#!/usr/bin/perl # ------------------------------------------------------------------------ # ------------------------------------------------------------------------ # Infinity CGI Trojan Scanner v2.0 Beta # Copyright (C) 1999 Azrael, All Rights Reserved # ------------------------------------------------------------------------ # This script is to be used for educational use only. I (Azrael) accept # absolutely no responsibility for the information that may be possibly # attained through the use of this script and/or the actions that may # take place because of someone's usage of this script. # ------------------------------------------------------------------------ # Visit http://infinityproject.cjb.net for more updates on the scanner and/or # a better version available. # You can contact me at infinity@wwdg.com # ------------------------------------------------------------------------ # ------------------------------------------------------------------------ # # Don't forget to chmod this script 755 (u+rwx,g+rx,o+rx) # # # HTML Form to go on your website: # # Infinity Trojan/Backdoor Scanner v2.0 Beta

#

# Host:
# Verbose Mode: Yes No #

# #

# # ############################ # Setup Variables $yoursiteaddy = "yourdomain"; #Your website address # Customize the colors of the output. Remember, special characters like # @, ", | etc... need a \ before them. $bodycolors = ""; $specialcolors = "ffffff"; # colors of special text in the output $countscans = 1; # Turn this to 1 if you want to enable the scanner counter # If you enable countscans to 1, you must specify the location of the data file to use $counterlocation = "/pathto/count.txt"; # Blocked sites list # You must have the dontscan.cgi file installed on your site (Scanner Blocker) so # system administrators are able to block their sites from scans. $dontscanlocation = "/pathto/dontscan.txt"; $nslookuplocation = "/usr/bin/nslookup"; # Location of nslookup binary (which nslookup) # ############################ use Socket; $| = 1; print "$ENV{'SERVER_PROTOCOL'} 200 OK\n"; print "Server: $ENV{'SERVER_SOFTWARE'}\n"; print "Content-type: text/html\n\n"; print "$bodycolors"; print "[ Infinity Trojan Scanner 2.0 Beta ]

\n"; print "The Infinity Project: http://infinityproject.cjb.net\n"; print "
Script Written by Azrael

\n"; print "

Trojan Scanner hosted by: $yoursiteaddy\n

"; @values = split(/\&/,$ENV{'QUERY_STRING'}); foreach $i (@values) { ($varname, $mydata) = split(/=/,$i); $FORM{$varname} = $mydata; } $host = "$FORM{'host'}"; $verbose = "$FORM{'verbose'}"; $host =~ tr/\%/a/; $host =~ tr/\;/b/; $host =~ tr/+/ /; $host =~ tr//d/; $host =~ tr/\|/e/; $host =~ tr/\&/f/; $host =~ tr/\^/g/; $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; %trojans = ( "31337" => "BackOrifice 1.x", "6969" => "GateCrasher", "21554" => "GirlFriend", "12346" => "NetBus 1.x", "20034" => "NetBus 2.x", "30100" => "NetSphere", "10167" => "Portal of Doom", "6400" => "The tHing", "1243" => "SubSeven", "6670" => "Deep Throath 1,2,3.x", "31" => "Master Paradise", "1001" => "Silencer", "20000" => "Millenium", "65000" => "Devil 1.03", "7306" => "NetMonitor", "1170" => "Streaming Audio Trojan", "30303" => "Socket23", "61466" => "Telecommando", "12076" => "Gjamer", "4950" => "IcqTrojen", "16969" => "Priotrity", "1245" => "Vodoo", "5742" => "Wincrash", "2583" => "Wincrash2", "1033" => "Netspy", "1981" => "ShockRave", "2023" => "Pass Ripper", "666" => "Attack FTP", "50766" => "Fore, Schwindlerd", "34324" => "Tiny Telnet Server", "30999" => "Kuang", "11000" => "Senna Spy Trojans", "23456" => "WhackJob", "555" => "Phase0 or Stealth Spy or NeTadmin (they use same port)", "5400" => "BladeRunner", "9989" => "InIkiller", "9872" => "PortalOfDoom", "11223" => "ProgenicTrojan", "22222" => "Prosiak 0.47", "53001" => "RemoteWindowsShutdown", "5569" => "RoboHack", "1001" => "Silencer", "2565" => "Striker", "40412" => "TheSpy", "2001" => "TrojanCow", "1001" => "WebEx", "1999" => "Backdoor", "2801" => "Phineas", "1509" => "Psyber Streaming Server", "6939" => "Indoctrination", "456" => "Hackers Paradise", "1011" => "Doly Trojan", "1492" => "FTP99CMP", "1600" => "Shiva Burka", "31339" => "NetSpy DK", "12223" => "Hack´99 KeyLogger", "9989" => "iNi-Killer", "7789" => "ICQKiller", "5321" => "Firehotcker", "40423" => "Master Paradise", "121" => "BO jammerkillahV", "30029" => "AOLTrojan1.1", "31787" => "Hack'a'tack", "2140" => "The Invasor", "1807" => "SpySender", "29891" => "The Unexplained", "20331" => "Bla", "4567" => "FileNail", "69123" => "ShitHeep", "10607" => "Coma", "1042" => "Bla1.1", "2283" => "HVL Rat5p", "5400" => "BackConstruction1.2", "17300" => "Kuang2 theVirus", "5550" => "Xtcp", "21554" => "Schwindler 1.82", "1010" => "Doly trojan v1.35", "1015" => "Doly trojan v1.5", "1080" => "Wingate (Socks-Proxy) (No, this is NOT a trojan)", "6669" => "Vampire", "6883" => "DeltaSource", "33911" => "Trojan Spirit 2001 a", "1269" => "Maverick's Matrix", "3791" => "Total Eclypse 1.0", "5011" => "OOTLT + OOTLT Cart", "12701" => "Eclipse 2000", "5031" => "NetMetro 1.0", "5521" => "Illusion Mailer", "9400" => "InCommand 1.0", "23456" => "UglyFtp", "2140" => "DeepThroat" ); if($host eq "SHOWMELIST") { print "The following is a list of trojans/backdoors the CGI checks for\:

\n"; foreach $port (keys %trojans) { print "$trojans{$port} on port $port
"; } print "

[ Infinity Scanner - CGI Trojan/Backdoor Scanner ] Copyright 2000 Azrael, All Rights Reserved."; print "

"; } if($host ne "SHOWMELIST") { if($host !~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { gethostbyname($host) or &dienice("Error: Can't resolv $host dns/ip.\n"); } $badstring1 = "\.html"; $badstring2 = "http\://"; $badstring3 = "infinityzone.cjb.net"; $badstring4 = "cjb\.net"; $badstring5 = "infinityproject.cjb.net"; if(lc($host) =~ lc($badstring1)) { &dienice("The Scanner can't scan HTML files. There are no exploits for them!"); } if(lc($host) =~ lc($badstring2)) { &dienice("Don't Enter the http:// part of the server! Just enter foobar.com or www.foobar.com (substitute your server in for that)."); } if(lc($host) =~ lc($badstring3)) { &dienice("You best not be trying to scan [ The Infinity Zone ]!"); } if(lc($host) =~ lc($badstring4)) { &dienice("You are not allowed to scan cjb.net! Anyway, don't you realize that the subdomains in their network are not really on their network but rather its just a mask! Arg, some people!"); } if(lc($host) =~ lc($badstring5)) { &dienice("You best not be trying to scan [ The Infinity Project ]!"); } $hostname = `$nslookuplocation $host`; if(lc($hostname) =~ ".gov") { &dienice("No scanning .gov sites!"); } if(lc($hostname) =~ ".mil") { &dienice("No scanning .mil sites!"); } if(lc($hostname) =~ ".GOV") { &dienice("No scanning .GOV sites!"); } if(lc($hostname) =~ ".MIL") { &dienice("No scanning .MIL sites!"); } open(DONTSCAN, "$dontscanlocation") or &dienice("Couldn't open the list of sites to not scan.\n"); @dontscanlist = ; close(DONTSCAN); @hostnameresults = `$nslookuplocation $host`; foreach $badsite (@dontscanlist) { chomp($badsite); if(lc($host) =~ lc($badsite)) { &dienice("That site is protected from being scanned."); } foreach $badsitehostname (@hostnameresults) { chomp($badsitehostname); if(lc($badsitehostname) =~ lc($badsite) and lc($badsitehostname) !~ lc($host)) { &dienice("That site is protected from being scanned."); } if(lc($badsitehostname) =~ lc(".gov")) { &dienice("That site is protected from being scanned."); } if(lc($badsitehostname) =~ lc(".mil")) { &dienice("That site is protected from being scanned."); } } } if($countscans == 1) { open(COUNT,"+<$counterlocation") || die "Couldn't open file: $counterlocation\n"; $hits = ; $hits = $hits + 1; seek (COUNT,0,0); print COUNT $hits; truncate COUNT, tell COUNT; close COUNT; print "There have been $hits scans with this scanner"; print "

\n\n"; } else { print "
\n\n"; } print "Scanning $host for trojans/backdoors.\n

\n"; $strNumberFound = 0; foreach $port (keys %trojans) { # print "$host\:$port
\n"; $serverIP = inet_aton($host); $serverAddr = sockaddr_in($port, $serverIP); $protocol_name = "tcp"; socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); if(connect(CLIENT, $serverAddr)) { print "Possible $trojans{$port} Trojan found on port $port.\n
\n"; $strNumberFound++; } else { if($verbose eq "yes") { print "Connection Refused on port $port for $trojans{$port}
\n"; } } close(CLIENT); } if($strNumberFound == 0) { print "\n

\nNo trojans/backdoors were detected on $host."; } print "\n

Finished scanning $host for trojans/backdoors."; print "\n

Thanks to TL Security for creating a huge list of trojans and their ports and thanks to cypress hill for forwarding me their link."; print "

[ Infinity Scanner - CGI Trojan/Backdoor Scanner ] Copyright 2000 Azrael, All Rights Reserved."; print "

"; } sub dienice() { ($msg) = @_; print "\n\nError:\n

$msg"; exit; }