Closed

Detect and fix what is this weird PHP process: /usr/local/bin/php -d safe_mode=off -r eval(base64_decode

I'm checking my processes via htop and I noticed a weird process which consumes quite a good % of the CPU:

Seems to be `/usr/local/bin/php -d safe_mode=off -r eval(base64_decode` and a huge base64 code string

I want to know:

1) What is it? If it's a hack or what?

2) How to fix this?

3) How it got there

Skills: Linux, MySQL, PHP, Software Testing, Ubuntu


About the employer:
(113 reviews) DURANGO, Mexico

Project ID: #8459440

18 freelancers are bidding on average $43 for this job

Sotirov

It's most likely virus/spamming code, where do you see this process running and can't you stop it? If you give me access to the server I'll try to find from where it gets started

USD in 1 day
(81 reviews)
7.0
codetrance

I can help you. Do you have root access to your server? I'm looking forward to your response. Thank you.

USD in 1 day
(184 reviews)
6.5
odessky

1) What is it? If its a hack or what? Yes
2) How to fix this? Order me
3) How it got there Your server is unsecured

USD in 5 days
(250 reviews)
6.9
vili1977

Hello. I would like to help you with php proc identified. I have a lot of experience with linux many years. Thank you.

USD in 1 day
(558 reviews)
7.0
nikosku

Hello, my name is Nikos and I'm working on the Linux server administration field for the past 5 years. Over these years I was responsible for two web hosting companies, managing at full their servers and providing cust

USD in 1 day
(124 reviews)
6.4
bms8197

Hello there, I am currently working as a Senior System Administrator at one of the biggest web hosting companies from Romania. I take care of over 200 servers (both physical server and virtual serv

USD in 1 day
(53 reviews)
5.4
vantuanvn

Send me detail your servers, it will fix it and only receive PayPal after it is finished. I setup and maintain many running site: [login to view URL], [login to view URL], [login to view URL], [login to view URL], [login to view URL],

USD in 1 day
(43 reviews)
5.5
tcjn

A proposal has not yet been provided

USD in 3 days
(70 reviews)
5.2
JelTechnology

I will have to look into the server. Can fix in few hours time. Again you will have to provide ssh access to your server for me to be able to finish this job

USD in 1 day
(6 reviews)
4.8
andrew8k

Hi, I am expert in PHP. Seems you have been hacked. Can you give me base64 code string? Regards, Andrew.

USD in 0 days
(29 reviews)
4.9
thms00

Dear sir, As a pentester and security researcher, I think this is a hack. We can clearly see PHP is started without safe_mode which enables dangerous functions such as shell_exec. The only reason behind encoding wi

USD in 3 days
(37 reviews)
4.5
mikeorozco94

From how you've described it, this is potentially malicious code that has made its way onto your server via yourself or some outside party. I can figure out exactly what this code is doing and take the proper direct

USD in 1 day
(23 reviews)
4.1
snaiperskaya

A proposal has not yet been provided

USD in 1 day
(9 reviews)
3.7
toufiqueimam

It's certainly a hacked process. It is running some PHP commands which are encoded in base64 so that you don't know what task is done by it. But I think you understand what it means? (illegal)

USD in 1 day
(14 reviews)
3.3
jamesdawson95

I can find the base64 that is being executed in PHP and decode it to find exactly what is happening. I am free to start immediately.

USD in 0 days
(11 reviews)
2.6
robertlanyi

Dear Sir/Madam, please let me introduce myself briefly. Fifteen years dealing with information technology, I am mostly familiar with fields of web development and system and network operations. Based on your de

USD in 1 day
(1 review)
1.5
tskshad

It looks like your site/server is infected by malware. Is your site based on WordPress?

USD in 3 days
(0 reviews)
0.0
uniquecode4

Greeting! I will do it. I am 7+ years experienced in Core PHP with OOP/Procedures, CakePHP, CodeIgniter, MySql, MSSQL, MSAccess, CSV, Excel, XML, JS, AJAX, jQuery, JSON, XSLT, HTML, HTML5, Websites speedup task, Pa

USD in 3 days
(0 reviews)
0.0