An analysis of a PHP implant I came across on VirusTotal Intelligence.
On an initial investigation of the file, it is pretty obvious there is something funky going on. Spot the eval() right at the beginning of the code... The decoded eval looks like this:

<?php }

A quick glance over the script shows it is a 'redirector', which has the intention to redirect traffic to an alternative location, in this case:
header("Location: http://ibontu.25u.com/");
The script also deflects requests from bots, to prevent the bots from being redirected to the alternative site.
Crude, but effective - somewhat :/
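As an added illustration of how a defender would triage a dropper of this shape (this is example code written for this post, not the implant itself or anything from VirusTotal), the script below peels the common eval(gzinflate(base64_decode("..."))) wrapper layers off a PHP file, then looks in the recovered payload for the two behaviours described above: a header("Location: ...") redirect and a User-Agent check that spares bots. The sample dropper, its inner payload and the redirect target redirect.example are all constructed here and are not the real sample's values.

```python
import base64
import codecs
import re
import zlib


# Python equivalents of the PHP wrapper functions typically stacked around eval().
def _gzinflate(data: bytes) -> bytes:
    # raw DEFLATE with no zlib header, which is what PHP gzinflate() expects
    return zlib.decompress(data, -zlib.MAX_WBITS)


DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": _gzinflate,
    "gzuncompress": zlib.decompress,  # zlib-wrapped stream, like PHP gzuncompress()
    "str_rot13": lambda d: codecs.encode(d.decode("latin-1"), "rot_13").encode("latin-1"),
}

# eval( f1( f2( "...base64..." ) ) );  -> group 1 = wrapper chain, group 2 = literal
LAYER_RE = re.compile(
    rb"""eval\s*\(\s*((?:\w+\s*\(\s*)+)["']([A-Za-z0-9+/=]+)["']\s*\)+\s*;?""", re.S
)


def peel_eval(src: bytes, max_layers: int = 10):
    """Unwrap nested eval(...) wrappers until none with known decoders remain.
    Returns (innermost payload, list of wrapper chains, outermost first)."""
    layers, cur = [], src
    for _ in range(max_layers):
        m = LAYER_RE.search(cur)
        if not m:
            break
        funcs = [f.decode() for f in re.findall(rb"\w+", m.group(1))]
        if any(f.lower() not in DECODERS for f in funcs):
            break  # unknown wrapper: stop and report what we have rather than guess
        data = m.group(2)
        try:
            for fn in reversed(funcs):  # the innermost call runs first in PHP
                data = DECODERS[fn.lower()](data)
        except (ValueError, zlib.error):
            break  # corrupt or truncated literal
        layers.append(funcs)
        cur = data
    return cur, layers


# Static indicators for the behaviour described in the post.
INDICATORS = {
    "eval_at_top": re.compile(rb"^\s*<\?php\s+eval\s*\("),
    "location_redirect": re.compile(rb"""header\s*\(\s*["']Location:""", re.I),
    "bot_ua_check": re.compile(
        rb"(?:bot|crawl|spider).{0,200}?HTTP_USER_AGENT|HTTP_USER_AGENT.{0,200}?(?:bot|crawl|spider)",
        re.I | re.S,
    ),
}


def triage(src: bytes) -> dict:
    """Peel the dropper and report which redirector indicators the payload shows."""
    payload, layers = peel_eval(src)
    hits = {"eval_at_top": bool(INDICATORS["eval_at_top"].search(src))}
    for name in ("location_redirect", "bot_ua_check"):
        hits[name] = bool(INDICATORS[name].search(payload))
    m = re.search(rb"""Location:\s*([^"'\s]+)""", payload)
    return {
        "layers": layers,
        "indicators": hits,
        "redirect_target": m.group(1).decode(errors="replace") if m else None,
    }


# Constructed sample: a stand-in dropper with the same shape as the one analysed
# above (eval() first thing in the file, wrapping a bot-aware redirector).
def _gzdeflate(data: bytes) -> bytes:
    co = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return co.compress(data) + co.flush()


INNER_PAYLOAD = b"""<?php
if (!preg_match('/bot|crawl|spider/i', $_SERVER['HTTP_USER_AGENT'])) {
    header("Location: http://redirect.example/");
    exit;
}
"""
SAMPLE_DROPPER = (
    b'<?php eval(gzinflate(base64_decode("'
    + base64.b64encode(_gzdeflate(INNER_PAYLOAD))
    + b'")));'
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DROPPER), indent=2))
```

Running it on the constructed dropper reports one wrapper chain (gzinflate over base64_decode), all three indicators set, and the redirect target pulled from the decoded payload; on a file without a decodable eval() wrapper it simply scans the source as-is, so the same function serves for already-deobfuscated copies like the second VirusTotal submission.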
References
VirusTotal
Obfuscated - https://www.virustotal.com/en/file/dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee/analysis/
DeObfuscated - https://www.virustotal.com/en/file/66899269383bd479b0e29a5136e496bbd8d068daf514909bf7b2f30174dac0b9/analysis