Encryption

PHP Version

7.4.33

Cryptor

OpenSSL

Cipher

bf-cbc

mb_internal_encoding

UTF-8

IP Validation

$headers from get_ip()

Array
(
    [Incap-Client-Ip] => 184.154.76.19
    [X-Forwarded-For] => 184.154.76.19
    [Cdn-Loop] => IncapCDN; id="1226_2886449"
    [User-Agent] => SiteLock (Module: SmartDB; Source: https://www.sitelock.com/; Version: 1.0)
    [Host] => campaignmailer.us
    [Connection] => TE, close
    [Te] => deflate,gzip;q=0.3
)

IP Check started in

/home/campaip5/public_html/tmp/7a24d48db7f61fca80d0ac4960369922.php

IP Check started at

2023-03-02T13:10:21-05:00

The following IPs will be tested

Array
(
    [0] => 184.154.76.19
    [1] => 198.143.60.8
)

mapi_post URL

https://mapi.sitelock.com/v3/connect/

mapi_post_request

Array
(
    [pluginVersion] => 100.0.0
    [apiTargetVersion] => 3.0.0
    [token] => 8f65cc7e653375e27682204c46e36fd7
    [requests] => Array
        (
            [id] => 50b1faf19c99e7715ac096c62daaec21-16777806214711
            [action] => validate_ip
            [params] => Array
                (
                    [site_id] => 33526721
                    [ip] => 184.154.76.19
                )

        )

)

mapi_request

eyJwbHVnaW5WZXJzaW9uIjoiMTAwLjAuMCIsImFwaVRhcmdldFZlcnNpb24iOiIzLjAuMCIsInRva2VuIjoiOGY2NWNjN2U2NTMzNzVlMjc2ODIyMDRjNDZlMzZmZDciLCJyZXF1ZXN0cyI6eyJpZCI6IjUwYjFmYWYxOWM5OWU3NzE1YWMwOTZjNjJkYWFlYzIxLTE2Nzc3ODA2MjE0NzExIiwiYWN0aW9uIjoidmFsaWRhdGVfaXAiLCJwYXJhbXMiOnsic2l0ZV9pZCI6IjMzNTI2NzIxIiwiaXAiOiIxODQuMTU0Ljc2LjE5In19fQ==

curl_getinfo()

Array
(
    [url] => https://mapi.sitelock.com/v3/connect/
    [content_type] => text/html; charset=UTF-8
    [http_code] => 200
    [header_size] => 784
    [request_size] => 462
    [filetime] => -1
    [ssl_verify_result] => 20
    [redirect_count] => 0
    [total_time] => 0.308345
    [namelookup_time] => 0.000187
    [connect_time] => 0.01602
    [pretransfer_time] => 0.034074
    [size_upload] => 324
    [size_download] => 510
    [speed_download] => 1653
    [speed_upload] => 1050
    [download_content_length] => -1
    [upload_content_length] => 324
    [starttransfer_time] => 0.308251
    [redirect_time] => 0
    [redirect_url] => 
    [primary_ip] => 45.60.12.54
    [certinfo] => Array
        (
        )

    [primary_port] => 443
    [local_ip] => 162.214.124.68
    [local_port] => 50156
    [http_version] => 2
    [protocol] => 2
    [ssl_verifyresult] => 0
    [scheme] => HTTPS
    [appconnect_time_us] => 34024
    [connect_time_us] => 16020
    [namelookup_time_us] => 187
    [pretransfer_time_us] => 34074
    [redirect_time_us] => 0
    [starttransfer_time_us] => 308251
    [total_time_us] => 308345
)

mapi_response

{"apiVersion":"3.0.1","status":"ok","globalResponse":null,"banner":null,"forceLogout":false,"newToken":null,"now":1677780619,"responses":[{"id":"50b1faf19c99e7715ac096c62daaec21-16777806214711","data":{"ip_address":"184.154.76.19","valid":true},"raw_api_url":"https:\/\/api.sitelock.com\/v1\/8f65cc7e653375e27682204c46e36fd7\/dbscan\/checkip","raw_response":{"@attributes":{"version":"1.1","encoding":"UTF-8"},"checkIP":{"status":"1"}},"raw_request":{"site_id":"33526721","ip":"184.154.76.19"},"status":"ok"}]}

UnzipAndApply

_ZIPFILE

9f3b20ffba76c5ee970ba1a47f5fadc6.zip

_GET (raw)

cmd=db_creds_ready&enc_db_creds=OZ0TJEnUvIjd0GLW7QvAbwdpWDFljiGRssqO7CnVvUgnsL0E1AoPMEM3heuCxpjGPANG2n%2FIaWCqNhFCls%2Fka5V20zZIgyk6SW2jeVowc6creZqhkvv72yt6PK62j7wUNYRxCDH%2BsUCTCLG2H1%2Bpy9hv7JVruLXbnj6N%2B1CFvIkV1Uq9OPTlyBnxq3rjf2tL7koEDYnfi7I%3D&on_version_conflict=fix&smart_single_download_id=4314959&zip_md5=f1b6b4024587a4744f9ccc1a5fa3eea6

Detected memory_limit

32M

Chunk Size

1048576 (reduced from 10485760)

on_version_conflict

fix

ZIP file exists at './9f3b20ffba76c5ee970ba1a47f5fadc6.zip' ?

YES

Failed shell_exec( /usr/bin/unzip '/home/campaip5/public_html/tmp/9f3b20ffba76c5ee970ba1a47f5fadc6.zip' -d '/home/campaip5/public_html/tmp/.a0f65d3b59946cdf4fb49acc6a1c8e8e' ).

shell_exec_not_available

Attempting to use ZipArchive for extract.

good luck!

$_ZIP_MD5 received

f1b6b4024587a4744f9ccc1a5fa3eea6

Dropping original zip containing chunks: ./9f3b20ffba76c5ee970ba1a47f5fadc6.zip

OK

opening new ZIP to dump unencrypted chunks into. Will use Ciper: bf-cbc and Mode: 0

./.a0f65d3b59946cdf4fb49acc6a1c8e8e/zip_dump.zip

bytes in the chunk ./.a0f65d3b59946cdf4fb49acc6a1c8e8e/9f3b20ffba76c5ee970ba1a47f5fadc6.zip.0

bytes written after decrypting chunk: ./.a0f65d3b59946cdf4fb49acc6a1c8e8e/9f3b20ffba76c5ee970ba1a47f5fadc6.zip.0

closed new ZIP

./.a0f65d3b59946cdf4fb49acc6a1c8e8e/zip_dump.zip

zip-md5-compare

Array
(
    [MD5 expected] => f1b6b4024587a4744f9ccc1a5fa3eea6
    [MD5 received] => f1b6b4024587a4744f9ccc1a5fa3eea6
)

Failed shell_exec( /usr/bin/unzip '/home/campaip5/public_html/tmp/.a0f65d3b59946cdf4fb49acc6a1c8e8e/zip_dump.zip' -d '/home/campaip5/public_html/tmp/.a0f65d3b59946cdf4fb49acc6a1c8e8e' ).

shell_exec_not_available

Attempting to use ZipArchive for extract.

good luck!

data-zip-extract

done

removed ZIP dump

./.a0f65d3b59946cdf4fb49acc6a1c8e8e/zip_dump.zip

RAW_CONTENTS

update,Users,281,802414,WebAddress,cf9783f08fe69d5b8c757fae0b283fee,

Starting MySQLi constructor

$processed_data

Array
(
    [0] => Array
        (
            [0] => update
            [1] => Users
            [2] => 281
            [3] => 802414
            [4] => WebAddress
            [5] => cf9783f08fe69d5b8c757fae0b283fee
            [6] => 
        )

)

$_PLATFORM

other

$content

Array
(
    [0] => update
    [1] => Users
    [2] => 281
    [3] => 802414
    [4] => WebAddress
    [5] => cf9783f08fe69d5b8c757fae0b283fee
    [6] => 
)

Total updates in original logic

UNZIP & APPLY COMPLETE _XML

<xml version="1.0" encoding="UTF-8"><update_result><db_scan_id>58700</db_scan_id><site_id>33526721</site_id><result id="802414" status="fixed" err_msg="" /><status>ok</status></update_result></xml>

mapi_post URL

https://mapi.sitelock.com/v3/connect/

mapi_post_request

Array
(
    [pluginVersion] => 100.0.0
    [apiTargetVersion] => 3.0.0
    [token] => 8f65cc7e653375e27682204c46e36fd7
    [requests] => Array
        (
            [id] => 8a43da16772c724d02151057dfc56a63-16777806217888
            [action] => dbscan_complete
            [params] => Array
                (
                    [xml] => XY7NCsIwEIRfJexdk/7ZHjY5+gR6DrWJEmzTkk2lj+9iEcTbMDN8M7hNo3j5RGGOGoqjAuHjMLsQHxqul/OhA4Pr4vrsbfK0jtmgu1ka+miDM03XKoXyx0EKXGVRVU15assC5dfBHSCC09Cpsi5qEJT7vJKGe9i84+2U7EQ8DUIy6hOa+cmMXaL8+yL5v3kD
                    [gzmode] => gzdeflate
                )

        )

)

mapi_request

eyJwbHVnaW5WZXJzaW9uIjoiMTAwLjAuMCIsImFwaVRhcmdldFZlcnNpb24iOiIzLjAuMCIsInRva2VuIjoiOGY2NWNjN2U2NTMzNzVlMjc2ODIyMDRjNDZlMzZmZDciLCJyZXF1ZXN0cyI6eyJpZCI6IjhhNDNkYTE2NzcyYzcyNGQwMjE1MTA1N2RmYzU2YTYzLTE2Nzc3ODA2MjE3ODg4IiwiYWN0aW9uIjoiZGJzY2FuX2NvbXBsZXRlIiwicGFyYW1zIjp7InhtbCI6IlhZN05Dc0l3RUlSZkpleGRrXC83WkhqWTUrZ1I2RHJXSkVtelRrazJsais5aUVjVGJNRE44TTdoTm8zajVSR0dPR29xakF1SGpNTHNRSHhxdWxcL09oQTRQcjR2cnNiZkswanRtZ3Uxa2ErbWlETTAzWEtvWHl4MEVLWEdWUlZVMTVhc3NDNWRmQkhTQ0MwOUNwc2k1cUVKVDd2SktHZTlpODQrMlU3RVE4RFVJeTZoT2ErY21NWGFMOCt5TDV2M2tEIiwiZ3ptb2RlIjoiZ3pkZWZsYXRlIn19fQ==

curl_getinfo()

Array
(
    [url] => https://mapi.sitelock.com/v3/connect/
    [content_type] => text/html; charset=UTF-8
    [http_code] => 200
    [header_size] => 783
    [request_size] => 710
    [filetime] => -1
    [ssl_verify_result] => 20
    [redirect_count] => 0
    [total_time] => 2.762649
    [namelookup_time] => 0.000173
    [connect_time] => 0.015917
    [pretransfer_time] => 0.034185
    [size_upload] => 572
    [size_download] => 278
    [speed_download] => 100
    [speed_upload] => 207
    [download_content_length] => -1
    [upload_content_length] => 572
    [starttransfer_time] => 2.760327
    [redirect_time] => 0
    [redirect_url] => 
    [primary_ip] => 45.60.12.54
    [certinfo] => Array
        (
        )

    [primary_port] => 443
    [local_ip] => 162.214.124.68
    [local_port] => 50160
    [http_version] => 2
    [protocol] => 2
    [ssl_verifyresult] => 0
    [scheme] => HTTPS
    [appconnect_time_us] => 34129
    [connect_time_us] => 15917
    [namelookup_time_us] => 173
    [pretransfer_time_us] => 34185
    [redirect_time_us] => 0
    [starttransfer_time_us] => 2760327
    [total_time_us] => 2762649
)

mapi_response

{"apiVersion":"3.0.1","status":"ok","globalResponse":null,"banner":null,"forceLogout":false,"newToken":null,"now":1677780622,"responses":[{"id":"8a43da16772c724d02151057dfc56a63-16777806217888","data":{},"raw_api_url":null,"raw_response":null,"raw_request":null,"status":"ok"}]}

delete_unique_directory - rmdir( $path )

./.a0f65d3b59946cdf4fb49acc6a1c8e8e

Bullet run time, seconds.

3.08