Is it possible for a PHP script to be inside a GIF file? I found one when I opened a .gif file in Notepad++.
Technically yes. One example of this use might be a server wanting to hide the true source of an image and maybe do some throttling (like those ImageShack "this image has been viewed too many times today" messages).
The situation would require Apache to make PHP handle the .gif file extension. The PHP inside the file would then do whatever checks were desired, then send the headers for the image/gif MIME type, file size, etc., and then output the file with file_get_contents (or a similar method).
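An added example of the arrangement this answer describes (it is not the answerer's code): Apache maps one named file to the PHP handler, and the script behind that name throttles, validates the real image, sends the headers and streams the bytes. The file names, the 50-views-per-hour threshold and the mod_php handler name are assumptions; with php-fpm the SetHandler value differs.

```php
<?php
// Added example, not from the original answer. Assumes Apache with mod_php and a
// single file, dynamic.gif, mapped to PHP with a directive such as:
//
//   <Files "dynamic.gif">
//       SetHandler application/x-httpd-php
//   </Files>
//
// Scope the mapping to ONE named file. A directory-wide AddHandler on .gif would
// turn every uploaded image into an executable script.

$source = __DIR__ . '/private/real.gif';   // hypothetical path, outside the webroot

// Per-client throttle: at most 50 views per hour (illustrative threshold).
session_start();
$now = time();
$_SESSION['views'] = array_filter($_SESSION['views'] ?? [], fn($t) => $t > $now - 3600);
if (count($_SESSION['views']) >= 50) {
    http_response_code(429);
    header('Content-Type: text/plain');
    exit('This image has been viewed too many times this hour.');
}
$_SESSION['views'][] = $now;

// Check that what is about to be sent really is a GIF before trusting it.
$info = @getimagesize($source);
if ($info === false || $info[2] !== IMAGETYPE_GIF) {
    http_response_code(404);
    exit;
}

header('Content-Type: image/gif');
header('Content-Length: ' . filesize($source));
header('Cache-Control: private, no-store');
readfile($source);   // streams the file instead of loading it all into memory
```

readfile is used instead of file_get_contents so a large image is not held in memory twice; the getimagesize check is what stops the script from relaying a non-image that was dropped into the private directory.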
You can convert to "bmp" format and back to clean up scripts inside the metadata of your uploaded images. BMP does not have metadata but does have alpha transparency and 100% quality. In PHP you can use the Imagick class:
Most image hosting websites allow script inclusion in images (e.g. Flickr, LiveJournal) or convert the image to some bad format like JPEG (e.g. Google, etc.). This script fixes this issue. Your comments are welcome! :) Cheers, Matt.
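The round-trip this answer describes, written out as an added example (this is not Matt's script, which is not reproduced on the page). It assumes the Imagick extension is installed, that $uploaded is the temporary path of a file received through $_FILES, and that $dir is a directory in which PHP execution is disabled; those names are placeholders.

```php
<?php
// Added example, not Matt's script. Re-encodes an uploaded image through BMP so
// that only decoded pixels survive: comment blocks, EXIF, XMP and any other
// segment in which PHP code could be hidden are discarded.
function stripImageMetadata(string $uploaded, string $dir): string
{
    $img = new Imagick($uploaded);              // throws ImagickException if not an image

    $format = strtolower($img->getImageFormat());   // e.g. "gif", "jpeg", "png"
    if (!in_array($format, ['gif', 'jpeg', 'png'], true)) {
        throw new RuntimeException("unsupported image format: $format");
    }

    // Round-trip through BMP: the BMP container has no comment or profile
    // segments, so nothing but the pixel data makes it into $bmp.
    $img->setImageFormat('bmp');
    $bmp = $img->getImageBlob();
    $img->clear();

    $clean = new Imagick();
    $clean->readImageBlob($bmp);
    $clean->setImageFormat($format);
    $clean->stripImage();                       // belt and braces: drop any profile left over

    // Never keep the uploader's filename; pick a random name with a fixed extension.
    $ext = $format === 'jpeg' ? 'jpg' : $format;
    $destination = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $clean->writeImage($destination);
    $clean->clear();
    return $destination;
}

// Usage (assumed upload field name "image"):
// $stored = stripImageMetadata($_FILES['image']['tmp_name'], '/var/www/uploads');
```

Two caveats a practitioner should keep in mind: an animated GIF comes out of this as a single frame, because BMP holds one image, and a JPEG is recompressed on the way back, so "100% quality" holds for the BMP stage only. Stripping is also no substitute for serving the upload directory with PHP execution disabled: a file that contains no PHP today can be overwritten tomorrow.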
It was probably a server-side PHP script with the .gif extension that served a dynamic GIF image to clients. The server is just configured to execute .gif files as PHP scripts (or, more likely, just that specific .gif file).
This is fairly common. You'll find it in websites that have dynamic images.
Most image formats have segments where the author can store some comments or other information that are not the actual image data.
If you store some PHP code in such a comment segment, upload it to a server as .php, and the server just checks for valid image data (like the getimagesize function does), it's being accepted as a valid image. But when it's requested, the PHP code inside the comment segment is executed.

Posting the PHP code would be helpful in determining the intent of the script. While, as most of the commenters pointed out, there might be a benign explanation to it, I still would not rule out less innocent shenanigans going on.
The benign case: the script is indeed meant to output a GIF image and you got the code instead because of a server misconfiguration. This could happen if (for example) AllowOverride none was put into his httpd.conf, disabling all userspace personalizations.
I would look at the type of functions used in the code. This being supposedly a GIF file, I would expect the script to end with an imagegif($img) instruction or such, maybe followed by imagedestroy($img). If this is the case the script seems likely to be meant to output GIF images to the browser.
The evil case: somebody uploaded a bunch of hacker stuff masqueraded as a GIF, expecting later to launch it using any method that can give him access to the command line: an unprotected eval(), a hole elsewhere in the server or even a vulnerability in a totally unrelated daemon running on the same machine. His advantage in this case would be that the script would be stored in a known location derivable from the server root. There are scripts out there that include complete file managers and sets of utilities in a single package - just for the purpose of making havoc. Again, look at the source: if it starts with a shebang (something like #!/bin/php /usr/htdocs/myfakeimagefile.gif) it's definitely meant to be run from the command line. Lack of a shebang doesn't however imply it can't be run as a script: as long as one knows where PHP is and where the script is and can access a command prompt, one can probably launch it anyway.

As a SysAdmin, when I find PHP scripts with an image extension (.gif, .jpg, .png) it usually means that somebody broke into a PHP application and is hiding malicious code inside that file.
Their code can be executed by calling the PHP CLI or just by including the file from any other PHP script. Remember that include and require don't really care about the file's name. The latter is the most common case I've seen.
You would need to check the code itself and see what it does. Don't run it, read it first.
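An added example that serves two points made in this thread: the earlier answer's observation that PHP stored in a GIF comment segment still passes getimagesize, and this answer's advice to read such a file rather than run it. It is not code posted by any of the answerers. It builds a constructed 1x1 GIF with a harmless PHP tag in its comment extension, confirms getimagesize accepts it, then walks the GIF block structure to report where the tag sits; it only reads bytes and never include()s or eval()s anything. The function names are my own.

```php
<?php
// Added example for this thread, not code from any answer. Parses the GIF
// container (header, colour tables, extension blocks, image data, trailer) and
// reports where a PHP open tag hides. Reads bytes only; never executes them.

/** Read a GIF sub-block chain at $pos; leaves $pos just past the 0x00 terminator. */
function gifReadSubBlocks(string $gif, int &$pos): string
{
    $out = '';
    while (true) {
        if ($pos >= strlen($gif)) {
            throw new RuntimeException('truncated sub-block chain');
        }
        $n = ord($gif[$pos++]);
        if ($n === 0) {
            return $out;
        }
        $out .= substr($gif, $pos, $n);
        $pos += $n;
    }
}

/** Walk the container; return its extension blocks and any bytes after the trailer. */
function gifParse(string $gif): array
{
    if (strlen($gif) < 13 || !in_array(substr($gif, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        throw new InvalidArgumentException('not a GIF');
    }
    $pos = 6;
    $packed = ord($gif[$pos + 4]);              // logical screen descriptor: w, h, packed, bg, aspect
    $pos += 7;
    if ($packed & 0x80) {                       // global colour table present
        $pos += 3 * (1 << (($packed & 0x07) + 1));
    }
    $extensions = [];
    $trailing = '';
    while ($pos < strlen($gif)) {
        $marker = ord($gif[$pos]);
        if ($marker === 0x3B) {                 // trailer: bytes after it are not image data
            $trailing = substr($gif, $pos + 1);
            break;
        }
        if ($marker === 0x21) {                 // extension: label byte, then sub-blocks
            $offset = $pos;
            $label = ord($gif[$pos + 1]);
            $pos += 2;
            $data = gifReadSubBlocks($gif, $pos);
            $extensions[] = ['label' => $label, 'offset' => $offset, 'data' => $data];
        } elseif ($marker === 0x2C) {           // image descriptor: 9 bytes, optional local table, LZW
            $ipacked = ord($gif[$pos + 9]);
            $pos += 10;
            if ($ipacked & 0x80) {
                $pos += 3 * (1 << (($ipacked & 0x07) + 1));
            }
            $pos += 1;                          // LZW minimum code size
            gifReadSubBlocks($gif, $pos);       // skip the compressed pixel data
        } else {
            throw new RuntimeException(sprintf('unexpected block 0x%02X at offset %d', $marker, $pos));
        }
    }
    return ['extensions' => $extensions, 'trailing' => $trailing];
}

/** One finding per place a PHP open tag appears outside the pixel data. */
function gifFindPhp(string $gif): array
{
    $parsed = gifParse($gif);
    $findings = [];
    foreach ($parsed['extensions'] as $ext) {
        if (preg_match('/<\?(php\b|=)/i', $ext['data'])) {
            $findings[] = sprintf('extension 0x%02X at offset %d: %s', $ext['label'], $ext['offset'], $ext['data']);
        }
    }
    if (preg_match('/<\?(php\b|=)/i', $parsed['trailing'])) {
        $findings[] = 'bytes after the GIF trailer: ' . $parsed['trailing'];
    }
    return $findings;
}

/** Constructed 1x1 GIF89a whose comment extension (label 0xFE) carries $comment. */
function gifWithComment(string $comment): string
{
    $gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00"    // header + logical screen descriptor
         . "\x00\x00\x00\xFF\xFF\xFF"              // 2-entry global colour table
         . "\x21\xFE";                             // comment extension introducer + label
    foreach (str_split($comment, 255) as $chunk) {
        $gif .= chr(strlen($chunk)) . $chunk;      // sub-blocks hold at most 255 bytes each
    }
    return $gif . "\x00"                           // sub-block terminator
         . "\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"  // image descriptor, no local table
         . "\x02\x02\x44\x01\x00"                  // LZW min code size 2 + one compressed pixel
         . "\x3B";                                 // trailer
}

// Harmless tag, chosen only so the scanner has something to find.
$sample = gifWithComment('<?php echo "hidden in a GIF comment"; ?>');
$tmp = tempnam(sys_get_temp_dir(), 'gif');
file_put_contents($tmp, $sample);
$info = getimagesize($tmp);
printf("getimagesize: %s\n", $info ? "accepted as {$info['mime']}" : 'rejected');
foreach (gifFindPhp($sample) as $finding) {
    printf("PHP tag found in %s\n", $finding);
}
unlink($tmp);
```

The quick triage version is a grep for `<?php` and `<?=` across the image directories, since include and require will execute a match wherever it sits in the file; the parser adds where in the container it sits (a comment block, an application extension, or bytes appended after the trailer), which is what you want in an incident write-up. Either way the file is opened as data, which is the "read it first" this answer recommends.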