PHP Malware Analysis

ip.php

md5: fb6cc12db6c740d9759fbb103e32a925


Screenshot


Attributes


Deobfuscated PHP code

<?php

// IP Grabber (the sample's own label): a visitor-logging script.
// On each request it collects the client's address, reverse-DNS name, source
// port, User-Agent and Referer and appends them to log.txt. It sends no output
// of its own.
//
// Defender notes:
//  - The listing contains no command execution, file inclusion or upload
//    handling; its side effects are one reverse-DNS lookup and one file append
//    per request.
//  - Indicators on a host are this script plus a growing log.txt, which is
//    opened by relative path (see fopen below).
//  - If a file like this turns up in a user-upload directory, that directory
//    is executing PHP; disabling script execution there is the usual hardening
//    step. The contents of log.txt show which visitors were recorded, which
//    matters for incident scoping.

// Variables: request metadata read from $_SERVER.
// Protocol string of the request; assigned but never used in this listing.
$protocol = $_SERVER['SERVER_PROTOCOL'];
// Address of the peer that connected to the web server. Behind a reverse proxy
// or CDN this is the proxy's address rather than the visitor's.
$ip = $_SERVER['REMOTE_ADDR'];
// Source port of that connection.
$port = $_SERVER['REMOTE_PORT'];
// Taken from the User-Agent request header, so entirely client-controlled.
$agent = $_SERVER['HTTP_USER_AGENT'];
// Taken from the Referer request header, also client-controlled. The key is
// absent when the header is not sent; PHP then raises an undefined-index/key
// diagnostic and $ref is null.
$ref = $_SERVER['HTTP_REFERER'];
// Blocking reverse-DNS lookup on every request. gethostbyaddr() returns the
// IP unchanged when no name is found; the result is DNS-supplied data and
// should be treated as untrusted like the header values.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
// Append IP, hostname, port number, User-Agent and Referer to log.txt.
// The path is relative, so it resolves against the process's working directory
// (presumably the script's own directory under a web server, which would make
// the log retrievable over HTTP; confirm on the affected host).
// The return value is not checked: if the open fails, $fh is false and the
// fwrite()/fclose() calls below fail (a TypeError on PHP 8).
$fh = fopen('log.txt', 'a');
// Each value is concatenated verbatim. This script applies no escaping or
// length check, so log.txt contents must be handled as untrusted input by
// whoever reviews them.
fwrite($fh, "IP Address: " . $ip . "\n");
fwrite($fh, "Hostname: " . $hostname . "\n");
fwrite($fh, "Port Number: " . $port . "\n");
fwrite($fh, "User Agent: " . $agent . "\n");
// A blank line after the Referer separates one visitor record from the next.
fwrite($fh, "HTTP Referer: " . $ref . "\n\n");
fclose($fh);

Execution traces

data/traces/fb6cc12db6c740d9759fbb103e32a925_trace-1676261560.9801.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:13:06.877917]
1	0	1	0.000183	393464
1	3	0	0.000256	398552	{main}	1		/var/www/html/uploads/ip.php	0	0
1		A						/var/www/html/uploads/ip.php	7	$protocol = 'HTTP/1.1'
1		A						/var/www/html/uploads/ip.php	8	$ip = '127.0.0.1'
1		A						/var/www/html/uploads/ip.php	9	$port = '58422'
1		A						/var/www/html/uploads/ip.php	10	$agent = 'python-requests/2.25.1'
1		A						/var/www/html/uploads/ip.php	11	$ref = NULL
2	4	0	0.000349	398552	gethostbyaddr	0		/var/www/html/uploads/ip.php	12	1	'127.0.0.1'
2	4	1	0.000393	398632
2	4	R			'localhost'
1		A						/var/www/html/uploads/ip.php	12	$hostname = 'localhost'
2	5	0	0.000422	398592	fopen	0		/var/www/html/uploads/ip.php	16	2	'log.txt'	'a'
2	5	1	0.000457	399224
2	5	R			resource(4) of type (stream)
1		A						/var/www/html/uploads/ip.php	16	$fh = resource(4) of type (stream)
2	6	0	0.000493	399200	fwrite	0		/var/www/html/uploads/ip.php	17	2	resource(4) of type (stream)	'IP Address: 127.0.0.1\n'
2	6	1	0.000517	399264
2	6	R			22
2	7	0	0.000531	399200	fwrite	0		/var/www/html/uploads/ip.php	18	2	resource(4) of type (stream)	'Hostname: localhost\n'
2	7	1	0.000549	399264
2	7	R			20
2	8	0	0.000562	399200	fwrite	0		/var/www/html/uploads/ip.php	19	2	resource(4) of type (stream)	'Port Number: 58422\n'
2	8	1	0.000578	399264
2	8	R			19
2	9	0	0.000591	399216	fwrite	0		/var/www/html/uploads/ip.php	20	2	resource(4) of type (stream)	'User Agent: python-requests/2.25.1\n'
2	9	1	0.000608	399280
2	9	R			35
2	10	0	0.000621	399200	fwrite	0		/var/www/html/uploads/ip.php	21	2	resource(4) of type (stream)	'HTTP Referer: \n\n'
2	10	1	0.000638	399264
2	10	R			16
2	11	0	0.000651	399152	fclose	0		/var/www/html/uploads/ip.php	22	1	resource(4) of type (stream)
2	11	1	0.000666	398760
2	11	R			TRUE
1	3	1	0.000679	398728
			0.000703	314480
TRACE END   [2023-02-13 02:13:06.878474]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
 
//IP Grabber (sample's own label): appends each visitor's address, reverse-DNS name, port, User-Agent and Referer to log.txt; sends no output
 
//Variables: request metadata read from $_SERVER (annotations are kept inline so line numbers still match the page's execution trace)
 
$protocol = $_SERVER['SERVER_PROTOCOL']; // assigned but never used in this file
$ip = $_SERVER['REMOTE_ADDR']; // peer address; behind a reverse proxy or CDN this is the proxy, not the visitor
$port = $_SERVER['REMOTE_PORT']; // source port of the connection
$agent = $_SERVER['HTTP_USER_AGENT']; // from the User-Agent header: client-controlled
$ref = $_SERVER['HTTP_REFERER']; // from the Referer header: client-controlled; key absent (value null, diagnostic raised) when the header is not sent
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']); // blocking reverse-DNS lookup per request; returns the IP unchanged when no name is found
 
//Append IP, Hostname, Port Number, User Agent and Referer to log.txt; values are written verbatim, so treat the log contents as untrusted
 
$fh = fopen('log.txt', 'a'); // relative path, append mode; return value is not checked, so a failed open breaks the calls below
fwrite($fh, 'IP Address: '."".$ip ."\n"); // the "" operand is an empty string and does not change the output
fwrite($fh, 'Hostname: '."".$hostname ."\n"); // DNS-supplied value, unescaped
fwrite($fh, 'Port Number: '."".$port ."\n");
fwrite($fh, 'User Agent: '."".$agent ."\n"); // header value, unescaped
fwrite($fh, 'HTTP Referer: '."".$ref ."\n\n"); // header value, unescaped; the extra newline separates visitor records
fclose($fh);
?>