• Resolved slartibartfast11

    (@slartibartfast11)


    I was having problems with my site. Noticed errors in the http requests. Then noticed in my wp-content directory a mu-plugins directory. It had a php file that was well encrypted, using a variety of strrev, base64_decode, gzinflate and preg_replace.

    I eventually got it decrypted and this was the result.

    //<?php
    
    if (!function_exists('load')) {
      function load($what, $post = '') {
        $ua       = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0";
        $timeout  = 30;
        $url      = parse_url($what);
        $c        = '';
    
        // URL
         [redacted: Please do not post malware/evil/dangerous code here]
      }
    }

    It looks really nasty. But I have a feeling that it didn’t work as my .httpaccess file was the old format and not set up for WordPress MU.

    Any ideas, PHP experts?

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    Any heavily obfuscated code has no place in an open source project. That alone is enough to assume it is up to no good. It appears to be a toehold from which other malicious code can be installed. The fact it was placed on your server at all is a really bad sign; you have a security hole somewhere. Work through the steps in FAQ My site was hacked.

    Congratulations on managing to decode that; it is no small feat. You should never post suspect code on the Internet. Hopefully a mod sees this and removes the code.

The topic ‘Mystery encrypted php code that looks nasty’ is closed to new replies.
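
A triage check for the situation in this thread, added here as an example and not code from either poster: it walks `wp-content/mu-plugins` and flags PHP files that layer the functions the original poster names (strrev, base64_decode, gzinflate, preg_replace), including names hidden by reversal, around a long encoded literal. The thresholds, helper names and the two sample files are constructed assumptions, and a hit is a prompt for manual review, not a verdict.

```python
import re
import tempfile
from pathlib import Path

# Functions the original poster reports finding layered in the obfuscated file.
FUNCS = ("strrev", "base64_decode", "gzinflate", "preg_replace")
# Match the names forwards (calls) and reversed (names hidden behind strrev).
NAME_RE = re.compile("|".join(FUNCS + tuple(f[::-1] for f in FUNCS)), re.I)
# A long unbroken base64-alphabet run suggests an embedded encoded payload.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")

def triage_php(source):
    """Return (suspicious, functions_seen, longest_blob) for one PHP source."""
    seen = set()
    for m in NAME_RE.finditer(source):
        name = m.group(0).lower()
        seen.add(name if name in FUNCS else name[::-1])
    blob = max((len(m.group(0)) for m in BLOB_RE.finditer(source)), default=0)
    # Assumed thresholds: three of the four functions, or two plus a blob.
    suspicious = len(seen) >= 3 or (len(seen) >= 2 and blob > 0)
    return suspicious, sorted(seen), blob

def scan_mu_plugins(wp_content):
    """Triage every PHP file under <wp_content>/mu-plugins."""
    root = Path(wp_content) / "mu-plugins"
    hits = []
    for path in sorted(root.rglob("*.php")) if root.is_dir() else []:
        suspicious, funcs, blob = triage_php(path.read_text(errors="replace"))
        if suspicious:
            hits.append((path.name, funcs, blob))
    return hits

def demo():
    """Run the scan over two constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "mu-plugins"
        mu.mkdir()
        # Constructed benign file: a single, ordinary preg_replace call.
        (mu / "tidy.php").write_text(
            "<?php $s = preg_replace('/\\s+/', ' ', $s);")
        # Constructed inert sample: layered decoders around a filler string.
        (mu / "x.php").write_text(
            "<?php $f = strrev('edoced_46esab');"
            " $p = gzinflate($f('" + "A" * 240 + "'));")
        return scan_mu_plugins(tmp)

if __name__ == "__main__":
    for name, funcs, blob in demo():
        print(name, funcs, blob)
```

Point `scan_mu_plugins` at a copy of the site's `wp-content` directory rather than the live tree, and compare anything it flags against the plugins you actually installed.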