Seems like the attacker’s code was base64 encoded and gzipped.

So first the code is decoded from base64 encoding, and then it is unzipped basically until a string of code.

And then eval is called on the resulting string, which will execute the code that has been decoded and unzipped.

But without seeing what code gets generated, it is hard to say what it will do when the code is run.

I decoded the encoded text. Using the following approach

(I guess writing to file was a bad idea now that I think of it. Mainly if you’re on Windows. I guess it is a bit safer on Linux with the execute bit turned off. So I was kind of lucky in this case!)

<?php
$test = gzinflate(base64_decode("encoded_text"));
$myFile = "testFile.txt";
$fh = fopen($myFile, 'w');
fwrite($fh, $test);
fclose($fh);

I wrote the output to file just in case there was some random html or javascript that could infect my computer if I just echoed it to my browser. That may be why you got an anti-virus warning.

I’m not sure what it does yet.

Just skimming through the code, which is like 4,750 lines of code, it seems like it sets up Basic Auth. And then there’s a lot of database functions and some basic html interface. This in PHP. There’s also some perl too. Near the end.

Basically what it seems to do is this: Every page where that image is displayed it will output parts of that code and execute it along with your code, and it will try to get input data, or try to find session data and or database values.

Then other parts of the code basically create an admin interface when the url is visited like this: url?admin=1, which brings up a Basic Auth authentication. And then there is an simple interface phpmyadmin like interface where the user can try out different queries and gather out metadata about your db. Probably other stuff run to exec, etc too.

I could be wrong, but that’s the gist I get from going through the code.