
Need help to deobfuscate malicious PHP file

I recently found on my WP installation a plugin.php inside plugins that was executed and fortunately returned some errors.

The files begin with:

<?php

/**
 * Author: plugin
 * License: GPL v2 or later
 * License URI: https://www.gnu.org/licenses/gpl-2.0.html
 * Plugin Name: Plugin
 * Requires PHP: 5.4
 * Requires at least: 5.0
 * Text Domain: plugin
 * Version: 1.0
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit();
}


 #¾êºÐý½s4+{œîÇê7ÀTG4î8TlŸþ§àU,åœàJ›ÒK.-èÒÃåbÀ¢žÇŒ±¤ùâÕDÑ!ò¡,÷YÛIŠ:£‘%½DF¶…àõzejXhøÑ_Ó—'þ6wNƆŽh•ÙB¾kn5J¥ðëÒˆ+1eÀ\¶xVÎïFÃã—aÊŨ±WAÄ®€>©áBPìXÄW1£@A3æ|ˆé§‚‰À°j„øÈUʶ„k'ÕüÒ¿.é¾}¾4óÍz„ßœønœâé.­6Z"vz¦_ÅÕ+—Z7‹ ÷Ó†Étͣ˛⩋wÓ"=£h6íÞéBB    /*%0ÕH‘%0.4‡?.ňuÀÀƒDFÌ!úé•6!ßNnRüôÅ•þÞÊNº.$H‘óÏ¿†y•³!Š7àx»Ñ´<ö~Þ|l}ì1²G'RÖº¤mQr»Ÿ3êßUëü•ùÑ@à»Yt²¼42ŽOy4z·–ïÄ‹^«î {ýFVD5¬ˆ_$7çyV8>í¹µÒ7OòžN’…3O¢àÐåF×ß~ÉÅù¿€IØälpŽwÝÌ7\ Š¿@CÜ¡•KßnÚV‚Å9ä­q˜ÞynˆßÿKEIk¯nÆ•RÄŒn1e16;L5›ËÍYð5g˜œ*/

and continues. I suspect there is HEX + eval + gzip involved here.

What can I do to know what this file is doing?

Here is a link to the complete file

https://pastebin.com/redDEFJM

I tried some online tools, but got no hints.

Can you confirm that if you download your PasteBin file it matches the exact file you found? Once the comments are stripped out, the code does seem to: assemble an array of strings; concatenate the strings together; attempt to uncompress the result using gzinflate; and then would eval the result if the gzinflate was not failing due to invalid data.

There are a number of special characters in the original strings, so I'm wondering if either the copy-and-paste to PasteBin, the rendering PasteBin gives, or the download I'm doing from there is making a small change that is breaking the compressed stream.

I'm going to keep looking at it too, but here are some ideas for dealing with the obfuscation:

  • strip the comments out - I used a lazy regex of /\*.*?\*/
  • you end up (in the obfuscated bit) with three statements
    • an assignment to an array of 252 items
    • an assignment to a new single-value array of the last item (which is just 'gzinflate')
    • eval of the output of running 'gzinflate' on the concatenation of the remaining array items
  • so you could just take the first statement to form the array, then concatenate the entries as done in the last statement
  • this would then be able to be passed to gzinflate, and the output should give you the code it is trying to execute
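The procedure in this answer, static and without ever running the sample, as an added Python example (not from the original thread). The obfuscated file is a constructed stand-in that the script builds itself, and the payload text is hypothetical; the tokenizer only strips comments outside string literals, since a bare `/\*.*?\*/` substitution would corrupt any deflate chunk that happens to contain `/*`.

```python
import re
import zlib

# Constructed payload standing in for whatever the real sample would have eval()'d.
PAYLOAD = b"<?php echo 'recovered payload'; ?>"

def php_single_quoted(raw: bytes) -> bytes:
    # Wrap raw bytes in a PHP single-quoted literal (only \ and ' need escaping).
    return b"'" + raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'") + b"'"

def build_sample(payload: bytes, chunk: int = 7) -> bytes:
    # Constructed stand-in for plugin.php: junk comments (one containing a quote),
    # a string array, a trailing 'gzinflate' name, and eval over the joined data.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, what gzinflate() reads
    blob = c.compress(payload) + c.flush()
    items = [php_single_quoted(blob[i:i + chunk]) for i in range(0, len(blob), chunk)]
    items.append(b"'gzinflate'")
    last = str(len(items) - 1).encode()
    return (b"<?php\nif ( ! defined( 'ABSPATH' ) ) { exit(); }\n"
            b"# \xbe\xea junk ' line comment\n$a = array(/* don't */ " + b", ".join(items)
            + b");\n$f = array($a[" + last + b"]);\n"
            b"@eval($f[0](implode('', array_slice($a, 0, " + last + b"))));\n")

TOKEN_RE = re.compile(
    rb"'((?:[^'\\]|\\.)*)'"    # 1: single-quoted literal, escapes honoured
    rb"|/\*.*?\*/"             #    block comment (skipped)
    rb"|(?:#|//)[^\n]*"        #    line comment (skipped)
    rb"|(array\s*\()"          # 2: start of the string array
    rb"|(\))",                 # 3: closing paren
    re.S)

def deobfuscate(src: bytes) -> bytes:
    # Collect the literals of the first array(...), drop the trailing function
    # name, join and raw-inflate: this is the code eval() would have executed.
    literals, in_array = [], False
    for m in TOKEN_RE.finditer(src):
        if m.group(2):
            in_array = True
        elif in_array and m.group(3):
            break                      # end of the array statement
        elif in_array and m.group(1) is not None:
            literals.append(re.sub(rb"\\([\\'])", rb"\1", m.group(1)))  # PHP unescape
    if literals and literals[-1].lower() == b"gzinflate":
        literals.pop()                 # last item is the function name, not data
    return zlib.decompress(b"".join(literals), -15)

if __name__ == "__main__":
    print(deobfuscate(build_sample(PAYLOAD)).decode())
```

Run against the real file, a gzinflate failure at the last step means the byte stream was altered in transit (for example by the copy-and-paste to PasteBin), exactly the problem the answer suspects.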
