Aaron Saray recently found some rogue code on a hacked website and investigated what it actually does.

It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack.

This obfuscated code is doing something bad, but we don’t know what at first glance. Obviously, the solution is to remove it - but - aren’t you a little curious what it was doing? Let’s take a look.

https://aaronsaray.com/2017/anatomy-of-a-php-hack.html