Comments on: Is this a hacker’s tool? http://www.theopensourcerer.com/2007/12/20/is-this-a-hackers-tool/?utm_source=rss&utm_medium=rss&utm_campaign=is-this-a-hackers-tool The Magic of Open Source Fri, 10 Feb 2012 18:02:33 +0000 hourly 1 http://wordpress.org/?v=3.1.4 By: Michael Lafferty http://www.theopensourcerer.com/2007/12/20/is-this-a-hackers-tool/comment-page-1/#comment-443 Michael Lafferty Wed, 26 Dec 2007 23:13:52 +0000 http://www.theopensourcerer.com/2007/12/20/is-this-a-hackers-tool/#comment-443 Based upon our being hit by similar and often far simpler Perl scripts, we have tentatively concluded that the targeted application is Zen-Cart, an open source electronic commerce cart, and specifically the MySQL component in which customer and transaction data is stored. The simplest script we have seen to date is this: That script only attempts to determine if a MySQL database can be copied but makes not attempt to do so. We have not isolated the source of these scripts, as they are typically bounced though US-based ISP or ISP client servers. We did see what we think was a direct transmission from IP 208.69.192.133, which appears to be originating from a server in Argentina. Based upon our being hit by similar and often far simpler Perl scripts, we have tentatively concluded that the targeted application is Zen-Cart, an open source electronic commerce cart, and specifically the MySQL component in which customer and transaction data is stored. The simplest script we have seen to date is this:

That script only attempts to determine if a MySQL database can be copied but makes not attempt to do so.

We have not isolated the source of these scripts, as they are typically bounced though US-based ISP or ISP client servers. We did see what we think was a direct transmission from IP 208.69.192.133, which appears to be originating from a server in Argentina.

]]> By: Alan Lord http://www.theopensourcerer.com/2007/12/20/is-this-a-hackers-tool/comment-page-1/#comment-428 Alan Lord Thu, 20 Dec 2007 16:31:48 +0000 http://www.theopensourcerer.com/2007/12/20/is-this-a-hackers-tool/#comment-428 Cool - thanks for the analysis. Cool – thanks for the analysis.

]]> By: Alan Bell http://www.theopensourcerer.com/2007/12/20/is-this-a-hackers-tool/comment-page-1/#comment-427 Alan Bell Thu, 20 Dec 2007 14:27:17 +0000 http://www.theopensourcerer.com/2007/12/20/is-this-a-hackers-tool/#comment-427 my guess is that there is a PHP application which has site.php as its index page, that page is insecure and will retrieve content from URLs and inject them into itself. The script itself is just trying to execute commands on the server, and reporting back what works. "net start" will list running services on a windows box so if the return value of net start contains "windows" then it proves that the "net start" command has been successfully executed. I am not sure what the application is that they are targeting with this, but it certainly isn't WordPress. my guess is that there is a PHP application which has site.php as its index page, that page is insecure and will retrieve content from URLs and inject them into itself. The script itself is just trying to execute commands on the server, and reporting back what works. “net start” will list running services on a windows box so if the return value of net start contains “windows” then it proves that the “net start” command has been successfully executed. I am not sure what the application is that they are targeting with this, but it certainly isn’t WordPress.

]]>