Decoding malicious php script from my hacked server

newbiecoder

WARNING: I believe this code is malicious....

I recently had a webserver hacked and have identified the suspect code. However it has clearly been obfuscated to hide what it does.

I want to understand what code the script was executing on my server, and also the process used to decode the code.

This is the original code (sorry can't work out how to display it over more than one line):

// Code removed by mod

Which following guidance in these forums, by converting 'eval' to 'print' a couple of times I got to this code.... (hopefully I've decoded it correctly this far).

// Code removed by mod

However, I suspect if I run this resultant code it will still execute something nasty so I'm not sure how to decode from here. Please help!

Thanks in advance.

bradgrafelman

Sorry, but I've had to remove the code you posted. It's either malicious (as you've suggested), in which case I wouldn't want someone to accidentally execute it as-is, or it's encoded for other reasons (e.g. protection/copyright).

If you truly want to figure out what the code does, you'll simply have to follow through the process of echo'ing out a statement that was eval()'d to see what it does, replace the eval() with that statement or statements (assuming they're benign), and move on to the next eval()'d statement and repeat the process.

johanafm

If you've been hacked, there's just one way to go. Format, clean install, new passwords, use last backup of your website from before it was hacked. If you know you've been hacked, you cannot assume that you know everything they have done with your machine. You should however assume that you are no longer (the only one) in control of it. But you are still responsible for it.