brooksh Posted March 11, 2012 Share Posted March 11, 2012 I downloaded a script and now it's using 100% of my server's resources. I believe the script has malicious code but I am unable to decode it to see. Can someone please explain to me how to view the source code? The first part of the script is: <?php /* */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x39c; Part 2: eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDg5KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?> Last Part: flkje~EnhJbS~rkD8a09j409j409jz6PbDJydnHrCTukiYA7zaCiMpT7zeAE1LALQct+fa098eH+6NHEQLALQHt+fa09jNH98eHG1W0+feH9jNH98eRD8eH+6NH+feH91Yt+6NH98eH+6NHE1W0+6NH+6NH9jNSE1PZwjT/ZTWjVtp8WfMOPzRH9mPSGfzhy6PsxBXgIn4DimmVM7nfrsW4Mm9U96npxTnLyCyFkASC2dw0rbkmVsaE0iy5DfT12fWTWtPLiMSE+8zZ+z4WMmwMnnk7sTmxVsDukCndkFXSxdq5rsOUybTgyBWzPAPcI7RH9+L6wjMFw6YOGgeAGitSZFkurCa6kiYt+6NH98eH+6NHG+qmPdT5G1W0+6NH+6NH+6NSZH==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srg^bL]qNZ|xKoYHhm Quote Link to comment Share on other sites More sharing 
options...
requinix Posted March 11, 2012: It's complicated. Can you post the whole file, unedited?
brooksh Posted March 11, 2012 Author Share Posted March 11, 2012 This is one of the files unedited: <?php /* */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x39c;eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDg5KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>flkje~EnhJbS~rkD8a09j409j409jz6PbDJydnHrCTukiYA7zaCiMpT7zeAE1LALQct+fa098eH+6NHEQLALQHt+fa09jNH98eHG1W0+feH9jNH98eRD8eH+6NH+feH91Yt+6NH98eH+6NHE1W0+6NH+6NH9jNSE1PZwjT/ZTWjVtp8WfMOPzRH9mPSGfzhy6PsxBXgIn4DimmVM7nfrsW4Mm9U96npxTnLyCyFkASC2dw0rbkmVsaE0iy5DfT12fWTWtPLiMSE+8zZ+z4WMmwMnnk7sTmxVsDukCndkFXSxdq5rsOUybTgyBWzPAPcI7RH9+L6wjMFw6YOGgeAGitSZFkurCa6kiYt+6NH98eH+6NHG+qmPdT5G1W0+6NH+6NH+6NSZH==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srg^bL]qNZ|xKoYHhm If I take the middle code and decode it: 
highlight_string(base64_decode('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDdkKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs=')); It displays this: $O000O0O00=$OOO000O00($OOO0O0O00,'rb');$O0O00OO00($O000O0O00,0x47d);$OO00O00O0=$OOO0000O0($OOO00000O($O0O00OO00($O000O0O00,0x17c),'N41j8TCbLDGE9wZ02Wi+Mns7VkxryPIJYXQutmdARS/35qhUHpg6fzFBcOlveaoK=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));eval($OO00O00O0); But that's as far as I've been able to go. Quote Link to comment Share on other sites More sharing options...
trq Posted March 11, 2012: There is probably a reason it is hidden — what license is this software under?
requinix Posted March 11, 2012: Thanks for the heads-up, thorpe. brooksh, in case you didn't see: the code is not malicious. It's quite simple and could not cause the 100% usage you're seeing.
brooksh Posted March 11, 2012 (Author): The script is malicious; it sends out strange requests. Anyway, I figured it out: look for the == sign (the base64 padding) that marks the end of the encoded chunk.
simotenax Posted May 22, 2012: That's my decoded output: <?php include("inc/application_top.php"); $navegation = ''; $smarty->assign('website_title',$website_title); $smarty->assign('website_keyword',$website_keyword); $smarty->assign('website_description',$website_description); $smarty->assign('title_header1',$title_header1); $smarty->assign('title_header2',$title_header2); $smarty->assign('navegation',$navegation); $smarty->assign('date',date("F d, Y")); $smarty->assign('navegation',$navegation); $smarty->assign('domain_url',$domain_url); $smarty->assign('domain',$domain); $smarty->assign('home_page',$home_page); $smarty->assign('date_year',date("Y")); $smarty->assign('shopzilla_tracking',$shopzilla_tracking); $smarty->display('index.tpl');