Home » Php » security – Browser downloaded this unobfuscated PHP script. What is it doing?

security – Browser downloaded this unobfuscated PHP script. What is it doing?

Posted by: admin July 12, 2020 Leave a comment

Questions:

As soon as I entered a site, my browser (chrome) downloaded this script. It’s not obfuscated and not too long, and I think it’s harmless, but I don’t know PHP so i’m not sure. The file was called csync.php.

Chrome made it seem like this was the only file downloaded. Is it possible this is not true?

Could someone shed some light on what this is doing?

<?php
require_once("config/config.php");

require_function("util/StaticFunctions.php");
require_function("service/ServiceFactory.php");
require_function("bo/BoFactory.php");
require_function("data/DataFactory.php");
require_function("util/UtilFactory.php");
require_function("data/AkamaiLoggingService.php");

include 'config/setup/config-setup-skenzo.php';
include 'config/skenzo_request_variables.php';

header('P3P:CP="NON DSP COR NID CUR ADMa DEVo TAI PSA PSDo HIS OUR BUS COM NAV INT STA"');
header('Content-type: text/html');
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache');
header('Expires: -1');

$visitorInfo = BoFactory::getVisitorInfo();
$vsid = $visitorInfo->getVisitorId();
$dataNames = VisitorInfo::$VSID_DATA_NAMES;
$mName = BoFactory::getInboundHttpRequest()->getSanitizedValueOfParam('type');
$mValue = BoFactory::getInboundHttpRequest()->getSanitizedValueOfParam('ovsid');



$vsCk = VISITOR_ID;
$vsDaCk = VISITOR_DATA;
$sepVal = VisitorInfo::$VALUE_SEP;
$sepTime = VisitorInfo::$TIME_SEP;
$vsDaTime = VisitorInfo::$VSID_DATA_TIME;

echo '<html> <head></head> <body> <script type="text/javascript" >';

$vsyncConf = array (
    "vsCk" => $vsCk,
    "vsDaCk" => $vsDaCk,
    "sepVal" => $sepVal,
    "sepTime" => $sepTime,
    "vsDaTime" => $vsDaTime
);

echo "var vsyncConfig = " . json_encode($vsyncConf) . ";\n";

include(SKENZO_MEDIA_DIR. '/js/util/C2/modules/mnvdata.js');
echo '</script>';
echo "</body></html>";

if(AKAMAI_LOG_POSTBACK == $_SERVER['SERVER_NAME'])
{
    define('AKAMAI_BULK_LOGGING', TRUE);
    define('TEST_ENGINE_FROM_SERVING', '1');

    try
    {
        $akLogService = new AkamaiLoggingService();
        $akLogService->handleAkamaiBulkData();
        echo '<!--var logged = 1;-->';
    }
    catch(Exception $e)
    {
        error("RTBLOG AKAMAI ERROR: " , $e , LOG_ALERT);
        echo '<!--var logged = 0;-->';
    }
}
else
{
    if(AKAMAI_LOG_ORIGIN == $_SERVER['SERVER_NAME'])
    {
        echo '<!--var logged = 1;-->';
    }
    else
    {
        define('AKAMAI_BULK_LOGGING', TRUE);
        define('TEST_ENGINE_FROM_SERVING', '1');

        try
        {
            $akLogService = new AkamaiLoggingService();
            $akLogService->handleGetRequests();
            echo '<!--var logged = 1;-->';
        }
        catch(Exception $e)
        {
            error("RTBLOG AKAMAI ERROR: " , $e , LOG_ALERT);
            echo '<!--var logged = 0;-->';
        }
    }
}

?>
How to&Answers:

The server you’re visiting is poorly configured. As a result, instead of executing the PHP, the server sent it to your browser. Browsers don’t execute PHP so you’re safe.

If you care about the site you were visiting, the nice thing to do would be to contact support and refer it to this post.

A similarly named csync.php file has been reported in a couple of places online over the last couple of days. This, along with its reference to AKAMAI (a huge content delivery network), suggests that the mis-configured server isn’t the 1st party site you were actually on, but a 3rd-party server that the site, along with many others, relies on.

File’s apparent source: http://qsearch.media.net/csync.php

Similar reports (Google): https://encrypted.google.com/search?q=csync.php+download

Answer:

I also saw this file drop into my downloads. The source is qsearch.media.net. If you visit media.net, you’ll see it is part of the internet advertisement ecosystem. It’s likely that there is a bug in one of their scripts. Sites using media.net’s service then incidentally cause your computer to download this php file.

Answer:

This is absolutely not server error of any websites, it is because my browser also download this script from multiple sites,one of them are from speedtest.net, i don’t know what’s hack is going on.