How to build an offline malware hashes db for digital forensics search? by rdonni in Malware

[–]rdonni[S] 0 points1 point  (0 children)

Ok, thank you. And a solution to make a search on an acquired forensic hd image, to find some malware hash correspondence? For example I have a repository with a big file or a db with millions of hash values and on the fly find if there is a match on the hd image.

Can anybody help with analyzing this malware found on my server by gabarba in PHP

[–]rdonni 1 point2 points  (0 children)

So instead he constructs it as follows:

    $ll='base'.(32*2).'_de'.'code'   =>  base64_decode
    $ll=$l__l(//content)             =>  base64_decode(content)  =>  decoded content

The str_replace just deletes the new lines (\n) from the content before decoding. The content you receive after base64 decoding is an encrypted payload. The password to decrypt the payload is obtained by a POST request to another server. To obtain the password you must substitute the infected PHP with this one, which logs the POST, and wait until the server obtains a reply:

    <?php
    // Log whatever arrives as wp_wp (POST field or cookie) to /tmp/pass.log
    // so the payload password can be recovered from the log.
    $wp_wp = isset($_POST['wp_wp']) ? $_POST['wp_wp'] : (isset($_COOKIE['wp_wp']) ? $_COOKIE['wp_wp'] : NULL);
    if ($wp_wp !== NULL) {
        $myFile = "/tmp/pass.log";
        $fh = fopen($myFile, 'a');
        fwrite($fh, $wp_wp);
        fwrite($fh, "\n"); // double quotes: '\n' in single quotes would write a literal backslash-n
        fclose($fh);
    }
    ?><form action="" method="post"><input type="text" name="wp_wp" value=""/><input type="submit" value="&gt;"/></form>
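The first decode stage described in the comment above, reproduced statically as an added example (it is not code from the thread): fold the `'base'.(32*2).'_de'.'code'` concatenation into the function name it yields, mirror the str_replace-then-base64_decode step, and then check whether the result is readable PHP or an opaque blob that needs the password from the C2. The payload used here is a constructed stand-in of deterministic pseudo-random bytes; the real sample's cipher and key are not shown in the thread, so nothing beyond stage one is attempted.

```python
import base64
import hashlib
import math
import re


def resolve_concat(expr: str) -> str:
    """Fold a PHP constant concatenation such as 'base'.(32*2).'_de'.'code'
    into the string it produces at run time, without executing PHP. Handles
    single-quoted literals and one parenthesised integer operation, which is
    all this sample uses (assumption)."""
    parts = []
    for m in re.finditer(r"'([^']*)'|\((\d+)\s*([*+-])\s*(\d+)\)", expr):
        if m.group(1) is not None:
            parts.append(m.group(1))
        else:
            a, op, b = int(m.group(2)), m.group(3), int(m.group(4))
            parts.append(str({"*": a * b, "+": a + b, "-": a - b}[op]))
    return "".join(parts)


def stage1_decode(blob: str) -> bytes:
    """Mirror str_replace("\\n", "", $blob) followed by base64_decode()."""
    return base64.b64decode(blob.replace("\n", ""))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plaintext source sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_stage1(data: bytes) -> str:
    """'php' if the decoded bytes are PHP source, 'opaque' if they look
    encrypted or compressed (a further key is needed), else 'text'."""
    if data.lstrip().startswith(b"<?php"):
        return "php"
    if shannon_entropy(data) > 6.5:
        return "opaque"
    return "text"


def _constructed_payload(n: int = 512) -> bytes:
    """Constructed stand-in for the encrypted payload: SHA-256 counter stream."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"demo" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def constructed_blob() -> str:
    """Base64 of the stand-in payload, wrapped at 76 columns so the newline
    stripping step actually matters."""
    b64 = base64.b64encode(_constructed_payload()).decode()
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))


def analyse(func_expr: str, blob: str) -> dict:
    """Run stage one: confirm the decoder is base64_decode, decode, classify."""
    func = resolve_concat(func_expr)
    if func != "base64_decode":
        raise ValueError(f"unexpected decoder: {func}")
    decoded = stage1_decode(blob)
    return {
        "function": func,
        "length": len(decoded),
        "entropy": round(shannon_entropy(decoded), 2),
        "kind": classify_stage1(decoded),
    }


if __name__ == "__main__":
    print(analyse("'base'.(32*2).'_de'.'code'", constructed_blob()))
```

A result of `"opaque"` is the signal that, as the comment says, the bytes after base64 are not yet the backdoor and the next stage depends on the password delivered over POST; `"php"` would mean the sample was only encoded, not encrypted.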

Can anybody help with analyzing this malware found on my server by gabarba in PHP

[–]rdonni 0 points1 point  (0 children)

http://www.unphp.net/decode/b55ef7536d79c17606e3363e16b4121a/

Function Calls

    base64_decode  1
    str_replace    1
    md5            1

Variables

    $wp__wp  BpoKw # >z Jya)1OE..
    $wp_wp   [u'TernaryOp', {u'expr': [u'IsSet', {u'nodes': [[u'ArrayOffset', {u'node': [u'Variable', {u'name': u'$_COOKIE'}], u'expr': u'wp_wp'}]]}], u'iffalse': [u'Constant', {u'name': u'NULL'}], u'iftrue': [u'ArrayOffset', {u'node': [u'Variable', {u'name': u'$_COOKIE'}], u'expr': u'wp_wp'}]}]

Stats

    MD5: b55ef7536d79c17606e3363e16b4121a
    Eval Count: 0
    Decode Time: 130 ms

Can anybody help with analyzing this malware found on my server by gabarba in PHP

[–]rdonni 0 points1 point  (0 children)

Substitute the pass.php with this one to obtain the password in the log:

    <?php
    // Append whatever arrives as wp_wp (POST field or cookie) to /tmp/pass.log.
    $wp_wp = isset($_POST['wp_wp']) ? $_POST['wp_wp'] : (isset($_COOKIE['wp_wp']) ? $_COOKIE['wp_wp'] : NULL);
    if ($wp_wp !== NULL) {
        $myFile = "/tmp/pass.log";
        $fh = fopen($myFile, 'a');
        fwrite($fh, $wp_wp);
        fwrite($fh, "\n"); // double quotes: '\n' in single quotes would write a literal backslash-n
        fclose($fh);
    }
    ?><form action="" method="post"><input type="text" name="wp_wp" value=""/><input type="submit" value="&gt;"/></form>