Posted on 08/11/2011 12:11:00 in Security.
Author: n4ch0m4n | Total votes: 7
I was looking through DDLR and didn't see this, so I'm sharing it.
After uploading a shell to a host I was able to compromise, I started going through the hosted files and saw a file called kevinscan.txt
Curious, obviously, I gave the code a quick look, and it is nothing more than a shell finder written in bash.
I looked it over and it only finds the ones that are not encrypted. Still, as a last-ditch effort for some desperate webmaster it can come in handy, as it can for us to check whether someone has already been where we managed to get in, plus whatever other uses you will surely find for it.
I searched for this tool on Google and didn't find much about it, nor who created it (if anyone knows, it would be good to know), so I thought it would be more than useful to share it with DDLR.
Now then, here is the code:
```sh
#!/bin/sh
# Do not record this session in the shell history.
export HISTFILE=/dev/null
echo
echo -n "Search started at: "
date
# Walk the web root, select script-like files by extension, skip known
# false-positive files and cache directories, then list every file that
# contains one of the signatures (case-insensitive).
# Regex metacharacters that belong to a signature ([ ] $ | ( ) ^ and \)
# are backslash-escaped so that egrep matches them literally.
# The entry "[email protected]" is kept as it appears on the page.
find ~/public_html -type f \( \
    -name "*.htm" -o -name "*.html" -o -name "*.phtml" -o -name "*.php" \
    -o -name "*.ll" -o -name "*.perl" -o -name "*.ssh" -o -name "*.php.dem" \
    -o -name "*.pHp.dem" -o -name "*.js" -o -name "*.txt" -o -name "*.shtml" \
    -o -name "*.py" -o -name "*.swt" -o -name "*.izri" -o -name "*.irzi" \
    -o -name "*.php.jpg" -o -name "*.PHP" -o -name "*.php.jpeg" -o -name "*.php.gif" \
    -o -name "*.sh" -o -name "*.cgi" -o -name "*.log" -o -name "*.pl" \) \
    ! -iname "exploit-scanner.php" ! -iname "extra-strings.php" \
    ! -iname "authorizenet_cc_[abc]im.php" ! -iname "chronocontact.html.php" \
    ! -iname "view.html.php" \
    ! -wholename "*/broken-link-checker/*" ! -wholename "*/wishlist-member/*" \
    ! -wholename "*/supercache/*" ! -wholename "*/cache/*" \
    -print0 | xargs -0 egrep -Hil '(GMJK Crew)|(fLasHcoM CpAnEl)|(FeeLCoMz)|(Bk-code shell)|(MaZaCrEw CpAnEl)|(VopCrew)|(fuckerboy)|(Cyber Crew Shell)|(OrigamiCrew)|(CyBeSteR)|(N3tsh_surl)|(\[ bjork)|(COLUMBUSSheLL)|(c88sh)|(Crazy_Hacker)|(Fx29Sh)|(r57sh)|(c99sh)|(!mPLe SHeLL)|(web shell)|(PoWeReD BY GodFatheR)|(Webcomm-Cr3w)|(O0O.maxx)|(Nigerian Spam Community)|(IcHig0)|(Modif by :)|(Sincan2)|(EdianShell)|(Tiagow)|(PackBot)|(mass.eMailer)|(MASS MAIL!!!)|(FxID)|(Oishi Crew)|(DexQy-community)|(J4m35_B0nd)|(psyBNC)|(milw0rm)|(sUxCrew)|(\$c99)|(HackerBooty)|(ThOurOS)|(Chanary)|(ccpower -config)|(cENxShell)|(bamby.web.id)|(autoversi.tcl)|(Defaced by)|(H4cked By)|(h4ck3d by)|(Fatihul Ulum)|(By TouchMoneY)|(Sender Mails)|(HacKer EgypT)|(rootshell-team)|(SHELL FUCKER)|(Mailer by Albrim)|(FraNGky)|(Karaw4nghacK)|(-=ok=-)|(PHP IRC Bot)|(\[S\]uper\[BAD\])|(Emp3ror Undetectable)|(ByroeNet Team)|(Pitbull Bot)|(By racrew)|(Masss Defacer)|(Data Cha0s)|(webadmin.php)|(Cyber One)|(xcrew--)|(by ladusty)|(no malware on this code,)|(SnL_ayaz_/was_here)|(DONSHAQ Was Here)|(YoUngEST - Mass Mailer)|(DoS-Dz)|(devilzShell)|(By Shaun\$\$)|(patrao PHP)|(IndoIrc LCC)|(JaheeM Galaxy)|(Naija Boys Too Much)|(MulCiShell)|(Shell uploader By HalT)|(Shany was here)|(\["lol"\])|(send evil code)|(Andre_Corleone)|(Upload fisier:)|(Vrs-hCk)|(By Continue Crew)|(Phpshell)|(paraghcybernet)|(Database Scanner)|(\$\$haun\$\$)|(KecoaK)|(cow_revo)|(Fx29ID)|(bhlcrew)|(PHP-Mailer)|(InboX Mass Mailer)|(ALL-inbox Mailer)|(cPanel brute forcer)|(gblack Was Here)|(indoshell)|(eX Mortal)|(RawckerHeaD)|(SimAttacker)|(V.I.T.A.L.)|(zreg exploit)|(ReloaD-X)|(dodol was here)|(eX was here)|(Codz by angel)|(cakill schumbag)|(Shevchenko)|(ONeTCr3w)|(Rengkong)|(yogyacarderlink Crew)|(:: Mailer Inbox ::)|(-HackeR-)|(Emoney --)|(Goog1e_analist_certs)|(owned by c0d3d)|(UnixStats Mass MaiLer)|(Hacked By NHC)|(Bot Shell)|(Response CMD)|(.:: Welcome ::.)|(BARUKLINTHENG)|(--=\[ genol\]=--)|(Upload GAGAL !!!)|(by shegs35c)|(Dz-Gr33nF@TheR)|(Super Floooder)|(D4rk Cod3rs)|(PHP Bot ::)|(online hacker)|(SerCom CoLi)|(By Th3-r4wKs)|(KingDefacer)|(living-tuerkei.de)|(By DurjanA)|(r1pp3rm4ya)|(Backdoor by RoCu)|(By Pejvaknuse)|(Spider PHP Shell)|(NeutroX CorP)|(ZaraByte File Uploader)|(DONEJE Was Here)|(Killer Hack)|(Simo64 WebShell)|(Morocain checker)|(AKACHIMAILER)|(iMHaBiRLiGi PhpFtp)|(Andalas_oku)|(Cha0s!)|(P.h.p.S.p.y)|(:: MAILER ::)|(Error to enters it)|(Oracle Super ....)|(By \[ Silver Malaysia)|(semua ada waktunya!)|(PHP eMailer)|(By Yung Money)|(KingOfCode\[Zen\])|(By WebCraker)|(M A R A N H A O)|(-=php mailer inbox=-)|(by diccky)|(class pBot)|(M3DiJoK Mailer)|(hAckERbo0TY)|(LeoeMailer)|(up100500)|(MR GHOST HUNG)|(By BlueSpy)|(NetJackal)|(By AsOkA)|(by Hackc0re)|(BLACK_MASK)|(fuckyoursystem.org)|(putri-bot)|(HACKERMIND)|(\|\| VAMPIRE1)|(E L I T E!)|(Pasukan-ddos)|(Done The Work!!!)|(Powered by bLacknite)|(K4L0ng666 H3r3)|(Slowloris)|(by reisbey)|(~ Shell I)|(Coded By Burtay)|(sabri - PayPal)|(Flood</b><br>Completed)|(yetki kontrol fonksiyonu)|(Upload Success !!!)|(R3van BASTARD)|(Cr4sh_aka_RKL)|(By Secsion)|(Thurcom Webmail)|(Devil mailer)|(ConfigSpy)|(bot net versi genol)|(::SkyCreW::)|(P\|i\|c\|h\|i\|n\|c\|h\|a)|(LISTING FILES 2010)|(SPAM PRO CARNAVAL)|(By Xr0b0t)|(Mr-Lordz)|(lama's'hell)|(JabLay Crew)|(By \$am\$ung)|(By Dotexe)|(VulnScan v10)|(gr33ts:)|(MailerinBox --)|(- Inbox Mailer)|(by mr.le0n)|(hacked by itox)|(--=itox=--)|(\[-BLaCk-\])|(Mask_magicianz)|(By Charo)|(Fariz_�oy)|(#PaGi was here)|(ro0tsCrew)|(Mundesuar Nga : AnGeL)|(Ps-X TeaM)|(Saldiri.Org)|(by Fatur)|(By legitseller18)|(CyberLords Team)|(Cmd #PdN)|(tubau-itz)|(By Kobra Crew)|(ByroeNet)|(Unit-X Team)|(Fariz_coy)|(ConnectBackShell)|(By Sun-Army)|(KaRtOsurO)|(e'e'k Injector)|(H @ p a t i t)|(MILDNet Community)|(by HEXB00T3R)|(4a-G TeaM)|(Hacked By Metropolis)|(PeTeR 7rB)|(l33t-k1ll3r)|(hell v. 3.0)|(alt_xred)|(Newsletter!!!)|(By xIgOr)|(Cash Them ReZulT)|(UnixUnited Crew)|(FerNANdU Ownz)|(CMD LISTING FILES 2010)|(PRINCE ISHOLA)|(Sh3ll)|(Kuang Grade Mark Eleven)|(Jabrik@Hackd)|(By Methesuck)|(by ach3com)|(hantu crew)|(By TuX_Sh4D0W)|(drie88)|(By Zikry.Z.Azhar)|(By Marwan1302)|(The Cyber Nuxbie)|(Xtream Xpl)|(By: Sindrom)|(function bullfinch)|(GRATIS Shell)|(P3ruT3am)|(MASS MAILERZ)|(\$r57=)|(By VoY493)|(Created By Shaun)|(shadowTeam)|(D.O.M TEAM)|(PoPpa Deus)|(The Old Team Is Back)|(HackTn.CoM)|(cybertreff)|(by Francoboy)|(KubuCyber Team)|(by FakoMasT3r)|(By RACIONAIS)|(Peace !!!)|(P.h.p.S.p.y)|(phpRemoteView)|(WHC CrEw)|(Maospati TeaM)|(SyRiAn \| 34G13)|(BofA FullZ)|(AK-CoMMuNiTy Shell)|(r3m1ck shell)|(BatamHacker)|(SY-HACKER)|(JAAALiiikOm)|(MATRiX ALARAB)|(tryag.cOm)|(H4CK3R N4O)|(Red Eye Crew)|(0ldW0lf)|(LorD-C0d3r)|(REBEL KREW)|(STUNSHELL)|(indoseiancoder)|(Order of Grifos)|(Reverse Shell)|(by system-root)|(Symlink Tools)|(SMS Bomber)|(Mesin SMS)|(annoy the victims)|(petimati Cpanel)|(By Scra3zy)|(By PeruTeam)|(PROHacker PRIV8)|(iskorpitx)|(By MaGnUm-X)|(Islamic Ghosts Team)|(MOROCCO.SECURITY)|(site r00ter)|(Object not found!)|(By Risker)|(\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69)|(Magic SpaMMeR MaiLeR)|(by Maksymilian)|(Hacked by Shark)|(Execution By StEvE)|(D A D D Y)|(- PRIV8)|(Garculas Shell)|(Mr H017)|(wpfooterz)|(\^___\^)|(udp flood)|(port = 6667)|(By Dr.ahmed)|(FTP CraCkeR)|(Dr.JEeNTeL SheLL)|(Doma!ns)|(by VeXR)|(ML7s Hackers)|(>veter<)|(By WebCraker)|(Boa Spam AL)|(titanic crew)|(By Mr.Alo0oNe)|(By akatsuki)|(by GaDafFiMoneY)|(EggMoneyMAILER)|(:akatsuki:)|(Lloyds TsB Inc)|(BajoCrew Shell)|(One Code Unlock)|(Spam ReZulT)|(KeNiHaCk)|(K3N!H4Ck)|(G A R C U L A S)|(another Maga)|(RosebanditZ)|(by Ivan Ivanausqui)|(By OluChase)|(bank ReZulT)|(I MUST RICH)|(Inbox arab47)|(Inbox 4 All HZ)|(:: newsletter ::)|(Sudden_death)|(by B 4 R T H)|(LOKO_SPAM)|(Formosus-Crew)|(indonesiansecurity team)|(.:: mass mailer ::.)|(Enjoy New Aol)|(Team SQL)|(Exploit: error_log)|(Sniper_SA)|(MeToll)|(By Karar alShaMi)|(By Mohajer22)|(B0uK4risS)|(By Hasnf)|(Rapidshare)|(Sender Imbox)|(FakoMasT3r)|(Red Posion)|(JatimcreW)|(AlpHaNiX)|(by Neo2k8)|(nmapbot)|(ohai back)|(by p4km1n)|(billgates was here)|(plaNETWORK SheLL)|(irc.byroe.net)|(, no luck!)|(z3nc4rt.cc)|(AKACHI MAILER)|(Gat Fullz)|(CGI-Telnet)|(PHP Mailer 2011)|(iLLoGicSh3LL)|( CMD ::)|(@ MyHack)|(love2bbs)|(ihalimz.com)|(.: i\[H\]z)|(TeRoRisTe_Mc)|(serv3r ScaNN3r)|(EgY_SpIdEr)|(title>HcJ <)|(Priv8 SCR)|(ibl13Z Private Shell)|(irc.indoforum.org)|(port="6667")|(3MSHELL)|(\[ HaNgEr \])|(- G00dLuck -)|(\|semua ada waktunya!)|(w3\|\|5f4rg0)|(By NikoL :)|(By Da-Slake)|(سبام روت العرب)|(PayPal ReZulT)|(Y! Log)|(-SPM Log)|(ZenCart Pwnage)|(DAT RUDE BARRISTA)|(BY LUN4T1C0)|(Luthfi_ Fy)|(by: devil__)|(By SooMin Kim)|(By kaycr3w)|(By Ja\$pA)|(by DoitSelf)|(coguZAO)|(nst.void.ru)|(Lom...........x)|(STreammz !)|(the3gayskeeters)|(ibl13Z\[dot)|(FUCK !!!)|(:: w33d)|(REd Dragon_al)|(tiga-lima SheLL)|(g00nshell)|(Y\(\)NOT-T)|(By seller_mailer)|(\[email protected\])|(:GShell)|(by akatsuchi)|(infectslab:)|(nazis are comming!!)|(\$url = \$urls\[rand)|(By AwesomeBuge)|(-=SPAM=-)|(MagelangCyber)|(by Initial A)|(By Sikuruz)|(Codeshift3r)|(X-Cisadane)|(BY PSYCODEZ)|(Newbie-R)|(By faKmen)|(by Cyber AE)|(File Upload :)|(By SHinepo)|(By Adrian Unix)|(PROHacker was here)|(S U B Z I D)|(\$bunn = explode)|(semua ada waktunya!)|(UBS ReZuLt)|(%3C%48%54%4D%4C%3E%0A)|(Bismillah)|(irc.javairc.org)|(RedHackeR)|(Th3 K!LL3r)|(By The setan)|(Solohackerlink Crew)|(solutionzzzzzz)|(BlAcK.JaGuAr)|(SUNT LA emailul)|(Hacker Indonesia)|(Thund3rC4sH)|(\$shell = curl_exec)|(james0baster)|(_860972539_)|(MadeinChina)|(WordPress Inserter Links)|(phpRemoteView)|(Shell by aak)|(fullz.result)|(::xs86-)|(gog1=liTiTTT1Ti1I)|(Dr.Timor)|(by r3v3ng4ns)|(By Iron Mask)|(B a n k l i n e)|(FODAX CORPORATION)|(Simple Shell)|(: inb0x :)|(Irc.Allnetwork.Org)|(-234- >)|(BY HaTeX)|(empixcrew)|(HTTP_SHELL)|(\$tds ="http://)|(95.163.66.187)|(Powered By root@localhost)|(BY kaMtiEz)|(by ChitoZz_)|(By 2mibi)|(s0ul_p0w3r)|(KENNY WIZZY)|(DMaR AL-TMiMi)|(\[vb Tools\])|(By SILVER FOX)|(Gaza Hacker Team)|(Symlink t00lz)|(Unit-X Team)|(By DrZer0)|(DrZer0 Hacker)|(Lagripe-Dz)|(AbdullaH AL-TAMiMi)|(\$v01b6e203)|(By \[ Lkon)|(PHPJackal)|(sime:site)|(-CHA\$E-)|(rush1ng)|(by LAMA)|(M1LH4S - T4M)|(By Xadpritox)|(AndRy PNT)|(Ani Shell)|(. Z190T .)|(B Y M A G I C)|(H3xTeCh)|(Surrogafier)|(\$Ve8662315)|(By TeaM MosTa)|(raCrew ConnectBack)|(M0H4M3D 4M1N3)|(>HcJ <)|(By RAB3OUN)|(# SA3D)|(by r3cogn1z3d)|(LEOMACS CRYPTOGRAPHIC CREW)|(aKpuMPiN)|(By kay8992)|(By DewaSpam)|(By TrYaG.CC)|(Inbox Mailr)|(ybhacker)|('filesman')|(By Newbie_Campuz)|(by bankonmoney4me)|(Crush Mailr)|(- PHP-Sender)|(netjackal.by.ru)'
echo
echo -n "Search completed at: "
date
echo
```
I hope you find it interesting, and as always, thanks for stopping by!!
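A fixed-string variant of the scan, added here as an example (it is not part of kevinscan.txt or of the original post): with `grep -F` a signature such as `[ bjork` or `$c99` is matched literally without any escaping, and `-o` reports which signature hit so that generic strings like `web shell` can be triaged. The function names, the sample files and the three-signature subset are constructed for illustration, and GNU grep, find and xargs are assumed.

```shell
#!/bin/sh
# Added example, not the original script. Assumes GNU grep/find/xargs.

# scan_signatures DIR SIGFILE
# Prints one "path<TAB>matched text" line per distinct hit, sorted.
# SIGFILE holds one literal signature per line. Blank lines are dropped
# because an empty -F pattern would match every line of every file.
# Lines starting with '#' are NOT treated as comments: signatures such
# as "# SA3D" in the list above begin with that character.
scan_signatures() {
    dir=$1
    sigs=$(mktemp) || return 1
    grep -v '^[[:space:]]*$' "$2" > "$sigs"
    find "$dir" -type f \( -name '*.php' -o -name '*.js' -o -name '*.txt' \) -print0 |
        xargs -0 -r grep -HZioF -f "$sigs" |
        tr '\0' '\t' | LC_ALL=C sort -u
    rm -f "$sigs"
}

# Constructed sample tree and a three-signature subset of the list above.
demo() {
    root=$(mktemp -d) || return 1
    printf '%s\n' 'c99sh' '' '[ bjork' '$c99' > "$root/sigs.list"
    mkdir "$root/www"
    printf '%s\n' '<?php /* C99SH */ $c99 = "x"; ?>' > "$root/www/up.php"
    printf '%s\n' '<?php echo "bjork"; ?>'           > "$root/www/index.php"
    printf '%s\n' 'greets [ bjork ]'                 > "$root/www/notes.txt"
    (cd "$root/www" && scan_signatures . ../sigs.list)
    rm -rf "$root"
}

demo
```

`index.php` contains `bjork` but is not reported, because `[ bjork` is compared as a literal string rather than parsed as a bracket expression.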