site hacked with gzinflate

General discussion on Zend Server for IBM System i


Post by lkleinman on Mon Oct 29, 2012 1:06 pm

We are running our website with Zend Server on our iSeries and I think the site was hacked. The INDEX.php page had a line inserted with code similar to the following:

<?php eval(gzinflate(base64_decode('ALIGTflpZiAoIWlzc2V0KCRm........ (lots of other letters and numbers after this)

I have two questions:

I know that this is inflating a string and then executing it. I don't know what the inflated string actually is, although I'm sure it is not something good. How can I see the inflated code without actually running it?

How did it get there? The public authority for Index.php had been *RWX (it is now *R) but wouldn't the person who hacked this have needed a valid user profile and password to even access the iSeries?
lkleinman
 
Posts: 6
Joined: Wed Jan 26, 2011 8:00 pm

Re: site hacked with gzinflate

Post by rbaril on Thu Nov 15, 2012 6:38 pm

You could copy out the code to another page and just echo it out to see it:

echo gzinflate(base64_decode('ALIGTflpZiAoIWlzc2V0KCRm........'));
rbaril
 
Posts: 9
Joined: Tue Apr 28, 2009 5:15 pm
Location: Winnipeg, MB, Canada
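
Added example, not part of either post above: a Python sketch that answers the first question by decoding the wrapper as text only, so nothing is handed to a PHP interpreter. PHP's gzinflate() reads raw DEFLATE data, which Python's zlib handles with wbits=-15; the names unwrap and make_sample, the size and depth limits, and the sample payload are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))) with either quote style.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])"
    r"([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)", re.IGNORECASE)
MAX_LAYERS = 20               # assumed limit on nesting depth
MAX_OUTPUT = 5 * 1024 * 1024  # assumed cap against decompression bombs


def inflate_raw(blob: bytes) -> bytes:
    """Inflate raw DEFLATE data (what PHP gzinflate() expects): wbits=-15."""
    d = zlib.decompressobj(-15)
    out = d.decompress(blob, MAX_OUTPUT)
    if not d.eof:
        raise ValueError("stream truncated or larger than MAX_OUTPUT")
    return out


def unwrap(php_source: str):
    """Peel nested wrappers as text only; returns (layers, inner_source)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = WRAPPER.search(php_source)
        if not m:
            break
        b64 = re.sub(r"\s+", "", m.group(2))
        b64 += "=" * (-len(b64) % 4)  # PHP tolerates missing padding
        php_source = inflate_raw(base64.b64decode(b64)).decode("utf-8", "replace")
        layers += 1
    return layers, php_source


def make_sample(inner: str, depth: int) -> str:
    """Build a harmless, constructed sample wrapped `depth` times."""
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = c.compress(inner.encode()) + c.flush()
        inner = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php " + inner


if __name__ == "__main__":
    layers, code = unwrap(make_sample("echo 'constructed payload';", 2))
    print(f"{layers} layer(s) removed")
    print(code)  # inspect as text; never pass it to eval or a PHP interpreter
```

To use it on the real file, read a copy of the modified INDEX.php into a string and pass it to unwrap().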

