A friend from the Netherlands who normally does WordPress stuff sent me the source code to a worm virus that he received. This thing is very dangerous in what damage it could do, or what it could download or do on your website and other parts of the web. Please be on the lookout for a "run.php" file that may or may not be this thing on any of your web hosts. Just thought I'd suggest this to you.
Some parts of the file were:
// Each probe goes to one address: a base address from $targets plus a running
// offset, converted back to dotted-quad form by the script's own mylong2ip()
// helper (defined elsewhere in the file, not shown here).
$curip = $targets[$curtarget][0] + $targetid;
$curip = mylong2ip($curip);
// A SIP OPTIONS request is assembled by hand. Via and Contact advertise
// 127.0.1.1, which no real peer would do; the ";rport" parameter makes a
// compliant server reply to the datagram's source address instead.
$out = "OPTIONS sip:$curip SIP/2.0\r\n";
$out .= "Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-3408002827;rport\r\n";
$out .= "Content-Length: 0\r\n";
$out .= "From: \"siplicious\"<sip:100@1.1.1.1>; tag=0101010113c4\r\n";
$out .= "Accept: application/sdp\r\n";
$out .= "To: \"siplicious\"<sip:100@1.1.1.1>\r\n";
$out .= "Contact: sip:None@127.0.1.1:5060\r\n";
$out .= "CSeq: 1 OPTIONS\r\n";
$out .= "Call-ID: 700556890817406150532338\r\n";
$out .= "Max-Forwards: 70\r\n";
$out .= "\r\n";
// The whole request is sent as a single UDP datagram to port 5060 on the target.
socket_sendto($sock, $out, strlen($out), 0, $curip, 5060);
PHP Worm Virus
Re: PHP Worm Virus
You should report this to the wordpress team...
Re: PHP Worm Virus
Hey jack_indigo, I have a SIP server that was recently TARGETED by the script you have and I'm trying to determine more about what it does... can you post the entire script? Or at least the section on how it determines what the $targets[] are and the $targetid? Does it send SIP packets other than OPTIONS, e.g. like trying to make a call perhaps? Thanks a bunch.
Here's what I got:
OPTIONS sip:{myserveripaddr} SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-3408002827;rport
Content-Length: 0
From: "siplicious"<sip:100@1.1.1.1>; tag=0101010113c4
Accept: application/sdp
To: "siplicious"<sip:100@1.1.1.1>
Contact: sip:None@127.0.1.1:5060
CSeq: 1 OPTIONS
Call-ID: 700556890817406150532338
Max-Forwards: 70
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
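The packet quoted in this reply is the datagram the fragment in the first post builds, so one detector serves both. The following is an added example, not code from the thread or from the script being discussed: it parses SIP request datagrams captured on UDP/5060 and flags the ones whose Via, From and Contact carry the indicator strings quoted above (127.0.1.1 in Via and Contact, the "siplicious" display name, the "sip:None@" contact). The server address 192.0.2.10 and the source addresses in the sample capture are constructed placeholders, not values from the thread. A Via naming 127.0.1.1 is a fingerprint rather than a sign the sender cannot get a reply, because ";rport" makes a compliant server answer to the datagram's source address anyway.

```python
"""Flag SIP OPTIONS probes matching the fingerprint quoted in the thread."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Indicator strings copied from the packet quoted in the thread.
FINGERPRINT_FROM = 'siplicious'
FINGERPRINT_CONTACT = 'sip:None@127.0.1.1:5060'
FINGERPRINT_VIA_HOST = '127.0.1.1:5060'


def parse_sip_request(raw: str) -> Optional[Dict[str, str]]:
    """Parse a SIP request's start line and header block.

    Returns {'method', 'uri', 'version', <header name lower-cased>: value},
    or None when the first line is not a SIP request line.
    """
    lines = raw.replace('\r\n', '\n').split('\n')
    m = re.match(r'^([A-Z]+)\s+(\S+)\s+(SIP/\d\.\d)$', lines[0].strip())
    if not m:
        return None
    msg = {'method': m.group(1), 'uri': m.group(2), 'version': m.group(3)}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(':')
        if not sep:
            continue                   # tolerate a malformed header line
        msg[name.strip().lower()] = value.strip()
    return msg


def classify_datagram(raw: str) -> Tuple[bool, List[str]]:
    """Return (is_scanner_probe, matched_indicators) for one datagram.

    Two or more matching indicators are required, so a single coincidental
    header value does not flag legitimate OPTIONS keepalives.
    """
    msg = parse_sip_request(raw)
    if msg is None or msg['method'] != 'OPTIONS':
        return False, []
    hits: List[str] = []
    # No real peer advertises 127.0.1.1 in Via; with ";rport" the sender still
    # receives our reply at the datagram's source address, so this is a
    # fingerprint, not a reason to assume the probe is harmless.
    if FINGERPRINT_VIA_HOST in msg.get('via', ''):
        hits.append('via-loopback')
    if FINGERPRINT_FROM in msg.get('from', ''):
        hits.append('from-siplicious')
    if msg.get('contact') == FINGERPRINT_CONTACT:
        hits.append('contact-none')
    return len(hits) >= 2, hits


def scan_sources(datagrams: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count flagged probes per source IP over (src_ip, payload) pairs."""
    counts: Counter = Counter()
    for src, payload in datagrams:
        flagged, _ = classify_datagram(payload)
        if flagged:
            counts[src] += 1
    return dict(counts)


# Constructed sample: the probe quoted in the thread, addressed to a
# placeholder server (192.0.2.10, RFC 5737 documentation range).
SCANNER_PROBE = (
    "OPTIONS sip:192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-3408002827;rport\r\n"
    "Content-Length: 0\r\n"
    "From: \"siplicious\"<sip:100@1.1.1.1>; tag=0101010113c4\r\n"
    "Accept: application/sdp\r\n"
    "To: \"siplicious\"<sip:100@1.1.1.1>\r\n"
    "Contact: sip:None@127.0.1.1:5060\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 700556890817406150532338\r\n"
    "Max-Forwards: 70\r\n"
    "\r\n"
)

# Constructed sample: a benign OPTIONS keepalive from a trunk peer (made-up addresses).
TRUNK_KEEPALIVE = (
    "OPTIONS sip:192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:ping@198.51.100.7>;tag=1928301774\r\n"
    "To: <sip:192.0.2.10>\r\n"
    "Contact: <sip:ping@198.51.100.7:5060>\r\n"
    "CSeq: 63104 OPTIONS\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == '__main__':
    print(classify_datagram(SCANNER_PROBE))    # (True, ['via-loopback', 'from-siplicious', 'contact-none'])
    print(classify_datagram(TRUNK_KEEPALIVE))  # (False, [])
    batch = [("203.0.113.5", SCANNER_PROBE)] * 3 + [("198.51.100.7", TRUNK_KEEPALIVE)]
    print(scan_sources(batch))                 # {'203.0.113.5': 3}
```

Feed `scan_sources` the payloads from a packet capture on port 5060 (source IP plus UDP payload decoded as text) to see which addresses are sweeping the server; the per-source count is what distinguishes a scanner working through a range from a provider's periodic keepalive.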
Re: PHP Worm Virus
How did it get on the server in the first place? In an update?
And yes, good questions, what damage can it do?