What does this code do?

KoldKol

My website has recently been broken into. The code they left behind is below.

From what I can tell there are just four functions that check if a value exists and sets it to 1. There is some other data echo'd (seemingly random to me) and the error reporting bits are a bit unclear to me too.

Anyone have any ideas?
Thanks!

<?php @register_shutdown_function("__sfd1222984309__");function __sfd1222984309__() { global $__sdv1222984309__; if (!empty($__sdv1222984309__)) return; $__sdv1222984309__=1; echo <<<DOC__DOC
<!-- [9cd6b71e3db344b8305ba33b0b4cfc21 -->
<!-- 9cd6b71e3db344b8305ba33b0b4cfc21] -->
DOC__DOC;
} ?>
<?php @register_shutdown_function("__sfd1222881745__");function __sfd1222881745__() { global $__sdv1222881745__; if (!empty($__sdv1222881745__)) return; $__sdv1222881745__=1; echo <<<DOC__DOC
<!-- [644e120022f7398efdac8d8d7793cd00 -->
<!-- 644e120022f7398efdac8d8d7793cd00] -->
DOC__DOC;
} ?>
<?php @register_shutdown_function("__sfd1222382753__");function __sfd1222382753__() { global $__sdv1222382753__; if (!empty($__sdv1222382753__)) return; $__sdv1222382753__=1; echo <<<DOC__DOC
<!-- [858a9f25574311fcaf7dff1702ca663e -->
<!-- 858a9f25574311fcaf7dff1702ca663e] -->
DOC__DOC;
} ?>
<?php @register_shutdown_function("__sfd1221867869__");function __sfd1221867869__() { global $__sdv1221867869__; if (!empty($__sdv1221867869__)) return; $__sdv1221867869__=1; echo <<<DOC__DOC
<!-- [ecc1467590ccc40b4bfc52a0f198814f -->
<!-- ecc1467590ccc40b4bfc52a0f198814f] -->
DOC__DOC;
} ?>

<?php error_reporting(0); echo "\n"; @__sfd1221867869__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1222382753__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1222881745__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1222984309__(); ?>

bretticus

<?php
// register a function to be called when the script is done (suppress errors)
@register_shutdown_function("__sfd1222984309__");
// define function that was previously referenced
function __sfd1222984309__() { 
	// use a global variable called $__sdv1222984309__
	global $__sdv1222984309__; 
	//  if the variable is set, do nothing and return.
	if (!empty($__sdv1222984309__)) 
	return; 
	// since last test was passed (variable is empty) set variable to 1.
	$__sdv1222984309__=1; 
	//echo some html comments (probably to see that your website is hacked or not.)
	echo <<<DOC__DOC
	<!-- [9cd6b71e3db344b8305ba33b0b4cfc21 -->
	<!-- 9cd6b71e3db344b8305ba33b0b4cfc21] -->
	DOC__DOC;
} ?>
<!-- turn off all error reporting and call script
 (I guess in case register_shutdown_function() didn't work.) -->
<?php error_reporting(0); echo "\n"; @__sfd1222984309__(); ?>

I would check your website to see if those comments appear. Do you have some way for the attacker to inject code into your website? ( an include via http wrapper, etc?)

KoldKol

Hi,
That was just a static HTML page, I've taken a look at any scripts involving forms etc, but none of them have the possibility of running commands (just run through a special chars functions and add to database or email).

Perhaps the shared server has the problem.