
Small question. I'm trying to figure out what a piece of code does that I came across on a website I visited.

The website has obviously been hacked into, as there's a bunch of minified PHP code up the top of the file. The file (the site's index.php) is showing server-side code, but appears to not execute, as all is shown in plain-text.

I just (20 minutes ago) sent the/an owner and a generic email a message saying their site is most likely hacked, but should take it down nonetheless due to server-side code showing.

All that beside the question: what does the code do?

Partial & not complete screen snippet of said code:

[Image: messed up code]


Some important questions before I post any code though:

  • Can I just post this code here? Got no idea what it does, though have gone as far as to paste it in my own editor and comment out the final executing bit of PHP code (so there's the assumption it now does not function)
  • Is it even allowed to post possibly (very likely I think) malicious code?
  • Would a screen snippet of the code be an idea/alternative?
rkeet
  • Just provide a pastebin link. That's pretty common. However, there are questions on this site about breaking down stuff like this... Give me a minute... – Conor Mancone Oct 28 '18 at 22:03
  • That question and its answers should provide you with everything you need (even if you didn't find the code on your site). To clarify my previous comment you can copy the code up to pastebin.com and paste a link here. Malware gets posted in here all the time, especially PHP malware. You are also welcome to just put it in a code block directly in your question. – Conor Mancone Oct 28 '18 at 22:07
  • @ConorMancone Thank you, hadn't found that one yet. Had gotten that far by myself already. Think this particular code might make it part of a botnet or something. A certain payload is expected and is extracted from between 2 defined strings (which alone look like a normal hash) using `preg_match`. The result is then used in a newly created session, from which another result is extracted and finally executed. After that the error reporting gets turned back on. -> In other words, yep this is a duplicate from what you linked. I was wondering how to figure out what the payload/function would be – rkeet Oct 29 '18 at 08:01
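
A static triage check for the traits described in the comments above, added here as an example and not code from the original thread: it reads PHP source as text (never runs it) and flags the combination of silenced errors, `preg_match`, session use, dynamic execution and two hash-like marker strings. The regexes, the thresholds, the choice of `eval`/`assert`/`create_function` as execution sinks and both sample inputs are assumptions constructed for illustration.

```python
import re

# Traits taken from the comment's description of the injected code; the
# regexes themselves are assumptions made for this example.
CHECKS = {
    "errors_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
    "preg_match": re.compile(r"\bpreg_match\s*\(", re.I),
    "session": re.compile(r"\bsession_start\s*\(|\$_SESSION\b", re.I),
    "dynamic_exec": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
}
# "Look like a normal hash": runs of 32 to 64 hex characters (assumed shape).
HASH_LIKE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32,64}(?![0-9a-f])", re.I)


def triage(php_source: str) -> dict:
    """Statically inspect PHP source text; nothing is executed."""
    hits = sorted(name for name, rx in CHECKS.items() if rx.search(php_source))
    markers = sorted(set(m.lower() for m in HASH_LIKE.findall(php_source)))
    # Minified injections tend to sit on one very long line.
    longest = max((len(line) for line in php_source.splitlines()), default=0)
    # Assumed threshold: most traits present plus two distinct marker strings.
    suspicious = len(hits) >= 3 and len(markers) >= 2
    return {"hits": hits, "markers": markers, "longest_line": longest,
            "suspicious": suspicious}


# Constructed, inert sample with the described shape ($input and $stage2 are
# undefined on purpose, so this fragment does nothing useful if run).
SAMPLE_INJECTED = (
    "<?php error_reporting(0);"
    "if(preg_match('/" + "a1" * 16 + "(.+?)" + "b2" * 16 + "/s',$input,$m)){"
    "session_start();$_SESSION['p']=$m[1];eval($stage2);}"
    "error_reporting(E_ALL); ?>\n<?php require 'app/bootstrap.php';\n"
)
# Constructed benign file that uses sessions legitimately.
SAMPLE_CLEAN = "<?php\nsession_start();\necho 'hello';\n"

if __name__ == "__main__":
    for name, src in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(name, triage(src))
```

The reported marker strings are what to search for in any captured request data, since the payload is expected between them.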
