Unknown code in webpages

Question

Im finding unknown code in our live webpages. We also noticed couple of websites hosted on our shared web hosting space are mysteriously getting deleted.

The unknown code we found is displayedd below in image format. Kindly update us what kind of code is this and how can we avoid these code from getting added to our webpages.

Answer 1

Yep it looks like a backdoor identical to this one. I think thats an interesting post, it goes over the process of decoding it and bit on how to clean up your system.

Answer 2

See if this helps you any: http://forum.joomla.org/viewtopic.php?p=2360137

Answer 3

You are likely to have the same or similar code/trojan/virus duplicated elsewhere on your server, even outside of your user account. See advice #3 below.

This is suspiciously looking like a RAT, since it executes the decoded base64_decode by invoking eval(base64_decode( "whole_bunch_of_obfuscated_stuff")); As you did not put that file there, zip it immediately!

Further advice:

1. Note the creation date/time of this virus ; it will help you detect when/how you got infected.
2. ZIP the file rather than deleting it, take it off the server, and send it to [email protected] for a RAT dissection.
3. Search for other RAT on your system: execute a [~] grep -r "base64_decode" . as high up the directory tree as you can. See the article mentioned below for more details.
4. Contact your provider. Under certain conditions, such a remote control tool can cross user accounts.

An article dedicated to RAT and Server RAT Infection is located on thegothicparty.com.

You can read it here: http://thegothicparty.com/dev/article/server-side-virus-rat/