Quick security specialist needed

[Coop1979]

I have a malware infection on my server that I need assistance finding the source of, stopping, and blocking future damage. It is some sort of script that is inserting

eval(gzinflate(base64_decode(...)))

into my XenForo scripts as well as scripts for my other domains on the server.

The server runs OS X, and anyone familiar with Linux, PHP-fpm, & Nginx would be of great assistance.

I found a php file posing as a gif file within /private/var/tmp and have removed it, but the files keep getting the malicious

eval(gzinflate(base64_decode(...)))

code added to them.

Please message me with your experience and rates.

 

[rdn]

I'm a fan of @Deebs on this terms.

 

[TPerry]

Just as an aside... are any of the other sites WordPress. Most references I found to this referred to known security exploits with it and indicate needing to keep updated on them.
While you are waiting for a response this site has some good information
http://blog.aw-snap.info/2011/02/pharmacy-hack.html

 

[Coop1979]

I believe I found the invading file and quashed it like a bug. So far it's been 12 hours without any new code added to my files.

I have an OSCommerce site (an old one, too), that I believe is the source of the problem. I'll be deleting the whole thing over the weekend and moving to BigCommerce.

Thanks for the Wordpress heads-up - I have updated all installations on the server.

 

[MattW]

I believe I found the invading file and quashed it like a bug. So far it's been 12 hours without any new code added to my files.

I have an OSCommerce site (an old one, too), that I believe is the source of the problem. I'll be deleting the whole thing over the weekend and moving to BigCommerce.

Thanks for the Wordpress heads-up - I have updated all installations on the server.

Exactly how I got done back in 2009 via OSCommerce. Moved to OpenCart after that.