PHP shells hackers use

chmod 000 *.txt was done on 30 Apr 2008. I am thinking about how to make the files available in the future. Our CERT is sending those messages out automatically and they do fix their scripts.

From:    Jan Merila 
To:   tonu@no.spam.ee
Subject:    FW: [ABUSE #93885] [CERT-EE] REPEATED NOTICE Virus distribution in your network
Date:    Wed, 30 Apr 2008 09:32:29 +0300



Please hide this script.
These letters are already starting to get on my nerves.

Jan.


-----Original Message-----
From: abuse@linxtelecom.ee [mailto:abuse@linxtelecom.ee] 
Sent: Wednesday, April 30, 2008 9:02 AM
To: Jan Merila
Subject: [ABUSE #93885] [CERT-EE] REPEATED NOTICE Virus distribution in your network

Hello

I am forwarding the report appended to the end of this message.

Best regards,
Kati Tuhkur
Customer Support

---------------------
     LINXTELECOM™
  www.linxtelecom.ee
---------------------
Direct: +372 622 3361
General:  +372 622 3390

From: CERT-EE virus report 
To: abuse@linxtelecom.ee
Subject: [CERT-EE] REPEATED NOTICE Virus distribution in your network
Date: Wed, 30 Apr 2008 07:35:45 +0300

        

Hello

A virus with the same checksum (054fdd5ca77a15b380d1f4ded59f0578) has been 
found repeatedly in your AS (3327). The virus is located at no.spam.ee.
Please block the distribution of the virus without delay!
Below, for each previous check, are the time, the checksum, a reference to 
the content, and what the antivirus scanners found.

CERT-EE
PS! This e-mail was generated automatically. In case of errors or other 
questions, please write to cert@cert.ee

time of last check: Wed Apr 30 07:35:45 EEST 2008

*********************************
date of earlier report:20080429
*********************************
Domain: no.spam.ee

addresses found in whois records:
xx@tradenet.ee

antivirus scanner results:

time: Tue, 29 Apr 2008 06:46:20 +0200 (CEST)
md5:054fdd5ca77a15b380d1f4ded59f0578
content: no.spam.ee_~tonu_phpshell_r57shell.txt

AhnLab-V3       2008.4.29.0/20080429    found [HTML/Rst]
AntiVir 7.8.0.10/20080428       found [PHP/C99Shell.C]
Authentium      4.93.8/20080427 found [PHP/Rst.G]
Avast   4.8.1169.0/20080428     found [JS:TrojDnldr-16]
BitDefender     7.2/20080429    found [Backdoor.Php.Rst.G]
ClamAV  0.92.1/20080429 found [PHP.Shell]
Ewido   4.0/20080428    found [Backdoor.Rst.g]
F-Secure        6.70.13260.0/20080429   found [Backdoor.PHP.Rst.g]
Fortinet        3.14.0.0/20080429       found [PHP/Rst.BG!tr]
Ikarus  T3.1.1.26/20080429      found [Backdoor.PHP.Rst.H]
Kaspersky       7.0.0.125/20080429      found [Backdoor.PHP.Rst.g]
McAfee  5283/20080428   found [BackDoor-CUS!php]
Microsoft       1.3408/20080422 found [Backdoor:PHP/RST.H]
NOD32v2 3061/20080428   found [PHP/Rst.S]
Symantec        10/20080429     found [PHP.RSTBackdoor]
VirusBuster     4.3.26:9/20080428       found [PHP.RST.G]
Webwasher-Gateway       6.6.2/20080429  found [Script.C99Shell.C]
-----




PHP shell, Albanian

Seems to be very outdated but still interesting. Does not work on newer PHP versions or in safe mode. albanian-shell.txt No, it is not an empty file; you have to scroll down a lot to see the code.

ASP shell, Italian

Low-quality ASP shell. Needs to be named "explore.asp". explore.txt

PHP shell, "CrystalShell"

CrystalShell.txt

PHP shell, "Dtool - revengans - phpshell"

Dtool - revengans - phpshell.txt

PHP shell, "r57shell"

r57shell.txt

PHP shell, "c99shell"

c99shell.txt

Perl!! atrix brasilian shellbot

atrix brasilian shellbot.pl.txt

One more PHP code

php-include-w-shell.txt

PHP shell which compiles reverse shell on target

CMD.txt (compiles a reverse shell).txt

format.com - formats your disk

This is the Microsoft format.com file. Meant to automatically format your disk when "hackers" come and apply it to your page. For use on stupid people who think that the scripts on this page are exploiting their server and write complaints about it.
