29 events
when what by license comment
S Dec 7, 2024 at 10:41 history suggested Andrew Morton CC BY-SA 4.0
One of the links to a tool appears to have been taken over by another entity. Replaced with an alternative. And another, but I couldn't find a substitute.
Nov 29, 2024 at 17:38 review Suggested edits
S Dec 7, 2024 at 10:41
S Apr 8, 2021 at 20:24 history suggested CommunityBot CC BY-SA 4.0
Removes animated "oh no!" Old Spice GIF for focus on content
Apr 8, 2021 at 18:24 review Suggested edits
S Apr 8, 2021 at 20:24
Aug 27, 2017 at 17:37 history edited Mark Buffalo CC BY-SA 3.0
deleted 2 characters in body
Mar 16, 2016 at 16:56 history edited Mark Buffalo CC BY-SA 3.0
added passive aggression. updated to link to sandbox. added clarification
Mar 9, 2016 at 14:39 vote accept Mark Buffalo
Feb 25, 2016 at 13:59 comment added Mark Buffalo @IsmaelMiguel Make the edit, or make your own answer. The XORing can usually be defeated by echoing the XOR'd strings. There's an example of echoing a XOR'd string above.
Feb 25, 2016 at 13:56 comment added Ismael Miguel On the section "Commonly exploited PHP functions", you should add the curl_* family, which is really used too. On "Common obsfuscation formats", you should add XORing of strings (E.g.: 'A' ^ 'b' == '<space>').
Feb 25, 2016 at 10:53 review Suggested edits
Feb 25, 2016 at 11:20
Feb 24, 2016 at 17:56 comment added Kaithar @MarkBuffalo Ah, I'd interpreted that more as the exec'd code being stored that way rather than base64_decode call itself being hidden that way. Fair point though.
Feb 24, 2016 at 16:16 comment added Mark Buffalo @Kaithar Yeah, I've covered that in Common obsfuscation formats: #4. Definitely annoying.
Feb 24, 2016 at 16:12 comment added Kaithar A new and interesting variant that seems to have come about of late is to take a string like $nm3 = "dba4ce6_ospt" and then use substring matching to reconstruct the function name like "${$nm3[1].$nm3[2].$nm3[9]...}()" ... since the string can be in any order it's a real pain to grep for.
Feb 23, 2016 at 23:15 history edited Mark Buffalo CC BY-SA 3.0
added 8 characters in body
Feb 23, 2016 at 17:11 history edited Mark Buffalo CC BY-SA 3.0
formatting
Feb 23, 2016 at 15:22 history edited Mark Buffalo CC BY-SA 3.0
added 98 characters in body
Feb 23, 2016 at 15:13 history edited Mark Buffalo CC BY-SA 3.0
deleted 2 characters in body
Feb 23, 2016 at 15:03 history edited Mark Buffalo CC BY-SA 3.0
deleted 31 characters in body
Feb 23, 2016 at 15:03 comment added Mark Buffalo @WumpusQ.Wumbley My bad. I was trying to show that you aren't looking for the hex code column in the table, like on the first website. It's purely a cosmetic thing. Fixed.
Feb 23, 2016 at 15:01 comment added user54862 I'm intrigued by the idea that \u004D and friends aren't hex codes. Does the bold-shouty "HEX" have some specific meaning that I'm not aware of?
Feb 23, 2016 at 14:10 history edited Mark Buffalo CC BY-SA 3.0
added 197 characters in body
Feb 23, 2016 at 13:58 history edited Mark Buffalo CC BY-SA 3.0
added 60 characters in body
S Feb 23, 2016 at 12:50 history suggested NoDataDumpNoContribution CC BY-SA 3.0
the introductory paragraph is not part of the answer, it may be a comment
Feb 23, 2016 at 12:12 review Suggested edits
S Feb 23, 2016 at 12:50
Feb 23, 2016 at 10:43 history edited Mark Buffalo CC BY-SA 3.0
fixed link. fixed fatigued derp
Feb 23, 2016 at 8:23 history edited Mark Buffalo CC BY-SA 3.0
added 43 characters in body
Feb 23, 2016 at 8:05 history edited Mark Buffalo CC BY-SA 3.0
deleted 10 characters in body
Feb 23, 2016 at 7:28 history edited Mark Buffalo CC BY-SA 3.0
deleted 7 characters in body
Feb 23, 2016 at 7:13 history answered Mark Buffalo CC BY-SA 3.0