Reply to: PHP Virus?

Not a problem as Log4j isn't in use If an HTTP transaction includes a file then it'll be recorded but that's all unless its a data file expected by the workflow the client is triggering but then the client would need to have passed a number of security checks and filters to access the workflow unless the workflow is a really benign public one

I'm just interested in what the intent was and what the code looks like

In general terms, it's definitely worth checking for the Log4Shell vulnerability (CVE-2021-44228). However, I think it's unlikely to be related to this issue. The whole point of Log4Shell is that it allows RCE (Remote Code Execution): more specifically, the Log4j package is written in Java, and the vulnerability means that it might download an arbitrary Java class file using JNDI lookup.

So, if you're an attacker, and you can run your own arbitrary code on the web server, why would you use that code to create a PHP file? Whatever the "eval" statement is intended to do, you can just do directly via Java, and in a situation like this (where PHP isn't installed), nothing will happen. It seems more likely that there's a different vulnerability which allowed someone to create the PHP file.

Make sure your server is patched / configured against the log4j (Log4Shell) - people shouldn't be able to just drop php files on to your server ...

You could use CyberChef for the individual steps (e.g. Base64 decode and ROT13). You could also create your own PHP file (if you have another machine with PHP installed):

I.e. replace "eval()" with "echo" to display the script rather than running it. I would guess that the hostile code will define a variable called __FILE__, and then the unlink command will delete that temporary file.

NB I noticed that your sample has 5 opening brackets but 4 closing brackets. You'll need to make sure that they match.