Fabron Posted July 9, 2011
I was browsing the internet when my Kaspersky virus scanner popped up a Backdoor.PHP alert. It was a cache file in my Firefox cache folder. I uploaded the file to VirSCAN and 14 out of 37 scanners found malware. http://virscan.org/report/83c9d4a27f48f4bfa0fd0e91cd2112cf.html I am concerned, but unfortunately I know nothing about PHP so please help. Was this a false alert? What does this script do? The file is attached to this post, password for the archive is cJNLVSOf21ZUTEzAdP PROCEED WITH CAUTION. THIS SCRIPT MIGHT BE HARMFUL. MOD EDIT: Potentially harmful attachment removed.
Link to comment: https://forums.phpfreaks.com/topic/241465-is-this-php-script-a-virus-what-does-it-do/
Psycho Posted July 9, 2011
Assuming you don't have PHP installed on your machine you should have nothing to worry about. If you do have PHP installed, then you should be fine as long as the PHP file is not in a folder that is accessible via the web server and is not executed via the PHP parser.
Pikachu2000 Posted July 9, 2011
If you want someone to look at the file, open it yourself and paste the contents inside of . . . BBCode tags. It's ridiculous to attach a file that may contain malware to a post and expect others to download and open it.
Fabron Posted July 9, 2011 Author
> If you want someone to look at the file, open it yourself and paste the contents inside of . . . BBCode tags. It's ridiculous to attach a file that may contain malware to a post and expect others to download and open it.
This is exactly what I did before but I was not able to post it with the code tags because it exceeded a certain number of characters.
Fabron Posted July 9, 2011 Author
Here is the PHP script as text only: http://pastebin.com/DMpFaZgD
Fabron Posted July 9, 2011 Author
> Assuming you don't have PHP installed on your machine you should have nothing to worry about. If you do have PHP installed, then you should be fine as long as the PHP file is not in a folder that is accessible via the web server and is not executed via the PHP parser.
I don't have PHP installed. I just accessed a web page with Firefox, then the alert popped up. I guess the PHP code automatically executes in this case, as part of displaying the web page, no?
Psycho Posted July 9, 2011
> > Assuming you don't have PHP installed on your machine you should have nothing to worry about. If you do have PHP installed, then you should be fine as long as the PHP file is not in a folder that is accessible via the web server and is not executed via the PHP parser.
> I don't have PHP installed. I just accessed a web page with Firefox, then the alert popped up. I guess the PHP code automatically executes in this case, as part of displaying the web page, no?
No. Your computer cannot execute PHP code unless you have installed the PHP server software. From what I understand these Backdoor.PHP scripts are meant to get surreptitiously installed onto web servers so the malicious users can then use that server to execute malicious code for other purposes. I really don't think you are at risk.
Fabron Posted July 9, 2011 Author
Thanks, that's kind of a relief. The website I got this from was the login page of a hosting company I am a customer of. It's the form where name and password have to be entered. I didn't enter my login info because of the alert. It would however still be interesting to know if this was a real threat for my info or just a false alert? Can anyone review the PHP code and explain what it does?
gizmola Posted July 9, 2011
Yes that is a nasty script that is packed in there. I wrote a script to unpack the source, and its ultimate payload is a kind of PHP form-based shell to allow someone to run various commands as the webserver user. Just to give you an idea, here's a menu variable it sets up:

    $quicklaunch = array(
        array("HOME", $surl),
        array("", "#\" onclick=\"history.back(1)"),
        array("=>", "#\" onclick=\"history.go(1)"),
        array("UPDIR", "#\" onclick=\"document.todo.act.value='ls';document.todo.d.value='%upd';document.todo.sort.value='%sort';document.todo.submit();"),
        array("Search", "#\" onclick=\"document.todo.act.value='search';document.todo.d.value='%d';document.todo.submit();"),
        array("Buffer", "#\" onclick=\"document.todo.act.value='fsbuff';document.todo.d.value='%d';document.todo.submit();"),
        array("Tools", "#\" onclick=\"document.todo.act.value='tools';document.todo.d.value='%d';document.todo.submit();"),
        array("Proc.", "#\" onclick=\"document.todo.act.value='processes';document.todo.d.value='%d';document.todo.submit();"),
        array("FTP brute", "#\" onclick=\"document.todo.act.value='ftpquickbrute';document.todo.d.value='%d';document.todo.submit();"),
        array("Sec.", "#\" onclick=\"document.todo.act.value='security';document.todo.d.value='%d';document.todo.submit();"),
        array("SQL", "#\" onclick=\"document.todo.act.value='sql';document.todo.d.value='%d';document.todo.submit();"),
        array("PHP-code", "#\" onclick=\"document.todo.act.value='eval';document.todo.d.value='%d';document.todo.submit();"),
        array("Self remove", "#\" onclick=\"document.todo.act.value='selfremove';document.todo.submit();"),
        array("Logout", "#\" onclick=\"if (confirm('Are you sure?')) window.close()")
    );

So that should give you an idea. Definitely a reminder of how evil the eval() command is.
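gizmola mentions writing a script to unpack the source. What follows is an added example, not gizmola's script and not the thread's file: a static unpacker in Python that peels eval(gzinflate(base64_decode('...'))) layers without executing any PHP, then checks the result for menu strings taken from the $quicklaunch array quoted above. The packed input is a constructed fixture built from a harmless snippet; SHELL_MARKERS and pack_for_demo are assumptions made for the demo.

```python
import base64
import re
import zlib
# Matches eval(<decoder>(<decoder>('<literal>'))); at any wrapping depth.
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)+)['\"]([^'\"]+)['\"]\s*\)+\s*;?", re.S)
# PHP decoders that can be reproduced statically, without running PHP.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, as PHP gzinflate()
    "gzuncompress": zlib.decompress,                 # zlib-wrapped, as PHP gzuncompress()
}
# Assumed marker list: strings from the unpacked menu quoted in the thread.
SHELL_MARKERS = ("ftpquickbrute", "selfremove", "document.todo.act", "madnet", "c99madshell")

def unwrap_once(src):
    """Replace the outermost eval(...) wrapper with its decoded text, or return None."""
    m = EVAL_CHAIN.search(src)
    if not m:
        return None
    chain = re.findall(r"\w+", m.group(1))  # outermost decoder first
    data = m.group(2).encode()
    try:
        for func in reversed(chain):        # PHP evaluates the innermost call first
            data = DECODERS[func](data)
    except (KeyError, ValueError, zlib.error):  # unknown decoder or corrupt data: stop
        return None
    return src[:m.start()] + data.decode("utf-8", "replace") + src[m.end():]

def unpack(src, max_layers=20):
    """Peel eval() layers statically; returns (source, layers_removed)."""
    for layer in range(max_layers):
        nxt = unwrap_once(src)
        if nxt is None:
            return src, layer
        src = nxt
    return src, max_layers

def shell_indicators(src):
    """Markers from SHELL_MARKERS present in the (unpacked) source, in list order."""
    low = src.lower()
    return [marker for marker in SHELL_MARKERS if marker in low]

def pack_for_demo(php_src, layers=2):
    """Constructed fixture: wrap a harmless snippet in the same eval/gzinflate/base64 style."""
    for _ in range(layers):
        comp = zlib.compressobj(wbits=-15)
        raw = comp.compress(php_src.encode()) + comp.flush()
        php_src = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return php_src
```

Running unpack() on a real cache file only decodes text; nothing in the file is executed, which is the point of reading a packed script this way rather than through PHP.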
gizmola Posted July 9, 2011
You should alert them, as it looks like someone has compromised their server and implanted this. Bad news.
ignace Posted July 9, 2011
I unpacked it and pasted the source code here: http://pastebin.com/kJHP8BcZ
ignace Posted July 9, 2011
It's actually quite nice of that hacker to tell us what we should look out for? Here's a blog post about the script you found (c99madshell): http://www.derekfountain.org/security_c99madshell.php
Fabron Posted July 9, 2011 Author
> You should alert them, as it looks like someone has compromised their server and implanted this. Bad news.
Thanks for the help. In your opinion, could this be a legit web interface for clients to control their hosting services, or does it really seem to be a malicious 3rd party backdoor? I will alert them right away if you think it's the latter.
gizmola Posted July 9, 2011
Yes it derives from "madnet". I'm just posting a cached version of their site, but it's referenced in the source http://webcache.googleusercontent.com/search?q=cache:3wb9DWSlhkkJ:madnet.name/eng/files/1/+madnet+php+script&cd=2&hl=en&ct=clnk&gl=us&client=firefox-a&source=www.google.com
gizmola Posted July 9, 2011
> > You should alert them, as it looks like someone has compromised their server and implanted this. Bad news.
> Thanks for the help. In your opinion, could this be a legit web interface for clients to control their hosting services, or does it really seem to be a malicious 3rd party backdoor? I will alert them right away if you think it's the latter.
It's a shell so it could be of legitimate use, as it gives you quite a lot of control, so yeah it could be like a poor man's cpanel. Is this running on *your server*? Why would it be downloaded to your local machine?
Fabron Posted July 9, 2011 Author
It's not running on my server. I have no idea why that script got downloaded by my browser on my computer, especially when it's server-side only and I can't execute it.
ignace Posted July 9, 2011
> or does it really seem to be a malicious 3rd party backdoor?
It's used by script kiddies around the world, so yes it's a backdoor
ignace Posted July 9, 2011
> I have no idea why that script got downloaded by my browser on my computer
It found your RAM attractive? Either you or someone else downloaded it obviously as you can download it for free.
gizmola Posted July 9, 2011
Yes, I'm with Ignace. It is meant to give someone access to a server. In fact, the way it was packaged makes it clear that it is intended as an exploit. Probably they are finding ways to get people to download that script to their servers and from there they can execute it, so yeah, you need to alert your ISP that they have some sort of XSS exploit on that page. You can point them to this thread if they want more information.
Fabron Posted July 9, 2011 Author
I notified my hosting company a few hours ago. I hope no damage was done on their server with that madnet shell. Thanks to everyone who participated in this thread.