anonopsbelgium

Script kiddies have awesome tools

Jan 31st, 2012
Some time ago I hacked me a script kiddie with an awesome t00l lulz

Going through the changed files I stumbled upon a PHP file which had some code prepended. The script had a very long line that started like this:
[PHP]
eval(gzinflate(base64_decode('FJ3HcqPsFkUf........
[/PHP]
  7.  
  8. Ok, lets check what does the script do. Lets assign the long string to a variable and base64 decode it and inflate the compression.
[PHP]
$script = 'FJ3HcqPsFkUf...'; // the long base64 blob copied from the prepended line
$script = base64_decode($script);
$script = gzinflate($script);
echo $script;
[/PHP]

The output was not what I expected.
[PHP]
eval(gzinflate(base64_decode('FJ3HjqPcGkUf57........
[/PHP]

The strings looked similar and I was already looking for an error in my code. Nope, the code is correct. There is a slight change in the string. It seems it was compressed and encoded a couple of times. Wow, it means I can have many evals inside evals. Fun!
[PHP]
// the prepended line, with the long base64 blob copied from the file
$string = "eval(gzinflate(base64_decode('FJ3HcqPsFkUf...')));";
$i = 0;
// iterate as long as the string starts with eval(gzinflate(base64_decode
// (28 characters; test before stripping, otherwise the last, real payload
// would be decoded once too often)
while (substr($string, 0, 28) == "eval(gzinflate(base64_decode") {
    // remove the first 30 chars, the eval(gzinflate(base64_decode(' part
    $string = substr($string, 30);
    // remove the closing '))); (rtrim also copes with a missing semicolon or a newline;
    // base64 never contains ' ) or ; so nothing of the blob is lost)
    $string = rtrim($string, "');\r\n ");

    $string = base64_decode($string);
    $string = gzinflate($string);
    if ($string === false) {
        die("gzinflate failed at iteration " . ($i + 1) . "\n");
    }
    echo "Iteration: " . ++$i . "\n";
}
// the real payload, decoded statically and never passed to eval()
echo $string;
[/PHP]
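The same peeling, as an added example that is not part of the paste: a Python re-implementation of PHP's gzdeflate()/gzinflate() (raw DEFLATE with no zlib or gzip header, i.e. zlib with wbits=-15; a plain zlib.decompress() fails on these blobs), a wrap() that rebuilds the nested stub the way the dropper did, and an unwrap() that strips the layers statically, checking for the wrapper before stripping so the final payload is never decoded one extra time and nothing is ever passed to eval. STUB_RE, the scan() helper, PAYLOAD, SAMPLE_FILES and the theme file names are all constructed for this example.

```python
import base64
import re
import zlib

# The dropper's wrapper: eval(gzinflate(base64_decode('<base64 blob>')));
# The capture group is the blob; base64 never contains ' ) or ; so the
# match cannot run past the closing quote. Constructed for this example.
STUB_RE = re.compile(r"eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)\);?")


def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): a raw DEFLATE stream with no zlib/gzip header (wbits=-15)."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(data) + comp.flush()


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): inflate a raw DEFLATE stream (wbits=-15, not plain zlib)."""
    return zlib.decompress(data, wbits=-15)


def wrap(php_code: str, layers: int) -> str:
    """Build a stub nested `layers` deep, the way the dropper obfuscated its shell."""
    code = php_code
    for _ in range(layers):
        blob = base64.b64encode(gzdeflate(code.encode("utf-8"))).decode("ascii")
        code = f"eval(gzinflate(base64_decode('{blob}')));"
    return code


def unwrap(code: str):
    """Peel every eval(gzinflate(base64_decode())) layer statically.

    Returns (payload, layers_removed). The wrapper test happens before anything
    is stripped, so the final, real payload is not decoded as one more layer,
    and at no point is anything evaluated.
    """
    layers = 0
    while True:
        m = STUB_RE.match(code.strip())
        if not m:
            return code, layers
        code = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        layers += 1


def scan(files: dict) -> dict:
    """Find the stub anywhere in each file (it was prepended to a legitimate theme
    file, so the original contents follow it) and unwrap what it carries.
    Returns {filename: (layers, payload)} for the files that carry a stub."""
    hits = {}
    for name, text in files.items():
        m = STUB_RE.search(text)
        if m:
            payload, layers = unwrap(m.group(0))
            hits[name] = (layers, payload)
    return hits


# Constructed sample data: a harmless payload wrapped 11 times and prepended to a
# stand-in for a WordPress theme file, plus one clean file.
PAYLOAD = "echo 'constructed sample payload';"
CLEAN_FILE = "<?php get_header(); ?>\n<h1>Theme</h1>\n"
SAMPLE_FILES = {
    "wp-content/themes/x/header.php": "<?php " + wrap(PAYLOAD, 11) + " ?>" + CLEAN_FILE,
    "wp-content/themes/x/footer.php": CLEAN_FILE,
}


if __name__ == "__main__":
    for name, (layers, payload) in scan(SAMPLE_FILES).items():
        print(f"{name}: {layers} layers, payload: {payload}")
```

Run as a script it reports header.php with 11 layers and the constructed payload, and says nothing about footer.php. The regex does the job that substr(30) and the trailing-parenthesis trim do in the PHP loop, with the advantage that a missing semicolon, a trailing newline or a `<?php` prefix in front of the stub does not break the first iteration.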

After 11 iterations I got the code. Kind of reminded me of a challenge that was posted to a mailing list, where the question was what the output of the program was. That time it was more difficult: base64-encoded Perl that output base64-encoded bytecode, that output a Java source file with a byte array that was the bytecode for the class file of the solution.
Let's see the functionality it has to offer:

Full blown file manager
Quick menu for:
    Finding all suid files
    Finding all sgid files
    Finding all htaccess files
    Finding all writeable folders
Interface for the UNIX tool find
Input field for executing commands as webserver user
Tools for installing a backdoor:
    Perl/C flavoured programs that are downloaded from a Singapore server
    Compiled/interpreted, depending on what is available
Processes viewer
FTP brute-force cracker using users from /etc/passwd
System info (CPU, memory, installed binaries, passwd file, configuration files)
SQL dump utility
Interface for executing PHP code
Self removal
Adding a password for the script
Fancy design!

I'm just amazed. This is way too easy. So this is how it works:

Let's scan the internet for WordPress installations (automated)
Look for vulnerable versions (automated)
Exploit (in this case themes were filled with hidden links – semi-automated)
PROFIT! (automated)

Only ClamAV knows this malware script, so beware.
We are legion. We do not forget. We do not forgive. Expect us. Expect me.