How to decode this file

Hi,

Recently someone hacked into my WP website and uploaded 4 encrypted files (additionally, one file named ntunel_mysql.php (no encryption) seems suspicious; not sure if it was by the hacker).

Also, two new admins were created on my site.

One of the 4 encrypted files is here: http://pastebin.com/ycTHyv0N

I’m unable to decode it using the tools I found. Can anyone please help?

Please let me know if you need additional details.

How is the code executed? That would give a clue.

Ok, it looks like that code is self-executing. It’s actually rather clever.

The second line essentially spits out this:

eval(gzuncompress(base64_decode(implode("",$ayZ))));die();

Which decodes the array of gibberish into the malicious code that actually runs. However, without a closer inspection, I’m not entirely sure what it does (displays ads, maybe?). Either way, I wouldn’t recommend running it.

Reverting to backup before this intrusion happened would probably be the best option, since you never know what other malicious pieces of code would’ve been left behind.

I would also take a closer look at what your file permissions are set to, and also at locking down WordPress better.
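As an added example (not code from this thread or the pastebin file), here is how to reverse that loader line statically in Python instead of running it: zlib.decompress undoes PHP’s gzuncompress(), so the array chunks can be joined, base64-decoded and decompressed offline, and any nested eval(base64_decode(…)) stages peeled the same way. The sample array and its contents are constructed here, since the real payload is not on this page.

```python
import base64
import re
import zlib

# Signature of the self-executing loader quoted in the thread; the array
# name is captured so the same check works for variants of $ayZ.
LOADER_RE = re.compile(
    r'eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*implode\s*\('
    r'\s*""\s*,\s*\$(\w+)\s*\)\s*\)\s*\)\s*\)')
# Nested eval(base64_decode('...')) stages commonly found inside such payloads.
STAGE_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)")

def find_loader(php_source):
    """Return the chunk-array name if the loader pattern is present, else None."""
    m = LOADER_RE.search(php_source)
    return m.group(1) if m else None

def decode_chunks(chunks):
    """Statically reverse implode -> base64_decode -> gzuncompress.
    gzuncompress() works on the zlib format, which zlib.decompress reads."""
    return zlib.decompress(base64.b64decode("".join(chunks))).decode("utf-8", "replace")

def peel_stages(php_source, max_depth=10):
    """Follow nested eval(base64_decode('...')) stages; returns every layer, outermost first."""
    layers = [php_source]
    for _ in range(max_depth):
        m = STAGE_RE.search(layers[-1])
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
    return layers

# Constructed sample standing in for the pastebin file (not on this page): an inner
# script hidden behind one more eval/base64 stage, compressed, base64-encoded and
# split into 16-character chunks the way the $ayZ array is.
INNER = "echo 'constructed final stage';"
STAGED = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(INNER.encode()).decode()
BLOB = base64.b64encode(zlib.compress(STAGED.encode())).decode()
SAMPLE_CHUNKS = [BLOB[i:i + 16] for i in range(0, len(BLOB), 16)]
SAMPLE_LOADER = '$ayZ=array("%s");eval(gzuncompress(base64_decode(implode("",$ayZ))));die();' % '","'.join(SAMPLE_CHUNKS)

if __name__ == "__main__":
    print("loader array:", find_loader(SAMPLE_LOADER))
    for depth, layer in enumerate(peel_stages(decode_chunks(SAMPLE_CHUNKS))):
        print("stage %d: %s" % (depth, layer))
```

find_loader can be run over every .php file under wp-content to flag other copies of the same loader, which is useful before trusting a backup as clean.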

Hi,

I’m not sure what the code does, but the hacker was able to create admin users and change my affiliate links to his in a script I use. I have traced several accesses to the malicious files back to someone in Vietnam. Here is a series of accesses made to the above file (timing: bottom to top):

/wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=base64_decode(aW5jbHVkZSAnL2V0Yy9wYXNzd2Qn)
/wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=base64_decode(“aW5jbHVkZSAnL2V0Yy9wYXNzd2Qn”)
/wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=include ‘etc/passwd’

There were another 50+ commands given.

As I said, if you have a backup, or can request a backup restoration from your host, that would be the preferred approach.

A quick look at it reveals that it decodes into Chinese. Now I’m not so familiar with the language :smiley: but it looks like (looks like gibberish nonsense) maybe forum posts… or news stuffing… Hard to tell without knowing more or speaking the language…