bediger4000
diff --git a/‎vigilante_suspected/README.md
+196-109 b/‎vigilante_suspected/README.md
+196-109
diff --git a/‎vigilante_suspected/create_func_longevity
+1-1 b/‎vigilante_suspected/create_func_longevity
+1-1
diff --git a/‎vigilante_suspected/def_graphs
+2-2 b/‎vigilante_suspected/def_graphs
+2-2
diff --git a/‎vigilante_suspected/extract_defs
+6 b/‎vigilante_suspected/extract_defs
+6
diff --git a/‎vigilante_suspected/function_counts
+3-3 b/‎vigilante_suspected/function_counts
+3-3
diff --git a/‎vigilante_suspected/vigilante_detection.png
-2.04 KB b/‎vigilante_suspected/vigilante_detection.png
-2.04 KB
diff --git a/‎webshells/wso_in_depth/README.md
+20-4 b/‎webshells/wso_in_depth/README.md
+20-4
diff --git a/‎webshells/wso_in_depth/WSO (web shell) | ANTICHAT - Security online community.html
+319 b/‎webshells/wso_in_depth/WSO (web shell) | ANTICHAT - Security online community.html
+319
diff --git a/‎webshells/wso_in_depth/xaker.name/WSO web shell | Archive xaker.name, hacker forum.html
+106 b/‎webshells/wso_in_depth/xaker.name/WSO web shell | Archive xaker.name, hacker forum.html
+106
diff --git a/‎webshells/wso_in_depth/xaker.name/retrieve.wso
+2 b/‎webshells/wso_in_depth/xaker.name/retrieve.wso
+2
@@ -4,7 +4,7 @@ echo '|Serial Number|Initial appearance|Final appearance|'
 echo '|-------------|------------------|----------------|'
 ls -1 renamed_functions/*/R*php |
 sed -e 's/renamed_functions\///' -e 's/\//	/' -e 's/R//' -e 's/.php//' |
-sort -k2.1n -k1.1 |
+sort -k2.1n -k1.1 | sed 's/\(....-..-..\)./\1/' |
 awk 'NR==1 { firstdate=$1; sn=$2 } \
 	NR > 1 { if ($2 == sn) { lastdate = $1; } \
 			if ($2 != sn) {printf "|%s|%s|%s|\n", sn, firstdate, lastdate;  firstdate=$1; sn=$2; lastdate=""}\
 
@@ -3,7 +3,7 @@ rm -f defs.cont
 touch defs.cont
 for FNAME in extracted_defs/*
 do
-	TIMESTAMP=$(basename $FNAME | sed 's/def.//')
+	TIMESTAMP=$(basename $FNAME | sed -e 's/def.//'  -e 's/.$//' )
 	# Skip timestamps in which no changes take place
 	if [[ $TIMESTAMP =~ 2018-11-2[235] ]]
 	then
@@ -35,4 +35,4 @@ do
 	fi
 done
 
-sort -k2.1n defs.cont | awk 'NR==1 {last=$2; print $0} NR>1 {if (last != $2) { print "\n"} print $0; last=$2}' > defs.lines
+sort -k2.1n defs.cont | awk 'NR==1 {lastline=$0; last=$2; print $0} NR>1 {if (lastline != $0) {if (last != $2) { print "\n"} print $0; last=$2} lastline=$0}' > defs.lines
@@ -15,6 +15,12 @@ do
 	EPOCH=$( fgrep '[REQUEST_TIME]' $NEWFNAME | awk '{print $3}' )
 	TIMESTAMP=$(date --date="@$EPOCH" '+%Y-%m-%d' )
 
+	LETTER=a
+	while [[ -f extracted/defs.$TIMESTAMP$LETTER ]]
+	do
+		LETTER=$(echo $LETTER | tr "a-z" "b-za")
+	done
+	TIMESTAMP=$TIMESTAMP$LETTER
 
 	# Serialized array
 	echo '<?php' >  extracted/defs.$TIMESTAMP
 
@@ -11,12 +11,12 @@ done
 echo '|Capture date|Serial Number Count  |Deletions  |Additions  |'
 echo '|------------|:-------------------:|:---------:|:---------:|'
 
-PREV=serial_number_lists/2016-04-17
+PREV=serial_number_lists/2016-04-17a
 for FNAME in serial_number_lists/*
 do
-	if [[ $FNAME != serial_number_lists/2016-04-17 ]]
+	if [[ $FNAME != serial_number_lists/2016-04-17a ]]
 	then
-		TIMESTAMP=$(basename $FNAME | sed 's/def.//')
+		TIMESTAMP=$(basename $FNAME | sed -e 's/def.//' -e 's/.$//' )
 		# Elements of B not in A:
 		# fgrep -v -f A B       
 		ADDITIONS=$( fgrep -x -v -f $PREV $FNAME | wc -l )
 
@@ -9,16 +9,25 @@ like [Dameware](https://www.dameware.com/).
 https://www.wordfence.com/blog/2017/06/wso-shell/
 https://forum.antichat.ru/threads/103155/
 
-A family of programs, modified in the wild by everyone.
+A family of programs, modified in the wild by many programmers.
 
 ![WSO phylogeny](wso_phylogeny.png?raw=true)
 
 ## Origin
 
 ![oRb's avatar](orb_avatar.jpg?raw=true)
+![oRb's antichat avatar](avatar_m.png?raw=true)
+
+Announcements
+
+* https://forum.antichat.ru/threads/103155/
+* http://xaker.name/arhiv/threads/20827/
 
 ## Timeline
 
+1. 
+2. 
+
 ###
 
 2.1 - 2.5 orderly development by oRb (?)
@@ -37,9 +46,10 @@ I can't find a 1.x version.
 
 ### 4.x HardLinux variants
 
-Started with WSO 2.4,
+Started with WSO 2.3, (how do we know this?)
 worked from there,
 development hosted by github.
+Russian-language developers.
 
 ## Design
 
@@ -84,6 +94,8 @@ This is a unique, distinctive feature of all WSO variants.
         call_user_func('action' . $_POST['a']);
     }
 
+Which actions use c/p1/p2/p3?
+
 I suspect that between `call_user_func()`,
 the modularity provided by the action functions,
 and keeping HTML in PHP strings (rather than interleaved code and HTML),
@@ -106,6 +118,8 @@ or with a cookie, no explicit login needed.
 This often happens when attackers invoke `actionRC`,
 "a=RC" POST parameter and value.
 
+Is it worth mentioning the vigilante cookie?
+
 ### "action" functions
 
 The value of the POST parameter named "a" determines a category
@@ -146,9 +160,11 @@ Several other string-substituted variants occur.
 
 The Russian 4.x variants descend from 2.4 -
 they use a PHP session to keep state rather than keeping state in a cookie.
+Why did phylogeny indicate a 2.3 origin?
 
-WSO 2.5.1 is WSO 2.5 with a "call home" borrowed from fx29
-web shells. WSO 2.8 is 2.5.1 with another "call home".
+WSO 2.5.1 is WSO 2.5 with a "phone home" borrowed from fx29
+web shells. WSO 2.8 is 2.5.1 with an additional "phone home",
+the previous phone home is preserved.
 
 ### Conserved Features
 
 
@@ -0,0 +1,2 @@
+#!/bin/bash
+wget -r -np -k http://xaker.name/arhiv/threads/20827
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+#!/bin/bash`
	`2`	`+wget -r -np -k http://xaker.name/arhiv/threads/20827`