Hacked, what does this piece of code do?

Question

WARNING: This is a possible exploit. Do not run directly on your server if you're not sure what to do with this.

http://pastehtml.com/view/1b1m2r6.txt

I believe this was uploaded via an insecure upload script. How do I decode and uncompress this code? Running it in the browser might execute it as a shell script, open up a port or something.

I can do a base64 decode online but i couldn't really decompress it.

Answer 1

So there's a string. It's gzipped and base64 encoded, and the code decodes the base64 and then uncompresses it.

When that's done, I am resulted with this:

<? eval(base64_decode('...')); ?>

Another layer of base64, which is 720440 bytes long.

Now, base64 decoding that, we have 506961 bytes of exploit code.

That's here: http://azabani.com/misc/stackoverflow/3708246-exploit.txt

I'm still examining the code, and will update this answer when I have more understanding. The code is huge.

Still reading through the code, and the (very well-done) exploit allows these tools to be exposed to the hacker:

• TCP backdoor setup
• unauthorised shell access
• reading of all htpasswd, htaccess, password and configuration files
• log wiping
• MySQL access (read, write)
• append code to all files matching a name pattern (mass exploit)
• RFI/LFI scanner
• UDP flooding
• kernel information

This is probably a professional PHP-based server-wide exploit toolkit, and seeing as it's got a nice HTML interface and the whole lot, it could be easily used by a pro hacker, or even a script kiddie.

This exploit is called c99shell (thanks Yi Jiang) and it turns out to have been quite popular, being talked about and running for a few years already. There are many results on Google for this exploit.

Answer 2

First, replace the eval with an echo to see what code it would execute if you'd let it. Send the output of that script to another file, say, test2.php. In that file, do the same trick again. Run it, and it will output the complete malicious program (it's quite a beast), ~4k lines of hacker's delight.

Answer 3

Looking at Delan's decoded source, it appears to be a full-fledged backdoor providing a web interface that can be used to control the server in various ways. Telling fragments from the source:

echo '<center>Are you sure you want to install an IP:Port proxy on this
website/server?<br />

or

<b>Mass Code Injection:</b><br><br>
Use this to add PHP to the end of every .php page in the directory specified.

or

echo "<br><b>UDP Flood</b><br>Completed with $pakits (" . 
     round(($pakits*65)/1024, 2) . " MB) packets averaging ". 
     round($pakits/$exec_time, 2) . " packets per second \n";

or

if (!$fp) {echo "Can't get /etc/passwd for password-list.";}

I'd advise you to scrub that server and reinstall everything from scratch.

Answer 4

I know Delan Azabani has done this, but just so you actually know how he got the data out:

Just in case you're wondering how to decompress this, use base64 -d filename > output to parse base64 strings and gunzip file.name.gz to parse gzipped data.

The trick is in recognising that what you've got is base64 or gunzip and decompressing the right bits.

This way it goes absolutely nowhere near a JS parser or PHP parser.

Answer 5

This is code for php shell.
to decode this

replace replace eval("?>". with print( run this

php5 file.php > file2.php

then replace eval with print and run in browser. http://loclhost/file2.php