PHP Infector

A reader wanted me to analyze a PHP file that was found on his hacked WordPress site. The script is made up of three parts, as you can see.

The top two sections contain an array of Base64-encoded strings. The bottom section references the arrays and performs the main functions.

My first thought was to replace each of the array variables with the actual decoded strings. Then I could read the script at the bottom and figure out what it's doing. But replacing each of the variable names with the values from the array manually would be a pain! (Anyone got a better idea? If so, let me know.)

Whenever I come across a problem, I try to find a generic solution that I can keep using in the future. Here's what I came up with...

First I take each of the top two sections and separate the encoded values by rows. So I take this:

And use search/replace to make it look like this:

Then I modified Converter to base64-decode each row separately:

Then I replaced each row with a pipe delimiter (since it wasn't being used anywhere):

I did the same for the second section:

I wrote a program that does a search and replace of the array values. I entered the search string that corresponded to the top section and pasted in the decoded strings with the pipe delimiter to get the result.

The second section was next.
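The search-and-replace the post walks through, as an added Python example that is neither the author's Converter nor code from the post: it finds `$name = array('...')` tables of Base64 literals, decodes each element, and inlines every `$name[N]` reference. The sample PHP is constructed here from harmless placeholder strings and is not the reader's file. It goes one step further than the text by re-quoting each inlined value as a single-quoted PHP literal, so the result stays parseable; tables whose elements all decoded are dropped, and anything that is not valid Base64 is left untouched.

```python
import base64
import binascii
import re


def _b64(s: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample shaped like the infector in the post: two arrays of
# Base64-encoded strings, then code that references them by index. This is
# not the reader's file; the strings are harmless placeholders.
SAMPLE_PHP = f"""<?php
$a = array('{_b64('str_replace')}', '{_b64('base64_decode')}', '{_b64('file_get_contents')}');
$b = array('{_b64('http://example.invalid/config.txt')}', '{_b64('<iframe src=')}');
$f = $a[2]; $u = $b[0];
echo $b[1] . $f($u);
"""

# `$name = array( ... );` whose body contains no ')' (true for tables of
# Base64 literals, which is the shape this handles).
ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*array\s*\(([^)]*)\)\s*;", re.S)
# One quoted PHP string literal, allowing backslash escapes inside it.
STRING_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""", re.S)
# A reference into one of the tables: $name[N]
REF_RE = re.compile(r"\$(\w+)\[(\d+)\]")


def decode_element(literal):
    """Base64-decode one literal; None if it is not valid Base64 / UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_arrays(php):
    """Map array variable name -> list of decoded strings (None where not Base64)."""
    arrays = {}
    for m in ARRAY_RE.finditer(php):
        literals = [s.group(2) for s in STRING_RE.finditer(m.group(2))]
        arrays[m.group(1)] = [decode_element(lit) for lit in literals]
    return arrays


def php_quote(s):
    """Wrap a decoded value as a single-quoted PHP literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def inline_references(php, arrays):
    """Replace every $name[N] whose element decoded with the quoted plaintext."""
    def repl(m):
        values = arrays.get(m.group(1))
        idx = int(m.group(2))
        if values is None or idx >= len(values) or values[idx] is None:
            return m.group(0)  # unknown table or non-Base64 element: leave as-is
        return php_quote(values[idx])
    return REF_RE.sub(repl, php)


def drop_decoded_tables(php, arrays):
    """Remove array definitions whose every element was decoded and inlined."""
    def repl(m):
        values = arrays.get(m.group(1), [])
        fully_decoded = bool(values) and all(v is not None for v in values)
        return "" if fully_decoded else m.group(0)
    return ARRAY_RE.sub(repl, php)


def deobfuscate(php):
    """Decode the string tables and inline them into the code that uses them."""
    arrays = extract_arrays(php)
    return drop_decoded_tables(inline_references(php, arrays), arrays)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_PHP))
```

Run it against a file instead of the embedded sample by reading the file into `deobfuscate()`; the output is the bottom section with every table lookup replaced by its plaintext, which is what you need to read the logic. The element-by-element decode is deliberate: if a table mixes Base64 with other strings, the indices still line up and only the undecodable references are left as they were.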

All done! This script probably won't execute properly because some of the strings need to be quoted but at least you can get a much better idea of what's going on.

Basically, this downloads a file from a website, extracts a URL from it and visits that URL. It essentially serves up a drive-by link to unsuspecting visitors.

The iframe link is the landing page of Sweet Orange. The link changes every couple of minutes or so.

I'll need to think about this more and see if there's another generic solution. If not, I'll add this method to Converter in the future.

Posted on: 10/12/2013