7

I found this backdoor on a client's website.

http://pastebin.com/wVs8w44v (original format)

http://pastebin.com/acfx49QJ (semi-readable)

I have gotten rid of it and realise it's an obfuscated script, but how can I deobfuscate it in order to get to the root of this matter and better understand the motive behind this attack?

Thanks!

Vikas Thakur
  • You're welcome (related to a deleted question on the IT Security site). Please try to include the most important parts (or, in this case, a sample) of the code on any SE site. – Maarten Bodewes Jun 15 '15 at 17:26
  • Jason Geffner, sorry for the inconvenience, brother. I would like to be able to decipher the PHP obfuscator https://github.com/mauro199304/PHP-ofuscato; I find it very difficult. Please, can you help me? – Elverdes Jun 07 '21 at 19:21

1 Answer

17

I wrote a small Python script to deobfuscate the majority of the string obfuscation:

import re
import urllib.request

# Python 3 (urllib.request); the original script used Python 2's urllib.urlopen
php = urllib.request.urlopen("http://pastebin.com/raw.php?i=wVs8w44v").read().decode("latin-1")

# Slight modification below so that we don't escape $
z26 = "jmiO@sxhFnD>J\r/u+RcHz3}g\nd{^8 ?eVwl_T\\\t|N5q)LobU]40!p%,rC-97k<'y=W:P$1BI&S6\"E(K`Y~.Q;f[v2a#X*ZAGtM"

# Decode all $z26[...] lookups into quoted single-character literals
for i in range(len(z26)):
    php = php.replace("$z26[" + str(i) + "]", "\"" + z26[i] + "\"")

# Concatenate decoded strings: "a"."b" becomes "ab"
php = php.replace("\".\"", "")

# Collect every $GLOBALS['key'] = "value"; assignment, drop the assignments,
# then inline the collected values wherever $GLOBALS['key'] is referenced
global_strings = {}
for m in re.finditer(r"""\$GLOBALS\['(?P<key>\w+?)'\] = "(?P<value>.*?)";""", php):
    global_strings[m.group("key")] = m.group("value")
php = re.sub(r""" \$GLOBALS\['(?P<key>\w+?)'\] = "(?P<value>.*?)";""", "", php)
for key, value in global_strings.items():
    php = php.replace("$GLOBALS['" + key + "']", value)

print(php)

I then formatted the output with http://phpbeautifier.com/ and stored the results at http://pastebin.com/p7Tmvq4e.

The only major thing left to do is to rename the functions and arguments, but that can't be easily automated. I think the content at http://pastebin.com/p7Tmvq4e should meet your needs, though!

Jason Geffner
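The same three-step approach (resolve the character-table lookups, join the concatenated literals, inline the $GLOBALS slots) as an added, self-contained example that is not the answer's own script and does not touch the real backdoor: it runs on a constructed PHP sample, reads the table name and contents out of the source instead of hard-coding them, handles PHP double-quote escapes, and keeps the output valid PHP by quoting inlined values unless they are being called as a function.

```python
import re

# Constructed sample in the style of the obfuscated script discussed above (not the
# real backdoor): a character table, $z26[i] lookups, and $GLOBALS slots holding the
# rebuilt strings. The table deliberately contains escaped characters.
SAMPLE = r'''<?php
$z26 = "_aehlnoprstw\"\\";
$GLOBALS['w1'] = $z26[9].$z26[10].$z26[8].$z26[10].$z26[6].$z26[4].$z26[6].$z26[11].$z26[2].$z26[8];
$GLOBALS['w2'] = $z26[3].$z26[2].$z26[4].$z26[4].$z26[6];
echo $GLOBALS['w1']($GLOBALS['w2']);
'''

PHP_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"', "$": "$"}

def php_unescape(s):
    """Resolve the escape sequences PHP accepts inside a double-quoted literal."""
    return re.sub(r"\\(.)", lambda m: PHP_ESCAPES.get(m.group(1), m.group(0)), s, flags=re.S)

def php_escape(ch):
    """Inverse of php_unescape for one character, so emitted literals stay valid PHP."""
    return ch.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")

def find_char_table(php):
    """Return (variable name, decoded characters) of the first `$name = "...";` literal."""
    m = re.search(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)";', php)
    if not m:
        raise ValueError("no character table found")
    return m.group(1), php_unescape(m.group(2))

def deobfuscate(php):
    var, table = find_char_table(php)
    # 1. $var[i] -> the table character as a quoted literal
    php = re.sub(r"\$" + re.escape(var) + r"\[(\d+)\]",
                 lambda m: '"' + php_escape(table[int(m.group(1))]) + '"', php)
    # 2. "a"."b" -> "ab"
    php = php.replace('"."', "")
    # 3. record $GLOBALS['k'] = "..."; assignments and drop those lines
    slots = {}
    def collect(m):
        slots[m.group(1)] = m.group(2)
        return ""
    php = re.sub(r"""\$GLOBALS\['(\w+)'\]\s*=\s*"((?:[^"\\]|\\.)*)";\n?""", collect, php)
    # 4. inline each slot: bare name when called as a function, quoted literal otherwise
    def inline(m):
        key, call = m.group(1), m.group(2)
        if key not in slots:
            return m.group(0)
        return slots[key] + "(" if call else '"' + slots[key] + '"'
    return re.sub(r"\$GLOBALS\['(\w+)'\](\()?", inline, php)
```

On the sample this yields `echo strtolower("hello");`; renaming the remaining functions and arguments is still a manual step, as the answer notes.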