Lunchtime PHP Deobfuscation

I came across the bit of code posted below today while browsing Stack Overflow. The user who posted the question was asking what this bit of code actually did. He knew it was malicious because it had appeared on his server without his knowledge, and it was obfuscated. Unfortunately the question was marked as off topic with the reason “Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic”.

A few users commented that they wouldn’t take the time to deobfuscate the code, that the asker shouldn’t bother and should just remove it from the server, and so on. I thought the question was closed rather prematurely, because it is indeed related to programming. It’s also no more time consuming to reverse engineer this than it is to answer most other questions on Stack Overflow. I don’t subscribe to the philosophy that if you find a short snippet of obfuscated code on your server, you remove it without even attempting to see what it’s doing.

Since this snippet is very short, and easily deobfuscated, here’s how it’s done in a few steps.

Step 0: Original Obfuscated Code

Step 1: Human Readable Obfuscated Code

Things become significantly easier to read once we simply add some tabs and line breaks. Go through the code and break it at each semicolon so that every statement sits on its own line. After that, add some comments of your own to record what you’ve worked out so far.

Step 2: Quick & Dirty Decoder

In order to decode this entirely, without pissing away too much time, just use common sense. We’ll decode the script with itself: comment out the malicious code we don’t want to run, and add echo statements to see what these base64 strings really are. Essentially we’re just creating a clean printout of all the base64_decode calls.

Here’s what we see when we run our janky little decoder.

~/Lab$ php ./test.php
8194460
base64_decode
copy
id
up
up
file
tmp_name
file
file
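The three steps above, Step 1 (line breaks at semicolons), Step 2 (printing what each base64 literal decodes to) and Step 3 (substituting the decoded strings back in), can be done without running the sample through PHP at all. The helpers below are an added example written for this post, not the author’s decoder or any code from the original snippet. The `SAMPLE_PHP` string is constructed for the example in the same one-line style; its literals decode only to the short names the printout above shows, and the sample assigns variables without calling anything. The alias handling (a variable that holds the string `base64_decode` and is then used as a function) is an assumption about how such snippets are typically written, not something the post states.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed sample written for this example, in the style of the one-line
# snippet the post works through.  Each single-quoted literal is base64 for one
# of the short names the post's decoder printed; the sample only assigns
# variables and calls nothing, so it is safe to feed to the helpers below.
SAMPLE_PHP = (
    "<?php echo 7457737+736723;"
    "$a=base64_decode('YmFzZTY0X2RlY29kZQ==');$b=$a('Y29weQ==');"
    "$c=$a('aWQ=');$d=$a('dXA=');$e=$a('ZmlsZQ==');$f=$a('dG1wX25hbWU=');"
    "if(isset($x[$c])){$y=$x[$d][$f];}?>"
)


def pretty_print(src: str) -> str:
    """Step 1: one statement per line, indented by block depth.

    Splits on ; { } only outside string literals.  Escape sequences inside
    strings are ignored, which is enough for one-liners like the sample.
    """
    lines, line, depth, quote = [], "", 0, None

    def flush() -> None:
        nonlocal line
        if line.strip():
            lines.append("    " * depth + line.strip())
        line = ""

    for ch in src:
        if quote:                      # inside a string literal
            line += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            line += ch
        elif ch in ";{":
            line += ch
            flush()
            if ch == "{":
                depth += 1
        elif ch == "}":
            flush()
            depth = max(depth - 1, 0)
            line = "}"
        else:
            line += ch
    flush()
    return "\n".join(lines)


def decode_literals(src: str) -> List[Tuple[str, str]]:
    """Step 2: every single-quoted literal that is valid base64 for printable
    ASCII, in source order, as (encoded, decoded) pairs."""
    found = []
    for m in re.finditer(r"'([^']*)'", src):
        enc = m.group(1)
        if len(enc) < 4 or len(enc) % 4:
            continue
        try:
            text = base64.b64decode(enc, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and all(c in string.printable for c in text):
            found.append((enc, text))
    return found


MARKER_RE = re.compile(r"echo\s*(\d+)\s*\+\s*(\d+)\s*;")


def evaluate_marker(src: str) -> Optional[int]:
    """Fold the leading 'echo <int>+<int>;' line to the number an infected
    page prints (the first line of the post's printout)."""
    m = MARKER_RE.search(src)
    return int(m.group(1)) + int(m.group(2)) if m else None


def deobfuscate(src: str) -> str:
    """Step 3: substitute decoded strings, drop the now-redundant
    base64_decode() wrappers, and resolve variables aliasing base64_decode."""
    out = src
    for enc, text in decode_literals(src):
        out = out.replace(f"'{enc}'", f"'{text}'")
    out = re.sub(r"base64_decode\('([^']*)'\)", r"'\1'", out)
    for alias in re.findall(r"\$(\w+)='base64_decode';", out):
        out = re.sub(rf"\${alias}\('([^']*)'\)", r"'\1'", out)
    return pretty_print(out)


if __name__ == "__main__":
    print(pretty_print(SAMPLE_PHP), end="\n\n")   # Step 1
    print(evaluate_marker(SAMPLE_PHP))            # first printout line
    for _, text in decode_literals(SAMPLE_PHP):   # Step 2 printout
        print(text)
    print()
    print(deobfuscate(SAMPLE_PHP))                # Step 3
```

Run stand-alone, the script prints the readable form, then the same kind of list the post’s decoder produced (the folded marker value first, then one decoded name per line), and finally the script with the obfuscation removed. Because nothing is ever executed, the same helpers can be pointed at a real sample copied off a server without running it.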

Step 3: Deobfuscated Script

Reading our decoder’s printout from the top down, it’s pretty easy to replace the obfuscated strings with our deobfuscated strings. After doing so, here’s what we wind up with. The whole script is rather short compared to all the initial gibberish.

It doesn’t tell us a whole lot about what the malware actually does on the victim’s system, because all we can see is that there’s a remote server copying and executing files. What you can tell, though, is that if this was on your server, you’d absolutely need to be looking for other malicious files, because this was there to facilitate their transfer.

Going Further

This code looks like it infected a lot of PHP applications out in the wild. A simple Google query for echo 7457737+736723; reveals many WordPress, Drupal, OpenCart, and various other PHP applications infected. It’s likely installed via an infected plugin built for any of those systems, vulnerabilities in them, or issues with the hosts on which they’re running.

Through a search for the code on GitHub I was able to find an infected Russian store. Within their repository there is a file titled on.php, which simply contains <?php echo 7457737+736723;?>. I presume this signifies that the host is infected successfully, and that PHP is running. After searching through their commit log I can see that the directory once contained additional obfuscated files:

accesson.php

dump.php

search.php

While I’d like to take the time to clean these files up as well, I haven’t yet done so. It seems that accesson.php is the one most people are talking about.
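The Google query above finds infected sites on the public web; the equivalent check on your own host is to walk the document root for the same two things the post points out, the bare check-in line in on.php and files stuffed with base64_decode() calls. The scanner below is an added example written for this post, not code from the post or from any of the projects mentioned. The generalised marker pattern (any `<?php echo <int>+<int>;?>` file, rather than only the exact 7457737+736723 pair) and the threshold of three base64_decode() calls are assumptions chosen for the example; the sample files it creates are constructed.

```python
import os
import re
import tempfile
from typing import Dict, List

# Indicators taken from the post: the check-in line `echo 7457737+736723;`
# found in on.php, and string literals hidden behind base64_decode().  The
# generalised marker regex and the call-count threshold are my assumptions.
CHECKIN_RE = re.compile(r"<\?php\s*echo\s*\d+\s*\+\s*\d+\s*;\s*\?>")
B64_CALL_RE = re.compile(r"base64_decode\s*\(")
B64_CALL_THRESHOLD = 3


def classify(src: str) -> List[str]:
    """Return the names of the indicators that fire for one file's contents."""
    hits = []
    if CHECKIN_RE.search(src):
        hits.append("checkin-marker")
    n = len(B64_CALL_RE.findall(src))
    if n >= B64_CALL_THRESHOLD:
        hits.append(f"base64_decode x{n}")
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a document root and map each .php file that has indicators to them."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed docroot: a clean page, a bare marker file like on.php, and a
    file whose only content is base64_decode() assignments (literals are just
    'a', 'b', 'c'; nothing in it runs anything)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "on.php": "<?php echo 7457737+736723;?>",
        "wp-content/x.php": (
            "<?php $a=base64_decode('YQ==');$b=base64_decode('Yg==');"
            "$c=base64_decode('Yw==');"
        ),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Against a real install, point `scan_tree` at the web root; anything flagged with the check-in marker is the beacon the post describes, and anything flagged for base64_decode() density is a candidate for the decoding steps above. Plugins and themes legitimately use base64_decode() occasionally, so the threshold is a triage aid, not a verdict.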

Original Post

Here is the original question.
