ltoinel · December 20, 2021 23:16 · Boydidy · May 3, 2022
diff --git a/index.php b/index.php
 <?php

 # Fake Java HTTP server headers
 header("Server: WildFly/8",true);
 header("X-Powered-By: Undertow/1",true);

 /**
 * A Simple Attack logger
 */
 function log_attack($log_msg)
 {
  $log_filename = "data/" . date('Y-m-d');

  if (!file_exists($log_filename)) {
    // create directory/folder uploads.
    mkdir($log_filename, 0777, true);
  }

  $log_file_data = $log_filename . '/' . $_SERVER['REMOTE_ADDR'] . '.txt';

  // write the content
  file_put_contents($log_file_data, $log_msg . "\n", FILE_APPEND);
 }

 // We merge the SERVER and REQUEST arrays into one.
 $data = array_merge($_SERVER, $_REQUEST);
 $attack = false;

 // We try to find a dollar in the different values that can be a proof of log4shell attack.
 foreach ( $data as $key => $value) {

  // We found a dollar in a HTTP header or Request.
  if (strpos($value, '$')  !== FALSE) {
    $attack = true;
    log_attack($_SERVER['REMOTE_ADDR'] . ":" . $key . ":" .  print_r($value,true));

    // Check for Basic64 Command.
    $pointer = strpos($value, "Base64");

    // The JNDI contains a Basic64 command.
    if ($pointer !== FALSE){

      // We extract the base64 encoded command.
      $basic64 = substr($value, $pointer + 7, -1);

      // We decode the shell command and log it.
      $command = base64_decode($basic64);
      log_attack($_SERVER['REMOTE_ADDR'] . ":" . $command);

      // We split the shekll command into unique instructions for analysis.
      $command = str_replace(array("(",")"), "",  $command);
      $command = str_replace(array("||"), "|",  $command);
      $instructions = explode('|',$command);
 
      // We check each instruction to detect if it's a curl or wget command.
      foreach($instructions as $instruction){

        // If it's a curl or wget command.
        if (strpos($instruction,"curl") !== FALSE || strpos($instruction,"wget") !== FALSE){

            // We extract all args of the shell instruction.
            $args = explode(" ", $instruction);
            $url = end($args);

            // Create curl resource.
            $ch = curl_init();

            // Set  tyarget url.
            curl_setopt($ch, CURLOPT_URL, $url);

            // Return the transfer as a string.
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

            // Download the infected payload from the hacker server.
            $script = curl_exec($ch);

            // We save it for analysis.
            log_attack("PAYLOAD:$url=" . $script);

            // close curl resource to free up system resources.
            curl_close($ch);     
        }
      }
     
    }
  }
 }

 ?>
 <html>
 <head>
    <title>Welcome</title>
 </head>
 <body>
 <pre>
 <?php 
  if ($attack){
 ?>



                             ________________
                          ____/ (  (    )   )  \___
                         /( (  (  )   _    ))  )   )\
                       ((     (   )(    )  )   (   )  )
                     ((/  ( _(   )   (   _) ) (  () )  )
                    ( (  ( (_)   ((    (   )  .((_ ) .  )_
                   ( (  )    (      (  )    )   ) . ) (   )
                  (  (   (  (   ) (  _  ( _) ).  ) . ) ) ( )
                  ( (  (   ) (  )   (  ))     ) _)(   )  )  )
                 ( (  ( \ ) (    (_  ( ) ( )  )   ) )  )) ( )
                  (  (   (  (   (_ ( ) ( _    )  ) (  )  )   )
                 ( (  ( (  (  )     (_  )  ) )  _)   ) _( ( )
                  ((  (   )(    (     _    )   _) _(_ (  (_ )
                   (_((__(_(__(( ( ( |  ) ) ) )_))__))_)___)
                   ((__)        \\||lll|l||///          \_))
                            (   /(/ (  )  ) )\   )
                          (    ( ( ( | | ) ) )\   )
                           (   /(| / ( )) ) ) )) )
                         (     ( ((((_(|)_)))))     )
                          (      ||\(|(|)|/||     )
                        (        |(||(||)||||        )
                          (     //|/l|||)|\\ \     )
 			(/ / //  /|//||||\\  \ \  \ _)
 <?php
  } else {

 ?>

 ::::          ::::::      ::::      ::::    :::::::::
 ::::        ::::  ::::    ::::      ::::    :::::::::
 ::::       ::::    ::::   ::::      ::::    ::::
 ::::       ::::    ::::    ::::    ::::     ::::::::
 ::::       ::::    ::::     ::::  ::::      ::::
 ::::       ::::    ::::      ::::::::       ::::
 ::::::::::  ::::  ::::        ::::::        :::::::::
 ::::::::::    ::::::           ::::         :::::::::

 <?php
  } 
 ?>
 </pre>
 </body>
 </html>
	<?php

	# Fake Java HTTP server headers
	header("Server: WildFly/8",true);
	header("X-Powered-By: Undertow/1",true);

	/**
	* A Simple Attack logger
	*/
	function log_attack($log_msg)
	{
	$log_filename = "data/" . date('Y-m-d');

	if (!file_exists($log_filename)) {
	// create directory/folder uploads.
	mkdir($log_filename, 0777, true);
	}

	$log_file_data = $log_filename . '/' . $_SERVER['REMOTE_ADDR'] . '.txt';

	// write the content
	file_put_contents($log_file_data, $log_msg . "\n", FILE_APPEND);
	}

	// We merge the SERVER and REQUEST arrays into one.
	$data = array_merge($_SERVER, $_REQUEST);
	$attack = false;

	// We try to find a dollar in the different values that can be a proof of log4shell attack.
	foreach ( $data as $key => $value) {

	// We found a dollar in a HTTP header or Request.
	if (strpos($value, '$') !== FALSE) {
	$attack = true;
	log_attack($_SERVER['REMOTE_ADDR'] . ":" . $key . ":" . print_r($value,true));

	// Check for Basic64 Command.
	$pointer = strpos($value, "Base64");

	// The JNDI contains a Basic64 command.
	if ($pointer !== FALSE){

	// We extract the base64 encoded command.
	$basic64 = substr($value, $pointer + 7, -1);

	// We decode the shell command and log it.
	$command = base64_decode($basic64);
	log_attack($_SERVER['REMOTE_ADDR'] . ":" . $command);

	// We split the shekll command into unique instructions for analysis.
	$command = str_replace(array("(",")"), "", $command);
	$command = str_replace(array("\|\|"), "\|", $command);
	$instructions = explode('\|',$command);

	// We check each instruction to detect if it's a curl or wget command.
	foreach($instructions as $instruction){

	// If it's a curl or wget command.
	if (strpos($instruction,"curl") !== FALSE \|\| strpos($instruction,"wget") !== FALSE){

	// We extract all args of the shell instruction.
	$args = explode(" ", $instruction);
	$url = end($args);

	// Create curl resource.
	$ch = curl_init();

	// Set tyarget url.
	curl_setopt($ch, CURLOPT_URL, $url);

	// Return the transfer as a string.
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

	// Download the infected payload from the hacker server.
	$script = curl_exec($ch);

	// We save it for analysis.
	log_attack("PAYLOAD:$url=" . $script);

	// close curl resource to free up system resources.
	curl_close($ch);
	}
	}

	}
	}
	}

	?>
	<html>
	<head>
	<title>Welcome</title>
	</head>
	<body>
	<pre>
	<?php
	if ($attack){
	?>



	________________
	____/ ( ( ) ) \___
	/( ( ( ) _ )) ) )\
	(( ( )( ) ) ( ) )
	((/ ( _( ) ( _) ) ( () ) )
	( ( ( (_) (( ( ) .((_ ) . )_
	( ( ) ( ( ) ) ) . ) ( )
	( ( ( ( ) ( _ ( _) ). ) . ) ) ( )
	( ( ( ) ( ) ( )) ) _)( ) ) )
	( ( ( \ ) ( (_ ( ) ( ) ) ) ) )) ( )
	( ( ( ( (_ ( ) ( _ ) ) ( ) ) )
	( ( ( ( ( ) (_ ) ) ) _) ) _( ( )
	(( ( )( ( _ ) _) _(_ ( (_ )
	(_((__(_(__(( ( ( \| ) ) ) )_))__))_)___)
	((__) \\\|\|lll\|l\|\|/// \_))
	( /(/ ( ) ) )\ )
	( ( ( ( \| \| ) ) )\ )
	( /(\| / ( )) ) ) )) )
	( ( ((((_(\|)_))))) )
	( \|\|\(\|(\|)\|/\|\| )
	( \|(\|\|(\|\|)\|\|\|\| )
	( //\|/l\|\|\|)\|\\ \ )
	(/ / // /\|//\|\|\|\|\\ \ \ \ _)
	<?php
	} else {

	?>

	:::: :::::: :::: :::: :::::::::
	:::: :::: :::: :::: :::: :::::::::
	:::: :::: :::: :::: :::: ::::
	:::: :::: :::: :::: :::: ::::::::
	:::: :::: :::: :::: :::: ::::
	:::: :::: :::: :::::::: ::::
	:::::::::: :::: :::: :::::: :::::::::
	:::::::::: :::::: :::: :::::::::

	<?php
	}
	?>
	</pre>
	</body>
	</html>