wordpress wp-config hijacked, anyone can decode it what is running inside the code?

StackOverflow https://stackoverflow.com/questions/23508810

16-07-2023

Question

I noticed something not right with my hosting, and I took a look into my wp-config; some unknown code has been added there. Can anyone decode / explain what the code is doing on my server?

Here is the code:

http://laravel.io/bin/0zRe2#9

I managed to decode it until it runs eval, create_function, base64_decode. After that I have no idea what the code is doing. Please help.


Solution

It's a series of eval + Base64 encoding. The decoding process is relatively easy. If you look at the last line, you can see:

$idKTDNZxDpObOf3gyVJWUREvUEvaYuSMK3M($UuS9w2FD06i8R3aF7VSSFsjdONHd);

This is basically calling a function. To find out the actual PHP code being evaluated, simply echo the value of $UuS9w2FD06i8R3aF7VSSFsjdONHd. From the padding characters at the end of the output, you can easily make out that it's a Base64 encoded text. Decode that to ASCII text. Now change eval to echo. Rinse and repeat. Finally, you'd obtain the decrypted code.

By Googling the IPs in the code, I found this article which talks about an OptimizePress vulnerability. If your WordPress installation uses that theme, I suggest you delete the entire theme folder from /wp-contents directory and do a scan for more injected files. Optionally, contact the theme support for security fixes.

From a quick scan of the code, it looks like a backdoor that allows arbitrary PHP code to be evaluated, and files to be saved to your disk by exploiting WordPress' permissions. However, instead of worrying about what the code does, I suggest you find the vulnerability and fix it immediately. Make sure you contact the hosting support (if you have one) as well.
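The "decode, swap eval for echo, repeat" procedure from the answer can be done without ever running the hijacked file, which matters when the payload is a backdoor. The script below is an added example, not code from the question, the answer, or WordPress: it treats the PHP purely as text, finds every quoted Base64 literal that decodes to readable source, substitutes the plaintext, and loops until no layer is left, recording which dangerous built-ins appear along the way. The sample it unwraps is constructed inline (three layers of eval + base64_decode around a harmless echo, using the same variable-holds-a-function-name indirection the answer points out), and the function names build_sample, deobfuscate and indicators are my own.

```python
import base64
import re

# Constructed sample (not the code from the question): a harmless payload
# wrapped in several eval + Base64 layers, so the example runs offline.
INNERMOST = "<?php echo 'deobfuscated payload'; ?>"

def wrap_layer(code: str, n: int) -> str:
    """Wrap PHP source in one eval(base64_decode(...)) layer, with the
    function name held in a variable the way obfuscated droppers do."""
    enc = base64.b64encode(code.encode()).decode()
    return (f"<?php $f{n} = 'base64_decode'; "
            f"$p{n} = $f{n}('{enc}'); eval($p{n}); ?>")

def build_sample(depth: int = 3) -> str:
    """Build the constructed test input: `depth` nested layers."""
    code = INNERMOST
    for n in range(depth):
        code = wrap_layer(code, n)
    return code

# A quoted run of Base64 alphabet characters, at least 16 long, optional padding.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{16,}={0,2})\1""")

# Built-ins worth flagging when they turn up in a config file that should
# contain nothing but define() calls and database settings.
SUSPICIOUS = ("eval", "create_function", "base64_decode", "gzinflate",
              "str_rot13", "assert", "preg_replace")

def looks_like_text(data: bytes) -> bool:
    """True if the decoded bytes are printable UTF-8 (i.e. plausibly source)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)

def peel_once(code: str):
    """Replace every Base64 literal that decodes to readable text with the
    plaintext. Returns (new_code, changed). Nothing is executed."""
    changed = False

    def substitute(match: re.Match) -> str:
        nonlocal changed
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except ValueError:           # binascii.Error is a ValueError subclass
            return match.group(0)    # not valid Base64: leave it untouched
        if not looks_like_text(raw):
            return match.group(0)    # binary blob (e.g. gzip): leave it for another pass
        changed = True
        return raw.decode("utf-8")

    return B64_LITERAL.sub(substitute, code), changed

def deobfuscate(code: str, max_layers: int = 20) -> list[str]:
    """Peel layers until a fixed point. Returns every intermediate stage,
    outermost first, so the analyst can read the dropper logic at each level."""
    stages = [code]
    for _ in range(max_layers):
        code, changed = peel_once(code)
        if not changed:
            break
        stages.append(code)
    return stages

def indicators(code: str) -> list[str]:
    """Suspicious built-ins referenced anywhere in the given text."""
    return sorted(name for name in SUSPICIOUS
                  if re.search(rf"\b{name}\b", code))

if __name__ == "__main__":
    sample = build_sample()
    stages = deobfuscate(sample)
    print(f"peeled {len(stages) - 1} layer(s)")
    print("indicators in outer layer:", indicators(sample))
    print("final stage:", stages[-1])
```

Only Base64 wrappers are peeled here; real droppers often add gzinflate or str_rot13 around the same core, which would each need a decoder of their own in peel_once. The intermediate stages are kept because the outer layers, not the final payload, usually hold the indicators of compromise worth searching the rest of the site for (IPs, hostnames, file paths the dropper writes to).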

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow