Today we released version 1.24.7 of ISPProtect. The new version contains new heuristics to recognize further malicious code.

Below we take a closer look at one malicious code snippet.

$a = base64_decode($b);
for($i = 0; $i < strlen($a); $i++){
    $a[$i] = chr(ord($a[$i]) ^ ((41528) % 256));
}
$c = gzinflate(strrev($a));

So what is this code doing? It loads base64-encoded binary data from a variable ($b) and decodes it. It then loops over each character of the decoded string and XORs it with a fixed value (41528 % 256) to produce the character that is needed for later processing with gzinflate.
Before the final string is passed to gzinflate, it is reversed. There is absolutely no need to use code like this in non-malicious code. If you see something similar in one of your code files, you should investigate it very closely.
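To investigate such a file without running it, the layers can be undone offline and the result inspected as plain data. The following Python sketch is an added example, not part of ISPProtect and not from the original post: it flags source that combines all four layers and decodes a blob with the same chain. The indicator patterns, the 1 MiB output cap and the sample blob are assumptions constructed for this illustration.

```python
import base64
import re
import zlib

XOR_KEY = 41528 % 256   # constant from the snippet above; evaluates to 56
MAX_OUTPUT = 1 << 20    # assumed 1 MiB cap against decompression bombs

# Illustrative indicators chosen for this example (not ISPProtect's rules).
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "gzinflate": re.compile(r"\bgzinflate\s*\(", re.I),
    "strrev": re.compile(r"\bstrrev\s*\(", re.I),
    "xor_loop": re.compile(r"\bchr\s*\(\s*ord\s*\([^)]*\)\s*\^", re.I),
}

# Constructed, harmless sample: a stored DEFLATE block holding b"<?php",
# reversed, XORed with 56 and base64 encoded.
CONSTRUCTED_BLOB = "SFBIBwTHwjg9OQ=="


def matched_indicators(php_source):
    """Return the names of the indicators that occur in the PHP source."""
    return {name for name, rx in INDICATORS.items() if rx.search(php_source)}


def looks_like_layered_decoder(php_source):
    """True only when all four layers of the snippet appear in one file."""
    return matched_indicators(php_source) == set(INDICATORS)


def decode_layers(b64_blob, key=XOR_KEY, limit=MAX_OUTPUT):
    """Undo base64 -> XOR -> strrev -> gzinflate; the result is never executed."""
    raw = base64.b64decode(b64_blob)
    unxored = bytes(b ^ key for b in raw)
    # PHP's gzinflate() expects raw DEFLATE, hence the negative window size.
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)
    out = inflater.decompress(unxored[::-1], limit)
    if not inflater.eof:
        raise ValueError("stream is truncated or expands past the limit")
    return out


if __name__ == "__main__":
    print(decode_layers(CONSTRUCTED_BLOB))
```

A match is only a reason to look closer: each function is common on its own, and it is the combination in one file that is unusual.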

New version 1.24.7 released

Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.