We have a static HTML site built in 2013 that we maintain. We got a notification from Godaddy that there were malicious files in the website. I started to remove them, but wanted to see what was in them. When I opened one of the files that was 3 level into the website it was extremely complicated. It looks like part of many arrays and just pulling parts of multiple arrays. I believe the end goal is to assemble the final script. It looks like this.
Another interesting thing about this attack is the date of the file. It is from 2013. I had made a complete back of the site on 2/15/2016, but the bad files were from 2013. None of the bad files were in my back in 2016.
Nothing was solved. I removed the old files and updated the .htaccess file. I found it interesting how the date could be manipulated.
I hope this helps someone one else out there….