PHP Backdoor Analysis

The last few days I started scraping Pastebin. Today my system (a Raspberry Pi) was having a rough time processing a file. Usually this happens with larger files, so I thought I'd check it out. This is what I found: http://pastebin.com/UsemAin9

Since I had some time I thought I'd have a quick look. Here is my analysis.

As you can see, the text I found ends with "==". This usually indicates it's base64 encoded. So I copied the text into a file and removed the first part of the string, "data:image/jpeg;base64" (which is not valid base64). The reason this is tagged at the front is, I think, that it allows you to save (and, my guess, upload) the file as an image. This is to evade (PHP) script upload protection.

I then decoded the whole file using "base64 --decode" (the command can be found in your average Unix distro and in Cygwin). The output was: http://slexy.org/view/s2SHydo0JT (just click "view raw paste" for a better formatted view)

Here is where you can see that we are dealing with some sort of PHP script, because of the opening PHP tag "<?php". If you look at this in an editor with a colour scheme (any PHP IDE or Vim will do) you can clearly see that there is still one big chunk of data that is encoded. So I selected the data from "$_X='" up until "+';" (almost at the end of the file). After this you'll see there is another PHP instruction called 'eval'. Let's leave that for now and decode this big chunk first.

Note: This time the string did not end with "==". But let's try the base64 decode first anyway (a bit of a hunch, but since this method worked before it is always worth a try).

Again using the same command we end up with: http://pastebin.com/fKGeXMwn

Awesome, we have something that looks like source code. But we're not fully there yet. From my previous file I grabbed the last part, which I hadn't decoded yet:

eval($OOO0000O0('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));

I decoded the string given as an argument, from "JF9" until "==". Again the "==" makes me believe that this is most likely base64.

Output:

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

Now with some formatting (comments added):

$_X=base64_decode($_X);                          // stage 1: undo the base64 layer
$_X=strtr($_X,'123456aouie','aouie123456');     // stage 2: swap the characters back
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);   // patch the real file path into the script
eval($_R);                                      // run the decoded script
$_R=0;                                          // wipe the decoded copy
$_X=0;                                          // wipe the encoded copy

This looks like the second stage of the decoding process. I already did the first base64_decode in my previous step, but that showed strange PHP code. Second, you can see a strtr function call (strtr: translate characters or replace substrings), which explains the strange output: the characters '123456aouie' have been swapped with 'aouie123456' and need to be swapped back. Before you run this decoding code you should remove the 'eval' function call, otherwise you're executing the decoded text, and since we don't really know what's in there (yet) that probably isn't a very good idea.

So we create a file called "decode.php" and add the following lines:
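The decode.php script itself isn't reproduced on the page. As an added example (not the author's script and not the backdoor's code), here is a Python equivalent of the same two stages: it strips the fake "data:image/jpeg;base64" prefix described earlier, does the lenient base64 decode, undoes the strtr character swap, substitutes a path for __FILE__ the way the loader does, and prints the result instead of calling eval. It also flags whether the decoded layer still contains an eval() call (meaning another stage remains) and shows the magic-byte check that an upload filter should apply instead of trusting the data-URI prefix. The sample PHP snippet and the /tmp/x.php path are constructed for the test; encode_stage2 is the inverse transform, included only to build that test input.

```python
import base64
import re
import sys

# Character swap taken from the loader stage quoted on the page:
#   strtr($_X, '123456aouie', 'aouie123456')
# With two equal-length strings PHP's strtr maps character-for-character,
# which is exactly what str.translate does with a maketrans table.
FROM_CHARS = "123456aouie"
TO_CHARS = "aouie123456"
DECODE_TABLE = str.maketrans(FROM_CHARS, TO_CHARS)
ENCODE_TABLE = str.maketrans(TO_CHARS, FROM_CHARS)  # inverse; only used to build test input

# Prefix the paste carried so the blob could be saved/uploaded as an "image".
DATA_URI_PREFIX = "data:image/jpeg;base64,"
JPEG_MAGIC = b"\xff\xd8\xff"


def strip_data_uri(text):
    """Remove the fake image data-URI prefix; what remains is plain base64."""
    text = text.strip()
    if text.startswith(DATA_URI_PREFIX):
        text = text[len(DATA_URI_PREFIX):]
    return text


def lenient_b64decode(blob):
    """Mimic PHP's non-strict base64_decode: drop stray characters, fix padding."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def is_real_jpeg(raw):
    """Magic-byte check an upload filter should do instead of trusting the prefix."""
    return raw[:3] == JPEG_MAGIC


def decode_stage2(blob, file_path):
    """Replicate base64_decode -> strtr -> ereg_replace from the loader, minus eval.

    file_path stands in for $_F, the path the loader splices in for __FILE__.
    """
    text = lenient_b64decode(blob).decode("latin-1")  # byte-preserving decode
    text = text.translate(DECODE_TABLE)
    # ereg_replace('__FILE__', "'".$_F."'", $_X): the pattern has no regex
    # metacharacters, so a literal replace is equivalent.
    return text.replace("__FILE__", "'" + file_path + "'")


def has_further_eval(php_source):
    """True if the decoded layer still calls eval(), i.e. another stage remains."""
    return re.search(r"\beval\s*\(", php_source) is not None


def encode_stage2(php_source):
    """Inverse transform (constructed here to build a test payload; not on the page)."""
    swapped = php_source.translate(ENCODE_TABLE).encode("latin-1")
    return base64.b64encode(swapped).decode("ascii")


if __name__ == "__main__":
    # Usage: python decode_stage2.py <file containing the $_X blob> [path for __FILE__]
    with open(sys.argv[1]) as fh:
        blob = strip_data_uri(fh.read())
    path = sys.argv[2] if len(sys.argv) > 2 else "/PLACEHOLDER/uploaded.php"
    decoded = decode_stage2(blob, path)
    sys.stdout.write(decoded)
    if has_further_eval(decoded):
        sys.stderr.write("\n[!] decoded layer still contains eval(): another stage to unwrap\n")
```

Run it against the extracted $_X string and read the output in an editor; if the eval() warning fires, feed the inner argument back through the same script rather than executing anything.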

This file will print out the code we were looking for, aka a PHP backdoor: http://pastebin.com/uXvdjbeF. Simple, but effective.

If you look quickly at the code you'll find a function called 'ZoneH'. This is a site where hackers report their victories. It looks like this backdoor can notify ZoneH from within. Based on the complexity of the encoding (not much) and this function, we can probably assume that this backdoor is not used for very sophisticated or custom attacks.

MD5 of the file: 252b69f8ef890fe6e720143ef7e2912d

Ruben.