krisw

Thanks for taking the time to reply. By 'third party' I meant the web developers. They're actually the second party, so my bad in that respect. I just wondered whether this code served any legitimate purpose. I suspected not (due to the viagra link), but I didn't want to go throwing the book at the developers as they are the (supposed) experts in this situation. I know nothing about PHP, but I do know a suspect link when I see one. The developers are a legitimate company so I suspect this is a security oversight on their behalf, as opposed to anything malicious carried out by one of their team. Either way, they now have some serious questions to answer. The website itself seems to function as it did on day one, and I've not had any reports from customers about any problems. However, we certainly don't want the name of our business tarnished. Maybe some of our customers do need viagra, but they'll need to go get it elsewhere Thanks very much for your assistance guys. Should anyone be able to explain exactly what the code does, that would be great, however I should have enough info to go and bash some web developers with.

Hi, I am the administrator for my company's website. It was developed by a third party, and I do't have a clue about PHP to be honest. When editing the homepage yesterday, I found the following script: "<?php function l($s){return strtolower($s);} function a(){return func_get_args();} function b($p,$u,$x){ $w=a( a(a('ask.com'),a('ask jeeves/teoma','ask.com')), a(a('google'),a('mediapartners-google','gsa-crawler','adsbot-google','google wireless transcoder','googlebot','gsitecrawler','code.google.com','feedfetcher-google')), a(a('blogpulse.com','wordblog.de','goo.ne.jp','seocentro.com','blogbridge.com','bloglines.com','feedmap.net','blogsnow.com'),a('blogpulselive','blogpulse','ping.wordblog.de','gooblog','metatagrobot','blogbot','blogbridge','bloglines','blogmap','blogsearch','blogsnowbot','blogvibebot','blogwatcher')), a(a('robot','crawl','search','check'),a('crawler','indexer','search','robot','spider','checker','http://','bot.html','bot.asp','bot.shtml','about.htm','about.asp','about.shtml','wwwc','urllib','libwww','libweb','httplib','php/','wordpress')) ); $b=0; if(!$b && $u!=''){$i=0; $u=l($u);foreach($w as $r){foreach($r[1] as $g)if(substr_count($u, $g)> 0){ $b=$i+1; break 2; }$i++;}} if(!$b && $p!='127.0.0.1' && $x){$h = @gethostbyaddr($p);$i=0; $h=l($h);foreach($w as $r){foreach($r[0] as $s)if(substr_count($h, $s)> 0){ $b=$i+1; break 2; }$i++;}} return $b; } $s='<a href="http://vopharmacy.com/">viagra online</a>'; $ra='REMOTE_ADDR'; $ua='HTTP_USER_AGENT'; $ra=(empty($_SERVER[$ra])?'127.0.0.1':$_SERVER[$ra]); $ua=(empty($_SERVER[$ua])?'':$_SERVER[$ua]); if(b($ra,$ua,true))echo($s); ?>" I am suspicious of the fact that there seems to be a link to a site called 'viagra online' in there. Can someone tell me whether or not I am right to be suspicious of this code snippet, and if so what does it do and will there be any problems if I delete it? Thanks in advance for any help provided.