I’ve been digging through some PHP files that are trying very hard to hide what they are doing. Basically, the PHP code is base64 encoded and then compressed. The blob of random text is then stuffed into a PHP file which calls
eval(gzinflate(base64_decode("BLOB OF TEXT")));
to decode it and execute it on the web server. While it obscures what the code is doing (briefly), it fairly screams that something is not right with this file.
First to find any PHP files which use this on your server use:
egrep -r "eval\(gzinflate\(base64_de" --include=*.php .
That will find the offending files. To see what they did, I copied everything inside the “eval()” statement. Then I dumped it into a text file on my laptop, in something that looked like this:
[php]
<?php
$x = gzinflate(base64_decode("BLOB OF TEXT"));
print $x;
?>
[/php]
Instead of displaying it in a browser, I called it from the command line.
> php foobar.txt
The code gets base64 decoded, decompressed and displayed in my console window. Because I removed “eval()” from the code, I could see what the attacker was doing without worrying about executing bad code on my system or viewing it in my browser.
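The same decode step, done outside of PHP so nothing in the blob can run, as an added example that is not from the original post: this Python script finds the eval(gzinflate(base64_decode("..."))) loader in a file, base64-decodes the blob and inflates it as raw DEFLATE (wbits=-15, which is what gzinflate expects), and repeats while the decoded text is itself another such loader, since these files are often wrapped several layers deep. The obfuscated sample it works on is constructed inside the script by make_sample; the function names and the layer limit are my own choices, not anything from the post.

```python
import base64
import re
import sys
import zlib
from typing import Tuple

# The one-line loader pattern from the post; group 1 captures the quoted blob.
LOADER_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'
    r'["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)\s*\)',
    re.IGNORECASE,
)


def decode_layer(blob: str) -> str:
    """base64-decode the blob, then inflate it as raw DEFLATE (PHP gzinflate)."""
    raw = base64.b64decode("".join(blob.split()))
    # wbits=-15: raw deflate stream, no zlib/gzip header, matching gzinflate().
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")


def unwrap(php_source: str, max_layers: int = 10) -> Tuple[str, int]:
    """Peel loader layers until the text no longer contains one.

    Returns (final_text, layers_removed). Nothing is ever executed; the
    payload is only decoded and returned as text for inspection.
    """
    current = php_source
    layers = 0
    while layers < max_layers:
        m = LOADER_RE.search(current)
        if not m:
            break
        current = decode_layer(m.group(1))
        layers += 1
    return current, layers


def make_sample(inner_php: str, layers: int = 2) -> str:
    """Constructed test input: wrap inner_php in N loader layers the same way
    the obfuscated files do (deflate, then base64, then the eval() wrapper)."""
    body = inner_php
    for _ in range(layers):
        co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate = gzdeflate()
        deflated = co.compress(body.encode()) + co.flush()
        blob = base64.b64encode(deflated).decode()
        body = f'<?php eval(gzinflate(base64_decode("{blob}"))); ?>'
    return body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python unwrap.py suspicious.php  -> prints the decoded payload
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text, n = unwrap(fh.read())
    else:
        # No file given: demonstrate on the constructed sample instead.
        text, n = unwrap(make_sample('<?php echo "hello"; ?>', layers=3))
    print(f"--- removed {n} layer(s) ---")
    print(text)
```

If a file uses a different wrapper (str_rot13, gzuncompress, a second base64 pass) the regex will not match and unwrap returns the text unchanged with a count of 0, which is the signal to look at the file by hand rather than a sign that it is clean.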