Re: decode a string.




On Mon, 26 Nov 2007, BuildSmart wrote:

To: php-install@xxxxxxxxxxxxx
From: BuildSmart <buildsmart@xxxxxxxxxxxxxxxxxx>
Subject:  decode a string.

One of the sites I manage has had what appears to be some kind of attempt to break in by appending the following to some php related url.

&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(112)%252echr(115)%252echr(32)%252echr(120)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527

How can I decode this to find out what it is?

-- Dale

Googling for esystem(chr(101)%252echr(99) returns the following results:

http://www.google.co.uk/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=bF1&q=esystem%28chr%28101%29%25252echr%2899%29&btnG=Search&meta=

In our previous story on the Santy worm, I'd left some comments on possible suggestions. To date, I've received replies back stating those suggestions (public and private) have helped tremendously. This article focuses on mod_security's filters, however, alternative filters will also be introduced -- some not tested, so feel free to write back to me here or in email such that they can be improved. What has been tested with success are the mod_security filters, and some mod_rewrite filters. Such are borne due to the life of Santy and Phpinclude worms.

The following code is implemented today in mod_security against the worms that attack PHP scripts:

        SecFilterSelective ARG_highlight %27
        SecFilterSelective ARG_highlight %2527
        SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
        SecFilter ":/"
        SecFilter "'"

Not all of these were in practice as the worms went live, but over the past couple days it has evolved to what is posted above. Here are some statistics from 25 Dec, 2004 at 15:11 GMT -5 to the writing of this article.

There have been a total of 296,293 attacks received by our servers in a 55 hour period. This is a breakdown (numbers won't add up 100% as additional filters were added to catch all).


HTH

Keith
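An added example, written for this thread and not code from either poster, answering the original question directly: it peels off the double URL-encoding (%2527 -> %27 -> '), renders the chr(N).chr(M)... concatenation as the string it builds, and reports which of the filter strings Keith quoted would match the raw argument at some decoding stage. The sample query is the one quoted in Dale's message; the filter-matching function is a plain substring approximation of those rules, not mod_security's own engine. Nothing in it executes the payload.

```python
"""Decode a double-URL-encoded, chr()-obfuscated PHP injection string for analysis.

The payload is only rendered readable here; it is never evaluated or run.
"""
import re
from urllib.parse import unquote

# Sample input: the query fragment quoted in the original post (constructed copy).
SAMPLE_QUERY = (
    "&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)"
    "%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)"
    "%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)"
    "%252echr(95)%252echr(59)%252echr(112)%252echr(115)%252echr(32)%252echr(120)"
    "%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)"
    "%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)"
    "%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527"
)

# Substring approximation of the mod_security lines quoted in the reply (assumed
# semantics: a rule "hits" if its string appears at any decoding stage).
FILTER_PATTERNS = {
    "SecFilterSelective ARG_highlight %27": "%27",
    "SecFilterSelective ARG_highlight %2527": "%2527",
    "SecFilter \"'\"": "'",
    "SecFilter \":/\"": ":/",
}


def decoding_stages(value, max_rounds=5):
    """Return [raw, once-decoded, twice-decoded, ...] until decoding stops changing the string."""
    stages = [value]
    for _ in range(max_rounds):
        decoded = unquote(stages[-1])
        if decoded == stages[-1]:
            break
        stages.append(decoded)
    return stages


def percent_decode_fully(value):
    """Apply URL-decoding repeatedly so %2527 becomes %27 and then a literal quote."""
    return decoding_stages(value)[-1]


def chr_sequence_to_text(php_expr):
    """Render chr(101).chr(99)... as the text it concatenates, without evaluating PHP."""
    codes = [int(n) for n in re.findall(r"chr\((\d+)\)", php_expr)]
    return "".join(chr(c) for c in codes)


def matching_filters(raw_value):
    """List which quoted filter strings would match the argument at any decoding stage."""
    stages = decoding_stages(raw_value)
    return [name for name, needle in FILTER_PATTERNS.items()
            if any(needle in stage for stage in stages)]


def decode_highlight(query):
    """Extract the raw highlight= argument and return its decoded forms and filter hits."""
    match = re.search(r"(?:^|&)highlight=([^&]*)", query)
    if not match:
        return None
    raw = match.group(1)
    php = percent_decode_fully(raw)
    return {
        "raw": raw,                          # as it appeared in the URL
        "php": php,                          # the PHP injected into the highlight parameter
        "command": chr_sequence_to_text(php),  # the string the chr() chain builds
        "filters_hit": matching_filters(raw),
    }


if __name__ == "__main__":
    for key, value in decode_highlight(SAMPLE_QUERY).items():
        print(f"{key:12}: {value}")
```

The double decoding is the point of the %2527 encoding: a single decode by the web server leaves %27, which only becomes a quote when the application decodes the value again, so filters that match only one representation miss it. Checking every decoding stage, as the quoted rules do by listing both %27 and %2527, closes that gap.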
