Client website compromised, found a strange .php file. Any ideas?
- by Kevin Strong
I do support work for a web development company and I found a suspicious file today on the website of one of our clients called "hope.php" which contained several eval(gzuncompress(base64_decode('....'))) commands (which on a site like this, usually indicates that they've been hacked).
Searching for the compromised site on Google, we got a bunch of results which link to hope.php with various query strings that seem to generate different groups of SEO terms, like so:
(the second result from the top is legitimate, all the rest are not)
Here is the source of "hope.php":
http://pastebin.com/7Ss4NjfA
And here is the decoded version I got by replacing the eval()s with echo():
http://pastebin.com/m31Ys7q5
Any ideas where this came from or what it is doing? I've of course already removed the file from the server, but I've never seen code like this so I'm rather curious as to its origin. Where could I go to find more info about something like this?
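A safer way to get the decoded version than swapping eval() for echo() and running the file is to peel the eval(gzuncompress(base64_decode('...'))) layers statically, without ever handing the payload to a PHP interpreter. The script below is an added example, not code from the original post or from hope.php; the obfuscated sample it decodes is constructed in the script itself (a benign inner snippet wrapped the same way the post describes), and the helper names (wrap_layer, unwrap, decode_payload) are this example's own. PHP's gzuncompress expects zlib-format data, which is what Python's zlib.decompress accepts by default.

```python
"""Static unwrapper for eval(gzuncompress(base64_decode('...'))) layers.

Decodes each wrapper the same way the PHP would, but never executes it.
Constructed example; not part of the original post or of hope.php.
"""
import base64
import re
import zlib
from typing import List

# One eval(gzuncompress(base64_decode('<b64>'))) call with a literal string.
# Variables, concatenation or other decoders are deliberately left untouched.
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"
)

MAX_DEPTH = 32  # guard against runaway nesting


def decode_payload(b64: str) -> str:
    """base64 -> zlib inflate, mirroring base64_decode + gzuncompress."""
    raw = base64.b64decode("".join(b64.split()), validate=True)
    return zlib.decompress(raw).decode("utf-8", errors="replace")


def unwrap(source: str, max_depth: int = MAX_DEPTH) -> List[str]:
    """Return every layer, outermost first, until no wrapper remains.

    Each eval(...) call is replaced in place by the code it would have
    executed, so surrounding PHP and multiple wrappers per file survive.
    A payload that is not valid base64/zlib is kept verbatim and the
    unwrapping stops there instead of guessing.
    """
    layers = [source]
    for _ in range(max_depth):
        current = layers[-1]
        failed = False

        def _sub(m: "re.Match") -> str:
            nonlocal failed
            try:
                return decode_payload(m.group(2))
            except (ValueError, zlib.error):  # binascii.Error is a ValueError
                failed = True
                return m.group(0)

        nxt = LAYER_RE.sub(_sub, current)
        if nxt == current:
            break
        layers.append(nxt)
        if failed:
            break
    return layers


def wrap_layer(php: str) -> str:
    """Build one wrapper the way the dropper would; used only to make the sample."""
    payload = base64.b64encode(zlib.compress(php.encode())).decode()
    return f"eval(gzuncompress(base64_decode('{payload}')));"


# Constructed sample mimicking the shape of hope.php: one snippet wrapped
# twice, plus a second single-layer wrapper in the same file.
INNER = "echo 'layer reached';"
SAMPLE = "<?php " + wrap_layer(wrap_layer(INNER)) + "\n" + wrap_layer("echo 'second';") + " ?>"

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE)):
        print(f"--- layer {depth} ---")
        print(layer)
```

Run it on the real file by reading hope.php into a string and passing that to unwrap(); the last element of the returned list is the code the server would actually have executed, which is what you want to read (and search for, e.g. the query-string handling behind those Google results) without it ever running on your machine.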