dec Voice
Joined: 26 Nov 2009 Posts: 12
Posted: Thu Nov 26, 2009 5:53 pm Post subject: translate encrypted word

I found some script that has a backdoor..
I need help to decrypt it, or at least translate it into words that I can understand..

Code:
if {[string tolower $channel] != [dezip "EQO/7.meDlC1iq2jE.UVfbE."]} {
set notc [dezip "c4c0O/Pz7NR0VY05E/t9zZo.PzSIW0c035C/"]
regsub -all -- [dezip "jGBDx04~ntxb0"] $text "" text
regsub -all -- [dezip "bFuC0.Jq~aEc0"] $text "" text
regsub -all -- [dezip "xdxsF1~hBM6q0"] $text "" text
regsub -all -- [dezip "jG~BDx04ntxb0"] $text "" text
regsub -all -- [dezip "bF~uC0.JqaEc0"] $sreas "" sreas
regsub -all -- [dezip "xdxs~F1hBM6q0"] $sreas "" sreas

Thank you so much for the help in advance..
 |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Thu Nov 26, 2009 6:47 pm Post subject:

Please don't crosspost. I will remove your other post in "Script Requests".
Are you thinking of the old netgate backdoor/trojan? Then you'll find a post by "user" on how you could decrypt that code on the forum...
_________________
NML_375, idling at #eggdrop@IrcNET
 |
dec Voice
Joined: 26 Nov 2009 Posts: 12
Posted: Thu Dec 10, 2009 10:28 am Post subject:

Hi nml375
1st thing 1st, very sorry for the crosspost.
2nd thing is, can you redirect me to the post that you mentioned before..
I've tried to search but I found a lot of posts by "user"
Very much appreciate your help before..
 |
blake Master
Joined: 23 Feb 2009 Posts: 201
 |
dec Voice
Joined: 26 Nov 2009 Posts: 12
Posted: Tue Dec 22, 2009 11:12 am Post subject:

Still blank..
Any other way to know how to decrypt the dezip code..
 |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Tue Dec 22, 2009 11:39 am Post subject:

The thread that Blake linked contains all the needed information to de-obfuscate the lines you posted, including the dezip proc.
_________________
NML_375, idling at #eggdrop@IrcNET
 |
dec Voice
Joined: 26 Nov 2009 Posts: 12
Posted: Wed Dec 23, 2009 3:58 pm Post subject:

Hi nml375 and blake,
I have tried user's Tcl script to convert the "backdoor-script"
but still got nothing when I use the convert-result..
My bot is still running to some strange channel..
The point is, I still don't understand the meaning of
this headache word..

Code:
if {[string tolower $channel] != [dezip "EQO/7.meDlC1iq2jE.UVfbE."]} {
set notc [dezip "c4c0O/Pz7NR0VY05E/t9zZo.PzSIW0c035C/"]
regsub -all -- [dezip "jGBDx04~ntxb0"] $text "" text
regsub -all -- [dezip "bFuC0.Jq~aEc0"] $text "" text
regsub -all -- [dezip "xdxsF1~hBM6q0"] $text "" text
regsub -all -- [dezip "jG~BDx04ntxb0"] $text "" text
regsub -all -- [dezip "bF~uC0.JqaEc0"] $sreas "" sreas
regsub -all -- [dezip "xdxs~F1hBM6q0"] $sreas "" sreas

*Still need help..
 |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Wed Dec 23, 2009 11:44 pm Post subject:

As I wrote, the needed procs to "decrypt" this bad-boy are available in user's post. Once you've got the dezip proc loaded, all you need to do is issue the dezip tcl command with the various strings that you'd like to decrypt..
I sure do hope that you don't actually intend to run this horrible piece of trojan/backdoor. Having your eggdrop joining some strange channels is the least of your concerns, as it attempts to create a new owner's record, as well as replacing any command to list users in order to hide this... In the end, this bad-boy is written to allow its author (or other malicious users) full access to your eggdrop, and the shell that is hosting it.
_________________
NML_375, idling at #eggdrop@IrcNET
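Added example, not part of the thread and not any poster's code: a static triage script that lists every `[dezip "..."]` literal in a suspect eggdrop script without loading the script into a bot, so the strings can be handed to a decoder in isolation. The dezip proc is not reproduced on this page, so nothing is decoded here; the function names are made up for the example and the sample input is the eight lines posted above.

```python
import re
from collections import defaultdict

# Sample input: the eight lines posted in this thread (line numbers stripped).
SAMPLE = r'''if {[string tolower $channel] != [dezip "EQO/7.meDlC1iq2jE.UVfbE."]} {
set notc [dezip "c4c0O/Pz7NR0VY05E/t9zZo.PzSIW0c035C/"]
regsub -all -- [dezip "jGBDx04~ntxb0"] $text "" text
regsub -all -- [dezip "bFuC0.Jq~aEc0"] $text "" text
regsub -all -- [dezip "xdxsF1~hBM6q0"] $text "" text
regsub -all -- [dezip "jG~BDx04ntxb0"] $text "" text
regsub -all -- [dezip "bF~uC0.JqaEc0"] $sreas "" sreas
regsub -all -- [dezip "xdxs~F1hBM6q0"] $sreas "" sreas
'''

# Matches [dezip "literal"], optionally written as [::dezip "literal"].
CALL = re.compile(r'\[\s*(?:::)?dezip\s+"([^"\]\\]*)"\s*\]')


def find_dezip_calls(source):
    """Return (line_no, first_word_of_line, literal) for each dezip call."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and Tcl comments
        first_word = stripped.split()[0]
        for match in CALL.finditer(line):
            hits.append((no, first_word, match.group(1)))
    return hits


def group_by_tilde_stripped(hits):
    """Group literals that are identical once '~' is removed.

    This only reports a visible property of the strings; it makes no
    claim about what '~' means to the decoder.
    """
    groups = defaultdict(list)
    for no, _cmd, literal in hits:
        groups[literal.replace("~", "")].append(no)
    return {key: lines for key, lines in groups.items() if len(lines) > 1}


if __name__ == "__main__":
    found = find_dezip_calls(SAMPLE)
    for no, cmd, literal in found:
        print(f"line {no:>2}  {cmd:<7} {literal}")
    for key, lines in group_by_tilde_stripped(found).items():
        print(f"same characters apart from '~': lines {lines}")
```

On the posted lines this reports eight literals, and shows that the six regsub patterns are three strings repeated with the `~` in a different position.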