http://qs321.pair.com?node_id=1232506

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello Everyone, I am a web developer that has recently run into problems with Malware being injected into our hosting servers by an attacker. I have used our hosting company's file manager to manually remove the infected files; however, during this process I discovered a shell script written in Perl that was unfamiliar to me. The file was titled byyl.pl. Due to the ambiguous nature of malware I must understand fully what damage this script has caused in order to protect my websites and my databases. I am unsure if copying and pasting the text from this document, byyl.pl, will have a negative consequence, so I will wait for instructions to send the code. Thank you all for your help in advance, I really need it!

Re: Malicious Perl Scripts & Web Development
by rnewsham (Curate) on Apr 12, 2019 at 23:22 UTC

    I am afraid that it's probably a fairly standard script to give a web based terminal emulator or file manager on your site. The common exploit path is to use a vulnerability in a site to upload a script which can then be called to gain further access. It will probably be impossible to trace what the attacker actually did, although a good starting point is a grep for that script name in the access logs. It may give a clue as to when it was added and how, to help you secure the site.

    What you need to do now is to back up all files and databases. Then delete all files from your site and clear the database. Don't assume that you have managed to find all the files; if the attacker had access to your site they could have modified any code in any file. Don't be tempted to use the same database; if any section of your database contains HTML to be rendered in the page it could have been modified to add malicious JavaScript.

    Restore your database from a backup taken prior to the exploit. Install the latest version of whatever software you are using on the site with all security patches applied and security configuration recommendations followed. You also should change every password associated with the site. Now you can use the backups of the exploited site in a separate environment to carefully extract any recent changes which were not in the backup.

    It may sound paranoid but I have been dealing with the aftermath of website exploits like this for years. I have seen more sites than I can count exploited again because people did not properly secure and clean their sites.

      rnewsham:

      I've not looked into exploit code in quite a while, so I spent a little while reorganizing it to see what it does. As you mention, it performs the file manager features you mention, but also has some database exploration functionality, too. Not particularly malicious in itself, that I can see, but it's not something you'd put on someone's system unless one had larcenous intent.

      It's kind of painful to look at, though, as the code is a mishmash of styles (functions called with & vs not), repetitive (bits of code pointlessly repeated), buggy (poorly formed HTML), and mostly crap.

      ...roboticus

      When your only tool is a hammer, all problems look like your thumb.

        Steals cpu n more from the careless just fine
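rnewsham's suggestion to grep the access logs for the script name, worked through as an added example that is not code from this thread: it parses Apache combined-format log lines, reports when byyl.pl was first requested and by which clients, and lists what that first client did in the minutes before the first hit, which is where the upload request usually shows up. The log lines, IP addresses and paths are constructed sample data; the handler path and the ten-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2019:02:14:51 +0000] "GET /admin/login HTTP/1.1" 200 1240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2019:02:15:03 +0000] "POST /uploads/handler.cgi HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2019:02:15:09 +0000] "GET /cgi-bin/byyl.pl?a=ls HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2019:08:30:00 +0000] "GET /index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2019:01:02:03 +0000] "POST /cgi-bin/byyl.pl HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            entries.append(e)
    return entries

def triage(entries, script_name, window_minutes=10):
    """Return hits on script_name, first sighting, calling clients, and what the
    first client requested in the window before its first hit (upload candidates)."""
    hits = [e for e in entries
            if e["path"].split("?", 1)[0].rsplit("/", 1)[-1] == script_name]
    if not hits:
        return {"first_seen": None, "hits": [], "clients": {}, "preceding": []}
    first = min(hits, key=lambda e: e["ts"])
    clients = {}
    for h in hits:
        clients.setdefault(h["ip"], []).append(h)
    window = timedelta(minutes=window_minutes)
    preceding = [e for e in entries
                 if e["ip"] == first["ip"] and first["ts"] - window <= e["ts"] < first["ts"]]
    return {"first_seen": first["ts"], "hits": hits, "clients": clients, "preceding": preceding}

if __name__ == "__main__":
    r = triage(parse_log(SAMPLE_LOG), "byyl.pl")
    print("first seen:", r["first_seen"], "from", sorted(r["clients"]))
    print("requests just before first hit:", [(e["method"], e["path"]) for e in r["preceding"]])
```

Run it against the real log (read the file instead of SAMPLE_LOG) and widen the window if the first hit and the upload are further apart; a POST to an upload handler or plugin endpoint right before the first request for the script is the usual entry point to patch.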
Re: Malicious Perl Scripts & Web Development
by Lotus1 (Vicar) on Apr 12, 2019 at 19:04 UTC

    As long as there isn't any personal or corporate information included in the script it should be fine to paste it here. You could add a warning that it's potentially malicious and include it inside code tags like this: <code> ... </code>. Since you posted anonymously you can't edit your node and you'll have to post it in a new one.

    If it is obfuscated it might be difficult to tell what it contains. In that case you could use Perl's B::Deparse module to deparse it and get an idea of what the script would do without actually running it. Here are some examples: Debunk Perl's magic with B::Deparse, 804232

    Try this:

    perl -MO=Deparse byyl.pl

        Interesting. I'll let the Monks who are more experienced with web development comment overall but I noticed the print decode_base64("PHNj.... and decided to try to decode it. It is some JavaScript(?) that has been encoded. It seems to just be doing keyword color highlighting for some program code. I first used a webpage to decode it and then the following script.

        The result is:

        I reformatted it slightly to try to make sense of it but I don't have the time or patience to take this any further. Good luck.