On Wed, Apr 11, 2012 at 10:06 PM, Raja Subramanian <[email protected]> wrote:
> The malware sample is here: http://pastebin.com/7X9imPGp
>
> Can anyone decipher what this script is doing and how much damage
> it has caused?
Sorry to reply to my own post.

PHP programmers have nothing other than eval and base64_encode to hide their code. This malware contains a crafty way of hiding the base64_decode and eval function strings. Other than that it's vanilla. The really long string $m1nWMtcRk07 is just several wrappers of eval(base64_encode(...)). The final unwrapped code is here: http://pastebin.com/RdTmZKyw

Looks like the GetMama malware is well known. This code is the first line of ~850 PHP files in my WP installation. Hope deleting it permanently removes the bad bits.

If there's sufficient interest, at the May LUG meeting I can talk about my WP experience, hardening and malware analysis.

- Raja

_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
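The two steps Raja describes, peeling nested eval(base64_decode(...)) wrappers and then finding every PHP file whose first line carries the injected stager, can both be done statically without ever executing the sample. The script below is an added example written for this thread; it is not the pastebin sample, not the GetMama code, and not anything from the list. The obfuscated payload it works on is constructed inline (a harmless stand-in that just evals a POST parameter), and the decoder names it understands (base64_decode, gzinflate, gzuncompress, str_rot13) are my assumption about the common wrappers, not a claim about what this particular sample used.

```python
import base64
import codecs
import os
import re
import tempfile
import zlib

# Constructed stand-in for the innermost payload (NOT the real sample).
FINAL_PAYLOAD = "<?php if (isset($_POST['x'])) { eval($_POST['x']); } ?>"


def wrap(code, layers, deflate=False):
    """Build a constructed sample: each layer is eval(base64_decode('...')),
    or eval(gzinflate(base64_decode('...'))) when deflate=True."""
    for _ in range(layers):
        raw = code.encode()
        if deflate:
            comp = zlib.compressobj(wbits=-15)          # raw DEFLATE, what gzinflate() expects
            raw = comp.compress(raw) + comp.flush()
            chain, close = "gzinflate(base64_decode(", "))"
        else:
            chain, close = "base64_decode(", ")"
        code = "<?php eval(%s'%s'%s); ?>" % (chain, base64.b64encode(raw).decode(), close)
    return code


SAMPLE = wrap(FINAL_PAYLOAD, 3)   # three plain base64 wrappers, one line, constructed

# eval( <chain of decoder calls> '<literal>' )...;  -- group 1 is the call chain, group 2 the literal
LAYER_RE = re.compile(
    r"""eval\s*\(\s*((?:\w+\s*\(\s*)+)['"]([A-Za-z0-9+/=\s]+)['"]\s*\)+\s*;?""", re.S)

# Pure-Python equivalents of the PHP decoders (assumed common wrappers, not tied to this sample).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}


def unwrap(code, max_layers=50):
    """Statically peel eval(decoder(...('literal'))) layers. Returns (code, layers_removed).
    Stops, without executing anything, at the first unknown decoder or when no layer matches."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(code)
        if not m:
            break
        names = re.findall(r"\w+", m.group(1))            # outermost first, e.g. gzinflate, base64_decode
        data = re.sub(r"\s+", "", m.group(2)).encode()
        for name in reversed(names):                      # apply innermost decoder first
            if name not in DECODERS:
                return code, layers                       # unknown function: leave it for manual review
            data = DECODERS[name](data)
        code = data.decode("utf-8", "replace")
        layers += 1
    return code, layers


LONG_LITERAL_RE = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")


def looks_injected(first_line):
    """Heuristic for a stager prepended as line 1: an eval( call or a very long base64-ish literal."""
    return bool(re.search(r"\beval\s*\(", first_line)) or bool(LONG_LITERAL_RE.search(first_line))


def scan_tree(root):
    """Return paths of .php files under root whose first line looks injected (read-only, no cleanup)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    first = fh.readline()
                if looks_injected(first):
                    hits.append(path)
    return sorted(hits)


def demo_scan():
    """Constructed WP-like tree: one infected file (stager as line 1), one clean. Returns hit basenames."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(SAMPLE + "\n<?php\n// legitimate code follows the injected line\necho 'site';\n")
    with open(os.path.join(root, "clean.php"), "w") as fh:
        fh.write("<?php\necho 'hello';\n")
    return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    code, n = unwrap(SAMPLE)
    print("peeled %d layers:\n%s" % (n, code))
    print("infected files in demo tree:", demo_scan())
```

Two caveats. The unwrapper only recognises decoder names it can see literally; where the sample hides the eval and base64_decode strings (as Raja says this one does), you first resolve those by hand and then feed the normalised text in, or run the sample under a sandboxed PHP interpreter with eval hooked, never on the web host. And scan_tree is deliberately read-only: once you have the list, strip the injected first line with a tool that keeps backups, then re-scan, because a stager that survives in one file can rewrite the other 849.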
