2012-04-01, 02:45:27
devaintfire Wrote: Yeah it is, so I am guessing that they are suggesting that the illegally uploaded directory contains the exploited script, a paradox!
They upload a (buggy or tampered with) script, which, when called with a PHP script (cok.php) as a parameter, executes the returned faux gif, which in reality is a PHP script that contains all code as a base64-encoded, slightly obscured, zipped string which is eval'ed and creates - among other actions I did not analyze - C files from base64-encoded strings, ..., and returns an HTML page with lots of security-relevant information.
But this does not explain how the directories/files were created.
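Added example, not part of the original post: a small Python check for the pattern described above (an image-named upload that is really PHP and evals a base64-encoded, compressed string), plus a static decoder that peels one layer without running it. The `eval(gzinflate(base64_decode(...)))` chain, the file name `upload.gif` and the sample bytes are assumptions constructed here; the actual obfuscation in this incident was not posted.

```python
import base64
import re
import zlib

IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# eval( reaching a decoder call, possibly through nested wrapper functions
EVAL_CHAIN = re.compile(
    rb"eval\s*\(\s*(?:\w+\s*\(\s*)*?(?:base64_decode|gzinflate|gzuncompress)\s*\(",
    re.I)
B64_LITERAL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")

# Constructed sample: a minimal byte string with a GIF header and no PHP
CLEAN = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"

def make_sample():
    """Constructed, harmless stand-in for the faux gif described in the post."""
    inner = b"echo 'constructed sample';"
    c = zlib.compressobj(wbits=-15)          # raw deflate, what gzinflate() reads
    blob = base64.b64encode(c.compress(inner) + c.flush())
    return b"GIF89a<?php eval(gzinflate(base64_decode('" + blob + b"'))); ?>"

def scan_upload(name, data):
    """Return a list of findings for one uploaded file."""
    findings = []
    if name.lower().endswith(IMAGE_EXT) and PHP_TAG.search(data):
        findings.append("php-tag-in-image")
    if EVAL_CHAIN.search(data):
        findings.append("eval-of-decoded-string")
    return findings

def peel_layer(data):
    """Statically decode one base64 + deflate layer; the payload is never executed."""
    m = B64_LITERAL.search(data)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    for wbits in (-15, 15, 31):              # raw deflate, zlib, gzip framing
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return raw                               # base64 only, not compressed

if __name__ == "__main__":
    sample = make_sample()
    print(scan_upload("upload.gif", sample))
    print(peel_layer(sample))
```

Run over the upload directory, `scan_upload` flags candidates and `peel_layer` shows what the next layer contains so it can be read rather than executed.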