polonus
December 24, 2011, 12:01am
1
Pondus
December 24, 2011, 12:12am
2
What malware is this PHP/Spy.Ettu.D?
PHP script virus
http://www.sophos.com/en-us/security-news-trends/glossary.aspx#php
Donovan
December 24, 2011, 12:28am
3
This decodes to this.
This decodes to this.
And this decodes to this.
Thanks to that ‘link’ you gave me.
Clearly this file echoes coding into a file.
Edited because of having slight troubles with PhotoBucket, hopefully fixed now.
polonus
December 24, 2011, 12:43am
4
Hi Donovansrb10,
Thank you, my young friend. This time that online tool works like a charm ;D, so good de-obfuscation results. Yes here at these forums we teach the young to be better protected ::),
pol
Donovan
December 24, 2011, 12:50am
5
> Hi Donovansrb10,
> Thank you, my young friend. This time that online tool works like a charm ;D, so good de-obfuscation results. Yes here at these forums we teach the young to be better protected ::),
> pol
Worked like a charm.
By the way, what kind of coding is ‘eval(gzinflate(base64_decode’? I don’t get how browsers would be able to decode it. Just looks like jumbled letters with backslashes and plus signs. ???
polonus
December 24, 2011, 1:29am
6
Hi Donovansrb10,
For a browser there is no problem to render it. We need some extra pair of glasses ;D eh…decoders I mean. WordPress themes with this kind of code in footer php for instance should always be distrusted. Read here: http://www.techfreakstuff.com/2009/07/what-encrypted-code-wordpress-themes-evalgzinflatebase64_decode.html link author = Rohit Sane
This can be used by webmasters to scan the authenticity of their themes code:
http://wordpress.org/extend/plugins/tac/ tac = Theme Authenticity Checker,
polonus
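The `eval(gzinflate(base64_decode(` wrapper discussed in this thread can be unwrapped statically, without running the PHP. The following is an added example, not code from the thread or from the tools linked in it; the function names, the size limits and the sample string are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))) with optional whitespace, either quote style.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)
MAX_LAYERS = 20          # assumed limit: stop runaway nesting
MAX_OUTPUT = 5_000_000   # assumed limit: guard against decompression bombs


def inflate_raw(blob: bytes) -> bytes:
    """PHP gzinflate() reads raw DEFLATE (no zlib/gzip header), i.e. wbits=-15."""
    d = zlib.decompressobj(-15)
    out = d.decompress(blob, MAX_OUTPUT)
    if not d.eof:
        raise ValueError("truncated stream or output over MAX_OUTPUT")
    return out


def peel(source: str):
    """Unwrap nested layers as text only; returns (result, layers_removed)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = WRAPPER.search(source)
        if not m:
            break
        try:
            inner = inflate_raw(base64.b64decode(m.group(2)))
        except (ValueError, zlib.error):
            break  # not valid base64/DEFLATE: leave the text untouched
        source = source[:m.start()] + inner.decode("utf-8", "replace") + source[m.end():]
        layers += 1
    return source, layers


def wrap(php: str) -> str:
    """Build a constructed sample in the same shape (demo input only)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(php.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


if __name__ == "__main__":
    sample = "<?php " + wrap(wrap('echo "footer link";')) + " ?>"  # constructed
    print(peel(sample))
```

A non-zero layer count on a theme file such as footer.php is the signal to review the decoded text by hand.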