translate encrypted word

Help for those learning Tcl or writing their own scripts.
dec
Voice
Posts: 12
Joined: Thu Nov 26, 2009 2:37 pm

Post by dec »

I found some script that has a backdoor..
I need help to decrypt it, or at least translate it into words that I can understand..

Code:

if {[string tolower $channel] != [dezip "EQO/7.meDlC1iq2jE.UVfbE."]} {
set notc [dezip "c4c0O/Pz7NR0VY05E/t9zZo.PzSIW0c035C/"]
regsub -all -- [dezip "jGBDx04~ntxb0"] $text "" text
regsub -all -- [dezip "bFuC0.Jq~aEc0"] $text "" text
regsub -all -- [dezip "xdxsF1~hBM6q0"] $text "" text
regsub -all -- [dezip "jG~BDx04ntxb0"] $text "" text
regsub -all -- [dezip "bF~uC0.JqaEc0"] $sreas "" sreas
regsub -all -- [dezip "xdxs~F1hBM6q0"] $sreas "" sreas

Thank you so much for your help in advance..
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Please don't crosspost. I will remove your other post in "Script Requests".

Are you thinking of the old netgate backdoor/trojan? Then you'll find a post by "user" on how you could decrypt that code on the forum...
NML_375
dec
Voice
Posts: 12
Joined: Thu Nov 26, 2009 2:37 pm

Post by dec »

Hi nml375,
First things first, very sorry for the crosspost.

Second, can you redirect me to the post that you mentioned before?
I've tried to search but I found a lot of posts by "user".
I very much appreciate your help..
blake
Master
Posts: 201
Joined: Mon Feb 23, 2009 9:42 am

Post by blake »

dec
Voice
Posts: 12
Joined: Thu Nov 26, 2009 2:37 pm

Post by dec »

Still blank.. :(
Is there any other way to know how to decrypt the dezip code?
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

The thread that Blake linked contains all the needed information to de-obfuscate the lines you posted, including the dezip proc.
NML_375
dec
Voice
Posts: 12
Joined: Thu Nov 26, 2009 2:37 pm

Post by dec »

Hi nml375 and blake,
I have tried user's Tcl script to convert the "backdoor-script"
but still got nothing when I use the convert-result..
My bot is still running to some strange channel..

The point is, I still don't understand the meaning of
these headache words.. :cry:

Code:

if {[string tolower $channel] != [dezip "EQO/7.meDlC1iq2jE.UVfbE."]} {
set notc [dezip "c4c0O/Pz7NR0VY05E/t9zZo.PzSIW0c035C/"]
regsub -all -- [dezip "jGBDx04~ntxb0"] $text "" text
regsub -all -- [dezip "bFuC0.Jq~aEc0"] $text "" text
regsub -all -- [dezip "xdxsF1~hBM6q0"] $text "" text
regsub -all -- [dezip "jG~BDx04ntxb0"] $text "" text
regsub -all -- [dezip "bF~uC0.JqaEc0"] $sreas "" sreas
regsub -all -- [dezip "xdxs~F1hBM6q0"] $sreas "" sreas

*still need help..
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

As I wrote, the needed procs to "decrypt" this bad-boy are available in user's post. Once you've got the dezip proc loaded, all you need to do is issue the dezip Tcl command with the various strings that you'd like to decrypt..

I sure do hope that you don't actually intend to run this horrible piece of trojan/backdoor. Having your eggdrop joining some strange channels is the least of your concerns, as it attempts to create a new owner's record, as well as replacing any command to list users in order to hide this... In the end, this bad-boy is written to allow its author (or other malicious users) full access to your eggdrop, and the shell that is hosting it.
NML_375
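
Added example (not part of the thread and not the script's own code): a static Python pass over the lines quoted above that lists every `dezip` literal with the command and variable it feeds, then emits one Tcl line per literal for an interpreter where the dezip proc from user's post is already loaded. It never evaluates the suspect script; `SAMPLE`, `Hit` and both function names are constructed here.

```python
import re
from collections import namedtuple

# Constructed input: the eight lines quoted in the thread, forum line numbers stripped.
SAMPLE = r'''if {[string tolower $channel] != [dezip "EQO/7.meDlC1iq2jE.UVfbE."]} {
set notc [dezip "c4c0O/Pz7NR0VY05E/t9zZo.PzSIW0c035C/"]
regsub -all -- [dezip "jGBDx04~ntxb0"] $text "" text
regsub -all -- [dezip "bFuC0.Jq~aEc0"] $text "" text
regsub -all -- [dezip "xdxsF1~hBM6q0"] $text "" text
regsub -all -- [dezip "jG~BDx04ntxb0"] $text "" text
regsub -all -- [dezip "bF~uC0.JqaEc0"] $sreas "" sreas
regsub -all -- [dezip "xdxs~F1hBM6q0"] $sreas "" sreas
'''

# line: 1-based line number; command: first word; target: variable written; blob: encoded literal
Hit = namedtuple("Hit", "line command target blob")

def find_encoded_literals(script, decoder="dezip"):
    """Locate every [decoder "literal"] call without evaluating any Tcl."""
    call = re.compile(r'\[\s*' + re.escape(decoder) + r'\s+"([^"\\{}\[\]$]+)"\s*\]')
    hits = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        words = raw.split()
        command = words[0] if words else ""
        if command == "set" and len(words) > 1:
            target = words[1]      # set VAR value
        elif command == "regsub":
            target = words[-1]     # regsub ?switches? exp string subSpec VAR
        else:
            target = ""            # e.g. the literal is compared inside an if
        for m in call.finditer(raw):
            hits.append(Hit(lineno, command, target, m.group(1)))
    return hits

def tcl_decode_commands(hits, decoder="dezip"):
    """One Tcl line per unique blob; braces stop Tcl substituting inside it."""
    seen, out = set(), []
    for h in hits:
        if h.blob not in seen:
            seen.add(h.blob)
            out.append(f"puts [list {{{h.blob}}} [{decoder} {{{h.blob}}}]]")
    return out

if __name__ == "__main__":
    hits = find_encoded_literals(SAMPLE)
    for h in hits:
        print(f"line {h.line}: {h.command:<6} writes {h.target or '-':<5} {h.blob}")
    print("\n".join(tcl_decode_commands(hits)))
```

The report shows which decoded values end up as regsub patterns applied to `text` and `sreas`, and which one is compared against the channel name, so the decoded strings can be read in context without loading the script into the bot.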