Deobfuscate PHP Hack Code
Updated: June 10, 2013
In an attempt to avoid detection hackers sometimes obfuscate the PHP hack code that they insert into files. The tool below supports deobfuscating code that uses eval(base64_decode(, eval(gzinflate(base64_decode(, eval(gzuncompress(base64_decode(, eval(gzinflate(str_rot13(base64_decode(, eval(gzinflate(base64_decode(str_rot13( for obfuscation, Hex, and others. In the Obfuscated Data box input only the obfuscated data and not the surrounding functions, so if the full code was eval(base64_decode('ZXhhbXBsZQ=='); you would only input ZXhhbXBsZQ== into the Obfuscated Data box.
It is also fairly easy to deobfuscate the obfuscated code on your own web server. You do need to carefully follow the process, because if you do not fully neutralize the code could execute your computer. Depending on what the hack code does, this could be harmless or could cause your computer to get hacked. The code may have been obfuscated multiple times so you may have to repeat the process multiple times.
- Open a new text file in a text editor.
- Copy the PHP code into the file.
- Replace all instances of "eval" in the code with "print" or "echo". This is the step necessary to neutralize the code, so make sure to do it carefully.
- Save the text file with a .php extension.
- Upload the file to a web server that can handle PHP files.
- Open the web page in a web browser, the deobfuscated code will be displayed.
- Hacked Website Cleanup
- Hacked Drupal Website Cleanup
- Hacked Joomla Website Cleanup
- Hacked Magento Store Cleanup
- Hacked MediaWiki Wiki Cleanup
- Hacked Moodle Website Cleanup
- Hacked osCommerce Store Cleanup
- Hacked phpBB Forum Cleanup
- Hacked WordPress Website Cleanup
- Hacked Zen Cart Store Cleanup