
How can I gzinflate and save the inflated data without running it? (Found what I think is a trojan on my server)

Well, not my server. My friend found it and sent it to me, trying to make sense of it. What it appears to be is a PHP IRC bot, but I have no idea how to decode it and make any sense of it.

Here is the code:

<?eval(gzinflate(base64_decode('some base 64 code here')))?>

So I decoded the base64, and it output a ton of strange characters, I'm guessing either encrypted or a different file type, like when you change a .jpg to a .txt and open it.

But I have no idea how to decode this and determine its source. Any help?


This should be safe, but still show you the code:

<pre>
<?echo(gzinflate(base64_decode('some base 64 code here')))?>
</pre>

That is, echo instead of eval.

If you'd rather do it in the shell, try gunzip after base64 decoding.


What you'll probably find is that the eval produces another cycle to eval. This may go on until finally the real code gets executed.

I would decode it step by step on a network disconnected machine which afterwards I would format.
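The two answers above (print instead of eval, and expect nested layers) combined into one static decoder, as an added example that is not part of the original thread. PHP's gzinflate() reads a raw DEFLATE stream, so zlib is opened with wbits=-15; the names unwrap, inflate_raw and wrap are hypothetical, and the sample input is constructed and harmless.

```python
import base64
import re
import zlib

# Matches eval(gzinflate(base64_decode('...'))) with either quote style.
LAYER = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)
MAX_LAYERS = 50          # stop on runaway nesting
MAX_OUTPUT = 16 * 2**20  # per-layer output cap (decompression bomb guard)


def inflate_raw(data: bytes) -> bytes:
    """Inflate a raw DEFLATE stream (what PHP's gzinflate() expects)."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, MAX_OUTPUT)
    if not d.eof:  # stream did not finish within the cap, or input is cut short
        raise ValueError("layer truncated or larger than MAX_OUTPUT")
    return out


def unwrap(source: bytes) -> tuple[bytes, int]:
    """Peel nested layers as data only; return (innermost text, layer count)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = LAYER.search(source)
        if m is None:
            break
        # The decoded layer replaces the source; nothing is ever evaluated.
        source = inflate_raw(base64.b64decode(m.group(2)))
        layers += 1
    return source, layers


def wrap(php: bytes) -> bytes:
    """Build one constructed demo layer (raw deflate, then base64)."""
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(php) + c.flush())
    return b"eval(gzinflate(base64_decode('" + blob + b"')));"


if __name__ == "__main__":
    # Constructed sample: two layers around a harmless comment.
    sample = b"<?" + wrap(wrap(b"/* innermost payload would be here */")) + b"?>"
    text, count = unwrap(sample)
    print(count, "layers")
    print(text.decode("utf-8", "replace"))
```

Write the result to a file and read it in a text editor rather than a browser, so nothing in the decoded payload gets rendered.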
