Bizarre rogue PHP script

Habitual · 12-17-2018, 12:24 PM

Quote:

Originally Posted by l0f4r0

It's definitely obfuscated but I cannot find the encoding algorithm...
Maybe it's defined in another php page which could import that hbindy.php so I like cantab suggestion.

I think it's been obfuscated twice.

TenTenths · 12-17-2018, 12:46 PM

Quote:

Originally Posted by Habitual

I think it's been obfuscated twice.

Nope, it hasn't. As I said previously it creates a function and then executes the function whenever the script is called.

The function looks like an uploader rather than being directly malicious.

My main thought is that part of the strings tell php to use some form of different encoding rather than normal "english"

hydrurga · 12-17-2018, 01:38 PM

Could it possibly be embedded pre-compiled PHP bytecode?

https://www.thefreecountry.com/compilers/php.shtml

l0f4r0 · 12-17-2018, 04:28 PM

Voila: https://www.unphp.net/decode/f9730be...f424193c5c129/

hydrurga · 12-17-2018, 05:18 PM

https://www.reddit.com/r/Wordpress/c..._functions_to/

Quote:

This code is basically a backdoor to run arbitrary PHP code.

The code is passed to this in the form of a cookie sent by the browser. The cookie's data is encrypted (well, obfuscated) using a combination of base64 encoding and a relatively simple xor data mutator.

The cookie consists of a key and a value, the key is the key to decrypt the value, the value ends up being serialized data containing the malicious code to be executed and a password to ensure that the code came from the attacker. The md5 hash of the password is "9f5276b9083cb9d3b4c1217fa504e2aa", the password itself is unknown (it wasn't in any of the online lookup tables I tried).

So yes, this is malicious and not part of any legitimate code.

ondoho · 12-18-2018, 01:53 AM

thanks to everyone who helped understand & decode that.
i'm flabbergasted.

a question: is all of it valid syntax or is it deliberately sprinkled with gibberish, in a way that the PHP interpreter can skip over it (like a shell script won't necessarily fail if there's some errors in it)?