Title: need help decoding malicious code
Last modified: August 19, 2016

---

# need help decoding malicious code

 *  Resolved [headlessspider](https://wordpress.org/support/users/headlessspider/)
 * (@headlessspider)
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/)
 * hello folks,
 * i found something strange in one of my blogs. the plugin manager has disabled
   it and i was able to download it. it appears to be a php script but the code 
   is ‘hidden’ by using hexadecimal values. i do not know what it does. can one 
   of you folks help a bit in decoding the thing? i do not have much free time
   right at the moment.
 * a screenshot of the code can be found at [http://noel.alanguilan.com/2008/10/01/new-wordpress-malicious-plugin/](http://noel.alanguilan.com/2008/10/01/new-wordpress-malicious-plugin/)
 * thanks for looking.

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871222)
 * Broken link, no DNS resolution for that domain name.
 * Also, a screenshot of the code would be useless. Post the actual code itself.
   Stick it on [http://wordpress.pastebin.com](http://wordpress.pastebin.com) and
   then paste a link to the code back here.
 *  Thread Starter [headlessspider](https://wordpress.org/support/users/headlessspider/)
 * (@headlessspider)
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871247)
 * i’d like to post it there but i’m having a hard time just doing a ‘select all’
   on either gedit or bluefish. ugh. i tried notepad under wine and just doing a
   copy after a select all crashed the program hence the screenshot. i could, however,
   send the file to an e-mail address of your choosing.
 * strange about the dns resolution thing. the site is on yahoo. (i know, i know.)
 * edit: may i send the file to your otto destruct dot com e-mail address?
 *  Thread Starter [headlessspider](https://wordpress.org/support/users/headlessspider/)
 * (@headlessspider)
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871251)
 * ach. here’s the link:
 * [http://wordpress.pastebin.com/m46d5df79](http://wordpress.pastebin.com/m46d5df79)
 * it took me a good few minutes just to select all – copy – paste a 49k file. ugh.
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871295)
 * Holy crap! Never seen one that complex. I’d have to write a special decoder for
   it.
 * Regardless, I would not trust it. Just delete the thing. Where did you find it,
   exactly?
 *  Thread Starter [headlessspider](https://wordpress.org/support/users/headlessspider/)
 * (@headlessspider)
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871400)
 * it was in a subdirectory under my tmp subdirectory in the server. the plugins
   manager told me it disabled the thing and i got suspicious — a plugin in the 
   tmp subdirectory?!? i couldn’t delete it at first. permission denied, the server
   said. so i had to change the permissions and not make it executable. after a 
   day i was able to delete it. i just want to know what it does, don’t you?
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871411)
 * Some older versions of WordPress had security holes. Some exploits for those 
   security holes left traps in the code to have them hide their plugins by putting
   them in the tmp directory. So that is not all that unusual.
 * Regardless, it’s malicious code. Decoding it would probably take longer than 
   it’s worth, but I feel pretty sure that it’s a backdoor into the system.
 *  Thread Starter [headlessspider](https://wordpress.org/support/users/headlessspider/)
 * (@headlessspider)
 * [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871414)
 * okay. i’ll take your word for it. i deleted it from the server already but i 
   have a copy in my workstation in case i have time later on to mess with it.
 * thanks otto for taking the time.
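
What a "special decoder" for PHP hidden behind hexadecimal values can look like, as an added example that is not part of the original thread: it rewrites `\xHH` and octal escapes inside double-quoted strings as readable text without executing the file. The sample input, the watch list and all function names are constructed for illustration; the pastebin file from the thread is not reproduced here.

```python
import re

# PHP expands \xHH and octal \NNN only inside double-quoted strings.
# Simplification: this regex does not understand comments or heredocs.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
ESCAPE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(.))', re.S)
WATCHLIST = ("assert", "base64_decode", "create_function", "eval", "gzinflate")

def decode_php_strings(source):
    """Rewrite escapes as readable text; returns (decoded, escape_count)."""
    count = 0

    def fix_escape(m):
        nonlocal count
        if m.group(3) is not None:        # \\, \n, \$ ...: leave untouched
            return m.group(0)
        count += 1
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        ch = chr(code)
        if ch in '"\\$':                  # keep the literal valid PHP
            return "\\" + ch
        return ch if 0x20 <= code < 0x7F else "\\x%02x" % code

    def fix_string(m):
        return '"' + ESCAPE.sub(fix_escape, m.group(1)) + '"'

    return DQ_STRING.sub(fix_string, source), count

def triage(source):
    """Decode, then list watch-list function names found as string data."""
    decoded, count = decode_php_strings(source)
    strings = DQ_STRING.findall(decoded)
    hits = sorted({w for s in strings for w in WATCHLIST if w in s})
    return {"escapes": count, "hits": hits, "decoded": decoded}

# Constructed sample, not the file from the thread.
SAMPLE = r'''<?php $f = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
$g = "\145\166\141\154"; $k = '\x41'; echo $f("aGk="); ?>'''

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["decoded"])
    print(report["escapes"], "escapes; string data names:", report["hits"])
```

Function names that only become visible after decoding, as in the constructed sample, are the usual sign that a file builds its calls at run time to evade a plain-text search.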


The topic ‘need help decoding malicious code’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 7 replies
 * 2 participants
 * Last reply from: [headlessspider](https://wordpress.org/support/users/headlessspider/)
 * Last activity: [17 years, 6 months ago](https://wordpress.org/support/topic/need-help-decoding-malicious-code/#post-871414)
 * Status: resolved

