@mwdhouse
Last active December 20, 2015 20:19
Decoding Malware (https://twitter.com/andrewsmhay/status/365605589344206849). The GLOBALS array becomes the below.
array(1) {
["_584730172_"]=>
array(39) {
[0]=>
string(15) "error_reporting"
[1]=>
string(14) "set_time_limit"
[2]=>
string(6) "define"
[3]=>
string(7) "dirname"
[4]=>
string(6) "define"
[5]=>
string(6) "unlink"
[6]=>
string(11) "file_exists"
[7]=>
string(5) "touch"
[8]=>
string(11) "is_writable"
[9]=>
string(4) "trim"
[10]=>
string(17) "file_get_contents"
[11]=>
string(6) "unlink"
[12]=>
string(17) "file_get_contents"
[13]=>
string(6) "unlink"
[14]=>
string(10) "preg_match"
[15]=>
string(7) "implode"
[16]=>
string(10) "preg_match"
[17]=>
string(7) "implode"
[18]=>
string(17) "file_get_contents"
[19]=>
string(5) "fopen"
[20]=>
string(5) "flock"
[21]=>
string(5) "fputs"
[22]=>
string(5) "flock"
[23]=>
string(6) "fclose"
[24]=>
string(11) "file_exists"
[25]=>
string(11) "unserialize"
[26]=>
string(17) "file_get_contents"
[27]=>
string(4) "time"
[28]=>
string(17) "file_get_contents"
[29]=>
string(4) "time"
[30]=>
string(5) "fopen"
[31]=>
string(5) "flock"
[32]=>
string(5) "fputs"
[33]=>
string(9) "serialize"
[34]=>
string(5) "flock"
[35]=>
string(6) "fclose"
[36]=>
string(6) "substr"
[37]=>
string(6) "header"
[38]=>
string(6) "header"
}
}
string(24) "http://gayleecher.com:81"
string(6) "qwe123"
string(6) "qwe123"
string(6) "123qwe"
string(4) "ROOT"
string(1) "/"
string(3) "LOG"
string(9) "ololo.txt"
string(11) "/iframe.txt"
string(4) "test"
string(4) "work"
string(20) "NO WORK, NOT GET URL"
string(21) "NO WORK, NOT WRITIBLE"
string(3) "aaa"
string(3) "aaa"
string(3) "aaa"
string(15) "SCRIPT_FILENAME"
string(6) ".count"
string(3) "bbb"
string(3) "bbb"
string(3) "ccc"
string(15) "SCRIPT_FILENAME"
string(6) ".count"
string(13) "Null count ok"
string(18) "ERROR null count(("
string(15) "HTTP_USER_AGENT"
string(4) "MSIE"
string(7) "Firefox"
string(5) "Opera"
string(7) "Windows"
string(1) "/"
string(1) "|"
string(2) "/i"
string(15) "HTTP_USER_AGENT"
string(1) "/"
string(1) "|"
string(2) "/i"
string(15) "HTTP_USER_AGENT"
string(15) "SCRIPT_FILENAME"
string(6) ".count"
string(0) ""
string(15) "SCRIPT_FILENAME"
string(6) ".count"
string(1) "w"
string(12) "/iframe2.txt"
string(13) "http://ya.ru/"
string(13) "settings.json"
string(13) "settings.json"
string(4) "last"
string(3) "url"
string(4) "last"
string(3) "url"
string(4) "last"
string(13) "settings.json"
string(1) "w"
string(3) "url"
string(3) "url"
string(4) "http"
string(7) "http://"
string(1) "/"