how to decode base64 php code

brooksh · March 11, 2012

I downloaded a script and now it's using 100% of my server's resources. I believe the script has malicious code but I am unable to decode it to see. Can someone please explain to me how to view the source code?

The first part of the script is:

<?php /*  */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x39c;

Part 2:

eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDg5KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>

Last Part:

flkje~EnhJbS~rkD8a09j409j409jz6PbDJydnHrCTukiYA7zaCiMpT7zeAE1LALQct+fa098eH+6NHEQLALQHt+fa09jNH98eHG1W0+feH9jNH98eRD8eH+6NH+feH91Yt+6NH98eH+6NHE1W0+6NH+6NH9jNSE1PZwjT/ZTWjVtp8WfMOPzRH9mPSGfzhy6PsxBXgIn4DimmVM7nfrsW4Mm9U96npxTnLyCyFkASC2dw0rbkmVsaE0iy5DfT12fWTWtPLiMSE+8zZ+z4WMmwMnnk7sTmxVsDukCndkFXSxdq5rsOUybTgyBWzPAPcI7RH9+L6wjMFw6YOGgeAGitSZFkurCa6kiYt+6NH98eH+6NHG+qmPdT5G1W0+6NH+6NH+6NSZH==1dmhVFpzkCMRLdmhVgaXyb45xswXPCmUrmafrBNhyCXHLQtv1QWhV7kmkFTfxsahLjfYDgyv1QW6rsTgPbtq0dT6yFmArQYAPFnQyFmfknafx7W5kiy5DbPmVAwSPCnJPCmfrCMSZHRtyFzXyAWOE+OXyBwSkFcRDBPmVAwSPCnJxFnOPFagk1y5DbPmVAwSPCnJxFnOPFagk1tv1QW6rsTgPbtq0dT6yFmArQYAPFnQyFmfknatk7wuydmHPCmUrQy5DbPmVAwSPCnJkCn6VBDSybWSrFcSZHRtyFzXyAWOE+OXyBwSkFcRDBWSPCpm7FXmVsWmyu8AE1Wfx7W5knaRksTtk7LpG+5GDbwqV7DfIifoV7w6xsPhG1Pfx7W5knaRksTtk7LgDgHtPCmfrCnJxCnXkCng9Qtv1QW6rsTgPbtq0dT6yFmArQYArdTFksPXPCmUrQy5DCOXPdnAV7WSrFcSZHRtyFzXyAWOE+OXyBwSkFcRDFWXPCMAECWXPCMRLtVYk1HYsiLSG+5GDbwqV7DfIifoV7w6xsPhG1PhV7kmkFTfxsahDgHtrdTFksPXPCmUrQtv1QW6rsTgPbtq0dT6yFmArQYAkCaqVsmh7Bngr1y5DCWUrsTSrmazydHSZHRtyFzXyAWOE+OXyBwSkFcRDFWUrsTSrQy5DCWUrsTSrQtv1QW6rsTgPbtq0dT6yFmArQYAxCaqknaHVsPmDgHtxCaqknaHVsPmG+5GDbwqV7DfIifoV7w6xsPhG1PtV7Wm7BmmV7LAECWXPCMRLmtQGitv1QW6rsTgPbtq0dT6yFmArQYAyFXUybSSrCpX7BWgVsw3xsOADgHtyFXUybSSrCpX7BWgVsw3xsOAG+5GDbwqV7DfIifokCm6yCpXIiYAxsOtk7YhPb45Dgtv1Y==srg^bL]qNZ|xKoYHhm

requinix · March 11, 2012

It's complicated.

Can you post the whole file unedited?

brooksh · March 11, 2012

This is one of the files unedited:

<?php /*  */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x39c;eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDg5KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>flkje~EnhJbS~rkD8a09j409j409jz6PbDJydnHrCTukiYA7zaCiMpT7zeAE1LALQct+fa098eH+6NHEQLALQHt+fa09jNH98eHG1W0+feH9jNH98eRD8eH+6NH+feH91Yt+6NH98eH+6NHE1W0+6NH+6NH9jNSE1PZwjT/ZTWjVtp8WfMOPzRH9mPSGfzhy6PsxBXgIn4DimmVM7nfrsW4Mm9U96npxTnLyCyFkASC2dw0rbkmVsaE0iy5DfT12fWTWtPLiMSE+8zZ+z4WMmwMnnk7sTmxVsDukCndkFXSxdq5rsOUybTgyBWzPAPcI7RH9+L6wjMFw6YOGgeAGitSZFkurCa6kiYt+6NH98eH+6NHG+qmPdT5G1W0+6NH+6NH+6NSZH==1dmhVFpzkCMRLdmhVgaXyb45xswXPCmUrmafrBNhyCXHLQtv1QWhV7kmkFTfxsahLjfYDgyv1QW6rsTgPbtq0dT6yFmArQYAPFnQyFmfknafx7W5kiy5DbPmVAwSPCnJPCmfrCMSZHRtyFzXyAWOE+OXyBwSkFcRDBPmVAwSPCnJxFnOPFagk1y5DbPmVAwSPCnJxFnOPFagk1tv1QW6rsTgPbtq0dT6yFmArQYAPFnQyFmfknatk7wuydmHPCmUrQy5DbPmVAwSPCnJkCn6VBDSybWSrFcSZHRtyFzXyAWOE+OXyBwSkFcRDBWSPCpm7FXmVsWmyu8AE1Wfx7W5knaRksTtk7LpG+5GDbwqV7DfIifoV7w6xsPhG1Pfx7W5knaRksTtk7LgDgHtPCmfrCnJxCnXkCng9Qtv1QW6rsTgPbtq0dT6yFmArQYArdTFksPXPCmUrQy5DCOXPdnAV7WSrFcSZHRtyFzXyAWOE+OXyBwSkFcRDFWXPCMAECWXPCMRLtVYk1HYsiLSG+5GDbwqV7DfIifoV7w6xsPhG1PhV7kmkFTfxsahDgHtrdTFksPXPCmUrQtv1QW6rsTgPbtq0dT6yFmArQYAkCaqVsmh7Bngr1y5DCWUrsTSrmazydHSZHRtyFzXyAWOE+OXyBwSkFcRDFWUrsTSrQy5DCWUrsTSrQtv1QW6rsTgPbtq0dT6yFmArQYAxCaqknaHVsPmDgHtxCaqknaHVsPmG+5GDbwqV7DfIifoV7w6xsPhG1PtV7Wm7BmmV7LAECWXPCMRLmtQGitv1QW6rsTgPbtq0dT6yFmArQYAyFXUybSSrCpX7BWgVsw3xsOADgHtyFXUybSSrCpX7BWgVsw3xsOAG+5GDbwqV7DfIifokCm6yCpXIiYAxsOtk7YhPb45Dgtv1Y==srg^bL]qNZ|xKoYHhm

If I take the middle code and decode it:

highlight_string(base64_decode('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDdkKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));

It displays this:

$O000O0O00=$OOO000O00($OOO0O0O00,'rb');$O0O00OO00($O000O0O00,0x47d);$OO00O00O0=$OOO0000O0($OOO00000O($O0O00OO00($O000O0O00,0x17c),'N41j8TCbLDGE9wZ02Wi+Mns7VkxryPIJYXQutmdARS/35qhUHpg6fzFBcOlveaoK=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));eval($OO00O00O0);

But that's as far as I've been able to go.

trq · March 11, 2012

There is probably a reason it is hidden, what license is this software under?

requinix · March 11, 2012

Thanks for the heads-up thorpe.

brooksh, if you didn't see, the code is not malicious. It's quite simple and could not cause the 100% usage you're seeing.

brooksh · March 11, 2012

the script is malicious, it sends out strange requests. Anyways, I figured it out. look for the == sign.

simotenax · May 22, 2012

that's my decrypted output

<?php

include("inc/application_top.php");
$navegation = '';
$smarty->assign('website_title',$website_title);
$smarty->assign('website_keyword',$website_keyword);
$smarty->assign('website_description',$website_description);
$smarty->assign('title_header1',$title_header1);
$smarty->assign('title_header2',$title_header2);
$smarty->assign('navegation',$navegation);
$smarty->assign('date',date("F d, Y"));
$smarty->assign('navegation',$navegation);
$smarty->assign('domain_url',$domain_url);
$smarty->assign('domain',$domain);
$smarty->assign('home_page',$home_page);
$smarty->assign('date_year',date("Y"));
$smarty->assign('shopzilla_tracking',$shopzilla_tracking);
$smarty->display('index.tpl');

Sign In

how to decode base64 php code

Recommended Posts

brooksh

Link to comment

Share on other sites

requinix

Link to comment

Share on other sites

brooksh

Link to comment

Share on other sites

trq

Link to comment

Share on other sites

requinix

Link to comment

Share on other sites

brooksh

Link to comment

Share on other sites

simotenax

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information