
Decoding a Shell

Original filename: zt.php

If you simply run the file (in an isolated sandbox, never on a production host), all you see is a password prompt, which strongly suggests some type of PHP web shell. To find out what it actually does, we have to de-obfuscate it rather than execute it.

Code in page:

A first pass with str_rot13 returns the following:

To get a little further, we dump (print, rather than execute) the result of gzinflate(base64_decode(str_rot13($code))) and get this:

The good old Web Shell by oRb is hidden in this mess. You can see that the password check is just a comparison against an unsalted MD5 hash; MD5 cannot be "decrypted", but a lookup in any online MD5 reverse-lookup table (or a quick wordlist crack) will provide you with "syurga".
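The same procedure, written as a static decoder, is shown below as an added example; it is not code from the original post and not part of zt.php, whose listing is not reproduced here. It undoes eval(gzinflate(base64_decode(str_rot13(...)))) style wrappers (whether the payload is an inline literal or a $variable assigned earlier in the file) without ever executing PHP, repeats until no eval() wrapper remains, and then tries a small wordlist against any 32-hex-digit MD5 constant it finds. Because the shell itself is not on the page, the block builds its own constructed sample: a toy PHP snippet that compares md5($_POST["pass"]) against the MD5 of "syurga", wrapped twice with the page's chain; the wordlist and the snippet are constructed for the example. PHP's gzinflate() is raw DEFLATE, which is why zlib is called with wbits=-15.

```python
import base64
import codecs
import hashlib
import re
import zlib

# Wrapper functions the decoder understands, mapped to Python equivalents.
# PHP gzinflate() is raw DEFLATE with no zlib/gzip header, hence wbits=-15.
DECODERS = {
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,      # zlib-wrapped variant
    "strrev": lambda b: b[::-1],
}

# Matches eval( f1( f2( ... ( 'literal' | $var ) ... ) ) )
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)*)(?:(['\"])(.*?)\2|\$(\w+))\s*\)+", re.S)


def peel_layer(src):
    """Statically undo one eval(...) wrapper. Returns None if there is none."""
    m = EVAL_RE.search(src)
    if m is None:
        return None
    if m.group(4):  # payload lives in a variable assigned earlier in the file
        a = re.search(r"\$" + re.escape(m.group(4)) + r"\s*=\s*(['\"])(.*?)\1\s*;",
                      src, re.S)
        if a is None:
            raise ValueError("could not find assignment for $" + m.group(4))
        payload = a.group(2).encode("latin-1")
    else:
        payload = m.group(3).encode("latin-1")
    # Apply the wrappers innermost first: str_rot13, then base64_decode, ...
    for name in reversed(re.findall(r"\w+", m.group(1))):
        if name not in DECODERS:
            raise ValueError("unsupported wrapper function: " + name)
        payload = DECODERS[name](payload)
    return payload.decode("latin-1")


def deobfuscate(src, max_layers=50):
    """Peel eval() wrappers until the real code is exposed; returns (code, layers)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_layer(src)
        if nxt is None:
            break
        src, layers = nxt, layers + 1
    return src, layers


def crack_md5(hexhash, wordlist):
    """Unsalted MD5 is not reversible; it is only guessable. Try each candidate."""
    for w in wordlist:
        if hashlib.md5(w.encode()).hexdigest() == hexhash.lower():
            return w
    return None


def recover_password(decoded_php, wordlist):
    """Find 32-hex-digit constants in the decoded shell and try to crack each."""
    for h in re.findall(r"\b[0-9a-fA-F]{32}\b", decoded_php):
        w = crack_md5(h, wordlist)
        if w:
            return w
    return None


# --- constructed sample standing in for zt.php (not the real shell) ---
def php_obfuscate(php_src):
    """Forward chain an obfuscator would use: gzdeflate -> base64 -> str_rot13."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(php_src.encode("latin-1")) + co.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return ("<?php\n$code = '" + codecs.encode(b64, "rot_13") + "';\n"
            "eval(gzinflate(base64_decode(str_rot13($code))));\n?>")


INNER_PHP = ('<?php if (md5($_POST["pass"]) !== "' + hashlib.md5(b"syurga").hexdigest()
             + '") { die("403"); } echo "shell ready"; ?>')
SAMPLE = php_obfuscate(php_obfuscate(INNER_PHP))   # wrapped twice
WORDLIST = ["password", "123456", "admin", "syurga"]  # constructed wordlist

if __name__ == "__main__":
    decoded, n = deobfuscate(SAMPLE)
    print(f"peeled {n} layer(s):\n{decoded}")
    print("password:", recover_password(decoded, WORDLIST))
```

The decoder deliberately refuses any wrapper function it does not know rather than guessing, and it never calls out to a PHP interpreter: the whole point of dumping instead of eval()'ing is that the sample is analysed, not run. For a real sample, pass the file contents to deobfuscate() and feed the recovered hash to a proper wordlist or lookup service.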