SQL Injection Scanner created by Arhack-team. It uses a Bing.com feature that allows search results to be narrowed down to a specific IP address.
This scanner fetches all available search results for the IP address of the server it scans, then parses them and looks for URLs that contain various keywords
that suggest the site might be prone to an SQL injection attack.
Affecting
Any server with PHP enabled.
Cleanup
Delete the malicious script and scan your server for other types of malware and specifically for backdoors.
You can also sign up with us and let our team remove the malware for you.
Dump
// Argument guard: the sample expects two positional CLI arguments, a target IP
// ($argv[1]) and an output file name ($argv[2]). If either is missing or empty
// the usage banner is printed and execution stops with die(). Presence is the
// only check performed here; neither value is validated in any other way.
if(!$argv[1] or !$argv[2]){
print_r("
================================================================================
USAGE : php sql.php [IP] [FILENAME]
Ex : php sql.php 127.0.0.1 sql.txt
================================================================================
");
die();
}
// check_url: tests a fetched page body ($source) for MySQL/PHP error text and,
// on a hit, appends $url to $filename. The regex below is the entire detection
// logic: it looks for verbatim database error strings ("error in your SQL
// syntax", "mysql_fetch_array()", "Fatal error", ...), i.e. the output a PHP
// site leaks when display_errors is enabled. From the defender's side, turning
// error display off in production and using parameterised queries removes the
// signal this script keys on. Unescaped metacharacters in the pattern (the
// empty "()" groups, the "*" in "SELECT * FROM") make the alternation looser
// than the author likely intended. The literal "$urln" inside double quotes is
// interpolated as an (undefined) variable named urln; together with the "n"
// appended to $url on write, this looks like a "\n" escape lost when the
// sample was dumped -- not verifiable from this listing.
function check_url($url,$source,$filename){ // By Dz.CraCker !?
// Case-insensitive (/i) match against the raw response body; no HTTP status check.
if (preg_match("/error in your SQL syntax|mysql_fetch_array()|execute query|mysql_fetch_object()|mysql_num_rows()|mysql_fetch_assoc()|mysql_fetch_row()|SELECT * FROM|supplied argument is not a valid MySQL|Syntax error|Fatal error/i",$source)) {
echo "[+] Found -> $urln";
// Append mode; the fopen() return value is not checked and the handle is never fclose()d.
$rr=fopen($filename,"a+");
fwrite($rr,$url."n");
}
else{ echo "[~] Sql NoT FOuNd -> $urln"; }
}
...
// Crawl parameters. $npages is the hard-coded upper bound for the Bing result
// offset ("first=" parameter) walked by the while loop below, starting from
// $npage = 1. $allLinks is only initialised here; its use is in the elided part
// of the dump. $ip is $argv[1] taken verbatim -- no IP-format validation --
// before being interpolated into the search URL. Note for responders: the loop
// below issues outbound HTTP requests to www.bing.com from the compromised host
// with a fixed Firefox 3.0.8 User-Agent (see the curl_setopt calls), which is a
// usable egress indicator for this sample.
$npages = 50000;
$npage = 1;
$allLinks = array();
$ip = $argv[1];
while($npage <= $npages)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://www.bing.com/search?q=ip%3A' . $ip . '+id=&first=' . $npage);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_REFERER, 'http://www.bing.com/');
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
...
// Author banner (contact details exactly as found in the sample), followed by
// one check per harvested result. $resultPages is populated in the elided part
// of the dump. check_sql_inj() is called here but only check_url() is defined in
// the visible portion -- its definition is not shown, so how it relates to
// check_url cannot be confirmed from this listing. $argv[2] (the output file
// name) is passed straight through. count() is re-evaluated on every iteration.
print_r("
=================================================================
SQL Injection Scanner
===> Email: aminemosta24@live.fr
===> Fb: facebook.com/Amine.Mosta60
(Y)
================================================================================
");
for ($x = 0; $x < count($resultPages); $x++){
$h3h3 = $resultPages[$x];
check_sql_inj($h3h3,$argv[2]);
}
print_r("
================================================================================
Information / IP : ".$ip." / Scanned Sites : ".count($resultPages)."
#Coded By Dz CraCker [Arhack-team]
Done =)