File 8EEfu6gM is the result of `wget https://pastebin.com/raw/8EEfu6gM`
- Pretty-print 8EEfu6gM into `f1.php`
- Change "eval" to "print", invoke `php f1.php > dc1.php`
- Pretty-print `dc1.php` into `f2.php`
- The decoding function uses a variable `$_X` defined in `f1.php`
- Edit `f2.php` into `f1.php`.
- Invoke `php f1.php > dc2.php`
- Pretty-print `dc2.php` into `f3.php`
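The eval-to-print step in the list above can be scripted. The following is an added example, not part of the original analysis: the function names and the sample file are constructed here. It goes one step beyond the list by refusing to invoke php when other execution calls remain in the file, since php still runs everything that was not rewritten.

```shell
#!/bin/sh
# Added example: script the "change eval to print" step for one layer.
# The sample and all function names are constructed for illustration.

# Constructed stand-in for a packed layer (not the contents of the real paste).
write_sample() {
    cat > "$1" <<'EOF'
<?php
$_X = 'cGhwaW5mbygpOw==';
eval(base64_decode($_X));
$n = doubleval('1.5');
EOF
}

# Rewrite every eval( call to print( so the next layer is emitted, not run.
# The leading group keeps names that merely end in "eval" (doubleval) intact;
# the t-loop repeats the substitution so nested eval(eval(...)) is covered.
defang_eval() {
    sed -E -e ':a' \
        -e 's/(^|[^[:alnum:]_])[eE][vV][aA][lL][[:space:]]*\(/\1print(/' \
        -e 'ta' "$1"
}

# List lines that still call a code- or command-execution function.
# Exit status follows grep: 0 when something was found.
remaining_sinks() {
    grep -n -i -E '(^|[^[:alnum:]_])(eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\(' "$1"
}

# Defang src, refuse to run it if sinks remain, else write the decoded layer to dst.
peel_layer() {
    src=$1 dst=$2
    tmp=$(mktemp) || return 1
    defang_eval "$src" > "$tmp"
    if remaining_sinks "$tmp" >&2; then
        echo "refusing to run $src: execution calls remain" >&2
        rm -f "$tmp"
        return 2
    fi
    php "$tmp" > "$dst"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh peel.sh f1.php dc1.php
if [ "$#" -eq 2 ]; then peel_layer "$1" "$2"; fi
```

When a later layer needs a variable such as `$_X` from the earlier file, the defanged output still has to be merged by hand as in the steps above.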
Now we can reasonably compare this pastebin occurrence with the one my honey pot caught to see how the "Martyr's Crew" does software engineering.
This version: Jijle3 PHP Shell v 0.1
The one I caught: Jijle3 PHP Shell v 0.1.8
A number of HTML and spelling changes occurred between v0.1 and v0.1.8, and a small amount of dead code got deleted.
It looks like not much changes, except appearance. I think that's consistent with timid programmers who may not have a good grasp of what their code base is intended to do. Since the code base is filled with borrowed or copied code, that makes a lot of sense.