
Unobfuscate PHP Hack Code

Updated: December 21, 2011

In an attempt to avoid detection, hackers sometimes obfuscate the PHP hack code that they insert into files. The tool below supports unobfuscating code that uses eval(base64_decode(, eval(gzinflate(base64_decode(, eval(gzuncompress(base64_decode(, eval(gzinflate(str_rot13(base64_decode(, or eval(gzinflate(base64_decode(str_rot13( for obfuscation. In the Data box, input only the obfuscated data and not the surrounding functions. For example, if the full code was eval(base64_decode('ZXhhbXBsZQ==')); you would input only ZXhhbXBsZQ== into the Data box.

Add the ability to submit data to this tool from your web browser's contextual menu with our extension for Firefox and Chrome.

You can see recently submitted hack code that has been made available by the submitter for further research by the public here.


It is also fairly easy to unobfuscate the obfuscated code on your own web server. You do need to follow the process carefully, because if you do not fully neutralize the code, it could execute on your computer. Depending on what the hack code does, this could be harmless or could cause your computer to get hacked. The code may have been obfuscated multiple times, so you may have to repeat the process multiple times.

  1. Open a new text file in a text editor.
  2. Copy the PHP code into the file.
  3. Replace all instances of "eval" in the code with "print" or "echo". This is the step necessary to neutralize the code, so make sure to do it carefully.
  4. Save the text file with a .php extension.
  5. Upload the file to a web server that can handle PHP files.
  6. Open the web page in a web browser; the unobfuscated code will be displayed.
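
The same five wrapper chains can also be peeled without running any PHP at all, which removes the risk of a missed "eval". The following Python sketch is an added example, not this site's tool; its function names, the layer limit and the sample input are assumptions made for illustration. It repeats the decode until no eval wrapper remains, covering code that was obfuscated multiple times.

```python
import base64
import re
import string
import zlib

_LOW, _UP = string.ascii_lowercase.encode(), string.ascii_uppercase.encode()
_ROT13 = bytes.maketrans(_LOW + _UP, _LOW[13:] + _LOW[:13] + _UP[13:] + _UP[:13])

def rot13(data: bytes) -> bytes:
    """Byte-level equivalent of PHP str_rot13: only ASCII letters rotate."""
    return data.translate(_ROT13)

# PHP function name -> Python equivalent operating on bytes.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
    "str_rot13": rot13,
}

# Matches eval(f1(f2(...('DATA' and captures the call chain and the data.
WRAPPER = re.compile(
    rb"eval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+)"
    rb"""(['"])([^'"]*)\2""")

def peel_once(code: bytes):
    """Decode the first eval(...) wrapper in code; None if there is none."""
    m = WRAPPER.search(code)
    if m is None:
        return None
    data = m.group(3)
    # The innermost function runs first, so apply the chain right to left.
    for name in reversed(re.findall(rb"[a-z0-9_]+", m.group(1))):
        data = DECODERS[name.decode()](data)
    return data

def unobfuscate(code: bytes, max_layers: int = 25):
    """Peel nested layers; returns (final_code, layers_removed)."""
    layers = 0
    while layers < max_layers and (inner := peel_once(code)) is not None:
        code, layers = inner, layers + 1
    return code, layers

def make_sample() -> bytes:
    """Constructed, harmless two-layer sample wrapping: echo "example";"""
    inner = b"eval(base64_decode('" + base64.b64encode(b'echo "example";') + b"'));"
    c = zlib.compressobj(wbits=-15)
    packed = rot13(c.compress(inner) + c.flush())
    return b"eval(gzinflate(str_rot13(base64_decode('" + base64.b64encode(packed) + b"'))));"
```

Calling unobfuscate(make_sample()) returns the inner PHP source as bytes together with the number of layers removed; the result is only ever treated as data and is never executed.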
