Hello,
Found some malicious code on my site. I don't really understand it, but it seems pretty complex. So I'm posting it here in case someone needs to take a look, and to prevent this from happening to others.
I'm not sure if it's a security hole in WordPress, or if my hosting partner got hacked, but here it is:
index.php (last modified: 2014-02-21)
http://chopapp.com/#1mpyxybd
It's a wall of text, since it's decoded, but using http://ddecode.com/phpdecoder/ I managed to make it more readable.
Same chunk of code, more readable:
http://chopapp.com/#68wz01zp
But if you look, there are still some parts that are decoded using base64_decode (I used http://www.base64decode.org/ to decode them).
line 889 base64_decode:
http://chopapp.com/#vw8odqri
line 896 base64_decode:
http://chopapp.com/#arm4fjp6
line 899 base64_decode:
http://chopapp.com/#ndpufpn7
line 1427 base64_decode:
http://chopapp.com/#4fazalz7
line 1804 base64_decode:
http://chopapp.com/#4m45tzbt
Also found this in the code:
D.K Shell v1.0
D.K Shell (c)oded by b47chguru & Lnx Root for ICF
D.K shell is made on the same architecture of WSO shell. D.K shell is a professional web shell..
It has all the features to bust the security..including disabling mod_security , disabling php safe mode, Symlink,webcrawler, auto-admin password changer for vbulletin,joomla,Wordpress...etc, perl cgi script compatibility and a better backconnection script.For any doubts or queries on D.K shell mail me at interestingpal@gmail.com Note:The security on the webserver is completely disabled when clicked on the 'safemode' link and the default port for php backconnection is 70
Special Thanks to Archith Kp who helped generously throughout the project..!!
Like I said, pretty complex.
And for those who are wondering, my site is OK, nothing was lost, and it was an empty demo site.
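The post describes a manual triage loop: run the file through a PHP decoder, then hand-decode the remaining base64_decode() literals one at a time. The following script is an added example, not the poster's file or any tool named above; it automates that loop for a defender checking a WordPress install by locating every base64_decode('...') literal in a PHP source, peeling nested layers, and ranking each finding by the code-execution calls (eval, system, and so on) seen in the decoded text. The sample PHP it scans is constructed inline; no real infected file is embedded.

```python
import base64
import re

# Function names whose presence in a decoded chunk usually means the chunk
# executes code or touches the host; used only to rank findings for review.
RISKY_CALLS = re.compile(
    r"\b(eval|assert|system|exec|passthru|shell_exec|create_function|preg_replace)\s*\("
)

# A base64_decode('...') call whose argument is a string literal.
B64_CALL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""")


def decode_layers(literal, max_depth=5):
    """Decode a base64 literal, following nested base64_decode() calls.

    Returns the decoded layers outermost first; stops when a layer is not
    valid base64 or contains no further base64_decode() literal.
    """
    layers = []
    current = literal
    for _ in range(max_depth):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", current), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            break
        text = raw.decode("utf-8", errors="replace")
        layers.append(text)
        inner = B64_CALL.search(text)
        if inner is None:
            break
        current = inner.group(1)
    return layers


def scan_php(source):
    """Find base64_decode() literals in PHP source and decode them.

    Each finding records the 1-based line of the call, how many nested
    layers were decoded, the innermost decoded text, and the risky calls
    seen in any layer (sorted, deduplicated).
    """
    findings = []
    for match in B64_CALL.finditer(source):
        line = source.count("\n", 0, match.start()) + 1
        layers = decode_layers(match.group(1))
        calls = sorted(set(RISKY_CALLS.findall("\n".join(layers))))
        findings.append({
            "line": line,
            "depth": len(layers),
            "innermost": layers[-1] if layers else "",
            "risky_calls": calls,
        })
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample (not the poster's file): a two-layer chunk wrapped in
# eval() on line 3, and a harmless single-layer literal on line 4.
INNER = 'echo "constructed demo";'
OUTER = "eval(base64_decode('" + _b64(INNER) + "'));"
SAMPLE_PHP = (
    "<?php\n"
    "$x = 1;\n"
    "eval(base64_decode('" + _b64(OUTER) + "'));\n"
    "$label = base64_decode('" + _b64("plain label text") + "');\n"
)

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']}: depth={f['depth']} "
              f"risky={f['risky_calls']} -> {f['innermost']!r}")
```

Run it against a suspect file with `scan_php(open(path).read())`; findings with a non-empty `risky_calls` list are the chunks worth reading first, which is the same prioritisation the poster did by hand for lines 889, 896, 899, 1427 and 1804. The regex only catches literals passed directly to base64_decode(); obfuscators that build the string from concatenation or variables need the full PHP-decoder pass first, as the post describes.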