site hacked with gzinflate

General discussion on Zend Server for IBM System i

Post by lkleinman » Mon Oct 29, 2012 1:06 pm

We are running our website with Zend Server on our iSeries and I think the site was hacked. The INDEX.php page had a line inserted with code similar to the following:

<?php eval(gzinflate(base64_decode('ALIGTflpZiAoIWlzc2V0KCRm........ (lots of other letters and numbers after this)

I have two questions:

I know that this is inflating a string and then executing it. I don't know what the inflated string actually is, although I'm sure it is not something good. How can I see the inflated code without actually running it?

How did it get there? The public authority for Index.php had been *RWX (it is now *R) but wouldn't the person who hacked this have needed a valid user profile and password to even access the iSeries?

Post by rbaril » Thu Nov 15, 2012 6:38 pm

You could copy out the code to another page and just echo it out to see it:

echo gzinflate(base64_decode('ALIGTflpZiAoIWlzc2V0KCRm........'));
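
Added example, not part of the thread: the same decode done offline in Python rather than in PHP on the server, peeling nested `eval(gzinflate(base64_decode(...)))` layers as text without executing anything. The function names and the sample payload are constructed for illustration.

```python
import base64
import re
import zlib

# Matches the wrapper from the post: eval(gzinflate(base64_decode('...')))
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
MAX_OUTPUT = 5 * 1024 * 1024  # cap per layer, guards against decompression bombs


def php_gzinflate(raw: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE, no zlib/gzip header."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(raw, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("layer exceeds MAX_OUTPUT")
    return out


def peel(source: str, max_layers: int = 20) -> list[str]:
    """Return each decoded layer as text; nothing is ever executed."""
    layers = []
    for _ in range(max_layers):
        m = WRAPPER.search(source)
        if not m:
            break
        blob = base64.b64decode(m.group(2))
        source = php_gzinflate(blob).decode("utf-8", errors="replace")
        layers.append(source)
    return layers


def wrap(php: str) -> str:
    """Build a constructed sample in the same shape as the injected line."""
    c = zlib.compressobj(wbits=-15)
    blob = c.compress(php.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()


# Constructed, harmless two-layer sample (not the string from the post).
SAMPLE = "<?php " + wrap(wrap('echo "constructed sample";'))

if __name__ == "__main__":
    for n, text in enumerate(peel(SAMPLE), 1):
        print(f"--- layer {n} ---\n{text}")
```

To inspect a real injected line, read the file's contents into a string and pass it to `peel`; the loop matters because a decoded layer can itself contain another wrapper of the same shape.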
