

Ad-hoc decoding a backdoor - nedbat
http://nedbatchelder.com/blog/201302/adhoc_decoding_a_backdoor.html

======
trotsky
If you're looking for a shortcut, next time just google the first half a dozen
or so bytes of the encoded payload. These compromises come from automated or
one-click intrusion tools, and they often use the same or similar code for
years. Somebody else has always decoded it for you, and may have some
additional insights. This backdoor has been used in the wild for at least 2-3
years now, so there is plenty of discussion.

Unless it's entertainment for you, reversing these scanner-based website
compromises is generally not going to offer much insight. It's almost
certainly prefab code spit out by a tool any halfwit can buy for a few bucks,
it'll point back to an IP in a country that doesn't give a shit, and there's a
good chance the ISP actively caters to customers like that.

If you caught it quickly, odds are you won't see any active maliciousness going
on yet. Most of the time a scanner will work to compromise a target number of
hosts, say 1000 or so, and then will either sell them as a bundle or mass
deploy their own payload. This will almost always be some form of SEO link
generation, scareware popup ads or browser exploit kits.

Do your mom, yourself and the rest of the internet a favor: help her migrate to a
platform that isn't a constant stream of CVEs and infected addons. There are
plenty of fully managed platforms that include easy data portability and
custom domains.

