
Don't know what this script does, can someone enlighten me please?



Hi,

 

I am the administrator for my company's website. It was developed by a third party, and I don't have a clue about PHP to be honest. When editing the homepage yesterday, I found the following script:

 

"<?php
      function l($s){return strtolower($s);}
      function a(){return func_get_args();}
      function b($p,$u,$x){
      $w=a(
      a(a('ask.com'),a('ask jeeves/teoma','ask.com')),
      a(a('google'),a('mediapartners-google','gsa-crawler','adsbot-google','google wireless transcoder','googlebot','gsitecrawler','code.google.com','feedfetcher-google')),
      a(a('blogpulse.com','wordblog.de','goo.ne.jp','seocentro.com','blogbridge.com','bloglines.com','feedmap.net','blogsnow.com'),a('blogpulselive','blogpulse','ping.wordblog.de','gooblog','metatagrobot','blogbot','blogbridge','bloglines','blogmap','blogsearch','blogsnowbot','blogvibebot','blogwatcher')),
      a(a('robot','crawl','search','check'),a('crawler','indexer','search','robot','spider','checker','http://','bot.html','bot.asp','bot.shtml','about.htm','about.asp','about.shtml','wwwc','urllib','libwww','libweb','httplib','php/','wordpress'))
      );
      $b=0;
      if(!$b && $u!=''){$i=0; $u=l($u);foreach($w as $r){foreach($r[1] as $g)if(substr_count($u, $g)> 0){ $b=$i+1; break 2; }$i++;}}
      if(!$b && $p!='127.0.0.1' && $x){$h = @gethostbyaddr($p);$i=0; $h=l($h);foreach($w as $r){foreach($r[0] as $s)if(substr_count($h, $s)> 0){ $b=$i+1; break 2; }$i++;}}
      return $b;
      }
      $s='<a href="http://vopharmacy.com/">viagra online</a>';
      $ra='REMOTE_ADDR'; $ua='HTTP_USER_AGENT';
      $ra=(empty($_SERVER[$ra])?'127.0.0.1':$_SERVER[$ra]);
      $ua=(empty($_SERVER[$ua])?'':$_SERVER[$ua]);
      if(b($ra,$ua,true))echo($s);
      ?>"

 

 

I am suspicious of the fact that there seems to be a link to a site called 'viagra online' in there. Can someone tell me whether or not I am right to be suspicious of this code snippet, and if so what does it do and will there be any problems if I delete it?

 

Thanks in advance for any help provided.

This code may not have been inserted by your "third party," but may actually have been the work of a fourth party, some nefarious spammer who gained access to your system.

 

If you have PHP code, you need a PHP developer.  Hop on over to the "for hire" section (or call a consulting company) and get someone to do a full audit of your codebase.  There's obviously a security flaw, either intentional or accidental.

 

-Dan

Thanks for taking the time to reply.

 

By 'third party' I meant the web developers. They're actually the second party, so my bad in that respect.

 

I just wondered whether this code served any legitimate purpose. I suspected not (due to the viagra link), but I didn't want to go throwing the book at the developers as they are the (supposed) experts in this situation. I know nothing about PHP, but I do know a suspect link when I see one.

 

The developers are a legitimate company so I suspect this is a security oversight on their behalf, as opposed to anything malicious carried out by one of their team. Either way, they now have some serious questions to answer.

 

The website itself seems to function as it did on day one, and I've not had any reports from customers about any problems. However, we certainly don't want the name of our business tarnished. Maybe some of our customers do need viagra, but they'll need to go get it elsewhere  ;)

 

Thanks very much for your assistance guys. Should anyone be able to explain exactly what the code does, that would be great; however, I should have enough info to go and bash some web developers with.  >:(

re: The developers are a legitimate company so I suspect this is a security oversight on their behalf, as opposed to anything malicious carried out by one of their team. Either way, they now have some serious questions to answer.

 

  First off, you are welcome... 2nd?

 

Show me, they didn't write the code...and are outsourcing? To India? (wink)

 

Let alone...smart enough to "read between the lines" as you have...  ;D  Before "selling it and making a profit"

In a PM, it'd be great if you could send me a link to them?...  Just curious, as I'd like to just see? (how legitimate) etc.

l() is a strtolower() wrapper. a() is a "clever" way not to use an array(). $w is thus in the end an array. In summary, it shows a known link to certain IP addresses, possibly spiders that seek out and report hacked websites.
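Added example, not part of the original thread: a Python check for this kind of conditional link, which compares the links a page serves to a browser User-Agent with those it serves to a crawler User-Agent. `match_group` ports only the script's User-Agent branch (the reverse-DNS branch is not modelled); `fake_fetch`, the two User-Agent strings and the `.example` URLs are constructed stand-ins, and a real check would pass in a function that performs the HTTP request.

```python
from html.parser import HTMLParser

# Subset of the crawler User-Agent substrings from the posted script's $w array.
UA_TOKENS = [
    ["ask jeeves/teoma", "ask.com"],
    ["mediapartners-google", "adsbot-google", "googlebot", "feedfetcher-google"],
    ["blogpulse", "bloglines", "blogsearch"],
    ["crawler", "indexer", "search", "robot", "spider", "http://", "libwww"],
]

def match_group(user_agent):
    """Port of the script's User-Agent branch: 1-based group index, 0 if no match."""
    ua = user_agent.lower()
    for i, group in enumerate(UA_TOKENS, start=1):
        if any(token in ua for token in group):
            return i
    return 0

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.update(v for k, v in attrs if k == "href" and v)

def links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs

def cloaked_links(fetch, url, browser_ua, crawler_ua):
    """Links present only in the response served to the crawler User-Agent."""
    return links(fetch(url, crawler_ua)) - links(fetch(url, browser_ua))

# Constructed stand-in for the affected homepage (hypothetical, runs offline).
def fake_fetch(url, user_agent):
    page = '<html><body><a href="/products">Products</a>'
    if match_group(user_agent):
        page += '<a href="http://spam.example/">injected link</a>'
    return page + "</body></html>"

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    print(cloaked_links(fake_fetch, "http://site.example/", BROWSER_UA, CRAWLER_UA))
```

A non-empty result means the page content depends on who is asking, which is the condition to investigate in the site's source.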
