Strings recovered by reverse engineering the DarkLeech Apache malware module.
Reference: http://unixfreaxjp.blogspot.jp/2013/03/darkleech-apache-module.html
Each entry gives addr and pos (both in hex), followed by the string found at that location.
addr pos 0x16ED 0x16ED __gmon_start__ 0x16FC 0x16FC _init 0x1702 0x1702 _fini 0x1708 0x1708 __cxa_finalize 0x1717 0x1717 _Jv_RegisterClasses 0x172B 0x172B to_hex 0x173A 0x173A _CHECK_JS 0x1744 0x1744 _CHECK_RAW_COOKIE 0x1756 0x1756 KEY_CLIENT 0x1761 0x1761 _CHECK_SITE_KERNEL 0x1774 0x1774 _CHECK_REFERER_IS_HOST 0x178B 0x178B ap_hook_insert_filter 0x17A1 0x17A1 ap_register_output_filter 0x17BB 0x17BB rtrim 0x17C1 0x17C1 strlen 0x17C8 0x17C8 xor_decrypt_string 0x17DB 0x17DB FILTER 0x17E2 0x17E2 apr_palloc 0x17ED 0x17ED xor_encrypt_string 0x1800 0x1800 xor_encrypt 0x180C 0x180C _GEN_FILENAME_BLACKLIST 0x1824 0x1824 ap_md5 0x182B 0x182B __snprintf_chk 0x183A 0x183A ap_add_output_filter 0x184F 0x184F _CHECK_REFERER_IS_SEO 0x1865 0x1865 apr_table_get 0x1873 0x1873 SIZE_ARRAY_SE_REFERER 0x1889 0x1889 __ctype_toupper_loc 0x189D 0x189D _CHECK_BOT_USERAGENT 0x18B2 0x18B2 SIZE_ARRAY_BAN_USERAGENT 0x18CB 0x18CB stristr 0x18D3 0x18D3 _ADD_TO_BLACKLIST 0x18E5 0x18E5 fopen 0x18EB 0x18EB fclose 0x18F2 0x18F2 _CHECK_SITE_ADMIN 0x1904 0x1904 SIZE_ARRAY_BLACKLIST_URI 0x191D 0x191D CLIENT_IP 0x1927 0x1927 _CHECK_PROC 0x1933 0x1933 opendir 0x193B 0x193B readdir 0x1943 0x1943 strspn 0x194A 0x194A memset 0x1951 0x1951 fgets 0x1957 0x1957 SIZE_ARRAY_BAN_PROC 0x196B 0x196B strstr 0x1972 0x1972 _IS_SUDOER 0x197D 0x197D SIZE_ARRAY_SUDOERS 0x1990 0x1990 strcmp 0x1997 0x1997 _CHECK_UTMP 0x19A3 0x19A3 inet_ntoa 0x19AD 0x19AD getpwnam 0x19B6 0x19B6 __xstat 0x19BE 0x19BE _CHECK_BLACKLIST 0x19CF 0x19CF apr_file_open 0x19DD 0x19DD apr_file_close 0x19EC 0x19EC _ADD_TO_WAITLIST 0x19FD 0x19FD GEN_FILENAME_WAITLIST 0x1A13 0x1A13 __fprintf_chk 0x1A21 0x1A21 _SESSION_DELETE 0x1A31 0x1A31 GEN_FILENAME_SESSION 0x1A46 0x1A46 remove 0x1A4D 0x1A4D _SESSION_KEYGEN 0x1A5D 0x1A5D gettimeofday 0x1A6A 0x1A6A srand 0x1A70 0x1A70 _SET_COOKIE_KEY 0x1A80 0x1A80 gmtime 0x1A87 0x1A87 strftime 
0x1A90 0x1A90 apr_table_add 0x1A9E 0x1A9E explode 0x1AA6 0x1AA6 strchr 0x1AAD 0x1AAD strncpy 0x1AB5 0x1AB5 base64encode 0x1AC7 0x1AC7 malloc 0x1ACE 0x1ACE _INJECT_SAVE 0x1ADB 0x1ADB GEN_FILENAME_INJECT 0x1AEF 0x1AEF _SESSION_SAVE 0x1AFD 0x1AFD ip2long 0x1B05 0x1B05 strtok 0x1B0C 0x1B0C _CHECK_LOCAL_IP 0x1B1C 0x1B1C urlencode 0x1B26 0x1B26 __ctype_b_loc 0x1B34 0x1B34 from_hex 0x1B3D 0x1B3D __ctype_tolower_loc 0x1B51 0x1B51 base64decode 0x1B5E 0x1B5E _INJECT_SKIP 0x1B6B 0x1B6B apr_bucket_type_eos 0x1B7F 0x1B7F apr_bucket_alloc 0x1B90 0x1B90 memcpy 0x1B97 0x1B97 apr_bucket_free 0x1BA7 0x1BA7 apr_bucket_heap_create 0x1BBE 0x1BBE apr_bucket_eos_create 0x1BD4 0x1BD4 _SESSION_LOAD 0x1BE2 0x1BE2 __strtol_internal 0x1BF4 0x1BF4 _INJECT_UPDATE 0x1C03 0x1C03 FILENAME_UPDATING 0x1C15 0x1C15 socket 0x1C1C 0x1C1C snprintf 0x1C25 0x1C25 gethostbyname 0x1C33 0x1C33 connect 0x1C3B 0x1C3B uname 0x1C4B 0x1C4B _CHECK_WAITLIST 0x1C5B 0x1C5B filesize 0x1C64 0x1C64 _INJECT_LOAD 0x1C71 0x1C71 fread 0x1C77 0x1C77 __memcpy_chk 0x1C84 0x1C84 _INJECT_DO 0x1C8F 0x1C8F SIZE_ARRAY_TAGS_FOR_INJECT 0x1CAA 0x1CAA __sprintf_chk 0x1CB8 0x1CB8 KEY_XOR 0x1CC0 0x1CC0 C_MODULE_VERSION 0x1CD1 0x1CD1 C_CC_HOST 0x1CDB 0x1CDB C_CC_URI 0x1CE4 0x1CE4 C_CC_REQUEST_FORMAT 0x1CF8 0x1CF8 C_MARKER_LEFT 0x1D06 0x1D06 C_MARKER_RIGHT 0x1D15 0x1D15 C_TMP_DIR 0x1D1F 0x1D1F C_LIST_PREF 0x1D2B 0x1D2B C_KEY_COOKIE_NAME 0x1D3D 0x1D3D C_ARRAY_TAGS_FOR_INJECT 0x1D55 0x1D55 C_ARRAY_BAN_USERAGENT 0x1D6B 0x1D6B C_ARRAY_BLACKLIST_URI 0x1D81 0x1D81 C_ARRAY_SE_REFERER 0x1D94 0x1D94 C_ARRAY_SUDOERS 0x1DA4 0x1DA4 C_ARRAY_BAN_PROC 0x1DB5 0x1DB5 C_STRING_1 0x1DC0 0x1DC0 C_STRING_2 0x1DCB 0x1DCB C_STRING_3 0x1DD6 0x1DD6 C_STRING_4 0x1DE1 0x1DE1 C_STRING_5 0x1DEC 0x1DEC C_STRING_6 0x1DF7 0x1DF7 C_STRING_7 0x1E02 0x1E02 C_STRING_8 0x1E0D 0x1E0D C_STRING_9 0x1E18 0x1E18 C_STRING_12 0x1E24 0x1E24 C_STRING_13 0x1E30 0x1E30 C_STRING_10 0x1E3C 0x1E3C C_STRING_11 0x1E48 0x1E48 C_STRING_14 0x1E54 0x1E54 C_STRING_15 0x1E60 0x1E60 C_STRING_16 
0x1E6C 0x1E6C C_STRING_17 0x1E78 0x1E78 C_STRING_18 0x1E84 0x1E84 C_STRING_19 0x1E90 0x1E90 C_STRING_20 0x1E9C 0x1E9C C_STRING_21 0x1EA8 0x1EA8 C_STRING_22 0x1EB4 0x1EB4 C_STRING_23 0x1EC0 0x1EC0 C_STRING_24 0x1ECC 0x1ECC C_STRING_25 0x1ED8 0x1ED8 C_STRING_26 0x1EE4 0x1EE4 C_STRING_27 0x1EF0 0x1EF0 C_STRING_28 0x1EFC 0x1EFC C_STRING_29 0x1F08 0x1F08 C_STRING_30 0x1F14 0x1F14 C_STRING_31 0x1F20 0x1F20 C_STRING_32 0x1F2C 0x1F2C C_STRING_33 0x1F38 0x1F38 C_STRING_34 0x1F44 0x1F44 C_STRING_35 0x1F50 0x1F50 C_ARRAY_BAN_LOCAL_IP 0x1F65 0x1F65 apr_brigade_create 0x1F78 0x1F78 apr_brigade_cleanup 0x1F8C 0x1F8C ap_pass_brigade 0x1F9C 0x1F9C sec2_config_module 0x1FAF 0x1FAF ap_set_flag_slot 0x1FC0 0x1FC0 libm.so.6 0x1FCA 0x1FCA libc.so.6 0x1FD4 0x1FD4 __stack_chk_fail 0x1FE5 0x1FE5 _edata 0x1FEC 0x1FEC __bss_start 0x1FFD 0x1FFD mod_sec2_config.so 0x2010 0x2010 GLIBC_2.0 0x201A 0x201A GLIBC_2.1.3 0x2026 0x2026 GLIBC_2.1 0x2030 0x2030 GLIBC_2.4 0x203A 0x203A GLIBC_2.3.4 0x2046 0x2046 GLIBC_2.3 0x45BA 0x45BA <-t=<_t9<.t5<~t1 0x6FA3 0x6FA3 /var/run/utmp 0x6FB1 0x6FB1 /dev/ 0x6FC1 0x6FC1 mod_sec2_config.c 0x700F 0x700F ?456789:;<= 0x7047 0x7047 !"#$%&'()*+,-./0123 0x7060 0x7060 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ 0x70AC 0x70AC 0123456789abcdef 0x84AE 0x84AE (Rtm~ 0x87E8 0x87E8 fX#*; 0x884C 0x884C 6ow'. 
0x88B3 0x88B3 ||~,2 0x88F8 0x88F8 z|~+, 0x8A8A 0x8A8A @OnN1 0x8BF1 0x8BF1 GCC: (GNU) 4.1.1 20060525 (Red Hat 4.1.1-1) 0x8C1E 0x8C1E GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51) 0x8C4C 0x8C4C GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51) 0x8C7A 0x8C7A GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51) 0x8CA8 0x8CA8 GCC: (GNU) 4.1.1 20060525 (Red Hat 4.1.1-1) 0x8CD5 0x8CD5 .shstrtab 0x8CDF 0x8CDF .hash 0x8CE5 0x8CE5 .dynsym 0x8CED 0x8CED .dynstr 0x8CF5 0x8CF5 .gnu.version 0x8D02 0x8D02 .gnu.version_r 0x8D11 0x8D11 .rel.dyn 0x8D1A 0x8D1A .rel.plt 0x8D23 0x8D23 .init 0x8D29 0x8D29 .text 0x8D2F 0x8D2F .fini 0x8D35 0x8D35 .rodata 0x8D3D 0x8D3D .eh_frame_hdr 0x8D4B 0x8D4B .eh_frame 0x8D55 0x8D55 .ctors 0x8D5C 0x8D5C .dtors 0x8D68 0x8D68 .data.rel.ro 0x8D75 0x8D75 .dynamic 0x8D83 0x8D83 .got.plt 0x8D8C 0x8D8C .data 0x8D97 0x8D97 .comment 0x16ED 0x16ED __gmon_start__ 0x16FC 0x16FC _init 0x1702 0x1702 _fini 0x1708 0x1708 __cxa_finalize 0x1717 0x1717 _Jv_RegisterClasses 0x172B 0x172B to_hex 0x173A 0x173A _CHECK_JS 0x1744 0x1744 _CHECK_RAW_COOKIE 0x1756 0x1756 KEY_CLIENT 0x1761 0x1761 _CHECK_SITE_KERNEL 0x1774 0x1774 _CHECK_REFERER_IS_HOST 0x178B 0x178B ap_hook_insert_filter 0x17A1 0x17A1 ap_register_output_filter 0x17BB 0x17BB rtrim 0x17C1 0x17C1 strlen 0x17C8 0x17C8 xor_decrypt_string 0x17DB 0x17DB FILTER 0x17E2 0x17E2 apr_palloc 0x17ED 0x17ED xor_encrypt_string 0x1800 0x1800 xor_encrypt 0x180C 0x180C _GEN_FILENAME_BLACKLIST 0x1824 0x1824 ap_md5 0x182B 0x182B __snprintf_chk 0x183A 0x183A ap_add_output_filter 0x184F 0x184F _CHECK_REFERER_IS_SEO 0x1865 0x1865 apr_table_get 0x1873 0x1873 SIZE_ARRAY_SE_REFERER 0x1889 0x1889 __ctype_toupper_loc 0x189D 0x189D _CHECK_BOT_USERAGENT 0x18B2 0x18B2 SIZE_ARRAY_BAN_USERAGENT 0x18CB 0x18CB stristr 0x18D3 0x18D3 _ADD_TO_BLACKLIST 0x18E5 0x18E5 fopen 0x18EB 0x18EB fclose 0x18F2 0x18F2 _CHECK_SITE_ADMIN 0x1904 0x1904 SIZE_ARRAY_BLACKLIST_URI 0x191D 0x191D CLIENT_IP 0x1927 0x1927 _CHECK_PROC 0x1933 0x1933 opendir 0x193B 0x193B readdir 0x1943 0x1943 
strspn 0x194A 0x194A memset 0x1951 0x1951 fgets 0x1957 0x1957 SIZE_ARRAY_BAN_PROC 0x196B 0x196B strstr 0x1972 0x1972 _IS_SUDOER 0x197D 0x197D SIZE_ARRAY_SUDOERS 0x1990 0x1990 strcmp 0x1997 0x1997 _CHECK_UTMP 0x19A3 0x19A3 inet_ntoa 0x19AD 0x19AD getpwnam 0x19B6 0x19B6 __xstat 0x19BE 0x19BE _CHECK_BLACKLIST 0x19CF 0x19CF apr_file_open 0x19DD 0x19DD apr_file_close 0x19EC 0x19EC _ADD_TO_WAITLIST 0x19FD 0x19FD GEN_FILENAME_WAITLIST 0x1A13 0x1A13 __fprintf_chk 0x1A21 0x1A21 _SESSION_DELETE 0x1A31 0x1A31 GEN_FILENAME_SESSION 0x1A46 0x1A46 remove 0x1A4D 0x1A4D _SESSION_KEYGEN 0x1A5D 0x1A5D gettimeofday 0x1A6A 0x1A6A srand 0x1A70 0x1A70 _SET_COOKIE_KEY 0x1A80 0x1A80 gmtime 0x1A87 0x1A87 strftime 0x1A90 0x1A90 apr_table_add 0x1A9E 0x1A9E explode 0x1AA6 0x1AA6 strchr 0x1AAD 0x1AAD strncpy 0x1AB5 0x1AB5 base64encode 0x1AC7 0x1AC7 malloc 0x1ACE 0x1ACE _INJECT_SAVE 0x1ADB 0x1ADB GEN_FILENAME_INJECT 0x1AEF 0x1AEF _SESSION_SAVE 0x1AFD 0x1AFD ip2long 0x1B05 0x1B05 strtok 0x1B0C 0x1B0C _CHECK_LOCAL_IP 0x1B1C 0x1B1C urlencode 0x1B26 0x1B26 __ctype_b_loc 0x1B34 0x1B34 from_hex 0x1B3D 0x1B3D __ctype_tolower_loc 0x1B51 0x1B51 base64decode 0x1B5E 0x1B5E _INJECT_SKIP 0x1B6B 0x1B6B apr_bucket_type_eos 0x1B7F 0x1B7F apr_bucket_alloc 0x1B90 0x1B90 memcpy 0x1B97 0x1B97 apr_bucket_free 0x1BA7 0x1BA7 apr_bucket_heap_create 0x1BBE 0x1BBE apr_bucket_eos_create 0x1BD4 0x1BD4 _SESSION_LOAD 0x1BE2 0x1BE2 __strtol_internal 0x1BF4 0x1BF4 _INJECT_UPDATE 0x1C03 0x1C03 FILENAME_UPDATING 0x1C15 0x1C15 socket 0x1C1C 0x1C1C snprintf 0x1C25 0x1C25 gethostbyname 0x1C33 0x1C33 connect 0x1C3B 0x1C3B uname 0x1C4B 0x1C4B _CHECK_WAITLIST 0x1C5B 0x1C5B filesize 0x1C64 0x1C64 _INJECT_LOAD 0x1C71 0x1C71 fread 0x1C77 0x1C77 __memcpy_chk 0x1C84 0x1C84 _INJECT_DO 0x1C8F 0x1C8F SIZE_ARRAY_TAGS_FOR_INJECT 0x1CAA 0x1CAA __sprintf_chk 0x1CB8 0x1CB8 KEY_XOR 0x1CC0 0x1CC0 C_MODULE_VERSION 0x1CD1 0x1CD1 C_CC_HOST 0x1CDB 0x1CDB C_CC_URI 0x1CE4 0x1CE4 C_CC_REQUEST_FORMAT 0x1CF8 0x1CF8 C_MARKER_LEFT 0x1D06 0x1D06 C_MARKER_RIGHT 
0x1D15 0x1D15 C_TMP_DIR 0x1D1F 0x1D1F C_LIST_PREF 0x1D2B 0x1D2B C_KEY_COOKIE_NAME 0x1D3D 0x1D3D C_ARRAY_TAGS_FOR_INJECT 0x1D55 0x1D55 C_ARRAY_BAN_USERAGENT 0x1D6B 0x1D6B C_ARRAY_BLACKLIST_URI 0x1D81 0x1D81 C_ARRAY_SE_REFERER 0x1D94 0x1D94 C_ARRAY_SUDOERS 0x1DA4 0x1DA4 C_ARRAY_BAN_PROC 0x1DB5 0x1DB5 C_STRING_1 0x1DC0 0x1DC0 C_STRING_2 0x1DCB 0x1DCB C_STRING_3 0x1DD6 0x1DD6 C_STRING_4 0x1DE1 0x1DE1 C_STRING_5 0x1DEC 0x1DEC C_STRING_6 0x1DF7 0x1DF7 C_STRING_7 0x1E02 0x1E02 C_STRING_8 0x1E0D 0x1E0D C_STRING_9 0x1E18 0x1E18 C_STRING_12 0x1E24 0x1E24 C_STRING_13 0x1E30 0x1E30 C_STRING_10 0x1E3C 0x1E3C C_STRING_11 0x1E48 0x1E48 C_STRING_14 0x1E54 0x1E54 C_STRING_15 0x1E60 0x1E60 C_STRING_16 0x1E6C 0x1E6C C_STRING_17 0x1E78 0x1E78 C_STRING_18 0x1E84 0x1E84 C_STRING_19 0x1E90 0x1E90 C_STRING_20 0x1E9C 0x1E9C C_STRING_21 0x1EA8 0x1EA8 C_STRING_22 0x1EB4 0x1EB4 C_STRING_23 0x1EC0 0x1EC0 C_STRING_24 0x1ECC 0x1ECC C_STRING_25 0x1ED8 0x1ED8 C_STRING_26 0x1EE4 0x1EE4 C_STRING_27 0x1EF0 0x1EF0 C_STRING_28 0x1EFC 0x1EFC C_STRING_29 0x1F08 0x1F08 C_STRING_30 0x1F14 0x1F14 C_STRING_31 0x1F20 0x1F20 C_STRING_32 0x1F2C 0x1F2C C_STRING_33 0x1F38 0x1F38 C_STRING_34 0x1F44 0x1F44 C_STRING_35 0x1F50 0x1F50 C_ARRAY_BAN_LOCAL_IP 0x1F65 0x1F65 apr_brigade_create 0x1F78 0x1F78 apr_brigade_cleanup 0x1F8C 0x1F8C ap_pass_brigade 0x1F9C 0x1F9C sec2_config_module 0x1FAF 0x1FAF ap_set_flag_slot 0x1FC0 0x1FC0 libm.so.6 0x1FCA 0x1FCA libc.so.6 0x1FD4 0x1FD4 __stack_chk_fail 0x1FE5 0x1FE5 _edata 0x1FEC 0x1FEC __bss_start 0x1FFD 0x1FFD mod_sec2_config.so 0x2010 0x2010 GLIBC_2.0 0x201A 0x201A GLIBC_2.1.3 0x2026 0x2026 GLIBC_2.1 0x2030 0x2030 GLIBC_2.4 0x203A 0x203A GLIBC_2.3.4 0x2046 0x2046 GLIBC_2.3 0x45BA 0x45BA <-t=<_t9<.t5<~t1 0x6FA3 0x6FA3 /var/run/utmp 0x6FB1 0x6FB1 /dev/ 0x6FC1 0x6FC1 mod_sec2_config.c 0x700F 0x700F ?456789:;<= 0x7047 0x7047 !"#$%&'()*+,-./0123 0x7060 0x7060 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ 0x70AC 0x70AC 0123456789abcdef 0x84AE 0x84AE (Rtm~ 0x87E8 
0x87E8 fX#*; 0x884C 0x884C 6ow'. 0x88B3 0x88B3 ||~,2 0x88F8 0x88F8 z|~+, 0x8A8A 0x8A8A @OnN1 0x8BF1 0x8BF1 GCC: (GNU) 4.1.1 20060525 (Red Hat 4.1.1-1) 0x8C1E 0x8C1E GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51) 0x8C4C 0x8C4C GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51) 0x8C7A 0x8C7A GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51) 0x8CA8 0x8CA8 GCC: (GNU) 4.1.1 20060525 (Red Hat 4.1.1-1) 0x8CD5 0x8CD5 .shstrtab 0x8CDF 0x8CDF .hash 0x8CE5 0x8CE5 .dynsym 0x8CED 0x8CED .dynstr 0x8CF5 0x8CF5 .gnu.version 0x8D02 0x8D02 .gnu.version_r 0x8D11 0x8D11 .rel.dyn 0x8D1A 0x8D1A .rel.plt 0x8D23 0x8D23 .init 0x8D29 0x8D29 .text 0x8D2F 0x8D2F .fini 0x8D35 0x8D35 .rodata 0x8D3D 0x8D3D .eh_frame_hdr 0x8D4B 0x8D4B .eh_frame 0x8D55 0x8D55 .ctors 0x8D5C 0x8D5C .dtors 0x8D68 0x8D68 .data.rel.ro 0x8D75 0x8D75 .dynamic 0x8D83 0x8D83 .got.plt 0x8D8C 0x8D8C .data 0x8D97 0x8D97 .comment