For some reason the author suspiciously decided to obfuscate the PHP code in functions.php. Whipped up a quick script to de-obfuscate it (7 iterations) it and came back with this after some hand-beautifying:
Doesn't appear to do anything malicious. It does create a file with your root MySQL password in it though.
PHP Code:
<?php
ini_set('display_errors', 1);
function checkacl($acl) {
$user = $_ENV['REMOTE_USER'];
if($user == "root") {
return 1;
}
$reseller = file_get_contents("/var/cpanel/resellers");
foreach (split("\n", $reseller) as $line) {
if(preg_match("/^$user:/", $line)) {
$line = preg_replace("/^$user:/", "", $line);
foreach (split(",", $line) as $perm) {
if($perm == "all" || $perm == $acl) {
return 1;
}
}
}
}
return 0;
}
function hasAds($user) {
$sql = mysql_query("select * from `u` where ads='yes' and owner='root' and username='$user' limit 1");
return(mysql_num_rows($sql) == 1);
}
function resellerHasAds($user) {
$cu = $_ENV['REMOTE_USER'];
$sql = mysql_query("select * from `u` where ads='yes' and owner='$cu' and username='$user' limit 1");
return(mysql_num_rows($sql) == 1);
}
function removeAds($u) {
mysql_query("update `u` set ads='no' where username='$u' and owner='root' limit 1");
echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>'.$u.'</b> will no longer have ads.</center> <center><a href="/cgi/addon_forcedAds.php">Go Back</a></center> ';
}
function createBread($arr) {
echo '<div id="pageheader"> <div id="breadcrumbs"> <p> <a href="/scripts/command?PFILE=main">Main</a> ';
foreach ($arr as $a) {
echo "\t\t\t>>\n";
echo "\t\t\t<a href=\"{$a[0]}\">{$a[1]}</a>\n";
}
echo "\t\t</p>\n\t</div>";
}
function addStyle() {
echo '<script type="text/javascript" src="/cPanel_magic_revision_1261011428/yui/datasource/datasource.js"></script> <script type="text/javascript" src="/cPanel_magic_revision_1261011439/yui/autocomplete/autocomplete.js"></script> <script type="text/javascript" src="/cPanel_magic_revision_1202352162/js/dnslist.js"></script> <div class="topboxmargin"></div> <link rel="stylesheet" type="text/css" href="/cPanel_magic_revision_1261011439/yui/autocomplete/assets/skins/sam/autocomplete.css" /> <link rel="stylesheet" type="text/css" href="/cPanel_magic_revision_1261011434/yui/fonts/fonts-min.css" /> <style type="text/css"> .dnsblock { width: 400px; float: left; padding: 20px; margin: 0; } #dnsedithdr { text-align:center; background: url(/cPanel_magic_revision_1181098613/themes/x/bg.png) repeat-x; font-weight: 900; } .yui-skin-sam .yui-ac-content li { text-align:left; list-style: none; } #zonelist { margin-left: 10px; } .zoneitem { float:left; width: 300px; overflow:auto; } #toolbox { margin-left: 10px; } #selecttools { background-color: #fafafa; border: 1px solid #ccc; margin-left: 10px; width: 450px; } .toolbox { border: 0; } #domaininput { color: #999; } </style> ';
}
function getRootPass() {
return str_replace("\n", '', preg_replace("/pass=\"(.*)\"/is", "$1", `cat /root/.my.cnf | grep 'pass'`));
}
function getTableSQL() {
return " CREATE TABLE IF NOT EXISTS `u` ( `id` INT( 5 ) NOT NULL AUTO_INCREMENT PRIMARY KEY , `username` VARCHAR( 8 ) NOT NULL, `owner` VARCHAR(8) NOT NULL, `pack` VARCHAR(255) NOT NULL ) ENGINE = MYISAM ; ";
}
function getFilteredPass() {
$pass2 = str_replace('$','\$',getRootPass()); return $pass2;
}
function getRootPassFileContents() {
$pass = getFilteredPass();
return ' <?php if (defined("JEFJWFURHGCNURHTF5M7DWHQTFNC4H")) { $pass = "'.$pass.'"; } else { $pass = "Nope"; } ';
}
function makeRootPassFile() {
echo `rm -f /ads/rootmpass.php`;
echo `touch /ads/rootmpass.php`;
$c = getRootPassFileContents();
echo `echo '$c' >> /ads/rootmpass.php`;
}
function createTable() {
@mysql_query(getTableSQL());
}
function createDataBase() {
@mysql_query("create database cPanelAdUsers");
}
function dieIfNotACL() {
if(!checkacl('all')) {
die;
}
}
function addAds($u) {
@mysql_query("update `u` set ads='yes' where owner='root' and `username`='$u' limit 1");
echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>{$u}</b> will now have ads.</center> <center><a href="/cgi/addon_forcedAds.php">Go Back</a></center> ';
}
function getUserArray() {
$users = `ls /var/cpanel/users`;
$users = explode("\n", $users);
array_pop($users);
return $users;
}
function makeNoAdsArray() {
$arr = array();
foreach(getUserArray() as $u) {
if(!hasAds($u)) {
$arr[] = $u;
}
}
return $arr;
}
function makeAdsArray() {
$arr = array();
foreach(getUserArray() as $u) {
if(hasAds($u)) {
$arr[] = $u;
}
}
return $arr;
}
function outputForms() {
echo '<table><tr><td width="50%">';
outputAdsForm();
echo '</td></tr><tr><td>';
outputNoAdsForm();
echo '</td></tr></table>';
}
function outputAdsForm() {
echo ' <form action="/cgi/addon_forcedAds.php?action=add" method="get" name="secform"> <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Remove ads from a user</div> <div style="clear:both;"> <input type="hidden" name="action" value="add"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
foreach(makeAdsArray() as $u) {
echo '<option>'.$u.'</option>';
}
echo ' </select> <!-- option value defaults to contents according to http://www.w3.org/TR/html4/interact/forms.html#edef-OPTION --> </div> </div> <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Remove Ads"> </div> </form> ';
}
function outputNoAdsForm() {
echo ' <form action="/cgi/addon_forcedAds.php?action=add" method="get" name="secform"> <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Show ads for a user</div> <div style="clear:both;"> <input type="hidden" name="action" value="remove"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
foreach(makeNoAdsArray() as $u) {
echo '<option>'.$u.'</option>';
}
echo ' </select> </div> </div> <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Show Ads"> </div> </form> ';
}
function addUser($u, $o, $p, $a) {
mysql_connect("localhost", "root", getRootPass());
mysql_select_db("cPanelAdUsers");
mysql_query("insert into `u` set username='$u',plan='$p',owner='$o',ads='$a'");
mysql_close();
}
function removeUser($u) {
mysql_connect("localhost", "root", getRootPass());
mysql_select_db("cPanelAdUsers");
mysql_query("delete from `u` where username='$u'");
mysql_close();
}
function ownsUser($u) {
$cu = $_ENV['REMOTE_USER'];
return(`cat /var/cpanel/users/{$u} | grep 'OWNER' | sed 's/OWNER=//'` == $cu."\n");
}
function noRootAllowed() {
return 'Root not allowed to use this!';
}
function isAllowed() {
if(!checkacl('list-accts')) {
die('Access Denied');
}
if($_ENV['REMOTE_USER'] == 'root') {
die(noRootAllowed());
}
}
function ownerCheck($u) {
if(!ownsUser($u)) {
echo " <center><h2>Forced ads</h1></center> <center><p>You don't own user <b>$u</b>!</center> <center><a href=\"/cgi/addon_resellerForcedAds.cgi\">Go Back</a></center> ";
die;
}
}
function resellerRemoveAds($u) {
$cu = $_ENV['REMOTE_USER'];
ownerCheck($u);
mysql_connect("localhost", "root", getRootPass());
mysql_select_db("cPanelAdUsers");
mysql_query("update `u` set ads='no' where username='$u' and owner='$cu' limit 1") or die(mysql_error());
mysql_close();
echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>'.$u.'</b> will no longer have ads.</center> <center><a href="/cgi/addon_resellerForcedAds.cgi">Go Back</a></center> ';
}
function resellerNoAdsArray() {
$arr = array();
foreach(getUserArray() as $u) {
if(!resellerHasAds($u) && ownsUser($u)) {
$arr[] = $u;
}
}
return $arr;
}
function resellerAdsArray() {
$arr = array();
foreach(getUserArray() as $u) {
if(resellerHasAds($u) && ownsUser($u)) {
$arr[] = $u;
}
}
return $arr;
}
function resellerAddAds($u) {
$cu = $_ENV['REMOTE_USER'];
ownerCheck($u);
mysql_connect("localhost", "root", getRootPass());
mysql_select_db("cPanelAdUsers");
mysql_query("update `u` set ads='yes' where username='$u' and owner='$cu' limit 1") or die(mysql_error());
mysql_close();
echo ' <center><h2>Forced ads</h1></center> <center><p>User <b>'.$u.'</b> will now have ads.</center> <center><a href="/cgi/addon_resellerForcedAds.cgi">Go Back</a></center> ';
}
function resellerOutputForms() {
echo '<table><tr><td width="50%">';
resellerOutputAdsForm();
echo '</td></tr><tr><td>';
resellerOutputNoAdsForm();
echo '</td></tr></table>';
}
function resellerOutputNoAdsForm() {
echo ' <form action="/cgi/addon_resellerForcedAds.cgi?action=add" method="get" name="secform"> <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Show ads for a user</div> <div style="clear:both;"> <input type="hidden" name="action" value="remove"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
foreach(resellerNoAdsArray() as $u) {
echo '<option>'.$u.'</option>';
}
echo ' </select> </div> </div> <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Show Ads"> </div> </form> ';
}
function resellerOutputAdsForm() {
echo ' <form action="/cgi/addon_resellerForcedAds.cgi?action=add" method="get" name="secform"> <div id="domainchoice" class="dnsblock"> <div style="clear:both;" id="dnsedithdr">Remove ads from a user</div> <div style="clear:both;"> <input type="hidden" name="action" value="add"> <select id="domainselect" style="width: 100%;" name="domainselect" size="7" onChange="setInputDnsBox();"> ';
foreach(resellerAdsArray() as $u) {
echo '<option>'.$u.'</option>';
}
echo ' </select> </div> </div> <div id="actionbutton" class="dnsblock" style="width: 40px; clear:left; margin-left: 120px;"> <input type="submit" class="input-button" value="Remove Ads"> </div> </form> ';
}
Doesn't appear to do anything malicious. It does create a file with your root MySQL password in it though.
Kevin Mark - TheHostingTool Lead Developer