I came back from the holidays to find that someone used my website's customer upload form to upload a bogus file of some sort.
It’s labeled: “un.php.jpg”
As you can tell, it's not a jpeg.
Inside, the first few lines start with this:
GIF89; <? eval(gzinflate(base64_decode(' 7b3peuJI0jD6+53nmXtQqT3ddhsjwHgrV7mH1cZm B69VdTxCCJBZhCUBNv3WBZ1r+P59V3YicpFSCzau qu5ZzvRMt1EukZFbZERkZMRvJx9+mw6mf/2LorQc
etc... the code goes on and on (60k file though)
Doing a Google search for hack + gzinflate, I came across this site:
I used one of the links there and decoded the php script.
It's a huge script. I’d appreciate it if someone with more PHP knowledge/experience would take a look at it for me.
I’m trying to figure out roughly what it does, and if it worked, what it did.
My primary goal is to be able to either write it off as a failed hack, or fix anything done to the site that I haven’t found and patch this security hole.
I can email the script, or upload it online somewhere upon request
(either the encrypted or decrypted version).
Thank you for your time and help.
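
An added example, not part of the original post: a triage scanner for an upload directory that flags files shaped like the one described above (script extension before an image extension, a header that is not real image magic, a PHP open tag, and the eval(gzinflate(base64_decode( loader). The function names, the SCRIPT_EXTS list and the sample bytes are assumptions made for this example.

```python
import re
from pathlib import Path

# Magic bytes expected for each image extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
}
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}  # assumed list, extend as needed
PHP_OPEN = re.compile(rb"<\?(?:php|=|\s)", re.I)
LOADER = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)

def inspect_upload(name, data):
    """Return a list of reasons why this upload looks like a disguised script."""
    findings = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    if suffixes and suffixes[-1] in MAGIC:
        if any(s in SCRIPT_EXTS for s in suffixes[:-1]):
            findings.append("script extension before image extension")
        if not data.startswith(MAGIC[suffixes[-1]]):
            findings.append("magic bytes do not match image extension")
        # Heuristic: can fire by chance in large binary files, so review hits.
        if PHP_OPEN.search(data):
            findings.append("PHP open tag in image-named file")
    if LOADER.search(data):
        findings.append("eval(gzinflate(base64_decode( loader")
    return findings

def scan_dir(root):
    """Map each suspicious file under root to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = inspect_upload(path.name, path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample shaped like the file in the post (payload replaced).
SAMPLE = b"GIF89; <? eval(gzinflate(base64_decode('AAAA')));"

if __name__ == "__main__":
    print(inspect_upload("un.php.jpg", SAMPLE))
```

Running scan_dir over the upload directory lists any other files with the same shape; a hit says the file is disguised, not whether it was ever executed.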