Can I see what this code is doing? (suspicious code found on one of my servers)

The code starts with an echo of an eval (evaluate PHP code?) of a base64_decode( and then a bunch of str_replaces… and then thousands upon thousands of characters.

echo eval(base64_decode(str_replace('*','a',str_replace('%','B',str_replace('~','F',str_replace('_','z',str_replace('$','x',str_replace('@','d',str_replace('^','3',.......

If I want to ‘decode’ this code safely so that I can see what it would do, can I run the PHP file without the ‘eval’ bit? …

echo base64_decode(str_replace('*','a',str_replace('%','B',str_replace('~','F',str_replace('_','z',str_replace('$','x',str_replace('@','d',str_replace('^','3',.......

Yes, you can, as long as it’s just base64_decodes and str_replaces.

If you want to be extra safe, copy/paste the code (without eval) into Teh Playground and run it there.

And yes, that does look suspicious. Just Google ‘eval(base64_decode(str_replace’ and you’ll see what I mean. Some links:

Site hacked | WordPress.org
(which links to) javascript - Got Hacked - Anyone know what this PHP Code Does? - Stack Overflow
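As an added example (not code from the thread), the same “run it without the eval” idea done offline in Python: it reconstructs what PHP’s str_replace() and base64_decode() would return without executing any PHP at all. The substitution pairs are copied from the snippet in the question; the sample payload and the build_sample() helper are constructed for the demo.

```python
"""Statically undo an eval(base64_decode(str_replace(...))) chain.

Reproduces what PHP's str_replace() and base64_decode() would return,
without executing PHP, so the hidden payload can simply be read.
"""
import base64
import re

# Matches one str_replace('search','replace', call. Assumes plain single
# quoted literals with no escaped quotes, as in the snippet from the question.
REPLACE_RE = re.compile(r"str_replace\('([^']*)'\s*,\s*'([^']*)'\s*,\s*")

# Substitution pairs copied from the question's snippet, outermost first.
SAMPLE_PAIRS = [('*', 'a'), ('%', 'B'), ('~', 'F'), ('_', 'z'),
                ('$', 'x'), ('@', 'd'), ('^', '3')]


def decode_chain(php_snippet: str) -> str:
    """Return the text eval() would have executed for this snippet."""
    calls = list(REPLACE_RE.finditer(php_snippet))  # textual order: outermost first
    if not calls:
        raise ValueError("no str_replace() chain found")
    literal = re.match(r"'([^']*)'", php_snippet[calls[-1].end():])
    if literal is None:
        raise ValueError("innermost string literal not found")
    blob = literal.group(1)
    # PHP evaluates the innermost call first, so apply the pairs in reverse.
    for search, replacement in reversed([m.groups() for m in calls]):
        blob = blob.replace(search, replacement)
    # validate=True: a leftover non-base64 character means a replacement was missed.
    payload = base64.b64decode(blob, validate=True)
    return payload.decode("utf-8", errors="replace")


def build_sample(plain: str, pairs) -> str:
    """Constructed fixture: obfuscate `plain` the way the snippet was built."""
    blob = base64.b64encode(plain.encode()).decode()
    for search, replacement in pairs:               # hide base64 characters
        blob = blob.replace(replacement, search)
    expr = f"'{blob}'"
    for search, replacement in reversed(pairs):     # wrap innermost call first
        expr = f"str_replace('{search}','{replacement}',{expr})"
    return f"echo eval(base64_decode({expr}));"


if __name__ == "__main__":
    sample = build_sample('echo "harmless demo";', SAMPLE_PAIRS)
    print(sample)
    print("decodes to:", decode_chain(sample))
    # If the output is itself another eval(base64_decode(...)) layer,
    # feed it back into decode_chain() until readable PHP comes out.
```

Real samples are often layered, so keep the output of each pass as evidence and diff the final plaintext against the site’s known-good files.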

The reason for the encoding and string replacing is to bypass antivirus… This works as every transmission can have a new “key”, and hence the payload is a new payload… the antivirus doesn’t have a signature to pick it out!

So clearly … it’s a virus/worm thingy!

Just in case anyone wants to see the code without scrolling:

Unfortunately, it’s the bit at the right end we’d really want to see (after seeing a bit of the beginning).

Looks like it’s this thing. Seems pretty comprehensive - does pretty much everything. The last hack I had to clean up (from a client’s server previously “managed” by someone else) just slapped a fake Flash upgrade page in /var/www.