2022-10-27

"iServer/Powered By iSender Team" decoder

When your iPhone is lost, some hackers set up a fake website that imitates Apple's and message you on WhatsApp or other social media, asking you to reset your password there, so that they can unlock your iPhone and disable "Find My iPhone".

I checked and decoded some fake website scripts that steal iCloud data; the scripts are encoded by a custom PHP encoder called "iServer/Powered By iSender Team".

decoder:
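<?php
/*
 * Script to decode files encoded with iServer/Powered By iSender Team.
 * The decoded payload is only printed, never evaluated.
 */

// Send the result as plain text so a browser does not render the decoded script
header('Content-Type: text/plain; charset=utf-8');

// Your encoded file path
$file = '/home/user/file.php';

/**
 * Return the part of $str after $needle, or $str unchanged if $needle is absent.
 * With $last_occurrence set, the last occurrence of $needle is used.
 */
function str_after($str, $needle, $last_occurrence = false)
{
    $pos = $last_occurrence ? strrpos($str, $needle) : strpos($str, $needle);

    if ($pos === false) return $str;

    return substr($str, $pos + strlen($needle));
}

// get file content
$content = file_get_contents($file);
if ($content === false) {
    exit("Cannot read $file\n");
}

// isolate the argument of the eval() call
$eval_code = str_after($content, "eval(");
$eval_code1 = strstr($eval_code, ")))", true);
if ($eval_code1 === false) {
    exit("No eval(...))) section found in $file\n");
}

// get the first value (used as the strtr() "from" string)
$value1 = str_after($eval_code1, "','"); // gets all text after the needle
$value2 = strstr($value1, "',", true);   // gets all text before the needle

// get the second value (used as the strtr() "to" string)
$value3 = str_after($value1, "','"); // gets all text after the needle
$value4 = strstr($value3, "'", true); // gets all text before the needle

if ($value2 === false || $value4 === false) {
    exit("Could not extract the two translation strings from $file\n");
}

// decode the file: the payload is its last line
$myfile = file(str_replace('\\', '/', $file));
$file_ap = array_pop($myfile);
echo base64_decode(strtr($file_ap, $value2, $value4));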
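
The same static decode as a Python port with explicit failure checks, for triage on a host without a PHP interpreter. This is an added example, not part of the original post. The file layout (three consecutive quoted arguments in the eval stub, payload on the last line) is an assumption inferred from how the decoder above parses the file, and the function names, `hypothetical_outer`/`hypothetical_inner` and the sample itself are constructed.

```python
import base64
import binascii

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def extract_alphabets(text):
    """Return the (from, to) strtr() alphabets found in the eval(...))) stub."""
    _, found, rest = text.partition("eval(")
    stub, closed, _ = rest.partition(")))")
    if not found or not closed:
        raise ValueError("no eval(...))) stub found")
    # Assumed layout: three consecutive quoted arguments 'x','FROM','TO'
    parts = stub.split("','", 2)
    if len(parts) != 3 or "'" not in parts[2]:
        raise ValueError("stub does not carry two quoted alphabets")
    return parts[1], parts[2].split("'", 1)[0]


def decode_sample(text):
    """Undo strtr() + base64 on the last line; nothing is executed."""
    src, dst = extract_alphabets(text)
    n = min(len(src), len(dst))  # PHP strtr() ignores the longer string's tail
    payload = text.splitlines()[-1].strip().translate(str.maketrans(src[:n], dst[:n]))
    payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("last line is not base64 after translation") from exc
    return raw.decode("utf-8", "replace")


def build_constructed_sample(php_source):
    """Build a CONSTRUCTED test file in the assumed layout (not a real sample)."""
    shuffled = STD[13:] + STD[:13]  # constructed substitution alphabet
    body = base64.b64encode(php_source.encode()).decode()
    body = body.translate(str.maketrans(STD, shuffled))
    # hypothetical_outer/hypothetical_inner are placeholders, not real functions
    stub = "<?php eval(hypothetical_outer(hypothetical_inner('k','%s','%s'))); ?>"
    return stub % (shuffled, STD) + "\n" + body + "\n"


if __name__ == "__main__":
    sample = build_constructed_sample("<?php echo 'constructed payload'; ?>")
    print(decode_sample(sample))
```

A `ValueError` means the file does not match the assumed layout, which is a signal to inspect it by hand and not to trust partial output.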