2

We had a former employee handling one of our servers where XAMPP was used to host some PHP based websites.

Now that employee left the organization due to some management issues. Yesterday we needed to make some changes to one of our applications and opened the PHP files, just to discover they all are encoded and we are struggling to decrypt them. Can anyone help and tell us what sort of encryption is this and how to recover the codes?

I have pasted a code file at https://pastebin.com/4uwZLZVF

We tried many online PHP decoders, but they tend to generate (mostly) errors in code.

e-sushi
  • 1,296
  • 2
  • 14
  • 41
Nitesh Singh
  • 21
  • 1
  • 1
    That seems like the source code is partly replaced by hex encodings of the characters. If after that replacement reversal the code makes no sense, it might has been obfuscated - that would be horrible. You might just revert in source control (or restore from backup). If it’s obfuscated well, rewriting the app might be faster to deliver maintainable code than de-obfuscation, so just revert the change. If you have no version management and no backup, management has just learned a valueable lesson: have a backup and source control. – Tobi Nary Nov 18 '17 at 13:19
  • I would check the mtime (modification time) on the encoded files. If _all_ encoded files have a new mtime, even those who are not regularely updated, it could indicate if the files were encoded just as he left the company. – Dog eat cat world Nov 18 '17 at 22:29
  • Voting to close as off-topic. It is hex encoded and obfuscated. Unphp is able to decode it. Also, it is **very** poorly written. Throw it out and start over. Sorry :( – Conor Mancone Nov 19 '17 at 03:21
  • 1
    Also, was this employee instructed to obfuscate and encode these files? If not, there is no reason to do such a thing except maliciously to hurt your employer in the event you are terminated. You may have a legal matter on your hands. You also have a management problem on your hands: the fact that you cam get encoded and obfuscated code in your code base without knowing it is **not** a good sign – Conor Mancone Nov 19 '17 at 03:24

0 Answers0