Is this a hacker’s tool?
Over the last few days, I have had lots of site hits looking for rather strange URLs on this blog such as:
https://www.theopensourcerer.com/2007/10/25/upcoming-free-seminar//site.php?page=
http://www.erdc.cyc.edu.tw/4images/cache/rfi/test.txt???
I took a look at the file the URL refers to. Here it is:
Changing this CMD will result in corrupt scanning !
My guess is that there is a PHP application which has site.php as its index page; that page is insecure and will retrieve content from URLs and inject it into itself. The script itself is just trying to execute commands on the server, and reporting back what works. “net start” will list running services on a Windows box, so if the return value of net start contains “windows” then it proves that the “net start” command has been successfully executed. I am not sure what the application is that they are targeting with this, but it certainly isn’t WordPress.
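One defensive use of the analysis in that comment, added here as an example and not code from the post author or either commenter: a small Python scanner that reads web-server access-log lines and flags any request in which a query parameter carries an absolute URL, the signature of the remote-file-inclusion probe described (a `page=` parameter pointing at a file on another host, often with `?` or `??` appended). It assumes Apache combined log format; the log lines, IP addresses and the `rfi-host.example` hostname are constructed samples modelled on the URLs quoted in the post, not real traffic.

```python
"""Flag remote-file-inclusion (RFI) probes in web access logs.

Added example for this blog post; assumes Apache/nginx combined log format.
All sample data below is constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A parameter value that is itself an absolute URL is what an insecure
# include($_GET['page']) would fetch and execute: the core of an RFI probe.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log (not real traffic). Line 1 mirrors the shape of the
# request quoted in the post; line 3 is the same probe URL-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2007:10:14:03 +0100] "GET /2007/10/25/upcoming-free-seminar//site.php?page=http://rfi-host.example/cache/test.txt??? HTTP/1.1" 404 1234
198.51.100.22 - - [25/Oct/2007:10:15:11 +0100] "GET /2007/10/25/upcoming-free-seminar/ HTTP/1.1" 200 45120
203.0.113.7 - - [25/Oct/2007:10:16:40 +0100] "GET /site.php?page=HTTP%3A%2F%2Frfi-host.example%2Fid.txt HTTP/1.1" 404 1234
198.51.100.22 - - [25/Oct/2007:10:17:02 +0100] "GET /site.php?page=about HTTP/1.1" 200 3300
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_params(target):
    """Return [(param, value)] for every query parameter whose value is a remote URL.

    parse_qsl percent-decodes values, so an encoded 'HTTP%3A%2F%2F...' is
    caught as well as a plain 'http://...'.
    """
    query = urlsplit(target).query
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # Probes commonly append '?' or '??' so that whatever the vulnerable
        # script concatenates after the value lands in the remote query string;
        # strip the trailing marks before matching, but report the raw value.
        if REMOTE_RE.match(value.rstrip('?')):
            hits.append((key, value))
    return hits


def scan(log_text):
    """Scan a block of log text; return one finding per request carrying an RFI payload."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than guess
        hits = rfi_params(rec['target'])
        if hits:
            findings.append({
                'host': rec['host'],
                'time': rec['time'],
                'status': int(rec['status']),
                'params': hits,
            })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        for param, value in f['params']:
            print(f"{f['time']} {f['host']} status={f['status']} "
                  f"param={param} remote={value}")
```

On the application side, the mitigation is the one the comment implies: never hand a request parameter to `include`/`require` (or to `file_get_contents`) unchecked; map the `page` value against an allow-list of known local pages, and keep `allow_url_include` off in PHP so a remote URL cannot be included even if the check is missed. A non-404 status on a flagged line is the finding worth escalating, since it suggests the probed script actually exists on the host.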
Cool – thanks for the analysis.
Based upon our being hit by similar and often far simpler Perl scripts, we have tentatively concluded that the targeted application is Zen-Cart, an open source electronic commerce cart, and specifically the MySQL component in which customer and transaction data is stored. The simplest script we have seen to date is this:
That script only attempts to determine if a MySQL database can be copied but makes no attempt to do so.
We have not isolated the source of these scripts, as they are typically bounced through US-based ISP or ISP client servers. We did see what we think was a direct transmission from IP 208.69.192.133, which appears to be originating from a server in Argentina.