After deobfuscation, it appears to be a pathetically-bad example of script-kiddie code that attempts some kind of exploit on Drupal sites. It does not actually contain the exploit however, instead relying on a remote PHP script sitting on teod.com.ar that appears to perform some kind of exploit that resets the Drupal site's admin password — or it is just our script-kiddie trying to get a list of sites cracked with his "4|\/|4Z1|\|G!!11!!11!" exploit tool.
In short, it is either a really pathetic admin login bruteforce tool that only tries admin:admin or it is a client for an "Exploit-as-a-Service" with the actual exploit running on teod.com.ar.
As for the quality of the code, it is garbage. No warnings, no strict, numerous unneeded use statements, and that is before we even get to any of the actual code. My guess is that it has been pasted together from fragments of several other "1337 |-|4><0R" tools by yet another clueless clown.
Laymenos, you really need to start by reading perlintro and perlsub. Named subs do not nest like that in Perl, although perl will accept the syntax to allow closures to be easily produced. And find something better to do than trying to break into people's Web sites; some of those defacements were funny years ago, but that's just lame now.
|