It appears that this code looks for Apache web server virtual host directories, and sends info on any it finds back to the downloader.
whois says this address is in 5.149.250.0/23, AS61046, HZ-HOSTING-LTD. traceroute says that the route to 5.149.250.197 goes through a host MIT-HOLDING.ear3.London2.Level3.net, which squares up with the whois data.
whois also says the administrative contact is:
person: Vilko Damianov
address: 4000, Bulgaria, Plovdiv, 2 Lyuben Karavelov, unit 5
phone: +35932571279
nic-hdl: VD3206-RIPE
mnt-by: HZ-HOSTING-LTD
created: 2016-11-28T15:25:07Z
last-modified: 2016-11-28T15:25:07Z
Someone sent the code to a part of my WordPress honey pot, a fake WSO web shell. WSO has a set of "actions", and the downloader chose the "Php" action. WSO will act as if the value of a POST parameter p1 is PHP source code, and run it through eval, putting the output of the eval'ed source code inside a pair of <pre> HTML tags. That's easily human readable, but my guess is that most of the use of the Php action is automated. The invoking program has to parse the WSO HTML to see what the eval'ed code output.
When the PHP gets eval'ed, it looks for all directories with these 153 suffixes in the Document Root directory:
.ru .ru.com .ru.net .com.ru .org.ru .net.ru .msk.ru
.msk.su .spb.ru .spb.su .nov.ru .nov.su .edu.ru .int.ru
.ac.ru .pp.ru .su .ua .com.ua .co.ua .biz.ua .kiev.ua
.org.ua .net.ua .pp.ua .dp.ua .sumy.ua .uz.ua ks.ua
.pl.ua .if.ua .cv.ua .rv.ua .mk.ua .dn.ua .lg.ua .kh.ua
.zp.ua .od.ua .ck.ua .kr.ua .lutsk.ua .volin.ua .zt.ua
.yalta.ua .sevastopol.ua .cremea.ua .com .edu .gov
.net .org .biz .info .name .jobs .mobi .tel .travel
.az .am .by .ge .kz .kg .lv .lt .md .ru .su .tj .tm
.uz .ua .ad .at .be .ch .de .dk .es .eu .fi .fr .gr
.ie .is .it .li .lu .mc .mt .nl .no .pt .se .uk .al
.bg .cz .hu .mk .pl .ro .si .sk .ac .ag .as .asia .au
.br .bz .ca .cat .cc .cd .ck .cl .cn .cx .gi .gs
.hk .hm .hn .im .in .jp .kr .la .lk .me .mn .ms .mx
.my .nz .pk .sg .sh .st .tc .th .tk .to .tv .tw
.us .vc .vg .ws .za
If the PHP code finds a directory whose name has one of those suffixes, it prints it out, something like this:
/var/www/html/spork.zp.ua;spork.zp.ua@
It could print out a number of these.
If the Document Root directory name also has one of those suffixes, it looks through all sub-directories of Document Root for directories with names that have one of the suffixes above.
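The directory scan and the WSO-style response described above, as an added Python example that is neither the captured payload nor the honeypot's own code: it builds a constructed fake document root in a temporary directory, applies the suffix test the page describes (the "look through all sub-directories" step, taken when the document root itself carries a suffix, is implemented here as a recursive walk, which is an assumption), renders the hits in the path;name@ form inside <pre> tags the way the Php action would, and parses that response back out so a honey pot operator can log exactly what a downloader would have learned from a fake directory layout.

```python
import os
import re
import tempfile
from html import escape, unescape

# The 153 suffixes as listed on the page, transcribed verbatim
# (including "ks.ua" without a leading dot, as it appears there).
SUFFIXES = """
.ru .ru.com .ru.net .com.ru .org.ru .net.ru .msk.ru
.msk.su .spb.ru .spb.su .nov.ru .nov.su .edu.ru .int.ru
.ac.ru .pp.ru .su .ua .com.ua .co.ua .biz.ua .kiev.ua
.org.ua .net.ua .pp.ua .dp.ua .sumy.ua .uz.ua ks.ua
.pl.ua .if.ua .cv.ua .rv.ua .mk.ua .dn.ua .lg.ua .kh.ua
.zp.ua .od.ua .ck.ua .kr.ua .lutsk.ua .volin.ua .zt.ua
.yalta.ua .sevastopol.ua .cremea.ua .com .edu .gov
.net .org .biz .info .name .jobs .mobi .tel .travel
.az .am .by .ge .kz .kg .lv .lt .md .ru .su .tj .tm
.uz .ua .ad .at .be .ch .de .dk .es .eu .fi .fr .gr
.ie .is .it .li .lu .mc .mt .nl .no .pt .se .uk .al
.bg .cz .hu .mk .pl .ro .si .sk .ac .ag .as .asia .au
.br .bz .ca .cat .cc .cd .ck .cl .cn .cx .gi .gs
.hk .hm .hn .im .in .jp .kr .la .lk .me .mn .ms .mx
.my .nz .pk .sg .sh .st .tc .th .tk .to .tv .tw
.us .vc .vg .ws .za
""".split()


def matching_suffix(name):
    """Return the first listed suffix the directory name ends with, or None."""
    for suffix in SUFFIXES:
        if name.endswith(suffix):
            return suffix
    return None


def find_vhost_dirs(docroot):
    """Emulate the scan the page describes: directories directly under the
    document root whose names carry a suffix; and, if the document root's
    own name carries one, also its sub-directories (assumed recursive)."""
    hits = []
    for entry in sorted(os.listdir(docroot)):
        path = os.path.join(docroot, entry)
        if os.path.isdir(path) and matching_suffix(entry):
            hits.append((path, entry))
    if matching_suffix(os.path.basename(docroot.rstrip(os.sep))):
        for root, dirs, _files in os.walk(docroot):
            for d in sorted(dirs):
                path = os.path.join(root, d)
                if matching_suffix(d) and (path, d) not in hits:
                    hits.append((path, d))
    return hits


def format_records(hits):
    """The output form shown on the page: one 'path;name@' per hit, concatenated."""
    return "".join(f"{path};{name}@" for path, name in hits)


def wso_php_response(eval_output):
    """Wrap eval output in <pre> tags the way the WSO Php action does."""
    return "<pre>" + escape(eval_output) + "</pre>"


def parse_wso_response(html):
    """Honey-pot side: extract the 'path;name' records from a captured
    response so the operator can log what the downloader would have seen."""
    match = re.search(r"<pre>(.*?)</pre>", html, re.S)
    if not match:
        return []
    body = unescape(match.group(1))
    return [tuple(rec.split(";", 1)) for rec in body.split("@") if rec]


def emulate(docroot_name, subdirs):
    """Build a constructed fake document root (sample data, not a real server),
    run the scan, render the WSO-style response and parse it back.
    Returns the directory names a downloader would have received."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, docroot_name)
        for rel in subdirs:
            os.makedirs(os.path.join(docroot, rel), exist_ok=True)
        with open(os.path.join(docroot, "index.html"), "w") as fh:
            fh.write("<html></html>")  # a file, not a directory: never reported
        hits = find_vhost_dirs(docroot)
        response = wso_php_response(format_records(hits))
        return [name for _path, name in parse_wso_response(response)]


if __name__ == "__main__":
    print(emulate("html", ["spork.zp.ua", "example.com", "images", "wp-content"]))
```

Because the scan only looks at names, a honey pot can hand back any set of fake "domain" directories it likes; the parse step is what turns the captured <pre> body into loggable records, since the downloader's own parser presumably does the same thing on its side.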
I can't tell if these are DNS domains, or if they're Apache virtual host directories. I think probably the latter.
This little gem gets downloaded a lot. As an example, between 2017-11-22 and 2018-01-29 (38 days), the "GetDomains" code got downloaded 116 times, from 23 different IP addresses:
120.76.210.220
134.249.116.78
178.162.194.40
178.162.194.54
178.89.44.135
178.91.225.35
185.81.113.156
185.81.113.158
194.165.16.79
198.41.99.51
2.134.166.36
5.149.250.194
5.149.250.195
5.149.250.196
5.149.250.197
5.149.250.215
5.149.250.216
5.149.250.34
5.76.169.177
5.76.172.115
91.109.19.24
91.223.167.117
95.59.106.0
120.76.210.220 is an Alibaba address; 178.162.194.54 and 91.109.19.24 are both German LeaseWeb addresses; 185.81.113.156, 185.81.113.158 and 5.149.250.* are from HZ Hosting; 91.223.167.117 is a NaszaSiec.NET address. 5.76.172.115, 5.76.169.177 and 95.59.106.0 (?) hail from a Kazakhstan Kazakhtelecom NIC.
I don't understand the persistence or the frequency of download attempts. My honey pot has had code to give back fake "domain" directories, but I've never seen any follow-up compromise or exploitation attempts.