Is this a hacker’s tool?

Over the last few days, I have had lots of site hits looking for rather strange URLs on this blog such as:

http://www.theopensourcerer.com/2007/10/25/upcoming-free-seminar//site.php?page=
http://www.erdc.cyc.edu.tw/4images/cache/rfi/test.txt???

I took a look at the file the url refers to. Here it is:


/\/\/\ Response CMD /\/\/\

Changing this CMD will result in corrupt scanning !



Can someone who understands PHP tell me what this is trying to do? It is clearly a scanning/hacking tool designed to retrieve data - I guess to help with further exploits. But I can't quite work it out, especially the
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
line.

It's a php script so why should it care if the site is on Windows or Linux? Any takers...

Tags: ,

3 Comments

  • Alan Bell says:

    my guess is that there is a PHP application which has site.php as its index page, that page is insecure and will retrieve content from URLs and inject them into itself. The script itself is just trying to execute commands on the server, and reporting back what works. “net start” will list running services on a windows box so if the return value of net start contains “windows” then it proves that the “net start” command has been successfully executed. I am not sure what the application is that they are targeting with this, but it certainly isn’t WordPress.

  • Alan Lord says:

    Cool – thanks for the analysis.

  • Michael Lafferty says:

    Based upon our being hit by similar and often far simpler Perl scripts, we have tentatively concluded that the targeted application is Zen-Cart, an open source electronic commerce cart, and specifically the MySQL component in which customer and transaction data is stored. The simplest script we have seen to date is this:

    That script only attempts to determine if a MySQL database can be copied but makes not attempt to do so.

    We have not isolated the source of these scripts, as they are typically bounced though US-based ISP or ISP client servers. We did see what we think was a direct transmission from IP 208.69.192.133, which appears to be originating from a server in Argentina.

Leave a Reply

XHTML: You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>