hideme.php

md5: 30688b8d1c3e2247f83419858ae0776c

Jump to:
Deobfuscated code (Read more)
Execution traces (Read more)
Generated HTML (Read more)
Original Code (Read more)
Screenshot
Attributes
Deobfuscated PHP code
<?php

$max_ports = $argv[1];
$ports = [];
$SERVERS = ["AOLserver", "Apache HTTP Server", "Apache Tomcat", "Boa", "BusyBox httpd", "Caddy", "Caudium", "Cherokee HTTP Server", "GlassFish", "Hiawatha", "HFS", "IBM HTTP Server", "Internet Information Services", "Jetty", "Jexus", "lighttpd", "LiteSpeed Web Server", "Mongoose", "Monkey HTTP Server", "NaviServer", "NCSA HTTPd", "Nginx", "OpenBSD httpd", "OpenLink Virtuoso", "OpenLiteSpeed Web Server", "Oracle HTTP Server", "Oracle iPlanet Web Server", "Oracle WebLogic Server", "Resin Open Source", "Resin Professional", "thttpd", "TUX web server", "Wakanda Server", "WEBrick", "Xitami", "Yaws", "Zeus Web Server", "Zope"];
foreach ($SERVERS as $i_ => $SERVER) {
    $SERVERS[$i_] .= "/" . random_int(1, 5) . "." . random_int(1, 5);
}
for ($i = 0; $i < $max_ports; $i++) {
    $r_port_ = random_int(1, 65534);
    if (!isset($ports[$r_port_])) {
        $ports[$r_port_] = $r_port_;
    }
}
$pids = [];
foreach ($ports as $port) {
    echo "\nTrying port {$port}: ...";
    $connection = @fsockopen("127.0.0.1", $port, $er, $em, 1);
    if (is_resource($connection)) {
        echo "\tIS ALREADY OPENED";
        fclose($connection);
        continue;
    } else {
        echo "\tnot opened, trying to hide";
    }
    $pids[$port] = pcntl_fork();
    if (!$pids[$port]) {
        echo "\nRunning {$port} PID: " . getmygid();
        hide($port);
        exit;
    }
}
foreach ($pids as $pid) {
    pcntl_waitpid($pid, $status, WUNTRACED);
}
function hide($port)
{
    $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socket\n");
    $result = socket_bind($socket, "0.0.0.0", $port) or die("Could not bind to socket\n");
    $result = socket_listen($socket, 3) or die("Could not set up socket listener\n");
    while (true) {
        $spawn = socket_accept($socket) or die("Could not accept incoming connection\n");
        $input = socket_read($spawn, 1073741824);
        //        $input = trim($input);
        $output = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nServer: " . server() . "\r\n\r\n{'status':'ok','next_step':'.application.authorization'}";
        socket_write($spawn, $output, strlen($output)) or die("Could not write output\n");
        socket_close($spawn);
    }
}
function server()
{
    global $SERVERS;
    return $SERVERS[random_int(0, count($SERVERS) - 1)];
}
Execution traces
data/traces/30688b8d1c3e2247f83419858ae0776c_trace-1676260104.4184.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:48:50.316194]
1	0	1	0.000174	393528
1	3	0	0.000334	413776	{main}	1		/var/www/html/uploads/hideme.php	0	0
1		A						/var/www/html/uploads/hideme.php	3	$max_ports = NULL
1		A						/var/www/html/uploads/hideme.php	4	$ports = []
1		A						/var/www/html/uploads/hideme.php	7	$SERVERS = [0 => 'AOLserver', 1 => 'Apache HTTP Server', 2 => 'Apache Tomcat', 3 => 'Boa', 4 => 'BusyBox httpd', 5 => 'Caddy', 6 => 'Caudium', 7 => 'Cherokee HTTP Server', 8 => 'GlassFish', 9 => 'Hiawatha', 10 => 'HFS', 11 => 'IBM HTTP Server', 12 => 'Internet Information Services', 13 => 'Jetty', 14 => 'Jexus', 15 => 'lighttpd', 16 => 'LiteSpeed Web Server', 17 => 'Mongoose', 18 => 'Monkey HTTP Server', 19 => 'NaviServer', 20 => 'NCSA HTTPd', 21 => 'Nginx', 22 => 'OpenBSD httpd', 23 => 'OpenLink Virtuoso', 24 => 'OpenLiteSpeed Web Server', 25 => 'Oracle HTTP Server', 26 => 'Oracle iPlanet Web Server', 27 => 'Oracle WebLogic Server', 28 => 'Resin Open Source', 29 => 'Resin Professional', 30 => 'thttpd', 31 => 'TUX web server', 32 => 'Wakanda Server', 33 => 'WEBrick', 34 => 'Xitami', 35 => 'Yaws', 36 => 'Zeus Web Server', 37 => 'Zope']
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 0
2	4	0	0.000471	413776	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	4	1	0.000489	413840
2	4	R			3
2	5	0	0.000503	413808	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	5	1	0.000516	413872
2	5	R			2
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[0] .= '/3.2'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 1
2	6	0	0.000553	416432	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	6	1	0.000566	416496
2	6	R			2
2	7	0	0.000578	416464	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	7	1	0.000591	416528
2	7	R			2
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[1] .= '/2.2'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 2
2	8	0	0.000624	416480	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	8	1	0.000636	416544
2	8	R			3
2	9	0	0.000649	416512	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	9	1	0.000662	416576
2	9	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[2] .= '/3.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 3
2	10	0	0.000694	416528	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	10	1	0.000707	416592
2	10	R			2
2	11	0	0.000720	416560	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	11	1	0.000732	416624
2	11	R			3
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[3] .= '/2.3'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 4
2	12	0	0.000767	416560	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	12	1	0.000779	416624
2	12	R			3
2	13	0	0.000791	416592	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	13	1	0.000804	416656
2	13	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[4] .= '/3.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 5
2	14	0	0.000836	416608	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	14	1	0.000849	416672
2	14	R			5
2	15	0	0.000861	416640	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	15	1	0.000874	416704
2	15	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[5] .= '/5.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 6
2	16	0	0.000905	416648	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	16	1	0.000918	416712
2	16	R			5
2	17	0	0.000930	416680	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	17	1	0.000942	416744
2	17	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[6] .= '/5.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 7
2	18	0	0.000975	416688	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	18	1	0.000987	416752
2	18	R			2
2	19	0	0.000999	416720	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	19	1	0.001012	416784
2	19	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[7] .= '/2.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 8
2	20	0	0.001044	416744	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	20	1	0.001057	416808
2	20	R			1
2	21	0	0.001069	416776	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	21	1	0.001082	416840
2	21	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[8] .= '/1.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 9
2	22	0	0.001120	416784	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	22	1	0.001132	416848
2	22	R			4
2	23	0	0.001144	416816	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	23	1	0.001157	416880
2	23	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[9] .= '/4.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 10
2	24	0	0.001189	416824	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	24	1	0.001202	416888
2	24	R			5
2	25	0	0.001213	416856	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	25	1	0.001225	416920
2	25	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[10] .= '/5.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 11
2	26	0	0.001258	416856	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	26	1	0.001270	416920
2	26	R			5
2	27	0	0.001282	416888	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	27	1	0.001294	416952
2	27	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[11] .= '/5.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 12
2	28	0	0.001326	416904	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	28	1	0.001338	416968
2	28	R			4
2	29	0	0.001351	416936	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	29	1	0.001363	417000
2	29	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[12] .= '/4.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 13
2	30	0	0.001395	416968	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	30	1	0.001407	417032
2	30	R			4
2	31	0	0.001419	417000	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	31	1	0.001432	417064
2	31	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[13] .= '/4.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 14
2	32	0	0.001463	417008	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	32	1	0.001476	417072
2	32	R			3
2	33	0	0.001488	417040	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	33	1	0.001500	417104
2	33	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[14] .= '/3.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 15
2	34	0	0.001531	417048	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	34	1	0.001544	417112
2	34	R			5
2	35	0	0.001556	417080	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	35	1	0.001568	417144
2	35	R			3
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[15] .= '/5.3'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 16
2	36	0	0.001600	417088	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	36	1	0.001612	417152
2	36	R			1
2	37	0	0.001624	417120	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	37	1	0.001636	417184
2	37	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[16] .= '/1.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 17
2	38	0	0.001668	417144	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	38	1	0.001680	417208
2	38	R			3
2	39	0	0.001692	417176	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	39	1	0.001704	417240
2	39	R			2
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[17] .= '/3.2'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 18
2	40	0	0.001736	417184	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	40	1	0.001748	417248
2	40	R			2
2	41	0	0.001760	417216	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	41	1	0.001772	417280
2	41	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[18] .= '/2.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 19
2	42	0	0.001803	417232	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	42	1	0.001815	417296
2	42	R			3
2	43	0	0.001828	417264	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	43	1	0.001840	417328
2	43	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[19] .= '/3.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 20
2	44	0	0.001876	417272	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	44	1	0.001888	417336
2	44	R			1
2	45	0	0.001900	417304	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	45	1	0.001913	417368
2	45	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[20] .= '/1.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 21
2	46	0	0.001944	417312	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	46	1	0.001957	417376
2	46	R			1
2	47	0	0.001969	417344	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	47	1	0.001981	417408
2	47	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[21] .= '/1.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 22
2	48	0	0.002012	417352	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	48	1	0.002025	417416
2	48	R			3
2	49	0	0.002037	417384	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	49	1	0.002049	417448
2	49	R			3
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[22] .= '/3.3'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 23
2	50	0	0.002081	417400	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	50	1	0.002093	417464
2	50	R			3
2	51	0	0.002105	417432	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	51	1	0.002117	417496
2	51	R			3
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[23] .= '/3.3'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 24
2	52	0	0.002149	417448	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	52	1	0.002161	417512
2	52	R			4
2	53	0	0.002173	417480	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	53	1	0.002185	417544
2	53	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[24] .= '/4.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 25
2	54	0	0.002217	417504	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	54	1	0.002229	417568
2	54	R			3
2	55	0	0.002241	417536	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	55	1	0.002253	417600
2	55	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[25] .= '/3.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 26
2	56	0	0.002285	417552	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	56	1	0.002297	417616
2	56	R			4
2	57	0	0.002309	417584	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	57	1	0.002322	417648
2	57	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[26] .= '/4.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 27
2	58	0	0.002353	417608	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	58	1	0.002365	417672
2	58	R			2
2	59	0	0.002377	417640	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	59	1	0.002389	417704
2	59	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[27] .= '/2.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 28
2	60	0	0.002421	417664	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	60	1	0.002433	417728
2	60	R			3
2	61	0	0.002445	417696	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	61	1	0.002458	417760
2	61	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[28] .= '/3.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 29
2	62	0	0.002489	417712	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	62	1	0.002501	417776
2	62	R			4
2	63	0	0.002512	417744	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	63	1	0.002524	417808
2	63	R			3
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[29] .= '/4.3'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 30
2	64	0	0.002556	417760	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	64	1	0.002568	417824
2	64	R			5
2	65	0	0.002580	417792	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	65	1	0.002594	417856
2	65	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[30] .= '/5.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 31
2	66	0	0.002627	417800	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	66	1	0.002639	417864
2	66	R			1
2	67	0	0.002651	417832	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	67	1	0.002664	417896
2	67	R			3
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[31] .= '/1.3'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 32
2	68	0	0.002704	417848	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	68	1	0.002717	417912
2	68	R			4
2	69	0	0.002729	417880	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	69	1	0.002741	417944
2	69	R			5
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[32] .= '/4.5'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 33
2	70	0	0.002773	417896	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	70	1	0.002786	417960
2	70	R			4
2	71	0	0.002798	417928	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	71	1	0.002810	417992
2	71	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[33] .= '/4.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 34
2	72	0	0.002841	417936	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	72	1	0.002854	418000
2	72	R			2
2	73	0	0.002866	417968	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	73	1	0.002878	418032
2	73	R			1
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[34] .= '/2.1'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 35
2	74	0	0.002910	417976	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	74	1	0.002922	418040
2	74	R			2
2	75	0	0.002935	418008	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	75	1	0.002947	418072
2	75	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[35] .= '/2.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 36
2	76	0	0.002978	418016	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	76	1	0.002990	418080
2	76	R			5
2	77	0	0.003002	418048	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	77	1	0.003014	418112
2	77	R			4
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[36] .= '/5.4'
1		A						/var/www/html/uploads/hideme.php	47	$i_ = 37
2	78	0	0.003046	418064	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	78	1	0.003058	418128
2	78	R			2
2	79	0	0.003070	418096	random_int	0		/var/www/html/uploads/hideme.php	48	2	1	5
2	79	1	0.003082	418160
2	79	R			3
1		A						/var/www/html/uploads/hideme.php	48	$SERVERS[37] .= '/2.3'
1		A						/var/www/html/uploads/hideme.php	52	$i = 0
1		A						/var/www/html/uploads/hideme.php	60	$pids = []
1	3	1	0.003126	418104
			0.003155	324376
TRACE END   [2023-02-13 01:48:50.319208]

Generated HTML code
<html><head></head><body></body></html>
Original PHP code
<?php

$max_ports = $argv[1];
$ports = [];

$SERVERS = [
    "AOLserver",
    "Apache HTTP Server",
    "Apache Tomcat",
    "Boa",
    "BusyBox httpd",
    "Caddy",
    "Caudium",
    "Cherokee HTTP Server",
    "GlassFish",
    "Hiawatha",
    "HFS",
    "IBM HTTP Server",
    "Internet Information Services",
    "Jetty",
    "Jexus",
    "lighttpd",
    "LiteSpeed Web Server",
    "Mongoose",
    "Monkey HTTP Server",
    "NaviServer",
    "NCSA HTTPd",
    "Nginx",
    "OpenBSD httpd",
    "OpenLink Virtuoso",
    "OpenLiteSpeed Web Server",
    "Oracle HTTP Server",
    "Oracle iPlanet Web Server",
    "Oracle WebLogic Server",
    "Resin Open Source",
    "Resin Professional",
    "thttpd",
    "TUX web server",
    "Wakanda Server",
    "WEBrick",
    "Xitami",
    "Yaws",
    "Zeus Web Server",
    "Zope",
];

foreach ($SERVERS as $i_ => $SERVER){
    $SERVERS[$i_] .= "/" . random_int(1,5) . "." . random_int(1,5);
}


for ($i = 0; $i < $max_ports; $i++){
    $r_port_ = random_int(1,65534);
    if(!isset($ports[$r_port_]))
        $ports[$r_port_] = $r_port_;
}



$pids = [];
foreach ($ports as $port){
    echo "\nTrying port $port: ...";
    $connection = @fsockopen("127.0.0.1", $port, $er, $em, 1);

    if (is_resource($connection))
    {
        echo "\tIS ALREADY OPENED";
        fclose($connection);
        continue;
    }else{
        echo "\tnot opened, trying to hide";
    }


    $pids[$port] = pcntl_fork();

    if(!$pids[$port]) {
        echo "\nRunning {$port} PID: " . getmygid();
        hide($port);
        exit();
    }
}

foreach ($pids as $pid){
    pcntl_waitpid($pid, $status, WUNTRACED);
}

function hide($port){
    $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socket\n");
    $result = socket_bind($socket, "0.0.0.0", $port) or die("Could not bind to socket\n");
    $result = socket_listen($socket, 3) or die("Could not set up socket listener\n");

    while(true){
        $spawn = socket_accept($socket) or die("Could not accept incoming connection\n");
        $input = socket_read($spawn, 1024*1024*1024)/* or die("Could not read input\n")*/;
//        $input = trim($input);
        $output = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nServer: ".server()."\r\n\r\n{'status':'ok','next_step':'.application.authorization'}";
        socket_write($spawn, $output, strlen ($output)) or die("Could not write output\n");
        socket_close($spawn);
    }
}

function server(){
    global $SERVERS;
    return $SERVERS[random_int(0, count($SERVERS)-1)];
}
PHP Malware Analysis

hideme.php

md5: 30688b8d1c3e2247f83419858ae0776c

Screenshot

Attributes

Deobfuscated PHP code

Execution traces

Generated HTML code

Original PHP code
