Since I'm able to uncompress the files on my mac I assume these are real zip files and not just something like renamed php files.
While you're probably right in this case, your assumption might not always hold. A ZIP archive remains valid even if you prepend arbitrary data to it, so it's quite possible to create a file that is simultaneously a valid ZIP archive containing innocent data and also a malicious PHP script. It's not even particularly hard; just concatenate the PHP code and the ZIP file, and make sure (e.g. using __halt_compiler()
) that PHP won't try to parse the appended ZIP archive data.
This trick is legitimately used to create self-extracting ZIP files, but it's perfectly possible to prepend any other hidden data or executable code into a ZIP file in the same way. Some programs may refuse to open such modified ZIP files (but if so, they're technically violating the ZIP format spec), or they may identify the file as something other than a ZIP file by default, but generally, if you feed such a file into code that expects a ZIP file, it will probably be accepted as one.
A more common malicious use of such tricks is to disguise exploit code in a ZIP-based container (e.g. a JAR file) as something harmless (like a GIF image, as in the GIFAR exploit), but there's no reason it couldn't be used in the other direction too, e.g. to bypass a naïve file upload filter that forbids uploading PHP scripts but allows ZIP files, without checking if the uploaded file might be both at the same time.