Don't know what this script does, can someone enlighten me please?

[krisw]

Hi,

 

I am the administrator for my company's website. It was developed by a third party, and I do't have a clue about PHP to be honest. When editing the homepage yesterday, I found the following script:

 

"<?php

      function l($s){return strtolower($s);}

      function a(){return func_get_args();}

      function b($p,$u,$x){

      $w=a(

      a(a('ask.com'),a('ask jeeves/teoma','ask.com')),

      a(a('google'),a('mediapartners-google','gsa-crawler','adsbot-google','google wireless transcoder','googlebot','gsitecrawler','code.google.com','feedfetcher-google')),

      a(a('blogpulse.com','wordblog.de','goo.ne.jp','seocentro.com','blogbridge.com','bloglines.com','feedmap.net','blogsnow.com'),a('blogpulselive','blogpulse','ping.wordblog.de','gooblog','metatagrobot','blogbot','blogbridge','bloglines','blogmap','blogsearch','blogsnowbot','blogvibebot','blogwatcher')),

      a(a('robot','crawl','search','check'),a('crawler','indexer','search','robot','spider','checker','http://','bot.html','bot.asp','bot.shtml','about.htm','about.asp','about.shtml','wwwc','urllib','libwww','libweb','httplib','php/','wordpress'))

      );

      $b=0;

      if(!$b && $u!=''){$i=0; $u=l($u);foreach($w as $r){foreach($r[1] as $g)if(substr_count($u, $g)> 0){ $b=$i+1; break 2; }$i++;}}

      if(!$b && $p!='127.0.0.1' && $x){$h = @gethostbyaddr($p);$i=0; $h=l($h);foreach($w as $r){foreach($r[0] as $s)if(substr_count($h, $s)> 0){ $b=$i+1; break 2; }$i++;}}

      return $b;

      }

      $s='<a href="http://vopharmacy.com/">viagra online</a>';

      $ra='REMOTE_ADDR'; $ua='HTTP_USER_AGENT';

      $ra=(empty($_SERVER[$ra])?'127.0.0.1':$_SERVER[$ra]);

      $ua=(empty($_SERVER[$ua])?'':$_SERVER[$ua]);

      if(b($ra,$ua,true))echo($s);

      ?>"

 

 

I am suspicious of the fact that there seems to be a link to a site called 'viagra online' in there. Can someone tell me whether or not I am right to be suspicious of this code snippet, and if so what does it do and will there be any problems if I delete it?

 

Thanks in advance for any help provided.

[trochia]

More than likely, you are correct in your assumption > $s='<a href="http://vopharmacy.com/">viagra online</a>';

 

  WHO? Was the '3rd party" :-)

 

Jim

 

 

[ManiacDan]

This code may not have been inserted by your "third party," but may actually have been the work of a fourth party, some nefarious spammer who gained access to your system.

 

If you have PHP code, you need a PHP developer.  Hop on over to the "for hire" section (or call a consulting company) and get someone to do a full audit of your codebase.  There's obviously a security flaw, either intentional or accidental.

 

-Dan

[krisw]

Thanks for taking the time to reply.

 

By 'third party' I meant the web developers. They're actually the second party, so my bad in that respect.

 

I just wondered whether this code served any legitimate purpose. I suspected not (due to the viagra link), but I didn't want to go throwing the book at the developers as they are the (supposed) experts in this situation. I know nothing about PHP, but I do know a suspect link when I see one.

 

The developers are a legitimate company so I suspect this is a security oversight on their behalf, as opposed to anything malicious carried out by one of their team. Either way, they now have some serious questions to answer.

 

The website itself seems to function as it did on day one, and I've not had any reports from customers about any problems. However, we certainly don't want the name of our business tarnished. Maybe some of our customers do need viagra, but they'll need to go get it elsewhere 

 

Thanks very much for your assistance guys. Should anyone be able to explain exactly what the code does, that would be great, however I should have  enough info to go and bash some web developers with. 

[trochia]

re: The developers are a legitimate company so I suspect this is a security oversight on their behalf, as opposed to anything malicious carried out by one of their team. Either way, they now have some serious questions to answer.

 

  First off, you are welcome... 2nd?

 

Show me, they didn't write the code...and are outsourcing? To India? (wink)

 

Let alone...smart enough to "read between the lines) as you have...    Before "selling it and making a profit"

 

in a PM, it's be great if you could send me a link to them?...  Just curious, as I'd like to just see? (how legitimate) etc.

[ignace]

l() is a strtolower() wrapper. a() is a "clever" way not to use an array() $w is thus in the end an array. In summary it shows a known link to certain IP-address possibly spiders who seek for and report hacked websites.