Detect and fix what is this weird PHP process: /usr/local/bin/php -d safe_mode=off -r eval(base54_decode

Hello. I would like to help you with php proc identified. I have a lot of experience with linux many years. Thank you.

It's most likely virus/spamming code, where do you see this process running and can't you stop it? If you give me access to the server I'll try to find from where it gets started

I can help you. Do you have root access to your server?. I'm looking forwards to your response. Thank you.

1) What is it? If its a hack or what? Yes 2) How to fix this? Order me 3) How it got there Your server is unsecured ***************************************************************************

Nie złożono jeszcze oferty.

I will have to look into the server. Can fix in few hours time. Again you will have to provide ssh access to your server for me to be able to finish this job

Hi, I am expert in PHP. Seems you have been hacked. Can you give me base64 code string? Regards, Andrew .

Dear sir, As a pentester and security researcher, I think this is a hack. We can cleary see PHP is started without safe_mode with enables dangerous functions such as shell_exec. The only reason behind encoding with base64 and eval the function is to obfuscate what's running. Can you paste the full base64 string so I reverse it and see what code is beinng eval'ed ? As this is showing in htop, it seem to be a really low skilled hacker as someone skilled would have hidden this from the process list. But maybe he's working on making it stealth right now so you should really not wait and speed up before something bad happens. It might be a cryptoPHP infection. Please paste me the base64 string this is the most important and it's missing from your description, but this is is clearly a hack. You should kill this process and make a crontab if it runs automatically again. Please PM, I would really like to find out what it is and identify what strain of malware lies behind this base64 string. You might be part of a DDOS or spam botnet. I hope for you it's not some kind of crypotPHP infection. Make sure you have backups of all your files and DONT delete them, it surely started to infect other scripts and a backdoor might have already been put on your server in case you find out this (which you did). You must find out what was done ASAP. Regards,

From how you've described it, this is potentially malicious code that has made its way onto your server via yourself or some outside party. I can figure out exactly what this code is doing and take the proper direction from there on what to do.

A proposal has not yet been provided

I can find the base64 that is being executed in PHP and decode it to find exactly what is happening. I am free to start immediately.

It's certainly a hacked process. It is running some php commands which is encoded in base64 so that you don't know what task is done by it. But i think you understand what it means? (illegal)

Dear Sir/Madam, please let me introduce myself briefly. Fifteen years dealing with information technology, I am mostly familiar with fields of web development and system and network operations. Based on your description this is definitely a hack. I work with PHP and webservers on a daily basis, so I can easily check your server for security issues. I can change your settings so no more harmful code will be executed. As I'm new here, please give me a chance to get some good ratings, it'd really help me get other jobs. :) Having any questions please don't hesitate to contact me, I'll be glad to answer them. I'm looking forward to work with you. Kind regards, Robert.

It's looks like your site/server is infected by malware. Does your site based on Wordpress?