A friend of mine's WordPress site got hacked recently and I'm going through all the files to try and work out what happened. I won't mention the theme in question here but there are four suspect files - three of them are JavaScripts that have had document.write() appended to them to load in 3rd party sites into an iframe in the main template but the fourth file (index.php) has the following code right at the top:
The /e flag tells preg_replace() to evaluate the replacement string as PHP code. That's the first warning that it's malicious.
There are only two layers of obfuscation, the second being a common eval(base64_decode(...)). The result is something which allows someone with $_COOKIE["v"] == "d" to see a form which allows them to submit and evaluate PHP code.
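Added example (not part of the original posts, and not the code from the hacked site): a static triage script for the two patterns named in the reply above, the /e modifier on preg_replace() and eval(base64_decode(...)). The function names and the sample PHP are constructed for illustration, and the script assumes the arguments are plain string literals; it decodes the base64 layer without executing anything.

```python
import base64
import re

# First argument of preg_replace() when it is a plain string literal.
PREG_CALL = re.compile(r"preg_replace\s*\(\s*(['\"])((?:\\.|(?!\1).)*)\1", re.I | re.S)
# eval(base64_decode("...")) with a literal payload.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]*)\1", re.I)
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}  # PCRE bracket delimiters

# Constructed sample with harmless payloads; not the code from the hacked site.
SAMPLE = r'''<?php
preg_replace("/.*/e", "strtoupper('x')", ".");
preg_replace("\x2f.*\x2f\x65", "strtoupper('x')", ".");
preg_replace('#^a/e$#i', 'b', $s);
eval(base64_decode("ZWNobyAiY29uc3RydWN0ZWQgc2FtcGxlIjs="));
'''

def pcre_modifiers(literal, quote):
    """Return the modifier letters after the pattern's closing delimiter."""
    if quote == '"':  # PHP expands \xNN only inside double-quoted strings
        literal = re.sub(r"\\x([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), literal)
    literal = literal.lstrip()
    if not literal:
        return ""
    end = literal.rfind(CLOSERS.get(literal[0], literal[0]), 1)
    return literal[end + 1:] if end > 0 else ""

def scan_php(source):
    """Return sorted (line, rule, detail) findings; nothing is executed."""
    findings = []
    for m in PREG_CALL.finditer(source):
        mods = pcre_modifiers(m.group(2), m.group(1))
        if "e" in mods:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, "preg_replace /e", mods))
    for m in EVAL_B64.finditer(source):
        try:  # decode the second layer statically instead of running it
            detail = base64.b64decode(m.group(2)).decode("utf-8", "replace")
        except ValueError:
            detail = "<undecodable>"
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, "eval(base64_decode)", detail))
    return sorted(findings)

if __name__ == "__main__":
    for finding in scan_php(SAMPLE):
        print(finding)
```

Line 4 of the sample is not flagged, because there "/e" sits inside a "#"-delimited pattern and the only modifier is "i". The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, with preg_replace_callback() as the replacement.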